Very difficult virus, even affecting safe mode

#31 RKinner (Malware Expert, MVP)

Copy the text in the code box by highlighting and Ctrl + c


:OTL
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C7768536-96F8-4001-B1A2-90EE21279187} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.

:files
sc config WMPNetworkSvc start= disabled /c
sc config wsearch start= disabled /c
sc config "HP CUE DeviceDiscovery Service" start= disabled /c
net start /c
Then run OTL and, under the Custom Scans/Fixes box at the bottom, paste (Ctrl + v) the text. Verify that you got it all and then click the Run Fix button at the top.
Let the program run unhindered; OTL will reboot the PC when it is done. Save the log and copy and paste it to a reply.


This did not work for some reason last time. Let's try it again.
Copy the text in the code box:

/md5start
dxgthk.sys
ntdll.dll
/md5stop



Run OTL (Vista or Win 7 => right click and Run As Administrator)

Paste (Ctrl + v) the copied text in the box where it says Custom Scan/Fixes

then Run Scan.


You should get only 1 log. Please copy and paste it.
#32 Silas5429 (Member, Topic Starter)

Listed below are the OTL Run Fix log and the OTL scan log taken after the Run Fix.


OTL Run Fix

========== OTL ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{C7768536-96F8-4001-B1A2-90EE21279187} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C7768536-96F8-4001-B1A2-90EE21279187}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.
========== FILES ==========
< sc config WMPNetworkSvc start= disabled /c >
[SC] ChangeServiceConfig SUCCESS
C:\Documents and Settings\Owner\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Owner\Desktop\cmd.txt deleted successfully.
< sc config wsearch start= disabled /c >
[SC] ChangeServiceConfig SUCCESS
C:\Documents and Settings\Owner\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Owner\Desktop\cmd.txt deleted successfully.
< sc config "HP CUE DeviceDiscovery Service" start= disabled /c >
[SC] OpenService FAILED 1060:
The specified service does not exist as an installed service.
C:\Documents and Settings\Owner\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Owner\Desktop\cmd.txt deleted successfully.
< net start /c >
These Windows services are started:
Apple Mobile Device
Application Layer Gateway Service
Automatic Updates
Bonjour Service
COM+ Event System
Computer Browser
CryptSvc
DCOM Server Process Launcher
DHCP Client
Distributed Link Tracking Client
DNS Client
Error Reporting Service
Event Log
Fast User Switching Compatibility
Help and Support
HID Input Service
HP CUE DeviceDiscovery Service
hpqcxs08
HTTP SSL
IPSEC Services
Java Quick Starter
MBAMService
MSSQLServer
Net Driver HPZ12
Network Connections
Network Location Awareness (NLA)
Plug and Play
Pml Driver HPZ12
Print Spooler
PrismXL
Protected Storage
Remote Access Connection Manager
Remote Procedure Call (RPC)
Secondary Logon
Security Accounts Manager
Security Center
Server
Shell Hardware Detection
SSDP Discovery Service
System Event Notification
System Restore Service
Task Scheduler
TCP/IP NetBIOS Helper
Telephony
Terminal Services
Themes
Universal Plug and Play Device Host
WebClient
Windows Audio
Windows Firewall/Internet Connection Sharing (ICS)
Windows Image Acquisition (WIA)
Windows Management Instrumentation
Windows Time
Wireless Zero Configuration
WMI Performance Adapter
Workstation
The command completed successfully.
C:\Documents and Settings\Owner\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Owner\Desktop\cmd.txt deleted successfully.

OTL by OldTimer - Version 3.2.61.1 log created on 09092012_211321



OTL Scan after Run Fix

OTL logfile created on: 9/9/2012 9:21:09 PM - Run 2
OTL by OldTimer - Version 3.2.61.1 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1006.73 Mb Total Physical Memory | 487.12 Mb Available Physical Memory | 48.39% Memory free
1.62 Gb Paging File | 1.19 Gb Available in Paging File | 73.89% Paging File free
Paging file location(s): C:\pagefile.sys 744 1488 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 72.95 Gb Total Space | 45.65 Gb Free Space | 62.57% Space Free | Partition Type: NTFS
Drive D: | 3.72 Gb Total Space | 1.67 Gb Free Space | 44.98% Space Free | Partition Type: FAT32
Drive E: | 500.09 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: YOUR-6EA8154886 | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/09/06 23:13:57 | 000,599,552 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/01/21 18:30:14 | 000,172,032 | ---- | M] (New Boundary Technologies, Inc.) -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
PRC - [2004/10/18 18:05:12 | 000,135,168 | ---- | M] (Alcor Micro, Corp.) -- C:\Program Files\Digital Media Reader\shwiconEM.exe
PRC - [1998/11/27 23:43:52 | 004,964,624 | ---- | M] (Microsoft Corporation) -- C:\MSSQL7\Binn\sqlservr.exe


========== Modules (No Company Name) ==========

MOD - [2011/11/02 00:26:32 | 000,087,912 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/11/02 00:26:12 | 001,242,472 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2008/07/19 16:02:52 | 000,086,016 | ---- | M] () -- C:\WINDOWS\system32\custmon32.dll
MOD - [1998/11/13 04:22:18 | 000,020,480 | ---- | M] () -- C:\MSSQL7\Binn\sqlrgstr.dll


========== Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
SRV - [2012/08/15 07:28:55 | 000,250,056 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/07/03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2005/01/21 18:30:14 | 000,172,032 | ---- | M] (New Boundary Technologies, Inc.) [Auto | Running] -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS -- (PrismXL)
SRV - [1998/11/27 23:43:52 | 004,964,624 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\MSSQL7\Binn\sqlservr.exe -- (MSSQLServer)
SRV - [1998/11/13 02:09:58 | 000,339,968 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\MSSQL7\Binn\sqlagent.exe -- (SQLServerAgent)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2012/09/06 21:23:36 | 000,032,072 | ---- | M] () [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\mbamchameleon.sys -- (mbamchameleon)
DRV - [2012/07/03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2011/06/02 11:08:34 | 000,011,336 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\SystemRequirementsLab\cpudrv.sys -- (cpudrv)
DRV - [2009/06/30 10:37:16 | 000,028,552 | ---- | M] (Panda Security, S.L.) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot)
DRV - [2005/07/22 12:02:12 | 001,035,008 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005/07/22 12:01:10 | 000,231,168 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2005/07/22 12:01:00 | 000,717,952 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2005/01/21 18:40:25 | 000,008,552 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2004/10/27 18:57:38 | 002,284,864 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM)
DRV - [2004/10/20 15:39:32 | 000,040,724 | ---- | M] (Alcor Micro Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Sunkfilt.sys -- (SunkFilt)
DRV - [2004/10/18 18:05:12 | 000,042,968 | ---- | M] (Alcor Micro Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Sunkfilt39.sys -- (SunkFilt39)
DRV - [2004/06/17 18:55:04 | 001,041,536 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2003/01/10 17:13:04 | 000,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw)
DRV - [2001/08/17 16:49:32 | 000,019,968 | ---- | M] (Macronix International Co., Ltd. ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mxnic.sys -- (mxnic)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.coupons.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...ie=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = BA A8 B8 9F 5E 17 CD 01 [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...rc=IE-SearchBox
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7
IE - HKCU\..\SearchScopes\{DD2A857A-AC14-4022-864F-EF0917956DBF}: "URL" = http://search.live.c...ferrer:source?}
IE - HKCU\..\SearchScopes\{FFDBD6FF-4163-4777-A5E0-38F67693FB49}: "URL" = http://www.google.co...&rlz=1I7GWYA_en
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pack.google.com/Google Updater;version=14: C:\Program Files\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll (Google)
FF - HKLM\Software\MozillaPlugins\@pandasecurity.com/activescan: C:\Program Files\Panda Security\ActiveScan 2.0\npwrapper.dll (Panda Security, S.L.)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.3: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\[email protected]: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/04/12 15:52:20 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/04/12 15:52:20 | 000,000,000 | ---D | M]


========== Chrome ==========


O1 HOSTS File: ([2012/09/09 11:24:25 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconEM.exe (Alcor Micro, Corp.)
O4 - HKLM..\Run: [Windows Media Connect 2] C:\Program Files\Windows Media Connect 2\WMCCFG.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: 66.129.114.121 ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: 66.129.114.121 ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebo...toUploader5.cab (Facebook Photo Uploader 5)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} http://www.trendsecu...vex/TmHcmsX.CAB (TmHcmsX Control)
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} http://aolcc.aol.com...kup/qdiagcc.cab (QDiagAOLCCUpdateObj Class)
O16 - DPF: {62BC5DB2-0044-4040-B366-D628F3CFD551} file:///C:/DOCUME~1/Owner/LOCALS~1/Temp/IXP000.TMP/setup.cab (PowerTeam HTML Printing Behavior)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1227734447859 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {8DD733A8-353A-4E93-AB85-93CA8DC96F6A} https://objects.aol....s/Activator.cab (ActivatorControl1 Class)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} http://acs.pandasoft...s/as2stubie.cab (ActiveScan 2.0 Installer Class)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_11)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} http://content.syste...tel_4.5.5.0.cab (SysInfo Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{914AE270-5FC9-44AA-9230-18100E3EAF26}: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\mhtml - No CLSID value found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/26 14:04:39 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2003/08/08 17:24:26 | 000,000,045 | -HS- | M] () - D:\autorun.inf.aug.8 -- [ FAT32 ]
O32 - AutoRun File - [2011/12/07 07:42:16 | 000,000,128 | R--- | M] () - E:\autorun.inf -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/09/09 19:28:25 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\CatRoot2
[2012/09/08 23:44:34 | 002,211,928 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Owner\Desktop\tdsskiller.exe
[2012/09/08 00:02:20 | 000,693,235 | ---- | C] (Farbar) -- C:\Documents and Settings\Owner\Desktop\FSS.exe
[2012/09/07 23:21:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop\CC Support
[2012/09/07 23:13:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\RK_Quarantine
[2012/09/07 20:03:06 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/09/07 19:17:25 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/09/07 19:17:25 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/09/07 19:17:25 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/09/07 19:17:25 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/09/07 19:17:06 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/09/07 19:16:38 | 000,000,000 | ---D | C] -- C:\WINDOWS\erdnt
[2012/09/07 19:16:00 | 004,747,716 | R--- | C] (Swearware) -- C:\Documents and Settings\Owner\Desktop\ComboFix.exe
[2012/09/07 19:07:11 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Owner\Desktop\aswMBR.exe
[2012/09/07 08:32:06 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/09/06 23:13:56 | 000,599,552 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2012/09/06 08:18:10 | 000,028,552 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\pavboot.sys
[2012/09/06 08:17:51 | 000,000,000 | ---D | C] -- C:\Program Files\Panda Security
[2012/09/05 20:48:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\Media
[2012/09/05 20:48:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\Games
[2012/09/05 20:38:32 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/09/05 20:22:07 | 000,000,000 | ---D | C] -- C:\CCE_Quarantine
[2012/09/05 15:25:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Avg2013
[2012/09/05 15:25:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\MFAData
[2012/09/05 13:44:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2012/09/05 13:44:25 | 000,000,000 | ---D | C] -- C:\Program Files\Ad-Aware Antivirus
[2012/09/05 13:44:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Downloaded Installations
[2012/09/05 13:42:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Ad-Aware Antivirus
[2012/09/04 22:42:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Apple Computer
[2012/09/03 06:57:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2012/09/03 06:57:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2012/09/03 02:24:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2012/09/02 00:34:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2012/09/02 00:34:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2012/09/02 00:25:39 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Owner\Recent
[2012/09/02 00:14:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2012/09/02 00:14:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2012/08/26 12:32:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\6F63A557005475331A6421287B07D329
[2012/08/21 21:16:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\dvdcss
[2012/08/21 21:15:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\vlc
[2012/08/21 21:15:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\VideoLAN
[2012/08/21 21:14:07 | 000,000,000 | ---D | C] -- C:\Program Files\VideoLAN

========== Files - Modified Within 30 Days ==========

[2012/09/09 21:28:17 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/09/09 21:18:07 | 000,001,170 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/09/09 21:15:55 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/09/09 21:15:53 | 1055,707,136 | -HS- | M] () -- C:\hiberfil.sys
[2012/09/09 14:37:58 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\MBRCheck.exe
[2012/09/09 11:24:25 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/09/09 11:06:22 | 004,747,716 | R--- | M] (Swearware) -- C:\Documents and Settings\Owner\Desktop\ComboFix.exe
[2012/09/09 00:35:11 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{CA96D179-295C-424A-BAB1-D4000F96BFBE}.job
[2012/09/08 23:44:42 | 002,211,928 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Owner\Desktop\tdsskiller.exe
[2012/09/08 23:23:40 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\MBR.dat
[2012/09/08 16:31:30 | 000,000,512 | ---- | M] () -- C:\fixedMBR.bin
[2012/09/08 00:02:22 | 000,693,235 | ---- | M] (Farbar) -- C:\Documents and Settings\Owner\Desktop\FSS.exe
[2012/09/07 23:21:07 | 004,009,167 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\ServicesRepair.exe
[2012/09/07 23:13:35 | 001,378,816 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\RogueKiller.exe
[2012/09/07 20:03:12 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2012/09/07 19:13:34 | 000,000,512 | ---- | M] () -- C:\MBR.bin
[2012/09/07 19:07:11 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Owner\Desktop\aswMBR.exe
[2012/09/07 19:00:45 | 000,061,440 | ---- | M] ( ) -- C:\Documents and Settings\Owner\Desktop\VEW.exe
[2012/09/07 12:36:00 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2012/09/06 23:13:57 | 000,599,552 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2012/09/06 21:23:36 | 000,032,072 | ---- | M] () -- C:\WINDOWS\System32\drivers\mbamchameleon.sys
[2012/09/05 16:10:00 | 000,000,043 | ---- | M] () -- C:\WINDOWS\gswin32.ini
[2012/09/03 05:04:57 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/09/01 08:05:03 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/08/17 03:33:18 | 000,194,568 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/08/17 03:12:54 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/08/15 07:28:36 | 000,426,184 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/08/15 07:28:36 | 000,070,344 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl

========== Files Created - No Company Name ==========

[2012/09/09 14:38:02 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\MBRCheck.exe
[2012/09/08 16:31:30 | 000,000,512 | ---- | C] () -- C:\fixedMBR.bin
[2012/09/07 23:20:57 | 004,009,167 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\ServicesRepair.exe
[2012/09/07 23:13:31 | 001,378,816 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\RogueKiller.exe
[2012/09/07 20:03:12 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2012/09/07 20:03:09 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/09/07 19:17:25 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/09/07 19:17:25 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/09/07 19:17:25 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/09/07 19:17:25 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/09/07 19:17:25 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/09/07 19:13:34 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\MBR.dat
[2012/09/07 19:13:34 | 000,000,512 | ---- | C] () -- C:\MBR.bin
[2012/09/07 19:00:45 | 000,061,440 | ---- | C] ( ) -- C:\Documents and Settings\Owner\Desktop\VEW.exe
[2012/09/06 21:44:32 | 1055,707,136 | -HS- | C] () -- C:\hiberfil.sys
[2012/09/05 16:10:00 | 000,000,043 | ---- | C] () -- C:\WINDOWS\gswin32.ini
[2012/09/02 00:22:16 | 000,001,803 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Search.lnk
[2012/09/02 00:22:16 | 000,001,342 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\RealFA$T Setup 6.lnk
[2012/09/02 00:22:16 | 000,001,326 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\RealFA$T FORMS 6.lnk
[2012/09/02 00:22:16 | 000,001,011 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Media Connect.lnk
[2012/09/02 00:22:16 | 000,000,796 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\RinglingBrosDesktopTrain.lnk
[2012/09/02 00:22:16 | 000,000,786 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Movie Maker.lnk
[2012/09/02 00:22:16 | 000,000,609 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Messenger.lnk
[2012/09/02 00:22:15 | 000,001,878 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Works Task Launcher.lnk
[2012/09/02 00:22:14 | 000,000,731 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\I.R.I.S. OCR Registration.lnk
[2012/09/02 00:22:13 | 000,001,988 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Photoshop Album 2.0 Starter Edition.lnk
[2012/09/02 00:22:13 | 000,001,830 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Apple Software Update.lnk
[2012/09/02 00:22:13 | 000,001,810 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Cisco Connect.lnk
[2012/09/02 00:22:13 | 000,001,810 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader 7.0.lnk
[2012/09/01 23:45:01 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/05/29 15:05:18 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2012/05/27 13:19:21 | 000,032,072 | ---- | C] () -- C:\WINDOWS\System32\drivers\mbamchameleon.sys
[2012/05/27 10:56:05 | 000,000,075 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\mbam.context.scan
[2012/05/10 22:36:27 | 000,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2012/05/09 20:51:39 | 000,000,410 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2012/03/13 12:24:08 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2005/07/08 18:38:11 | 000,002,552 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\wklnhst.dat

========== Custom Scans ==========

< >

< MD5 for: DXGTHK.SYS >
[2004/08/04 15:00:00 | 000,003,328 | ---- | M] (Microsoft Corporation) MD5=A73F5D6705B1D820C19B18782E176EFD -- C:\WINDOWS\system32\dllcache\dxgthk.sys
[2004/08/04 15:00:00 | 000,003,328 | ---- | M] (Microsoft Corporation) MD5=A73F5D6705B1D820C19B18782E176EFD -- C:\WINDOWS\system32\drivers\dxgthk.sys

< MD5 for: NTDLL.DLL >
[2010/12/09 11:15:41 | 000,718,336 | ---- | M] (Microsoft Corporation) MD5=15CE4DBC22FAB90B3CA5352AF1FFF81C -- C:\WINDOWS\$hf_mig$\KB2393802\SP3QFE\ntdll.dll
[2008/04/13 20:11:24 | 000,706,048 | ---- | M] (Microsoft Corporation) MD5=27D9ED8CB8B62D1E0A8E5ACE6CF52E2F -- C:\WINDOWS\$NtUninstallKB956572$\ntdll.dll
[2008/04/13 20:11:24 | 000,706,048 | ---- | M] (Microsoft Corporation) MD5=27D9ED8CB8B62D1E0A8E5ACE6CF52E2F -- C:\WINDOWS\ServicePackFiles\i386\ntdll.dll
[2009/02/09 08:10:48 | 000,714,752 | ---- | M] (Microsoft Corporation) MD5=911DDF2E16761643A47225F654D811E5 -- C:\WINDOWS\$NtUninstallKB2393802$\ntdll.dll
[2009/02/09 06:56:35 | 000,715,264 | ---- | M] (Microsoft Corporation) MD5=B0913005EE3FC15D7F72472D0B8A30EB -- C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\ntdll.dll
[2004/08/04 00:56:38 | 000,708,096 | ---- | M] (Microsoft Corporation) MD5=BB5CBFFC096497506167BCE1D9690EF2 -- C:\cmdcons\SYSTEM32\NTDLL.DLL
[2004/08/04 15:00:00 | 000,708,096 | ---- | M] (Microsoft Corporation) MD5=BB5CBFFC096497506167BCE1D9690EF2 -- C:\WINDOWS\$NtServicePackUninstall$\ntdll.dll
[2004/08/04 15:00:00 | 000,708,096 | ---- | M] (Microsoft Corporation) MD5=BB5CBFFC096497506167BCE1D9690EF2 -- C:\WINDOWS\I386\NTDLL.DLL
[2004/08/04 15:00:00 | 000,708,096 | ---- | M] (Microsoft Corporation) MD5=BB5CBFFC096497506167BCE1D9690EF2 -- C:\WINDOWS\I386\SYSTEM32\NTDLL.DLL
[2010/12/09 11:15:09 | 000,718,336 | ---- | M] (Microsoft Corporation) MD5=F8F0D25CA553E39DDE485D8FC7FCCE89 -- C:\WINDOWS\system32\dllcache\ntdll.dll
[2010/12/09 11:15:09 | 000,718,336 | ---- | M] (Microsoft Corporation) MD5=F8F0D25CA553E39DDE485D8FC7FCCE89 -- C:\WINDOWS\system32\ntdll.dll

< >

< End of report >

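The MD5 list above is what the expert's custom scan is for: comparing the live copy of a protected system file with the copies Windows keeps elsewhere. As an added example, not code from the thread or from OTL, here is a small Python parser for that `< MD5 for: ... >` output together with the check a responder actually wants: does the live copy under system32 (or system32\drivers) carry the same hash as the dllcache copy, and does every copy report company information. Older hashes under $NtUninstall..., $hf_mig$ and ServicePackFiles are expected (earlier patch levels), so they are not treated as mismatches. The sample log is constructed: the DXGTHK.SYS and NTDLL.DLL lines mirror the thread, while EXAMPLE.DLL and its hashes are invented to show what a mismatch looks like.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of OTL's "< MD5 for: ... >" custom-scan output.
# The DXGTHK.SYS and NTDLL.DLL lines mirror the thread's log; EXAMPLE.DLL is an
# invented file whose live copy deliberately differs from its dllcache copy.
SAMPLE_LOG = r"""
< MD5 for: DXGTHK.SYS >
[2004/08/04 15:00:00 | 000,003,328 | ---- | M] (Microsoft Corporation) MD5=A73F5D6705B1D820C19B18782E176EFD -- C:\WINDOWS\system32\dllcache\dxgthk.sys
[2004/08/04 15:00:00 | 000,003,328 | ---- | M] (Microsoft Corporation) MD5=A73F5D6705B1D820C19B18782E176EFD -- C:\WINDOWS\system32\drivers\dxgthk.sys

< MD5 for: NTDLL.DLL >
[2010/12/09 11:15:41 | 000,718,336 | ---- | M] (Microsoft Corporation) MD5=15CE4DBC22FAB90B3CA5352AF1FFF81C -- C:\WINDOWS\$hf_mig$\KB2393802\SP3QFE\ntdll.dll
[2008/04/13 20:11:24 | 000,706,048 | ---- | M] (Microsoft Corporation) MD5=27D9ED8CB8B62D1E0A8E5ACE6CF52E2F -- C:\WINDOWS\ServicePackFiles\i386\ntdll.dll
[2010/12/09 11:15:09 | 000,718,336 | ---- | M] (Microsoft Corporation) MD5=F8F0D25CA553E39DDE485D8FC7FCCE89 -- C:\WINDOWS\system32\dllcache\ntdll.dll
[2010/12/09 11:15:09 | 000,718,336 | ---- | M] (Microsoft Corporation) MD5=F8F0D25CA553E39DDE485D8FC7FCCE89 -- C:\WINDOWS\system32\ntdll.dll

< MD5 for: EXAMPLE.DLL >
[2010/12/09 11:15:09 | 000,100,000 | ---- | M] (Microsoft Corporation) MD5=00000000000000000000000000000001 -- C:\WINDOWS\system32\dllcache\example.dll
[2012/09/01 02:00:00 | 000,100,512 | ---- | M] () MD5=00000000000000000000000000000002 -- C:\WINDOWS\system32\example.dll
"""

SECTION_RE = re.compile(r"^< MD5 for: (?P<name>.+?) >$")
# [date time | size | attrs | M] (company) MD5=hash -- path
ENTRY_RE = re.compile(
    r"^\[[^|]*\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*"
    r"\((?P<company>[^)]*)\)\s*MD5=(?P<md5>[0-9A-Fa-f]{32})\s*--\s*(?P<path>.+?)\s*$"
)


def parse_md5_sections(text):
    """Return {FILENAME: [entry, ...]} from OTL's '< MD5 for: ... >' custom-scan output."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").upper()
            continue
        m = ENTRY_RE.match(line)
        if m and current:
            sections[current].append({
                "size": int(m.group("size").replace(",", "")),
                "company": m.group("company"),
                "md5": m.group("md5").upper(),
                "path": m.group("path"),
            })
    return dict(sections)


def _role(path, name):
    """Classify a copy: the dllcache reference, the live file, or an archived copy."""
    p = path.lower().replace("/", "\\")
    if p.endswith("\\system32\\dllcache\\" + name):
        return "dllcache"
    if p.endswith("\\system32\\" + name) or p.endswith("\\system32\\drivers\\" + name):
        return "live"
    return "other"  # $NtUninstall*, $hf_mig$, ServicePackFiles, I386: older builds are normal


def check_live_vs_cache(sections):
    """Compare each file's live copy with its dllcache copy; return (name, issue, path) findings."""
    findings = []
    for name, entries in sections.items():
        lname = name.lower()
        by_role = defaultdict(list)
        for e in entries:
            by_role[_role(e["path"], lname)].append(e)
            if not e["company"]:  # OTL prints () when the file carries no version info
                findings.append((name, "no company/version info", e["path"]))
        if not by_role["live"]:
            findings.append((name, "no live copy found", ""))
            continue
        cache_hashes = {e["md5"] for e in by_role["dllcache"]}
        if not cache_hashes:
            continue  # nothing to compare against
        for e in by_role["live"]:
            if e["md5"] not in cache_hashes:
                findings.append((name, "live copy differs from dllcache", e["path"]))
    return findings


if __name__ == "__main__":
    for name, issue, path in check_live_vs_cache(parse_md5_sections(SAMPLE_LOG)):
        print(f"{name}: {issue} {path}")
```

A hash difference between the live file and its dllcache copy is a reason to look closer, not proof of infection (a pending hotfix can produce the same picture), which is why the script reports rather than decides. In the thread's own log both ntdll.dll and dxgthk.sys match their cache copies.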
#33
RKinner
    Malware Expert
  • Expert
  • 24,624 posts
  • MVP
Clear the Java Cache by following the instructions on
http://www.java.com/...lugin_cache.xml

You do not have the latest Java.
First go into Control Panel, Add/Remove Software and remove any old versions (which may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE)
I see:

Java™ 6 Update 13
J2SE Runtime Environment 5.0 Update 11
Java 2 Runtime Environment, SE v1.4.2

Get the latest Java at:
http://www.java.com/en/

Save it to your PC then close all browsers and install it. Do not let it install the Yahoo toolbar or other foistware.


Uninstall Adobe Reader 7.1.0
then go to Adobe.com and get the latest version of Reader.

Uninstall Yahoo! Toolbar

Open IE, Security (or maybe Tools) Windows Updates and see if you are able to get updates.

Combofix is still not happy with the file verification.

See if you can get the Fixit here to work: http://support.microsoft.com/kb/822798

Can you get MalwareBytes to run?

Use IE and go to http://eset.com/onlinescan and click on ESET online Scanner. Accept the terms then press Start (If you get a warning from your browser tell it you want to run it).

# Check Scan Archives
# Push the Start button.
# ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
# When the scan completes, push LIST OF THREATS FOUND
# Push EXPORT TO TEXT FILE , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
# Push the BACK button.
# Push Finish
# Once the scan is completed, you may close the window.
# Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
# Copy and paste that log as a reply.


Let's also try the bitdefender quickscan.

http://quickscan.bitdefender.com/

When it finishes there is a View Report option at the bottom. Click on it and copy and paste the report (even if it says nothing found).

#34
Silas5429
    Member
  • Topic Starter
  • Member
  • 40 posts
I am getting a box saying cannot access windows installer service. This is stopping me from removing any of the listed java programs.

Thanks

#35
RKinner
    Malware Expert
  • Expert
  • 24,624 posts
  • MVP
Try the fixit on
http://support.micro....com/kb/2438651

Also try the rest of the previous post which does not require uninstalling.

#36
Silas5429
    Member
  • Topic Starter
  • Member
  • 40 posts
Java and Adobe are updated. Windows did not seem to have any mass updates; could be some custom ones (did not check, wasn't sure if needed). Yahoo! Toolbar did not want to uninstall. It gave a RUNDLL error: loading program... The specific module could not be found. "Fixit failed to process". Don't think it will be a problem to get Malwarebytes to run. Listed below are the logs from ESET and Bitdefender.


ESET threats

C:\CCE_Quarantine\{8F9CD95A-BF75-48FA-95F7-E5681F9F4EF2} Win32/Olmasco.O trojan cleaned by deleting - quarantined
C:\CCE_Quarantine\{B1557E67-2823-4012-BCFF-B2F8E4EFE96C} Win32/Olmasco.AA trojan cleaned by deleting - quarantined
C:\CCE_Quarantine\{EEEF8ADC-F710-4901-A5E1-ABF4CBAF9808} Win32/Olmasco.Q trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\05.09.2012_20.29.15\tdlfs0000\tsk0006.dta Win64/Olmasco.Y trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\05.09.2012_20.29.15\tdlfs0000\tsk0009.dta Win32/Olmasco.O trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\05.09.2012_20.29.15\tdlfs0000\tsk0010.dta Win64/Olmasco.AA trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\05.09.2012_20.29.15\tdlfs0000\tsk0016.dta Win64/Olmasco.Z trojan cleaned by deleting - quarantined


ESET Log


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=ad02744211bc1a46855f62f3c8ebbf38
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-09-10 07:54:50
# local_time=2012-09-10 03:54:50 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=84633
# found=7
# cleaned=7
# scan_time=4089
C:\CCE_Quarantine\{8F9CD95A-BF75-48FA-95F7-E5681F9F4EF2} Win32/Olmasco.O trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\CCE_Quarantine\{B1557E67-2823-4012-BCFF-B2F8E4EFE96C} Win32/Olmasco.AA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\CCE_Quarantine\{EEEF8ADC-F710-4901-A5E1-ABF4CBAF9808} Win32/Olmasco.Q trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\TDSSKiller_Quarantine\05.09.2012_20.29.15\tdlfs0000\tsk0006.dta Win64/Olmasco.Y trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\TDSSKiller_Quarantine\05.09.2012_20.29.15\tdlfs0000\tsk0009.dta Win32/Olmasco.O trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\TDSSKiller_Quarantine\05.09.2012_20.29.15\tdlfs0000\tsk0010.dta Win64/Olmasco.AA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\TDSSKiller_Quarantine\05.09.2012_20.29.15\tdlfs0000\tsk0016.dta Win64/Olmasco.Z trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


Bitdefender log


QuickScan 32-bit v0.9.9.118
---------------------------
Scan date: Mon Sep 10 18:23:56 2012
Machine ID: 74C63F3E

C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll - could not be accessed
--> Process explorer.exe (1444)


No infection found.
-------------------



Processes
---------
Microsoft® Windows® Operating System 3688 C:\WINDOWS\system32\notepad.exe
(verified) Bonjour 1044 C:\Program Files\Bonjour\mDNSResponder.exe
(verified) HP Smart Web Printing 2564 C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
(verified) HpqSRmon Application 2044 C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
(verified) Intel® Common User Interface 1932 C:\WINDOWS\system32\hkcmd.exe
(verified) Intel® Common User Interface 1956 C:\WINDOWS\system32\igfxpers.exe
(verified) Intel® Common User Interface 1916 C:\WINDOWS\system32\igfxtray.exe
(verified) Java™ Platform SE 7 U7 1600 C:\Program Files\Java\jre7\bin\jqs.exe
(verified) Microsoft SQL Server 304 C:\MSSQL7\Binn\sqlservr.exe
(verified) Microsoft® Windows® Operating System 312 C:\Program Files\Windows Media Player\wmpnscfg.exe
(verified) Microsoft® Windows® Operating System 1444 C:\WINDOWS\explorer.exe
(verified) Microsoft® Windows® Operating System 2484 C:\WINDOWS\system32\alg.exe
(verified) Microsoft® Windows® Operating System 616 C:\WINDOWS\system32\csrss.exe
(verified) Microsoft® Windows® Operating System 392 C:\WINDOWS\system32\ctfmon.exe
(verified) Microsoft® Windows® Operating System 696 C:\WINDOWS\system32\lsass.exe
(verified) Microsoft® Windows® Operating System 684 C:\WINDOWS\system32\services.exe
(verified) Microsoft® Windows® Operating System 552 C:\WINDOWS\system32\smss.exe
(verified) Microsoft® Windows® Operating System 1572 C:\WINDOWS\system32\spoolsv.exe
(verified) Microsoft® Windows® Operating System 848 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 876 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 920 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 1320 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 1164 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 1704 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 1144 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 1016 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 976 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 1304 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 464 C:\WINDOWS\system32\wbem\wmiapsrv.exe
(verified) Microsoft® Windows® Operating System 640 C:\WINDOWS\system32\winlogon.exe
(verified) Microsoft® Windows® Operating System 3352 C:\WINDOWS\system32\wscntfy.exe
(verified) MobileDeviceService 1068 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(verified) Multimedia Card Reader 1944 C:\Program Files\Digital Media Reader\shwiconEM.exe
(verified) PowerDVD 1904 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
(verified) PrismXL Software Family 1344 C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
(verified) Windows® Internet Explorer 1384 C:\Program Files\Internet Explorer\iexplore.exe
(verified) Windows® Internet Explorer 1000 C:\Program Files\Internet Explorer\iexplore.exe
(verified) Windows® Internet Explorer 3024 C:\Program Files\Internet Explorer\iexplore.exe


Network activity
----------------
Process sqlservr.exe (304) listens on ports: 1032, 1433 (Microsoft SQL)
Process svchost.exe (920) listens on ports: 135 (RPC)


Autoruns and critical files
---------------------------
(verified) Adobe® Flash® Player Update Service C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
(verified) Apple Push C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe
(verified) Apple Software Update C:\Program Files\Apple Software Update\SoftwareUpdate.exe
(verified) Default Manager C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
(verified) Google Updater C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
(verified) GoogleToolbarNotifier C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
(verified) HpqSRmon Application C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
(verified) Intel® Common User Interface C:\WINDOWS\system32\hkcmd.exe
(verified) Intel® Common User Interface C:\WINDOWS\system32\igfxdev.dll
(verified) Intel® Common User Interface C:\WINDOWS\system32\igfxpers.exe
(verified) Intel® Common User Interface C:\WINDOWS\system32\igfxtray.exe
(verified) iTunes C:\Program Files\iTunes\iTunesHelper.exe
(verified) Java™ Platform SE Auto Updater 2 0 C:\Program Files\Common Files\Java\Java Update\jusched.exe
(verified) Malwarebytes Anti-Malware C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
(verified) Microsoft® Windows® Operating System C:\Program Files\Windows Media Connect 2\WMCCFG.exe
(verified) Microsoft® Windows® Operating System C:\Program Files\Windows Media Player\wmpnscfg.exe
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\BROWSEUI.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\CRYPT32.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\System32\cryptnet.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\cscdll.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\ctfmon.exe
(verified) Microsoft® Windows® Operating System C:\WINDOWS\System32\dimsntfy.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\logonui.exe
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\OOBE\oobebaln.exe
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\sclgntfy.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\SHELL32.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\stobject.dll
(verified) Microsoft® Windows® Operating System c:\windows\system32\userinit.exe
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\WlNotify.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\WPDShServiceObj.dll
(verified) Multimedia Card Reader C:\Program Files\Digital Media Reader\shwiconEM.exe
(verified) PowerDVD C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
(verified) QuickTime C:\Program Files\QuickTime\qttask.exe
(verified) Recguard Application C:\WINDOWS\SMINST\RECGUARD.EXE
(verified) Windows Genuine Advantage C:\WINDOWS\system32\WgaLogon.dll
(verified) Windows® Internet Explorer C:\WINDOWS\system32\msfeedssync.exe
(verified) Windows® Internet Explorer C:\WINDOWS\system32\webcheck.dll
(verified) Windows® Search C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll


Browser plugins
---------------
(unsigned) VLC Web Plugin C:\Program Files\VideoLAN\VLC\npvlc.dll

(verified) Activator C:\WINDOWS\Downloaded Program Files\Activator.dll
(verified) Adobe Acrobat C:\Program Files\Internet Explorer\plugins\nppdf32.dll
(verified) Adobe® Flash® Player ActiveX C:\WINDOWS\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe
(verified) Bitdefender QuickScan C:\WINDOWS\Downloaded Program Files\qsax.dll
(verified) Bonjour C:\Program Files\Bonjour\mdnsNSP.dll
(verified) Facebook Photo Uploader 5 C:\WINDOWS\Downloaded Program Files\ImageUploader5.ocx
(verified) Fast Search C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
(verified) Google Toolbar for Internet Explorer C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
(verified) Google Updater C:\Program Files\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll
(verified) HP Smart Web Printing C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
(verified) Java Deployment Toolkit 7.0.70.11 C:\WINDOWS\system32\npDeployJava1.dll
(verified) Java™ Platform SE 7 U7 C:\Program Files\Java\jre7\bin\jp2ssv.dll
(verified) Java™ Platform SE 7 U7 C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll
(verified) Java™ Platform SE 7 U7 C:\Program Files\Java\jre7\bin\ssv.dll
(verified) Messenger C:\Program Files\Messenger\msmsgs.exe
(verified) MetaStream 3 Plugin C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
(verified) Microsoft® Windows Live Login Helper C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\mswsock.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\System32\winrnr.dll
(verified) npitunes.dll C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
(verified) Panda ActiveScan 2.0 C:\Program Files\Panda Security\ActiveScan 2.0\npwrapper.dll
(verified) Panda ActiveScan 2.0 C:\WINDOWS\Downloaded Program Files\as2stubie.dll
(verified) PrinterBvr C:\WINDOWS\Downloaded Program Files\PrinterBvr.dll
(verified) QuickTime Plug-in 6.5 C:\Program Files\Internet Explorer\plugins\npqtplugin.dll
(verified) QuickTime Plug-in 6.5 C:\Program Files\Internet Explorer\plugins\npqtplugin2.dll
(verified) QuickTime Plug-in 6.5 C:\Program Files\Internet Explorer\plugins\npqtplugin3.dll
(verified) QuickTime Plug-in 6.5 C:\Program Files\Internet Explorer\plugins\npqtplugin4.dll
(verified) QuickTime Plug-in 6.5 C:\Program Files\Internet Explorer\plugins\npqtplugin5.dll
(verified) QuickTime Plug-in 6.5 C:\Program Files\Internet Explorer\plugins\npqtplugin6.dll
(verified) Silverlight Plug-In c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll
(verified) TrendSecure C:\WINDOWS\Downloaded Program Files\TmHCMSMgr.dll
(verified) TrendSecure C:\WINDOWS\Downloaded Program Files\TmHcmsX.ocx
(verified) unagiuninst.exe C:\WINDOWS\Downloaded Program Files\unagiuninst.exe
(verified) Windows Presentation Foundation c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
(verified) Windows® Internet Explorer C:\WINDOWS\system32\IEFRAME.dll


Scan
----
MD5: aea69af0e4f27aaba1a4df66b43179a3 C:\Program Files\VideoLAN\VLC\npvlc.dll
MD5: 2a3748adca7fdb61b58dc9cb3d329e60 C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
MD5: 5e28284f9b5f9097640d58a73d38ad4c C:\WINDOWS\system32\notepad.exe


No file uploaded.

Scan finished - communication took 1 sec
Total traffic - 0.00 MB sent, 0.03 KB recvd
Scanned 673 files and modules - 144 seconds

==============================================================================



Thanks again,

#37
Silas5429
    Member
  • Topic Starter
  • Member
  • 40 posts
Also of another note. I have http://66.129.114.121 and https://66.129.114.121 in my trusted zones. They will not allow me to remove them.

#38
RKinner
    Malware Expert
  • Expert
  • 24,624 posts
  • MVP
Do run MalwareBytes and let it do a quickscan.

I don't see yahoo running so don't worry about it. If you want to get rid of it the free Revo uninstaller should take care of it:
http://www.revounins...e_download.html

I assume when you said "Fixit failed to process" that you mean the one on

http://support.microsoft.com/kb/822798

Go to that page and then click on "Let me fix it myself" and follow the instructions there. Report any errors.

Adobe Acrobat 7.0 is very out of date. I think it has been replaced by Adobe Reader 10.something. Uninstall it and go to adobe.com and get the latest version of Reader.


Copy the text in the code box by highlighting and Ctrl + c

:OTL
O15 - HKCU\..Trusted Domains: 66.129.114.121 ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: 66.129.114.121 ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)

:Commands
[EMPTYFLASH]
[EMPTYJAVA]
[purity]
[Reboot]


then right-click on OTL and select Run As Administrator to start. Under the Custom Scans/Fixes box at the bottom, paste (Ctrl + v) the text. Verify that you got it all and then click the RUN FIX button (NOT THE QUICK SCAN button!) at the top.
Let the program run unhindered, OTL will reboot the PC when it is done.

#39
Silas5429
    Member
  • Topic Starter
  • Member
  • 40 posts
I'm a little confused about the Fixit program. It seems the purpose of running this is to fix the ability to update or download programs? Not sure if updating or downloading is still a problem? Also, sorry, I did update Adobe Reader to 10 before. Just got mixed up in the order (downloaded Reader last). Sorry if that messes up anything. I can rerun. I will move forward with OTL and Malwarebytes.

#40
Silas5429
    Member
  • Topic Starter
  • Member
  • 40 posts
Of course, right as I open my mouth. Malwarebytes corrupted upon update. I am going to try to uninstall/reinstall after working through the Fix it yourself steps again.

Sorry

#41
RKinner
    Malware Expert
  • Expert
  • 24,624 posts
  • MVP
The fixit tries to fix the verification problem that Combofix noticed. Without it working it is hard for a program to verify that its files are intact. Some programs don't check but MBAM does.

#42
Silas5429
    Member
  • Topic Starter
  • Member
  • 40 posts
I was kinda thinking you were going to say something like that. Tonight I am going to try to work through the rest of the steps for Fix it yourself. Tried downloading Malwarebytes to see if I could get it running again, but keep getting a code 5 error. It happens immediately after the install begins. The first few steps on Fix it yourself seem to be OK. Does it benefit to go ahead and run the OTL fix or should I wait until after the other steps?

Thanks again for your time,

#43
RKinner
    Malware Expert
  • Expert
  • 24,624 posts
  • MVP
You can run OTL any time. It just removes sites from your trusted sites.

#44
Silas5429
    Member
  • Topic Starter
  • Member
  • 40 posts
Good evening Ron,

I have a couple of questions. I have not been able to spend much time on the subject the last couple of days but will give as much information as possible. I was able to download Malwarebytes with some errors. However, it did do a quick scan and came up with no errors. Was assuming since I have not completely worked through Fix it yourself, I would not put too much faith in the scan. Also, the OTL fix worked successfully.
I am a little stumped on the Fix it yourself process. Method 3, number 1: "Download the Microsoft product update that you want to install from the Microsoft Download Center..." Not sure which one I should be downloading in my situation. It looks like there are three to work through: Windows files, archive files, and MS-DOS files, and one I am assuming is for Mac files. It also looks to be a little more complicated to work through these methods, so I will do my best to figure through.

Thanks for any help,

Todd

#45
RKinner
    Malware Expert
  • Expert
  • 24,624 posts
  • MVP
I think you can skip method 3 since it is not just Microsoft that is giving you a problem.

Error 5 is a permission error so we might have better luck resetting the permissions:


Download SubInACL.exe

http://www.microsoft...&displaylang=en

By default it installs the tool in C:\Program Files\Windows Resource Kits\Tools\

Please allow it to do so.


Download and Save the attached file, reset.zip, right click on it and Extract all and copy the reset.cmd file to C:\Program Files\Windows Resource Kits\Tools\.
Start, Run, cmd, OK. Type with an Enter after each line:

cd  "\Program Files\Windows Resource Kits\Tools"

reset.cmd


This will take a while to finish. I would reboot when it is done and then try an install.