Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Windows XP Defender Alert Virus [Solved]


  • This topic is locked This topic is locked

#1
nrgeti

nrgeti

    Member

  • Member
  • PipPip
  • 17 posts
My system is running Windows XP Home.

I clicked on a message that was from Fedex but it turned out to be a fake. Now everytime an .EXE file executes, a popup warning appears that says the file is infected with a virus. The virus names are random. During boot, every .exe file pops up a similar message so that by the time Windows has finished there will be dozens of these alert messages on the screen.

I tried Safe Mode but the same problem occurs.

I cannot execute any scanning software, msconfig, regedit, iexplore or any other utility program. I did create an OTLP bootable flash drive and obtained the OTL text file which I have attached.

I have Googled this problem and some answers suggested that this virus has set up a proxy server and to turn it off in LAN settings. But since I cannot run any programs, I cannot get to the Control Panel or Internet Explorer to do it.

I experimented with some of the utilities on the OTLPE desktop and found I need to learn a lot more about them. Some questions:
1. Does the registry editor work on the c:\ drive registry?
2. Can the proxy server be turned off in the registry rather than through the Internet Options menu?
3. I tried to open the Software hive but got blocked by the file is in use message.
4. I ran TDSSkiller but it didn't find anything. It didn't run very long, so I suspect it did not scan the C: drive.
5. How do I use the registy editor? It is very different than Windows regedit. Looks like I would need a lot of learning here. Just enough to fix this virus problem.
6. How would I install scanning software like, Avast, on the c: drive and make it part of the original Windows environment so that I could boot into Windows and scan normally?

Edited by nrgeti, 21 December 2012 - 12:51 AM.

  • 0

Advertisements


#2
Buddierdl

Buddierdl

    Trusted Helper

  • Malware Removal
  • 2,524 posts
Hello and welcome to Geeks to Go. I am sorry that you are having troubles with your computer and will try my best to help you. I know that being infected is very frustrating, but I will be here to help you through the whole process of cleaning. Removing malware can be difficult and complicated and will most likely take many steps, so please stick with me until I have declared your computer clean. I always recommend printing my instructions before following them in case you cannot keep this webpage open. Please be sure to alway follow all steps exactly as they are written and let me know what happens each time. Stop and ask if something unexpected happens or if you are unsure of how to proceed.

Please respect my volunteered time and stay with me until I declare your computer clean. If you are going to be delayed for a while, please let me know.

Please note that I am currently in training as a GeekU Senior. My posts must be reviewed by an instructor, so there may be a slight delay.

Could you please post your OTLPE log for me? I think you forgot in your original post. Please copy & paste it and don't attach it. Please refrain from trying to fix the computer until I provide you with some instructions. Messing with the registry can cause to computer to become unbootable.
  • 0

#3
nrgeti

nrgeti

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
I have cloned the drive so we are free to do anything with it without worrying about damaging it.
I am sorry about the OTL text file. I thought the procedure was to attach files. But here is a cut and past of it:

OTL logfile created on: 12/20/2012 4:07:04 PM - Run
OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 88.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 97.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 148.96 Gb Total Space | 128.73 Gb Free Space | 86.42% Space Free | Partition Type: NTFS
Drive D: | 57.19 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive X: | 3.73 Gb Total Space | 3.33 Gb Free Space | 89.49% Space Free | Partition Type: FAT

Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet002

========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand] -- -- (AppMgmt)
SRV - [2012/11/10 12:14:02 | 000,137,136 | ---- | M] (LogMeIn, Inc.) [Auto] -- C:\Program Files\LogMeIn\x86\RaMaint.exe -- (LMIMaint)
SRV - [2012/11/10 12:13:47 | 000,374,704 | ---- | M] (LogMeIn, Inc.) [Auto] -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe -- (LMIGuardianSvc)
SRV - [2011/09/16 15:10:50 | 000,390,528 | ---- | M] (LogMeIn, Inc.) [Auto] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)
SRV - [2011/09/06 16:45:28 | 000,044,768 | ---- | M] (AVAST Software) [Auto] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2011/09/06 16:45:27 | 000,127,192 | ---- | M] (AVAST Software) [Auto] -- C:\Program Files\AVAST Software\Avast\afwServ.exe -- (avast! Firewall)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand] -- -- (MBAMSwissArmy)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - File not found [Kernel | On_Demand] -- -- (catchme)
DRV - [2012/11/10 12:13:47 | 000,083,912 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled] -- C:\WINDOWS\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2011/09/16 15:10:50 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2011/09/16 15:10:50 | 000,012,856 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo)
DRV - [2011/09/06 16:38:54 | 000,111,320 | ---- | M] (AVAST Software) [Kernel | System] -- C:\WINDOWS\System32\drivers\aswFW.sys -- (aswFW)
DRV - [2011/09/06 16:38:05 | 000,442,200 | ---- | M] (AVAST Software) [File_System | System] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2011/09/06 16:37:53 | 000,320,856 | ---- | M] (AVAST Software) [Kernel | System] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2011/09/06 16:37:39 | 000,195,416 | ---- | M] (AVAST Software) [Kernel | Boot] -- C:\WINDOWS\System32\drivers\aswNdis2.sys -- (aswNdis2)
DRV - [2011/09/06 16:36:38 | 000,034,392 | ---- | M] (AVAST Software) [Kernel | System] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2011/09/06 16:36:36 | 000,052,568 | ---- | M] (AVAST Software) [Kernel | System] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2011/09/06 16:36:23 | 000,110,552 | ---- | M] (AVAST Software) [File_System | Auto] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2011/09/06 16:36:12 | 000,020,568 | ---- | M] (AVAST Software) [File_System | Auto] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2011/09/06 16:33:11 | 000,030,808 | ---- | M] (AVAST Software) [Kernel | System] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2011/09/06 16:10:01 | 000,012,112 | ---- | M] (ALWIL Software) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\aswNdis.sys -- (aswNdis)
DRV - [2007/07/23 14:05:20 | 000,009,104 | ---- | M] (Roxio) [File_System | Auto] -- C:\WINDOWS\system32\drivers\DLADResM.SYS -- (DLADResM)
DRV - [2007/07/23 14:04:58 | 000,037,360 | ---- | M] (Roxio) [File_System | Auto] -- C:\WINDOWS\system32\drivers\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2007/07/23 14:04:56 | 000,098,448 | ---- | M] (Roxio) [File_System | Auto] -- C:\WINDOWS\system32\drivers\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2007/07/23 14:04:56 | 000,093,552 | ---- | M] (Roxio) [File_System | Auto] -- C:\WINDOWS\system32\drivers\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2007/07/23 14:04:54 | 000,027,216 | ---- | M] (Roxio) [File_System | Auto] -- C:\WINDOWS\system32\drivers\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2007/07/23 14:04:52 | 000,032,848 | ---- | M] (Roxio) [File_System | Auto] -- C:\WINDOWS\system32\drivers\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2007/07/23 14:04:52 | 000,016,304 | ---- | M] (Roxio) [File_System | Auto] -- C:\WINDOWS\system32\drivers\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2007/07/23 14:04:50 | 000,108,752 | ---- | M] (Roxio) [File_System | Auto] -- C:\WINDOWS\system32\drivers\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2007/07/23 13:49:44 | 000,030,064 | ---- | M] (Roxio) [File_System | System] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2007/07/23 13:49:44 | 000,014,576 | ---- | M] (Roxio) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2007/06/13 19:41:44 | 004,403,712 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=1080613
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=1080613
IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co...?channel=us-smb
IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...ie=utf8&oe=utf8
IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=1080613
IE - HKU\Administrator_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Gene_Nazzaro_ON_C\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\Gene_Nazzaro_ON_C\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...ie=utf8&oe=utf8
IE - HKU\Gene_Nazzaro_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = https://webmailclust...e=1302033193332
IE - HKU\Gene_Nazzaro_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\Gene_Nazzaro_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>




========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}:6.0.25
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: [email protected]:6.0.1289
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 49333

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pack.google.com/Google Updater;version=14: C:\Program Files\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll (Google)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\AVAST Software\Avast\WebRep\FF [2011/11/08 17:18:30 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/11/01 06:40:55 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/11/08 16:24:08 | 000,000,000 | ---D | M]

[2008/06/18 15:38:25 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Gene Nazzaro\Application Data\Mozilla\Extensions
[2012/12/19 07:24:58 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Gene Nazzaro\Application Data\Mozilla\Firefox\Profiles\wwsr2uct.default\extensions
[2012/12/19 07:24:58 | 000,000,000 | ---D | M] (Mozilla Framework Assistant) -- C:\Documents and Settings\Gene Nazzaro\Application Data\Mozilla\Firefox\Profiles\wwsr2uct.default\extensions\{3b4dec3f-5a05-48ff-9463-5211fc9ece33}
[2012/07/17 09:43:29 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/05/13 10:55:38 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
[2011/11/08 17:18:30 | 000,000,000 | ---D | M] (avast! WebRep) -- C:\PROGRAM FILES\AVAST SOFTWARE\AVAST\WEBREP\FF
[2011/05/13 10:55:28 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/10/04 08:20:34 | 000,043,016 | ---- | M] ( ) -- C:\Program Files\mozilla firefox\plugins\npbasic.dll
[2011/05/13 10:55:26 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2011/11/08 17:24:39 | 000,437,362 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 15069 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll (Google Inc.)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [dsapi] C:\Documents and Settings\Gene Nazzaro\Application Data\dsapi.dll (Donkey)
O4 - HKLM..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe ( )
O4 - HKLM..\Run: [ECenter] C:\dell\E-Center\EULALauncher.exe ( )
O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - HKLM..\Run: [MFNetworkScanUtility] C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT.EXE (CANON INC.)
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [rpneng] C:\Documents and Settings\Gene Nazzaro\Application Data\rpneng.dll (IDT, Inc.)
O4 - HKLM..\Run: [wmdwp] C:\Documents and Settings\Gene Nazzaro\Application Data\wmdwp.dll (SiliconMotion)
O4 - HKU\Gene_Nazzaro_ON_C..\Run: [mmclltva] File not found
O4 - HKU\Gene_Nazzaro_ON_C..\Run: [pcdfsvc] C:\Documents and Settings\All Users\Application Data\pcdfdata\dphqenfb.exe (Корпорация Майкрософт)
O4 - HKU\Gene_Nazzaro_ON_C..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - Startup: C:\Documents and Settings\Gene Nazzaro\Start Menu\Programs\Startup\Scheduler.lnk = C:\Program Files\3B Software\Common\Scheduler\wcomschd.exe (3B Software, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\Administrator_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Gene_Nazzaro_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\Gene_Nazzaro_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\Gene_Nazzaro_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\Gene_Nazzaro_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\LocalService_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\systemprofile_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\LMIinit: DllName - LMIinit.dll - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O24 - Desktop WallPaper:
O24 - Desktop BackupWallPaper:
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 12:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 06:06:42 | 000,000,053 | ---- | M] () - X:\AUTORUN.INF -- [ FAT ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/12/19 08:57:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Adobe
[2012/12/19 08:52:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Macromedia
[2012/12/19 08:52:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\InstallShield
[2012/12/19 08:52:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Identities
[2012/12/19 08:52:10 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Administrator\Application Data\Microsoft
[2012/12/19 08:52:10 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\SendTo
[2012/12/19 08:52:10 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Recent
[2012/12/19 08:52:10 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Application Data
[2012/12/19 08:52:10 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
[2012/12/19 08:52:10 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Start Menu
[2012/12/19 08:52:10 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents\My Videos
[2012/12/19 08:52:10 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents\My Pictures
[2012/12/19 08:52:10 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents\My Music
[2012/12/19 08:52:10 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents
[2012/12/19 08:52:10 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Favorites
[2012/12/19 08:52:10 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories
[2012/12/19 08:52:10 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\Cookies
[2012/12/19 08:52:10 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Templates
[2012/12/19 08:52:10 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\PrintHood
[2012/12/19 08:52:10 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\NetHood
[2012/12/19 08:52:10 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Local Settings
[2012/12/19 08:52:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Sun
[2012/12/19 08:52:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\PowerDVD DX
[2012/12/19 08:52:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\My Google Gadgets
[2012/12/19 08:52:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft
[2012/12/19 08:52:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Google
[2012/12/19 08:52:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop
[2012/12/19 08:52:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Start Menu\Programs\Dell Accessories
[2012/12/19 08:52:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\ApplicationHistory
[2012/12/19 08:52:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe
[2012/12/19 07:30:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\pcdfdata
[2012/12/19 07:25:19 | 000,317,952 | ---- | C] (SiliconMotion) -- C:\Documents and Settings\Gene Nazzaro\Application Data\wmdwp.dll
[2012/12/19 07:24:56 | 000,609,792 | ---- | C] (IDT, Inc.) -- C:\Documents and Settings\Gene Nazzaro\Application Data\rpneng.dll
[2012/12/19 07:24:07 | 000,167,936 | ---- | C] (Donkey) -- C:\Documents and Settings\Gene Nazzaro\Application Data\dsapi.dll
[2012/12/06 13:32:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Gene Nazzaro\My Documents\New Folder (2)
[2012/12/06 13:31:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Gene Nazzaro\My Documents\New Folder
[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/12/20 16:00:32 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/12/20 15:46:20 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/12/20 15:46:08 | 2136,129,536 | -HS- | M] () -- C:\hiberfil.sys
[2012/12/20 14:31:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/12/19 07:50:10 | 000,006,524 | ---- | M] () -- C:\Documents and Settings\Gene Nazzaro\Local Settings\Application Data\3b4dec3f-5a05-48ff-9463-5211fc9ece33.crx
[2012/12/19 07:44:06 | 000,046,257 | ---- | M] () -- C:\Documents and Settings\Gene Nazzaro\Local Settings\Application Data\ufcxcohe
[2012/12/19 07:37:54 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Gene Nazzaro\Application Data\SharedSettings.ccs
[2012/12/19 07:25:20 | 000,317,952 | ---- | M] (SiliconMotion) -- C:\Documents and Settings\Gene Nazzaro\Application Data\wmdwp.dll
[2012/12/19 07:24:58 | 000,609,792 | ---- | M] (IDT, Inc.) -- C:\Documents and Settings\Gene Nazzaro\Application Data\rpneng.dll
[2012/12/19 07:24:07 | 000,167,936 | ---- | M] (Donkey) -- C:\Documents and Settings\Gene Nazzaro\Application Data\dsapi.dll
[2012/12/18 10:28:00 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2012/12/13 03:20:54 | 000,001,832 | ---- | M] () -- C:\Documents and Settings\Gene Nazzaro\Start Menu\Programs\Startup\Scheduler.lnk
[2012/12/13 03:20:41 | 000,091,888 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/12/13 03:04:19 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/12/06 13:04:47 | 001,790,025 | ---- | M] () -- C:\Documents and Settings\Gene Nazzaro\My Documents\Barn Virginia, NCHA Equine Affair, Sean Ryon Saddle 049.jpg
[2012/12/06 13:04:40 | 002,061,666 | ---- | M] () -- C:\Documents and Settings\Gene Nazzaro\My Documents\Barn Virginia, NCHA Equine Affair, Sean Ryon Saddle 047.jpg
[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/12/20 13:58:48 | 2136,129,536 | -HS- | C] () -- C:\hiberfil.sys
[2012/12/19 08:52:11 | 000,001,503 | ---- | C] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Remote Assistance.lnk
[2012/12/19 08:52:11 | 000,000,683 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/12/19 08:52:11 | 000,000,671 | ---- | C] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Internet Explorer.lnk
[2012/12/19 08:52:11 | 000,000,642 | ---- | C] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Outlook Express.lnk
[2012/12/19 08:52:11 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
[2012/12/19 07:44:06 | 000,046,257 | ---- | C] () -- C:\Documents and Settings\Gene Nazzaro\Local Settings\Application Data\ufcxcohe
[2012/12/19 07:37:54 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Gene Nazzaro\Application Data\SharedSettings.ccs
[2012/12/19 07:24:58 | 000,006,524 | ---- | C] () -- C:\Documents and Settings\Gene Nazzaro\Local Settings\Application Data\3b4dec3f-5a05-48ff-9463-5211fc9ece33.crx
[2012/12/06 13:31:34 | 002,061,666 | ---- | C] () -- C:\Documents and Settings\Gene Nazzaro\My Documents\Barn Virginia, NCHA Equine Affair, Sean Ryon Saddle 047.jpg
[2012/12/06 13:31:19 | 001,790,025 | ---- | C] () -- C:\Documents and Settings\Gene Nazzaro\My Documents\Barn Virginia, NCHA Equine Affair, Sean Ryon Saddle 049.jpg
[2012/10/11 16:33:38 | 000,000,545 | ---- | C] () -- C:\WINDOWS\System32\CNCMFP39.INI
[2012/02/15 02:56:58 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/02/15 15:06:10 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/02/15 15:06:10 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/02/15 15:06:10 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/02/15 15:06:10 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/02/15 15:06:10 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/12/16 06:56:43 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2008/06/18 15:38:26 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2008/06/12 19:21:44 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/06/12 19:17:37 | 000,000,234 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/06/12 18:57:01 | 000,077,824 | ---- | C] () -- C:\WINDOWS\setpwr32.exe
[2008/06/12 18:56:53 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4820.dll
[2008/06/12 18:55:35 | 000,001,124 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/08/10 12:12:05 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/10 12:07:31 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/08/10 12:02:15 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/08/10 12:01:18 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/10 11:57:52 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/08/10 11:57:15 | 000,091,888 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/10 11:51:21 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/10 11:51:20 | 000,382,022 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/10 11:51:20 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/10 11:51:20 | 000,053,640 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/10 11:51:20 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/10 11:51:18 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/10 11:51:17 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/10 11:51:16 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/08/10 11:51:12 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/10 11:51:11 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/10 11:51:05 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/10 11:50:56 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin

========== LOP Check ==========

[2008/09/08 14:24:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gene Nazzaro\Application Data\Jetcast
[2011/11/08 17:18:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2012/12/20 09:24:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LogMeIn
[2012/12/19 07:32:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\pcdfdata
[2008/06/12 19:20:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft

========== Purity Check ==========


< End of report >
  • 0

#4
Buddierdl

Buddierdl

    Trusted Helper

  • Malware Removal
  • 2,524 posts
Hi nrgeti,

Let's get started.

Step 1: Run OTLPE fix.

Start OTLPE as you did previously from CD
Copy the attached Fix.txt to a USB

  • Insert your USB drive with fix.txt on it
  • Start OTLPE
  • Drag and drop fix.txt into the Custom scans and fixes box
  • If you cannot drag and drop for some reason. Then press the Run Fix button and a dialogue box will pop up asking for the location - select the file on your USB drive
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done to normal mode if possible

If you can now boot to normal mode, please continue with the steps below. If not, please let me know.

Step 2: Run RogueKiller.

  • Download RogueKiller and save it on your desktop.
  • Quit all programs
  • Start RogueKiller.exe.
  • Wait until Prescan has finished ...
  • Click on Scan

Posted Image

  • Wait for the end of the scan.
  • The report has been created on the desktop.
  • Click on the Delete button.

Posted Image

  • The report has been created on the desktop.

  • Next click on the ShortcutsFix
Posted Image
  • The report has been created on the desktop.

Please post: All RKreport.txt text files located on your desktop.

Step 3: Run MBAM.

Please download Malwarebytes' Anti-Malware
  • Please install the program if it is not already on your computer.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

Step 4: Get a fresh OTL scan. Please follow the directions carefully.

Download OTL to your Desktop
  • Open OTL.
  • Select the button next to "Use SafeList" in the "Extra Registry" box.
  • Select the Scan All Users box in the middle on the top of the window
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:
    createrestorepoint
  • Click the Run Scan button. Post the logs it produces in your next reply.

Things I need in your next reply:

  • OTLPE fix log - it will be located here: C:\_OTL\MovedFiles
  • RogueKiller logs
  • MBAM log
  • OTL log
  • Extras log
  • How is your computer running now? Any more alerts?

Attached Files

  • Attached File  fix.txt   1.29KB   27 downloads

  • 0

#5
nrgeti

nrgeti

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Step1 ran fine. Log file below. I was able to boot normlly afterwards and all alerts are gone.
Step2 was pretty tricky. I finally got on the Internet after finding that the default URL in the IE shortcut had garbage in it. Then I had to use Google to search for a link since your message link was on a different computer. I finally got to the same URL as in your message but it had several advertising buttons making it difficult to find the right one. Too bad these free download sites don't mark these buttons more clearly. I finally downloaded something and got to a French version of RogueKiller and an English version. I think both of them ran one after the other. Anyway I got four log files.
Step3 Failed.
The version of MBAM that was already installed was corrupted and wouldn't start. I downloaded a fresh copy but it wouldn't install. Got an error "An error has occurred. MBAM_ERROR_EXPANDING_VARIABLES(0,453)" Then later another message, "MBAM_ERROR_MISSING_FILE(3,0, mbamswissarmy.sys"
Step4 Did not run.

----------------------------------------------------------------------------------------------------------------------------------------------------
========== OTL ==========
Prefs.js: "127.0.0.1" removed from network.proxy.http
Prefs.js: 49333 removed from network.proxy.http_port
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\dsapi deleted successfully.
C:\Documents and Settings\Gene Nazzaro\Application Data\dsapi.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\rpneng deleted successfully.
C:\Documents and Settings\Gene Nazzaro\Application Data\rpneng.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\wmdwp deleted successfully.
C:\Documents and Settings\Gene Nazzaro\Application Data\wmdwp.dll moved successfully.
Registry value HKEY_USERS\Gene_Nazzaro_ON_C\Software\Microsoft\Windows\CurrentVersion\Run\\mmclltva deleted successfully.
Registry value HKEY_USERS\Gene_Nazzaro_ON_C\Software\Microsoft\Windows\CurrentVersion\Run\\pcdfsvc deleted successfully.
C:\Documents and Settings\All Users\Application Data\pcdfdata\dphqenfb.exe moved successfully.
C:\Documents and Settings\Gene Nazzaro\Local Settings\Application Data\ufcxcohe moved successfully.
C:\Documents and Settings\Gene Nazzaro\Application Data\SharedSettings.ccs moved successfully.
C:\Documents and Settings\Gene Nazzaro\Local Settings\Application Data\3b4dec3f-5a05-48ff-9463-5211fc9ece33.crx moved successfully.
File C:\Documents and Settings\Gene Nazzaro\Local Settings\Application Data\3b4dec3f-5a05-48ff-9463-5211fc9ece33.crx not found.
========== FILES ==========
C:\Documents and Settings\All Users\Application Data\pcdfdata folder moved successfully.

OTLPE by OldTimer - Version 3.1.48.0 log created on 12212012_214040

---------------------------------------------------------------------------------------------------------------------------------------------------
RKreport[1]RogueKiller V8.4.0 [Dec 20 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Gene Nazzaro [Admin rights]
Mode : Scan -- Date : 12/21/2012 22:04:32

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 6 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[SHELLSPWN] HKCU\[...]\command : ("C:\Documents and Settings\All Users\Application Data\pcdfdata\dphqenfb.exe" /ex "%1" %*) -> FOUND
[SHELLSPWN] HKUS\S-1-5-21-1812066080-1557628-3791528719-1006[...]\command : ("C:\Documents and Settings\All Users\Application Data\pcdfdata\dphqenfb.exe" /ex "%1" %*) -> FOUND
[SHELLSPWN] HKCR\[...]\command : ("C:\Documents and Settings\All Users\Application Data\pcdfdata\dphqenfb.exe" /ex "%1" %*) -> FOUND
[FILEASSO] HKCR\[...].exe : (4g) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ Infection : Rogue.AntiSpy-AH ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com
[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3160318AS +++++
--- User ---
[MBR] cb1b67aa08d78a59b552b1d0f81c09f2
[BSP] 486c81004b41ae2795cbf19c82385a01 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 112455 | Size: 152531 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: SanDisk Cruzer USB Device +++++
--- User ---
[MBR] 782afdaff672cb9525a7d88d0e4d40dc
[BSP] 4d3b9263eddcbaad4a20cea867c63403 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT16-LBA (0x0e) [VISIBLE] Offset (sectors): 63 | Size: 3814 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1]_S_12212012_02d2204.txt >>
RKreport[1]_S_12212012_02d2204.txt


------------------------------------------------------------------------------------------------------------------------------------------RogueKiller V8.4.0 [Dec 20 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Gene Nazzaro [Admin rights]
Mode : Remove -- Date : 12/21/2012 22:06:14

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[SHELLSPWN] HKCU\[...]\command : ("C:\Documents and Settings\All Users\Application Data\pcdfdata\dphqenfb.exe" /ex "%1" %*) -> REPLACED ("%1" %*)
[FILEASSO] HKCR\[...].exe : (4g) -> REPLACED (exefile)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ Infection : Rogue.AntiSpy-AH ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com
[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3160318AS +++++
--- User ---
[MBR] cb1b67aa08d78a59b552b1d0f81c09f2
[BSP] 486c81004b41ae2795cbf19c82385a01 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 112455 | Size: 152531 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: SanDisk Cruzer USB Device +++++
--- User ---
[MBR] 782afdaff672cb9525a7d88d0e4d40dc
[BSP] 4d3b9263eddcbaad4a20cea867c63403 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT16-LBA (0x0e) [VISIBLE] Offset (sectors): 63 | Size: 3814 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[2]_D_12212012_02d2206.txt >>

-------------------------------------------------------------------------------------------------------------------------------------------RogueKiller V8.4.0 [Dec 20 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Gene Nazzaro [Admin rights]
Mode : Scan -- Date : 12/21/2012 22:10:33

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com
[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3160318AS +++++
--- User ---
[MBR] cb1b67aa08d78a59b552b1d0f81c09f2
[BSP] 486c81004b41ae2795cbf19c82385a01 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 112455 | Size: 152531 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: SanDisk Cruzer USB Device +++++
--- User ---
[MBR] 782afdaff672cb9525a7d88d0e4d40dc
[BSP] 4d3b9263eddcbaad4a20cea867c63403 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT16-LBA (0x0e) [VISIBLE] Offset (sectors): 63 | Size: 3814 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[3]_S_12212012_02d2210.txt >>

-------------------------------------------------------------------------------------------------------------------------------------------RogueKiller V8.4.0 [Dec 20 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Gene Nazzaro [Admin rights]
Mode : Shortcuts HJfix -- Date : 12/21/2012 22:13:10

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 0 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 14 / Fail 0
Start menu: Success 0 / Fail 0
User folder: Success 75 / Fail 0
My documents: Success 4 / Fail 4
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 143 / Fail 0
Backup: [NOT FOUND]

Drives:
[C:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[D:] \Device\CdRom0 -- 0x5 --> Skipped
[E:] \Device\Harddisk1\DP(1)0-0+4 -- 0x2 --> Restored

Finished : << RKreport[4]_SC_12212012_02d2213.txt >>
  • 0

#6
Buddierdl

Buddierdl

    Trusted Helper

  • Malware Removal
  • 2,524 posts

Step4 Did not run.



Could you please give me a few more details about this? Were you able to download and open the program? Did it freeze during the scan? If so, did you notice what section it was scanning when it froze (info near the bottom of the window)?
  • 0

#7
nrgeti

nrgeti

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
I checked the MBAM forum for a solution. They suggested I remove it using their CLEAN utility. This gave the same error code a number of times but it did finish. Reinstalling MBAM worked and the scan did not turn up any viruses.

Step 4 When I said "Did not run", I meant that I did not try since Step 3 was not finished.

Anyway, I ran OTL for step four. Here is the log file:


-----------------------------------------------------------------------------------------------------------
OTL logfile created on: 12/22/2012 10:09:51 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Gene Nazzaro\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.19 Gb Available Physical Memory | 59.96% Memory free
3.84 Gb Paging File | 3.23 Gb Available in Paging File | 84.13% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 148.96 Gb Total Space | 130.19 Gb Free Space | 87.40% Space Free | Partition Type: NTFS
Drive D: | 57.19 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: D3F11HG1 | User Name: Gene Nazzaro | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/12/22 22:08:55 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Gene Nazzaro\Desktop\OTL.exe
PRC - [2012/11/10 12:14:02 | 000,137,136 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\ramaint.exe
PRC - [2012/11/10 12:13:47 | 000,374,704 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
PRC - [2012/09/29 19:54:26 | 000,981,656 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
PRC - [2011/09/16 15:10:50 | 000,390,528 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe
PRC - [2011/09/16 15:10:50 | 000,063,048 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
PRC - [2011/09/06 16:45:30 | 003,722,416 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2011/09/06 16:45:28 | 000,044,768 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2011/09/06 16:45:27 | 000,127,192 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\afwServ.exe
PRC - [2009/12/14 23:36:56 | 000,484,760 | ---- | M] (CANON INC.) -- C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT.EXE
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/02/26 09:57:28 | 000,128,296 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
PRC - [2007/10/16 01:01:02 | 000,464,240 | ---- | M] (3B Software, Inc.) -- C:\Program Files\3B Software\Common\Scheduler\wcomschd.exe
PRC - [2006/09/11 03:40:30 | 000,992,176 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe


========== Modules (No Company Name) ==========

MOD - [2011/12/08 13:31:17 | 001,645,056 | ---- | M] () -- C:\Program Files\AVAST Software\Avast\defs\11120801\algo.dll
MOD - [2011/12/07 18:32:09 | 000,241,528 | ---- | M] () -- C:\Program Files\AVAST Software\Avast\defs\11120801\aswRep.dll
MOD - [2007/07/23 14:04:46 | 000,068,080 | ---- | M] () -- C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\dlaapi_w.dll


========== Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
SRV - [2012/11/10 12:14:02 | 000,137,136 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\ramaint.exe -- (LMIMaint)
SRV - [2012/11/10 12:13:47 | 000,374,704 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe -- (LMIGuardianSvc)
SRV - [2011/09/16 15:10:50 | 000,390,528 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)
SRV - [2011/09/06 16:45:28 | 000,044,768 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2011/09/06 16:45:27 | 000,127,192 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\afwServ.exe -- (avast! Firewall)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - [2012/12/22 21:33:45 | 000,040,776 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2012/11/10 12:13:47 | 000,083,912 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2011/09/16 15:10:50 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2011/09/16 15:10:50 | 000,012,856 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto | Running] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo)
DRV - [2011/09/06 16:38:54 | 000,111,320 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswFW.sys -- (aswFW)
DRV - [2011/09/06 16:38:05 | 000,442,200 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2011/09/06 16:37:53 | 000,320,856 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2011/09/06 16:37:39 | 000,195,416 | ---- | M] (AVAST Software) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\aswNdis2.sys -- (aswNdis2)
DRV - [2011/09/06 16:36:38 | 000,034,392 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2011/09/06 16:36:36 | 000,052,568 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2011/09/06 16:36:23 | 000,110,552 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2011/09/06 16:36:12 | 000,020,568 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2011/09/06 16:33:11 | 000,030,808 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2011/09/06 16:10:01 | 000,012,112 | ---- | M] (ALWIL Software) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\aswNdis.sys -- (aswNdis)
DRV - [2007/07/23 14:05:20 | 000,009,104 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLADResM.SYS -- (DLADResM)
DRV - [2007/07/23 14:04:58 | 000,037,360 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2007/07/23 14:04:56 | 000,098,448 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2007/07/23 14:04:56 | 000,093,552 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2007/07/23 14:04:54 | 000,027,216 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2007/07/23 14:04:52 | 000,032,848 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2007/07/23 14:04:52 | 000,016,304 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2007/07/23 14:04:50 | 000,108,752 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2007/07/23 13:49:44 | 000,030,064 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2007/07/23 13:49:44 | 000,014,576 | ---- | M] (Roxio) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2007/06/13 19:41:44 | 004,403,712 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=1080613
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=1080613
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1812066080-1557628-3791528719-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKU\S-1-5-21-1812066080-1557628-3791528719-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-1812066080-1557628-3791528719-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...ie=utf8&oe=utf8
IE - HKU\S-1-5-21-1812066080-1557628-3791528719-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKU\S-1-5-21-1812066080-1557628-3791528719-1006\..\SearchScopes,DefaultScope = {1EC9BFFD-DBB6-4A8E-A78F-57E65627449F}
IE - HKU\S-1-5-21-1812066080-1557628-3791528719-1006\..\SearchScopes\{1EC9BFFD-DBB6-4A8E-A78F-57E65627449F}: "URL" = http://www.google.co...&rlz=1I7GPEA_en
IE - HKU\S-1-5-21-1812066080-1557628-3791528719-1006\..\SearchScopes\{2F4C170D-AE32-4E46-A4C9-0BA36B6D887C}: "URL" = http://www.google.co...&rlz=1I7DKUS_en
IE - HKU\S-1-5-21-1812066080-1557628-3791528719-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1812066080-1557628-3791528719-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}:6.0.25
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: [email protected]:6.0.1289
FF - prefs.js..network.proxy.http: ""
FF - prefs.js..network.proxy.http_port: ""
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pack.google.com/Google Updater;version=14: C:\Program Files\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll (Google)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\AVAST Software\Avast\WebRep\FF [2011/11/08 17:18:30 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/11/01 06:40:55 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/11/08 16:24:08 | 000,000,000 | ---D | M]

[2008/06/18 15:38:25 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Gene Nazzaro\Application Data\Mozilla\Extensions
[2012/12/19 07:24:58 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Gene Nazzaro\Application Data\Mozilla\Firefox\Profiles\wwsr2uct.default\extensions
[2012/12/19 07:24:58 | 000,000,000 | ---D | M] (Mozilla Framework Assistant) -- C:\Documents and Settings\Gene Nazzaro\Application Data\Mozilla\Firefox\Profiles\wwsr2uct.default\extensions\{3b4dec3f-5a05-48ff-9463-5211fc9ece33}
[2012/07/17 09:43:29 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/05/13 10:55:38 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
[2011/11/08 17:18:30 | 000,000,000 | ---D | M] (avast! WebRep) -- C:\PROGRAM FILES\AVAST SOFTWARE\AVAST\WEBREP\FF
[2011/05/13 10:55:28 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/10/04 08:20:34 | 000,043,016 | ---- | M] ( ) -- C:\Program Files\mozilla firefox\plugins\npbasic.dll
[2011/05/13 10:55:26 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - homepage: http://www.google.com/
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\15.0.874.106\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Java Deployment Toolkit 6.0.250.6 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U25 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 8.0\Reader\Browser\nppdf32.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\15.0.874.106\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\15.0.874.106\pdf.dll
CHR - plugin: Ringman Plugin for Mozilla (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npbasic.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll
CHR - plugin: Google Updater (Enabled) = C:\Program Files\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin

O1 HOSTS File: ([2011/11/08 17:24:39 | 000,437,362 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 15069 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll (Google Inc.)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe ( )
O4 - HKLM..\Run: [ECenter] C:\dell\E-Center\EULALauncher.exe ( )
O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - HKLM..\Run: [MFNetworkScanUtility] C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT.EXE (CANON INC.)
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKLM..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - Startup: C:\Documents and Settings\Gene Nazzaro\Start Menu\Programs\Startup\Scheduler.lnk = C:\Program Files\3B Software\Common\Scheduler\wcomschd.exe (3B Software, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1812066080-1557628-3791528719-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1812066080-1557628-3791528719-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1812066080-1557628-3791528719-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1812066080-1557628-3791528719-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2CCBAE0F-912E-4C94-849F-2C2CE82C0436}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\LMIinit: DllName - (LMIinit.dll) - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Gene Nazzaro\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Gene Nazzaro\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 12:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-1812066080-1557628-3791528719-1006\...exe [@ = exefile] -- Reg Error: Key error. File not found
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012/12/22 22:08:54 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Gene Nazzaro\Desktop\OTL.exe
[2012/12/22 21:57:53 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Gene Nazzaro\Recent
[2012/12/22 21:57:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\CCleaner
[2012/12/22 21:57:16 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2012/12/22 21:55:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Defraggler
[2012/12/22 21:55:01 | 000,000,000 | ---D | C] -- C:\Program Files\Defraggler
[2012/12/22 21:32:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Gene Nazzaro\Application Data\Malwarebytes
[2012/12/22 21:32:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/12/22 21:32:28 | 000,040,776 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2012/12/22 21:32:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2012/12/22 21:32:26 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/12/22 21:32:26 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/12/21 22:03:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Gene Nazzaro\Desktop\RK_Quarantine
[2012/12/21 21:40:40 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/12/06 13:32:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Gene Nazzaro\My Documents\New Folder (2)
[2012/12/06 13:31:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Gene Nazzaro\My Documents\New Folder
[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/12/22 22:08:55 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Gene Nazzaro\Desktop\OTL.exe
[2012/12/22 21:58:18 | 000,112,888 | ---- | M] () -- C:\Documents and Settings\Gene Nazzaro\My Documents\cc_20121222_215813.reg
[2012/12/22 21:57:18 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2012/12/22 21:55:02 | 000,001,580 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Defraggler.lnk
[2012/12/22 21:33:45 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2012/12/22 21:33:08 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/12/22 21:31:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/12/22 21:29:38 | 000,001,832 | ---- | M] () -- C:\Documents and Settings\Gene Nazzaro\Start Menu\Programs\Startup\Scheduler.lnk
[2012/12/22 21:29:36 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/12/22 21:29:25 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/12/22 21:29:24 | 2136,129,536 | -HS- | M] () -- C:\hiberfil.sys
[2012/12/22 21:29:24 | 000,091,888 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/12/21 22:02:50 | 000,756,224 | ---- | M] () -- C:\Documents and Settings\Gene Nazzaro\Desktop\RogueKiller.exe
[2012/12/18 10:28:00 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2012/12/16 07:23:59 | 000,290,560 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\dllcache\atmfd.dll
[2012/12/16 07:23:59 | 000,290,560 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\atmfd.dll
[2012/12/06 13:04:47 | 001,790,025 | ---- | M] () -- C:\Documents and Settings\Gene Nazzaro\My Documents\Barn Virginia, NCHA Equine Affair, Sean Ryon Saddle 049.jpg
[2012/12/06 13:04:40 | 002,061,666 | ---- | M] () -- C:\Documents and Settings\Gene Nazzaro\My Documents\Barn Virginia, NCHA Equine Affair, Sean Ryon Saddle 047.jpg
[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/12/22 21:58:15 | 000,112,888 | ---- | C] () -- C:\Documents and Settings\Gene Nazzaro\My Documents\cc_20121222_215813.reg
[2012/12/22 21:57:18 | 000,000,682 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2012/12/22 21:55:02 | 000,001,580 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Defraggler.lnk
[2012/12/22 21:33:08 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/12/21 22:02:47 | 000,756,224 | ---- | C] () -- C:\Documents and Settings\Gene Nazzaro\Desktop\RogueKiller.exe
[2012/12/20 13:58:48 | 2136,129,536 | -HS- | C] () -- C:\hiberfil.sys
[2012/12/06 13:31:34 | 002,061,666 | ---- | C] () -- C:\Documents and Settings\Gene Nazzaro\My Documents\Barn Virginia, NCHA Equine Affair, Sean Ryon Saddle 047.jpg
[2012/12/06 13:31:19 | 001,790,025 | ---- | C] () -- C:\Documents and Settings\Gene Nazzaro\My Documents\Barn Virginia, NCHA Equine Affair, Sean Ryon Saddle 049.jpg
[2012/10/11 16:33:38 | 000,000,545 | ---- | C] () -- C:\WINDOWS\System32\CNCMFP39.INI
[2012/02/15 02:56:58 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/02/15 15:06:10 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/02/15 15:06:10 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/02/15 15:06:10 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/02/15 15:06:10 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/02/15 15:06:10 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe

========== ZeroAccess Check ==========

[2004/08/10 12:09:48 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\Shdocvw.dll -- [2010/12/20 17:15:52 | 001,510,400 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 07:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2008/04/13 19:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

< End of report >

Edited by nrgeti, 22 December 2012 - 09:26 PM.

  • 0

#8
Buddierdl

Buddierdl

    Trusted Helper

  • Malware Removal
  • 2,524 posts
Did you get an extras.txt log too?

If you didn't, could you please run another OTL scan, noting especially the steps marked in red.


Open OTL
  • Select the button next to "Use SafeList" in the "Extra Registry" box.
  • Select the Scan All Users box in the middle on the top of the window
  • Click the Run Scan button. Post the log it produces in your next reply.

  • 0

#9
nrgeti

nrgeti

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
I also ran MBAM full scan and found two viruses. The extras.txt is below.

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.12.22.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 7.0.5730.13
Gene Nazzaro :: D3F11HG1 [administrator]

12/22/2012 9:59:46 PM
mbam-log-2012-12-22 (21-59-46).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 255452
Time elapsed: 29 minute(s), 51 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\System Volume Information\_restore{C1C61695-B4D5-4C92-8C16-C45AE1D36A88}\RP88\A0030445.exe (Backdoor.Bredolab) -> Quarantined and deleted successfully.
C:\_OTL\MovedFiles\12212012_214040\C_Documents and Settings\All Users\Application Data\pcdfdata\dphqenfb.exe (Trojan.LameShield) -> Quarantined and deleted successfully.

(end)


OTL Extras logfile created on: 12/22/2012 10:09:51 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Gene Nazzaro\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.19 Gb Available Physical Memory | 59.96% Memory free
3.84 Gb Paging File | 3.23 Gb Available in Paging File | 84.13% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 148.96 Gb Total Space | 130.19 Gb Free Space | 87.40% Space Free | Partition Type: NTFS
Drive D: | 57.19 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: D3F11HG1 | User Name: Gene Nazzaro | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-1812066080-1557628-3791528719-1006\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe" = C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe:*:Enabled:CyberLink PowerDVD DX -- (CyberLink Corp.)
"C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" = C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe:*:Enabled:CyberLink PowerDVD DX Resident Program -- (CyberLink Corp.)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe" = C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe:*:Enabled:CyberLink PowerDVD DX -- (CyberLink Corp.)
"C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" = C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe:*:Enabled:CyberLink PowerDVD DX Resident Program -- (CyberLink Corp.)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0394CDC8-FABD-4ED8-B104-03393876DFDF}" = Roxio Creator Tools
"{07159635-9DFE-4105-BFC0-2817DB540C68}" = Roxio Activation Module
"{0D397393-9B50-4C52-84D5-77E344289F87}" = Roxio Creator Data
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216025FF}" = Java™ 6 Update 25
"{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}" = Roxio Drag-to-Disc
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{47C39213-7CE2-4eb0-A112-11671C0072A0}" = Canon MF5900 Series
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{5A3C1721-F8ED-11E0-8AFB-B8AC6F97B88E}" = Google Earth
"{619CDD8A-14B6-43A1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{62230596-37E5-4618-A329-0D21F529A86F}" = Browser Address Error Redirector
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{6767DFEE-8909-453A-B553-C7693912B2EB}" = Canon MF Toolbox 4.9.1.1.mf12
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{777CA40C-0206-4EF6-A0FC-618BF06BF8D0}" = Intel® PRO Network Connections 12.1.8.0
"{83FFCFC7-88C6-41C6-8752-958A45325C82}" = Roxio Creator Audio
"{860B8100-3F1D-11D5-AF7D-000103C547E7}" = Auction Client
"{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}" = Roxio Creator BDAV Plugin
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}" = Sonic CinePlayer Decoder Pack
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A83000000003}" = Adobe Reader 8.3.1
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator DE
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{E217A3D4-2FF9-4D5F-9C20-1386E0FF9864}" = LogMeIn
"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Auction Client" = Auction Client
"avast" = avast! Internet Security
"CCleaner" = CCleaner
"CleanUp!" = CleanUp!
"Country Carpenters Screen Saver_is1" = Country Carpenters Screen Saver
"Defraggler" = Defraggler
"Google Desktop" = Google Desktop
"Google Updater" = Google Updater
"HDMI" = Intel® Graphics Media Accelerator Driver
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"Jetcast" = Jetcast 1.1.1
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.65.1.1000
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Mozilla Firefox (3.0.19)" = Mozilla Firefox (3.0.19)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSNINST" = MSN
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Registry Repair Pro_is1" = Registry Repair Pro
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 7/4/2012 3:19:36 PM | Computer Name = D3F11HG1 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.17110, faulting
module sdhelper.dll, version 1.6.2.14, fault address 0x000051a0.

Error - 7/7/2012 12:59:26 PM | Computer Name = D3F11HG1 | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 7/7/2012 12:59:26 PM | Computer Name = D3F11HG1 | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 8/16/2012 11:34:19 AM | Computer Name = D3F11HG1 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.17112, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 12/13/2012 6:52:40 PM | Computer Name = D3F11HG1 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.17115, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 12/19/2012 9:21:12 AM | Computer Name = D3F11HG1 | Source = Application Error | ID = 1000
Description = Faulting application dphqenfb.exe, version 5.1.2600.5512, faulting
module unknown, version 0.0.0.0, fault address 0x00ac9858.

Error - 12/19/2012 9:21:20 AM | Computer Name = D3F11HG1 | Source = Application Error | ID = 1000
Description = Faulting application dphqenfb.exe, version 5.1.2600.5512, faulting
module unknown, version 0.0.0.0, fault address 0x00ac9858.

Error - 12/19/2012 9:21:24 AM | Computer Name = D3F11HG1 | Source = Application Error | ID = 1000
Description = Faulting application dphqenfb.exe, version 5.1.2600.5512, faulting
module unknown, version 0.0.0.0, fault address 0x00ac9858.

[ System Events ]
Error - 12/20/2012 12:07:46 AM | Computer Name = D3F11HG1 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 12/20/2012 12:08:35 AM | Computer Name = D3F11HG1 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 12/20/2012 10:31:11 AM | Computer Name = D3F11HG1 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 12/20/2012 10:32:29 AM | Computer Name = D3F11HG1 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Aavmker4 aswSnx aswSP aswTdi Fips intelppm

Error - 12/20/2012 10:32:59 AM | Computer Name = D3F11HG1 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 12/20/2012 10:32:59 AM | Computer Name = D3F11HG1 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 12/20/2012 10:55:01 AM | Computer Name = D3F11HG1 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 12/20/2012 11:10:56 AM | Computer Name = D3F11HG1 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 12/20/2012 11:12:15 AM | Computer Name = D3F11HG1 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Aavmker4 aswSnx aswSP aswTdi Fips intelppm

Error - 12/20/2012 1:30:49 PM | Computer Name = D3F11HG1 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}


< End of report >
  • 0

#10
Buddierdl

Buddierdl

    Trusted Helper

  • Malware Removal
  • 2,524 posts
Hi ngreti,

I also ran MBAM full scan and found two viruses.


Please don't run scans on your own, as sometimes they can have unwanted results (In this case we ruined a restore point, which could have been used if we ran into bad trouble).

Note: I noticed a couple of registry cleaning programs on your computer (Registry Repair Pro, CCleaner). I would strongly recommend not using the registry cleaning features of these programs because they really don't provide any advantage to your computer as far as performance, and they can possibly cause your computer to become unbootable.

Run ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

  • Please go here then click on: Posted Image

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: Posted Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is Not checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Posted Image
  • The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically. The scan may take several hours.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Posted Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!
  • 0

Advertisements


#11
nrgeti

nrgeti

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Here is the eset log

[email protected] as CAB hook log:
OnlineScanner.ocx - registred OK
# version=8
# iexplore.exe=7.00.6000.17115 (vista_gdr.121029-1623)
# OnlineScanner.ocx=1.0.0.6844
# api_version=3.0.2
# EOSSerial=30c70a54a6adff4ebaadda03fa947486
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-12-24 08:15:30
# local_time=2012-12-24 03:15:30 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# scanned=57405
# found=6
# cleaned=0
# scan_time=1486
C:\Documents and Settings\Gene Nazzaro\Application Data\Mozilla\Firefox\Profiles\wwsr2uct.default\extensions\{3b4dec3f-5a05-48ff-9463-5211fc9ece33}\chrome\content\browser.xul JS/Redirector.NCL trojan (unable to clean) 4F82F7C847C33B8410E2FEB38D94BB8E3084A438 I
C:\Documents and Settings\Gene Nazzaro\Application Data\Sun\Java\Deployment\cache\6.0\13\5149e84d-36e34b28 a variant of Java/Exploit.CVE-2010-0844.A trojan (unable to clean) DF260ED5526F4D09B82CD9E8A8B1C97C3DE2DFE9 I
C:\_OTL\MovedFiles\12212012_214040\C_Documents and Settings\Gene Nazzaro\Application Data\dsapi.dll a variant of Win32/Medfos.HB trojan (unable to clean) F39B9014FCFC00A6FDABCB5B1F76A2A933B03D50 I
C:\_OTL\MovedFiles\12212012_214040\C_Documents and Settings\Gene Nazzaro\Application Data\rpneng.dll a variant of Win32/Medfos.HA trojan (unable to clean) 55D89F9085EACAD1AEAB5963DADAEA4DF8664866 I
C:\_OTL\MovedFiles\12212012_214040\C_Documents and Settings\Gene Nazzaro\Application Data\wmdwp.dll a variant of Win32/Medfos.HA trojan (unable to clean) 7D8F76CA45A812EDCFF201182163961829BAD306 I
C:\_OTL\MovedFiles\12212012_214040\C_Documents and Settings\Gene Nazzaro\Local Settings\Application Data\3b4dec3f-5a05-48ff-9463-5211fc9ece33.crx JS/Redirector.NCG trojan (unable to clean) 209F99F18444507FEDF395566FEE66E9E47269B0 I
  • 0

#12
nrgeti

nrgeti

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Buddierdl,
So far I have not received a final reply to this operation. Am I good to go or should I resume my own scans to wrap up?

Nicholas
  • 0

#13
Buddierdl

Buddierdl

    Trusted Helper

  • Malware Removal
  • 2,524 posts
Nicholas,

I'm so sorry about taking so long. I have some instructions pending the approval of my instructor now. We are just about finished. The holidays have kind of slowed things down. I should have some more instructions for you sometime today. Posted Image
  • 0

#14
Buddierdl

Buddierdl

    Trusted Helper

  • Malware Removal
  • 2,524 posts
Hi ngreti,

Let's get rid of those last few remnants.

Start OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTL
    
    [2012/12/19 07:24:58 | 000,000,000 | ---D | M] (Mozilla Framework Assistant) -- C:\Documents and Settings\Gene Nazzaro\Application Data\Mozilla\Firefox\Profiles\wwsr2uct.default\extensions\{3b4dec3f-5a05-48ff-9463-5211fc9ece33}
    
    :Commands
    [emptytemp]
  • Then click the Run Fix button at the top
  • Let the program run unhindered.
  • Post the log it produces in your next reply.

Also, let me know if there are any outstanding problem with or questions about your computer.
  • 0

#15
nrgeti

nrgeti

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
I am very impressed that you were able to fix this problem. When a virus takes over a computer and doesn't leave any way to install scanning tools, I am lost. I was ready to wipe the drive and start over but doing that is always a very traumatic process and takes a very long time. I usually do not get everything restored right away and only discover missing things much later.

How does GeeksToGo make money to survive? I can't imagine that you can do all this work for free.
I don't see any more problems with this computer but I have a laptop with a strange issue. Shall I start another thread?

The final OTL log below.
All processes killed
========== OTL ==========
C:\Documents and Settings\Gene Nazzaro\Application Data\Mozilla\Firefox\Profiles\wwsr2uct.default\extensions\{3b4dec3f-5a05-48ff-9463-5211fc9ece33}\chrome\content folder moved successfully.
C:\Documents and Settings\Gene Nazzaro\Application Data\Mozilla\Firefox\Profiles\wwsr2uct.default\extensions\{3b4dec3f-5a05-48ff-9463-5211fc9ece33}\chrome folder moved successfully.
C:\Documents and Settings\Gene Nazzaro\Application Data\Mozilla\Firefox\Profiles\wwsr2uct.default\extensions\{3b4dec3f-5a05-48ff-9463-5211fc9ece33} folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 32654 bytes
->Temporary Internet Files folder emptied: 680986 bytes
->Flash cache emptied: 41 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41 bytes

User: Gene Nazzaro
->Temp folder emptied: 61333635 bytes
->Temporary Internet Files folder emptied: 15527765 bytes
->Java cache emptied: 95029 bytes
->FireFox cache emptied: 70804372 bytes
->Google Chrome cache emptied: 85354774 bytes
->Flash cache emptied: 703 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 4532241 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 22220366 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 102243201 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 346.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 12282012_105228

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP