
w32.koobface.A, Trojan.FakeAV and Win32.Netsky


This topic is locked.

#1 mutex (Member, 16 posts)

Trying to help another friend with Symantec AV. He was getting a million error messages about an encrypted email and WIN32.Netsky and his AV would start another scan with each message.

I booted to Safe Mode and ran a scan with his AV which found and quarantined w32.koobface.A and Trojan.FakeAV. There was still all kinds of junk loading in the registry (via msconfig) but regedit was disabled as was the ability to show hidden files and folders. I ran TFC and then a quick scan with Malwarebytes. The first scan found 45 items and said it fixed them all. The 2nd scan found nothing. I then rebooted into normal mode but still had the error messages. I shut down Windows, disconnected the network cable and rebooted and the error messages went away. I then ran OTL in normal mode (please see the attached log file). I then plugged the network cable back in and had Internet access. At that point I may have rebooted but the next thing I knew I had lost Internet access. When I tried to check the properties of the network connection I got a message about an unknown error. I tried resetting the router and the cable modem and repairing the network connection. Nothing helped so I decided to uninstall and reinstall the network adaptor. Now I can't get the adaptor to install properly. It has a yellow exclamation point on it in device manager and says it isn't configured properly.

Anyway, if someone could check out the OTL log file and let me know where I stand it would be great!

Thanks.

Attached file: OTL.Txt (83.1KB)



#2 Rorschach112 (Retired Staff, 47,710 posts)

post the log, don't attach it

#3 mutex (Topic Starter, Member, 16 posts)

OTL logfile created on: 1/4/2010 6:05:55 PM - Run 1
OTL by OldTimer - Version 3.1.10.1 Folder = C:\Documents and Settings\quote_admin\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

502.04 Mb Total Physical Memory | 97.58 Mb Available Physical Memory | 19.44% Memory free
1.19 Gb Paging File | 0.75 Gb Available in Paging File | 63.02% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 70.93 Gb Total Space | 56.05 Gb Free Space | 79.03% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: QUOTE
Current User Name: randy
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/11/25 20:40:09 | 00,531,456 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\quote_admin\Desktop\OTL.exe
PRC - [2009/05/21 10:34:07 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/05/21 10:34:05 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2008/04/13 18:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/08/29 09:55:54 | 01,347,584 | ---- | M] (AWS Convergence Technologies, Inc.) -- C:\Program Files\AWS\WeatherBug\Weather.exe
PRC - [2007/06/25 08:17:35 | 00,068,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2006/10/18 19:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe
PRC - [2006/07/11 18:04:42 | 00,015,872 | ---- | M] ( ) -- c:\Program Files\Lenovo\System Update\SUService.exe
PRC - [2006/06/23 13:41:53 | 00,098,304 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxtray.exe
PRC - [2006/06/23 13:40:51 | 00,081,920 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxpers.exe
PRC - [2006/04/18 11:05:00 | 00,073,728 | ---- | M] (Lenovo Group Limited) -- C:\WINDOWS\system32\IPSSVC.EXE
PRC - [2006/03/28 05:00:56 | 00,946,176 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
PRC - [2004/03/12 15:18:32 | 00,124,128 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2004/03/12 15:17:46 | 01,221,864 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2004/03/12 15:17:10 | 00,029,928 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2004/02/29 16:44:54 | 00,242,808 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2004/02/29 16:44:48 | 00,255,096 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2004/02/29 16:44:46 | 00,066,680 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe


========== Modules (SafeList) ==========

MOD - [2009/11/25 20:40:09 | 00,531,456 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\quote_admin\Desktop\OTL.exe
MOD - [2008/04/13 18:12:51 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
MOD - [2008/04/13 18:11:53 | 00,185,344 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\framedyn.dll
MOD - [2006/04/18 11:05:00 | 00,086,016 | ---- | M] (Lenovo Group Limited) -- C:\WINDOWS\system32\PROCHLP.DLL


========== Win32 Services (SafeList) ==========

SRV - [2009/05/21 10:34:05 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/03/21 11:43:01 | 00,183,280 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2008/07/29 20:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0)
SRV - [2008/07/25 10:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2008/07/25 10:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state)
SRV - [2008/04/13 18:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll -- (helpsvc)
SRV - [2008/03/06 15:19:44 | 00,313,840 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe -- (RoxLiveShare9)
SRV - [2008/03/06 15:19:44 | 00,170,480 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe -- (RoxWatch9)
SRV - [2008/03/06 15:19:40 | 01,108,464 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe -- (RoxMediaDB9)
SRV - [2007/12/06 22:20:56 | 00,088,560 | ---- | M] (Sonic Solutions) -- C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe -- (Roxio UPnP Renderer 9)
SRV - [2007/12/06 22:20:52 | 00,362,992 | ---- | M] (Sonic Solutions) -- C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe -- (Roxio Upnp Server 9)
SRV - [2007/10/11 10:17:53 | 00,079,360 | ---- | M] (SolidWorks) -- C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe -- (SolidWorks Licensing Service)
SRV - [2006/10/18 19:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc)
SRV - [2006/07/11 18:04:42 | 00,015,872 | ---- | M] ( ) -- c:\Program Files\Lenovo\System Update\SUService.exe -- (SUService)
SRV - [2006/07/11 17:52:52 | 00,023,552 | ---- | M] () -- C:\WINDOWS\system32\psasrv.exe -- (PsaSrv)
SRV - [2006/04/18 11:05:00 | 00,073,728 | ---- | M] (Lenovo Group Limited) -- C:\WINDOWS\system32\IPSSVC.EXE -- (IPSSVC)
SRV - [2006/03/28 05:00:56 | 00,946,176 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe -- (TVT Scheduler)
SRV - [2004/10/22 04:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2004/03/12 15:18:06 | 00,169,192 | ---- | M] (symantec) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2004/03/12 15:17:46 | 01,221,864 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2004/03/12 15:17:10 | 00,029,928 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2004/03/11 14:58:32 | 00,193,760 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2004/02/29 16:44:54 | 00,242,808 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2004/02/29 16:44:52 | 00,087,160 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe -- (ccPwdSvc)
SRV - [2004/02/29 16:44:48 | 00,255,096 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...m...tf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

FF - HKLM\software\mozilla\Firefox\extensions\\[email protected]: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/02/10 13:24:46 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/07/17 02:00:25 | 00,000,000 | ---D | M]


O1 HOSTS File: (765 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 localhost.ask.com
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (Google Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (&Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O3 - HKLM\..\Toolbar: (WeatherBug Browser Bar - powered by MyWebSearch) - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL (My Web Search)
O3 - HKCU\..\Toolbar\WebBrowser: (&Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (WeatherBug Browser Bar - powered by MyWebSearch) - {8EAB99C9-F9EC-4B64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL (My Web Search)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe (Sonic Solutions)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKCU..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe (AWS Convergence Technologies, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe (Research In Motion Limited)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogOff = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSimpleStartMenu = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispAppearancePage = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispScrSavPage = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableProfileQuota = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: System Update - {DA320635-F48C-4613-8325-D75A933C549E} - C:\Program Files\Lenovo\System Update\sulauncher.exe ()
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - File not found
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1163654922703 (WUWebControl Class)
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} file:///C:/Program%20Files/AutoCAD%202002/AcDcToday.ocx (AcDcToday Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} file:///C:/Program%20Files/AutoCAD%202002/InstBanr.ocx (NOXLATE-BANR)
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} file:///C:/Program%20Files/AutoCAD%202002/InstFred.ocx (InstaFred)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} file:///C:/Program%20Files/AutoCAD%202002/AcPreview.ocx (AcPreview Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.115.71.53 24.196.64.53 24.159.193.40
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AwayNotify: DllName - C:\Program Files\Lenovo\AwayTask\AwayNotify.dll - C:\Program Files\Lenovo\AwayTask\AwayNotify.dll (Lenovo Group Limited)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/02/12 19:37:57 | 00,000,047 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{530d4112-fff6-11dc-8cbc-00016c90aa36}\Shell\AutoRun\command - "" = E:\setupSNK.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

========== Files/Folders - Created Within 14 Days ==========

[2010/01/04 17:12:55 | 00,000,000 | ---D | C] -- C:\Documents and Settings\quote_admin\Application Data\Malwarebytes
[2010/01/04 17:12:49 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/04 17:12:46 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/04 17:12:46 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/01/04 17:12:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/01/04 17:04:34 | 00,341,504 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\quote_admin\Desktop\TFC.exe
[2010/01/04 17:04:17 | 04,045,536 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\quote_admin\Desktop\mbam-setup.exe
[2010/01/04 17:04:12 | 00,531,456 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\quote_admin\Desktop\OTL.exe
[2010/01/04 15:02:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\quote_admin\Local Settings\Application Data\scgecm
[2010/01/04 15:01:32 | 00,024,064 | ---- | C] (TJbFla) -- C:\WINDOWS\System32\winupdate86.exe
[2010/01/04 15:01:32 | 00,024,064 | ---- | C] (TJbFla) -- C:\WINDOWS\System32\winlogon86.exe
[2010/01/04 15:01:29 | 00,024,064 | ---- | C] (TJbFla) -- C:\khkil.exe
[2010/01/04 12:04:23 | 00,000,000 | ---D | C] -- C:\Documents and Settings\quote_admin\My Documents\2009 deer pics

========== Files - Modified Within 14 Days ==========

[2010/01/04 18:08:28 | 00,767,488 | ---- | M] () -- C:\WINDOWS\System32\drivers\doiuze.sys
[2010/01/04 18:02:56 | 00,009,954 | ---- | M] () -- C:\WINDOWS\System32\PROCDB.INI
[2010/01/04 18:02:54 | 00,002,278 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/04 18:02:12 | 00,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/01/04 18:02:01 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/04 18:01:55 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/04 18:01:52 | 52,649,9840 | -HS- | M] () -- C:\hiberfil.sys
[2010/01/04 18:01:06 | 05,242,880 | ---- | M] () -- C:\Documents and Settings\quote_admin\NTUSER.DAT
[2010/01/04 18:01:06 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\quote_admin\ntuser.ini
[2010/01/04 18:01:03 | 03,712,656 | -H-- | M] () -- C:\Documents and Settings\quote_admin\Local Settings\Application Data\IconCache.db
[2010/01/04 17:44:16 | 00,000,603 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/01/04 17:44:16 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/01/04 17:44:16 | 00,000,211 | RHS- | M] () -- C:\boot.ini
[2010/01/04 17:25:35 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\41.exe
[2010/01/04 17:25:34 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\AVR10.exe
[2010/01/04 17:25:31 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\winhelper86.dll
[2010/01/04 17:12:52 | 00,000,705 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/04 16:58:42 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\26500.exe
[2010/01/04 16:38:42 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\6334.exe
[2010/01/04 16:18:42 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\18467.exe
[2010/01/04 15:55:16 | 00,000,256 | ---- | M] () -- C:\WINDOWS\System32\pool.bin
[2010/01/04 15:16:03 | 00,002,521 | ---- | M] () -- C:\Documents and Settings\quote_admin\Desktop\Microsoft Outlook 2003.lnk
[2010/01/04 15:06:42 | 00,002,954 | ---- | M] () -- C:\WINDOWS\System32\t1p0_729068707099.b1k
[2010/01/04 15:06:31 | 00,002,954 | ---- | M] () -- C:\WINDOWS\System32\t1p0_35369478725.b1k
[2010/01/04 15:06:10 | 00,002,954 | ---- | M] () -- C:\WINDOWS\System32\t1p0_692073889395.b1k
[2010/01/04 15:02:09 | 00,029,184 | ---- | M] () -- C:\WINDOWS\System32\bwsb.gio
[2010/01/04 15:01:40 | 00,626,688 | ---- | M] () -- C:\WINDOWS\System32\ntll.dll
[2010/01/04 15:01:35 | 00,000,001 | ---- | M] () -- C:\s
[2010/01/04 15:01:32 | 00,174,080 | ---- | M] () -- C:\qfhtgw.exe
[2010/01/04 15:01:32 | 00,015,000 | ---- | M] () -- C:\WINDOWS\System32\yutojjos8.dll
[2010/01/04 15:01:30 | 00,024,064 | ---- | M] (TJbFla) -- C:\WINDOWS\System32\winupdate86.exe
[2010/01/04 15:01:30 | 00,024,064 | ---- | M] (TJbFla) -- C:\WINDOWS\System32\winlogon86.exe
[2010/01/04 15:01:30 | 00,024,064 | ---- | M] (TJbFla) -- C:\khkil.exe
[2010/01/04 12:01:00 | 00,893,233 | ---- | M] () -- C:\Documents and Settings\quote_admin\My Documents\DSCN0163.JPG

========== Files Created - No Company Name ==========

[2010/01/04 18:01:52 | 52,649,9840 | -HS- | C] () -- C:\hiberfil.sys
[2010/01/04 17:44:16 | 00,001,750 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk
[2010/01/04 17:12:52 | 00,000,705 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/04 17:05:32 | 03,575,028 | ---- | C] () -- C:\Documents and Settings\quote_admin\Desktop\ComboFix.exe
[2010/01/04 16:58:42 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\26500.exe
[2010/01/04 16:38:42 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\6334.exe
[2010/01/04 16:18:42 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\18467.exe
[2010/01/04 15:06:42 | 00,002,954 | ---- | C] () -- C:\WINDOWS\System32\t1p0_729068707099.b1k
[2010/01/04 15:06:31 | 00,002,954 | ---- | C] () -- C:\WINDOWS\System32\t1p0_35369478725.b1k
[2010/01/04 15:06:10 | 00,002,954 | ---- | C] () -- C:\WINDOWS\System32\t1p0_692073889395.b1k
[2010/01/04 15:05:39 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\41.exe
[2010/01/04 15:05:38 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\AVR10.exe
[2010/01/04 15:05:37 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\winhelper86.dll
[2010/01/04 15:03:09 | 00,029,184 | ---- | C] () -- C:\WINDOWS\System32\bwsb.gio
[2010/01/04 15:01:58 | 00,767,488 | ---- | C] () -- C:\WINDOWS\System32\drivers\doiuze.sys
[2010/01/04 15:01:40 | 00,626,688 | ---- | C] () -- C:\WINDOWS\System32\ntll.dll
[2010/01/04 15:01:35 | 00,000,001 | ---- | C] () -- C:\s
[2010/01/04 15:01:32 | 00,015,000 | ---- | C] () -- C:\WINDOWS\System32\yutojjos8.dll
[2010/01/04 15:01:28 | 00,174,080 | ---- | C] () -- C:\qfhtgw.exe
[2010/01/04 12:02:58 | 00,893,233 | ---- | C] () -- C:\Documents and Settings\quote_admin\My Documents\DSCN0163.JPG
[2009/09/09 12:24:58 | 00,012,244 | ---- | C] () -- C:\WINDOWS\MSUMLT_Y.INI
[2009/07/14 07:28:54 | 00,019,028 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\sumuc.dl
[2009/07/14 07:28:54 | 00,016,435 | ---- | C] () -- C:\Documents and Settings\quote_admin\Application Data\ewyvan.xxx
[2009/07/14 07:28:54 | 00,016,389 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\diqokyji.bat
[2009/07/14 07:28:54 | 00,015,851 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\xoku._dl
[2009/07/14 07:28:54 | 00,014,521 | ---- | C] () -- C:\Program Files\Common Files\asymanave.exe
[2009/07/14 07:28:54 | 00,014,135 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ticocun.ban
[2009/07/14 07:28:54 | 00,010,197 | ---- | C] () -- C:\Documents and Settings\quote_admin\Application Data\hyguxejxxx.pif
[2008/07/25 12:53:52 | 00,001,739 | ---- | C] () -- C:\WINDOWS\cutgshop.INI
[2008/07/25 12:47:54 | 00,004,572 | ---- | C] () -- C:\WINDOWS\plot32.ini
[2008/07/25 12:47:53 | 00,811,090 | ---- | C] () -- C:\WINDOWS\System32\PlotLineRToV.dll
[2008/07/25 12:47:53 | 00,274,504 | ---- | C] () -- C:\WINDOWS\System32\Cadlib32d.dll
[2008/07/25 12:47:53 | 00,102,400 | ---- | C] () -- C:\WINDOWS\System32\optlibd.dll
[2008/07/25 12:47:53 | 00,081,920 | ---- | C] () -- C:\WINDOWS\System32\Plotdll.dll
[2008/07/25 12:47:53 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\Spin32.dll
[2008/07/25 12:47:53 | 00,049,152 | ---- | C] () -- C:\WINDOWS\System32\sortpoly.dll
[2008/07/25 12:47:53 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\builddlg.dll
[2007/10/11 10:17:52 | 00,000,000 | ---- | C] () -- C:\WINDOWS\eDrawingOfficeAutomator.INI
[2007/01/03 11:08:49 | 00,000,313 | ---- | C] () -- C:\WINDOWS\BRDIAG.INI
[2007/01/03 11:08:49 | 00,000,146 | ---- | C] () -- C:\WINDOWS\BRVIDEO.INI
[2007/01/03 11:08:49 | 00,000,023 | ---- | C] () -- C:\WINDOWS\Brownie.ini
[2007/01/03 11:08:43 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\BROSNMP.DLL
[2007/01/03 11:08:43 | 00,026,624 | ---- | C] () -- C:\WINDOWS\System32\BRGSRC32.DLL
[2007/01/03 11:08:43 | 00,004,608 | ---- | C] () -- C:\WINDOWS\System32\BRGSRC16.DLL
[2007/01/03 11:08:41 | 00,008,975 | ---- | C] () -- C:\WINDOWS\HL-2070N.INI
[2007/01/03 11:06:58 | 00,000,426 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2006/11/16 00:40:03 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/11/16 00:24:58 | 00,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2006/11/15 23:28:06 | 00,096,976 | ---- | C] () -- C:\Documents and Settings\quote_admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2006/11/15 22:12:19 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\quote_admin\Application Data\desktop.ini
[2006/11/15 22:12:18 | 03,712,656 | -H-- | C] () -- C:\Documents and Settings\quote_admin\Local Settings\Application Data\IconCache.db
[2006/10/27 07:14:05 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/10/27 07:01:50 | 00,028,848 | ---- | C] () -- C:\WINDOWS\System32\drivers\USBkey.sys
[2006/10/27 06:56:26 | 00,005,528 | ---- | C] () -- C:\WINDOWS\System32\Setup2k.ini
[2006/10/27 06:56:26 | 00,000,296 | ---- | C] () -- C:\WINDOWS\System32\presetup.ini
[2006/10/27 06:56:25 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\FSRremoC.DLL
[2006/10/27 06:49:09 | 00,348,880 | ---- | C] () -- C:\WINDOWS\System32\igmedkrn.dll
[2006/10/27 06:49:09 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4624.dll
[2006/07/14 17:02:37 | 00,026,240 | ---- | C] () -- C:\WINDOWS\System32\drivers\TukarooNT.sys
[2006/06/29 13:58:52 | 00,030,808 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont
[2006/06/29 13:53:56 | 00,026,489 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/05/23 06:37:23 | 00,009,954 | ---- | C] () -- C:\WINDOWS\System32\PROCDB.INI
[2006/05/23 06:37:19 | 00,000,487 | ---- | C] () -- C:\WINDOWS\System32\IPSCTRL.INI
[2006/04/30 01:31:51 | 00,004,670 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2006/04/30 01:22:10 | 00,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2006/04/30 01:13:35 | 00,000,000 | ---- | C] () -- C:\WINDOWS\control.ini
[2006/04/30 01:09:54 | 00,000,037 | ---- | C] () -- C:\WINDOWS\vbaddin.ini
[2006/04/30 01:09:54 | 00,000,036 | ---- | C] () -- C:\WINDOWS\vb.ini
[2006/04/30 01:09:23 | 00,013,223 | ---- | C] () -- C:\WINDOWS\System32\tslabels.ini
[2006/04/30 01:09:23 | 00,001,931 | ---- | C] () -- C:\WINDOWS\System32\msdtcprf.ini
[2006/04/30 00:56:30 | 00,004,126 | ---- | C] () -- C:\WINDOWS\System32\msdxmlc.dll
[2006/04/30 00:56:29 | 00,498,742 | ---- | C] () -- C:\WINDOWS\System32\dxmasf.dll
[2006/04/30 00:56:09 | 00,013,312 | ---- | C] () -- C:\WINDOWS\System32\win87em.dll
[2006/04/30 00:56:08 | 00,000,603 | ---- | C] () -- C:\WINDOWS\win.ini
[2006/04/30 00:56:06 | 00,053,478 | ---- | C] () -- C:\WINDOWS\System32\tcpmon.ini
[2006/04/30 00:56:06 | 00,015,360 | ---- | C] () -- C:\WINDOWS\System32\tsd32.dll
[2006/04/30 00:56:05 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2006/04/30 00:55:59 | 00,270,848 | ---- | C] () -- C:\WINDOWS\System32\sbe.dll
[2006/04/30 00:55:59 | 00,010,240 | ---- | C] () -- C:\WINDOWS\System32\scriptpw.dll
[2006/04/30 00:55:58 | 00,012,082 | ---- | C] () -- C:\WINDOWS\System32\rsvp.ini
[2006/04/30 00:55:57 | 01,291,264 | ---- | C] () -- C:\WINDOWS\System32\quartz.dll
[2006/04/30 00:55:57 | 00,003,458 | ---- | C] () -- C:\WINDOWS\System32\rasctrs.ini
[2006/04/30 00:55:56 | 00,733,696 | ---- | C] () -- C:\WINDOWS\System32\qedwipes.dll
[2006/04/30 00:55:56 | 00,562,176 | ---- | C] () -- C:\WINDOWS\System32\qedit.dll
[2006/04/30 00:55:56 | 00,386,048 | ---- | C] () -- C:\WINDOWS\System32\qdvd.dll
[2006/04/30 00:55:56 | 00,279,040 | ---- | C] () -- C:\WINDOWS\System32\qdv.dll
[2006/04/30 00:55:56 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\qcap.dll
[2006/04/30 00:55:56 | 00,006,877 | ---- | C] () -- C:\WINDOWS\System32\pschdprf.ini
[2006/04/30 00:55:56 | 00,000,343 | ---- | C] () -- C:\WINDOWS\System32\prodspec.ini
[2006/04/30 00:55:55 | 00,002,891 | ---- | C] () -- C:\WINDOWS\System32\perfci.ini
[2006/04/30 00:55:55 | 00,002,732 | ---- | C] () -- C:\WINDOWS\System32\perfwci.ini
[2006/04/30 00:55:55 | 00,001,152 | ---- | C] () -- C:\WINDOWS\System32\perffilt.ini
[2006/04/30 00:55:51 | 00,035,648 | ---- | C] () -- C:\WINDOWS\System32\ntio411.sys
[2006/04/30 00:55:51 | 00,035,424 | ---- | C] () -- C:\WINDOWS\System32\ntio412.sys
[2006/04/30 00:55:51 | 00,034,560 | ---- | C] () -- C:\WINDOWS\System32\ntio804.sys
[2006/04/30 00:55:51 | 00,034,560 | ---- | C] () -- C:\WINDOWS\System32\ntio404.sys
[2006/04/30 00:55:51 | 00,033,840 | ---- | C] () -- C:\WINDOWS\System32\ntio.sys
[2006/04/30 00:55:51 | 00,029,370 | ---- | C] () -- C:\WINDOWS\System32\ntdos411.sys
[2006/04/30 00:55:51 | 00,029,274 | ---- | C] () -- C:\WINDOWS\System32\ntdos412.sys
[2006/04/30 00:55:51 | 00,029,146 | ---- | C] () -- C:\WINDOWS\System32\ntdos804.sys
[2006/04/30 00:55:51 | 00,029,146 | ---- | C] () -- C:\WINDOWS\System32\ntdos404.sys
[2006/04/30 00:55:51 | 00,027,866 | ---- | C] () -- C:\WINDOWS\System32\ntdos.sys
[2006/04/30 00:55:49 | 00,002,656 | ---- | C] () -- C:\WINDOWS\System32\netware.drv
[2006/04/30 00:55:45 | 00,094,282 | ---- | C] () -- C:\WINDOWS\System32\msencode.dll
[2006/04/30 00:55:45 | 00,014,336 | ---- | C] () -- C:\WINDOWS\System32\msdmo.dll
[2006/04/30 00:55:45 | 00,010,110 | ---- | C] () -- C:\WINDOWS\System32\mqperf.ini
[2006/04/30 00:55:45 | 00,001,405 | ---- | C] () -- C:\WINDOWS\msdfmap.ini
[2006/04/30 00:55:43 | 00,035,328 | ---- | C] () -- C:\WINDOWS\System32\mciqtz32.dll
[2006/04/30 00:55:43 | 00,002,304 | ---- | C] () -- C:\WINDOWS\System32\winsts.sys
[2006/04/30 00:55:42 | 00,042,809 | ---- | C] () -- C:\WINDOWS\System32\key01.sys
[2006/04/30 00:55:42 | 00,042,537 | ---- | C] () -- C:\WINDOWS\System32\keyboard.sys
[2006/04/30 00:55:41 | 00,199,168 | ---- | C] () -- C:\WINDOWS\System32\ir32_32.dll
[2006/04/30 00:55:39 | 00,004,768 | ---- | C] () -- C:\WINDOWS\System32\himem.sys
[2006/04/30 00:55:38 | 01,015,477 | ---- | C] () -- C:\WINDOWS\System32\esentprf.ini
[2006/04/30 00:55:38 | 00,186,880 | ---- | C] () -- C:\WINDOWS\System32\encdec.dll
[2006/04/30 00:55:29 | 00,059,904 | ---- | C] () -- C:\WINDOWS\System32\devenum.dll
[2006/04/30 00:55:28 | 00,252,928 | ---- | C] () -- C:\WINDOWS\System32\compatui.dll
[2006/04/30 00:55:28 | 00,027,097 | ---- | C] () -- C:\WINDOWS\System32\country.sys
[2006/04/30 00:55:27 | 00,355,112 | ---- | C] () -- C:\WINDOWS\System32\msjetoledb40.dll
[2006/04/30 00:55:25 | 00,070,656 | ---- | C] () -- C:\WINDOWS\System32\amstream.dll
[2006/04/30 00:55:25 | 00,009,029 | ---- | C] () -- C:\WINDOWS\System32\ansi.sys
[2006/04/29 18:04:29 | 00,541,630 | ---- | C] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2006/04/29 18:04:28 | 00,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2006/04/29 18:04:07 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2006/04/18 14:39:28 | 00,029,779 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/04/18 14:39:28 | 00,026,040 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006/03/31 11:36:50 | 00,073,728 | ---- | C] () -- C:\WINDOWS\System32\DEVMAN.DLL
[2003/01/07 15:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/08/17 16:36:28 | 00,157,696 | ---- | C] () -- C:\WINDOWS\System32\paqsp.dll
[2000/09/18 16:50:28 | 00,202,752 | ---- | C] () -- C:\WINDOWS\System32\zlib.dll

========== LOP Check ==========

[2007/01/19 11:50:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2007/09/13 12:37:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AskDS
[2008/12/18 11:17:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Google
[2010/01/04 06:32:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Google Updater
[2009/09/02 05:42:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\InstallShield
[2006/11/15 22:38:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Lenovo
[2010/01/04 17:12:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/07/14 14:01:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2007/03/16 12:47:26 | 00,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2009/09/02 05:42:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Roxio
[2006/10/27 06:42:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBSI
[2009/09/02 05:42:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sonic
[2008/07/25 12:43:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2006/11/15 23:07:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Symantec
[2009/03/30 11:28:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Wal-Mart
[2006/11/15 23:47:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2009/10/09 10:34:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\quote_admin\Application Data\Adobe
[2006/11/15 22:58:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\quote_admin\Application Data\AdobeUM
[2008/08/27 11:32:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\quote_admin\Application Data\AskDS
[2007/02/14 15:53:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\quote_admin\Application Data\Autodesk
[2007/01/19 11:35:41 | 00,000,000 | R--D | M] -- C:\Documents and Settings\quote_admin\Application Data\Brother
[2009/05/15 09:56:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\quote_admin\Application Data\Bullzip
[2007/10/11 10:18:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\quote_admin\Application Data\EDrawings
[2007/10/24 14:09:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\quote_admin\Application Data\Google
[2008/07/25 12:53:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\quote_admin\Application Data\Help
[2006/10/27 06:42:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\quote_admin\Application Data\Identities
[2006/11/15 22:25:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\quote_admin\Application Data\Lenovo
[2006/11/22 10:39:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\quote_admin\Application Data\Macromedia
[2010/01/04 17:12:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\quote_admin\Application Data\Malwarebytes
[2008/09/04 07:41:44 | 00,000,000 | --SD | M] -- C:\Documents and Settings\quote_admin\Application Data\Microsoft
[2009/09/02 05:47:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\quote_admin\Application Data\Research In Motion
[2007/03/05 14:31:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\quote_admin\Application Data\Sun
[2006/10/27 07:03:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\quote_admin\Application Data\Symantec
[2006/10/27 07:13:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\quote_admin\Application Data\ThinkVantage
[2008/06/23 08:20:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\quote_admin\Application Data\Wal-Mart
[2009/03/24 05:45:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\quote_admin\Application Data\WeatherBug
[2004/08/04 06:00:00 | 00,000,065 | ---- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2010/01/04 18:02:12 | 00,000,868 | ---- | M] () -- C:\WINDOWS\Tasks\Google Software Updater.job
[2010/01/04 18:02:01 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========


< End of report >

#4 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
hi


Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O3 - HKLM\..\Toolbar: (WeatherBug Browser Bar - powered by MyWebSearch) - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL (My Web Search)
    O3 - HKCU\..\Toolbar\WebBrowser: (WeatherBug Browser Bar - powered by MyWebSearch) - {8EAB99C9-F9EC-4B64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL (My Web Search)
    O33 - MountPoints2\{530d4112-fff6-11dc-8cbc-00016c90aa36}\Shell\AutoRun\command - "" = E:\setupSNK.exe -- File not found
    [2010/01/04 15:02:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\quote_admin\Local Settings\Application Data\scgecm
    [2010/01/04 15:01:32 | 00,024,064 | ---- | C] (TJbFla) -- C:\WINDOWS\System32\winupdate86.exe
    [2010/01/04 15:01:32 | 00,024,064 | ---- | C] (TJbFla) -- C:\WINDOWS\System32\winlogon86.exe
    [2010/01/04 15:01:29 | 00,024,064 | ---- | C] (TJbFla) -- C:\khkil.exe
    [2010/01/04 18:08:28 | 00,767,488 | ---- | M] () -- C:\WINDOWS\System32\drivers\doiuze.sys
    [2010/01/04 17:25:35 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\41.exe
    [2010/01/04 17:25:34 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\AVR10.exe
    [2010/01/04 17:25:31 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\winhelper86.dll
    [2010/01/04 16:58:42 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\26500.exe
    [2010/01/04 16:38:42 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\6334.exe
    [2010/01/04 16:18:42 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\18467.exe
    [2010/01/04 15:55:16 | 00,000,256 | ---- | M] () -- C:\WINDOWS\System32\pool.bin
    [2010/01/04 15:06:42 | 00,002,954 | ---- | M] () -- C:\WINDOWS\System32\t1p0_729068707099.b1k
    [2010/01/04 15:06:31 | 00,002,954 | ---- | M] () -- C:\WINDOWS\System32\t1p0_35369478725.b1k
    [2010/01/04 15:06:10 | 00,002,954 | ---- | M] () -- C:\WINDOWS\System32\t1p0_692073889395.b1k
    [2010/01/04 15:02:09 | 00,029,184 | ---- | M] () -- C:\WINDOWS\System32\bwsb.gio
    [2010/01/04 15:01:40 | 00,626,688 | ---- | M] () -- C:\WINDOWS\System32\ntll.dll
    [2010/01/04 15:01:35 | 00,000,001 | ---- | M] () -- C:\s
    [2010/01/04 15:01:32 | 00,174,080 | ---- | M] () -- C:\qfhtgw.exe
    [2010/01/04 15:01:32 | 00,015,000 | ---- | M] () -- C:\WINDOWS\System32\yutojjos8.dll
    [2010/01/04 15:01:30 | 00,024,064 | ---- | M] (TJbFla) -- C:\WINDOWS\System32\winupdate86.exe
    [2010/01/04 15:01:30 | 00,024,064 | ---- | M] (TJbFla) -- C:\WINDOWS\System32\winlogon86.exe
    [2010/01/04 15:01:30 | 00,024,064 | ---- | M] (TJbFla) -- C:\khkil.exe
    [2010/01/04 16:58:42 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\26500.exe
    [2010/01/04 16:38:42 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\6334.exe
    [2010/01/04 16:18:42 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\18467.exe
    [2010/01/04 15:06:42 | 00,002,954 | ---- | C] () -- C:\WINDOWS\System32\t1p0_729068707099.b1k
    [2010/01/04 15:06:31 | 00,002,954 | ---- | C] () -- C:\WINDOWS\System32\t1p0_35369478725.b1k
    [2010/01/04 15:06:10 | 00,002,954 | ---- | C] () -- C:\WINDOWS\System32\t1p0_692073889395.b1k
    [2010/01/04 15:05:39 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\41.exe
    [2010/01/04 15:05:38 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\AVR10.exe
    [2010/01/04 15:05:37 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\winhelper86.dll
    [2010/01/04 15:03:09 | 00,029,184 | ---- | C] () -- C:\WINDOWS\System32\bwsb.gio
    [2010/01/04 15:01:58 | 00,767,488 | ---- | C] () -- C:\WINDOWS\System32\drivers\doiuze.sys
    [2010/01/04 15:01:40 | 00,626,688 | ---- | C] () -- C:\WINDOWS\System32\ntll.dll
    [2010/01/04 15:01:35 | 00,000,001 | ---- | C] () -- C:\s
    [2010/01/04 15:01:32 | 00,015,000 | ---- | C] () -- C:\WINDOWS\System32\yutojjos8.dll
    [2010/01/04 15:01:28 | 00,174,080 | ---- | C] () -- C:\qfhtgw.exe
    [2009/07/14 07:28:54 | 00,019,028 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\sumuc.dl
    [2009/07/14 07:28:54 | 00,016,435 | ---- | C] () -- C:\Documents and Settings\quote_admin\Application Data\ewyvan.xxx
    [2009/07/14 07:28:54 | 00,016,389 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\diqokyji.bat
    [2009/07/14 07:28:54 | 00,015,851 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\xoku._dl
    [2009/07/14 07:28:54 | 00,014,521 | ---- | C] () -- C:\Program Files\Common Files\asymanave.exe
    [2009/07/14 07:28:54 | 00,014,135 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ticocun.ban
    [2009/07/14 07:28:54 | 00,010,197 | ---- | C] () -- C:\Documents and Settings\quote_admin\Application Data\hyguxejxxx.pif
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done


Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
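The OTL fix list above was built by reading the OTL file listing for entries that look out of place: executables dropped in System32 or the drive root within a day of the symptoms, names that imitate system binaries (winlogon86.exe, ntll.dll), zero-byte and numeric-only .exe files, and clusters of random-named files all created in the same second. The PowerShell script below, added here as an example and not part of the original thread or of the OTL tool, applies those same heuristics to OTL-format lines so the reasoning is explicit and repeatable. The sample lines are copied from the log posted in this thread; the scan date ($ScanDate), the "recent" window, and the list of system names it compares against are assumptions, and it needs PowerShell 2.0 or later, which was an optional install on Windows XP.

```powershell
# Added example, not from the original thread or from the OTL tool: apply the
# triage heuristics an analyst uses on OTL file-listing lines before writing a fix
# list. Assumes PowerShell 2.0 or later. The sample lines are copied from the log in
# this thread; $ScanDate, $RecentDays and $SystemNames are assumptions.

$ScanDate    = Get-Date '2010-01-04'          # assumed date of the OTL scan
$RecentDays  = 7                              # assumed window for "freshly dropped"
$SystemNames = 'winlogon','svchost','lsass','csrss','explorer','ntdll','kernel32',
               'userinit','services','smss','wininet','winupdate','rundll32'   # assumed

function Get-EditDistance([string]$a, [string]$b) {
    # Levenshtein distance, to catch names one character off a real system binary.
    $d = New-Object 'int[,]' -ArgumentList ($a.Length + 1), ($b.Length + 1)
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1),
                                     $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}

function ConvertFrom-OtlLine([string]$Line) {
    # OTL format: [yyyy/mm/dd hh:mm:ss | size | attrs | C|M] (Company) -- path
    $m = [regex]::Match($Line.Trim(),
        '^\[(\d{4}/\d{2}/\d{2}) (\d{2}:\d{2}:\d{2}) \| ([\d,]+) \| ([-A-Z]{4}) \| ([CM])\] (?:\(([^)]*)\) )?-- (.+)$')
    if (-not $m.Success) { return $null }
    New-Object PSObject -Property @{
        Date    = [datetime]::ParseExact("$($m.Groups[1].Value) $($m.Groups[2].Value)",
                      'yyyy/MM/dd HH:mm:ss', [Globalization.CultureInfo]::InvariantCulture)
        Size    = [int64]($m.Groups[3].Value -replace ',', '')
        IsDir   = $m.Groups[4].Value.EndsWith('D')
        Kind    = $m.Groups[5].Value              # C = created, M = modified
        Company = $m.Groups[6].Value              # empty when OTL found no publisher
        Path    = $m.Groups[7].Value
    }
}

function Get-EntryReasons($e) {
    $why  = @()
    $leaf = Split-Path -Leaf $e.Path
    $ext  = [IO.Path]::GetExtension($leaf).ToLower()
    $name = [IO.Path]::GetFileNameWithoutExtension($leaf).ToLower()
    $exec = @('.exe', '.dll', '.sys', '.pif', '.bat', '.scr', '.com') -contains $ext
    $inSys  = ($e.Path -match '^[a-z]:\\WINDOWS\\System32\\') -or ($e.Path -match '^[a-z]:\\[^\\]+$')
    $recent = [Math]::Abs(($ScanDate - $e.Date).TotalDays) -le $RecentDays
    if ($exec -and $recent -and $inSys -and -not $e.Company) { $why += 'fresh publisher-less binary in a system location' }
    if ($exec -and $e.Size -eq 0)                            { $why += 'zero-byte executable' }
    if ($ext -eq '.exe' -and $name -match '^\d+$')           { $why += 'numeric-only name' }
    $base = $name -replace '\d+$', ''                        # winlogon86 -> winlogon
    foreach ($s in $SystemNames) {
        if ($base -eq $s -and $name -ne $s)                      { $why += "system name with digits appended ($s)"; break }
        if ($base -ne $s -and (Get-EditDistance $base $s) -le 1) { $why += "lookalike of $s"; break }
    }
    return $why
}

function Invoke-OtlTriage([string[]]$Lines) {
    $entries = @($Lines | ForEach-Object { ConvertFrom-OtlLine $_ } | Where-Object { $_ -and -not $_.IsDir })
    # Burst heuristic: several publisher-less files created in the same second.
    $burst = @{}
    foreach ($e in $entries) {
        if ($e.Kind -eq 'C' -and -not $e.Company) { $k = $e.Date.Ticks; $burst[$k] = 1 + [int]$burst[$k] }
    }
    $report = @{}
    foreach ($e in $entries) {
        $why = @(Get-EntryReasons $e)
        if ($e.Kind -eq 'C' -and -not $e.Company -and $burst[$e.Date.Ticks] -ge 3) { $why += 'one of a burst of files dropped in the same second' }
        if ($why.Count -gt 0) { $report[$e.Path] += $why }
    }
    foreach ($p in ($report.Keys | Sort-Object)) {
        New-Object PSObject -Property @{ Path = $p; Reasons = (($report[$p] | Select-Object -Unique) -join '; ') }
    }
}

# Constructed input: lines copied from the OTL log posted in this thread.
$SampleLog = @'
[2010/01/04 15:02:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\quote_admin\Local Settings\Application Data\scgecm
[2010/01/04 15:01:32 | 00,024,064 | ---- | C] (TJbFla) -- C:\WINDOWS\System32\winupdate86.exe
[2010/01/04 18:08:28 | 00,767,488 | ---- | M] () -- C:\WINDOWS\System32\drivers\doiuze.sys
[2010/01/04 17:25:35 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\41.exe
[2010/01/04 15:01:40 | 00,626,688 | ---- | M] () -- C:\WINDOWS\System32\ntll.dll
[2010/01/04 15:01:32 | 00,174,080 | ---- | M] () -- C:\qfhtgw.exe
[2009/07/14 07:28:54 | 00,016,389 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\diqokyji.bat
[2009/07/14 07:28:54 | 00,014,521 | ---- | C] () -- C:\Program Files\Common Files\asymanave.exe
[2009/07/14 07:28:54 | 00,010,197 | ---- | C] () -- C:\Documents and Settings\quote_admin\Application Data\hyguxejxxx.pif
[2008/07/25 12:47:53 | 00,811,090 | ---- | C] () -- C:\WINDOWS\System32\PlotLineRToV.dll
[2006/04/30 00:55:51 | 00,027,866 | ---- | C] () -- C:\WINDOWS\System32\ntdos.sys
[2006/10/27 07:01:50 | 00,028,848 | ---- | C] () -- C:\WINDOWS\System32\drivers\USBkey.sys
'@

Invoke-OtlTriage ($SampleLog -split "`r?`n") | Format-Table Path, Reasons -AutoSize -Wrap
```

On the sample, the script flags 41.exe (zero-byte, numeric-only, fresh), doiuze.sys and qfhtgw.exe (fresh publisher-less binaries), ntll.dll (fresh, lookalike of ntdll), winupdate86.exe (system name with digits appended) and the three 2009-07-14 files (same-second burst), while leaving PlotLineRToV.dll, ntdos.sys and USBkey.sys alone. The lookalike threshold is deliberately one edit, not two, so that legitimate ntdos.sys is not confused with ntdll; the heuristics are a starting point for review, not a verdict, and entries with a publisher string (OTL's company field) are not exempt from being malware.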

#5 mutex (Topic Starter, Member, 16 posts)
I renamed some of the bad files before I received your response in an attempt to make some progress. After I got your response I ran OTL with the code you gave me. Everything seemed to go fine. I then ran ComboFix. The log file is below. My main problem now seems to be that I can't uninstall or reinstall the drivers for my network card. It says: "An error occurred during the installation of the device. The specified module could not be found."


ComboFix 10-01-04.01 - randy 01/05/2010 14:58:16.1.2 - x86
Running from: c:\documents and settings\quote_admin\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\quote_admin\Cookies\lenypumyko.lib
c:\recycler\S-1-5-21-3676350805-742796205-198340458-500
c:\windows\system32\drivers\doiuze.sys
c:\windows\system32\etoka.bat
c:\windows\system32\winsts.sys
c:\windows\ycotuti.bat

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_WINSTS
-------\Service_winsts
-------\Legacy_doiuze
-------\Service_doiuze


((((((((((((((((((((((((( Files Created from 2009-12-05 to 2010-01-05 )))))))))))))))))))))))))))))))
.

2010-01-05 20:56 . 2010-01-05 21:03 256 ----a-w- c:\windows\system32\pool.bin
2010-01-05 20:54 . 2010-01-05 20:54 -------- d-----w- C:\_OTL
2010-01-05 19:12 . 2010-01-05 19:12 84666 ----a-w- C:\proxy.reg
2010-01-05 18:54 . 2010-01-05 18:54 624 ----a-w- C:\dmg0110.reg
2010-01-05 18:53 . 2010-01-05 18:53 1908 ----a-w- C:\dmg010510.reg
2010-01-05 00:11 . 2010-01-05 00:16 -------- d-----w- C:\tools
2010-01-04 23:12 . 2010-01-04 23:12 -------- d-----w- c:\documents and settings\quote_admin\Application Data\Malwarebytes
2010-01-04 23:12 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-04 23:12 . 2010-01-04 23:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-04 23:12 . 2010-01-04 23:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-04 23:12 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-04 21:01 . 2010-01-04 21:01 8704 ----a-w- c:\windows\system32\sporder.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-05 19:58 . 2006-10-27 13:02 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-01-05 19:58 . 2006-11-16 05:07 -------- d-----w- c:\program files\Symantec
2010-01-05 19:58 . 2006-10-27 13:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-01-05 13:33 . 2008-05-22 12:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-10-29 07:45 . 2006-04-30 06:56 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2006-04-30 06:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2006-04-30 06:55 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-03 23:00 265728 ------w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2006-04-30 06:55 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 23:16 . 2009-10-12 23:16 760 ----a-w- C:\dmg1009.reg
2009-10-12 13:38 . 2006-04-30 06:55 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2006-04-30 06:55 79872 ----a-w- c:\windows\system32\raschap.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2008-5-30 1508624]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"NoSimpleStartMenu"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
2006-04-18 17:05 49152 ----a-w- c:\program files\Lenovo\AwayTask\AwayNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

S3 TukarooNT;TukarooNT;c:\windows\system32\DRIVERS\TukarooNT.sys --> c:\windows\system32\DRIVERS\TukarooNT.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-01-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-26 17:43]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-05 15:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(480)
c:\program files\Lenovo\AwayTask\AwayNotify.dll

- - - - - - - > 'explorer.exe'(3748)
c:\windows\system32\WININET.dll
c:\windows\system32\PROCHLP.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\IPSSVC.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\lenovo\system update\suservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\Windows Media Player\WMPNetwk.exe
.
**************************************************************************
.
Completion time: 2010-01-05 15:06:54 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-05 21:06

Pre-Run: 60,729,774,080 bytes free
Post-Run: 60,613,570,560 bytes free

- - End Of File - - A3CE36DFBD2F040D0177E3C86A0BA7C7


THANKS FOR YOUR HELP!!!

#6 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
hi

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean




Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.






Go to the Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.


#7 mutex (Topic Starter, Member, 16 posts)
Unfortunately, I can't update MBAM or run an online scan at the Kaspersky web site because Device Manager says the network card isn't configured properly (yellow exclamation point) and I therefore have no access to the Internet. I can't uninstall it, reinstall it or update the drivers. When I try I get the message: "An error occurred during the installation of the device. The specified module could not be found"...even in Safe Mode.

I also can't look at the properties for the network connection and I believe I can't delete the network connection. I just noticed that System Restore is also disabled.

Here is my plan when I go back to where this computer is located this afternoon:

1. I'm going to run SFC /scannow
2. I'm going to check the setupapi log file for clues to what's happening
3. I'm going to compare the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\PCI network card registry key with one on a working computer with the same card (Do you think I should delete this registry key?)
4. I will rerun TFC and MBAM (without updates) as you suggested
5. I downloaded two programs (Driver Sweeper and Driver Manager from the Major Geeks site) and will see if either can uninstall the network card drivers

Given that I don't currently have Internet access on this computer do you have any other suggestions?

I appreciate all your help. This web site is doing a great public service!
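The plan above treats the failed adapter install as a driver-store or hardware problem. "The specified module could not be found" is the text of Win32 error 126 (ERROR_MOD_NOT_FOUND), the error LoadLibrary returns when a DLL that something references can no longer be loaded. During a device install that DLL is normally the class installer or a co-installer registered for the device class, and a filter driver registered for the class fails the device in a similar way; these registrations survive when a cleanup tool deletes the file they point to. The ComboFix log in post #5 shows it removed the doiuze and winsts services, but nothing in the thread says whether either had been hooked into the network class, so the script below, added here as an example and not part of the original thread, simply audits every one of those registration points for the network-adapter class and reports anything dangling, plus the Winsock provider catalog (a separate, common reason for "no Internet although the adapter works") and the lines around the error in %windir%\setupapi.log. It changes nothing. It assumes PowerShell 2.0 (an optional install on Windows XP) run as an administrator, assumes the XP netsh output uses a "Provider Path:" line, and assumes nothing about what this particular malware registered.

```powershell
# Added example, not from the original thread: audit the registry hooks that a
# removed driver or DLL can leave dangling on the Windows XP network-adapter
# install path. Assumes PowerShell 2.0 (an optional install on XP) run as an
# administrator; it assumes nothing about what this particular malware registered.
# Read-only: it reports, it does not fix.

$NetClass = '{4D36E972-E325-11CE-BFC1-08002BE10318}'   # device class GUID: network adapters
$ClassKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Class\$NetClass"
$Services = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-RegValue([string]$Key, [string]$Name) {
    # $null (rather than an error) when the key or value is absent.
    if (-not (Test-Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($item -and $item.PSObject.Properties[$Name]) { return $item.$Name }
    return $null
}

function Resolve-ImagePath([string]$Image) {
    # Service ImagePath forms: system32\drivers\x.sys, \SystemRoot\..., \??\C:\...
    $p = [Environment]::ExpandEnvironmentVariables($Image.Trim('"'))
    if ($p -match '^\\SystemRoot\\(.*)$') { return (Join-Path $env:windir $Matches[1]) }
    if ($p -match '^\\\?\?\\(.*)$')       { return $Matches[1] }
    if (-not [IO.Path]::IsPathRooted($p)) { return (Join-Path $env:windir $p) }
    return $p
}

function Resolve-InstallerDll([string]$Entry) {
    # Installer entries are "dll,EntryPoint"; search the way LoadLibrary would.
    $dll = [Environment]::ExpandEnvironmentVariables(($Entry -split ',')[0].Trim())
    if ([IO.Path]::IsPathRooted($dll)) { if (Test-Path $dll) { return $dll }; return $null }
    foreach ($dir in @("$env:windir\system32", $env:windir)) {
        if (Test-Path (Join-Path $dir $dll)) { return (Join-Path $dir $dll) }
    }
    return $null
}

function New-Finding($Check, $Entry, $Status) {
    New-Object PSObject -Property @{ Check = $Check; Entry = $Entry; Status = $Status }
}

function Test-FilterDrivers {
    # UpperFilters/LowerFilters name services that must load before any device in
    # the class starts; a name whose service or .sys is gone blocks the whole class.
    foreach ($valueName in 'UpperFilters', 'LowerFilters') {
        foreach ($svc in @(Get-RegValue $ClassKey $valueName)) {
            if (-not $svc) { continue }
            $svcKey = Join-Path $Services $svc
            $image  = Get-RegValue $svcKey 'ImagePath'
            if (-not (Test-Path $svcKey)) { $status = 'ORPHAN: service key missing' }
            elseif (-not $image -or -not (Test-Path (Resolve-ImagePath $image))) { $status = 'ORPHAN: driver file missing' }
            else { $status = 'ok' }
            New-Finding $valueName $svc $status
        }
    }
}

function Test-InstallerDlls {
    # The class installer (Installer32) and co-installers (CoInstallers32) are DLLs
    # SetupAPI must load to install a device; an unloadable one fails the install
    # with error 126, "The specified module could not be found".
    $entries = @(@{ Check = 'Installer32'; Value = (Get-RegValue $ClassKey 'Installer32') })
    foreach ($v in @(Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\CoDeviceInstallers' $NetClass)) {
        $entries += @{ Check = 'CoDeviceInstallers'; Value = $v }
    }
    foreach ($drv in @(Get-ChildItem $ClassKey -ErrorAction SilentlyContinue)) {
        foreach ($v in @(Get-RegValue $drv.PSPath 'CoInstallers32')) {
            $entries += @{ Check = "CoInstallers32\$($drv.PSChildName)"; Value = $v }
        }
    }
    foreach ($e in $entries) {
        if (-not $e.Value) { continue }
        $status = if (Resolve-InstallerDll $e.Value) { 'ok' } else { 'MISSING: DLL not found (error 126 on install)' }
        New-Finding $e.Check $e.Value $status
    }
}

function Test-WinsockProviders {
    # Winsock catalog entries (LSPs) must load for any socket program to work; a
    # provider DLL deleted by cleanup is a separate cause of "no Internet although
    # the adapter is fine". XP SP2 or later; the fix is "netsh winsock reset".
    foreach ($line in @(netsh winsock show catalog)) {
        if ($line -match 'Provider Path:\s+(.+)$') {
            $dll = [Environment]::ExpandEnvironmentVariables($Matches[1].Trim())
            New-Finding 'WinsockProvider' $dll $(if (Test-Path $dll) { 'ok' } else { 'MISSING' })
        }
    }
}

@(Test-FilterDrivers) + @(Test-InstallerDlls) + @(Test-WinsockProviders) |
    Format-Table Check, Entry, Status -AutoSize -Wrap

# setupapi.log names the module that failed to load just before the error line.
$log = Join-Path $env:windir 'setupapi.log'
if (Test-Path $log) { Select-String -Path $log -Pattern 'could not be found|Error 126' -Context 3, 0 | Select-Object -Last 3 }
```

A clean XP machine reports "ok" for Installer32 (NetCfgx.dll,NetClassInstaller is the network class installer) and for every Winsock provider, and has no filter entries at all on this class unless third-party software added them, so any ORPHAN or MISSING line is worth following up. Removing a dangling filter name or co-installer entry, or resetting the Winsock catalog, then lets the adapter reinstall; importing the Enum\PCI key from another machine, as tried later in this thread, does not touch any of these locations.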

#8 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
I would recommend posting in the Windows XP forum, they can help you restore your internet connection. Then run those scans

#9 mutex (Topic Starter, Member, 16 posts)
The network card was working fine until I got this virus. I noticed that when I unplugged the network cable I would stop getting all the popup error messages and Symantec AV scan boxes. I then disabled the Symantec AV in msconfig and when I rebooted the computer I noticed I had lost Internet access. I tried to 'repair' my Network Connection but I still had no access. I then reset the router and the cable modem. When I tried to right-click on the Network Connection to view the properties it gave me an error message (an unknown error has occurred). Then in desperation I decided to uninstall the network card. I got a message that the card couldn't be uninstalled but when I clicked okay the card was no longer listed in Device Manager. When I rebooted and tried to reinstall the drivers for the card the installation fails. I even went to the manufacturer's web site and downloaded new drivers but nothing works.

It seems the virus either corrupted a necessary file or disabled my ability to install drivers. As I mentioned, when I try to start System Restore I get a message saying it's been disabled. I went into gpedit and enabled the System Restore 'turn off' and 'configuration' options but this didn't help.

Am I stuck in a loop where you can't help me because of the driver issue and the Windows XP forum can't help me because of the virus issue?

#10 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
The Windows XP forum deals with the tech issues; there is no point in me trying to fix your malware problem with no net access (I don't even know how to).

Once they fix you up, return here; it won't take long to sort out


This doesn't fix it does it ?

Please go to Start -> Control Panel, and choose Network Connections. Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice, and restart your computer.

#11 mutex (Topic Starter, Member, 16 posts)
I am sure this isn't a Windows XP or hardware issue. The guy I'm helping has a 2nd computer which is identical to the infected computer (except for the software installed on it) so I exported the reg key for the network card on that computer (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\PCI) and tried to import it on the infected computer. It wouldn't let me do it and said the files were in use even though the card was disabled and I was in safe mode.

I also was able to boot with a linux boot disk (kubuntu) and access the Internet so I know the network card is working.

Booting into safe mode with networking doesn't work either.

I ran TFC and MBAM as you suggested. The MBAM log was clean except for this line:

Files Infected:
C:\WINDOWS\Installer\592a502.msi (Rootkit.Agent) -> No action taken.

Does this give you any idea what's happening?

I would just format the hard drive and reinstall everything but this guy has no disks. I might have an extra copy of XP around somewhere but I would still need to download all the drivers, software and updates which could take days. Not only that but I've heard some rootkits are not even eliminated by formatting the hd. Is this correct?

Anyway, I would appreciate hearing any ideas you might have. I don't know how I get myself into stuff like this. I don't even know the guy that well!

#12 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Like I said, you need to post in the Windows XP forum to fix the net issue

#13 mutex (Topic Starter, Member, 16 posts)
I posted to the Windows XP forum. They had me download some linux software to scan for viruses. Unfortunately I can't get the linux boot disk to load the virus scanner gui on my computer.

Do you think buying a new network card would help?

http://www.geekstogo...nd-t264172.html

#14 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
You would be best off asking that tech helper, this is their forte, not mine


I am going to close this, when they fix your net connection, PM me to re-open it