
MIRAR and a lot more



Harold Raby
2012-11-28, 01:50
This is a Compaq Presario 2100. It was given to me for a trip. I am running it in safe mode. Windows XP Pro Service Pack 1. As far as I can see, when they bought it they did no upgrades or updates. No A/V at all. Whatever is in here won't let me go to the Windows Update site. I tried to format the H/D but it won't let me do that either. ERUNT ran but SpyBot freezes when asked to repair things and gives me this Msg - "failed to load C\programfiles\spybot-search_destroy\DelZip179.dll". DSS, both links lead to bad places on this computer. I went to my desktop and both links worked. One led to a screensaver that freezes the computer and the other says it is scanning but is just jamming things up and then it freezes. The aswMBR seems to have worked. Here is what I have to give you. Thank you for doing what you do. Harold (just looked at the aswMBR file and I want to take this out in the yard and burn it.)

aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2012-11-27 14:44:45
-----------------------------
14:44:45.882 OS Version: Windows 5.1.2600 Service Pack 1
14:44:45.882 Number of processors: 1 586 0xA00
14:44:45.892 ComputerName: YOUR-SGZ3XPNGO4 UserName: Administrator
14:44:47.664 Initialize success
14:48:40.629 AVAST engine defs: 12112701
14:49:35.238 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
14:49:35.258 Disk 0 Vendor: HITACHI_DK23FA-60 00M4A0A2 Size: 57231MB BusType: 3
14:49:35.318 Disk 0 MBR read successfully
14:49:35.338 Disk 0 MBR scan
14:49:35.608 Disk 0 unknown MBR code
14:49:35.628 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 57231 MB offset 63
14:49:35.658 Disk 0 scanning sectors +117210240
14:49:35.809 Disk 0 scanning C:\WINDOWS\System32\drivers
14:49:50.149 Service scanning
14:50:14.825 Modules scanning
14:50:20.713 Disk 0 trace - called modules:
14:50:20.803 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys aliide.sys PCIIDEX.SYS
14:50:20.833 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x843d0030]
14:50:22.366 3 CLASSPNP.SYS[f75a0022] -> nt!IofCallDriver -> \Device\00000074[0x843d1c58]
14:50:22.486 5 ACPI.sys[f750812d] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x843d1700]
14:50:23.167 AVAST engine scan C:\WINDOWS
14:50:24.669 File: C:\WINDOWS\fsclient32.dll **INFECTED** Win32:Trojan-gen
14:50:26.802 File: C:\WINDOWS\mcithread.dll **INFECTED** Win32:Trojan-gen
14:50:27.323 File: C:\WINDOWS\netcfgx32.exe **INFECTED** Win32:Trojan-gen
14:50:28.174 File: C:\WINDOWS\poolsv.exe **INFECTED** Win32:VB-EPY [Trj]
14:50:28.945 File: C:\WINDOWS\retadpu572.exe.tmp **INFECTED** Win32:Agent-MAT [Trj]
14:50:29.246 File: C:\WINDOWS\retadpu77.exe.tmp **INFECTED** Win32:Agent-HKI [Trj]
14:50:29.997 File: C:\WINDOWS\svhost.exe **INFECTED** Win32:Trojan-gen
14:50:30.467 File: C:\WINDOWS\tsitra1000106.exe **INFECTED** Win32:Malware-gen
14:50:30.758 File: C:\WINDOWS\tsitra572.exe **INFECTED** Win32:Agent-MFL [Trj]
14:50:31.018 File: C:\WINDOWS\tsitra77.exe **INFECTED** Win32:Malware-gen
14:50:31.879 File: C:\WINDOWS\WebAssist.dll **INFECTED** Win32:Adware-gen [Adw]
14:50:32.400 File: C:\WINDOWS\winshow.exe **INFECTED** Win32:Trojan-gen
14:50:32.771 File: C:\WINDOWS\xhelper.dll **INFECTED** Win32:Trojan-gen
14:50:33.041 File: C:\WINDOWS\xmlhelper2.dll **INFECTED** Win32:Adware-gen [Adw]
14:50:33.321 File: C:\WINDOWS\xmlhelper4.dll **INFECTED** Win32:Agent-XRS [Trj]
14:50:34.133 AVAST engine scan C:\WINDOWS\system32
14:50:37.367 File: C:\WINDOWS\system32\apfslinl.dll **INFECTED** Win32:Agent-RY [Trj]
14:50:42.354 File: C:\WINDOWS\system32\bcckrtwx.exe **INFECTED** Win32:Agent-AEYQ [Trj]
14:50:42.615 File: C:\WINDOWS\system32\bgofqhil.exe **INFECTED** Win32:Agent-AEYQ [Trj]
14:50:43.065 File: C:\WINDOWS\system32\bnmfpkxq.dll **INFECTED** Win32:Susn-AA [Trj]
14:50:44.167 File: C:\WINDOWS\system32\bsw.dll **INFECTED** Win32:Agent-RY [Trj]
14:50:49.144 File: C:\WINDOWS\system32\cljpbyax.exe **INFECTED** Win32:Agent-AEYQ [Trj]
14:50:57.937 File: C:\WINDOWS\system32\daaaxwyr.dll **INFECTED** Win32:Vundo-gen47 [Adw]
14:51:03.074 File: C:\WINDOWS\system32\dliybfej.exe **INFECTED** Win32:Agent-AEYQ [Trj]
14:51:09.423 File: C:\WINDOWS\system32\dugggsfh.dll **INFECTED** Win32:Vundo-gen47 [Adw]
14:51:11.717 File: C:\WINDOWS\system32\emakdvwb.exe **INFECTED** Win32:Tiny-JC [Trj]
14:51:11.977 File: C:\WINDOWS\system32\emohyklt.exe **INFECTED** Win32:Agent-AEYQ [Trj]
14:51:13.449 File: C:\WINDOWS\system32\etlrsxle.exe **INFECTED** Win32:Agent-AEYQ [Trj]
14:51:14.711 File: C:\WINDOWS\system32\FAUU77dx.dll **INFECTED** Win32:Adware-gen [Adw]
14:51:17.585 File: C:\WINDOWS\system32\fuvvqmxg.dll **INFECTED** Win32:Vundo-gen47 [Adw]
14:51:17.936 File: C:\WINDOWS\system32\gchugtqs.exe **INFECTED** Win32:Agent-AEYQ [Trj]
14:51:18.987 File: C:\WINDOWS\system32\gebyvwt.dll **INFECTED** Win32:TratBHO [Trj]
14:51:22.041 File: C:\WINDOWS\system32\hperfqge.dll **INFECTED** Win32:Vundo-gen47 [Adw]
14:51:22.422 File: C:\WINDOWS\system32\hphmon05.exe **INFECTED** Win32:Patched-FK [Trj]
14:51:22.913 File: C:\WINDOWS\system32\hrlbyvrr.exe **INFECTED** Win32:Agent-AEYQ [Trj]
14:51:25.156 File: C:\WINDOWS\system32\idikuryj.exe **INFECTED** Win32:Agent-AEYQ [Trj]
14:51:26.999 File: C:\WINDOWS\system32\iifdbba.dll **INFECTED** Win32:Virtumonde-DK [Adw]
14:51:27.279 File: C:\WINDOWS\system32\ijskjhol.dll **INFECTED** Win32:Vundo-gen47 [Adw]
14:51:33.107 File: C:\WINDOWS\system32\irmtexxr.exe **INFECTED** Win32:Agent-AEYQ [Trj]
14:51:35.060 File: C:\WINDOWS\system32\jbxxhcde.dll **INFECTED** Win32:Vundo-gen47 [Adw]
14:51:35.461 File: C:\WINDOWS\system32\jdppqgkc.exe **INFECTED** Win32:Tiny-JC [Trj]
14:51:35.721 File: C:\WINDOWS\system32\jeewprvc.dll **INFECTED** Win32:Vundo-gen47 [Adw]
14:51:36.342 File: C:\WINDOWS\system32\jfkbyqge.dll **INFECTED** Win32:Vundo-gen49 [Adw]
14:51:37.333 File: C:\WINDOWS\system32\jhmunnyk.exe **INFECTED** Win32:Agent-AEYQ [Trj]
14:51:38.245 File: C:\WINDOWS\system32\jtonnofo.exe **INFECTED** Win32:Tiny-JC [Trj]
14:51:38.575 File: C:\WINDOWS\system32\jxowalvi.dll **INFECTED** Win32:Susn-AA [Trj]
14:51:46.246 File: C:\WINDOWS\system32\khaoeops.exe **INFECTED** Win32:Tiny-JC [Trj]
14:51:46.557 File: C:\WINDOWS\system32\khfffge.dll **INFECTED** Win32:Vundo-gen46 [Adw]
14:51:46.917 File: C:\WINDOWS\system32\kictpbyv.exe **INFECTED** Win32:Tiny-JC [Trj]
14:51:47.318 File: C:\WINDOWS\system32\kN2kn73i.exe **INFECTED** Win32:Patched-DM [Trj]
14:51:47.668 File: C:\WINDOWS\system32\kreupdfl.exe **INFECTED** Win32:Agent-AEYQ [Trj]
14:51:48.159 File: C:\WINDOWS\system32\l3acdb.dll **INFECTED** Win32:BHO-IA [Trj]
14:51:50.633 File: C:\WINDOWS\system32\ljjhiii.dll **INFECTED** Win32:Virtumonde-DK [Adw]
14:51:58.934 File: C:\WINDOWS\system32\mhaiswrp.exe **INFECTED** Win32:Tiny-JC [Trj]
14:51:59.956 File: C:\WINDOWS\system32\mldrtput.exe **INFECTED** Win32:Tiny-JC [Trj]
14:52:04.182 File: C:\WINDOWS\system32\mrkirmjx.exe **INFECTED** Win32:Agent-AEYQ [Trj]
14:52:27.766 File: C:\WINDOWS\system32\nclkyvtx.ex_ **INFECTED** Win32:HotBar-C [Adw]
14:52:35.537 File: C:\WINDOWS\system32\nucitqas.dll **INFECTED** Win32:Susn-AA [Trj]
14:52:39.072 File: C:\WINDOWS\system32\ofofqkge.exe **INFECTED** Win32:Tiny-JC [Trj]
14:52:41.085 File: C:\WINDOWS\system32\oppnm.dll **INFECTED** Win32:Vundo-gen49 [Adw]
14:52:48.125 File: C:\WINDOWS\system32\qpbynrkd.exe **INFECTED** Win32:Agent-AEYQ [Trj]
14:52:52.542 File: C:\WINDOWS\system32\rdcrdawy.exe **INFECTED** Win32:Agent-AEYQ [Trj]
14:52:56.708 File: C:\WINDOWS\system32\rqronli.dll_old **INFECTED** Win32:Vundo-gen46 [Adw]
14:52:57.158 File: C:\WINDOWS\system32\rsfcltav.exe **INFECTED** Win32:Agent-AEYQ [Trj]
14:52:58.250 File: C:\WINDOWS\system32\rsxlwhhq.exe **INFECTED** Win32:Tiny-JC [Trj]
14:52:59.441 File: C:\WINDOWS\system32\rwkrgnhk.dll **INFECTED** Win32:Susn-AA [Trj]
14:52:59.752 File: C:\WINDOWS\system32\S3K8V6G1.dll **INFECTED** Win32:Adware-gen [Adw]
14:53:02.636 File: C:\WINDOWS\system32\seaxgwfd.exe **INFECTED** Win32:Agent-AEYQ [Trj]
14:53:13.612 File: C:\WINDOWS\system32\ssqonkl.dll **INFECTED** Win32:Susn-AA [Trj]
14:53:21.794 File: C:\WINDOWS\system32\uehenovx.exe **INFECTED** Win32:Agent-AEYQ [Trj]
14:53:28.493 File: C:\WINDOWS\system32\vinmjucx.dll **INFECTED** Win32:Vundo-gen47 [Adw]
14:53:29.575 File: C:\WINDOWS\system32\vturpnk.dll **INFECTED** Win32:Vundo-gen47 [Adw]
14:53:29.845 File: C:\WINDOWS\system32\vtuvurp.dll **INFECTED** Win32:Susn-AA [Trj]
14:53:30.136 File: C:\WINDOWS\system32\vvmjbeiy.dll **INFECTED** Win32:Vundo-gen47 [Adw]
14:53:45.227 File: C:\WINDOWS\system32\wnqmyetx.exe **INFECTED** Win32:Tiny-JC [Trj]
14:53:45.518 File: C:\WINDOWS\system32\wnskcupa.exe **INFECTED** Win32:Agent-AEYQ [Trj]
14:53:47.501 File: C:\WINDOWS\system32\wpnqivti.exe **INFECTED** Win32:Tiny-JC [Trj]
14:53:49.764 File: C:\WINDOWS\system32\wX36655H.dll **INFECTED** Win32:Adware-gen [Adw]
14:53:50.074 File: C:\WINDOWS\system32\wydycmqs.exe **INFECTED** Win32:Tiny-JC [Trj]
14:53:50.345 File: C:\WINDOWS\system32\wyjmkyvd.dll **INFECTED** Win32:Vundo-gen47 [Adw]
14:53:51.126 File: C:\WINDOWS\system32\xegknqwj.exe **INFECTED** Win32:Agent-AEYQ [Trj]
14:53:51.576 File: C:\WINDOWS\system32\xgvdflbc.dll **INFECTED** Win32:Vundo-gen47 [Adw]
14:53:51.937 File: C:\WINDOWS\system32\xpjnuhkr.exe **INFECTED** Win32:Tiny-JC [Trj]
14:53:52.618 File: C:\WINDOWS\system32\xqhukiww.exe **INFECTED** Win32:Agent-AEYQ [Trj]
14:53:53.019 File: C:\WINDOWS\system32\ydvtfbxl.exe **INFECTED** Win32:Agent-AEYQ [Trj]
14:53:53.309 File: C:\WINDOWS\system32\yeplcura.dll **INFECTED** Win32:Vundo-gen48 [Adw]
14:53:53.659 File: C:\WINDOWS\system32\yohalaci.exe **INFECTED** Win32:Agent-AEYQ [Trj]
14:54:07.349 AVAST engine scan C:\WINDOWS\system32\drivers
14:54:30.162 AVAST engine scan C:\Documents and Settings\Administrator.YOUR-SGZ3XPNGO4
14:54:51.873 AVAST engine scan C:\Documents and Settings\All Users
14:55:08.397 Scan finished successfully
14:58:17.198 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator.YOUR-SGZ3XPNGO4\Desktop\MBR.dat"
14:58:17.258 The log file has been saved successfully to "C:\Documents and Settings\Administrator.YOUR-SGZ3XPNGO4\Desktop\aswMBR.txt"
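As an added example (not part of the thread and not code from aswMBR or any other tool named here), a small Python triage script for the aswMBR log format in the post above: it parses the **INFECTED** lines, groups hits by detection family and directory, and pulls out the two signals a helper weighs when deciding between a clean-up and a rebuild. The sample log inside it is constructed in the same format, and the eight-random-letter filename rule is my own heuristic, not something the thread states.

```python
import re
from collections import Counter

# Constructed sample in the aswMBR log format used above: a timestamp,
# "File:", the path, the **INFECTED** marker, the avast signature name and
# an optional category tag such as [Trj] or [Adw]. Non-detection lines
# ("AVAST engine scan ...", "Scan finished ...") are included so the parser
# has to skip them.
SAMPLE_LOG = r"""
14:50:23.167 AVAST engine scan C:\WINDOWS
14:50:24.669 File: C:\WINDOWS\fsclient32.dll **INFECTED** Win32:Trojan-gen
14:50:28.174 File: C:\WINDOWS\poolsv.exe **INFECTED** Win32:VB-EPY [Trj]
14:50:34.133 AVAST engine scan C:\WINDOWS\system32
14:50:42.354 File: C:\WINDOWS\system32\bcckrtwx.exe **INFECTED** Win32:Agent-AEYQ [Trj]
14:50:57.937 File: C:\WINDOWS\system32\daaaxwyr.dll **INFECTED** Win32:Vundo-gen47 [Adw]
14:51:22.422 File: C:\WINDOWS\system32\hphmon05.exe **INFECTED** Win32:Patched-FK [Trj]
14:55:08.397 Scan finished successfully
"""

INFECTED_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3}) File: (?P<path>.+?) \*\*INFECTED\*\* "
    r"(?P<sig>\S+)(?: \[(?P<cat>\w+)\])?$"
)

# Heuristic (my assumption, not from the thread): eight random lowercase
# letters before .exe/.dll is the naming pattern of the Vundo/Virtumonde
# droppers that fill system32 in the log above.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(?:exe|dll)$")


def parse_aswmbr(text):
    """Return one dict per **INFECTED** line; every other line is ignored."""
    hits = []
    for line in text.splitlines():
        m = INFECTED_RE.match(line.strip())
        if not m:
            continue
        hits.append({
            "ts": m.group("ts"),
            "path": m.group("path"),
            "sig": m.group("sig"),
            "cat": m.group("cat") or "unclassified",
        })
    return hits


def family(sig):
    """'Win32:Vundo-gen47' -> 'Vundo': drop the platform prefix and the variant suffix."""
    name = sig.split(":", 1)[-1]
    return name.split("-", 1)[0]


def summarize(hits):
    """Group detections the way a helper eyeballs a log: by family and by
    directory, plus the two findings that argue for a format and reinstall
    rather than a file-by-file clean-up."""
    by_family = Counter(family(h["sig"]) for h in hits)
    by_dir = Counter(h["path"].rsplit("\\", 1)[0].lower() for h in hits)
    random_named = [h["path"] for h in hits
                    if RANDOM_NAME_RE.match(h["path"].rsplit("\\", 1)[-1])]
    # "Patched-*" means a legitimate executable was modified in place;
    # deleting it removes the host program along with the infection.
    patched = [h["path"] for h in hits if family(h["sig"]) == "Patched"]
    return {
        "total": len(hits),
        "by_family": by_family,
        "by_dir": by_dir,
        "random_named": random_named,
        "patched": patched,
    }


if __name__ == "__main__":
    report = summarize(parse_aswmbr(SAMPLE_LOG))
    print(f"{report['total']} detections")
    for fam, n in report["by_family"].most_common():
        print(f"  {fam:<10} {n}")
    for d, n in report["by_dir"].most_common():
        print(f"  {d:<25} {n}")
    print("random-named droppers:", *report["random_named"], sep="\n  ")
    print("patched system files:", *report["patched"], sep="\n  ")
```

Run it against the real aswMBR.txt by reading the file into `parse_aswmbr` instead of `SAMPLE_LOG`.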

ken545
2012-11-30, 01:28


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.



This is one heavily infected computer. This is what you need to do: if you can't download Malwarebytes, then you need to download it from a known clean computer and transfer it by disk to this one. Let's give it a shot.

I want to point out that with the amount of infections on this system, a format and reinstall may be the only answer. Please don't use this computer at this point for any banking or purchasing from websites.



Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please




If Malwarebytes gives you problems, try running it in Safemode

To Enter Safemode

Go to Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode with Networking
Then press the Enter Key on your Keyboard

Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)

Harold Raby
2012-11-30, 02:36
Ken545; Hi, Thank you for being there and doing what you do. This computer will only run in safe mode. I did as you said and MBAM really wants me (as I do) to update to at least SP2, but I am unable to do that at this time. I started to rerun MBAM but thought not, as you have not said. Here is the log. By the way, I am doing most of this on my other computer, a desktop with good A/V stuff :-)

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.11.29.11

Windows XP Service Pack 1 x86 NTFS (Safe Mode/Networking)
Internet Explorer 6.0.2800.1106
Administrator :: YOUR-SGZ3XPNGO4 [administrator]

11/29/2012 5:12:24 PM
mbam-log-2012-11-29 (17-12-24).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 198165
Time elapsed: 4 minute(s), 10 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 2
C:\WINDOWS\system32\l3acdb.dll (IPH.GenericBHO) -> Delete on reboot.
C:\WINDOWS\system32\oppnm.dll (IPH.GenericBHO) -> Delete on reboot.

Registry Keys Detected: 31
HKCR\CLSID\{53B5F2B1-94DD-43E5-8187-EB4E31F00701} (IPH.GenericBHO) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53B5F2B1-94DD-43E5-8187-EB4E31F00701} (IPH.GenericBHO) -> Quarantined and deleted successfully.
HKCR\CLSID\{7DCC6A98-C6B0-4418-B037-5695078AF8E4} (IPH.GenericBHO) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DCC6A98-C6B0-4418-B037-5695078AF8E4} (IPH.GenericBHO) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\oppnm (IPH.GenericBHO) -> Quarantined and deleted successfully.
HKCR\CLSID\{2A5C2E6D-864B-4f2c-9542-8B272741D78B} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKCR\TypeLib\{6F520BE0-9B54-4558-816F-224E67997DF3} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKCR\Interface\{459F4226-1AAB-43B6-9DC1-B6313EF83749} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKCR\UWAP7.PCheck.1 (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKCR\CLSID\{85589B5D-D53D-4237-A677-46B82EA275F3} (Trojan.Unclassified) -> Quarantined and deleted successfully.
HKCR\TypeLib\{09DC28C6-BCE2-42B1-B3EA-8AB82F0F3B0A} (Trojan.Unclassified) -> Quarantined and deleted successfully.
HKCR\Interface\{9CA1536D-5689-40CA-B92A-F646301517D7} (Trojan.Unclassified) -> Quarantined and deleted successfully.
HKCR\bho_adw.BHOAd.1 (Trojan.Unclassified) -> Quarantined and deleted successfully.
HKCR\bho_adw.BHOAd (Trojan.Unclassified) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{85589B5D-D53D-4237-A677-46B82EA275F3} (Trojan.Unclassified) -> Quarantined and deleted successfully.
HKCR\CLSID\{938A8A03-A938-4019-B764-03FF8D167D79} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKCR\CLSID\{C6039E6C-BDE9-4de5-BB40-768CAA584FDC} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{09F1ADAC-76D8-4D0F-99A5-5C907DADB988} (Rogue.Multiple) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8C875948-9C60-4381-9248-0DF180542D53} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E596DF5F-4239-4D40-8367-EBADF0165917} (Rogue.Installer) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8109FD3D-D891-4f80-8339-50A4913ACE6F} (Adware.Zango) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{90B5A95A-AFD5-4d11-B9BD-A69D53D22226} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/DOWNLOADED PROGRAM FILES/CONFLICT.2/UWA7P_0001_N91M0809NETINSTALLER.EXE (Rogue.Installer) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/DOWNLOADED PROGRAM FILES/CONFLICT.3/UWA7P_0001_N91M0809NETINSTALLER.EXE (Rogue.Installer) -> Quarantined and deleted successfully.
HKCR\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\DomainService (Trojan.Agent) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKLM\System\CurrentControlSet\Services\DomainService (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Detected: 13
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler|{53B5F2B1-94DD-43E5-8187-EB4E31F00701} (IPH.GenericBHO) -> Data: za -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|SpybotDeletingA1173 (IPH.GenericBHO) -> Data: command.com /c del "C:\WINDOWS\system32\oppnm.dll" -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|SpybotDeletingC8496 (IPH.GenericBHO) -> Data: cmd.exe /c del "C:\WINDOWS\system32\oppnm.dll" -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|SpybotDeletingA7771 (IPH.GenericBHO) -> Data: command.com /c del "C:\WINDOWS\system32\oppnm.dll" -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|SpybotDeletingC594 (IPH.GenericBHO) -> Data: cmd.exe /c del "C:\WINDOWS\system32\oppnm.dll" -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|SpybotDeletingB1527 (IPH.GenericBHO) -> Data: command.com /c del "C:\WINDOWS\system32\oppnm.dll" -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|SpybotDeletingD8296 (IPH.GenericBHO) -> Data: cmd.exe /c del "C:\WINDOWS\system32\oppnm.dll" -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|SpybotDeletingB5924 (IPH.GenericBHO) -> Data: command.com /c del "C:\WINDOWS\system32\oppnm.dll" -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|SpybotDeletingD4890 (IPH.GenericBHO) -> Data: cmd.exe /c del "C:\WINDOWS\system32\oppnm.dll" -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{53B5F2B1-94DD-43E5-8187-EB4E31F00701} (Trojan.Vundo) -> Data: -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs|C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.2\UWA7P_0001_N91M0809NETINSTALLER.EXE (Rogue.Installer) -> Data: 1 -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs|C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.3\UWA7P_0001_N91M0809NETINSTALLER.EXE (Rogue.Installer) -> Data: 1 -> Quarantined and deleted successfully.
HKLM\System\CurrentControlSet\Control\Session Manager|BootStera (Rogue.WinAntiVirus) -> Data: \??\C:\WINDOWS\System32\stera.job -> Quarantined and deleted successfully.

Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 10
C:\Documents and Settings\All Users\Application Data\SalesMonitor (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SalesMonitor\Data (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007 (Rogue.WinAntiSpyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data (Rogue.WinAntiSpyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007 (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007\Data (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\WinAntiSpyware 2007 (Rogue.WinAntiSpyware) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\WinAntiVirus Pro 2007 (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
C:\Program Files\poolsv (Multiple.Malware.Installer) -> Quarantined and deleted successfully.
C:\Program Files\svhost (Trojan.Downloader) -> Quarantined and deleted successfully.

Files Detected: 43
C:\WINDOWS\system32\l3acdb.dll (IPH.GenericBHO) -> Delete on reboot.
C:\WINDOWS\system32\oppnm.dll (IPH.GenericBHO) -> Delete on reboot.
C:\Program Files\Common Files\Companion Wizard\WapCHK.dll (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\S3K8V6G1.dll (Trojan.Unclassified) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jfkbyqge.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vtuvurp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\svhost.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\UWA7P_0001_N91M0809NetInstaller.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWA7P_0001_N91M0809NetInstaller.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWA7P_0001_N91M0809NetInstaller.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UWA7P_0001_N91M0809NetInstaller.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\syshkvd.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\sysivpn.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\syskzxm.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\sysoaei.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\systdbc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\syswelf.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ClickToFindandFixErrors_US.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\stera.job (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\SpamBlockerUtility.inf (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\WINDOWS\poolsv.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\WINDOWS\retadpu572.exe.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\retadpu77.exe.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\wr.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\Abbr (Rogue.WinAntiSpyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\ProductCode (Rogue.WinAntiSpyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007\Data\Abbr (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007\Data\ActivationCode (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007\Data\ProductCode (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\WinAntiSpyware 2007\err.log (Rogue.WinAntiSpyware) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe (Rogue.WinAntiSpyware) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe (Rogue.WinAntiSpyware) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\WinAntiVirus Pro 2007\err.log (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
C:\Program Files\poolsv\k11u72.exe (Multiple.Malware.Installer) -> Quarantined and deleted successfully.
C:\Program Files\poolsv\svhost.exe (Multiple.Malware.Installer) -> Quarantined and deleted successfully.
C:\Program Files\poolsv\WinAntiSpyware2007FreeInstall.exe (Multiple.Malware.Installer) -> Quarantined and deleted successfully.
C:\Program Files\poolsv\wr-1-0000077.exe (Multiple.Malware.Installer) -> Quarantined and deleted successfully.
C:\Program Files\poolsv\YazzleBundle-1549.exe (Multiple.Malware.Installer) -> Quarantined and deleted successfully.
C:\Program Files\svhost\wr-1-0000077.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\svhost\wr-1-77.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

(end)

ken545
2012-11-30, 12:26
Good Morning,

Let's not worry about the service packs just yet, as you could have problems with your system if you install SP3 on an infected system.

I have been at this for many years and this is most likely one of the most heavily infected computers that I have come across.

Let's rerun Malwarebytes again, check for updates first and then run the Full scan and post the log.


Then let's run Combofix. Safe mode is fine if you still can't get into normal Windows, and again, transfer by disk to this one if that's the only option. If it gives you problems about the Recovery Console, then just skip that step.

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Harold Raby
2012-11-30, 16:09
Hi, Ken545; OK, I tried Combofix while not in safe mode and it froze just as it started the scan. I let it run for 30 minutes anyway and had to use the power button to shut it down. I went to safe mode and did it again. It ran for a few minutes before it froze up. Again I let it run for half an hour and had to use the power button to shut it down. I then loaded Combofix on a thumb drive and tried it that way, and it froze up. So here is the Malwarebytes log. Should I try Spybot again? I think that earlier Malwarebytes scan wiped out a lot of stuff, as when not in safe mode the 'home page' that had been imposed on it was gone; I got Google search as the home page. I should also point out that formatting is on the table; as a matter of fact, I tried to do that before contacting you and it would not let me.

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.11.30.06

Windows XP Service Pack 1 x86 NTFS (Safe Mode/Networking)
Internet Explorer 6.0.2800.1106
Administrator :: YOUR-SGZ3XPNGO4 [administrator]

11/30/2012 6:54:39 AM
mbam-log-2012-11-30 (06-54-39).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 220085
Time elapsed: 3 minute(s), 54 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

ken545
2012-11-30, 16:15
Let's put Combofix aside for the moment. Do you by chance have your Windows XP disk?


--RogueKiller--


Download & SAVE to your Desktop RogueKiller (http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe) or from here (http://tigzy.geekstogo.com/Tools/RogueKiller.exe)
Quit all programs that you may have started.
Please disconnect any USB or external drives from the computer before you run this scan!
For Vista or Windows 7, right-click and select "Run as Administrator" to start
For Windows XP, double-click to start.
Wait until Prescan has finished ...
Then Click on "Scan" button
Wait until the Status box shows "Scan Finished"
Click on "Report" and copy/paste the content of the Notepad into your next reply.
The log should be found in RKreport[1].txt on your Desktop
Exit/Close RogueKiller

Harold Raby
2012-11-30, 18:27
Hey Ken545; Well (insert curse word here). Yes, I have the XP Home Edition SP1 disc that came with it. I tried to use it before contacting you and it would not work. RogueKiller won't either. I skipped straight to D/L to this computer and onto the thumb drive and on to the Compaq. Failed, so I opened RogueKiller on this computer just to see, and it opened, and no, I didn't run it. So, I cleared off the Compaq and opened it in safe mode and D/L RogueKiller and it still wouldn't work. Through all this I had disconnected all USB stuff; that would be the USB hub with the mouse. I am retired and have more time than money and this is fun but, Damn (to quote Will Smith). You know, Ken545, there is nothing on this computer that I want to save and I think that Windows itself may be damaged beyond repair, and I know that as much as you want to spend the next few days figuring this out, maybe we should try to get it to format to this disc. If we do I may print out that first log just to show around as the reason I was defeated :-)

ken545
2012-11-30, 18:39
Nice about you being retired, I am going to retire myself the last week in April.

Before we go on and see if we can fix this computer by formatting and reinstalling Windows, see if this program will run.



Please download exeHelper (http://www.raktor.net/exeHelper/exeHelper.com) to your desktop.

Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).
OTL by OldTimer

Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Click the "Scan All Users" checkbox.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them both in.
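The Purity Check that OTL runs looks for folder names built from non-ASCII look-alike letters (a Cyrillic or Greek letter standing in for a Latin one, so a rogue folder sits beside the real one and passes a casual glance). The Python script below is an added example, not part of this thread or of OTL, that performs that check over a list of paths; the confusables table and the sample paths are constructed for the example and the table is deliberately partial.

```python
import unicodedata
from pathlib import PureWindowsPath

# Partial confusables table (constructed for this example): non-ASCII letters that
# render like ASCII ones, mapped to the ASCII letter they imitate. It is not the full
# Unicode confusables list; extend it for your environment.
LOOKALIKES = {
    # Greek capitals and lower-case omicron
    "\u0391": "A", "\u0392": "B", "\u0395": "E", "\u0397": "H", "\u0399": "I",
    "\u039a": "K", "\u039c": "M", "\u039d": "N", "\u039f": "O", "\u03a1": "P",
    "\u03a4": "T", "\u03a7": "X", "\u03bf": "o",
    # Cyrillic capitals
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X", "\u0405": "S", "\u0406": "I", "\u0408": "J",
    # Cyrillic lower case
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
}


def latin_skeleton(name):
    """Replace each look-alike letter with the ASCII letter it imitates, leaving
    everything else untouched, to recover the name being spoofed."""
    return "".join(LOOKALIKES.get(ch, ch) for ch in name)


def lookalike_letters(name):
    """Return (index, char, Unicode name) for every look-alike letter in name."""
    return [(i, ch, unicodedata.name(ch, "?"))
            for i, ch in enumerate(name) if ch in LOOKALIKES]


def is_mixed_script(name):
    """True when one path component mixes ASCII letters with Latin look-alikes.
    A name written wholly in Greek or Cyrillic is legitimate and is not flagged."""
    has_ascii_letter = any(ch.isascii() and ch.isalpha() for ch in name)
    return has_ascii_letter and bool(lookalike_letters(name))


def scan_paths(paths):
    """Flag path components that spoof an ASCII name. Each finding also records
    whether the spoofed name's ASCII twin appears in the same list, i.e. whether
    the rogue folder is hiding next to a real one."""
    parsed = [PureWindowsPath(p) for p in paths]
    known = {str(p).lower() for p in parsed}
    findings = []
    for p in parsed:
        parts = p.parts
        for depth, comp in enumerate(parts):
            if not is_mixed_script(comp):
                continue
            skeleton = latin_skeleton(comp)
            twin = PureWindowsPath(*parts[:depth], skeleton)
            findings.append({
                "path": str(p),
                "component": comp,
                "skeleton": skeleton,
                "letters": lookalike_letters(comp),
                "twin_present": str(twin).lower() in known,
            })
    return findings


# Constructed sample input modelled on the shape of OTL's "Files - Unicode" section:
# spoofed folders with a Greek or Cyrillic first letter, plus two legitimate ASCII
# folders they imitate and one ordinary folder that must not be flagged.
SAMPLE_PATHS = [
    "C:\\WINDOWS\\\u039fracle",                      # Greek capital Omicron
    "C:\\WINDOWS\\\u0391dobe",                       # Greek capital Alpha
    "C:\\WINDOWS\\System32\\\u041eracle",            # Cyrillic capital O
    "C:\\Program Files\\Common Files\\T\u0430sks",   # Cyrillic small a
    "C:\\Program Files\\\u0455\u0443stem",           # Cyrillic small dze + u
    "C:\\Program Files\\\u0405ymantec",              # Cyrillic capital Dze
    "C:\\Program Files\\Common Files\\F\u03bfnts",   # Greek small omicron
    "C:\\WINDOWS\\System32\\\u041cicrosoft",         # Cyrillic capital Em
    "C:\\Program Files\\Common Files\\Tasks",        # legitimate ASCII twin
    "C:\\Program Files\\Symantec",                   # legitimate ASCII twin
    "C:\\WINDOWS\\System32\\drivers",                # ordinary folder, not flagged
]


def main():
    for f in scan_paths(SAMPLE_PATHS):
        chars = ", ".join(f"{c} (U+{ord(c):04X} {n})" for _, c, n in f["letters"])
        twin = "shadows a real folder" if f["twin_present"] else "no ASCII twin listed"
        print(f"{f['path']}: spoofs '{f['skeleton']}' via {chars}; {twin}")


if __name__ == "__main__":
    main()
```

On a live system, feed scan_paths the output of a directory walk over C:\WINDOWS and C:\Program Files instead of SAMPLE_PATHS.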

Harold Raby
2012-11-30, 19:50
Ken545; I am on the Compaq and in safe mode and it seems to be running faster. Here are the three logs.
exeHelper by Raktor
Build 20100414
Run at 10:26:44 on 11/30/12
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

OTL logfile created on: 11/30/2012 10:32:07 AM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Administrator.YOUR-SGZ3XPNGO4\Desktop
Windows XP Home Edition Service Pack 1 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2800.1106)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

446.48 Mb Total Physical Memory | 314.82 Mb Available Physical Memory | 70.51% Memory free
1.03 Gb Paging File | 0.98 Gb Available in Paging File | 95.31% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.89 Gb Total Space | 50.76 Gb Free Space | 90.83% Space Free | Partition Type: NTFS

Computer Name: YOUR-SGZ3XPNGO4 | User Name: Administrator | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Administrator.YOUR-SGZ3XPNGO4\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)


========== Modules (No Company Name) ==========

MOD - C:\WINDOWS\system32\tsd32.dll ()


========== Services (SafeList) ==========

SRV - (xmlprov) -- %SystemRoot%\System32\xmlprov.dll File not found
SRV - (wscsvc) -- %SYSTEMROOT%\system32\wscsvc.dll File not found
SRV - (AppMgmt) -- %SystemRoot%\System32\appmgmts.dll File not found
SRV - (PEVSystemStart) -- C:\ComboFix\pev.3XE ()
SRV - (AOL ACS) -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe (AOL LLC)
SRV - (AOL TopSpeedMonitor) -- C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe (America Online, Inc)
SRV - (GEARSecurity) -- C:\WINDOWS\system32\gearsec.exe (GEAR Software)
SRV - (WANMiniportService) -- C:\WINDOWS\wanmpsvc.exe (America Online, Inc.)
SRV - (HPWirelessMgr) -- C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe (Hewlett-Packard Co.)
SRV - (HPConfig) -- C:\WINDOWS\system32\HPConfig.exe (Hewlett-Packard)


========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (lbrtfdc) -- File not found
DRV - (i2omgmt) -- File not found
DRV - (Changer) -- File not found
DRV - (catchme) -- C:\DOCUME~1\Hal\LOCALS~1\Temp\catchme.sys File not found
DRV - (Cdralw2k) -- C:\WINDOWS\System32\drivers\cdralw2k.sys (Sonic Solutions)
DRV - (Cdr4_xp) -- C:\WINDOWS\System32\drivers\cdr4_xp.sys (Sonic Solutions)
DRV - (ASCTRM) -- C:\WINDOWS\System32\drivers\asctrm.sys (Windows (R) 2000 DDK provider)
DRV - (HPCI) -- C:\WINDOWS\system32\drivers\hpci.sys (Hewlett-Packard)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (dvd_2K) -- C:\WINDOWS\System32\drivers\Dvd_2k.sys (Roxio)
DRV - (mmc_2K) -- C:\WINDOWS\System32\drivers\Mmc_2k.sys (Roxio)
DRV - (pwd_2k) -- C:\WINDOWS\System32\drivers\pwd_2K.sys (Roxio)
DRV - (UdfReadr_xp) -- C:\WINDOWS\System32\drivers\UdfReadr_xp.sys (Roxio)
DRV - (DP83815) -- C:\WINDOWS\system32\drivers\DP83815.sys (National Semiconductor Corp.)
DRV - (cdudf_xp) -- C:\WINDOWS\System32\drivers\Cdudf_xp.sys (Roxio)
DRV - (BCM43XX) -- C:\WINDOWS\system32\drivers\BCMWL5.SYS (Broadcom Corporation)
DRV - (HSF_DP) -- C:\WINDOWS\system32\drivers\HSF_DP.sys (Conexant Systems)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems)
DRV - (HSFHWALI) -- C:\WINDOWS\system32\drivers\HSFHWALI.sys (Conexant Systems)
DRV - (StreamDispatcher) -- C:\WINDOWS\system32\drivers\strmdisp.sys (Conexant Systems)
DRV - (wanatw) -- C:\WINDOWS\system32\drivers\wanatw4.sys (America Online, Inc.)
DRV - (CALIAUD) -- C:\WINDOWS\system32\drivers\caliaud.sys (Conexant Systems Inc.)
DRV - (CALIHALA) -- C:\WINDOWS\system32\drivers\calihal.sys (Conexant Systems Inc.)
DRV - (caboagp) -- C:\WINDOWS\system32\drivers\atisgkaf.SYS (ATI Technologies Inc.)
DRV - (wlluc48) -- C:\WINDOWS\system32\drivers\wlluc48.sys (Lucent Technologies)
DRV - (CE3) -- C:\WINDOWS\system32\drivers\CE3N5.SYS (Xircom, Inc.)
DRV - (SMCIRDA) -- C:\WINDOWS\system32\drivers\smcirda.sys (SMC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=laptop
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://red.clientapps.yahoo.com/customize/ie/defaults/cs/sbcydsl/*http://www.yahoo.com/search/ie.html


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "AutoConfigURL" = http://autoconfig.cpqcorp.net

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "AutoConfigURL" = http://autoconfig.cpqcorp.net

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "AutoConfigURL" = http://autoconfig.cpqcorp.net

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-2410815248-1412881139-3060410368-500\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
IE - HKU\S-1-5-21-2410815248-1412881139-3060410368-500\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
IE - HKU\S-1-5-21-2410815248-1412881139-3060410368-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/?rlz=1W4CHBB_enUS512
IE - HKU\S-1-5-21-2410815248-1412881139-3060410368-500\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://red.clientapps.yahoo.com/customize/ie/defaults/cs/sbcydsl/*http://www.yahoo.com/search/ie.html
IE - HKU\S-1-5-21-2410815248-1412881139-3060410368-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.3: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()
FF - HKLM\Software\MozillaPlugins\@yverinfo.yahoo.com/YahooVersionInfoPlugin;version=1.0.0.1: C:\Program Files\Yahoo!\Shared\npYVerInfo.dll File not found



Hosts file not found
O2 - BHO: (Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {49BC054F-7A54-40B6-8B5A-DB50B72F87C2} - No CLSID value found.
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {9F827460-4594-41E5-96CE-A06CFB00280E} - \ File not found
O2 - BHO: (Reg Error: Value error.) - {DC192567-65F9-4AB6-ADB7-E13575F81726} - C:\WINDOWS\system32\rqronli.dll File not found
O2 - BHO: (SidebarAutoLaunch Class) - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll (Yahoo! Inc.)
O2 - BHO: (Reg Error: Value error.) - {FD0B6F9A-845C-AEAC-0C20-F99AF4FF4CC5} - C:\WINDOWS\System32\kkf.dll File not found
O3 - HKLM\..\Toolbar: (&Radio) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx ()
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKU\S-1-5-21-2410815248-1412881139-3060410368-500..\RunOnce: [SpybotDeletingB3727] C:\WINDOWS\System32\command.com ()
O4 - HKU\S-1-5-21-2410815248-1412881139-3060410368-500..\RunOnce: [SpybotDeletingB4854] C:\WINDOWS\System32\command.com ()
O4 - HKU\S-1-5-21-2410815248-1412881139-3060410368-500..\RunOnce: [SpybotDeletingB6437] C:\WINDOWS\System32\command.com ()
O4 - HKU\S-1-5-21-2410815248-1412881139-3060410368-500..\RunOnce: [SpybotDeletingB6692] C:\WINDOWS\System32\command.com ()
O4 - HKU\S-1-5-21-2410815248-1412881139-3060410368-500..\RunOnce: [SpybotDeletingB6958] C:\WINDOWS\System32\command.com ()
O4 - HKU\S-1-5-21-2410815248-1412881139-3060410368-500..\RunOnce: [SpybotDeletingD2036] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-2410815248-1412881139-3060410368-500..\RunOnce: [SpybotDeletingD2534] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-2410815248-1412881139-3060410368-500..\RunOnce: [SpybotDeletingD3002] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-2410815248-1412881139-3060410368-500..\RunOnce: [SpybotDeletingD447] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-2410815248-1412881139-3060410368-500..\RunOnce: [SpybotDeletingD8753] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Administrator.YOUR-SGZ3XPNGO4\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2410815248-1412881139-3060410368-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 File not found
O9 - Extra Button: @shdoclc.dll,-866 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\Web\related.htm ()
O9 - Extra 'Tools' menuitem : @shdoclc.dll,-864 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\Web\related.htm ()
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 75.75.75.75 75.75.76.76
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1412A347-1AA2-42AE-A313-1FB7C32F139B}: DhcpNameServer = 192.168.0.1 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{873AB70F-CCE3-401D-B770-EF2F727766CD}: DhcpNameServer = 75.75.75.75 75.75.76.76
O18 - Protocol\Handler\vnd.ms.radio {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINDOWS\system32\msdxm.ocx ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\System32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\rqronli: DllName - (rqronli.dll) - File not found
O24 - Desktop WallPaper: C:\WINDOWS\Amber Flow.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Amber Flow.bmp
O28 - HKLM ShellExecuteHooks: {DC192567-65F9-4AB6-ADB7-E13575F81726} - C:\WINDOWS\system32\rqronli.dll File not found
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (stera)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/11/30 10:28:34 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator.YOUR-SGZ3XPNGO4\Desktop\OTL.exe
[2012/11/30 09:02:11 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/11/30 06:11:38 | 000,000,000 | --SD | C] -- C:\ComboFix
[2012/11/30 06:08:58 | 005,009,213 | R--- | C] (Swearware) -- C:\Documents and Settings\Administrator.YOUR-SGZ3XPNGO4\Desktop\ComboFix.exe
[2012/11/30 04:17:18 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/11/30 04:16:06 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/11/30 04:16:06 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/11/30 04:16:06 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/11/30 04:16:06 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/11/30 04:15:55 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/11/29 17:10:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.YOUR-SGZ3XPNGO4\Application Data\Malwarebytes
[2012/11/29 17:09:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/11/29 17:09:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2012/11/29 17:09:46 | 000,020,552 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/11/29 17:09:46 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/11/29 17:07:17 | 010,669,952 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator.YOUR-SGZ3XPNGO4\Desktop\mbam-setup-1.65.1.1000.exe
[2012/11/27 14:36:37 | 004,732,416 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Administrator.YOUR-SGZ3XPNGO4\Desktop\aswMBR.exe
[2012/11/27 09:29:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.YOUR-SGZ3XPNGO4\Desktop\Unused Desktop Shortcuts
[2012/11/26 22:21:11 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\My Videos
[2012/11/26 22:21:11 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator.YOUR-SGZ3XPNGO4\My Documents\My Videos
[2012/11/26 22:21:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.YOUR-SGZ3XPNGO4\Start Menu\Programs\Administrative Tools
[5 C:\*.tmp files -> C:\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/11/30 10:28:36 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator.YOUR-SGZ3XPNGO4\Desktop\OTL.exe
[2012/11/30 10:25:25 | 000,294,400 | ---- | M] () -- C:\Documents and Settings\Administrator.YOUR-SGZ3XPNGO4\Desktop\exeHelper.com
[2012/11/30 10:15:40 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/11/30 09:05:30 | 000,752,128 | ---- | M] () -- C:\Documents and Settings\Administrator.YOUR-SGZ3XPNGO4\Desktop\RogueKiller.exe
[2012/11/30 06:10:55 | 005,009,213 | R--- | M] (Swearware) -- C:\Documents and Settings\Administrator.YOUR-SGZ3XPNGO4\Desktop\ComboFix.exe
[2012/11/30 04:17:24 | 000,000,310 | RHS- | M] () -- C:\boot.ini
[2012/11/30 04:16:39 | 000,231,424 | ---- | M] () -- C:\WINDOWS\fsclient32.dll
[2012/11/30 04:01:21 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At5.job
[2012/11/30 03:49:39 | 000,013,824 | ---- | M] () -- C:\WINDOWS\mcithread.dll
[2012/11/29 22:09:54 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At22.job
[2012/11/29 22:09:54 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At20.job
[2012/11/29 22:09:50 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At21.job
[2012/11/29 18:01:28 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At19.job
[2012/11/29 17:49:20 | 000,025,065 | ---- | M] () -- C:\WINDOWS\System32\wmpscheme.xml
[2012/11/29 17:19:44 | 001,862,139 | -HS- | M] () -- C:\WINDOWS\System32\mnppo.ini2
[2012/11/29 17:09:49 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/11/29 16:49:02 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/11/29 16:46:32 | 010,669,952 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator.YOUR-SGZ3XPNGO4\Desktop\mbam-setup-1.65.1.1000.exe
[2012/11/27 15:47:47 | 000,000,645 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2012/11/27 14:58:17 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Administrator.YOUR-SGZ3XPNGO4\Desktop\MBR.dat
[2012/11/27 14:36:37 | 004,732,416 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Administrator.YOUR-SGZ3XPNGO4\Desktop\aswMBR.exe
[5 C:\*.tmp files -> C:\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/11/30 10:25:24 | 000,294,400 | ---- | C] () -- C:\Documents and Settings\Administrator.YOUR-SGZ3XPNGO4\Desktop\exeHelper.com
[2012/11/30 09:05:23 | 000,752,128 | ---- | C] () -- C:\Documents and Settings\Administrator.YOUR-SGZ3XPNGO4\Desktop\RogueKiller.exe
[2012/11/30 04:17:24 | 000,000,194 | ---- | C] () -- C:\Boot.bak
[2012/11/30 04:17:20 | 000,245,920 | RHS- | C] () -- C:\cmldr
[2012/11/30 04:16:06 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/11/30 04:16:06 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/11/30 04:16:06 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/11/30 04:16:06 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/11/30 04:16:06 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/11/29 17:09:49 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/11/27 14:58:17 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Administrator.YOUR-SGZ3XPNGO4\Desktop\MBR.dat
[2007/06/14 01:22:13 | 000,002,231 | ---- | C] () -- C:\Program Files\folder.js

========== ZeroAccess Check ==========

[2003/05/03 10:39:46 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2004/01/21 15:15:50 | 001,339,904 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2003/03/30 18:00:00 | 000,565,248 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2003/03/30 18:00:00 | 000,259,072 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2009/11/18 20:44:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2005/07/26 16:49:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/11/18 20:28:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Yahoo

========== Purity Check ==========



========== Files - Unicode (All) ==========
[2007/10/14 19:03:11 | 000,000,000 | ---D | M](C:\WINDOWS\?racle) -- C:\WINDOWS\Οracle
[2007/10/14 19:03:11 | 000,000,000 | ---D | C](C:\WINDOWS\?racle) -- C:\WINDOWS\Οracle
[2007/09/29 13:41:28 | 000,000,000 | ---D | M](C:\WINDOWS\?dobe) -- C:\WINDOWS\Αdobe
[2007/09/29 13:41:28 | 000,000,000 | ---D | C](C:\WINDOWS\?dobe) -- C:\WINDOWS\Αdobe
[2007/09/21 14:51:52 | 000,000,000 | ---D | M](C:\WINDOWS\System32\?racle) -- C:\WINDOWS\System32\Оracle
[2007/09/21 14:51:52 | 000,000,000 | ---D | C](C:\WINDOWS\System32\?racle) -- C:\WINDOWS\System32\Оracle
[2007/09/05 18:17:48 | 000,000,000 | ---D | M](C:\Program Files\Common Files\T?sks) -- C:\Program Files\Common Files\Tаsks
[2007/09/05 18:17:48 | 000,000,000 | ---D | M](C:\Program Files\Common Files\T?sks) -- C:\Program Files\Common Files\Tаsks
[2007/09/03 14:35:20 | 000,000,000 | ---D | M](C:\Program Files\??stem) -- C:\Program Files\ѕуstem
[2007/09/03 14:35:20 | 000,000,000 | ---D | M](C:\Program Files\??stem) -- C:\Program Files\ѕуstem
[2007/08/19 14:17:50 | 000,000,000 | ---D | M](C:\Program Files\?ymantec) -- C:\Program Files\Ѕymantec
[2007/08/19 14:17:50 | 000,000,000 | ---D | M](C:\Program Files\?ymantec) -- C:\Program Files\Ѕymantec
[2007/08/13 20:07:27 | 000,000,000 | ---D | M](C:\Program Files\Common Files\F?nts) -- C:\Program Files\Common Files\Fοnts
[2007/08/13 20:07:27 | 000,000,000 | ---D | M](C:\Program Files\Common Files\F?nts) -- C:\Program Files\Common Files\Fοnts
[2007/07/27 10:50:55 | 000,000,000 | ---D | M](C:\Program Files\?racle) -- C:\Program Files\Οracle
[2007/07/27 10:50:55 | 000,000,000 | ---D | M](C:\Program Files\?racle) -- C:\Program Files\Οracle
[2007/07/16 15:09:55 | 000,000,000 | ---D | M](C:\WINDOWS\System32\?icrosoft) -- C:\WINDOWS\System32\Мicrosoft
[2007/07/16 15:09:55 | 000,000,000 | ---D | C](C:\WINDOWS\System32\?icrosoft) -- C:\WINDOWS\System32\Мicrosoft
(C:\Program Files\Common Files\T?sks) -- C:\Program Files\Common Files\Tаsks
(C:\Program Files\Common Files\F?nts) -- C:\Program Files\Common Files\Fοnts
(C:\Program Files\?ymantec) -- C:\Program Files\Ѕymantec
(C:\Program Files\?racle) -- C:\Program Files\Οracle
(C:\Program Files\??stem) -- C:\Program Files\ѕуstem

< End of report >
OTL Extras logfile created on: 11/30/2012 10:32:07 AM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Administrator.YOUR-SGZ3XPNGO4\Desktop
Windows XP Home Edition Service Pack 1 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2800.1106)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

446.48 Mb Total Physical Memory | 314.82 Mb Available Physical Memory | 70.51% Memory free
1.03 Gb Paging File | 0.98 Gb Available in Paging File | 95.31% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.89 Gb Total Space | 50.76 Gb Free Space | 90.83% Space Free | Partition Type: NTFS

Computer Name: YOUR-SGZ3XPNGO4 | User Name: Administrator | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" /p %1 (Microsoft Corporation)
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00000409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Premium
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{11B569C2-4BF6-4ED0-9D17-A4273943CB24}" = Adobe Photoshop Album 2.0 Starter Edition
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{45B6180B-DCAB-4093-8EE8-6164457517F0}" = Photosmart 140,240,7200,7600,7700,7900 Series
"{46DDF76F-ACD4-42BC-B48F-B89C4EE2E1A9}" = Easy CD & DVD Creator 6
"{6FA269F8-38CB-4DF7-AA0D-36E3CE789485}" = HP Software Update
"{7148F0A8-6813-11D6-A77B-00B0D0142000}" = Java 2 Runtime Environment, SE v1.4.2
"{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}" = Microsoft Works 7.0
"{7BBD57D6-09B1-4CC3-9664-A0D53EE25247}" = PSShortcutsP
"{9705A7E1-3DD1-4BAC-8CA9-FE7B1473BEC9}" = iTunes
"{98E8A2EF-4EAE-43B8-A172-74842B764777}" = InterVideo WinDVD
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A8F2DCDE-AE4E-4AC9-BECD-496FB80FBF6A}" = Notebook Utilities
"{AC76BA86-7AD7-1033-7B44-000000000001}" = Adobe Reader 6.0
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{DB518BA6-CB74-4EB6-9ABD-880B6D6E1F38}" = HpSdpAppCoreApp
"{F419D20A-7719-4639-8E30-C073A040D878}" = HP Deskjet Preloaded Printer Drivers
"AOL Uninstaller" = AOL Uninstaller (Choose which Products to Remove)
"ATI Display Driver" = ATI Display Driver
"CNXT_MODEM_PCI_VEN_10B9&DEV_5457&SUBSYS_0850103C" = Conexant 56K ACLink Modem
"Conexant PCI Audio" = Conexant AC-Link Audio
"ERUNT_is1" = ERUNT 1.1j
"ieupdate" = Internet Explorer Q832894
"InstallShield_{9705A7E1-3DD1-4BAC-8CA9-FE7B1473BEC9}" = iTunes
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.65.1.1000
"oeupdate" = Outlook Express Q837009
"Q811114" = Windows XP Hotfix (SP2) Q811114
"Q814995" = Windows XP Hotfix (SP2) Q814995
"Q819696" = Windows XP Hotfix (SP2) Q819696
"QT4HPOT" = One-Touch Buttons
"QuickTime" = QuickTime
"RealPlayer 6.0" = RealPlayer Basic
"ShockwaveFlash" = Adobe Flash Player 9 ActiveX
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"ViewpointMediaPlayer" = Viewpoint Media Player
"Windows Media Format Runtime" = Windows Media Format Runtime
"Yahoo! Applications" = AT&T Yahoo! Applications
"Yahoo! Toolbar" = Yahoo! Toolbar

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 11/30/2012 9:12:39 AM | Computer Name = YOUR-SGZ3XPNGO4 | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 8007043C from line 44 of d:\nt_qxp\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 11/30/2012 9:12:39 AM | Computer Name = YOUR-SGZ3XPNGO4 | Source = VSS | ID = 8193
Description = Volume Shadow Copy Service error: Unexpected error calling routine
CoCreateInstance. hr = 0x80040206.

Error - 11/30/2012 10:06:23 AM | Computer Name = YOUR-SGZ3XPNGO4 | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 8007043C from line 44 of d:\nt_qxp\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 11/30/2012 10:06:23 AM | Computer Name = YOUR-SGZ3XPNGO4 | Source = VSS | ID = 8193
Description = Volume Shadow Copy Service error: Unexpected error calling routine
CoCreateInstance. hr = 0x80040206.

Error - 11/30/2012 10:51:39 AM | Computer Name = YOUR-SGZ3XPNGO4 | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 8007043C from line 44 of d:\nt_qxp\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 11/30/2012 10:51:39 AM | Computer Name = YOUR-SGZ3XPNGO4 | Source = VSS | ID = 8193
Description = Volume Shadow Copy Service error: Unexpected error calling routine
CoCreateInstance. hr = 0x80040206.

Error - 11/30/2012 12:57:29 PM | Computer Name = YOUR-SGZ3XPNGO4 | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 8007043C from line 44 of d:\nt_qxp\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 11/30/2012 12:57:29 PM | Computer Name = YOUR-SGZ3XPNGO4 | Source = VSS | ID = 8193
Description = Volume Shadow Copy Service error: Unexpected error calling routine
CoCreateInstance. hr = 0x80040206.

Error - 11/30/2012 2:15:50 PM | Computer Name = YOUR-SGZ3XPNGO4 | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 8007043C from line 44 of d:\nt_qxp\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 11/30/2012 2:15:51 PM | Computer Name = YOUR-SGZ3XPNGO4 | Source = VSS | ID = 8193
Description = Volume Shadow Copy Service error: Unexpected error calling routine
CoCreateInstance. hr = 0x80040206.

[ System Events ]
Error - 11/30/2012 12:59:09 PM | Computer Name = YOUR-SGZ3XPNGO4 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AmdK7 cdudf_xp Fips

Error - 11/30/2012 12:59:09 PM | Computer Name = YOUR-SGZ3XPNGO4 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Terminal Services service
to connect.

Error - 11/30/2012 12:59:09 PM | Computer Name = YOUR-SGZ3XPNGO4 | Source = Service Control Manager | ID = 7000
Description = The Terminal Services service failed to start due to the following
error: %%1053

Error - 11/30/2012 1:28:40 PM | Computer Name = YOUR-SGZ3XPNGO4 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 11/30/2012 2:15:50 PM | Computer Name = YOUR-SGZ3XPNGO4 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 11/30/2012 2:17:08 PM | Computer Name = YOUR-SGZ3XPNGO4 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 11/30/2012 2:17:26 PM | Computer Name = YOUR-SGZ3XPNGO4 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AmdK7 cdudf_xp Fips

Error - 11/30/2012 2:17:26 PM | Computer Name = YOUR-SGZ3XPNGO4 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Terminal Services service
to connect.

Error - 11/30/2012 2:17:26 PM | Computer Name = YOUR-SGZ3XPNGO4 | Source = Service Control Manager | ID = 7000
Description = The Terminal Services service failed to start due to the following
error: %%1053

Error - 11/30/2012 2:18:57 PM | Computer Name = YOUR-SGZ3XPNGO4 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}


< End of report >

ken545
2012-11-30, 22:33
Open OTL.exe

Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL




:processes
killallprocesses

:OTL
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://red.clientapps.yahoo.com/cust...search/ie.html
IE - HKU\S-1-5-21-2410815248-1412881139-3060410368-500\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
IE - HKU\S-1-5-21-2410815248-1412881139-3060410368-500\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
IE - HKU\S-1-5-21-2410815248-1412881139-3060410368-500\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://red.clientapps.yahoo.com/cust...search/ie.html
O2 - BHO: (no name) - {49BC054F-7A54-40B6-8B5A-DB50B72F87C2} - No CLSID value found.
O2 - BHO: (no name) - {9F827460-4594-41E5-96CE-A06CFB00280E} - \ File not found
O2 - BHO: (Reg Error: Value error.) - {DC192567-65F9-4AB6-ADB7-E13575F81726} - C:\WINDOWS\system32\rqronli.dll File not found
O2 - BHO: (Reg Error: Value error.) - {FD0B6F9A-845C-AEAC-0C20-F99AF4FF4CC5} - C:\WINDOWS\System32\kkf.dll File not found
O4 - HKU\S-1-5-21-2410815248-1412881139-3060410368-500..\RunOnce: [SpybotDeletingB3727] C:\WINDOWS\System32\command.com ()
O4 - HKU\S-1-5-21-2410815248-1412881139-3060410368-500..\RunOnce: [SpybotDeletingB4854] C:\WINDOWS\System32\command.com ()
O4 - HKU\S-1-5-21-2410815248-1412881139-3060410368-500..\RunOnce: [SpybotDeletingB6437] C:\WINDOWS\System32\command.com ()
O4 - HKU\S-1-5-21-2410815248-1412881139-3060410368-500..\RunOnce: [SpybotDeletingB6692] C:\WINDOWS\System32\command.com ()
O4 - HKU\S-1-5-21-2410815248-1412881139-3060410368-500..\RunOnce: [SpybotDeletingB6958] C:\WINDOWS\System32\command.com ()
O4 - HKU\S-1-5-21-2410815248-1412881139-3060410368-500..\RunOnce: [SpybotDeletingD2036] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-2410815248-1412881139-3060410368-500..\RunOnce: [SpybotDeletingD2534] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-2410815248-1412881139-3060410368-500..\RunOnce: [SpybotDeletingD3002] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-2410815248-1412881139-3060410368-500..\RunOnce: [SpybotDeletingD447] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-2410815248-1412881139-3060410368-500..\RunOnce: [SpybotDeletingD8753] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
[2012/11/30 04:01:21 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At5.job
[2012/11/29 22:09:54 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At22.job
[2012/11/29 22:09:54 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At20.job
[2012/11/29 22:09:50 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At21.job
[2012/11/29 18:01:28 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At19.job


:Services

:Reg

:Files
ipconfig /flushdns /c


:Commands
[purity]
[resethosts]
[emptytemp]
[start explorer]
[Reboot]

Then click the Run Fix button at the top. <--Not run Scan
Let the program run unhindered, reboot when it is done
Then post the results of the log it produces

Harold Raby
2012-12-01, 00:15
Hi Ken545; Sorry that took so long but I was out hunting and gathering. Here is the log.

All processes killed
========== PROCESSES ==========
========== OTL ==========
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Search Bar| /E : value set successfully!
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Search Page| /E : value set successfully!
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\\CustomSearch| /E : value set successfully!
HKU\S-1-5-21-2410815248-1412881139-3060410368-500\SOFTWARE\Microsoft\Internet Explorer\Main\\Search Bar| /E : value set successfully!
HKU\S-1-5-21-2410815248-1412881139-3060410368-500\SOFTWARE\Microsoft\Internet Explorer\Main\\Search Page| /E : value set successfully!
HKU\S-1-5-21-2410815248-1412881139-3060410368-500\SOFTWARE\Microsoft\Internet Explorer\Search\\CustomSearch| /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{49BC054F-7A54-40B6-8B5A-DB50B72F87C2}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{49BC054F-7A54-40B6-8B5A-DB50B72F87C2}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9F827460-4594-41E5-96CE-A06CFB00280E}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9F827460-4594-41E5-96CE-A06CFB00280E}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DC192567-65F9-4AB6-ADB7-E13575F81726}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DC192567-65F9-4AB6-ADB7-E13575F81726}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FD0B6F9A-845C-AEAC-0C20-F99AF4FF4CC5}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FD0B6F9A-845C-AEAC-0C20-F99AF4FF4CC5}\ deleted successfully.
Registry value HKEY_USERS\S-1-5-21-2410815248-1412881139-3060410368-500\Software\Microsoft\Windows\CurrentVersion\RunOnce\\SpybotDeletingB3727 deleted successfully.
C:\WINDOWS\system32\command.com moved successfully.
Registry value HKEY_USERS\S-1-5-21-2410815248-1412881139-3060410368-500\Software\Microsoft\Windows\CurrentVersion\RunOnce\\SpybotDeletingB4854 deleted successfully.
File C:\WINDOWS\System32\command.com not found.
Registry value HKEY_USERS\S-1-5-21-2410815248-1412881139-3060410368-500\Software\Microsoft\Windows\CurrentVersion\RunOnce\\SpybotDeletingB6437 deleted successfully.
File C:\WINDOWS\System32\command.com not found.
Registry value HKEY_USERS\S-1-5-21-2410815248-1412881139-3060410368-500\Software\Microsoft\Windows\CurrentVersion\RunOnce\\SpybotDeletingB6692 deleted successfully.
File C:\WINDOWS\System32\command.com not found.
Registry value HKEY_USERS\S-1-5-21-2410815248-1412881139-3060410368-500\Software\Microsoft\Windows\CurrentVersion\RunOnce\\SpybotDeletingB6958 deleted successfully.
File C:\WINDOWS\System32\command.com not found.
Registry value HKEY_USERS\S-1-5-21-2410815248-1412881139-3060410368-500\Software\Microsoft\Windows\CurrentVersion\RunOnce\\SpybotDeletingD2036 deleted successfully.
C:\WINDOWS\system32\cmd.exe moved successfully.
Registry value HKEY_USERS\S-1-5-21-2410815248-1412881139-3060410368-500\Software\Microsoft\Windows\CurrentVersion\RunOnce\\SpybotDeletingD2534 deleted successfully.
File C:\WINDOWS\System32\cmd.exe not found.
Registry value HKEY_USERS\S-1-5-21-2410815248-1412881139-3060410368-500\Software\Microsoft\Windows\CurrentVersion\RunOnce\\SpybotDeletingD3002 deleted successfully.
File C:\WINDOWS\System32\cmd.exe not found.
Registry value HKEY_USERS\S-1-5-21-2410815248-1412881139-3060410368-500\Software\Microsoft\Windows\CurrentVersion\RunOnce\\SpybotDeletingD447 deleted successfully.
File C:\WINDOWS\System32\cmd.exe not found.
Registry value HKEY_USERS\S-1-5-21-2410815248-1412881139-3060410368-500\Software\Microsoft\Windows\CurrentVersion\RunOnce\\SpybotDeletingD8753 deleted successfully.
File C:\WINDOWS\System32\cmd.exe not found.
C:\WINDOWS\tasks\At5.job moved successfully.
C:\WINDOWS\tasks\At22.job moved successfully.
C:\WINDOWS\tasks\At20.job moved successfully.
C:\WINDOWS\tasks\At21.job moved successfully.
C:\WINDOWS\tasks\At19.job moved successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
< ipconfig /flushdns /c >
No captured output from command...
C:\Documents and Settings\Administrator.YOUR-SGZ3XPNGO4\Desktop\cmd.bat deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\Αdobe folder moved successfully.
C:\WINDOWS\Οracle folder moved successfully.
C:\WINDOWS\System32\Мicrosoft folder moved successfully.
C:\WINDOWS\System32\Оracle folder moved successfully.
C:\Program Files\Οracle folder moved successfully.
C:\Program Files\Ѕymantec folder moved successfully.
C:\Program Files\ѕуstem folder moved successfully.
C:\Program Files\Common Files\Fοnts folder moved successfully.
C:\Program Files\Common Files\Tаsks folder moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temporary Internet Files folder emptied: 32768 bytes

User: Administrator.YOUR-SGZ3XPNGO4
->Temp folder emptied: 82948659 bytes
->Temporary Internet Files folder emptied: 82415447 bytes
->Flash cache emptied: 598 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32768 bytes

User: Hal
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 3338695 bytes
->Flash cache emptied: 348 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 65536 bytes
%systemroot%\System32 .tmp files removed: 1853724 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 82368 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 801410 bytes
RecycleBin emptied: 800042 bytes

Total Files Cleaned = 164.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 11302012_145728

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
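The OTL fix log above is worth a second look: the folders it moved (C:\WINDOWS\Αdobe, C:\Program Files\Ѕymantec, C:\WINDOWS\System32\Мicrosoft, Common Files\Tаsks and so on) are spelled with Greek and Cyrillic letters that render exactly like the Latin ones, which is why they blend in next to the real vendor folders in Explorer. The following Python script is an added example for this thread, not code from OTL, ESET or either poster; it reads "folder moved successfully" lines of the same shape, flags any path component containing a non-Latin letter, and, using a hand-picked lookalike table and a constructed allowlist of the vendor names seen in this log (both assumptions of the example), names the legitimate folder each one imitates. The sample log lines are constructed with explicit Unicode escapes so the lookalike letters are visible in the source.

```python
"""Flag Unicode lookalike (homoglyph) letters in Windows folder names.

Added example, not part of OTL, ESET or the original forum posts. The sample
lines are constructed to mirror the "<folder> moved successfully" entries in
the OTL fix log, where vendor-looking folders used Greek or Cyrillic letters.
"""
import re
import unicodedata

# Constructed sample log. The escapes make the non-Latin letters explicit:
# U+0391 Greek Alpha, U+041C Cyrillic Em, U+0405 Cyrillic Dze, U+0455/U+0443
# Cyrillic dze/u, U+03BF Greek omicron. The last line is a genuine ASCII name.
SAMPLE_LOG = (
    "C:\\WINDOWS\\\u0391dobe folder moved successfully.\n"
    "C:\\WINDOWS\\System32\\\u041cicrosoft folder moved successfully.\n"
    "C:\\Program Files\\\u0405ymantec folder moved successfully.\n"
    "C:\\Program Files\\\u0455\u0443stem folder moved successfully.\n"
    "C:\\Program Files\\Common Files\\F\u03bfnts folder moved successfully.\n"
    "C:\\Program Files\\Adobe folder moved successfully.\n"
)

# Captures the path in front of OTL's "folder moved successfully." wording.
PATH_RE = re.compile(r"([A-Za-z]:\\[^\r\n]*?) folder moved successfully\.")

# Partial, hand-picked map of Greek/Cyrillic letters to the Latin letter they
# resemble. This is an assumption of the example, not a Unicode standard table.
LOOKALIKES = {
    "\u0391": "A", "\u0392": "B", "\u0395": "E", "\u0397": "H", "\u0399": "I",
    "\u039a": "K", "\u039c": "M", "\u039d": "N", "\u039f": "O", "\u03a1": "P",
    "\u03a4": "T", "\u03a7": "X", "\u03bf": "o", "\u03c1": "p",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X", "\u0405": "S", "\u0406": "I", "\u0408": "J",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
}

# Folder names worth imitating, taken from the thread's log and used here as a
# constructed allowlist; a real deployment would build this from a clean host.
KNOWN_DIR_NAMES = {"Adobe", "Oracle", "Microsoft", "Symantec",
                   "system", "Fonts", "Tasks"}


def suspicious_components(path):
    """Return [(component, [(char, unicode_name, script)])] for every path
    component that contains a non-ASCII character. The script is the first
    word of the Unicode character name, e.g. GREEK or CYRILLIC."""
    findings = []
    for comp in path.split("\\"):
        bad = []
        for ch in comp:
            if ord(ch) < 128:
                continue
            name = unicodedata.name(ch, "UNKNOWN")
            bad.append((ch, name, name.split()[0]))
        if bad:
            findings.append((comp, bad))
    return findings


def latin_skeleton(name):
    """Replace each known lookalike letter with the Latin letter it imitates."""
    return "".join(LOOKALIKES.get(ch, ch) for ch in name)


def impersonated_name(component):
    """If a non-ASCII component collapses to a well-known folder name, return
    that name; otherwise None."""
    if component.isascii():
        return None
    skel = latin_skeleton(component)
    return skel if skel in KNOWN_DIR_NAMES and skel != component else None


def scan_log(text):
    """Return one record per suspicious path component found in the log."""
    results = []
    for m in PATH_RE.finditer(text):
        path = m.group(1)
        for comp, bad in suspicious_components(path):
            results.append({
                "path": path,
                "component": comp,
                "chars": [f"U+{ord(c):04X} {n}" for c, n, _ in bad],
                "impersonates": impersonated_name(comp),
            })
    return results


if __name__ == "__main__":
    for rec in scan_log(SAMPLE_LOG):
        who = rec["impersonates"] or "(no known name)"
        print(f"{rec['path']!r}: {', '.join(rec['chars'])} -> looks like {who}")
```

The two checks are deliberately separate: any non-ASCII letter in a system folder name under C:\WINDOWS or C:\Program Files is unusual enough to report on its own, while the skeleton comparison tells you which legitimate folder the name was built to hide beside. The same components can be pointed at a directory listing instead of a log line.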

ken545
2012-12-01, 00:54
Great, give both RogueKiller and Combofix another shot; you can run them in Safe Mode if need be.

Run this tool first; it may stop the malware from running so that you can run the above programs.

Please download rkill (Courtesy of Bleepingcomputer.com).
There are 5 different versions of this tool. If one of them will not run, please try the next one in the list.
Note: Vista and Windows 7 Users must right click and select "Run as Administrator" to run the tool.
Note: You only need to get one of the tools to run, not all of them.




1. rkill.exe (http://download.bleepingcomputer.com/grinler/rkill.exe)
2. rkill.com (http://download.bleepingcomputer.com/grinler/rkill.com)
3. rkill.scr (http://download.bleepingcomputer.com/grinler/rkill.scr)
4. WiNlOgOn.exe (http://download.bleepingcomputer.com/grinler/WiNlOgOn.exe)
5. uSeRiNiT.exe (http://download.bleepingcomputer.com/grinler/uSeRiNiT.exe)


Note: You will likely see a message from this rogue telling you the file is infected. Ignore the message. Leave the message OPEN, do not close the message.

Run rkill repeatedly until it's able to do its job. This may take a few tries.

You'll be able to tell rkill has done its job when your desktop (explorer.exe) cycles off and then on again.

Harold Raby
2012-12-01, 03:23
Hi Ken545; Well, damn. None will work. rkill gives me a black screen and then an error window marked 'rkill.exe - entry point not found', and in the window it says 'The procedure entry point EncodePointer could not be located in the dynamic link library KERNEL32.dll.' Combofix freezes during scan and RogueKiller is just ignoring me. I cleared everything and D/Led new copies of Combofix and RogueKiller.

ken545
2012-12-01, 12:49
Let's see if you can run a free online virus scanner; if not, then I will refer you to another forum that can help you reinstall Windows, as we just do malware removal on this one.

You said in your original post that this computer was given to you for a trip. Is it yours now, or do you have to return it? Whoever gave you this really trashed it. I am feeling now that, with the amount of infections on this system, it may have corrupted the operating system.


There is a way of taking your Windows CD with SP1, downloading SP3 and creating a new disk combining both; it's called slipstreaming, but I will let the other forum decide if it can be done.

ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.

Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.
Accept any security warnings from your browser.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
Make sure that the option "Remove found threats" is Unchecked
Push the Start button.
ESET will then download updates for itself, install itself, and begin
scanning your computer. Please be patient as this can take some time.
When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as
ESETScan. Include the contents of this report in your next reply.
Push the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png button.
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png
Please make sure you include the following items in your next post:
The log that was produced after running ESET Online Scanner.

Harold Raby
2012-12-01, 14:05
Good morning Ken545; I followed your instructions to the letter. Your instructions were open on one computer and I did what you said to the infected laptop. Everything worked as expected right up to the 'export to txt file' part. The save button appears to work but nothing happens. I tried the desktop, a new folder on the desktop and 'my documents'. I tried to highlight and copy but nothing works. I am keeping the computer on and everything is at the save point; any ideas? Harold.. I am going to change my mind, as I remembered that I closed the browser page that was open to this forum. While waiting for your reply I am going to clear it all, do a restart and start from scratch. Later, H.

Harold Raby
2012-12-01, 15:02
OK, got it. I overlooked your words 'using a unique name'; I think that was the problem. Anyway, there are 128 listed problems. Here they are...

C:\command.exe probably a variant of Win32/TrojanDownloader.Agent.EXXKCAT trojan
C:\AOL Instant Messenger\AIM.exe Win32/Adware.WBug.A application
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe Win32/Pecutex.A virus
C:\Program Files\Common Files\AOL\1122428264\EE\AOLSoftware.exe Win32/Pecutex.A virus
C:\Program Files\Common Files\Companion Wizard\compwiz.exe a variant of Win32/Adware.WinAntiVirus.AA application
C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe Win32/Pecutex.A virus
C:\Program Files\HPQ\Default Settings\cpqset.exe Win32/Pecutex.A virus
C:\Program Files\HPQ\One-Touch\OneTouch.EXE Win32/Pecutex.A virus
C:\Program Files\iTunes\iTunesHelper.exe Win32/Pecutex.A virus
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe Win32/Pecutex.A virus
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe Win32/Pecutex.A virus
C:\WINDOWS\mcithread.dll a variant of Win32/Small.OR trojan
C:\WINDOWS\tsitra1000106.exe a variant of Win32/TrojanDownloader.Agent.BLS trojan
C:\WINDOWS\tsitra572.exe Win32/TrojanDownloader.Agent.BLS trojan
C:\WINDOWS\tsitra77.exe a variant of Win32/TrojanDownloader.Agent.BLS trojan
C:\WINDOWS\WebAssist.dll probably a variant of Win32/Adware.BHO.NLSVSMI application
C:\WINDOWS\winshow.exe probably a variant of Win32/VB.GORZMMQ trojan
C:\WINDOWS\xmlhelper4.dll Win32/Adware.Agent.DB application
C:\WINDOWS\system32\apfslinl.dll a variant of Win32/Adware.PurityScan.AC application
C:\WINDOWS\system32\aruclpey.ini Win32/Adware.Virtumonde.NEO application
C:\WINDOWS\system32\aufdrlgo.ini Win32/Adware.Virtumonde.NEO application
C:\WINDOWS\system32\bcckrtwx.exe Win32/Adware.Ezula application
C:\WINDOWS\system32\bgofqhil.exe Win32/Adware.Ezula application
C:\WINDOWS\system32\bnmfpkxq.dll a variant of Win32/Adware.Virtumonde application
C:\WINDOWS\system32\bsw.dll a variant of Win32/Adware.PurityScan.AC application
C:\WINDOWS\system32\cljpbyax.exe Win32/Adware.Ezula application
C:\WINDOWS\system32\daaaxwyr.dll Win32/BHO.BD trojan
C:\WINDOWS\system32\dliybfej.exe Win32/Adware.Ezula application
C:\WINDOWS\system32\dugggsfh.dll a variant of Win32/Adware.Virtumonde application
C:\WINDOWS\system32\emakdvwb.exe Win32/TrojanDownloader.Tiny.ID trojan
C:\WINDOWS\system32\emohyklt.exe Win32/Adware.Ezula application
C:\WINDOWS\system32\etlrsxle.exe Win32/Adware.Ezula application
C:\WINDOWS\system32\euqlwtov.ini Win32/Adware.Virtumonde.NEO application
C:\WINDOWS\system32\FAUU77dx.dll probably a variant of Win32/Adware.BHO.EHHYPVY application
C:\WINDOWS\system32\fuvvqmxg.dll Win32/BHO.BD trojan
C:\WINDOWS\system32\gchugtqs.exe Win32/Adware.Ezula application
C:\WINDOWS\system32\gebyvwt.dll Win32/Adware.Virtumonde application
C:\WINDOWS\system32\hcoooqju.ini Win32/Adware.Virtumonde.NEO application
C:\WINDOWS\system32\hfsgggud.ini Win32/Adware.Virtumonde.NEO application
C:\WINDOWS\system32\hperfqge.dll Win32/BHO.BD trojan
C:\WINDOWS\system32\hphmon05.exe Win32/Pecutex.A virus
C:\WINDOWS\system32\hrlbyvrr.exe Win32/Adware.Ezula application
C:\WINDOWS\system32\idikuryj.exe Win32/Adware.Ezula application
C:\WINDOWS\system32\iifdbba.dll a variant of Win32/Adware.Virtumonde application
C:\WINDOWS\system32\ijskjhol.dll Win32/BHO.BD trojan
C:\WINDOWS\system32\ijyknmrm.ini Win32/Adware.Virtumonde.NEO application
C:\WINDOWS\system32\ikubiybb.ini Win32/Adware.Virtumonde.NEO application
C:\WINDOWS\system32\irmtexxr.exe Win32/Adware.Ezula application
C:\WINDOWS\system32\ivlawoxj.ini Win32/Adware.Virtumonde.NEO application
C:\WINDOWS\system32\iyainriu.ini Win32/Adware.Virtumonde.NEO application
C:\WINDOWS\system32\jbxxhcde.dll Win32/BHO.BD trojan
C:\WINDOWS\system32\jdppqgkc.exe Win32/TrojanDownloader.Tiny.ID trojan
C:\WINDOWS\system32\jeewprvc.dll Win32/BHO.BD trojan
C:\WINDOWS\system32\jhmunnyk.exe Win32/Adware.Ezula application
C:\WINDOWS\system32\jtonnofo.exe Win32/TrojanDownloader.Tiny.ID trojan
C:\WINDOWS\system32\jxowalvi.dll Win32/Adware.Virtumonde application
C:\WINDOWS\system32\khaoeops.exe Win32/TrojanDownloader.Tiny.ID trojan
C:\WINDOWS\system32\khfffge.dll Win32/Adware.Virtumonde application
C:\WINDOWS\system32\khngrkwr.ini Win32/Adware.Virtumonde.NEO application
C:\WINDOWS\system32\kictpbyv.exe Win32/TrojanDownloader.Tiny.ID trojan
C:\WINDOWS\system32\kN2kn73i.exe probably unknown NewHeur_PE virus
C:\WINDOWS\system32\kqwcxlgq.ini Win32/Adware.Virtumonde.NEO application
C:\WINDOWS\system32\kreupdfl.exe Win32/Adware.Ezula application
C:\WINDOWS\system32\lbwufjpw.ini Win32/Adware.Virtumonde.NEO application
C:\WINDOWS\system32\ldnjrbdh.ini Win32/Adware.Virtumonde.NEO application
C:\WINDOWS\system32\lecrrlnu.ini Win32/Adware.Virtumonde.NEO application
C:\WINDOWS\system32\ljjhiii.dll Win32/TrojanDownloader.ConHook trojan
C:\WINDOWS\system32\mhaiswrp.exe Win32/TrojanDownloader.Tiny.ID trojan
C:\WINDOWS\system32\mldrtput.exe Win32/TrojanDownloader.Tiny.ID trojan
C:\WINDOWS\system32\mnppo.bak1 Win32/Adware.Virtumonde.NEO application
C:\WINDOWS\system32\mnppo.bak2 Win32/Adware.Virtumonde.NEO application
C:\WINDOWS\system32\mnppo.ini Win32/Adware.Virtumonde.NEO application
C:\WINDOWS\system32\mnppo.ini2 Win32/Adware.Virtumonde.NEO application
C:\WINDOWS\system32\mqrrggjf.ini Win32/Adware.Virtumonde.NEO application
C:\WINDOWS\system32\mrkirmjx.exe Win32/Adware.Ezula application
C:\WINDOWS\system32\myhrprmn.ini Win32/Adware.Virtumonde.NEO application
C:\WINDOWS\system32\nclkyvtx.ex_ probably a variant of Win32/Adware.HotBar application
C:\WINDOWS\system32\nucitqas.dll Win32/Adware.Virtumonde application
C:\WINDOWS\system32\ofofqkge.exe Win32/TrojanDownloader.Tiny.ID trojan
C:\WINDOWS\system32\pvfkeekv.ini Win32/Adware.Virtumonde.NEO application
C:\WINDOWS\system32\qbtvtoaa.ini Win32/Adware.Virtumonde.NEO application
C:\WINDOWS\system32\qoriatnx.ini Win32/Adware.Virtumonde.NEO application
C:\WINDOWS\system32\qpbynrkd.exe Win32/Adware.Ezula application
C:\WINDOWS\system32\qxkpfmnb.ini Win32/Adware.Virtumonde.NEO application
C:\WINDOWS\system32\rdcrdawy.exe Win32/Adware.Ezula application
C:\WINDOWS\system32\reqpmmam.ini Win32/Adware.Virtumonde.NEO application
C:\WINDOWS\system32\rsfcltav.exe Win32/Adware.Ezula application
C:\WINDOWS\system32\rsxlwhhq.exe Win32/TrojanDownloader.Tiny.ID trojan
C:\WINDOWS\system32\rwkrgnhk.dll a variant of Win32/Adware.Virtumonde application
C:\WINDOWS\system32\saqticun.ini Win32/Adware.Virtumonde.NEO application
C:\WINDOWS\system32\seaxgwfd.exe Win32/Adware.Ezula application
C:\WINDOWS\system32\skpoltax.ini Win32/Adware.Virtumonde.NEO application
C:\WINDOWS\system32\ssqonkl.dll Win32/Adware.Virtumonde application
C:\WINDOWS\system32\trscewng.ini Win32/Adware.Virtumonde.NEO application
C:\WINDOWS\system32\uehenovx.exe Win32/Adware.Ezula application
C:\WINDOWS\system32\vinmjucx.dll a variant of Win32/Adware.Virtumonde application
C:\WINDOWS\system32\vryoqena.ini Win32/Adware.Virtumonde.NEO application
C:\WINDOWS\system32\vturpnk.dll a variant of Win32/Adware.Virtumonde application
C:\WINDOWS\system32\vvmjbeiy.dll a variant of Win32/Adware.Virtumonde application
C:\WINDOWS\system32\wnqmyetx.exe Win32/TrojanDownloader.Tiny.ID trojan
C:\WINDOWS\system32\wnskcupa.exe Win32/Adware.Ezula application
C:\WINDOWS\system32\woipnusa.ini Win32/Adware.Virtumonde.NEO application
C:\WINDOWS\system32\wojjwexd.ini Win32/Adware.Virtumonde.NEO application
C:\WINDOWS\system32\wpnqivti.exe Win32/TrojanDownloader.Tiny.ID trojan
C:\WINDOWS\system32\wX36655H.dll probably a variant of Win32/Adware.BHO.CXVZWNL application
C:\WINDOWS\system32\wydycmqs.exe Win32/TrojanDownloader.Tiny.ID trojan
C:\WINDOWS\system32\wyjmkyvd.dll Win32/BHO.BD trojan
C:\WINDOWS\system32\xcujmniv.ini Win32/Adware.Virtumonde.NEO application
C:\WINDOWS\system32\xegknqwj.exe Win32/Adware.Ezula application
C:\WINDOWS\system32\xgvdflbc.dll Win32/BHO.BD trojan
C:\WINDOWS\system32\xpjnuhkr.exe Win32/TrojanDownloader.Tiny.ID trojan
C:\WINDOWS\system32\xqhukiww.exe Win32/Adware.Ezula application
C:\WINDOWS\system32\ydvtfbxl.exe Win32/Adware.Ezula application
C:\WINDOWS\system32\yeplcura.dll a variant of Win32/Adware.Virtumonde application
C:\WINDOWS\system32\yiebjmvv.ini Win32/Adware.Virtumonde.NEO application
C:\WINDOWS\system32\yohalaci.exe Win32/Adware.Ezula application
C:\WINDOWS\system32\ywfsltmv.ini Win32/Adware.Virtumonde.NEO application
C:\WINDOWS\system32\bo2\ivdwnll2.exe Win32/TrojanDownloader.Small.BUY trojan
C:\WINDOWS\system32\cp1\dode83122.exe Win32/Adware.Agent.TTC application
C:\WINDOWS\system32\F2\mwspasrt83122.exe a variant of Win32/Adware.Agent.NDE application
C:\WINDOWS\system32\F3\626wr.exe Win32/TrojanDownloader.Small.EQN trojan
C:\WINDOWS\system32\F4\wen2.exe probably a variant of Win32/TrojanDropper.Agent.LMNGCTK trojan
C:\WINDOWS\system32\ib1\rwv12drv.exe Win32/TrojanDownloader.Small.GCI trojan
C:\WINDOWS\system32\o02PrEz\o02PrEz1065.exe Win32/TrojanDownloader.VB.AWJ trojan
C:\WINDOWS\system32\o09PrEz\o09PrEz1099.exe Win32/TrojanDownloader.VB.AWJ trojan
C:\WINDOWS\system32\oTt08e\oTt08e1099.exe a variant of Win32/TrojanDownloader.VB.AWJ trojan

ken545
2012-12-01, 16:59
I know this is a pain for you, but go ahead and run ESET again, and this time do this:

Make sure that the option "Remove found threats" is CHECKED

Harold Raby
2012-12-01, 19:30
Ken545; You didn't ask, but here is the list of 126 items fixed. I forgot to answer your question earlier: yes, it was given to me. I am going to Lake Charles, LA this coming year and to New Hampshire later in the year. I love Amtrak. I gave the laptop I bought for this purpose to my niece for her start-up business. I also plan on a brief seminar, for the young lady that gave me this, on the pros and cons of online gaming and A/V programs. Harold

Harold Raby
2012-12-01, 19:31
C:\command.exe probably a variant of Win32/TrojanDownloader.Agent.EXXKCAT trojan cleaned by deleting - quarantined
C:\AOL Instant Messenger\AIM.exe Win32/Adware.WBug.A application cleaned by deleting - quarantined
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe Win32/Pecutex.A virus cleaned - quarantined
C:\Program Files\Common Files\AOL\1122428264\EE\AOLSoftware.exe Win32/Pecutex.A virus cleaned - quarantined
C:\Program Files\Common Files\Companion Wizard\compwiz.exe a variant of Win32/Adware.WinAntiVirus.AA application cleaned by deleting - quarantined
C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe Win32/Pecutex.A virus cleaned - quarantined
C:\Program Files\HPQ\Default Settings\cpqset.exe Win32/Pecutex.A virus cleaned - quarantined
C:\Program Files\HPQ\One-Touch\OneTouch.EXE Win32/Pecutex.A virus cleaned - quarantined
C:\Program Files\iTunes\iTunesHelper.exe Win32/Pecutex.A virus cleaned - quarantined
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe Win32/Pecutex.A virus cleaned - quarantined
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe Win32/Pecutex.A virus cleaned - quarantined
C:\WINDOWS\mcithread.dll a variant of Win32/Small.OR trojan cleaned by deleting - quarantined
C:\WINDOWS\tsitra1000106.exe a variant of Win32/TrojanDownloader.Agent.BLS trojan cleaned by deleting - quarantined
C:\WINDOWS\tsitra572.exe Win32/TrojanDownloader.Agent.BLS trojan cleaned by deleting - quarantined
C:\WINDOWS\tsitra77.exe a variant of Win32/TrojanDownloader.Agent.BLS trojan cleaned by deleting - quarantined
C:\WINDOWS\WebAssist.dll probably a variant of Win32/Adware.BHO.NLSVSMI application cleaned by deleting - quarantined
C:\WINDOWS\winshow.exe probably a variant of Win32/VB.GORZMMQ trojan cleaned by deleting - quarantined
C:\WINDOWS\xmlhelper4.dll Win32/Adware.Agent.DB application cleaned by deleting - quarantined
C:\WINDOWS\system32\apfslinl.dll a variant of Win32/Adware.PurityScan.AC application cleaned by deleting - quarantined
C:\WINDOWS\system32\aruclpey.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\aufdrlgo.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\bcckrtwx.exe Win32/Adware.Ezula application cleaned by deleting - quarantined
C:\WINDOWS\system32\bgofqhil.exe Win32/Adware.Ezula application cleaned by deleting - quarantined
C:\WINDOWS\system32\bnmfpkxq.dll a variant of Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\WINDOWS\system32\bsw.dll a variant of Win32/Adware.PurityScan.AC application cleaned by deleting - quarantined
C:\WINDOWS\system32\cljpbyax.exe Win32/Adware.Ezula application cleaned by deleting - quarantined
C:\WINDOWS\system32\daaaxwyr.dll Win32/BHO.BD trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\dliybfej.exe Win32/Adware.Ezula application cleaned by deleting - quarantined
C:\WINDOWS\system32\dugggsfh.dll a variant of Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\WINDOWS\system32\emakdvwb.exe Win32/TrojanDownloader.Tiny.ID trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\emohyklt.exe Win32/Adware.Ezula application cleaned by deleting - quarantined
C:\WINDOWS\system32\etlrsxle.exe Win32/Adware.Ezula application cleaned by deleting - quarantined
C:\WINDOWS\system32\euqlwtov.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\FAUU77dx.dll probably a variant of Win32/Adware.BHO.EHHYPVY application cleaned by deleting - quarantined
C:\WINDOWS\system32\fuvvqmxg.dll Win32/BHO.BD trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\gchugtqs.exe Win32/Adware.Ezula application cleaned by deleting - quarantined
C:\WINDOWS\system32\gebyvwt.dll Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\WINDOWS\system32\hcoooqju.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\hfsgggud.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\hperfqge.dll Win32/BHO.BD trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\hphmon05.exe Win32/Pecutex.A virus cleaned - quarantined
C:\WINDOWS\system32\hrlbyvrr.exe Win32/Adware.Ezula application cleaned by deleting - quarantined
C:\WINDOWS\system32\idikuryj.exe Win32/Adware.Ezula application cleaned by deleting - quarantined
C:\WINDOWS\system32\iifdbba.dll a variant of Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\WINDOWS\system32\ijskjhol.dll Win32/BHO.BD trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\ijyknmrm.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\ikubiybb.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\irmtexxr.exe Win32/Adware.Ezula application cleaned by deleting - quarantined
C:\WINDOWS\system32\ivlawoxj.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\iyainriu.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\jbxxhcde.dll Win32/BHO.BD trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\jdppqgkc.exe Win32/TrojanDownloader.Tiny.ID trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\jeewprvc.dll Win32/BHO.BD trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\jhmunnyk.exe Win32/Adware.Ezula application cleaned by deleting - quarantined
C:\WINDOWS\system32\jtonnofo.exe Win32/TrojanDownloader.Tiny.ID trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\jxowalvi.dll Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\WINDOWS\system32\khaoeops.exe Win32/TrojanDownloader.Tiny.ID trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\khfffge.dll Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\WINDOWS\system32\khngrkwr.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\kictpbyv.exe Win32/TrojanDownloader.Tiny.ID trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\kN2kn73i.exe probably unknown NewHeur_PE virus deleted - quarantined
C:\WINDOWS\system32\kqwcxlgq.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\kreupdfl.exe Win32/Adware.Ezula application cleaned by deleting - quarantined
C:\WINDOWS\system32\lbwufjpw.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\ldnjrbdh.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\lecrrlnu.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\ljjhiii.dll Win32/TrojanDownloader.ConHook trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\mhaiswrp.exe Win32/TrojanDownloader.Tiny.ID trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\mldrtput.exe Win32/TrojanDownloader.Tiny.ID trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\mnppo.bak1 Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\mnppo.bak2 Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\mnppo.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\mnppo.ini2 Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\mqrrggjf.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\mrkirmjx.exe Win32/Adware.Ezula application cleaned by deleting - quarantined
C:\WINDOWS\system32\myhrprmn.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\nclkyvtx.ex_ probably a variant of Win32/Adware.HotBar application cleaned by deleting - quarantined
C:\WINDOWS\system32\nucitqas.dll Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\WINDOWS\system32\ofofqkge.exe Win32/TrojanDownloader.Tiny.ID trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\pvfkeekv.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\qbtvtoaa.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\qoriatnx.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\qpbynrkd.exe Win32/Adware.Ezula application cleaned by deleting - quarantined
C:\WINDOWS\system32\qxkpfmnb.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\rdcrdawy.exe Win32/Adware.Ezula application cleaned by deleting - quarantined
C:\WINDOWS\system32\reqpmmam.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\rsfcltav.exe Win32/Adware.Ezula application cleaned by deleting - quarantined
C:\WINDOWS\system32\rsxlwhhq.exe Win32/TrojanDownloader.Tiny.ID trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\rwkrgnhk.dll a variant of Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\WINDOWS\system32\saqticun.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\seaxgwfd.exe Win32/Adware.Ezula application cleaned by deleting - quarantined
C:\WINDOWS\system32\skpoltax.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\ssqonkl.dll Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\WINDOWS\system32\trscewng.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\uehenovx.exe Win32/Adware.Ezula application cleaned by deleting - quarantined
C:\WINDOWS\system32\vinmjucx.dll a variant of Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\WINDOWS\system32\vryoqena.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\vturpnk.dll a variant of Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\WINDOWS\system32\vvmjbeiy.dll a variant of Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\WINDOWS\system32\wnqmyetx.exe Win32/TrojanDownloader.Tiny.ID trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\wnskcupa.exe Win32/Adware.Ezula application cleaned by deleting - quarantined
C:\WINDOWS\system32\woipnusa.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\wojjwexd.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\wpnqivti.exe Win32/TrojanDownloader.Tiny.ID trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\wX36655H.dll probably a variant of Win32/Adware.BHO.CXVZWNL application cleaned by deleting - quarantined
C:\WINDOWS\system32\wydycmqs.exe Win32/TrojanDownloader.Tiny.ID trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\wyjmkyvd.dll Win32/BHO.BD trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\xcujmniv.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\xegknqwj.exe Win32/Adware.Ezula application cleaned by deleting - quarantined
C:\WINDOWS\system32\xgvdflbc.dll Win32/BHO.BD trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\xpjnuhkr.exe Win32/TrojanDownloader.Tiny.ID trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\xqhukiww.exe Win32/Adware.Ezula application cleaned by deleting - quarantined
C:\WINDOWS\system32\ydvtfbxl.exe Win32/Adware.Ezula application cleaned by deleting - quarantined
C:\WINDOWS\system32\yeplcura.dll a variant of Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\WINDOWS\system32\yiebjmvv.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\yohalaci.exe Win32/Adware.Ezula application cleaned by deleting - quarantined
C:\WINDOWS\system32\ywfsltmv.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\bo2\ivdwnll2.exe Win32/TrojanDownloader.Small.BUY trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\cp1\dode83122.exe Win32/Adware.Agent.TTC application cleaned by deleting - quarantined
C:\WINDOWS\system32\F2\mwspasrt83122.exe a variant of Win32/Adware.Agent.NDE application cleaned by deleting - quarantined
C:\WINDOWS\system32\F3\626wr.exe Win32/TrojanDownloader.Small.EQN trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\F4\wen2.exe probably a variant of Win32/TrojanDropper.Agent.LMNGCTK trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\ib1\rwv12drv.exe Win32/TrojanDownloader.Small.GCI trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\o02PrEz\o02PrEz1065.exe Win32/TrojanDownloader.VB.AWJ trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\o09PrEz\o09PrEz1099.exe Win32/TrojanDownloader.VB.AWJ trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\oTt08e\oTt08e1099.exe a variant of Win32/TrojanDownloader.VB.AWJ trojan cleaned by deleting - quarantined
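
The log above has two features a triage script should surface before anyone decides between "clean" and "rebuild": the `Win32/Pecutex.A` lines on `iTunesHelper.exe`, `SynTPEnh.exe` and `hphmon05.exe` say `cleaned`, not `cleaned by deleting`, which means ESET repaired legitimate vendor binaries that a file infector had modified, and four separate `TrojanDownloader` families were present, each a separate route for re-infection. The following script is an added example written for this editorial pass; it is not part of the thread, of Spybot or of ESET's tooling. It parses lines in the format posted above, groups them by family, and applies those two checks. Assumptions are marked in comments: the line grammar is inferred from the posted log, the family name is derived by dropping the `Win32/` platform prefix and an all-uppercase variant suffix, the "8 random lowercase letters" test is a heuristic for generated file names, and the final verdict rule is the example's own, chosen to match the reasoning in the thread. The sample input is a selection of lines copied from the posted log.

```python
"""Triage an ESET on-demand scan log in the line format pasted above.

Added example for this thread, not part of the original posts or of ESET's
tooling. It parses "<path> <detection> <action> - quarantined" lines, buckets
detections by family, and pulls out the two findings that drive the
clean-versus-rebuild decision: legitimate executables that were disinfected
in place (a file infector modified them) and how many distinct downloader
families were present (each one is a path to re-infection).
"""
import ntpath
import re
from collections import Counter

# Grammar inferred from the posted log lines; an assumption, not ESET documentation.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<qualifier>(?:probably )?(?:a variant of |unknown )?)"
    r"(?P<name>\S+)\s+(?P<kind>virus|trojan|application)\s+"
    r"(?P<action>cleaned by deleting|cleaned|deleted)\s+-\s+quarantined$"
)
VARIANT_RE = re.compile(r"^[A-Z]+$")        # ESET variant suffix such as .A, .BLS, .NEO
RANDOM_STEM_RE = re.compile(r"^[a-z]{8}$")  # heuristic for generated 8-letter file names

# Sample input: a selection of lines copied from the ESET log posted in the thread.
SAMPLE_LOG = r"""
C:\Program Files\iTunes\iTunesHelper.exe Win32/Pecutex.A virus cleaned - quarantined
C:\WINDOWS\system32\hphmon05.exe Win32/Pecutex.A virus cleaned - quarantined
C:\WINDOWS\mcithread.dll a variant of Win32/Small.OR trojan cleaned by deleting - quarantined
C:\WINDOWS\tsitra572.exe Win32/TrojanDownloader.Agent.BLS trojan cleaned by deleting - quarantined
C:\WINDOWS\WebAssist.dll probably a variant of Win32/Adware.BHO.NLSVSMI application cleaned by deleting - quarantined
C:\WINDOWS\system32\aruclpey.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\bcckrtwx.exe Win32/Adware.Ezula application cleaned by deleting - quarantined
C:\WINDOWS\system32\bnmfpkxq.dll a variant of Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\WINDOWS\system32\daaaxwyr.dll Win32/BHO.BD trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\emakdvwb.exe Win32/TrojanDownloader.Tiny.ID trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\kN2kn73i.exe probably unknown NewHeur_PE virus deleted - quarantined
C:\WINDOWS\system32\nclkyvtx.ex_ probably a variant of Win32/Adware.HotBar application cleaned by deleting - quarantined
C:\WINDOWS\system32\bo2\ivdwnll2.exe Win32/TrojanDownloader.Small.BUY trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\o02PrEz\o02PrEz1065.exe Win32/TrojanDownloader.VB.AWJ trojan cleaned by deleting - quarantined
"""


def parse_line(line):
    """Return the parsed fields of one detection line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def family(name):
    """Win32/Adware.Virtumonde.NEO -> Adware.Virtumonde: drop platform and variant."""
    parts = name.split("/", 1)[-1].split(".")
    if len(parts) > 1 and VARIANT_RE.match(parts[-1]):
        parts.pop()
    return ".".join(parts)


def triage(log_text):
    hits = [h for h in map(parse_line, log_text.splitlines()) if h]
    by_family = Counter(family(h["name"]) for h in hits)
    # "cleaned" (not "cleaned by deleting") means the file was kept and repaired:
    # ESET stripped a file infector out of an otherwise legitimate executable.
    infected_in_place = [h["path"] for h in hits if h["action"] == "cleaned"]
    random_named = sum(
        1 for h in hits
        if RANDOM_STEM_RE.match(ntpath.splitext(ntpath.basename(h["path"]))[0])
    )
    downloader_families = sorted(
        f for f in by_family if f.startswith("TrojanDownloader.")
    )
    # Decision rule used by this example: a file infector in vendor binaries, or
    # two or more downloader families, means the box cannot be trusted once cleaned.
    verdict = (
        "rebuild" if infected_in_place or len(downloader_families) >= 2
        else "clean and monitor"
    )
    return {
        "total": len(hits),
        "by_family": by_family,
        "infected_in_place": infected_in_place,
        "random_named": random_named,
        "downloader_families": downloader_families,
        "verdict": verdict,
    }


def report(log_text):
    """Human-readable summary of triage(); returned rather than printed so it can be checked."""
    r = triage(log_text)
    lines = [f"{r['total']} detections in {len(r['by_family'])} families"]
    for fam, n in r["by_family"].most_common():
        lines.append(f"  {n:3d}  {fam}")
    lines.append(f"disinfected in place (file infector): {len(r['infected_in_place'])}")
    for p in r["infected_in_place"]:
        lines.append(f"    {p}")
    lines.append(f"random 8-letter file names: {r['random_named']}")
    lines.append(f"downloader families: {', '.join(r['downloader_families'])}")
    lines.append(f"verdict: {r['verdict']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Feed it the full pasted log instead of the sample and the family counts will show the same picture at scale: dozens of Virtumonde and Ezula drops under `system32`, a handful of downloaders, and three vendor executables that were patched by a file infector. The in-place repairs are the decisive item: a disinfected binary is not a known-good binary, and nothing short of reinstalling restores that assurance, which is the conclusion the helper reaches a few posts later.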

ken545
2012-12-01, 19:43
WOW, you need to take this young lady and give her a good talking to.

Harold, with all that's been removed, let's see if you can run RKill, RogueKiller and ComboFix.

Harold Raby
2012-12-01, 20:46
No change! ComboFix runs right up to giving me the log, then freezes. RogueKiller won't run at all, nor do any of the 5 others. It is about time for your day to be over; do you want me to start from the beginning and run everything right from the start? Later, Harold

ken545
2012-12-01, 20:56
Give this a shot


Physically disconnect from the internet and STOP all your monitoring programs (antivirus/antispyware, guards and shields).
Click on your START button and choose Run. Then copy/paste the entire code in RED (including the "" marks and the symbols) into the Run box.

Go to Start, then Run.


"%userprofile%\desktop\combofix.exe" /killall

Click OK and this will start ComboFix in a special way.
When finished, it will produce a log. Please save that log to a Notepad file to post in your next reply.

Harold Raby
2012-12-01, 21:56
Ken545; I am beginning to think the problem is PEBKAC. I must be doing something wrong. I did what you said, as a matter of fact about 5 times. Windows open and close too fast for me to understand what they say. It says that it is putting something in C:\WINDOWS\ERDNT\Hiv-backup, but what is in there appears to be the program itself. I stopped just now and ran it again, and what I just told you about happens while the progress bar is about half way across; it then continues the scan and freezes up at the end. Please look and see if I have missed some monitoring programs (antivirus/antispyware, guards and shields) and left them on. I can't find anything myself, but that's not sayin' much :-). Are we having fun yet... Harold

ken545
2012-12-01, 23:42
Well Harold, I think this computer is pretty well shot as far as malware goes, and possibly has a corrupted operating system. I forgot to mention before, but even if we cleaned this system so it was operational, with the amount and type of malware on it, it would leave this computer compromised. What that means is that even after it's cleaned it could not be trusted to do any personal chores like banking online or purchasing goods from a website using a credit card. I think at this point it would be best to format and do a clean install of Windows; this way you will be 100% guaranteed that the malware is gone and you have an operational computer.

You can post here for help with this, you can also link them to this thread if you wish so they can see what we have done and go from there.

This site, like Safer, is free, but you will need to register. After you sign up, go to the Windows forum and tell them that you got this computer from a friend who did no updates and had no antivirus program installed, that the computer is so infected it will hardly run, and that it was suggested by a helper at Safer that a format and reinstall of Windows would be a better option.

http://forums.whatthetech.com/index.php?showforum=119

Good luck Harold. I am a member of WhatTheTech, and after you post I will find you and follow along, offering my 2 cents if it's needed. Be sure to use the same user name (Harold Raby) so I can find you.


Ken :)

Harold Raby
2012-12-02, 01:24
OK, Ken; I was afraid it would come to this, even if we got it all out. I just hate to let the bastards win. Sorry, only word I know for them. The young lady that gave me this is a sweetie, really. She was just not informed. She does better now; she lives with, by, and for an Android phone, but she will get the lecture anyway. I traveled once with the laptop I gave away and loved the convenience, but I spent way too much time worrying about losing it or breaking it. This one will be much better; if anything happens it would be no big loss. I carry everything on little USB external hard drives. I am going to copy a couple of the logs and some of our conversations to Notepad, put them on a thumb drive, and keep it like you might keep a picture of a boil on your butt :-). Thank you, Ken, for being there and for all of your help, time, and effort. By the way, I have never been there, but Stamford is one of my favorite cities for two reasons: there was (and may still be) a place there that sells new and used OEM parts for 1954 Austin-Healey 100s (I had one back around 1980), and that is the place where at least some of the cross-country races that became known as 'Cannonball Runs' started. If you haven't seen "Gumball Rally" then you should. I am off to WhatTheTech; I will check back here until the thread is closed. Thanks again, Harold

ken545
2012-12-02, 02:09
OK, Harold, I will keep this thread open for you for about a week in case you have anymore questions.

Stamford is nice; actually, not right now, as the temp is in the low 30s and we have some light snow and freezing rain on the horizon.

Take care my friend, feel free to post back with any questions and I will do my best to answer them if I can.

Harold Raby
2012-12-02, 03:21
Ken; I have posted over there and am waiting. I won't moan about our misting rain and 61-degree weather :-). My sister, who lived here for decades, now lives up near Keene, NH. She loves the weather. Late, H.

ken545
2012-12-02, 14:00
I see that you're being helped at WTT. Great, let's see what they can accomplish.

Harold Raby
2012-12-02, 14:31
Yeah, we are still working on communication. Figuring out what my problem is and what will fix my problem. At this point I still can't get the Compaq to open on their website. We'll get there.

Harold Raby
2012-12-04, 19:57
Hey, Ken; we are making progress. He finally figured out what I was doing wrong, and we scanned the disk to make sure it is not damaged. I am now waiting to be told what to do next. I'll keep you posted, Harold

ken545
2012-12-05, 00:17
Been following along. You're in good hands with Paws; I've been working with him for many years. You're doing well yourself; this is going to be a great learning experience for you.

Harold Raby
2012-12-05, 23:36
And it was, Thanks Ken.

ken545
2012-12-07, 13:11
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.