
kkempker7

join:2007-03-18
Holts Summit, MO


[RESOLVED]Infected with something, can't get on the internet

Working on the same machine that I worked on earlier this year, some symptoms, not able to get online. I've run just about everything I know, winsock fix and reset the tcp/ip, rKill. I had to reformat last time, thinking I'm going to have to do it again. I did have MSE installed, when I got it back, the service was not running and was unable to get the service started, couldn't uninstall it through add/remove programs. Had to remove it via .bat from MS site. Now I can't even install it again, says it's looking for some file. Since I am unable to get online, I was unable to do the online scans. Below are the log files.

kkempker7

join:2007-03-18
Holts Summit, MO

Re: Infected with something, can't get on the internet

First Malwarebytes log

Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.01.13.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Brian :: HOME [administrator]

6/2/2012 1:39:47 PM
mbam-log-2012-06-02 (13-39-47).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 228335
Time elapsed: 14 minute(s), 4 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Program Files\5qUninstall Zwinky.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.

(end)

kkempker7

join:2007-03-18
Holts Summit, MO

reply to kkempker7
Second Malwarebytes Log

Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.28.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Brian :: HOME [administrator]

6/2/2012 6:10:02 PM
mbam-log-2012-06-02 (18-10-02).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 298566
Time elapsed: 31 minute(s), 23 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 20
C:\System Volume Information\_restore{0DC0EEF5-A99A-447A-8594-BC1D60249EBA}\RP93\A0012282.exe (PUP.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{0DC0EEF5-A99A-447A-8594-BC1D60249EBA}\RP125\A0018468.dll (PUP.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{0DC0EEF5-A99A-447A-8594-BC1D60249EBA}\RP125\A0018467.exe (PUP.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{0DC0EEF5-A99A-447A-8594-BC1D60249EBA}\RP125\A0018469.dll (PUP.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{0DC0EEF5-A99A-447A-8594-BC1D60249EBA}\RP125\A0018474.dll (PUP.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{0DC0EEF5-A99A-447A-8594-BC1D60249EBA}\RP125\A0018475.dll (PUP.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{0DC0EEF5-A99A-447A-8594-BC1D60249EBA}\RP125\A0018476.dll (PUP.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{0DC0EEF5-A99A-447A-8594-BC1D60249EBA}\RP125\A0018477.dll (PUP.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{0DC0EEF5-A99A-447A-8594-BC1D60249EBA}\RP125\A0018481.exe (PUP.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{0DC0EEF5-A99A-447A-8594-BC1D60249EBA}\RP125\A0018485.dll (PUP.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{0DC0EEF5-A99A-447A-8594-BC1D60249EBA}\RP125\A0018489.dll (PUP.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{0DC0EEF5-A99A-447A-8594-BC1D60249EBA}\RP125\A0018490.dll (PUP.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{0DC0EEF5-A99A-447A-8594-BC1D60249EBA}\RP125\A0018493.dll (PUP.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{0DC0EEF5-A99A-447A-8594-BC1D60249EBA}\RP125\A0018496.dll (PUP.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{0DC0EEF5-A99A-447A-8594-BC1D60249EBA}\RP125\A0018497.exe (PUP.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{0DC0EEF5-A99A-447A-8594-BC1D60249EBA}\RP125\A0018499.dll (PUP.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{0DC0EEF5-A99A-447A-8594-BC1D60249EBA}\RP125\A0018501.dll (PUP.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{0DC0EEF5-A99A-447A-8594-BC1D60249EBA}\RP125\A0018512.dll (PUP.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{0DC0EEF5-A99A-447A-8594-BC1D60249EBA}\RP127\A0018539.dll (PUP.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{0DC0EEF5-A99A-447A-8594-BC1D60249EBA}\RP127\A0018538.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.

(end)


kkempker7

join:2007-03-18
Holts Summit, MO

reply to kkempker7

OTL logfile created on: 6/2/2012 7:42:07 PM - Run 2
OTL by OldTimer - Version 3.2.23.0 Folder = C:\PC Security
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1021.85 Mb Total Physical Memory | 655.42 Mb Available Physical Memory | 64.14% Memory free
2.40 Gb Paging File | 2.14 Gb Available in Paging File | 89.26% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 229.77 Gb Total Space | 192.24 Gb Free Space | 83.67% Space Free | Partition Type: NTFS
Drive J: | 1.87 Gb Total Space | 1.44 Gb Free Space | 77.15% Space Free | Partition Type: FAT

Computer Name: HOME | User Name: Brian | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

[color=#E56717]========== Processes (SafeList) ==========[/color]

PRC - [2012/01/03 08:10:44 | 001,494,424 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe
PRC - [2011/05/26 18:21:02 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\PC Security\OTL.exe
PRC - [2008/04/13 18:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/07/24 10:20:00 | 000,282,624 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe

[color=#E56717]========== Modules (SafeList) ==========[/color]

MOD - [2011/05/26 18:21:02 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\PC Security\OTL.exe
MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll

[color=#E56717]========== Win32 Services (SafeList) ==========[/color]

SRV - File not found [Auto | Stopped] -- -- (Zwinky_5qService)
SRV - File not found [On_Demand | Stopped] -- -- (WPFFontCache_v0400)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)

[color=#E56717]========== Driver Services (SafeList) ==========[/color]

DRV - [2006/07/24 10:20:00 | 001,156,648 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2006/06/07 18:08:58 | 001,580,544 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2003/11/17 14:59:20 | 000,212,224 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2003/11/17 14:58:02 | 000,680,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2003/11/17 14:56:26 | 001,042,432 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)

[color=#E56717]========== Standard Registry (SafeList) ==========[/color]

[color=#E56717]========== Internet Explorer ==========[/color]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = »www.yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Firefox\extensions\\5qffxtbr@Zwinky_5q.com: C:\Program Files\Zwinky_5q\bar\1.bin

Hosts file not found
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll (Google Inc.)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\cli.exe (ATI Technologies Inc.)
O4 - HKLM..\Run: [MSC] File not found
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} »download.macromedia.com/pub/shoc···r/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} »download.microsoft.com/download/···trol.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} »java.sun.com/update/1.6.0/jinsta···i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} »java.sun.com/update/1.6.0/jinsta···i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} »java.sun.com/update/1.6.0/jinsta···i586.cab (Java Plug-in 1.6.0_30)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2012/02/06 21:24:35 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

[color=#E56717]========== Files/Folders - Created Within 30 Days ==========[/color]

[2012/06/02 19:40:07 | 000,000,000 | ---D | C] -- C:\b8394a2882d574699c
[2012/06/02 19:40:00 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2012/06/02 19:39:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2012/06/02 19:23:11 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2012/06/02 19:23:11 | 000,000,000 | ---D | C] -- C:\6d7eafbce8c2c236b0de0ee19bdb
[2012/06/02 19:23:09 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Brian\Start Menu\Programs\Administrative Tools
[2012/06/02 19:23:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/06/02 19:10:33 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2012/06/02 15:58:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\CCleaner
[2012/06/02 14:51:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Brian\Local Settings\Application Data\PCHealth
[2012/06/02 14:42:15 | 010,063,000 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Brian\Desktop\mbam-setup-1.61.0.1400.exe
[2012/06/02 14:34:16 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/06/02 14:34:13 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Brian\My Documents\My Videos
[2012/06/02 14:15:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Brian\Local Settings\Application Data\Temp
[2012/06/02 14:15:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Brian\Local Settings\Application Data\Adobe
[2012/06/02 13:39:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Brian\Application Data\Malwarebytes
[2012/06/02 13:39:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/06/02 13:39:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2012/06/02 13:39:10 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/06/02 13:39:10 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/05/09 04:31:07 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2012/05/09 04:13:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2012/05/06 23:33:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2012/05/06 19:43:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2012/05/06 19:09:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2012/05/06 19:09:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2012/05/06 18:56:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\F4D55EDB000025EF000022A1D151FC4E
[2012/05/06 07:56:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir

[color=#E56717]========== Files - Modified Within 30 Days ==========[/color]

[2012/06/02 19:41:09 | 000,002,039 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2012/06/02 19:40:32 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/06/02 19:40:00 | 000,000,418 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{3FAD947B-4DB5-46A7-94AE-767185F3CA61}.job
[2012/06/02 19:37:10 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/06/02 19:37:06 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/06/02 19:35:10 | 000,000,978 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1214440339-1417001333-1003UA.job
[2012/06/02 19:32:20 | 000,002,500 | ---- | M] () -- C:\Documents and Settings\Brian\Desktop\New Text Document (2).bat
[2012/06/02 18:37:11 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/06/02 18:37:00 | 000,000,970 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1214440339-1417001333-1004UA.job
[2012/06/02 15:58:11 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2012/06/02 15:35:00 | 000,000,926 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1214440339-1417001333-1003Core.job
[2012/06/02 14:42:30 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/06/02 14:39:18 | 010,063,000 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Brian\Desktop\mbam-setup-1.61.0.1400.exe
[2012/06/02 14:14:57 | 000,000,398 | ---- | M] () -- C:\Documents and Settings\Brian\Desktop\Shortcut to PC Security.lnk
[2012/06/01 02:37:00 | 000,000,918 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1214440339-1417001333-1004Core.job
[2012/05/27 07:00:42 | 000,000,354 | ---- | M] () -- C:\WINDOWS\tasks\Driver Robot.job
[2012/05/27 02:27:21 | 000,000,384 | -H-- | M] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2012/05/25 21:58:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/05/23 15:12:01 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/05/08 17:28:06 | 000,000,000 | -HS- | M] () -- C:\WINDOWS\System32\dds_trash_log.cmd
[2012/05/06 19:55:28 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat

[color=#E56717]========== Files Created - No Company Name ==========[/color]

[2012/06/02 19:32:42 | 000,002,500 | ---- | C] () -- C:\Documents and Settings\Brian\Desktop\New Text Document (2).bat
[2012/06/02 15:58:11 | 000,000,682 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2012/06/02 14:14:57 | 000,000,398 | ---- | C] () -- C:\Documents and Settings\Brian\Desktop\Shortcut to PC Security.lnk
[2012/06/02 13:39:11 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/05/09 04:01:35 | 000,174,000 | ---- | C] () -- C:\Program Files\5qres.dll
[2012/05/06 19:55:28 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2012/05/06 18:58:11 | 000,000,000 | -HS- | C] () -- C:\WINDOWS\System32\dds_trash_log.cmd
[2012/03/30 16:16:24 | 000,151,608 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2012/02/14 19:51:41 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/02/11 20:58:05 | 000,050,200 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2012/02/11 14:12:01 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/02/07 19:20:20 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\ati2sgag.exe
[2012/02/07 19:19:17 | 000,129,112 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2012/02/07 18:50:41 | 000,000,010 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2012/02/06 22:31:04 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2012/02/06 21:26:18 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2012/02/06 21:22:33 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2012/02/06 15:16:27 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2012/02/06 15:15:40 | 000,243,128 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/04/13 18:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2008/04/13 18:00:00 | 000,432,784 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2008/04/13 18:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2008/04/13 18:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2008/04/13 18:00:00 | 000,067,740 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2008/04/13 18:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2008/04/13 18:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2008/04/13 18:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2008/04/13 18:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2008/04/13 18:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2008/04/13 18:00:00 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\pdiddcci.dll
[2005/04/14 22:52:33 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2005/04/14 22:52:33 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2003/01/07 14:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

[color=#E56717]========== LOP Check ==========[/color]

[2012/06/02 19:40:00 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2012/05/08 19:57:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\F4D55EDB000025EF000022A1D151FC4E
[2012/06/02 19:40:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2012/05/06 07:56:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir
[2012/02/07 08:23:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Uninstall
[2012/02/06 22:50:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2012/02/21 21:06:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brian\Application Data\.minecraft
[2012/05/27 07:00:42 | 000,000,354 | ---- | M] () -- C:\WINDOWS\Tasks\Driver Robot.job
[2012/06/02 19:40:00 | 000,000,418 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{3FAD947B-4DB5-46A7-94AE-767185F3CA61}.job

[color=#E56717]========== Purity Check ==========[/color]

kkempker7

join:2007-03-18
Holts Summit, MO

reply to kkempker7
There was no Extras file


kkempker7

join:2007-03-18
Holts Summit, MO

reply to kkempker7
Results of screen317's Security Check version 0.99.24
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
[u]Antivirus/Firewall Check:[/u]

Antivirus up to date!
```````````````````````````````
[u]Anti-malware/Other Utilities Check:[/u]

CCleaner
Java(TM) 6 Update 30
Adobe Reader X (10.1.2)
````````````````````````````````
Process Check:
[u]objlist.exe by Laurent[/u]

``````````End of Log````````````


kkempker7

join:2007-03-18
Holts Summit, MO

reply to kkempker7
Also, when I do ipconfig /all I get:
Windows IP Configuration, an internal error occurred: The request is not supported Contact Microsoft Product Support, Additional information: Unable to query host name



LoPhatPhuud
Premium,VIP,MVM
join:2002-01-06
Albuquerque, NM

reply to kkempker7
Sounds like you have a broken NIC. You might try installing a new one.

There are a few items in the log that need attention, but we are also back at missing OS files.

Formatting would be your best option but it appears there are hardware issues involved as well. If this is an older computer, you may want to consider replacing it.
--
When angry count four; when very angry, swear.
Microsoft MVP/Consumer Security 2005-2011
Gladiator Security Forum


kkempker7

join:2007-03-18
Holts Summit, MO

I did get it online, the Ipsec.sys was missing. Eset scan didn't find anything. What missing OS files are there?



LoPhatPhuud
Premium,VIP,MVM
join:2002-01-06
Albuquerque, NM

reply to kkempker7
The OTL log showed HidServ was missing. That may be a false statement.

I would like to see the Extras log. It is only produced on the first run of OTL. The log you posted was the second run.

To force the Extra on, start OTL, and select 'Use Safelist' in the Extra Registry setting. All other settings are as defaulted. Then run the scan. There is no need to post the main OTL log, just the Extras.
--
When angry count four; when very angry, swear.
Microsoft MVP/Consumer Security 2005-2011
Gladiator Security Forum

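A small triage script, added here as an illustration and not part of this thread or of the OTL or Malwarebytes tools: it reads the two log formats posted above, pulls the "Files Detected" entries out of a Malwarebytes log and the "File not found" service entries out of an OTL log, and ranks them the way a cleanup helper reads them (unresolved detections, rootkit-class families, hits inside System Restore points, orphaned services). The sample input is a few lines copied from the logs in this thread; the function names are my own.

```python
import re
from collections import Counter

# Constructed sample input: a handful of lines copied from the Malwarebytes and OTL
# logs posted in this thread, in the exact line formats those tools emit.
MBAM_SAMPLE = r"""
Files Detected: 3
C:\Program Files\5qUninstall Zwinky.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0DC0EEF5-A99A-447A-8594-BC1D60249EBA}\RP125\A0018468.dll (PUP.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{0DC0EEF5-A99A-447A-8594-BC1D60249EBA}\RP127\A0018538.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.

(end)
"""

OTL_SAMPLE = r"""
========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (Zwinky_5qService)
SRV - File not found [On_Demand | Stopped] -- -- (WPFFontCache_v0400)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)

========== Driver Services (SafeList) ==========

DRV - [2006/07/24 10:20:00 | 001,156,648 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
"""

# One MBAM detection line:  <path> (<signature>) -> <action>.
MBAM_LINE = re.compile(r"^(?P<path>.+) \((?P<sig>[^()]+)\) -> (?P<action>.+?)\.?\s*$")

# One OTL service line whose binary is gone:
#   SRV - File not found [<start type> | <state>] -- -- (<service name>)
OTL_MISSING_SRV = re.compile(
    r"^SRV - File not found \[(?P<start>[^|\]]+?) \| (?P<state>[^\]]+?)\] -- -- \((?P<name>[^)]+)\)\s*$"
)

# Lower-cased path fragment that marks a file inside a System Restore point.
RESTORE_MARKER = r"\system volume information\_restore"


def parse_mbam(text):
    """Return every detection line as a dict with keys path, sig and action."""
    hits = []
    for line in text.splitlines():
        m = MBAM_LINE.match(line.strip())
        if m:
            hits.append(m.groupdict())
    return hits


def parse_otl_missing_services(text):
    """Return the OTL service entries whose binary OTL could not find on disk."""
    found = []
    for line in text.splitlines():
        m = OTL_MISSING_SRV.match(line.strip())
        if m:
            found.append(m.groupdict())
    return found


def triage(mbam_text, otl_text):
    """Rank findings the way a cleanup helper reads these logs.

    HIGH   : rootkit-class family, or an unresolved detection on the live system
    MEDIUM : unresolved detection that only lives inside a System Restore point
             (inert unless that restore point is rolled back to, which is why
             restore points are normally flushed once the machine is clean)
    INFO   : service entry whose binary is missing; an orphaned entry is a
             cleanup candidate, not by itself proof of infection
    """
    findings = []
    for hit in parse_mbam(mbam_text):
        path, sig, action = hit["path"], hit["sig"], hit["action"]
        in_restore = RESTORE_MARKER in path.lower()
        if sig.lower().startswith("rootkit."):
            findings.append(("HIGH", f"rootkit-class detection {sig}: {path} ({action})"))
        if action.lower() == "no action taken":
            if in_restore:
                findings.append(("MEDIUM", f"unresolved {sig} inside a restore point: {path}"))
            else:
                findings.append(("HIGH", f"unresolved {sig} on the live system: {path}"))
    for svc in parse_otl_missing_services(otl_text):
        findings.append(("INFO", f"service {svc['name']} [{svc['start']}] points at a missing binary"))
    # Most urgent first; sort is stable, so log order is kept within a severity.
    order = {"HIGH": 0, "MEDIUM": 1, "INFO": 2}
    findings.sort(key=lambda f: order[f[0]])
    return findings


def severity_counts(findings):
    """Count findings per severity, handy for a one-line summary."""
    return Counter(sev for sev, _ in findings)


if __name__ == "__main__":
    results = triage(MBAM_SAMPLE, OTL_SAMPLE)
    for sev, msg in results:
        print(f"{sev:6} {msg}")
    print(dict(severity_counts(results)))
```

Run against the full logs posted above, the same script lists the nineteen untouched PUP.MyWebSearch files under _restore as MEDIUM and the three service entries as INFO.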

kkempker7

join:2007-03-18
Holts Summit, MO

OTL Extras logfile created on: 6/3/2012 4:47:25 PM - Run 3
OTL by OldTimer - Version 3.2.23.0 Folder = C:\PC Security
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1021.85 Mb Total Physical Memory | 539.84 Mb Available Physical Memory | 52.83% Memory free
2.40 Gb Paging File | 2.05 Gb Available in Paging File | 85.33% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 229.77 Gb Total Space | 191.78 Gb Free Space | 83.47% Space Free | Partition Type: NTFS
Drive J: | 1.87 Gb Total Space | 1.44 Gb Free Space | 77.13% Space Free | Partition Type: FAT

Computer Name: HOME | User Name: Brian | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

[color=#E56717]========== Extra Registry (SafeList) ==========[/color]

[color=#E56717]========== File Associations ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[color=#E56717]========== Shell Spawning ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[color=#E56717]========== Security Center Settings ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[color=#E56717]========== System Restore Settings ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

[color=#E56717]========== Firewall Settings ==========[/color]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[color=#E56717]========== Authorized Applications List ==========[/color]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)

[color=#E56717]========== HKEY_LOCAL_MACHINE Uninstall List ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{05BFB060-4F22-4710-B0A2-2801A1B606C5}" = Microsoft Antimalware
"{08E81ABD-79F7-49C2-881F-FD6CB0975693}" = Roxio Creator Data
"{09760D42-E223-42AD-8C3E-55B47D0DDAC3}" = Roxio Creator DE 10.3
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}" = Roxio Creator Tools
"{20110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216032FF}" = Java(TM) 6 Update 32
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{343666E2-A059-48AC-AD67-230BF74E2DB2}" = Apple Application Support
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{54B6DC7D-8C5B-4DFB-BC15-C010A3326B2B}" = Microsoft Security Client
"{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{6913FBE5-1B4B-4308-8DDD-2944F9C91E06}" = ATI Catalyst Control Center
"{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}" = Roxio Creator Audio
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{8153ED9A-C94A-426E-9880-5E6775C08B62}" = Apple Mobile Device Support
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.3)
"{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}" = Roxio Creator Copy
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{ED439A64-F018-4DD4-8BA5-328D85AB09AB}" = Roxio Creator DE 10.3
"{F6D6B258-E3CA-4AAC-965A-68D3E3140A8C}" = iTunes
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.6
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"CCleaner" = CCleaner
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1" = Conexant D850 56K V.9x DFVc Modem
"ESET Online Scanner" = ESET Online Scanner v3
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.61.0.1400
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"PROSet" = Intel(R) PRO Network Connections Drivers
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

[color=#E56717]========== HKEY_CURRENT_USER Uninstall List ==========[/color]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

[color=#E56717]========== Last 10 Event Log Errors ==========[/color]

[ Application Events ]
Error - 6/2/2012 8:39:24 PM | Computer Name = HOME | Source = JavaQuickStarterService | ID = 1
Description =

Error - 6/2/2012 8:41:08 PM | Computer Name = HOME | Source = Microsoft Security Client | ID = 5000
Description =

Error - 6/2/2012 8:41:09 PM | Computer Name = HOME | Source = Microsoft Security Client | ID = 5000
Description =

Error - 6/2/2012 8:41:09 PM | Computer Name = HOME | Source = Microsoft Security Client Setup | ID = 100
Description = HRESULT:0x8007064C Description:. 0x8007064C. The installation source
for this product is not available. Verify that the source exists and that you
can access it.

Error - 6/3/2012 9:39:24 AM | Computer Name = HOME | Source = JavaQuickStarterService | ID = 1
Description =

Error - 6/3/2012 10:07:40 AM | Computer Name = HOME | Source = Microsoft Security Client | ID = 5000
Description =

Error - 6/3/2012 10:07:43 AM | Computer Name = HOME | Source = Microsoft Security Client Setup | ID = 100
Description = HRESULT:0x8007064C Description:. 0x8007064C. The installation source
for this product is not available. Verify that the source exists and that you
can access it.

Error - 6/3/2012 10:07:43 AM | Computer Name = HOME | Source = Microsoft Security Client | ID = 5000
Description =

Error - 6/3/2012 10:08:39 AM | Computer Name = HOME | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at:
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 6/3/2012 10:08:39 AM | Computer Name = HOME | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at:
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

[ System Events ]
Error - 6/2/2012 8:37:28 PM | Computer Name = HOME | Source = NetBT | ID = 4311
Description = Initialization failed because the driver device could not be created.

Error - 6/2/2012 9:17:57 PM | Computer Name = HOME | Source = Service Control Manager | ID = 7000
Description = The IPSEC driver service failed to start due to the following error:
%%2

Error - 6/2/2012 9:17:57 PM | Computer Name = HOME | Source = Service Control Manager | ID = 7001
Description = The TCP/IP Protocol Driver service depends on the IPSEC driver service
which failed to start because of the following error: %%2

Error - 6/2/2012 9:28:16 PM | Computer Name = HOME | Source = Service Control Manager | ID = 7000
Description = The IPSEC driver service failed to start due to the following error:
%%2

Error - 6/3/2012 9:37:22 AM | Computer Name = HOME | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring
the volume.

Error - 6/3/2012 9:37:22 AM | Computer Name = HOME | Source = NetBT | ID = 4311
Description = Initialization failed because the driver device could not be created.

Error - 6/3/2012 9:39:27 AM | Computer Name = HOME | Source = Service Control Manager | ID = 7001
Description = The DHCP Client service depends on the TCP/IP Protocol Driver service
which failed to start because of the following error: %%31

Error - 6/3/2012 9:39:27 AM | Computer Name = HOME | Source = Service Control Manager | ID = 7001
Description = The DNS Client service depends on the TCP/IP Protocol Driver service
which failed to start because of the following error: %%31

Error - 6/3/2012 9:39:27 AM | Computer Name = HOME | Source = Service Control Manager | ID = 7001
Description = The Apple Mobile Device service depends on the TCP/IP Protocol Driver
service which failed to start because of the following error: %%31

Error - 6/3/2012 9:39:27 AM | Computer Name = HOME | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31
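
The System Events above describe one failure cascade rather than four separate faults: the IPSEC driver fails on its own (SCM event 7000), so the TCP/IP Protocol Driver that depends on it fails (7001), and DHCP Client and DNS Client fail in turn, which is why the machine cannot get online. As an added example that is not part of the thread or of OTL, this Python helper parses OTL-style event entries, follows the 7001 dependency edges back to the service that failed by itself, and names the Win32 code behind each `%%N` (2 is ERROR_FILE_NOT_FOUND, 31 is ERROR_GEN_FAILURE); the sample input is constructed from the entries above.

```python
import re

# Constructed sample: SCM entries from the System Events section of the OTL log above.
SAMPLE_LOG = """\
Error - 6/2/2012 9:17:57 PM | Computer Name = HOME | Source = Service Control Manager | ID = 7000
Description = The IPSEC driver service failed to start due to the following error:
%%2

Error - 6/2/2012 9:17:57 PM | Computer Name = HOME | Source = Service Control Manager | ID = 7001
Description = The TCP/IP Protocol Driver service depends on the IPSEC driver service
which failed to start because of the following error: %%2

Error - 6/3/2012 9:39:27 AM | Computer Name = HOME | Source = Service Control Manager | ID = 7001
Description = The DHCP Client service depends on the TCP/IP Protocol Driver service
which failed to start because of the following error: %%31
"""

WIN32_ERRORS = {2: "ERROR_FILE_NOT_FOUND", 31: "ERROR_GEN_FAILURE"}  # %%N = Win32 code

HEADER = re.compile(r"^Error - (?P<when>.+?) \| Computer Name = (?P<host>\S+) \| Source = (?P<source>.+?) \| ID = (?P<id>\d+)$")
FAIL = re.compile(r"The (?P<svc>.+?) service failed to start .*?%%(?P<code>\d+)")
DEP = re.compile(r"The (?P<svc>.+?) service depends on the (?P<dep>.+?) service which failed to start .*?%%(?P<code>\d+)")


def parse_events(text):
    """Split OTL event output into (header fields, one-line description) records."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = HEADER.match(lines[0])
        if m:  # anything else is a section banner or stray text
            desc = " ".join(line.strip() for line in lines[1:])
            events.append((m.groupdict(), desc.replace("Description = ", "", 1)))
    return events


def dependency_chain(events):
    """Map service -> (blocking dependency or None, error code) from SCM 7000/7001 events."""
    failures = {}
    for hdr, desc in events:
        if hdr["source"] != "Service Control Manager":
            continue
        if hdr["id"] == "7000" and (m := FAIL.search(desc)):
            failures[m["svc"]] = (None, int(m["code"]))
        elif hdr["id"] == "7001" and (m := DEP.search(desc)):
            failures[m["svc"]] = (m["dep"], int(m["code"]))
    return failures


def root_causes(failures):
    """Follow each dependency edge down to the service that failed on its own."""
    roots = {}
    for svc in failures:
        cur, seen = svc, set()
        while failures.get(cur, (None, 0))[0] and cur not in seen:
            seen.add(cur)  # cycle guard for a malformed log
            cur = failures[cur][0]
        roots[svc] = cur
    return roots


def explain(text):
    """One triage line per failed service, naming the root cause and its error."""
    failures = dependency_chain(parse_events(text))
    roots = root_causes(failures)
    return [f"{svc}: root cause {roots[svc]} ({code} {WIN32_ERRORS.get(code, '?')})"
            for svc, (_, code) in failures.items()]
```

Running `explain(SAMPLE_LOG)` attributes all three failures to the IPSEC driver, which is the service to investigate before touching the network stack itself.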

kkempker7

join:2007-03-18
Holts Summit, MO

I'm having problems getting MSE reinstalled. I took a screenshot of the message I'm getting. The default location it's looking for doesn't even exist. When I browse to the location of the file it's asking for (the installer extracted files to this location), that is when I get the message about it being an invalid installation package.



LoPhatPhuud
Premium,VIP,MVM
join:2002-01-06
Albuquerque, NM
kudos:26

reply to kkempker7
Try downloading the MSE installation package again. Put it on the Desktop and try to install from there.

Thanks for the OTL Extras log. The logs themselves are clean.


kkempker7

join:2007-03-18
Holts Summit, MO

I've tried downloading several times; it doesn't work. I did get AVG installed, might try to install AVAST instead.

Thanks.



LoPhatPhuud
Premium,VIP,MVM
join:2002-01-06
Albuquerque, NM
kudos:26

reply to kkempker7
OK, as long as you have an AV installed. You might want to do a full scan with it and see what it shows.


kkempker7

join:2007-03-18
Holts Summit, MO

Shows nothing. Lately I've not really cared for AVG, I'd rather use Avast or MSE.



LoPhatPhuud
Premium,VIP,MVM
join:2002-01-06
Albuquerque, NM
kudos:26
Reviews:
·Comcast

reply to kkempker7
Let's check for rootkits to be safe.

Download and run Sophos AntiRootkit. Post the log in this thread, even if nothing is found.

You'll find link(s) and instructions here:
»Security Cleanup FAQ »Rootkit Detection Applications
--
When angry count four; when very angry, swear.
Microsoft MVP/Consumer Security 2005-2011
Gladiator Security Forum


kkempker7

join:2007-03-18
Holts Summit, MO

Here are 3 of the logs. I'll post the Sophos log tonight. It locked up overnight running and had to start it back up. The first scan with Sophos did find 2 threats, I believe it was one of the fake AV worms. I removed them, then scanned a second time, that is when it locked up.


kkempker7

join:2007-03-18
Holts Summit, MO

GMER 1.0.15.15641 - »www.gmer.net
Rootkit scan 2012-06-04 21:27:40
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-2 ST325082 rev.3.AD
Running: gmer.exe; Driver: C:\DOCUME~1\Brian\LOCALS~1\Temp\pxtdipow.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwNotifyChangeKey [0xA16F5004]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwNotifyChangeMultipleKeys [0xA16F50D4]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xA16F4D76]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA7407640]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xA16F4EBA]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xA16F4F56]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[252] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[252] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AA5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[252] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD119 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[252] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB14 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[252] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254686 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[252] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E53AF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[252] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E52E1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[252] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E534C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[252] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E51B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[252] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E5214 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[252] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E5412 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[252] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E5276 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[252] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 3E2EDB70 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[252] ole32.dll!OleLoadFromStream 7752983B 5 Bytes JMP 3E3E5717 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2224] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2224] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AA5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2224] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD119 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2224] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB14 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2224] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254686 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2224] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E53AF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2224] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E52E1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2224] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E534C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2224] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E51B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2224] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E5214 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2224] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E5412 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2224] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E5276 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2224] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 3E2EDB70 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2224] ole32.dll!OleLoadFromStream 7752983B 5 Bytes JMP 3E3E5717 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3740] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3740] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB14 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3740] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E53AF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3740] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E52E1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3740] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E534C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3740] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E51B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3740] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E5214 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3740] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E5412 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3740] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E5276 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[252] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[2224] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs avgidsfilterx.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat avgidsfilterx.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB17418$\2121815625 0 bytes
File C:\WINDOWS\$NtUninstallKB17418$\3309797709 0 bytes
File C:\WINDOWS\$NtUninstallKB17418$\3309797709\L 0 bytes
File C:\WINDOWS\$NtUninstallKB17418$\3309797709\U 0 bytes

---- EOF - GMER 1.0.15 ----


kkempker7

join:2007-03-18
Holts Summit, MO

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2012/06/04 21:31
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_iastor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iastor.sys
Address: 0xA36FC000 Size: 888832 File Visible: No Signed: -
Status: -

Name: pxtdipow.sys
Image Path: C:\DOCUME~1\Brian\LOCALS~1\Temp\pxtdipow.sys
Address: 0x9F62C000 Size: 100864 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA0D8C000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\$NtUninstallKB17418$
Status: Locked to the Windows API!

Path: C:\WINDOWS\$NtUninstallKB2079403$:SummaryInformation
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\All Users\Application Data\AVG2012\Chjw\e8705d39705d1024.dat:c473a837-b9c9-4728-ab5a-a10a8ab5cd3f
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 111 Function Name: NtNotifyChangeKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\avgidsshimx.sys" at address 0xa16f5004

#: 112 Function Name: NtNotifyChangeMultipleKeys
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\avgidsshimx.sys" at address 0xa16f50d4

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\avgidsshimx.sys" at address 0xa16f4d76

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS" at address 0xa7407640

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\avgidsshimx.sys" at address 0xa16f4eba

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\avgidsshimx.sys" at address 0xa16f4f56

Shadow SSDT
-------------------
#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\avgidsshimx.sys" at address 0xa16f559e

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\avgidsshimx.sys" at address 0xa16f550a

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\avgidsshimx.sys" at address 0xa16f554a

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\avgidsshimx.sys" at address 0xa16f549c

==EOF==


over 13.5 years online © 1999-2013 dslreports.com.