I'm the IT guy at a company and one computer started running slow. I tried to install the Pro version of mbam.exe; it installs, but then mbam.exe gets deleted. If I copy the file from a good computer and rename it to something else, it runs but gives an error: MBAM_ERROR_EXPANDING_VARIABLES( 0, 453 ). MBAM_ERROR_MISSING_FILE( 3, 0, mbamswissarmy.sys ). Help, the hard drive is running constantly. DDS does not ask for a reboot when I run it.

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 13:03 on 03/06/2010 (kkrebeck)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

Thanks


I was able to zip the mbam directory files from a "clean" computer and unzip them to the infected computer, then I did an install. Error when starting mbam: wrong database. So I copied the database file manually from the "clean" computer. mbam started, found 35, mostly trojans, and tried to remove some at reboot. Now the system is better, but it cannot update the database. I also get an error message at reboot about a rundll missing for some program. Still need help.


Hello,

My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer's problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------

In the meantime please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply

  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • GMER log

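The OTL log requested above lists each autostart and code-injection location as an "Onn - ..." item and marks a missing target with "File not found". As an added triage aid (this is not OTL's code and was not posted by anyone in this thread), the following Python script reads such a log, keeps only the persistence items whose target is missing, and groups them by the file they point at, so that one DLL registered under AppInit_DLLs, SSODL and SharedTaskScheduler at the same time stands out as a single family, as does a CLSID reused across locations. The sample lines are copied from the OTL log posted later in this thread; the set of item prefixes treated as persistence and the location labels attached to them are this script's own assumptions.

```python
"""Triage an OTL log for orphaned persistence entries.

Added example for this thread; not code from OTL, Malwarebytes or the posters.
Reads OTL 'Onn - ...' item lines, keeps persistence locations whose target is
'File not found', and groups them by target so that one DLL registered in
several places shows up as one family.
"""
import re
from collections import defaultdict

# OTL item prefixes treated here as persistence locations. The labels are this
# script's own descriptions (assumption), not OTL's wording.
PERSISTENCE = {
    "SRV": "Win32 service",
    "O2":  "Browser Helper Object",
    "O4":  "Run key / Startup folder",
    "O20": "AppInit_DLLs / Winlogon",
    "O21": "ShellServiceObjectDelayLoad",
    "O22": "SharedTaskScheduler",
    "O30": "LSA authentication / security packages",
}

ITEM_RE    = re.compile(r"^(O\d+|SRV|DRV|PRC|MOD)\s+-\s+(.*)$")
PATH_RE    = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe|sys)\b", re.IGNORECASE)
DLL_RE     = re.compile(r"[A-Za-z0-9_]+\.dll", re.IGNORECASE)
CLSID_RE   = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PAREN_RE   = re.compile(r"\(([^)]+)\)")
BRACKET_RE = re.compile(r"\[([^\]]+)\]")

# Excerpt copied from the OTL log posted in this thread (constructed sample input).
SAMPLE_LOG = r"""
SRV - File not found [Auto | Stopped] -- -- (myAgtSvc)
SRV - [2004/11/03 19:22:02 | 000,172,102 | ---- | M] (Citrix Online) [Auto | Running] -- C:\Program Files\Citrix\GoToMyPC\g2svc.exe -- (GoToMyPC)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll File not found
O4 - HKLM..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe (Citrix Online)
O4 - HKLM..\Run: [yumuwitozi] File not found
O4 - HKU\S-1-5-21-201682921-800487625-538272213-1210..\Run: [sAV] C:\Documents and Settings\All Users\Application Data\a6cc8eb\LivePCGuard.exe File not found
O20 - AppInit_DLLs: (c:\windows\system32\vonahoyo.dll) - C:\WINDOWS\System32\vonahoyo.dll File not found
O20 - AppInit_DLLs: (lejorude.dll) - File not found
O21 - SSODL: lidedozaj - {e6ec5a1f-9d4f-4aff-a040-da4b82f5d394} - C:\WINDOWS\System32\vonahoyo.dll File not found
O21 - SSODL: zihugurel - {a3c615d8-e1aa-4fba-9904-cf79c9c19fa3} - C:\WINDOWS\System32\nofukeve.dll File not found
O22 - SharedTaskScheduler: {a3c615d8-e1aa-4fba-9904-cf79c9c19fa3} - gahurihor - C:\WINDOWS\System32\nofukeve.dll File not found
O22 - SharedTaskScheduler: {e6ec5a1f-9d4f-4aff-a040-da4b82f5d394} - gahurihor - C:\WINDOWS\System32\vonahoyo.dll File not found
O30 - LSA: Authentication Packages - (OWS\S) - File not found
"""


def extract_target(body):
    """Best-effort name of what the entry points at, lower-cased for grouping."""
    m = PATH_RE.search(body)              # full path: keep the file name only
    if m:
        return m.group(0).rsplit("\\", 1)[-1].lower()
    m = DLL_RE.search(body)               # bare DLL name, e.g. AppInit_DLLs entry
    if m:
        return m.group(0).lower()
    for rx in (PAREN_RE, BRACKET_RE):     # service name or Run value name
        m = rx.search(body)
        if m:
            return m.group(1).strip().lower()
    return "(unparsed)"


def find_orphans(log_text):
    """Return one dict per persistence entry whose target is 'File not found'."""
    findings = []
    for raw in log_text.splitlines():
        m = ITEM_RE.match(raw.strip())
        if not m:
            continue
        prefix, body = m.groups()
        if prefix not in PERSISTENCE or "File not found" not in body:
            continue
        clsid = CLSID_RE.search(body)
        findings.append({
            "prefix": prefix,
            "location": PERSISTENCE[prefix],
            "target": extract_target(body),
            "clsid": clsid.group(0).lower() if clsid else None,
            "raw": raw.strip(),
        })
    return findings


def group_by_target(findings):
    """Map target name -> sorted list of OTL prefixes it is registered under."""
    groups = defaultdict(set)
    for f in findings:
        groups[f["target"]].add(f["prefix"])
    return {t: sorted(p) for t, p in groups.items()}


def reused_clsids(findings):
    """CLSIDs that appear in more than one persistence location."""
    seen = defaultdict(set)
    for f in findings:
        if f["clsid"]:
            seen[f["clsid"]].add(f["prefix"])
    return {c: sorted(p) for c, p in seen.items() if len(p) > 1}


if __name__ == "__main__":
    found = find_orphans(SAMPLE_LOG)
    for target, where in sorted(group_by_target(found).items()):
        print(f"{target:<20} orphaned in {', '.join(where)}")
    for clsid, where in reused_clsids(found).items():
        print(f"CLSID {clsid} reused across {', '.join(where)}")
```

Run against a full OTL log by reading the file into `find_orphans` instead of `SAMPLE_LOG`. An orphaned entry is not by itself proof of malware (the Adobe BHO and the McAfee service here are simply leftovers of uninstalled software), but a randomly named DLL that is missing from disk yet still registered in three injection points is the pattern a rootkit-assisted infection leaves behind when a scanner removes the file without the registry values, and it is exactly what produces the "RUNDLL ... Specified module could not be found" messages at logon.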

Elise, thanks. When we started up again (we are in STL, MO, USA) his system once again ran slow. We reran mbam and found 10 trojans, and upon reboot once again we got some error messages.

RUNDLL bogerijo.dll Specified module could not be found

RUNDLL botajida.dll Specified module could not be found.

When we try to update mbam we get MBAM_ERROR_UPDATING(0,0,SHRegGetPath )

Running the logs as requested, GMER did find rootkit stuff:

OTListIt.txt

===============

OTL logfile created on: 6/4/2010 8:49:30 AM - Run 1

OTL by OldTimer - Version 3.2.5.3 Folder = C:\Documents and Settings\kkrebeck\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.11)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,014.00 Mb Total Physical Memory | 569.00 Mb Available Physical Memory | 56.00% Memory free

2.00 Gb Paging File | 2.00 Gb Available in Paging File | 87.00% Paging File free

Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 227.87 Gb Total Space | 217.26 Gb Free Space | 95.34% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Drive J: | 14.93 Gb Total Space | 13.99 Gb Free Space | 93.69% Space Free | Partition Type: NTFS

Drive O: | 410.18 Gb Total Space | 258.60 Gb Free Space | 63.05% Space Free | Partition Type: NTFS

Drive P: | 410.18 Gb Total Space | 258.60 Gb Free Space | 63.05% Space Free | Partition Type: NTFS

Drive U: | 410.18 Gb Total Space | 258.60 Gb Free Space | 63.05% Space Free | Partition Type: NTFS

Drive W: | 253.45 Gb Total Space | 234.88 Gb Free Space | 92.67% Space Free | Partition Type: NTFS

Drive Y: | 83.72 Gb Total Space | 43.72 Gb Free Space | 52.22% Space Free | Partition Type: NTFS

Drive Z: | 410.18 Gb Total Space | 258.60 Gb Free Space | 63.05% Space Free | Partition Type: NTFS

Computer Name: WORKSTATION502

Current User Name: kkrebeck

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/06/04 08:44:22 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\kkrebeck\Desktop\OTL.exe

PRC - [2010/04/07 07:41:07 | 001,201,640 | ---- | M] (Webroot Software, Inc. ) -- C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

PRC - [2009/11/06 15:19:58 | 006,515,784 | ---- | M] (Webroot Software, Inc.) -- C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe

PRC - [2009/11/06 12:00:22 | 004,048,240 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe

PRC - [2009/11/06 12:00:22 | 000,165,232 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\Program Files\Webroot\WebrootSecurity\SSU.exe

PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2008/03/26 12:03:00 | 000,618,496 | ---- | M] (Discrete Technologies, Inc.) -- C:\Program Files\Discrete Technologies\SecureDisc Client\SCDHelper.exe

PRC - [2004/11/03 19:23:28 | 000,680,007 | ---- | M] (Citrix Online) -- C:\Program Files\Citrix\GoToMyPC\g2tray.exe

PRC - [2004/11/03 19:22:40 | 000,188,473 | ---- | M] (Citrix Online) -- C:\Program Files\Citrix\GoToMyPC\g2pre.exe

PRC - [2004/11/03 19:22:02 | 000,172,102 | ---- | M] (Citrix Online) -- C:\Program Files\Citrix\GoToMyPC\g2svc.exe

PRC - [2004/10/14 10:43:34 | 000,458,838 | ---- | M] (Citrix Online) -- C:\Program Files\Citrix\GoToMyPC\g2comm.exe

========== Modules (SafeList) ==========

MOD - [2010/06/04 08:44:22 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\kkrebeck\Desktop\OTL.exe

MOD - [2008/04/13 19:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (myAgtSvc)

SRV - File not found [Auto | Stopped] -- -- (McAfee SiteAdvisor Enterprise Service)

SRV - File not found [Auto | Stopped] -- -- (EngineServer)

SRV - [2010/04/07 07:41:07 | 001,201,640 | ---- | M] (Webroot Software, Inc. ) [Auto | Running] -- C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe -- (WRConsumerService)

SRV - [2009/11/06 12:00:22 | 004,048,240 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Auto | Running] -- C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe -- (WebrootSpySweeperService)

SRV - [2004/11/03 19:22:02 | 000,172,102 | ---- | M] (Citrix Online) [Auto | Running] -- C:\Program Files\Citrix\GoToMyPC\g2svc.exe -- (GoToMyPC)

SRV - [1999/10/12 04:50:00 | 000,051,472 | ---- | M] (IBM Corporation) [On_Demand | Stopped] -- C:\WINDOWS\cwbrxd.exe -- (Cwbrxd)

========== Driver Services (SafeList) ==========

DRV - [2010/01/07 16:07:04 | 000,019,160 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)

DRV - [2009/11/06 12:00:36 | 000,176,752 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ssidrv.sys -- (ssidrv)

DRV - [2009/11/06 12:00:36 | 000,023,152 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sshrmd.sys -- (sshrmd)

DRV - [2009/11/06 12:00:34 | 000,029,808 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ssfs0bbc.sys -- (ssfs0bbc)

DRV - [2009/05/15 18:15:14 | 000,055,336 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdik.sys -- (mfetdik)

DRV - [2008/04/13 11:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)

DRV - [2008/03/26 11:54:16 | 000,041,856 | ---- | M] (Discrete Technologies) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SCDFilter.sys -- (SCDFilter)

DRV - [2006/05/09 13:13:53 | 000,047,616 | ---- | M] (Aladdin Knowledge Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\Haspnt.sys -- (Haspnt)

DRV - [2005/07/28 08:18:40 | 000,685,056 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\hardlock.sys -- (Hardlock)

DRV - [2005/07/18 18:40:40 | 001,019,064 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)

DRV - [2005/03/31 13:04:52 | 000,180,736 | R--- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1e5132.sys -- (e1express) Intel®

DRV - [2004/10/08 06:51:08 | 001,270,540 | R--- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)

DRV - [2003/07/16 01:27:40 | 000,043,264 | R--- | M] (Prolific Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ser2pl.sys -- (Ser2pl)

DRV - [2001/08/17 13:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)

DRV - [2000/12/05 16:18:02 | 000,003,952 | ---- | M] (Sony Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\DMICall.sys -- (DMICall)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-201682921-800487625-538272213-1210\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

IE - HKU\S-1-5-21-201682921-800487625-538272213-1210\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)

IE - HKU\S-1-5-21-201682921-800487625-538272213-1210\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

O1 HOSTS File: ([2009/09/25 15:19:32 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\HOSTS

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll File not found

O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - No CLSID value found.

O2 - BHO: (no name) - {c58ddb82-788d-412c-b1af-4eb326e53116} - File not found

O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)

O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)

O3 - HKU\S-1-5-21-201682921-800487625-538272213-1210\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)

O4 - HKLM..\Run: [Client Access Check Version] C:\Program Files\IBM\Client Access\cwbckver.exe (IBM Corporation)

O4 - HKLM..\Run: [Client Access Help Update] C:\Program Files\IBM\Client Access\cwbinhlp.exe (IBM Corporation)

O4 - HKLM..\Run: [Client Access Service] C:\Program Files\IBM\Client Access\CwbSvStr.Exe (IBM Corporation)

O4 - HKLM..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe (Citrix Online)

O4 - HKLM..\Run: [McAfee Managed Services Tray] C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe File not found

O4 - HKLM..\Run: [MVS Splash] C:\Program Files\McAfee\Managed VirusScan\DesktopUI\XTray.exe File not found

O4 - HKLM..\Run: [sCDClient] C:\Program Files\Discrete Technologies\SecureDisc Client\SCDHelper.exe (Discrete Technologies, Inc.)

O4 - HKLM..\Run: [spySweeper] C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe (Webroot Software, Inc.)

O4 - HKLM..\Run: [yumuwitozi] File not found

O4 - HKU\S-1-5-21-201682921-800487625-538272213-1210..\Run: [sAV] C:\Documents and Settings\All Users\Application Data\a6cc8eb\LivePCGuard.exe File not found

O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)

O4 - HKU\S-1-5-18..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-201682921-800487625-538272213-1210\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O15 - HKLM\..Trusted Domains: //about.htm/ ([]myui in Trusted sites)

O15 - HKLM\..Trusted Domains: //Exclude.htm/ ([]myui in Trusted sites)

O15 - HKLM\..Trusted Domains: //FWEvent.htm/ ([]myui in Trusted sites)

O15 - HKLM\..Trusted Domains: //LanguageSelection.htm/ ([]myui in Trusted sites)

O15 - HKLM\..Trusted Domains: //Message.htm/ ([]myui in Trusted sites)

O15 - HKLM\..Trusted Domains: //MyAgttryCmd.htm/ ([]myui in Trusted sites)

O15 - HKLM\..Trusted Domains: //MyAgttryNag.htm/ ([]myui in Trusted sites)

O15 - HKLM\..Trusted Domains: //MyNotification.htm/ ([]myui in Trusted sites)

O15 - HKLM\..Trusted Domains: //NOCLessUpdate.htm/ ([]myui in Trusted sites)

O15 - HKLM\..Trusted Domains: //quarantine.htm/ ([]myui in Trusted sites)

O15 - HKLM\..Trusted Domains: //ScanNow.htm/ ([]myui in Trusted sites)

O15 - HKLM\..Trusted Domains: //strings.vbs/ ([]myui in Trusted sites)

O15 - HKLM\..Trusted Domains: //Template.htm/ ([]myui in Trusted sites)

O15 - HKLM\..Trusted Domains: //Update.htm/ ([]myui in Trusted sites)

O15 - HKLM\..Trusted Domains: //VirFound.htm/ ([]myui in Trusted sites)

O15 - HKLM\..Trusted Domains: mcafee.com ([*] http in Trusted sites)

O15 - HKLM\..Trusted Domains: mcafee.com ([*] https in Trusted sites)

O15 - HKLM\..Trusted Domains: mcafeeasap.com ([betavscan] http in Trusted sites)

O15 - HKLM\..Trusted Domains: mcafeeasap.com ([betavscan] https in Trusted sites)

O15 - HKLM\..Trusted Domains: mcafeeasap.com ([vs] http in Trusted sites)

O15 - HKLM\..Trusted Domains: mcafeeasap.com ([vs] https in Trusted sites)

O15 - HKLM\..Trusted Domains: mcafeeasap.com ([www] http in Trusted sites)

O15 - HKLM\..Trusted Domains: mcafeeasap.com ([www] https in Trusted sites)

O15 - HKLM\..Trusted Domains: siteadvisor.com ([www] http in Trusted sites)

O15 - HKLM\..Trusted Domains: siteadvisor.com ([www] https in Trusted sites)

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/5/b...heckControl.cab (Windows Genuine Advantage Validation Tool)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/shock...ash/swflash.cab (Shockwave Flash Object)

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://ceridian.webex.com/client/T25L/webex/ieatgpc.cab (GpcContainer Class)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.7 192.168.1.6

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = USPaint.com

O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - Reg Error: Key error. File not found

O18 - Protocol\Handler\myrm {4D034FC3-013F-4b95-B544-44D49ABE3E76} - C:\Program Files\McAfee\Managed VirusScan\Agent\MyRmProt5.0.0.604.dll File not found

O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - Reg Error: Key error. File not found

O20 - AppInit_DLLs: (c:\windows\system32\vonahoyo.dll) - C:\WINDOWS\System32\vonahoyo.dll File not found

O20 - AppInit_DLLs: (lejorude.dll) - File not found

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\GoToMyPC: DllName - G2WinLogon.dll - C:\WINDOWS\System32\G2WinLogon.dll (Citrix Online)

O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)

O21 - SSODL: lidedozaj - {e6ec5a1f-9d4f-4aff-a040-da4b82f5d394} - C:\WINDOWS\System32\vonahoyo.dll File not found

O21 - SSODL: zihugurel - {a3c615d8-e1aa-4fba-9904-cf79c9c19fa3} - C:\WINDOWS\System32\nofukeve.dll File not found

O22 - SharedTaskScheduler: {a3c615d8-e1aa-4fba-9904-cf79c9c19fa3} - gahurihor - C:\WINDOWS\System32\nofukeve.dll File not found

O22 - SharedTaskScheduler: {e6ec5a1f-9d4f-4aff-a040-da4b82f5d394} - gahurihor - C:\WINDOWS\System32\vonahoyo.dll File not found

O30 - LSA: Authentication Packages - (OWS\S) - File not found

O30 - LSA: Security Packages - (settings...) - File not found

O30 - LSA: Security Packages - (ages settings...) - File not found

O30 - LSA: Security Packages - ® - File not found

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2006/04/25 14:22:43 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O32 - AutoRun File - [2004/03/18 12:21:14 | 000,000,000 | ---D | M] - P:\Automotive -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/06/04 08:48:45 | 000,571,904 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\kkrebeck\Desktop\OTL.exe

[2010/06/03 14:06:30 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2010/06/03 14:06:22 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2010/06/03 12:14:14 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/06/04 08:45:25 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\kkrebeck\Desktop\ktr3ge16.exe

[2010/06/04 08:44:22 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\kkrebeck\Desktop\OTL.exe

[2010/06/04 08:43:11 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/06/04 08:42:57 | 000,000,000 | ---- | M] () -- C:\WINDOWS\TempFile

[2010/06/04 08:42:55 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2010/06/04 08:42:53 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/06/04 08:42:15 | 003,407,872 | -H-- | M] () -- C:\Documents and Settings\kkrebeck\NTUSER.DAT

[2010/06/04 08:42:15 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\kkrebeck\ntuser.ini

[2010/06/04 08:35:37 | 000,000,656 | ---- | M] () -- C:\WINDOWS\win.ini

[2010/06/04 08:32:32 | 000,002,521 | ---- | M] () -- C:\Documents and Settings\kkrebeck\Desktop\Microsoft Office Outlook 2003 (2).lnk

[2010/06/04 08:01:01 | 000,000,240 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job

[2010/06/03 14:06:33 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2010/06/03 13:06:12 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\kkrebeck\Desktop\dds.scr

[2010/06/03 13:03:56 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\kkrebeck\defogger_reenable

[2010/06/03 12:48:14 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\kkrebeck\Desktop\Defogger.exe

[2010/06/03 12:39:05 | 000,000,487 | ---- | M] () -- C:\Documents and Settings\kkrebeck\Desktop\Shortcut to gmer_4mn18x46.exe.lnk

[2010/06/03 11:26:59 | 000,001,366 | ---- | M] () -- C:\WINDOWS\Flx.ini

[2010/06/03 08:25:31 | 000,002,048 | ---- | M] () -- C:\WINDOWS\MKDEWE.TRN

[2010/06/02 05:00:04 | 000,001,692 | ---- | M] () -- C:\WINDOWS\tasks\wrSpySweeper_C2FF322FF6EB47CBA57B04031F09A2ED.job

[2010/05/21 13:25:59 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\kkrebeck\Desktop\725mcggl.exe

[2010/05/20 10:32:53 | 000,064,751 | ---- | M] () -- C:\Documents and Settings\kkrebeck\Desktop\Georgia notice.pdf

[2010/05/13 09:35:06 | 000,068,938 | ---- | M] () -- C:\Documents and Settings\kkrebeck\Desktop\5-13-10 Cobra form.pdf

[2010/05/12 08:15:55 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/04 08:48:52 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\kkrebeck\Desktop\ktr3ge16.exe

[2010/06/03 14:06:33 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2010/06/03 13:06:05 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\kkrebeck\Desktop\dds.scr

[2010/06/03 13:03:56 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\kkrebeck\defogger_reenable

[2010/06/03 12:47:57 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\kkrebeck\Desktop\Defogger.exe

[2010/06/03 12:40:00 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\kkrebeck\Desktop\725mcggl.exe

[2010/06/03 12:39:05 | 000,000,487 | ---- | C] () -- C:\Documents and Settings\kkrebeck\Desktop\Shortcut to gmer_4mn18x46.exe.lnk

[2010/05/20 10:32:53 | 000,064,751 | ---- | C] () -- C:\Documents and Settings\kkrebeck\Desktop\Georgia notice.pdf

[2010/05/13 09:35:06 | 000,068,938 | ---- | C] () -- C:\Documents and Settings\kkrebeck\Desktop\5-13-10 Cobra form.pdf

[2009/11/06 12:00:28 | 000,031,088 | ---- | C] () -- C:\WINDOWS\System32\wrLZMA.dll

[2007/06/14 09:44:03 | 000,051,304 | ---- | C] () -- C:\WINDOWS\System32\drivers\atnt40k.sys

[2006/05/19 14:57:51 | 000,007,168 | ---- | C] () -- C:\WINDOWS\System32\DTCTRACE.DLL

[2006/05/19 14:57:36 | 000,001,366 | ---- | C] () -- C:\WINDOWS\Flx.ini

[2006/05/09 13:13:53 | 000,000,383 | ---- | C] () -- C:\WINDOWS\System32\haspdos.sys

[2006/05/02 08:30:24 | 000,000,785 | ---- | C] () -- C:\WINDOWS\alchemy.ini

[2006/05/01 11:00:08 | 000,320,000 | ---- | C] () -- C:\WINDOWS\System32\VBTBrowser.dll

[2006/04/26 09:31:10 | 000,094,274 | ---- | C] () -- C:\WINDOWS\System32\HPBHealr.dll

[2006/04/25 15:23:36 | 000,000,251 | ---- | C] () -- C:\WINDOWS\System32\drivers\hlldrvr.sys

[2006/04/25 15:23:11 | 000,199,952 | ---- | C] () -- C:\WINDOWS\System32\cwbrw.dll

[2006/04/25 15:23:11 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\ldap.dll

[2006/04/25 15:23:11 | 000,007,440 | ---- | C] () -- C:\WINDOWS\System32\cwbwiz.dll

[2006/04/25 15:20:02 | 000,000,601 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

[2001/12/08 20:46:14 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini

[2001/08/31 15:33:58 | 000,425,984 | ---- | C] () -- C:\WINDOWS\System32\VxDMDcDlg.dll

[1999/11/04 10:15:24 | 000,000,928 | ---- | C] () -- C:\WINDOWS\bti.ini

[1999/01/22 18:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

< End of report >

Extra.txt

================

OTL Extras logfile created on: 6/4/2010 8:49:35 AM - Run 1

OTL by OldTimer - Version 3.2.5.3 Folder = C:\Documents and Settings\kkrebeck\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.11)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,014.00 Mb Total Physical Memory | 569.00 Mb Available Physical Memory | 56.00% Memory free

2.00 Gb Paging File | 2.00 Gb Available in Paging File | 87.00% Paging File free

Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 227.87 Gb Total Space | 217.26 Gb Free Space | 95.34% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Drive J: | 14.93 Gb Total Space | 13.99 Gb Free Space | 93.69% Space Free | Partition Type: NTFS

Drive O: | 410.18 Gb Total Space | 258.60 Gb Free Space | 63.05% Space Free | Partition Type: NTFS

Drive P: | 410.18 Gb Total Space | 258.60 Gb Free Space | 63.05% Space Free | Partition Type: NTFS

Drive U: | 410.18 Gb Total Space | 258.60 Gb Free Space | 63.05% Space Free | Partition Type: NTFS

Drive W: | 253.45 Gb Total Space | 234.88 Gb Free Space | 92.67% Space Free | Partition Type: NTFS

Drive Y: | 83.72 Gb Total Space | 43.72 Gb Free Space | 52.22% Space Free | Partition Type: NTFS

Drive Z: | 410.18 Gb Total Space | 258.60 Gb Free Space | 63.05% Space Free | Partition Type: NTFS

Computer Name: WORKSTATION502

Current User Name: kkrebeck

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)

htmlfile [print] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" /p %1 (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

"UpdatesDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"EnableFirewall" = 1

"DoNotAllowExceptions" = 0

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"C:\WINDOWS\system32\ftp.exe" = C:\WINDOWS\system32\ftp.exe:*:Enabled:File Transfer Program -- (Microsoft Corporation)

"C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe" = C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe:*:Enabled:Managed Services Agent -- File not found

"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Explorer -- (Microsoft Corporation)

"C:\Program Files\Discrete Technologies\SecureDisc Client\SCDHelper.exe" = C:\Program Files\Discrete Technologies\SecureDisc Client\SCDHelper.exe:*:Enabled:SCDHelper -- (Discrete Technologies, Inc.)

"C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" = C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe:*:Enabled:SpySweeperUI -- (Webroot Software, Inc.)

"C:\WINDOWS\LMIB.tmp\lmi_rescue.exe" = C:\WINDOWS\LMIB.tmp\lmi_rescue.exe:*:Enabled:LogMeIn Rescue -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe" = C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe:*:Enabled:McAfee Managed Services Agent -- File not found

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{00010409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Professional

"{1FCC574F-AFA2-4432-9EF1-79CA7BA73431}_is1" = Webroot AntiVirus with Spy Sweeper

"{32343DB6-9A52-40C9-87E4-5E7C79791C87}" = MSXML 4.0 SP2 and SOAP Toolkit 3.0

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{3F5B6210-0903-4DC6-8034-8F488AA3A782}" = Spy Sweeper Core

"{58F4D4FD-1814-4068-B316-C28FC776C6DD}" = GoToMyPC

"{68E1BAC6-F79F-43C4-AF03-A89F53F748D3}" = Microsoft XML Parser

"{8214CC02-6271-4DC8-B8DD-779933450264}" = HP RecordNow

"{8215AC14-BFC2-4ECC-96D6-1030202F8BDF}" = Visual C++ 8.0 x86 Runtime Setup Package

"{845C5F13-069B-4F6F-8954-6BD82B98EEA7}" = Plus 32 Software

"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar

"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver

"{90E00409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Outlook 2003

"{96963F83-7F17-4941-B16C-1E790455E93A}" = McAfee SiteAdvisor Enterprise Plus

"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2

"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio

"{AC76BA86-7AD7-1033-7B44-A71000000002}" = Adobe Reader 7.1.0

"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{F44EAEB2-332B-48B9-B1B7-E25EAB628124}" = PowerBuilder Client Runtime

"ActiveTouchMeetingClient" = WebEx

"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX

"Agere Systems Soft Modem" = Agere Systems PCI Soft Modem

"Ceridian" = Ceridian HR/Payroll

"ClientAccessExpress" = IBM AS/400 Client Access Express for Windows

"hp LaserJet 2300 Uninstaller" = hp LaserJet 2300 Uninstaller

"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs

"ie7" = Windows Internet Explorer 7

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"McAfee Managed Firewall" = McAfee Firewall Protection Service

"McAfeeBrowserProtection" = McAfee Browser Protection Service

"MICR Calibration Wizard" = MICR Calibration Wizard

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP

"MVS" = McAfee Virus and Spyware Protection Service

"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs

"PROSet" = Intel® PRO Network Connections Drivers

"SCDClient" = SecureDisc Client

"Windows Media Format Runtime" = Windows Media Format 11 runtime

"Windows Media Player" = Windows Media Player 11

"Windows XP Service Pack" = Windows XP Service Pack 3

"WMFDist11" = Windows Media Format 11 runtime

"wmp11" = Windows Media Player 11

"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-201682921-800487625-538272213-1210\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"GoToMeeting" = GoToMeeting 4.1.0.366

========== Last 10 Event Log Errors ==========

[ Application Events ]

Error - 3/15/2010 8:41:13 AM | Computer Name = WORKSTATION502 | Source = Application Error | ID = 1000

Description = Faulting application plus32.exe, version 0.0.0.0, faulting module

kernel32.dll, version 5.1.2600.5781, fault address 0x00012afb.

Error - 4/1/2010 3:39:00 PM | Computer Name = WORKSTATION502 | Source = Application Error | ID = 1000

Description = Faulting application plus32.exe, version 0.0.0.0, faulting module

plus32.exe, version 0.0.0.0, fault address 0x002f1ff1.

Error - 4/6/2010 1:54:38 PM | Computer Name = WORKSTATION502 | Source = Application Hang | ID = 1002

Description = Hanging application iexplore.exe, version 7.0.6000.17023, hang module

hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/10/2010 9:49:12 AM | Computer Name = WORKSTATION502 | Source = Application Error | ID = 1000

Description = Faulting application plus32.exe, version 0.0.0.0, faulting module

plus32.exe, version 0.0.0.0, fault address 0x002f1ff1.

Error - 5/19/2010 9:50:28 AM | Computer Name = WORKSTATION502 | Source = Application Hang | ID = 1002

Description = Hanging application iexplore.exe, version 7.0.6000.17023, hang module

hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 6/1/2010 1:22:14 PM | Computer Name = WORKSTATION502 | Source = Application Hang | ID = 1002

Description = Hanging application iexplore.exe, version 7.0.6000.17023, hang module

hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 6/2/2010 12:59:55 PM | Computer Name = WORKSTATION502 | Source = Application Hang | ID = 1002

Description = Hanging application OUTLOOK.EXE, version 11.0.5510.0, hang module

hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 6/2/2010 12:59:55 PM | Computer Name = WORKSTATION502 | Source = Application Hang | ID = 1002

Description = Hanging application OUTLOOK.EXE, version 11.0.5510.0, hang module

hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 6/2/2010 1:08:09 PM | Computer Name = WORKSTATION502 | Source = Microsoft Office 11 | ID = 2000

Description = Accepted Safe Mode action : Microsoft Office Outlook.

Error - 6/3/2010 1:38:27 PM | Computer Name = WORKSTATION502 | Source = .NET Runtime 2.0 Error Reporting | ID = 1000

Description = Faulting application explorer.exe, version 6.0.2900.5512, stamp 48025c30,

faulting module unknown, version 0.0.0.0, stamp 00000000, debug? 0, fault address

0x030d23ac.

[ System Events ]

Error - 6/4/2010 8:39:08 AM | Computer Name = WORKSTATION502 | Source = Service Control Manager | ID = 7000

Description = The EngineServer service failed to start due to the following error:

%%3

Error - 6/4/2010 8:39:08 AM | Computer Name = WORKSTATION502 | Source = Service Control Manager | ID = 7000

Description = The McAfee SiteAdvisor Enterprise Service service failed to start

due to the following error: %%3

Error - 6/4/2010 8:39:08 AM | Computer Name = WORKSTATION502 | Source = Service Control Manager | ID = 7000

Description = The McAfee Virus and Spyware Protection Service service failed to

start due to the following error: %%3

Error - 6/4/2010 9:26:40 AM | Computer Name = WORKSTATION502 | Source = Service Control Manager | ID = 7000

Description = The EngineServer service failed to start due to the following error:

%%3

Error - 6/4/2010 9:26:40 AM | Computer Name = WORKSTATION502 | Source = Service Control Manager | ID = 7000

Description = The McAfee SiteAdvisor Enterprise Service service failed to start

due to the following error: %%3

Error - 6/4/2010 9:26:40 AM | Computer Name = WORKSTATION502 | Source = Service Control Manager | ID = 7000

Description = The McAfee Virus and Spyware Protection Service service failed to

start due to the following error: %%3

Error - 6/4/2010 9:43:10 AM | Computer Name = WORKSTATION502 | Source = sr | ID = 1

Description = The System Restore filter encountered the unexpected error '0xC0000001'

while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring

the volume.

Error - 6/4/2010 9:44:37 AM | Computer Name = WORKSTATION502 | Source = Service Control Manager | ID = 7000

Description = The EngineServer service failed to start due to the following error:

%%3

Error - 6/4/2010 9:44:37 AM | Computer Name = WORKSTATION502 | Source = Service Control Manager | ID = 7000

Description = The McAfee SiteAdvisor Enterprise Service service failed to start

due to the following error: %%3

Error - 6/4/2010 9:44:37 AM | Computer Name = WORKSTATION502 | Source = Service Control Manager | ID = 7000

Description = The McAfee Virus and Spyware Protection Service service failed to

start due to the following error: %%3

< End of report >

gmer.log

==================

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-06-04 09:38:19

Windows 5.1.2600 Service Pack 3

Running: ktr3ge16.exe; Driver: C:\DOCUME~1\kkrebeck\LOCALS~1\Temp\ffrorpoc.sys

---- System - GMER 1.0.15 ----

SSDT 86B8BE40 ZwAllocateVirtualMemory

SSDT 86BE6158 ZwCreateKey

SSDT 86B34BA0 ZwCreateProcess

SSDT 86B34B28 ZwCreateProcessEx

SSDT 86B34948 ZwCreateThread

SSDT 86BE5C48 ZwDeleteKey

SSDT 86B34C18 ZwDeleteValueKey

SSDT 86B8BEB8 ZwQueueApcThread

SSDT 86B8BD50 ZwReadVirtualMemory

SSDT 86BC70A8 ZwRenameKey

SSDT 86B8BFA8 ZwSetContextThread

SSDT 86B34D08 ZwSetInformationKey

SSDT 86B34A38 ZwSetInformationProcess

SSDT 86B8B020 ZwSetInformationThread

SSDT 86B34C90 ZwSetValueKey

SSDT 86B349C0 ZwSuspendProcess

SSDT 86B8BF30 ZwSuspendThread

SSDT 86B34AB0 ZwTerminateProcess

SSDT 86B348D0 ZwTerminateThread

SSDT 86B8BDC8 ZwWriteVirtualMemory

INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) AA96B16D

INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) AA96AFC2

---- Kernel code sections - GMER 1.0.15 ----

? crsfxc.sys The system cannot find the file specified. !

.text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xAA653400, 0x7960C, 0xE8000020]

.protect


Elise,

I noticed that lejorude.dll showed up under gmer output. I searched the forums and a previous solution said to use combofix.exe. I had used that on another computer so I used it on the current problem. It ran ok, then I was able to re-install mbam. It now allows update of the database and active protection (both of which I was unable to get to work) on mbam. Also, the rundll problems are not there upon startup.

I'd like you to leave this issue open until Monday because I'm not sure it might not come back. :)


mbam is still catching these types of files:

botajida.dll, revulazo.dll, bubeguto.dll, pajohebu.dll

Thanks,

Here is the log:

ComboFix 10-06-03.01 - kkrebeck 06/04/2010 11:08:02.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.699 [GMT -5:00]

Running from: c:\documents and settings\kkrebeck\Desktop\Combo-Fix.exe

AV: Total Protection Service *On-access scanning disabled* (Updated) {8C354827-2F54-4E28-90DC-AD391E77808C}

AV: Webroot AntiVirus with Spy Sweeper *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}

FW: Total Protection Service *enabled* {259FBE35-46BE-45F3-8F2F-4DB67BBBC614}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\lejorude.dll

c:\windows\system32\VB40032.DLL

c:\windows\system32\gotomon.log . . . . failed to delete

.

((((((((((((((((((((((((( Files Created from 2010-05-04 to 2010-06-04 )))))))))))))))))))))))))))))))

.

2010-06-03 19:06 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-03 19:06 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-03 17:14 . 2010-06-03 20:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-13 22:01 . 2010-04-07 12:41 -------- d-----w- c:\program files\Ask.com

2010-04-07 12:39 . 2009-09-25 20:12 164 ----a-w- c:\windows\install.dat

2010-03-11 12:38 . 2005-11-01 12:00 832512 ----a-w- c:\windows\system32\wininet.dll

2010-03-11 12:38 . 2005-11-01 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-03-11 12:38 . 2005-11-01 12:00 17408 ----a-w- c:\windows\system32\corpol.dll

2010-03-09 11:09 . 2005-11-01 12:00 430080 ----a-w- c:\windows\system32\vbscript.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

2010-02-04 21:50 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]

@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"

[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]

2009-05-13 20:34 238968 ----a-w- c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AGRSMMSG"="AGRSMMSG.exe" [2004-10-08 88363]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]

"Client Access Service"="c:\program files\IBM\Client Access\CwbSvStr.Exe" [1999-10-12 6928]

"Client Access Help Update"="c:\program files\IBM\Client Access\cwbinhlp.exe" [1999-10-12 15632]

"Client Access Check Version"="c:\program files\IBM\Client Access\cwbckver.exe" [1999-10-12 47888]

"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2004-11-04 172102]

"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]

"SCDClient"="c:\program files\Discrete Technologies\SecureDisc Client\SCDHelper.exe" [2008-03-26 618496]

"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-11-06 6515784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]

2004-11-04 00:22 24576 ----a-w- c:\windows\system32\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [4/21/2009 6:27 PM 29808]

R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [9/25/2009 3:17 PM 1201640]

R3 SCDFilter;SCDFilter;c:\windows\system32\drivers\SCDFilter.sys [3/26/2008 11:54 AM 41856]

S2 EngineServer;EngineServer;"c:\program files\McAfee\Managed VirusScan\VScan\EngineServer.exe" --> c:\program files\McAfee\Managed VirusScan\VScan\EngineServer.exe [?]

S2 McAfee SiteAdvisor Enterprise Service;McAfee SiteAdvisor Enterprise Service;"c:\program files\McAfee\SiteAdvisor Enterprise\McSACore.exe" --> c:\program files\McAfee\SiteAdvisor Enterprise\McSACore.exe [?]

S2 myAgtSvc;McAfee Virus and Spyware Protection Service;"c:\program files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe" /ServiceStart --> c:\program files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [?]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/3/2010 2:06 PM 19160]

.

Contents of the 'Scheduled Tasks' folder

2010-06-04 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job

- c:\program files\Ask.com\UpdateTask.exe [2010-02-04 21:50]

2010-06-02 c:\windows\Tasks\wrSpySweeper_C2FF322FF6EB47CBA57B04031F09A2ED.job

- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-09-25 20:19]

2010-06-02 c:\windows\Tasks\wrSpySweeper_C2FF322FF6EB47CBA57B04031F09A2ED.job

- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-09-25 20:19]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

Trusted Zone: //about.htm/

Trusted Zone: //Exclude.htm/

Trusted Zone: //FWEvent.htm/

Trusted Zone: //LanguageSelection.htm/

Trusted Zone: //Message.htm/

Trusted Zone: //MyAgttryCmd.htm/

Trusted Zone: //MyAgttryNag.htm/

Trusted Zone: //MyNotification.htm/

Trusted Zone: //NOCLessUpdate.htm/

Trusted Zone: //quarantine.htm/

Trusted Zone: //ScanNow.htm/

Trusted Zone: //strings.vbs/

Trusted Zone: //Template.htm/

Trusted Zone: //Update.htm/

Trusted Zone: //VirFound.htm/

Trusted Zone: mcafee.com\*

Trusted Zone: mcafeeasap.com\betavscan

Trusted Zone: mcafeeasap.com\vs

Trusted Zone: mcafeeasap.com\www

Trusted Zone: siteadvisor.com\www

.

- - - - ORPHANS REMOVED - - - -

BHO-{c58ddb82-788d-412c-b1af-4eb326e53116} - pajohebu.dll

HKCU-Run-SAV - c:\documents and settings\All Users\Application Data\a6cc8eb\LivePCGuard.exe

HKLM-Run-MVS Splash - c:\program files\McAfee\Managed VirusScan\DesktopUI\XTray.exe

HKLM-Run-McAfee Managed Services Tray - c:\program files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe

HKLM-Run-yumuwitozi - bogerijo.dll

SharedTaskScheduler-{e6ec5a1f-9d4f-4aff-a040-da4b82f5d394} - c:\windows\system32\vonahoyo.dll

SharedTaskScheduler-{a3c615d8-e1aa-4fba-9904-cf79c9c19fa3} - c:\windows\system32\nofukeve.dll

SSODL-lidedozaj-{e6ec5a1f-9d4f-4aff-a040-da4b82f5d394} - c:\windows\system32\vonahoyo.dll

SSODL-zihugurel-{a3c615d8-e1aa-4fba-9904-cf79c9c19fa3} - c:\windows\system32\nofukeve.dll

AddRemove-McAfee Managed Firewall - c:\program files\McAfee\Managed VirusScan\Agent\myInx.exe

AddRemove-McAfee Personal Firewall Plus API - c:\program files\Common Files\McAfee\Installer\mcinst.exe

AddRemove-McAfeeBrowserProtection - c:\program files\McAfee\Managed VirusScan\Agent\myinx.exe

AddRemove-MVS - c:\progra~1\McAfee\MANAGE~1\Agent\myinx

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-04 11:17

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Drivers32]

@Denied: (Read) (Administrators)

@Denied: (B E 1 4 5) (Administrators)

"midimapper"="midimap.dll"

"msacm.imaadpcm"="imaadp32.acm"

"msacm.msadpcm"="msadp32.acm"

"msacm.msg711"="msg711.acm"

"msacm.msgsm610"="msgsm32.acm"

"msacm.trspch"="tssoft32.acm"

"vidc.cvid"="iccvid.dll"

"vidc.I420"="msh263.drv"

"vidc.iv31"="ir32_32.dll"

"vidc.iv32"="ir32_32.dll"

"vidc.iv41"="ir41_32.ax"

"vidc.iyuv"="iyuv_32.dll"

"vidc.mrle"="msrle32.dll"

"vidc.msvc"="msvidc32.dll"

"vidc.uyvy"="msyuv.dll"

"vidc.yuy2"="msyuv.dll"

"vidc.yvu9"="tsbyuv.dll"

"vidc.yvyu"="msyuv.dll"

"wavemapper"="msacm32.drv"

"msacm.msg723"="msg723.acm"

"vidc.M263"="msh263.drv"

"vidc.M261"="msh261.drv"

"msacm.msaudio1"="msaud32.acm"

"msacm.sl_anet"="sl_anet.acm"

"msacm.iac2"="c:\\WINDOWS\\system32\\iac25_32.ax"

"vidc.iv50"="ir50_32.dll"

"msacm.l3acm"="c:\\WINDOWS\\system32\\l3codeca.acm"

"wave"="serwvdrv.dll"

"wave1"="wdmaud.drv"

"midi"="wdmaud.drv"

"mixer"="wdmaud.drv"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)

c:\windows\system32\G2WinLogon.dll

- - - - - - - > 'explorer.exe'(2100)

c:\windows\system32\WININET.dll

c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Citrix\GoToMyPC\g2comm.exe

c:\program files\Citrix\GoToMyPC\g2pre.exe

c:\program files\Citrix\GoToMyPC\g2tray.exe

c:\program files\Webroot\WebrootSecurity\SpySweeper.exe

c:\windows\AGRSMMSG.exe

.

**************************************************************************

.

Completion time: 2010-06-04 11:23:42 - machine was rebooted

ComboFix-quarantined-files.txt 2010-06-04 16:23

Pre-Run: 233,232,982,016 bytes free

Post-Run: 233,769,594,880 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 421E4D21109A0DD28F04004B271551D6


Hello again,

CF-SCRIPT

-------------

We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press Enter. Copy/paste the text in the codebox below into it:

RegLock::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Drivers32]

Save this as CFScript.txt, in the same location as ComboFix.exe

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Thanks. I had uninstalled combofix, so when I dragged the file to the icon, it asked if I wanted the latest version, I said yes. But when it updated it went through its whole normal routine. I'll wait for it to finish then move the script file to the icon again. Then send you that log file.


Elise,

Here is the log file from combofix

ComboFix 10-06-03.01 - kkrebeck 06/04/2010 16:24:59.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.659 [GMT -5:00]

Running from: c:\documents and settings\kkrebeck\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\kkrebeck\Desktop\CFScript.txt

AV: Total Protection Service *On-access scanning disabled* (Updated) {8C354827-2F54-4E28-90DC-AD391E77808C}

FW: Total Protection Service *enabled* {259FBE35-46BE-45F3-8F2F-4DB67BBBC614}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\gotomon.log

.

((((((((((((((((((((((((( Files Created from 2010-05-04 to 2010-06-04 )))))))))))))))))))))))))))))))

.

2010-06-04 20:27 . 2010-06-04 20:27 -------- d-----w- C:\Combo-Fix

2010-06-03 19:06 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-03 19:06 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-03 17:14 . 2010-06-04 17:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-13 22:01 . 2010-04-07 12:41 -------- d-----w- c:\program files\Ask.com

2010-04-07 12:39 . 2009-09-25 20:12 164 ----a-w- c:\windows\install.dat

2010-03-11 12:38 . 2005-11-01 12:00 832512 ----a-w- c:\windows\system32\wininet.dll

2010-03-11 12:38 . 2005-11-01 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-03-11 12:38 . 2005-11-01 12:00 17408 ----a-w- c:\windows\system32\corpol.dll

2010-03-09 11:09 . 2005-11-01 12:00 430080 ----a-w- c:\windows\system32\vbscript.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

2010-02-04 21:50 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AGRSMMSG"="AGRSMMSG.exe" [2004-10-08 88363]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]

"Client Access Service"="c:\program files\IBM\Client Access\CwbSvStr.Exe" [1999-10-12 6928]

"Client Access Help Update"="c:\program files\IBM\Client Access\cwbinhlp.exe" [1999-10-12 15632]

"Client Access Check Version"="c:\program files\IBM\Client Access\cwbckver.exe" [1999-10-12 47888]

"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2004-11-04 172102]

"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]

"SCDClient"="c:\program files\Discrete Technologies\SecureDisc Client\SCDHelper.exe" [2008-03-26 618496]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]

2004-11-04 00:22 24576 ----a-w- c:\windows\system32\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/29/2010 3:39 PM 304464]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/3/2010 2:06 PM 20952]

R3 SCDFilter;SCDFilter;c:\windows\system32\drivers\SCDFilter.sys [3/26/2008 11:54 AM 41856]

S2 EngineServer;EngineServer;"c:\program files\McAfee\Managed VirusScan\VScan\EngineServer.exe" --> c:\program files\McAfee\Managed VirusScan\VScan\EngineServer.exe [?]

S2 McAfee SiteAdvisor Enterprise Service;McAfee SiteAdvisor Enterprise Service;"c:\program files\McAfee\SiteAdvisor Enterprise\McSACore.exe" --> c:\program files\McAfee\SiteAdvisor Enterprise\McSACore.exe [?]

S2 myAgtSvc;McAfee Virus and Spyware Protection Service;"c:\program files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe" /ServiceStart --> c:\program files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [?]

.

Contents of the 'Scheduled Tasks' folder

2010-06-04 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job

- c:\program files\Ask.com\UpdateTask.exe [2010-02-04 21:50]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

Trusted Zone: //about.htm/

Trusted Zone: //Exclude.htm/

Trusted Zone: //FWEvent.htm/

Trusted Zone: //LanguageSelection.htm/

Trusted Zone: //Message.htm/

Trusted Zone: //MyAgttryCmd.htm/

Trusted Zone: //MyAgttryNag.htm/

Trusted Zone: //MyNotification.htm/

Trusted Zone: //NOCLessUpdate.htm/

Trusted Zone: //quarantine.htm/

Trusted Zone: //ScanNow.htm/

Trusted Zone: //strings.vbs/

Trusted Zone: //Template.htm/

Trusted Zone: //Update.htm/

Trusted Zone: //VirFound.htm/

Trusted Zone: mcafee.com\*

Trusted Zone: mcafeeasap.com\betavscan

Trusted Zone: mcafeeasap.com\vs

Trusted Zone: mcafeeasap.com\www

Trusted Zone: siteadvisor.com\www

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-04 16:30

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Drivers32]

@Denied: (Read) (Administrators)

@Denied: (B E 1 4 5) (Administrators)

"midimapper"="midimap.dll"

"msacm.imaadpcm"="imaadp32.acm"

"msacm.msadpcm"="msadp32.acm"

"msacm.msg711"="msg711.acm"

"msacm.msgsm610"="msgsm32.acm"

"msacm.trspch"="tssoft32.acm"

"vidc.cvid"="iccvid.dll"

"vidc.I420"="msh263.drv"

"vidc.iv31"="ir32_32.dll"

"vidc.iv32"="ir32_32.dll"

"vidc.iv41"="ir41_32.ax"

"vidc.iyuv"="iyuv_32.dll"

"vidc.mrle"="msrle32.dll"

"vidc.msvc"="msvidc32.dll"

"vidc.uyvy"="msyuv.dll"

"vidc.yuy2"="msyuv.dll"

"vidc.yvu9"="tsbyuv.dll"

"vidc.yvyu"="msyuv.dll"

"wavemapper"="msacm32.drv"

"msacm.msg723"="msg723.acm"

"vidc.M263"="msh263.drv"

"vidc.M261"="msh261.drv"

"msacm.msaudio1"="msaud32.acm"

"msacm.sl_anet"="sl_anet.acm"

"msacm.iac2"="c:\\WINDOWS\\system32\\iac25_32.ax"

"vidc.iv50"="ir50_32.dll"

"msacm.l3acm"="c:\\WINDOWS\\system32\\l3codeca.acm"

"wave"="serwvdrv.dll"

"wave1"="wdmaud.drv"

"midi"="wdmaud.drv"

"mixer"="wdmaud.drv"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(692)

c:\windows\system32\G2WinLogon.dll

- - - - - - - > 'explorer.exe'(2820)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Citrix\GoToMyPC\g2comm.exe

c:\program files\Citrix\GoToMyPC\g2pre.exe

c:\program files\Citrix\GoToMyPC\g2tray.exe

c:\windows\AGRSMMSG.exe

.

**************************************************************************

.

Completion time: 2010-06-04 16:34:21 - machine was rebooted

ComboFix-quarantined-files.txt 2010-06-04 21:34

ComboFix2.txt 2010-06-04 21:22

ComboFix3.txt 2010-06-04 16:23

Pre-Run: 235,850,616,832 bytes free

Post-Run: 235,819,769,856 bytes free

- - End Of File - - 710FC0CF8A30E25EED21C7CEDC34BE20


Hello again, could you please list the malware MBAM detected earlier?

Please click Start > Control Panel > Add/Remove Programs and uninstall Ask Toolbar

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the ESET Online Scanner button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on ESET Smart Installer to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the ESET Smart Installer icon on your desktop.

    3. Check "YES, I accept the Terms of Use."
    4. Click the Start button.
    5. Accept any security warnings from your browser.
    6. Check "Scan archives".
    7. Push the Start button.
    8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    9. When the scan completes, push "List of found threats".
    10. Push "Export to text file", and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
      Note - when ESET doesn't find any threats, no report will be created.
    11. Push the Back button.
    12. Push Finish.


Elise, we are on the weekend now in the USA. Will return Monday and run the tests.

Here is an early scan from yesterday:

=================================================

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4161

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.11

6/4/2010 8:40:14 AM

mbam-log-2010-06-04 (08-40-14).txt

Scan type: Quick scan

Objects scanned: 160667

Time elapsed: 13 minute(s), 29 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 1

Registry Values Infected: 4

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

c:\WINDOWS\system32\botajida.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{61b676a5-5134-40df-9deb-3023d09809e5} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zepifoyay (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{61b676a5-5134-40df-9deb-3023d09809e5} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\dagezifam (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yumuwitozi (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\botajida.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\botajida.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\botajida.dll (Trojan.Vundo.H) -> Delete on reboot.

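The MBAM 1.x log above is worth reading for more than the threat names: the Vundo entries show the autostart points it used (a Run value, a ShellServiceObjectDelayLoad entry, a SharedTaskScheduler CLSID, and AppInit_DLLs, which gets the DLL into every user32 process), plus a Security Center value flipped to hide the missing updates, and two "Delete on reboot" items that explain why the scanner asked for a restart. The following parser is an added example, not Malwarebytes' code; the only format specification it assumes is the log shown above, and the persistence table is the example's own classification. SAMPLE_LOG is an excerpt copied from that log.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log into structured records.

Added example, not Malwarebytes' code. The only format specification assumed
is the log posted above; SAMPLE_LOG is an excerpt of it.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Detail headers carry no count ("Files Infected:"); the summary lines near
# the top do ("Files Infected: 1"), so anchoring on ":$" skips the summary.
SECTION_RE = re.compile(
    r"^(Memory Processes|Memory Modules|Registry Keys|Registry Values|"
    r"Registry Data Items|Folders|Files) Infected:$"
)
# "<path> (<threat>) -> [<data> -> ]<action>"
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+)$")

# Autostart locations seen in the log and the mechanism each one abuses.
# Assumption: this table is the example's own, not a Malwarebytes one.
PERSISTENCE = {
    "\\currentversion\\run\\": "Run key (executed at every logon)",
    "\\shellserviceobjectdelayload\\": "SSODL (DLL loaded into explorer.exe)",
    "\\sharedtaskscheduler\\": "SharedTaskScheduler (COM object loaded into explorer.exe)",
    "\\windows\\appinit_dlls": "AppInit_DLLs (DLL loaded into every user32 process)",
    "\\security center\\": "Security Center tampering",
}


@dataclass
class Detection:
    section: str
    path: str
    threat: str
    action: str
    data: Optional[str] = None  # "Data: ..." or "Bad: (1) Good: (0)", if present


def parse_mbam_log(text: str) -> list[Detection]:
    items = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        m = ITEM_RE.match(line)
        if not m:
            continue
        rest, data = m.group("rest"), None
        if " -> " in rest:
            # "Data: x -> action" and "Bad: (1) Good: (0) -> action" both
            # keep the action after the last arrow.
            data, rest = rest.rsplit(" -> ", 1)
        items.append(Detection(section, m.group("path"), m.group("threat"), rest, data))
    return items


def classify(d: Detection) -> str:
    lowered = d.path.lower()
    for needle, mechanism in PERSISTENCE.items():
        if needle in lowered:
            return mechanism
    return "file or memory" if d.section.startswith(("Memory", "File", "Folder")) else "other registry"


def pending_reboot(items: list[Detection]) -> list[str]:
    """Paths MBAM could not remove live; they need the reboot it asked for."""
    return [d.path for d in items if d.action.startswith("Delete on reboot")]


def mechanisms(items: list[Detection]) -> dict[str, list[str]]:
    """Group detections by the persistence mechanism they used."""
    out = {}
    for d in items:
        out.setdefault(classify(d), []).append(d.path)
    return out


# Excerpt of the log posted above (copied, not constructed).
SAMPLE_LOG = r"""
Memory Modules Infected:
c:\WINDOWS\system32\botajida.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{61b676a5-5134-40df-9deb-3023d09809e5} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zepifoyay (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{61b676a5-5134-40df-9deb-3023d09809e5} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\dagezifam (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yumuwitozi (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\botajida.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\botajida.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\botajida.dll (Trojan.Vundo.H) -> Delete on reboot.
"""

if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    for mech, paths in mechanisms(found).items():
        print(mech, "->", len(paths))
    print("needs reboot:", pending_reboot(found))
```

The two "Delete on reboot" paths are the same DLL reported once as a loaded module and once as a file; an AppInit_DLLs entry is loaded into almost every GUI process, which is why the file could not be unlocked and removed while the session was running.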

Elise, here is the latest log:

OTL logfile created on: 6/7/2010 10:19:45 AM - Run 2

OTL by OldTimer - Version 3.2.5.3 Folder = C:\Documents and Settings\kkrebeck\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.11)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,014.00 Mb Total Physical Memory | 582.00 Mb Available Physical Memory | 57.00% Memory free

2.00 Gb Paging File | 2.00 Gb Available in Paging File | 88.00% Paging File free

Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 227.87 Gb Total Space | 219.52 Gb Free Space | 96.33% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Drive J: | 14.93 Gb Total Space | 6.95 Gb Free Space | 46.54% Space Free | Partition Type: NTFS

Drive O: | 410.18 Gb Total Space | 258.38 Gb Free Space | 62.99% Space Free | Partition Type: NTFS

Drive P: | 410.18 Gb Total Space | 258.38 Gb Free Space | 62.99% Space Free | Partition Type: NTFS

Drive U: | 410.18 Gb Total Space | 258.38 Gb Free Space | 62.99% Space Free | Partition Type: NTFS

Drive W: | 253.45 Gb Total Space | 234.92 Gb Free Space | 92.69% Space Free | Partition Type: NTFS

Drive Y: | 83.72 Gb Total Space | 44.49 Gb Free Space | 53.14% Space Free | Partition Type: NTFS

Drive Z: | 410.18 Gb Total Space | 258.38 Gb Free Space | 62.99% Space Free | Partition Type: NTFS

Computer Name: WORKSTATION502

Current User Name: kkrebeck

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 60 Days

Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/06/04 08:44:22 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\kkrebeck\Desktop\OTL.exe

PRC - [2010/04/29 15:39:34 | 000,304,464 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

PRC - [2010/04/29 15:39:32 | 000,437,584 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2008/03/26 12:03:00 | 000,618,496 | ---- | M] (Discrete Technologies, Inc.) -- C:\Program Files\Discrete Technologies\SecureDisc Client\SCDHelper.exe

PRC - [2004/11/03 19:23:28 | 000,680,007 | ---- | M] (Citrix Online) -- C:\Program Files\Citrix\GoToMyPC\g2tray.exe

PRC - [2004/11/03 19:22:40 | 000,188,473 | ---- | M] (Citrix Online) -- C:\Program Files\Citrix\GoToMyPC\g2pre.exe

PRC - [2004/11/03 19:22:02 | 000,172,102 | ---- | M] (Citrix Online) -- C:\Program Files\Citrix\GoToMyPC\g2svc.exe

PRC - [2004/10/14 10:43:34 | 000,458,838 | ---- | M] (Citrix Online) -- C:\Program Files\Citrix\GoToMyPC\g2comm.exe

========== Modules (SafeList) ==========

MOD - [2010/06/04 08:44:22 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\kkrebeck\Desktop\OTL.exe

MOD - [2008/04/13 19:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (myAgtSvc)

SRV - File not found [Auto | Stopped] -- -- (McAfee SiteAdvisor Enterprise Service)

SRV - File not found [Auto | Stopped] -- -- (EngineServer)

SRV - [2010/04/29 15:39:34 | 000,304,464 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)

SRV - [2004/11/03 19:22:02 | 000,172,102 | ---- | M] (Citrix Online) [Auto | Running] -- C:\Program Files\Citrix\GoToMyPC\g2svc.exe -- (GoToMyPC)

SRV - [1999/10/12 04:50:00 | 000,051,472 | ---- | M] (IBM Corporation) [On_Demand | Stopped] -- C:\WINDOWS\cwbrxd.exe -- (Cwbrxd)

========== Driver Services (SafeList) ==========

DRV - [2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)

DRV - [2009/05/15 18:15:14 | 000,055,336 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdik.sys -- (mfetdik)

DRV - [2008/04/13 11:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)

DRV - [2008/03/26 11:54:16 | 000,041,856 | ---- | M] (Discrete Technologies) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SCDFilter.sys -- (SCDFilter)

DRV - [2006/05/09 13:13:53 | 000,047,616 | ---- | M] (Aladdin Knowledge Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\Haspnt.sys -- (Haspnt)

DRV - [2005/07/28 08:18:40 | 000,685,056 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\hardlock.sys -- (Hardlock)

DRV - [2005/07/18 18:40:40 | 001,019,064 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)

DRV - [2005/03/31 13:04:52 | 000,180,736 | R--- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1e5132.sys -- (e1express) Intel®

DRV - [2004/10/08 06:51:08 | 001,270,540 | R--- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)

DRV - [2003/07/16 01:27:40 | 000,043,264 | R--- | M] (Prolific Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ser2pl.sys -- (Ser2pl)

DRV - [2001/08/17 13:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)

DRV - [2000/12/05 16:18:02 | 000,003,952 | ---- | M] (Sony Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\DMICall.sys -- (DMICall)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-201682921-800487625-538272213-1210\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

IE - HKU\S-1-5-21-201682921-800487625-538272213-1210\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

O1 HOSTS File: ([2010/06/04 16:29:57 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll File not found

O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - No CLSID value found.

O3 - HKU\S-1-5-21-201682921-800487625-538272213-1210\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.

O4 - HKLM..\Run: [Client Access Check Version] C:\Program Files\IBM\Client Access\cwbckver.exe (IBM Corporation)

O4 - HKLM..\Run: [Client Access Help Update] C:\Program Files\IBM\Client Access\cwbinhlp.exe (IBM Corporation)

O4 - HKLM..\Run: [Client Access Service] C:\Program Files\IBM\Client Access\CwbSvStr.Exe (IBM Corporation)

O4 - HKLM..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe (Citrix Online)

O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)

O4 - HKLM..\Run: [sCDClient] C:\Program Files\Discrete Technologies\SecureDisc Client\SCDHelper.exe (Discrete Technologies, Inc.)

O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)

O4 - HKU\S-1-5-18..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-201682921-800487625-538272213-1210\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-21-201682921-800487625-538272213-1210\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-21-201682921-800487625-538272213-1210\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-21-201682921-800487625-538272213-1210\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O15 - HKLM\..Trusted Domains: //about.htm/ ([]myui in Trusted sites)

O15 - HKLM\..Trusted Domains: //Exclude.htm/ ([]myui in Trusted sites)

O15 - HKLM\..Trusted Domains: //FWEvent.htm/ ([]myui in Trusted sites)

O15 - HKLM\..Trusted Domains: //LanguageSelection.htm/ ([]myui in Trusted sites)

O15 - HKLM\..Trusted Domains: //Message.htm/ ([]myui in Trusted sites)

O15 - HKLM\..Trusted Domains: //MyAgttryCmd.htm/ ([]myui in Trusted sites)

O15 - HKLM\..Trusted Domains: //MyAgttryNag.htm/ ([]myui in Trusted sites)

O15 - HKLM\..Trusted Domains: //MyNotification.htm/ ([]myui in Trusted sites)

O15 - HKLM\..Trusted Domains: //NOCLessUpdate.htm/ ([]myui in Trusted sites)

O15 - HKLM\..Trusted Domains: //quarantine.htm/ ([]myui in Trusted sites)

O15 - HKLM\..Trusted Domains: //ScanNow.htm/ ([]myui in Trusted sites)

O15 - HKLM\..Trusted Domains: //strings.vbs/ ([]myui in Trusted sites)

O15 - HKLM\..Trusted Domains: //Template.htm/ ([]myui in Trusted sites)

O15 - HKLM\..Trusted Domains: //Update.htm/ ([]myui in Trusted sites)

O15 - HKLM\..Trusted Domains: //VirFound.htm/ ([]myui in Trusted sites)

O15 - HKLM\..Trusted Domains: mcafee.com ([*] http in Trusted sites)

O15 - HKLM\..Trusted Domains: mcafee.com ([*] https in Trusted sites)

O15 - HKLM\..Trusted Domains: mcafeeasap.com ([betavscan] http in Trusted sites)

O15 - HKLM\..Trusted Domains: mcafeeasap.com ([betavscan] https in Trusted sites)

O15 - HKLM\..Trusted Domains: mcafeeasap.com ([vs] http in Trusted sites)

O15 - HKLM\..Trusted Domains: mcafeeasap.com ([vs] https in Trusted sites)

O15 - HKLM\..Trusted Domains: mcafeeasap.com ([www] http in Trusted sites)

O15 - HKLM\..Trusted Domains: mcafeeasap.com ([www] https in Trusted sites)

O15 - HKLM\..Trusted Domains: siteadvisor.com ([www] http in Trusted sites)

O15 - HKLM\..Trusted Domains: siteadvisor.com ([www] https in Trusted sites)

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/5/b...heckControl.cab (Windows Genuine Advantage Validation Tool)

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/shock...ash/swflash.cab (Shockwave Flash Object)

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://ceridian.webex.com/client/T25L/webex/ieatgpc.cab (GpcContainer Class)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.7 192.168.1.6

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = USPaint.com

O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - Reg Error: Key error. File not found

O18 - Protocol\Handler\myrm {4D034FC3-013F-4b95-B544-44D49ABE3E76} - C:\Program Files\McAfee\Managed VirusScan\Agent\MyRmProt5.0.0.604.dll File not found

O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - Reg Error: Key error. File not found

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\GoToMyPC: DllName - G2WinLogon.dll - C:\WINDOWS\System32\G2WinLogon.dll (Citrix Online)

O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)

O30 - LSA: Security Packages - (settings...) - File not found

O30 - LSA: Security Packages - (kages settings...) - File not found

O30 - LSA: Security Packages - ® - File not found

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2006/04/25 14:22:43 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O32 - AutoRun File - [2004/03/18 12:21:14 | 000,000,000 | ---D | M] - P:\Automotive -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = ComFile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 60 Days ==========

[2010/06/07 10:19:11 | 000,571,904 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\kkrebeck\Desktop\OTL.exe

[2010/06/07 08:39:06 | 000,000,000 | ---D | C] -- C:\Program Files\ESET

[2010/06/04 16:34:26 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp

[2010/06/04 16:08:16 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe

[2010/06/04 16:08:16 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe

[2010/06/04 16:08:16 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe

[2010/06/04 16:08:16 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe

[2010/06/04 16:07:14 | 000,000,000 | ---D | C] -- C:\Qoobox

[2010/06/04 15:27:40 | 000,000,000 | ---D | C] -- C:\Combo-Fix

[2010/06/04 11:06:56 | 000,000,000 | RHSD | C] -- C:\cmdcons

[2010/06/04 11:04:20 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT

[2010/06/03 14:06:30 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2010/06/03 14:06:22 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2010/06/03 12:14:14 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 60 Days ==========

[2010/06/07 09:48:33 | 000,002,521 | ---- | M] () -- C:\Documents and Settings\kkrebeck\Desktop\Microsoft Office Outlook 2003 (2).lnk

[2010/06/07 09:48:26 | 000,001,366 | ---- | M] () -- C:\WINDOWS\Flx.ini

[2010/06/07 08:02:16 | 000,002,048 | ---- | M] () -- C:\WINDOWS\MKDEWE.TRN

[2010/06/07 07:42:23 | 000,000,656 | ---- | M] () -- C:\WINDOWS\win.ini

[2010/06/07 07:40:48 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/06/07 07:37:14 | 000,000,000 | ---- | M] () -- C:\WINDOWS\TempFile

[2010/06/07 07:37:13 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2010/06/07 07:37:11 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/06/04 16:38:34 | 003,407,872 | -H-- | M] () -- C:\Documents and Settings\kkrebeck\NTUSER.DAT

[2010/06/04 16:38:34 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\kkrebeck\ntuser.ini

[2010/06/04 16:30:04 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini

[2010/06/04 16:29:57 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts

[2010/06/04 16:07:35 | 003,702,826 | R--- | M] () -- C:\Documents and Settings\kkrebeck\Desktop\Combo-Fix.exe

[2010/06/04 14:32:32 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\kkrebeck\Desktop\Defogger.exe

[2010/06/04 11:13:27 | 000,006,456 | -H-- | M] () -- C:\WINDOWS\System32\tajahida

[2010/06/04 11:07:01 | 000,000,281 | RHS- | M] () -- C:\boot.ini

[2010/06/04 09:53:11 | 000,509,574 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI

[2010/06/04 09:53:11 | 000,435,260 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2010/06/04 09:53:11 | 000,068,156 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2010/06/04 09:52:38 | 000,000,601 | ---- | M] () -- C:\WINDOWS\ODBC.INI

[2010/06/04 08:44:22 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\kkrebeck\Desktop\OTL.exe

[2010/06/03 14:06:33 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2010/06/03 13:06:12 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\kkrebeck\Desktop\dds.scr

[2010/05/20 10:32:53 | 000,064,751 | ---- | M] () -- C:\Documents and Settings\kkrebeck\Desktop\Georgia notice.pdf

[2010/05/13 09:35:06 | 000,068,938 | ---- | M] () -- C:\Documents and Settings\kkrebeck\Desktop\5-13-10 Cobra form.pdf

[2010/05/12 08:15:55 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2010/04/29 10:50:43 | 000,069,357 | ---- | M] () -- C:\Documents and Settings\kkrebeck\Desktop\4-29-10 Cobra Subsidy Form.pdf

[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe

[2010/04/12 10:45:58 | 000,060,426 | ---- | M] () -- C:\Documents and Settings\kkrebeck\Desktop\D2XCHANGE FORM.pdf

[2010/04/09 13:32:18 | 000,157,669 | ---- | M] () -- C:\Documents and Settings\kkrebeck\Desktop\Ceridian qtrly SUI forms.pdf

[2010/04/08 10:39:19 | 000,291,943 | ---- | M] () -- C:\Documents and Settings\kkrebeck\Desktop\Munroe Handling.pdf

[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/04 16:08:16 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe

[2010/06/04 16:08:16 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe

[2010/06/04 16:08:16 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe

[2010/06/04 16:08:16 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe

[2010/06/04 16:08:16 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe

[2010/06/04 16:06:34 | 003,702,826 | R--- | C] () -- C:\Documents and Settings\kkrebeck\Desktop\Combo-Fix.exe

[2010/06/04 14:32:25 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\kkrebeck\Desktop\Defogger.exe

[2010/06/04 11:07:01 | 000,000,211 | ---- | C] () -- C:\Boot.bak

[2010/06/04 11:06:57 | 000,260,272 | ---- | C] () -- C:\cmldr

[2010/06/03 14:06:33 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2010/06/03 13:06:05 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\kkrebeck\Desktop\dds.scr

[2010/05/20 10:32:53 | 000,064,751 | ---- | C] () -- C:\Documents and Settings\kkrebeck\Desktop\Georgia notice.pdf

[2010/05/13 09:35:06 | 000,068,938 | ---- | C] () -- C:\Documents and Settings\kkrebeck\Desktop\5-13-10 Cobra form.pdf

[2010/04/29 10:50:43 | 000,069,357 | ---- | C] () -- C:\Documents and Settings\kkrebeck\Desktop\4-29-10 Cobra Subsidy Form.pdf

[2010/04/12 10:45:58 | 000,060,426 | ---- | C] () -- C:\Documents and Settings\kkrebeck\Desktop\D2XCHANGE FORM.pdf

[2010/04/09 13:32:18 | 000,157,669 | ---- | C] () -- C:\Documents and Settings\kkrebeck\Desktop\Ceridian qtrly SUI forms.pdf

[2010/04/08 10:39:19 | 000,291,943 | ---- | C] () -- C:\Documents and Settings\kkrebeck\Desktop\Munroe Handling.pdf

[2007/06/14 09:44:03 | 000,051,304 | ---- | C] () -- C:\WINDOWS\System32\drivers\atnt40k.sys

[2006/05/19 14:57:51 | 000,007,168 | ---- | C] () -- C:\WINDOWS\System32\DTCTRACE.DLL

[2006/05/19 14:57:36 | 000,001,366 | ---- | C] () -- C:\WINDOWS\Flx.ini

[2006/05/09 13:13:53 | 000,000,383 | ---- | C] () -- C:\WINDOWS\System32\haspdos.sys

[2006/05/02 08:30:24 | 000,000,785 | ---- | C] () -- C:\WINDOWS\alchemy.ini

[2006/05/01 11:00:08 | 000,320,000 | ---- | C] () -- C:\WINDOWS\System32\VBTBrowser.dll

[2006/04/26 09:31:10 | 000,094,274 | ---- | C] () -- C:\WINDOWS\System32\HPBHealr.dll

[2006/04/25 15:23:36 | 000,000,251 | ---- | C] () -- C:\WINDOWS\System32\drivers\hlldrvr.sys

[2006/04/25 15:23:11 | 000,199,952 | ---- | C] () -- C:\WINDOWS\System32\cwbrw.dll

[2006/04/25 15:23:11 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\ldap.dll

[2006/04/25 15:23:11 | 000,007,440 | ---- | C] () -- C:\WINDOWS\System32\cwbwiz.dll

[2006/04/25 15:20:02 | 000,000,601 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

[2001/12/08 20:46:14 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini

[2001/08/31 15:33:58 | 000,425,984 | ---- | C] () -- C:\WINDOWS\System32\VxDMDcDlg.dll

[1999/11/04 10:15:24 | 000,000,928 | ---- | C] () -- C:\WINDOWS\bti.ini

[1999/01/22 18:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

< End of report >


Please run the following fix and after a reboot, let me know if the error messages still come up. If so, can you please list the exact content of each message?

OTL FIX

------------

We need to run an OTL Fix

  1. Please reopen OTL on your desktop.
  2. Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word "Code"
    :OTL
    O15 - HKLM\..Trusted Domains: //about.htm/ ([]myui in Trusted sites)
    O15 - HKLM\..Trusted Domains: //Exclude.htm/ ([]myui in Trusted sites)
    O15 - HKLM\..Trusted Domains: //FWEvent.htm/ ([]myui in Trusted sites)
    O15 - HKLM\..Trusted Domains: //LanguageSelection.htm/ ([]myui in Trusted sites)
    O15 - HKLM\..Trusted Domains: //Message.htm/ ([]myui in Trusted sites)
    O15 - HKLM\..Trusted Domains: //MyAgttryCmd.htm/ ([]myui in Trusted sites)
    O15 - HKLM\..Trusted Domains: //MyAgttryNag.htm/ ([]myui in Trusted sites)
    O15 - HKLM\..Trusted Domains: //MyNotification.htm/ ([]myui in Trusted sites)
    O15 - HKLM\..Trusted Domains: //NOCLessUpdate.htm/ ([]myui in Trusted sites)
    O15 - HKLM\..Trusted Domains: //quarantine.htm/ ([]myui in Trusted sites)
    O15 - HKLM\..Trusted Domains: //ScanNow.htm/ ([]myui in Trusted sites)
    O15 - HKLM\..Trusted Domains: //strings.vbs/ ([]myui in Trusted sites)
    O15 - HKLM\..Trusted Domains: //Template.htm/ ([]myui in Trusted sites)
    O15 - HKLM\..Trusted Domains: //Update.htm/ ([]myui in Trusted sites)
    O15 - HKLM\..Trusted Domains: //VirFound.htm/ ([]myui in Trusted sites)
    O15 - HKLM\..Trusted Domains: mcafee.com ([*] http in Trusted sites)
    O15 - HKLM\..Trusted Domains: mcafee.com ([*] https in Trusted sites)
    O15 - HKLM\..Trusted Domains: mcafeeasap.com ([betavscan] http in Trusted sites)
    O15 - HKLM\..Trusted Domains: mcafeeasap.com ([betavscan] https in Trusted sites)
    O15 - HKLM\..Trusted Domains: mcafeeasap.com ([vs] http in Trusted sites)
    O15 - HKLM\..Trusted Domains: mcafeeasap.com ([vs] https in Trusted sites)
    O15 - HKLM\..Trusted Domains: mcafeeasap.com ([www] http in Trusted sites)
    O15 - HKLM\..Trusted Domains: mcafeeasap.com ([www] https in Trusted sites)
    O15 - HKLM\..Trusted Domains: siteadvisor.com ([www] http in Trusted sites)
    O15 - HKLM\..Trusted Domains: siteadvisor.com ([www] https in Trusted sites)
    O30 - LSA: Security Packages - (settings...) - File not found
    O30 - LSA: Security Packages - (kages settings...) - File not found
    O30 - LSA: Security Packages -

Holy Cats! When it asked to reboot, I said yes. Now I cannot log on to the machine, even in safe mode. It says "network not available", or if I try to log on to the machine name it says "workstation502 not available".

Sending this reply from my machine.


Ouch, that was not what we intended ;)

Luckily we have a registry backup, so let's use that. First of all, did you try Last Known Good Configuration (tap F8 on boot up)?

If that doesn't work either, we'll use the registry backup from the Recovery Console.


Elise, Last known configuration worked. Here is the file:

All processes killed

========== OTL ==========

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\//about.htm/\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\//Exclude.htm/\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\//FWEvent.htm/\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\//LanguageSelection.htm/\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\//Message.htm/\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\//MyAgttryCmd.htm/\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\//MyAgttryNag.htm/\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\//MyNotification.htm/\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\//NOCLessUpdate.htm/\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\//quarantine.htm/\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\//ScanNow.htm/\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\//strings.vbs/\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\//Template.htm/\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\//Update.htm/\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\//VirFound.htm/\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mcafee.com\*\ deleted successfully.

Invalid CLSID key: *

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mcafee.com\*\ not found.

Invalid CLSID key: *

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mcafeeasap.com\betavscan\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mcafeeasap.com\betavscan\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mcafeeasap.com\vs\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mcafeeasap.com\vs\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mcafeeasap.com\www\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mcafeeasap.com\www\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\siteadvisor.com\www\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\siteadvisor.com\www\ not found.

Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Security Packages:settings... deleted successfully.

Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Security Packages:kages settings... deleted successfully.

Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Security Packages deleted successfully.

========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: Administrator.USPAINT

->Temp folder emptied: 570945 bytes

->Temporary Internet Files folder emptied: 8074147 bytes

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: kkrebeck

->Temp folder emptied: 36318760 bytes

->Temporary Internet Files folder emptied: 52945177 bytes

->Flash cache emptied: 365165 bytes

User: LocalService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 32902 bytes

User: McAfeeMVSUser

->Temp folder emptied: 49600 bytes

->Temporary Internet Files folder emptied: 801294 bytes

User: McAfeeMVSUser.WORKSTATION502

->Temp folder emptied: 49632 bytes

->Temporary Internet Files folder emptied: 104198 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 2162283 bytes

%systemroot%\System32 .tmp files removed: 3594257 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 483 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 32902 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 100.00 mb

OTL by OldTimer - Version 3.2.5.3 log created on 06072010_111204

Files\Folders moved on Reboot...

File\Folder C:\Documents and Settings\kkrebeck\Local Settings\Temp\~DF560D.tmp not found!

File\Folder C:\Documents and Settings\kkrebeck\Local Settings\Temp\~DF5618.tmp not found!

C:\Documents and Settings\kkrebeck\Local Settings\Temporary Internet Files\Content.IE5\WAK0Z2YR\index[4].htm moved successfully.

C:\Documents and Settings\kkrebeck\Local Settings\Temporary Internet Files\Content.IE5\4S3YNNCH\iframe[2].htm moved successfully.

C:\Documents and Settings\kkrebeck\Local Settings\Temporary Internet Files\Content.IE5\4S3YNNCH\index[5].htm moved successfully.

C:\Documents and Settings\kkrebeck\Local Settings\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat moved successfully.

Registry entries deleted on Reboot...
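The O30 lines earlier in the fix list three malformed entries in the LSA "Security Packages" value, OTL deleted the whole value, and the next reboot left the machine unable to log on until Last Known Good Configuration restored the registry. As an added example that is not part of this thread or of OTL, the PowerShell below is a read-only check of that value: it lists each package name and whether the SSP DLL it names exists in System32 and carries a valid signature, so an odd entry can be judged on its own before anything is removed. It assumes the standard layout of one DLL base name per entry.

```powershell
# Added example (not from the thread or from OTL): read-only audit of the LSA
# "Security Packages" multi-string value that the O30 entries refer to.
# Each entry is normally the base name of an SSP DLL in System32 (e.g. kerberos, msv1_0).
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$packages = (Get-ItemProperty -Path $lsaKey -Name 'Security Packages' -ErrorAction SilentlyContinue).'Security Packages'

if (-not $packages) {
    Write-Output "Security Packages value is absent or empty on this system."
    return
}

foreach ($pkg in $packages) {
    $name = $pkg.Trim()
    # An empty string entry ("") is normal on some Windows versions; skip it.
    if ($name -eq '' -or $name -eq '""') { continue }

    $dll = Join-Path $env:SystemRoot "System32\$name.dll"
    if (Test-Path $dll) {
        $status = 'present'
        $sig    = (Get-AuthenticodeSignature -FilePath $dll).Status
    } else {
        # Matches the "File not found" OTL reported for the entries in this thread.
        $status = 'FILE NOT FOUND'
        $sig    = 'n/a'
    }
    '{0,-30} {1,-16} signature: {2}' -f $name, $status, $sig
}
```

Run it from an elevated PowerShell prompt; it only reads the registry and file system and changes nothing.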

