Trojan Horse Cryptic.Z win32/nuqel.E AntiVirus Soft Infection-Can't run program


Post by ToneLoc8234 on 10th March 2010, 3:32 am

I am having the same problem as KyleNeedsHelp; however, mine may be more severe. I cannot open any programs, including IE or even msconfig. I have to operate in safe mode to be able to do anything. Upon trying to open a program, I receive the message "Application cannot be executed. The file (varies).exe is infected. Do you want to activate your antivirus software now?" I am accessing GeekPolice through my laptop. I was able to save OTL to a memory stick and run it on my PC while in safe mode.

Below is the OTL.txt file.

OTL logfile created on: 3/9/2010 9:22:47 PM - Run 1
OTL by OldTimer - Version 3.1.35.0 Folder = E:\
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: enu | Date Format: M/d/yyyy

510.00 Mb Total Physical Memory | 273.00 Mb Available Physical Memory | 53.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 96.00% Paging File free
Paging file location(s): C:\pagefile.sys 4000 4096 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.25 Gb Total Space | 20.09 Gb Free Space | 53.95% Space Free | Partition Type: FAT32
Drive D: | 37.27 Gb Total Space | 22.00 Gb Free Space | 59.04% Space Free | Partition Type: NTFS
Drive E: | 3.77 Gb Total Space | 2.42 Gb Free Space | 64.16% Space Free | Partition Type: FAT32
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: AJHOFFM-DIALUP
Current User Name: ajhoffm
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/03/09 20:57:28 | 000,554,496 | ---- | M] (OldTimer Tools) -- E:\OTL.exe
PRC - [2009/08/06 21:10:34 | 000,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2008/04/13 19:12:28 | 000,169,984 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\msconfig.exe
PRC - [2008/04/13 19:12:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/03/15 18:16:42 | 000,454,784 | ---- | M] (Linksys, a Division of Cisco Systems, Inc.) -- C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
PRC - [2005/08/12 17:37:50 | 001,504,256 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe


========== Modules (SafeList) ==========

MOD - [2010/03/09 20:57:28 | 000,554,496 | ---- | M] (OldTimer Tools) -- E:\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (iPod Service)
SRV - File not found [Disabled | Stopped] -- -- (EPSONStatusAgent2)
SRV - File not found [Disabled | Stopped] -- -- (EpsonBidirectionalService)
SRV - [2005/08/12 17:37:50 | 001,504,256 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2003/03/09 21:31:02 | 000,065,795 | ---- | M] (HP) [On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - [2008/06/20 06:08:28 | 000,225,856 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\tcpip6.sys -- (Tcpip6)
DRV - [2008/04/13 13:45:30 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\gameenum.sys -- (gameenum)
DRV - [2007/12/10 22:41:04 | 000,102,664 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys -- (tmcomm)
DRV - [2007/03/22 12:57:14 | 000,028,672 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\elagopro.sys -- (elagopro)
DRV - [2007/03/22 12:57:14 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\elaunidr.sys -- (elaunidr)
DRV - [2007/02/26 22:53:52 | 000,044,288 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2005/08/12 17:35:56 | 000,305,739 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2005/07/25 20:35:26 | 000,008,413 | ---- | M] (RealNetworks, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\mcstrm.sys -- (MCSTRM)
DRV - [2005/05/17 04:51:34 | 000,005,315 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\CVirtA.sys -- (CVirtA)
DRV - [2005/01/26 05:22:20 | 000,280,344 | ---- | M] (Zone Labs LLC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\vsdatant.sys -- (vsdatant)
DRV - [2004/10/27 13:32:02 | 000,146,888 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\dne2000.sys -- (DNE)
DRV - [2004/08/25 00:28:46 | 000,787,456 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ati2mtag.sys -- (ati2mtag)
DRV - [2004/08/04 00:29:50 | 000,019,455 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wVchNTxx.sys -- (iAimFP4)
DRV - [2004/08/04 00:29:48 | 000,012,063 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wSiINTxx.sys -- (iAimFP3)
DRV - [2004/08/04 00:29:46 | 000,025,471 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv10nt.sys -- (iAimTV5)
DRV - [2004/08/04 00:29:46 | 000,023,615 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wCh7xxNT.sys -- (iAimTV4)
DRV - [2004/08/04 00:29:44 | 000,033,599 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wATV04nt.sys -- (iAimTV3)
DRV - [2004/08/04 00:29:44 | 000,022,271 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv06nt.sys -- (iAimTV6)
DRV - [2004/08/04 00:29:42 | 000,029,311 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wATV01nt.sys -- (iAimTV0)
DRV - [2004/08/04 00:29:42 | 000,019,551 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wATV02NT.sys -- (iAimTV1)
DRV - [2004/08/04 00:29:40 | 000,011,871 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv09nt.sys -- (iAimFP7)
DRV - [2004/08/04 00:29:40 | 000,011,295 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv08nt.sys -- (iAimFP6)
DRV - [2004/08/04 00:29:38 | 000,012,415 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wADV01nt.sys -- (iAimFP0)
DRV - [2004/08/04 00:29:38 | 000,012,127 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wADV02NT.sys -- (iAimFP1)
DRV - [2004/08/04 00:29:38 | 000,011,807 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv07nt.sys -- (iAimFP5)
DRV - [2004/08/04 00:29:38 | 000,011,775 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wADV05NT.sys -- (iAimFP2)
DRV - [2004/08/04 00:29:36 | 000,161,020 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\i81xnt5.sys -- (i81x)
DRV - [2004/04/13 20:14:12 | 000,070,144 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\Rtlnicxp.sys -- (RTL8023xp)
DRV - [2004/03/12 00:33:54 | 000,606,684 | ---- | M] (LT) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ltmdmnt.sys -- (ltmodem5)
DRV - [2004/03/11 23:43:50 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\rtl8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2003/10/07 10:42:40 | 000,067,200 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\Rtlnic51.sys -- (RTL8023)
DRV - [2003/04/02 18:54:16 | 000,020,648 | R--- | M] (Thomson Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\netrcacm.sys -- (netrcacm)
DRV - [2003/01/13 10:19:26 | 000,249,344 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\Cdudf_xp.sys -- (cdudf_xp)
DRV - [2003/01/13 10:19:26 | 000,206,464 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\UdfReadr_xp.sys -- (UdfReadr_xp)
DRV - [2003/01/13 10:19:26 | 000,118,422 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\pwd_2K.sys -- (pwd_2k)
DRV - [2003/01/13 10:19:26 | 000,024,839 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\cdralw2k.sys -- (Cdralw2k)
DRV - [2003/01/13 10:19:26 | 000,022,758 | ---- | M] (Roxio) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\Mmc_2k.sys -- (mmc_2K)
DRV - [2003/01/13 10:19:26 | 000,021,654 | ---- | M] (Roxio) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\Dvd_2k.sys -- (dvd_2K)
DRV - [2001/08/17 14:00:04 | 000,002,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\msmpu401.sys -- (ms_mpu401)
DRV - [2001/08/17 12:20:04 | 000,096,256 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ac97intc.sys -- (ac97intc) Intel(r) 82801 Audio Driver Install Service (WDM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = [You must be registered and logged in to see this link.]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = [You must be registered and logged in to see this link.]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" =
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555



O1 HOSTS File: ([2005/07/27 01:19:46 | 000,000,736 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll (Microsoft Corporation)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\ShellBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe (Microsoft Corporation)
O4 - HKLM..\Run: [SystemTray] C:\WINDOWS\System32\systray.exe (Microsoft Corporation)
O4 - HKCU..\Run: [EasyLinkAdvisor] C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe (Linksys, a Division of Cisco Systems, Inc.)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 91 00 00 00 [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = [binary data]
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
O9 - Extra Button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\SYSTEM32\nwprovau.dll (Microsoft Corporation)
O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} [You must be registered and logged in to see this link.] (Microsoft Office Template and Media Control)
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} [You must be registered and logged in to see this link.] (Microsoft Data Collection Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} [You must be registered and logged in to see this link.] (Windows Genuine Advantage Validation Tool)
O16 - DPF: {32564D57-0000-0010-8000-00AA00389B71} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {32564D57-9980-0010-8000-00AA00389B71} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} [You must be registered and logged in to see this link.] (InstallShield Setup Player 2K2)
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} [You must be registered and logged in to see this link.] (DeviceEnum Class)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} [You must be registered and logged in to see this link.] (BDSCANONLINE Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} [You must be registered and logged in to see this link.] (WUWebControl Class)
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} [You must be registered and logged in to see this link.] (HpProductDetection Class)
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} [You must be registered and logged in to see this link.] (Housecall ActiveX 6.5)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} [You must be registered and logged in to see this link.] (HP Download Manager)
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_07)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} [You must be registered and logged in to see this link.] (Get_ActiveX Control)
O16 - DPF: {CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.3.1_04)
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.5.0_04)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.5.0_09)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_07)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} [You must be registered and logged in to see this link.] (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: DirectAnimation Java Classes [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java Reg Error: Value error. (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.72.134 68.87.77.134
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll ()
O20 - Winlogon\Notify\awtrRIAs: DllName - awtrRIAs.dll - File not found
O24 - Desktop WallPaper: C:\Documents and Settings\ajhoffm\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\ajhoffm\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {28D0EF2B-41FF-4E45-AB90-398BC0428896} - Reg Error: Key error. File not found
O28 - HKLM ShellExecuteHooks: {EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2003/10/11 16:18:42 | 000,000,194 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2003/10/11 16:18:42 | 000,000,194 | -HS- | M] () - C:\AUTOEXEC.BAK -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/03/09 20:27:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ajhoffm\Application Data\AVG8
[2010/03/09 20:21:59 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\ajhoffm\Recent
[2010/03/06 08:50:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ajhoffm\Application Data\ubxdiu
[2010/03/04 20:36:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Adobe Systems
[2010/03/04 20:35:12 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe Systems Shared
[2010/03/04 20:25:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\Adobe PDF
[2010/02/23 19:31:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\McAfee
[2010/02/15 19:29:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9 Installer
[2010/02/15 19:29:09 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2010/02/15 19:27:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2007/11/15 11:22:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2007/11/14 09:09:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Google
[2007/10/06 10:41:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Apple
[2005/12/23 02:18:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Symantec
[2005/07/30 10:54:05 | 000,151,552 | R--- | C] ( ) -- C:\WINDOWS\System32\ATIDEMGR.dll
[2003/10/11 16:53:32 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2003/10/11 16:53:32 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[9 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\System\*.tmp files -> C:\WINDOWS\System\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/03/09 21:08:50 | 000,000,360 | ---- | M] () -- C:\WINDOWS\tasks\PCHealth Scheduler for Data Collection.job
[2010/03/09 21:08:02 | 000,000,258 | ---- | M] () -- C:\WINDOWS\tasks\Uninstall Expiration Reminder.job
[2010/03/09 21:06:04 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/03/09 20:48:02 | 000,432,412 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/09 20:48:02 | 000,374,982 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/09 20:48:02 | 000,051,258 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/09 20:44:40 | 000,013,002 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/09 20:43:40 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/03/09 20:43:34 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/09 20:43:28 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/09 20:43:26 | 535,351,296 | -HS- | M] () -- C:\hiberfil.sys
[2010/03/09 20:42:40 | 007,602,176 | ---- | M] () -- C:\Documents and Settings\ajhoffm\ntuser.dat
[2010/03/09 20:42:40 | 000,000,248 | -HS- | M] () -- C:\Documents and Settings\ajhoffm\ntuser.ini
[2010/03/09 20:42:34 | 000,003,040 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/03/09 20:42:34 | 000,001,124 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/03/09 20:42:34 | 000,000,213 | -HS- | M] () -- C:\boot.ini
[2010/03/08 20:02:04 | 000,000,904 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1993962763-2147065759-1202660629-1004Core1cab7502c58a3a0.job
[2010/03/06 18:07:50 | 000,071,320 | ---- | M] () -- C:\Documents and Settings\ajhoffm\Application Data\GDIPFONTCACHEV1.DAT
[2010/03/06 16:59:32 | 000,001,649 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Acrobat 7.0 Professional.lnk
[2010/03/06 16:54:06 | 000,255,064 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/03/06 09:00:02 | 000,000,502 | ---- | M] () -- C:\WINDOWS\tasks\Tune-up Application Start.job
[2010/03/04 21:04:14 | 000,001,644 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/02/28 16:54:28 | 000,000,522 | ---- | M] () -- C:\hpfr3420.xml
[2010/02/15 17:59:36 | 000,002,050 | ---- | M] () -- C:\Documents and Settings\ajhoffm\Desktop\Google Chrome.lnk
[9 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\System\*.tmp files -> C:\WINDOWS\System\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/03/09 20:19:05 | 535,351,296 | -HS- | C] () -- C:\hiberfil.sys
[2010/03/04 20:27:44 | 000,001,649 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Acrobat 7.0 Professional.lnk
[2010/02/26 19:57:10 | 000,000,904 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1993962763-2147065759-1202660629-1004Core1cab7502c58a3a0.job
[2010/02/15 19:52:33 | 000,000,886 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/02/15 19:52:31 | 000,000,882 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/02/15 19:40:54 | 000,001,644 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2008/09/25 15:58:38 | 000,952,683 | -HS- | C] () -- C:\WINDOWS\System32\pxlatxiv.ini
[2008/09/24 15:54:55 | 000,952,434 | -HS- | C] () -- C:\WINDOWS\System32\wikesjli.ini
[2008/09/22 15:06:23 | 000,942,793 | -HS- | C] () -- C:\WINDOWS\System32\rikvdlmp.ini
[2008/09/21 15:02:37 | 000,169,937 | -HS- | C] () -- C:\WINDOWS\System32\cnoebewq.ini
[2008/09/20 14:58:17 | 000,169,757 | -HS- | C] () -- C:\WINDOWS\System32\uahrcpdh.ini
[2007/08/22 22:19:42 | 000,001,755 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/08/15 11:08:47 | 000,000,684 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2006/06/20 20:40:08 | 000,000,029 | ---- | C] () -- C:\WINDOWS\atid.ini
[2006/04/21 21:38:02 | 000,181,176 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
[2006/01/20 20:14:24 | 000,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2006/01/20 20:14:24 | 000,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2006/01/20 20:14:24 | 000,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll
[2005/11/16 21:03:50 | 000,000,170 | ---- | C] () -- C:\WINDOWS\GetServer.ini
[2005/07/29 23:36:38 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2005/07/04 23:40:51 | 000,189,440 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2005/05/03 11:44:44 | 000,025,157 | ---- | C] () -- C:\WINDOWS\RMAgentOutput.dll
[2005/05/03 11:43:44 | 000,126,976 | ---- | C] () -- C:\WINDOWS\dllTSCLIBMT.dll
[2005/03/03 16:16:42 | 000,000,256 | ---- | C] () -- C:\WINDOWS\aucfg.ini
[2005/03/01 15:30:20 | 000,000,453 | ---- | C] () -- C:\WINDOWS\bdoscandellang.ini
[2005/01/09 00:22:47 | 000,000,098 | ---- | C] () -- C:\WINDOWS\TaxACT04.ini
[2004/10/01 17:33:46 | 000,000,680 | ---- | C] () -- C:\WINDOWS\TSC.ini
[2004/08/25 00:27:00 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.dll
[2004/05/30 12:15:50 | 000,000,047 | ---- | C] () -- C:\WINDOWS\InoSetup.ini
[2004/05/29 09:12:39 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/05/10 23:19:21 | 000,000,024 | ---- | C] () -- C:\WINDOWS\System32\sysmwwod.dll
[2004/05/10 23:15:16 | 000,233,472 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2004/01/12 22:04:47 | 000,000,035 | ---- | C] () -- C:\WINDOWS\A5W.INI
[2003/12/02 12:57:02 | 000,000,029 | ---- | C] () -- C:\WINDOWS\DEBUGSM.INI
[2003/11/28 09:41:43 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\EEBAPI.dll
[2003/11/28 09:41:43 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\EEBDSCVR.dll
[2003/11/28 09:41:43 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\EBAPI.dll
[2003/11/28 09:36:25 | 000,000,171 | ---- | C] () -- C:\WINDOWS\EPSON CX3200 Installer.ini
[2003/11/24 01:39:02 | 000,000,000 | ---- | C] () -- C:\WINDOWS\MOTO.INI
[2003/11/10 12:59:53 | 000,000,472 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2003/10/24 06:32:06 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PROTOCOL.INI
[2003/10/13 10:02:02 | 000,060,416 | ---- | C] () -- C:\Documents and Settings\ajhoffm\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2003/10/11 17:10:47 | 000,012,783 | ---- | C] () -- C:\WINDOWS\IOS.INI
[2003/10/11 17:10:47 | 000,007,885 | ---- | C] () -- C:\WINDOWS\NETDET.INI
[2003/10/11 17:10:47 | 000,003,449 | ---- | C] () -- C:\WINDOWS\Hpmmkbd.ini
[2003/10/11 17:10:47 | 000,001,400 | ---- | C] () -- C:\WINDOWS\PSTUDIO.INI
[2003/10/11 17:10:47 | 000,001,396 | ---- | C] () -- C:\WINDOWS\CDPLAYER.INI
[2003/10/11 17:10:47 | 000,001,065 | ---- | C] () -- C:\WINDOWS\WINAMP.INI
[2003/10/11 17:10:47 | 000,001,019 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2003/10/11 17:10:47 | 000,000,877 | ---- | C] () -- C:\WINDOWS\MRUN32.INI
[2003/10/11 17:10:47 | 000,000,816 | ---- | C] () -- C:\WINDOWS\LEXSTAT.INI
[2003/10/11 17:10:47 | 000,000,809 | ---- | C] () -- C:\WINDOWS\ChemDraw.ini
[2003/10/11 17:10:47 | 000,000,787 | ---- | C] () -- C:\WINDOWS\SCANREG.INI
[2003/10/11 17:10:47 | 000,000,630 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2003/10/11 17:10:47 | 000,000,390 | ---- | C] () -- C:\WINDOWS\EPSPMGR4.INI
[2003/10/11 17:10:47 | 000,000,285 | ---- | C] () -- C:\WINDOWS\Mmkeybd.ini
[2003/10/11 17:10:47 | 000,000,226 | ---- | C] () -- C:\WINDOWS\MSIOSD.INI
[2003/10/11 17:10:47 | 000,000,225 | ---- | C] () -- C:\WINDOWS\TELEPHON.INI
[2003/10/11 17:10:47 | 000,000,220 | ---- | C] () -- C:\WINDOWS\ADMC800.INI
[2003/10/11 17:10:47 | 000,000,162 | ---- | C] () -- C:\WINDOWS\KPCMS.INI
[2003/10/11 17:10:47 | 000,000,151 | ---- | C] () -- C:\WINDOWS\NPC3DN.INI
[2003/10/11 17:10:47 | 000,000,150 | ---- | C] () -- C:\WINDOWS\PHOTOPRN.INI
[2003/10/11 17:10:47 | 000,000,128 | ---- | C] () -- C:\WINDOWS\EPCONFIG.INI
[2003/10/11 17:10:47 | 000,000,118 | ---- | C] () -- C:\WINDOWS\GFSCORE.INI
[2003/10/11 17:10:47 | 000,000,061 | ---- | C] () -- C:\WINDOWS\AVIEWER.INI
[2003/10/11 17:10:47 | 000,000,060 | ---- | C] () -- C:\WINDOWS\POWERPNT.INI
[2003/10/11 17:10:47 | 000,000,050 | ---- | C] () -- C:\WINDOWS\FANTASY2.INI
[2003/10/11 17:10:47 | 000,000,032 | ---- | C] () -- C:\WINDOWS\SOL.INI
[2003/10/11 17:10:47 | 000,000,030 | ---- | C] () -- C:\WINDOWS\MAIN.INI
[2003/10/11 17:10:47 | 000,000,028 | ---- | C] () -- C:\WINDOWS\QTW.INI
[2003/10/11 17:10:47 | 000,000,026 | ---- | C] () -- C:\WINDOWS\MSOFFICE.INI
[2003/10/11 17:10:47 | 000,000,026 | ---- | C] () -- C:\WINDOWS\Epsonpp.ini
[2003/10/11 17:10:47 | 000,000,011 | ---- | C] () -- C:\WINDOWS\OSA.INI
[2003/10/11 17:10:47 | 000,000,000 | ---- | C] () -- C:\WINDOWS\SPECCHECK.INI
[2003/10/11 17:10:47 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PROGMAN.INI
[2003/10/11 17:10:47 | 000,000,000 | ---- | C] () -- C:\WINDOWS\NETSCAPE.INI
[2003/10/11 17:10:46 | 000,005,068 | ---- | C] () -- C:\WINDOWS\DELETEFI.INI
[2003/10/11 17:10:46 | 000,003,598 | ---- | C] () -- C:\WINDOWS\HTMLHELP.INI
[2003/10/11 17:10:46 | 000,000,054 | ---- | C] () -- C:\WINDOWS\WAVEMIX.INI
[2003/03/28 11:22:00 | 000,000,000 | ---- | C] () -- C:\Program Files\Settings.ini
[2003/03/09 21:31:04 | 000,561,152 | ---- | C] () -- C:\WINDOWS\System32\hpotscl.dll
[2003/02/17 00:23:23 | 000,217,088 | ---- | C] () -- C:\WINDOWS\System32\libmySQL.dll
[2003/02/17 00:23:23 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\TrackerNET.dll
[2003/01/13 14:21:58 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\cpuinf32.dll
[2002/09/08 18:51:35 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\MSVCRT10.DLL
[2002/08/24 11:15:55 | 000,073,839 | ---- | C] () -- C:\WINDOWS\System32\KodakOneTouch.dll
[2002/07/04 15:05:34 | 000,000,269 | ---- | C] () -- C:\WINDOWS\tmupdate.ini
[2002/01/14 22:36:28 | 000,172,032 | ---- | C] () -- C:\WINDOWS\System32\MP2enc.dll
[2001/12/22 20:12:08 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\VIEWDVI.DLL
[2001/12/14 13:34:46 | 000,164,864 | ---- | C] () -- C:\WINDOWS\patchw32.dll
[2001/08/16 19:10:36 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\EPASET32.DLL
[2000/11/01 15:51:20 | 000,023,357 | -H-- | C] () -- C:\Program Files\folder.htt
[2000/06/06 16:21:34 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\icmfilter.dll
[1999/07/23 13:46:48 | 000,000,116 | ---- | C] () -- C:\WINDOWS\AuHCcup1.ini
[1999/07/23 10:53:20 | 000,129,536 | ---- | C] () -- C:\WINDOWS\AuHCcup1.dll
[1999/05/21 21:10:00 | 000,115,200 | ---- | C] () -- C:\WINDOWS\System32\UnzDll.dll
[1999/01/22 18:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
[1998/01/12 08:00:00 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\REGOBJ.DLL
[1997/06/18 00:00:00 | 001,672,976 | ---- | C] () -- C:\WINDOWS\System32\MSO97V.DLL
[1997/06/18 00:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL
[1997/06/18 00:00:00 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\MSORFS.DLL
[1980/01/01 00:00:00 | 000,249,921 | ---- | C] () -- C:\WINDOWS\System32\PythonCOM15.dll
[1980/01/01 00:00:00 | 000,157,032 | ---- | C] () -- C:\WINDOWS\System32\TwnPRO20.dll
[1980/01/01 00:00:00 | 000,119,808 | ---- | C] () -- C:\WINDOWS\System32\MDMDVDIF.DLL
[1980/01/01 00:00:00 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\PCDRJNI.DLL
[1980/01/01 00:00:00 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\PyWinTypes15.dll
[1980/01/01 00:00:00 | 000,057,856 | ---- | C] () -- C:\WINDOWS\System32\TlxDlgUtil.dll
[1980/01/01 00:00:00 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\MSIKBDSP.DLL
[1980/01/01 00:00:00 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\MSIKBDMX.DLL
[1980/01/01 00:00:00 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\MSIKBDFR.DLL
[1980/01/01 00:00:00 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\MSIKBDFC.DLL
[1980/01/01 00:00:00 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\MSIKBDCT.DLL
[1980/01/01 00:00:00 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\MSIHRNSP.DLL
[1980/01/01 00:00:00 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\MSIHRNMX.DLL
[1980/01/01 00:00:00 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\MSIHRNFR.DLL
[1980/01/01 00:00:00 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\MSIHRNFC.DLL
[1980/01/01 00:00:00 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\MSIHRNCT.DLL
[1980/01/01 00:00:00 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\RDBIOS32.DLL
[1980/01/01 00:00:00 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\QUICK.DLL
[1980/01/01 00:00:00 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\URMCFG32.DLL
[1980/01/01 00:00:00 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\MSIOSD32.DLL
[1980/01/01 00:00:00 | 000,026,624 | ---- | C] () -- C:\WINDOWS\System32\I81X329X.DLL
[1980/01/01 00:00:00 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\URMCLN32.DLL
[1980/01/01 00:00:00 | 000,016,896 | ---- | C] () -- C:\WINDOWS\System32\BCBMM.DLL
[1980/01/01 00:00:00 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\IGFXDGPS.DLL
[1980/01/01 00:00:00 | 000,005,120 | ---- | C] () -- C:\WINDOWS\System32\HpSocEx.dll
[1980/01/01 00:00:00 | 000,001,646 | ---- | C] () -- C:\WINDOWS\MSDOS.SYS
< End of report >

Will post the Extras.txt file in another thread.

Thank you very much for the help!

ToneLoc8234
Novice

Posts : 21
Joined : 2010-03-10
OS : Windows XP
Points : 24973
# Likes : 0


Re: Trojan Horse Cryptic.Z win32/nuqel.E AntiVirus Soft Infection-Can't run program

Post by ToneLoc8234 on 10th March 2010, 3:32 am

OTL Extras logfile created on: 3/9/2010 9:22:48 PM - Run 1
OTL by OldTimer - Version 3.1.35.0 Folder = E:\
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: enu | Date Format: M/d/yyyy

510.00 Mb Total Physical Memory | 273.00 Mb Available Physical Memory | 53.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 96.00% Paging File free
Paging file location(s): C:\pagefile.sys 4000 4096 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.25 Gb Total Space | 20.09 Gb Free Space | 53.95% Space Free | Partition Type: FAT32
Drive D: | 37.27 Gb Total Space | 22.00 Gb Free Space | 59.04% Space Free | Partition Type: NTFS
Drive E: | 3.77 Gb Total Space | 2.42 Gb Free Space | 64.16% Space Free | Partition Type: FAT32
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: AJHOFFM-DIALUP
Current User Name: ajhoffm
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:NetBIOS Session Service
"445:TCP" = 445:TCP:*:Enabled:SMB over TCP
"137:UDP" = 137:UDP:*:Enabled:NetBIOS Name Service
"138:UDP" = 138:UDP:*:Enabled:NetBIOS Datagram Service
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Disabled:NetBIOS Session Service
"445:TCP" = 445:TCP:LocalSubNet:Disabled:SMB over TCP
"137:UDP" = 137:UDP:LocalSubNet:Disabled:NetBIOS Name Service
"138:UDP" = 138:UDP:LocalSubNet:Disabled:NetBIOS Datagram Service
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:SSDP
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:UPnP framework over TCP
"500:UDP" = 500:UDP:*:Enabled:VPN-500-UDP
"4500:UDP" = 4500:UDP:*:Enabled:VPN-4500-UDP
"10000:UDP" = 10000:UDP:*:Enabled:VPN-10000-UDP
"9420:TCP" = 9420:TCP:*:Enabled:RSP

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Diablo\diablo.exe" = C:\Diablo\diablo.exe:*:Enabled:Diablo -- File not found
"C:\Program Files\FireFly Studios\Stronghold\Stronghold.exe" = C:\Program Files\FireFly Studios\Stronghold\Stronghold.exe:*:Enabled:Stronghold -- File not found
"C:\WINDOWS\System32\DPLAYSVR.EXE" = C:\WINDOWS\System32\DPLAYSVR.EXE:*:Enabled:Microsoft DirectPlay Helper -- (Microsoft Corporation)
"C:\Program Files\Lionhead Studios Ltd\Black & White\runblack.exe" = C:\Program Files\Lionhead Studios Ltd\Black & White\runblack.exe:*:Disabled:lh -- File not found
"C:\Program Files\LimeWire\LimeWire 4.0.8\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire 4.0.8\LimeWire.exe:*:Disabled:LimeWire: The most advanced file sharing program on the planet. -- File not found
"C:\Program Files\Yahoo! Games\Blackhawk Striker 2\Blackhawk2.exe" = C:\Program Files\Yahoo! Games\Blackhawk Striker 2\Blackhawk2.exe:*:Enabled:Black Hawk Striker 2 -- File not found
"C:\Program Files\Valve\Steam\Steam.exe" = C:\Program Files\Valve\Steam\Steam.exe:*:Enabled:Steam -- File not found
"C:\Program Files\Valve\Steam\SteamApps\seanrocks8\team fortress classic\hl.exe" = C:\Program Files\Valve\Steam\SteamApps\seanrocks8\team fortress classic\hl.exe:*:Enabled:Half-Life Launcher -- File not found
"C:\Program Files\Valve\Steam\SteamApps\seanrocks8\condition zero\HL.EXE" = C:\Program Files\Valve\Steam\SteamApps\seanrocks8\condition zero\HL.EXE:*:Enabled:Half-Life Launcher -- File not found
"C:\WINDOWS\EXPLORER.EXE" = C:\WINDOWS\EXPLORER.EXE:*:Enabled:Windows Explorer -- (Microsoft Corporation)
"C:\Program Files\Valve\Steam\SteamApps\seanrocks8\counter-strike\HL.EXE" = C:\Program Files\Valve\Steam\SteamApps\seanrocks8\counter-strike\HL.EXE:*:Enabled:Half-Life Launcher -- File not found
"C:\Program Files\Valve\Steam\SteamApps\seanrocks8\day of defeat\HL.EXE" = C:\Program Files\Valve\Steam\SteamApps\seanrocks8\day of defeat\HL.EXE:*:Enabled:Half-Life Launcher -- File not found
"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger -- File not found
"C:\Program Files\Yahoo!\Messenger\YPager.exe" = C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger -- File not found
"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server -- File not found
"C:\Program Files\Valve\Steam\SteamApps\seanrocks8\condition zero deleted scenes\HL.EXE" = C:\Program Files\Valve\Steam\SteamApps\seanrocks8\condition zero deleted scenes\HL.EXE:*:Enabled:Half-Life Launcher -- File not found
"C:\Program Files\RSSoft\RSEDNClient.exe" = C:\Program Files\RSSoft\RSEDNClient.exe:*:Disabled:RSEDNClient -- File not found
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- File not found
"C:\Program Files\Common Files\AOL\1150854192\ee\aolsoftware.exe" = C:\Program Files\Common Files\AOL\1150854192\ee\aolsoftware.exe:*:Enabled:AOL Services -- File not found
"C:\Program Files\Common Files\AOL\1150854192\ee\aim6.exe" = C:\Program Files\Common Files\AOL\1150854192\ee\aim6.exe:*:Enabled:AIM -- File not found
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- File not found
"C:\WINDOWS\FeedingFrenzy.scr" = C:\WINDOWS\FeedingFrenzy.scr:*:Disabled:Feeding Frenzy -- (Sprout Games, LLC)
"C:\Program Files\Grisoft\AVG7\avginet.exe" = C:\Program Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe -- File not found
"C:\Program Files\Grisoft\AVG7\avgcc.exe" = C:\Program Files\Grisoft\AVG7\avgcc.exe:*:Enabled:avgcc.exe -- File not found
"C:\Program Files\Grisoft\AVG7\avgamsvr.exe" = C:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe -- File not found
"C:\Documents and Settings\AJHOFFM\Local Settings\Temporary Internet Files\Content.IE5\4XQF8XYF\incredimail_install[1].exe" = C:\Documents and Settings\AJHOFFM\Local Settings\Temporary Internet Files\Content.IE5\4XQF8XYF\incredimail_install[1].exe:*:Enabled:IncrediMail Installer -- File not found
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\StubInstaller.exe" = C:\StubInstaller.exe:*:Enabled:LimeWire swarmed installer -- File not found
"C:\Documents and Settings\AJHOFFM\Local Settings\Temp\7zS15.tmp\SymNRT.exe" = C:\Documents and Settings\AJHOFFM\Local Settings\Temp\7zS15.tmp\SymNRT.exe:*:Enabled:Norton Removal Tool -- File not found


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00040409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Disc 2
"{01F9D88C-3C86-4E82-840A-101A3221F67A}" = Microsoft Money 2003
"{02B42D23-10F2-4862-ADA4-3DF1EA0021B2}" = Microsoft Money 2003 System Pack
"{0AD84416-63A4-4CF3-BDDF-8FA866711FB0}" = Civilization III
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{0FD7D92D-81B7-11D5-9268-006097A63005}" = USB SmartMedia Reader
"{0FD7D92F-81B7-11D5-9268-006097A63005}" = USB CompactFlash Reader
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{3248F0A8-6813-11D6-A77B-00B0D0150040}" = J2SE Runtime Environment 5.0 Update 4
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0150090}" = J2SE Runtime Environment 5.0 Update 9
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java(TM) SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java(TM) 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java(TM) 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3EA9D975-BFDC-4E8E-B88B-0446FBC8CA66}" = ATI HydraVision
"{43DCF766-6838-4F9A-8C91-D92DA586DFA7}" = Microsoft Windows Journal Viewer
"{44635DD7-3F85-4368-8186-6A662A03714C}" = HP_WildTangent_Games
"{4F5CE18C-D97D-48FF-A510-A0D90C918294}" = iTunes
"{5624C000-B109-11D4-9DB4-00E0290FCAC5}" = VPN Client
"{6421F085-1FAA-DE13-D02A-CFB412C522A4}" = Acrobat.com
"{644F9DBE-CEDB-45AF-ACB8-E26692B74F62}" = Easy CD & DVD Creator 6
"{6C5D7191-140A-11D6-B5A0-0050DA208A93}" = ArcSoft PhotoImpression
"{6ECB39BD-73C2-44DD-B1A0-898207C58D8B}" = HP Photo and Imaging 2.0 - All-in-One Drivers
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90300409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Media Content
"{90AF0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office PowerPoint Viewer 2003
"{91110409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional
"{9763E36A-08E9-4228-BBCE-12989A4EB1A8}" = QuickTime
"{9867A917-5D17-40DE-83BA-BEA5293194B1}" = HP Photo and Imaging 2.0 - All-in-One
"{A1960A82-DB70-474D-A86B-FA74466103C6}" = Drivers Install For Linksys Easylink Advisor
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-1033-0000-7760-000000000002}" = Adobe Acrobat 7.0 Professional
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.1
"{C900EF06-2E76-49C7-8DB0-41F629B21DC5}" = hp psc 1200 series
"{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}" = HP Product Detection
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{F8863EFF-DD77-44BA-8843-D2A7ECDD2CE3}" = SealedMedia Unsealer 5.2.24
"{F8D0829C-9C6F-11D3-8080-00C04FA329AA}" = Microsoft Works 6.0
"{FAF7F1D7-C0E7-47EA-8AAA-84E4F9EA3C94}" = Works Suite OS Pack
"{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}" = HighMAT Extension to Microsoft Windows XP CD Writing Wizard
"Adaptec UDF Reader" = Adaptec UDF Reader
"Ad-Aware SE Personal" = Ad-Aware SE Personal
"Adobe Acrobat 7.0 Professional" = Adobe Acrobat 7.0 Professional
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop 5.0 Limited Edition" = Adobe Photoshop 5.0 Limited Edition
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"CCleaner" = CCleaner (remove only)
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"EasyLinkAdvisor" = Linksys EasyLink Advisor 1.6 (0032)
"hp instant support" = hp instant support
"HP PSC 1200 Series" = HP Photo and Imaging 2.0 - hp psc 1200 series
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{2F6A7F0C-DB12-4FCC-B002-0D31ECDCFD0E}" = psa256max
"InterVideo WinDVD" = InterVideo WinDVD
"JRE 1.3.1_04" = Java 2 Runtime Environment Standard Edition v1.3.1_04
"Links 2003 1.0" = Microsoft Links 2003
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"mini-player" = mini-player
"Mobile Application Link" = Mobile Link
"MSN Music Assistant" = MSN Music Assistant
"Napster v2.0 BETA 10.3" = Napster v2.0 BETA 10.3
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"One-touch Multimedia Keyboard" = One-touch Multimedia Keyboard
"ShockwaveFlash" = Adobe Flash Player 9 ActiveX
"Surfbrd" = HP Internet Center
"ViewpointMediaPlayer" = Viewpoint Media Player
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3
"Works2001Setup" = Microsoft Works and Money 2001 Setup Launcher
"XLViewer97" = Microsoft Excel Viewer 97

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/23/2010 9:30:30 PM | Computer Name = AJHOFFM-DIALUP | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at:
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 3/2/2010 9:27:24 PM | Computer Name = AJHOFFM-DIALUP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This operation returned because the timeout period expired.

Error - 3/2/2010 9:27:25 PM | Computer Name = AJHOFFM-DIALUP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: The specified server cannot perform the requested operation.

Error - 3/2/2010 9:27:25 PM | Computer Name = AJHOFFM-DIALUP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: The specified server cannot perform the requested operation.

Error - 3/2/2010 9:27:25 PM | Computer Name = AJHOFFM-DIALUP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: The specified server cannot perform the requested operation.

Error - 3/2/2010 9:27:25 PM | Computer Name = AJHOFFM-DIALUP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: The specified server cannot perform the requested operation.

Error - 3/2/2010 9:27:25 PM | Computer Name = AJHOFFM-DIALUP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: The specified server cannot perform the requested operation.

Error - 3/2/2010 9:31:03 PM | Computer Name = AJHOFFM-DIALUP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This operation returned because the timeout period expired.

Error - 3/2/2010 9:31:03 PM | Computer Name = AJHOFFM-DIALUP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: The specified server cannot perform the requested operation.

Error - 3/9/2010 8:28:07 PM | Computer Name = AJHOFFM-DIALUP | Source = Google Update | ID = 20
Description =

[ System Events ]
Error - 3/9/2010 10:17:30 PM | Computer Name = AJHOFFM-DIALUP | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 3/9/2010 10:18:24 PM | Computer Name = AJHOFFM-DIALUP | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 3/9/2010 10:19:21 PM | Computer Name = AJHOFFM-DIALUP | Source = NetBT | ID = 4311
Description = Initialization failed because the driver device could not be created.

Error - 3/9/2010 10:19:35 PM | Computer Name = AJHOFFM-DIALUP | Source = Print | ID = 23
Description = Printer Lexmark Z25-Z35,0 failed to initialize because a suitable
Lexmark Z25-Z35 driver could not be found.

Error - 3/9/2010 10:21:29 PM | Computer Name = AJHOFFM-DIALUP | Source = DCOM | ID = 10005
Description = DCOM got error "%3" attempting to start the service iPod Service with
arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}

Error - 3/9/2010 10:21:29 PM | Computer Name = AJHOFFM-DIALUP | Source = Service Control Manager | ID = 7000
Description = The iPod Service service failed to start due to the following error:
%%3

Error - 3/9/2010 10:22:38 PM | Computer Name = AJHOFFM-DIALUP | Source = DCOM | ID = 10010
Description = The server {ABC01078-F197-4B0B-ADBC-CFE684B39C82} did not register
with DCOM within the required timeout.

Error - 3/9/2010 10:43:43 PM | Computer Name = AJHOFFM-DIALUP | Source = NetBT | ID = 4311
Description = Initialization failed because the driver device could not be created.

Error - 3/9/2010 10:44:03 PM | Computer Name = AJHOFFM-DIALUP | Source = Print | ID = 23
Description = Printer Lexmark Z25-Z35,0 failed to initialize because a suitable
Lexmark Z25-Z35 driver could not be found.

Error - 3/9/2010 11:14:34 PM | Computer Name = AJHOFFM-DIALUP | Source = Server | ID = 2505
Description = The server could not bind to the transport \Device\NetBT_Tcpip_{FFD375F1-C63B-4296-B731-556D1ADC1D0D}
because another computer on the network has the same name. The server could not
start.


< End of report >


Re: Trojan Horse Cryptic.Z win32/nuqel.E AntiVirus Soft Infection-Can't run program

Post by Dr Jay on 10th March 2010, 3:17 pm

Hello! We need to do some diagnostics to get started.

1. Please download [You must be registered and logged in to see this link.] by noahdfear.
  • Save it to your desktop.
  • Double-click profiles.exe and post its log when you reply.


2. Download [You must be registered and logged in to see this link.] by ad13 and save it to your Desktop.
  • Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
  • When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
  • Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.


3. Please download [You must be registered and logged in to see this link.] by me, and save to your Desktop.
  • Double-click on Cheetah-Anti-Rogue.zip, and extract the file to your Desktop.
  • Double-click on Cheetah-Anti-Rogue.cmd to start.
  • It will finish quickly and launch a log.
  • Post the contents of it in your next reply.


4. In your next reply, please post the following logs for my review:
  • Profiles log (1)
  • Win32kDiag log (2)
  • Cheetah log (3)


Thanks!


Dr. Jay (DJ)

Dr Jay
Head Administrator

Posts : 14310
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro
Arch. : x64 (64-bit)
Protection : Bitdefender Total Security
Points : 302971
# Likes : 10


Re: Trojan Horse Cryptic.Z win32/nuqel.E AntiVirus Soft Infection-Can't run program

Post by ToneLoc8234 on 10th March 2010, 7:57 pm

DMJay,

Thanks for responding. I am at work for four more hours. Once I get home, I will go through the steps you list and repost the logs.

Thank you!


Re: Trojan Horse Cryptic.Z win32/nuqel.E AntiVirus Soft Infection-Can't run program

Post by Dr Jay on 10th March 2010, 9:15 pm

OK. Post them when you are ready for me to review them.


Dr. Jay (DJ)


Re: Trojan Horse Cryptic.Z win32/nuqel.E AntiVirus Soft Infection-Can't run program

Post by ToneLoc8234 on 11th March 2010, 1:00 am

Profiles (1)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
DefaultUserProfile REG_SZ Default User
AllUsersProfile REG_SZ All Users

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\LocalService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\NetworkService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1993962763-2147065759-1202660629-1004
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\ajhoffm

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1993962763-2147065759-1202660629-500
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Administrator

SystemRoot REG_SZ C:\WINDOWS


Win32kDiag log (2)

Running from: C:\Documents and Settings\ajhoffm\My Documents\GeekPolice.net\Win32kDiag.exe

Log file at : C:\Documents and Settings\ajhoffm\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!


Cheetah log (3)

Cheetah-Anti-Rogue v1.3.23
by DragonMaster Jay

Microsoft Windows XP [Version 5.1.2600]
Date: 03/10/2010 - Time: 18:55:11 - Arch.: x86


-- Malware removal tools check --
CCleaner
Trend Micro HijackThis 2.0.2


-- Known infection --



Extra message: Detection only.


EOF


DMJay, this is greatly appreciated!


Re: Trojan Horse Cryptic.Z win32/nuqel.E AntiVirus Soft Infection-Can't run program

Post by Dr Jay on 11th March 2010, 4:26 am

Hi again. Please do these steps in order.

1. Please download [You must be registered and logged in to see this link.] to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.


2. Please download Malwarebytes Anti-Malware from [You must be registered and logged in to see this link.].
Alternate link: [You must be registered and logged in to see this link.].
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

3. Please visit this webpage for instructions for downloading and running SUPERAntiSpyware (SAS) to scan and remove malware from your computer:

[You must be registered and logged in to see this link.]

Post the log from SUPERAntiSpyware when you've accomplished that.

4. Please run a free online scan with the [You must be registered and logged in to see this link.]
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


5. Post the following in your next reply:
  • MBAM log
  • SAS log
  • ESET log

And, please tell me how your computer is doing.


Dr. Jay (DJ)



Post by ToneLoc8234 on 12th March 2010, 12:14 am

1. MBAM Log
Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

3/11/2010 6:55:55 AM
mbam-log-2010-03-11 (06-55-55).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 178671
Time elapsed: 51 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6b221e01-f517-4959-8c41-81948e7f2f17} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Post by ToneLoc8234 on 12th March 2010, 12:15 am

2. SAS log

SUPERAntiSpyware Scan Log
[You must be registered and logged in to see this link.]

Generated 03/11/2010 at 08:24 AM

Application Version : 4.34.1000

Core Rules Database Version : 4596
Trace Rules Database Version: 1978

Scan type : Complete Scan
Total Scan Time : 00:54:09

Memory items scanned : 252
Memory threats detected : 0
Registry items scanned : 7409
Registry threats detected : 10
File items scanned : 20620
File threats detected : 1

Adware.Vundo/Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{28D0EF2B-41FF-4E45-AB90-398BC0428896}
HKU\S-1-5-21-1993962763-2147065759-1202660629-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{28D0EF2B-41FF-4E45-AB90-398BC0428896}

Adware.ClickSpring/Outer Info Network
HKU\S-1-5-21-1993962763-2147065759-1202660629-1004\Software\OINAnalytics

Rogue.Component/Trace
HKLM\Software\Microsoft\10550CF8
HKLM\Software\Microsoft\10550CF8#10550cf8
HKLM\Software\Microsoft\10550CF8#Version
HKLM\Software\Microsoft\10550CF8#1055a178
HKLM\Software\Microsoft\10550CF8#1055c89d

Trojan.Fake-Alert/Trace
HKU\S-1-5-21-1993962763-2147065759-1202660629-1004\SOFTWARE\Microsoft\fias4013

Rogue.AntivirusSoft
HKU\S-1-5-21-1993962763-2147065759-1202660629-1004\Software\avsoft
C:\DOCUMENTS AND SETTINGS\AJHOFFM\APPLICATION DATA\UBXDIU\NTSGSFTAV.EXE


Post by ToneLoc8234 on 12th March 2010, 12:15 am

3. ESET log

Cannot run this program, as the infected PC cannot access the internet.


Post by ToneLoc8234 on 12th March 2010, 3:53 am

Ok. Gave normal startup a try. No more pop ups or infection warnings, but now I cannot access the internet?

Thanks


Post by Dr Jay on 12th March 2010, 3:21 pm

Please visit this webpage for a tutorial on downloading and running ComboFix:

[You must be registered and logged in to see this link.]

See the area: Using ComboFix, and when done, post the log back here.


Dr. Jay (DJ)



Post by ToneLoc8234 on 12th March 2010, 4:16 pm

DM Jay,

It looks like we cleared everything up, except now Internet Explorer keeps giving me the "page cannot be displayed" message. I have heard bad things about ComboFix. What will downloading and running ComboFix do?


Post by Dr Jay on 12th March 2010, 5:31 pm

It can be used to fix Internet issues, scan for rootkits, and remove hidden malware.


Dr. Jay (DJ)



Post by ToneLoc8234 on 12th March 2010, 6:00 pm

OK, I will have to do that when I get home. Thanks for being patient and working around my crazy work schedule.


Post by ToneLoc8234 on 13th March 2010, 12:01 am

"Microsoft Windows Recovery Console"

"This machine does not have the 'microsoft windows recovery console' installed

Without it, ComboFix shall not attempt the fixing of some serious infections.

Click 'Yes' to have ComboFix dowload/install it.

NOTE: this requires an active internet connection.

Yes/No"


However, the infected computer does not have an active working internet connection.


Post by ToneLoc8234 on 13th March 2010, 12:28 am

ComboFix 10-03-12.02 - ajhoffm 03/12/2010 18:05:13.1.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.185 [GMT -6:00]
Running from: e:\geekpolice.net\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\QMGR0.DAT
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\QMGR1.DAT
C:\Logo.sys
C:\Thumbs.db
c:\windows\bobsaver.scr
c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\Downloaded Program Files\ODCTOOLS\ef6b26db-344d-4ad3-ba24-aca0bdaa999a.cab
c:\windows\Downloaded Program Files\ODCTOOLS\f04d289f-c60a-422b-8396-6c372047042e.cab
c:\windows\patch.exe
c:\windows\start.exe
c:\windows\system32\cnoebewq.ini
c:\windows\system32\pxlatxiv.ini
c:\windows\system32\rikvdlmp.ini
c:\windows\system32\uahrcpdh.ini
c:\windows\system32\wikesjli.ini
c:\windows\system32\windows.scr
c:\windows\Web\default.htt

----- BITS: Possible infected sites -----

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
.
((((((((((((((((((((((((( Files Created from 2010-02-13 to 2010-03-13 )))))))))))))))))))))))))))))))
.

2010-03-12 03:43 . 2010-03-12 03:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-03-11 13:22 . 2010-03-11 13:23 52224 ----a-w- c:\documents and settings\ajhoffm\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-11 13:22 . 2010-03-11 13:22 117760 ----a-w- c:\documents and settings\ajhoffm\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-11 13:22 . 2010-03-11 13:22 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-03-11 13:17 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-03-11 13:16 . 2010-03-11 13:16 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-11 13:16 . 2010-03-11 13:16 -------- d-----w- c:\documents and settings\ajhoffm\Application Data\SUPERAntiSpyware.com
2010-03-11 13:16 . 2010-03-11 13:16 -------- d-----w- c:\documents and settings\ajhoffm\Application Data\SUPERAntiSpyware.com
2010-03-11 13:12 . 2010-03-11 13:12 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-11 03:25 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-11 03:25 . 2010-03-11 03:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-11 03:25 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-10 02:27 . 2010-03-10 02:27 -------- d-----w- c:\documents and settings\ajhoffm\Application Data\AVG8
2010-03-10 02:27 . 2010-03-10 02:27 -------- d-----w- c:\documents and settings\ajhoffm\Application Data\AVG8
2010-03-10 02:17 . 2010-03-10 02:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG8
2010-03-06 14:50 . 2010-03-06 14:50 -------- d-----w- c:\documents and settings\ajhoffm\Application Data\ubxdiu
2010-03-06 14:50 . 2010-03-06 14:50 -------- d-----w- c:\documents and settings\ajhoffm\Application Data\ubxdiu
2010-03-05 02:36 . 2010-03-05 02:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe Systems
2010-03-05 02:35 . 2010-03-05 02:35 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2010-02-24 01:31 . 2010-02-24 01:31 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2010-02-16 01:57 . 2010-02-16 01:57 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-02-16 01:43 . 2010-02-16 01:43 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Adobe
2010-02-16 01:29 . 2010-02-16 01:29 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-02-16 01:27 . 2010-02-16 01:27 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-02-16 01:26 . 2010-02-16 01:26 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-02-15 23:58 . 2010-02-05 18:35 149488 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.89\Locales\ca.dll
2010-02-15 23:58 . 2010-02-05 18:35 175600 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.89\Locales\bn.dll
2010-02-15 23:58 . 2010-02-05 18:35 164848 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.89\Locales\bg.dll
2010-02-15 23:58 . 2010-02-05 18:35 14492144 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.89\chrome.dll
2010-02-15 23:58 . 2010-02-05 18:35 61424 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.89\avutil-50.dll
2010-02-15 23:58 . 2010-02-05 18:35 135152 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.89\avformat-52.dll
2010-02-15 23:58 . 2010-02-05 18:35 80368 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.89\Locales\am.dll
2010-02-15 23:58 . 2010-02-05 18:35 176624 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.89\Locales\ar.dll
2010-02-15 23:58 . 2010-02-05 18:35 1112560 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.89\avcodec-52.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-15 23:57 . 2010-02-15 23:59 670704 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.89\Installer\setup.exe
2010-02-05 18:36 . 2010-01-21 03:12 527344 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\chrome.exe
2010-02-05 18:36 . 2010-02-15 23:59 73200 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.89\Locales\zh-TW.dll
2010-02-05 18:36 . 2010-02-15 23:59 109040 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.89\rlz.dll
2010-01-27 14:31 . 2010-01-27 14:32 670704 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.78\Installer\setup.exe
2010-01-21 07:24 . 2010-01-27 14:32 73200 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.78\Locales\zh-TW.dll
2010-01-21 07:24 . 2010-01-27 14:32 72176 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.78\Locales\zh-CN.dll
2010-01-21 07:24 . 2010-01-27 14:32 109040 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.78\rlz.dll
2010-01-21 07:22 . 2010-01-27 14:32 1112560 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.78\avcodec-52.dll
2010-01-21 03:10 . 2010-01-21 03:10 -------- d-----w- c:\documents and settings\ajhoffm\Application Data\Temp
2010-01-21 03:09 . 2010-01-21 03:09 135664 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Update\GoogleUpdate.exe
2010-01-05 10:00 . 2004-02-07 00:05 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-05-29 15:23 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2001-08-23 18:00 17408 ------w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2001-08-23 18:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-16 18:43 . 2004-05-29 15:13 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2001-08-23 18:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2003-03-28 17:22 . 2003-03-28 17:22 0 ----a-w- c:\program files\Settings.ini
2000-11-01 21:51 . 2000-11-01 21:51 23357 ---h--w- c:\program files\folder.htt
2003-01-28 16:22 . 2003-01-28 16:22 32 --sha-w- c:\windows\SYSTEM\{68CF359C-9ED8-4A9E-A10F-2CBBDEA89D88}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-16 454784]
"Google Update"="c:\documents and settings\ajhoffm\Application Data\Google\Update\GoogleUpdate.exe" [2010-01-21 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wcmdmgr"="c:\windows\wt\wcmdmgrl.exe" [2000-09-15 20480]
"sealmon"="c:\program files\SealedMedia\sealmon.exe" [2007-04-03 296080]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-01-13 69632]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-01-09 253952]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-15 286720]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2000-08-15 311350]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-07 39408]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Printing Migration"="c:\windows\System32\spool\migrate.dll" [2001-08-23 30208]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2010-3-4 25214]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk
backup=c:\windows\pss\Cisco Systems VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^DOCUME~1^ALLUSE~1^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
path=c:\docume~1\ALLUSE~1\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk
backup=c:\windows\pss\Cisco Systems VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^DOCUME~1^ALLUSE~1^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Limeshop0
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Realtime Monitor
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-11-15 19:11 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-02-18 22:40 2012912 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-08-07 03:10 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"hpsysdrv"=c:\windows\SYSTEM32\HPSYSDRV.EXE
"Delay"=c:\windows\delayrun.exe
"MotiveMonitor"=c:\program files\Motive\motmon.exe
"WorksFUD"=c:\program files\Microsoft Works\wkfud.exe
"LoadQM"=loadqm.exe
"LexStart"=Lexstart.exe
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe"
"ccRegVfy"="c:\program files\Common Files\Symantec Shared\ccRegVfy.exe"
"QuickTime Task"="c:\windows\SYSTEM32\QTTASK.EXE" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\System32\\DPLAYSVR.EXE"=
"c:\\WINDOWS\\FeedingFrenzy.scr"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"500:UDP"= 500:UDP:VPN-500-UDP
"4500:UDP"= 4500:UDP:VPN-4500-UDP
"10000:UDP"= 10000:UDP:VPN-10000-UDP
"9420:TCP"= 9420:TCP:RSP

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 10:15 AM 66632]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/15/2010 7:52 PM 135664]
S3 gel90xne;gel90xne;\??\c:\docume~1\ajhoffm\LOCALS~1\Temp\gel90xne.sys --> c:\docume~1\ajhoffm\LOCALS~1\Temp\gel90xne.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 10:15 AM 12872]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
2008-04-14 01:12 73216 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
2008-04-14 01:12 73216 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
2008-04-14 01:12 73216 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
2008-04-14 01:12 73216 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
2001-03-23 22:17 7168 ------w- c:\windows\SYSTEM32\UPDCRL.EXE
.
Contents of the 'Scheduled Tasks' folder

2010-03-12 c:\windows\Tasks\Uninstall Expiration Reminder.job
- c:\windows\System32\OOBE\oobebaln.exe [2004-05-29 01:12]

2008-02-09 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 1200 series272A572217594EBCF1CEE215E352B92AD073FDE4193969839.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 23:56]

2010-03-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 01:52]

2010-03-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 01:52]

2010-03-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1993962763-2147065759-1202660629-1004Core1cab7502c58a3a0.job
- c:\documents and settings\ajhoffm\Application Data\Google\Update\GoogleUpdate.exe [2010-01-21 03:09]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-grqyraaa - c:\documents and settings\ajhoffm\Application Data\ubxdiu\ntsgsftav.exe
HKLM-Run-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
HKU-Default-Run-Yahoo! Pager - c:\program files\Yahoo!\Messenger\ypager.exe
ShellExecuteHooks-{EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - (no file)
Notify-awtrRIAs - awtrRIAs.dll
MSConfigStartUp-MoneyAgent - c:\program files\Microsoft Money\System\Money Express.exe
MSConfigStartUp-Yahoo! Pager - c:\program files\Yahoo!\Messenger\ypager.exe
AddRemove-Mobile Application Link - c:\program files\AvantGo\Mobile Link\Uninst.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-03-12 18:11
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\$$$\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(484)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-03-12 18:14:14
ComboFix-quarantined-files.txt 2010-03-13 00:14

Pre-Run: 21,298,577,408 bytes free
Post-Run: 21,262,712,832 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout = 5
default = multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS ="Windows XP Media Center Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 7FC93860D58099D2AD96AB8F569EB4E1
[2005/07/04 23:40:51 | 000,189,440 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll

[2005/05/03 11:44:44 | 000,025,157 | ---- | C] () -- C:\WINDOWS\RMAgentOutput.dll

[2005/05/03 11:43:44 | 000,126,976 | ---- | C] () -- C:\WINDOWS\dllTSCLIBMT.dll

[2005/03/03 16:16:42 | 000,000,256 | ---- | C] () -- C:\WINDOWS\aucfg.ini

[2005/03/01 15:30:20 | 000,000,453 | ---- | C] () -- C:\WINDOWS\bdoscandellang.ini

[2005/01/09 00:22:47 | 000,000,098 | ---- | C] () -- C:\WINDOWS\TaxACT04.ini

[2004/10/01 17:33:46 |

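A defender's triage pass over the ComboFix log posted above, added here as an example that is not part of the thread and not ComboFix's own code. It reads the "Supplementary Scan" and "ORPHANS REMOVED" style lines and flags what explains the symptoms in this thread: the proxy pointing at 127.0.0.1:5555 (with the rogue's local proxy process gone, IE gets "page cannot be displayed" until that setting is cleared), the Run entry launching ntsgsftav.exe from the user's Application Data, the path-less winlogon Notify DLL, and the ShellExecuteHook with no file. The sample input is an excerpt constructed from that log, and the heuristics are the editor's.

```python
"""Triage a ComboFix log excerpt for the patterns seen in this thread.

The heuristics below are review prompts, not verdicts: a Run entry under
Application Data can be legitimate (this same log has Google Update there),
so each finding is something to check, not something to delete blindly.
"""
import re
from typing import List, Tuple

# Constructed sample: an excerpt of the ComboFix log in the post above.
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-grqyraaa - c:\documents and settings\ajhoffm\Application Data\ubxdiu\ntsgsftav.exe
HKLM-Run-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
ShellExecuteHooks-{EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - (no file)
Notify-awtrRIAs - awtrRIAs.dll
MSConfigStartUp-MoneyAgent - c:\program files\Microsoft Money\System\Money Express.exe
"""

# Line shapes used by ComboFix's supplementary scan and orphan sections.
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(.+)$")
ORPHAN_RUN_RE = re.compile(r"^(HKLM|HKCU|HKU-Default)-Run-(\S+)\s+-\s+(.+)$")
NOTIFY_RE = re.compile(r"^Notify-(\S+)\s+-\s+(.+)$")
SEH_RE = re.compile(r"^ShellExecuteHooks-(\{[0-9A-Fa-f-]+\})\s+-\s+(.+)$")

# Per-user writable locations that autostart entries rarely need to use.
USER_PROFILE_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\")


def _is_loopback(host: str) -> bool:
    """True for any host that resolves to the local machine itself."""
    host = host.strip().lower()
    return host in ("localhost", "::1") or host.startswith("127.")


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (category, detail) findings in the order the lines appear."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()

        m = PROXY_RE.match(line)
        if m:
            # Value may be "http=host:port;https=host:port" or just "host:port".
            for entry in m.group(1).split(";"):
                host = entry.split("=")[-1].rsplit(":", 1)[0]
                if _is_loopback(host):
                    findings.append(("loopback-proxy", entry.strip()))
            continue

        m = ORPHAN_RUN_RE.match(line)
        if m:
            hive, name, path = m.groups()
            if any(d in path.lower() for d in USER_PROFILE_DIRS):
                findings.append(("run-from-profile", f"{hive}\\Run\\{name} -> {path}"))
            continue

        m = NOTIFY_RE.match(line)
        if m:
            name, dll = m.groups()
            # A bare file name means the DLL is resolved via the search path.
            if "\\" not in dll:
                findings.append(("bare-winlogon-notify", f"{name} -> {dll}"))
            continue

        m = SEH_RE.match(line)
        if m and m.group(2).strip().lower() == "(no file)":
            findings.append(("dangling-shellexecutehook", m.group(1)))
    return findings


def main() -> None:
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:26s} {detail}")


if __name__ == "__main__":
    main()
```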

Post by ToneLoc8234 on 13th March 2010, 12:29 am

After I ran ComboFix, a pop-up appeared saying "Windows XP is updating." I tried IE, and it worked. Please let me know what you see from the log.

Thank you very much for all of this help!


Post by Dr Jay on 13th March 2010, 2:20 am

Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:

    Rootkit::
    ADS::
    Reboot::
  • Save this as CFScript.txt, in the same location as ComboFix.exe



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.


Dr. Jay (DJ)


Dr Jay
Head Administrator
Posts : 14310
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro
Arch. : x64 (64-bit)
Protection : Bitdefender Total Security
Points : 302971
# Likes : 10

Re: Trojan Horse Cryptic.Z win32/nuqel.E AntiVirus Soft Infection-Can't run program

Post by ToneLoc8234 on 16th March 2010, 7:10 pm

Dr Jay,

Sorry for the late response. I can't seem to figure out how to stop Norton Antivirus from running in the background so that I can run ComboFix.


Re: Trojan Horse Cryptic.Z win32/nuqel.E AntiVirus Soft Infection-Can't run program

Post by Dr Jay on 17th March 2010, 1:38 am

Can it run without disabling NAV?


Dr. Jay (DJ)



Re: Trojan Horse Cryptic.Z win32/nuqel.E AntiVirus Soft Infection-Can't run program

Post by ToneLoc8234 on 17th March 2010, 3:46 am

The computer was running extremely slowly today. It took a good five minutes to restart each time. I uninstalled NAV, and everything got much quicker, including start-up. I am about to run ComboFix according to your previous instructions. I will post that log soon, hopefully.

Under My Computer > Properties, should "Turn off System Restore on all drives" be checked or unchecked?


Re: Trojan Horse Cryptic.Z win32/nuqel.E AntiVirus Soft Infection-Can't run program

Post by Dr Jay on 17th March 2010, 3:51 am

Unchecked.

Post the ComboFix log, if you are able to.


Dr. Jay (DJ)



Re: Trojan Horse Cryptic.Z win32/nuqel.E AntiVirus Soft Infection-Can't run program

Post by ToneLoc8234 on 17th March 2010, 4:26 am

ComboFix 10-03-16.03 - ajhoffm 03/16/2010 23:07:49.2.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.188 [GMT -5:00]
Running from: c:\documents and settings\ajhoffm\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\ajhoffm\Desktop\CFscript.txt
AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((( Files Created from 2010-02-17 to 2010-03-17 )))))))))))))))))))))))))))))))
.

2010-03-16 00:59 . 2010-03-16 00:59 -------- d-----w- c:\documents and settings\ajhoffm\Application Data\Tific
2010-03-16 00:59 . 2010-03-16 00:59 -------- d-----w- c:\documents and settings\ajhoffm\Application Data\Tific
2010-03-15 23:36 . 2010-03-15 23:36 -------- d-sh--w- c:\documents and settings\ajhoffm\PrivacIE
2010-03-14 20:59 . 2010-03-14 20:59 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-03-14 20:57 . 2010-03-14 20:57 -------- d-sh--w- c:\documents and settings\ajhoffm\IETldCache
2010-03-14 20:42 . 2009-12-11 08:38 69120 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-03-14 20:41 . 2010-03-14 20:41 -------- d-----w- c:\windows\ie8updates
2010-03-14 20:39 . 2009-12-21 19:14 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-03-14 20:39 . 2009-12-21 19:14 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-03-14 20:30 . 2010-03-14 20:30 -------- d--h--w- c:\windows\ie8
2010-03-12 23:45 . 2010-03-12 23:45 -------- d-----w- c:\program files\Windows Sidebar
2010-03-12 02:43 . 2010-03-12 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-03-11 12:22 . 2010-03-11 12:23 52224 ----a-w- c:\documents and settings\ajhoffm\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-11 12:22 . 2010-03-17 02:31 117760 ----a-w- c:\documents and settings\ajhoffm\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-11 12:22 . 2010-03-11 12:22 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-03-11 12:17 . 2009-10-23 14:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-03-11 12:16 . 2010-03-11 12:16 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-11 12:16 . 2010-03-11 12:16 -------- d-----w- c:\documents and settings\ajhoffm\Application Data\SUPERAntiSpyware.com
2010-03-11 12:16 . 2010-03-11 12:16 -------- d-----w- c:\documents and settings\ajhoffm\Application Data\SUPERAntiSpyware.com
2010-03-11 12:12 . 2010-03-11 12:12 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-11 02:25 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-11 02:25 . 2010-03-11 02:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-11 02:25 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-10 01:27 . 2010-03-10 01:27 -------- d-----w- c:\documents and settings\ajhoffm\Application Data\AVG8
2010-03-10 01:27 . 2010-03-10 01:27 -------- d-----w- c:\documents and settings\ajhoffm\Application Data\AVG8
2010-03-10 01:17 . 2010-03-10 01:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG8
2010-03-06 13:50 . 2010-03-06 13:50 -------- d-----w- c:\documents and settings\ajhoffm\Application Data\ubxdiu
2010-03-06 13:50 . 2010-03-06 13:50 -------- d-----w- c:\documents and settings\ajhoffm\Application Data\ubxdiu
2010-03-05 01:36 . 2010-03-05 01:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe Systems
2010-03-05 01:35 . 2010-03-05 01:35 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2010-02-24 00:31 . 2010-02-24 00:31 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2010-02-16 00:57 . 2010-02-16 00:57 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-02-16 00:43 . 2010-02-16 00:43 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Adobe
2010-02-16 00:29 . 2010-02-16 00:29 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-02-16 00:27 . 2010-02-16 00:27 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-02-16 00:26 . 2010-02-16 00:26 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-02-15 22:58 . 2010-02-05 17:35 149488 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.89\Locales\ca.dll
2010-02-15 22:58 . 2010-02-05 17:35 175600 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.89\Locales\bn.dll
2010-02-15 22:58 . 2010-02-05 17:35 164848 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.89\Locales\bg.dll
2010-02-15 22:58 . 2010-02-05 17:35 14492144 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.89\chrome.dll
2010-02-15 22:58 . 2010-02-05 17:35 61424 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.89\avutil-50.dll
2010-02-15 22:58 . 2010-02-05 17:35 135152 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.89\avformat-52.dll
2010-02-15 22:58 . 2010-02-05 17:35 80368 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.89\Locales\am.dll
2010-02-15 22:58 . 2010-02-05 17:35 176624 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.89\Locales\ar.dll
2010-02-15 22:58 . 2010-02-05 17:35 1112560 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.89\avcodec-52.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-15 22:57 . 2010-02-15 22:59 670704 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.89\Installer\setup.exe
2010-02-05 17:36 . 2010-01-21 02:12 527344 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\chrome.exe
2010-02-05 17:36 . 2010-02-15 22:59 73200 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.89\Locales\zh-TW.dll
2010-02-05 17:36 . 2010-02-15 22:59 109040 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.89\rlz.dll
2010-01-27 13:31 . 2010-01-27 13:32 670704 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.78\Installer\setup.exe
2010-01-21 06:24 . 2010-01-27 13:32 73200 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.78\Locales\zh-TW.dll
2010-01-21 06:24 . 2010-01-27 13:32 72176 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.78\Locales\zh-CN.dll
2010-01-21 06:24 . 2010-01-27 13:32 109040 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.78\rlz.dll
2010-01-21 06:22 . 2010-01-27 13:32 1112560 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.78\avcodec-52.dll
2010-01-21 02:10 . 2010-01-21 02:10 -------- d-----w- c:\documents and settings\ajhoffm\Application Data\Temp
2010-01-21 02:09 . 2010-01-21 02:09 135664 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Update\GoogleUpdate.exe
2009-12-31 15:50 . 2001-08-23 17:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2004-02-06 23:05 916480 ----a-w- c:\windows\system32\wininet.dll
2003-03-28 16:22 . 2003-03-28 16:22 0 ----a-w- c:\program files\Settings.ini
2000-11-01 20:51 . 2000-11-01 20:51 23357 ---h--w- c:\program files\folder.htt
2003-01-28 15:22 . 2003-01-28 15:22 32 --sha-w- c:\windows\SYSTEM\{68CF359C-9ED8-4A9E-A10F-2CBBDEA89D88}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"Google Update"="c:\documents and settings\ajhoffm\Application Data\Google\Update\GoogleUpdate.exe" [2010-01-21 135664]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-07 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-18 2012912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wcmdmgr"="c:\windows\wt\wcmdmgrl.exe" [2000-09-15 20480]
"sealmon"="c:\program files\SealedMedia\sealmon.exe" [2007-04-03 296080]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-01-13 69632]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-01-09 253952]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-15 286720]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2000-08-15 311350]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-15 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-07 39408]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Printing Migration"="c:\windows\System32\spool\migrate.dll" [2001-08-23 30208]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2010-3-4 25214]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-9 28672]
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-9 147456]
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2006-4-21 1385400]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^DOCUME~1^ALLUSE~1^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
path=c:\docume~1\ALLUSE~1\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk
backup=c:\windows\pss\Cisco Systems VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^DOCUME~1^ALLUSE~1^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"hpsysdrv"=c:\windows\SYSTEM32\HPSYSDRV.EXE
"Delay"=c:\windows\delayrun.exe
"MotiveMonitor"=c:\program files\Motive\motmon.exe
"WorksFUD"=c:\program files\Microsoft Works\wkfud.exe
"LoadQM"=loadqm.exe
"LexStart"=Lexstart.exe
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe"
"ccRegVfy"="c:\program files\Common Files\Symantec Shared\ccRegVfy.exe"
"QuickTime Task"="c:\windows\SYSTEM32\QTTASK.EXE" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\System32\\DPLAYSVR.EXE"=
"c:\\WINDOWS\\FeedingFrenzy.scr"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"500:UDP"= 500:UDP:VPN-500-UDP
"4500:UDP"= 4500:UDP:VPN-4500-UDP
"10000:UDP"= 10000:UDP:VPN-10000-UDP
"9420:TCP"= 9420:TCP:RSP

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 10:15 AM 66632]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 10:15 AM 12872]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/15/2010 7:52 PM 135664]
S3 gel90xne;gel90xne;\??\c:\docume~1\ajhoffm\LOCALS~1\Temp\gel90xne.sys --> c:\docume~1\ajhoffm\LOCALS~1\Temp\gel90xne.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
2008-04-14 00:12 73216 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
2008-04-14 00:12 73216 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
2008-04-14 00:12 73216 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
2008-04-14 00:12 73216 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
2001-03-23 21:17 7168 ------w- c:\windows\SYSTEM32\UPDCRL.EXE
.
Contents of the 'Scheduled Tasks' folder

2010-03-17 c:\windows\Tasks\Uninstall Expiration Reminder.job
- c:\windows\System32\OOBE\oobebaln.exe [2004-05-29 00:12]

2008-02-09 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 1200 series272A572217594EBCF1CEE215E352B92AD073FDE4193969839.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 22:56]

2010-03-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 00:52]

2010-03-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 00:52]

2010-03-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1993962763-2147065759-1202660629-1004Core1cab7502c58a3a0.job
- c:\documents and settings\ajhoffm\Application Data\Google\Update\GoogleUpdate.exe [2010-01-21 02:09]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-03-16 23:20
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\$$$\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(484)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1324)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\wt\wcmdmgr.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
.
**************************************************************************
.
Completion time: 2010-03-16 23:24:32 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-17 04:24
ComboFix2.txt 2010-03-12 23:14

Pre-Run: 20,718,288,896 bytes free
Post-Run: 20,697,300,992 bytes free

- - End Of File - - C7C7A4C7DD43E90144D71528009DBC31


Re: Trojan Horse Cryptic.Z win32/nuqel.E AntiVirus Soft Infection-Can't run program

Post by ToneLoc8234 on 17th March 2010, 4:55 am

It's midnight here (Central time zone). My eyes are shutting on their own. I will try to wake up early before work and look at what you post, or I will look tomorrow after work.

Thanks again!


Re: Trojan Horse Cryptic.Z win32/nuqel.E AntiVirus Soft Infection-Can't run program

Post by Dr Jay on 17th March 2010, 8:28 pm

Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the box below into it:
    killall::
    DirLook::
    c:\documents and settings\ajhoffm\Application Data\ubxdiu

    File::
    c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
    c:\WINDOWS\FeedingFrenzy.scr
    c:\documents and settings\ajhoffm\LOCAL SETTINGS\Temp\gel90xne.sys

    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\FeedingFrenzy.scr"=-

    Driver::
    gel90xne

    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1
    uInternet Settings,ProxyOverride = *.local

    Rootkit::
    Reboot::
  • Save this as CFScript.txt, in the same location as ComboFix.exe



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.


Dr. Jay (DJ)


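The ComboFix log posted earlier in this thread and the CFScript above target the same four indicators: an Internet Explorer proxy pointed at 127.0.0.1:5555 (which is why "Application cannot be executed" rogues can intercept every browser request), a Windows Firewall exception for a .scr file sitting in C:\WINDOWS, a kernel driver (gel90xne.sys) loading from a user's Temp folder, and a random-named folder (ubxdiu) under Application Data. The script below is an added example, not part of this thread and not ComboFix's own code: it reads lines in the format ComboFix prints and flags those four patterns so a helper can spot them before writing a CFScript. The sample lines are copied from the log above; the "random-looking name" heuristic, the rule names and the response notes are this example's own assumptions, and ComboFix itself does not score entries.

```python
"""Triage a ComboFix-style log for the indicators seen in this thread.

Added example (not from the original thread, not ComboFix's code). It runs
four checks over log lines:
  - an Internet Explorer proxy pointing at the loopback address,
  - a Windows Firewall exception for a .scr/.pif/.com file,
  - a kernel driver (R*/S* service line) loading from a Temp folder,
  - an Application Data folder with a random-looking name.
The random-name heuristic and the notes are assumptions of this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the ComboFix output posted above,
# with one benign neighbour per check so each rule has something to ignore.
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
"c:\\WINDOWS\\FeedingFrenzy.scr"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
S3 gel90xne;gel90xne;\??\c:\docume~1\ajhoffm\LOCALS~1\Temp\gel90xne.sys --> c:\docume~1\ajhoffm\LOCALS~1\Temp\gel90xne.sys [?]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
2010-03-06 13:50 . 2010-03-06 13:50 -------- d-----w- c:\documents and settings\ajhoffm\Application Data\ubxdiu
2010-03-16 00:59 . 2010-03-16 00:59 -------- d-----w- c:\documents and settings\ajhoffm\Application Data\Tific
"""


@dataclass
class Finding:
    rule: str     # short rule name (this example's own labels)
    subject: str  # the path, host or service name that triggered the rule
    note: str     # what a responder should do about it


# "uInternet Settings,ProxyServer = http=127.0.0.1:5555" -> host/port
PROXY_RE = re.compile(
    r"^uInternet Settings,ProxyServer\s*=\s*(?:\w+=)?(?P<host>[^:\s]+)(?::(?P<port>\d+))?", re.I)
# Firewall AuthorizedApplications entries look like "c:\\path\\app.exe"=
FW_APP_RE = re.compile(r'^"(?P<path>[^"]+)"=\s*$')
# Service/driver lines: R1 name;display;path [date size]  or  ... --> path [?]
SERVICE_RE = re.compile(
    r"^[RS][0-4]\s+(?P<name>[^;]+);[^;]*;(?P<path>.+?)(?:\s+-->|\s+\[|\s*$)")
# Directory entries: attribute field such as d-----w- followed by the path
APPDATA_DIR_RE = re.compile(
    r"\sd[-a-z]{7}\s+(?P<path>.+\\Application Data\\(?P<leaf>[^\\]+))\s*$", re.I)

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def looks_random(name: str) -> bool:
    """Heuristic (assumption of this example): an all-lowercase name of five
    or more letters containing a run of three consonants, e.g. 'ubxdiu', is
    treated as machine-generated; vendor folders are usually capitalised."""
    return (name.isalpha() and name.islower() and len(name) >= 5
            and re.search(r"[bcdfghjklmnpqrstvwxz]{3}", name) is not None)


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious line, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROXY_RE.match(line)
        if m:
            if m.group("host").lower() in LOOPBACK:
                findings.append(Finding(
                    "loopback-proxy", f"{m.group('host')}:{m.group('port') or ''}",
                    "IE traffic is routed through a local process; clear "
                    "ProxyServer and find whatever listens on that port"))
            continue
        m = FW_APP_RE.match(line)
        if m:
            path = m.group("path").replace("\\\\", "\\")  # undo REGEDIT escaping
            if path.lower().endswith((".scr", ".pif", ".com")):
                findings.append(Finding(
                    "firewall-exception", path,
                    "non-EXE binary allowed through the firewall; remove "
                    "the exception and the file"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            if "\\temp\\" in m.group("path").lower():
                findings.append(Finding(
                    "driver-in-temp", m.group("name"),
                    "kernel driver loaded from a Temp folder; remove the "
                    "service and the .sys file"))
            continue
        m = APPDATA_DIR_RE.search(line)
        if m and looks_random(m.group("leaf")):
            findings.append(Finding(
                "random-appdata-dir", m.group("path"),
                "random-named folder under Application Data; list its "
                "contents (DirLook::) before deleting"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.subject}\n    {f.note}")
```

Run against the constructed sample it reports exactly the four entries the CFScript above removes and ignores the benign neighbours (the iTunes firewall exception, the SUPERAntiSpyware driver, the Tific folder). The heuristics are deliberately narrow; a real triage pass would still read the whole log, since ComboFix reports plenty that no regex catches.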

Re: Trojan Horse Cryptic.Z win32/nuqel.E AntiVirus Soft Infection-Can't run program

Post by ToneLoc8234 on 17th March 2010, 9:57 pm

ComboFix 10-03-17.01 - ajhoffm 03/17/2010 16:39:52.3.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.237 [GMT -5:00]
Running from: c:\documents and settings\ajhoffm\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\ajhoffm\Desktop\CFScript.txt
AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

FILE ::
"c:\documents and settings\ajhoffm\LOCAL SETTINGS\Temp\gel90xne.sys"
"c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe"
"c:\windows\FeedingFrenzy.scr"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
c:\windows\FeedingFrenzy.scr

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GEL90XNE
-------\Service_gel90xne


((((((((((((((((((((((((( Files Created from 2010-02-17 to 2010-03-17 )))))))))))))))))))))))))))))))
.

2010-03-16 00:59 . 2010-03-16 00:59 -------- d-----w- c:\documents and settings\ajhoffm\Application Data\Tific
2010-03-16 00:59 . 2010-03-16 00:59 -------- d-----w- c:\documents and settings\ajhoffm\Application Data\Tific
2010-03-15 23:36 . 2010-03-15 23:36 -------- d-sh--w- c:\documents and settings\ajhoffm\PrivacIE
2010-03-14 20:59 . 2010-03-14 20:59 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-03-14 20:57 . 2010-03-14 20:57 -------- d-sh--w- c:\documents and settings\ajhoffm\IETldCache
2010-03-14 20:42 . 2009-12-11 08:38 69120 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-03-14 20:41 . 2010-03-14 20:41 -------- d-----w- c:\windows\ie8updates
2010-03-14 20:39 . 2009-12-21 19:14 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-03-14 20:39 . 2009-12-21 19:14 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-03-14 20:30 . 2010-03-14 20:30 -------- d--h--w- c:\windows\ie8
2010-03-12 23:45 . 2010-03-12 23:45 -------- d-----w- c:\program files\Windows Sidebar
2010-03-12 02:43 . 2010-03-12 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-03-11 12:22 . 2010-03-11 12:23 52224 ----a-w- c:\documents and settings\ajhoffm\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-11 12:22 . 2010-03-17 02:31 117760 ----a-w- c:\documents and settings\ajhoffm\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-11 12:22 . 2010-03-11 12:22 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-03-11 12:17 . 2009-10-23 14:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-03-11 12:16 . 2010-03-11 12:16 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-11 12:16 . 2010-03-11 12:16 -------- d-----w- c:\documents and settings\ajhoffm\Application Data\SUPERAntiSpyware.com
2010-03-11 12:16 . 2010-03-11 12:16 -------- d-----w- c:\documents and settings\ajhoffm\Application Data\SUPERAntiSpyware.com
2010-03-11 12:12 . 2010-03-11 12:12 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-11 02:25 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-11 02:25 . 2010-03-11 02:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-11 02:25 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-10 01:27 . 2010-03-10 01:27 -------- d-----w- c:\documents and settings\ajhoffm\Application Data\AVG8
2010-03-10 01:27 . 2010-03-10 01:27 -------- d-----w- c:\documents and settings\ajhoffm\Application Data\AVG8
2010-03-10 01:17 . 2010-03-10 01:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG8
2010-03-06 13:50 . 2010-03-06 13:50 -------- d-----w- c:\documents and settings\ajhoffm\Application Data\ubxdiu
2010-03-06 13:50 . 2010-03-06 13:50 -------- d-----w- c:\documents and settings\ajhoffm\Application Data\ubxdiu
2010-03-05 01:36 . 2010-03-05 01:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe Systems
2010-03-05 01:35 . 2010-03-05 01:35 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2010-02-24 00:31 . 2010-02-24 00:31 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2010-02-16 00:57 . 2010-02-16 00:57 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-02-16 00:43 . 2010-02-16 00:43 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Adobe
2010-02-16 00:29 . 2010-02-16 00:29 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-02-16 00:27 . 2010-02-16 00:27 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-02-15 22:58 . 2010-02-05 17:35 149488 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.89\Locales\ca.dll
2010-02-15 22:58 . 2010-02-05 17:35 175600 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.89\Locales\bn.dll
2010-02-15 22:58 . 2010-02-05 17:35 164848 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.89\Locales\bg.dll
2010-02-15 22:58 . 2010-02-05 17:35 14492144 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.89\chrome.dll
2010-02-15 22:58 . 2010-02-05 17:35 61424 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.89\avutil-50.dll
2010-02-15 22:58 . 2010-02-05 17:35 135152 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.89\avformat-52.dll
2010-02-15 22:58 . 2010-02-05 17:35 80368 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.89\Locales\am.dll
2010-02-15 22:58 . 2010-02-05 17:35 176624 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.89\Locales\ar.dll
2010-02-15 22:58 . 2010-02-05 17:35 1112560 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.89\avcodec-52.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-15 22:57 . 2010-02-15 22:59 670704 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.89\Installer\setup.exe
2010-02-05 17:36 . 2010-01-21 02:12 527344 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\chrome.exe
2010-02-05 17:36 . 2010-02-15 22:59 73200 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.89\Locales\zh-TW.dll
2010-02-05 17:36 . 2010-02-15 22:59 109040 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.89\rlz.dll
2010-01-27 13:31 . 2010-01-27 13:32 670704 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.78\Installer\setup.exe
2010-01-21 06:24 . 2010-01-27 13:32 73200 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.78\Locales\zh-TW.dll
2010-01-21 06:24 . 2010-01-27 13:32 72176 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.78\Locales\zh-CN.dll
2010-01-21 06:24 . 2010-01-27 13:32 109040 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.78\rlz.dll
2010-01-21 06:22 . 2010-01-27 13:32 1112560 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Chrome\Application\4.0.249.78\avcodec-52.dll
2010-01-21 02:10 . 2010-01-21 02:10 -------- d-----w- c:\documents and settings\ajhoffm\Application Data\Temp
2010-01-21 02:09 . 2010-01-21 02:09 135664 ----a-w- c:\documents and settings\ajhoffm\Application Data\Google\Update\GoogleUpdate.exe
2009-12-31 15:50 . 2001-08-23 17:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2004-02-06 23:05 916480 ------w- c:\windows\system32\wininet.dll
2003-03-28 16:22 . 2003-03-28 16:22 0 ----a-w- c:\program files\Settings.ini
2000-11-01 20:51 . 2000-11-01 20:51 23357 ---h--w- c:\program files\folder.htt
2003-01-28 15:22 . 2003-01-28 15:22 32 --sha-w- c:\windows\SYSTEM\{68CF359C-9ED8-4A9E-A10F-2CBBDEA89D88}.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\ajhoffm\Application Data\ubxdiu ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"Google Update"="c:\documents and settings\ajhoffm\Application Data\Google\Update\GoogleUpdate.exe" [2010-01-21 135664]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-07 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-18 2012912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wcmdmgr"="c:\windows\wt\wcmdmgrl.exe" [2000-09-15 20480]
"sealmon"="c:\program files\SealedMedia\sealmon.exe" [2007-04-03 296080]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-01-13 69632]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-01-09 253952]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-15 286720]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2000-08-15 311350]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-15 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-07 39408]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Printing Migration"="c:\windows\System32\spool\migrate.dll" [2001-08-23 30208]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2010-3-4 25214]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-9 28672]
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-9 147456]
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2006-4-21 1385400]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^DOCUME~1^ALLUSE~1^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
path=c:\docume~1\ALLUSE~1\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk
backup=c:\windows\pss\Cisco Systems VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^DOCUME~1^ALLUSE~1^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"hpsysdrv"=c:\windows\SYSTEM32\HPSYSDRV.EXE
"Delay"=c:\windows\delayrun.exe
"MotiveMonitor"=c:\program files\Motive\motmon.exe
"WorksFUD"=c:\program files\Microsoft Works\wkfud.exe
"LoadQM"=loadqm.exe
"LexStart"=Lexstart.exe
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe"
"ccRegVfy"="c:\program files\Common Files\Symantec Shared\ccRegVfy.exe"
"QuickTime Task"="c:\windows\SYSTEM32\QTTASK.EXE" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\System32\\DPLAYSVR.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"500:UDP"= 500:UDP:VPN-500-UDP
"4500:UDP"= 4500:UDP:VPN-4500-UDP
"10000:UDP"= 10000:UDP:VPN-10000-UDP
"9420:TCP"= 9420:TCP:RSP

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 10:15 AM 66632]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 10:15 AM 12872]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/15/2010 7:52 PM 135664]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
2008-04-14 00:12 73216 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
2008-04-14 00:12 73216 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
2008-04-14 00:12 73216 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
2008-04-14 00:12 73216 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
2001-03-23 21:17 7168 ------w- c:\windows\SYSTEM32\UPDCRL.EXE
.
Contents of the 'Scheduled Tasks' folder

2010-03-17 c:\windows\Tasks\Uninstall Expiration Reminder.job
- c:\windows\System32\OOBE\oobebaln.exe [2004-05-29 00:12]

2008-02-09 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 1200 series272A572217594EBCF1CEE215E352B92AD073FDE4193969839.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 22:56]

2010-03-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 00:52]

2010-03-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 00:52]

2010-03-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1993962763-2147065759-1202660629-1004Core1cab7502c58a3a0.job
- c:\documents and settings\ajhoffm\Application Data\Google\Update\GoogleUpdate.exe [2010-01-21 02:09]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uStart Page = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-03-17 16:49
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\$$$\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(488)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2028)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\system32\wdfmgr.exe
c:\windows\wt\wcmdmgr.exe
c:\program files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
c:\program files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
.
**************************************************************************
.
Completion time: 2010-03-17 16:54:19 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-17 21:54
ComboFix2.txt 2010-03-17 04:24
ComboFix3.txt 2010-03-12 23:14

Pre-Run: 20,693,237,760 bytes free
Post-Run: 20,568,637,440 bytes free

- - End Of File - - F85956351E2C0DF6A9F99BB32D7B0EEC

ToneLoc8234
Novice

Posts : 21
Joined : 2010-03-10
OS : Windows XP
Points : 24973
# Likes : 0

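As an added example (not part of this thread, of ComboFix or of any tool the helpers use), a small Python triage helper for the "Reg Loading Points" format in the ComboFix log above: it parses the dated `"name"="path" [date size]` entries under the Run/RunOnce keys, flags autoruns that load from outside Program Files or Windows (a user-writable profile folder is a common location for a rogue antivirus dropper), and reads the `EnableFirewall` value. The sample log is a constructed excerpt of the lines posted above, and `TRUSTED_PREFIXES` is a triage heuristic of my own, not a ComboFix setting.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.
Added example for this thread, not part of ComboFix or the original posts;
TRUSTED_PREFIXES is a heuristic: a flagged entry means 'look', not 'malware'."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Entry shape used by ComboFix under each [HK...\Run] key:
#   "name"="c:\path\to\file.exe" [YYYY-MM-DD size]
_KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_ENTRY_LINE = re.compile(r'^"(?P<name>[^"]+)"=\s*"?(?P<path>[^"\[]+?)"?\s*'
                         r"\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]$")
_FIREWALL_LINE = re.compile(r'^"EnableFirewall"=\s*(?P<val>\d+)')

# Autoruns are normally installed under these; a Run entry loading from a
# user-writable profile folder is a common sign of a rogue antivirus dropper.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\windows\\")

@dataclass
class Autorun:
    key: str
    name: str
    path: str
    date: str
    size: int

    @property
    def outside_trusted(self) -> bool:
        return not self.path.lower().startswith(TRUSTED_PREFIXES)

def parse_autoruns(log: str) -> List[Autorun]:
    """Collect every dated entry listed under a Run or RunOnce key."""
    found: List[Autorun] = []
    key: Optional[str] = None
    for raw in log.splitlines():
        line = raw.strip()
        key_match = _KEY_LINE.match(line)
        if key_match:
            key = key_match["key"]
            continue
        entry = _ENTRY_LINE.match(line)
        if entry and key and key.lower().endswith(("\\run", "\\runonce")):
            found.append(Autorun(key, entry["name"], entry["path"].strip(),
                                 entry["date"], int(entry["size"])))
    return found

def firewall_enabled(log: str) -> Optional[bool]:
    """Read the standardprofile EnableFirewall value; None if the log lacks it."""
    for raw in log.splitlines():
        match = _FIREWALL_LINE.match(raw.strip())
        if match:
            return match["val"] != "0"
    return None

def triage(log: str) -> dict:
    """Summarise what a helper would want to see first."""
    runs = parse_autoruns(log)
    return {"autoruns": len(runs),
            "outside_trusted": [a.path for a in runs if a.outside_trusted],
            "firewall_enabled": firewall_enabled(log)}

# Constructed excerpt of the log posted above, used as sample input.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\ajhoffm\Application Data\Google\Update\GoogleUpdate.exe" [2010-01-21 135664]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-07 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wcmdmgr"="c:\windows\wt\wcmdmgrl.exe" [2000-09-15 20480]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""
```

On the sample, `triage(SAMPLE_LOG)` reports three autoruns, one loading from the user's Application Data (Google Update, legitimate here but worth a look), and the firewall disabled, matching the Security Check result later in the thread.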

Re: Trojan Horse Cryptic.Z win32/nuqel.E AntiVirus Soft Infection-Can't run program

Post by Dr Jay on 17th March 2010, 11:55 pm

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator

Posts : 14310
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro
Arch. : x64 (64-bit)
Protection : Bitdefender Total Security
Points : 302971
# Likes : 10


Re: Trojan Horse Cryptic.Z win32/nuqel.E AntiVirus Soft Infection-Can't run program

Post by ToneLoc8234 on 18th March 2010, 3:24 am

Malwarebytes' Anti-Malware 1.44
Database version: 3878
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/17/2010 10:24:00 PM
mbam-log-2010-03-17 (22-24-00).txt

Scan type: Quick Scan
Objects scanned: 128504
Time elapsed: 9 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: Trojan Horse Cryptic.Z win32/nuqel.E AntiVirus Soft Infection-Can't run program

Post by Dr Jay on 18th March 2010, 1:55 pm

Now, to get you off to a good start, we will clean your restore points so that all the bad stuff is gone for good. Then, if you need to restore at some stage, you will be clean. There are several ways to reset your restore points, but this is my method:
  • Select Start > All Programs > Accessories > System Tools > System Restore.
  • On the dialogue box that appears, select Create a Restore Point.
  • Click NEXT.
  • Enter a name, e.g. Clean.
  • Click CREATE.

You now have a clean restore point. To get rid of the bad ones:
  • Select Start > All Programs > Accessories > System Tools > Disk Cleanup.
  • In the drop-down box that appears, select your main drive, e.g. C.
  • Click OK.
  • The system will do some calculation and then display a dialogue box with tabs.
  • Select the More Options tab.
  • At the bottom will be a System Restore box with a CLEANUP button; click this.
  • Accept the warning and select OK again; the program will close and you are done.


To remove all of the tools we used and the files and folders they created, please do the following:
Please download [You must be registered and logged in to see this link.] by OldTimer:

  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

==

Please download [You must be registered and logged in to see this link.] to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.


==

Download Security Check by screen317 from [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Re: Trojan Horse Cryptic.Z win32/nuqel.E AntiVirus Soft Infection-Can't run program

Post by ToneLoc8234 on 19th March 2010, 3:00 am

Results of screen317's Security Check version 0.99.1
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
``````````````````````````````
Anti-malware/Other Utilities Check:

Ad-Aware
SUPERAntiSpyware Free Edition
CCleaner (remove only)
Java 2 Runtime Environment Standard Edition v1.3.1_04
Java(TM) SE Runtime Environment 6 Update 1
Java(TM) 6 Update 2
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 9.3.1
``````````````````````````````
Process Check:
objlist.exe by Laurent

Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
``````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````


Re: Trojan Horse Cryptic.Z win32/nuqel.E AntiVirus Soft Infection-Can't run program

Post by Dr Jay on 19th March 2010, 3:49 am

Please download the newest version of Java from [You must be registered and logged in to see this link.].

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

=========

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

Antivirus/Antispyware

  • [You must be registered and logged in to see this link.]: this is Microsoft's free antivirus/antispyware program. It equips you with protection against viruses, spyware, trojans, rootkits, and worms. It is also light on the computer's performance. Note: when installing this, you have both an antivirus and antispyware. Make sure you also get a firewall.
  • [You must be registered and logged in to see this link.]: this is one of the most powerful and easiest-to-use security programs. The free version equips you with protection against viruses, spyware, trojans, rootkits, worms, and rogue software. Note: when installing this, you have both an antivirus and antispyware. Make sure you also get a firewall.


Firewall

  • [You must be registered and logged in to see this link.]: the free version is just as good as the premium. I have linked you to the free version.
  • [You must be registered and logged in to see this link.]: the free version is just as good as the premium. I have linked you to the free version. The optional security suite enhances the firewall by 40%. If you would like to install the suite that includes antivirus, then remove your old antivirus first.
  • [You must be registered and logged in to see this link.]: free and excellent firewall.


Note: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
[You must be registered and logged in to see this link.]

Securing your computer

  • [You must be registered and logged in to see this link.] - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • [You must be registered and logged in to see this link.] replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.


Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:


See [You must be registered and logged in to see this link.] for more info about malware and prevention.

Thank you for choosing GeekPolice. Please see [You must be registered and logged in to see this link.] if you would like to leave feedback or contribute to our site. Do you have any more questions?



Re: Trojan Horse Cryptic.Z win32/nuqel.E AntiVirus Soft Infection-Can't run program

Post by ToneLoc8234 on 19th March 2010, 9:50 pm

I will update per all of your recommendations. Thank you very much for all of your help and patience. It has been much appreciated!!! Not sure if I can monetarily give, but I will post an excellent recommendation per first-hand experience on this site. I will look into the process for donating as time provides over the weekend/next week.

Thank you very much!!!


Re: Trojan Horse Cryptic.Z win32/nuqel.E AntiVirus Soft Infection-Can't run program

Post by Dr Jay on 20th March 2010, 3:15 am

You're welcome!


