Malware - Win32.Nuqel.E and Bankfox.A


Malware - Win32.Nuqel.E and Bankfox.A

Post by GregY on Tue May 25, 2010 7:29 pm

Prior to the malware infection, I had downloaded and installed MalwareBytes Anti-Malware. I also run Trend Client/Server antivirus on my local computer.

In Safe Mode, I was able to run MalwareBytes and delete and quarantine the following:

Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lpwdfxkk (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

I re-booted the system and was able to run in Normal Mode. I unchecked the box "System Restore". I ran both the MalwareBytes and Trend software to search for additional infections and they both came back clean.

THE PROBLEM THAT I HAVE ENCOUNTERED IS:

Every time I try to go to the Internet, Trend gives me an error message of "Unauthorized URL Detected", and it boots me out of the internet. This error message also occurs when I am not on the internet. The error message is long, but I think the URL is: CLKH71YHKS66.COM/EOGOG/NB4AJOHMAJX9XO+4UQBGVXQZ1WB. It is longer than that, but that is all I could get.

The following is the error message I get from Internet Explorer:

We were unable to return you to msn.com.

Internet Explorer has stopped trying to restore this website. It appears that the website continues to have a problem.
What you can do:
Go to your home page

Try to return to msn.com

More information

When a website causes a failure or crash, Internet Explorer attempts to restore the site. It stops after two tries to avoid an endless loop.



Any suggestions? Thank you for your time.

Greg

GregY
Novice

Posts : 5
Joined : 2010-05-25
OS : Windows XP

Re: Malware - Win32.Nuqel.E and Bankfox.A

Post by Belahzur on Tue May 25, 2010 8:59 pm

Download [You must be registered and logged in to see this link.] by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you; one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

OTL.txt - part 1 of 2

Post by GregY on Tue May 25, 2010 9:29 pm

OTL logfile created on: 5/25/2010 2:15:16 PM - Run 1
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Documents and Settings\gyup\My Documents\Personal Folders\Family Folder\Greg Yup\Other\Software for viruses
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 75.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 90.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.83 Gb Total Space | 24.09 Gb Free Space | 43.16% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 683.10 Gb Total Space | 483.47 Gb Free Space | 70.78% Space Free | Partition Type: NTFS
I: Drive not present or media not loaded
Drive J: | 683.10 Gb Total Space | 483.47 Gb Free Space | 70.78% Space Free | Partition Type: NTFS
Drive K: | 758.06 Gb Total Space | 493.28 Gb Free Space | 65.07% Space Free | Partition Type: NTFS
Drive M: | 683.10 Gb Total Space | 483.47 Gb Free Space | 70.78% Space Free | Partition Type: NTFS
Drive R: | 683.10 Gb Total Space | 483.47 Gb Free Space | 70.78% Space Free | Partition Type: NTFS
Drive S: | 683.10 Gb Total Space | 483.47 Gb Free Space | 70.78% Space Free | Partition Type: NTFS
Drive T: | 33.86 Gb Total Space | 5.42 Gb Free Space | 16.00% Space Free | Partition Type: NTFS

Computer Name: DELLLAPTOPD810
Current User Name: gyup
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/25 14:13:00 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\gyup\My Documents\Personal Folders\Family Folder\Greg Yup\Other\Software for viruses\OTL.exe
PRC - [2010/05/13 15:35:44 | 000,435,584 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Client Server Security Agent\CNTAoSMgr.exe
PRC - [2010/03/18 03:29:12 | 001,353,968 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Client Server Security Agent\TmListen.exe
PRC - [2010/03/02 05:19:18 | 000,959,784 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Client Server Security Agent\PccNTMon.exe
PRC - [2010/02/26 01:04:34 | 000,238,888 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Client Server Security Agent\PccNTUpd.exe
PRC - [2010/02/26 01:04:02 | 001,312,040 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Client Server Security Agent\NTRtScan.exe
PRC - [2009/12/01 04:13:12 | 000,345,352 | ---- | M] () -- C:\Program Files\Trend Micro\BM\TMBMSRV.exe
PRC - [2009/08/18 12:29:22 | 001,529,728 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
PRC - [2009/08/18 12:29:22 | 000,183,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
PRC - [2009/08/07 18:15:06 | 000,242,048 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2009/07/15 17:37:18 | 000,689,416 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Client Server Security Agent\TmProxy.exe
PRC - [2009/05/27 21:43:08 | 002,277,376 | ---- | M] (AltiGen) -- C:\Program Files\AltiGen\MaxCommunicator\MaxCommunicator.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/11/28 16:28:12 | 000,020,480 | ---- | M] ( ) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
PRC - [2004/12/28 19:18:24 | 001,794,048 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe
PRC - [2004/12/24 18:22:30 | 000,479,232 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
PRC - [2004/11/30 03:09:34 | 000,253,952 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
PRC - [2004/11/10 12:54:48 | 000,598,016 | ---- | M] () -- C:\Program Files\Dell\QuickSet\quickset.exe
PRC - [2004/10/13 12:13:58 | 000,450,560 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
PRC - [2004/10/01 21:53:54 | 000,307,200 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosOBEX.exe
PRC - [2004/09/17 17:03:58 | 001,437,712 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
PRC - [2004/07/10 22:16:58 | 000,225,280 | ---- | M] (PFU LIMITED) -- C:\Program Files\PFU\Error Recovery Guide\FTErGuid.exe
PRC - [2003/12/19 11:26:16 | 000,212,992 | ---- | M] (PFU LIMITED) -- C:\WINDOWS\twain_32\Fjscan32\SOP\FtLnSOP.exe
PRC - [2003/05/15 02:19:50 | 000,217,193 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
PRC - [2003/04/24 15:35:18 | 000,126,976 | ---- | M] (FUJITSU LIMITED) -- C:\WINDOWS\twain_32\Fjscan32\FjtwSetup.exe


========== Modules (SafeList) ==========

MOD - [2010/05/25 14:13:00 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\gyup\My Documents\Personal Folders\Family Folder\Greg Yup\Other\Software for viruses\OTL.exe
MOD - [2008/04/13 17:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/03/18 03:29:12 | 001,353,968 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe -- (tmlisten)
SRV - [2010/02/26 01:04:02 | 001,312,040 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe -- (ntrtscan)
SRV - [2009/12/01 04:13:12 | 000,345,352 | ---- | M] () [On_Demand | Running] -- C:\Program Files\Trend Micro\BM\TMBMSRV.exe -- (TMBMServer)
SRV - [2009/08/18 12:29:22 | 001,529,728 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)
SRV - [2009/08/07 18:15:06 | 000,242,048 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2009/07/15 17:37:18 | 000,689,416 | ---- | M] (Trend Micro Inc.) [On_Demand | Running] -- C:\Program Files\Trend Micro\Client Server Security Agent\TmProxy.exe -- (TmProxy)
SRV - [2006/11/28 16:28:12 | 000,020,480 | ---- | M] ( ) [Auto | Running] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2006/11/09 16:30:14 | 000,065,536 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2004/09/17 17:03:58 | 001,437,712 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)


========== Driver Services (SafeList) ==========

DRV - [2009/12/04 16:39:06 | 000,230,928 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\Program Files\Trend Micro\Client Server Security Agent\tmxpflt.sys -- (TmFilter)
DRV - [2009/12/04 16:38:18 | 000,036,368 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\Program Files\Trend Micro\Client Server Security Agent\tmpreflt.sys -- (TmPreFilter)
DRV - [2009/12/04 16:05:06 | 001,322,680 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\Program Files\Trend Micro\Client Server Security Agent\vsapint.sys -- (VSApiNt)
DRV - [2009/07/15 10:37:40 | 000,089,872 | ---- | M] (Trend Micro Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tmtdi.sys -- (tmtdi)
DRV - [2009/07/06 07:11:50 | 000,059,920 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tmactmon.sys -- (tmactmon)
DRV - [2009/07/06 07:11:46 | 000,050,704 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tmevtmgr.sys -- (tmevtmgr)
DRV - [2009/07/06 07:11:12 | 000,158,224 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm)
DRV - [2005/01/11 14:18:22 | 000,800,768 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/01/08 02:15:40 | 000,051,582 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Tosporte.sys -- (tosporte)
DRV - [2005/01/06 14:42:42 | 000,018,612 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tosrfnds.sys -- (tosrfnds)
DRV - [2004/12/24 19:36:38 | 000,097,792 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\TosRfbd.sys -- (Tosrfbd)
DRV - [2004/12/21 12:38:12 | 000,034,816 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tosrfusb.sys -- (Tosrfusb)
DRV - [2004/12/15 18:30:14 | 000,050,048 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\TosRfSnd.sys -- (TosRfSnd) Bluetooth Audio Device (WDM)
DRV - [2004/12/06 16:12:18 | 000,369,024 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2004/11/15 23:51:54 | 000,050,048 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\TosRfhid.sys -- (Tosrfhid)
DRV - [2004/10/04 11:33:02 | 000,062,799 | ---- | M] (TOSHIBA Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tosrfcom.sys -- (Tosrfcom)
DRV - [2004/09/17 17:02:58 | 000,268,872 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2004/09/15 20:53:12 | 000,271,704 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\STAC97.sys -- (STAC97)
DRV - [2004/08/23 15:49:30 | 000,121,472 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2004/08/18 15:53:54 | 000,016,128 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS -- (APPDRV)
DRV - [2004/07/08 18:07:34 | 000,036,531 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tosrfbnp.sys -- (Tosrfbnp)
DRV - [2004/06/17 16:57:02 | 000,200,064 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
DRV - [2004/06/17 16:55:38 | 000,685,056 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/06/17 16:55:04 | 001,041,536 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2004/05/03 17:26:16 | 000,080,384 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gtipci21.sys -- (GTIPCI21)
DRV - [2003/12/05 15:51:58 | 000,016,512 | ---- | M] (Adaptec) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\ASPI32.SYS -- (Aspi32)
DRV - [2003/07/24 19:55:50 | 000,139,604 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
DRV - [2003/05/01 14:26:34 | 000,005,220 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2002/10/16 14:55:48 | 000,002,851 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Toshidpt.sys -- (toshidpt)
DRV - [2001/08/22 09:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = BB A2 F6 A3 DF C2 CA 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" =
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

FF - HKLM\software\mozilla\Firefox\extensions\\{27182e60-b5f3-411c-b545-b44205977502}: C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\ [2010/02/12 16:33:15 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{22C7F6C6-8D67-4534-92B5-529A0EC09405}: C:\Program Files\Trend Micro\Client Server Security Agent\bho\1007\FirefoxExtension [2010/05/14 13:08:35 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2004/08/04 05:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (TmIEPlugInBHO Class) - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\Client Server Security Agent\bho\1007\TmIEPlg.dll (Trend Micro Inc.)
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O2 - BHO: (MSN Toolbar BHO) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\npwinext.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKLM\..\Toolbar: (MSN Toolbar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\npwinext.dll (Microsoft Corporation)
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
O4 - HKLM..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe ()
O4 - HKLM..\Run: [FJTWAIN Setup] C:\WINDOWS\Twain_32\fjscan32\FjtwSetup.exe (FUJITSU LIMITED)
O4 - HKLM..\Run: [FtLnSOP_setup] C:\WINDOWS\twain_32\Fjscan32\SOP\FtLnSOP.exe (PFU LIMITED)
O4 - HKLM..\Run: [Microsoft Default Manager] C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe (Microsoft Corporation)
O4 - HKLM..\Run: [OE] C:\Program Files\Trend Micro\Client Server Security Agent\TMAS_OE\TMAS_OEMon.exe (Trend Micro Inc.)
O4 - HKLM..\Run: [OfficeScanNT Monitor] C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe (Trend Micro Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe (Adobe Systems Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk = C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe (TOSHIBA CORPORATION.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe (Cisco Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Error Recovery Guide.lnk = C:\Program Files\PFU\Error Recovery Guide\FTErGuid.exe (PFU LIMITED)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MaxCommunicator.lnk = C:\Program Files\AltiGen\MaxCommunicator\MaxCommunicator.exe (AltiGen)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.4.2_03)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} [You must be registered and logged in to see this link.] (Shockwave Flash Object)
O16 - DPF: Microsoft XML Parser for Java [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.3 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = aqcpas.int
O18 - Protocol\Handler\tmpx {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\Client Server Security Agent\bho\1007\TmIEPlg.dll (Trend Micro Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\gyup\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\gyup\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/02/12 14:29:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/02/16 11:06:29 | 000,000,000 | ---D | M] - C:\AUTOUPGRADETEMP -- [ NTFS ]
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/05/24 18:32:38 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\gyup\Recent
[2010/05/24 12:32:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/05/24 12:32:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/05/24 12:21:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\gyup\Local Settings\Application Data\yjrvmvsad
[2010/05/12 11:56:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\gyup\Application Data\Malwarebytes
[2010/05/12 11:56:09 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/05/12 11:56:06 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/05/12 11:56:06 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/05/12 11:56:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/05/04 16:18:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SSScanAppDataDir
[2010/05/04 16:18:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/25 14:20:34 | 000,014,589 | ---- | M] () -- C:\WINDOWS\cfgall.ini
[2010/05/25 13:52:57 | 000,540,830 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/05/25 13:52:57 | 000,455,590 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/05/25 13:52:57 | 000,075,788 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/05/25 13:50:10 | 000,000,031 | ---- | M] () -- C:\tmuninst.ini
[2010/05/25 13:48:32 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/25 13:47:49 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/25 13:47:46 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/25 13:46:57 | 005,242,880 | -H-- | M] () -- C:\Documents and Settings\gyup\NTUSER.DAT
[2010/05/25 13:46:32 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\gyup\ntuser.ini
[2010/05/24 14:40:16 | 000,002,495 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Office Excel 2003.lnk
[2010/05/18 14:04:22 | 000,002,521 | ---- | M] () -- C:\Documents and Settings\gyup\Desktop\Microsoft Office Outlook 2003.lnk
[2010/05/12 11:56:12 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/12 11:56:12 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/15 17:46:33 | 000,000,099 | ---- | C] () -- C:\WINDOWS\WirelessFTP.INI
[2010/02/12 21:09:03 | 000,001,172 | ---- | C] () -- C:\WINDOWS\atb32.INI
[2010/02/12 19:59:15 | 000,000,185 | ---- | C] () -- C:\WINDOWS\ZENSESS.INI
[2010/02/12 19:59:14 | 000,000,823 | ---- | C] () -- C:\WINDOWS\ZENITH.INI
[2010/02/12 19:49:57 | 000,139,280 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2010/02/12 19:43:25 | 000,338,944 | ---- | C] () -- C:\WINDOWS\System32\LFFPX7.DLL
[2010/02/12 19:43:25 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\LFKODAK.DLL
[2010/02/12 19:42:48 | 000,131,072 | ---- | C] () -- C:\WINDOWS\System32\FsipDCBW.dll
[2010/02/12 19:42:48 | 000,000,197 | ---- | C] () -- C:\WINDOWS\System32\FjDeskew.ini
[2010/02/12 19:35:54 | 000,000,671 | ---- | C] () -- C:\WINDOWS\FJTWSTI.INI
[2010/02/12 19:35:53 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\fi5650ex0C0A.dll
[2010/02/12 19:35:53 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\fi5650ex0410.dll
[2010/02/12 19:35:53 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\fi5650ex040C.dll
[2010/02/12 19:35:53 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\fi5650ex0407.dll
[2010/02/12 19:35:53 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\fi42202ex0C0A.dll
[2010/02/12 19:35:53 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\fi42202ex0410.dll
[2010/02/12 19:35:53 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\fi42202ex040C.dll
[2010/02/12 19:35:53 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\fi42202ex0407.dll
[2010/02/12 19:35:53 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\fi41202ex0C0A.dll
[2010/02/12 19:35:53 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\fi41202ex0410.dll
[2010/02/12 19:35:53 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\fi41202ex040C.dll
[2010/02/12 19:35:53 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\fi41202ex0407.dll
[2010/02/12 19:35:53 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\fi5650ex0409.dll
[2010/02/12 19:35:53 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\fi42202ex0409.dll
[2010/02/12 19:35:53 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\fi41202ex0409.dll
[2010/02/12 19:35:53 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\fi5650ex0804.dll
[2010/02/12 19:35:53 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\fi5650ex0411.dll
[2010/02/12 19:35:53 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\fi42202ex0804.dll
[2010/02/12 19:35:53 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\fi42202ex0411.dll
[2010/02/12 19:35:53 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\fi41202ex0804.dll
[2010/02/12 19:35:53 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\fi41202ex0411.dll
[2010/02/12 19:35:52 | 000,167,936 | ---- | C] () -- C:\WINDOWS\System32\fi4530ex.dll
[2010/02/12 19:35:52 | 000,167,936 | ---- | C] () -- C:\WINDOWS\System32\fi4220ex.dll
[2010/02/12 19:35:52 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\fi5750ex0C0A.dll
[2010/02/12 19:35:52 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\fi5750ex0410.dll
[2010/02/12 19:35:52 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\fi5750ex040C.dll
[2010/02/12 19:35:52 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\fi5750ex0407.dll
[2010/02/12 19:35:52 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\fi5750ex0409.dll
[2010/02/12 19:35:52 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\fi4530ex0c0a.dll
[2010/02/12 19:35:52 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\fi4530ex0410.dll
[2010/02/12 19:35:52 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\fi4530ex040C.dll
[2010/02/12 19:35:52 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\fi4530ex0409.dll
[2010/02/12 19:35:52 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\fi4530ex0407.dll
[2010/02/12 19:35:52 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\fi4220ex0C0A.dll
[2010/02/12 19:35:52 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\fi4220ex0410.dll
[2010/02/12 19:35:52 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\fi4220ex040C.dll
[2010/02/12 19:35:52 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\fi4220ex0409.dll
[2010/02/12 19:35:52 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\fi4220ex0407.dll
[2010/02/12 19:35:52 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\fi4120ex0C0A.dll
[2010/02/12 19:35:52 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\fi4120ex0410.dll
[2010/02/12 19:35:52 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\fi4120ex040C.dll
[2010/02/12 19:35:52 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\fi5750ex0804.dll
[2010/02/12 19:35:52 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\fi5750ex0411.dll
[2010/02/12 19:35:52 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\fi4530ex0804.dll
[2010/02/12 19:35:52 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\fi4530ex0411.dll
[2010/02/12 19:35:52 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\fi4220ex0804.dll
[2010/02/12 19:35:52 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\fi4220ex0411.dll
[2010/02/12 19:35:52 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\fi4120ex0804.dll
[2010/02/12 19:35:51 | 000,167,936 | ---- | C] () -- C:\WINDOWS\System32\fi4120ex.dll
[2010/02/12 19:35:51 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\fi4120ex0409.dll
[2010/02/12 19:35:51 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\fi4120ex0407.dll
[2010/02/12 19:35:51 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\fi4120ex0411.dll
[2010/02/12 19:18:22 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/02/12 16:41:45 | 000,014,589 | ---- | C] () -- C:\WINDOWS\cfgall.ini
[2010/02/12 16:37:13 | 000,158,224 | ---- | C] () -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2010/02/12 16:37:13 | 000,059,920 | ---- | C] () -- C:\WINDOWS\System32\drivers\tmactmon.sys
[2010/02/12 16:37:13 | 000,050,704 | ---- | C] () -- C:\WINDOWS\System32\drivers\tmevtmgr.sys
[2010/02/12 15:17:35 | 000,000,000 | ---- | C] () -- C:\WINDOWS\tosOBEX.INI
[2010/02/12 14:43:15 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\stac97co.dll
[2006/09/18 15:37:50 | 000,000,530 | ---- | C] () -- C:\WINDOWS\System32\tx12_ic.ini
[2006/09/18 15:37:48 | 000,667,280 | ---- | C] () -- C:\WINDOWS\System32\tx12.dll
[2004/12/02 16:20:12 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\TosBtAcc.dll
[2004/09/22 11:09:06 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\TosCommAPI.dll
[2004/07/20 18:04:02 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\TosBtHcrpAPI.dll
[2004/01/15 15:43:28 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\TBTMonUI.dll
[2003/07/29 16:33:26 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\TosHidAPI.dll
[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
< End of report >

GregY
Novice

Posts : 5
Joined : 2010-05-25
OS : Windows XP

Extras.txt post 2 of 2

Post by GregY on Tue May 25, 2010 9:30 pm

OTL Extras logfile created on: 5/25/2010 2:15:16 PM - Run 1
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Documents and Settings\gyup\My Documents\Personal Folders\Family Folder\Greg Yup\Other\Software for viruses
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 75.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 90.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.83 Gb Total Space | 24.09 Gb Free Space | 43.16% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 683.10 Gb Total Space | 483.47 Gb Free Space | 70.78% Space Free | Partition Type: NTFS
I: Drive not present or media not loaded
Drive J: | 683.10 Gb Total Space | 483.47 Gb Free Space | 70.78% Space Free | Partition Type: NTFS
Drive K: | 758.06 Gb Total Space | 493.28 Gb Free Space | 65.07% Space Free | Partition Type: NTFS
Drive M: | 683.10 Gb Total Space | 483.47 Gb Free Space | 70.78% Space Free | Partition Type: NTFS
Drive R: | 683.10 Gb Total Space | 483.47 Gb Free Space | 70.78% Space Free | Partition Type: NTFS
Drive S: | 683.10 Gb Total Space | 483.47 Gb Free Space | 70.78% Space Free | Partition Type: NTFS
Drive T: | 33.86 Gb Total Space | 5.42 Gb Free Space | 16.00% Space Free | Partition Type: NTFS

Computer Name: DELLLAPTOPD810
Current User Name: gyup
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"64878:TCP" = 64878:TCP:*:Enabled:Trend Micro Client/Server Security Agent Listener

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5910:TCP" = 5910:TCP:*:Enabled:vnc5910

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Intuit\QuickBooks Premier - Accountant Edition\QBDBMgrN.exe" = C:\Program Files\Intuit\QuickBooks Premier - Accountant Edition\QBDBMgrN.exe:*:Enabled:QuickBooks 2007 Data Manager -- (iAnywhere Solutions, Inc.)
"C:\Program Files\AltiGen\JLIB15\jre\bin\java.exe" = C:\Program Files\AltiGen\JLIB15\jre\bin\java.exe:*:Enabled:java -- (Sun Microsystems, Inc.)
"C:\Program Files\AltiGen\JLIB15\jre\bin\javaw.exe" = C:\Program Files\AltiGen\JLIB15\jre\bin\javaw.exe:*:Enabled:javaw -- (Sun Microsystems, Inc.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Documents and Settings\Gregory Yup\Local Settings\Application Data\CrossLoop\vncviewer.exe" = C:\Documents and Settings\Gregory Yup\Local Settings\Application Data\CrossLoop\vncviewer.exe:*:Enabled:vncviewer.exe -- (UltraVNC)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{08234a0d-cf39-4dca-99f0-0c5cb496da81}" = MSN Toolbar
"{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}" = Windows Live ID Sign-in Assistant
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{10CE1EA2-12E9-11D3-825E-00C04F6843FE}" = Microsoft Office Sounds
"{13EB4BEC-7DB4-44C3-A46A-459E35999448}" = QuickScan 3.0
"{1F528948-0E80-4C96-B455-DE4167CB1DF7}" = Internal Network Card Power Management
"{2656D0AB-9EA4-4C58-A117-635F3CED8B93}" = Microsoft UI Engine
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java(TM) 6 Update 17
"{2C5F4884-62AB-4B32-ADB2-BD3D71760CD6}" = OutlookAccessAddInSetup
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36B98FCD-557C-48B0-98B8-60F8435D8492}" = Microsoft Office Word 2003 Redaction Add-in
"{52503B4E-149A-4731-A6FF-495067EABFDC}" = TI_Inst
"{5624C000-B109-11D4-9DB4-00E0290FCAC5}" = VPN Client
"{580E9BBC-A51E-4AE9-A977-7B0939BEDAD3}" = Scanner Utility for Microsoft Windows
"{5A3F6A80-7913-475E-8B96-477A952CFA43}" = SupportSoft Assisted Service
"{61BEA823-ECAF-49F1-8378-A59B3B8AD247}" = Microsoft Default Manager
"{6EECB283-E65F-40EF-86D3-D51BF02A8D43}" = Microsoft Office Converter Pack
"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7E545666-F423-45FD-B3DF-C0B99A1A579F}" = QuickBooks Premier: Accountant Edition 2007
"{8552FD97-5A8E-46F4-9AD8-72A275F1ACCB}" = Microsoft Unified Communications Client API SDK
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90240409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Resource Kit
"{90F80409-6000-11D3-8CFE-0150048383C9}" = Remove Hidden Data Tool
"{91208A47-5D08-4C79-986F-1931940F51BB}" = QuickBooks Product Listing Service
"{91490409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Primary Interop Assemblies
"{91E30409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{93B6A615-555D-49FD-95DE-D8B7192F9A85}" = AltiGenJLIB
"{9DD19562-CB7B-45E3-8041-58070274FB78}" = Error Recovery Guide
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = C-Major Audio
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A65F7CF8-6F76-40CE-B44D-D5A89D9881C7}" = MSN Toolbar Platform
"{AC76BA86-1033-F400-BA7E-000000000001}" = Adobe Acrobat 6.0 Standard - English, Français, Deutsch
"{ADFBC522-0E15-4E35-B932-8CE2EE0DDEA3}" = Microsoft Office 2003 Desktop Language Settings
"{AEFF1CC5-2774-4EAE-A19F-8A86F2E9EFDB}" = ScandAll 21
"{B6828215-1469-43A2-8BEE-F5A970F98161}" = Microsoft Office 2003 International Character Toolbar
"{BE6890C7-31EF-478C-812E-1E2899ABFCA9}" = Broadcom Gigabit Integrated Controller
"{C07C4A6B-8631-46B5-B53E-DEAEA0BA13E6}" = MaxCommunicator 6.0 Update2
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C5074CC4-0E26-4716-A307-960272A90040}" = QuickSet
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}" = Bluetooth Stack for Windows by Toshiba
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{EC719582-B6B4-436A-922B-67094106AB81}" = Creative Commons Add-in for Microsoft Office
"{F8A3C1B6-D2E0-4CE1-80A2-555D6F71C639}" = Microsoft Search Enhancement Pack
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"All ATI Software" = ATI - Software Uninstall Utility
"ATB for Windows 3.04 Workstation" = ATB for Windows 3.04 Workstation
"ATI Display Driver" = ATI Display Driver
"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card
"CCleaner" = CCleaner
"CNXT_MODEM_PCI_VEN_8086&DEV_24x6&SUBSYS_542214F1" = Conexant D110 MDC V.9x Modem
"CrossLoop_is1" = CrossLoop 2.70
"Fujitsu ISIS Drivers" = Fujitsu ISIS Drivers
"ie8" = Windows Internet Explorer 8
"InstallShield_{52503B4E-149A-4731-A6FF-495067EABFDC}" = Texas Instruments PCIxx21/x515 drivers.
"InstallShield_{BE6890C7-31EF-478C-812E-1E2899ABFCA9}" = Broadcom Gigabit Integrated Controller
"KEAVTV5.10" = KEAVT v5.10
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"OfficeScanNT" = Trend Micro Client/Server Security Agent
"Software Operation Panel" = Software Operation Panel
"TValue 5" = TValue 5
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/24/2010 7:45:20 PM | Computer Name = DELLLAPTOPD810 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: The connection with the server was terminated abnormally

Error - 5/24/2010 8:10:52 PM | Computer Name = DELLLAPTOPD810 | Source = ESENT | ID = 490
Description = svchost (356) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\edb.chk"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 5/24/2010 8:10:52 PM | Computer Name = DELLLAPTOPD810 | Source = ESENT | ID = 439
Description = Catalog Database (356) Unable to write a shadowed header for file
C:\WINDOWS\system32\CatRoot2\edb.chk. Error -1032.

Error - 5/24/2010 8:30:03 PM | Computer Name = DELLLAPTOPD810 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module unknown, version 0.0.0.0, fault address 0x00262bd5.

Error - 5/24/2010 8:30:08 PM | Computer Name = DELLLAPTOPD810 | Source = Application Error | ID = 1001
Description = Fault bucket 1873847872.

Error - 5/24/2010 8:33:25 PM | Computer Name = DELLLAPTOPD810 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module unknown, version 0.0.0.0, fault address 0x00262bd5.

Error - 5/25/2010 1:43:26 PM | Computer Name = DELLLAPTOPD810 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module unknown, version 0.0.0.0, fault address 0x00262bd5.

Error - 5/25/2010 1:43:31 PM | Computer Name = DELLLAPTOPD810 | Source = Application Error | ID = 1001
Description = Fault bucket 1873847872.

Error - 5/25/2010 2:45:25 PM | Computer Name = DELLLAPTOPD810 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: The connection with the server was terminated abnormally

Error - 5/25/2010 2:45:25 PM | Computer Name = DELLLAPTOPD810 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

[ System Events ]
Error - 5/24/2010 8:40:03 PM | Computer Name = DELLLAPTOPD810 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 5/24/2010 8:40:03 PM | Computer Name = DELLLAPTOPD810 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 5/24/2010 8:51:31 PM | Computer Name = DELLLAPTOPD810 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 5/24/2010 8:51:31 PM | Computer Name = DELLLAPTOPD810 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 5/25/2010 12:30:06 PM | Computer Name = DELLLAPTOPD810 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 5/25/2010 12:30:06 PM | Computer Name = DELLLAPTOPD810 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 5/25/2010 3:47:03 PM | Computer Name = DELLLAPTOPD810 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 5/25/2010 3:47:03 PM | Computer Name = DELLLAPTOPD810 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 5/25/2010 4:47:54 PM | Computer Name = DELLLAPTOPD810 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 5/25/2010 4:47:54 PM | Computer Name = DELLLAPTOPD810 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.


< End of report >

GregY
Novice

Posts : 5
Joined : 2010-05-25
OS : Windows XP

Re: Malware - Win32.Nuqel.E and Bankfox.A

Post by Belahzur on Tue May 25, 2010 10:49 pm

Hello.

Remove the Proxy setting in Internet Explorer and/or in FireFox.

    In Internet Explorer
  1. Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "Use a proxy server", or reconfigure the proxy server again in case you have set it previously.

    In Firefox
  1. Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection -> choose "No Proxy"
  2. Click the Apply button and restart the computer in normal mode.

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :OTL
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    [2010/05/24 12:21:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\gyup\Local Settings\Application Data\yjrvmvsad


  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
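The fix above does two things by hand: it clears a proxy setting that redirects the browser, and it deletes a Browser Helper Object whose CLSID has no class registration. The script below is an added example for checking both from the registry, and is not code from the thread, from OTL or from Belahzur. It assumes Windows PowerShell 2.0 or later is installed on the XP machine and is run from an account with rights to read HKLM; the function names and the output layout are this script's own. The registry paths and the Firefox `network.proxy.type` preference are the real ones.

```powershell
# Added example, not code from the thread, from OTL or from Belahzur: a read-only audit
# of what the manual fix touches, the WinINet proxy settings Internet Explorer uses and
# the Browser Helper Objects loaded into iexplore.exe, plus the Firefox proxy mode.
# Assumes Windows PowerShell 2.0 or later; the function names are this script's own.

$IESettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$BhoKey     = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Get-IEProxyState {
    # A hijacked configuration shows up as ProxyEnable = 1 with a ProxyServer, or as an
    # AutoConfigURL (PAC script), that the user never set.
    $p = Get-ItemProperty -Path $IESettings
    New-Object PSObject -Property @{
        ProxyEnable   = [int]$p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        AutoConfigURL = $p.AutoConfigURL
        ProxyOverride = $p.ProxyOverride
    }
}

function Disable-IEProxy {
    # Same effect as unchecking "Use a proxy server" in LAN Settings and clearing the PAC URL.
    Set-ItemProperty -Path $IESettings -Name ProxyEnable -Value 0 -Type DWord
    foreach ($name in 'ProxyServer', 'AutoConfigURL') {
        Remove-ItemProperty -Path $IESettings -Name $name -ErrorAction SilentlyContinue
    }
}

function Get-BrowserHelperObjects {
    # Each subkey name is a CLSID. The DLL it loads is the default value of
    # HKLM\Software\Classes\CLSID\<clsid>\InprocServer32. A BHO whose CLSID has no
    # class registration at all is what OTL reports as "No CLSID value found".
    if (-not (Test-Path $BhoKey)) { return }
    Get-ChildItem -Path $BhoKey | ForEach-Object {
        $clsid  = $_.PSChildName
        $clsKey = "HKLM:\Software\Classes\CLSID\$clsid"
        $inproc = "$clsKey\InprocServer32"
        $dll    = $null
        $exists = $false
        if (Test-Path $inproc) {
            $dll = (Get-ItemProperty -Path $inproc).'(default)'
            if ($dll) { $exists = Test-Path ([Environment]::ExpandEnvironmentVariables($dll)) }
        }
        New-Object PSObject -Property @{
            CLSID      = $clsid
            Registered = (Test-Path $clsKey)
            Dll        = $dll
            DllOnDisk  = $exists
        }
    }
}

function Get-FirefoxProxyType {
    # prefs.js stores the mode as: user_pref("network.proxy.type", N);
    # 0 = no proxy, 1 = manual, 2 = PAC URL, 4 = auto-detect, 5 = system settings.
    # An absent line means the preference is at Firefox's built-in default.
    $profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (-not (Test-Path $profiles)) { return }
    Get-ChildItem -Path $profiles | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $prefs = Join-Path $_.FullName 'prefs.js'
        $type  = 'default'
        if (Test-Path $prefs) {
            $m = Select-String -Path $prefs -Pattern 'user_pref\("network\.proxy\.type",\s*(\d+)\)' |
                 Select-Object -First 1
            if ($m) { $type = $m.Matches[0].Groups[1].Value }
        }
        New-Object PSObject -Property @{ Profile = $_.Name; ProxyType = $type }
    }
}

# Report. Uncomment Disable-IEProxy to apply the same change as the manual fix.
$proxy = Get-IEProxyState
$proxy | Format-List
if ($proxy.ProxyEnable -eq 1 -or $proxy.AutoConfigURL) {
    Write-Warning "IE proxy is active: server='$($proxy.ProxyServer)' pac='$($proxy.AutoConfigURL)'"
    # Disable-IEProxy
}
Get-BrowserHelperObjects | Format-Table CLSID, Registered, Dll, DllOnDisk -AutoSize
Get-FirefoxProxyType | Format-Table Profile, ProxyType -AutoSize
```

A BHO row with `Registered = False` is the registry state the O2 line in the fix describes; a row with `Registered = True` but `DllOnDisk = False` is a leftover of something already removed. Any row whose DLL lives under a user's Local Settings or Temp directory deserves a look, since legitimate add-ons install under Program Files.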

Copy of log after "run fix"

Post by GregY on Tue May 25, 2010 11:01 pm

========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
C:\Documents and Settings\gyup\Local Settings\Application Data\yjrvmvsad folder moved successfully.

OTL by OldTimer - Version 3.2.5.0 log created on 05252010_155708

GregY
Novice

Posts : 5
Joined : 2010-05-25
OS : Windows XP

Re: Malware - Win32.Nuqel.E and Bankfox.A

Post by Belahzur on Tue May 25, 2010 11:05 pm

Hello.

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan.

Post the log when done.




Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

Re: Malware - Win32.Nuqel.E and Bankfox.A

Post by GregY on Tue May 25, 2010 11:22 pm

Malwarebytes' Anti-Malware 1.46

Database version: 4143

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/25/2010 4:18:37 PM
mbam-log-2010-05-25 (16-18-37).txt

Scan type: Quick scan
Objects scanned: 147401
Time elapsed: 13 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I still have the problem...............

GregY
Novice

Posts : 5
Joined : 2010-05-25
OS : Windows XP

Re: Malware - Win32.Nuqel.E and Bankfox.A

Post by Belahzur on Tue May 25, 2010 11:29 pm

Hello.

  • Download combofix from here

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:
    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See the linked guide for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.




Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
