TR/Kazy infection-OTL.txt/ addl logs in addl posts

Page 2 of 2 Previous  1, 2

View previous topic View next topic Go down

Re: TR/Kazy infection-OTL.txt/ addl logs in addl posts

Post by robbhenningsr on Mon Nov 14, 2011 12:37 am

No, thanks, format is a bit extreme, yet. I've seen this once before, I just don't remember exactly how to go about tracking down and re-setting the appropriate devices.

One thing I did notice, while just looking around on the pc, is there are a number of items in "Services" that are showing as stopped...among those stopped are IP configuration.

If you know more about "Services" settings, or can refer me to someone who might, your help would be appreciated. Meanwhile, I'll keep researching on this end, as time and talent permit.

Thanks,

Patricia

robbhenningsr
Novice
Novice

Posts Posts : 39
Joined Joined : 2011-10-19
OS OS : XP Media Ctr 2002 Service pack 3
Points Points : 19313
# Likes # Likes : 0

View user profile

Back to top Go down

Re: TR/Kazy infection-OTL.txt/ addl logs in addl posts

Post by Belahzur on Mon Nov 14, 2011 2:19 am

Hello.
I'm back with an idea.

Please download FSS from [You must be registered and logged in to see this link.]

Press the scan button, and it will make a log file when it's finished.
Copy and paste the log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245059
# Likes # Likes : 1

View user profile

Back to top Go down

Re: TR/Kazy infection-OTL.txt/ addl logs in addl posts

Post by robbhenningsr on Mon Nov 14, 2011 3:08 am

I'm sorry, but "from where?" No link in previous message, not sure where to look-- I'll check back. Thanks,

Patricia

robbhenningsr
Novice
Novice

Posts Posts : 39
Joined Joined : 2011-10-19
OS OS : XP Media Ctr 2002 Service pack 3
Points Points : 19313
# Likes # Likes : 0

View user profile

Back to top Go down

Re: TR/Kazy infection-OTL.txt/ addl logs in addl posts

Post by Belahzur on Mon Nov 14, 2011 4:06 pm

Where it says "here" is a hyperlink.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245059
# Likes # Likes : 1

View user profile

Back to top Go down

Re: TR/Kazy infection-OTL.txt/ addl logs in addl posts

Post by robbhenningsr on Mon Nov 14, 2011 4:58 pm

Thanks, for no apparent reason, the link didn't activate when I moused over it, yesterday...got it now!

Thanks,

Patricia

robbhenningsr
Novice
Novice

Posts Posts : 39
Joined Joined : 2011-10-19
OS OS : XP Media Ctr 2002 Service pack 3
Points Points : 19313
# Likes # Likes : 0

View user profile

Back to top Go down

Re: TR/Kazy infection-OTL.txt/ addl logs in addl posts

Post by robbhenningsr on Mon Nov 14, 2011 5:02 pm

Here is the FSS log:

Farbar Service Scanner
Ran by HP_Administrator (administrator) on 14-11-2011 at 12:00:10
Microsoft Windows XP Service Pack 3 (X86)
********************************************************

Service Check:
==============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
The start type of NetBt service is OK.
The ImagePath of NetBt service is OK.


File Check:
===========
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys is missing.
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

Connection Status:
==================
Localhost is accessible.
There is no connection to network.
Attempt to Google returned error: Google site is unreachable
Attemp to yahoo returend error: Yahoo site is unreachable

**** End of log ****

I'll wait for further advice...
Thanks,
Patricia

robbhenningsr
Novice
Novice

Posts Posts : 39
Joined Joined : 2011-10-19
OS OS : XP Media Ctr 2002 Service pack 3
Points Points : 19313
# Likes # Likes : 0

View user profile

Back to top Go down

Re: TR/Kazy infection-OTL.txt/ addl logs in addl posts

Post by Belahzur on Mon Nov 14, 2011 5:11 pm

I believe we found the problem. While I do some research, do you have your XP disc? a critical system file was deleted by the infection and needs replacing.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245059
# Likes # Likes : 1

View user profile

Back to top Go down

Re: TR/Kazy infection-OTL.txt/ addl logs in addl posts

Post by robbhenningsr on Mon Nov 14, 2011 5:12 pm

No, this pc did not come with an XP disc...sorry.

Thanks for your help,

Patricia

robbhenningsr
Novice
Novice

Posts Posts : 39
Joined Joined : 2011-10-19
OS OS : XP Media Ctr 2002 Service pack 3
Points Points : 19313
# Likes # Likes : 0

View user profile

Back to top Go down

Re: TR/Kazy infection-OTL.txt/ addl logs in addl posts

Post by Belahzur on Mon Nov 14, 2011 5:16 pm

Darn, lets hope the machine has a backup copy somewhere.

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    /md5start
    netbt.sys
    /md5stop


  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the pink Quick Scan button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245059
# Likes # Likes : 1

View user profile

Back to top Go down

Re: TR/Kazy infection-OTL.txt/ addl logs in addl posts

Post by robbhenningsr on Mon Nov 14, 2011 6:13 pm

Done! Here are the results of the current OTL scan:

OTL logfile created on: 11/14/2011 12:48:35 PM - Run 2
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\HP_Administrator\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.41 Mb Total Physical Memory | 541.24 Mb Available Physical Memory | 52.94% Memory free
2.40 Gb Paging File | 2.02 Gb Available in Paging File | 84.24% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 363.53 Gb Total Space | 113.62 Gb Free Space | 31.25% Space Free | Partition Type: NTFS
Drive D: | 9.05 Gb Total Space | 4.40 Gb Free Space | 48.56% Space Free | Partition Type: FAT32
Drive K: | 279.45 Gb Total Space | 227.87 Gb Free Space | 81.54% Space Free | Partition Type: NTFS
Drive L: | 245.72 Mb Total Space | 97.06 Mb Free Space | 39.50% Space Free | Partition Type: FAT

Computer Name: BOBSPC | User Name: HP_Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/11/14 12:45:06 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\Desktop\OTL.com
PRC - [2010/11/17 13:22:57 | 000,329,096 | ---- | M] (BillP Studios) -- C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
PRC - [2010/10/29 15:12:22 | 001,652,736 | R--- | M] (AWS Convergence Technologies, Inc.) -- C:\Program Files\AWS\WeatherBug\Weather.exe
PRC - [2010/09/28 13:09:05 | 000,557,056 | ---- | M] (BitLeader) -- C:\Program Files\lg_fwupdate\fwupdate.exe
PRC - [2010/09/24 13:19:08 | 000,159,472 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Zune\ZuneLauncher.exe
PRC - [2010/09/24 13:19:08 | 000,057,072 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ZuneBusEnum.exe
PRC - [2009/06/03 19:59:02 | 000,103,720 | ---- | M] (CyberLink) -- C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
PRC - [2009/04/15 22:52:06 | 000,091,432 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
PRC - [2009/03/02 12:08:47 | 000,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2008/12/02 11:21:20 | 001,503,306 | ---- | M] (NETGEAR) -- C:\Program Files\NETGEAR\WN111v2\WN111V2.exe
PRC - [2008/06/27 16:24:34 | 000,467,028 | ---- | M] (Atheros) -- C:\WINDOWS\system32\acs.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/02/27 11:54:52 | 000,360,547 | ---- | M] (Atheros Communications, Inc.) -- C:\Program Files\NETGEAR\WN111v2\jswpsapi.exe
PRC - [2007/04/09 12:32:32 | 000,019,456 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CtHelper.exe
PRC - [2006/07/25 01:01:00 | 000,114,688 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Sonic Shared\CineTray.exe
PRC - [2003/11/06 18:32:30 | 000,270,336 | ---- | M] () -- C:\Program Files\NETGEAR GA311 Adapter\GA311.exe


========== Modules (No Company Name) ==========

MOD - [2011/02/04 17:48:30 | 000,291,840 | ---- | M] () -- C:\WINDOWS\system32\sbe.dll
MOD - [2010/03/29 15:02:48 | 000,520,234 | ---- | M] () -- C:\Program Files\BillP Studios\WinPatrol\sqlite3.dll
MOD - [2010/02/05 13:27:45 | 001,291,776 | ---- | M] () -- C:\WINDOWS\system32\quartz.dll
MOD - [2009/08/20 11:35:48 | 007,745,536 | ---- | M] () -- C:\Program Files\Common Files\LightScribe\QtGui4.dll
MOD - [2009/08/20 11:35:46 | 002,121,728 | ---- | M] () -- C:\Program Files\Common Files\LightScribe\QtCore4.dll
MOD - [2009/08/20 11:35:46 | 000,135,168 | ---- | M] () -- C:\Program Files\Common Files\LightScribe\plugins\imageformats\qjpeg4.dll
MOD - [2009/06/03 19:59:14 | 000,013,096 | ---- | M] () -- C:\Program Files\CyberLink\Power2Go\CLMLSvcPS.dll
MOD - [2009/06/03 19:59:02 | 000,619,816 | ---- | M] () -- C:\Program Files\CyberLink\Power2Go\CLMediaLibrary.dll
MOD - [2008/04/13 19:11:59 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll
MOD - [2008/04/13 19:11:51 | 000,059,904 | ---- | M] () -- C:\WINDOWS\system32\devenum.dll
MOD - [2007/08/28 01:59:00 | 001,478,656 | ---- | M] () -- C:\WINDOWS\system32\nview.dll
MOD - [2007/08/28 01:59:00 | 000,466,944 | ---- | M] () -- C:\WINDOWS\system32\nvshell.dll
MOD - [2005/03/16 01:17:28 | 000,204,800 | ---- | M] () -- c:\Program Files\HP\Digital Imaging\bin\HpqUtil.dll
MOD - [2003/11/06 18:32:30 | 000,270,336 | ---- | M] () -- C:\Program Files\NETGEAR GA311 Adapter\GA311.exe
MOD - [2003/11/06 14:40:32 | 000,049,152 | ---- | M] () -- C:\Program Files\NETGEAR GA311 Adapter\Rtl8169LibC.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (LightScribeService)
SRV - File not found [Auto | Stopped] -- -- (JavaQuickStarterService)
SRV - File not found [Auto | Stopped] -- -- (Apple Mobile Device)
SRV - File not found [Auto | Stopped] -- -- (AntiVirService)
SRV - File not found [Auto | Stopped] -- -- (AntiVirSchedulerService)
SRV - [2011/10/23 08:41:12 | 000,060,416 | ---- | M] () [Auto | Stopped] -- c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2010/11/16 01:10:14 | 000,267,568 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Microsoft Fix it Center\Matsvc.exe -- (MatSvc)
SRV - [2010/09/24 13:19:16 | 000,444,656 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\ZuneWlanCfgSvc.exe -- (ZuneWlanCfgSvc)
SRV - [2010/09/24 13:19:16 | 000,268,528 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Zune\WMZuneComm.exe -- (WMZuneComm)
SRV - [2010/09/24 13:19:08 | 006,351,600 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Zune\ZuneNss.exe -- (ZuneNetworkSvc)
SRV - [2010/09/24 13:19:08 | 000,057,072 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ZuneBusEnum.exe -- (ZuneBusEnum)
SRV - [2008/06/27 16:24:34 | 000,467,028 | ---- | M] (Atheros) [Auto | Running] -- C:\WINDOWS\system32\acs.exe -- (ACS)
SRV - [2008/02/27 11:54:52 | 000,360,547 | ---- | M] (Atheros Communications, Inc.) [Auto | Running] -- C:\Program Files\NETGEAR\WN111v2\jswpsapi.exe -- (jswpsapi)


========== Driver Services (SafeList) ==========

DRV - [2009/11/25 11:19:02 | 000,056,816 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/05/11 09:12:24 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/03/30 09:33:07 | 000,096,104 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2009/02/13 11:35:05 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2008/10/01 16:45:52 | 000,057,440 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\jswscimd.sys -- (JSWSCIMD)
DRV - [2008/09/30 03:24:36 | 000,453,120 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\WN111v2.sys -- (WN111v2)
DRV - [2008/04/13 13:56:06 | 000,088,320 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)
DRV - [2008/04/13 13:53:09 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
DRV - [2007/12/14 04:31:00 | 000,057,408 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wsimd.sys -- (WSIMD)
DRV - [2007/05/23 04:15:00 | 000,547,744 | ---- | M] (D-Link Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\A3AB.sys -- (A3AB) D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB)
DRV - [2007/04/18 08:59:40 | 000,098,600 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\COMMONFX.DLL -- (COMMONFX.DLL)
DRV - [2007/04/12 08:10:26 | 000,164,608 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CT20XUT.DLL -- (CT20XUT.DLL)
DRV - [2007/04/12 08:10:26 | 000,066,816 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTHWIUT.DLL -- (CTHWIUT.DLL)
DRV - [2007/04/12 08:10:24 | 001,317,632 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEXFIFX.DLL -- (CTEXFIFX.DLL)
DRV - [2007/04/12 08:10:22 | 000,323,328 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEDSPSY.DLL -- (CTEDSPSY.DLL)
DRV - [2007/04/12 08:10:22 | 000,128,768 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEDSPIO.DLL -- (CTEDSPIO.DLL)
DRV - [2007/04/12 08:10:20 | 000,280,320 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEDSPFX.DLL -- (CTEDSPFX.DLL)
DRV - [2007/04/12 08:10:20 | 000,094,976 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTERFXFX.DLL -- (CTERFXFX.DLL)
DRV - [2007/04/12 08:10:18 | 000,168,192 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEAPSFX.DLL -- (CTEAPSFX.DLL)
DRV - [2007/04/12 08:10:16 | 000,560,384 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\CTSBLFX.DLL -- (CTSBLFX.DLL)
DRV - [2007/04/12 08:10:16 | 000,546,048 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\CTAUDFX.DLL -- (CTAUDFX.DLL)
DRV - [2007/04/10 06:00:24 | 000,157,480 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2007/04/10 05:59:04 | 000,126,760 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2007/04/10 04:32:06 | 000,189,736 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\haP17v2k.sys -- (hap17v2k)
DRV - [2007/04/10 04:31:18 | 000,163,112 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\haP16v2k.sys -- (hap16v2k)
DRV - [2007/04/10 04:29:10 | 000,797,992 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ha10kx2k.sys -- (ha10kx2k)
DRV - [2007/04/10 04:28:36 | 000,092,968 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emupia2k.sys -- (emupia)
DRV - [2007/04/10 04:25:46 | 000,014,632 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctprxy2k.sys -- (ctprxy2k)
DRV - [2007/04/10 04:21:06 | 000,347,128 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctdvda2k.sys -- (ctdvda2k)
DRV - [2007/04/10 04:20:38 | 000,520,488 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM)
DRV - [2007/04/10 04:19:30 | 000,511,272 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctac32k.sys -- (ctac32k)
DRV - [2006/11/02 07:00:08 | 000,039,368 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\winusb.sys -- (WinUSB)
DRV - [2005/08/18 17:35:04 | 003,856,896 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2005/04/15 06:12:12 | 000,175,616 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ftsata2.sys -- (ftsata2)
DRV - [2004/08/10 00:00:00 | 000,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb)
DRV - [2004/08/10 00:00:00 | 000,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx)
DRV - [2004/08/04 15:31:36 | 000,032,768 | ---- | M] (SiS Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sisnic.sys -- (SISNIC)
DRV - [2004/08/04 14:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2003/12/03 11:23:20 | 000,142,336 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\fasttx2k.sys -- (fasttx2k)
DRV - [2003/11/06 00:45:12 | 000,017,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\bb-run.sys -- (bb-run)
DRV - [2003/07/24 12:10:34 | 000,017,149 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\DNINDIS5.sys -- (DNINDIS5)
DRV - [2001/08/17 12:19:20 | 000,096,256 | ---- | M] (Copyright (C) Creative Technology Ltd. 1994-2001) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctlsb16.sys -- (ctlsb16) Creative SB16/AWE32/AWE64 Driver (WDM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Ask.com"
FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://finance.yahoo.com/news/Burger-King-revamps-coffee-apf-1119327906.html?x=0&.v=6|http://www.facebook.com/home.php?|http://excite.com/|https://mail.google.com/mail/?shva=1#inbox"
FF - prefs.js..extensions.enabledItems: {a2adbb75-0c40-1c3b-68b2-6de799200d52}:4.6.6.3
FF - prefs.js..extensions.enabledItems: {776A7CC0-E1A0-4E46-982C-88A8754E5100}:1.9.1
FF - prefs.js..keyword.URL: "http://bing.zugo.com/s/?src=FF-Address&site=Bing&cfg=2-80-0-b3EH\n&q="


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/10/01 08:18:28 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/10/19 22:42:02 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 3.1.7\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2011/01/11 18:41:34 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 3.1.7\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2010/12/11 11:22:26 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Extensions
[2010/12/11 11:22:26 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2011/10/19 22:33:27 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\ge13mt45.default\extensions
[2009/11/30 19:02:26 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\ge13mt45.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2009/09/11 18:42:16 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus(R))) -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\ge13mt45.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2011/05/07 10:53:11 | 000,000,000 | ---D | M] (Conduit Engine) -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\ge13mt45.default\extensions\engine@conduit.com
[2010/01/23 22:28:20 | 000,002,180 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\ge13mt45.default\searchplugins\bing-ff.xml
[2008/06/23 14:55:06 | 000,001,108 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\ge13mt45.default\searchplugins\wikipedia.xml
[2011/10/19 23:51:51 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2007/04/07 18:30:31 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2010/02/01 14:54:22 | 000,000,000 | ---D | M] (LoudMo Contextual Ad Assistant) -- C:\Program Files\Mozilla Firefox\extensions\{a2adbb75-0c40-1c3b-68b2-6de799200d52}
[2010/02/01 14:54:21 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\{a2adbb75-0c40-1c3b-68b2-6de799200d52}.del
[2010/12/05 11:20:36 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/10/19 23:51:51 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
[2007/02/28 12:36:51 | 000,000,000 | ---D | M] (Google Settings) -- C:\Program Files\Mozilla Firefox\extensions\google-cjk@partners.mozilla.com
[2010/02/14 01:36:39 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2010/03/08 22:33:40 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
[2011/10/01 08:18:28 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2009/03/31 21:47:26 | 000,324,976 | ---- | M] (Symantec Corporation) -- C:\Program Files\mozilla firefox\components\coFFPlgn.dll
[2009/03/05 17:08:04 | 000,049,664 | ---- | M] () -- C:\Program Files\mozilla firefox\components\FFComm.dll
[2011/10/03 04:06:04 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011/05/07 10:52:15 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

========== Chrome ==========


O1 HOSTS File: ([2011/10/28 19:17:14 | 000,000,736 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {71576546-354D-41C9-AAE8-31F2EC22BF0D} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [CLMLServer] C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe (CyberLink)
O4 - HKLM..\Run: [CTHelper] C:\WINDOWS\System32\CtHelper.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [CTxfiHlp] C:\WINDOWS\System32\Ctxfihlp.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [LGODDFU] C:\Program Files\lg_fwupdate\fwupdate.exe (BitLeader)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [PDVD8LanguageShortcut] C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe (CyberLink Corp.)
O4 - HKLM..\Run: [RemoteControl8] C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdateLBPShortCut] C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdateP2GoShortCut] C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdatePPShortCut] C:\Program Files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdatePSTShortCut] C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe (BillP Studios)
O4 - HKLM..\Run: [Zune Launcher] C:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe (AWS Convergence Technologies, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CaSup.lnk = File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe (TLC Productivity Properties LLC)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GA311 Smart Wizard Utility.lnk = C:\Program Files\NETGEAR GA311 Adapter\GA311.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NETGEAR WN111v2 Smart Wizard.lnk = C:\Program Files\NETGEAR\WN111v2\WN111V2.exe (NETGEAR)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Sonic CinePlayer Quick Launch.lnk = C:\Program Files\Common Files\Sonic Shared\CineTray.exe (Sonic Solutions)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Google Sidewiki... - [You must be registered and logged in to see this link.] Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html File not found
O9 - Extra Button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm ()
O9 - Extra 'Tools' menuitem : Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} [You must be registered and logged in to see this link.] (SysData Class)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} [You must be registered and logged in to see this link.] (HP Download Manager)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} [You must be registered and logged in to see this link.] (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_29)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{201B7D01-482D-4862-846E-44904AD96B73}: DhcpNameServer = 10.10.5.10
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C72A36E4-3E1C-4AFE-896F-6225AD450C02}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/01/13 04:37:21 | 000,000,100 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/07/27 14:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/11/14 12:45:10 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\Desktop\OTL.com
[2011/11/13 22:29:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2011/10/28 19:15:35 | 001,445,888 | ---- | C] (Option^Explicit Software Solutions) -- C:\Documents and Settings\HP_Administrator\Desktop\WinsockxpFix.exe
[2011/10/27 15:30:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2011/10/27 14:58:52 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/10/27 14:58:52 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/10/27 14:58:51 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/10/27 14:58:51 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/10/27 14:55:26 | 004,274,802 | R--- | C] (Swearware) -- C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
[2011/10/25 14:45:12 | 001,564,464 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\HP_Administrator\Desktop\tdsskiller.exe
[2011/10/25 14:35:08 | 000,000,000 | ---D | C] -- C:\Program Files\7-Zip
[2011/10/25 14:35:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\7-Zip
[2011/10/24 02:17:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\Desktop\Kaspersky
[2011/10/24 02:17:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\Desktop\New Folder
[2011/10/22 14:02:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\Desktop\pics
[2011/10/21 13:43:11 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/10/21 13:42:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\Desktop\eset
[2011/10/21 13:16:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\Desktop\SysProt
[2011/10/20 21:57:32 | 000,467,028 | ---- | C] (Atheros) -- C:\WINDOWS\System32\acs.exe
[2011/10/20 20:45:50 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/10/20 15:16:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/10/20 00:12:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\Desktop\Java
[2011/10/19 20:56:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun
[2011/10/18 19:42:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2007/04/09 12:32:58 | 000,034,816 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll
[2007/04/09 12:19:16 | 000,010,240 | ---- | C] ( ) -- C:\WINDOWS\System32\killapps.exe
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/11/14 12:45:06 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\Desktop\OTL.com
[2011/11/14 12:37:23 | 000,000,203 | ---- | M] () -- C:\WINDOWS\System32\mhncache.dat
[2011/11/14 11:56:36 | 000,324,319 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\FSS.exe
[2011/11/14 10:39:00 | 000,000,580 | -H-- | M] () -- C:\WINDOWS\tasks\DataUpload.job
[2011/11/14 00:46:19 | 000,000,336 | ---- | M] () -- C:\WINDOWS\lgfwup.ini
[2011/11/13 22:55:35 | 000,000,325 | RHS- | M] () -- C:\boot.ini
[2011/11/13 22:53:49 | 000,000,616 | -H-- | M] () -- C:\WINDOWS\tasks\ConfigExec.job
[2011/11/13 22:35:03 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/11/13 22:35:00 | 1072,152,576 | -HS- | M] () -- C:\hiberfil.sys
[2011/11/13 22:34:11 | 000,030,648 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000002-00000000-00000007-00001102-00000008-10221102}.rfx
[2011/11/13 22:34:11 | 000,030,648 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000002-00000000-00000007-00001102-00000008-10221102}.rfx
[2011/11/13 22:34:11 | 000,029,772 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000002-00000000-00000007-00001102-00000008-10221102}.rfx
[2011/11/13 22:34:11 | 000,029,772 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000002-00000000-00000007-00001102-00000008-10221102}.rfx
[2011/11/13 22:34:11 | 000,011,564 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000002-00000000-00000007-00001102-00000008-10221102}.rfx
[2011/11/13 22:33:40 | 004,958,588 | ---- | M] () -- C:\WINDOWS\{00000002-00000000-00000007-00001102-00000008-10221102}.CDF
[2011/11/13 22:33:40 | 004,958,588 | ---- | M] () -- C:\WINDOWS\{00000002-00000000-00000007-00001102-00000008-10221102}.BAK
[2011/11/10 16:57:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/11/09 13:36:12 | 000,465,552 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/11/09 13:36:12 | 000,080,066 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/11/02 22:10:28 | 000,000,086 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\look.bat
[2011/11/02 13:13:10 | 000,380,805 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\MiniToolBox.exe
[2011/10/28 19:17:14 | 000,000,736 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/10/28 19:15:32 | 001,445,888 | ---- | M] (Option^Explicit Software Solutions) -- C:\Documents and Settings\HP_Administrator\Desktop\WinsockxpFix.exe
[2011/10/27 15:22:03 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.bak
[2011/10/27 14:55:18 | 004,274,802 | R--- | M] (Swearware) -- C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
[2011/10/25 14:37:24 | 001,564,464 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\HP_Administrator\Desktop\tdsskiller.exe
[2011/10/25 14:37:00 | 000,147,832 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\profiles.exe
[2011/10/24 02:41:31 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/10/20 15:16:19 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/10/20 00:37:44 | 000,286,904 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/10/20 00:06:56 | 048,324,552 | ---- | M] () -- C:\WINDOWS\System32\MRT.exe
[2011/10/19 22:40:42 | 000,001,745 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader X.lnk
[2011/10/19 14:32:56 | 001,916,416 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\aswMBR.exe
[2011/10/19 12:56:36 | 000,041,272 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/10/19 12:55:49 | 000,000,813 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2011/10/18 15:32:21 | 000,000,000 | -HS- | M] () -- C:\WINDOWS\{2521BB91-29B1-4d7e-9137-AC9875D77735}
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/11/14 11:56:46 | 000,324,319 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Desktop\FSS.exe
[2011/11/09 13:29:09 | 1072,152,576 | -HS- | C] () -- C:\hiberfil.sys
[2011/11/02 22:10:25 | 000,000,086 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Desktop\look.bat
[2011/11/02 13:13:19 | 000,380,805 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Desktop\MiniToolBox.exe
[2011/10/27 14:58:52 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/10/27 14:58:52 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/10/27 14:58:52 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/10/27 14:58:52 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/10/27 14:58:51 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/10/25 14:44:39 | 000,147,832 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Desktop\profiles.exe
[2011/10/19 22:40:42 | 000,002,347 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader X.lnk
[2011/10/19 22:40:42 | 000,001,745 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader X.lnk
[2011/10/19 14:32:43 | 001,916,416 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Desktop\aswMBR.exe
[2011/10/18 15:32:21 | 000,000,000 | -HS- | C] () -- C:\WINDOWS\{2521BB91-29B1-4d7e-9137-AC9875D77735}
[2010/12/01 18:45:43 | 000,000,203 | ---- | C] () -- C:\WINDOWS\System32\mhncache.dat
[2010/11/03 20:19:53 | 000,000,421 | ---- | C] () -- C:\WINDOWS\DeDup.ini
[2010/09/28 13:08:21 | 000,000,336 | ---- | C] () -- C:\WINDOWS\lgfwup.ini
[2010/03/09 14:29:05 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/03/08 19:43:50 | 048,324,552 | ---- | C] () -- C:\WINDOWS\System32\MRT.exe
[2010/03/08 15:44:02 | 000,110,602 | ---- | C] () -- C:\WINDOWS\System32\xcdsfx32.bin
[2010/02/05 17:07:27 | 000,000,139 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\fusioncache.dat
[2010/01/23 22:30:34 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Vfidag.dat
[2010/01/23 22:30:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Sfoneciduwaton.bin
[2009/07/08 10:58:18 | 001,478,656 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2009/07/08 09:07:00 | 001,580,550 | ---- | C] () -- C:\WINDOWS\System32\nvdata.bin
[2009/05/21 18:11:16 | 000,000,121 | ---- | C] () -- C:\WINDOWS\bdagent.INI
[2009/04/24 10:27:08 | 000,011,776 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/06/27 16:18:04 | 000,262,216 | ---- | C] () -- C:\WINDOWS\System32\IPTests.dll
[2008/05/26 21:59:42 | 000,018,904 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschematrivial.bin
[2008/05/26 21:59:40 | 000,106,605 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschema.bin
[2008/04/17 13:19:28 | 000,000,000 | ---- | C] () -- C:\WINDOWS\pcf.INI
[2008/03/28 20:27:40 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2008/03/24 13:26:12 | 000,000,000 | ---- | C] () -- C:\WINDOWS\pcfriend.INI
[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2007/09/02 12:17:44 | 000,000,017 | ---- | C] () -- C:\WINDOWS\MovingPicture.ini
[2007/08/30 14:20:35 | 000,000,059 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2007/08/17 17:52:37 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Unsetup.INI
[2007/05/14 10:59:34 | 000,001,755 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/04/12 08:10:28 | 000,105,728 | ---- | C] () -- C:\WINDOWS\System32\APOMgrH.dll
[2007/04/09 12:55:14 | 000,097,785 | ---- | C] () -- C:\WINDOWS\System32\instwdm.ini
[2007/04/09 12:55:14 | 000,000,054 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2007/04/09 12:33:50 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CTBurst.dll
[2007/04/09 12:32:32 | 000,037,888 | ---- | C] () -- C:\WINDOWS\System32\psconv.exe
[2007/04/09 12:24:30 | 000,325,821 | ---- | C] () -- C:\WINDOWS\System32\ctdlang.dat
[2007/04/09 12:24:30 | 000,046,273 | ---- | C] () -- C:\WINDOWS\System32\ctdnlstr.dat
[2007/04/09 12:21:44 | 000,048,128 | ---- | C] () -- C:\WINDOWS\System32\regplib.exe
[2007/04/09 12:21:28 | 000,149,838 | ---- | C] () -- C:\WINDOWS\System32\ctbas2w.dat
[2007/04/09 12:19:44 | 000,274,587 | ---- | C] () -- C:\WINDOWS\System32\ctsbas2w.dat
[2007/04/09 12:19:20 | 000,313,207 | ---- | C] () -- C:\WINDOWS\System32\ctstatic.dat
[2007/04/09 12:19:20 | 000,053,932 | ---- | C] () -- C:\WINDOWS\System32\ctdaught.dat
[2007/04/09 12:19:18 | 000,005,120 | ---- | C] () -- C:\WINDOWS\System32\enlocstr.exe
[2006/10/02 09:25:18 | 000,000,307 | ---- | C] () -- C:\WINDOWS\System32\kill.ini
[2006/09/01 17:38:02 | 000,057,344 | ---- | C] () -- C:\WINDOWS\FWWipeALL.dll
[2006/08/11 23:57:12 | 000,000,227 | ---- | C] () -- C:\WINDOWS\HP_CounterReport_Update_HPSU.ini
[2006/08/11 23:56:58 | 000,000,214 | ---- | C] () -- C:\WINDOWS\HP_InstantSHareJPG.ini
[2006/08/11 23:56:51 | 000,000,217 | ---- | C] () -- C:\WINDOWS\HP_IZClosingDiscErrorPatch.ini
[2006/05/13 21:20:28 | 000,000,206 | ---- | C] () -- C:\WINDOWS\HPGdiPlus.ini
[2006/05/13 19:38:17 | 000,000,221 | ---- | C] () -- C:\WINDOWS\HP_RedboxHprblog_HPSU.ini
[2006/04/27 21:02:50 | 000,005,717 | ---- | C] () -- C:\WINDOWS\hpdj6122.ini
[2006/04/27 21:02:28 | 000,000,414 | ---- | C] () -- C:\WINDOWS\hpbvspst.ini
[2006/03/14 18:14:55 | 000,000,214 | ---- | C] () -- C:\WINDOWS\HP_48BitScanUpdatePatch.ini
[2006/02/27 22:58:48 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/02/12 16:14:16 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2006/02/12 16:14:13 | 000,107,134 | ---- | C] () -- C:\WINDOWS\UninstallFirefox.exe
[2006/02/12 16:14:06 | 000,003,892 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2006/01/27 11:16:59 | 000,034,304 | ---- | C] () -- C:\WINDOWS\PSCONV.EXE
[2006/01/27 11:12:31 | 000,134,144 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/01/13 04:56:08 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/01/13 04:39:32 | 000,014,317 | ---- | C] () -- C:\WINDOWS\System32\CHODDI.SYS
[2006/01/13 04:39:26 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\hpreg.dll
[2006/01/13 04:24:05 | 000,112,873 | ---- | C] () -- C:\WINDOWS\hpoins07.dat
[2006/01/13 04:24:05 | 000,021,124 | ---- | C] () -- C:\WINDOWS\hpomdl07.dat
[2006/01/13 04:18:40 | 000,080,418 | ---- | C] () -- C:\WINDOWS\HPHins08.dat
[2006/01/13 04:18:40 | 000,004,011 | ---- | C] () -- C:\WINDOWS\hphmdl08.dat
[2006/01/13 04:16:33 | 000,072,881 | ---- | C] () -- C:\WINDOWS\hpiins01.dat
[2006/01/13 04:16:33 | 000,000,000 | ---- | C] () -- C:\WINDOWS\hpimdl01.dat
[2006/01/13 04:15:39 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2006/01/13 04:12:44 | 001,339,392 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2006/01/13 03:59:45 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2006/01/12 17:39:27 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2006/01/12 17:39:27 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2006/01/12 17:39:23 | 000,004,490 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2006/01/12 17:39:17 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2006/01/12 17:39:10 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2006/01/12 17:38:41 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2006/01/12 17:38:40 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2006/01/12 17:38:02 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2006/01/12 17:38:02 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\dwwin.exe
[2006/01/12 17:37:30 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2005/08/06 00:01:54 | 000,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/08/02 17:30:00 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2005/08/02 17:30:00 | 001,626,112 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2005/08/02 17:30:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2005/08/02 17:30:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2005/08/02 17:30:00 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2005/07/02 15:36:02 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2005/07/02 15:34:10 | 000,286,904 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2005/07/02 15:28:10 | 000,465,552 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2005/07/02 15:28:10 | 000,080,066 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2005/06/16 10:17:16 | 000,071,680 | ---- | C] () -- C:\WINDOWS\System32\ctmmactl.dll
[2005/02/26 14:31:00 | 000,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll
[2005/01/28 19:41:00 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005/01/28 19:36:46 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/08/11 04:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/07/27 07:51:38 | 000,000,560 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2004/04/18 16:43:46 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2004/04/18 16:43:44 | 000,651,264 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2001/07/07 01:30:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

========== LOP Check ==========

[2009/05/16 20:16:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BitDefender
[2006/05/14 21:50:09 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2010/02/06 12:32:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DriverCure
[2010/12/06 11:21:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\InstallMate
[2007/08/30 10:50:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\muvee Technologies
[2010/02/05 20:49:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NETGEAR
[2010/02/06 12:32:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic
[2009/05/16 20:05:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCSecurityShield
[2008/01/29 17:37:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pinnacle
[2008/01/29 17:29:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pinnacle Studio
[2010/02/14 20:40:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RegCure
[2007/09/07 10:56:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc
[2008/03/30 19:20:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Systweak
[2010/09/28 13:08:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/12/06 12:02:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/04/11 20:05:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2008/05/31 08:41:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{B7A015B7-4802-4678-8CEC-700380BA9AFD}
[2011/11/13 22:53:49 | 000,000,616 | -H-- | M] () -- C:\WINDOWS\Tasks\ConfigExec.job
[2011/11/14 10:39:00 | 000,000,580 | -H-- | M] () -- C:\WINDOWS\Tasks\DataUpload.job

========== Purity Check ==========



========== Custom Scans ==========



< MD5 for: NETBT.SYS >
[2004/08/10 00:00:00 | 000,162,816 | ---- | M] (Microsoft Corporation) MD5=0C80E410CD2F47134407EE7DD19CC86B -- C:\WINDOWS\$NtServicePackUninstall$\netbt.sys
[2008/04/13 14:21:00 | 000,162,816 | ---- | M] (Microsoft Corporation) MD5=74B2B2F5BEA5E9A3DC021D685551BD3D -- C:\WINDOWS\ServicePackFiles\i386\netbt.sys
[2008/04/13 14:21:00 | 000,162,816 | ---- | M] (Microsoft Corporation) MD5=74B2B2F5BEA5E9A3DC021D685551BD3D -- C:\WINDOWS\SoftwareDistribution.old\Download\dd9ab5193501484cf5e6884fa1d22f9e\netbt.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2

< End of report >


I'll check back for further instructions.

Thanks,

Patricia

robbhenningsr
Novice
Novice

Posts Posts : 39
Joined Joined : 2011-10-19
OS OS : XP Media Ctr 2002 Service pack 3
Points Points : 19313
# Likes # Likes : 0

View user profile

Back to top Go down

Re: TR/Kazy infection-OTL.txt/ addl logs in addl posts

Post by Belahzur on Mon Nov 14, 2011 6:27 pm

Hello.
Good, there is a copy there, we can replace it and get the services restarted soon, just gathering as much info as possible about it right now.


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    FCopy::
    C:\WINDOWS\$NtServicePackUninstall$\netbt.sys | C:\WINDOWS\system32\drivers\netbt.sys
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245059
# Likes # Likes : 1

View user profile

Back to top Go down

Re: TR/Kazy infection-OTL.txt/ addl logs in addl posts

Post by robbhenningsr on Mon Nov 14, 2011 7:19 pm

Following is log from current ComboFix, with Script:

ComboFix 11-11-14.02 - HP_Administrator 11/14/2011 13:46:47.11.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.450 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\PostBuild.exe
c:\documents and settings\All Users\Application Data\TEMP\{2BF2E31F-B8BB-40A7-B650-98D28E0F7D47}\PostBuild.exe
c:\documents and settings\All Users\Application Data\TEMP\{40BF1E83-20EB-11D8-97C5-0009C5020658}\PostBuild.exe
c:\documents and settings\All Users\Application Data\TEMP\{5DB1DF0C-AABC-4362-8A6D-CEFDFB036E41}\PostBuild.exe
c:\documents and settings\All Users\Application Data\TEMP\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\PostBuild.exe
c:\documents and settings\All Users\Application Data\TEMP\{C59C179C-668D-49A9-B6EA-0121CCFC1243}\PostBuild.exe
.
.
--------------- FCopy ---------------f
.
c:\windows\$NtServicePackUninstall$\netbt.sys --> c:\windows\system32\drivers\netbt.sys
.
((((((((((((((((((((((((( Files Created from 2011-10-14 to 2011-11-14 )))))))))))))))))))))))))))))))
.
.
2011-11-14 18:46 . 2004-08-10 05:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-11-14 18:46 . 2004-08-10 05:00 162816 ----a-w- c:\windows\system32\dllcache\netbt.sys
2011-11-14 03:29 . 2011-11-14 03:33 -------- d-----w- c:\windows\system32\NtmsData
2011-10-25 19:35 . 2011-10-25 19:35 -------- d-----w- c:\program files\7-Zip
2011-10-21 18:43 . 2011-10-21 18:43 -------- d-----w- c:\program files\ESET
2011-10-21 02:57 . 2008-06-27 21:24 467028 ----a-w- c:\windows\system32\acs.exe
2011-10-19 00:37 . 2011-10-19 00:37 -------- d-----w- c:\windows\system32\wbem\Repository
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-19 17:56 . 2010-11-30 06:50 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-10-03 09:06 . 2010-12-05 16:20 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-03 06:37 . 2010-02-14 06:36 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-26 15:41 . 2008-07-30 00:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2006-01-12 22:39 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2006-01-12 22:39 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12 . 2006-01-12 22:37 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2006-01-12 22:41 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 21:00 . 2010-11-30 06:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-22 23:48 . 2006-01-13 05:41 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2006-01-12 22:38 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2006-01-12 22:38 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2006-01-12 22:38 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2006-01-12 22:37 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-10-01 13:18 . 2011-05-07 15:52 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2009-04-01 02:47 . 2008-06-09 23:45 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
2009-03-05 22:08 . 2009-05-17 01:17 49664 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2010-10-29 1652736]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-08-20 2363392]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-08-28 8466432]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"nwiz"="nwiz.exe" [2007-08-28 1626112]
"CTHelper"="CTHELPER.EXE" [2007-04-09 19456]
"CTxfiHlp"="CTXFIHLP.EXE" [2007-04-09 19968]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2009-06-04 103720]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2009-04-16 91432]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2009-04-16 50472]
"UpdatePPShortCut"="c:\program files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2010-09-28 557056]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2009-09-25 210216]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-09-24 159472]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\WinPatrol.exe" [2010-11-17 329096]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
CaSup.lnk - c:\hp\region\CustAtStartUp.wsf [N/A]
Forget Me Not.lnk - c:\program files\Broderbund\AG CreataCard\AGRemind.exe [2008-2-26 323584]
GA311 Smart Wizard Utility.lnk - c:\program files\NETGEAR GA311 Adapter\GA311.exe [2003-11-6 270336]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
NETGEAR WN111v2 Smart Wizard.lnk - c:\program files\NETGEAR\WN111v2\WN111V2.exe [2008-12-2 1503306]
Sonic CinePlayer Quick Launch.lnk - c:\program files\Common Files\Sonic Shared\CineTray.exe [2006-7-25 114688]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Program Files\\Avira\\AntiVir Desktop\\avnotify.exe"=
"c:\\Program Files\\AWS\\WeatherBug\\Weather.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jucheck.exe"=
"c:\\Program Files\\BillP Studios\\WinPatrol\\WinPatrol.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jaucheck.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jusched.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"c:\\Documents and Settings\\HP_Administrator\\Desktop\\aswMBR.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
.
R2 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\NETGEAR\WN111v2\jswpsapi.exe [2/27/2008 11:54 AM 360547]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [5/23/2007 4:15 AM 547744]
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [10/1/2008 4:45 PM 57440]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;"c:\program files\Avira\AntiVir Desktop\sched.exe" --> c:\program files\Avira\AntiVir Desktop\sched.exe [?]
S2 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [11/16/2010 1:10 AM 267568]
S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);c:\windows\system32\drivers\ctlsb16.sys [3/8/2010 4:36 PM 96256]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [7/24/2003 12:10 PM 17149]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [9/24/2010 1:19 PM 268528]
S3 WN111v2;NETGEAR WN111v2 USB2.0 Wireless Card Service;c:\windows\system32\drivers\WN111v2.sys [9/30/2008 3:24 AM 453120]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-08-20 17:24 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]
.
2011-11-14 c:\windows\Tasks\ConfigExec.job
- c:\program files\Microsoft Fix it Center\MatsApi.dll [2010-11-16 06:09]
.
2011-11-14 c:\windows\Tasks\DataUpload.job
- c:\program files\Microsoft Fix it Center\MatsApi.dll [2010-11-16 06:09]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2011-11-14 14:03
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?
CTxfiHlp = CTXFIHLP.EXE?
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-11-14 14:09:01
ComboFix-quarantined-files.txt 2011-11-14 19:08
ComboFix2.txt 2011-10-27 20:29
ComboFix3.txt 2011-10-25 20:56
ComboFix4.txt 2011-10-21 03:49
ComboFix5.txt 2011-11-14 18:44
.
Pre-Run: 121,972,133,888 bytes free
Post-Run: 121,955,913,728 bytes free
.
- - End Of File - - 2E1FF050F821F4D247C70F2BB204A9A3


I will wait for next steps. Thanks,

Patricia

robbhenningsr
Novice
Novice

Posts Posts : 39
Joined Joined : 2011-10-19
OS OS : XP Media Ctr 2002 Service pack 3
Points Points : 19313
# Likes # Likes : 0

View user profile

Back to top Go down

Re: TR/Kazy infection-OTL.txt/ addl logs in addl posts

Post by Belahzur on Mon Nov 14, 2011 8:49 pm

Okay before we get the stopped services running again, I want 1 more piece of information.

Please create a folder on your Desktop called SWReg.

  1. Download SWReg.exe from [You must be registered and logged in to see this link.].
  2. Save SWReg.exe inside the SWReg folder you just created.

    Do not run SWReg.exe just yet.

    Now open a new Notepad file, and input this into the Notepad file:

    @echo off
    swreg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT" /s >> log.txt
    swreg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCP" /s >> log.txt
    start notepad log.txt

  3. Save this as SWReg.bat, save it inside the SWReg folder as well.
  4. Make sure both SWReg.exe and SWReg.bat as located next to each other for this to work.
  5. Now, double click on SWReg.bat to run the script.
  6. Once done, a Notepad log file will open, copy and paste that log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245059
# Likes # Likes : 1

View user profile

Back to top Go down

Re: TR/Kazy infection-OTL.txt/ addl logs in addl posts

Post by robbhenningsr on Mon Nov 14, 2011 9:02 pm

Again, done! Following is the log:


SteelWerX Registry Console Tool 3.0
Written by Bobbi Flekman 2006 (C)

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt
Type REG_DWORD 1 (0x1)
Start REG_DWORD 1 (0x1)
ErrorControl REG_DWORD 1 (0x1)
Tag REG_DWORD 5 (0x5)
ImagePath REG_EXPAND_SZ system32\DRIVERS\netbt.sys
DisplayName REG_SZ NetBios over Tcpip
Group REG_SZ PNP_TDI
DependOnService REG_MULTI_SZ Tcpip\0\0
DependOnGroup REG_MULTI_SZ \0
Description REG_SZ NetBios over Tcpip

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Linkage
OtherDependencies REG_MULTI_SZ Tcpip\0\0
Bind REG_MULTI_SZ \Device\Tcpip_{C72A36E4-3E1C-4AFE-896F-6225AD450C02}\0\Device\Tcpip_{B3C73173-0762-4B81-9895-C2EDEC4748B4}\0\Device\Tcpip_{5B74AE0B-EA56-4AB7-8C7F-58D808595B8A}\0\Device\Tcpip_{56B6407D-44C7-475D-9CF5-2E61B6417829}\0\Device\Tcpip_{201B7D01-482D-4862-846E-44904AD96B73}\0\Device\Tcpip_{C7CFBAB3-209B-4DBA-9E92-ED57D9B94B37}\0\Device\Tcpip_{806D2A77-DA02-437A-8697-82CEA873675A}\0\Device\Tcpip_{5AB0B083-40AF-4683-96A9-1B28EF6F403D}\0\0
Route REG_MULTI_SZ "Tcpip" "{C72A36E4-3E1C-4AFE-896F-6225AD450C02}"\0"Tcpip" "{B3C73173-0762-4B81-9895-C2EDEC4748B4}"\0"Tcpip" "{5B74AE0B-EA56-4AB7-8C7F-58D808595B8A}"\0"Tcpip" "{56B6407D-44C7-475D-9CF5-2E61B6417829}"\0"Tcpip" "{201B7D01-482D-4862-846E-44904AD96B73}"\0"Tcpip" "{C7CFBAB3-209B-4DBA-9E92-ED57D9B94B37}"\0"Tcpip" "NdisWanIp"\0\0
Export REG_MULTI_SZ \Device\NetBT_Tcpip_{C72A36E4-3E1C-4AFE-896F-6225AD450C02}\0\Device\NetBT_Tcpip_{B3C73173-0762-4B81-9895-C2EDEC4748B4}\0\Device\NetBT_Tcpip_{5B74AE0B-EA56-4AB7-8C7F-58D808595B8A}\0\Device\NetBT_Tcpip_{56B6407D-44C7-475D-9CF5-2E61B6417829}\0\Device\NetBT_Tcpip_{201B7D01-482D-4862-846E-44904AD96B73}\0\Device\NetBT_Tcpip_{C7CFBAB3-209B-4DBA-9E92-ED57D9B94B37}\0\Device\NetBT_Tcpip_{806D2A77-DA02-437A-8697-82CEA873675A}\0\Device\NetBT_Tcpip_{5AB0B083-40AF-4683-96A9-1B28EF6F403D}\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Parameters
NbProvider REG_SZ _tcp
NameServerPort REG_DWORD 137 (0x89)
CacheTimeout REG_DWORD 600000 (0x927c0)
BcastNameQueryCount REG_DWORD 3 (0x3)
BcastQueryTimeout REG_DWORD 750 (0x2ee)
NameSrvQueryCount REG_DWORD 3 (0x3)
NameSrvQueryTimeout REG_DWORD 1500 (0x5dc)
Size/Small/Medium/Large REG_DWORD 1 (0x1)
SessionKeepAlive REG_DWORD 3600000 (0x36ee80)
TransportBindName REG_SZ \Device\
DhcpNodeType REG_DWORD 8 (0x8)
EnableProxy REG_DWORD 0 (0x0)

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Parameters\Interfaces

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Parameters\Interfaces\Tcpip_{201B7D01-482D-4862-846E-44904AD96B73}
NameServerList REG_MULTI_SZ \0
NetbiosOptions REG_DWORD 0 (0x0)

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Parameters\Interfaces\Tcpip_{56B6407D-44C7-475D-9CF5-2E61B6417829}
NameServerList REG_MULTI_SZ \0
NetbiosOptions REG_DWORD 0 (0x0)

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Parameters\Interfaces\Tcpip_{5AB0B083-40AF-4683-96A9-1B28EF6F403D}
NameServerList REG_MULTI_SZ \0
NetbiosOptions REG_DWORD 0 (0x0)

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Parameters\Interfaces\Tcpip_{5B74AE0B-EA56-4AB7-8C7F-58D808595B8A}
NameServerList REG_MULTI_SZ \0
NetbiosOptions REG_DWORD 0 (0x0)

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Parameters\Interfaces\Tcpip_{806D2A77-DA02-437A-8697-82CEA873675A}
NameServerList REG_MULTI_SZ \0\0
RASFlags REG_DWORD 1 (0x1)

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Parameters\Interfaces\Tcpip_{B3C73173-0762-4B81-9895-C2EDEC4748B4}
NameServerList REG_MULTI_SZ \0
NetbiosOptions REG_DWORD 0 (0x0)

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Parameters\Interfaces\Tcpip_{C72A36E4-3E1C-4AFE-896F-6225AD450C02}
NameServerList REG_MULTI_SZ \0
NetbiosOptions REG_DWORD 0 (0x0)

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Parameters\Interfaces\Tcpip_{C7CFBAB3-209B-4DBA-9E92-ED57D9B94B37}
NameServerList REG_MULTI_SZ \0
NetbiosOptions REG_DWORD 0 (0x0)

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Security
Security REG_BINARY 01001480e8000000f4000000140000003000000002001c000100000002801400ff010f000101000000000001000000000200b80008000000000014008d01020001010000000000050b000000000018009d0102000102000000000005200000002302000000001800ff010f000102000000000005200000002002000000001800ff010f000102000000000005200000002502000000001400fd01020001010000000000051200000000001400400000000101000000000005130000000000140040000000010100000000000514000000000018009d0102000102000000000005200000002c020000010100000000000512000000010100000000000512000000

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Enum
0 REG_SZ Root\LEGACY_NETBT\0000
Count REG_DWORD 1 (0x1)
NextInstance REG_DWORD 1 (0x1)
INITSTARTFAILED REG_DWORD 1 (0x1)

SteelWerX Registry Console Tool 3.0
Written by Bobbi Flekman 2006 (C)

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\dhcp
Type REG_DWORD 32 (0x20)
Start REG_DWORD 2 (0x2)
ErrorControl REG_DWORD 1 (0x1)
ImagePath REG_EXPAND_SZ %SystemRoot%\system32\svchost.exe -k netsvcs
DisplayName REG_SZ DHCP Client
Group REG_SZ TDI
DependOnService REG_MULTI_SZ Tcpip\0Afd\0NetBT\0\0
DependOnGroup REG_MULTI_SZ \0
ObjectName REG_SZ LocalSystem
Description REG_SZ Manages network configuration by registering and updating IP addresses and DNS names.

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\dhcp\Configurations
Options REG_BINARY 32000000000000000400000000000000ffffff7f0000000001000000000000000400000000000000ffffff7f00000000

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\dhcp\Linkage

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\dhcp\Linkage\Disabled

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\dhcp\Parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\dhcpcsvc.dll
{C7CFBAB3-209B-4DBA-9E92-ED57D9B94B37} REG_BINARY 0f000000000000000f00000000000000bd37c6427367742e637071636f72702e6e65740001000000000000000400000000000000bd37c642fffffc0033000000000000000400000000000000bd37c6420000025836000000000000000400000000000000bd37c6420a01010135000000000000000100000000000000bd37c64205000000
{201B7D01-482D-4862-846E-44904AD96B73} REG_BINARY 06000000000000000400000000000000711720420a0a050a03000000000000000400000000000000711720420a0a050a0100000000000000040000000000000071172042ffffff00330000000000000004000000000000007117204200000e1036000000000000000400000000000000711720420a0a0508350000000000000001000000000000007117204205000000
{B3C73173-0762-4B81-9895-C2EDEC4748B4} REG_BINARY 0600000000000000000000000000000007cf7a4b0300000000000000000000000000000007cf7a4b3300000000000000000000000000000007cf7a4b3b00000000000000000000000000000007cf7a4b3a00000000000000000000000000000007cf7a4b0100000000000000000000000000000007cf7a4b3600000000000000000000000000000007cf7a4b3500000000000000000000000000000007cf7a4b
{C72A36E4-3E1C-4AFE-896F-6225AD450C02} REG_BINARY 060000000000000004000000000000007263a44ec0a80101030000000000000004000000000000007263a44ec0a80101010000000000000004000000000000007263a44effffff00330000000000000004000000000000007263a44e00015180360000000000000004000000000000007263a44ec0a80101350000000000000001000000000000007263a44e05000000

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\dhcp\Parameters\Options

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\dhcp\Parameters\Options\1
KeyType REG_DWORD 7 (0x7)
RegLocation REG_MULTI_SZ SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\?\DhcpSubnetMaskOpt\0SYSTEM\CurrentControlSet\Services\?\Parameters\Tcpip\DhcpSubnetMaskOpt\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\dhcp\Parameters\Options\15
KeyType REG_DWORD 1 (0x1)
RegLocation REG_MULTI_SZ SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\?\DhcpDomain\0SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpDomain\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\dhcp\Parameters\Options\220
KeyType REG_DWORD 3 (0x3)
VendorType REG_DWORD 1 (0x1)
RegSendLocation REG_MULTI_SZ SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\?\SoHRequest\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\dhcp\Parameters\Options\3
KeyType REG_DWORD 7 (0x7)
RegLocation REG_MULTI_SZ SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\?\DhcpDefaultGateway\0SYSTEM\CurrentControlSet\Services\?\Parameters\Tcpip\DhcpDefaultGateway\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\dhcp\Parameters\Options\44
KeyType REG_DWORD 1 (0x1)
RegLocation REG_MULTI_SZ SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_?\DhcpNameServerList\0SYSTEM\CurrentControlSet\Services\NetBT\Adapters\?\DhcpNameServer\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\dhcp\Parameters\Options\46
KeyType REG_DWORD 4 (0x4)
RegLocation REG_SZ SYSTEM\CurrentControlSet\Services\NetBT\Parameters\DhcpNodeType

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\dhcp\Parameters\Options\47
KeyType REG_DWORD 1 (0x1)
RegLocation REG_SZ SYSTEM\CurrentControlSet\Services\NetBT\Parameters\DhcpScopeID

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\dhcp\Parameters\Options\6
KeyType REG_DWORD 1 (0x1)
RegLocation REG_MULTI_SZ SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\?\DhcpNameServer\0SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\dhcp\Parameters\Options\DhcpNetbiosOptions
KeyType REG_DWORD 4 (0x4)
OptionId REG_DWORD 1 (0x1)
VendorType REG_DWORD 1 (0x1)
RegLocation REG_MULTI_SZ SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_?\DhcpNetbiosOptions\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\dhcp\Security
Security REG_BINARY 01001480900000009c000000140000003000000002001c000100000002801400ff010f000101000000000001000000000200600004000000000014008d01020001010000000000050b00000000001800fd0102000102000000000005200000002c02000000001800ff010f000102000000000005200000002002000000001400fd010200010100000000000512000000010100000000000512000000010100000000000512000000

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\dhcp\Enum
0 REG_SZ Root\LEGACY_DHCP\0000
Count REG_DWORD 1 (0x1)
NextInstance REG_DWORD 1 (0x1)

I'll check back for next instructions.

Thanks,

Patricia


robbhenningsr
Novice
Novice

Posts Posts : 39
Joined Joined : 2011-10-19
OS OS : XP Media Ctr 2002 Service pack 3
Points Points : 19313
# Likes # Likes : 0

View user profile

Back to top Go down

Re: TR/Kazy infection-OTL.txt/ addl logs in addl posts

Post by Belahzur on Mon Nov 14, 2011 9:46 pm

Okay sweet.

Click Start > Run. Type in services.msc.

Look in the list for DHCP Client, when you find it, double click it, what does it say next to Service Status? Started or stopped?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245059
# Likes # Likes : 1

View user profile

Back to top Go down

Re: TR/Kazy infection-OTL.txt/ addl logs in addl posts

Post by robbhenningsr on Mon Nov 14, 2011 9:51 pm

I checked DHCP in services. It was blank (not Stopped, or Started).

Next?

Thanks,

Patricia

robbhenningsr
Novice
Novice

Posts Posts : 39
Joined Joined : 2011-10-19
OS OS : XP Media Ctr 2002 Service pack 3
Points Points : 19313
# Likes # Likes : 0

View user profile

Back to top Go down

Re: TR/Kazy infection-OTL.txt/ addl logs in addl posts

Post by robbhenningsr on Mon Nov 14, 2011 9:53 pm

Son of a gun! I restarted it (I know, you didn't tell me to...) and it started and we now have an IP address and connection! :smile2:

I'm sure you'll have something for me to do as clean-up, etc., but I'm glad to finally get this far!

I'll check back for next advice.

Thanks~

Patricia

robbhenningsr
Novice
Novice

Posts Posts : 39
Joined Joined : 2011-10-19
OS OS : XP Media Ctr 2002 Service pack 3
Points Points : 19313
# Likes # Likes : 0

View user profile

Back to top Go down

Re: TR/Kazy infection-OTL.txt/ addl logs in addl posts

Post by Belahzur on Mon Nov 14, 2011 10:33 pm

Yep, that's fine.

The FSS tool is new, only a few days old, as you learnt from this case. This infection messes with internet connection and none of our other tools can tell why - now we can. ;)


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245059
# Likes # Likes : 1

View user profile

Back to top Go down

Re: TR/Kazy infection-OTL.txt/ addl logs in addl posts

Post by robbhenningsr on Mon Nov 14, 2011 10:47 pm

Thanks, so much-- and thanks to whoever developed that tool! Thank You!

As I mentioned, this isn't the first time my DH got virused and it messed up his services...last time, though, it was the printer, too. (I'll have to check that. Done! Printer works, too.)

Whenever I'm tempted to throw the towel in and reformat, I remember the wise advice of an old friend who used to say, "It's damn near always something simple!" Then, I go back to basics and see what I can find...it seems the hackers have developed a passion for screwing up Services, as if it wasn't bad enough when they were messing with the Registry.

Anyway, thanks again for all your help. We're retirees (forced out early, of course) but I will strongly suggest to DH that he make a donation. Hooray!

I will still check back in...and I'm hoping to learn how to help others with this kind of thing, eventually.

Thanks, again~

Patricia

robbhenningsr
Novice
Novice

Posts Posts : 39
Joined Joined : 2011-10-19
OS OS : XP Media Ctr 2002 Service pack 3
Points Points : 19313
# Likes # Likes : 0

View user profile

Back to top Go down

Re: TR/Kazy infection-OTL.txt/ addl logs in addl posts

Post by Belahzur on Mon Nov 14, 2011 11:11 pm

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

AntiSpyware

  • [You must be registered and logged in to see this link.]
    SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found [You must be registered and logged in to see this link.].
  • [You must be registered and logged in to see this link.].
    Spybot - Search & Destroy is a spyware and adware removal program. It also has realtime protection, TeaTimer to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot).

NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
[You must be registered and logged in to see this link.]

Securing your computer

  • [You must be registered and logged in to see this link.] - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • [You must be registered and logged in to see this link.] replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.

Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:
Thank you for choosing GeekPolice. [You must be registered and logged in to see this link.]


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245059
# Likes # Likes : 1

View user profile

Back to top Go down

Page 2 of 2 Previous  1, 2

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum