CPU at 100% with no activity

Inactive
By Code Butcher
Feb 28, 2012
  1. A friend of mine asked me to look at her PC because she says it was running very slow and had pop-ups to porn sites. She had installed a program called Internet Security that was recommended by one of the pop-ups. I've never heard of such a program. I'm trying to go by the 5 steps but the system is so slow, even in Safe Mode. The CPU is at 100% with no HD activity.

    From what I've scanned, I believe it's a TR/Dropper, Rootkit 0Access, and Backdoor IRCBot. All have been deleted, but the damage has been done.

    I've tried using ComboFix, but it times out with a message saying there is not enough memory to run the program, even though PF Usage is about 20%.

    I'll try to post any logs I can get out of the system.
  2. Code Butcher


    I tried to install Malwarebytes, but it just opened a DOS box with NTVDM.EXE in the title bar and then closed. I don't know what NTVDM does, but it seems to be a Windows file.
  3. Broni


    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ====================================================================

    Let's see if we can look at your computer booting from an external source.

    Please download OTLPE (filesize 120,9 MB)

    • When downloaded double click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
    • Reboot your system using the boot CD you just created.
      • Note : If you do not know how to set your computer to boot from CD follow the steps here
    • Your system should now display a REATOGO-X-PE desktop.
    • Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
    • Double-click on the OTLPE icon.
    • When asked Do you wish to load the remote registry, select Yes
    • When asked Do you wish to load remote user profile(s) for scanning, select Yes
    • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
    • OTL should now start.
    • Press Run Scan to start the scan.
    • When finished, the file will be saved in drive C:\OTL.txt
    • Copy this file to your USB drive if you do not have internet connection on this system
    • Please post the contents of the OTL.txt file in your reply.
  4. Code Butcher


    Thanks, Broni! I don't think the CD drive works; I've tried to open the tray and it never opens. I can boot from USB, is there a USB drive version?

    Also, I don't think I have a blank CD-R. :( But I'm still looking.
  5. Broni


  6. Code Butcher


    I found a CD-R and swapped the drive with a working one.
    Here is the OTL.Txt contents:

    OTL logfile created on: 2/28/2012 7:38:07 PM - Run
    OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
    Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 87.00% Memory free
    2.00 Gb Paging File | 2.00 Gb Available in Paging File | 97.00% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 74.51 Gb Total Space | 56.31 Gb Free Space | 75.58% Space Free | Partition Type: FAT32
    Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

    Computer Name: REATOGO | User Name: SYSTEM
    Boot Mode: Normal | Scan Mode: All users
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
    Using ControlSet: ControlSet003

    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Disabled] -- -- (HidServ)
    SRV - [2011/12/12 11:03:40 | 000,290,832 | ---- | M] (Verizon) [Auto] -- C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe -- (IHA_MessageCenter)
    SRV - [2010/04/28 14:21:30 | 000,073,728 | ---- | M] (Sony Corporation) [On_Demand] -- C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe -- (Sony SCSI Helper Service)
    SRV - [2010/04/05 07:19:58 | 000,444,928 | ---- | M] (Livescribe) [Auto] -- C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe -- (PenCommService)
    SRV - [2009/11/18 10:50:40 | 000,668,912 | ---- | M] (Radialpoint Inc.) [Auto] -- C:\Program Files\Verizon\VSP\ServicepointService.exe -- (ServicepointService)
    SRV - [2008/10/28 16:42:30 | 000,156,968 | ---- | M] (Seagate Technology LLC) [Auto] -- C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe -- (FreeAgentGoNext Service)
    SRV - [2008/09/30 17:41:08 | 000,116,664 | ---- | M] (symantec) [On_Demand] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
    SRV - [2008/09/30 17:41:04 | 001,956,792 | ---- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
    SRV - [2008/09/30 17:40:56 | 000,031,160 | ---- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
    SRV - [2008/08/20 15:50:30 | 000,214,408 | ---- | M] (Symantec Corporation) [On_Demand] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
    SRV - [2008/06/24 18:17:38 | 000,169,320 | ---- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
    SRV - [2008/06/24 18:17:36 | 000,191,848 | ---- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
    SRV - [2007/09/12 18:27:26 | 002,999,664 | ---- | M] (Symantec Corporation) [On_Demand] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE -- (LiveUpdate)
    SRV - [2007/07/26 19:25:20 | 001,181,016 | ---- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)
    SRV - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Disabled] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
    SRV - [2004/09/29 12:14:36 | 000,069,632 | ---- | M] (HP) [Auto] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
    DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
    DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
    DRV - File not found [Kernel | System] -- -- (PCIDump)
    DRV - File not found [Kernel | On_Demand] -- -- (MRENDIS5)
    DRV - File not found [Kernel | On_Demand] -- -- (MREMPR5)
    DRV - File not found [Kernel | System] -- -- (lbrtfdc)
    DRV - File not found [Kernel | System] -- -- (i2omgmt)
    DRV - File not found [Kernel | System] -- -- (Changer)
    DRV - [2012/02/23 19:14:52 | 000,106,104 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
    DRV - [2012/02/13 01:00:00 | 000,374,392 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
    DRV - [2012/01/16 11:48:06 | 001,576,312 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20120224.002\NAVEX15.SYS -- (NAVEX15)
    DRV - [2012/01/16 11:48:06 | 000,086,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20120224.002\NAVENG.SYS -- (NAVENG)
    DRV - [2010/05/14 00:16:40 | 000,068,168 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
    DRV - [2010/05/04 14:55:44 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System] -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV)
    DRV - [2010/05/04 14:55:44 | 000,012,872 | ---- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
    DRV - [2010/04/05 07:20:00 | 000,020,096 | ---- | M] (Windows (R) Codename Longhorn DDK provider) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\PulseUsb.sys -- (PulseUsb)
    DRV - [2010/03/17 13:53:38 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
    DRV - [2010/03/17 13:53:22 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
    DRV - [2009/02/14 10:28:06 | 000,123,952 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
    DRV - [2008/08/20 15:50:02 | 000,188,808 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
    DRV - [2008/08/20 15:49:56 | 000,023,944 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
    DRV - [2008/05/28 11:31:24 | 000,337,280 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT)
    DRV - [2008/05/28 11:31:24 | 000,054,656 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL)
    DRV - [2007/11/15 21:18:20 | 000,572,416 | R--- | M] (Ralink Technology, Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\rt2860.sys -- (RT80x86)
    DRV - [2007/09/26 15:58:00 | 000,461,952 | ---- | M] (Marvell Semiconductor, Inc) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\MRVW245.sys -- (MRVW245)
    DRV - [2007/07/26 19:25:18 | 000,400,216 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========
  7. Broni


    The log is incomplete.
    Redo.
  8. Code Butcher


    Sorry, here is the rest:

    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


    IE - HKU\Edna_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.aol.com/
    IE - HKU\Edna_ON_C\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
    IE - HKU\Edna_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\Edna_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



    IE - HKU\test_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@Motive.com/NpMotive,version=1.0: C:\Program Files\Common Files\Motive\npMotive.dll (Alcatel-Lucent)
    FF - HKLM\Software\MozillaPlugins\@radialpoint.com/SPA,version=1: C:\Program Files\Verizon\VSP\nprpspa.dll (Verizon)
    FF - HKLM\Software\MozillaPlugins\@sony.com/eBookLibrary: C:\Program Files\Sony\Reader\Data\bin\npebldetectmoz.dll (Sony Corporation)



    O1 HOSTS File: ([2012/02/25 20:55:54 | 000,000,882 | RH-- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 94.63.147.22 www.google.com
    O1 - Hosts: 94.63.147.23 www.bing.com
    O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O2 - BHO: (Verizon Broadband Toolbar) - {A057A204-BACC-4D26-8398-26FADCF27386} - C:\Program Files\verizon_broad\verizon_broad.dll (Verizon Online. )
    O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
    O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
    O3 - HKU\Edna_ON_C\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O3 - HKU\Edna_ON_C\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
    O4 - HKLM..\Run: [] File not found
    O4 - HKLM..\Run: [Acrobat Assistant 7.0] C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe (Adobe Systems Inc.)
    O4 - HKLM..\Run: [ApnUpdater] C:\Program Files\Ask.com\Updater\Updater.exe (Ask)
    O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
    O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
    O4 - HKLM..\Run: [dplaysvr] File not found
    O4 - HKLM..\Run: [MaxMenuMgr] C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe (Seagate LLC)
    O4 - HKLM..\Run: [Reader Library Launcher] C:\Program Files\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe (Sony Corporation)
    O4 - HKLM..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\VSP\VerizonServicepoint.exe (Verizon)
    O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
    O4 - HKU\Edna_ON_C..\Run: [dplaysvr] File not found
    O4 - HKU\Edna_ON_C..\Run: [Internet Security] File not found
    O4 - HKU\Edna_ON_C..\Run: [LDTray] C:\Program Files\Livescribe\Livescribe Desktop\LDTray.exe ()
    O4 - HKU\Edna_ON_C..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
    O4 - HKU\Edna_ON_C..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk = C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe ()
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\Edna_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\test_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O9 - Extra Button: Start WebEx MeetMeNow - {F5AD6CC5-776C-4DBB-B38F-F5404A3582F3} - C:\WINDOWS\DOWNLO~1\MyWebEx\419\mwmie.dll ()
    O9 - Extra 'Tools' menuitem : Start WebEx MeetMeNow - {F5AD6CC5-776C-4DBB-B38F-F5404A3582F3} - C:\WINDOWS\DOWNLO~1\MyWebEx\419\mwmie.dll ()
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} https://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon High Speed Internet Installer.cab (Support.com Configuration Class)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1234638438733 (WUWebControl Class)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {CAFEEFAC-0014-0002-0019-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Java Plug-in 1.4.2_19)
    O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab (Shockwave Flash Object)
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://mwmus.webex.com/client/v_mywebex-mwm/mywebex/ieatgpc.cab (GpcContainer Class)
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com/activex/ractrl.cab?lmi=100 (Performance Viewer Activex Control)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 68.238.128.12
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
    O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
    O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
    O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
    O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
    O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
    O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2009/02/14 10:09:28 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ FAT32 ]
    O32 - AutoRun File - [2006/03/24 06:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
    O33 - MountPoints2\{825edc37-fa7d-11dd-99b6-806d6172696f}\Shell - "" = AutoRun
    O33 - MountPoints2\{825edc37-fa7d-11dd-99b6-806d6172696f}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{825edc37-fa7d-11dd-99b6-806d6172696f}\Shell\AutoRun\command - "" = D:\autorun.exe
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O36 - AppCertDlls: rsvpMRT - (C:\WINDOWS\system32\fixmdiag.dll) - C:\WINDOWS\system32\fixmdiag.dll (Kaspersky Lab)
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/02/28 17:26:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\test\My Documents\My Books
    [2012/02/28 17:22:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\test\Application Data\Sun
    [2012/02/28 17:21:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\test\Local Settings\Application Data\kinoma
    [2012/02/28 17:21:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\test\Local Settings\Application Data\Sony Corporation
    [2012/02/28 17:08:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\test\Application Data\SUPERAntiSpyware.com
    [2012/02/28 16:48:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\test\Application Data\Apple Computer
    [2012/02/28 16:40:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\test\Application Data\Verizon
    [2012/02/28 16:39:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\test\Local Settings\Application Data\AskToolbar
    [2012/02/28 16:36:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\test\Application Data\VERIZON_BROAD
    [2012/02/28 16:29:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\test\Application Data\Identities
    [2012/02/28 16:28:57 | 000,000,000 | R--D | C] -- C:\Documents and Settings\test\My Documents\My Music
    [2012/02/28 16:28:53 | 000,000,000 | R--D | C] -- C:\Documents and Settings\test\My Documents\My Pictures
    [2012/02/28 16:28:46 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\test\IETldCache
    [2012/02/28 16:27:24 | 000,000,000 | --SD | C] -- C:\Documents and Settings\test\Application Data\Microsoft
    [2012/02/28 16:27:24 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\test\SendTo
    [2012/02/28 16:27:24 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\test\Recent
    [2012/02/28 16:27:24 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\test\Application Data
    [2012/02/28 16:27:24 | 000,000,000 | R--D | C] -- C:\Documents and Settings\test\Start Menu\Programs\Startup
    [2012/02/28 16:27:24 | 000,000,000 | R--D | C] -- C:\Documents and Settings\test\Start Menu
    [2012/02/28 16:27:24 | 000,000,000 | R--D | C] -- C:\Documents and Settings\test\My Documents
    [2012/02/28 16:27:24 | 000,000,000 | R--D | C] -- C:\Documents and Settings\test\Favorites
    [2012/02/28 16:27:24 | 000,000,000 | R--D | C] -- C:\Documents and Settings\test\Start Menu\Programs\Accessories
    [2012/02/28 16:27:24 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\test\Cookies
    [2012/02/28 16:27:24 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\test\PrintHood
    [2012/02/28 16:27:24 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\test\NetHood
    [2012/02/28 16:27:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\test\Desktop
    [2012/02/28 16:27:23 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\test\Templates
    [2012/02/28 16:27:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\test\Local Settings\Application Data\Microsoft
    [2012/02/28 16:27:22 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\test\Local Settings
    [2012/02/28 16:20:38 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\IETldCache
    [2012/02/28 16:18:20 | 000,000,000 | -HSD | C] -- C:\FOUND.004
    [2012/02/27 23:33:06 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2012/02/27 19:05:38 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
    [2012/02/27 12:32:06 | 000,086,528 | -H-- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\fixmdiag.dll
    [2012/02/25 18:58:47 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\LogFiles
    [2012/02/22 22:33:49 | 000,147,968 | RHS- | C] (Bpasiymks Ixhfoaguuch) -- C:\WINDOWS\System32\ntimages.dll
    [4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/02/28 19:29:22 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2012/02/28 19:28:08 | 000,002,335 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
    [2012/02/28 19:25:02 | 000,000,232 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
    [2012/02/28 19:22:12 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2012/02/28 19:19:18 | 000,000,310 | ---- | M] () -- C:\WINDOWS\tasks\WNPEWR.job
    [2012/02/28 16:30:30 | 000,000,728 | ---- | M] () -- C:\Documents and Settings\test\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
    [2012/02/28 16:30:20 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\test\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
    [2012/02/28 11:49:30 | 000,607,260 | ---- | M] () -- C:\Documents and Settings\test\Desktop\dds.scr
    [2012/02/28 11:49:30 | 000,607,260 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\dds.scr
    [2012/02/28 11:49:16 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\test\Desktop\GMER.exe
    [2012/02/28 11:49:16 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\GMER.exe
    [2012/02/27 23:59:38 | 009,502,424 | ---- | M] () -- C:\Documents and Settings\test\Desktop\mbam--setup-1.60.1.1000.exe
    [2012/02/27 18:01:42 | 004,420,957 | ---- | M] () -- C:\Documents and Settings\test\Desktop\ComboFix.exe
    [2012/02/27 18:01:42 | 004,420,957 | ---- | M] () -- C:\Documents and Settings\Edna\Desktop\ComboFix.exe
    [2012/02/27 18:01:42 | 004,420,957 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
    [2012/02/27 12:59:34 | 002,062,896 | ---- | M] () -- C:\Documents and Settings\test\Desktop\TDSSKiller.exe
    [2012/02/27 12:32:08 | 000,086,528 | -H-- | M] (Kaspersky Lab) -- C:\WINDOWS\System32\fixmdiag.dll
    [2012/02/25 23:15:00 | 000,000,089 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\avbase.dat
    [2012/02/25 23:13:46 | 000,000,823 | ---- | M] () -- C:\Documents and Settings\Edna\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security.lnk
    [2012/02/23 19:15:20 | 000,247,904 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2012/02/22 23:09:56 | 000,432,778 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2012/02/22 23:09:56 | 000,067,734 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2012/02/22 23:07:18 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2012/02/22 22:33:50 | 000,147,968 | RHS- | M] (Bpasiymks Ixhfoaguuch) -- C:\WINDOWS\System32\ntimages.dll
    [2012/02/22 21:42:42 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
    [4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2012/02/28 18:50:05 | 002,062,896 | ---- | C] () -- C:\Documents and Settings\test\Desktop\TDSSKiller.exe
    [2012/02/28 17:27:52 | 009,502,424 | ---- | C] () -- C:\Documents and Settings\test\Desktop\mbam--setup-1.60.1.1000.exe
    [2012/02/28 16:54:23 | 000,607,260 | ---- | C] () -- C:\Documents and Settings\test\Desktop\dds.scr
    [2012/02/28 16:54:23 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\test\Desktop\GMER.exe
    [2012/02/28 16:54:21 | 004,420,957 | ---- | C] () -- C:\Documents and Settings\test\Desktop\ComboFix.exe
    [2012/02/28 16:30:29 | 000,000,728 | ---- | C] () -- C:\Documents and Settings\test\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
    [2012/02/28 16:30:29 | 000,000,716 | ---- | C] () -- C:\Documents and Settings\test\Start Menu\Programs\Internet Explorer.lnk
    [2012/02/28 16:30:19 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\test\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
    [2012/02/28 16:29:56 | 000,000,651 | ---- | C] () -- C:\Documents and Settings\test\Start Menu\Programs\Outlook Express.lnk
    [2012/02/28 16:27:26 | 000,001,512 | ---- | C] () -- C:\Documents and Settings\test\Start Menu\Programs\Remote Assistance.lnk
    [2012/02/28 16:27:26 | 000,000,705 | ---- | C] () -- C:\Documents and Settings\test\Start Menu\Programs\Windows Media Player.lnk
    [2012/02/28 16:21:43 | 004,420,957 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
    [2012/02/28 16:21:43 | 000,607,260 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\dds.scr
    [2012/02/28 16:21:43 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\GMER.exe
    [2012/02/27 19:12:40 | 004,420,957 | ---- | C] () -- C:\Documents and Settings\Edna\Desktop\ComboFix.exe
    [2012/02/25 23:13:28 | 000,000,823 | ---- | C] () -- C:\Documents and Settings\Edna\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security.lnk
    [2012/02/25 23:13:27 | 000,000,089 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\avbase.dat
    [2012/02/22 22:33:49 | 000,000,310 | ---- | C] () -- C:\WINDOWS\tasks\WNPEWR.job
    [2012/02/22 21:46:17 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
    [2012/02/22 21:46:17 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\dllcache\iacenc.dll
    [2011/01/11 18:05:18 | 000,008,592 | ---- | C] () -- C:\WINDOWS\System32\ractrlkeyhook.dll
    [2010/01/07 16:15:24 | 000,051,300 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
    [2010/01/07 15:30:52 | 000,068,294 | ---- | C] () -- C:\WINDOWS\hpoins05.dat
    [2010/01/07 15:30:52 | 000,019,696 | ---- | C] () -- C:\WINDOWS\hpomdl05.dat
    [2009/02/16 12:56:46 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\hpzids01.dll
    [2009/02/14 10:48:34 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2009/02/14 10:44:41 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
    [2009/02/14 10:21:01 | 000,126,976 | ---- | C] () -- C:\WINDOWS\System32\e1000msg.dll
    [2009/02/14 10:13:13 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2009/02/14 10:06:39 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2009/02/14 10:01:59 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2009/02/14 10:01:02 | 000,247,904 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2005/03/22 01:48:05 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
    [2005/03/22 01:48:05 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
    [2004/08/04 12:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
    [2004/08/04 12:00:00 | 000,432,778 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
    [2004/08/04 12:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
    [2004/08/04 12:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
    [2004/08/04 12:00:00 | 000,067,734 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
    [2004/08/04 12:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
    [2004/08/04 12:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
    [2004/08/04 12:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
    [2004/08/04 12:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
    [2004/08/04 12:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

    ========== LOP Check ==========

    [2010/05/04 16:01:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Edna\Application Data\Downloaded Installations
    [2011/03/04 15:00:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Edna\Application Data\TechWizard
    [2011/07/30 13:20:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Edna\Application Data\Broderbund
    [2009/02/17 11:17:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Seagate
    [2010/01/07 16:07:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\kinoma
    [2010/04/28 20:28:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Radialpoint
    [2010/05/04 16:17:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Livescribe, Inc
    [2011/04/29 14:03:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    [2011/07/18 19:38:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LogMeIn
    [2011/07/30 13:20:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Broderbund
    [2011/09/21 18:21:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ask
    [2012/02/28 19:19:18 | 000,000,310 | ---- | M] () -- C:\WINDOWS\Tasks\WNPEWR.job
    [2012/02/22 21:42:42 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
    [2012/02/28 19:25:02 | 000,000,232 | ---- | M] () -- C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job

    ========== Purity Check ==========


    < End of report >
  9. Broni

    Broni Malware Annihilator Posts: 46,388   +252

    Do this on the computer you are posting from:
    Copy the text in the codebox below:


    Code:
    :OTL
    IE - HKU\Edna_ON_C\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
    O1 - Hosts: 94.63.147.22 www.google.com
    O1 - Hosts: 94.63.147.23 www.bing.com
    O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
    O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
    O3 - HKU\Edna_ON_C\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
    O4 - HKLM..\Run: [] File not found
    O4 - HKLM..\Run: [ApnUpdater] C:\Program Files\Ask.com\Updater\Updater.exe (Ask)
    O4 - HKLM..\Run: [dplaysvr] File not found
    O4 - HKU\Edna_ON_C..\Run: [dplaysvr] File not found
    O4 - HKU\Edna_ON_C..\Run: [Internet Security] File not found
    O33 - MountPoints2\{825edc37-fa7d-11dd-99b6-806d6172696f}\Shell - "" = AutoRun
    O33 - MountPoints2\{825edc37-fa7d-11dd-99b6-806d6172696f}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{825edc37-fa7d-11dd-99b6-806d6172696f}\Shell\AutoRun\command - "" = D:\autorun.exe
    [2012/02/28 16:39:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\test\Local Settings\Application Data\AskToolbar
    [2012/02/22 22:33:49 | 000,147,968 | RHS- | C] (Bpasiymks Ixhfoaguuch) -- C:\WINDOWS\System32\ntimages.dll
    [2012/02/28 19:25:02 | 000,000,232 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
    [2012/02/28 19:19:18 | 000,000,310 | ---- | M] () -- C:\WINDOWS\tasks\WNPEWR.job
    [2012/02/25 23:13:46 | 000,000,823 | ---- | M] () -- C:\Documents and Settings\Edna\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security.lnk
    
    
    :Services
    
    :Reg
    
    :Files
    C:\Program Files\Ask.com
    
    :Commands
    [purity]
    
    Open Notepad and paste it.
    Save the document as Fix.txt on to a USB flash drive


    On the infected computer the following...

    Run OTLPE

    • Insert USB stick and find the file Fix.txt. Drag the file Fix.txt and drop it under the Custom Scans/Fixes box at the bottom.
      • (The content of Fix.txt should appear in the box)
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post the log produced (you'll need to transfer it with USB stick)
    • Remove the CD and shut down computer manually.
    • Attempt to reboot normally into Windows.
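The OTL fix script above removes several kinds of entries that a reviewer picks out by eye: hosts-file lines that send well-known domains to a public address, Run values whose target is "File not found", a MountPoints2 AutoRun command, and a freshly created hidden+system DLL in System32 with an unknown publisher. The following Python script is an added example for this thread, not part of OTL or any tool mentioned here; it applies those same triage rules to OTL-format log lines so that the indicators are found mechanically. The sample lines are copied from the OTL output posted earlier in the thread, plus one constructed benign hosts line for contrast; the rule names and the `Finding` type are this example's own.

```python
"""Triage OTL-style scan log lines for a few well-known indicators.

Added example for this thread; not part of OTL or any other tool named
here. Sample lines are from the thread's OTL log plus one constructed
benign line (labelled below).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# "O1 - Hosts: <ip> <hostname>"
HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
# "O4 - <hive>..\Run: [<value name>] <target>"
RUN_RE = re.compile(r"^O4 - (.+?)\.\.\\Run: \[([^\]]*)\]\s*(.*)$")
# "O33 - MountPoints2\{guid}\Shell\AutoRun\command - "" = <command>"
AUTORUN_RE = re.compile(
    r'^O33 - MountPoints2\\(\{[^}]+\})\\Shell\\AutoRun\\command - "" = (.+)$'
)
# "[date time | size | attrs | C/M] (company) -- path"; the (company) part is
# absent on directory entries, so it is optional.
FILE_RE = re.compile(
    r"^\[([\d/]+ [\d:]+) \| ([\d,]+) \| ([A-Z-]{4}) \| ([CM])\](?: \(([^)]*)\))? -- (.+)$"
)


@dataclass(frozen=True)
class Finding:
    rule: str    # which triage rule fired
    detail: str  # human-readable explanation
    line: str    # the log line that triggered it


def _is_local(ip_text: str) -> bool:
    """True for loopback/unspecified addresses, the only ones a benign hosts
    entry normally points at; anything else (or a non-IP) is suspicious."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def check_line(line: str) -> Optional[Finding]:
    """Apply the triage rules to one OTL log line."""
    line = line.strip()
    m = HOSTS_RE.match(line)
    if m:
        ip, host = m.groups()
        if not _is_local(ip):
            return Finding("hosts-redirect", f"{host} resolves to {ip}", line)
        return None
    m = RUN_RE.match(line)
    if m:
        hive, name, target = m.groups()
        if target.strip() == "File not found":
            return Finding("orphan-autorun",
                           f"{hive} Run value {name!r} points at a missing file", line)
        return None
    m = AUTORUN_RE.match(line)
    if m:
        volume, command = m.groups()
        return Finding("mountpoint-autorun", f"{volume} runs {command} on AutoPlay", line)
    m = FILE_RE.match(line)
    if m:
        _stamp, _size, attrs, _cm, company, path = m.groups()
        # Hidden+System together on a file (not a directory) is a classic
        # way for a dropped DLL to stay out of Explorer's default view.
        if "H" in attrs and "S" in attrs and "D" not in attrs:
            who = company or "no publisher"
            return Finding("hidden-system-file", f"{path} ({who}) is hidden+system", line)
    return None


def triage(lines: Iterable[str]) -> List[Finding]:
    """Run check_line over every line and keep the hits."""
    return [f for f in (check_line(ln) for ln in lines) if f is not None]


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per rule, handy for a quick overview of a long log."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


SAMPLE_LINES = [
    # From the OTL log posted in this thread:
    r"O1 - Hosts: 94.63.147.22 www.google.com",
    r"O1 - Hosts: 94.63.147.23 www.bing.com",
    r"O4 - HKLM..\Run: [] File not found",
    r"O4 - HKLM..\Run: [ApnUpdater] C:\Program Files\Ask.com\Updater\Updater.exe (Ask)",
    r"O4 - HKLM..\Run: [dplaysvr] File not found",
    r"O4 - HKU\Edna_ON_C..\Run: [dplaysvr] File not found",
    r"O4 - HKU\Edna_ON_C..\Run: [Internet Security] File not found",
    r'O33 - MountPoints2\{825edc37-fa7d-11dd-99b6-806d6172696f}\Shell\AutoRun\command - "" = D:\autorun.exe',
    r"[2012/02/22 22:33:49 | 000,147,968 | RHS- | C] (Bpasiymks Ixhfoaguuch) -- C:\WINDOWS\System32\ntimages.dll",
    r"[2009/02/16 12:56:46 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\hpzids01.dll",
    r"[2010/05/04 16:01:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Edna\Application Data\Downloaded Installations",
    # Constructed benign line (not from the thread) to show a non-hit:
    r"O1 - Hosts: 127.0.0.1 localhost",
]

if __name__ == "__main__":
    hits = triage(SAMPLE_LINES)
    for f in hits:
        print(f"[{f.rule}] {f.detail}")
    print(summarize(hits))
```

Rules are deliberately narrow: a Run value pointing at a missing file is a cleanup candidate rather than proof of infection, and a hidden+system attribute combination only says the file deserves a look (a publisher name, timestamp and hash check follow). The point is that every entry the fix script removed is reproducible from the log text alone, so the same checks can be re-run on the post-fix OTL log to confirm nothing came back.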
  10. Code Butcher

    Code Butcher TechSpot Member Topic Starter Posts: 84

    ========== OTL ==========
    Registry value HKEY_USERS\Edna_ON_C\Software\Microsoft\Internet Explorer\URLSearchHooks\\{00000000-6E41-4FD3-8538-502F5495E5FC} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}\ deleted successfully.
    C:\Program Files\Ask.com\GenericAskToolbar.dll moved successfully.
    94.63.147.22 www.google.com removed from HOSTS file successfully
    94.63.147.23 www.bing.com removed from HOSTS file successfully
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ deleted successfully.
    File C:\Program Files\Ask.com\GenericAskToolbar.dll not found.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
    File C:\Program Files\Ask.com\GenericAskToolbar.dll not found.
    Registry value HKEY_USERS\Edna_ON_C\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
    File C:\Program Files\Ask.com\GenericAskToolbar.dll not found.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ApnUpdater deleted successfully.
    C:\Program Files\Ask.com\Updater\Updater.exe moved successfully.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\dplaysvr deleted successfully.
    Registry value HKEY_USERS\Edna_ON_C\Software\Microsoft\Windows\CurrentVersion\Run\\dplaysvr deleted successfully.
    Registry value HKEY_USERS\Edna_ON_C\Software\Microsoft\Windows\CurrentVersion\Run\\Internet Security deleted successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{825edc37-fa7d-11dd-99b6-806d6172696f}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{825edc37-fa7d-11dd-99b6-806d6172696f}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{825edc37-fa7d-11dd-99b6-806d6172696f}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{825edc37-fa7d-11dd-99b6-806d6172696f}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{825edc37-fa7d-11dd-99b6-806d6172696f}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{825edc37-fa7d-11dd-99b6-806d6172696f}\ not found.
    File D:\autorun.exe not found.
    C:\Documents and Settings\test\Local Settings\Application Data\AskToolbar\APNU folder moved successfully.
    C:\Documents and Settings\test\Local Settings\Application Data\AskToolbar folder moved successfully.
    C:\WINDOWS\system32\ntimages.dll moved successfully.
    C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job moved successfully.
    C:\WINDOWS\tasks\WNPEWR.job moved successfully.
    C:\Documents and Settings\Edna\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security.lnk moved successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    C:\Program Files\Ask.com\assets\oobe folder moved successfully.
    C:\Program Files\Ask.com\assets folder moved successfully.
    C:\Program Files\Ask.com\Updater folder moved successfully.
    C:\Program Files\Ask.com folder moved successfully.
    ========== COMMANDS ==========

    OTLPE by OldTimer - Version 3.1.48.0 log created on 02282012_232350

    I rebooted the PC to Windows. It's still at 100% CPU, but the PF Usage is much lower.
  11. Broni

    Broni Malware Annihilator Posts: 46,388   +252

    See if you can....

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If some log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.
     
  12. Code Butcher

    Code Butcher TechSpot Member Topic Starter Posts: 84

    No dice, same thing as before happens. A DOS window for C:\windows\system32\NTVDM.EXE pops up and closes, followed by another DOS window that opens then closes; before it closes it says, "Program too big to fit in Memory".

    FWIW, the PC is a Dell Optiplex GX270, P4 2.4 GHz with 2 GB of RAM.
  13. Broni

    Broni Malware Annihilator Posts: 46,388   +252

    That happens when you try to do what exactly?
  14. Code Butcher

    Code Butcher TechSpot Member Topic Starter Posts: 84

    When I try to run any program in a Normal startup.
  15. Broni

    Broni Malware Annihilator Posts: 46,388   +252

    What about safe mode?
  16. Code Butcher

    Code Butcher TechSpot Member Topic Starter Posts: 84

    Same thing happens in Safe Mode, though much faster.
  17. Broni

    Broni Malware Annihilator Posts: 46,388   +252

    Restart computer
    When you reboot you will see an option to boot into the Recovery Console or the normal Windows installation.
    You have to use the up/down arrows to choose the Recovery Console. Then press Enter but you only have 2 seconds by default.
    If you find this hard to do then you can go into Control Panel, System, Advanced, Startup and Recovery, Settings. Where it says Time to Display List of Operating Systems, change it to 10 or more seconds. OK Then reboot.

    You should get a black screen with a C:\> prompt. Type with an Enter after each line:

    fixmbr

    fixboot

    exit

    Reboot computer.
  18. Code Butcher

    Code Butcher TechSpot Member Topic Starter Posts: 84

    Is that Safe Mode with Command Prompt? I've only seen the Recovery Console with an install disk boot.
  19. Broni

    Broni Malware Annihilator Posts: 46,388   +252

    Do you have Windows XP CD?
  20. Code Butcher

    Code Butcher TechSpot Member Topic Starter Posts: 84

    Yes, I do have a Win XP CD. I was able to run SuperAntiSpyware and am running a scan right now. I'll post anything that comes up in the scan. Then try the Recovery Console.
  21. Broni

    Broni Malware Annihilator Posts: 46,388   +252

    Wait with that if you're able to run some programs...
  22. Broni

    Broni Malware Annihilator Posts: 46,388   +252

    When done with Super.

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right click Rkill and choose Run as Administrator
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  23. Code Butcher

    Code Butcher TechSpot Member Topic Starter Posts: 84

    The scan only found Adware Cookies. I was able to boot the Windows CD and run the Recovery Console. Same thing as before happens.
  24. Code Butcher

    Code Butcher TechSpot Member Topic Starter Posts: 84

    Can't run any of the rkill files. It just pops up a window then closes. I've tried to run Combofix right after I click on the rKill to have the NTVDM.EXE window pop up.

    rKill did manage to run and is currently killing processes, but I can't run Combofix yet.
  25. Broni

    Broni Malware Annihilator Posts: 46,388   +252

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
