Solved: Packed.rolex virus - Page 4

**Cookiegal** · 01-Jul-2009, 04:50 PM **#46**

Download OTS.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTS on your desktop.

Close any open browsers.
If your Real protection or Antivirus interferes with OTS, allow it to run.
Open the OTS folder and double-click on OTS.exe to start the program.
In Additional Scans section put a check in Disabled MS Config Items and EventViewer logs
Now click the Run Scan button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file.

Use the Reply button, scroll down to the attachments section and attach the notepad file here.

Roe727 · 01-Jul-2009, 05:17 PM **#47**

Ok here's the log..

**Cookiegal** · 02-Jul-2009, 06:44 PM **#48**

Start OTS. Copy/Paste the information in the code box below into the pane where it says "Paste fix here" and then click the "Run Fix" button.

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. CLick the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new HijackThis log please.

Code:

[Kill All Processes]
[Registry - Safe List]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[Registry - Additional Scans - Safe List]
< Disabled MSConfig Registry Items [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\
YN -> Windows Defender hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
[Files/Folders - Created Within 30 Days]
NY -> 1 C:\Users\Jason Nordeman\Desktop\*.tmp files -> C:\Users\Jason Nordeman\Desktop\*.tmp
NY -> SKYNET.dat -> C:\Windows\System32\SKYNET.dat
[Files/Folders - Modified Within 30 Days]
NY -> 20 C:\Users\Jason Nordeman\Documents\*.tmp files -> C:\Users\Jason Nordeman\Documents\*.tmp
NY -> SKYNET.dat -> C:\Windows\System32\SKYNET.dat
[Empty Temp Folders]
[Start Explorer]
[Reboot]

Roe727 · 02-Jul-2009, 07:06 PM **#49**

OTS LOG:

All Processes Killed
[Registry - Safe List]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.
[Registry - Additional Scans - Safe List]
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Windows Defender hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ not found.
File not found.
[Files/Folders - Created Within 30 Days]
C:\Windows\System32\SKYNET.dat moved successfully.
[Files/Folders - Modified Within 30 Days]
File C:\Windows\System32\SKYNET.dat not found!
[Empty Temp Folders]

User: Administrator

User: All Users

User: Default
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temporary Internet Files folder emptied: 0 bytes

User: Jason Nordeman
File delete failed. C:\Users\Jason Nordeman\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 3969833 bytes
->Java cache emptied: 50218670 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes

RecycleBin emptied: 371 bytes

Total Files Cleaned = 51.68 mb

< End of fix log >
OTS by OldTimer - Version 3.0.9.0 fix logfile created on 07022009_175320

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

HIJACKTHIS LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:58:41 PM, on 7/2/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18248)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\notepad.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Jason Nordeman\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://webmail.wcupa.edu/exchweb/bi...ange/&reason=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll C:\Windows\System32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcx_device - - C:\Windows\system32\dlcxcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SafeConnect Network manager (scManager) - Unknown owner - C:\Program Files\Impulse\scManager.sys servicestart (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 4477 bytes

**Cookiegal** · 02-Jul-2009, 09:35 PM **#50**

Open HijackThis and click on the Open Misc Tools section button. Click on the Open Uninstall Manager button. Click the Save List button. Save the list then copy and paste it here.

Roe727 · 02-Jul-2009, 09:58 PM **#51**

Ok....here is the uninstall list:

Ad-aware 6 Personal
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0.8
Adobe Shockwave Player
Apple Mobile Device Support
Apple Software Update
AVG Free 8.5
Bonjour
Canon iP1700
Conexant HDA D110 MDC V.92 Modem
Dell PC Fax
Dell Photo AIO Printer 926
Dell Wireless WLAN Card
Digital Line Detect
Dynex 5-in-1 card reader
Free YouTube to Mp3 Converter version 3.1
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
iTunes
Java(TM) 6 Update 11
Java(TM) 6 Update 3
Java(TM) SE Runtime Environment 6
Java(TM) SE Runtime Environment 6 Update 1
LimeWire 5.1.2
Linksys Updater
MediaDirect
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Office Professional Edition 2003
Microsoft SQL Server Compact 3.5 Design Tools ENU
Microsoft SQL Server Compact 3.5 ENU
Microsoft Visual Basic 2008 Express Edition - ENU
Microsoft Visual Basic 2008 Express Edition - ENU
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows SDK for Visual Studio 2008 Express Tools for .NET Framework
Microsoft Windows SDK for Visual Studio 2008 Express Tools for Win32
Modem Diagnostic Tool
Move Networks Media Player for Internet Explorer
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
Nero 7 Ultra Edition
neroxml
NetWaiting
NVIDIA Drivers
OutlookAddinSetup
QuickSet
QuickTime
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler
Roxio MyDVD DE
Roxio Update Manager
SafeConnect
SigmaTel Audio
Sonic Activation Module
Synaptics Pointing Device Driver
Uninstall 1.0.0.1
User's Guides
VC Runtimes MSI
Viewpoint Media Player
W Photo Studio

flavallee · 10:08 AM

Rosemary:

I'm giving you some instructions and some links. Don't do anything other than what I've advising you to do until Cookiegal is done with you or advises otherwise. I'm getting you ahead of the game a little bit so we can save some time later.

----------------------------------------------------------------

Go here to download Sun Java Runtime Environment 1.6.0.14. Just save it for now and don't install it yet.

Go here to download Adobe Reader 9.1.0. Just save it for now and don't install it yet.

Go here to download iTunes 8.2.0 and go here to download QuickTime 7.62.14.0. Just save them for now and don't install them yet.

(Note: If you're using an iPod and already have iTunes and QuickTime up-to-date, disregard downloading and saving those 2 files. The Add Or Remove Programs doesn't show the current version installed, so I'm assuming at this time that they're out-of-date.)

-----------------------------------------------------------------

Roe727 · 03-Jul-2009, 11:31 AM **#53**

Thanks....I have them downloaded to a disc and will install them when instructed. Anything to save time later is greatly appreciated.

I'll wait for my next instructions.

I really appreciate all that you guys/gals do.

Rosemary

flavallee · 04:35 PM

You're welcome, Rosemary.

That's why we're here.

----------------------------------------------------------------

Uninstall Ad-Aware 6 Personal because it's a very old and outdated version of Lavasoft Ad-Aware.

Malwarebytes Anti-Malware and SUPERAntiSpyware are better replacements anyway.

After it's uninstalled, go into the C:\Program Files folder and delete the entire leftover Ad-Aware or Lavasoft folder - if it's still there.

----------------------------------------------------------------

Uninstall Viewpoint Media Player because it's not needed and is known to be associated with spyware.

After it's uninstalled, go into the C:\Program Files folder and delete the entire Viewpoint folder - if it's still there.

----------------------------------------------------------------

Uninstall LimeWire 5.1.2 because it's a file-sharing program that leaves your computer open to infection.

After it's uninstalled, go into the C:\Program Files folder and delete the entire LimeWire folder - if it's still there.

---------------------------------------------------------------

After you've uninstalled those 3 programs and deleted their folders, restart your computer.

Follow Cookiegal's instructions for HijackThis in post #50 and then post an updated list here.

These are my last instructions to you for now.

----------------------------------------------------------------

**Cookiegal** · 03-Jul-2009, 04:40 PM **#55**

Are there other user accounts on this computer?

Roe727 · 03-Jul-2009, 05:18 PM **#56**

Ok...did as instructed and here is a new list:

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0.8
Adobe Shockwave Player
Apple Mobile Device Support
Apple Software Update
AVG Free 8.5
Bonjour
Canon iP1700
Conexant HDA D110 MDC V.92 Modem
Dell PC Fax
Dell Photo AIO Printer 926
Dell Wireless WLAN Card
Digital Line Detect
Dynex 5-in-1 card reader
Free YouTube to Mp3 Converter version 3.1
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
iTunes
Java(TM) 6 Update 11
Java(TM) 6 Update 3
Java(TM) SE Runtime Environment 6
Java(TM) SE Runtime Environment 6 Update 1
Linksys Updater
MediaDirect
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Office Professional Edition 2003
Microsoft SQL Server Compact 3.5 Design Tools ENU
Microsoft SQL Server Compact 3.5 ENU
Microsoft Visual Basic 2008 Express Edition - ENU
Microsoft Visual Basic 2008 Express Edition - ENU
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows SDK for Visual Studio 2008 Express Tools for .NET Framework
Microsoft Windows SDK for Visual Studio 2008 Express Tools for Win32
Modem Diagnostic Tool
Move Networks Media Player for Internet Explorer
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
Nero 7 Ultra Edition
neroxml
NetWaiting
NVIDIA Drivers
OutlookAddinSetup
QuickSet
QuickTime
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler
Roxio MyDVD DE
Roxio Update Manager
SafeConnect
SigmaTel Audio
Sonic Activation Module
Synaptics Pointing Device Driver
Uninstall 1.0.0.1
User's Guides
VC Runtimes MSI
W Photo Studio

Roe727 · 03-Jul-2009, 05:19 PM **#57**

No...only the one user account.

Rosemary

**Cookiegal** · 03-Jul-2009, 06:57 PM **#58**

Are you still not able to boot into safe mode?

Roe727 · 03-Jul-2009, 08:17 PM **#59**

No, the computer will still not boot in safe mode. I ran another combofix and here is the log that came up....

ComboFix 09-06-29.07 - Jason Nordeman 07/03/2009 19:04.15 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2046.1349 [GMT -4:00]
Running from: c:\users\Jason Nordeman\Desktop\combo-fix.exe
Command switches used :: c:\users\Jason Nordeman\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-06-03 to 2009-07-03 )))))))))))))))))))))))))))))))
.

2009-07-03 23:10 . 2009-07-03 23:10 -------- d-----w- c:\users\Jason Nordeman\AppData\Local\temp
2009-07-03 22:52 . 2009-07-03 22:56 -------- d-s---w- C:\combo-fix.exe
2009-07-02 21:53 . 2009-07-02 21:53 -------- d-----w- C:\_OTS
2009-06-30 20:11 . 2009-07-01 00:02 -------- d-----w- C:\ComboFix
2009-06-28 22:44 . 2009-06-28 22:44 746744 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\Spotlight Resources.dll
2009-06-27 14:48 . 2009-06-27 14:48 -------- d-----w- c:\users\Jason Nordeman\AppData\Local\data
2009-06-27 14:39 . 2009-06-27 14:39 -------- d-----w- c:\users\Jason Nordeman\AppData\Local\quicktime
2009-06-27 14:39 . 2009-06-27 14:39 -------- d-----w- c:\users\Jason Nordeman\AppData\Local\META-INF
2009-06-27 14:39 . 2009-06-27 14:39 -------- d-----w- c:\users\Jason Nordeman\AppData\Local\com
2009-06-27 14:39 . 2009-06-27 14:39 -------- d-----w- c:\users\Jason Nordeman\AppData\Local\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
2009-06-27 14:39 . 2009-06-27 14:39 -------- d-----w- c:\users\Jason Nordeman\AppData\Local\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
2009-06-25 12:48 . 2009-06-25 11:41 2052888 ----a-w- c:\programdata\avg8\update\backup\avgcorex.dll
2009-06-25 12:40 . 2009-06-30 22:47 -------- d--h--w- C:\$AVG8.VAULT$
2009-06-25 11:41 . 2009-06-25 11:41 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-25 11:41 . 2009-06-25 11:41 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-25 11:41 . 2009-06-25 11:41 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-25 11:41 . 2009-06-25 11:41 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-25 11:41 . 2009-06-30 23:54 -------- d-----w- c:\windows\system32\drivers\Avg
2009-06-24 21:44 . 2009-06-24 21:52 -------- d-----w- c:\windows\BDOSCAN8
2009-06-21 18:01 . 2009-06-21 18:01 -------- d-----w- c:\users\Jason Nordeman\AppData\Roaming\Malwarebytes
2009-06-21 18:00 . 2009-06-21 18:00 -------- d-----w- c:\programdata\Malwarebytes
2009-06-13 16:39 . 2009-04-30 12:37 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-06-13 16:39 . 2009-04-30 12:37 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-06-12 20:34 . 2009-04-21 11:55 2033152 ----a-w- c:\windows\system32\win32k.sys
2009-06-12 20:34 . 2009-04-23 12:42 636928 ----a-w- c:\windows\system32\localspl.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-30 21:47 . 2009-03-16 18:29 -------- d-----w- c:\programdata\avg8
2009-06-28 01:12 . 2008-11-09 18:05 -------- d-----w- c:\users\Jason Nordeman\AppData\Roaming\SUPERAntiSpyware.com
2009-06-28 01:12 . 2008-11-09 18:05 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-25 23:18 . 2007-05-09 13:46 -------- d-----w- c:\program files\Corel
2009-06-25 23:17 . 2007-05-09 13:54 -------- d-----w- c:\program files\Google
2009-06-24 20:37 . 2009-04-10 00:28 -------- d-----w- c:\program files\DVDVideoSoft
2009-06-22 10:47 . 2007-05-14 22:59 13448 ----a-w- c:\users\Jason Nordeman\AppData\Roaming\nvModes.dat
2009-06-21 17:49 . 2007-06-26 12:47 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-06-19 16:03 . 2007-06-05 16:37 -------- d-----w- c:\users\Jason Nordeman\AppData\Roaming\LimeWire
2009-06-15 13:46 . 2009-04-19 20:39 -------- d-----w- c:\program files\Dl_cats
2009-06-10 13:36 . 2009-04-20 05:29 -------- d-----w- c:\users\Jason Nordeman\AppData\Roaming\DellFaxCtr
2009-05-30 18:27 . 2009-05-30 18:11 -------- d-----w- c:\users\Jason Nordeman\AppData\Roaming\W Photo Studio
2009-05-30 18:27 . 2009-05-30 18:00 -------- d-----w- c:\users\Jason Nordeman\AppData\Roaming\W Photo Studio Viewer
2009-05-30 18:09 . 2009-05-30 18:09 -------- d-----w- c:\programdata\Walgreens
2009-05-30 18:09 . 2009-05-30 18:09 -------- d-----w- c:\users\Jason Nordeman\AppData\Roaming\Walgreens
2009-05-30 18:09 . 2009-05-30 18:09 -------- d-----w- c:\program files\Common Files\HP
2009-05-30 18:09 . 2009-05-30 18:09 -------- d-----w- c:\program files\Walgreens
2009-05-27 20:05 . 2009-05-27 19:50 -------- d-----w- c:\program files\Coupons
2009-05-16 16:06 . 2009-05-16 16:06 416128 ----a-w- c:\programdata\Microsoft\eHome\Packages\NetTV\Browse\NetTVResources.dll
2009-05-14 07:00 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-04-24 16:05 . 2009-06-12 20:33 827904 ----a-w- c:\windows\system32\wininet.dll
2009-04-24 16:02 . 2009-06-12 20:33 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-24 13:44 . 2009-06-12 20:33 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-04-23 12:43 . 2009-06-12 20:33 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2007-05-09 21:21 . 2007-05-09 21:20 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-06-26_02.38.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-05-09 14:07 . 2009-07-03 20:05 45968 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-07-03 22:59 64000 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-05-14 22:25 . 2009-07-03 22:59 14406 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2996572545-135866921-4033492168-1000_UserData.bin
- 2006-11-02 13:02 . 2009-06-26 02:06 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\ Cookies\index.dat
+ 2006-11-02 13:02 . 2009-07-01 20:36 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\ Cookies\index.dat
- 2006-11-02 13:02 . 2009-06-26 02:06 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\index.dat
+ 2006-11-02 13:02 . 2009-07-01 20:36 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\index.dat
- 2006-11-02 13:02 . 2009-06-26 02:06 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Hi story\History.IE5\index.dat
+ 2006-11-02 13:02 . 2009-07-01 20:36 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Hi story\History.IE5\index.dat
+ 2007-05-17 00:20 . 2009-06-28 12:29 4522 c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2009-07-03 22:34 . 2009-07-03 22:57 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-06-26 02:26 . 2009-06-26 02:26 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-06-26 02:26 . 2009-06-26 02:26 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-03 22:34 . 2009-07-03 22:57 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2007-05-14 22:59 . 2009-07-03 19:57 240350 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2006-11-02 10:33 . 2009-07-03 23:02 595684 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-06-26 02:34 595684 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-06-26 02:34 101350 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2009-07-03 23:02 101350 c:\windows\System32\perfc009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-25 1948440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\syste m]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDef end]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickSet.lnk
backup=c:\windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^SCClient.exe.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\SCClient.exe.lnk
backup=c:\windows\pss\SCClient.exe.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2996572545-135866921-4033492168-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{30D18C48-2E87-4AB5-B5F5-5C5C90D409BE}"= UDP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{33ECB0B3-0BA8-4AEF-A847-3DE8AB30765A}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{752A2A26-7848-4B6F-95F5-99C961DD44D0}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{44AC46A5-5D40-4064-96EE-72C1852EB6F8}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{40AA8754-CC61-4C37-92CC-18E467D9FF9E}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{CAEDFBF3-8AC1-4501-9187-7B6C3AE33A99}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{2B0C8748-C298-4593-9A2C-F711CE3BF54B}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{565BCD25-E083-4F79-95BE-CA8B17076CBD}"= UDP:c:\users\Jason Nordeman\Desktop\Shared\LimeWire\LimeWire.exe:LimeWire
"{C63E095A-D1A0-48BC-AB5A-453C57DB18E9}"= TCP:c:\users\Jason Nordeman\Desktop\Shared\LimeWire\LimeWire.exe:LimeWire
"{1BEF7C0B-FA0A-4A4A-8C3F-4D27EA4F706D}"= UDP:c:\users\Jason Nordeman\Desktop\Office, pp, excel\Shared\LimeWire\LimeWire.exe:LimeWire
"{ED31C1C4-A6AD-4BDD-95F3-FD502A945883}"= TCP:c:\users\Jason Nordeman\Desktop\Office, pp, excel\Shared\LimeWire\LimeWire.exe:LimeWire
"{E0D5481E-022F-4EF1-8E73-ECBC0F06C920}"= UDP:c:\users\Jason Nordeman\Desktop\Shared\LimeWire\LimeWire.exe:LimeWire
"{981B494F-F1CE-40FB-B17C-0AFD5C540E0E}"= TCP:c:\users\Jason Nordeman\Desktop\Shared\LimeWire\LimeWire.exe:LimeWire
"TCP Query User{C4596475-1235-497F-A66C-B4D67FCAD7A9}c:\\program files\\internet explorer\\iexplore.exe"= Disabled:UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{AF475501-7225-430C-988D-2A6E013A29B5}c:\\program files\\internet explorer\\iexplore.exe"= Disabled:TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{1ADC034B-24D0-4A4E-8F68-68E50C690B8A}c:\\program files\\itunes\\itunes.exe"= UDP:c:\program files\itunes\itunes.exe:iTunes
"UDP Query User{D4FF6448-E444-46D6-A271-BA1D2AFEA691}c:\\program files\\itunes\\itunes.exe"= TCP:c:\program files\itunes\itunes.exe:iTunes
"TCP Query User{432D73F0-7642-43D9-87DC-9F68B74F2CE0}c:\\users\\jason nordeman\\desktop\\new folder (2)\\soulseek\\slsk.exe"= UDP:c:\users\jason nordeman\desktop\new folder (2)\soulseek\slsk.exe:slsk.exe
"UDP Query User{FACFF2AA-A4F9-458E-95D1-F6CD1EE9F7B5}c:\\users\\jason nordeman\\desktop\\new folder (2)\\soulseek\\slsk.exe"= TCP:c:\users\jason nordeman\desktop\new folder (2)\soulseek\slsk.exe:slsk.exe
"TCP Query User{322DAA30-8DA3-4C37-9C85-B5CEF9F40FE8}c:\\users\\jason nordeman\\desktop\\new folder\\soulseek\\slsk.exe"= UDP:c:\users\jason nordeman\desktop\new folder\soulseek\slsk.exe:slsk.exe
"UDP Query User{9F5ED81A-1F16-4F64-AB61-F41C9897B5BD}c:\\users\\jason nordeman\\desktop\\new folder\\soulseek\\slsk.exe"= TCP:c:\users\jason nordeman\desktop\new folder\soulseek\slsk.exe:slsk.exe
"TCP Query User{1751EDD1-3958-4FD3-95BD-A6B80B23B128}c:\\users\\jason nordeman\\desktop\\soulseek\\slsk.exe"= UDP:c:\users\jason nordeman\desktop\soulseek\slsk.exe:slsk.exe
"UDP Query User{6A3D6779-DA09-4D53-8FC9-D81790679962}c:\\users\\jason nordeman\\desktop\\soulseek\\slsk.exe"= TCP:c:\users\jason nordeman\desktop\soulseek\slsk.exe:slsk.exe
"{5612308F-E23E-41A3-8E8F-66EE85702116}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{6C62D755-6B0D-433F-BEE3-477E65302824}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{93EA2948-2AC6-4714-B668-CD8E389D7EB7}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{7FE49F12-FD2C-44D3-B448-A0332C9DCC27}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{A31D874D-C774-4C50-9B37-EFEACEDB7126}"= UDP:c:\windows\System32\dlcxcoms.exe:Lexmark Communications System
"{53CACE5E-F6F6-43A2-9F4A-8DCE351D4777}"= TCP:c:\windows\System32\dlcxcoms.exe:Lexmark Communications System
"{EBADB57F-E90E-40F5-84BD-6C96A9614010}"= UDP:c:\program files\Dell Photo AIO Printer 926\dlcxmon.exe

evice Monitor
"{F598B523-83A8-4254-896D-63C7555B199C}"= TCP:c:\program files\Dell Photo AIO Printer 926\dlcxmon.exe

evice Monitor
"{4D21C11A-78EA-451E-9EE6-F0972D57AB40}"= UDP:c:\program files\Dell Photo AIO Printer 926\dlcxaiox.exe:All In One Center
"{EB5045ED-A6F7-4C5F-BC2E-141F40265387}"= TCP:c:\program files\Dell Photo AIO Printer 926\dlcxaiox.exe:All In One Center
"{04133352-B104-419F-9DAC-EA90F86045E1}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{163E3D9F-747E-4609-862C-86EE434602CF}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [6/25/2009 7:41 AM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [6/25/2009 7:41 AM 108552]
R2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [1/15/2008 10:28 AM 204800]
R2 scManager;SafeConnect Network manager ;c:\program files\Impulse\scManager.sys servicestart --> c:\program files\Impulse\scManager.sys servicestart [?]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/25/2009 7:41 AM 298776]
.
.
------- Supplementary Scan -------
.
uStart Page = https://webmail.wcupa.edu/exchweb/bi...ange/&reason=0
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-03 19:10
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-07-03 19:14
ComboFix-quarantined-files.txt 2009-07-03 23:14
ComboFix2.txt 2009-07-03 22:50
ComboFix3.txt 2009-07-01 11:34
ComboFix4.txt 2009-07-01 01:18
ComboFix5.txt 2009-07-03 22:52

Pre-Run: 10,201,694,208 bytes free
Post-Run: 11,582,500,864 bytes free

194 --- E O F --- 2009-06-30 21:04

**Cookiegal** · 04-Jul-2009, 04:34 PM **#60**

When did you first notice that you can't boot to safe mode?

Tag Cloud
access acer asus bios bsod computer crash driver drivers error ethernet excel freeze gaming gpu hard drive hardware hdmi internet laptop mac malware memory monitor motherboard music network printer problem ram registry router server slow software sound trojan ubuntu 11.10 uninstall usb video virus vista wifi windows windows 7 windows 7 32 bit windows 7 64 bit windows xp wireless

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Find the solution to yourcomputer problem!

Find the solution to your
computer problem!