Geeks to Go

Infected with Virus, lost admin powers [Closed]


This topic is locked

#1 Gnitrops (Member, 29 posts)
Hello,

I'm posting here because I'm in need of some help. One computer in my house has been infected with Brontok. Its operating system is 64-bit Vista.
I have no Internet connection on that computer at the moment.

I've looked around for solutions, but what I've tried so far has had no success. I can't access the registry, and I can't perform administrator actions even though I'm logged in as a computer administrator.
I've tried installing an anti-virus; the computer restarts when I double-click the installer. I've tried brontok-washer, with the same result. I tried brontgui.com (from Sophos.com), which actually runs, but it can't do much since it's not running in Administrator mode.
I'd try to remove it manually, but I can't start Vista in Safe Mode with Command Prompt; if I try to, I just get redirected to normal Safe Mode (and still have no admin rights).

I found out this computer had a virus because my personal computer detected it on a USB pen drive coming from the infected computer. Apparently, when you plug removable media into the infected PC, it automatically copies Brontok to it, creating some folder-like .exes called DATA of USER. It also seems to find zip and rar files and create other fake folder-like .exes with the same name as the zip/rar.

In Task Manager, I noticed that I have some fake lsass.exe, crss.exe, winlogon.exe, services.exe and a temp01.exe.

In the meantime, I tested a mix of several methods and managed to regain access to regedit, using brontgui.com with some manual removal. I deleted all the .exes I could find with the folder icon, plus temp01.exe and temp02.exe, plus any file I could find with a name similar to brontok. I found them everywhere, from windows\system32 to user\appdata\local. Still, every time I reboot, they are all back.

I can't run Rooter.exe. I get some weird error when it starts running, and no report is generated.

Here are the logs from OT:

OTListIt logfile created on: 13-04-2009 22:12:54 - Run 1
OTListIt2 by OldTimer - Version 2.0.14.0 Folder = C:\Users\Thiago\Desktop
Windows Vista Ultimate Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000816 | Country: Portugal | Language: PTG | Date Format: dd-MM-yyyy

2,00 Gb Total Physical Memory | 0,90 Gb Available Physical Memory | 44,99% Memory free
4,00 Gb Paging File | 3,01 Gb Available in Paging File | 75,31% Paging File free
Paging file location(s): ?:\pagefile.sys;

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 232,88 Gb Total Space | 4,82 Gb Free Space | 2,07% Space Free | Partition Type: NTFS
Drive D: | 4,38 Gb Total Space | 4,37 Gb Free Space | 99,88% Space Free | Partition Type: UDF
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
Drive I: | 465,75 Gb Total Space | 159,16 Gb Free Space | 34,17% Space Free | Partition Type: NTFS
Drive J: | 1,89 Gb Total Space | 1,84 Gb Free Space | 97,25% Space Free | Partition Type: FAT

Computer Name: TOTOS
Current User Name: Thiago
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\Program Files (x86)\DAEMON Tools Lite\daemon.exe (DT Soft Ltd)
PRC - C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
PRC - C:\Program Files (x86)\Electronic Arts\EADM\Core.exe (Electronic Arts)
PRC - C:\Program Files (x86)\XpertVision\TBPANEL.exe (Xpertvision, Inc.)
PRC - C:\Program Files (x86)\Java\jre1.6.0_03\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
PRC - C:\Users\Thiago\AppData\Local\winlogon.exe ()
PRC - C:\Users\Thiago\AppData\Local\services.exe ()
PRC - C:\Users\Thiago\AppData\Local\lsass.exe ()
PRC - C:\Windows\SysWOW64\conime.exe (Microsoft Corporation)
PRC - C:\Users\Thiago\Desktop\OTListIt2.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (Adobe LM Service [On_Demand | Stopped]) -- C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe (Adobe Systems)
SRV - (BthServ [Auto | Running]) -- C:\Windows\sysnative\bthserv.dll ()
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (clr_optimization_v2.0.50727_64 [On_Demand | Stopped]) -- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (CscService [Auto | Running]) -- C:\Windows\sysnative\cscsvc.dll ()
SRV - (ehRecvr [On_Demand | Stopped]) -- C:\Windows\ehome\ehRecvr.exe (Microsoft Corporation)
SRV - (ehSched [On_Demand | Stopped]) -- C:\Windows\ehome\ehsched.exe (Microsoft Corporation)
SRV - (ehstart [Auto | Stopped]) -- C:\Windows\ehome\ehstart.dll (Microsoft Corporation)
SRV - (Fax [On_Demand | Stopped]) -- C:\Windows\sysnative\fxssvc.exe ()
SRV - (FontCache3.0.0.0 [On_Demand | Stopped]) -- C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)
SRV - (hpqcxs08 [On_Demand | Stopped]) -- C:\Program Files (x86)\HP\Digital Imaging\bin\hpqcxs08.dll (Hewlett-Packard Co.)
SRV - (IDriverT [On_Demand | Stopped]) -- C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (Macrovision Corporation)
SRV - (idsvc [Unknown | Stopped]) -- C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)
SRV - (iWinGamesInstaller [Auto | Stopped]) -- C:\Program Files (x86)\iWin Games\iWinGamesInstaller.exe (iWin Inc.)
SRV - (NetTcpPortSharing [Disabled | Stopped]) -- C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation)
SRV - (odserv [On_Demand | Stopped]) -- C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE (Microsoft Corporation)
SRV - (ose [On_Demand | Stopped]) -- C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (PcaSvc [Auto | Running]) -- C:\Windows\sysnative\pcasvc.dll ()
SRV - (PerfHost [On_Demand | Stopped]) -- C:\Windows\SysWow64\perfhost.exe (Microsoft Corporation)
SRV - (ServiceLayer [On_Demand | Stopped]) -- C:\Program Files (x86)\Common Files\PCSuite\Services\ServiceLayer.exe (Nokia.)
SRV - (Steam Client Service [On_Demand | Stopped]) -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe (Valve Corporation)
SRV - (UmRdpService [On_Demand | Stopped]) -- C:\Windows\sysnative\umrdp.dll ()
SRV - (UxTuneUp [Auto | Running]) -- C:\Windows\System32\uxtuneup.dll (TuneUp Software GmbH)
SRV - (wbengine [On_Demand | Stopped]) -- C:\Windows\sysnative\wbengine.exe ()
SRV - (WMPNetworkSvc [Auto | Running]) -- C:\Program Files\Windows Media Player\wmpnetwk.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (ADIHdAudAddService [On_Demand | Stopped]) -- C:\Windows\sysnative\drivers\ADIHdAud.sys ()
DRV - (AsIO [System | Running]) -- C:\Windows\SysWow64\drivers\AsIO.sys ()
DRV - (atksgt [Auto | Running]) -- C:\Windows\sysnative\DRIVERS\atksgt.sys ()
DRV - (BlueletAudio [On_Demand | Running]) -- C:\Windows\system32\DRIVERS\blueletaudio.sys (IVT Corporation.)
DRV - (BlueletSCOAudio [On_Demand | Running]) -- C:\Windows\system32\DRIVERS\BlueletSCOAudio.sys (IVT Corporation.)
DRV - (BT [On_Demand | Running]) -- C:\Windows\system32\DRIVERS\btnetdrv.sys (IVT Corporation.)
DRV - (Btcsrusb [On_Demand | Stopped]) -- C:\Windows\System32\Drivers\btcusb.sys (IVT Corporation.)
DRV - (BthEnum [On_Demand | Stopped]) -- C:\Windows\sysnative\DRIVERS\BthEnum.sys ()
DRV - (BTHidEnum [Boot | Running]) -- C:\Windows\System32\Drivers\vbtenum.sys (IVT Corporation.)
DRV - (BTHidMgr [Boot | Running]) -- C:\Windows\System32\Drivers\BTHidMgr.sys (IVT Corporation.)
DRV - (BthPan [On_Demand | Stopped]) -- C:\Windows\sysnative\DRIVERS\bthpan.sys ()
DRV - (BTHPORT [On_Demand | Stopped]) -- C:\Windows\sysnative\Drivers\BTHport.sys ()
DRV - (BTHUSB [On_Demand | Stopped]) -- C:\Windows\sysnative\Drivers\BTHUSB.sys ()
DRV - (Cardex [On_Demand | Running]) -- C:\Windows\SysWOW64\drivers\TBPANELX64.SYS (Windows ® Server 2003 DDK provider)
DRV - (CdaC15BA [Auto | Stopped]) -- C:\Windows\system32\drivers\CdaC15BA.SYS (Macrovision Europe Ltd)
DRV - (CSC [System | Running]) -- C:\Windows\sysnative\drivers\csc.sys ()
DRV - (fvevol [Boot | Running]) -- C:\Windows\sysnative\DRIVERS\fvevol.sys ()
DRV - (HdAudAddService [On_Demand | Running]) -- C:\Windows\sysnative\drivers\HdAudio.sys ()
DRV - (lirsgt [Auto | Running]) -- C:\Windows\sysnative\DRIVERS\lirsgt.sys ()
DRV - (MTsensor [On_Demand | Running]) -- C:\Windows\sysnative\DRIVERS\ASACPI.sys ()
DRV - (Nokia USB Generic [On_Demand | Stopped]) -- C:\Windows\sysnative\drivers\nmwcdcx64.sys ()
DRV - (Nokia USB Modem [On_Demand | Stopped]) -- C:\Windows\sysnative\drivers\nmwcdcmx64.sys ()
DRV - (Nokia USB Phone Parent [On_Demand | Stopped]) -- C:\Windows\sysnative\drivers\nmwcdx64.sys ()
DRV - (Nokia USB Port [On_Demand | Stopped]) -- C:\Windows\sysnative\drivers\nmwcdcjx64.sys ()
DRV - (NPPTNT2 [On_Demand | Stopped]) -- C:\Windows\system32\npptNT2.sys (INCA Internet Co., Ltd.)
DRV - (pcouffin [On_Demand | Stopped]) -- C:\Windows\sysnative\Drivers\pcouffin.sys ()
DRV - (RFCOMM [On_Demand | Stopped]) -- C:\Windows\sysnative\DRIVERS\rfcomm.sys ()
DRV - (ROOTMODEM [On_Demand | Running]) -- C:\Windows\sysnative\Drivers\RootMdm.sys ()
DRV - (RTL8169 [On_Demand | Running]) -- C:\Windows\sysnative\DRIVERS\Rtlh64.sys ()
DRV - (SASDIFSV [System | Stopped]) -- C:\Program Files (x86)\SUPERAntiSpyware\SASDIFSV.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASENUM [On_Demand | Stopped]) -- C:\Program Files (x86)\SUPERAntiSpyware\SASENUM.SYS ( SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASKUTIL [System | Stopped]) -- C:\Program Files (x86)\SUPERAntiSpyware\SASKUTIL.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (sptd [Boot | Running]) -- C:\Windows\sysnative\Drivers\sptd.sys ()
DRV - (TBPanel [On_Demand | Stopped]) -- C:\Windows\System32\drivers\TBPanel.sys (Windows ® 2000 DDK provider)
DRV - (VComm [On_Demand | Running]) -- C:\Windows\system32\DRIVERS\VComm.sys (IVT Corporation.)
DRV - (VcommMgr [On_Demand | Running]) -- C:\Windows\System32\Drivers\VcommMgr.sys (IVT Corporation.)
DRV - (WpdUsb [On_Demand | Stopped]) -- C:\Windows\sysnative\DRIVERS\wpdusb.sys ()

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Search
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://internetsearc...q={searchTerms}
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =
IE - HKLM\Software\Microsoft\Internet Explorer\SearchURL\w, = http://internetsearc...com/search?q=%s


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-366772731-3514380911-1372750896-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
IE - HKU\S-1-5-21-366772731-3514380911-1372750896-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKU\S-1-5-21-366772731-3514380911-1372750896-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
IE - HKU\S-1-5-21-366772731-3514380911-1372750896-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-366772731-3514380911-1372750896-1000\S-1-5-21-366772731-3514380911-1372750896-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-366772731-3514380911-1372750896-1000\S-1-5-21-366772731-3514380911-1372750896-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultthis.engineName: "Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.condui...rchSource=3&q="
FF - prefs.js..browser.search.selectedEngine: "Web Search"
FF - prefs.js..browser.startup.homepage: "http://search.condui...earchSource=13"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}:6.0.02
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}:6.0.07
FF - prefs.js..extensions.enabledItems: {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}:1.5.47.1
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.7
FF - prefs.js..keyword.URL: "http://search.condui...d=CT1460988&q="

FF - HKLM\software\mozilla\Firefox\Extensions\\{98e34367-8df7-42b4-837b-20b892ff0847}: C:\PROGRAMDATA\IWIN GAMES\FIREFOX [2008-07-15 18:09:41 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.7\extensions\\Components: C:\PROGRAM FILES (X86)\MOZILLA FIREFOX\COMPONENTS [2009-03-19 00:25:35 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.7\extensions\\Plugins: C:\PROGRAM FILES (X86)\MOZILLA FIREFOX\PLUGINS [2009-03-08 20:25:52 | 00,000,000 | ---D | M]

[2008-08-11 18:05:55 | 00,000,000 | ---D | M] -- C:\Users\Thiago\AppData\Roaming\mozilla\Extensions
[2008-08-11 18:05:55 | 00,000,000 | ---D | M] -- C:\Users\Thiago\AppData\Roaming\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2007-08-10 16:48:29 | 00,000,000 | ---D | M] -- C:\Users\Thiago\AppData\Roaming\mozilla\Firefox\Profiles\20k3lvxh.default\extensions
[2008-11-24 15:50:50 | 00,000,838 | ---- | M] () -- C:\Users\Thiago\AppData\Roaming\Mozilla\FireFox\Profiles\20k3lvxh.default\searchplugins\conduit.xml
[2009-04-13 19:36:14 | 00,000,000 | ---D | M] -- C:\Program Files (x86)\mozilla firefox\extensions
[2009-03-08 20:25:52 | 00,000,000 | ---D | M] -- C:\Program Files (x86)\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009-01-28 18:47:22 | 00,000,000 | ---D | M] -- C:\Program Files (x86)\mozilla firefox\extensions\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}
[2007-08-11 18:57:51 | 00,000,000 | ---D | M] -- C:\Program Files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
[2008-08-11 18:01:38 | 00,000,000 | ---D | M] -- C:\Program Files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
[2009-03-08 20:25:44 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browserdirprovider.dll
[2009-03-08 20:25:44 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\brwsrcmp.dll
[2007-11-07 23:02:16 | 00,001,525 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\amazon-en-GB.xml
[2009-01-28 21:54:20 | 00,002,194 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\babylon.xml
[2008-04-16 05:08:20 | 00,001,706 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\google.xml
[2007-11-07 23:02:16 | 00,001,529 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\priberam.xml
[2007-11-07 23:02:16 | 00,002,071 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\sapo.xml
[2008-04-12 15:58:30 | 00,000,942 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\wikipedia-ptpt.xml
[2007-11-07 23:02:16 | 00,000,648 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-br.xml

O1 HOSTS File: (140237 bytes) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 0.0.0.0 123spywar.com
O1 - Hosts: 0.0.0.0 www.123spywar.com
O1 - Hosts: 0.0.0.0 1clickspyclean.com
O1 - Hosts: 0.0.0.0 www.1clickspyclean.com
O1 - Hosts: 0.0.0.0 1clicksuite.net
O1 - Hosts: 0.0.0.0 www.1clicksuite.net
O1 - Hosts: 0.0.0.0 1spyware-removal.com
O1 - Hosts: 0.0.0.0 www.1spyware-removal.com
O1 - Hosts: 0.0.0.0 1spywarekiller.com
O1 - Hosts: 0.0.0.0 www.1spywarekiller.com
O1 - Hosts: 0.0.0.0 1stantivirus.com
O1 - Hosts: 0.0.0.0 www.1stantivirus.com
O1 - Hosts: 0.0.0.0 1stspywar.com
O1 - Hosts: 0.0.0.0 www.1stspywar.com
O1 - Hosts: 0.0.0.0 2-antispyware.com
O1 - Hosts: 0.0.0.0 www.2-antispyware.com
O1 - Hosts: 0.0.0.0 3bsoftware.com
O1 - Hosts: 0.0.0.0 www.3bsoftware.com
O1 - Hosts: 0.0.0.0 actualresearch.com
O1 - Hosts: 0.0.0.0 www.actualresearch.com
O1 - Hosts: 0.0.0.0 abletostop.com
O1 - Hosts: 0.0.0.0 www.abletostop.com
O1 - Hosts: 0.0.0.0 aboutblankremover.com
O1 - Hosts: 0.0.0.0 www.aboutblankremover.com
O1 - Hosts: 0.0.0.0 achtungachtung.com
O1 - Hosts: 4888 more lines...
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - Reg Error: Key error. File not found
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Auxiliar de Conexão do Windows Live) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Megaupload Toolbar) - {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - C:\PROGRA~2\MEGAUP~1\MEGAUP~1.DLL File not found
O3 - HKLM\..\Toolbar: (Megaupload Toolbar) - {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - C:\PROGRA~2\MEGAUP~1\MEGAUP~1.DLL File not found
O3 - HKU\S-1-5-21-366772731-3514380911-1372750896-1000\..\Toolbar\WebBrowser: (no name) - {F2CF5485-4E02-4F68-819C-B92DE9277049} - C:\Windows\SysWOW64\ieframe.dll (Microsoft Corporation)
O4 - HKLM..\Run: [Bron-Spizaetus] "C:\Windows\ShellNew\RakyatKelaparan.exe" ()
O4 - HKLM..\Run: [Gainward] "C:\Program Files (x86)\XpertVision\TBPanel.exe" /A (Xpertvision, Inc.)
O4 - HKLM..\Run: [Gbplugin] C:\Arquivos de programas\gbplugin.exe File not found
O4 - HKLM..\Run: [MyProgram] c:\windows\temp01.exe File not found
O4 - HKLM..\Run: [NeroCheck] C:\Windows\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\qttask.exe" -atboottime File not found
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.6.0_03\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKU\S-1-5-19..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (Microsoft Corporation)
O4 - HKU\S-1-5-21-366772731-3514380911-1372750896-1000..\Run: [AlcoholAutomount] "C:\Program Files (x86)\Alcohol Soft\Alcohol 120\axcmd.exe" /automount (Alcohol Soft Development Team)
O4 - HKU\S-1-5-21-366772731-3514380911-1372750896-1000..\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\daemon.exe" -autorun (DT Soft Ltd)
O4 - HKU\S-1-5-21-366772731-3514380911-1372750896-1000..\Run: [EA Core] C:\Program Files (x86)\Electronic Arts\EADM\Core.exe -silent (Electronic Arts)
O4 - HKU\S-1-5-21-366772731-3514380911-1372750896-1000..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-366772731-3514380911-1372750896-1000..\Run: [Google Update] "C:\Users\Mãe\AppData\Local\Google\Update\GoogleUpdate.exe" /c (Google Inc.)
O4 - HKU\S-1-5-21-366772731-3514380911-1372750896-1000..\Run: [MsnMsgr] "C:\Program Files (x86)\MSN Messenger\MsnMsgr.Exe" /background File not found
O4 - HKU\S-1-5-21-366772731-3514380911-1372750896-1000..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (Microsoft Corporation)
O4 - HKU\S-1-5-21-366772731-3514380911-1372750896-1000..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe File not found
O4 - HKU\S-1-5-21-366772731-3514380911-1372750896-1000..\Run: [SUPERAntiSpyware] C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKU\S-1-5-21-366772731-3514380911-1372750896-1000..\Run: [Tok-Cirrhatus] File not found
O4 - HKU\S-1-5-21-366772731-3514380911-1372750896-1000..\Run: [Tok-Cirrhatus-1992] "C:\Users\Thiago\AppData\Local\smss.exe" ()
O4 - HKU\.DEFAULT..\RunOnce: [IETI] C:\Program Files (x86)\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART File not found
O4 - HKU\S-1-5-18..\RunOnce: [IETI] C:\Program Files (x86)\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceActiveDesktopOn = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17
O7 - HKU\S-1-5-21-366772731-3514380911-1372750896-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-366772731-3514380911-1372750896-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1
O7 - HKU\S-1-5-21-366772731-3514380911-1372750896-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2
O7 - HKU\S-1-5-21-366772731-3514380911-1372750896-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1
O7 - HKU\S-1-5-21-366772731-3514380911-1372750896-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCMD = 0
O7 - HKU\S-1-5-21-366772731-3514380911-1372750896-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000 (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files (x86)\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [@%SystemRoot%\system32\nlasvc.dll,-1000] - C:\Windows\system32\NLAapi.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [@%SystemRoot%\system32\napinsp.dll,-1000] - C:\Windows\system32\napinsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [@%SystemRoot%\system32\pnrpnsp.dll,-1000] - C:\Windows\system32\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [@%SystemRoot%\system32\pnrpnsp.dll,-1001] - C:\Windows\system32\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [Espaço de nome Bluetooth] - C:\Windows\system32\wshbth.dll (Microsoft Corporation)
O13 - gopher Prefix: missing
O15 - HKU\.DEFAULT\..Trusted Domains: 34 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 34 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-19\..Trusted Domains: 34 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-20\..Trusted Domains: 34 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-366772731-3514380911-1372750896-1000\..Trusted Domains: microsoft.com ([*.update] http in Trusted sites)
O15 - HKU\S-1-5-21-366772731-3514380911-1372750896-1000\..Trusted Domains: microsoft.com ([*.update] https in Trusted sites)
O15 - HKU\S-1-5-21-366772731-3514380911-1372750896-1000\..Trusted Domains: windowsupdate.com ([download] http in Trusted sites)
O15 - HKU\S-1-5-21-366772731-3514380911-1372750896-1000\..Trusted Domains: 43 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} http://aolsvc.aol.co...houseplayer.cab (GameHouse Games Player)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} http://l.yimg.com/jh...loadControl.cab (DVCDownloadControl)
O16 - DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} (CPlayFirstzenerchiControl Object)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zon...nt.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {FC4CAF5F-91BD-4DD9-ADC1-F3C737E37BC4} http://zone.msn.com/...ia.1.0.0.46.cab (CPlayFirstSweetopiaControl Object)
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\Windows\SysWOW64\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files (x86)\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\Windows\SysWOW64\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Filter: - deflate - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter: - gzip - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\system32\Explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - ("C:\Windows\KesenjanganSosial.exe") - C:\Windows\KesenjanganSosial.exe ()
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\Windows\SysWOW64\webcheck.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files (x86)\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O31 - SafeBoot: AlternateShell - cmd-brontok.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - Autorun File - C:\AUTOEXEC.BAT () - [ NTFS ]
O33 - MountPoints2\{399b85df-263a-11dc-a102-001a92635277}\Shell - "" = AutoRun
O33 - MountPoints2\{399b85df-263a-11dc-a102-001a92635277}\Shell\AutoRun\command - "" = E:\Autorun.exe -- File not found
O33 - MountPoints2\{5e05584d-4e68-11dd-9e3e-0015830591b1}\Shell - "" = AutoRun
O33 - MountPoints2\{5e05584d-4e68-11dd-9e3e-0015830591b1}\Shell\AutoRun\command - "" = I:\LaunchU3.exe -- File not found
O33 - MountPoints2\{7f6fbdf6-cb99-11dc-b25b-0015830591b1}\Shell - "" = AutoRun
O33 - MountPoints2\{7f6fbdf6-cb99-11dc-b25b-0015830591b1}\Shell\AutoRun\command - "" = F:\Capinst.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\Windows\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[2009-04-13 22:11:57 | 00,000,000 | ---D | C] -- C:\Rooter$
[2009-04-13 22:10:16 | 00,000,000 | ---D | C] -- C:\Users\Thiago\AppData\Local\Bron.tok-15-13
[2009-04-13 21:40:33 | 03,199,195 | -H-- | C] () -- C:\Users\Thiago\AppData\Local\IconCache.db
[2009-04-13 21:24:58 | 02,967,800 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Thiago\Desktop\mbam-setup.exe
[2009-04-13 21:24:58 | 00,501,248 | ---- | C] (OldTimer Tools) -- C:\Users\Thiago\Desktop\OTListIt2.exe
[2009-04-13 21:24:58 | 00,267,612 | ---- | C] () -- C:\Users\Thiago\Desktop\Rooter.exe
[2009-04-13 19:09:30 | 00,088,064 | ---- | C] () -- C:\Users\Thiago\Desktop\brontgui.com
[2009-04-13 18:22:38 | 00,991,232 | ---- | C] () -- C:\Users\Thiago\Desktop\brontok-washer.exe
[2009-04-13 18:22:38 | 00,401,720 | ---- | C] (Trend Micro Inc.) -- C:\Users\Thiago\Desktop\HijackThis.exe
[2009-04-13 18:22:29 | 00,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Users\Thiago\Desktop\HJTInstall.exe
[2009-04-13 18:22:27 | 01,249,226 | ---- | C] () -- C:\Users\Thiago\Desktop\brontok-washer.zip
[2009-04-13 17:00:32 | 00,000,000 | ---D | C] -- C:\Users\Thiago\Desktop\paradise2
[2009-04-12 13:35:47 | 00,000,569 | ---- | C] () -- C:\Users\Public\Desktop\Capitalism II.lnk
[2009-04-12 13:34:47 | 00,000,000 | ---D | C] -- C:\Capitalism II
[2009-04-12 13:24:41 | 00,000,000 | ---D | C] -- C:\Users\Thiago\Desktop\Capitalism II
[2009-04-11 12:08:46 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2009-04-09 19:45:17 | 00,000,000 | ---D | C] -- C:\Users\Thiago\Documents\Hitman Blood Money
[2009-04-09 19:41:22 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\GameShadow
[2009-04-09 18:26:30 | 00,000,000 | ---D | C] -- C:\Users\Thiago\AppData\Local\Microsoft Games
[2009-04-09 18:24:39 | 00,000,835 | ---- | C] () -- C:\Users\Public\Desktop\Launch Hitman Blood Money.lnk
[2009-04-09 18:24:39 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Eidos
[2009-04-08 12:28:30 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Managed DirectX (0901)
[2009-04-07 21:56:14 | 00,000,000 | ---D | C] -- C:\Users\Thiago\Desktop\Hitman - Blood Money
[2009-04-07 21:17:12 | 00,000,764 | ---- | C] () -- C:\Users\Thiago\Desktop\FILMS - Atalho.lnk
[2009-04-06 10:53:17 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Call of Duty
[2009-04-01 12:33:36 | 00,000,632 | ---- | C] () -- C:\Windows\CoD.INI
[2009-03-31 13:35:19 | 00,000,000 | ---D | C] -- C:\ProgramData\KONAMI
[2009-03-31 13:26:08 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\KONAMI
[2009-03-16 14:45:44 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\SMPlayer
[2009-03-16 14:29:32 | 00,000,000 | ---D | C] -- C:\ProgramData\BigFish
[2009-03-15 15:07:36 | 00,001,580 | ---- | C] () -- C:\Users\Public\Desktop\More Great Games.lnk
[2009-01-27 17:12:20 | 00,000,268 | ---- | C] () -- C:\Windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2009-01-17 14:53:58 | 00,000,090 | ---- | C] () -- C:\Windows\WA.INI
[2008-09-17 19:26:00 | 00,000,250 | ---- | C] () -- C:\Windows\gmer.ini
[2008-09-17 19:25:59 | 00,884,736 | ---- | C] () -- C:\Windows\gmer.dll
[2008-06-27 22:19:54 | 00,001,152 | ---- | C] () -- C:\Windows\System32\windrv.sys
[2008-01-27 22:42:14 | 00,000,069 | ---- | C] () -- C:\Windows\NeroDigital.ini
[2007-12-10 15:07:01 | 00,000,020 | ---- | C] () -- C:\Windows\SeiSTPB.INI
[2007-12-10 15:07:01 | 00,000,013 | ---- | C] () -- C:\Windows\SeiSTPBImg.INI
[2007-12-10 01:29:18 | 00,003,431 | ---- | C] () -- C:\Windows\nero.INI
[2007-08-07 22:52:10 | 00,069,632 | ---- | C] () -- C:\Windows\System32\xmltok.dll
[2007-08-07 22:52:10 | 00,036,864 | ---- | C] () -- C:\Windows\System32\xmlparse.dll
[2007-06-28 21:19:23 | 00,024,576 | ---- | C] () -- C:\Windows\System32\AsIO.dll
[2007-06-28 21:19:23 | 00,013,632 | ---- | C] () -- C:\Windows\System32\drivers\AsIO.sys
[2007-06-28 20:54:16 | 00,000,558 | ---- | C] () -- C:\Windows\DFC.INI
[2007-02-05 20:05:26 | 00,000,038 | ---- | C] () -- C:\Windows\AviSplitter.INI
[2006-11-02 13:34:27 | 00,000,331 | ---- | C] () -- C:\Windows\win.ini
[2006-11-02 13:34:27 | 00,000,219 | ---- | C] () -- C:\Windows\system.ini
[2006-10-09 01:29:22 | 00,032,832 | ---- | C] () -- C:\Windows\System32\drivers\BTNetFilter.sys

========== Files - Modified Within 30 Days ==========

[2009-04-13 22:10:15 | 00,000,007 | -HS- | M] () -- C:\AUTOEXEC.BAT
[2009-04-13 22:10:13 | 00,000,558 | ---- | M] () -- C:\Windows\DFC.INI
[2009-04-13 22:09:34 | 03,199,195 | -H-- | M] () -- C:\Users\Thiago\AppData\Local\IconCache.db
[2009-04-13 21:42:17 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2009-04-13 21:42:14 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2009-04-13 21:40:39 | 00,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2009-04-13 19:50:22 | 00,267,612 | ---- | M] () -- C:\Users\Thiago\Desktop\Rooter.exe
[2009-04-13 19:49:18 | 02,967,800 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Thiago\Desktop\mbam-setup.exe
[2009-04-13 19:47:18 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Users\Thiago\Desktop\OTListIt2.exe
[2009-04-13 18:51:58 | 00,088,064 | ---- | M] () -- C:\Users\Thiago\Desktop\brontgui.com
[2009-04-13 17:56:20 | 00,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Users\Thiago\Desktop\HJTInstall.exe
[2009-04-13 17:48:46 | 01,249,226 | ---- | M] () -- C:\Users\Thiago\Desktop\brontok-washer.zip
[2009-04-13 17:30:45 | 00,000,848 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-366772731-3514380911-1372750896-1001.job
[2009-04-13 17:05:02 | 00,058,368 | ---- | M] () -- C:\Users\Thiago\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009-04-12 13:35:47 | 00,000,569 | ---- | M] () -- C:\Users\Public\Desktop\Capitalism II.lnk
[2009-04-09 23:42:07 | 00,000,069 | ---- | M] () -- C:\Windows\NeroDigital.ini
[2009-04-09 18:24:39 | 00,000,835 | ---- | M] () -- C:\Users\Public\Desktop\Launch Hitman Blood Money.lnk
[2009-04-08 12:24:20 | 00,000,632 | ---- | M] () -- C:\Windows\CoD.INI
[2009-04-07 21:17:12 | 00,000,764 | ---- | M] () -- C:\Users\Thiago\Desktop\FILMS - Atalho.lnk
[2009-04-07 19:58:56 | 00,113,280 | ---- | M] () -- C:\Users\Thiago\AppData\Local\GDIPFONTCACHEV1.DAT
[2009-03-20 18:15:00 | 00,000,404 | ---- | M] () -- C:\Windows\tasks\1-Click Maintenance.job
[2009-03-15 15:07:36 | 00,001,580 | ---- | M] () -- C:\Users\Public\Desktop\More Great Games.lnk

========== Alternate Data Streams ==========

@Alternate Data Stream - 99 bytes -> C:\ProgramData\TEMP:EA031481
@Alternate Data Stream - 99 bytes -> C:\ProgramData\TEMP:DE77CFA8
@Alternate Data Stream - 99 bytes -> C:\ProgramData\TEMP:7377F1F0
@Alternate Data Stream - 98 bytes -> C:\ProgramData\TEMP:543CAD1B
@Alternate Data Stream - 95 bytes -> C:\ProgramData\TEMP:54D5DB8A
@Alternate Data Stream - 94 bytes -> C:\ProgramData\TEMP:3313A48D
@Alternate Data Stream - 508 bytes -> C:\ProgramData\TEMP:05EE1EEF
@Alternate Data Stream - 165 bytes -> C:\ProgramData\TEMP:ACD203D5
@Alternate Data Stream - 160 bytes -> C:\ProgramData\TEMP:FF510ADC
@Alternate Data Stream - 152 bytes -> C:\ProgramData\TEMP:91B3E405
@Alternate Data Stream - 144 bytes -> C:\ProgramData\TEMP:1CC24DDC
@Alternate Data Stream - 140 bytes -> C:\ProgramData\TEMP:11F4E4A6
@Alternate Data Stream - 137 bytes -> C:\ProgramData\TEMP:55064E5E
@Alternate Data Stream - 136 bytes -> C:\ProgramData\TEMP:E8292261
@Alternate Data Stream - 134 bytes -> C:\ProgramData\TEMP:8F288A0A
@Alternate Data Stream - 132 bytes -> C:\ProgramData\TEMP:CE868062
@Alternate Data Stream - 132 bytes -> C:\ProgramData\TEMP:70EB7261
@Alternate Data Stream - 130 bytes -> C:\ProgramData\TEMP:5D351BC6
@Alternate Data Stream - 129 bytes -> C:\ProgramData\TEMP:FD5FB170
@Alternate Data Stream - 129 bytes -> C:\ProgramData\TEMP:3F1D69E8
@Alternate Data Stream - 129 bytes -> C:\ProgramData\TEMP:3539CD43
@Alternate Data Stream - 129 bytes -> C:\ProgramData\TEMP:26939499
@Alternate Data Stream - 128 bytes -> C:\ProgramData\TEMP:99352C4C
@Alternate Data Stream - 128 bytes -> C:\ProgramData\TEMP:9398DBB4
@Alternate Data Stream - 128 bytes -> C:\ProgramData\TEMP:930F088E
@Alternate Data Stream - 128 bytes -> C:\ProgramData\TEMP:8E12100F
@Alternate Data Stream - 128 bytes -> C:\ProgramData\TEMP:8C4D8A52
@Alternate Data Stream - 128 bytes -> C:\ProgramData\TEMP:7B52659E
@Alternate Data Stream - 128 bytes -> C:\ProgramData\TEMP:5F280981
@Alternate Data Stream - 128 bytes -> C:\ProgramData\TEMP:31B401F6
@Alternate Data Stream - 128 bytes -> C:\ProgramData\TEMP:2C8C3383
@Alternate Data Stream - 128 bytes -> C:\ProgramData\TEMP:2A2493EF
@Alternate Data Stream - 128 bytes -> C:\ProgramData\TEMP:0E684AC9
@Alternate Data Stream - 128 bytes -> C:\ProgramData\TEMP:03C75FD1
@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:EA1582F8
@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:E49D4B50
@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:67CC31E0
@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:52AA05F1
@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:47E1EAB1
@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:2E03B2A0
@Alternate Data Stream - 126 bytes -> C:\ProgramData\TEMP:FF3DA68B
@Alternate Data Stream - 126 bytes -> C:\ProgramData\TEMP:F6E0ED6E
@Alternate Data Stream - 126 bytes -> C:\ProgramData\TEMP:E5294695
@Alternate Data Stream - 126 bytes -> C:\ProgramData\TEMP:E2197D91
@Alternate Data Stream - 126 bytes -> C:\ProgramData\TEMP:D8669B93
@Alternate Data Stream - 126 bytes -> C:\ProgramData\TEMP:D31BE97C
@Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMP:90B52091
@Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMP:3C8621EA
@Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMP:225CD7D5
@Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMP:05773093
@Alternate Data Stream - 124 bytes -> C:\ProgramData\TEMP:C6D0EC31
@Alternate Data Stream - 124 bytes -> C:\ProgramData\TEMP:8A8B2585
@Alternate Data Stream - 124 bytes -> C:\ProgramData\TEMP:709CDE3B
@Alternate Data Stream - 124 bytes -> C:\ProgramData\TEMP:62672BC8
@Alternate Data Stream - 124 bytes -> C:\ProgramData\TEMP:553A851E
@Alternate Data Stream - 124 bytes -> C:\ProgramData\TEMP:48FEA089
@Alternate Data Stream - 124 bytes -> C:\ProgramData\TEMP:354E094D
@Alternate Data Stream - 124 bytes -> C:\ProgramData\TEMP:31F2397C
@Alternate Data Stream - 124 bytes -> C:\ProgramData\TEMP:1E0D6460
@Alternate Data Stream - 123 bytes -> C:\ProgramData\TEMP:B6FD7157
@Alternate Data Stream - 123 bytes -> C:\ProgramData\TEMP:99B66030
@Alternate Data Stream - 123 bytes -> C:\ProgramData\TEMP:7CC608E0
@Alternate Data Stream - 123 bytes -> C:\ProgramData\TEMP:61F0C8FB
@Alternate Data Stream - 123 bytes -> C:\ProgramData\TEMP:4D3DCB3B
@Alternate Data Stream - 123 bytes -> C:\ProgramData\TEMP:0FF07E97
@Alternate Data Stream - 123 bytes -> C:\ProgramData\TEMP:05E95A33
@Alternate Data Stream - 123 bytes -> C:\ProgramData\TEMP:002A177A
@Alternate Data Stream - 122 bytes -> C:\ProgramData\TEMP:D02AD8C8
@Alternate Data Stream - 122 bytes -> C:\ProgramData\TEMP:3F028F41
@Alternate Data Stream - 122 bytes -> C:\ProgramData\TEMP:2F6462DF
@Alternate Data Stream - 122 bytes -> C:\ProgramData\TEMP:1505883A
@Alternate Data Stream - 122 bytes -> C:\ProgramData\TEMP:101708D3
@Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:A97A5A47
@Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:7867C00C
@Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:6425A235
@Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:5C6EBC69
@Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:33384BC0
@Alternate Data Stream - 120 bytes -> C:\ProgramData\TEMP:C9233B58
@Alternate Data Stream - 120 bytes -> C:\ProgramData\TEMP:8F4B5B2D
@Alternate Data Stream - 120 bytes -> C:\ProgramData\TEMP:5C321E34
@Alternate Data Stream - 120 bytes -> C:\ProgramData\TEMP:56D7FD15
@Alternate Data Stream - 120 bytes -> C:\ProgramData\TEMP:43982D5E
@Alternate Data Stream - 120 bytes -> C:\ProgramData\TEMP:3C5ABDC7
@Alternate Data Stream - 120 bytes -> C:\ProgramData\TEMP:3678540D
@Alternate Data Stream - 120 bytes -> C:\ProgramData\TEMP:177313FB
@Alternate Data Stream - 119 bytes -> C:\ProgramData\TEMP:FF333535
@Alternate Data Stream - 119 bytes -> C:\ProgramData\TEMP:F4F720BA
@Alternate Data Stream - 119 bytes -> C:\ProgramData\TEMP:974C6D78
@Alternate Data Stream - 119 bytes -> C:\ProgramData\TEMP:92A815D8
@Alternate Data Stream - 119 bytes -> C:\ProgramData\TEMP:71A5565E
@Alternate Data Stream - 119 bytes -> C:\ProgramData\TEMP:0A5BA9A0
@Alternate Data Stream - 118 bytes -> C:\ProgramData\TEMP:E22FF3D0
@Alternate Data Stream - 118 bytes -> C:\ProgramData\TEMP:D48500F8
@Alternate Data Stream - 118 bytes -> C:\ProgramData\TEMP:93226FE3
@Alternate Data Stream - 118 bytes -> C:\ProgramData\TEMP:6677D85A
@Alternate Data Stream - 118 bytes -> C:\ProgramData\TEMP:1792752F
@Alternate Data Stream - 117 bytes -> C:\ProgramData\TEMP:CB16385F
@Alternate Data Stream - 117 bytes -> C:\ProgramData\TEMP:AFA6E827
@Alternate Data Stream - 117 bytes -> C:\ProgramData\TEMP:ADD788AD
@Alternate Data Stream - 117 bytes -> C:\ProgramData\TEMP:A688EF17
@Alternate Data Stream - 117 bytes -> C:\ProgramData\TEMP:4CF76F21
@Alternate Data Stream - 117 bytes -> C:\ProgramData\TEMP:1FCBE20C
@Alternate Data Stream - 117 bytes -> C:\ProgramData\TEMP:0CE7F3C9
@Alternate Data Stream - 116 bytes -> C:\ProgramData\TEMP:AEC895D8
@Alternate Data Stream - 116 bytes -> C:\ProgramData\TEMP:A3251D01
@Alternate Data Stream - 116 bytes -> C:\ProgramData\TEMP:52D492DA
@Alternate Data Stream - 116 bytes -> C:\ProgramData\TEMP:2DD00E73
@Alternate Data Stream - 116 bytes -> C:\ProgramData\TEMP:11C15960
@Alternate Data Stream - 115 bytes -> C:\ProgramData\TEMP:E39052E1
@Alternate Data Stream - 115 bytes -> C:\ProgramData\TEMP:DF0BC727
@Alternate Data Stream - 115 bytes -> C:\ProgramData\TEMP:C2630911
@Alternate Data Stream - 115 bytes -> C:\ProgramData\TEMP:9943177D
@Alternate Data Stream - 115 bytes -> C:\ProgramData\TEMP:94A6C632
@Alternate Data Stream - 115 bytes -> C:\ProgramData\TEMP:55E3C0E0
@Alternate Data Stream - 115 bytes -> C:\ProgramData\TEMP:22313216
@Alternate Data Stream - 114 bytes -> C:\ProgramData\TEMP:D3EFD0C3
@Alternate Data Stream - 114 bytes -> C:\ProgramData\TEMP:B6D90CD7
@Alternate Data Stream - 114 bytes -> C:\ProgramData\TEMP:B4254BB8
@Alternate Data Stream - 114 bytes -> C:\ProgramData\TEMP:A56D6987
@Alternate Data Stream - 114 bytes -> C:\ProgramData\TEMP:82EEB5A1
@Alternate Data Stream - 114 bytes -> C:\ProgramData\TEMP:76FD34B7
@Alternate Data Stream - 114 bytes -> C:\ProgramData\TEMP:53DF59D1
@Alternate Data Stream - 113 bytes -> C:\ProgramData\TEMP:D346FE4C
@Alternate Data Stream - 113 bytes -> C:\ProgramData\TEMP:C90C4DBA
@Alternate Data Stream - 113 bytes -> C:\ProgramData\TEMP:538B96B5
@Alternate Data Stream - 112 bytes -> C:\ProgramData\TEMP:D6A1079E
@Alternate Data Stream - 112 bytes -> C:\ProgramData\TEMP:CEE4A457
@Alternate Data Stream - 112 bytes -> C:\ProgramData\TEMP:5F98973C
@Alternate Data Stream - 112 bytes -> C:\ProgramData\TEMP:5C83A083
@Alternate Data Stream - 112 bytes -> C:\ProgramData\TEMP:3E06C78F
@Alternate Data Stream - 111 bytes -> C:\ProgramData\TEMP:F369DF24
@Alternate Data Stream - 111 bytes -> C:\ProgramData\TEMP:E71141D2
@Alternate Data Stream - 111 bytes -> C:\ProgramData\TEMP:E50615CD
@Alternate Data Stream - 111 bytes -> C:\ProgramData\TEMP:D9CAB3CD
@Alternate Data Stream - 111 bytes -> C:\ProgramData\TEMP:C8A0BC27
@Alternate Data Stream - 111 bytes -> C:\ProgramData\TEMP:620EC79A
@Alternate Data Stream - 111 bytes -> C:\ProgramData\TEMP:4DCAC4BC
@Alternate Data Stream - 111 bytes -> C:\ProgramData\TEMP:1A347EE4
@Alternate Data Stream - 111 bytes -> C:\ProgramData\TEMP:07241935
@Alternate Data Stream - 110 bytes -> C:\ProgramData\TEMP:F57ED3F6
@Alternate Data Stream - 110 bytes -> C:\ProgramData\TEMP:F061428B
@Alternate Data Stream - 110 bytes -> C:\ProgramData\TEMP:A5DB4A94
@Alternate Data Stream - 110 bytes -> C:\ProgramData\TEMP:4673E9EA
@Alternate Data Stream - 110 bytes -> C:\ProgramData\TEMP:1F86F437
@Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:A65DC98A
@Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:957053A5
@Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:1B927722
@Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:118DA42D
@Alternate Data Stream - 108 bytes -> C:\ProgramData\TEMP:AA37E770
@Alternate Data Stream - 108 bytes -> C:\ProgramData\TEMP:A234C49E
@Alternate Data Stream - 108 bytes -> C:\ProgramData\TEMP:9DF07E8F
@Alternate Data Stream - 108 bytes -> C:\ProgramData\TEMP:7A0EFE63
@Alternate Data Stream - 108 bytes -> C:\ProgramData\TEMP:0C4D34AD
@Alternate Data Stream - 107 bytes -> C:\ProgramData\TEMP:C22674B6
@Alternate Data Stream - 107 bytes -> C:\ProgramData\TEMP:7776B809
@Alternate Data Stream - 107 bytes -> C:\ProgramData\TEMP:51F17BB8
@Alternate Data Stream - 107 bytes -> C:\ProgramData\TEMP:4072646B
@Alternate Data Stream - 107 bytes -> C:\ProgramData\TEMP:07F32517
@Alternate Data Stream - 106 bytes -> C:\ProgramData\TEMP:EC0A74A1
@Alternate Data Stream - 106 bytes -> C:\ProgramData\TEMP:90A19D42
@Alternate Data Stream - 105 bytes -> C:\ProgramData\TEMP:E32966C0
@Alternate Data Stream - 105 bytes -> C:\ProgramData\TEMP:44688298
@Alternate Data Stream - 105 bytes -> C:\ProgramData\TEMP:43301D1D
@Alternate Data Stream - 105 bytes -> C:\ProgramData\TEMP:315B4A13
@Alternate Data Stream - 104 bytes -> C:\ProgramData\TEMP:9D59097E
@Alternate Data Stream - 104 bytes -> C:\ProgramData\TEMP:9B8E89D2
@Alternate Data Stream - 104 bytes -> C:\ProgramData\TEMP:5A4B6413
@Alternate Data Stream - 104 bytes -> C:\ProgramData\TEMP:561B1D2B
@Alternate Data Stream - 104 bytes -> C:\ProgramData\TEMP:3FCF9F58
@Alternate Data Stream - 104 bytes -> C:\ProgramData\TEMP:220F4706
@Alternate Data Stream - 103 bytes -> C:\ProgramData\TEMP:3C282BEA
@Alternate Data Stream - 103 bytes -> C:\ProgramData\TEMP:2E49D185
@Alternate Data Stream - 103 bytes -> C:\ProgramData\TEMP:260575F1
@Alternate Data Stream - 102 bytes -> C:\ProgramData\TEMP:FDDD8917
@Alternate Data Stream - 102 bytes -> C:\ProgramData\TEMP:D630D1F5
@Alternate Data Stream - 102 bytes -> C:\ProgramData\TEMP:C8DC895B
@Alternate Data Stream - 102 bytes -> C:\ProgramData\TEMP:918B7566
@Alternate Data Stream - 102 bytes -> C:\ProgramData\TEMP:70E897B5
@Alternate Data Stream - 102 bytes -> C:\ProgramData\TEMP:32BD974D
@Alternate Data Stream - 101 bytes -> C:\ProgramData\TEMP:EF71CAB5
@Alternate Data Stream - 101 bytes -> C:\ProgramData\TEMP:A296A63F
@Alternate Data Stream - 101 bytes -> C:\ProgramData\TEMP:877DEA57
@Alternate Data Stream - 101 bytes -> C:\ProgramData\TEMP:753B8DFE
@Alternate Data Stream - 100 bytes -> C:\ProgramData\TEMP:4FE30352
@Alternate Data Stream - 100 bytes -> C:\ProgramData\TEMP:443E44FA
< End of report >

Can anyone give me a hand on this? Thanks in advance!
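The report above contains the three persistence points that explain the symptoms described in the post: a second Winlogon Shell entry (O20) pointing at an unsigned executable, a SafeBoot AlternateShell (O31) that is not cmd.exe (which is why "Safe Mode with Command Prompt" never gives a command prompt), and leftover MountPoints2 autorun handlers (O33). The following Python script is an added example, not part of the thread and not OldTimer's tool; it reads OTL/OTListIt-style lines in exactly the shapes shown in the report and flags the ones a malware-removal helper would look at first. The sample lines are copied from the posted report, and the expected defaults (Explorer.exe for the shell, cmd.exe for AlternateShell) are Windows' stock values.

```python
"""Triage of OTL / OTListIt-style log lines for the persistence points seen in the
posted report: Winlogon Shell (O20), SafeBoot AlternateShell (O31), CD-ROM AutoRun
(O32) and MountPoints2 autorun handlers (O33).

Added example for this thread; it is not part of OTListIt/OTScanIt and only
understands the line shapes that appear in the report above."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: lines taken from the report posted above, plus one benign
# O34 line so the rules have something to ignore.
SAMPLE_LOG = r"""
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\system32\Explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - ("C:\Windows\KesenjanganSosial.exe") - C:\Windows\KesenjanganSosial.exe ()
O31 - SafeBoot: AlternateShell - cmd-brontok.exe
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{399b85df-263a-11dc-a102-001a92635277}\Shell - "" = AutoRun
O33 - MountPoints2\{399b85df-263a-11dc-a102-001a92635277}\Shell\AutoRun\command - "" = E:\Autorun.exe -- File not found
O34 - HKLM BootExecute: (autochk) - C:\Windows\System32\autochk.exe (Microsoft Corporation)
"""


@dataclass
class Finding:
    item: str      # OTL section code, e.g. "O31"
    severity: str  # "high", "medium", "low" or "info"
    reason: str
    line: str


# One regex per line shape we care about (as printed by OTListIt2 in the report).
O20_SHELL = re.compile(
    r'^O20 - HKLM Winlogon: Shell - \((?P<value>[^)]*)\) - (?P<path>.*?) \((?P<company>[^)]*)\)$')
O31_ALT = re.compile(r'^O31 - SafeBoot: AlternateShell - (?P<value>.+)$')
O32_CDROM = re.compile(r'^O32 - HKLM CDRom: AutoRun - (?P<value>\d+)$')
O33_CMD = re.compile(
    r'^O33 - MountPoints2\\(?P<guid>\{[^}]+\})\\Shell\\AutoRun\\command - "" = '
    r'(?P<cmd>.*?)(?: -- (?P<note>.*))?$')


def analyze(log_text: str) -> List[Finding]:
    """Return one Finding per suspicious line; benign lines produce nothing."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = O20_SHELL.match(line)
        if m:
            value_raw = m.group('value')
            value = value_raw.strip('"').lower()
            # The stock Winlogon Shell is Explorer.exe; any other program listed
            # here starts at every logon, before the desktop appears.
            if not value.endswith('explorer.exe'):
                reason = 'Winlogon Shell runs ' + value_raw + ' instead of Explorer.exe'
                if not m.group('company'):
                    reason += ' (no publisher name in the file version info)'
                findings.append(Finding('O20', 'high', reason, line))
            continue

        m = O31_ALT.match(line)
        if m:
            value = m.group('value').strip()
            # Windows' default AlternateShell is cmd.exe; replacing it means
            # "Safe Mode with Command Prompt" starts the replacement instead.
            if value.lower() != 'cmd.exe':
                findings.append(Finding('O31', 'high',
                    'SafeBoot AlternateShell is ' + value + ', expected cmd.exe', line))
            continue

        m = O32_CDROM.match(line)
        if m and m.group('value') == '1':
            findings.append(Finding('O32', 'info', 'CD-ROM AutoRun is enabled', line))
            continue

        m = O33_CMD.match(line)
        if m:
            note = m.group('note') or ''
            # A handler whose target no longer exists is stale; one that still
            # points at an existing file on a removable drive deserves a look.
            severity = 'low' if 'File not found' in note else 'medium'
            findings.append(Finding('O33', severity,
                'MountPoints2 autorun handler for volume ' + m.group('guid')
                + ' runs ' + m.group('cmd'), line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity, e.g. {'high': 2, 'low': 1, 'info': 1}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == '__main__':
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f'[{f.severity:>6}] {f.item}: {f.reason}')
    print(summarize(results))
```

Run against the sample it reports two high findings (the KesenjanganSosial.exe shell entry and the cmd-brontok.exe AlternateShell), one low finding for the stale E:\Autorun.exe handler and one informational line for CD-ROM AutoRun; the genuine Explorer.exe and autochk.exe lines are left alone. Adding further O-sections is a matter of one regex and one rule each.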


#2
fenzodahl512
  • Malware Removal
  • 9,863 posts
Please download CCleaner and save it to your Desktop.
  • Run the installer, and uncheck the option to install Yahoo Toolbar (unless you want Yahoo Toolbar).
  • Once installed, run CCleaner, click the Windows [tab]
  • The following should be selected by default, if not, please select:
    Posted Image
  • Next: click Options click the Settings tab
  • Uncheck: "Only delete files older than 48 hrs.", click Ok
  • Then click Run Cleaner (bottom right).. Let it scan until finish. After that click Exit



Please download OTScanIt2.exe and unzip it to your Desktop..

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • At the top, tick on Scan All Users section
  • At File Age set it to 90 Days
  • In the Processes, Services, Drivers and Registry section, please set on Safe List.
  • In the Rootkit Search section, set to Yes
  • In the Files Created Within and Files Modified Within section, set it to WhiteList/File Age
  • At the bottom, tick on all Use WhiteList and Include All Unicode Names option
  • Under Additional Scans, tick on the "Extras" button and then click the checkboxes in front of the following items to select them:
    • Reg - IE Explorer Bars
      Reg - NetSvcs
      Reg - Tcpip Persistent Routers
      File - Lop Check
      File - Purity Scan
  • Do NOT change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Attach the log in your next replies.. Don't post it.. It will be too large to fit into a single post..

#3
Gnitrops
    Member

  • Topic Starter
  • Member
  • 29 posts
Hello,


I followed your instructions thoroughly, but my computer gets rebooted before finishing OTScanIt's work. It only works if I turn Rootkit Search to "No". I tried it several times with no success, double-checking the instructions (including run as admin).

Still, here's the log of OTScanIt without the rootkit search.

Attached Files



#4
fenzodahl512
  • Malware Removal
  • 9,863 posts
The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous, so we will make a backup of the registry first.
Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing, so follow the steps that are listed below EXACTLY. If you cannot perform some of these steps or if you have ANY questions, please ask BEFORE proceeding.

Backing Up Your Registry
  • Go HERE and download ERUNT
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  • Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  • Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  • Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  • Make sure that at least the first two check boxes are ticked
  • Press OK
  • Press YES to create the folder.

For detailed instructions on how to back up the registry via ERUNT, please visit HERE




NEXT


Open the OTScanIt2 folder and double-click on OTScanIt2.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).

Copy/Paste the information in the codebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Processes - Safe List]
YY -> lsass.exe -> %UserProfile%\AppData\Local\lsass.exe
YY -> services.exe -> %UserProfile%\AppData\Local\services.exe
YY -> winlogon.exe -> %UserProfile%\AppData\Local\winlogon.exe
[Registry - Safe List]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "Bron-Spizaetus" -> %SystemRoot%\ShellNew\RakyatKelaparan.exe ["C:\Windows\ShellNew\RakyatKelaparan.exe"]
YN -> "MyProgram" -> %SystemRoot%\temp01.exe [c:\windows\temp01.exe]
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
YY -> "C:\Windows\KesenjanganSosial.exe" -> %SystemRoot%\KesenjanganSosial.exe
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> \{399b85df-263a-11dc-a102-001a92635277} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{399b85df-263a-11dc-a102-001a92635277}\shell -> 
YN -> \{399b85df-263a-11dc-a102-001a92635277}\shell\\"" -> [AutoRun]
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{399b85df-263a-11dc-a102-001a92635277}\shell\AutoRun\command -> 
YN -> \{399b85df-263a-11dc-a102-001a92635277}\shell\AutoRun\command\\"" -> E:\Autorun.exe [E:\Autorun.exe]
YN -> \{5e05584d-4e68-11dd-9e3e-0015830591b1} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5e05584d-4e68-11dd-9e3e-0015830591b1}\shell -> 
YN -> \{5e05584d-4e68-11dd-9e3e-0015830591b1}\shell\\"" -> [AutoRun]
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5e05584d-4e68-11dd-9e3e-0015830591b1}\shell\AutoRun\command -> 
YN -> \{5e05584d-4e68-11dd-9e3e-0015830591b1}\shell\AutoRun\command\\"" -> I:\LaunchU3.exe [I:\LaunchU3.exe]
YN -> \{7f6fbdf6-cb99-11dc-b25b-0015830591b1} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7f6fbdf6-cb99-11dc-b25b-0015830591b1}\shell -> 
YN -> \{7f6fbdf6-cb99-11dc-b25b-0015830591b1}\shell\\"" -> [AutoRun]
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7f6fbdf6-cb99-11dc-b25b-0015830591b1}\shell\AutoRun\command -> 
YN -> \{7f6fbdf6-cb99-11dc-b25b-0015830591b1}\shell\AutoRun\command\\"" -> F:\Capinst.exe [F:\Capinst.exe]
[Files/Folders - Created Within 90 Days]
NY -> Bron.tok-15-17 -> %UserProfile%\AppData\Local\Bron.tok-15-17
NY -> Bron.tok-15-15 -> %UserProfile%\AppData\Local\Bron.tok-15-15
NY -> Bron.tok-15-14 -> %UserProfile%\AppData\Local\Bron.tok-15-14
NY -> Loc.Mail.Bron.Tok -> %UserProfile%\AppData\Local\Loc.Mail.Bron.Tok
NY -> Ok-SendMail-Bron-tok -> %UserProfile%\AppData\Local\Ok-SendMail-Bron-tok
NY -> Bron.tok-15-13 -> %UserProfile%\AppData\Local\Bron.tok-15-13
[Files/Folders - Modified Within 90 Days]
NY -> KesenjanganSosial.exe -> %SystemRoot%\KesenjanganSosial.exe
NY -> winlogon.exe -> %UserProfile%\AppData\Local\winlogon.exe
NY -> smss.exe -> %UserProfile%\AppData\Local\smss.exe
NY -> services.exe -> %UserProfile%\AppData\Local\services.exe
NY -> lsass.exe -> %UserProfile%\AppData\Local\lsass.exe
NY -> inetinfo.exe -> %UserProfile%\AppData\Local\inetinfo.exe
NY -> Empty.pif -> %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif
NY -> Documents.exe -> %UserProfile%\Documents\Documents.exe
NY -> csrss.exe -> %UserProfile%\AppData\Local\csrss.exe
NY -> cmd-brontok.exe -> %SystemRoot%\System32\cmd-brontok.exe
[Alternate Data Streams]
NY -> @Alternate Data Stream - 0 bytes -> %AllUsersProfile%\TEMP:072F1F69
NY -> @Alternate Data Stream - 0 bytes -> %AllUsersProfile%\TEMP:09064307
NY -> @Alternate Data Stream - 0 bytes -> %AllUsersProfile%\TEMP:BB71BBA2
NY -> @Alternate Data Stream - 0 bytes -> %AllUsersProfile%\TEMP:F14D1F80
NY -> @Alternate Data Stream - 100 bytes -> %AllUsersProfile%\TEMP:443E44FA
NY -> @Alternate Data Stream - 100 bytes -> %AllUsersProfile%\TEMP:4FE30352
NY -> @Alternate Data Stream - 101 bytes -> %AllUsersProfile%\TEMP:753B8DFE
NY -> @Alternate Data Stream - 101 bytes -> %AllUsersProfile%\TEMP:877DEA57
NY -> @Alternate Data Stream - 101 bytes -> %AllUsersProfile%\TEMP:A296A63F
NY -> @Alternate Data Stream - 101 bytes -> %AllUsersProfile%\TEMP:EF71CAB5
NY -> @Alternate Data Stream - 102 bytes -> %AllUsersProfile%\TEMP:32BD974D
NY -> @Alternate Data Stream - 102 bytes -> %AllUsersProfile%\TEMP:70E897B5
NY -> @Alternate Data Stream - 102 bytes -> %AllUsersProfile%\TEMP:918B7566
NY -> @Alternate Data Stream - 102 bytes -> %AllUsersProfile%\TEMP:C8DC895B
NY -> @Alternate Data Stream - 102 bytes -> %AllUsersProfile%\TEMP:D630D1F5
NY -> @Alternate Data Stream - 102 bytes -> %AllUsersProfile%\TEMP:FDDD8917
NY -> @Alternate Data Stream - 103 bytes -> %AllUsersProfile%\TEMP:260575F1
NY -> @Alternate Data Stream - 103 bytes -> %AllUsersProfile%\TEMP:2E49D185
NY -> @Alternate Data Stream - 103 bytes -> %AllUsersProfile%\TEMP:3C282BEA
NY -> @Alternate Data Stream - 104 bytes -> %AllUsersProfile%\TEMP:220F4706
NY -> @Alternate Data Stream - 104 bytes -> %AllUsersProfile%\TEMP:3FCF9F58
NY -> @Alternate Data Stream - 104 bytes -> %AllUsersProfile%\TEMP:561B1D2B
NY -> @Alternate Data Stream - 104 bytes -> %AllUsersProfile%\TEMP:5A4B6413
NY -> @Alternate Data Stream - 104 bytes -> %AllUsersProfile%\TEMP:9B8E89D2
NY -> @Alternate Data Stream - 104 bytes -> %AllUsersProfile%\TEMP:9D59097E
NY -> @Alternate Data Stream - 105 bytes -> %AllUsersProfile%\TEMP:315B4A13
NY -> @Alternate Data Stream - 105 bytes -> %AllUsersProfile%\TEMP:43301D1D
NY -> @Alternate Data Stream - 105 bytes -> %AllUsersProfile%\TEMP:44688298
NY -> @Alternate Data Stream - 105 bytes -> %AllUsersProfile%\TEMP:E32966C0
NY -> @Alternate Data Stream - 106 bytes -> %AllUsersProfile%\TEMP:90A19D42
NY -> @Alternate Data Stream - 106 bytes -> %AllUsersProfile%\TEMP:EC0A74A1
NY -> @Alternate Data Stream - 107 bytes -> %AllUsersProfile%\TEMP:07F32517
NY -> @Alternate Data Stream - 107 bytes -> %AllUsersProfile%\TEMP:4072646B
NY -> @Alternate Data Stream - 107 bytes -> %AllUsersProfile%\TEMP:51F17BB8
NY -> @Alternate Data Stream - 107 bytes -> %AllUsersProfile%\TEMP:7776B809
NY -> @Alternate Data Stream - 107 bytes -> %AllUsersProfile%\TEMP:C22674B6
NY -> @Alternate Data Stream - 108 bytes -> %AllUsersProfile%\TEMP:0C4D34AD
NY -> @Alternate Data Stream - 108 bytes -> %AllUsersProfile%\TEMP:7A0EFE63
NY -> @Alternate Data Stream - 108 bytes -> %AllUsersProfile%\TEMP:9DF07E8F
NY -> @Alternate Data Stream - 108 bytes -> %AllUsersProfile%\TEMP:A234C49E
NY -> @Alternate Data Stream - 108 bytes -> %AllUsersProfile%\TEMP:AA37E770
NY -> @Alternate Data Stream - 109 bytes -> %AllUsersProfile%\TEMP:118DA42D
NY -> @Alternate Data Stream - 109 bytes -> %AllUsersProfile%\TEMP:1B927722
NY -> @Alternate Data Stream - 109 bytes -> %AllUsersProfile%\TEMP:957053A5
NY -> @Alternate Data Stream - 109 bytes -> %AllUsersProfile%\TEMP:A65DC98A
NY -> @Alternate Data Stream - 110 bytes -> %AllUsersProfile%\TEMP:1F86F437
NY -> @Alternate Data Stream - 110 bytes -> %AllUsersProfile%\TEMP:4673E9EA
NY -> @Alternate Data Stream - 110 bytes -> %AllUsersProfile%\TEMP:A5DB4A94
NY -> @Alternate Data Stream - 110 bytes -> %AllUsersProfile%\TEMP:F061428B
NY -> @Alternate Data Stream - 110 bytes -> %AllUsersProfile%\TEMP:F57ED3F6
NY -> @Alternate Data Stream - 111 bytes -> %AllUsersProfile%\TEMP:07241935
NY -> @Alternate Data Stream - 111 bytes -> %AllUsersProfile%\TEMP:1A347EE4
NY -> @Alternate Data Stream - 111 bytes -> %AllUsersProfile%\TEMP:4DCAC4BC
NY -> @Alternate Data Stream - 111 bytes -> %AllUsersProfile%\TEMP:620EC79A
NY -> @Alternate Data Stream - 111 bytes -> %AllUsersProfile%\TEMP:C8A0BC27
NY -> @Alternate Data Stream - 111 bytes -> %AllUsersProfile%\TEMP:D9CAB3CD
NY -> @Alternate Data Stream - 111 bytes -> %AllUsersProfile%\TEMP:E50615CD
NY -> @Alternate Data Stream - 111 bytes -> %AllUsersProfile%\TEMP:E71141D2
NY -> @Alternate Data Stream - 111 bytes -> %AllUsersProfile%\TEMP:F369DF24
NY -> @Alternate Data Stream - 112 bytes -> %AllUsersProfile%\TEMP:3E06C78F
NY -> @Alternate Data Stream - 112 bytes -> %AllUsersProfile%\TEMP:5C83A083
NY -> @Alternate Data Stream - 112 bytes -> %AllUsersProfile%\TEMP:5F98973C
NY -> @Alternate Data Stream - 112 bytes -> %AllUsersProfile%\TEMP:CEE4A457
NY -> @Alternate Data Stream - 112 bytes -> %AllUsersProfile%\TEMP:D6A1079E
NY -> @Alternate Data Stream - 113 bytes -> %AllUsersProfile%\TEMP:538B96B5
NY -> @Alternate Data Stream - 113 bytes -> %AllUsersProfile%\TEMP:C90C4DBA
NY -> @Alternate Data Stream - 113 bytes -> %AllUsersProfile%\TEMP:D346FE4C
NY -> @Alternate Data Stream - 114 bytes -> %AllUsersProfile%\TEMP:53DF59D1
NY -> @Alternate Data Stream - 114 bytes -> %AllUsersProfile%\TEMP:76FD34B7
NY -> @Alternate Data Stream - 114 bytes -> %AllUsersProfile%\TEMP:82EEB5A1
NY -> @Alternate Data Stream - 114 bytes -> %AllUsersProfile%\TEMP:A56D6987
NY -> @Alternate Data Stream - 114 bytes -> %AllUsersProfile%\TEMP:B4254BB8
NY -> @Alternate Data Stream - 114 bytes -> %AllUsersProfile%\TEMP:B6D90CD7
NY -> @Alternate Data Stream - 114 bytes -> %AllUsersProfile%\TEMP:D3EFD0C3
NY -> @Alternate Data Stream - 115 bytes -> %AllUsersProfile%\TEMP:22313216
NY -> @Alternate Data Stream - 115 bytes -> %AllUsersProfile%\TEMP:55E3C0E0
NY -> @Alternate Data Stream - 115 bytes -> %AllUsersProfile%\TEMP:94A6C632
NY -> @Alternate Data Stream - 115 bytes -> %AllUsersProfile%\TEMP:9943177D
NY -> @Alternate Data Stream - 115 bytes -> %AllUsersProfile%\TEMP:C2630911
NY -> @Alternate Data Stream - 115 bytes -> %AllUsersProfile%\TEMP:DF0BC727
NY -> @Alternate Data Stream - 115 bytes -> %AllUsersProfile%\TEMP:E39052E1
NY -> @Alternate Data Stream - 116 bytes -> %AllUsersProfile%\TEMP:11C15960
NY -> @Alternate Data Stream - 116 bytes -> %AllUsersProfile%\TEMP:2DD00E73
NY -> @Alternate Data Stream - 116 bytes -> %AllUsersProfile%\TEMP:52D492DA
NY -> @Alternate Data Stream - 116 bytes -> %AllUsersProfile%\TEMP:A3251D01
NY -> @Alternate Data Stream - 116 bytes -> %AllUsersProfile%\TEMP:AEC895D8
NY -> @Alternate Data Stream - 117 bytes -> %AllUsersProfile%\TEMP:0CE7F3C9
NY -> @Alternate Data Stream - 117 bytes -> %AllUsersProfile%\TEMP:1FCBE20C
NY -> @Alternate Data Stream - 117 bytes -> %AllUsersProfile%\TEMP:4CF76F21
NY -> @Alternate Data Stream - 117 bytes -> %AllUsersProfile%\TEMP:A688EF17
NY -> @Alternate Data Stream - 117 bytes -> %AllUsersProfile%\TEMP:ADD788AD
NY -> @Alternate Data Stream - 117 bytes -> %AllUsersProfile%\TEMP:AFA6E827
NY -> @Alternate Data Stream - 117 bytes -> %AllUsersProfile%\TEMP:CB16385F
NY -> @Alternate Data Stream - 118 bytes -> %AllUsersProfile%\TEMP:1792752F
NY -> @Alternate Data Stream - 118 bytes -> %AllUsersProfile%\TEMP:6677D85A
NY -> @Alternate Data Stream - 118 bytes -> %AllUsersProfile%\TEMP:93226FE3
NY -> @Alternate Data Stream - 118 bytes -> %AllUsersProfile%\TEMP:D48500F8
NY -> @Alternate Data Stream - 118 bytes -> %AllUsersProfile%\TEMP:E22FF3D0
NY -> @Alternate Data Stream - 119 bytes -> %AllUsersProfile%\TEMP:0A5BA9A0
NY -> @Alternate Data Stream - 119 bytes -> %AllUsersProfile%\TEMP:71A5565E
NY -> @Alternate Data Stream - 119 bytes -> %AllUsersProfile%\TEMP:92A815D8
NY -> @Alternate Data Stream - 119 bytes -> %AllUsersProfile%\TEMP:974C6D78
NY -> @Alternate Data Stream - 119 bytes -> %AllUsersProfile%\TEMP:F4F720BA
NY -> @Alternate Data Stream - 119 bytes -> %AllUsersProfile%\TEMP:FF333535
NY -> @Alternate Data Stream - 120 bytes -> %AllUsersProfile%\TEMP:177313FB
NY -> @Alternate Data Stream - 120 bytes -> %AllUsersProfile%\TEMP:3678540D
NY -> @Alternate Data Stream - 120 bytes -> %AllUsersProfile%\TEMP:3C5ABDC7
NY -> @Alternate Data Stream - 120 bytes -> %AllUsersProfile%\TEMP:43982D5E
NY -> @Alternate Data Stream - 120 bytes -> %AllUsersProfile%\TEMP:56D7FD15
NY -> @Alternate Data Stream - 120 bytes -> %AllUsersProfile%\TEMP:5C321E34
NY -> @Alternate Data Stream - 120 bytes -> %AllUsersProfile%\TEMP:8F4B5B2D
NY -> @Alternate Data Stream - 120 bytes -> %AllUsersProfile%\TEMP:C9233B58
NY -> @Alternate Data Stream - 121 bytes -> %AllUsersProfile%\TEMP:33384BC0
NY -> @Alternate Data Stream - 121 bytes -> %AllUsersProfile%\TEMP:5C6EBC69
NY -> @Alternate Data Stream - 121 bytes -> %AllUsersProfile%\TEMP:6425A235
NY -> @Alternate Data Stream - 121 bytes -> %AllUsersProfile%\TEMP:7867C00C
NY -> @Alternate Data Stream - 121 bytes -> %AllUsersProfile%\TEMP:A97A5A47
NY -> @Alternate Data Stream - 122 bytes -> %AllUsersProfile%\TEMP:101708D3
NY -> @Alternate Data Stream - 122 bytes -> %AllUsersProfile%\TEMP:1505883A
NY -> @Alternate Data Stream - 122 bytes -> %AllUsersProfile%\TEMP:2F6462DF
NY -> @Alternate Data Stream - 122 bytes -> %AllUsersProfile%\TEMP:3F028F41
NY -> @Alternate Data Stream - 122 bytes -> %AllUsersProfile%\TEMP:D02AD8C8
NY -> @Alternate Data Stream - 123 bytes -> %AllUsersProfile%\TEMP:002A177A
NY -> @Alternate Data Stream - 123 bytes -> %AllUsersProfile%\TEMP:05E95A33
NY -> @Alternate Data Stream - 123 bytes -> %AllUsersProfile%\TEMP:0FF07E97
NY -> @Alternate Data Stream - 123 bytes -> %AllUsersProfile%\TEMP:4D3DCB3B
NY -> @Alternate Data Stream - 123 bytes -> %AllUsersProfile%\TEMP:61F0C8FB
NY -> @Alternate Data Stream - 123 bytes -> %AllUsersProfile%\TEMP:7CC608E0
NY -> @Alternate Data Stream - 123 bytes -> %AllUsersProfile%\TEMP:99B66030
NY -> @Alternate Data Stream - 123 bytes -> %AllUsersProfile%\TEMP:B6FD7157
NY -> @Alternate Data Stream - 124 bytes -> %AllUsersProfile%\TEMP:1E0D6460
NY -> @Alternate Data Stream - 124 bytes -> %AllUsersProfile%\TEMP:31F2397C
NY -> @Alternate Data Stream - 124 bytes -> %AllUsersProfile%\TEMP:354E094D
NY -> @Alternate Data Stream - 124 bytes -> %AllUsersProfile%\TEMP:48FEA089
NY -> @Alternate Data Stream - 124 bytes -> %AllUsersProfile%\TEMP:553A851E
NY -> @Alternate Data Stream - 124 bytes -> %AllUsersProfile%\TEMP:62672BC8
NY -> @Alternate Data Stream - 124 bytes -> %AllUsersProfile%\TEMP:709CDE3B
NY -> @Alternate Data Stream - 124 bytes -> %AllUsersProfile%\TEMP:8A8B2585
NY -> @Alternate Data Stream - 124 bytes -> %AllUsersProfile%\TEMP:C6D0EC31
NY -> @Alternate Data Stream - 125 bytes -> %AllUsersProfile%\TEMP:05773093
NY -> @Alternate Data Stream - 125 bytes -> %AllUsersProfile%\TEMP:225CD7D5
NY -> @Alternate Data Stream - 125 bytes -> %AllUsersProfile%\TEMP:3C8621EA
NY -> @Alternate Data Stream - 125 bytes -> %AllUsersProfile%\TEMP:90B52091
NY -> @Alternate Data Stream - 126 bytes -> %AllUsersProfile%\TEMP:D31BE97C
NY -> @Alternate Data Stream - 126 bytes -> %AllUsersProfile%\TEMP:D8669B93
NY -> @Alternate Data Stream - 126 bytes -> %AllUsersProfile%\TEMP:E2197D91
NY -> @Alternate Data Stream - 126 bytes -> %AllUsersProfile%\TEMP:E5294695
NY -> @Alternate Data Stream - 126 bytes -> %AllUsersProfile%\TEMP:F6E0ED6E
NY -> @Alternate Data Stream - 126 bytes -> %AllUsersProfile%\TEMP:FF3DA68B
NY -> @Alternate Data Stream - 127 bytes -> %AllUsersProfile%\TEMP:2E03B2A0
NY -> @Alternate Data Stream - 127 bytes -> %AllUsersProfile%\TEMP:47E1EAB1
NY -> @Alternate Data Stream - 127 bytes -> %AllUsersProfile%\TEMP:52AA05F1
NY -> @Alternate Data Stream - 127 bytes -> %AllUsersProfile%\TEMP:67CC31E0
NY -> @Alternate Data Stream - 127 bytes -> %AllUsersProfile%\TEMP:E49D4B50
NY -> @Alternate Data Stream - 127 bytes -> %AllUsersProfile%\TEMP:EA1582F8
NY -> @Alternate Data Stream - 128 bytes -> %AllUsersProfile%\TEMP:03C75FD1
NY -> @Alternate Data Stream - 128 bytes -> %AllUsersProfile%\TEMP:0E684AC9
NY -> @Alternate Data Stream - 128 bytes -> %AllUsersProfile%\TEMP:2A2493EF
NY -> @Alternate Data Stream - 128 bytes -> %AllUsersProfile%\TEMP:2C8C3383
NY -> @Alternate Data Stream - 128 bytes -> %AllUsersProfile%\TEMP:31B401F6
NY -> @Alternate Data Stream - 128 bytes -> %AllUsersProfile%\TEMP:5F280981
NY -> @Alternate Data Stream - 128 bytes -> %AllUsersProfile%\TEMP:7B52659E
NY -> @Alternate Data Stream - 128 bytes -> %AllUsersProfile%\TEMP:8C4D8A52
NY -> @Alternate Data Stream - 128 bytes -> %AllUsersProfile%\TEMP:8E12100F
NY -> @Alternate Data Stream - 128 bytes -> %AllUsersProfile%\TEMP:930F088E
NY -> @Alternate Data Stream - 128 bytes -> %AllUsersProfile%\TEMP:9398DBB4
NY -> @Alternate Data Stream - 128 bytes -> %AllUsersProfile%\TEMP:99352C4C
NY -> @Alternate Data Stream - 129 bytes -> %AllUsersProfile%\TEMP:26939499
NY -> @Alternate Data Stream - 129 bytes -> %AllUsersProfile%\TEMP:3539CD43
NY -> @Alternate Data Stream - 129 bytes -> %AllUsersProfile%\TEMP:3F1D69E8
NY -> @Alternate Data Stream - 129 bytes -> %AllUsersProfile%\TEMP:FD5FB170
NY -> @Alternate Data Stream - 130 bytes -> %AllUsersProfile%\TEMP:5D351BC6
NY -> @Alternate Data Stream - 132 bytes -> %AllUsersProfile%\TEMP:70EB7261
NY -> @Alternate Data Stream - 132 bytes -> %AllUsersProfile%\TEMP:CE868062
NY -> @Alternate Data Stream - 134 bytes -> %AllUsersProfile%\TEMP:8F288A0A
NY -> @Alternate Data Stream - 136 bytes -> %AllUsersProfile%\TEMP:E8292261
NY -> @Alternate Data Stream - 137 bytes -> %AllUsersProfile%\TEMP:55064E5E
NY -> @Alternate Data Stream - 140 bytes -> %AllUsersProfile%\TEMP:11F4E4A6
NY -> @Alternate Data Stream - 144 bytes -> %AllUsersProfile%\TEMP:1CC24DDC
NY -> @Alternate Data Stream - 152 bytes -> %AllUsersProfile%\TEMP:91B3E405
NY -> @Alternate Data Stream - 160 bytes -> %AllUsersProfile%\TEMP:FF510ADC
NY -> @Alternate Data Stream - 165 bytes -> %AllUsersProfile%\TEMP:ACD203D5
NY -> @Alternate Data Stream - 508 bytes -> %AllUsersProfile%\TEMP:05EE1EEF
NY -> @Alternate Data Stream - 94 bytes -> %AllUsersProfile%\TEMP:3313A48D
NY -> @Alternate Data Stream - 95 bytes -> %AllUsersProfile%\TEMP:54D5DB8A
NY -> @Alternate Data Stream - 98 bytes -> %AllUsersProfile%\TEMP:543CAD1B
NY -> @Alternate Data Stream - 99 bytes -> %AllUsersProfile%\TEMP:7377F1F0
NY -> @Alternate Data Stream - 99 bytes -> %AllUsersProfile%\TEMP:DE77CFA8
NY -> @Alternate Data Stream - 99 bytes -> %AllUsersProfile%\TEMP:EA031481
[Purity]
[Empty Temp Folders]
[Start Explorer]
[ZipFiles]
[Reboot]

The fix should only take a very short time. When the fix is completed either a message box will popup telling you that it is finished or you will be asked to reboot to finish the fix. If it is finished, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that information back here. I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
  • 0

#5
Gnitrops

Gnitrops

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
Hello,


I ran the code above on OTScanIt2 as instructed. While the fix ran, the My Documents folder suddenly popped up out of nowhere (curiously, this is the same thing that happened before when I ran the fake folder-like executables created by the virus). OTScanIt asked permission to reboot after the tests, which I did. However, the computer still has the virus (I can see the fake services, lsass, etc. in Task Manager). I tried to run cmd > regedit, but the computer reboots shortly after the command line starts (this hasn't happened before).

Here's the report (couldn't attach it):
No active process named Explorer.EXE was found!
[Processes - Safe List]
Process lsass.exe killed successfully!
C:\Users\Thiago\AppData\Local\lsass.exe moved successfully.
Process services.exe killed successfully!
C:\Users\Thiago\AppData\Local\services.exe moved successfully.
Process winlogon.exe killed successfully!
C:\Users\Thiago\AppData\Local\winlogon.exe moved successfully.
[Registry - Safe List]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Bron-Spizaetus deleted successfully.
C:\Windows\ShellNew\RakyatKelaparan.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\MyProgram deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell:"C:\Windows\KesenjanganSosial.exe" deleted successfully.
C:\Windows\KesenjanganSosial.exe moved successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{399b85df-263a-11dc-a102-001a92635277}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{399b85df-263a-11dc-a102-001a92635277}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{399b85df-263a-11dc-a102-001a92635277}\shell\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{399b85df-263a-11dc-a102-001a92635277}\shell not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{399b85df-263a-11dc-a102-001a92635277}\shell\AutoRun\command\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{399b85df-263a-11dc-a102-001a92635277}\shell\AutoRun\command not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5e05584d-4e68-11dd-9e3e-0015830591b1}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5e05584d-4e68-11dd-9e3e-0015830591b1}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5e05584d-4e68-11dd-9e3e-0015830591b1}\shell\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5e05584d-4e68-11dd-9e3e-0015830591b1}\shell not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5e05584d-4e68-11dd-9e3e-0015830591b1}\shell\AutoRun\command\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5e05584d-4e68-11dd-9e3e-0015830591b1}\shell\AutoRun\command not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7f6fbdf6-cb99-11dc-b25b-0015830591b1}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7f6fbdf6-cb99-11dc-b25b-0015830591b1}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7f6fbdf6-cb99-11dc-b25b-0015830591b1}\shell\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7f6fbdf6-cb99-11dc-b25b-0015830591b1}\shell not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7f6fbdf6-cb99-11dc-b25b-0015830591b1}\shell\AutoRun\command\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7f6fbdf6-cb99-11dc-b25b-0015830591b1}\shell\AutoRun\command not found.
[Files/Folders - Created Within 90 Days]
C:\Users\Thiago\AppData\Local\Bron.tok-15-17 folder moved successfully.
C:\Users\Thiago\AppData\Local\Bron.tok-15-15 folder moved successfully.
C:\Users\Thiago\AppData\Local\Bron.tok-15-14 folder moved successfully.
C:\Users\Thiago\AppData\Local\Loc.Mail.Bron.Tok folder moved successfully.
C:\Users\Thiago\AppData\Local\Ok-SendMail-Bron-tok folder moved successfully.
C:\Users\Thiago\AppData\Local\Bron.tok-15-13 folder moved successfully.
[Files/Folders - Modified Within 90 Days]
File C:\Windows\KesenjanganSosial.exe not found!
File C:\Users\Thiago\AppData\Local\winlogon.exe not found!
C:\Users\Thiago\AppData\Local\smss.exe moved successfully.
File C:\Users\Thiago\AppData\Local\services.exe not found!
File C:\Users\Thiago\AppData\Local\lsass.exe not found!
C:\Users\Thiago\AppData\Local\inetinfo.exe moved successfully.
C:\Users\Thiago\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif moved successfully.
C:\Users\Thiago\Documents\Documents.exe moved successfully.
C:\Users\Thiago\AppData\Local\csrss.exe moved successfully.
C:\Windows\System32\cmd-brontok.exe moved successfully.
[Alternate Data Streams]
[Purity]
Purity scan complete.
[Empty Temp Folders]
User's Internet Explorer cache folder emptied.
File delete failed. C:\Windows\temp\TMP000000228AC4AE44CC3D9B7D scheduled to be deleted on reboot.
Windows Temp folder emptied.
FireFox cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt2 by OldTimer - Version 1.0.14.0 fix logfile created on 04182009_150403

Files moved on Reboot...
File C:\Windows\temp\TMP000000228AC4AE44CC3D9B7D not found!

Registry entries deleted on Reboot...

  • 0
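As an added example (not from the thread, OTScanIt or any of the tools named here), a PowerShell re-check of the persistence points and masqueraded process names that the fix log above reports: file, folder and registry value names are taken from the log, while the expectation that the Winlogon `Shell` value is plainly `explorer.exe` and the `%LOCALAPPDATA%`-relative paths for the current user are assumptions. It needs an elevated prompt run as the affected user, so it is a post-cleanup verification rather than a substitute for the helper's steps.

```powershell
# Added example, not part of the thread: re-check the persistence points and the
# masqueraded process names that the OTScanIt fix log reports for this Brontok
# infection. Run as the affected user from an elevated PowerShell prompt.
# File/registry names come from the log; everything else is an assumption.

function Test-BrontokCleanup {
    $findings = @()

    # 1. Processes reusing Windows system binary names. Genuine copies run from
    #    System32; the log moved the impostors out of %LOCALAPPDATA%.
    $systemNames = 'lsass', 'services', 'winlogon', 'csrss', 'smss', 'inetinfo'
    $sys32 = Join-Path $env:SystemRoot 'System32'
    foreach ($p in Get-Process | Where-Object { $systemNames -contains $_.ProcessName }) {
        $path = $null
        try { $path = $p.Path } catch { }
        # Protected system processes hide their image path from the caller; a
        # user-mode impostor started from AppData would not, so null is skipped.
        if (-not $path) { continue }
        if ($path -notlike "$sys32\*") {
            $findings += "Process $($p.ProcessName) (PID $($p.Id)) runs from $path, not System32"
        }
    }

    # 2. Run keys: the log deleted the values Bron-Spizaetus and MyProgram from HKLM.
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -match '^PS') { continue }   # provider metadata, not a Run value
            $knownNames = 'Bron-Spizaetus', 'MyProgram'
            if (($knownNames -contains $prop.Name) -or
                ([string]$prop.Value -match 'Bron[.-]?[Tt]ok|KesenjanganSosial|RakyatKelaparan')) {
                $findings += "Run value $key\$($prop.Name) = $($prop.Value)"
            }
        }
    }

    # 3. Winlogon Shell: the log removed a Shell value pointing at KesenjanganSosial.exe.
    #    Assumption: on a default install this value is just explorer.exe.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell.Trim() -ne 'explorer.exe') {
        $findings += "Winlogon Shell is '$shell' (expected explorer.exe)"
    }

    # 4. Files the log moved. All of them should be absent after a successful fix.
    $moved = @()
    foreach ($n in 'lsass.exe', 'services.exe', 'winlogon.exe', 'csrss.exe', 'smss.exe', 'inetinfo.exe') {
        $moved += Join-Path $env:LOCALAPPDATA $n
    }
    $moved += Join-Path $env:SystemRoot 'KesenjanganSosial.exe'
    $moved += Join-Path $env:SystemRoot 'ShellNew\RakyatKelaparan.exe'
    $moved += Join-Path $env:SystemRoot 'System32\cmd-brontok.exe'
    $moved += Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif'
    $moved += Join-Path $env:USERPROFILE 'Documents\Documents.exe'
    foreach ($f in $moved) {
        if (Test-Path -LiteralPath $f) { $findings += "Still present: $f" }
    }

    # 5. Brontok working folders (Bron.tok-15-xx, Loc.Mail.Bron.Tok, Ok-SendMail-Bron-tok).
    $dirs = Get-ChildItem -LiteralPath $env:LOCALAPPDATA -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $_.Name -match 'Bron[.-]?[Tt]ok' }
    foreach ($d in $dirs) { $findings += "Still present: $($d.FullName)" }

    return $findings
}

$result = @(Test-BrontokCleanup)
if ($result.Count -eq 0) {
    Write-Host 'No Brontok indicators from the fix log were found.'
} else {
    $result | ForEach-Object { Write-Host "FINDING: $_" }
}
```

Any FINDING line means a persistence point or impostor binary survived the fix (or was recreated on reboot), which matches the symptom reported above of the fake processes reappearing.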

#6
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Go to this webpage and download GVR 4.1 Setup by ApoNie and save it to your Desktop
  • Unzip and install it to your computer
  • Go to Option >> Update Definition >> press Update >> after it finishes, press Close
  • Hit Scan button >> choose Scan Drive/Folder >> hit Scan Now button >> Delete all infections
  • After the scan finishes, go to Tool >> choose View Logs
  • Post the log here in your next reply

Note: if the GVR installer is not working, you can use GVR portable instead.
  • 0

#7
Gnitrops

Gnitrops

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
Hello,

I downloaded and installed GVR. I followed the instructions, but GVR found no viruses. Therefore, no logs were produced.
I suspect that even when I do a "run as admin", the virus doesn't let me run as admin, and that might be why we are getting no results :|
  • 0

#8
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Please go HERE and download PCMAV and unzip it to your Desktop.
  • Make sure you are connected to the internet. Disable ALL of your antivirus/antispyware and firewall.
  • Open PCMAV folder and click on the PCMAV-CLN icon. It will update its definition automatically.
  • After that, it will start an initial scan. Let it.
  • When it says they recommend you "turn off System Restore", click No
  • Now, on PC Media Antivirus (PCMAV) click on "My Computer" >> Scan Now >> Let it scan until finish.
  • If it finds anything, DO NOT cure/delete/quarantine anything yet. We want to see what it finds. After that, just exit PCMAV
  • Open PCMAV folder and you'll find PCMAV.txt. Post the content of PCMAV.txt in your next reply

  • 0

#9
Gnitrops

Gnitrops

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
Couldn't run the scan. I downloaded the file from the location indicated, but when running PCMAV-CLN the program hangs on the loading screen (on the "loading services...100%" part). The rest of the computer keeps working fine.
  • 0

#10
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Ok, exit PCMAV. Let's do an online scan.

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

  • 0

#11
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
