Browser Redirect


  • This topic is locked

#31
jpleone

    Member

  • Topic Starter
  • 26 posts
SweetTech,

First scan showed nothing, but complete (and very long) scan showed the following:

7Sultans.exe\data018;C:\Documents and Settings\Owner\My Documents\Casinos\7Sultans.exe;Trojan.MulDrop.10632;;
7Sultans.exe;C:\Documents and Settings\Owner\My Documents\Casinos;Container contains infected objects;;
riverbelle_w.exe\data017;C:\Documents and Settings\Owner\My Documents\Casinos\riverbelle_w.exe;Trojan.MulDrop.10632;;
riverbelle_w.exe;C:\Documents and Settings\Owner\My Documents\Casinos;Container contains infected objects;;
VegasPalms_w.exe\data018;C:\Documents and Settings\Owner\My Documents\Casinos\VegasPalms_w.exe;Trojan.MulDrop.10632;;
VegasPalms_w.exe;C:\Documents and Settings\Owner\My Documents\Casinos;Container contains infected objects;;
  • 0


#32
SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Do you have the SecurityCheck log, as well as the new OTL Custom Scan log?
  • 0

#33
jpleone

    Member

  • Topic Starter
  • 26 posts
I don't think so. Did I miss a step?
  • 0

#34
SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
It was in one of my previous posts that contained instructions for the first online scanner that you were not able to run.
  • 0

#35
jpleone

    Member

  • Topic Starter
  • 26 posts
The only logs I have are the ones I posted. Sorry.
  • 0

#36
SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Security Check
Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

NEXT:

OTL Custom Scan

We need to run an OTL Custom Scan
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following bolded text into the Posted Image textbox.


    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Push Posted Image
  • A report will open. Copy and Paste that report in your next reply.

  • 0

#37
jpleone

    Member

  • Topic Starter
  • 26 posts
Here they are. Are we making progress? I haven't had any browser issues at all and the computer seems to be running fine.

Results of screen317's Security Check version 0.99.4
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
```````````````````````````````
Anti-malware/Other Utilities Check:

Ad-Aware
Malwarebytes' Anti-Malware
CCleaner
Adobe Flash Player
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Ad-Aware AAWService.exe
Ad-Aware AAWTray.exe
````````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````

OTL logfile created on: 7/26/2010 9:32:43 PM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 53.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 288.03 Gb Total Space | 268.71 Gb Free Space | 93.29% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 5.98 Gb Free Space | 59.77% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JOANN-8FP4FUTYO
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Owner\Desktop\SecurityCheck.exe ()
PRC - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
PRC - C:\Program Files\Outlook Express\msimn.exe (Microsoft Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\cmd.exe (Microsoft Corporation)
PRC - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (avg8wd) -- C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe File not found
SRV - (AppMgmt) -- C:\WINDOWS\System32\appmgmts.dll File not found
SRV - (Lavasoft Ad-Aware Service) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SRV - (Pml Driver HPZ12) -- C:\WINDOWS\system32\HPZipm12.exe (HP)


========== Driver Services (SafeList) ==========

DRV - (DwProt) -- File not found
DRV - (Lbd) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys (Lavasoft AB)
DRV - (AvgLdx86) -- C:\WINDOWS\System32\Drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgMfx86) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgTdiX) -- C:\WINDOWS\System32\Drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (ialm) -- C:\WINDOWS\system32\drivers\igxpmp32.sys (Intel Corporation)
DRV - (e1express) Intel® -- C:\WINDOWS\system32\drivers\e1e5132.sys (Intel Corporation)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\Hdaudbus.sys (Windows ® Server 2003 DDK provider)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>



O1 HOSTS File: ([2010/07/25 16:54:22 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll (Google Inc.)
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe (CASIO COMPUTER CO.,LTD.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll (Google Inc.)
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe (PokerStars)
O15 - HKCU\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.micr.../OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\yinsthelper.dll (YInstStarter Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.mi...b?1204830376265 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1204839659421 (MUWebControl Class)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.micros...ntent/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} http://www.adobe.com...obat/nos/gp.cab (get_atlcom Class)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx1.hotmail....ol/MSNPUpld.cab (Windows Live Hotmail Photo Upload Tool)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 66.133.170.2 66.133.150.12
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - Reg Error: Key error. File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/03/06 11:41:41 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

Drivers32: aux - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midi - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midimapper - C:\WINDOWS\System32\midimap.dll (Microsoft Corporation)
Drivers32: mixer - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: msacm.imaadpcm - C:\WINDOWS\System32\imaadp32.acm (Microsoft Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.msadpcm - C:\WINDOWS\System32\msadp32.acm (Microsoft Corporation)
Drivers32: msacm.msaudio1 - C:\WINDOWS\System32\msaud32.acm (Microsoft Corporation)
Drivers32: msacm.msg711 - C:\WINDOWS\System32\msg711.acm (Microsoft Corporation)
Drivers32: msacm.msg723 - C:\WINDOWS\System32\msg723.acm (Microsoft Corporation)
Drivers32: msacm.msgsm610 - C:\WINDOWS\System32\msgsm32.acm (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.I420 - C:\WINDOWS\System32\msh263.drv (Microsoft Corporation)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iyuv - C:\WINDOWS\System32\iyuv_32.dll (Microsoft Corporation)
Drivers32: vidc.M261 - C:\WINDOWS\System32\msh261.drv (Microsoft Corporation)
Drivers32: vidc.M263 - C:\WINDOWS\System32\msh263.drv (Microsoft Corporation)
Drivers32: vidc.mrle - C:\WINDOWS\System32\msrle32.dll (Microsoft Corporation)
Drivers32: vidc.msvc - C:\WINDOWS\System32\msvidc32.dll (Microsoft Corporation)
Drivers32: vidc.uyvy - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: vidc.yuy2 - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: vidc.yvu9 - C:\WINDOWS\System32\tsbyuv.dll (Microsoft Corporation)
Drivers32: vidc.yvyu - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: wave - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: wavemapper - C:\WINDOWS\System32\msacm32.drv (Microsoft Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 30 Days ==========

[2010/07/26 21:05:35 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/07/26 15:53:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\DoctorWeb
[2010/07/25 17:04:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Malwarebytes
[2010/07/25 17:04:11 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/07/25 17:04:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/07/25 17:04:04 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/07/25 17:04:04 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/07/25 16:56:15 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/07/25 16:51:59 | 000,000,000 | ---D | C] -- C:\ComboFix
[2010/07/25 11:36:22 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/07/25 11:36:22 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/07/25 11:36:22 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/07/25 11:36:22 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/07/25 11:36:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/07/25 09:07:47 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/07/24 22:17:40 | 001,013,584 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\Owner\Desktop\tdsskiller.exe
[2010/07/24 20:36:22 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/07/24 20:26:10 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\My Documents\OTL.exe
[2010/07/24 17:26:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\MpEngineStore
[2010/07/24 16:45:32 | 000,000,000 | ---D | C] -- C:\Program Files\UnHackMe
[2010/07/24 16:30:58 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Owner\PrivacIE
[2010/07/24 16:30:07 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Owner\IETldCache
[2010/07/24 16:25:34 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2010/07/24 16:16:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Sunbelt Software
[2010/07/24 16:16:17 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Owner\Recent
[2010/07/24 16:15:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Apple
[2010/07/24 16:15:45 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Real
[2010/07/24 16:15:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/07/24 16:14:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe(4)
[2010/07/24 16:14:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe(3)
[2010/07/24 15:12:14 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/07/24 15:12:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/07/24 14:52:04 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/07/23 19:16:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\New Folder
[2010/07/23 19:08:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe(2)
[2010/07/23 17:30:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/07/21 10:42:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\M&T Statements
[2010/07/21 10:42:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Chase Statements
[2010/07/16 06:06:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
[2010/07/16 05:51:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Ad-Aware
[2010/07/14 04:03:53 | 000,744,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\helpsvc.exe
[2010/07/11 17:24:17 | 000,064,288 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2010/07/11 16:41:49 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{65893B95-F47B-4483-B883-86BA181E9B54}
[2010/07/11 16:41:36 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2010/07/06 19:17:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Apple Computer
[2010/07/06 19:12:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Real
[2010/07/06 19:12:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Real
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\Documents and Settings\Owner\My Documents\*.tmp files -> C:\Documents and Settings\Owner\My Documents\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/07/26 21:33:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA1cabd057488df76.job
[2010/07/26 21:28:52 | 000,867,892 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\SecurityCheck.exe
[2010/07/26 18:20:21 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/07/26 15:51:24 | 047,860,512 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\drweb-cureit.exe
[2010/07/26 15:04:24 | 000,002,491 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Word.lnk
[2010/07/26 08:44:40 | 000,002,489 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Excel.lnk
[2010/07/26 05:07:22 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/07/25 22:33:00 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/07/25 17:04:13 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/25 16:55:38 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/07/25 16:54:27 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/07/25 16:54:22 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/07/25 16:51:08 | 003,744,105 | R--- | M] () -- C:\Documents and Settings\Owner\Desktop\ComboFix.exe
[2010/07/24 22:20:43 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/07/24 22:19:44 | 007,639,040 | ---- | M] () -- C:\Documents and Settings\Owner\ntuser.dat
[2010/07/24 22:19:44 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2010/07/24 22:19:39 | 004,299,388 | -H-- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db
[2010/07/24 22:17:51 | 001,013,584 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\Owner\Desktop\tdsskiller.exe
[2010/07/24 21:20:31 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/07/24 20:52:23 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2010/07/24 20:36:29 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/07/24 20:27:01 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\My Documents\OTL.exe
[2010/07/24 16:33:52 | 000,000,173 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2010/07/24 16:30:17 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/07/24 16:27:10 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/07/24 15:12:28 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/07/24 13:59:32 | 000,396,932 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100724-201825.backup
[2010/07/23 18:56:56 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/07/21 10:44:52 | 000,025,628 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\2010-7-Checking.pdf
[2010/07/11 17:32:31 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/07/11 16:41:47 | 000,000,867 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2010/07/06 19:12:58 | 000,499,712 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcp71.dll
[2010/07/06 19:12:58 | 000,348,160 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcr71.dll
[2010/07/06 13:28:45 | 000,064,288 | ---- | M] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2010/07/06 13:28:44 | 000,015,880 | ---- | M] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/06/29 17:06:25 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\CCleaner.lnk
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\Documents and Settings\Owner\My Documents\*.tmp files -> C:\Documents and Settings\Owner\My Documents\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/07/26 21:28:51 | 000,867,892 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\SecurityCheck.exe
[2010/07/26 15:51:23 | 047,860,512 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\drweb-cureit.exe
[2010/07/25 17:04:13 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/25 11:36:22 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/07/25 11:36:22 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/07/25 11:36:22 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/07/25 11:36:22 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/07/25 11:36:22 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/07/25 09:05:50 | 003,744,105 | R--- | C] () -- C:\Documents and Settings\Owner\Desktop\ComboFix.exe
[2010/07/24 20:52:15 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2010/07/24 16:33:52 | 000,000,173 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2010/07/24 16:27:06 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2010/07/23 17:53:22 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/07/21 10:44:52 | 000,025,628 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\2010-7-Checking.pdf
[2010/07/15 20:58:40 | 007,639,040 | ---- | C] () -- C:\Documents and Settings\Owner\ntuser.dat
[2010/07/11 18:29:14 | 000,015,880 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/07/11 16:41:47 | 000,000,867 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2009/11/06 20:13:35 | 000,000,227 | ---- | C] () -- C:\WINDOWS\HP_CounterReport_Update_HPSU.ini
[2009/11/06 20:13:32 | 000,000,214 | ---- | C] () -- C:\WINDOWS\HP_48BitScanUpdatePatch.ini
[2009/11/06 20:12:40 | 000,000,221 | ---- | C] () -- C:\WINDOWS\HP_RedboxHprblog_HPSU.ini
[2009/07/10 08:17:58 | 000,000,000 | ---- | C] () -- C:\WINDOWS\hpqEmlSz.INI
[2008/03/07 10:25:33 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/03/07 10:25:33 | 000,000,063 | ---- | C] () -- C:\WINDOWS\mdm.ini
[2008/03/06 15:03:04 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4820.dll
[2008/02/04 19:23:10 | 000,693,792 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2001/07/06 15:30:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2010/07/24 22:20:41 | 000,049,595 | ---- | M] () -- C:\aaw7boot.log
[2008/03/06 11:41:41 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2010/07/25 16:56:12 | 000,016,716 | ---- | M] () -- C:\ComboFix.txt
[2008/03/06 11:41:41 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2008/03/06 11:41:41 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2008/03/06 11:41:41 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2010/07/24 22:20:41 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys
[2010/07/24 22:18:43 | 000,031,080 | ---- | M] () -- C:\TDSSKiller.2.3.2.2_24.07.2010_22.18.38_log.txt

< %systemroot%\system32\*.wt >

< %systemroot%\system32\*.ruy >

< %systemroot%\Fonts\*.com >
[2006/04/18 15:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006/06/29 14:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 15:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/06/29 14:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2008/03/06 11:41:29 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\system32\spool\prtprocs\w32x86\*.tmp >

< %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >
[2008/07/06 08:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[1998/12/11 20:29:52 | 000,013,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\OLFPNT40.DLL

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.scr >

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009/03/08 04:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2009/03/08 04:31:38 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2008/03/06 05:30:04 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2008/03/06 05:30:04 | 000,602,112 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2008/03/06 05:30:04 | 000,417,792 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\user32.dll /md5 >
[2008/04/13 20:12:08 | 000,578,560 | ---- | M] (Microsoft Corporation) MD5=B26B135FF1B9F60C9388B4A7D16F600B -- C:\WINDOWS\system32\user32.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\ws2_32.dll /md5 >
[2008/04/13 20:12:10 | 000,082,432 | ---- | M] (Microsoft Corporation) MD5=2CCC474EB85CEAA3E1FA1726580A3E5A -- C:\WINDOWS\system32\ws2_32.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\ws2help.dll /md5 >
[2008/04/13 20:12:10 | 000,019,968 | ---- | M] (Microsoft Corporation) MD5=9789E95E1D88EEB4B922BF3EA7779C28 -- C:\WINDOWS\system32\ws2help.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-07-24 20:34:32

< >

< >
< End of report >

#38
jpleone

jpleone

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Shall I close out Security Check? It is asking "which should open".

#39
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Yes, you can close out of SecurityCheck.

#40
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hello,

Yes, we are making progress and should be done shortly. I like to be thorough with my scans to ensure that we've gotten everything.

VirusTotal File Scan
Please go to: VirusTotal
  • Click the Browse button and search for the following file: C:\Documents and Settings\Owner\My Documents\Casinos\7Sultans.exe
  • Click Open
  • Then click Send File
  • Please be patient while the file is scanned.
  • Once the scan results appear, please provide them in your next reply.
If it says already scanned -- click "reanalyze now"

Please repeat the above process for these files below:
C:\Documents and Settings\Owner\My Documents\Casinos\riverbelle_w.exe
C:\Documents and Settings\Owner\My Documents\Casinos\VegasPalms_w.exe


Please post the results in your next reply


NEXT:



OTL Fix

We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word "Code"

    :Services
    :OTL
    SRV - (avg8wd) -- C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe File not found
    DRV - (DwProt) -- File not found
    O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
    O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
    O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
    O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - Reg Error: Key error. File not found
    [2010/07/26 15:53:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\DoctorWeb
    [2010/07/26 21:28:52 | 000,867,892 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\SecurityCheck.exe
    [2010/07/26 15:51:24 | 047,860,512 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\drweb-cureit.exe
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [start explorer]
    [Reboot]
  • Push Run Fix
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click OK.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:



Can you please comment on your anti-virus situation? I don't see any signs of active processes running for any AVs, which is the reason why I'm asking.



#41
jpleone

jpleone

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
SweetTech, there were 2 Riverbelle files so I scanned them both. As for virus protection, apparently I don't have any. :) As I said in my original post, I am not very techy and I thought Adaware and Spybot were sufficient. What would you recommend? I will be signing off shortly unless you need something else tonight.


File riverbelle_w.exe received on 2010.07.27 02:18:05 (UTC)
Current status: finished
Result: 7/42 (16.67%)

Antivirus Version Last Update Result
AhnLab-V3 2010.07.27.00 2010.07.26 -
AntiVir 8.2.4.26 2010.07.26 TR/Agent.5464064
Antiy-AVL 2.0.3.7 2010.07.26 -
Authentium 5.2.0.5 2010.07.27 -
Avast 4.8.1351.0 2010.07.26 Win32:Trojan-gen
Avast5 5.0.332.0 2010.07.26 Win32:Trojan-gen
AVG 9.0.0.851 2010.07.26 -
BitDefender 7.2 2010.07.27 -
CAT-QuickHeal 11.00 2010.07.26 -
ClamAV 0.96.0.3-git 2010.07.27 -
Comodo 5549 2010.07.27 -
DrWeb 5.0.2.03300 2010.07.27 Trojan.MulDrop.10632
Emsisoft 5.0.0.34 2010.07.27 -
eSafe 7.0.17.0 2010.07.26 Win32.DelFiles.s
eTrust-Vet 36.1.7738 2010.07.26 -
F-Prot 4.6.1.107 2010.07.27 -
F-Secure 9.0.15370.0 2010.07.26 -
Fortinet 4.1.143.0 2010.07.24 -
GData 21 2010.07.27 Win32:Trojan-gen
Ikarus T3.1.1.84.0 2010.07.27 -
Jiangmin 13.0.900 2010.07.26 -
Kaspersky 7.0.0.125 2010.07.27 -
McAfee 5.400.0.1158 2010.07.27 -
McAfee-GW-Edition 2010.1 2010.07.27 -
Microsoft 1.6004 2010.07.26 -
NOD32 5315 2010.07.26 -
Norman 6.05.11 2010.07.26 -
nProtect 2010-07-26.02 2010.07.26 -
Panda 10.0.2.7 2010.07.26 -
PCTools 7.0.3.5 2010.07.27 -
Prevx 3.0 2010.07.27 -
Rising 22.58.01.01 2010.07.27 Trojan.DelFiles.af
Sophos 4.55.0 2010.07.26 -
Sunbelt 6645 2010.07.27 -
SUPERAntiSpyware 4.40.0.1006 2010.07.27 -
Symantec 20101.1.1.7 2010.07.27 -
TheHacker 6.5.2.1.326 2010.07.27 -
TrendMicro 9.120.0.1004 2010.07.27 -
TrendMicro-HouseCall 9.120.0.1004 2010.07.27 -
VBA32 3.12.12.6 2010.07.26 -
ViRobot 2010.7.26.3960 2010.07.26 -
VirusBuster 5.0.27.0 2010.07.26 -
Additional information
File size: 5464064 bytes
MD5...: bf9632e11131d5d12bb482556df5b7fe
SHA1..: 035ec1cdd3dea9da85d669305deb558df614987e
SHA256: 93986b9818393e7db3d3e9e2a2c3882415e3fc4f8fd908491dad9471eb587930
ssdeep: 98304:DwRNZ9qHiD2f4/aPVd+5M1ZJhS2gkbO5xNmOn7d4ULF:DypqHO54CnjXnDJ
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x11a3
timedatestamp.....: 0x3847b099 (Fri Dec 03 11:59:21 1999)
machinetype.......: 0x14c (I386)
( 4 sections )
name   viradd  virsiz    rawdsiz   ntrpy  md5
.text  0x1000  0x33c     0x1000    1.69   8ae8ae158a67a33023055993bf26374b
.rdata 0x2000  0x410     0x1000    1.68   f68bcc992e1a2b8f3ed85efab596446b
.data  0x3000  0x3c      0x1000    0.03   87a7d1887278427e8522e3853018e073
.rsrc  0x4000  0x532000  0x532000  8.00   fa9072a5ce51bc15e0f50c8d9f4abaaf
( 4 imports )
> KERNEL32.dll: lstrlenA, CloseHandle, WriteFile, CreateFileA, CreateProcessA, FreeResource, LoadResource, FindResourceA, GetTempFileNameA, GetTempPathA, SizeofResource, LockResource, DeleteFileA, GetStartupInfoA, WaitForSingleObject, GetModuleHandleA
> USER32.dll: wsprintfA, LoadStringA
> ADVAPI32.dll: RegCreateKeyExA, RegSetValueExA, RegCloseKey
> MSVCRT.dll: _adjust_fdiv, _exit, _XcptFilter, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _controlfp, __p__commode, __p__fmode, __set_app_type, _except_handler3
( 0 exports )
RDS...: NSRL Reference Data Set-
trid..: Win64 Executable Generic (87.2%)
        Win32 Executable Generic (8.6%)
        Generic Win/DOS Executable (2.0%)
        DOS Executable Generic (2.0%)
        Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
pdfid.: -
Symantec Reputation Network: Suspicious.Insight http://www.symantec....-021223-0550-99
sigcheck:
publisher....: Microgaming Systems
copyright....: Microgaming System 2001
product......: n/a
description..: riverbelle Ver 1.0.2.3a
original name: n/a
internal name: n/a
file version.: 1.0.2.3a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
packers (Avast): Embedded_R#0041b4

File VegasPalms_w.exe received on 2010.07.27 02:08:38 (UTC)
Current status: finished
Result: 10/42 (23.81%)

Antivirus Version Last Update Result
AhnLab-V3 2010.07.27.00 2010.07.26 -
AntiVir 8.2.4.26 2010.07.26 TR/Dropper.Gen
Antiy-AVL 2.0.3.7 2010.07.26 -
Authentium 5.2.0.5 2010.07.27 W32/Trojan2.LOGX
Avast 4.8.1351.0 2010.07.26 Win32:Trojan-gen
Avast5 5.0.332.0 2010.07.26 Win32:Trojan-gen
AVG 9.0.0.851 2010.07.26 -
BitDefender 7.2 2010.07.27 -
CAT-QuickHeal 11.00 2010.07.26 -
ClamAV 0.96.0.3-git 2010.07.27 -
Comodo 5549 2010.07.27 -
DrWeb 5.0.2.03300 2010.07.27 Trojan.MulDrop.10632
Emsisoft 5.0.0.34 2010.07.27 -
eSafe 7.0.17.0 2010.07.26 Win32.DelFiles.s
eTrust-Vet 36.1.7738 2010.07.26 -
F-Prot 4.6.1.107 2010.07.27 W32/Trojan2.LOGX
F-Secure 9.0.15370.0 2010.07.26 -
Fortinet 4.1.143.0 2010.07.24 -
GData 21 2010.07.27 Win32:Trojan-gen
Ikarus T3.1.1.84.0 2010.07.27 -
Jiangmin 13.0.900 2010.07.26 -
Kaspersky 7.0.0.125 2010.07.27 Trojan.Win32.DelFiles.s
McAfee 5.400.0.1158 2010.07.27 -
McAfee-GW-Edition 2010.1 2010.07.27 -
Microsoft 1.6004 2010.07.26 -
NOD32 5315 2010.07.26 -
Norman 6.05.11 2010.07.26 -
nProtect 2010-07-26.02 2010.07.26 -
Panda 10.0.2.7 2010.07.26 -
PCTools 7.0.3.5 2010.07.27 -
Prevx 3.0 2010.07.27 -
Rising 22.58.00.04 2010.07.26 Trojan.DelFiles.af
Sophos 4.55.0 2010.07.26 -
Sunbelt 6645 2010.07.27 -
SUPERAntiSpyware 4.40.0.1006 2010.07.27 -
Symantec 20101.1.1.7 2010.07.27 -
TheHacker 6.5.2.1.326 2010.07.27 -
TrendMicro 9.120.0.1004 2010.07.27 -
TrendMicro-HouseCall 9.120.0.1004 2010.07.27 -
VBA32 3.12.12.6 2010.07.26 -
ViRobot 2010.7.26.3960 2010.07.26 -
VirusBuster 5.0.27.0 2010.07.26 -
Additional information
File size: 6033408 bytes
MD5...: c7916042c4e2ed297598089303abf837
SHA1..: 25b034bfa9bcb02c1e2797473d322c47cecaafcd
SHA256: 1297b686d0a38a7181eb51b32fc6009584f02c1f32f60ed6e820b844cf2e7630
ssdeep: 98304:DirCX88A6/Q1aehUgOh09ldXWQl/9UsUAoXt/t80O5xNmc8xBw3bj9M9d+5M1YUh:Dir0/Q1pUi9vXW8lhw/tujYxBKj9j5mN
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x1367
timedatestamp.....: 0x3bd95841 (Fri Oct 26 12:34:09 2001)
machinetype.......: 0x14c (I386)
( 3 sections )
name   viradd  virsiz    rawdsiz   ntrpy  md5
.text  0x1000  0x381     0x1000    1.76   543c9cec5e7d7e96e5e6d31b276b2ecb
.rdata 0x2000  0x2e4     0x1000    1.23   0610c8b373a4bfbb0b133b70859b2bff
.rsrc  0x3000  0x5be000  0x5be000  8.00   cdccf5c10c8008b26a81c08d37943a2a
( 3 imports )
> KERNEL32.dll: CreateFileA, WriteFile, LockResource, LoadResource, FindResourceA, CloseHandle, SizeofResource, WaitForSingleObject, lstrlenA, DeleteFileA, lstrcatA, lstrcpyA, GetModuleHandleA, GetCommandLineA, FreeResource, CreateProcessA, GetTempFileNameA, GetTempPathA, lstrcmpiA
> USER32.dll: LoadStringA, MessageBoxA
> ADVAPI32.dll: RegCloseKey, RegQueryValueExA, RegSetValueExA, RegCreateKeyExA
( 0 exports )

File riverbelle.exe received on 2010.07.27 01:57:51 (UTC)
Current status: finished
Result: 3/42 (7.15%)

Antivirus Version Last Update Result
AhnLab-V3 2010.07.27.00 2010.07.26 -
AntiVir 8.2.4.26 2010.07.26 TR/Dropper.Gen
Antiy-AVL 2.0.3.7 2010.07.26 -
Authentium 5.2.0.5 2010.07.27 W32/Trojan2.LOGX
Avast 4.8.1351.0 2010.07.26 -
Avast5 5.0.332.0 2010.07.26 -
AVG 9.0.0.851 2010.07.26 -
BitDefender 7.2 2010.07.27 -
CAT-QuickHeal 11.00 2010.07.26 -
ClamAV 0.96.0.3-git 2010.07.27 -
Comodo 5549 2010.07.27 -
DrWeb 5.0.2.03300 2010.07.27 -
Emsisoft 5.0.0.34 2010.07.27 -
eSafe 7.0.17.0 2010.07.26 -
eTrust-Vet 36.1.7738 2010.07.26 -
F-Prot 4.6.1.107 2010.07.27 W32/Trojan2.LOGX
F-Secure 9.0.15370.0 2010.07.26 -
Fortinet 4.1.143.0 2010.07.24 -
GData 21 2010.07.27 -
Ikarus T3.1.1.84.0 2010.07.27 -
Jiangmin 13.0.900 2010.07.26 -
Kaspersky 7.0.0.125 2010.07.27 -
McAfee 5.400.0.1158 2010.07.27 -
McAfee-GW-Edition 2010.1 2010.07.27 -
Microsoft 1.6004 2010.07.26 -
NOD32 5315 2010.07.26 -
Norman 6.05.11 2010.07.26 -
nProtect 2010-07-26.02 2010.07.26 -
Panda 10.0.2.7 2010.07.26 -
PCTools 7.0.3.5 2010.07.27 -
Prevx 3.0 2010.07.27 -
Rising 22.58.00.04 2010.07.26 -
Sophos 4.55.0 2010.07.26 -
Sunbelt 6645 2010.07.27 -
SUPERAntiSpyware 4.40.0.1006 2010.07.27 -
Symantec 20101.1.1.7 2010.07.27 -
TheHacker 6.5.2.1.326 2010.07.27 -
TrendMicro 9.120.0.1004 2010.07.27 -
TrendMicro-HouseCall 9.120.0.1004 2010.07.27 -
VBA32 3.12.12.6 2010.07.26 -
ViRobot 2010.7.26.3960 2010.07.26 -
VirusBuster 5.0.27.0 2010.07.26 -
Additional information
File size: 7544832 bytes
MD5...: 679462060e61e73c73df531382d3e9a4
SHA1..: b34e8d5605d1c057a55123b2331b78471d2badf8
SHA256: 5ad7c339f582d80225a28c98733983e15dcb1f9eb5e1a32d87ad52d6f6d1e9a6
ssdeep: 196608:S9xSkfCBjIn7h+5cmXNLwHeG+xUh4Ci8IJ65IO:SvbqBc7Y5cmXOHj+xUGsT
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x1367
timedatestamp.....: 0x3bd95841 (Fri Oct 26 12:34:09 2001)
machinetype.......: 0x14c (I386)
( 3 sections )
name   viradd  virsiz    rawdsiz   ntrpy  md5
.text  0x1000  0x381     0x1000    1.76   543c9cec5e7d7e96e5e6d31b276b2ecb
.rdata 0x2000  0x2e4     0x1000    1.23   0610c8b373a4bfbb0b133b70859b2bff
.rsrc  0x3000  0x72f000  0x72f000  8.00   6ec730502366644ebb0adfac483de912
( 3 imports )
> KERNEL32.dll: CreateFileA, WriteFile, LockResource, LoadResource, FindResourceA, CloseHandle, SizeofResource, WaitForSingleObject, lstrlenA, DeleteFileA, lstrcatA, lstrcpyA, GetModuleHandleA, GetCommandLineA, FreeResource, CreateProcessA, GetTempFileNameA, GetTempPathA, lstrcmpiA
> USER32.dll: LoadStringA, MessageBoxA
> ADVAPI32.dll: RegCloseKey, RegQueryValueExA, RegSetValueExA, RegCreateKeyExA
( 0 exports )
RDS...: NSRL Reference Data Set-
sigcheck:
publisher....: Microgaming
copyright....: Copyright © Microgaming 2003
product......: n/a
description..: riverbelle Ver 3.3.2.0
original name: n/a
internal name: n/a
file version.: 3.3.2.0
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
trid..: Wise Installer executable (97.5%)
        Win32 Executable Generic (1.0%)
        Win32 Dynamic Link Library (generic) (0.9%)
        Generic Win/DOS Executable (0.2%)
        DOS Executable Generic (0.2%)
Symantec Reputation Network: Suspicious.Insight http://www.symantec....-021223-0550-99

RDS...: NSRL Reference Data Set-
pdfid.: -
trid..: Win32 Executable Generic (42.3%)
        Win32 Dynamic Link Library (generic) (37.6%)
        Generic Win/DOS Executable (9.9%)
        DOS Executable Generic (9.9%)
        Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microgaming Systems
copyright....: Microgaming Systems 2003
product......: n/a
description..: vegaspalms Ver 3.2.6.0
original name: n/a
internal name: n/a
file version.: 3.2.6.0
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
Symantec Reputation Network: Suspicious.Insight http://www.symantec....-021223-0550-99
packers (Avast): Embedded_R#003904


OTL
>Flash cache emptied: 3511 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1145933 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 90 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 32902 bytes
RecycleBin emptied: 672 bytes

Total Files Cleaned = 100.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User

User: LocalService

User: NetworkService
->Flash cache emptied: 0 bytes

User: Owner
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.9.1 log created on 07262010_223205

#42
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
These 3 files appear to be infected. We will go ahead and remove them.

C:\Documents and Settings\Owner\My Documents\Casinos\7Sultans.exe
C:\Documents and Settings\Owner\My Documents\Casinos\riverbelle_w.exe
C:\Documents and Settings\Owner\My Documents\Casinos\VegasPalms_w.exe


OTL Fix

We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word "Code"

    :Services
    :OTL
    
    :Reg
    
    :Files
    C:\Documents and Settings\Owner\My Documents\Casinos\7Sultans.exe
    C:\Documents and Settings\Owner\My Documents\Casinos\riverbelle_w.exe
    C:\Documents and Settings\Owner\My Documents\Casinos\VegasPalms_w.exe
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [start explorer]
    [Reboot]
  • Push Run Fix
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click OK.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:



No Anti-Virus Present

Looking over your log, there doesn't seem to be any evidence of anti-virus software.

Anti-virus software are programs that detect, clean and erase harmful virus files on a computer, web server or network.
Unchecked virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one of these excellent vendors

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer then only one of them should be active in memory at a time.

#43
jpleone

jpleone

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Good Morning SweetTech,

Here's the report. I downloaded Avira and am in the process of running it now.

All processes killed
========== SERVICES/DRIVERS ==========
========== OTL ==========
========== REGISTRY ==========
========== FILES ==========
C:\Documents and Settings\Owner\My Documents\Casinos\7Sultans.exe moved successfully.
C:\Documents and Settings\Owner\My Documents\Casinos\riverbelle_w.exe moved successfully.
C:\Documents and Settings\Owner\My Documents\Casinos\VegasPalms_w.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: Owner
->Temp folder emptied: 9860836 bytes
->Temporary Internet Files folder emptied: 15192353 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 787 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 1519 bytes

Total Files Cleaned = 24.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User

User: LocalService

User: NetworkService
->Flash cache emptied: 0 bytes

User: Owner
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.9.1 log created on 07272010_110626

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\~DF6650.tmp not found!
File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\~DF6660.tmp not found!
File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\~DF66FE.tmp not found!
File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\~DF6709.tmp not found!
File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\~DF673A.tmp not found!
File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\~DF674F.tmp not found!
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\R0SY1PCQ\like[1].htm moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\R0SY1PCQ\like[2].htm moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\R0SY1PCQ\Messenger[1].htm moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\R0SY1PCQ\page__st__30__gopid__1876101[1].txt moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\R0SY1PCQ\PLoad[1].htm moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\R0SY1PCQ\PLoad[2].htm moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\R0SY1PCQ\xd_proxy[2].htm moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\R0SY1PCQ\xd_proxy[3].htm moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OD34QTN1\channel[1].htm moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OD34QTN1\PLoad[1].htm moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OD34QTN1\PLoad[2].htm moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MXA0Q6FU\BalancesAndPositions[1].htm moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MXA0Q6FU\clear[1].gif moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MXA0Q6FU\finance[2].htm moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MXA0Q6FU\InboxLight[1].htm moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MXA0Q6FU\index[2].htm moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MXA0Q6FU\Main[1].htm moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MXA0Q6FU\PLoad[1].htm moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MXA0Q6FU\urllauncher[1].html moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9JHCH6TB\basic_materials;fe=nyse;ft=aks;fm=small;sz=300x250;dcopt=ist;myd=ad;dc_ref=http___finance.google.com_finance_q=NYSE_AKS;domain=www.google[1].htm moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9JHCH6TB\default[1].htm moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9JHCH6TB\EquityTrade[1].htm moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9JHCH6TB\like[1].htm moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9JHCH6TB\like[2].htm moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9JHCH6TB\LocalStorage[1].htm moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9JHCH6TB\page__st__30[1].htm moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9JHCH6TB\PLoad[1].htm moved successfully.

Registry entries deleted on Reboot...

#44
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Okay. Please let me know when it has finished running.

#45
jpleone

jpleone

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Here's the Avira Report

Avira AntiVir Personal
Report file date: Tuesday, July 27, 2010 11:46

Scanning for 2578239 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : Removed.--ST
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : JOANN-8FP4FUTYO

Version information:
BUILD.DAT : 10.0.0.567 32097 Bytes 4/19/2010 15:07:00
AVSCAN.EXE : 10.0.3.0 433832 Bytes 4/1/2010 17:37:38
AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 17:57:04
LUKE.DLL : 10.0.2.3 104296 Bytes 3/7/2010 23:33:04
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 04:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 14:05:36
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 00:27:49
VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 22:37:42
VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 21:37:42
VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 16:29:03
VBASE005.VDF : 7.10.6.82 2494464 Bytes 4/15/2010 15:29:05
VBASE006.VDF : 7.10.7.218 2294784 Bytes 6/2/2010 15:29:11
VBASE007.VDF : 7.10.9.165 4840960 Bytes 7/23/2010 15:29:24
VBASE008.VDF : 7.10.9.166 2048 Bytes 7/23/2010 15:29:24
VBASE009.VDF : 7.10.9.167 2048 Bytes 7/23/2010 15:29:24
VBASE010.VDF : 7.10.9.168 2048 Bytes 7/23/2010 15:29:24
VBASE011.VDF : 7.10.9.169 2048 Bytes 7/23/2010 15:29:24
VBASE012.VDF : 7.10.9.170 2048 Bytes 7/23/2010 15:29:25
VBASE013.VDF : 7.10.9.198 157696 Bytes 7/26/2010 15:29:25
VBASE014.VDF : 7.10.9.199 2048 Bytes 7/26/2010 15:29:25
VBASE015.VDF : 7.10.9.200 2048 Bytes 7/26/2010 15:29:25
VBASE016.VDF : 7.10.9.201 2048 Bytes 7/26/2010 15:29:26
VBASE017.VDF : 7.10.9.202 2048 Bytes 7/26/2010 15:29:26
VBASE018.VDF : 7.10.9.203 2048 Bytes 7/26/2010 15:29:26
VBASE019.VDF : 7.10.9.204 2048 Bytes 7/26/2010 15:29:26
VBASE020.VDF : 7.10.9.205 2048 Bytes 7/26/2010 15:29:26
VBASE021.VDF : 7.10.9.206 2048 Bytes 7/26/2010 15:29:26
VBASE022.VDF : 7.10.9.207 2048 Bytes 7/26/2010 15:29:27
VBASE023.VDF : 7.10.9.208 2048 Bytes 7/26/2010 15:29:27
VBASE024.VDF : 7.10.9.209 2048 Bytes 7/26/2010 15:29:27
VBASE025.VDF : 7.10.9.210 2048 Bytes 7/26/2010 15:29:27
VBASE026.VDF : 7.10.9.211 2048 Bytes 7/26/2010 15:29:27
VBASE027.VDF : 7.10.9.212 2048 Bytes 7/26/2010 15:29:27
VBASE028.VDF : 7.10.9.213 2048 Bytes 7/26/2010 15:29:27
VBASE029.VDF : 7.10.9.214 2048 Bytes 7/26/2010 15:29:28
VBASE030.VDF : 7.10.9.215 2048 Bytes 7/26/2010 15:29:28
VBASE031.VDF : 7.10.9.224 93184 Bytes 7/27/2010 15:29:28
Engineversion : 8.2.4.26
AEVDF.DLL : 8.1.2.0 106868 Bytes 7/27/2010 15:29:38
AESCRIPT.DLL : 8.1.3.41 1364346 Bytes 7/27/2010 15:29:38
AESCN.DLL : 8.1.6.1 127347 Bytes 7/27/2010 15:29:37
AESBX.DLL : 8.1.3.1 254324 Bytes 7/27/2010 15:29:39
AERDL.DLL : 8.1.8.2 614772 Bytes 7/27/2010 15:29:36
AEPACK.DLL : 8.2.3.2 471414 Bytes 7/27/2010 15:29:36
AEOFFICE.DLL : 8.1.1.8 201081 Bytes 7/27/2010 15:29:35
AEHEUR.DLL : 8.1.2.6 2793846 Bytes 7/27/2010 15:29:34
AEHELP.DLL : 8.1.13.2 242039 Bytes 7/27/2010 15:29:31
AEGEN.DLL : 8.1.3.17 385396 Bytes 7/27/2010 15:29:31
AEEMU.DLL : 8.1.2.0 393588 Bytes 7/27/2010 15:29:30
AECORE.DLL : 8.1.16.2 192887 Bytes 7/27/2010 15:29:30
AEBB.DLL : 8.1.1.0 53618 Bytes 7/27/2010 15:29:29
AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 17:03:38
AVPREF.DLL : 10.0.0.0 44904 Bytes 1/14/2010 17:03:35
AVREP.DLL : 10.0.0.8 62209 Bytes 2/18/2010 21:47:40
AVREG.DLL : 10.0.3.0 53096 Bytes 4/1/2010 17:35:46
AVSCPLR.DLL : 10.0.3.0 83816 Bytes 4/1/2010 17:39:51
AVARKT.DLL : 10.0.0.14 227176 Bytes 4/1/2010 17:22:13
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 1/26/2010 14:53:30
SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 17:57:58
AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 20:38:56
NETNT.DLL : 10.0.0.0 11624 Bytes 2/19/2010 19:41:00
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 18:10:20
RCTEXT.DLL : 10.0.53.0 97128 Bytes 4/9/2010 19:14:29

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Tuesday, July 27, 2010 11:46

Starting search for hidden objects.

The scan of running processes will be started
Scan process 'msdtc.exe' - '40' Module(s) have been scanned
Scan process 'dllhost.exe' - '59' Module(s) have been scanned
Scan process 'dllhost.exe' - '45' Module(s) have been scanned
Scan process 'vssvc.exe' - '48' Module(s) have been scanned
Scan process 'avscan.exe' - '70' Module(s) have been scanned
Scan process 'avcenter.exe' - '62' Module(s) have been scanned
Scan process 'avgnt.exe' - '50' Module(s) have been scanned
Scan process 'sched.exe' - '46' Module(s) have been scanned
Scan process 'avshadow.exe' - '26' Module(s) have been scanned
Scan process 'avguard.exe' - '54' Module(s) have been scanned
Scan process 'iexplore.exe' - '130' Module(s) have been scanned
Scan process 'iexplore.exe' - '122' Module(s) have been scanned
Scan process 'wuauclt.exe' - '36' Module(s) have been scanned
Scan process 'iexplore.exe' - '122' Module(s) have been scanned
Scan process 'iexplore.exe' - '123' Module(s) have been scanned
Scan process 'iexplore.exe' - '123' Module(s) have been scanned
Scan process 'iexplore.exe' - '71' Module(s) have been scanned
Scan process 'AAWTray.exe' - '23' Module(s) have been scanned
Scan process 'msmsgs.exe' - '43' Module(s) have been scanned
Scan process 'msimn.exe' - '82' Module(s) have been scanned
Scan process 'hpqSTE08.exe' - '65' Module(s) have been scanned
Scan process 'OLFSNT40.EXE' - '14' Module(s) have been scanned
Scan process 'Plauto.exe' - '23' Module(s) have been scanned
Scan process 'hpqtra08.exe' - '76' Module(s) have been scanned
Scan process 'ctfmon.exe' - '25' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '54' Module(s) have been scanned
Scan process 'HPWuSchd2.exe' - '18' Module(s) have been scanned
Scan process 'hkcmd.exe' - '26' Module(s) have been scanned
Scan process 'igfxtray.exe' - '27' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '42' Module(s) have been scanned
Scan process 'alg.exe' - '33' Module(s) have been scanned
Scan process 'unsecapp.exe' - '36' Module(s) have been scanned
Scan process 'svchost.exe' - '39' Module(s) have been scanned
Scan process 'svchost.exe' - '34' Module(s) have been scanned
Scan process 'Explorer.EXE' - '100' Module(s) have been scanned
Scan process 'spoolsv.exe' - '65' Module(s) have been scanned
Scan process 'AAWService.exe' - '91' Module(s) have been scanned
Scan process 'svchost.exe' - '37' Module(s) have been scanned
Scan process 'svchost.exe' - '32' Module(s) have been scanned
Scan process 'svchost.exe' - '163' Module(s) have been scanned
Scan process 'svchost.exe' - '39' Module(s) have been scanned
Scan process 'svchost.exe' - '53' Module(s) have been scanned
Scan process 'lsass.exe' - '58' Module(s) have been scanned
Scan process 'services.exe' - '36' Module(s) have been scanned
Scan process 'winlogon.exe' - '67' Module(s) have been scanned
Scan process 'csrss.exe' - '12' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '362' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{6B6C0CF7-045B-434D-8C89-7274C5A9D9AE}\Microsoft\Outlook Express\Finance.dbx
[DETECTION] Contains recognition pattern of the HTML/Spoofing.Gen HTML script virus
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{6B6C0CF7-045B-434D-8C89-7274C5A9D9AE}\Microsoft\Outlook Express\Paypal.dbx
[DETECTION] Contains recognition pattern of the HTML/Spoofing.Gen HTML script virus
C:\System Volume Information\_restore{63E936C5-8345-4EC2-BE07-B78F79745EE8}\RP788\A0087230.dll
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Agent.axlw back-door program
C:\_OTL\MovedFiles\07272010_110626\C_Documents and Settings\Owner\My Documents\Casinos\riverbelle_w.exe
[DETECTION] Is the TR/Agent.5464064 Trojan
C:\_OTL\MovedFiles\07272010_110626\C_Documents and Settings\Owner\My Documents\Casinos\VegasPalms_w.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
Begin scan in 'D:\' <RECOVERY>

Beginning disinfection:
C:\_OTL\MovedFiles\07272010_110626\C_Documents and Settings\Owner\My Documents\Casinos\VegasPalms_w.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '465dae59.qua'.
C:\_OTL\MovedFiles\07272010_110626\C_Documents and Settings\Owner\My Documents\Casinos\riverbelle_w.exe
[DETECTION] Is the TR/Agent.5464064 Trojan
[NOTE] The file was moved to the quarantine directory under the name '5eb981e2.qua'.
C:\System Volume Information\_restore{63E936C5-8345-4EC2-BE07-B78F79745EE8}\RP788\A0087230.dll
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Agent.axlw back-door program
[NOTE] The file was moved to the quarantine directory under the name '0c5cdb41.qua'.
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{6B6C0CF7-045B-434D-8C89-7274C5A9D9AE}\Microsoft\Outlook Express\Paypal.dbx
[DETECTION] Contains recognition pattern of the HTML/Spoofing.Gen HTML script virus
[NOTE] The file was moved to the quarantine directory under the name '6adc94d0.qua'.
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{6B6C0CF7-045B-434D-8C89-7274C5A9D9AE}\Microsoft\Outlook Express\Finance.dbx
[DETECTION] Contains recognition pattern of the HTML/Spoofing.Gen HTML script virus
[NOTE] The file was moved to the quarantine directory under the name '2f2db9f7.qua'.


End of the scan: Tuesday, July 27, 2010 12:33
Used time: 45:47 Minute(s)

The scan has been done completely.

8161 Scanned directories
247646 Files were scanned
5 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
5 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
247641 Files not concerned
1259 Archives were scanned
0 Warnings
5 Notes
488107 Objects were scanned with rootkit scan
0 Hidden objects were found

Edited by SweetTech, 27 July 2010 - 10:41 AM.

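The log above is Avira's own report. As an added example (not part of the post and not Avira's code), here is a small Python parser that turns such a log into structured findings, classifies each flagged path (a System Restore snapshot under System Volume Information, a file OTL had already moved aside under _OTL\MovedFiles, an Outlook Express .dbx mail store, or a live file) and checks that the per-file entries agree with the summary counts at the end. The sample input is constructed from the lines posted above; the category names and the reconcile function are assumptions of this example, not Avira terminology.

```python
"""Parse an Avira AntiVir scan log into findings and cross-check the summary.
Added example; the category names and helper names are this example's own."""
import re
from collections import Counter

# Constructed sample: lines copied from the scan log posted above.
SAMPLE_LOG = r"""
Begin scan in 'C:\'
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{6B6C0CF7-045B-434D-8C89-7274C5A9D9AE}\Microsoft\Outlook Express\Finance.dbx
[DETECTION] Contains recognition pattern of the HTML/Spoofing.Gen HTML script virus
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{6B6C0CF7-045B-434D-8C89-7274C5A9D9AE}\Microsoft\Outlook Express\Paypal.dbx
[DETECTION] Contains recognition pattern of the HTML/Spoofing.Gen HTML script virus
C:\System Volume Information\_restore{63E936C5-8345-4EC2-BE07-B78F79745EE8}\RP788\A0087230.dll
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Agent.axlw back-door program
C:\_OTL\MovedFiles\07272010_110626\C_Documents and Settings\Owner\My Documents\Casinos\riverbelle_w.exe
[DETECTION] Is the TR/Agent.5464064 Trojan
C:\_OTL\MovedFiles\07272010_110626\C_Documents and Settings\Owner\My Documents\Casinos\VegasPalms_w.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
Begin scan in 'D:\' <RECOVERY>

Beginning disinfection:
C:\_OTL\MovedFiles\07272010_110626\C_Documents and Settings\Owner\My Documents\Casinos\VegasPalms_w.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '465dae59.qua'.
C:\_OTL\MovedFiles\07272010_110626\C_Documents and Settings\Owner\My Documents\Casinos\riverbelle_w.exe
[DETECTION] Is the TR/Agent.5464064 Trojan
[NOTE] The file was moved to the quarantine directory under the name '5eb981e2.qua'.
C:\System Volume Information\_restore{63E936C5-8345-4EC2-BE07-B78F79745EE8}\RP788\A0087230.dll
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Agent.axlw back-door program
[NOTE] The file was moved to the quarantine directory under the name '0c5cdb41.qua'.
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{6B6C0CF7-045B-434D-8C89-7274C5A9D9AE}\Microsoft\Outlook Express\Paypal.dbx
[DETECTION] Contains recognition pattern of the HTML/Spoofing.Gen HTML script virus
[NOTE] The file was moved to the quarantine directory under the name '6adc94d0.qua'.
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{6B6C0CF7-045B-434D-8C89-7274C5A9D9AE}\Microsoft\Outlook Express\Finance.dbx
[DETECTION] Contains recognition pattern of the HTML/Spoofing.Gen HTML script virus
[NOTE] The file was moved to the quarantine directory under the name '2f2db9f7.qua'.

End of the scan: Tuesday, July 27, 2010 12:33
Used time: 45:47 Minute(s)

The scan has been done completely.

8161 Scanned directories
247646 Files were scanned
5 Viruses and/or unwanted programs were found
5 Files were moved to quarantine
0 Files cannot be scanned
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")                      # drive-letter path line
DETECTION_RE = re.compile(
    r"\[DETECTION\] (?:Is the|Contains (?:a )?recognition pattern of the"
    r"(?: \(harmful\))?) (\S+)")                            # captures e.g. TR/Dropper.Gen
QUARANTINE_RE = re.compile(
    r"\[NOTE\] The file was moved to the quarantine directory under the name '([^']+)'")
SUMMARY_RE = re.compile(r"^(\d+) (.+)$")                    # "5 Files were moved to quarantine"


def classify(path):
    """Where the flagged file lives (category names are this example's own)."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore_point"   # copy inside a System Restore snapshot
    if "\\_otl\\movedfiles\\" in p:
        return "otl_moved"       # already moved aside by OTL, not in its original place
    if p.endswith(".dbx"):
        return "mail_store"      # Outlook Express mailbox; the hit is a message inside it
    return "live_file"


def parse_avira_log(text):
    """Return (findings, summary): one finding per path, plus the numeric summary."""
    findings, summary, section, pending = {}, {}, "scan", None
    for line in (l.strip() for l in text.splitlines()):
        if line == "Beginning disinfection:":
            section = "disinfect"
        elif line.startswith("End of the scan:"):
            section = "summary"
        elif section == "summary":
            m = SUMMARY_RE.match(line)
            if m:
                summary[m.group(2)] = int(m.group(1))
        elif PATH_RE.match(line):
            pending = line                                  # next lines describe this file
        elif (m := DETECTION_RE.match(line)) and pending:
            entry = findings.setdefault(pending, {"path": pending, "signature": None,
                                                  "category": classify(pending),
                                                  "quarantine": None})
            entry["signature"] = m.group(1)
        elif (m := QUARANTINE_RE.match(line)) and pending in findings:
            findings[pending]["quarantine"] = m.group(1)
    return list(findings.values()), summary


def reconcile(text):
    """Check the per-file entries against the summary and bucket the findings."""
    findings, summary = parse_avira_log(text)
    not_quarantined = [f["path"] for f in findings if f["quarantine"] is None]
    found = summary.get("Viruses and/or unwanted programs were found")
    moved = summary.get("Files were moved to quarantine")
    return {
        "findings": findings,
        "by_category": Counter(f["category"] for f in findings),
        "by_signature": Counter(f["signature"] for f in findings),
        "not_quarantined": not_quarantined,
        "summary_matches": found == len(findings)
                           and moved == len(findings) - len(not_quarantined),
    }


if __name__ == "__main__":
    report = reconcile(SAMPLE_LOG)
    for f in report["findings"]:
        print(f"{f['category']:14} {f['signature']:22} -> {f['quarantine']}")
    print(dict(report["by_category"]), "consistent:", report["summary_matches"])
```

The categories are the point: a .dbx hit means a phishing message was recognised inside the mailbox file and quarantining it took the whole mailbox with it; a hit under System Volume Information only comes back if that restore point is used; and anything under _OTL\MovedFiles was already moved out of its original location by OTL before Avira ran. The consistency check catches a log whose summary line disagrees with the entries, which is worth confirming before calling a machine clean.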