Malware Removed - Still Have Browser Hijack and Damaged Files


This topic is locked

#1
peter23fulton

Got a virus when browsing to a site, nothing downloaded. I think it was Internet Security 2012 or something like that. Ran Malwarebytes and it found and removed seven items. Upon restart I can't find many of my Windows applications, MS Office is empty, MS Works and Frontpage are gone. When I go into program files and click on the icon, it asks me what program I want to use to run the program. So my applications are all messed up. To run OTL I had to use OTL.scr, OTL.exe would not work. And when I try to use Internet Explorer I get redirected to sites I do not want.

Below is my OTL file.

Thank You


OTL logfile created on: 6/14/2011 3:10:39 PM - Run 1
OTL by OldTimer - Version 3.2.24.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

703.48 Mb Total Physical Memory | 504.49 Mb Available Physical Memory | 71.71% Memory free
954.55 Mb Paging File | 519.59 Mb Available in Paging File | 54.43% Paging File free
Paging file location(s): C:\pagefile.sys 288 576 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 33.69 Gb Total Space | 5.88 Gb Free Space | 17.46% Space Free | Partition Type: NTFS
Drive D: | 3.56 Gb Total Space | 1.68 Gb Free Space | 47.05% Space Free | Partition Type: FAT32
Drive E: | 0.45 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive F: | 3.65 Gb Total Space | 0.20 Gb Free Space | 5.37% Space Free | Partition Type: FAT32

Computer Name: YOUR-89F78CD95C | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/06/14 15:04:14 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.scr
PRC - [2007/06/13 06:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2011/06/14 15:04:14 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.scr
MOD - [2006/08/25 11:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2007/09/20 20:39:38 | 000,172,032 | ---- | M] (New Boundary Technologies, Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS -- (PrismXL)
SRV - [2005/10/13 19:56:16 | 000,126,976 | ---- | M] (McAfee, Inc) [Disabled | Stopped] -- c:\Program Files\McAfee.com\Agent\Mcdetect.exe -- (McDetect.exe)
SRV - [2005/08/24 16:01:04 | 000,122,368 | ---- | M] (McAfee, Inc) [Disabled | Stopped] -- c:\Program Files\McAfee.com\Agent\McTskshd.exe -- (McTskshd.exe)
SRV - [2005/07/01 19:22:50 | 000,245,760 | ---- | M] (McAfee, Inc) [Disabled | Stopped] -- C:\Program Files\McAfee.com\Agent\mcupdmgr.exe -- (mcupdmgr.exe)
SRV - [2004/04/07 12:07:32 | 001,135,728 | ---- | M] (America Online, Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe -- (AOL ACS)


========== Driver Services (SafeList) ==========

DRV - [2010/02/17 14:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Documents and Settings\Owner\Local Settings\Temp\SAS_SelfExtract\sasdifsv.sys -- (SASDIFSV)
DRV - [2008/12/22 12:06:02 | 000,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2008/12/22 12:05:58 | 000,055,024 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2007/09/20 20:53:44 | 000,008,552 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2004/06/17 18:56:22 | 000,220,032 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2004/06/17 18:55:38 | 000,685,056 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/06/17 18:55:04 | 001,041,536 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2004/05/25 18:58:04 | 000,396,032 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvapu.sys -- (nvnforce) Service for NVIDIA® nForce™
DRV - [2004/05/25 18:58:02 | 000,048,640 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvax.sys -- (nvax) Service for NVIDIA® nForce™
DRV - [2004/05/17 02:00:54 | 000,012,928 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2004/05/17 02:00:52 | 000,033,280 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2004/04/02 03:40:00 | 000,021,760 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nv_agp.sys -- (nv_agp)
DRV - [2003/01/10 19:13:04 | 000,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2001/08/17 16:49:32 | 000,019,968 | ---- | M] (Macronix International Co., Ltd. ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mxnic.sys -- (mxnic)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://home.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\..\URLSearchHook: {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - C:\Program Files\Wisdom-soft\tbWisd.dll (Conduit Ltd.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: [email protected]:1.1
FF - prefs.js..extensions.enabledItems: {317B5128-0B0B-49b2-B2DB-1E7560E16C74}:2.6.6

FF - HKLM\software\mozilla\Firefox\Extensions\\{22119944-ED35-4ab1-910B-E619EA06A115}: C:\Program Files\Siber Systems\AI RoboForm\Firefox [2009/01/28 16:15:41 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/06/03 16:02:43 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2008/12/30 18:50:09 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2011/06/03 16:04:51 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\jeonaz1e.default\extensions
[2010/10/25 10:57:26 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\jeonaz1e.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/03/05 15:16:46 | 000,000,000 | ---D | M] (GTrends Keyword Grabber) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\jeonaz1e.default\extensions\[email protected]
[2011/06/03 16:02:43 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
File not found (No name found) --
() (No name found) -- C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\JEONAZ1E.DEFAULT\EXTENSIONS\{317B5128-0B0B-49B2-B2DB-1E7560E16C74}.XPI
[2011/04/14 12:26:02 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2010/01/01 04:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml

O1 HOSTS File: ([2007/09/21 14:24:43 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Wisdom-soft toolbar) - {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - C:\Program Files\Wisdom-soft\tbWisd.dll (Conduit Ltd.)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - File not found
O2 - BHO: (del.icio.us Toolbar Helper) - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll (del.icio.us, a Yahoo! Company)
O2 - BHO: (PPCScamBHO Class) - {7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll (EarthLink, Inc.)
O2 - BHO: (PeoplePal Toolbar) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll (PeoplePC)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (AOL Toolbar) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (IE Toolbar)
O3 - HKLM\..\Toolbar: (Wisdom-soft toolbar) - {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - C:\Program Files\Wisdom-soft\tbWisd.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (&RoboForm) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKLM\..\Toolbar: (del.icio.us) - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll (del.icio.us, a Yahoo! Company)
O3 - HKLM\..\Toolbar: (PeoplePal Toolbar) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll (PeoplePC)
O3 - HKCU\..\Toolbar\ShellBrowser: (del.icio.us) - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll (del.icio.us, a Yahoo! Company)
O3 - HKCU\..\Toolbar\WebBrowser: (AOL Toolbar) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (IE Toolbar)
O3 - HKCU\..\Toolbar\WebBrowser: (Wisdom-soft toolbar) - {6DFC55BB-BFFF-485A-9709-90C3FDF6DB58} - C:\Program Files\Wisdom-soft\tbWisd.dll (Conduit Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (&RoboForm) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (del.icio.us) - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll (del.icio.us, a Yahoo! Company)
O3 - HKCU\..\Toolbar\WebBrowser: (PeoplePal Toolbar) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll (PeoplePC)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NVMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\VistaMessage.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: &AOL Toolbar search - C:\Program Files\AOL Toolbar\toolbar.dll (IE Toolbar)
O8 - Extra context menu item: Customize Menu - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html ()
O8 - Extra context menu item: Fill Forms - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll (Google Inc.)
O8 - Extra context menu item: RoboForm Toolbar - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O8 - Extra context menu item: Save Forms - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - File not found
O9 - Extra Button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra 'Tools' menuitem : Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra Button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra 'Tools' menuitem : Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra Button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (IE Toolbar)
O9 - Extra 'Tools' menuitem : AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - Reg Error: Value error. File not found
O9 - Extra Button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O9 - Extra 'Tools' menuitem : RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O15 - HKCU\..Trusted Domains: //@[email protected] ([]msni in My Computer)
O15 - HKCU\..Trusted Domains: //@[email protected] ([]msni in Local intranet)
O15 - HKCU\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_12)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.4.2)
O16 - DPF: {CAFEEFAC-0014-0002-0015-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.4.2_15)
O16 - DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_12)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O20 - AppInit_DLLs: (dafopore.dll) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\zzop91: DllName - zzop91.dll - File not found
O21 - SSODL: zajitavod - {5755017d-e1ed-487a-bbbd-1ea6bf26b153} - File not found
O22 - SharedTaskScheduler: {5755017d-e1ed-487a-bbbd-1ea6bf26b153} - tokatiluy - File not found
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/26 14:04:39 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2004/09/13 12:15:24 | 000,000,053 | -HS- | M] () - D:\Autorun.inf -- [ FAT32 ]
O32 - AutoRun File - [2003/08/08 17:24:26 | 000,000,045 | -HS- | M] () - D:\autorun.inf.aug.8 -- [ FAT32 ]
O32 - AutoRun File - [2010/04/14 22:54:30 | 000,000,166 | ---- | M] () - F:\autorun.inf -- [ FAT32 ]
O33 - MountPoints2\{3273313e-686d-11dc-a229-0040ca20c10b}\Shell - "" = AutoRun
O33 - MountPoints2\{3273313e-686d-11dc-a229-0040ca20c10b}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{3273313e-686d-11dc-a229-0040ca20c10b}\Shell\AutoRun\command - "" = F:\LaunchU3.exe
O33 - MountPoints2\{3b42cc0b-67de-11dc-a227-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{3b42cc0b-67de-11dc-a227-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{3b42cc0b-67de-11dc-a227-806d6172696f}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
O33 - MountPoints2\{b32b8996-8df5-11e0-99bb-806d6172696f}\Shell\AutoRun\command - "" = F:\urDrive.exe -- [2011/02/17 19:44:32 | 001,931,264 | ---- | M] (FUHU, Inc.)
O33 - MountPoints2\D\Shell - "" = AutoRun
O33 - MountPoints2\D\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\D\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKCU\..exefile [open] -- "C:\Documents and Settings\Owner\Local Settings\Application Data\lpu.exe" -a "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- "C:\Documents and Settings\Owner\Local Settings\Application Data\lpu.exe" -a "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/06/14 15:09:22 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.scr
[2011/06/03 15:11:33 | 001,431,344 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Owner\Desktop\123jjkkmybla.exe
[2011/06/03 15:05:40 | 000,141,120 | ---- | C] (GridinSoft) -- C:\Documents and Settings\Owner\Desktop\unhider.exe
[2011/06/02 19:05:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\GridinSoft
[2011/06/02 19:05:06 | 000,000,000 | ---D | C] -- C:\Program Files\GridinSoft Trojan Killer
[2011/06/02 17:42:40 | 001,431,344 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Owner\Desktop\3e34e34e.com.exe
[2011/06/02 17:38:43 | 001,431,344 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Owner\My Documents\3e34e34e.com.exe
[2011/06/02 15:56:56 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Owner\Recent
[2011/06/02 15:42:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Start Menu\Programs\Windows XP Recovery

========== Files - Modified Within 30 Days ==========

[2011/06/14 15:11:10 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/06/14 15:04:14 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.scr
[2011/06/13 22:11:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/06/13 13:06:34 | 058,064,040 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\setup_av_free.exe
[2011/06/13 11:00:00 | 000,000,296 | ---- | M] () -- C:\WINDOWS\tasks\hkfcuilk.job
[2011/06/13 11:00:00 | 000,000,296 | ---- | M] () -- C:\WINDOWS\tasks\gyghbtfd.job
[2011/06/13 10:54:45 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\F05CDE266EA6918583F61F6AE52057BBCAC53B8D
[2011/06/13 10:49:49 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/06/13 09:49:39 | 010,753,765 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\macex.000
[2011/06/13 09:24:03 | 000,011,766 | -HS- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\784208gs8h8wp35u402827mm7xp5j0yda53h852258s
[2011/06/13 09:24:03 | 000,011,766 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\784208gs8h8wp35u402827mm7xp5j0yda53h852258s
[2011/06/10 15:16:40 | 000,004,452 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2011/06/09 16:00:22 | 010,753,765 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\macex.mex
[2011/06/03 16:02:50 | 000,000,742 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/06/03 16:02:50 | 000,000,724 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2011/06/03 15:39:30 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2011/06/03 15:15:48 | 010,659,027 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\macex.002
[2011/06/03 10:58:48 | 000,141,120 | ---- | M] (GridinSoft) -- C:\Documents and Settings\Owner\Desktop\unhider.exe
[2011/06/02 19:05:13 | 000,000,814 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Trojan Killer.lnk
[2011/06/02 17:38:43 | 001,431,344 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Owner\My Documents\3e34e34e.com.exe
[2011/06/02 17:38:43 | 001,431,344 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Owner\Desktop\3e34e34e.com.exe
[2011/06/02 17:31:23 | 001,007,108 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\rkill.com
[2011/06/02 16:46:15 | 010,659,027 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\macex.003
[2011/06/02 15:44:03 | 000,000,819 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Windows XP Recovery.lnk
[2011/06/02 15:43:35 | 000,000,136 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~20176676
[2011/06/02 15:43:33 | 000,000,160 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~20176676r
[2011/06/02 15:42:34 | 000,000,344 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\20176676
[2011/05/29 09:11:30 | 000,039,984 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/05/25 07:10:16 | 001,431,344 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Owner\Desktop\123jjkkmybla.exe
[2011/05/24 12:38:43 | 010,659,027 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\macex.001

========== Files Created - No Company Name ==========

[2099/01/01 12:00:00 | 000,006,456 | -H-- | C] () -- C:\WINDOWS\System32\ritupuzu
[2011/06/13 13:06:34 | 058,064,040 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\setup_av_free.exe
[2011/06/13 10:54:45 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\F05CDE266EA6918583F61F6AE52057BBCAC53B8D
[2011/06/11 20:22:03 | 000,011,766 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\784208gs8h8wp35u402827mm7xp5j0yda53h852258s
[2011/06/11 20:22:03 | 000,011,766 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\784208gs8h8wp35u402827mm7xp5j0yda53h852258s
[2011/06/03 16:02:50 | 000,000,742 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/06/03 16:02:50 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
[2011/06/03 16:02:50 | 000,000,724 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2011/06/02 19:05:13 | 000,000,814 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Trojan Killer.lnk
[2011/06/02 17:31:24 | 001,007,108 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\rkill.com
[2011/06/02 15:44:02 | 000,000,819 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Windows XP Recovery.lnk
[2011/06/02 15:43:33 | 000,000,160 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~20176676r
[2011/06/02 15:43:32 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~20176676
[2011/06/02 15:42:34 | 000,000,344 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\20176676
[2010/03/22 09:38:33 | 000,054,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\ioat.sys
[2010/01/25 18:21:01 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\18467.exe
[2010/01/21 12:22:48 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/01/21 12:22:48 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2009/09/02 15:13:26 | 000,000,343 | ---- | C] () -- C:\WINDOWS\ScreenHunter.INI
[2009/08/31 16:30:19 | 000,030,752 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2008/12/29 15:52:08 | 000,000,023 | ---- | C] () -- C:\WINDOWS\oldale.ini
[2008/12/12 17:10:14 | 000,000,886 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2008/09/25 11:04:17 | 000,009,216 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/07/25 09:10:45 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\winkey.exe
[2008/05/21 16:42:31 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2008/05/07 17:29:23 | 000,134,655 | ---- | C] () -- C:\WINDOWS\Data Extractor Uninstaller.exe
[2008/05/07 15:49:35 | 000,000,014 | ---- | C] () -- C:\WINDOWS\System32\winlad62.sys
[2008/05/07 15:49:34 | 000,000,023 | ---- | C] () -- C:\WINDOWS\System32\log2t62.sys
[2008/05/07 15:49:34 | 000,000,022 | ---- | C] () -- C:\WINDOWS\System32\wint162.sys
[2008/05/07 15:49:34 | 000,000,003 | ---- | C] () -- C:\WINDOWS\System32\mtxml62.sys
[2008/05/07 15:49:34 | 000,000,003 | ---- | C] () -- C:\WINDOWS\System32\intxml62.sys
[2008/05/06 16:24:36 | 000,112,640 | ---- | C] () -- C:\WINDOWS\lsb_un20.exe
[2008/03/28 11:51:12 | 000,000,087 | ---- | C] () -- C:\WINDOWS\ContentCheckup.ini
[2008/02/28 15:30:08 | 000,008,784 | ---- | C] () -- C:\WINDOWS\System32\ractrlkeyhook.dll
[2008/02/04 13:00:57 | 000,000,226 | ---- | C] () -- C:\WINDOWS\ContentComposer.ini
[2008/02/04 12:59:19 | 000,000,897 | ---- | C] () -- C:\WINDOWS\ccseinst.ini
[2008/01/08 16:40:07 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/01/07 13:02:48 | 000,001,530 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\wklnhst.dat
[2007/09/21 14:12:29 | 000,000,029 | ---- | C] () -- C:\WINDOWS\wwwbatch.ini
[2007/09/21 13:57:04 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\RegHero.exe
[2007/09/21 13:57:04 | 000,010,752 | ---- | C] () -- C:\WINDOWS\System32\PopWait.exe
[2007/09/20 20:55:34 | 000,471,300 | ---- | C] () -- C:\WINDOWS\wallpe.exe
[2007/09/20 20:51:50 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2004/11/18 10:16:42 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\nktwab.dll
[2004/08/27 06:50:59 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/08/27 05:54:47 | 000,516,096 | ---- | C] () -- C:\WINDOWS\System32\HotlineClient.exe
[2004/08/26 14:07:50 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/08/26 14:01:37 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/08/26 12:12:43 | 000,001,240 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2004/08/26 12:12:43 | 000,000,497 | ---- | C] () -- C:\WINDOWS\System32\emver.ini
[2004/08/26 12:12:13 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/26 12:12:10 | 000,432,664 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/26 12:12:10 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/26 12:12:10 | 000,067,428 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/26 12:12:10 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/26 12:12:08 | 000,005,151 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/26 12:12:07 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/26 12:12:05 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/08/26 12:12:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/26 12:11:59 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/26 12:11:54 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/26 12:11:46 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2004/08/26 06:54:56 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/08/26 06:54:01 | 000,169,896 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

========== LOP Check ==========

[2011/06/03 15:40:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2009/08/28 15:00:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Auslogics
[2008/09/04 11:33:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg7
[2008/05/07 17:06:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CraigsPal
[2007/09/21 15:13:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Insight Software
[2007/09/27 11:04:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Insight Software Solutions
[2009/01/28 16:15:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RoboForm
[2009/08/28 15:03:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2007/09/20 20:54:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/08/28 14:32:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Auslogics
[2008/09/04 11:07:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\AVG7
[2009/04/30 10:26:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\CoreFTP
[2011/01/03 18:26:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\EurekaLog
[2009/12/03 18:32:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Free Monitor for Google
[2008/06/26 11:27:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\G-Lock Software
[2011/04/06 13:48:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\GSA Email Spider
[2010/05/06 17:12:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\MarketSamurai.6E37012E1CBD7F47B14488FCC715944F3EBDCEDC.1
[2008/03/19 11:36:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\MSNInstaller
[2007/09/20 21:01:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\SampleView
[2007/09/21 14:11:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\ScamGuard
[2008/06/02 16:53:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Template
[2009/05/21 13:50:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Viewpoint
[2011/06/13 11:00:00 | 000,000,296 | ---- | M] () -- C:\WINDOWS\Tasks\gyghbtfd.job
[2011/06/13 11:00:00 | 000,000,296 | ---- | M] () -- C:\WINDOWS\Tasks\hkfcuilk.job

========== Purity Check ==========



========== Files - Unicode (All) ==========
[2010/05/06 11:23:09 | 000,002,596 | ---- | M] ()(C:\Documents and Settings\Owner\My Documents\TUB AND SHOWER KW - ALLINTITE 0-5K?.txt) -- C:\Documents and Settings\Owner\My Documents\TUB AND SHOWER KW - ALLINTITE 0-5K‏.txt
[2010/05/06 11:23:03 | 000,002,596 | ---- | C] ()(C:\Documents and Settings\Owner\My Documents\TUB AND SHOWER KW - ALLINTITE 0-5K?.txt) -- C:\Documents and Settings\Owner\My Documents\TUB AND SHOWER KW - ALLINTITE 0-5K‏.txt

========== Alternate Data Streams ==========

@Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:679ABA25

< End of report >


#2
BlackOxide

    Trusted Helper

  • Malware Removal
  • 1,976 posts
Hi, peter23fulton! Welcome to GeeksToGo! My name is BlackOxide and I will be assisting you with your Malware/Security problems. Please make sure you read all of the instructions and fixes thoroughly before continuing with them. If you have any queries or you are unsure about anything, just say and I'll help you out :unsure:

It may well be worth you printing/saving the instructions throughout the fix, so you have them to hand just in case you are unable to access this site.

Please note the following:
  • Remember to post your logs, not attach them. So any logs from any programs we run should be just 'copied & pasted' into your reply, unless I specifically need you to attach them.
  • Please only run the tools that I request. I know malware can be frustrating, but running other tools in the meantime and between posts only makes it harder for me to analyse and fix your PC in the long run.
  • I will always try and respond to replies as soon as possible, but please be patient as some logs require more time than others to fully analyse.
  • If you are not sure of anything along the way, just ask.

OK, let's start :)

Looking at the log, you do appear to still have numerous infections. First of all, I'd like you to run the following program for me please, then get back to me with the log that it creates. In the meantime, please don't run any Junk/Temp cleaners or install any other Malware removal software, as these could stop us repairing the damage that's already been done by the malware. I will try and restore those missing/hidden files and shortcuts very shortly if possible. I can't guarantee that they are still there, but if they are, we should be fine in restoring them :yes:



Download RogueKiller to your desktop

  • Quit all running programs
  • For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  • When prompted, type 1 and press Enter on the keyboard
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe
Please post the contents of the RKreport.txt in your next Reply.



In your next reply
Please post the contents of...
RKreport.txt

#3
peter23fulton

    New Member

  • Topic Starter
  • Member
  • 7 posts
Downloaded and ran rk as instructed - below is report.

Thank You

RogueKiller V5.2.3 [06/16/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-to...-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User: Owner [Admin rights]
Mode: Scan -- Date : 06/16/2011 16:16:37

Bad processes: 0

Registry Entries: 5
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[FILEASSO] HKCU\[...]Software\Classes\.exe\shell\open\command : ("C:\Documents and Settings\Owner\Local Settings\Application Data\lpu.exe" -a "%1" %*) -> FOUND
[FILEASSO] HKCU\[...]Software\Classes\exefile\shell\open\command : ("C:\Documents and Settings\Owner\Local Settings\Application Data\lpu.exe" -a "%1" %*) -> FOUND
[FILEASSO] HKCR\[...]exefile\shell\open\command : ("C:\Documents and Settings\Owner\Local Settings\Application Data\lpu.exe" -a "%1" %*) -> FOUND
[FILEASSO] HKCR\[...].exe\shell\open\command : ("C:\Documents and Settings\Owner\Local Settings\Application Data\lpu.exe" -a "%1" %*) -> FOUND

HOSTS File:
127.0.0.1 localhost


Finished : << RKreport[1].txt >>
RKreport[1].txt

#4
BlackOxide

    Trusted Helper

  • Malware Removal
  • 1,976 posts
Hey,

Can you do the following two fixes with RogueKiller please, then get back to me with a fresh OTL log :)

Roguekiller will create a log for both steps below. Please include these in your next reply if possible.



1)
Quit all running programs and run RogueKiller once again.

  • For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  • When prompted, type 2 and then press Enter
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport.txt in your next Reply.




2)
Run RogueKiller again.

  • For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  • When prompted, type 6 and then press Enter
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport.txt in your next Reply.

You must now reboot your PC to finalize the fixes





3)
Once your PC has booted, run a Quick Scan with OTL, using the instructions below

OTL Quick Scan
  • Double click on the OTL icon to run it.
  • When the window appears, underneath Output at the top, make sure Standard Output is selected.
  • Tick the Scan All Users box at the top
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open a notepad window.
  • Please post the contents of this log




4)
Can you check your applications and icons etc. please? They should have reappeared and work normally now. This doesn't mean your PC is free from infections though; there are still other scans that need to be performed, but we should be making good progress now.



In your next reply
Please post the contents of...
Roguekiller logs that were created for Steps 1 and 2
OTL log

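As an added example (my own code, not part of this thread and not RogueKiller's or OTL's own logic), here is a small Python checker that reads the `[FILEASSO]` lines from a RogueKiller report and the O35/O37 lines from an OTL log and reports which .exe/.com open handlers point at an interposed program instead of the default `"%1" %*`, plus which ones RogueKiller has already put back. The sample lines are copied from the RogueKiller and OTL reports posted in this thread; function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# A clean exefile/comfile "open" verb runs the file itself with its arguments.
DEFAULT_OPEN_CMD = '"%1" %*'

# RogueKiller registry line, e.g.
#   [FILEASSO] HKCU\[...]Software\Classes\.exe\shell\open\command : ("C:\...\lpu.exe" -a "%1" %*) -> FOUND
#   [FILEASSO] HKCU\[...]Software\Classes\exefile\shell\open\command : (...) -> REPLACED : ("%1" %*)
RK_RE = re.compile(
    r'^\[FILE ?ASSO\]\s+(?P<hive>HK[A-Z]+)\\(?P<key>\S+?)\s*:\s*\((?P<cmd>.*?)\)\s*->\s*'
    r'(?P<status>FOUND|REPLACED)(?:\s*:\s*\((?P<after>.*?)\))?\s*$'
)
# OTL O35/O37 line, e.g.
#   O35 - HKLM\..exefile [open] -- "%1" %*
#   O37 - HKU\S-1-5-21-...-1003\...exe [@ = exefile] -- "%1" %*
OTL_RE = re.compile(
    r'^O3[57] - (?P<hive>HK[A-Z]+)\\(?P<key>\S+)\s+\[(?P<verb>[^\]]+)\]\s+--\s+(?P<cmd>.*?)\s*$'
)


@dataclass
class AssocFinding:
    tool: str                 # "RogueKiller" or "OTL"
    hive: str
    key: str
    command: str              # command as the tool printed it (RogueKiller: value before its fix)
    hijacked: bool            # command differs from the default open verb
    launcher: Optional[str]   # interposed program, if any (e.g. lpu.exe in this thread)
    fixed: bool               # RogueKiller reported REPLACED back to the default


def is_default(cmd: str) -> bool:
    return cmd.strip() == DEFAULT_OPEN_CMD


def launcher_of(cmd: str) -> Optional[str]:
    """Return the program a hijacked open verb interposes in front of "%1"."""
    m = re.match(r'^"([^"]+)"', cmd.strip())
    if m:
        return m.group(1)
    parts = cmd.split()
    return parts[0] if parts else None


def parse_line(line: str) -> Optional[AssocFinding]:
    """Parse one report line; returns None for lines that are not file-association entries."""
    line = line.strip()
    m = RK_RE.match(line)
    if m:
        cmd, after = m["cmd"], m["after"]
        hijacked = not is_default(cmd)
        fixed = m["status"] == "REPLACED" and after is not None and is_default(after)
        return AssocFinding("RogueKiller", m["hive"], m["key"], cmd, hijacked,
                            launcher_of(cmd) if hijacked else None, fixed)
    m = OTL_RE.match(line)
    if m:
        cmd = m["cmd"]
        hijacked = not is_default(cmd)
        return AssocFinding("OTL", m["hive"], m["key"], cmd, hijacked,
                            launcher_of(cmd) if hijacked else None, False)
    return None


def audit(report: str) -> List[AssocFinding]:
    return [f for f in (parse_line(l) for l in report.splitlines()) if f is not None]


def interposed_launchers(findings: List[AssocFinding]) -> List[str]:
    """Distinct programs wedged into the open verb: the binaries to examine and remove."""
    return sorted({f.launcher for f in findings if f.hijacked and f.launcher})


def still_hijacked(findings: List[AssocFinding]) -> List[AssocFinding]:
    return [f for f in findings if f.hijacked and not f.fixed]


# Sample input copied from the RogueKiller scan/remove reports and the OTL log in this thread.
SAMPLE_REPORT = r"""
[FILEASSO] HKCU\[...]Software\Classes\.exe\shell\open\command : ("C:\Documents and Settings\Owner\Local Settings\Application Data\lpu.exe" -a "%1" %*) -> FOUND
[FILEASSO] HKCR\[...]exefile\shell\open\command : ("C:\Documents and Settings\Owner\Local Settings\Application Data\lpu.exe" -a "%1" %*) -> FOUND
[FILEASSO] HKCU\[...]Software\Classes\exefile\shell\open\command : ("C:\Documents and Settings\Owner\Local Settings\Application Data\lpu.exe" -a "%1" %*) -> REPLACED : ("%1" %*)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKU\S-1-5-21-578350526-1246750036-1693755002-1003\...exe [@ = exefile] -- "%1" %*
"""

if __name__ == "__main__":
    found = audit(SAMPLE_REPORT)
    for f in found:
        state = "fixed" if f.fixed else ("HIJACKED" if f.hijacked else "clean")
        print(f"{f.tool:11} {f.hive}\\{f.key}: {state}")
    print("interposed launchers:", interposed_launchers(found))
```

Every .exe launched through a hijacked verb first passes through the interposed program, which is why the poster saw the "what program do you want to use" prompt once the launcher was quarantined but the verb not yet restored.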

#5
peter23fulton

    New Member

  • Topic Starter
  • Member
  • 7 posts
RK 1 AND 2 -AND OTL

RogueKiller V5.2.3 [06/16/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-to...5-1-BRogueKillerD-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User: Owner [Admin rights]
Mode: Remove -- Date : 06/17/2011 13:56:42

Bad processes: 0

Registry Entries: 3
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[FILEASSO] HKCU\[...]Software\Classes\.exe\shell\open\command : ("C:\Documents and Settings\Owner\Local Settings\Application Data\lpu.exe" -a "%1" %*) -> REPLACED : ("%1" %*)
[FILEASSO] HKCU\[...]Software\Classes\exefile\shell\open\command : ("C:\Documents and Settings\Owner\Local Settings\Application Data\lpu.exe" -a "%1" %*) -> REPLACED : ("%1" %*)

HOSTS File:
127.0.0.1 localhost


Finished : << RKreport[1].txt >>
RKreport[1].txt





RogueKiller V5.2.3 [06/16/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-to...-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User: Owner [Admin rights]
Mode: Shortcuts HJfix -- Date : 06/17/2011 15:17:18

Bad processes: 0

File attributes restored:
Desktop: Success 0 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 22 / Fail 0
Start menu: Success 0 / Fail 0
User folder: Success 73 / Fail 0
My documents: Success 267 / Fail 0
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 1136 / Fail 0
Backup: [FOUND] Success 238 / Fail 7

Drives:
[C:] \Device\HarddiskVolume1 -- 0x3 --> Restored
[D:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[E:] \Device\CdRom0 -- 0x5 --> Skipped

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt






OTL REPORT



OTL logfile created on: 6/17/2011 3:59:06 PM - Run 2
OTL by OldTimer - Version 3.2.24.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

703.48 Mb Total Physical Memory | 83.98 Mb Available Physical Memory | 11.94% Memory free
954.55 Mb Paging File | 460.02 Mb Available in Paging File | 48.19% Paging File free
Paging file location(s): C:\pagefile.sys 288 576 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 33.69 Gb Total Space | 5.33 Gb Free Space | 15.81% Space Free | Partition Type: NTFS
Drive D: | 3.56 Gb Total Space | 1.68 Gb Free Space | 47.05% Space Free | Partition Type: FAT32
Drive E: | 0.45 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: YOUR-89F78CD95C | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/06/14 15:04:14 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.scr
PRC - [2007/12/19 21:35:50 | 000,585,728 | ---- | M] () -- C:\Documents and Settings\Owner\Start Menu\Programs\Startup\VistaMessage.exe
PRC - [2007/06/13 06:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/06/03 23:51:54 | 000,131,072 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe


========== Modules (SafeList) ==========

MOD - [2011/06/14 15:04:14 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.scr
MOD - [2006/08/25 11:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2007/09/20 20:39:38 | 000,172,032 | ---- | M] (New Boundary Technologies, Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS -- (PrismXL)
SRV - [2005/10/13 19:56:16 | 000,126,976 | ---- | M] (McAfee, Inc) [Disabled | Stopped] -- c:\Program Files\McAfee.com\Agent\Mcdetect.exe -- (McDetect.exe)
SRV - [2005/08/24 16:01:04 | 000,122,368 | ---- | M] (McAfee, Inc) [Disabled | Stopped] -- c:\Program Files\McAfee.com\Agent\McTskshd.exe -- (McTskshd.exe)
SRV - [2005/07/01 19:22:50 | 000,245,760 | ---- | M] (McAfee, Inc) [Disabled | Stopped] -- C:\Program Files\McAfee.com\Agent\mcupdmgr.exe -- (mcupdmgr.exe)
SRV - [2004/04/07 12:07:32 | 001,135,728 | ---- | M] (America Online, Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe -- (AOL ACS)


========== Driver Services (SafeList) ==========

DRV - [2010/02/17 14:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Documents and Settings\Owner\Local Settings\Temp\SAS_SelfExtract\sasdifsv.sys -- (SASDIFSV)
DRV - [2008/12/22 12:06:02 | 000,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2008/12/22 12:05:58 | 000,055,024 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2007/09/20 20:53:44 | 000,008,552 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2004/06/17 18:56:22 | 000,220,032 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2004/06/17 18:55:38 | 000,685,056 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/06/17 18:55:04 | 001,041,536 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2004/05/25 18:58:04 | 000,396,032 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvapu.sys -- (nvnforce) Service for NVIDIA® nForce™
DRV - [2004/05/25 18:58:02 | 000,048,640 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvax.sys -- (nvax) Service for NVIDIA® nForce™
DRV - [2004/05/17 02:00:54 | 000,012,928 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2004/05/17 02:00:52 | 000,033,280 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2004/04/02 03:40:00 | 000,021,760 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nv_agp.sys -- (nv_agp)
DRV - [2003/01/10 19:13:04 | 000,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2001/08/17 16:49:32 | 000,019,968 | ---- | M] (Macronix International Co., Ltd. ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mxnic.sys -- (mxnic)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555



IE - HKU\S-1-5-21-578350526-1246750036-1693755002-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-578350526-1246750036-1693755002-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://home.msn.com/
IE - HKU\S-1-5-21-578350526-1246750036-1693755002-1003\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-578350526-1246750036-1693755002-1003\..\URLSearchHook: {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - C:\Program Files\Wisdom-soft\tbWisd.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-578350526-1246750036-1693755002-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: [email protected]:1.1
FF - prefs.js..extensions.enabledItems: {317B5128-0B0B-49b2-B2DB-1E7560E16C74}:2.6.6

FF - HKLM\software\mozilla\Firefox\Extensions\\{22119944-ED35-4ab1-910B-E619EA06A115}: C:\Program Files\Siber Systems\AI RoboForm\Firefox [2009/01/28 16:15:41 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/06/03 16:02:43 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2008/12/30 18:50:09 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2011/06/03 16:04:51 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\jeonaz1e.default\extensions
[2010/10/25 10:57:26 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\jeonaz1e.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/03/05 15:16:46 | 000,000,000 | ---D | M] (GTrends Keyword Grabber) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\jeonaz1e.default\extensions\[email protected]
[2011/06/03 16:02:43 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
File not found (No name found) --
() (No name found) -- C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\JEONAZ1E.DEFAULT\EXTENSIONS\{317B5128-0B0B-49B2-B2DB-1E7560E16C74}.XPI
[2011/04/14 12:26:02 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2010/01/01 04:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml

O1 HOSTS File: ([2007/09/21 14:24:43 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Wisdom-soft toolbar) - {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - C:\Program Files\Wisdom-soft\tbWisd.dll (Conduit Ltd.)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - File not found
O2 - BHO: (del.icio.us Toolbar Helper) - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll (del.icio.us, a Yahoo! Company)
O2 - BHO: (PPCScamBHO Class) - {7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll (EarthLink, Inc.)
O2 - BHO: (PeoplePal Toolbar) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll (PeoplePC)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (AOL Toolbar) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (IE Toolbar)
O3 - HKLM\..\Toolbar: (Wisdom-soft toolbar) - {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - C:\Program Files\Wisdom-soft\tbWisd.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (&RoboForm) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKLM\..\Toolbar: (del.icio.us) - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll (del.icio.us, a Yahoo! Company)
O3 - HKLM\..\Toolbar: (PeoplePal Toolbar) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll (PeoplePC)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (AOL Toolbar) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (IE Toolbar)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (del.icio.us) - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll (del.icio.us, a Yahoo! Company)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (PeoplePal Toolbar) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll (PeoplePC)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (AOL Toolbar) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (IE Toolbar)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (del.icio.us) - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll (del.icio.us, a Yahoo! Company)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (PeoplePal Toolbar) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll (PeoplePC)
O3 - HKU\S-1-5-21-578350526-1246750036-1693755002-1003\..\Toolbar\ShellBrowser: (del.icio.us) - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll (del.icio.us, a Yahoo! Company)
O3 - HKU\S-1-5-21-578350526-1246750036-1693755002-1003\..\Toolbar\WebBrowser: (AOL Toolbar) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (IE Toolbar)
O3 - HKU\S-1-5-21-578350526-1246750036-1693755002-1003\..\Toolbar\WebBrowser: (Wisdom-soft toolbar) - {6DFC55BB-BFFF-485A-9709-90C3FDF6DB58} - C:\Program Files\Wisdom-soft\tbWisd.dll (Conduit Ltd.)
O3 - HKU\S-1-5-21-578350526-1246750036-1693755002-1003\..\Toolbar\WebBrowser: (&RoboForm) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKU\S-1-5-21-578350526-1246750036-1693755002-1003\..\Toolbar\WebBrowser: (del.icio.us) - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll (del.icio.us, a Yahoo! Company)
O3 - HKU\S-1-5-21-578350526-1246750036-1693755002-1003\..\Toolbar\WebBrowser: (PeoplePal Toolbar) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll (PeoplePC)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NVMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKU\.DEFAULT..\Run: [RoboForm] C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe (Siber Systems)
O4 - HKU\S-1-5-18..\Run: [RoboForm] C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe (Siber Systems)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\run_mfu_us.cmd ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\run_startmenu.cmd ()
O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\VistaMessage.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-578350526-1246750036-1693755002-1003\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-578350526-1246750036-1693755002-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: &AOL Toolbar search - C:\Program Files\AOL Toolbar\toolbar.dll (IE Toolbar)
O8 - Extra context menu item: Customize Menu - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html ()
O8 - Extra context menu item: Fill Forms - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll (Google Inc.)
O8 - Extra context menu item: RoboForm Toolbar - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O8 - Extra context menu item: Save Forms - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - File not found
O9 - Extra Button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra 'Tools' menuitem : Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra Button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra 'Tools' menuitem : Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra Button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (IE Toolbar)
O9 - Extra 'Tools' menuitem : AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - Reg Error: Value error. File not found
O9 - Extra Button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O9 - Extra 'Tools' menuitem : RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O15 - HKU\S-1-5-21-578350526-1246750036-1693755002-1003\..Trusted Domains: //@[email protected] ([]msni in My Computer)
O15 - HKU\S-1-5-21-578350526-1246750036-1693755002-1003\..Trusted Domains: //@[email protected] ([]msni in Local intranet)
O15 - HKU\S-1-5-21-578350526-1246750036-1693755002-1003\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_12)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.4.2)
O16 - DPF: {CAFEEFAC-0014-0002-0015-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.4.2_15)
O16 - DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_12)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 192.168.1.1
O20 - AppInit_DLLs: (dafopore.dll) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\zzop91: DllName - zzop91.dll - File not found
O21 - SSODL: zajitavod - {5755017d-e1ed-487a-bbbd-1ea6bf26b153} - File not found
O22 - SharedTaskScheduler: {5755017d-e1ed-487a-bbbd-1ea6bf26b153} - tokatiluy - File not found
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/26 14:04:39 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2004/09/13 12:15:24 | 000,000,053 | --S- | M] () - D:\Autorun.inf -- [ FAT32 ]
O32 - AutoRun File - [2003/08/08 17:24:26 | 000,000,045 | --S- | M] () - D:\autorun.inf.aug.8 -- [ FAT32 ]
O33 - MountPoints2\{3273313e-686d-11dc-a229-0040ca20c10b}\Shell - "" = AutoRun
O33 - MountPoints2\{3273313e-686d-11dc-a229-0040ca20c10b}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{3273313e-686d-11dc-a229-0040ca20c10b}\Shell\AutoRun\command - "" = F:\LaunchU3.exe
O33 - MountPoints2\{b32b8996-8df5-11e0-99bb-806d6172696f}\Shell\AutoRun\command - "" = F:\urDrive.exe
O33 - MountPoints2\D\Shell - "" = AutoRun
O33 - MountPoints2\D\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\D\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKU\S-1-5-21-578350526-1246750036-1693755002-1003..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-578350526-1246750036-1693755002-1003\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/06/17 13:58:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox
[2011/06/17 13:58:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\avast! Free Antivirus
[2011/06/16 16:16:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\RK_Quarantine
[2011/06/14 15:09:22 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.scr
[2011/06/03 15:11:33 | 001,431,344 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Owner\Desktop\123jjkkmybla.exe
[2011/06/03 15:05:40 | 000,141,120 | ---- | C] (GridinSoft) -- C:\Documents and Settings\Owner\Desktop\unhider.exe
[2011/06/02 19:05:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\GridinSoft
[2011/06/02 19:05:06 | 000,000,000 | ---D | C] -- C:\Program Files\GridinSoft Trojan Killer
[2011/06/02 17:42:40 | 001,431,344 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Owner\Desktop\3e34e34e.com.exe
[2011/06/02 17:38:43 | 001,431,344 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Owner\My Documents\3e34e34e.com.exe
[2011/06/02 15:56:56 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Owner\Recent
[2011/06/02 15:42:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Start Menu\Programs\Windows XP Recovery

========== Files - Modified Within 30 Days ==========

[2011/06/17 16:00:01 | 000,000,296 | ---- | M] () -- C:\WINDOWS\tasks\hkfcuilk.job
[2011/06/17 16:00:01 | 000,000,296 | ---- | M] () -- C:\WINDOWS\tasks\gyghbtfd.job
[2011/06/17 15:28:35 | 000,004,452 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2011/06/17 15:27:27 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/06/17 15:26:53 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/06/17 15:11:10 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/06/16 11:21:31 | 000,512,512 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\RogueKiller.exe
[2011/06/16 11:21:31 | 000,512,512 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\roguekiller.com.exe
[2011/06/16 11:13:16 | 062,081,710 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\DM.rar
[2011/06/14 15:04:14 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.scr
[2011/06/13 13:06:34 | 058,064,040 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\setup_av_free.exe
[2011/06/13 10:54:45 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\F05CDE266EA6918583F61F6AE52057BBCAC53B8D
[2011/06/13 09:49:39 | 010,753,765 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\macex.000
[2011/06/13 09:24:03 | 000,011,766 | --S- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\784208gs8h8wp35u402827mm7xp5j0yda53h852258s
[2011/06/13 09:24:03 | 000,011,766 | --S- | M] () -- C:\Documents and Settings\All Users\Application Data\784208gs8h8wp35u402827mm7xp5j0yda53h852258s
[2011/06/09 16:00:22 | 010,753,765 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\macex.mex
[2011/06/03 16:02:50 | 000,000,742 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/06/03 16:02:50 | 000,000,724 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2011/06/03 15:39:30 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2011/06/03 15:15:48 | 010,659,027 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\macex.002
[2011/06/03 10:58:48 | 000,141,120 | ---- | M] (GridinSoft) -- C:\Documents and Settings\Owner\Desktop\unhider.exe
[2011/06/02 19:05:13 | 000,000,814 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Trojan Killer.lnk
[2011/06/02 17:38:43 | 001,431,344 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Owner\My Documents\3e34e34e.com.exe
[2011/06/02 17:38:43 | 001,431,344 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Owner\Desktop\3e34e34e.com.exe
[2011/06/02 17:31:23 | 001,007,108 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\rkill.com
[2011/06/02 16:46:15 | 010,659,027 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\macex.003
[2011/06/02 15:44:03 | 000,000,819 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Windows XP Recovery.lnk
[2011/06/02 15:43:35 | 000,000,136 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~20176676
[2011/06/02 15:43:33 | 000,000,160 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~20176676r
[2011/06/02 15:42:34 | 000,000,344 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\20176676
[2011/05/29 09:11:30 | 000,039,984 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/05/25 07:10:16 | 001,431,344 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Owner\Desktop\123jjkkmybla.exe
[2011/05/24 12:38:43 | 010,659,027 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\macex.001

========== Files Created - No Company Name ==========

[2099/01/01 12:00:00 | 000,006,456 | ---- | C] () -- C:\WINDOWS\System32\ritupuzu
[2011/06/17 13:58:43 | 000,002,541 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\HighPageRank.lnk
[2011/06/17 13:58:43 | 000,001,794 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\PeoplePC Online.LNK
[2011/06/17 13:58:43 | 000,001,700 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2011/06/17 13:58:43 | 000,000,804 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2011/06/17 13:58:43 | 000,000,780 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2011/06/17 13:58:43 | 000,000,748 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Niche Research Commando.lnk
[2011/06/17 13:58:43 | 000,000,701 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\FLV Player.lnk
[2011/06/17 13:58:43 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/06/17 13:58:43 | 000,000,656 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Core FTP Lite.lnk
[2011/06/17 13:58:43 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
[2011/06/17 13:58:42 | 000,001,641 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\MSN.lnk
[2011/06/17 13:58:42 | 000,000,815 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/06/17 13:58:42 | 000,000,814 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Auslogics BoostSpeed.lnk
[2011/06/17 13:58:42 | 000,000,808 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Content Magnet Article Extractor.lnk
[2011/06/17 13:58:42 | 000,000,786 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Movie Maker.lnk
[2011/06/17 13:58:42 | 000,000,609 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Messenger.lnk
[2011/06/17 13:58:41 | 000,000,045 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\run_startmenu.cmd
[2011/06/17 13:58:41 | 000,000,042 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\run_mfu_us.cmd
[2011/06/17 13:58:40 | 000,001,814 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\PeoplePC Online
[2011/06/17 13:58:39 | 000,001,878 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Works Task Launcher.lnk
[2011/06/17 13:58:39 | 000,001,096 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\MSN Encarta Plus.lnk
[2011/06/17 13:58:38 | 000,001,961 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Office PowerPoint Viewer 2003.lnk
[2011/06/17 13:58:38 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Market Samurai.lnk
[2011/06/17 13:58:37 | 000,000,718 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Macro Express 3.lnk
[2011/06/17 13:58:34 | 000,000,656 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\EdwinSoft Semi-Auto Bookmarking 1.0.lnk
[2011/06/17 13:58:31 | 000,002,311 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader 8.lnk
[2011/06/16 11:24:15 | 000,512,512 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\roguekiller.com.exe
[2011/06/16 11:21:22 | 000,512,512 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\RogueKiller.exe
[2011/06/16 11:13:16 | 062,081,710 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\DM.rar
[2011/06/13 13:06:34 | 058,064,040 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\setup_av_free.exe
[2011/06/13 10:54:45 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\F05CDE266EA6918583F61F6AE52057BBCAC53B8D
[2011/06/11 20:22:03 | 000,011,766 | --S- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\784208gs8h8wp35u402827mm7xp5j0yda53h852258s
[2011/06/11 20:22:03 | 000,011,766 | --S- | C] () -- C:\Documents and Settings\All Users\Application Data\784208gs8h8wp35u402827mm7xp5j0yda53h852258s
[2011/06/03 16:02:50 | 000,000,742 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/06/03 16:02:50 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox
[2011/06/03 16:02:50 | 000,000,724 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2011/06/02 19:05:13 | 000,000,814 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Trojan Killer.lnk
[2011/06/02 17:31:24 | 001,007,108 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\rkill.com
[2011/06/02 15:44:02 | 000,000,819 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Windows XP Recovery.lnk
[2011/06/02 15:43:33 | 000,000,160 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~20176676r
[2011/06/02 15:43:32 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~20176676
[2011/06/02 15:42:34 | 000,000,344 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\20176676
[2010/03/22 09:38:33 | 000,054,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\ioat.sys
[2010/01/25 18:21:01 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\18467.exe
[2010/01/21 12:22:48 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/01/21 12:22:48 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2009/09/02 15:13:26 | 000,000,343 | ---- | C] () -- C:\WINDOWS\ScreenHunter.INI
[2009/08/31 16:30:19 | 000,030,752 | ---- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2008/12/29 15:52:08 | 000,000,023 | ---- | C] () -- C:\WINDOWS\oldale.ini
[2008/12/12 17:10:14 | 000,000,886 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2008/09/25 11:04:17 | 000,009,216 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/07/25 09:10:45 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\winkey.exe
[2008/05/21 16:42:31 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2008/05/07 17:29:23 | 000,134,655 | ---- | C] () -- C:\WINDOWS\Data Extractor Uninstaller.exe
[2008/05/07 15:49:35 | 000,000,014 | ---- | C] () -- C:\WINDOWS\System32\winlad62.sys
[2008/05/07 15:49:34 | 000,000,023 | ---- | C] () -- C:\WINDOWS\System32\log2t62.sys
[2008/05/07 15:49:34 | 000,000,022 | ---- | C] () -- C:\WINDOWS\System32\wint162.sys
[2008/05/07 15:49:34 | 000,000,003 | ---- | C] () -- C:\WINDOWS\System32\mtxml62.sys
[2008/05/07 15:49:34 | 000,000,003 | ---- | C] () -- C:\WINDOWS\System32\intxml62.sys
[2008/05/06 16:24:36 | 000,112,640 | ---- | C] () -- C:\WINDOWS\lsb_un20.exe
[2008/03/28 11:51:12 | 000,000,087 | ---- | C] () -- C:\WINDOWS\ContentCheckup.ini
[2008/02/28 15:30:08 | 000,008,784 | ---- | C] () -- C:\WINDOWS\System32\ractrlkeyhook.dll
[2008/02/04 13:00:57 | 000,000,226 | ---- | C] () -- C:\WINDOWS\ContentComposer.ini
[2008/02/04 12:59:19 | 000,000,897 | ---- | C] () -- C:\WINDOWS\ccseinst.ini
[2008/01/08 16:40:07 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/01/07 13:02:48 | 000,001,530 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\wklnhst.dat
[2007/09/21 14:12:29 | 000,000,029 | ---- | C] () -- C:\WINDOWS\wwwbatch.ini
[2007/09/21 13:57:04 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\RegHero.exe
[2007/09/21 13:57:04 | 000,010,752 | ---- | C] () -- C:\WINDOWS\System32\PopWait.exe
[2007/09/20 20:55:34 | 000,471,300 | ---- | C] () -- C:\WINDOWS\wallpe.exe
[2007/09/20 20:51:50 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2004/11/18 10:16:42 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\nktwab.dll
[2004/08/27 06:50:59 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/08/27 05:54:47 | 000,516,096 | ---- | C] () -- C:\WINDOWS\System32\HotlineClient.exe
[2004/08/26 14:07:50 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/08/26 14:01:37 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/08/26 12:12:43 | 000,001,240 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2004/08/26 12:12:43 | 000,000,497 | ---- | C] () -- C:\WINDOWS\System32\emver.ini
[2004/08/26 12:12:13 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/26 12:12:10 | 000,432,664 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/26 12:12:10 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/26 12:12:10 | 000,067,428 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/26 12:12:10 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/26 12:12:08 | 000,005,151 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/26 12:12:07 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/26 12:12:05 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/08/26 12:12:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/26 12:11:59 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/26 12:11:54 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/26 12:11:46 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2004/08/26 06:54:56 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/08/26 06:54:01 | 000,169,896 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

========== LOP Check ==========

[2007/09/20 21:01:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\SampleView
[2011/06/03 15:40:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2009/08/28 15:00:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Auslogics
[2008/09/04 11:33:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg7
[2008/05/07 17:06:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CraigsPal
[2007/09/21 15:13:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Insight Software
[2007/09/27 11:04:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Insight Software Solutions
[2009/01/28 16:15:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RoboForm
[2009/08/28 15:03:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2007/09/20 20:54:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2007/09/20 21:01:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\SampleView
[2008/01/11 18:07:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\AVG7
[2008/05/17 15:31:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\ScamGuard
[2009/08/28 14:32:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Auslogics
[2008/09/04 11:07:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\AVG7
[2009/04/30 10:26:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\CoreFTP
[2011/01/03 18:26:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\EurekaLog
[2009/12/03 18:32:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Free Monitor for Google
[2008/06/26 11:27:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\G-Lock Software
[2011/04/06 13:48:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\GSA Email Spider
[2010/05/06 17:12:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\MarketSamurai.6E37012E1CBD7F47B14488FCC715944F3EBDCEDC.1
[2008/03/19 11:36:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\MSNInstaller
[2007/09/20 21:01:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\SampleView
[2007/09/21 14:11:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\ScamGuard
[2008/06/02 16:53:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Template
[2009/05/21 13:50:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Viewpoint
[2011/06/17 16:00:01 | 000,000,296 | ---- | M] () -- C:\WINDOWS\Tasks\gyghbtfd.job
[2011/06/17 16:00:01 | 000,000,296 | ---- | M] () -- C:\WINDOWS\Tasks\hkfcuilk.job

========== Purity Check ==========



========== Files - Unicode (All) ==========
[2010/05/06 11:23:09 | 000,002,596 | ---- | M] ()(C:\Documents and Settings\Owner\My Documents\TUB AND SHOWER KW - ALLINTITE 0-5K?.txt) -- C:\Documents and Settings\Owner\My Documents\TUB AND SHOWER KW - ALLINTITE 0-5K‏.txt
[2010/05/06 11:23:03 | 000,002,596 | ---- | C] ()(C:\Documents and Settings\Owner\My Documents\TUB AND SHOWER KW - ALLINTITE 0-5K?.txt) -- C:\Documents and Settings\Owner\My Documents\TUB AND SHOWER KW - ALLINTITE 0-5K‏.txt

========== Alternate Data Streams ==========

@Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:679ABA25

< End of report >

Edited by peter23fulton, 17 June 2011 - 02:14 PM.

  • 0

#6
BlackOxide

    Trusted Helper

  • Malware Removal
  • 1,976 posts
Let's now remove the infections found within the OTL log. Once you have done this, I would like you to run aswMBR, which will check your MBR and give me info on any rootkits that may be lurking.



1)
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Processes
    killallprocesses
    
    :OTL
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
    O2 - BHO: (PPCScamBHO Class) - {7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll (EarthLink, Inc.)
    O2 - BHO: (PeoplePal Toolbar) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll (PeoplePC)
    O3 - HKLM\..\Toolbar: (PeoplePal Toolbar) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll (PeoplePC)
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (PeoplePal Toolbar) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll (PeoplePC)
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (PeoplePal Toolbar) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll (PeoplePC)
    O3 - HKU\S-1-5-21-578350526-1246750036-1693755002-1003\..\Toolbar\WebBrowser: (PeoplePal Toolbar) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll (PeoplePC)
    O20 - Winlogon\Notify\zzop91: DllName - zzop91.dll - File not found
    O21 - SSODL: zajitavod - {5755017d-e1ed-487a-bbbd-1ea6bf26b153} - File not found
    O22 - SharedTaskScheduler: {5755017d-e1ed-487a-bbbd-1ea6bf26b153} - tokatiluy - File not found
    [2011/06/02 15:42:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Start Menu\Programs\Windows XP Recovery
    [2011/06/17 16:00:01 | 000,000,296 | ---- | M] () -- C:\WINDOWS\tasks\hkfcuilk.job
    [2011/06/17 16:00:01 | 000,000,296 | ---- | M] () -- C:\WINDOWS\tasks\gyghbtfd.job
    [2011/06/13 09:24:03 | 000,011,766 | --S- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\784208gs8h8wp35u402827mm7xp5j0yda53h852258s
    [2011/06/13 09:24:03 | 000,011,766 | --S- | M] () -- C:\Documents and Settings\All Users\Application Data\784208gs8h8wp35u402827mm7xp5j0yda53h852258s
    [2011/06/02 15:44:03 | 000,000,819 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Windows XP Recovery.lnk
    [2011/06/02 15:43:35 | 000,000,136 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~20176676
    [2011/06/02 15:43:33 | 000,000,160 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~20176676r
    [2011/06/02 15:42:34 | 000,000,344 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\20176676
    [2099/01/01 12:00:00 | 000,006,456 | ---- | C] () -- C:\WINDOWS\System32\ritupuzu
    [2011/06/17 13:58:43 | 000,001,794 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\PeoplePC Online.LNK
    [2011/06/11 20:22:03 | 000,011,766 | --S- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\784208gs8h8wp35u402827mm7xp5j0yda53h852258s
    [2011/06/11 20:22:03 | 000,011,766 | --S- | C] () -- C:\Documents and Settings\All Users\Application Data\784208gs8h8wp35u402827mm7xp5j0yda53h852258s
    [2011/06/02 15:44:02 | 000,000,819 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Windows XP Recovery.lnk
    [2010/03/22 09:38:33 | 000,054,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\ioat.sys
    [2010/01/25 18:21:01 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\18467.exe
    [2008/07/25 09:10:45 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\winkey.exe
    
    :Services
    
    :Reg
    
    :Files
    ipconfig /flushdns /c
    
    :Commands
    [purity]
    [resethosts]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done.
  • Open OTL again, tick the Scan All Users box at the top and then click the Quick Scan button. Post the log it produces in your next reply.




2)
Download aswMBR.exe (511KB) to your desktop.

Double-click aswMBR.exe to run it.

Click the "Scan" button to start the scan.

On completion of the scan, click "Save log", save it to your desktop and post it in your next reply.





3)
  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:

    • C:\Documents and Settings\Owner\Start Menu\Programs\Startup\VistaMessage.exe
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.




In your next reply
Please post the contents of...
OTL log
aswMBR log
VirScan log

  • 0
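As an added illustration (not OTL's own code and not something posted in this thread), a small Python triage script that encodes the judgements the fix script above relies on when reading OTL report lines: an IE proxy pointing at the local machine, O20/O21/O22 shell hooks whose file is missing, scheduled-task files with random eight-letter names, timestamps later than the scan date, and zero-byte executables. The sample lines are constructed in OTL's format (suspicious entries mirror this log, the benign ones are made up), and the function and category names are my own.

```python
"""Triage for OTL report lines.  Added illustration only: this is not OTL's
code and was not posted in the thread.  It encodes the judgements behind the
fix script so a reader can see why those particular lines were selected."""
import re
from datetime import date, datetime

# Constructed sample in OTL's report format.  Suspicious lines mirror entries
# from the log in this thread; the benign lines are made up for contrast.
SAMPLE_LOG = r"""
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
O20 - Winlogon\Notify\zzop91: DllName - zzop91.dll - File not found
O21 - SSODL: zajitavod - {5755017d-e1ed-487a-bbbd-1ea6bf26b153} - File not found
O22 - SharedTaskScheduler: {5755017d-e1ed-487a-bbbd-1ea6bf26b153} - tokatiluy - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
[2011/06/17 16:00:01 | 000,000,296 | ---- | M] () -- C:\WINDOWS\tasks\hkfcuilk.job
[2011/06/17 15:27:27 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2099/01/01 12:00:00 | 000,006,456 | ---- | C] () -- C:\WINDOWS\System32\ritupuzu
[2010/01/25 18:21:01 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\18467.exe
[2004/08/26 12:12:10 | 000,432,664 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
"""

# "[date time | size | attrs | C/M] (company) -- path"; the company part is
# absent on directory entries, so it is optional here.
FILE_RE = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| ([\d,]+) \| ([-A-Z]{4}) \| [CM]\]"
    r" (?:\([^)]*\) )?-- (.+)$")
PROXY_RE = re.compile(r'^IE - (.+?): "ProxyServer" = (.*)$')
# Only the shell-hook categories: an O34 BootExecute "File not found" is
# normal on XP and is deliberately not matched.
MISSING_RE = re.compile(r"^(O2[0-2]) - (.+) - File not found$")
# Task files named with eight random lowercase letters, as in this thread.
RANDOM_JOB_RE = re.compile(r"\\([a-z]{8})\.job$")


def loopback_proxy(value):
    """True when any proxy entry ("http=host:port;..." or "host:port") points
    at the local machine, which is how the hijacker in this thread sat in
    front of Internet Explorer."""
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        hostport = entry.split("=", 1)[1] if "=" in entry else entry
        host = hostport.rsplit(":", 1)[0].strip("[]").lower()
        if host in ("localhost", "::1") or host.startswith("127."):
            return True
    return False


def triage(log_text, run_date):
    """Return (category, detail) findings for the lines of an OTL report.
    run_date is the day the report was made; later timestamps are flagged."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = PROXY_RE.match(line)
        if m and loopback_proxy(m.group(2)):
            findings.append(("loopback-proxy", f"{m.group(1)} -> {m.group(2)}"))
            continue
        m = MISSING_RE.match(line)
        if m:
            findings.append(("dangling-shell-hook", f"{m.group(1)}: {m.group(2)}"))
            continue
        m = FILE_RE.match(line)
        if not m:
            continue
        stamp, size, attrs, path = m.groups()
        when = datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S").date()
        nbytes = int(size.replace(",", ""))
        is_dir = "D" in attrs
        if when > run_date:
            findings.append(("future-timestamp", f"{stamp} {path}"))
        if RANDOM_JOB_RE.search(path):
            findings.append(("random-name-task", path))
        if not is_dir and nbytes == 0 and path.lower().endswith((".exe", ".dll", ".sys")):
            findings.append(("empty-executable", path))
    return findings


def triage_sample():
    """Run the triage over the constructed sample, dated to the thread's log."""
    return triage(SAMPLE_LOG, date(2011, 6, 17))


if __name__ == "__main__":
    for category, detail in triage_sample():
        print(f"{category:20s} {detail}")
```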

#7
peter23fulton

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
OTL LOG -


========== PROCESSES ==========
All processes killed
========== OTL ==========
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED}\ deleted successfully.
C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A8FB8EB3-183B-4598-924D-86F0E5E37085}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A8FB8EB3-183B-4598-924D-86F0E5E37085}\ deleted successfully.
C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{A8FB8EB3-183B-4598-924D-86F0E5E37085} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A8FB8EB3-183B-4598-924D-86F0E5E37085}\ not found.
File C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{A8FB8EB3-183B-4598-924D-86F0E5E37085} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A8FB8EB3-183B-4598-924D-86F0E5E37085}\ not found.
File C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{A8FB8EB3-183B-4598-924D-86F0E5E37085} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A8FB8EB3-183B-4598-924D-86F0E5E37085}\ not found.
File C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll not found.
Registry value HKEY_USERS\S-1-5-21-578350526-1246750036-1693755002-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{A8FB8EB3-183B-4598-924D-86F0E5E37085} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A8FB8EB3-183B-4598-924D-86F0E5E37085}\ not found.
File C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zzop91\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\zajitavod deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5755017d-e1ed-487a-bbbd-1ea6bf26b153}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{5755017d-e1ed-487a-bbbd-1ea6bf26b153} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5755017d-e1ed-487a-bbbd-1ea6bf26b153}\ not found.
C:\Documents and Settings\Owner\Start Menu\Programs\Windows XP Recovery folder moved successfully.
C:\WINDOWS\tasks\hkfcuilk.job moved successfully.
C:\WINDOWS\tasks\gyghbtfd.job moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\784208gs8h8wp35u402827mm7xp5j0yda53h852258s moved successfully.
C:\Documents and Settings\All Users\Application Data\784208gs8h8wp35u402827mm7xp5j0yda53h852258s moved successfully.
C:\Documents and Settings\Owner\Desktop\Windows XP Recovery.lnk moved successfully.
C:\Documents and Settings\All Users\Application Data\~20176676 moved successfully.
C:\Documents and Settings\All Users\Application Data\~20176676r moved successfully.
C:\Documents and Settings\All Users\Application Data\20176676 moved successfully.
C:\WINDOWS\system32\ritupuzu moved successfully.
C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\PeoplePC Online.LNK moved successfully.
File C:\Documents and Settings\Owner\Local Settings\Application Data\784208gs8h8wp35u402827mm7xp5j0yda53h852258s not found.
File C:\Documents and Settings\All Users\Application Data\784208gs8h8wp35u402827mm7xp5j0yda53h852258s not found.
File C:\Documents and Settings\Owner\Desktop\Windows XP Recovery.lnk not found.
C:\WINDOWS\system32\drivers\ioat.sys moved successfully.
C:\WINDOWS\system32\18467.exe moved successfully.
C:\WINDOWS\system32\winkey.exe moved successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Owner\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Owner\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.24.0 log created on 06182011_144504

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
  • 0

#8
BlackOxide

    Trusted Helper

  • Malware Removal
  • 1,976 posts
OTL looks to have removed those files, which is good. Just post the OTL Quick scan log and the aswMBR and VirScan logs, when you have them :)
  • 0

#9
peter23fulton

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
aswMBR Log

aswMBR version 0.9.7.675 Copyright© 2011 AVAST Software
Run date: 2011-06-20 11:53:39
-----------------------------
11:53:39.078 OS Version: Windows 5.1.2600 Service Pack 2
11:53:39.078 Number of processors: 1 586 0xA00
11:53:39.078 ComputerName: YOUR-89F78CD95C UserName: Owner
11:54:00.093 Initialize success
12:14:30.453 AVAST engine defs: 11061901
13:50:09.828 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
13:50:09.828 Disk 0 Vendor: ST340015A 3.15 Size: 38166MB BusType: 3
13:50:11.859 Disk 0 MBR read successfully
13:50:11.859 Disk 0 MBR scan
13:50:11.890 Disk 0 unknown MBR code
13:50:13.890 Disk 0 scanning sectors +78140160
13:50:13.906 Disk 0 scanning C:\WINDOWS\system32\drivers
13:50:29.765 File: C:\WINDOWS\system32\drivers\volsnap.sys **INFECTED** Win32:Alureon-PS
13:50:30.078 Service scanning
13:50:34.171 Disk 0 trace - called modules:
13:50:34.203 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85cf21ed]<<
13:50:34.203 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85ce1ab8]
13:50:34.218 3 CLASSPNP.SYS[f7dbb05b] -> nt!IofCallDriver -> \Device\00000081[0x85e1b1c0]
13:50:34.718 5 ACPI.sys[f7cb1620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x85d37d98]
13:50:34.718 \Driver\atapi[0x85dc4e40] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x85cf21ed
13:50:38.921 AVAST engine scan C:\WINDOWS
14:23:35.984 File: C:\WINDOWS\system32\drivers\volsnap.sys **INFECTED** Win32:Alureon-PS
14:30:27.500 File: C:\WINDOWS\system32\wtempfile.exe **INFECTED** MSIL:Agent-V [Trj]
14:58:33.890 AVAST engine scan C:\Documents and Settings\Owner
15:02:32.687 File: C:\Documents and Settings\Owner\Desktop\mailbot\gmail.exe **INFECTED** Win32:Trojan-gen
16:50:51.265 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"
16:50:51.406 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR.txt"


VirSCAN.org Scanned Report :


Scanned time : 2011/06/20 16:58:07 (EDT)
Scanner results: Scanners did not find malware!
File Name : bla.txt
File Size : 76 byte
File Type : ASCII text, with no line terminators
MD5 : 57d4834b2c14eb11787b9c4793479a11
SHA1 : a17d493bda49eaa69a690c5541c9baef098e73c5
Online report : http://file.virscan....0cdcba1d53.html

Scanner | Engine Ver | Sig Ver | Sig Date | Time | Scan result
a-squared | 5.1.0.2 | 20110618050619 | 2011-06-18 | 5.79 | -
AhnLab V3 | 2011.06.21.00 | 2011.06.21 | 2011-06-21 | 1.53 | -
AntiVir | 8.2.5.20 | 7.11.10.40 | 2011-06-20 | 0.27 | -
Antiy | 2.0.18 | 20110205.7694535 | 2011-02-05 | 0.02 | -
Arcavir | 2011 | 201105080215 | 2011-05-08 | 0.01 | -
Authentium | 5.1.1 | 201106201450 | 2011-06-20 | 1.44 | -
AVAST! | 4.7.4 | 110620-2 | 2011-06-20 | 0.00 | -
AVG | 8.5.850 | 271.1.1/3715 | 2011-06-20 | 0.24 | -
BitDefender | 7.90123.7406640 | 7.37559 | 2011-05-24 | 0.00 | -
ClamAV | 0.96.5 | 13216 | 2011-06-20 | 0.00 | -
Comodo | 4.0 | 9137 | 2011-06-20 | 1.36 | -
CP Secure | 1.3.0.5 | 2011.06.21 | 2011-06-21 | 0.01 | -
Dr.Web | 5.0.2.3300 | 2011.06.21 | 2011-06-21 | 13.01 | -
F-Prot | 4.4.4.56 | 20110620 | 2011-06-20 | 1.42 | -
F-Secure | 7.02.73807 | 2011.06.20.05 | 2011-06-20 | 9.42 | -
Fortinet | 4.2.257 | 13.347 | 2011-06-20 | 0.11 | -
GData | 22.682/22.175 | 20110620 | 2011-06-20 | 9.38 | -
ViRobot | 20110620 | 2011.06.20 | 2011-06-20 | 0.38 | -
Ikarus | T3.1.32.20.0 | 2011.06.20.78638 | 2011-06-20 | 4.57 | -
JiangMin | 13.0.900 | 2011.06.20 | 2011-06-20 | 2.79 | -
Kaspersky | 5.5.10 | 2011.06.20 | 2011-06-20 | 0.04 | -
KingSoft | 2009.2.5.15 | 2011.6.20.18 | 2011-06-20 | 0.86 | -
McAfee | 5400.1158 | 6383 | 2011-06-20 | 9.18 | -
Microsoft | 1.6903 | 2011.06.20 | 2011-06-20 | 6.29 | -
NOD32 | 3.0.21 | 6224 | 2011-06-20 | 0.00 | -
Norman | 6.07.10 | 6.07.00 | 2011-06-19 | 14.02 | -
Panda | 9.05.01 | 2011.06.19 | 2011-06-19 | 3.46 | -
Trend Micro | 9.200-1012 | 8.236.15 | 2011-06-20 | 0.02 | -
Quick Heal | 11.00 | 2011.06.20 | 2011-06-20 | 0.92 | -
Rising | 20.0 | 23.63.00.03 | 2011-06-20 | 0.21 | -
Sophos | 3.20.2 | 4.66 | 2011-06-21 | 3.64 | -
Sunbelt | 3.9.2495.2 | 9640 | 2011-06-20 | 0.69 | -
Symantec | 1.3.0.24 | 20110620.004 | 2011-06-20 | 0.20 | -
nProtect | 20110601.01 | 3460661 | 2011-06-01 | 6.30 | -
The Hacker | 6.7.0.1 | v00176 | 2011-04-18 | 0.47 | -
VBA32 | 3.12.16.2 | 20110620.1235 | 2011-06-20 | 4.27 | -
VirusBuster | 5.3.0.4 | 14.0.88.0/5428480 | 2011-06-20 | 0.00 | -

Edited by peter23fulton, 20 June 2011 - 03:03 PM.

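The aswMBR excerpt in the post above carries two different kinds of finding: files the engine flagged, and a disk I/O trace in which the IRP_MJ_INTERNAL_DEVICE_CONTROL dispatch entry of \Driver\atapi points at an address (0x85cf21ed) that aswMBR could not map to any loaded module. The Python below is an added illustration, not part of this thread and not code from aswMBR: it parses both line shapes and separates a patched system driver from plain dropped files. The sample log is an excerpt copied from the log above; the regular expressions are assumptions derived from that excerpt, not a documented aswMBR output format.

```python
import re
from typing import List, NamedTuple, Tuple

# Excerpt copied from the aswMBR log posted above; the full log has many more lines.
SAMPLE_LOG = r"""
13:50:13.906 Disk 0 scanning C:\WINDOWS\system32\drivers
13:50:29.765 File: C:\WINDOWS\system32\drivers\volsnap.sys **INFECTED** Win32:Alureon-PS
13:50:34.171 Disk 0 trace - called modules:
13:50:34.203 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85cf21ed]<<
13:50:34.203 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85ce1ab8]
13:50:34.718 \Driver\atapi[0x85dc4e40] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x85cf21ed
14:30:27.500 File: C:\WINDOWS\system32\wtempfile.exe **INFECTED** MSIL:Agent-V [Trj]
15:02:32.687 File: C:\Documents and Settings\Owner\Desktop\mailbot\gmail.exe **INFECTED** Win32:Trojan-gen
"""

class Detection(NamedTuple):
    time: str
    path: str
    signature: str
    kind: str          # "patched system driver" or "dropped file"

class Hook(NamedTuple):
    driver: str        # e.g. \Driver\atapi
    major_function: str
    target: str        # address the dispatch entry now points at
    in_known_module: bool

# Line patterns are assumptions derived from the excerpt, not a documented aswMBR format.
INFECTED_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d{3}) File: (.+?) \*\*INFECTED\*\* (.+)$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
HOOK_RE = re.compile(r"^\S+ (\\Driver\\[^\[]+)\[0x[0-9a-fA-F]+\] -> (IRP_MJ_\w+) -> (0x[0-9a-fA-F]+)$")

def classify_path(path: str) -> str:
    """A flagged .sys under the system drivers directory is a legitimate driver with malicious code patched in."""
    p = path.lower()
    if "\\system32\\drivers\\" in p and p.endswith(".sys"):
        return "patched system driver"
    return "dropped file"

def triage(log_text: str) -> Tuple[List[Detection], List[Hook]]:
    detections: List[Detection] = []
    unknown_addrs = set()
    raw_hooks = []
    for line in log_text.splitlines():
        m = INFECTED_RE.match(line)
        if m:
            t, path, sig = m.groups()
            detections.append(Detection(t, path, sig, classify_path(path)))
            continue
        m = UNKNOWN_RE.search(line)
        if m:
            unknown_addrs.add(m.group(1).lower())
            continue
        m = HOOK_RE.match(line)
        if m:
            raw_hooks.append(m.groups())
    # Resolve after the full pass so a hook line may precede the module trace that names the address.
    hooks = [Hook(drv, major, tgt.lower(), tgt.lower() not in unknown_addrs)
             for drv, major, tgt in raw_hooks]
    return detections, hooks

def report(log_text: str) -> List[str]:
    """One human-readable line per detection and per hooked dispatch entry."""
    detections, hooks = triage(log_text)
    lines = [f"{d.kind:22} {d.signature:20} {d.path}" for d in detections]
    for h in hooks:
        where = "inside a loaded module" if h.in_known_module else "OUTSIDE any loaded module (rootkit hook)"
        lines.append(f"{h.driver} {h.major_function} -> {h.target}, {where}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

The distinction matters for cleanup: a dropped file can simply be deleted, but a patched driver such as volsnap.sys must be replaced with a clean copy, which is why the helper's next step is a rootkit remover rather than another on-demand scan.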

#10 BlackOxide (Trusted Helper, Malware Removal, 1,976 posts)
We'll now remove a rootkit which is present on your PC. Follow the two steps below carefully. Once they have been completed, copy and paste the two logs into your next reply.



1)
Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, click the Reboot Now button to immediately reboot. The report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.




2)
Download ComboFix from one of these locations:

Link 1
Link 2


IMPORTANT !!! You need to Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you are still unsure on how to do this, see here
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you already have the Recovery Console preinstalled, it will not ask for the following. If it does prompt, allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click Yes, to continue scanning for malware. Please be patient and don't use the PC whilst it is scanning.

When finished, it shall produce a log for you. Please copy & paste the contents of this log (also found at C:\ComboFix.txt) in your next reply.




In your next reply
Please post the contents of...
TDSSKiller log
ComboFix log

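Once TDSSKiller or ComboFix reports that volsnap.sys has been cured or replaced, the check a practitioner wants is whether the file now on disk matches a known-good copy. The Python below is an added example, not code from this thread or from either tool: it hashes each named driver in the live drivers directory and compares it with the same-named file in a reference directory (the Windows File Protection cache, %SystemRoot%\system32\dllcache, or a copy taken from install media). The demo writes constructed byte strings into a temporary directory; those paths and contents are assumptions for illustration only. One caveat: a rootkit that hooks the disk driver's dispatch routine, as the aswMBR trace above shows for atapi, can hand clean bytes to any user-mode read of the infected file, so run the comparison from a clean boot medium rather than on the running system, and treat the dllcache copy as unverified until it has been checked the same way.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Union

PathLike = Union[str, Path]

def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large drivers need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()

def compare_driver_dirs(drivers_dir: PathLike, reference_dir: PathLike,
                        names: Iterable[str]) -> Dict[str, str]:
    """Compare each named driver in drivers_dir with the same-named file in reference_dir.

    Status per name:
      "ok"            size and SHA-256 match the reference copy
      "mismatch"      file present but differs from the reference (patched, or a different build)
      "no reference"  live file exists but there is nothing to compare it with
      "missing"       driver is absent from the live directory
    """
    results: Dict[str, str] = {}
    for name in names:
        live = Path(drivers_dir) / name
        ref = Path(reference_dir) / name
        if not live.is_file():
            results[name] = "missing"
        elif not ref.is_file():
            results[name] = "no reference"
        elif live.stat().st_size != ref.stat().st_size or sha256_of(live) != sha256_of(ref):
            results[name] = "mismatch"
        else:
            results[name] = "ok"
    return results

def run_demo() -> Dict[str, str]:
    """Build a constructed fixture (assumed contents, not real driver bytes) and compare it."""
    with tempfile.TemporaryDirectory() as tmp:
        drivers = Path(tmp) / "drivers"      # stands in for %SystemRoot%\system32\drivers
        cache = Path(tmp) / "dllcache"       # stands in for %SystemRoot%\system32\dllcache
        drivers.mkdir()
        cache.mkdir()
        clean_volsnap = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"original volsnap code"
        (cache / "volsnap.sys").write_bytes(clean_volsnap)
        # Same length as the clean copy with a few bytes changed: a size check alone would miss it.
        (drivers / "volsnap.sys").write_bytes(clean_volsnap.replace(b"original", b"hijacked"))
        (cache / "disk.sys").write_bytes(b"MZ disk driver")
        (drivers / "disk.sys").write_bytes(b"MZ disk driver")
        (drivers / "atapi.sys").write_bytes(b"MZ atapi driver")
        return compare_driver_dirs(drivers, cache,
                                   ["volsnap.sys", "disk.sys", "atapi.sys", "classpnp.sys"])

if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{name:14} {status}")
```

A "mismatch" after a successful cure is not automatically bad news: a service pack or hotfix can leave dllcache holding an older build. Compare file version information, or a hash from a known-clean machine at the same patch level, before concluding the driver is still patched.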

#11 peter23fulton (Topic Starter, New Member, 7 posts)
I can't get the Kaspersky program to run. I downloaded it to my desktop and double clicked on it but it does not open.

I tried renaming it, running in safe mode but it won't open or run for me.

#12 BlackOxide (Trusted Helper, Malware Removal, 1,976 posts)
Ok, thanks for the info. Can you try running ComboFix to see if this runs or not? If it doesn't run in Normal Mode, try it in Safe Mode.

#13 peter23fulton (Topic Starter, New Member, 7 posts)
Ran ComboFix.

Here is the log:

File "C:\WINDOWS\system32\drivers\volsnap.sys" added successfully
File list cleared

#14 BlackOxide (Trusted Helper, Malware Removal, 1,976 posts)
I'll need to see all of the contents of the ComboFix log, as there are signs of other infections which I need to know if ComboFix has processed.

The log can be found at C:\ComboFix.txt. If you could highlight all of the text and paste it in your next reply please.

#15 BlackOxide (Trusted Helper, Malware Removal, 1,976 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.