cycbot.b
Started by debodun, Jul 07 2011 11:14 AM
#1
Posted 07 July 2011 - 11:14 AM
#2
Posted 11 July 2011 - 06:54 AM
I was recently infected with the cycbot.c virus. I am obsessive about protecting my system and visit roughly the same Web sites every day which I know are non-threatening and I don't open emails that look suspicious. I had to take my desktop to a repair shop where I was charged $135 to remove the virus since it prevented me from accessing my desktop icons to open anything. When I asked the tech how I acquired this virus, he said "Probably a social networking or gaming site." I do play some online games at funtrivia and candystand, but as I mentioned, they are sites I've been using for a long time and never had a problem with them and I don't do Facebook or any other social networking. Also, when I asked him why my Microsoft Security Essentials didn't catch it (a program he installed 2 months ago), he just shrugged and said, "No anti-virus program is perfect." So how do I determine where I contracted this virus and why wasn't it "caught" by MSE?
#3
Posted 12 July 2011 - 07:08 AM
Last week I was infected with this virus. I took my tower to the repair shop to have it removed, but it keeps coming back, especially if I leave my computer on and unattended for a few minutes. How do I permanently eliminate it from my system?
#4
Posted 12 July 2011 - 08:01 AM
Hi debodun,
I've merged your three topics.
So how do I determine where I contracted this virus and why wasn't it "caught" by MSE?
I can't really help you with that. You could have contracted it because you downloaded illegal/pirated software, for example, or because your operating system or other important software is out-of-date. You can't really be sure. The computer repair shop is right about why MSE didn't catch it: there isn't any anti-virus that detects everything, and it also takes some time until a virus definition is added to an anti-virus (they have to acquire a sample and analyse it first), so maybe MSE didn't detect the virus back then but it does now.
Let's start with the removal now. I need some more information to work with first:
Download OTL to your Desktop
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- Check the box that says Scan All Users.
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and post them in your topic.
#5
Posted 12 July 2011 - 11:47 AM
Here's the OTL scan report:
OTL logfile created on: 7/12/2011 1:40:05 PM - Run 1
OTL by OldTimer - Version 3.2.26.1 Folder = C:\DD
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
767.53 Mb Total Physical Memory | 355.56 Mb Available Physical Memory | 46.33% Memory free
1.46 Gb Paging File | 1.11 Gb Available in Paging File | 75.97% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 51.47 Gb Free Space | 69.07% Space Free | Partition Type: NTFS
Computer Name: USER-1A8421BD68 | User Name: Deborah | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - [2011/07/12 13:39:12 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\DD\OTL.exe
PRC - [2011/06/22 05:56:18 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/11/30 13:20:36 | 000,997,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2010/11/11 12:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2001/08/17 22:36:42 | 000,024,064 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\devldr32.exe
========== Modules (SafeList) ==========
MOD - [2011/07/12 13:39:12 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\DD\OTL.exe
MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
========== Win32 Services (SafeList) ==========
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2010/11/11 12:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2005/03/30 16:46:56 | 000,411,920 | ---- | M] (Eastman Kodak Company) [On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\KodakCCS.exe -- (KodakCCS)
========== Driver Services (SafeList) ==========
DRV - [2011/07/12 13:03:19 | 000,028,752 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56B1F491-7012-4A0F-9293-7F5FD7830974}\MpKsl2e1b8b1d.sys -- (MpKsl2e1b8b1d)
DRV - [2010/07/09 12:18:56 | 000,020,328 | ---- | M] (Windows ® Win 7 DDK provider) [Kernel | On_Demand | Stopped] -- C:\Program Files\CPUID\PC Wizard 2010\pcwiz_x32.sys -- (cpuz134)
DRV - [2009/12/18 11:58:52 | 000,011,336 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\SystemRequirementsLab\cpudrv.sys -- (cpudrv)
DRV - [2008/04/13 14:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2005/06/16 14:41:02 | 000,037,150 | ---- | M] (Eastman Kodak Company) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\DcCam.sys -- (DcCam)
DRV - [2005/03/31 08:00:08 | 000,152,081 | ---- | M] (Eastman Kodak Company) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\ExportIt.sys -- (Exportit)
DRV - [2005/03/31 07:47:56 | 000,070,262 | ---- | M] (Eastman Kodak Company) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\DcPtp.sys -- (DcPTP)
DRV - [2005/03/31 07:47:50 | 000,008,022 | ---- | M] (Eastman Kodak Company) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\DcLps.sys -- (DcLps)
DRV - [2005/03/31 07:47:48 | 000,038,673 | ---- | M] (Eastman Kodak Company) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\DCFS2k.sys -- (DCFS2K)
DRV - [2005/03/31 07:47:42 | 000,061,564 | ---- | M] (Eastman Kodak Company) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\DcFpoint.sys -- (DcFpoint)
DRV - [2004/10/01 10:24:00 | 002,279,424 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2004/08/03 22:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2002/02/22 07:10:48 | 000,026,505 | R--- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RTL8150.SYS -- (USB-100)
DRV - [2001/08/17 12:19:34 | 000,036,480 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sfmanm.sys -- (sfman) Creative SoundFont Manager Driver (WDM)
DRV - [2001/08/17 12:19:28 | 000,006,912 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctlfacem.sys -- (emu10k1) Creative Interface Manager Driver (WDM)
DRV - [2001/08/17 12:19:26 | 000,283,904 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emu10k1m.sys -- (emu10k) Creative SB Live! (WDM)
DRV - [2001/08/17 12:19:20 | 000,003,712 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctljystk.sys -- (ctljystk)
DRV - [2001/08/17 12:11:18 | 000,020,160 | ---- | M] (ADMtek Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ADM8511.SYS -- (ADM8511)
DRV - [2001/08/17 10:00:04 | 000,002,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\msmpu401.sys -- (ms_mpu401)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:64202
========== FireFox ==========
FF - prefs.js..browser.startup.homepage: "http://www.google.com"
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 64202
FF - prefs.js..network.proxy.type: 0
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.18\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/06/26 16:50:32 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.18\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/06/22 05:56:23 | 000,000,000 | ---D | M]
[2009/01/28 17:24:18 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Deborah\Application Data\Mozilla\Extensions
[2011/05/20 07:51:46 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\sjp2qtcz.default\extensions
[2009/09/25 18:08:03 | 000,000,000 | ---D | M] (NoScript) -- C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\sjp2qtcz.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}(2)
[2011/07/11 11:27:21 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2009/12/09 11:17:51 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
O1 HOSTS File: ([2011/06/29 09:58:08 | 000,435,992 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.123topsearch.com
O1 - Hosts: 127.0.0.1 123topsearch.com
O1 - Hosts: 127.0.0.1 www.132.com
O1 - Hosts: 127.0.0.1 132.com
O1 - Hosts: 127.0.0.1 www.136136.net
O1 - Hosts: 127.0.0.1 136136.net
O1 - Hosts: 127.0.0.1 www.163ns.com
O1 - Hosts: 127.0.0.1 163ns.com
O1 - Hosts: 15006 more lines...
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0123B506-0AD9-43AA-B0CF-916C122AD4C5} - No CLSID value found.
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] File not found
O4 - HKLM..\Run: [TkBellExe] File not found
O4 - HKLM..\RunOnceEx: [] File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_18.dll (Sun Microsystems, Inc.)
O15 - HKCU\..Trusted Domains: microsoft.com ([*.update] https in Trusted sites)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1306016923015 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Deborah\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Deborah\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/06/03 20:52:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\D\Shell - "" = AutoRun
O33 - MountPoints2\D\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\setup.exe
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\autorun.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
========== Files/Folders - Created Within 30 Days ==========
[2011/07/11 17:02:12 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Deborah\Recent
[2011/07/09 20:07:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Deborah\Local Settings\Application Data\PCHealth
[2011/07/09 19:55:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
========== Files - Modified Within 30 Days ==========
[2011/07/12 13:08:17 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/07/12 13:02:57 | 804,884,480 | -HS- | M] () -- C:\hiberfil.sys
[2011/07/12 13:02:57 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/07/12 09:47:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2011/07/11 12:24:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/07/11 06:34:51 | 000,001,374 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/07/10 13:10:16 | 000,001,744 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/07/10 10:39:06 | 000,004,128 | ---- | M] () -- C:\Documents and Settings\Deborah\Application Data\8376.D38
[2011/07/03 15:14:07 | 000,001,911 | ---- | M] () -- C:\WINDOWS\ENTPACK.INI
[2011/07/01 18:01:11 | 000,000,142 | ---- | M] () -- C:\WINDOWS\funcrd95.ini
[2011/06/29 09:58:08 | 000,435,992 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/06/22 09:05:06 | 000,435,816 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20110629-095808.backup
[2011/06/19 16:22:17 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2011/06/17 18:16:50 | 000,000,445 | ---- | M] () -- C:\WINDOWS\EntPack.dat
[2011/06/15 16:35:09 | 000,000,224 | ---- | M] () -- C:\WINDOWS\FUJIGOLF.INI
[2011/06/15 15:22:10 | 000,432,664 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/06/15 15:22:10 | 000,067,428 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/06/15 15:12:43 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/06/15 13:03:47 | 000,435,662 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20110622-090506.backup
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
========== Files Created - No Company Name ==========
[2011/07/06 05:43:22 | 000,004,128 | ---- | C] () -- C:\Documents and Settings\Deborah\Application Data\8376.D38
[2011/05/21 18:09:15 | 000,156,672 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2011/05/21 18:09:15 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2011/02/23 03:31:35 | 000,000,007 | ---- | C] () -- C:\WINDOWS\System32\mkghj.dll
[2009/03/28 14:42:44 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\ssresources.dll
[2009/03/28 14:42:44 | 000,020,481 | ---- | C] () -- C:\WINDOWS\System32\SystemsHook.dll
[2008/12/07 17:27:40 | 000,001,744 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2008/08/05 18:37:31 | 000,000,445 | ---- | C] () -- C:\WINDOWS\EntPack.dat
[2008/07/30 04:20:02 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/07/04 07:09:36 | 000,000,014 | ---- | C] () -- C:\WINDOWS\System32\ptime.dat
[2008/07/01 19:00:45 | 000,000,037 | ---- | C] () -- C:\WINDOWS\Viewer.ini
[2008/06/28 10:09:03 | 000,001,632 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2008/06/23 17:13:26 | 000,001,461 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2008/06/22 07:20:05 | 000,000,224 | ---- | C] () -- C:\WINDOWS\FUJIGOLF.INI
[2008/06/22 07:18:32 | 000,024,624 | ---- | C] () -- C:\WINDOWS\FUJIGOLF.DAT
[2008/06/20 17:26:55 | 000,001,498 | ---- | C] () -- C:\WINDOWS\NWC.INI
[2008/06/20 17:26:46 | 000,000,000 | ---- | C] () -- C:\WINDOWS\NWRgstry.ini
[2008/06/20 17:25:42 | 000,000,004 | ---- | C] () -- C:\WINDOWS\rclat2wb.dat
[2008/06/20 17:24:42 | 000,000,142 | ---- | C] () -- C:\WINDOWS\funcrd95.ini
[2008/06/20 17:23:09 | 000,000,301 | ---- | C] () -- C:\WINDOWS\ARCADE.INI
[2008/06/20 17:18:51 | 000,001,911 | ---- | C] () -- C:\WINDOWS\ENTPACK.INI
[2008/06/20 17:06:13 | 000,000,197 | ---- | C] () -- C:\WINDOWS\HTMLREF.INI
[2008/06/20 17:05:59 | 000,004,005 | ---- | C] () -- C:\WINDOWS\STELLA.INI
[2008/06/18 17:19:23 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2008/06/15 12:45:42 | 000,006,656 | ---- | C] () -- C:\Documents and Settings\Deborah\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/06/08 19:21:10 | 000,004,735 | ---- | C] () -- C:\WINDOWS\psdxport.ini
[2008/06/08 19:21:10 | 000,000,074 | ---- | C] () -- C:\WINDOWS\psdewin.ini
[2008/06/06 17:44:20 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/06/03 20:55:01 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2008/06/03 20:48:49 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008/06/03 15:28:26 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008/06/03 15:27:05 | 000,316,360 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2006/02/28 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2006/02/28 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2006/02/28 08:00:00 | 000,432,664 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2006/02/28 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2006/02/28 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2006/02/28 08:00:00 | 000,067,428 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2006/02/28 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2006/02/28 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2006/02/28 08:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2006/02/28 08:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2006/02/28 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2006/02/28 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2000/09/08 17:53:50 | 000,073,839 | ---- | C] () -- C:\WINDOWS\System32\KodakOneTouch.dll
[1999/01/22 14:46:56 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
[1998/01/12 04:00:00 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\REGOBJ.DLL
[1996/04/03 15:33:26 | 000,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys
[1995/07/11 03:50:00 | 000,002,089 | ---- | C] () -- C:\WINDOWS\System32\Msnell32.dll
========== LOP Check ==========
[2011/05/21 15:51:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CA
[2011/05/11 16:42:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters Inc
[2008/06/06 17:49:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBT
[2009/01/07 19:28:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2011/05/16 11:17:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deborah\Application Data\ElevatedDiagnostics
[2009/10/19 15:46:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deborah\Application Data\Leadertech
[2009/04/07 15:24:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deborah\Application Data\Noteworthy Software
[2008/06/23 21:17:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deborah\Application Data\PolyView
[2008/06/04 12:02:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deborah\Application Data\Simple Star
[2008/06/04 12:04:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deborah\Application Data\Snapfish
[2011/05/18 08:33:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deborah\Application Data\SystemRequirementsLab
[2008/07/04 07:30:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deborah\Application Data\Tams11
[2011/07/12 09:47:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2011/07/12 13:08:17 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
========== Purity Check ==========
========== Alternate Data Streams ==========
@Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >
OTL logfile created on: 7/12/2011 1:40:05 PM - Run 1
OTL by OldTimer - Version 3.2.26.1 Folder = C:\DD
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
767.53 Mb Total Physical Memory | 355.56 Mb Available Physical Memory | 46.33% Memory free
1.46 Gb Paging File | 1.11 Gb Available in Paging File | 75.97% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 51.47 Gb Free Space | 69.07% Space Free | Partition Type: NTFS
Computer Name: USER-1A8421BD68 | User Name: Deborah | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - [2011/07/12 13:39:12 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\DD\OTL.exe
PRC - [2011/06/22 05:56:18 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/11/30 13:20:36 | 000,997,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2010/11/11 12:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2001/08/17 22:36:42 | 000,024,064 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\devldr32.exe
========== Modules (SafeList) ==========
MOD - [2011/07/12 13:39:12 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\DD\OTL.exe
MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
========== Win32 Services (SafeList) ==========
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2010/11/11 12:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2005/03/30 16:46:56 | 000,411,920 | ---- | M] (Eastman Kodak Company) [On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\KodakCCS.exe -- (KodakCCS)
========== Driver Services (SafeList) ==========
DRV - [2011/07/12 13:03:19 | 000,028,752 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56B1F491-7012-4A0F-9293-7F5FD7830974}\MpKsl2e1b8b1d.sys -- (MpKsl2e1b8b1d)
DRV - [2010/07/09 12:18:56 | 000,020,328 | ---- | M] (Windows ® Win 7 DDK provider) [Kernel | On_Demand | Stopped] -- C:\Program Files\CPUID\PC Wizard 2010\pcwiz_x32.sys -- (cpuz134)
DRV - [2009/12/18 11:58:52 | 000,011,336 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\SystemRequirementsLab\cpudrv.sys -- (cpudrv)
DRV - [2008/04/13 14:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2005/06/16 14:41:02 | 000,037,150 | ---- | M] (Eastman Kodak Company) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\DcCam.sys -- (DcCam)
DRV - [2005/03/31 08:00:08 | 000,152,081 | ---- | M] (Eastman Kodak Company) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\ExportIt.sys -- (Exportit)
DRV - [2005/03/31 07:47:56 | 000,070,262 | ---- | M] (Eastman Kodak Company) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\DcPtp.sys -- (DcPTP)
DRV - [2005/03/31 07:47:50 | 000,008,022 | ---- | M] (Eastman Kodak Company) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\DcLps.sys -- (DcLps)
DRV - [2005/03/31 07:47:48 | 000,038,673 | ---- | M] (Eastman Kodak Company) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\DCFS2k.sys -- (DCFS2K)
DRV - [2005/03/31 07:47:42 | 000,061,564 | ---- | M] (Eastman Kodak Company) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\DcFpoint.sys -- (DcFpoint)
DRV - [2004/10/01 10:24:00 | 002,279,424 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2004/08/03 22:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2002/02/22 07:10:48 | 000,026,505 | R--- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RTL8150.SYS -- (USB-100)
DRV - [2001/08/17 12:19:34 | 000,036,480 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sfmanm.sys -- (sfman) Creative SoundFont Manager Driver (WDM)
DRV - [2001/08/17 12:19:28 | 000,006,912 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctlfacem.sys -- (emu10k1) Creative Interface Manager Driver (WDM)
DRV - [2001/08/17 12:19:26 | 000,283,904 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emu10k1m.sys -- (emu10k) Creative SB Live! (WDM)
DRV - [2001/08/17 12:19:20 | 000,003,712 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctljystk.sys -- (ctljystk)
DRV - [2001/08/17 12:11:18 | 000,020,160 | ---- | M] (ADMtek Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ADM8511.SYS -- (ADM8511)
DRV - [2001/08/17 10:00:04 | 000,002,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\msmpu401.sys -- (ms_mpu401)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:64202
========== FireFox ==========
FF - prefs.js..browser.startup.homepage: "http://www.google.com"
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 64202
FF - prefs.js..network.proxy.type: 0
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.18\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/06/26 16:50:32 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.18\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/06/22 05:56:23 | 000,000,000 | ---D | M]
[2009/01/28 17:24:18 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Deborah\Application Data\Mozilla\Extensions
[2011/05/20 07:51:46 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\sjp2qtcz.default\extensions
[2009/09/25 18:08:03 | 000,000,000 | ---D | M] (NoScript) -- C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\sjp2qtcz.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}(2)
[2011/07/11 11:27:21 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2009/12/09 11:17:51 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
O1 HOSTS File: ([2011/06/29 09:58:08 | 000,435,992 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 15006 more lines...
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0123B506-0AD9-43AA-B0CF-916C122AD4C5} - No CLSID value found.
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] File not found
O4 - HKLM..\Run: [TkBellExe] File not found
O4 - HKLM..\RunOnceEx: [] File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_18.dll (Sun Microsystems, Inc.)
O15 - HKCU\..Trusted Domains: microsoft.com ([*.update] https in Trusted sites)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1306016923015 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Deborah\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Deborah\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/06/03 20:52:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\D\Shell - "" = AutoRun
O33 - MountPoints2\D\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\setup.exe
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\autorun.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
========== Files/Folders - Created Within 30 Days ==========
[2011/07/11 17:02:12 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Deborah\Recent
[2011/07/09 20:07:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Deborah\Local Settings\Application Data\PCHealth
[2011/07/09 19:55:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
========== Files - Modified Within 30 Days ==========
[2011/07/12 13:08:17 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/07/12 13:02:57 | 804,884,480 | -HS- | M] () -- C:\hiberfil.sys
[2011/07/12 13:02:57 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/07/12 09:47:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2011/07/11 12:24:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/07/11 06:34:51 | 000,001,374 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/07/10 13:10:16 | 000,001,744 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/07/10 10:39:06 | 000,004,128 | ---- | M] () -- C:\Documents and Settings\Deborah\Application Data\8376.D38
[2011/07/03 15:14:07 | 000,001,911 | ---- | M] () -- C:\WINDOWS\ENTPACK.INI
[2011/07/01 18:01:11 | 000,000,142 | ---- | M] () -- C:\WINDOWS\funcrd95.ini
[2011/06/29 09:58:08 | 000,435,992 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/06/22 09:05:06 | 000,435,816 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20110629-095808.backup
[2011/06/19 16:22:17 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2011/06/17 18:16:50 | 000,000,445 | ---- | M] () -- C:\WINDOWS\EntPack.dat
[2011/06/15 16:35:09 | 000,000,224 | ---- | M] () -- C:\WINDOWS\FUJIGOLF.INI
[2011/06/15 15:22:10 | 000,432,664 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/06/15 15:22:10 | 000,067,428 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/06/15 15:12:43 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/06/15 13:03:47 | 000,435,662 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20110622-090506.backup
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
========== Files Created - No Company Name ==========
[2011/07/06 05:43:22 | 000,004,128 | ---- | C] () -- C:\Documents and Settings\Deborah\Application Data\8376.D38
[2011/05/21 18:09:15 | 000,156,672 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2011/05/21 18:09:15 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2011/02/23 03:31:35 | 000,000,007 | ---- | C] () -- C:\WINDOWS\System32\mkghj.dll
[2009/03/28 14:42:44 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\ssresources.dll
[2009/03/28 14:42:44 | 000,020,481 | ---- | C] () -- C:\WINDOWS\System32\SystemsHook.dll
[2008/12/07 17:27:40 | 000,001,744 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2008/08/05 18:37:31 | 000,000,445 | ---- | C] () -- C:\WINDOWS\EntPack.dat
[2008/07/30 04:20:02 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/07/04 07:09:36 | 000,000,014 | ---- | C] () -- C:\WINDOWS\System32\ptime.dat
[2008/07/01 19:00:45 | 000,000,037 | ---- | C] () -- C:\WINDOWS\Viewer.ini
[2008/06/28 10:09:03 | 000,001,632 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2008/06/23 17:13:26 | 000,001,461 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2008/06/22 07:20:05 | 000,000,224 | ---- | C] () -- C:\WINDOWS\FUJIGOLF.INI
[2008/06/22 07:18:32 | 000,024,624 | ---- | C] () -- C:\WINDOWS\FUJIGOLF.DAT
[2008/06/20 17:26:55 | 000,001,498 | ---- | C] () -- C:\WINDOWS\NWC.INI
[2008/06/20 17:26:46 | 000,000,000 | ---- | C] () -- C:\WINDOWS\NWRgstry.ini
[2008/06/20 17:25:42 | 000,000,004 | ---- | C] () -- C:\WINDOWS\rclat2wb.dat
[2008/06/20 17:24:42 | 000,000,142 | ---- | C] () -- C:\WINDOWS\funcrd95.ini
[2008/06/20 17:23:09 | 000,000,301 | ---- | C] () -- C:\WINDOWS\ARCADE.INI
[2008/06/20 17:18:51 | 000,001,911 | ---- | C] () -- C:\WINDOWS\ENTPACK.INI
[2008/06/20 17:06:13 | 000,000,197 | ---- | C] () -- C:\WINDOWS\HTMLREF.INI
[2008/06/20 17:05:59 | 000,004,005 | ---- | C] () -- C:\WINDOWS\STELLA.INI
[2008/06/18 17:19:23 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2008/06/15 12:45:42 | 000,006,656 | ---- | C] () -- C:\Documents and Settings\Deborah\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/06/08 19:21:10 | 000,004,735 | ---- | C] () -- C:\WINDOWS\psdxport.ini
[2008/06/08 19:21:10 | 000,000,074 | ---- | C] () -- C:\WINDOWS\psdewin.ini
[2008/06/06 17:44:20 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/06/03 20:55:01 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2008/06/03 20:48:49 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008/06/03 15:28:26 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008/06/03 15:27:05 | 000,316,360 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2006/02/28 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2006/02/28 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2006/02/28 08:00:00 | 000,432,664 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2006/02/28 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2006/02/28 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2006/02/28 08:00:00 | 000,067,428 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2006/02/28 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2006/02/28 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2006/02/28 08:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2006/02/28 08:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2006/02/28 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2006/02/28 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2000/09/08 17:53:50 | 000,073,839 | ---- | C] () -- C:\WINDOWS\System32\KodakOneTouch.dll
[1999/01/22 14:46:56 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
[1998/01/12 04:00:00 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\REGOBJ.DLL
[1996/04/03 15:33:26 | 000,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys
[1995/07/11 03:50:00 | 000,002,089 | ---- | C] () -- C:\WINDOWS\System32\Msnell32.dll
========== LOP Check ==========
[2011/05/21 15:51:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CA
[2011/05/11 16:42:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters Inc
[2008/06/06 17:49:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBT
[2009/01/07 19:28:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2011/05/16 11:17:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deborah\Application Data\ElevatedDiagnostics
[2009/10/19 15:46:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deborah\Application Data\Leadertech
[2009/04/07 15:24:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deborah\Application Data\Noteworthy Software
[2008/06/23 21:17:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deborah\Application Data\PolyView
[2008/06/04 12:02:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deborah\Application Data\Simple Star
[2008/06/04 12:04:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deborah\Application Data\Snapfish
[2011/05/18 08:33:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deborah\Application Data\SystemRequirementsLab
[2008/07/04 07:30:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deborah\Application Data\Tams11
[2011/07/12 09:47:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2011/07/12 13:08:17 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
========== Purity Check ==========
========== Alternate Data Streams ==========
@Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >
#6
Posted 12 July 2011 - 12:10 PM
Hi,
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:64202
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 64202
FF - prefs.js..network.proxy.type: 0
O20 - HKCU Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O33 - MountPoints2\D\Shell - "" = AutoRun
O33 - MountPoints2\D\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\setup.exe
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\autorun.exe
[2011/07/10 10:39:06 | 000,004,128 | ---- | M] () -- C:\Documents and Settings\Deborah\Application Data\8376.D38
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
:Services
:Reg
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[emptyflash]
[createrestorepoint]
[reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
Download ComboFix from one of these locations:
Link 1
Link 2
* IMPORTANT !!! Save ComboFix.exe to your Desktop
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them:
Click me
If you can't disable them then just continue on.
- Double click on ComboFix.exe & follow the prompts.
- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
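The OTL fix above strips a loopback proxy (127.0.0.1:64202) from both IE and Firefox, two removable-drive AutoRun handlers and a loose file under Application Data. The Python below is an added example, not part of this thread and not an OTL feature: it runs those same checks over constructed lines in OTL's report format so such entries can be flagged before a fix is written. The rule names and the odd-file heuristic are my own.

```python
import re

# Constructed sample lines in OTL's report format, modelled on the entries the
# fix script in this thread targets; they are not the thread's own log.
SAMPLE_OTL_LINES = [
    r'IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:64202',
    r'FF - prefs.js..network.proxy.http: "127.0.0.1"',
    r'FF - prefs.js..network.proxy.http_port: 64202',
    r'O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)',
    r'O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\setup.exe',
    r'O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\autorun.exe',
    r'[2011/07/10 10:39:06 | 000,004,128 | ---- | M] () -- C:\Documents and Settings\Deborah\Application Data\8376.D38',
]

# Detection rules (names are my own): one finding per line that matches a rule.
RULES = [
    # IE proxy on the loopback interface: web traffic relayed through a local process.
    ("ie_loopback_proxy",
     re.compile(r'"ProxyServer"\s*=\s*(?:\w+=)?127\.0\.0\.1:(?P<port>\d+)')),
    # Firefox prefs.js proxy host set to loopback, and the port it pairs with.
    ("ff_loopback_proxy", re.compile(r'network\.proxy\.http:\s*"127\.0\.0\.1"')),
    ("ff_proxy_port", re.compile(r'network\.proxy\.http_port:\s*(?P<port>\d+)')),
    # MountPoints2 AutoRun handler: a program launched when a removable drive is opened.
    ("mountpoints_autorun", re.compile(
        r'MountPoints2\\(?P<drive>[A-Z])\\Shell\\AutoRun\\command\s*-\s*""\s*=\s*(?P<cmd>.+)$')),
    # Heuristic: loose file straight under a user's Application Data root with a
    # non-standard extension (normally only program subfolders live there).
    ("appdata_root_oddfile", re.compile(
        r'--\s+C:\\Documents and Settings\\[^\\]+\\Application Data\\'
        r'(?P<name>[^\\]+\.(?!ini$|dat$|xml$|txt$|log$)[A-Za-z0-9]{1,4})$', re.I)),
]


def triage(lines):
    """Findings as dicts {rule, line, <named groups>}; benign lines yield nothing."""
    findings = []
    for line in lines:
        for name, rx in RULES:
            m = rx.search(line)
            if m:
                findings.append({"rule": name, "line": line, **m.groupdict()})
    return findings


def loopback_proxy_ports(findings):
    """Loopback proxy ports seen in IE and Firefox; the same port in both means
    one local listener was relaying all of the machine's web traffic."""
    ports = {int(f["port"]) for f in findings if f["rule"] == "ie_loopback_proxy"}
    if any(f["rule"] == "ff_loopback_proxy" for f in findings):
        ports |= {int(f["port"]) for f in findings if f["rule"] == "ff_proxy_port"}
    return sorted(ports)
```

On the sample, triage(SAMPLE_OTL_LINES) returns six findings and the Security Essentials Run entry produces none; loopback_proxy_ports() on those findings returns [64202], the port the fix script strips from both browsers.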
#7
Posted 12 July 2011 - 12:40 PM
I don't have the Windows XP CD which it says to insert into the CD drive.
#8
Posted 12 July 2011 - 12:47 PM
Which tool asks you to insert the CD? OTL or ComboFix?
Neither of them should ask for a Windows CD. Please run the OTL or ComboFix instructions again.
#9
Posted 16 August 2011 - 11:01 AM
Due to lack of feedback, this topic has been closed.
If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.