Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Fake Alert/win32 Trojan


  • This topic is locked This topic is locked

#1
blackion29

blackion29

    New Member

  • Member
  • Pip
  • 1 posts
Hello My name is Brandon. Thank you for taking the time to read my post.

This afternoon I was browsing an Age of Conan forum looking for a keyboard configuration addon. I clicked a link in the forum and it closed the screen downloading a fake antivirus scanning program. I was running Microsoft Security Essentials at the time and had UAC on. The trojan/malware immediatly locked me out of MSE and from starting the task manager to close the program. I was able to safely restart my pc into safe mode without using the power button. After booting into safe mode without networking I ran super antispyware and it found nothing. I then ran Malwarebytes and it found three different malware files in my local/apps/data folder. I don't remember their names. I quarentined these items and then deleted them from the program. I proceeded to run eset's on acces scanner and it found three more files named trojans with a series of three letters after them. (I wish I had written them down.)Eset cleaned the files successfully. I then restarted and connected my external HDD to the pc and ran a windows image restore that I had saved from 5 months earlier from a clean install.

Basically I would like to know if I have anything lingering around because I did not do a format/clean install.

Edit: It was a fake alert.

Thank you very much again for your time.

Brandon




OTL logfile created on: 8/4/2011 3:25:22 AM - Run 1
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Users\Brandon\Documents
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

7.93 Gb Total Physical Memory | 6.66 Gb Available Physical Memory | 84.02% Memory free
15.86 Gb Paging File | 14.69 Gb Available in Paging File | 92.67% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 921.51 Gb Total Space | 813.88 Gb Free Space | 88.32% Space Free | Partition Type: NTFS
Drive D: | 480.98 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive E: | 967.72 Mb Total Space | 967.67 Mb Free Space | 100.00% Space Free | Partition Type: FAT

Computer Name: BRANDON-PC | User Name: Brandon | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - File not found -- C:\Users\Brandon\My Documents\OTL.exe
PRC - [2011/07/08 03:16:28 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
PRC - [2011/01/17 16:07:04 | 000,355,432 | ---- | M] () -- C:\Program Files (x86)\EVGA Precision\EVGAPrecision.exe
PRC - [2003/05/18 14:55:04 | 000,299,008 | ---- | M] (Blizzard Entertainment) -- C:\Users\Brandon\AppData\Local\Temp\war3_Install.exe


========== Modules (SafeList) ==========

MOD - File not found -- C:\Users\Brandon\My Documents\OTL.exe
MOD - [2010/11/20 07:55:09 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2011/04/27 17:21:18 | 000,288,272 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe -- (NisSrv)
SRV:64bit: - [2011/04/27 17:21:18 | 000,012,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV:64bit: - [2009/07/13 21:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2011/01/11 03:34:00 | 000,075,136 | ---- | M] () [Auto | Stopped] -- C:\Windows\SysWOW64\PnkBstrA.exe -- (PnkBstrA)
SRV - [2010/10/16 20:47:34 | 000,411,432 | ---- | M] (Valve Corporation) [Disabled | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2010/04/15 23:42:22 | 002,533,400 | ---- | M] (Intel Corporation) [Disabled | Stopped] -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe -- (UNS) Intel®
SRV - [2010/04/15 23:42:18 | 000,325,656 | ---- | M] (Intel Corporation) [Disabled | Stopped] -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe -- (LMS) Intel®
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/06/10 17:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2011/04/27 15:25:24 | 000,084,864 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv)
DRV:64bit: - [2011/03/11 02:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/03/11 02:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010/11/20 09:33:35 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/20 07:07:05 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/10/27 11:05:02 | 000,349,800 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2009/11/11 17:44:26 | 000,034,160 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\point64k.sys -- (Point64)
DRV:64bit: - [2009/09/17 16:54:54 | 000,056,344 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HECIx64.sys -- (HECIx64) Intel®
DRV:64bit: - [2009/08/13 23:10:18 | 000,073,984 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\xusb21.sys -- (xusb21)
DRV:64bit: - [2009/07/15 23:38:40 | 000,015,416 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ASACPI.sys -- (MTsensor)
DRV:64bit: - [2009/07/13 21:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 21:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 21:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/06/17 12:54:46 | 000,040,976 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\LUsbFilt.sys -- (LUsbFilt)
DRV:64bit: - [2009/06/17 12:54:30 | 000,057,872 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\LMouFilt.Sys -- (LMouFilt)
DRV:64bit: - [2009/06/17 12:54:22 | 000,055,312 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\LHidFilt.Sys -- (LHidFilt)
DRV:64bit: - [2009/06/10 16:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\wbem\ntfs.mof -- (Ntfs)
DRV:64bit: - [2009/06/10 16:37:05 | 006,108,416 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx)
DRV:64bit: - [2009/06/10 16:35:35 | 000,620,544 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\netr28x.sys -- (netr28x)
DRV:64bit: - [2009/06/10 16:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 16:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 16:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 16:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2011/01/17 16:07:02 | 000,014,440 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Program Files (x86)\EVGA Precision\RTCore64.sys -- (RTCore64)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://asus.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://asus.msn.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "www.google.com"

FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2011/08/03 23:27:49 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2011/08/03 23:27:48 | 000,000,000 | ---D | M]

[2010/09/23 05:57:42 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Brandon\AppData\Roaming\Mozilla\Extensions
[2010/09/23 20:43:05 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Brandon\AppData\Roaming\Mozilla\Firefox\Profiles\cwytjavu.default\extensions
[2011/08/03 23:27:49 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
File not found (No name found) --
[2011/07/08 03:16:28 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2011/02/22 03:46:55 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npdeployJava1.dll
[2010/01/01 04:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml

O1 HOSTS File: ([2009/06/10 17:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4:64bit: - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: sony.com ([]* in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2003/05/18 14:54:20 | 000,061,440 | R--- | M] () - D:\autoplay.exe -- [ CDFS ]
O32 - AutoRun File - [2003/02/12 03:01:48 | 000,000,050 | R--- | M] () - D:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{138f901e-c70a-11df-a31c-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{138f901e-c70a-11df-a31c-806e6f6e6963}\Shell\AutoRun\command - "" = D:\autoplay.exe -- [2003/05/18 14:54:20 | 000,061,440 | R--- | M] ()
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/08/04 03:23:58 | 000,579,584 | ---- | C] (OldTimer Tools) -- C:\Users\Brandon\Documents\OTL.exe
[2011/08/04 03:13:36 | 000,000,000 | ---D | C] -- C:\Users\Brandon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Warcraft III
[2011/08/04 03:13:36 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Warcraft III
[2011/08/04 03:13:35 | 000,126,976 | ---- | C] (Blizzard Entertainment) -- C:\Windows\War3Unin.exe
[2011/08/04 03:10:38 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Warcraft III
[2011/08/04 00:04:45 | 013,050,160 | ---- | C] (Funcom ) -- C:\Users\Brandon\Documents\ageofconan-en.exe
[2011/08/03 23:53:32 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2011/08/03 23:52:23 | 000,000,000 | ---D | C] -- C:\ProgramData\NVIDIA
[2011/08/03 23:52:12 | 000,000,000 | ---D | C] -- C:\ProgramData\NVIDIA Corporation
[2011/08/03 23:33:27 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Security Client
[2011/08/03 23:22:34 | 003,447,576 | ---- | C] (Piriform Ltd) -- C:\Users\Brandon\Documents\ccsetup309.exe
[2011/08/03 23:09:06 | 000,000,000 | ---D | C] -- C:\Users\Brandon\AppData\Local\Funcom
[2011/08/03 23:08:55 | 000,000,000 | ---D | C] -- C:\ProgramData\media center programs
[2011/08/03 23:08:53 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Funcom
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/08/04 03:27:26 | 000,060,036 | ---- | M] () -- C:\Windows\War3Unin.dat
[2011/08/04 03:27:25 | 000,139,264 | ---- | M] (Blizzard Entertainment) -- C:\Windows\War3Unin.exe
[2011/08/04 03:27:25 | 000,002,829 | ---- | M] () -- C:\Windows\War3Unin.pif
[2011/08/04 03:24:00 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Users\Brandon\Documents\OTL.exe
[2011/08/04 02:52:38 | 000,009,920 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/08/04 02:52:38 | 000,009,920 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/08/04 02:44:17 | 000,001,549 | ---- | M] () -- C:\Users\Brandon\Desktop\AgeOfConan - Shortcut.lnk
[2011/08/04 00:05:04 | 013,050,160 | ---- | M] (Funcom ) -- C:\Users\Brandon\Documents\ageofconan-en.exe
[2011/08/04 00:04:52 | 000,001,532 | ---- | M] () -- C:\Users\Brandon\Documents\Document.rtf
[2011/08/04 00:01:38 | 000,743,036 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2011/08/04 00:01:38 | 000,634,808 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2011/08/04 00:01:38 | 000,111,342 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2011/08/03 23:56:57 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/08/03 23:56:44 | 2090,115,071 | -HS- | M] () -- C:\hiberfil.sys
[2011/08/03 23:54:50 | 000,002,262 | ---- | M] () -- C:\Users\Brandon\Documents\cc_20110803_235448.reg
[2011/08/03 23:54:42 | 000,056,778 | ---- | M] () -- C:\Users\Brandon\Documents\cc_20110803_235439.reg
[2011/08/03 23:53:32 | 000,000,826 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2011/08/03 23:41:11 | 000,001,441 | ---- | M] () -- C:\Users\Brandon\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/08/03 23:40:19 | 000,363,528 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2011/08/03 23:37:21 | 000,072,822 | ---- | M] () -- C:\Windows\SysWow64\ieuinit.inf
[2011/08/03 23:37:19 | 000,072,822 | ---- | M] () -- C:\Windows\SysNative\ieuinit.inf
[2011/08/03 23:33:35 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
[2011/08/03 23:33:28 | 000,756,668 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2011/08/03 23:27:51 | 000,001,142 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2011/08/03 23:23:35 | 000,001,113 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/08/03 23:22:40 | 003,447,576 | ---- | M] (Piriform Ltd) -- C:\Users\Brandon\Documents\ccsetup309.exe
[2011/08/03 23:05:25 | 000,000,193 | ---- | M] () -- C:\Windows\WORDPAD.INI
[2011/07/06 19:52:42 | 000,041,272 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
[2011/07/06 19:52:42 | 000,025,912 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/08/04 03:13:36 | 000,019,297 | ---- | C] () -- C:\Windows\War3Unin.dat
[2011/08/04 03:13:36 | 000,002,829 | ---- | C] () -- C:\Windows\War3Unin.pif
[2011/08/04 02:44:17 | 000,001,549 | ---- | C] () -- C:\Users\Brandon\Desktop\AgeOfConan - Shortcut.lnk
[2011/08/03 23:54:49 | 000,002,262 | ---- | C] () -- C:\Users\Brandon\Documents\cc_20110803_235448.reg
[2011/08/03 23:54:40 | 000,056,778 | ---- | C] () -- C:\Users\Brandon\Documents\cc_20110803_235439.reg
[2011/08/03 23:53:32 | 000,000,826 | ---- | C] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2011/08/03 23:37:21 | 000,072,822 | ---- | C] () -- C:\Windows\SysWow64\ieuinit.inf
[2011/08/03 23:37:19 | 000,072,822 | ---- | C] () -- C:\Windows\SysNative\ieuinit.inf
[2011/08/03 22:59:10 | 2090,115,071 | -HS- | C] () -- C:\hiberfil.sys
[2011/01/11 03:17:42 | 000,270,904 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrB.exe
[2011/01/11 03:17:36 | 000,075,136 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrA.exe
[2010/12/29 22:07:14 | 000,000,262 | ---- | C] () -- C:\Windows\{EEB3F6BB-318D-4CE5-989F-8191FCBFB578}_WiseFW.ini
[2010/12/28 06:14:11 | 000,000,193 | ---- | C] () -- C:\Windows\WORDPAD.INI
[2010/09/30 02:50:51 | 000,000,036 | ---- | C] () -- C:\Users\Brandon\AppData\Local\housecall.guid.cache
[2010/09/24 01:49:46 | 000,007,605 | ---- | C] () -- C:\Users\Brandon\AppData\Local\Resmon.ResmonCfg
[2010/09/23 15:31:13 | 000,000,095 | ---- | C] () -- C:\Users\Brandon\AppData\Local\fusioncache.dat
[2010/09/23 14:27:26 | 000,756,668 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2010/01/22 17:02:23 | 000,221,184 | ---- | C] () -- C:\Windows\SysWow64\drivers\ServiceHelp.dll
[2010/01/22 17:02:09 | 000,013,368 | ---- | C] () -- C:\Windows\SysWow64\drivers\AsUpIO.sys
[2010/01/22 17:01:46 | 000,024,576 | ---- | C] () -- C:\Windows\SysWow64\AsIO.dll
[2010/01/22 17:01:46 | 000,013,440 | ---- | C] () -- C:\Windows\SysWow64\drivers\AsIO.sys
[2010/01/22 16:50:08 | 000,011,529 | ---- | C] () -- C:\Windows\Ascd_log.ini
[2010/01/22 16:50:06 | 000,001,769 | ---- | C] () -- C:\Windows\Language_trs.ini
[2010/01/22 16:50:05 | 000,010,296 | ---- | C] () -- C:\Windows\SysWow64\drivers\ASUSHWIO.SYS
[2010/01/22 16:50:05 | 000,006,387 | ---- | C] () -- C:\Windows\Ascd_tmp.ini
[2009/07/14 01:38:36 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/13 22:35:51 | 000,000,741 | ---- | C] () -- C:\Windows\SysWow64\NOISE.DAT
[2009/07/13 22:34:42 | 000,215,943 | ---- | C] () -- C:\Windows\SysWow64\dssec.dat
[2009/07/13 20:10:29 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 19:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 17:59:36 | 000,982,196 | ---- | C] () -- C:\Windows\SysWow64\igkrng500.bin
[2009/07/13 17:59:36 | 000,139,824 | ---- | C] () -- C:\Windows\SysWow64\igfcg500.bin
[2009/07/13 17:59:36 | 000,097,448 | ---- | C] () -- C:\Windows\SysWow64\igfcg500m.bin
[2009/07/13 17:59:35 | 000,417,344 | ---- | C] () -- C:\Windows\SysWow64\igcompkrng500.bin
[2009/07/13 17:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/06/10 17:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat

========== LOP Check ==========

[2010/09/29 21:18:43 | 000,000,000 | ---D | M] -- C:\Users\Brandon\AppData\Roaming\Leadertech
[2010/10/18 14:14:35 | 000,000,000 | ---D | M] -- C:\Users\Brandon\AppData\Roaming\OpenOffice.org
[2011/03/09 21:45:38 | 000,000,000 | ---D | M] -- C:\Users\Brandon\AppData\Roaming\RIFT
[2011/01/18 23:29:56 | 000,032,640 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >

Edited by blackion29, 04 August 2011 - 03:10 AM.

  • 0

Advertisements


#2
BlackOxide

BlackOxide

    Trusted Helper

  • Malware Removal
  • 1,976 posts
Hi, Brandon! Welcome to GeeksToGo! My name is BlackOxide and I will be assisting you with your Malware/Security problems. Please make sure you read all of the instructions and fixes thoroughly before continuing with them. If you have any queries or you are unsure about anything, just say and I'll help you out :unsure:

It may well be worth you printing/saving the instructions throughout the fix, so you have them to hand just incase you are unable to access this site.

Please note the following:
  • Remember to post your logs, not attach them. So, any logs from any programs we run, should be just 'copied & pasted' into your reply, unless I specifically need you to attach them.
  • Please only run the tools that I request. I know malware can be frustrating but running other tools in the meantime and between posts, only makes it harder for me to analyse and fix your PC in the long run.
  • I will always try and respond to replies as soon as possible, but please be patient as some logs require more time than others to fully analyse.
  • If you are not sure of anything along the way, just ask.

OK, lets start :)



If you did a full image restore you should be ok, but if you'd like to get back to me with the following logs, I'll check it over for you :yes:



1)
OTL Quick Scan
  • Double click on the OTL icon to run it.
  • When the window appears, underneath Output at the top, make sure Standard Output is selected.
  • Tick the Scan All Users box at the top
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open a notepad window.
  • Please post the contents of this log




2)
Download aswMBR.exe (1.8mb) to your desktop.

Double click aswMBR.exe to run it.

Click the "Scan" button to start the scan.

Posted Image


On completion of the scan click save log, save it to your desktop and post it in your next reply.

Posted Image




In your next reply
Please post the contents of...
OTL log
aswMBR log

  • 0

#3
BlackOxide

BlackOxide

    Trusted Helper

  • Malware Removal
  • 1,976 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP