
Series of virus


  • This topic is locked

#16
michaelg9


    Trusted Helper

  • Malware Removal
  • 2,949 posts
Hello
When using OTL for a fix, you should press Run Fix.
When using OTL for a scan, you should press Run Scan or Quick Scan (I'll tell you which one in each case).

For the laptop issue you PMed me about: if you don't have any problems with the computer and the scans are coming back clean, there is no need to post another topic here.

These are some leftovers from an infection that was present, but they are stored in a strange folder.


Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    [2006/11/02 11:30:40 | 000,000,227 | RHS- | M] () -- C:\windows\assembly\Desktop.ini
    [2011/09/07 15:34:07 | 000,002,144 | -HS- | M] () -- C:\windows\assembly\tmp\click.tlb
    [2011/09/07 17:52:10 | 000,002,540 | -HS- | M] () -- C:\windows\assembly\tmp\loader.tlb
    [2011/07/23 23:09:51 | 000,002,048 | ---- | M] () -- C:\windows\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
    [2011/07/23 23:10:57 | 000,002,560 | ---- | M] () -- C:\windows\assembly\tmp\U\000000c0.@
    [2011/07/23 23:10:57 | 000,002,048 | ---- | M] () -- C:\windows\assembly\tmp\U\000000cb.@
    [2011/08/14 23:00:25 | 000,001,536 | ---- | M] () -- C:\windows\assembly\tmp\U\000000cf.@
    [2011/07/23 23:10:57 | 000,017,920 | ---- | M] () -- C:\windows\assembly\tmp\U\80000000.@
    [2011/09/07 19:36:39 | 000,070,144 | ---- | M] () -- C:\windows\assembly\tmp\U\800000c0.@
    [2011/09/07 15:30:07 | 000,027,136 | ---- | M] () -- C:\windows\assembly\tmp\U\800000cb.@
    [2011/09/07 20:24:40 | 000,000,000 | ---- | M] () -- C:\windows\assembly\tmp\U\800000cf.$

    :Services

    :Reg

    :Files
    C:\windows\system32\drivers\etc\hosts

    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.



Next:

Run another scan with Malwarebytes and Avast.
Remove anything found, and tell me whether they found anything and what it was.
  • 0
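As an added example (not part of the original post, and not OTL's own code): a small Python parser for the OTL file-entry lines used in the fix above, with a triage pass that flags what the helper spotted by eye: hidden+system files with no company name, files under C:\windows\assembly\tmp, and odd extensions such as .@ and .$. The watched-folder list and extension list are assumptions made for this example, and the sample text is constructed here (its entry lines are copied from the fix script above). Only bare file entries are parsed, not the PRC/SRV/DRV rows of a full log.

```python
import ntpath
import re
from dataclasses import dataclass

# One OTL file entry looks like:
#   [2011/09/07 15:34:07 | 000,002,144 | -HS- | M] () -- C:\windows\assembly\tmp\click.tlb
# timestamp | comma-grouped size | attributes (R H S D or '-') | M=modified / C=created,
# then the company name from the version info in parentheses (empty if none) and the path.
OTL_ENTRY = re.compile(
    r"^\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| "
    r"(?P<attrs>[RHSD-]{4}) \| "
    r"(?P<kind>[MC])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+?)\s*$"
)

# Assumptions for this example: folders where unsigned, user-writable files should not
# appear, and extensions that no legitimate Windows component uses.
WATCHED_ROOTS = (r"c:\windows\assembly\tmp",)
ODD_EXTENSIONS = {".@", ".$"}

# Constructed sample: the fix-script lines from the post plus one known-good driver entry.
SAMPLE_FIX = r"""
:OTL
[2006/11/02 11:30:40 | 000,000,227 | RHS- | M] () -- C:\windows\assembly\Desktop.ini
[2011/09/07 15:34:07 | 000,002,144 | -HS- | M] () -- C:\windows\assembly\tmp\click.tlb
[2011/07/23 23:10:57 | 000,002,560 | ---- | M] () -- C:\windows\assembly\tmp\U\000000c0.@
[2011/09/06 23:59:37 | 000,273,488 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSP.sys
:Commands
[purity]
"""


@dataclass
class OtlEntry:
    stamp: str
    size: int
    attrs: str
    kind: str
    company: str
    path: str

    @property
    def is_dir(self):
        return "D" in self.attrs

    @property
    def hidden_system(self):
        return "H" in self.attrs and "S" in self.attrs


def parse_otl_entries(text):
    """Return every line that matches the OTL file-entry format; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = OTL_ENTRY.match(raw.strip())
        if not m:
            continue
        entries.append(OtlEntry(
            stamp=m["stamp"],
            size=int(m["size"].replace(",", "")),
            attrs=m["attrs"],
            kind=m["kind"],
            company=m["company"].strip(),
            path=m["path"],
        ))
    return entries


def reasons(entry):
    """List why an entry deserves a second look; empty list means nothing stood out."""
    out = []
    low = entry.path.lower()
    if any(low.startswith(root) for root in WATCHED_ROOTS):
        out.append("inside watched folder")
    if entry.hidden_system and not entry.company and not entry.is_dir:
        out.append("hidden+system file with no company name")
    # ntpath handles the backslashes correctly even when this runs on a non-Windows host.
    if ntpath.splitext(low)[1] in ODD_EXTENSIONS:
        out.append("unusual extension")
    return out


def triage(text):
    """Parse an OTL fix script or log excerpt and return (entry, reasons) for flagged entries."""
    return [(e, reasons(e)) for e in parse_otl_entries(text) if reasons(e)]


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_FIX):
        print(f"{entry.attrs} {entry.size:>8} {entry.path}  <- {', '.join(why)}")
```

The attribute and company columns are the signal here: a legitimate Windows binary almost always carries a company name in its version info, so an unsigned hidden+system file in a scratch folder is worth a closer look even before you know what it is.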



#17
Snypa86


    Member

  • Topic Starter
  • Member
  • 58 posts

OTL


OTL logfile created on: 9/9/2011 11:56:56 AM - Run 5
OTL by OldTimer - Version 3.2.27.0 Folder = C:\Users\patrick\Desktop
64bit-Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.87 Gb Total Physical Memory | 2.52 Gb Available Physical Memory | 65.11% Memory free
7.92 Gb Paging File | 6.48 Gb Available in Paging File | 81.89% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 286.58 Gb Total Space | 177.88 Gb Free Space | 62.07% Space Free | Partition Type: NTFS
Drive F: | 1.86 Gb Total Space | 1.80 Gb Free Space | 96.52% Space Free | Partition Type: FAT32

Computer Name: PATRICK-PC | User Name: patrick | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/09/07 01:54:50 | 000,581,120 | ---- | M] (OldTimer Tools) -- C:\Users\patrick\Desktop\OTL.exe
PRC - [2011/06/13 21:34:37 | 000,273,544 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files (x86)\Real\realplayer\Update\realsched.exe
PRC - [2011/01/13 03:47:33 | 000,040,384 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2009/09/23 16:45:50 | 001,287,176 | ---- | M] (Panda Security) -- C:\Program Files (x86)\Panda USB Vaccine\USBVaccine.exe
PRC - [2009/04/16 21:42:58 | 000,020,544 | ---- | M] (TOSHIBA) -- C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCameraSrv.exe
PRC - [2009/03/30 19:57:22 | 000,083,312 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files (x86)\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
PRC - [2009/03/10 21:51:20 | 000,046,448 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe
PRC - [2009/03/06 20:27:10 | 000,036,864 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe
PRC - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe


========== Modules (No Company Name) ==========


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2011/01/13 03:47:33 | 000,040,384 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV:64bit: - [2009/04/14 20:57:28 | 000,251,392 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\TECO\TecoService.exe -- (TOSHIBA eco Utility Service)
SRV:64bit: - [2009/03/17 14:48:54 | 000,084,480 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe -- (TOSHIBA HDD SSD Alert Service)
SRV:64bit: - [2009/03/06 21:30:32 | 000,488,288 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe -- (TosCoSrv)
SRV:64bit: - [2009/02/19 17:53:28 | 000,055,808 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\rselect\RSelSvc.exe -- (RSELSVC)
SRV:64bit: - [2008/10/16 21:05:00 | 001,449,984 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe -- (EvtEng)
SRV:64bit: - [2008/10/16 20:27:20 | 000,826,368 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc)
SRV:64bit: - [2008/03/18 15:26:56 | 000,015,872 | ---- | M] (Agere Systems) [Auto | Running] -- C:\Windows\SysNative\agr64svc.exe -- (AgereModemAudio)
SRV:64bit: - [2007/11/21 19:53:16 | 000,135,168 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Windows\SysNative\TODDSrv.exe -- (TODDSrv)
SRV - [2010/07/28 17:36:52 | 000,246,520 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/04/16 21:42:58 | 000,020,544 | ---- | M] (TOSHIBA) [Auto | Running] -- C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCameraSrv.exe -- (camsvc)
SRV - [2009/03/30 19:57:22 | 000,083,312 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files (x86)\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe -- (TNaviSrv)
SRV - [2009/03/30 00:42:14 | 000,066,368 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2009/03/10 21:51:20 | 000,046,448 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe -- (ConfigFree Service)
SRV - [2009/03/06 20:27:10 | 000,036,864 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe -- (ConfigFree Gadget Service)
SRV - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) [Auto | Running] -- C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2011/01/13 03:41:44 | 000,273,488 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswSP.sys -- (aswSP)
DRV:64bit: - [2011/01/13 03:40:20 | 000,051,792 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswTdi.sys -- (aswTdi)
DRV:64bit: - [2011/01/13 03:37:34 | 000,029,264 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswRdr.sys -- (aswRdr)
DRV:64bit: - [2011/01/13 03:37:23 | 000,062,032 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV:64bit: - [2011/01/13 03:37:12 | 000,020,560 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV:64bit: - [2010/09/23 00:36:48 | 000,048,488 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\fssfltr.sys -- (fssfltr)
DRV:64bit: - [2010/06/23 09:21:34 | 000,318,568 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\Rtlh64.sys -- (RTL8169)
DRV:64bit: - [2009/03/18 14:46:44 | 000,032,832 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\pgeffect.sys -- (PGEffect)
DRV:64bit: - [2009/03/18 13:20:08 | 000,265,776 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\SynTP.sys -- (SynTP)
DRV:64bit: - [2009/03/11 19:35:48 | 000,071,168 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\RTSTOR64.SYS -- (RTSTOR)
DRV:64bit: - [2009/03/03 15:14:24 | 008,040,416 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\igdkmd64.sys -- (igfx)
DRV:64bit: - [2009/03/02 19:20:18 | 000,035,840 | R--- | M] (Avanquest Software) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\BVRPMPR5a64.SYS -- (BVRPMPR5a64)
DRV:64bit: - [2009/02/11 20:26:18 | 000,407,576 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\DRIVERS\iaStor.sys -- (iaStor)
DRV:64bit: - [2009/01/27 22:12:14 | 000,504,912 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\DRIVERS\tos_sps64.sys -- (tos_sps64)
DRV:64bit: - [2008/11/17 10:50:30 | 004,751,360 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\NETw5v64.sys -- (NETw5v64) Intel®
DRV:64bit: - [2008/03/21 15:47:14 | 001,253,376 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\agrsm64.sys -- (AgereSoftModem)
DRV:64bit: - [2007/12/11 17:03:36 | 000,027,272 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\tdcmdpst.sys -- (tdcmdpst)
DRV:64bit: - [2007/11/09 17:00:30 | 000,026,968 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\DRIVERS\TVALZ_O.SYS -- (TVALZ)
DRV:64bit: - [2007/07/03 21:05:18 | 000,114,856 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\sscdserd.sys -- (sscdserd) SAMSUNG Mobile Modem Diagnostic Serial Port (WDM)
DRV:64bit: - [2007/07/03 21:04:44 | 000,142,504 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\sscdmdm.sys -- (sscdmdm)
DRV:64bit: - [2007/07/03 21:04:16 | 000,016,040 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\sscdmdfl.sys -- (sscdmdfl)
DRV:64bit: - [2007/07/03 21:02:12 | 000,105,128 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\sscdbus.sys -- (sscdbus) SAMSUNG USB Composite Device driver (WDM)
DRV:64bit: - [2006/11/20 01:11:06 | 000,008,704 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\FwLnk.sys -- (FwLnk)
DRV - [2003/07/30 05:02:00 | 000,047,872 | ---- | M] (Sonic Solutions) [Kernel | Boot | Stopped] -- C:\Windows\system32\DRIVERS\PxHelp64.sys -- (PxHelp64)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.5: C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=12.0.1.647: c:\program files (x86)\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=12.0.1.647: c:\program files (x86)\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=12.0.1.652: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=12.0.1.652: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=12.0.1.647: c:\program files (x86)\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.71\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.71\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2011/08/31 16:55:27 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2011/09/09 10:57:15 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKLM..\Run: [TkBellExe] C:\Program Files (x86)\Real\realplayer\update\realsched.exe (RealNetworks, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000025 - File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000026 - File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000026 - File not found
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_27)
O16 - DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_27)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_27)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{25A69E9C-CD10-42B0-A99F-A0C2FBF785EC}: DhcpNameServer = 192.168.1.254
O18:64bit: - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msdaipp - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\wlpg {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - Reg Error: Key error. File not found
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18:64bit: - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - Reg Error: Key error. File not found
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\igfxcui: DllName - Reg Error: Key error. - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Users\patrick\Pictures\2009-11-04 Mixed\Mixed 133.JPG
O24 - Desktop BackupWallPaper: C:\Users\patrick\Pictures\2009-11-04 Mixed\Mixed 133.JPG
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/09/08 15:41:14 | 000,000,016 | -H-- | M] () - F:\AUTORUN.INF -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/09/09 11:03:28 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2011/09/09 11:03:27 | 000,000,000 | ---D | C] -- C:\Users\patrick\AppData\Local\temp
[2011/09/09 11:02:53 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2011/09/08 15:47:31 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ESET
[2011/09/08 15:40:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Panda Security
[2011/09/08 15:40:52 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Panda Security
[2011/09/08 15:40:51 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Panda USB Vaccine
[2011/09/08 10:14:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
[2011/09/08 10:14:12 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Java
[2011/09/08 10:13:10 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Java
[2011/09/07 20:58:00 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/09/07 20:57:01 | 000,581,120 | ---- | C] (OldTimer Tools) -- C:\Users\patrick\Desktop\OTL.exe
[2011/09/07 20:34:00 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2011/09/07 20:34:00 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2011/09/07 20:34:00 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2011/09/07 20:33:54 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/09/07 20:33:50 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/09/07 20:30:57 | 004,201,032 | R--- | C] (Swearware) -- C:\Users\patrick\Desktop\ComboFix.exe
[2011/09/07 20:30:52 | 000,000,000 | ---D | C] -- C:\Users\patrick\Desktop\tdsskiller
[2011/09/07 17:52:14 | 000,000,000 | ---D | C] -- C:\Users\patrick\Desktop\RK_Quarantine
[2011/09/06 23:59:38 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! Free Antivirus
[2011/09/06 23:59:37 | 000,273,488 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSP.sys
[2011/09/06 23:59:37 | 000,020,560 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswFsBlk.sys
[2011/09/06 23:59:36 | 000,029,264 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswRdr.sys
[2011/09/06 23:59:35 | 000,062,032 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswMonFlt.sys
[2011/09/06 23:59:35 | 000,051,792 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswTdi.sys
[2011/09/06 23:59:24 | 000,038,848 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr
[2011/09/06 23:59:23 | 000,188,216 | ---- | C] (AVAST Software) -- C:\Windows\SysWow64\aswBoot.exe
[2011/08/18 03:11:32 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software

========== Files - Modified Within 30 Days ==========

[2011/09/09 11:59:53 | 000,707,392 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2011/09/09 11:59:53 | 000,607,406 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2011/09/09 11:59:53 | 000,105,014 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2011/09/09 11:52:38 | 000,000,894 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/09/09 11:52:34 | 000,003,616 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/09/09 11:52:34 | 000,003,616 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/09/09 11:52:24 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/09/09 11:52:18 | 4156,542,976 | -HS- | M] () -- C:\hiberfil.sys
[2011/09/09 11:10:00 | 000,000,898 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/09/09 10:57:15 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2011/09/09 10:42:50 | 004,201,032 | R--- | M] (Swearware) -- C:\Users\patrick\Desktop\ComboFix.exe
[2011/09/07 16:36:46 | 000,001,460 | ---- | M] () -- C:\Users\patrick\AppData\Local\d3d9caps64.dat
[2011/09/07 02:10:28 | 000,418,952 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2011/09/07 01:54:50 | 000,581,120 | ---- | M] (OldTimer Tools) -- C:\Users\patrick\Desktop\OTL.exe
[2011/09/07 00:12:25 | 000,000,121 | ---- | M] () -- C:\Windows\wininit.ini
[2011/09/06 23:59:38 | 000,001,807 | ---- | M] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2011/09/06 23:59:35 | 000,000,000 | ---- | M] () -- C:\Windows\SysWow64\config.nt
[2011/09/05 12:05:38 | 000,002,036 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2011/08/18 02:31:31 | 952,948,500 | ---- | M] () -- C:\Windows\MEMORY.DMP

========== Files Created - No Company Name ==========

[2011/09/07 20:34:00 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2011/09/07 20:34:00 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2011/09/07 20:34:00 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/09/07 20:34:00 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/09/07 20:34:00 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/09/07 19:35:24 | 4156,542,976 | -HS- | C] () -- C:\hiberfil.sys
[2011/09/07 00:12:25 | 000,000,121 | ---- | C] () -- C:\Windows\wininit.ini
[2011/09/06 23:59:38 | 000,001,807 | ---- | C] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2011/07/23 23:48:30 | 000,721,764 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2011/07/23 22:57:04 | 000,246,272 | ---- | C] () -- C:\Windows\unrar.exe
[2011/06/03 09:38:28 | 000,001,460 | ---- | C] () -- C:\Users\patrick\AppData\Local\d3d9caps64.dat
[2011/02/13 02:23:58 | 000,000,680 | ---- | C] () -- C:\Users\patrick\AppData\Local\d3d9caps.dat
[2010/08/05 13:40:14 | 000,004,096 | -H-- | C] () -- C:\Users\patrick\AppData\Local\keyfile3.drm
[2009/12/14 20:14:33 | 000,222,552 | ---- | C] () -- C:\Windows\RM.exe
[2009/12/14 19:52:26 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2009/12/14 17:28:02 | 000,000,000 | ---- | C] () -- C:\Users\patrick\AppData\Roaming\wklnhst.dat
[2009/12/03 22:36:55 | 000,117,248 | ---- | C] () -- C:\Windows\SysWow64\EhStorAuthn.dll
[2009/12/03 22:36:24 | 000,107,612 | ---- | C] () -- C:\Windows\SysWow64\StructuredQuerySchema.bin
[2009/12/03 22:35:57 | 000,368,640 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/10/11 04:30:37 | 000,017,043 | ---- | C] () -- C:\Users\patrick\AppData\Roaming\UserTile.png
[2009/09/28 17:36:05 | 000,005,632 | ---- | C] () -- C:\Users\patrick\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/09/28 16:25:53 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2009/09/08 03:28:20 | 000,000,013 | RHS- | C] () -- C:\Windows\SysWow64\drivers\fbd.sys
[2009/06/16 20:23:35 | 000,000,000 | ---- | C] () -- C:\Windows\NDSTray.INI
[2009/05/03 03:00:45 | 000,209,040 | ---- | C] () -- C:\Windows\SysWow64\IVIresizeW7.dll
[2009/05/03 03:00:45 | 000,196,752 | ---- | C] () -- C:\Windows\SysWow64\IVIresizeP6.dll
[2009/05/03 03:00:45 | 000,192,656 | ---- | C] () -- C:\Windows\SysWow64\IVIresizePX.dll
[2009/05/03 03:00:44 | 000,204,944 | ---- | C] () -- C:\Windows\SysWow64\IVIresizeA6.dll
[2009/05/03 03:00:44 | 000,196,752 | ---- | C] () -- C:\Windows\SysWow64\IVIresizeM6.dll
[2009/05/03 03:00:44 | 000,024,720 | ---- | C] () -- C:\Windows\SysWow64\IVIresize.dll
[2009/05/03 01:26:27 | 000,018,904 | ---- | C] () -- C:\Windows\SysWow64\StructuredQuerySchemaTrivial.bin
[2009/03/03 15:12:44 | 000,445,796 | ---- | C] () -- C:\Windows\SysWow64\igcompkrng500.bin
[2009/03/03 15:12:44 | 000,147,172 | ---- | C] () -- C:\Windows\SysWow64\igfcg550.bin
[2009/03/03 15:12:42 | 002,026,604 | ---- | C] () -- C:\Windows\SysWow64\igkrng500.bin
[2008/01/20 22:50:05 | 000,060,124 | ---- | C] () -- C:\Windows\SysWow64\tcpmon.ini
[2006/11/02 11:37:05 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 08:37:14 | 000,215,943 | ---- | C] () -- C:\Windows\SysWow64\dssec.dat
[2006/11/02 08:24:17 | 000,000,741 | ---- | C] () -- C:\Windows\SysWow64\NOISE.DAT
[2006/11/02 08:18:17 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat
[2006/11/02 05:47:54 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2003/07/31 10:09:30 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\px.ini
[2003/01/07 19:05:08 | 000,002,695 | ---- | C] () -- C:\Windows\SysWow64\OUTLPERF.INI
[2002/05/24 04:00:00 | 000,208,896 | ---- | C] () -- C:\Windows\SysWow64\lockout.dll
[2002/05/24 04:00:00 | 000,045,056 | ---- | C] () -- C:\Windows\SysWow64\lockres.dll

========== LOP Check ==========

[2011/01/20 04:18:48 | 000,000,000 | ---D | M] -- C:\Users\patrick\AppData\Roaming\CometPlayer
[2010/08/04 22:22:42 | 000,000,000 | ---D | M] -- C:\Users\patrick\AppData\Roaming\iWin
[2009/09/13 04:28:22 | 000,000,000 | ---D | M] -- C:\Users\patrick\AppData\Roaming\Leadertech
[2011/08/05 20:18:51 | 000,000,000 | ---D | M] -- C:\Users\patrick\AppData\Roaming\mjusbsp
[2010/10/12 21:43:23 | 000,000,000 | ---D | M] -- C:\Users\patrick\AppData\Roaming\PDF Viewer
[2009/12/14 20:24:57 | 000,000,000 | ---D | M] -- C:\Users\patrick\AppData\Roaming\Smith Micro
[2011/03/25 20:10:39 | 000,000,000 | ---D | M] -- C:\Users\patrick\AppData\Roaming\TeamViewer
[2009/12/14 17:28:05 | 000,000,000 | ---D | M] -- C:\Users\patrick\AppData\Roaming\Template
[2010/12/27 22:38:15 | 000,000,000 | ---D | M] -- C:\Users\patrick\AppData\Roaming\TigerPlayer
[2009/09/08 03:56:47 | 000,000,000 | ---D | M] -- C:\Users\patrick\AppData\Roaming\TOSHIBA
[2009/09/09 05:14:35 | 000,000,000 | ---D | M] -- C:\Users\patrick\AppData\Roaming\WildTangent
[2009/09/08 03:27:56 | 000,000,000 | ---D | M] -- C:\Users\patrick\AppData\Roaming\WinBatch
[2011/09/09 11:51:42 | 000,032,596 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >


MBAM


Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7685

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

9/9/2011 3:03:52 PM
mbam-log-2011-09-09 (15-03-52).txt

Scan type: Full scan (C:\|)
Objects scanned: 339414
Time elapsed: 47 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

AVAST

I attached a picture of a print screen of what Avast found

Attached thumbnail: prntscrn.jpg

#18 michaelg9 (Trusted Helper, Malware Removal, 2,949 posts)
Hello
Avast is acting a little strange. RKreport is just RogueKiller's log and it's a text file, so it's a false positive.
The first and last entries are quarantined by OTL and ComboFix, so they're not dangerous.
Now for the GAC_32 and GAC_64 folders, this is the strangest part. These two are normal folders with a lot of Windows data in them; I have them on my system too. They can't be deleted without bad consequences, and I think Avast doesn't detect folders.
What I can think of is that there is a file inside each one with a non-displayable character as its name, so let's check it out:


OTL Custom Scan
  • Double click on the OTL icon to run it.
  • Make sure all other windows are closed and let it run uninterrupted.
  • When the window appears, click the None button.
  • Under the Custom Scans/Fixes box copy and paste this in:

    C:\windows\assembly\GAC_32\*
    C:\windows\assembly\GAC_64\*

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open OTL.Txt in a Notepad window.
  • Please copy (Edit->Select All, Edit->Copy) the content of this file and post it with your next reply.


#19 Snypa86 (Topic Starter, Member, 58 posts)

OTL



OTL logfile created on: 9/9/2011 5:09:04 PM - Run 6
OTL by OldTimer - Version 3.2.27.0 Folder = C:\Users\patrick\Desktop
64bit-Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.87 Gb Total Physical Memory | 2.23 Gb Available Physical Memory | 57.50% Memory free
7.94 Gb Paging File | 6.33 Gb Available in Paging File | 79.68% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 286.58 Gb Total Space | 176.07 Gb Free Space | 61.44% Space Free | Partition Type: NTFS

Computer Name: PATRICK-PC | User Name: patrick | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

========== Custom Scans ==========


< C:\windows\assembly\GAC_32\* >
File not found -- C:\windows\assembly\GAC_32\

< C:\windows\assembly\GAC_64\* >
File not found -- C:\windows\assembly\GAC_64\

< End of report >

#20 michaelg9 (Trusted Helper, Malware Removal, 2,949 posts)
Hello

Open notepad and paste the following inside:

@echo off
rem List every entry, including hidden and system ones, in both GAC folders
dir /a "C:\windows\assembly\GAC_32" > "C:\Users\patrick\Desktop\dira.txt"
dir /a "C:\windows\assembly\GAC_64" > "C:\Users\patrick\Desktop\dirb.txt"



Go to File > Save as...
Save it as list.bat on your Desktop.
You should see a file named list on your Desktop.
Run it.
It should create two text files on your Desktop:

dira.txt
dirb.txt


Copy their contents here

#21 Snypa86 (Topic Starter, Member, 58 posts)

dira

Volume in drive C is TI100680V0E
Volume Serial Number is BE70-76E3

Directory of C:\Windows\assembly\GAC_32

09/09/2011 10:54 AM <DIR> .
09/09/2011 10:54 AM <DIR> ..
09/07/2011 07:35 PM 25,600
08/05/2011 08:17 PM <DIR> CustomMarshalers
08/05/2011 08:17 PM <DIR> ehexthost32
08/05/2011 08:17 PM <DIR> ISymWrapper
08/05/2011 08:17 PM <DIR> Microsoft.Ink
08/05/2011 08:17 PM <DIR> Microsoft.Interop.Security.AzRoles
08/05/2011 08:17 PM <DIR> Microsoft.Transactions.Bridge.Dtc
08/05/2011 08:17 PM <DIR> mscorlib
08/05/2011 08:17 PM <DIR> napcrypt
08/05/2011 08:17 PM <DIR> naphlpr
08/05/2011 08:17 PM <DIR> Policy.1.0.Microsoft.Ink
08/05/2011 08:17 PM <DIR> Policy.1.0.Microsoft.Interop.Security.AzRoles
08/05/2011 08:17 PM <DIR> Policy.1.2.Microsoft.Interop.Security.AzRoles
08/05/2011 08:17 PM <DIR> Policy.1.7.Microsoft.Ink
08/05/2011 08:17 PM <DIR> PresentationCore
08/05/2011 08:17 PM <DIR> System.Data
08/05/2011 08:17 PM <DIR> System.Data.OracleClient
08/05/2011 08:17 PM <DIR> System.EnterpriseServices
08/05/2011 08:17 PM <DIR> System.Printing
08/05/2011 08:17 PM <DIR> System.Transactions
08/05/2011 08:17 PM <DIR> System.Web
1 File(s) 25,600 bytes
22 Dir(s) 189,055,873,024 bytes free


dirb


Volume in drive C is TI100680V0E
Volume Serial Number is BE70-76E3

Directory of C:\Windows\assembly\GAC_64

09/09/2011 10:54 AM <DIR> .
09/09/2011 10:54 AM <DIR> ..
09/07/2011 07:35 PM 33,792
08/05/2011 08:17 PM <DIR> BDATunePIA
08/05/2011 08:17 PM <DIR> CustomMarshalers
08/05/2011 08:17 PM <DIR> ISymWrapper
08/05/2011 08:17 PM <DIR> mcstoredb
08/05/2011 08:17 PM <DIR> mcupdate
08/05/2011 08:17 PM <DIR> Mcx2Dvcs
08/05/2011 08:17 PM <DIR> Microsoft.Ink
08/05/2011 08:17 PM <DIR> Microsoft.Interop.Security.AzRoles
08/05/2011 08:17 PM <DIR> Microsoft.MediaCenter.Interop
08/05/2011 08:17 PM <DIR> Microsoft.MediaCenter.iTV.Media
08/05/2011 08:17 PM <DIR> Microsoft.MediaCenter.Mheg
08/05/2011 08:17 PM <DIR> Microsoft.Transactions.Bridge.Dtc
08/05/2011 08:17 PM <DIR> mscorlib
08/05/2011 08:17 PM <DIR> napcrypt
08/05/2011 08:17 PM <DIR> naphlpr
08/05/2011 08:17 PM <DIR> Policy.1.0.Microsoft.Ink
08/05/2011 08:17 PM <DIR> Policy.1.0.Microsoft.Interop.Security.AzRoles
08/05/2011 08:17 PM <DIR> Policy.1.2.Microsoft.Interop.Security.AzRoles
08/05/2011 08:17 PM <DIR> Policy.1.7.Microsoft.Ink
08/05/2011 08:17 PM <DIR> PresentationCore
08/05/2011 08:17 PM <DIR> System.Data
08/05/2011 08:17 PM <DIR> System.Data.OracleClient
08/05/2011 08:17 PM <DIR> System.EnterpriseServices
08/05/2011 08:17 PM <DIR> System.Printing
08/05/2011 08:17 PM <DIR> System.Transactions
08/05/2011 08:17 PM <DIR> System.Web
1 File(s) 33,792 bytes
28 Dir(s) 189,055,868,928 bytes free

#22 michaelg9 (Trusted Helper, Malware Removal, 2,949 posts)
OK :) We found it. There are two 'unnamed' files in these directories, and these are what Avast is detecting.
Open up Avast as you did before when you showed me the scan results and move the following two entries to the Chest:

C:\Windows\assembly\GAC_64
C:\Windows\assembly\GAC_32


Then we're done. I just need you to tell me if there are any problems with the computer before I give you my closing speech.
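Both `dir /a` listings above contain a dated entry that has a size (25,600 and 33,792 bytes) but no visible name, which is exactly the kind of file michaelg9 suspected in post #18 and confirmed in post #22. The script below is an added example, not part of the thread and not from OTL, RogueKiller or Avast: it parses saved `dir /a` output of the kind posted and reports entries whose name is empty or contains characters that do not print (zero-width, control or formatting characters), so the check can be run over a listing instead of eyeballing it. The listing it runs on is a constructed sample, trimmed from the GAC_32 output above with one made-up entry (a name beginning with U+200B) added to exercise the non-printable branch; a US date order and optional AM/PM time marker are assumed.

```python
import re
import unicodedata

# Constructed sample (not the thread's verbatim output): the flattened GAC_32
# "dir /a" listing from the thread, trimmed, plus one made-up entry whose name
# starts with U+200B (zero width space) to exercise the non-printable branch.
SAMPLE_DIR_OUTPUT = """\
 Volume in drive C is TI100680V0E
 Volume Serial Number is BE70-76E3

 Directory of C:\\Windows\\assembly\\GAC_32

09/09/2011 10:54 AM <DIR> .
09/09/2011 10:54 AM <DIR> ..
09/07/2011 07:35 PM 25,600
08/05/2011 08:17 PM <DIR> CustomMarshalers
08/05/2011 08:17 PM <DIR> mscorlib
08/05/2011 08:17 PM 1,024 \u200bhidden.dll
 1 File(s) 25,600 bytes
 22 Dir(s) 189,055,873,024 bytes free
"""

# One "dir" entry line: date, time, either <DIR> or a comma-grouped size, then
# the name. US date order and an optional AM/PM marker are assumed; the name
# group is optional so a line that stops right after the size is still an entry.
ENTRY_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{1,2}:\d{2}(?:\s+[AP]M)?)\s+"
    r"(?P<kind><DIR>|[\d,]+)(?:\s+(?P<name>.*))?$"
)


def parse_dir_listing(text):
    """Return (kind, name) pairs for every entry line; kind is '<DIR>' or the size."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("kind"), m.group("name") or ""))
    return entries


def suspicious_entries(text):
    """Flag entries whose name is empty or contains non-printable characters.

    Each finding is (kind, displayable_name, reason). '.' and '..' are skipped.
    """
    findings = []
    for kind, name in parse_dir_listing(text):
        if name in (".", ".."):
            continue
        if not name:
            findings.append((kind, "<no visible name>", "empty name"))
            continue
        # str.isprintable() is False for control, format, surrogate, private-use
        # and unassigned code points, and for separators other than a plain space.
        bad = [
            f"U+{ord(ch):04X} ({unicodedata.name(ch, 'UNNAMED')})"
            for ch in name
            if not ch.isprintable()
        ]
        if bad:
            shown = name.encode("unicode_escape").decode("ascii")
            findings.append((kind, shown, "non-printable: " + ", ".join(bad)))
    return findings


if __name__ == "__main__":
    for kind, shown, reason in suspicious_entries(SAMPLE_DIR_OUTPUT):
        print(f"{kind:>8}  {shown}  [{reason}]")
```

Run over a real dira.txt or dirb.txt (open the file with the same encoding the console used, typically the OEM code page), the script lists only the entries worth a closer look; a clean GAC folder produces no findings, since every normal entry there is a named directory.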

#23 Snypa86 (Topic Starter, Member, 58 posts)
OK, quick question: what option do I choose for the other things? I will move the two files you stated to the Chest, but what do I do with the other 3?
I selected "delete" for the text file, but I'm not sure about the others.

Edited by Snypa86, 09 September 2011 - 04:04 PM.


#24 michaelg9 (Trusted Helper, Malware Removal, 2,949 posts)
The others are in OTL and ComboFix quarantine, so they'll be removed during the clean-up.

Happy to hear that you're clean finally :unsure:

Congratulations! Your logs are clean! :) Now that you are clean, please follow these precautions in order to keep safe:


Over the course of the fix you've used a variety of special tools to help with the cleaning process - none of these are of any use to you now that you're clean, and it's best not to have them hanging around on your computer.


Next:


Uninstall ComboFix from your computer:
  • Click on Start > Run
  • Type Combofix /Uninstall in the run box and click Ok. Note the space between the x and the /Uninstall; it needs to be there.

Next:

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Commands
    [resethosts]
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL for the last time and hit the cleanup button. It will remove all the programs we have used plus itself.

Next:

Note: If you are using Firefox I would suggest the use of these add-ons:
  • NoScript - for blocking ads and other potential website attacks.
  • McAfee SiteAdvisor - this tells you whether the sites you are about to visit are safe or not. A must if you do a lot of Googling.


Next:


Automatic Updates for Windows
  • Click Start.
  • Select Settings and then Control Panel.
  • Select Automatic Updates.
  • Click Automatic (recommended)
  • Choose a day and a time when you know the computer will be on and connected to the internet.
  • Click Apply then OK.



Next:


Additional security programs - For additional security, the use of these tools is important:
  • Malwarebytes Anti-Malware - Update the free version and scan with it often. It is an excellent scanning tool to have on your side.
  • The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer. This little program packs a powerful punch as it blocks ads, banners, 3rd-party cookies, 3rd-party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial.

Next:

Upgrading Java:
  • Go here and click Do I have Java
  • It will check your current version and then offer to update to the latest version, if there are any.


Next:


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.


Next:


Keep a backup of your important files to prevent future data loss.


Happy safe computing !! :yes:
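The MVPS Hosts paragraph above explains the mechanism: a name that the hosts file maps to 127.0.0.1 never leaves the machine. The same mechanism is why a tampered hosts file can silently send a legitimate name somewhere else, which is what the [resethosts] command in the OTL fix above undoes. The script below is an added example, not from the thread, MVPS or OTL: it parses a hosts file, separates the default localhost lines and MVPS-style blocking entries (targets of loopback or 0.0.0.0) from entries that redirect a hostname to any other address, and lists those redirects for review. The hosts text is a constructed sample; the .example names and the 192.0.2.44 address are documentation values, not real sites.

```python
import ipaddress

# Constructed sample hosts file (not from the thread). The .example names and
# 192.0.2.44 (TEST-NET-1) are documentation values.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0    ads.example                 # blocking entry, MVPS style
127.0.0.1  adserver.example            # blocking entry
192.0.2.44 update.security-vendor.example   # constructed hijack entry
127.0.0.1  www.tracker.example tracker.example
not-an-ip  broken.example              # malformed line
"""

# Names that belong on loopback in a stock hosts file.
DEFAULT_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Parse hosts-file text into (lineno, ip, names) records.

    Comments and blank lines are skipped. A line whose first field is not an
    IP address is kept with ip=None so the audit can report it as malformed.
    """
    records = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            ip = None
        records.append((lineno, ip, fields[1:] if ip is not None else fields))
    return records


def classify(ip, names):
    """Label one record.

    default   - stock localhost lines
    block     - loopback or 0.0.0.0 target, i.e. an MVPS-style sinkhole entry
    redirect  - any other target; the name is being sent somewhere real
    malformed - no parsable address or no hostname
    """
    if ip is None or not names:
        return "malformed"
    if ip.is_loopback or ip.is_unspecified:
        return "default" if all(n in DEFAULT_NAMES for n in names) else "block"
    return "redirect"


def audit_hosts(text):
    """Return (summary counts by label, list of redirect records) for a hosts file."""
    summary = {"default": 0, "block": 0, "redirect": 0, "malformed": 0}
    redirects = []
    for lineno, ip, names in parse_hosts(text):
        kind = classify(ip, names)
        summary[kind] += 1
        if kind == "redirect":
            redirects.append((lineno, str(ip), names))
    return summary, redirects


if __name__ == "__main__":
    counts, flagged = audit_hosts(SAMPLE_HOSTS)
    print("summary:", counts)
    for lineno, ip, names in flagged:
        print(f"line {lineno}: {' '.join(names)} -> {ip}  (not a loopback/sinkhole target, review)")
```

On Windows the file to feed in is C:\Windows\System32\drivers\etc\hosts; a freshly reset hosts file should show only default lines, and one with the MVPS list installed should show many block entries and no redirects.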

#25 Snypa86 (Topic Starter, Member, 58 posts)
Thank you, Michael. Glad to know that you were able to get this under control with your skill. Everything seems stable and running well except for doing a Windows update. I keep getting error code 643. I know this may not be your area, but have you ever experienced this before?


#26 michaelg9 (Trusted Helper, Malware Removal, 2,949 posts)
Are you trying to download an update for .NET Framework? If yes, that's a common error. A solution is to uninstall .NET Framework and then download and install its latest version directly from Microsoft's site.
So, are you trying to download an update for .NET Framework?

#27 Snypa86 (Topic Starter, Member, 58 posts)
.NET Framework seems to be one of the updates that needs to be installed. I will try your method and see how that pans out for me and the situation.

#28 michaelg9 (Trusted Helper, Malware Removal, 2,949 posts)
If you need help tell me
What is the other update?

#29 Snypa86 (Topic Starter, Member, 58 posts)
I tried rebooting; that didn't work. I tried using "install updates before shutdown"; that didn't seem to work either. There are 4 updates, see the attached picture below:

Attached thumbnail: Untitled.jpg

#30 Snypa86 (Topic Starter, Member, 58 posts)
Just ran it again; it said 2 were successful and 2 weren't. The two that are left are the 27.7MB and the 37.7MB ones.





