Slow, infected laptop



#1 LukeMcD
My brother's laptop is on the verge of death and it doesn't help that he doesn't have any clues as to how the viruses may have got there :)

Been into safe mode, deep scanned with MBAM and removed everything there, logged back on and then MSE says threats detected.

The laptop is sluggish and in the past month sites like ebay redirect etc., and the obvious porn pop-ups.

Where do I start?

Edited by LukeMcD, 02 October 2011 - 02:01 PM.



#2 Amlak
Welcome to GTG. Let's help you out with your malware issue(s).

Before we start, make sure you carefully read what I have to say. Don't skip anything. You may even want to have this all printed out in case you're forced to exit this window.

Also, expect some delay with my responses later on as I'm still in training and need to have all of my fixes approved before I can submit them.

Step 1

aswMBR

  • Download aswMBR.exe to your desktop.
  • Double-click aswMBR.exe to run it.
  • Click the [Scan] button to start the scan.
  • On completion of the scan click [Save log], save it to your desktop and post it in your next reply.


Step 2

OTL

Download OTL.exe from here and save it to the Desktop.

Open OTL and click the Quick Scan button. Make sure you post the log it produces in your next reply.

#3 LukeMcD
Bad news.

I did the aswMBR scan and saved the log, then midway through the OTL scan the laptop powered off.

Every time I restart the laptop it just says "missing operating system".

#4 Amlak
Here is what you need to do.

  • Connect your USB stick to a clean computer.
  • From the clean computer, copy the following and paste it into a Notepad file.

    /md5start
    UXTHEME.DLL
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    userinit.exe
    explorer.exe
    winlogon.exe
    ntoskrnl.exe
    /md5stop
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    %systemroot%\System32\config\*.sav


  • Save the Notepad file to your USB stick. Save it as scan.txt
  • Download OTLPEStd.exe to your desktop.
  • Once downloaded, insert a blank CD in your burner and click on OTLPEStd.exe. The executable includes the OTLPE_New_Std.iso and a copy of imgburn, a program to burn .iso files. When executed, the application will extract both and start the burning process automatically.
  • Once the CD is burned, boot the non-working computer using the boot CD you just created. For more information, click here
    • Don't forget to connect the USB stick to the computer before you boot from the CD.
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
    • Change Drivers to All
    • Change Standard Registry to All
    • Under the Custom Scan box paste the contents of the Notepad file that you previously saved to your USB stick (scan.txt)
  • Press Run Scan to start the scan.
  • When finished, the file will be saved as C:\OTL.txt
  • Copy this file to your USB drive.
  • Please post the contents of the C:\OTL.txt file in your reply.

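The file list between /md5start and /md5stop in the post above asks OTL to report MD5 hashes of boot-critical system files so they can be compared with known-good copies; a replaced or patched copy shows up as a hash that does not match. The following Python script is an added example, not OTL's own code and not from the post, that performs the same check offline: it parses the file list out of an OTL-style scan block (ignoring the path patterns after /md5stop), locates each file case-insensitively under given search roots, hashes it, and reports it as OK, MODIFIED, MISSING or UNKNOWN against a baseline. The demo() scenario, its temporary directory, its file contents and its baseline hashes are all constructed for illustration; a real baseline would come from a clean installation of the same Windows build or from the vendor's published hashes.

```python
import hashlib
import os
import tempfile

# Subset of the custom-scan block from the post above, in OTL's own format:
# file names between /md5start and /md5stop, followed by path patterns that
# the parser must ignore.
SCAN_TEXT = r"""
/md5start
atapi.sys
iaStor.sys
ntoskrnl.exe
userinit.exe
/md5stop
%SYSTEMDRIVE%\*.*
%systemroot%\*. /mp /s
"""


def parse_md5_list(scan_text):
    """Return the file names listed between /md5start and /md5stop, in order."""
    names, inside = [], False
    for raw in scan_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() == "/md5start":
            inside = True
        elif line.lower() == "/md5stop":
            inside = False
        elif inside:
            names.append(line)
    return names


def md5_file(path, chunk_size=1 << 16):
    """Stream the file through MD5 so large drivers do not have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def find_file(name, roots):
    """Case-insensitive search for `name` under each root (Windows names are case-insensitive)."""
    target = name.lower()
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for fname in files:
                if fname.lower() == target:
                    return os.path.join(dirpath, fname)
    return None


def verify_files(names, roots, baseline):
    """Compare each listed file with a baseline {lowercase name: md5 hex}.

    Statuses: OK (hash matches), MODIFIED (present but hash differs),
    MISSING (not found under any root), UNKNOWN (no baseline entry).
    """
    report = {}
    for name in names:
        key = name.lower()
        path = find_file(name, roots)
        if path is None:
            report[key] = "MISSING"
        elif key not in baseline:
            report[key] = "UNKNOWN"
        elif baseline[key] == md5_file(path):
            report[key] = "OK"
        else:
            report[key] = "MODIFIED"
    return report


def demo():
    """Constructed scenario (hypothetical files and hashes, not real Windows binaries):
    one clean driver, one patched driver, one absent file, one file without a baseline."""
    root = tempfile.mkdtemp(prefix="md5check_")
    drivers = os.path.join(root, "drivers")
    os.makedirs(drivers)
    with open(os.path.join(drivers, "atapi.sys"), "wb") as fh:
        fh.write(b"clean atapi driver bytes")
    with open(os.path.join(drivers, "iaStor.sys"), "wb") as fh:
        fh.write(b"patched iaStor driver bytes")
    with open(os.path.join(root, "userinit.exe"), "wb") as fh:
        fh.write(b"userinit bytes with no baseline")
    baseline = {
        "atapi.sys": hashlib.md5(b"clean atapi driver bytes").hexdigest(),
        "iastor.sys": hashlib.md5(b"original iaStor driver bytes").hexdigest(),
        "ntoskrnl.exe": hashlib.md5(b"kernel bytes that are not on disk").hexdigest(),
    }
    return verify_files(parse_md5_list(SCAN_TEXT), [root], baseline)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

Running the script prints one status per listed file; in the constructed demo, atapi.sys is OK, iaStor.sys is MODIFIED, ntoskrnl.exe is MISSING and userinit.exe is UNKNOWN. On a real system the search roots would be the Windows and System32\drivers directories of the suspect installation, mounted read-only from a clean boot environment such as the OTLPE CD described above, so that a rootkit on the running system cannot interfere with what the hashing process reads.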

#5 LukeMcD
OK, I turned the laptop on today and it boots up normally, so I tried the OTL scan again. Same thing happened: it powered off and said OS not found.

I did the steps to create the CD and I put the CD-ROM at 1st priority for boot-up and it still attempts to load the OS.

#6 Amlak

OK, I turned the laptop on today and it boots up normally, so I tried the OTL scan again. Same thing happened: it powered off and said OS not found.

I did the steps to create the CD and I put the CD-ROM at 1st priority for boot-up and it still attempts to load the OS.


Can you login at the moment? If so, forget about the OTL scan and just post the aswMBR scan log that I asked for in my first post.

What Windows is it by the way?

#7 LukeMcD
Oddly enough, it looks like the OTL log also saved, even after the OS problem.

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-10-03 18:22:38
-----------------------------
18:22:38.776    OS Version: Windows 6.0.6000 
18:22:38.776    Number of processors: 1 586 0x1601
18:22:38.776    ComputerName: MARTAIN-PC  UserName: Martain
18:22:46.568    Initialize success
18:23:12.239    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4
18:23:12.250    Disk 0 Vendor: Hitachi_HTS542580K9SA00 BBBOC31P Size: 76319MB BusType: 3
18:23:14.279    Disk 0 MBR read successfully
18:23:14.285    Disk 0 MBR scan
18:23:14.289    Disk 0 TDL4@MBR code has been found
18:23:14.293    Disk 0 MBR hidden
18:23:14.300    Disk 0 MBR [TDL4]  **ROOTKIT**
18:23:14.305    Disk 0 trace - called modules:
18:23:14.314    ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x8503c4d0]<<
18:23:14.321    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84a80700]
18:23:14.327    3 ntoskrnl.exe[820a80af] -> nt!IofCallDriver -> [0x8441c838]
18:23:14.335    5 acpi.sys[8047b32a] -> nt!IofCallDriver -> [0x84412bb0]
18:23:14.341    \Driver\atapi[0x84fffab0] -> IRP_MJ_CREATE -> 0x8503c4d0
18:23:14.348    Scan finished successfully
18:23:51.621    Disk 0 MBR has been saved successfully to "F:\MBR.dat"
18:23:51.724    The log file has been saved successfully to "F:\aswMBR.txt"



OTL logfile created on: 03/10/2011 18:24:16 - Run 1
OTL by OldTimer - Version 3.2.29.1     Folder = F:\
Windows Vista Home Basic Edition  (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6000.17037)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy
 
1013.40 Mb Total Physical Memory | 233.78 Mb Available Physical Memory | 23.07% Memory free
2.22 Gb Paging File | 1.30 Gb Available in Paging File | 58.33% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 32.51 Gb Total Space | 0.47 Gb Free Space | 1.44% Space Free | Partition Type: NTFS
Drive D: | 32.26 Gb Total Space | 32.17 Gb Free Space | 99.72% Space Free | Partition Type: NTFS
Drive F: | 60.73 Mb Total Space | 37.03 Mb Free Space | 60.98% Space Free | Partition Type: FAT
 
Computer Name: MARTAIN-PC | User Name: Martain | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
[color=#E56717]========== Processes (SafeList) ==========[/color]
 
PRC - [2011/10/03 18:17:48 | 000,582,656 | ---- | M] (OldTimer Tools) -- F:\OTL.exe
PRC - [2011/09/04 18:34:58 | 000,137,536 | ---- | M] (Facebook Inc.) -- C:\Users\Martain\AppData\Local\Facebook\Update\FacebookUpdate.exe
PRC - [2011/08/31 17:00:48 | 000,449,608 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2011/08/31 17:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2011/06/15 15:16:48 | 000,997,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2011/04/27 15:39:26 | 000,228,520 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\Antimalware\MpCmdRun.exe
PRC - [2011/04/27 15:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2008/10/29 07:20:29 | 002,923,520 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2006/11/02 10:45:59 | 000,116,736 | ---- | M] () -- \\?\C:\Windows\System32\wbem\WMIADAP.EXE
 
 
[color=#E56717]========== Modules (No Company Name) ==========[/color]
 
 
[color=#E56717]========== Win32 Services (SafeList) ==========[/color]
 
SRV - File not found [Auto | Stopped] --  -- (LiveUpdate Notice Ex)
SRV - File not found [Auto | Stopped] --  -- (CLTNetCnService)
SRV - [2011/09/26 13:00:17 | 000,041,984 | ---- | M] () [Auto | Stopped] -- C:\Windows\System32\obegen.exe -- (obegen)
SRV - [2011/08/31 17:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011/04/27 15:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2008/01/29 18:38:31 | 000,583,048 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe -- (LiveUpdate Notice Service)
SRV - [2007/07/31 14:15:55 | 000,265,912 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/06/22 02:25:46 | 000,118,464 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe -- (CLSched) CyberLink Task Scheduler (CTS)
SRV - [2007/06/22 02:25:44 | 000,257,736 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe -- (CLCapSvc) CyberLink Background Capture Service (CBCS)
SRV - [2007/06/22 02:24:12 | 001,076,832 | ---- | M] (Cyberlink) [Disabled | Stopped] -- C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe -- (CyberLink Media Library Service)
SRV - [2007/06/05 18:13:28 | 000,024,576 | ---- | M] () [Disabled | Stopped] -- C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe -- (eSettingsService)
SRV - [2007/05/22 23:00:02 | 000,135,168 | ---- | M] (Acer Inc.) [Disabled | Stopped] -- C:\Acer\Empowering Technology\eNet\eNet Service.exe -- (eNet Service)
SRV - [2007/05/17 06:15:22 | 000,163,840 | ---- | M] (acer) [Disabled | Stopped] -- C:\Acer\Empowering Technology\ePower\ePowerSvc.exe -- (WMIService)
SRV - [2007/04/26 00:34:30 | 000,457,512 | ---- | M] (HiTRSUT) [Disabled | Stopped] -- C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe -- (eDataSecurity Service)
SRV - [2007/03/14 18:52:30 | 000,024,576 | ---- | M] (Acer Inc.) [Disabled | Stopped] -- C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe -- (eLockService)
SRV - [2007/02/13 14:26:50 | 000,053,248 | ---- | M] (Acer Inc.) [Disabled | Stopped] -- C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe -- (eRecoveryService)
SRV - [2007/01/26 22:24:42 | 000,050,688 | ---- | M] () [Disabled | Stopped] -- C:\Acer\ALaunch\ALaunchSvc.exe -- (ALaunchService)
SRV - [2006/11/24 20:57:54 | 000,107,008 | ---- | M] () [Disabled | Stopped] -- C:\Acer\Mobility Center\MobilityService.exe -- (MobilityService)
 
 
[color=#E56717]========== Driver Services (SafeList) ==========[/color]
 
DRV - [2011/10/03 18:18:45 | 000,028,752 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{1733BB72-7441-4F8C-8957-53FD41D58478}\MpKslae482b6c.sys -- (MpKslae482b6c)
DRV - [2011/10/02 20:47:16 | 000,028,752 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{1733BB72-7441-4F8C-8957-53FD41D58478}\MpKslbc210d5e.sys -- (MpKslbc210d5e)
DRV - [2011/10/01 17:15:47 | 000,028,752 | ---- | M] () [Kernel | System | Stopped] -- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{1733BB72-7441-4F8C-8957-53FD41D58478}\MpKsle19d267c.sys -- (MpKsle19d267c)
DRV - [2011/08/31 17:00:50 | 000,022,216 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2011/04/18 13:18:50 | 000,043,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\MpNWMon.sys -- (MpNWMon)
DRV - [2008/09/02 09:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2008/09/02 09:00:00 | 000,099,376 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2007/06/18 11:03:32 | 000,737,280 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2007/06/14 03:33:26 | 000,154,624 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2007/01/30 06:23:30 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2006/12/08 02:12:02 | 000,076,584 | ---- | M] () [Kernel | Auto | Running] -- C:\Acer\Empowering Technology\eRecovery\int15.sys -- (int15)
DRV - [2006/11/02 14:27:36 | 000,020,112 | ---- | M] (Dritek System Inc.) [Kernel | System | Running] -- C:\Program Files\Launch Manager\DPortIO.sys -- (DritekPortIO)
 
 
[color=#E56717]========== Standard Registry (SafeList) ==========[/color]
 
 
[color=#E56717]========== Internet Explorer ==========[/color]
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.uk.acer.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://global.acer.com [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://global.acer.com [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
[color=#E56717]========== FireFox ==========[/color]
 
FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk/"
FF - prefs.js..extensions.enabledItems: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}:20100503
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2.1
FF - prefs.js..extensions.enabledItems: {2AAE53E8-258E-4B63-A156-108607283E21}:1.9.1
FF - prefs.js..keyword.URL: "http://websearch.ask.com/redirect?client=ff&src=kw&tb=LMW2&o=16046&locale=en_UK&apn_uid=60DDF12B-76F8-42B5-970B-09C79539A2EF&apn_ptnrs=OE&apn_sauid=D66240B2-47E3-4EF0-A05D-DFB9CD329B50&apn_dtid=VIN007YYGB&q="
 
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.3: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8117.0416: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKCU\Software\MozillaPlugins\@Skype Limited.com/Facebook Video Calling Plugin: C:\Users\Martain\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.22\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/09/21 13:17:48 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.22\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/09/07 20:12:07 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{2AAE53E8-258E-4B63-A156-108607283E21}: C:\Users\Martain\AppData\Local\{2AAE53E8-258E-4B63-A156-108607283E21} [2011/08/01 22:22:05 | 000,000,000 | ---D | M]
 
[2010/06/08 19:23:45 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Martain\AppData\Roaming\Mozilla\Extensions
[2010/01/29 15:15:58 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Martain\AppData\Roaming\Mozilla\Extensions\mozswing@mozswing.org
[2011/10/01 14:44:20 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Martain\AppData\Roaming\Mozilla\Firefox\Profiles\ksagft2t.default\extensions
[2010/06/08 19:27:18 | 000,000,000 | ---D | M] (WOT) -- C:\Users\Martain\AppData\Roaming\Mozilla\Firefox\Profiles\ksagft2t.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2010/07/11 18:40:41 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\Martain\AppData\Roaming\Mozilla\Firefox\Profiles\ksagft2t.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2011/08/01 13:55:52 | 000,002,571 | ---- | M] () -- C:\Users\Martain\AppData\Roaming\Mozilla\Firefox\Profiles\ksagft2t.default\searchplugins\askcom.xml
[2010/06/08 19:22:51 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/08/01 22:22:05 | 000,000,000 | ---D | M] (XULRunner) -- C:\USERS\MARTAIN\APPDATA\LOCAL\{2AAE53E8-258E-4B63-A156-108607283E21}
[2011/09/04 17:00:07 | 000,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2011/09/04 17:00:07 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2011/09/04 17:00:07 | 000,000,769 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2011/09/04 17:00:07 | 000,001,135 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml
 
Hosts file not found
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (ShowBarObj Class) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\System32\ActiveToolBand.dll (HiTRUST)
O2 - BHO: (no name) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - No CLSID value found.
O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKLM\..\Toolbar: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\System32\eDStoolbar.dll (HiTRUST)
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKCU\..\Toolbar\ShellBrowser: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - C:\Windows\System32\eDStoolbar.dll (HiTRUST)
O3 - HKCU\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O4 - HKLM..\Run: []  File not found
O4 - HKLM..\Run: [eRecoveryService]  File not found
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKCU..\Run: [{2FD82EB9-6D05-C065-264C-EC9D878F2838}] C:\Users\Martain\AppData\Roaming\Kydew\dydy.exe ()
O4 - HKCU..\Run: [Facebook Update] C:\Users\Martain\AppData\Local\Facebook\Update\FacebookUpdate.exe (Facebook Inc.)
O4 - HKCU..\Run: [PkjAindr] C:\Windows\system32\config\systemprofile\AppData\Local\heukxntb\pkjaindr.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx File not found
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail.com/mail/w3/resources/VistaMSNPUplden-gb.cab (MSN Photo Upload Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/VistaMSNPUplden-gb.cab (Windows Live Hotmail Photo Upload Tool)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5BD64290-995E-4DFF-A1AA-4F07B6EA49B3}: DhcpNameServer = 192.168.1.254
O18 - Protocol\Filter\x-sdch - No CLSID value found
O20 - AppInit_DLLs: (nmklo) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\config\systemprofile\AppData\Local\heukxntb\pkjaindr.exe) -C:\Windows\System32\config\systemprofile\AppData\Local\heukxntb\pkjaindr.exe File not found
O20 - Winlogon\Notify\mifadok: DllName - (C:\Windows\system32\config\systemprofile\AppData\Local\mifadok.dll) - C:\Windows\System32\config\systemprofile\AppData\Local\mifadok.dll ()
O24 - Desktop WallPaper: C:\Users\Martain\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Martain\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2011/09/19 18:46:32 | 000,000,090 | ---- | M] () - F:\AUTORUN.INF -- [ FAT ]
O33 - MountPoints2\{000a8d25-1809-11e0-9e72-001b38546b6f}\Shell\AutoRun\command - "" = G:\Get_Started_for_Win.exe
O33 - MountPoints2\{40594801-8c02-11de-8cb7-001b38546b6f}\Shell\AutoRun\command - "" = F:\setupSNK.exe -- [2008/04/14 05:42:42 | 000,028,672 | ---- | M] (Microsoft Corporation)
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\Get_Started_for_Win.exe
O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\Get_Started_for_Win.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
[color=#E56717]========== Files/Folders - Created Within 30 Days ==========[/color]
 
[2011/10/01 14:43:16 | 000,000,000 | ---D | C] -- C:\Users\Martain\AppData\Local\AskToolbar
[2011/09/30 10:16:15 | 000,000,000 | ---D | C] -- C:\Users\Martain\AppData\Roaming\Ywwoat
[2011/09/30 10:16:15 | 000,000,000 | ---D | C] -- C:\Users\Martain\AppData\Roaming\Kydew
[2011/09/26 14:47:57 | 000,000,000 | ---D | C] -- C:\Users\Martain\AppData\Roaming\Xuezr
[2011/09/26 14:47:57 | 000,000,000 | ---D | C] -- C:\Users\Martain\AppData\Roaming\Ixyv
[2011/09/16 21:23:38 | 000,000,000 | ---D | C] -- C:\Users\Martain\Desktop\OLDEES
[2011/09/07 18:17:26 | 000,000,000 | ---D | C] -- C:\Users\Martain\AppData\Roaming\Wyh
[2011/09/07 18:17:26 | 000,000,000 | ---D | C] -- C:\Users\Martain\AppData\Roaming\Byd
[2011/09/07 11:30:00 | 000,000,000 | ---D | C] -- C:\ProgramData\bG01610EnBcD01610
[2011/09/04 18:35:01 | 000,000,000 | ---D | C] -- C:\Users\Martain\AppData\Local\Facebook
[2007/09/27 22:42:30 | 000,016,384 | ---- | C] ( ) -- C:\Windows\System32\ClearEvent.exe
[2007/07/31 14:43:36 | 000,053,248 | ---- | C] ( ) -- C:\Windows\System32\Interop.Shell32.dll
 
[color=#E56717]========== Files - Modified Within 30 Days ==========[/color]
 
[2011/10/03 18:46:05 | 000,000,112 | ---- | M] () -- C:\ProgramData\naAR43Hs.dat
[2011/10/03 18:43:18 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At48.job
[2011/10/03 18:43:16 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At47.job
[2011/10/03 18:43:14 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At46.job
[2011/10/03 18:43:12 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At45.job
[2011/10/03 18:43:10 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At44.job
[2011/10/03 18:43:04 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At43.job
[2011/10/03 18:43:01 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At42.job
[2011/10/03 18:42:57 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At41.job
[2011/10/03 18:42:54 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At40.job
[2011/10/03 18:42:51 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At39.job
[2011/10/03 18:42:48 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At38.job
[2011/10/03 18:42:42 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At37.job
[2011/10/03 18:42:38 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At36.job
[2011/10/03 18:42:24 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At35.job
[2011/10/03 18:42:20 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At34.job
[2011/10/03 18:42:15 | 000,041,984 | ---- | M] () -- C:\Windows\System32\wbegew.exe
[2011/10/03 18:42:12 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At33.job
[2011/10/03 18:42:09 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At32.job
[2011/10/03 18:42:07 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At31.job
[2011/10/03 18:42:04 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At30.job
[2011/10/03 18:42:02 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At29.job
[2011/10/03 18:41:57 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At28.job
[2011/10/03 18:41:55 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At27.job
[2011/10/03 18:41:51 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At26.job
[2011/10/03 18:41:49 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At25.job
[2011/10/03 18:41:44 | 000,000,001 | ---- | M] () -- C:\Windows\System32\e28R26x.com.b
[2011/10/03 18:40:09 | 000,147,456 | ---- | M] (Burr Isolde Wallace ElisabethHelvetica Rowe TimSloane) -- C:\Windows\System32\e28R26x.com
[2011/10/03 18:40:07 | 000,000,936 | ---- | M] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-4032212466-3733557631-834355897-1000UA.job
[2011/10/03 18:40:07 | 000,000,914 | ---- | M] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-4032212466-3733557631-834355897-1000Core.job
[2011/10/03 18:39:04 | 000,041,984 | ---- | M] () -- C:\Windows\System32\eterve.exe
[2011/10/03 18:37:00 | 000,000,342 | ---- | M] () -- C:\Windows\tasks\At19.job
[2011/10/03 18:34:46 | 000,041,984 | ---- | M] () -- C:\Windows\System32\xbegew.exe
[2011/10/03 18:25:34 | 000,041,984 | ---- | M] () -- C:\Windows\System32\jfinj.exe
[2011/10/03 18:25:29 | 000,631,670 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/10/03 18:25:29 | 000,112,216 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/10/03 18:19:28 | 000,003,072 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/10/03 18:19:28 | 000,003,072 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/10/03 18:18:30 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/10/03 18:18:13 | 1063,272,448 | -HS- | M] () -- C:\hiberfil.sys
[2011/10/02 20:38:43 | 000,000,258 | RHS- | M] () -- C:\ProgramData\ntuser.pol
[2011/10/02 20:37:08 | 000,000,342 | ---- | M] () -- C:\Windows\tasks\At21.job
[2011/10/01 14:37:06 | 000,000,342 | ---- | M] () -- C:\Windows\tasks\At15.job
[2011/09/30 18:44:33 | 133,613,325 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/09/30 10:07:56 | 000,000,129 | ---- | M] () -- C:\Windows\System32\MRT.INI
[2011/09/29 15:37:00 | 000,000,342 | ---- | M] () -- C:\Windows\tasks\At16.job
[2011/09/29 15:34:03 | 000,000,342 | ---- | M] () -- C:\Windows\tasks\At22.job
[2011/09/28 21:50:11 | 000,224,256 | ---- | M] () -- C:\Windows\System32\0.323795679431334.exe
[2011/09/28 21:49:19 | 000,224,256 | ---- | M] () -- C:\Windows\System32\0.7469201992968123.exe
[2011/09/26 22:37:15 | 000,000,342 | ---- | M] () -- C:\Windows\tasks\At23.job
[2011/09/26 17:37:10 | 000,000,342 | ---- | M] () -- C:\Windows\tasks\At18.job
[2011/09/26 16:37:09 | 000,000,342 | ---- | M] () -- C:\Windows\tasks\At17.job
[2011/09/26 14:41:41 | 000,112,921 | ---- | M] () -- C:\Windows\System32\0.19145395014203392.exe
[2011/09/26 13:37:00 | 000,000,342 | ---- | M] () -- C:\Windows\tasks\At14.job
[2011/09/26 13:12:22 | 000,621,064 | ---- | M] () -- C:\ProgramData\QIjLeJwkSi.exe
[2011/09/26 13:00:17 | 000,041,984 | ---- | M] () -- C:\Windows\System32\obegen.exe
[2011/09/26 01:37:00 | 000,000,342 | ---- | M] () -- C:\Windows\tasks\At2.job
[2011/09/25 19:37:01 | 000,000,342 | ---- | M] () -- C:\Windows\tasks\At20.job
[2011/09/24 12:37:00 | 000,000,342 | ---- | M] () -- C:\Windows\tasks\At13.job
[2011/09/24 11:37:00 | 000,000,342 | ---- | M] () -- C:\Windows\tasks\At12.job
[2011/09/24 10:37:00 | 000,000,342 | ---- | M] () -- C:\Windows\tasks\At11.job
[2011/09/24 09:37:03 | 000,000,342 | ---- | M] () -- C:\Windows\tasks\At10.job
[2011/09/22 22:25:33 | 000,113,196 | ---- | M] () -- C:\Windows\System32\0.8033262975401785.exe
[2011/09/22 08:37:31 | 000,000,342 | ---- | M] () -- C:\Windows\tasks\At9.job
[2011/09/17 17:46:04 | 000,041,984 | ---- | M] () -- C:\Windows\System32\iweryy.exe
[2011/09/16 23:37:10 | 000,000,342 | ---- | M] () -- C:\Windows\tasks\At24.job
[2011/09/07 11:31:02 | 000,000,593 | ---- | M] () -- C:\Users\Public\Desktop\Security Protection.lnk
[2011/09/05 12:39:56 | 000,045,056 | ---- | M] () -- C:\Windows\System32\gbegew.exe
 
========== Files Created - No Company Name ==========
 
[2011/10/03 18:34:46 | 000,041,984 | ---- | C] () -- C:\Windows\System32\xbegew.exe
[2011/10/03 18:25:34 | 000,041,984 | ---- | C] () -- C:\Windows\System32\jfinj.exe
[2011/10/02 20:28:28 | 1063,272,448 | -HS- | C] () -- C:\hiberfil.sys
[2011/10/01 14:39:48 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2011/09/28 21:50:11 | 000,224,256 | ---- | C] () -- C:\Windows\System32\0.323795679431334.exe
[2011/09/28 21:49:19 | 000,224,256 | ---- | C] () -- C:\Windows\System32\0.7469201992968123.exe
[2011/09/26 14:40:49 | 000,112,921 | ---- | C] () -- C:\Windows\System32\0.19145395014203392.exe
[2011/09/26 13:12:25 | 000,504,832 | ---- | C] () -- C:\ProgramData\QIjLeJwkSi.exe
[2011/09/26 13:00:17 | 000,041,984 | ---- | C] () -- C:\Windows\System32\obegen.exe
[2011/09/22 22:25:28 | 000,113,196 | ---- | C] () -- C:\Windows\System32\0.8033262975401785.exe
[2011/09/17 17:46:04 | 000,041,984 | ---- | C] () -- C:\Windows\System32\iweryy.exe
[2011/09/07 11:31:02 | 000,000,593 | ---- | C] () -- C:\Users\Public\Desktop\Security Protection.lnk
[2011/09/05 12:39:55 | 000,045,056 | ---- | C] () -- C:\Windows\System32\gbegew.exe
[2011/09/04 18:35:10 | 000,000,936 | ---- | C] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-4032212466-3733557631-834355897-1000UA.job
[2011/09/04 18:35:07 | 000,000,914 | ---- | C] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-4032212466-3733557631-834355897-1000Core.job
[2011/08/12 12:06:42 | 000,000,129 | ---- | C] () -- C:\Windows\System32\MRT.INI
[2011/08/02 09:35:33 | 000,000,112 | ---- | C] () -- C:\ProgramData\naAR43Hs.dat
[2011/08/01 22:22:07 | 000,000,120 | ---- | C] () -- C:\Users\Martain\AppData\Local\Rforagoxoyi.dat
[2011/08/01 22:22:07 | 000,000,000 | ---- | C] () -- C:\Users\Martain\AppData\Local\Utiwecidu.bin
[2009/11/27 11:42:20 | 000,000,256 | ---- | C] () -- C:\Windows\System32\pool.bin
[2009/08/19 16:08:57 | 000,075,064 | ---- | C] () -- C:\Windows\System32\PnkBstrA.exe
[2009/05/18 20:53:11 | 000,005,972 | ---- | C] () -- C:\Users\Martain\AppData\Local\d3d9caps.dat
[2008/01/19 15:58:14 | 000,004,166 | ---- | C] () -- C:\Users\Martain\AppData\Roaming\wklnhst.dat
[2008/01/02 17:57:36 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1409.dll
[2008/01/02 17:47:22 | 001,953,696 | ---- | C] () -- C:\Windows\System32\igklg400.dll
[2008/01/02 17:47:22 | 001,533,360 | ---- | C] () -- C:\Windows\System32\igklg450.dll
[2008/01/02 17:47:22 | 000,104,636 | ---- | C] () -- C:\Windows\System32\igmedcompkrn.dll
[2007/11/25 21:57:55 | 000,033,792 | ---- | C] () -- C:\Users\Martain\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/09/27 23:16:58 | 000,000,030 | ---- | C] () -- C:\Windows\SETPANEL.INI
[2007/09/27 23:16:50 | 000,000,092 | ---- | C] () -- C:\Windows\CLEANUP.INI
[2007/09/27 22:42:30 | 000,016,384 | ---- | C] () -- C:\Windows\System32\LauncheRyAgentUser.exe
[2007/07/31 16:01:29 | 000,001,024 | RH-- | C] () -- C:\Windows\System32\NTIBUN4.dll
[2007/07/31 14:50:23 | 000,065,536 | ---- | C] () -- C:\Windows\System32\NATTraversal.dll
[2007/07/31 14:44:29 | 000,076,584 | ---- | C] () -- C:\Windows\System32\drivers\int15.sys
[2007/07/31 14:44:29 | 000,015,656 | ---- | C] () -- C:\Windows\System32\drivers\int15_64.sys
[2007/07/31 14:43:32 | 000,331,776 | ---- | C] () -- C:\Windows\System32\ScrollBarLib.dll
[2007/07/31 13:07:10 | 000,910,720 | ---- | C] () -- C:\Windows\System32\igmedkrn.dll
[2007/07/31 13:07:10 | 000,204,800 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1280.dll
[2007/04/26 00:33:22 | 000,266,240 | ---- | C] () -- C:\Windows\System32\NotesExtmngr.dll
[2007/04/26 00:32:50 | 000,204,800 | ---- | C] () -- C:\Windows\System32\NotesActnMenu.dll
[2007/04/26 00:32:46 | 000,086,016 | ---- | C] () -- C:\Windows\System32\MSNSpook.dll
[2007/04/26 00:31:00 | 000,028,672 | ---- | C] () -- C:\Windows\System32\BatchCrypto.dll
[2007/04/26 00:30:52 | 000,073,728 | ---- | C] () -- C:\Windows\System32\APISlice.dll
[2007/04/26 00:30:44 | 000,063,488 | ---- | C] () -- C:\Windows\System32\ShowErrMsg.dll
[2006/12/25 23:44:48 | 000,022,016 | ---- | C] () -- C:\Windows\System32\MailFormat_U.dll
[2006/11/13 13:50:06 | 000,071,680 | ---- | C] () -- C:\Windows\System32\HTCA_SelfExtract.bin
[2006/11/02 13:53:49 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 13:44:53 | 000,335,376 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 11:33:01 | 000,631,670 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 11:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 11:33:01 | 000,112,216 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 11:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 11:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 09:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 09:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 08:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 08:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/11/02 08:22:43 | 000,099,999 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2006/11/02 08:22:43 | 000,018,271 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2001/12/27 00:12:30 | 000,065,536 | ---- | C] () -- C:\Windows\System32\multiplex_vcd.dll
[2001/09/04 07:46:38 | 000,110,592 | ---- | C] () -- C:\Windows\System32\Hmpg12.dll
[2001/07/31 00:33:56 | 000,118,784 | ---- | C] () -- C:\Windows\System32\HMPV2_ENC.dll
[2001/07/24 06:04:36 | 000,118,784 | ---- | C] () -- C:\Windows\System32\HMPV2_ENC_MMX.dll
 
========== LOP Check ==========
 
[2011/09/14 14:20:20 | 000,000,000 | ---D | M] -- C:\Users\Martain\AppData\Roaming\Byd
[2009/01/27 13:51:52 | 000,000,000 | ---D | M] -- C:\Users\Martain\AppData\Roaming\FrostWire
[2011/09/26 20:17:52 | 000,000,000 | ---D | M] -- C:\Users\Martain\AppData\Roaming\Ixyv
[2011/09/30 10:16:15 | 000,000,000 | ---D | M] -- C:\Users\Martain\AppData\Roaming\Kydew
[2009/08/30 22:17:27 | 000,000,000 | ---D | M] -- C:\Users\Martain\AppData\Roaming\Mumble
[2009/11/27 11:44:19 | 000,000,000 | ---D | M] -- C:\Users\Martain\AppData\Roaming\Research In Motion
[2011/08/27 16:45:02 | 000,000,000 | ---D | M] -- C:\Users\Martain\AppData\Roaming\Saviqo
[2008/01/19 15:58:16 | 000,000,000 | ---D | M] -- C:\Users\Martain\AppData\Roaming\Template
[2009/01/26 10:59:56 | 000,000,000 | ---D | M] -- C:\Users\Martain\AppData\Roaming\TSO
[2011/09/14 22:40:34 | 000,000,000 | ---D | M] -- C:\Users\Martain\AppData\Roaming\Wyh
[2011/09/26 18:12:33 | 000,000,000 | ---D | M] -- C:\Users\Martain\AppData\Roaming\Xuezr
[2011/08/02 10:19:49 | 000,000,000 | ---D | M] -- C:\Users\Martain\AppData\Roaming\Ysdee
[2011/10/03 18:22:21 | 000,000,000 | ---D | M] -- C:\Users\Martain\AppData\Roaming\Ywwoat
[2011/08/14 00:37:15 | 000,000,342 | ---- | M] () -- C:\Windows\Tasks\At1.job
[2011/09/24 09:37:03 | 000,000,342 | ---- | M] () -- C:\Windows\Tasks\At10.job
[2011/09/24 10:37:00 | 000,000,342 | ---- | M] () -- C:\Windows\Tasks\At11.job
[2011/09/24 11:37:00 | 000,000,342 | ---- | M] () -- C:\Windows\Tasks\At12.job
[2011/09/24 12:37:00 | 000,000,342 | ---- | M] () -- C:\Windows\Tasks\At13.job
[2011/09/26 13:37:00 | 000,000,342 | ---- | M] () -- C:\Windows\Tasks\At14.job
[2011/10/01 14:37:06 | 000,000,342 | ---- | M] () -- C:\Windows\Tasks\At15.job
[2011/09/29 15:37:00 | 000,000,342 | ---- | M] () -- C:\Windows\Tasks\At16.job
[2011/09/26 16:37:09 | 000,000,342 | ---- | M] () -- C:\Windows\Tasks\At17.job
[2011/09/26 17:37:10 | 000,000,342 | ---- | M] () -- C:\Windows\Tasks\At18.job
[2011/10/03 18:37:00 | 000,000,342 | ---- | M] () -- C:\Windows\Tasks\At19.job
[2011/09/26 01:37:00 | 000,000,342 | ---- | M] () -- C:\Windows\Tasks\At2.job
[2011/09/25 19:37:01 | 000,000,342 | ---- | M] () -- C:\Windows\Tasks\At20.job
[2011/10/02 20:37:08 | 000,000,342 | ---- | M] () -- C:\Windows\Tasks\At21.job
[2011/09/29 15:34:03 | 000,000,342 | ---- | M] () -- C:\Windows\Tasks\At22.job
[2011/09/26 22:37:15 | 000,000,342 | ---- | M] () -- C:\Windows\Tasks\At23.job
[2011/09/16 23:37:10 | 000,000,342 | ---- | M] () -- C:\Windows\Tasks\At24.job
[2011/10/03 18:41:49 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At25.job
[2011/10/03 18:41:51 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At26.job
[2011/10/03 18:41:55 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At27.job
[2011/10/03 18:41:57 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At28.job
[2011/10/03 18:42:02 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At29.job
[2011/08/02 09:47:22 | 000,000,342 | ---- | M] () -- C:\Windows\Tasks\At3.job
[2011/10/03 18:42:04 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At30.job
[2011/10/03 18:42:07 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At31.job
[2011/10/03 18:42:09 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At32.job
[2011/10/03 18:42:12 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At33.job
[2011/10/03 18:42:20 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At34.job
[2011/10/03 18:42:24 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At35.job
[2011/10/03 18:42:38 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At36.job
[2011/10/03 18:42:42 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At37.job
[2011/10/03 18:42:48 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At38.job
[2011/10/03 18:42:51 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At39.job
[2011/08/02 09:47:22 | 000,000,342 | ---- | M] () -- C:\Windows\Tasks\At4.job
[2011/10/03 18:42:54 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At40.job
[2011/10/03 18:42:57 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At41.job
[2011/10/03 18:43:01 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At42.job
[2011/10/03 18:43:04 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At43.job
[2011/10/03 18:43:10 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At44.job
[2011/10/03 18:43:12 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At45.job
[2011/10/03 18:43:14 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At46.job
[2011/10/03 18:43:16 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At47.job
[2011/10/03 18:43:18 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At48.job
[2011/08/02 09:47:22 | 000,000,342 | ---- | M] () -- C:\Windows\Tasks\At5.job
[2011/08/02 09:47:22 | 000,000,342 | ---- | M] () -- C:\Windows\Tasks\At6.job
[2011/08/02 09:47:22 | 000,000,342 | ---- | M] () -- C:\Windows\Tasks\At7.job
[2011/08/02 09:47:22 | 000,000,342 | ---- | M] () -- C:\Windows\Tasks\At8.job
[2011/09/22 08:37:31 | 000,000,342 | ---- | M] () -- C:\Windows\Tasks\At9.job
[2011/10/03 18:40:07 | 000,000,914 | ---- | M] () -- C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4032212466-3733557631-834355897-1000Core.job
[2011/10/03 18:40:07 | 000,000,936 | ---- | M] () -- C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4032212466-3733557631-834355897-1000UA.job
[2011/10/02 20:43:01 | 000,032,552 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
 
========== Purity Check ==========
 
 
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 64 bytes -> C:\Users\Martain\Desktop\whole world init.mp4:TOC.WMV
@Alternate Data Stream - 114 bytes -> C:\ProgramData\TEMP:AA9519A6

< End of report >

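Every file and folder line in the OTL log above has the same shape: `[timestamp | size | attribute flags | M or C] (company) -- path`, with the company group absent on folder lines and printed as `()` when the file carries no version-info company name. The script below is an added example, not part of the original post and not OTL's own code: it parses that format and applies the triage a helper does by eye when reading such a log, flagging randomly named executables dropped into System32 or ProgramData inside the infection window, random-name folders under AppData\Roaming, and runs of At*.job tasks. The sample lines are copied from the log; the heuristics, the infection window and the At*.job threshold are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# One OTL file line, e.g.
# [2011/09/28 21:50:11 | 000,224,256 | ---- | M] () -- C:\Windows\System32\0.323795679431334.exe
# Folder lines carry no "(company)" group:
# [2011/09/14 14:20:20 | 000,000,000 | ---D | M] -- C:\Users\Martain\AppData\Roaming\Byd
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[MC])\] (?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)

@dataclass
class Entry:
    when: datetime
    size: int
    attrs: str      # R/H/S/D flags as OTL prints them, "-" when unset
    kind: str       # "M" from a Modified section, "C" from a Created section
    company: str    # "" when OTL prints "()", i.e. no version-info company name
    path: str

def parse_line(line: str):
    """Return an Entry for an OTL file/folder line, or None for anything else."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    return Entry(
        when=datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
        size=int(m["size"].replace(",", "")),
        attrs=m["attrs"],
        kind=m["kind"],
        company=(m["company"] or "").strip(),
        path=m["path"],
    )

# Heuristics (this example's own, not OTL rules); all matching is done on lower-cased paths.
SYSTEM32 = "c:\\windows\\system32\\"
RANDOM_EXE = re.compile(r"^(?:0\.\d+|[a-z]{5,10})\.exe$")   # 0.3237...exe, obegen.exe, jfinj.exe
AT_JOB = re.compile(r"\\tasks\\at\d+\.job$")                 # jobs created with at.exe
RANDOM_ROAMING = re.compile(r"^c:\\users\\[^\\]+\\appdata\\roaming\\[a-z]{3,6}$")

def triage(entries, window_start: datetime, at_job_threshold: int = 5):
    """Flag entries a helper would pull into a fix list; window_start bounds the infection period."""
    findings, at_jobs = [], 0
    for e in entries:
        p = e.path.lower()
        name = p.rsplit("\\", 1)[-1]
        if AT_JOB.search(p):
            at_jobs += 1
            continue
        if e.when < window_start:
            continue                     # old entries: drivers, OEM tools, long-installed apps
        if p.startswith(SYSTEM32) and RANDOM_EXE.match(name) and not e.company:
            findings.append(("random-name exe in System32 with no company name", e.path))
        elif p.startswith("c:\\programdata\\") and name.endswith(".exe") and not e.company:
            findings.append(("exe dropped directly under ProgramData", e.path))
        elif "D" in e.attrs and RANDOM_ROAMING.match(p):
            findings.append(("random-name folder under AppData\\Roaming", e.path))
    if at_jobs >= at_job_threshold:
        findings.append((f"{at_jobs} At*.job tasks (at.exe is rarely used on a home laptop)",
                         "C:\\Windows\\Tasks"))
    return findings

# Constructed sample: lines copied from the log above, including two known-good older ones.
SAMPLE_LOG = r"""
[2011/10/03 18:25:29 | 000,112,216 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/10/02 20:37:08 | 000,000,342 | ---- | M] () -- C:\Windows\tasks\At21.job
[2011/10/01 14:37:06 | 000,000,342 | ---- | M] () -- C:\Windows\tasks\At15.job
[2011/09/29 15:37:00 | 000,000,342 | ---- | M] () -- C:\Windows\tasks\At16.job
[2011/09/29 15:34:03 | 000,000,342 | ---- | M] () -- C:\Windows\tasks\At22.job
[2011/09/28 21:50:11 | 000,224,256 | ---- | M] () -- C:\Windows\System32\0.323795679431334.exe
[2011/09/26 13:12:22 | 000,621,064 | ---- | M] () -- C:\ProgramData\QIjLeJwkSi.exe
[2011/09/26 13:00:17 | 000,041,984 | ---- | M] () -- C:\Windows\System32\obegen.exe
[2011/09/22 08:37:31 | 000,000,342 | ---- | M] () -- C:\Windows\tasks\At9.job
[2009/08/19 16:08:57 | 000,075,064 | ---- | C] () -- C:\Windows\System32\PnkBstrA.exe
[2011/09/14 14:20:20 | 000,000,000 | ---D | M] -- C:\Users\Martain\AppData\Roaming\Byd
[2009/08/30 22:17:27 | 000,000,000 | ---D | M] -- C:\Users\Martain\AppData\Roaming\Mumble
[2011/10/03 18:22:21 | 000,000,000 | ---D | M] -- C:\Users\Martain\AppData\Roaming\Ywwoat
"""

def triage_sample():
    entries = [e for e in map(parse_line, SAMPLE_LOG.splitlines()) if e]
    return triage(entries, window_start=datetime(2011, 8, 1))

if __name__ == "__main__":
    for reason, path in triage_sample():
        print(f"{reason}: {path}")
```

The date window does most of the work: PnkBstrA.exe and the Mumble folder look as random as the malware names, but they were created in 2009 and fall outside the period the reporter describes, which is exactly why a helper asks when the symptoms started. The At*.job count is reported once rather than per file, since the tasks are one mechanism, not fifty separate findings.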

#8
Amlak (Member 1K, 1,470 posts)
You have an infected MBR and rootkit and lots of malicious files.

Anyway, the fix is waiting to be approved. It's just a matter of time before I post it, so don't go away for good. :)

#9
Amlak (Member 1K, 1,470 posts)
Step 1

aswMBR

  • Re-run aswMBR.exe.
  • Click [Scan].
  • On completion of the scan, click the [Fix] button.
  • Once done, run aswMBR again and click Scan.
  • On completion of the scan, click [Save log], save it to your desktop and post in your next reply.


Step 2

OTL Fix

Run OTL.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    :OTL
    O4 - HKCU..\Run: [{2FD82EB9-6D05-C065-264C-EC9D878F2838}] C:\Users\Martain\AppData\Roaming\Kydew\dydy.exe ()
    O4 - HKCU..\Run: [PkjAindr] C:\Windows\system32\config\systemprofile\AppData\Local\heukxntb\pkjaindr.exe File not found
    O20 - AppInit_DLLs: (nmklo) - File not found
    O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\config\systemprofile\AppData\Local\heukxntb\pkjaindr.exe) -C:\Windows\System32\config\systemprofile\AppData\Local\heukxntb\pkjaindr.exe File not found
    O20 - Winlogon\Notify\mifadok: DllName - (C:\Windows\system32\config\systemprofile\AppData\Local\mifadok.dll) - C:\Windows\System32\config\systemprofile\AppData\Local\mifadok.dll ()
    O33 - MountPoints2\{000a8d25-1809-11e0-9e72-001b38546b6f}\Shell\AutoRun\command - "" = G:\Get_Started_for_Win.exe
    O33 - MountPoints2\{40594801-8c02-11de-8cb7-001b38546b6f}\Shell\AutoRun\command - "" = F:\setupSNK.exe -- [2008/04/14 05:42:42 | 000,028,672 | ---- | M] (Microsoft Corporation)
    O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\Get_Started_for_Win.exe
    O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\Get_Started_for_Win.exe
    [2011/09/30 10:16:15 | 000,000,000 | ---D | C] -- C:\Users\Martain\AppData\Roaming\Ywwoat
    [2011/09/30 10:16:15 | 000,000,000 | ---D | C] -- C:\Users\Martain\AppData\Roaming\Kydew
    [2011/09/26 14:47:57 | 000,000,000 | ---D | C] -- C:\Users\Martain\AppData\Roaming\Xuezr
    [2011/09/26 14:47:57 | 000,000,000 | ---D | C] -- C:\Users\Martain\AppData\Roaming\Ixyv
    [2011/09/07 18:17:26 | 000,000,000 | ---D | C] -- C:\Users\Martain\AppData\Roaming\Wyh
    [2011/09/07 18:17:26 | 000,000,000 | ---D | C] -- C:\Users\Martain\AppData\Roaming\Byd
    [2011/09/07 11:30:00 | 000,000,000 | ---D | C] -- C:\ProgramData\bG01610EnBcD01610
    [2011/10/03 18:46:05 | 000,000,112 | ---- | M] () -- C:\ProgramData\naAR43Hs.dat
    [2011/10/03 18:42:15 | 000,041,984 | ---- | M] () -- C:\Windows\System32\wbegew.exe
    [2011/10/03 18:41:44 | 000,000,001 | ---- | M] () -- C:\Windows\System32\e28R26x.com.b
    [2011/10/03 18:40:09 | 000,147,456 | ---- | M] (Burr Isolde Wallace ElisabethHelvetica Rowe TimSloane) -- C:\Windows\System32\e28R26x.com
    [2011/10/03 18:39:04 | 000,041,984 | ---- | M] () -- C:\Windows\System32\eterve.exe
    [2011/10/03 18:34:46 | 000,041,984 | ---- | M] () -- C:\Windows\System32\xbegew.exe
    [2011/10/03 18:25:34 | 000,041,984 | ---- | M] () -- C:\Windows\System32\jfinj.exe
    [2011/09/28 21:50:11 | 000,224,256 | ---- | M] () -- C:\Windows\System32\0.323795679431334.exe
    [2011/09/28 21:49:19 | 000,224,256 | ---- | M] () -- C:\Windows\System32\0.7469201992968123.exe
    [2011/09/26 14:41:41 | 000,112,921 | ---- | M] () -- C:\Windows\System32\0.19145395014203392.exe
    [2011/09/26 13:12:22 | 000,621,064 | ---- | M] () -- C:\ProgramData\QIjLeJwkSi.exe
    [2011/09/26 13:00:17 | 000,041,984 | ---- | M] () -- C:\Windows\System32\obegen.exe
    [2011/09/22 22:25:33 | 000,113,196 | ---- | M] () -- C:\Windows\System32\0.8033262975401785.exe
    [2011/09/17 17:46:04 | 000,041,984 | ---- | M] () -- C:\Windows\System32\iweryy.exe
    [2011/09/07 11:31:02 | 000,000,593 | ---- | M] () -- C:\Users\Public\Desktop\Security Protection.lnk
    [2011/09/05 12:39:56 | 000,045,056 | ---- | M] () -- C:\Windows\System32\gbegew.exe
    [2011/08/01 22:22:07 | 000,000,120 | ---- | C] () -- C:\Users\Martain\AppData\Local\Rforagoxoyi.dat
    [2011/08/01 22:22:07 | 000,000,000 | ---- | C] () -- C:\Users\Martain\AppData\Local\Utiwecidu.bin
    [2011/08/02 10:19:49 | 000,000,000 | ---D | M] -- C:\Users\Martain\AppData\Roaming\Ysdee
    @Alternate Data Stream - 114 bytes -> C:\ProgramData\TEMP:AA9519A6
    
    :FILES
    C:\Windows\system32\config\systemprofile\AppData\Local\heukxntb
    C:\Windows\Tasks\At*.*
    
    :COMMANDS
    [resethosts]
    [emptytemp]
    
  • Click the Run Fix button at the top.
  • Let the program run unhindered, and allow the computer to reboot when it is done.
  • Post the contents of the log that appears.


Step 3

OTL Scan

Run OTL.
  • Check All under Extra Registry checkbox section.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    msconfig
    safebootminimal
    safebootnetwork
    activex
    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\*.*
    %systemroot%\Tasks\*.job
    
  • Click the Run Scan button at the top.
  • Make sure you post the log it produces in your next reply.

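The OTL fix above goes after the classic Windows persistence points: an HKCU Run value, AppInit_DLLs (loaded into every process that loads user32), the Winlogon UserInit and Notify entries (run or loaded at logon, before the desktop), MountPoints2 AutoRun commands (Explorer's cached autorun.inf commands for volumes it has seen), and the At*.job scheduled tasks. As an added example that is not part of the original post and not OTL's own code, the script below encodes what those locations look like on a stock Windows Vista/7 install on C: and reports anything that deviates. `assess()` works on a plain dictionary so it can be run on values copied out of a log; `read_live()` collects the same values from a running machine with `winreg` and is the only part that needs Windows. The expected defaults and the "user-writable folder" rule are this example's assumptions; the sample snapshot mirrors the O4/O20/O33 entries in the fix.

```python
import glob
import ntpath
import os

# Registry locations (relative to their hive) that the fix above touches.
WINLOGON = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
WINDOWS_NT = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"     # AppInit_DLLs lives here
RUN_HKCU = r"Software\Microsoft\Windows\CurrentVersion\Run"
MOUNTPOINTS = r"Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"

# Known-good values on a stock Vista/7 install on C: (this example's assumption).
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe,"
EXPECTED_SHELL = "explorer.exe"
SYSTEM32_DIR = r"c:\windows\system32"

def assess(snap: dict, at_job_threshold: int = 5) -> list:
    """Compare a snapshot against the expected values; returns (reason, value) pairs.
    snap keys: userinit, shell, appinit_dlls (str); notify, run, autorun (dict); at_jobs (int)."""
    findings = []
    if snap.get("userinit", "").strip().lower() != EXPECTED_USERINIT:
        findings.append(("Winlogon UserInit is not userinit.exe", snap.get("userinit", "")))
    if snap.get("shell", "").strip().lower() != EXPECTED_SHELL:
        findings.append(("Winlogon Shell is not explorer.exe", snap.get("shell", "")))
    if snap.get("appinit_dlls", "").strip():
        findings.append(("AppInit_DLLs is set", snap["appinit_dlls"]))
    for name, dll in snap.get("notify", {}).items():
        folder = ntpath.dirname(dll).lower()        # bare DLL names resolve to System32
        if folder and folder != SYSTEM32_DIR:
            findings.append((f"Winlogon\\Notify\\{name} DllName outside System32", dll))
    for name, cmd in snap.get("run", {}).items():
        if "\\appdata\\" in cmd.lower() or "\\programdata\\" in cmd.lower():
            findings.append((f"Run value {name} starts from a user-writable folder", cmd))
    for volume, cmd in snap.get("autorun", {}).items():
        findings.append((f"cached AutoRun command for volume {volume}", cmd))
    if snap.get("at_jobs", 0) >= at_job_threshold:
        findings.append((f"{snap['at_jobs']} At*.job tasks in %SystemRoot%\\Tasks", "at.exe jobs"))
    return findings

def read_live() -> dict:
    """Collect the same snapshot from a running Windows system (winreg exists only on Windows)."""
    import winreg
    HKLM, HKCU = winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER

    def value(hive, key, name):
        try:
            with winreg.OpenKey(hive, key) as k:
                return str(winreg.QueryValueEx(k, name)[0])
        except OSError:
            return ""

    def subkeys(hive, key):
        try:
            with winreg.OpenKey(hive, key) as k:
                return [winreg.EnumKey(k, i) for i in range(winreg.QueryInfoKey(k)[0])]
        except OSError:
            return []

    def values(hive, key):
        try:
            with winreg.OpenKey(hive, key) as k:
                return {n: str(v) for n, v, _ in
                        (winreg.EnumValue(k, i) for i in range(winreg.QueryInfoKey(k)[1]))}
        except OSError:
            return {}

    autorun = {v: value(HKCU, MOUNTPOINTS + "\\" + v + r"\Shell\AutoRun\command", "")
               for v in subkeys(HKCU, MOUNTPOINTS)}          # "" = the key's (Default) value
    tasks = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "Tasks", "At*.job")
    return {
        "userinit": value(HKLM, WINLOGON, "Userinit"),
        "shell": value(HKLM, WINLOGON, "Shell"),
        "appinit_dlls": value(HKLM, WINDOWS_NT, "AppInit_DLLs"),
        "notify": {s: value(HKLM, WINLOGON + "\\Notify\\" + s, "DllName")
                   for s in subkeys(HKLM, WINLOGON + "\\Notify")},
        "run": values(HKCU, RUN_HKCU),
        "autorun": {v: c for v, c in autorun.items() if c},
        "at_jobs": len(glob.glob(tasks)),
    }

# Constructed snapshot mirroring the O4/O20/O33 entries and the At*.job count in the fix above.
SAMPLE = {
    "userinit": r"C:\Windows\system32\config\systemprofile\AppData\Local\heukxntb\pkjaindr.exe",
    "shell": "explorer.exe",
    "appinit_dlls": "nmklo",
    "notify": {"mifadok": r"C:\Windows\system32\config\systemprofile\AppData\Local\mifadok.dll"},
    "run": {"{2FD82EB9-6D05-C065-264C-EC9D878F2838}": r"C:\Users\Martain\AppData\Roaming\Kydew\dydy.exe",
            "PkjAindr": r"C:\Windows\system32\config\systemprofile\AppData\Local\heukxntb\pkjaindr.exe"},
    "autorun": {"{000a8d25-1809-11e0-9e72-001b38546b6f}": r"G:\Get_Started_for_Win.exe"},
    "at_jobs": 48,
}
# Constructed clean snapshot for comparison.
CLEAN = {"userinit": r"C:\Windows\system32\userinit.exe,", "shell": "explorer.exe", "appinit_dlls": "",
         "notify": {}, "run": {"Sidebar": r"C:\Program Files\Windows Sidebar\sidebar.exe /autoRun"},
         "autorun": {}, "at_jobs": 0}

if __name__ == "__main__":
    for reason, val in assess(SAMPLE):
        print(f"{reason}: {val}")
```

Note the `config\systemprofile\AppData\Local` paths in the Notify and UserInit entries: they sit under `C:\Windows\system32`, so a prefix check would wave them through, which is why the check compares the DLL's parent folder rather than its prefix. On 64-bit Windows a 32-bit Python sees the WOW6432Node view of HKLM\SOFTWARE; pass `winreg.KEY_READ | winreg.KEY_WOW64_64KEY` as the access argument to `OpenKey` to read the native view.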

#10
LukeMcD (Topic Starter, Member, 102 posts)
When the laptop went to restart it just shut down. I turned it on myself, and it seems that as a result the first log got lost:

Files\Folders moved on Reboot...
File\Folder C:\Windows\temp\TMP00000063C2707000DA5F7844 not found!

Registry entries deleted on Reboot...

During the second scan it just turned itself off.



#11
Amlak (Member 1K, 1,470 posts)
Ok, right before the screen when Windows loads, press F8 repeatedly until you get a list of menus with Safe Mode and such. Do you see "Repair Your Computer" among the list?

#12
LukeMcD (Topic Starter, Member, 102 posts)
Yeah, "Repair your computer" is there.

#13
Amlak (Member 1K, 1,470 posts)
Step 1

  • If your computer's on, please restart it and repeatedly tap F8 right before the Windows loading screen.
  • Move the cursor to "Repair Your Computer" if you are not already on it and then press ENTER.
  • Select a keyboard layout, and then click Next.
  • On the System Recovery Options menu, click Command Prompt to open it.
  • In the Command Prompt, please type in the following (pressing Enter after each line):

    C:
    bootrec /fixmbr
    exit
    
  • Restart the computer.


Step 2

aswMBR

  • Double click the aswMBR.exe to run it
  • Click the [Scan] button to start scan
  • On completion of the scan click [Save log], save it to your desktop and post in your next reply

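`bootrec /fixmbr` rewrites the boot code in the first sector of the disk and, as documented, does not overwrite the partition table that shares that sector, which is why it is a safe first move against an infected MBR. The script below is an added example, not part of the original post: it parses a 512-byte MBR (the structure bootrec operates on), checks the 0x55AA signature, lists the partition entries, and hashes the 440-byte code region so it can be compared with a baseline hash taken from a known-clean machine. The sample sectors and the "clean" code are constructed stand-ins, not real Windows boot code; on a live system you would feed it the sector returned by `read_physical_drive0()`, which needs Administrator rights.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440        # bytes 0-439: code; 440-443: NT disk signature; 444-445: reserved
PART_TABLE_OFF = 446       # four 16-byte partition entries follow, then 0x55AA at 510
BOOT_SIGNATURE = b"\x55\xAA"
PART_ENTRY = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, count

def parse_mbr(sector: bytes) -> dict:
    """Split one MBR sector into boot-code hash, disk signature and partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("0x55AA boot signature missing: not a valid MBR")
    partitions = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(PART_ENTRY, sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:                       # type 0 means the slot is unused
            partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, BOOT_CODE_LEN)[0],
        "partitions": partitions,
    }

def boot_code_matches(sector: bytes, baseline_sha256: str) -> bool:
    """True when the code region equals a baseline hashed on a known-clean machine."""
    return parse_mbr(sector)["boot_code_sha256"] == baseline_sha256

def read_physical_drive0() -> bytes:
    """Windows only, run as Administrator: sector 0 of the first disk."""
    with open(r"\\.\PhysicalDrive0", "rb") as disk:
        return disk.read(SECTOR)

# ---- constructed sample data (stand-ins, not real Windows boot code) ----
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"          # plays the role of trusted code
PATCHED_CODE = b"\xe9\x00\x01" + CLEAN_CODE[3:]             # a jmp written over its entry point
BASELINE_SHA256 = hashlib.sha256(CLEAN_CODE.ljust(BOOT_CODE_LEN, b"\x00")).hexdigest()

def make_sample_mbr(boot_code: bytes) -> bytes:
    """Build a sector with the given code, a disk signature and one active NTFS partition."""
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, BOOT_CODE_LEN, 0x1B38546B)                      # arbitrary
    struct.pack_into(PART_ENTRY, sector, PART_TABLE_OFF, 0x80, 0x07, 2048, 100000)  # NTFS @ 2048
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)

def demo() -> dict:
    clean, patched = make_sample_mbr(CLEAN_CODE), make_sample_mbr(PATCHED_CODE)
    return {
        "clean_matches": boot_code_matches(clean, BASELINE_SHA256),
        "patched_matches": boot_code_matches(patched, BASELINE_SHA256),
        # the table lives apart from the code bootrec rewrites, so it survives the patch
        "tables_equal": parse_mbr(clean)["partitions"] == parse_mbr(patched)["partitions"],
    }

if __name__ == "__main__":
    print(demo())
```

A hash mismatch tells you the code region differs from your baseline, not that it is malicious; a legitimately different Windows version writes different code, so the baseline must come from the same Windows release. A rootkit that hooks disk reads in the running kernel can also hand back a clean sector, which is why aswMBR is run alongside this kind of check and why the fix is applied from the recovery environment rather than the infected system.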

#14
LukeMcD (Topic Starter, Member, 102 posts)
Repair your computer just takes me to something that looks similar to a logon screen, with the only option being "Other user" and the option to type in a username and password. I tried typing in the account on the computer and it wouldn't let me in.

#15
Amlak (Member 1K, 1,470 posts)
Do you get an error message? And if so, what is it?

Try the Administrator account also.





