Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

hidden syste32 windows folder


  • This topic is locked This topic is locked

#1
Mihailo Popovic

Mihailo Popovic

    New Member

  • Member
  • Pip
  • 1 posts
Suddenly missing folder system32, when show hidden and system files after that is showed but still hidden.
Please help

Here is log of OTL:

OTL logfile created on: 4.10.2011 16:44:51 - Run 1
OTL by OldTimer - Version 3.2.29.1 Folder = C:\Documents and Settings\User\My Documents\Downloads
Windows XP Professional Edition Service Pack 3, v.3311 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.3311)
Locale: 0000081A | Country: Serbia and Montenegro | Language: SRL | Date Format: d.M.yyyy

1006,95 Mb Total Physical Memory | 492,99 Mb Available Physical Memory | 48,96% Memory free
2,37 Gb Paging File | 1,98 Gb Available in Paging File | 83,58% Paging File free
Paging file location(s): C:\pagefile.sys 1512 3024 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 40,00 Gb Total Space | 32,57 Gb Free Space | 81,41% Space Free | Partition Type: NTFS
Drive D: | 100,00 Gb Total Space | 98,38 Gb Free Space | 98,38% Space Free | Partition Type: NTFS

Computer Name: MALI | User Name: User | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011.10.04 16:42:40 | 000,582,656 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\My Documents\Downloads\OTL.exe
PRC - [2011.09.26 15:03:47 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2008.02.13 00:59:34 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2011.09.26 15:03:46 | 001,846,232 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2001.08.23 21:00:00 | 000,015,360 | ---- | M] () -- C:\WINDOWS\system32\tsd32.dll


========== Win32 Services (SafeList) ==========

SRV - [2011.09.21 14:49:12 | 000,090,112 | ---- | M] (Intracom S.A.) [Disabled | Stopped] -- C:\WINDOWS\nMtsk.exe -- (nMtskService)


========== Driver Services (SafeList) ==========

DRV - [2011.09.21 14:49:12 | 000,059,260 | ---- | M] (Intracom S.A.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nMUSB.sys -- (netModUSBService)
DRV - [2010.01.08 10:17:48 | 000,143,360 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://eu.ask.com/?l...o=102809&gct=hp
IE - HKCU\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - SOFTWARE\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}\InprocServer32 File not found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Yahoo"
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"


FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011.09.26 15:03:47 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2011.09.01 12:56:34 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\User\Application Data\Mozilla\Extensions
[2011.08.23 21:16:36 | 000,002,333 | ---- | M] () -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\1peqvrjh.default\searchplugins\askcom.xml
[2011.09.01 12:56:16 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011.09.26 15:03:47 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011.08.30 21:41:02 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

O1 HOSTS File: ([2001.08.23 21:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKLM\..\Toolbar: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [Intel Display Control] C:\WINDOWS\system32\igfxcm32.exe File not found
O4 - HKLM..\Run: [Intel System Core] C:\WINDOWS\system32\igfxpt32.exe (Viufetndc Odcrc)
O4 - HKCU..\Run: [MSConfig] C:\Documents and Settings\User\pdbi.exe ()
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{464801E6-5D4A-4CDD-9EE5-EFA8662BDD6D}: NameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011.08.29 16:13:58 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{0f431e16-d488-11e0-be32-7071bcb07ee6}\Shell\AutoRun\command - "" = E:\~TrashBin\xCuAnZlGimAplWa.exe
O33 - MountPoints2\{0f431e16-d488-11e0-be32-7071bcb07ee6}\Shell\explore\command - "" = E:\~TrashBin\xCuAnZlGimAplWa.exe
O33 - MountPoints2\{0f431e16-d488-11e0-be32-7071bcb07ee6}\Shell\open\command - "" = E:\~TrashBin\xCuAnZlGimAplWa.exe
O33 - MountPoints2\{0f431e16-d488-11e0-be32-7071bcb07ee6}\Shell\search\command - "" = E:\~TrashBin\xCuAnZlGimAplWa.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011.10.04 16:23:22 | 000,199,304 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2011.10.04 16:23:22 | 000,041,184 | ---- | C] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2011.10.04 16:05:14 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2011.10.04 06:19:01 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2011.10.04 06:19:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2011.10.04 05:37:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\Solid State Networks
[2011.10.04 05:12:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
[2011.09.26 14:05:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2011.09.22 12:13:09 | 000,000,000 | ---D | C] -- C:\Program Files\PC-home
[2011.09.22 10:11:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\ApplicationHistory
[2011.09.22 09:05:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\AskToolbar
[2011.09.21 15:47:49 | 000,333,312 | ---- | C] (YourCompany) -- C:\Documents and Settings\User\bm.exe
[2011.09.21 13:59:20 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011.10.06 04:49:00 | 000,437,428 | ---- | M] () -- C:\Documents and Settings\User\Desktop\3196_001.pdf
[2011.10.06 04:49:00 | 000,227,524 | ---- | M] () -- C:\Documents and Settings\User\Desktop\AB4Y677.PDF
[2011.10.06 04:49:00 | 000,106,982 | ---- | M] () -- C:\Documents and Settings\User\Desktop\3199_001.pdf
[2011.10.05 00:26:00 | 001,417,419 | ---- | M] () -- C:\Documents and Settings\User\Desktop\lindam spec. sanit..jpg
[2011.10.04 16:08:06 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011.10.04 16:05:43 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2011.10.04 06:23:43 | 000,047,109 | -H-- | M] () -- C:\WINDOWS\System32\userdiff.sav
[2011.10.04 05:55:05 | 000,000,443 | ---- | M] () -- C:\Documents and Settings\User\Desktop\razmena.lnk
[2011.10.04 04:08:46 | 000,000,010 | ---- | M] () -- C:\WINDOWS\popcinfo.dat
[2011.10.04 02:23:37 | 001,840,391 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Zbirka_matematika_na_srpskom.pdf
[2011.10.04 02:23:16 | 003,900,803 | ---- | M] () -- C:\Documents and Settings\User\Desktop\ZBIRKA SRPSKI JEZIK novo.pdf
[2011.10.04 01:24:00 | 001,409,949 | ---- | M] () -- C:\Documents and Settings\User\Desktop\NIP SPEC. 01.jpg
[2011.10.04 01:24:00 | 001,201,788 | ---- | M] () -- C:\Documents and Settings\User\Desktop\NIP SPEC. 02.jpg
[2011.10.01 23:13:55 | 000,380,350 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011.10.01 23:13:55 | 000,052,764 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011.10.01 23:12:27 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011.09.28 13:05:47 | 000,002,473 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Microsoft Office Excel 2007.lnk
[2011.09.22 12:15:18 | 000,000,971 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Zuma Deluxe.lnk
[2011.09.22 09:03:08 | 000,000,344 | ---- | M] () -- C:\Documents and Settings\User\Desktop\My Documents.lnk
[2011.09.21 15:47:49 | 000,333,312 | ---- | M] (YourCompany) -- C:\Documents and Settings\User\bm.exe
[2011.09.21 15:46:16 | 000,047,109 | -H-- | M] () -- C:\Documents and Settings\User\userdiff.sav
[2011.09.21 15:46:16 | 000,033,792 | -H-- | M] () -- C:\Documents and Settings\User\pdbi.exe
[2011.09.21 14:52:12 | 000,000,598 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Carina.lnk
[2011.09.21 14:49:12 | 000,204,800 | ---- | M] () -- C:\WINDOWS\nMconfig.exe
[2011.09.21 14:49:12 | 000,090,112 | ---- | M] (Intracom S.A.) -- C:\WINDOWS\nMtsk.exe
[2011.09.21 14:49:12 | 000,059,260 | ---- | M] (Intracom S.A.) -- C:\WINDOWS\System32\drivers\nMUSB.sys
[2011.09.21 14:49:12 | 000,045,056 | ---- | M] () -- C:\WINDOWS\System32\nMenum.dll
[2011.09.21 14:49:12 | 000,036,864 | ---- | M] () -- C:\WINDOWS\System32\CAPI2032.dll
[2011.09.21 14:25:39 | 000,000,724 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Intermex CAR.lnk
[2011.09.21 14:00:43 | 000,001,863 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\MSN Installer.lnk
[2011.09.17 10:07:05 | 010,662,635 | ---- | M] () -- C:\Documents and Settings\User\Desktop\car461.09.exe
[2011.09.06 22:45:29 | 000,199,304 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2011.09.06 22:45:29 | 000,041,184 | ---- | M] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011.10.04 04:13:18 | 000,227,524 | ---- | C] () -- C:\Documents and Settings\User\Desktop\AB4Y677.PDF
[2011.10.04 04:13:03 | 000,437,428 | ---- | C] () -- C:\Documents and Settings\User\Desktop\3196_001.pdf
[2011.10.04 04:13:00 | 000,106,982 | ---- | C] () -- C:\Documents and Settings\User\Desktop\3199_001.pdf
[2011.10.04 02:23:24 | 001,840,391 | ---- | C] () -- C:\Documents and Settings\User\Desktop\Zbirka_matematika_na_srpskom.pdf
[2011.10.04 02:22:48 | 003,900,803 | ---- | C] () -- C:\Documents and Settings\User\Desktop\ZBIRKA SRPSKI JEZIK novo.pdf
[2011.10.03 03:47:03 | 001,417,419 | ---- | C] () -- C:\Documents and Settings\User\Desktop\lindam spec. sanit..jpg
[2011.10.02 00:47:04 | 001,201,788 | ---- | C] () -- C:\Documents and Settings\User\Desktop\NIP SPEC. 02.jpg
[2011.10.02 00:47:01 | 001,409,949 | ---- | C] () -- C:\Documents and Settings\User\Desktop\NIP SPEC. 01.jpg
[2011.09.22 13:02:40 | 000,000,010 | ---- | C] () -- C:\WINDOWS\popcinfo.dat
[2011.09.22 12:15:18 | 000,000,971 | ---- | C] () -- C:\Documents and Settings\User\Desktop\Zuma Deluxe.lnk
[2011.09.22 09:03:08 | 000,000,344 | ---- | C] () -- C:\Documents and Settings\User\Desktop\My Documents.lnk
[2011.09.21 15:46:16 | 000,047,109 | -H-- | C] () -- C:\WINDOWS\System32\userdiff.sav
[2011.09.21 15:46:16 | 000,047,109 | -H-- | C] () -- C:\Documents and Settings\User\userdiff.sav
[2011.09.21 15:46:16 | 000,033,792 | -H-- | C] () -- C:\Documents and Settings\User\pdbi.exe
[2011.09.21 14:52:12 | 000,000,598 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Carina.lnk
[2011.09.21 14:25:06 | 010,662,635 | ---- | C] () -- C:\Documents and Settings\User\Desktop\car461.09.exe
[2011.09.21 14:00:43 | 000,001,863 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\MSN Installer.lnk
[2011.08.29 17:59:02 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2011.08.29 17:57:28 | 000,263,024 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011.08.29 16:29:57 | 000,073,728 | R--- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll
[2011.08.29 16:17:10 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2011.08.29 16:09:43 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008.02.13 02:12:24 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2006.12.31 17:57:08 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2005.05.06 12:19:32 | 000,204,800 | ---- | C] () -- C:\WINDOWS\nMconfig.exe
[2004.07.06 12:19:56 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\nMenum.dll
[2001.08.23 21:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001.08.23 21:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001.08.23 21:00:00 | 000,380,350 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001.08.23 21:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001.08.23 21:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001.08.23 21:00:00 | 000,052,764 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001.08.23 21:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001.08.23 21:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001.08.23 21:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001.08.23 21:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2001.07.16 11:27:08 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\CAPI2032.dll

========== LOP Check ==========

[2011.10.04 06:19:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVAST Software

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 979751 bytes -> C:\WINDOWS\Temp:temp

< End of report >
  • 0

Advertisements


#2
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me Agent ST for short), it's a pleasure to meet you. :yes:

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:


  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • If I instruct you to download a specific tool in which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do, is to make sure sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together :)
    Because of this, you must reply within three days
    failure to reply will result in the topic being closed!
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.
____________________________________________________

Do you recognize these files?

[2011.10.06 04:49:00 | 000,437,428 | ---- | M] () -- C:\Documents and Settings\User\Desktop\3196_001.pdf
[2011.10.06 04:49:00 | 000,227,524 | ---- | M] () -- C:\Documents and Settings\User\Desktop\AB4Y677.PDF
[2011.10.06 04:49:00 | 000,106,982 | ---- | M] () -- C:\Documents and Settings\User\Desktop\3199_001.pdf


Scanning with GMER

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.


Posted Image
Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

    Posted Image
    Click the image to enlarge it
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in your reply.

Notes:
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries


-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in a BSODs, uncheck Devices on the right side before scanning
.



NEXT:



OTL Fix

We need to run an OTL Fix
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox.
    :Services
    :Processes
    KILLALLPROCESSES
    :OTL
    O3 - HKLM\..\Toolbar: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
    O4 - HKLM..\Run: [Intel Display Control] C:\WINDOWS\system32\igfxcm32.exe File not found
    O4 - HKLM..\Run: [Intel System Core] C:\WINDOWS\system32\igfxpt32.exe (Viufetndc Odcrc)
    O4 - HKCU..\Run: [MSConfig] C:\Documents and Settings\User\pdbi.exe ()
    O33 - MountPoints2\{0f431e16-d488-11e0-be32-7071bcb07ee6}\Shell\AutoRun\command - "" = E:\~TrashBin\xCuAnZlGimAplWa.exe
    O33 - MountPoints2\{0f431e16-d488-11e0-be32-7071bcb07ee6}\Shell\explore\command - "" = E:\~TrashBin\xCuAnZlGimAplWa.exe
    O33 - MountPoints2\{0f431e16-d488-11e0-be32-7071bcb07ee6}\Shell\open\command - "" = E:\~TrashBin\xCuAnZlGimAplWa.exe
    O33 - MountPoints2\{0f431e16-d488-11e0-be32-7071bcb07ee6}\Shell\search\command - "" = E:\~TrashBin\xCuAnZlGimAplWa.exe
    [2011.09.21 15:46:16 | 000,047,109 | -H-- | M] () -- C:\Documents and Settings\User\userdiff.sav
    [2011.09.21 15:46:16 | 000,033,792 | -H-- | M] () -- C:\Documents and Settings\User\pdbi.exe
    [2011.09.21 15:46:16 | 000,047,109 | -H-- | C] () -- C:\WINDOWS\System32\userdiff.sav
    [2011.09.21 15:46:16 | 000,047,109 | -H-- | C] () -- C:\Documents and Settings\User\userdiff.sav
    [2011.09.21 15:46:16 | 000,033,792 | -H-- | C] () -- C:\Documents and Settings\User\pdbi.exe
    @Alternate Data Stream - 979751 bytes -> C:\WINDOWS\Temp:temp
    
    :Reg
    
    :Files
    echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c
    ipconfig /flushdns /c
    :Commands
    [purity]
    [resethosts]
    [CreateRestorePoint]
    [emptytemp]
    [EMPTYFLASH]
    
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:



VirusTotal File Scan
Please go to: VirusTotal
  • Posted Image
  • Click the Choose File button and search for the following file: C:\Documents and Settings\User\bm.exe
  • Click Open
  • Then click Send File
If it says already scanned -- click "reanalyze now"

  • Please be patient while the file is scanned.
  • Once the scan results appear, please click on the Compact button.
  • A new window should appear with a bunch of tabs at the top. Please click on the BBCode tab.
  • Copy and Paste the contents of the text in the BBCode into your next reply for me to review.



Please post the results in your next reply
  • 0

#3
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP