
Recurring kwrd.dll and Windows Assembly infections


  • This topic is locked

#1
bpearce2001

    New Member

  • Member
  • 9 posts
On Oct. 6th I was given a computer to try and help get rid of a virus.

I initially ran Malwarebytes with the following results:
Files Infected:
c:\Windows\System32\eszitsoslh.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\Windows\System32\jjegqyxwkvozy1d.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\eszitsoslh.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\jjegqyxwkvozy1d.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

I then ran a scan using Avast with the following results:


Started on: Friday, October 07, 2011 3:24:13 PM
*

10/7/2011 5:27:05 PM C:\Windows\assembly\tmp\U\80000032.@ [L] Win32:DNSChanger-VJ [Trj] (0)
File was successfully moved to chest...

I then ran a boot time scan the next morning with the following results:
10/08/2011 07:21
Scan of all local drives

File C:\Users\carlos\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\4ccf37f8-72948610|>bpac\a$1.class is infected by Java:Agent-BJ [Expl], Moved to chest
File C:\Users\carlos\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\4ccf37f8-72948610|>bpac\a.class is infected by Java:Agent-BW [Trj], Moved to chest
File C:\Users\carlos\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\4ccf37f8-72948610|>bpac\b.class is infected by Other:Malware-gen, Moved to chest
File C:\Users\carlos\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\4ccf37f8-72948610|>bpac\KAVS.class is infected by Java:Agent-BM [Expl], Moved to chest
File C:\Windows\assembly\tmp\U\00000002.@|>[Embedded_R#00290] is infected by Win32:Malware-gen, Moved to chest
File C:\Windows\assembly\tmp\U\80000032.@ is infected by Win32:DNSChanger-VJ [Trj], Moved to chest
Number of searched folders: 66631
Number of tested files: 1140979
Number of infected files: 6

I ran another Avast scan with no infections being found.

An hour later, after connecting to the internet, I was getting trojan alerts. I again ran Avast with the following results:
*

10/8/2011 11:58:05 AM C:\Windows\assembly\TMP\kwrd.dll [L] Win32:Malware-gen (0)
File was successfully moved to chest...
10/8/2011 12:05:12 PM C:\Windows\assembly\TMP\U\80000032.@ [L] Win32:DNSChanger-VJ [Trj] (0)
File was successfully moved to chest...
10/8/2011 1:27:08 PM C:\Windows\assembly\TMP\U\80000032.@ [L] Win32:DNSChanger-VJ [Trj] (0)
File was successfully moved to chest...
*
The next morning I ran the boot time scan with these results:

10/09/2011 08:29
Scan of all local drives

File C:\Windows\assembly\tmp\U\00000002.@|>[Embedded_R#00290] is infected by Win32:Malware-gen, Moved to chest
File C:\Windows\assembly\tmp\U\80000032.@ is infected by Win32:DNSChanger-VJ [Trj], Moved to chest
Number of searched folders: 66606
Number of tested files: 1141461
Number of infected files: 2

I connected again to the internet and again started getting trojan alerts. Ran Avast again with these results:
10/9/2011 10:28:23 AM C:\Windows\ASSEMBLY\TMP\kwrd.dll [L] Win32:Malware-gen (0)
File was successfully moved to chest...
10/9/2011 10:28:42 AM C:\Windows\ASSEMBLY\TMP\U\80000032.@ [L] Win32:DNSChanger-VJ [Trj] (0)
File was successfully moved to chest...
10/9/2011 10:35:47 AM C:\Windows\ASSEMBLY\TMP\U\80000032.@ [L] Win32:DNSChanger-VJ [Trj] (0)
File was successfully moved to chest...
10/9/2011 2:23:54 PM C:\Windows\ASSEMBLY\TMP\U\80000032.@ [L] Win32:DNSChanger-VJ [Trj] (0)
File was successfully moved to chest...
10/9/2011 3:27:20 PM C:\Windows\ASSEMBLY\TMP\U\80000032.@ [L] Win32:DNSChanger-VJ [Trj] (0)
File was successfully moved to chest...

*

It appears to be the same thing recurring every time. Malwarebytes no longer finds anything, even when Avast finds the infections.

I have attached my OTL report as it was too long to cut/paste and I'm hoping someone will be able to help me finally get rid of this thing.

Attached Files

  • OTL.zip (953.62KB, 198 downloads)

#2
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi there

I will need to run a stronger tool initially

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here.

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.

#3
bpearce2001

    New Member

  • Topic Starter
  • Member
  • 9 posts
Here is my ComboFix report:
ComboFix 11-10-14.03 - carlos 10/14/2011 14:30:00.1.4 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3838.2280 [GMT -5:00]
Running from: c:\users\carlos\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: Webroot AntiVirus with Spy Sweeper *Disabled/Updated* {53211D91-0C31-95F2-E3A5-7661FB22889E}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Webroot AntiVirus with Spy Sweeper *Disabled/Updated* {E840FC75-2A0B-9A7C-D915-4D1380A5C223}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\assembly\tmp\U
c:\windows\assembly\tmp\U\00000001.@
c:\windows\assembly\tmp\U\000000c0.@
c:\windows\assembly\tmp\U\000000cb.@
c:\windows\assembly\tmp\U\000000cf.@
c:\windows\assembly\tmp\U\80000000.@
c:\windows\assembly\tmp\U\80000064.@
c:\windows\assembly\tmp\U\800000c0.@
c:\windows\assembly\tmp\U\800000cb.@
c:\windows\assembly\tmp\U\800000cf.@
c:\windows\system32\consrv.dll
c:\windows\System64
c:\windows\SysWow64\IqIAiGdLjVx2n6E.exe
c:\windows\SysWow64\rb5fXkx2n6Eq.exe
c:\windows\SysWow64\T7BmhyGZypfkvdj.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-09-14 to 2011-10-14 )))))))))))))))))))))))))))))))
.
.
2011-10-14 20:08 . 2011-10-14 20:12 -------- d-----w- c:\users\carlos\AppData\Local\temp
2011-10-14 20:08 . 2011-10-14 20:08 -------- d-----w- c:\users\LogMeInRemoteUser\AppData\Local\temp
2011-10-14 20:08 . 2011-10-14 20:08 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-09 22:28 . 2011-10-09 22:29 -------- d-----w- c:\program files (x86)\Common Files\McAfee
2011-10-09 22:28 . 2011-10-09 22:29 -------- d-----w- c:\program files\Common Files\McAfee
2011-10-09 22:28 . 2011-10-09 22:29 -------- d-----w- c:\program files\McAfee
2011-10-09 22:27 . 2011-10-09 22:29 -------- d-----w- c:\program files (x86)\McAfee
2011-10-09 22:18 . 2011-10-10 01:29 -------- d-----w- c:\programdata\McAfee
2011-10-08 16:17 . 2011-10-08 16:17 -------- d-----w- c:\users\carlos\AppData\Local\VS Revo Group
2011-10-08 16:17 . 2009-12-30 16:21 31800 ----a-w- c:\windows\system32\drivers\revoflt.sys
2011-10-08 16:17 . 2011-10-08 16:17 -------- d-----w- c:\program files\VS Revo Group
2011-10-07 20:23 . 2011-09-06 20:36 24408 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-10-07 20:23 . 2011-09-06 20:38 301912 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-10-07 20:23 . 2011-09-06 20:36 42328 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-10-07 20:23 . 2011-09-06 20:38 601944 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-10-07 20:23 . 2011-09-06 20:36 58200 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-10-07 20:23 . 2011-09-06 20:45 254400 ----a-w- c:\windows\system32\aswBoot.exe
2011-10-07 20:23 . 2011-09-06 20:36 65368 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-10-07 20:21 . 2011-09-06 20:45 41184 ----a-w- c:\windows\avastSS.scr
2011-10-07 20:21 . 2011-09-06 20:45 199304 ----a-w- c:\windows\SysWow64\aswBoot.exe
2011-10-07 20:21 . 2011-10-07 20:21 -------- d-----w- c:\programdata\AVAST Software
2011-10-07 20:21 . 2011-10-07 20:21 -------- d-----w- c:\program files\AVAST Software
2011-10-06 19:02 . 2011-10-06 19:02 -------- d-----w- c:\programdata\Malwarebytes
2011-10-06 19:02 . 2011-10-06 19:02 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-10-06 19:02 . 2011-08-31 22:00 25416 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-06 18:59 . 2011-10-06 18:59 -------- d-----w- c:\users\carlos\AppData\Roaming\a8YePuFJZjBx2m6
2011-10-06 18:58 . 2011-10-06 18:58 -------- d-----w- c:\users\carlos\AppData\Roaming\CF4mH5sWJdLgZhX
2011-10-06 18:58 . 2011-10-06 18:58 -------- d-----w- c:\users\carlos\AppData\Roaming\arNAbp4HW79qw
2011-10-06 18:58 . 2011-10-06 18:58 -------- d-----w- c:\users\carlos\AppData\Roaming\CLwx4dYBimKjP2d
2011-10-06 18:58 . 2011-10-06 18:58 -------- d-----w- c:\users\carlos\AppData\Roaming\CECtv5gUAm8jP2s
2011-10-06 18:58 . 2011-10-06 18:58 -------- d-----w- c:\users\carlos\AppData\Roaming\B1aECtbsTViH8
2011-10-06 18:58 . 2011-10-06 18:58 -------- d-----w- c:\users\carlos\AppData\Roaming\cG4aQH6sW
2011-10-06 18:57 . 2011-10-06 18:57 -------- d-----w- c:\users\carlos\AppData\Roaming\AjxnRIbWYPaglvW
2011-10-06 18:57 . 2011-10-06 18:57 -------- d-----w- c:\users\carlos\AppData\Roaming\AN39rSHZ048O
2011-10-06 18:57 . 2011-10-06 18:57 -------- d-----w- c:\users\carlos\AppData\Roaming\bXYrxu2Dna6KfTj
2011-10-06 18:57 . 2011-10-06 18:57 -------- d-----w- c:\users\carlos\AppData\Roaming\bVrlOBxPySioFa5
2011-10-06 18:57 . 2011-10-06 18:57 -------- d-----w- c:\users\carlos\AppData\Roaming\BhqCIzy0Sbp5HWf
2011-10-06 18:56 . 2011-10-06 18:56 -------- d-----w- c:\users\carlos\AppData\Roaming\ARjBx2m6RqIy
2011-10-06 18:55 . 2011-10-06 18:55 -------- d-----w- c:\users\carlos\AppData\Roaming\Cvo3GQd8LTj
2011-10-06 18:55 . 2011-10-06 18:55 -------- d-----w- c:\users\carlos\AppData\Roaming\CgZqhXwkeOtPyA
2011-10-06 18:53 . 2011-10-06 18:53 -------- d-----w- c:\users\carlos\AppData\Roaming\aLx5Un9ARy
2011-10-06 18:53 . 2011-10-06 18:53 -------- d-----w- c:\users\carlos\AppData\Roaming\CK8fR9jelBzy1So
2011-10-06 18:53 . 2011-10-06 18:53 -------- d-----w- c:\users\carlos\AppData\Roaming\CK8f9XUeIzxu2bm
2011-10-06 18:53 . 2011-10-06 18:53 -------- d-----w- c:\users\carlos\AppData\Roaming\dBc2m6RwIxvo
2011-10-06 18:52 . 2011-10-06 18:52 -------- d-----w- c:\users\carlos\AppData\Roaming\aTxawbflHYAQjo8
2011-10-06 18:52 . 2011-10-06 18:52 -------- d-----w- c:\users\carlos\AppData\Roaming\AGQd8LTjeBO2
2011-10-06 18:52 . 2011-10-06 18:52 -------- d-----w- c:\users\carlos\AppData\Roaming\aA4dTBumKw
2011-10-06 18:51 . 2011-10-06 18:51 -------- d-----w- c:\users\carlos\AppData\Roaming\CfEL8gTZqYw
2011-10-06 18:51 . 2011-10-06 18:51 -------- d-----w- c:\users\carlos\AppData\Roaming\av3Q8qzSG7
2011-10-06 18:51 . 2011-10-06 18:51 -------- d-----w- c:\users\carlos\AppData\Roaming\av3Q8fqzSG
2011-10-06 18:51 . 2011-10-06 18:51 -------- d-----w- c:\users\carlos\AppData\Roaming\aSpJfXkNvn
2011-10-06 18:50 . 2011-10-06 18:50 -------- d-----w- c:\users\carlos\AppData\Roaming\CBrzPNyxAuSoFpG
2011-10-06 18:50 . 2011-10-06 18:50 -------- d-----w- c:\users\carlos\AppData\Roaming\BpmG5sQJ6E8R9Tw
2011-10-06 18:50 . 2011-10-06 18:50 -------- d-----w- c:\users\carlos\AppData\Roaming\CKRhwCIzy1S
2011-10-06 18:50 . 2011-10-06 18:50 -------- d-----w- c:\users\carlos\AppData\Roaming\D9ugAsV6Uoe
2011-10-06 18:50 . 2011-10-06 18:50 -------- d-----w- c:\users\carlos\AppData\Roaming\dBumRjkzxvi3GQd
2011-10-06 18:50 . 2011-10-06 18:50 -------- d-----w- c:\users\carlos\AppData\Roaming\AgPmCi7kc
2011-10-06 18:49 . 2011-10-07 00:39 -------- d-----w- c:\users\carlos\AppData\Roaming\AXwjUVelItPyAuD
2011-10-06 18:48 . 2011-10-07 00:39 -------- d-----w- c:\users\carlos\AppData\Roaming\CJEgqXUlt0Avo4
2011-10-06 18:48 . 2011-10-06 18:48 -------- d-----w- c:\users\carlos\AppData\Roaming\d4esyZ3zYQxgmth
2011-10-06 18:48 . 2011-10-06 18:48 -------- d-----w- c:\users\carlos\AppData\Roaming\AWBWBJt8u
2011-10-06 18:48 . 2011-10-06 18:48 -------- d-----w- c:\users\carlos\AppData\Roaming\CwnXv9AfNKxTiT3
2011-10-06 18:48 . 2011-10-06 18:48 -------- d-----w- c:\users\carlos\AppData\Roaming\ABF9uKNQY
2011-10-06 18:48 . 2011-10-06 18:48 -------- d-----w- c:\users\carlos\AppData\Roaming\AIbfyQCi7
2011-10-06 18:48 . 2011-10-06 18:48 -------- d-----w- c:\users\carlos\AppData\Roaming\C2Kr4ZPHUvde2K
2011-10-06 18:48 . 2011-10-06 18:48 -------- d-----w- c:\users\carlos\AppData\Roaming\AXlNv4Q8U
2011-10-06 18:47 . 2011-10-06 18:47 -------- d-----w- c:\users\carlos\AppData\Roaming\Bq0HYcKIbfNGjuK
2011-10-06 18:46 . 2011-10-06 18:46 -------- d-----w- c:\users\carlos\AppData\Roaming\D1gA8A8NdOd
2011-10-06 18:46 . 2011-10-06 18:46 -------- d-----w- c:\users\carlos\AppData\Roaming\DF3pmG5aQ6W8Rhq
2011-10-06 18:45 . 2011-10-06 18:45 -------- d-----w- c:\users\carlos\AppData\Roaming\AF4pG5sQJERheBP
2011-10-06 18:45 . 2011-10-06 18:45 -------- d-----w- c:\users\carlos\AppData\Roaming\CsJ7EgRqhXVlzy
2011-10-06 18:45 . 2011-10-06 18:45 -------- d-----w- c:\users\carlos\AppData\Roaming\AVxn58Yec
2011-10-06 18:44 . 2011-10-06 18:44 -------- d-----w- c:\users\carlos\AppData\Roaming\cc9ihFV5tdcTmNf
2011-10-06 18:44 . 2011-10-06 18:44 -------- d-----w- c:\users\carlos\AppData\Roaming\btWNr8cLmVhSNd
2011-10-06 18:44 . 2011-10-06 18:44 -------- d-----w- c:\users\carlos\AppData\Roaming\a1L4wnY2ho
2011-10-06 18:44 . 2011-10-06 18:44 -------- d-----w- c:\users\carlos\AppData\Roaming\D1SbFpGQJKfTqCI
2011-10-06 18:44 . 2011-10-06 18:44 -------- d-----w- c:\users\carlos\AppData\Roaming\daRqrv5LV04tD6Z
2011-10-06 18:43 . 2011-10-06 18:43 -------- d-----w- c:\users\carlos\AppData\Roaming\D3sZrcG7hO1aEX
2011-10-06 18:43 . 2011-10-06 18:43 -------- d-----w- c:\users\carlos\AppData\Roaming\ArvpdTV2a
2011-10-06 18:43 . 2011-10-06 18:43 -------- d-----w- c:\users\carlos\AppData\Roaming\BRhVOBtzPyAiDoF
2011-10-06 18:43 . 2011-10-06 18:43 -------- d-----w- c:\users\carlos\AppData\Roaming\bxKbrQ0gDwQPKuR
2011-10-06 18:41 . 2011-10-06 18:41 -------- d-----w- c:\users\carlos\AppData\Roaming\aEK8fRZhTwUeI
2011-10-06 18:41 . 2011-10-06 18:41 -------- d-----w- c:\users\carlos\AppData\Roaming\dA1uvSoF3
2011-10-06 18:41 . 2011-10-06 18:41 -------- d-----w- c:\users\carlos\AppData\Roaming\BwjCelIBrPx1So3
2011-10-06 18:41 . 2011-10-07 00:39 -------- d-----w- c:\users\carlos\AppData\Roaming\DEKgRZYXUltN1D
2011-10-06 18:41 . 2011-10-06 18:41 -------- d-----w- c:\users\carlos\AppData\Roaming\D01DHJEgqktvndh
2011-10-06 18:39 . 2011-10-07 00:39 -------- d-----w- c:\users\carlos\AppData\Roaming\a0HYi7V2ElofOng
2011-10-06 18:39 . 2011-10-06 18:39 -------- d-----w- c:\users\carlos\AppData\Roaming\bYoVpeGNfbjDqfc
2011-10-06 18:39 . 2011-10-06 18:39 -------- d-----w- c:\users\carlos\AppData\Roaming\DfBJlnZc6BmUdA7
2011-10-06 18:39 . 2011-10-06 18:39 -------- d-----w- c:\users\carlos\AppData\Roaming\bfBJlnZc6BmUdA7
2011-10-06 18:39 . 2011-10-06 18:39 -------- d-----w- c:\users\carlos\AppData\Roaming\d2q5VsO60E0gbC5
2011-10-06 18:39 . 2011-10-06 18:39 -------- d-----w- c:\users\carlos\AppData\Roaming\AR1PhpeQVatJtJD
2011-10-06 18:38 . 2011-10-06 18:38 -------- d-----w- c:\users\carlos\AppData\Roaming\BumKUuag0GTPHgU
2011-10-06 18:37 . 2011-10-06 18:37 -------- d-----w- c:\users\carlos\AppData\Roaming\COnj2XohbXiY3h5
2011-10-06 18:37 . 2011-10-06 18:37 -------- d-----w- c:\users\carlos\AppData\Roaming\ABrzONyxAuSb
2011-10-06 18:36 . 2011-10-07 00:39 -------- d-----w- c:\users\carlos\AppData\Roaming\aXwkUVelOtPyi2F
2011-10-06 18:36 . 2011-10-06 18:36 -------- d-----w- c:\users\carlos\AppData\Roaming\bXlNv4Q8TlNSpJf
2011-10-06 18:35 . 2011-10-06 18:35 -------- d-----w- c:\users\carlos\AppData\Roaming\AoZxJk3As
2011-10-06 18:35 . 2011-10-06 18:35 -------- d-----w- c:\users\carlos\AppData\Roaming\BEfRZhwjCIzxu
2011-10-06 18:34 . 2011-10-06 18:34 -------- d-----w- c:\users\carlos\AppData\Roaming\bEL9gTjCwrN0SiD
2011-10-06 18:34 . 2011-10-06 18:34 -------- d-----w- c:\users\carlos\AppData\Roaming\C4HWf8ZYkr0v45E
2011-10-06 18:34 . 2011-10-06 18:34 -------- d-----w- c:\users\carlos\AppData\Roaming\d0Sbo4HWf
2011-10-06 18:34 . 2011-10-07 00:39 -------- d-----w- c:\users\carlos\AppData\Roaming\clt0Avo4H
2011-10-06 18:34 . 2011-10-06 18:34 -------- d-----w- c:\users\carlos\AppData\Roaming\cv47RwOyi2Fms7K
2011-10-06 18:34 . 2011-10-07 00:39 -------- d-----w- c:\users\carlos\AppData\Roaming\b0S1Dn4am5d
2011-10-06 18:34 . 2011-10-06 18:34 -------- d-----w- c:\users\carlos\AppData\Roaming\cWK7RL9gTqYeIOt
2011-10-06 18:33 . 2011-10-07 00:39 -------- d-----w- c:\users\carlos\AppData\Roaming\d4xqoUGzLpIWch5
2011-10-06 18:33 . 2011-10-07 00:39 -------- d-----w- c:\users\carlos\AppData\Roaming\C6yLbYal7bVEAZo
2011-10-06 18:33 . 2011-10-06 18:33 -------- d-----w- c:\users\carlos\AppData\Roaming\CnUsPfSX3walWPR
2011-10-06 18:32 . 2011-10-06 18:32 -------- d-----w- c:\users\carlos\AppData\Roaming\CQeFhv8OaCDg0Jl
2011-10-06 18:32 . 2011-10-06 18:32 -------- d-----w- c:\users\carlos\AppData\Roaming\AD9oZvTpCnIsbrE
2011-10-06 18:32 . 2011-10-06 18:32 -------- d-----w- c:\users\carlos\AppData\Roaming\coL1Wz5Y3
2011-10-06 18:32 . 2011-10-06 18:32 -------- d-----w- c:\users\carlos\AppData\Roaming\AoL1Wz5Y3
2011-10-06 18:32 . 2011-10-06 18:32 -------- d-----w- c:\users\carlos\AppData\Roaming\aFdYByF7hIumKwz
2011-10-06 18:32 . 2011-10-06 18:32 -------- d-----w- c:\users\carlos\AppData\Roaming\BWZrcWrFLRtHjbj
2011-10-06 18:31 . 2011-10-06 18:31 -------- d-----w- c:\users\carlos\AppData\Roaming\ADna5JEghwVO
2011-10-06 18:31 . 2011-10-06 18:31 -------- d-----w- c:\users\carlos\AppData\Roaming\CfRL9gTXqYeIrOt
2011-10-06 18:31 . 2011-10-06 18:31 -------- d-----w- c:\users\carlos\AppData\Roaming\d9hTUlrNAvo3GQd
2011-10-06 18:31 . 2011-10-06 18:31 -------- d-----w- c:\users\carlos\AppData\Roaming\CZ9hTUlrNAvo3G
2011-10-06 18:30 . 2011-10-06 18:30 -------- d-----w- c:\users\carlos\AppData\Roaming\cjP2aRCA3dqzuDa
2011-10-06 18:30 . 2011-10-06 18:30 -------- d-----w- c:\users\carlos\AppData\Roaming\BLnPXQ2NjJn0VE3
2011-10-06 18:30 . 2011-10-06 18:30 -------- d-----w- c:\users\carlos\AppData\Roaming\aIf3zZmSVEoBRpx
2011-10-06 18:28 . 2011-10-06 18:28 -------- d-----w- c:\users\carlos\AppData\Roaming\azNycA1uvb4m56E
2011-10-06 18:28 . 2011-10-07 00:39 -------- d-----w- c:\users\carlos\AppData\Roaming\AsWJ7dEL8RhXkVl
2011-10-06 18:28 . 2011-10-07 00:39 -------- d-----w- c:\users\carlos\AppData\Roaming\B3onF4mH5W7EgZh
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-06 12:18 . 2009-02-28 20:42 87456 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-10-06 12:18 . 2009-02-28 20:42 34688 ----a-w- c:\windows\system32\LMIport.dll
2011-10-06 12:18 . 2009-02-28 20:42 80768 ----a-w- c:\windows\system32\LMIinit.dll
2011-07-18 13:44 . 2009-02-28 20:42 87456 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files (x86)\Java\jre6\bin\jusched.exe" [2009-01-30 136600]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-07-17 61440]
"LchDrvKey"="c:\windows\LchDrvKey.exe" [2007-03-29 36864]
"LedKey"="c:\windows\CNYHKey.exe" [2008-04-24 339968]
"Smart Copy"="c:\program files (x86)\IOI\Smart Copy\ButtonMonitor.exe" [2008-05-21 53248]
"P2Go_Menu"="c:\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Whitney2_S2P"="c:\program files (x86)\Samsung\Samsung SCX-4725 Series\SPanel\RCP\Scan2pc.exe" [2007-01-23 253952]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2007-02-05 520192]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-09-06 3722416]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@=""
.
R2 gupdate1c9e479f98e4a5f;Google Update Service (gupdate1c9e479f98e4a5f);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-06-03 133104]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-06-03 133104]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S2 ETService;Empowering Technology Service;c:\program files\GATEWAY\Gateway Recovery Management\Service\ETService.exe [2008-06-11 24576]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [2011-10-06 375176]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files (x86)\LogMeIn\x64\RaInfo.sys [2008-07-25 15928]
S2 ssfmonm;ssfmonm;c:\windows\system32\DRIVERS\ssfmonm.sys [x]
S2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.sys [x]
S2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx64coinst,serviceStartProc [x]
S3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk60x64.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-12 c:\windows\Tasks\FileCure Default.job
- c:\program files (x86)\ParetoLogic\FileCure\FileCure.exe [2011-03-01 23:00]
.
2011-10-14 c:\windows\Tasks\FileCure Startup.job
- c:\program files (x86)\ParetoLogic\FileCure\FileCure.exe [2011-03-01 23:00]
.
2011-10-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-06-03 18:24]
.
2011-10-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-06-03 18:24]
.
2011-10-13 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\windows\system32\rundll32.exe [2006-11-02 09:45]
.
2011-10-13 c:\windows\Tasks\ParetoLogic Update Version3.job
- c:\program files (x86)\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2011-01-28 21:19]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-09-06 20:45 134384 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1584184]
"RtHDVCpl"="RAVCpl64.exe" [2008-09-18 6495264]
"Skytel"="Skytel.exe" [2008-09-18 1833504]
"LogMeIn GUI"="c:\program files (x86)\LogMeIn\x64\LogMeInSystray.exe" [2008-07-25 57928]
"combofix"="c:\combofix\CF16681.3XE" [2008-01-21 363008]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=1208&m=dx4200-09
mLocal Page = %SystemRoot%\system32\blank.htm
uInternet Settings,ProxyServer = http=127.0.0.1:58606
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 192.168.2.1
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{46a21652-3f93-437d-aac0-caa1f6713da0} - (no file)
Wow6432Node-HKLM-Run-eRecoveryService - (no file)
SafeBoot-WRConsumerService
WebBrowser-{46A21652-3F93-437D-AAC0-CAA1F6713DA0} - (no file)
AddRemove-Citrix ICA Web Client - c:\windows\system32\ctxsetup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\MHotKey.exe
c:\windows\ChiFuncExt.exe
c:\program files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files (x86)\CyberLink\Shared files\RichVideo.exe
c:\program files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
.
**************************************************************************
.
Completion time: 2011-10-14 15:19:08 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-14 20:19
.
Pre-Run: 484,761,350,144 bytes free
Post-Run: 483,773,341,696 bytes free
.
Current=1 Default=1 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 200EF9CE85A3CB05DAD244B7B7182B36
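The reply that follows builds its OTL ":Files" list from the burst of random-named directories that the "Files Created" section of this ComboFix log shows appearing under AppData\Roaming within a few minutes of each other. The Python below is an added example, not ComboFix, OTL or this thread's own code: it parses that section, clusters random-named sibling directories by parent folder and creation time, and renders them in the fix layout used in this thread. The sample log is a short excerpt of the entries above, and the burst thresholds (five or more siblings, at most ten minutes apart) are assumptions.

```python
"""Triage helper for the 'Files Created' section of a ComboFix log.

Added example (not ComboFix, OTL or this thread's own code): extracts the
directory-creation lines, finds bursts of random-named sibling directories
created minutes apart under one parent, and renders them as an OTL ':Files'
fix in the layout used in this thread. Thresholds are assumptions."""
import re
from datetime import datetime, timedelta

# A 'Files Created' line: "<created> . <modified> <size|-----> <attrs> <path>"
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-+|\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)

# Constructed excerpt of the log above: a few legitimate entries plus six of
# the random-named AppData\Roaming directories created within minutes.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2011-09-14 to 2011-10-14 )))))))))))))))))))))))))))))))
.
2011-10-14 20:08 . 2011-10-14 20:12 -------- d-----w- c:\users\carlos\AppData\Local\temp
2011-10-09 22:28 . 2011-10-09 22:29 -------- d-----w- c:\program files\McAfee
2011-10-08 16:17 . 2009-12-30 16:21 31800 ----a-w- c:\windows\system32\drivers\revoflt.sys
2011-10-06 19:02 . 2011-10-06 19:02 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-10-06 18:59 . 2011-10-06 18:59 -------- d-----w- c:\users\carlos\AppData\Roaming\a8YePuFJZjBx2m6
2011-10-06 18:58 . 2011-10-06 18:58 -------- d-----w- c:\users\carlos\AppData\Roaming\CF4mH5sWJdLgZhX
2011-10-06 18:58 . 2011-10-06 18:58 -------- d-----w- c:\users\carlos\AppData\Roaming\arNAbp4HW79qw
2011-10-06 18:57 . 2011-10-06 18:57 -------- d-----w- c:\users\carlos\AppData\Roaming\AjxnRIbWYPaglvW
2011-10-06 18:56 . 2011-10-06 18:56 -------- d-----w- c:\users\carlos\AppData\Roaming\ARjBx2m6RqIy
2011-10-06 18:55 . 2011-10-06 18:55 -------- d-----w- c:\users\carlos\AppData\Roaming\Cvo3GQd8LTj
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-06 12:18 . 2009-02-28 20:42 87456 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
"""


def parse_created_entries(log_text):
    """Return (created, is_dir, path) tuples from the 'Files Created' section.
    Parsing stops at the next section banner so that Find3M and registry
    entries are never mistaken for newly created files."""
    entries, in_section = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if "Files Created from" in line:
            in_section = True
            continue
        if in_section and line.startswith("(((("):
            break
        m = LINE_RE.match(line)
        if in_section and m:
            created = datetime.strptime(m.group("created"), "%Y-%m-%d %H:%M")
            entries.append((created, m.group("attrs").startswith("d"), m.group("path")))
    return entries


def looks_random(name):
    """Heuristic for the machine-generated names in this log: alphanumeric
    only, 9-15 characters, mixing upper- and lower-case letters."""
    return (name.isalnum() and 9 <= len(name) <= 15
            and name != name.lower() and name != name.upper())


def find_bursts(entries, min_count=5, max_gap_minutes=10):
    """Group random-named directories by parent folder (compared lower-cased,
    since Windows paths are case-insensitive) and return every run of at least
    min_count siblings whose creation times are each within max_gap_minutes
    of the previous one. Paths keep the log's newest-first order."""
    by_parent = {}
    for created, is_dir, path in entries:
        parent, _, name = path.rpartition("\\")
        if is_dir and looks_random(name):
            by_parent.setdefault(parent.lower(), []).append((created, path))
    gap = timedelta(minutes=max_gap_minutes)
    bursts = []
    for siblings in by_parent.values():
        siblings.sort(key=lambda e: e[0], reverse=True)
        cluster = [siblings[0]]
        for prev, cur in zip(siblings, siblings[1:]):
            if prev[0] - cur[0] <= gap:
                cluster.append(cur)
                continue
            if len(cluster) >= min_count:
                bursts.append([p for _, p in cluster])
            cluster = [cur]
        if len(cluster) >= min_count:
            bursts.append([p for _, p in cluster])
    return bursts


def otl_files_fix(paths):
    """Render paths as an OTL custom fix in the layout used in this thread:
    empty :OTL and :Reg sections followed by a :Files section."""
    return "\n".join([":OTL", "", ":Reg", "", ":Files", *paths]) + "\n"


if __name__ == "__main__":
    for paths in find_bursts(parse_created_entries(SAMPLE_LOG)):
        parent = paths[0].rpartition("\\")[0]
        print(f"{len(paths)} random-named directories created in a burst under {parent}:")
        print(otl_files_fix(paths))
```

Run against the full log above, the same clustering picks out the whole 18:28-19:02 run of directories under c:\users\carlos\AppData\Roaming while leaving the McAfee, Avast and Malwarebytes entries alone.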

#4
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK, that is the main one gone - let's now start removing the rubbish left over. Once this run is complete, can you let me know what the current problems are?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL

    :Reg

    :Files
    c:\users\carlos\AppData\Roaming\a8YePuFJZjBx2m6
    c:\users\carlos\AppData\Roaming\CF4mH5sWJdLgZhX
    c:\users\carlos\AppData\Roaming\arNAbp4HW79qw
    c:\users\carlos\AppData\Roaming\CLwx4dYBimKjP2d
    c:\users\carlos\AppData\Roaming\CECtv5gUAm8jP2s
    c:\users\carlos\AppData\Roaming\B1aECtbsTViH8
    c:\users\carlos\AppData\Roaming\cG4aQH6sW
    c:\users\carlos\AppData\Roaming\AjxnRIbWYPaglvW
    c:\users\carlos\AppData\Roaming\AN39rSHZ048O
    c:\users\carlos\AppData\Roaming\bXYrxu2Dna6KfTj
    c:\users\carlos\AppData\Roaming\bVrlOBxPySioFa5
    c:\users\carlos\AppData\Roaming\BhqCIzy0Sbp5HWf
    c:\users\carlos\AppData\Roaming\ARjBx2m6RqIy
    c:\users\carlos\AppData\Roaming\Cvo3GQd8LTj
    c:\users\carlos\AppData\Roaming\CgZqhXwkeOtPyA
    c:\users\carlos\AppData\Roaming\aLx5Un9ARy
    c:\users\carlos\AppData\Roaming\CK8fR9jelBzy1So
    c:\users\carlos\AppData\Roaming\CK8f9XUeIzxu2bm
    c:\users\carlos\AppData\Roaming\dBc2m6RwIxvo
    c:\users\carlos\AppData\Roaming\aTxawbflHYAQjo8
    c:\users\carlos\AppData\Roaming\AGQd8LTjeBO2
    c:\users\carlos\AppData\Roaming\aA4dTBumKw
    c:\users\carlos\AppData\Roaming\CfEL8gTZqYw
    c:\users\carlos\AppData\Roaming\av3Q8qzSG7
    c:\users\carlos\AppData\Roaming\av3Q8fqzSG
    c:\users\carlos\AppData\Roaming\aSpJfXkNvn
    c:\users\carlos\AppData\Roaming\CBrzPNyxAuSoFpG
    c:\users\carlos\AppData\Roaming\BpmG5sQJ6E8R9Tw
    c:\users\carlos\AppData\Roaming\CKRhwCIzy1S
    c:\users\carlos\AppData\Roaming\D9ugAsV6Uoe
    c:\users\carlos\AppData\Roaming\dBumRjkzxvi3GQd
    c:\users\carlos\AppData\Roaming\AgPmCi7kc
    c:\users\carlos\AppData\Roaming\AXwjUVelItPyAuD
    c:\users\carlos\AppData\Roaming\CJEgqXUlt0Avo4
    c:\users\carlos\AppData\Roaming\d4esyZ3zYQxgmth
    c:\users\carlos\AppData\Roaming\AWBWBJt8u
    c:\users\carlos\AppData\Roaming\CwnXv9AfNKxTiT3
    c:\users\carlos\AppData\Roaming\ABF9uKNQY
    c:\users\carlos\AppData\Roaming\AIbfyQCi7
    c:\users\carlos\AppData\Roaming\C2Kr4ZPHUvde2K
    c:\users\carlos\AppData\Roaming\AXlNv4Q8U
    c:\users\carlos\AppData\Roaming\Bq0HYcKIbfNGjuK
    c:\users\carlos\AppData\Roaming\D1gA8A8NdOd
    c:\users\carlos\AppData\Roaming\DF3pmG5aQ6W8Rhq
    c:\users\carlos\AppData\Roaming\AF4pG5sQJERheBP
    c:\users\carlos\AppData\Roaming\CsJ7EgRqhXVlzy
    c:\users\carlos\AppData\Roaming\AVxn58Yec
    c:\users\carlos\AppData\Roaming\cc9ihFV5tdcTmNf
    c:\users\carlos\AppData\Roaming\btWNr8cLmVhSNd
    c:\users\carlos\AppData\Roaming\a1L4wnY2ho
    c:\users\carlos\AppData\Roaming\D1SbFpGQJKfTqCI
    c:\users\carlos\AppData\Roaming\daRqrv5LV04tD6Z
    c:\users\carlos\AppData\Roaming\D3sZrcG7hO1aEX
    c:\users\carlos\AppData\Roaming\ArvpdTV2a
    c:\users\carlos\AppData\Roaming\BRhVOBtzPyAiDoF
    c:\users\carlos\AppData\Roaming\bxKbrQ0gDwQPKuR
    c:\users\carlos\AppData\Roaming\aEK8fRZhTwUeI
    c:\users\carlos\AppData\Roaming\dA1uvSoF3
    c:\users\carlos\AppData\Roaming\BwjCelIBrPx1So3
    c:\users\carlos\AppData\Roaming\DEKgRZYXUltN1D
    c:\users\carlos\AppData\Roaming\a0HYi7V2ElofOng
    c:\users\carlos\AppData\Roaming\bYoVpeGNfbjDqfc
    c:\users\carlos\AppData\Roaming\DfBJlnZc6BmUdA7
    c:\users\carlos\AppData\Roaming\bfBJlnZc6BmUdA7
    c:\users\carlos\AppData\Roaming\d2q5VsO60E0gbC5
    c:\users\carlos\AppData\Roaming\AR1PhpeQVatJtJD
    c:\users\carlos\AppData\Roaming\BumKUuag0GTPHgU
    c:\users\carlos\AppData\Roaming\ABrzONyxAuSb
    c:\users\carlos\AppData\Roaming\aXwkUVelOtPyi2F
    c:\users\carlos\AppData\Roaming\bXlNv4Q8TlNSpJf
    c:\users\carlos\AppData\Roaming\AoZxJk3As
    c:\users\carlos\AppData\Roaming\BEfRZhwjCIzxu
    c:\users\carlos\AppData\Roaming\bEL9gTjCwrN0SiD
    c:\users\carlos\AppData\Roaming\C4HWf8ZYkr0v45E
    c:\users\carlos\AppData\Roaming\d0Sbo4HWf
    c:\users\carlos\AppData\Roaming\clt0Avo4H
    c:\users\carlos\AppData\Roaming\cv47RwOyi2Fms7K
    c:\users\carlos\AppData\Roaming\b0S1Dn4am5d
    c:\users\carlos\AppData\Roaming\cWK7RL9gTqYeIOt
    c:\users\carlos\AppData\Roaming\d4xqoUGzLpIWch5
    c:\users\carlos\AppData\Roaming\C6yLbYal7bVEAZo
    c:\users\carlos\AppData\Roaming\CnUsPfSX3walWPR
    c:\users\carlos\AppData\Roaming\CQeFhv8OaCDg0Jl
    c:\users\carlos\AppData\Roaming\AD9oZvTpCnIsbrE
    c:\users\carlos\AppData\Roaming\coL1Wz5Y3
    c:\users\carlos\AppData\Roaming\AoL1Wz5Y3
    c:\users\carlos\AppData\Roaming\aFdYByF7hIumKwz
    c:\users\carlos\AppData\Roaming\BWZrcWrFLRtHjbj
    c:\users\carlos\AppData\Roaming\ADna5JEghwVO
    c:\users\carlos\AppData\Roaming\CfRL9gTXqYeIrOt
    c:\users\carlos\AppData\Roaming\d9hTUlrNAvo3GQd
    c:\users\carlos\AppData\Roaming\CZ9hTUlrNAvo3G
    c:\users\carlos\AppData\Roaming\cjP2aRCA3dqzuDa
    c:\users\carlos\AppData\Roaming\BLnPXQ2NjJn0VE3
    c:\users\carlos\AppData\Roaming\aIf3zZmSVEoBRpx
    c:\users\carlos\AppData\Roaming\AsWJ7dEL8RhXkVl
    c:\users\carlos\AppData\Roaming\B3onF4mH5W7EgZh
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

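The OTL fix above is a plain-text script split into sections (:OTL, :Reg, :Files, :Commands), and the warning that it is only valid for this one system is easy to ignore. As an added example (not part of the thread and not OTL's own code), here is a small parser for that format plus two defender-side checks: one that flags any :Files entry outside the expected user profile before the fix is run, and one that reports which listed paths still exist after it ran. The sample script is a constructed excerpt of the posted fix, and the convention that a :Files line ending in "/c" is run as a command rather than deleted is assumed from how the posted script uses "ipconfig /flushdns /c".

```python
import os

# Constructed excerpt of the fix posted above (two of the many paths).
SAMPLE_FIX = """:OTL

:Reg

:Files
c:\\users\\carlos\\AppData\\Roaming\\a8YePuFJZjBx2m6
c:\\users\\carlos\\AppData\\Roaming\\CF4mH5sWJdLgZhX
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[Reboot]
"""

def parse_otl_fix(text):
    """Split an OTL fix script into sections; returns {name: [non-blank lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":") and " " not in line:   # section header like ":Files"
            current = line[1:]
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections

def split_files_section(lines):
    """Separate path entries from command entries (lines ending in '/c') in :Files."""
    paths, commands = [], []
    for line in lines:
        (commands if line.lower().endswith(" /c") else paths).append(line)
    return paths, commands

def paths_outside_profile(paths, profile_root):
    """Pre-run check: entries not under the expected profile are a sign the fix
    was written for a different machine (the thread's own warning)."""
    root = os.path.normcase(profile_root.rstrip("\\")) + "\\"
    return [p for p in paths if not os.path.normcase(p).startswith(root)]

def audit_removal(paths, exists=os.path.exists):
    """Post-run check: return the listed paths that still exist.
    `exists` is injectable so the logic can be tested without touching the disk."""
    return [p for p in paths if exists(p)]
```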

#5
bpearce2001
    New Member
  • Topic Starter
  • Member
  • 9 posts
I had to zip the file and attach it again, but here it is. I had to take the computer back to my son's house, but I still have remote access to it if I need to do anything more. It appears to be running ok now.

Attached Files



#6
Essexboy
    GeekU Moderator
  • Retired Staff
  • 69,964 posts
Still a shed load of old folders to kill - :)

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Download the attached zip file and extract the fix.txt to your desktop

Run OTL
  • Then click the Run Fix button at the top
  • A dialogue will appear asking for the location of the fix.txt
  • Select the fix.txt that you have just unzipped
  • Press the run fix button again
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.


#7
Essexboy
    GeekU Moderator
  • Retired Staff
  • 69,964 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.