
Antivirus 2011



#1 Jacob0812 (New Member, 5 posts)
I have Webroot Spy Sweeper on my wife's computer. I was recently infected with the Cloud 2012 Antivirus rogue. I am not 100% sure how to remove it, but the screen that comes up on my computer (it repeatedly pops up, and when I try to close it, it just reappears) says that the computer is infected and can potentially put other computers on the network at risk too. I was searching online on my computer for how to fix it, and this was the website it gave me.

As I was using this process, I found a website that told me to go into the Task Manager and then Processes. I did that and may have accidentally deleted something needed. Not 100% sure on that. I did not delete what it said to make sure not to delete.

Would love help with this if anyone knows how to fix it.

OTL logfile created on: 11/27/2011 9:12:15 AM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\owner\Desktop
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.93 Gb Total Physical Memory | 1.28 Gb Available Physical Memory | 66.07% Memory free
3.87 Gb Paging File | 3.19 Gb Available in Paging File | 82.41% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 220.40 Gb Total Space | 176.10 Gb Free Space | 79.90% Space Free | Partition Type: NTFS
Drive D: | 12.29 Gb Total Space | 2.06 Gb Free Space | 16.75% Space Free | Partition Type: NTFS

Computer Name: OWNER-PC | User Name: owner | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/11/27 09:11:08 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\owner\Desktop\OTL.exe
PRC - [2011/11/27 08:34:39 | 000,284,160 | ---- | M] () -- C:\Program Files (x86)\LP\6D67\CE5.exe
PRC - [2011/11/27 00:32:53 | 000,187,904 | ---- | M] () -- C:\Program Files (x86)\24F2E\lvvm.exe
PRC - [2011/11/26 19:52:09 | 000,172,544 | ---- | M] () -- C:\Users\owner\AppData\Roaming\7CE24\B6C8C.exe
PRC - [2011/09/12 21:31:41 | 003,381,184 | ---- | M] (Webroot Software, Inc. ) -- C:\Program Files (x86)\Webroot\Security\Current\Framework\WRConsumerService.exe
PRC - [2011/08/24 17:29:02 | 003,997,912 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\Program Files (x86)\Webroot\Security\Current\plugins\antimalware\AEI.exe


========== Modules (No Company Name) ==========

MOD - [2011/11/27 08:34:39 | 000,284,160 | ---- | M] () -- C:\Program Files (x86)\LP\6D67\CE5.exe
MOD - [2011/11/27 00:32:53 | 000,187,904 | ---- | M] () -- C:\Program Files (x86)\24F2E\lvvm.exe
MOD - [2011/11/26 19:52:09 | 000,172,544 | ---- | M] () -- C:\Users\owner\AppData\Roaming\7CE24\B6C8C.exe


========== Win32 Services (SafeList) ==========

SRV - [2011/09/12 21:31:41 | 003,381,184 | ---- | M] (Webroot Software, Inc. ) [Auto | Running] -- C:\Program Files (x86)\Webroot\Security\Current\Framework\WRConsumerService.exe -- (WRConsumerService)
SRV - [2011/08/24 17:29:02 | 003,997,912 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Auto | Running] -- C:\Program Files (x86)\Webroot\Security\current\plugins\antimalware\AEI.exe -- (WebrootSpySweeperService)
SRV - [2011/08/03 20:18:43 | 000,126,400 | R--- | M] (Symantec Corporation) [Unknown | Stopped] -- C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\ccSvcHst.exe -- (NIS)
SRV - [2011/06/21 14:57:34 | 000,085,560 | ---- | M] (Hewlett-Packard Company) [Auto | Stopped] -- C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe -- (HP Support Assistant Service)
SRV - [2011/03/28 16:07:50 | 000,094,264 | ---- | M] (Hewlett-Packard Company) [Auto | Stopped] -- C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe -- (HPDrvMntSvc.exe)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/06/10 13:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2009/04/29 11:21:18 | 000,436,736 | ---- | M] (Conexant Systems, Inc.) [Auto | Stopped] -- C:\Windows\SysWOW64\XAudio64.dll -- (HsfXAudioService)
SRV - [2008/01/08 11:02:16 | 001,213,728 | ---- | M] (SupportSoft, Inc.) [Auto | Stopped] -- C:\Program Files (x86)\Common Files\supportsoft\bin\sprtlisten.exe -- (sprtlisten)
SRV - [2008/01/08 11:02:12 | 000,394,608 | ---- | M] (SupportSoft, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\supportsoft\bin\ssrc.exe -- (SupportSoft RemoteAssist)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2011/08/21 18:53:36 | 000,451,704 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\Windows\SysNative\drivers\NISx64\1109000.00C\symtdiv.sys -- (SYMTDIv)
DRV:64bit: - [2011/08/21 18:53:35 | 000,221,304 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\NISx64\1109000.00C\symefa64.sys -- (SymEFA)
DRV:64bit: - [2011/08/03 20:19:26 | 000,593,544 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\Windows\SysNative\drivers\NISx64\1109000.00C\cchpx64.sys -- (ccHP)
DRV:64bit: - [2011/07/11 09:07:54 | 000,136,224 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\ssidrv.sys -- (ssidrv)
DRV:64bit: - [2011/07/11 09:07:50 | 000,056,920 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [File_System | Auto | Stopped] -- C:\Windows\SysNative\drivers\ssfmonm.sys -- (ssfmonm)
DRV:64bit: - [2011/03/10 22:22:41 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/03/10 22:22:40 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010/09/26 19:15:22 | 002,374,656 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\athrx.sys -- (athr)
DRV:64bit: - [2010/08/25 19:36:04 | 010,611,552 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx)
DRV:64bit: - [2010/06/02 12:55:05 | 000,173,104 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS -- (SymEvent)
DRV:64bit: - [2010/05/25 19:48:00 | 000,699,960 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\CHDRT64.sys -- (CnxtHdAudService)
DRV:64bit: - [2010/04/28 21:03:51 | 000,150,064 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\Windows\SysNative\drivers\NISx64\1109000.00C\ironx64.sys -- (SymIRON)
DRV:64bit: - [2010/04/21 18:29:51 | 000,505,392 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NISx64\1109000.00C\srtsp64.sys -- (SRTSP)
DRV:64bit: - [2010/04/21 18:29:51 | 000,032,304 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\Windows\SysNative\drivers\NISx64\1109000.00C\srtspx64.sys -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV:64bit: - [2009/08/29 16:17:18 | 000,433,200 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\NISx64\1109000.00C\symds64.sys -- (SymDS)
DRV:64bit: - [2009/07/13 17:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 17:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 17:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009/07/13 17:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/13 15:31:10 | 000,109,056 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\sdbus.sys -- (sdbus)
DRV:64bit: - [2009/06/18 20:12:32 | 000,272,432 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SynTP.sys -- (SynTP)
DRV:64bit: - [2009/06/10 13:01:11 | 001,485,312 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\VSTDPV6.SYS -- (SrvHsfV92)
DRV:64bit: - [2009/06/10 13:01:11 | 000,740,864 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\VSTCNXT6.SYS -- (SrvHsfWinac)
DRV:64bit: - [2009/06/10 13:01:11 | 000,292,864 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\VSTAZL6.SYS -- (SrvHsfHDA)
DRV:64bit: - [2009/06/10 12:35:33 | 000,389,120 | ---- | M] (Marvell) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\yk62x64.sys -- (yukonw7)
DRV:64bit: - [2009/06/10 12:35:28 | 005,434,368 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\netw5v64.sys -- (netw5v64) Intel®
DRV:64bit: - [2009/06/10 12:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 12:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 12:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 12:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009/06/04 16:46:50 | 000,216,064 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\RtsUStor.sys -- (RSUSBSTOR)
DRV:64bit: - [2009/05/22 22:52:30 | 000,215,040 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2009/05/18 12:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2009/04/29 11:21:08 | 000,010,240 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Stopped] -- C:\Windows\SysNative\drivers\XAudio64.sys -- (XAudio)
DRV:64bit: - [2009/04/29 07:48:32 | 000,018,432 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HpqKbFiltr.sys -- (HpqKbFiltr)
DRV:64bit: - [2009/02/12 22:24:56 | 001,485,824 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\CAX_DPV.sys -- (HSF_DPV)
DRV:64bit: - [2009/02/12 22:20:56 | 000,292,864 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\CAXHWAZL.sys -- (CAXHWAZL)
DRV:64bit: - [2009/02/12 22:19:34 | 000,740,864 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\CAX_CNXT.sys -- (winachsf)
DRV:64bit: - [2006/06/18 06:27:24 | 000,017,024 | ---- | M] (Conexant) [Kernel | Auto | Stopped] -- C:\Windows\SysNative\drivers\mdmxsdk.sys -- (mdmxsdk)
DRV - [2010/07/09 20:44:46 | 000,942,640 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100709.001\BHDrvx64.sys -- (BHDrvx64)
DRV - [2010/06/02 13:12:20 | 000,475,696 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys -- (eeCtrl)
DRV - [2010/06/02 13:12:20 | 000,132,656 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2010/05/28 11:33:18 | 000,463,408 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100730.001\IDSviA64.sys -- (IDSVia64)
DRV - [2009/07/13 17:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/CQNOT/1
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/CQNOT/1
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/CQNOT/1
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/CQNOT/1

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qwest.live.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://g.msn.com/CQNOT/1 [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://g.msn.com/CQNOT/1 [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://qwest.live.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://qwest.live.com
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>;*.local

FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8081.0709: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKCU\Software\MozillaPlugins\@yahoo.com/BrowserPlus,version=2.6.0: C:\Users\owner\AppData\Local\Yahoo!\BrowserPlus\2.6.0\Plugins\npybrowserplus_2.6.0.dll (Yahoo! Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2009/11/01 00:16:29 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\IPSFFPlgn\ [2011/07/23 19:19:36 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn_2010_9_0_6 [2011/11/27 08:27:37 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2011/11/27 00:34:29 | 000,001,445 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 46.4.179.84 yahoo.com
O1 - Hosts: 212.124.122.156 google.com
O1 - Hosts: 46.4.179.84 myspace.com
O1 - Hosts: 212.124.122.156 msn.com
O1 - Hosts: 46.4.179.84 ebay.com
O1 - Hosts: 46.4.179.84 amazon.com
O1 - Hosts: 212.124.122.156 youtube.com
O1 - Hosts: 46.4.179.84 craigslist.org
O1 - Hosts: 212.124.122.156 wikipedia.org
O1 - Hosts: 46.4.179.110 cnn.com
O1 - Hosts: 46.4.179.84 facebook.com
O1 - Hosts: 46.4.179.110 go.com
O1 - Hosts: 46.4.179.84 live.com
O1 - Hosts: 46.4.179.84 blogger.com
O1 - Hosts: 46.4.179.110 aol.com
O1 - Hosts: 46.4.179.84 microsoft.com
O1 - Hosts: 46.4.179.110 comcast.net
O1 - Hosts: 46.4.179.84 imdb.com
O1 - Hosts: 46.4.179.84 digg.com
O1 - Hosts: 46.4.179.84 flickr.com
O1 - Hosts: 46.4.179.84 Expedia.com
O1 - Hosts: 46.4.179.84 Monster.com
O1 - Hosts: 212.124.122.156 Paypal.com
O1 - Hosts: 46.4.179.84 Weather.com
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\Program Files (x86)\Crawler\Toolbar\ctbr.dll (Crawler.com)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\coieplg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\ipsbho.dll (Symantec Corporation)
O2 - BHO: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll ()
O2 - BHO: (no name) - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - C:\Program Files (x86)\Inbox Toolbar\Inbox.dll (Inbox.com, Inc.)
O2 - BHO: (Ask.com Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask.com)
O2 - BHO: (Yontoo Layers) - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files (x86)\Yontoo Layers\YontooIEClient.dll (Yontoo Technology, Inc.)
O2 - BHO: (no name) - MRI_DISABLED - No CLSID value found.
O3 - HKLM\..\Toolbar: (&Crawler Toolbar) - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\Program Files (x86)\Crawler\Toolbar\ctbr.dll (Crawler.com)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\coieplg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll ()
O3 - HKLM\..\Toolbar: (Ask.com Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask.com)
O3 - HKLM\..\Toolbar: (&Inbox Toolbar) - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\Program Files (x86)\Inbox Toolbar\Inbox.dll (Inbox.com, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (&Crawler Toolbar) - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\Program Files (x86)\Crawler\Toolbar\ctbr.dll (Crawler.com)
O3 - HKCU\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\coieplg.dll (Symantec Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Ask.com Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask.com)
O3 - HKCU\..\Toolbar\WebBrowser: (&Inbox Toolbar) - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\Program Files (x86)\Inbox Toolbar\Inbox.dll (Inbox.com, Inc.)
O4:64bit: - HKLM..\Run: [cAudioFilterAgent] C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe (Conexant Systems, Inc.)
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [62D.exe] C:\Program Files (x86)\LP\8C27\62D.exe ()
O4 - HKLM..\Run: [Qwest Personal Digital Vault] C:\Program Files (x86)\Qwest Personal Digital Vault\QwestPersonalDigitalVault.exe ()
O4 - HKLM..\Run: [QwestTouchPointAgent] C:\Program Files (x86)\Qwest\Desktop\QwestTouchPointAgent.exe (Qwest Communications)
O4 - HKLM..\Run: [WebrootTrayApp] C:\Program Files (x86)\Webroot\Security\Current\Framework\WRTray.exe (Webroot Software, Inc. )
O4 - HKCU..\Run: [62D.exe] C:\Users\owner\AppData\Roaming\Microsoft\8C27\62D.exe ()
O4 - HKCU..\Run: [limewire plus+] "C:\Program Files (x86)\Limewire Plus+\limewire.exe" -h File not found
O4 - HKCU..\Run: [mE0Sb34JLgqYwUl8234A] C:\Users\owner\AppData\Roaming\qA0uvSiVx\Cloud AV 2012v121.exe (Microsoft Corporation)
O4 - HKCU..\Run: [qItxuGWELZYOtiD] C:\Users\owner\AppData\Roaming\dwme.exe ()
O4 - HKCU..\Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe ()
F3:64bit: - HKCU WinNT: Load - (C:\Users\owner\AppData\Roaming\24F2E\lvvm.exe) - File not found
F3 - HKCU WinNT: Load - (C:\Users\owner\AppData\Roaming\24F2E\lvvm.exe) - File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O8:64bit: - Extra context menu item: Crawler Search - tbr:iemenu File not found
O8 - Extra context menu item: Crawler Search - tbr:iemenu File not found
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_15)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1 205.171.3.25
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{83A4FC1C-3E91-42B9-ABCC-6EC0061AF54E}: DhcpNameServer = 192.168.0.1 205.171.3.25
O18:64bit: - Protocol\Handler\inbox - No CLSID value found
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\ms-itss - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\tbr - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18 - Protocol\Handler\inbox {37540F19-DD4C-478B-B2DF-C19281BCAF27} - C:\Program Files (x86)\Inbox Toolbar\Inbox.dll (Inbox.com, Inc.)
O18 - Protocol\Handler\tbr {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\Program Files (x86)\Crawler\Toolbar\ctbr.dll (Crawler.com)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) -C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKCU Winlogon: Shell - (explorer.exe) -C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (C:\Users\owner\AppData\Roaming\7CE24\8816D.exe) -C:\Users\owner\AppData\Roaming\7CE24\8816D.exe ()
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O30:64bit: - LSA: Authentication Packages - (ows\w) - File not found
O30 - LSA: Authentication Packages - (ows\w) - File not found
O30:64bit: - LSA: Security Packages - (lorer\ShellExecuteHooks) - File not found
O30:64bit: - LSA: Security Packages - (ions\IEInstal.exe) - File not found
O30:64bit: - LSA: Security Packages - (e) - File not found
O30 - LSA: Security Packages - (lorer\ShellExecuteHooks) - File not found
O30 - LSA: Security Packages - (ions\IEInstal.exe) - File not found
O30 - LSA: Security Packages - (e) - File not found
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKCU\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/11/27 09:11:05 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Users\owner\Desktop\OTL.exe
[2011/11/27 08:27:28 | 000,000,000 | ---D | C] -- C:\Users\owner\AppData\Roaming\PjYYCekIVzONx0c
[2011/11/27 08:27:28 | 000,000,000 | ---D | C] -- C:\Users\owner\AppData\Roaming\pG55aQH6dK7fLgX
[2011/11/27 00:32:08 | 000,000,000 | ---D | C] -- C:\Users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Cloud AV 2012
[2011/11/27 00:32:07 | 000,000,000 | ---D | C] -- C:\Users\owner\AppData\Roaming\rUVrlOBtx0c1
[2011/11/27 00:32:07 | 000,000,000 | ---D | C] -- C:\Users\owner\AppData\Roaming\oO0Sns9Zkxn78hw
[2011/11/26 19:51:50 | 000,000,000 | ---D | C] -- C:\Users\owner\AppData\Roaming\l4pmH5sQJdKgZhX
[2011/11/26 19:51:50 | 000,000,000 | ---D | C] -- C:\Users\owner\AppData\Roaming\FjUVelIBtPyAuDo
[2011/11/26 19:51:41 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\24F2E
[2011/11/26 01:49:33 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\LP
[2011/11/26 01:45:42 | 000,000,000 | ---D | C] -- C:\Users\owner\AppData\Roaming\dfRqA23GsTCt
[2011/11/26 01:45:40 | 000,000,000 | ---D | C] -- C:\Users\owner\AppData\Roaming\blPNDmJ6dlyuSma
[2011/11/26 01:45:31 | 000,000,000 | ---D | C] -- C:\Users\owner\AppData\Roaming\24F2E
[2011/11/26 01:45:16 | 000,000,000 | ---D | C] -- C:\Users\owner\AppData\Roaming\7CE24
[2011/11/26 01:45:07 | 000,000,000 | ---D | C] -- C:\Users\owner\AppData\Roaming\wRhyi56fTY
[2011/11/26 01:45:03 | 000,000,000 | ---D | C] -- C:\Users\owner\AppData\Roaming\qA0uvSiVx
[2011/11/26 01:45:01 | 000,000,000 | ---D | C] -- C:\Users\owner\AppData\Roaming\S8fRZhTXwUeIrPy
[2011/04/23 00:55:33 | 000,586,752 | -HS- | C] (Microsoft Corporation) -- C:\Users\owner\AppData\Local\cje.exe
[2 C:\*.tmp files -> C:\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/11/27 09:11:08 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\owner\Desktop\OTL.exe
[2011/11/27 08:57:42 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/11/27 08:57:33 | 1556,500,480 | -HS- | M] () -- C:\hiberfil.sys
[2011/11/27 08:27:38 | 000,001,875 | ---- | M] () -- C:\Users\owner\Desktop\Cloud AV 2012.lnk
[2011/11/27 00:41:21 | 000,023,248 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/11/27 00:41:21 | 000,023,248 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/11/26 19:59:06 | 000,729,556 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2011/11/26 19:59:06 | 000,626,266 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2011/11/26 19:59:06 | 000,107,614 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2011/11/26 01:50:05 | 000,000,384 | ---- | M] () -- C:\Windows\tasks\At1.job
[2011/11/26 01:49:25 | 000,284,160 | ---- | M] () -- C:\Users\owner\AppData\Roaming\iexplore.exe
[2011/11/26 01:45:44 | 000,001,207 | ---- | M] () -- C:\Users\owner\AppData\Roaming\ahst.lni
[2011/11/26 01:45:07 | 000,284,160 | ---- | M] () -- C:\Users\owner\AppData\Roaming\dwme.exe
[2011/11/17 01:01:00 | 000,354,008 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2 C:\*.tmp files -> C:\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/11/27 00:32:12 | 000,001,875 | ---- | C] () -- C:\Users\owner\Desktop\Cloud AV 2012.lnk
[2011/11/26 01:49:41 | 000,000,384 | ---- | C] () -- C:\Windows\tasks\At1.job
[2011/11/26 01:46:35 | 000,284,160 | ---- | C] () -- C:\Users\owner\AppData\Roaming\iexplore.exe
[2011/11/26 01:45:43 | 000,001,207 | ---- | C] () -- C:\Users\owner\AppData\Roaming\ahst.lni
[2011/11/26 01:45:07 | 000,284,160 | ---- | C] () -- C:\Users\owner\AppData\Roaming\dwme.exe
[2011/08/25 16:02:28 | 000,000,947 | ---- | C] () -- C:\Users\owner\AppData\Roaming\QwestConsumer.exe
[2011/04/30 22:02:38 | 000,001,854 | ---- | C] () -- C:\Users\owner\AppData\Roaming\GhostObjGAFix.xml
[2011/04/23 02:12:25 | 000,008,904 | -HS- | C] () -- C:\ProgramData\i7j6mq22mht3ey16q0i52200mb67457w541ko0
[2011/04/23 02:12:25 | 000,008,888 | -HS- | C] () -- C:\Users\owner\AppData\Local\i7j6mq22mht3ey16q0i52200mb67457w541ko0
[2010/12/13 03:05:06 | 000,030,424 | ---- | C] () -- C:\Windows\SysWow64\wrLZMA.dll
[2010/08/25 19:34:30 | 000,982,240 | ---- | C] () -- C:\Windows\SysWow64\igkrng500.bin
[2010/08/25 19:34:30 | 000,439,308 | ---- | C] () -- C:\Windows\SysWow64\igcompkrng500.bin
[2010/08/25 19:34:30 | 000,092,356 | ---- | C] () -- C:\Windows\SysWow64\igfcg500m.bin
[2010/08/25 18:52:00 | 000,208,896 | ---- | C] () -- C:\Windows\SysWow64\iglhsip32.dll
[2010/08/25 18:52:00 | 000,143,360 | ---- | C] () -- C:\Windows\SysWow64\iglhcp32.dll
[2010/02/15 18:47:22 | 000,000,000 | ---- | C] () -- C:\Users\owner\AppData\Roaming\wklnhst.dat
[2010/01/22 11:24:30 | 000,000,333 | ---- | C] () -- C:\Windows\SysWow64\RStoneLog2.ini
[2010/01/22 11:24:30 | 000,000,274 | ---- | C] () -- C:\Windows\SysWow64\RStoneLog.ini
[2009/09/29 14:25:16 | 000,013,312 | ---- | C] () -- C:\Windows\LPRES.DLL
[2009/08/13 14:51:30 | 000,134,592 | ---- | C] () -- C:\Windows\SysWow64\igfcg500.bin
[2009/07/13 21:38:36 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/13 18:35:51 | 000,000,741 | ---- | C] () -- C:\Windows\SysWow64\NOISE.DAT
[2009/07/13 18:34:42 | 000,215,943 | ---- | C] () -- C:\Windows\SysWow64\dssec.dat
[2009/07/13 16:10:29 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 15:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 13:59:36 | 001,498,564 | ---- | C] () -- C:\Windows\SysWow64\igkrng400.bin
[2009/07/13 13:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/06/10 13:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat

========== LOP Check ==========

[2011/11/27 00:32:44 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\24F2E
[2011/11/27 08:34:10 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\7CE24
[2011/11/26 01:45:40 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\blPNDmJ6dlyuSma
[2011/11/26 01:45:43 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\dfRqA23GsTCt
[2011/11/26 19:51:51 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\FjUVelIBtPyAuDo
[2011/11/26 19:51:50 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\l4pmH5sQJdKgZhX
[2011/11/27 00:32:07 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\oO0Sns9Zkxn78hw
[2011/11/27 08:27:28 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\pG55aQH6dK7fLgX
[2011/11/27 08:27:36 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\PjYYCekIVzONx0c
[2011/11/26 01:45:03 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\qA0uvSiVx
[2011/11/27 00:32:08 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\rUVrlOBtx0c1
[2011/11/26 01:45:01 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\S8fRZhTXwUeIrPy
[2010/02/15 18:47:22 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\Template
[2010/06/02 12:55:42 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\Tific
[2011/11/26 01:45:07 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\wRhyi56fTY
[2011/11/26 01:50:05 | 000,000,384 | ---- | M] () -- C:\Windows\Tasks\At1.job
[2011/01/04 14:01:56 | 000,032,626 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU(27).TXT
[2011/07/25 22:12:42 | 000,032,562 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >

#2
RKinner

    Malware Expert

  • Expert
  • 24,598 posts
  • MVP
Copy the text in the code box by highlighting it and pressing Ctrl + C.


:processes
killallprocesses

:OTL
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\Program Files (x86)\Crawler\Toolbar\ctbr.dll (Crawler.com)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll ()
O2 - BHO: (Ask.com Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask.com)
O2 - BHO: (no name) - MRI_DISABLED - No CLSID value found.
O3 - HKLM\..\Toolbar: (&Crawler Toolbar) - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\Program Files (x86)\Crawler\Toolbar\ctbr.dll (Crawler.com)
O3 - HKLM\..\Toolbar: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll ()
O3 - HKLM\..\Toolbar: (Ask.com Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask.com)
O3 - HKCU\..\Toolbar\WebBrowser: (&Crawler Toolbar) - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\Program Files (x86)\Crawler\Toolbar\ctbr.dll (Crawler.com)
O3 - HKCU\..\Toolbar\WebBrowser: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Ask.com Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask.com)
O3 - HKCU\..\Toolbar\WebBrowser: (&Inbox Toolbar) - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\Program Files (x86)\Inbox Toolbar\Inbox.dll (Inbox.com, Inc.)
O4 - HKLM..\Run: [62D.exe] C:\Program Files (x86)\LP\8C27\62D.exe ()
O4 - HKCU..\Run: [62D.exe] C:\Users\owner\AppData\Roaming\Microsoft\8C27\62D.exe ()
O4 - HKCU..\Run: [limewire plus+] "C:\Program Files (x86)\Limewire Plus+\limewire.exe" -h File not found
O4 - HKCU..\Run: [mE0Sb34JLgqYwUl8234A] C:\Users\owner\AppData\Roaming\qA0uvSiVx\Cloud AV 2012v121.exe (Microsoft Corporation)
O4 - HKCU..\Run: [qItxuGWELZYOtiD] C:\Users\owner\AppData\Roaming\dwme.exe ()
F3:64bit: - HKCU WinNT: Load - (C:\Users\owner\AppData\Roaming\24F2E\lvvm.exe) - File not found
F3 - HKCU WinNT: Load - (C:\Users\owner\AppData\Roaming\24F2E\lvvm.exe) - File not found
O8:64bit: - Extra context menu item: Crawler Search - tbr:iemenu File not found
O8 - Extra context menu item: Crawler Search - tbr:iemenu File not found
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_15)
O18 - Protocol\Handler\inbox {37540F19-DD4C-478B-B2DF-C19281BCAF27} - C:\Program Files (x86)\Inbox Toolbar\Inbox.dll (Inbox.com, Inc.)
O18 - Protocol\Handler\tbr {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\Program Files (x86)\Crawler\Toolbar\ctbr.dll (Crawler.com)
O20 - HKCU Winlogon: Shell - (C:\Users\owner\AppData\Roaming\7CE24\8816D.exe) -C:\Users\owner\AppData\Roaming\7CE24\8816D.exe ()
[2011/11/27 08:27:28 | 000,000,000 | ---D | C] -- C:\Users\owner\AppData\Roaming\PjYYCekIVzONx0c
[2011/11/27 08:27:28 | 000,000,000 | ---D | C] -- C:\Users\owner\AppData\Roaming\pG55aQH6dK7fLgX
[2011/11/27 00:32:08 | 000,000,000 | ---D | C] -- C:\Users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Cloud AV 2012
[2011/11/27 00:32:07 | 000,000,000 | ---D | C] -- C:\Users\owner\AppData\Roaming\rUVrlOBtx0c1
[2011/11/27 00:32:07 | 000,000,000 | ---D | C] -- C:\Users\owner\AppData\Roaming\oO0Sns9Zkxn78hw
[2011/11/26 19:51:50 | 000,000,000 | ---D | C] -- C:\Users\owner\AppData\Roaming\l4pmH5sQJdKgZhX
[2011/11/26 19:51:50 | 000,000,000 | ---D | C] -- C:\Users\owner\AppData\Roaming\FjUVelIBtPyAuDo
[2011/11/26 19:51:41 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\24F2E
[2011/11/26 01:49:33 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\LP
[2011/11/26 01:45:42 | 000,000,000 | ---D | C] -- C:\Users\owner\AppData\Roaming\dfRqA23GsTCt
[2011/11/26 01:45:40 | 000,000,000 | ---D | C] -- C:\Users\owner\AppData\Roaming\blPNDmJ6dlyuSma
[2011/11/26 01:45:31 | 000,000,000 | ---D | C] -- C:\Users\owner\AppData\Roaming\24F2E
[2011/11/26 01:45:16 | 000,000,000 | ---D | C] -- C:\Users\owner\AppData\Roaming\7CE24
[2011/11/26 01:45:07 | 000,000,000 | ---D | C] -- C:\Users\owner\AppData\Roaming\wRhyi56fTY
[2011/11/26 01:45:03 | 000,000,000 | ---D | C] -- C:\Users\owner\AppData\Roaming\qA0uvSiVx
[2011/11/26 01:45:01 | 000,000,000 | ---D | C] -- C:\Users\owner\AppData\Roaming\S8fRZhTXwUeIrPy
[2011/04/23 00:55:33 | 000,586,752 | -HS- | C] (Microsoft Corporation) -- C:\Users\owner\AppData\Local\cje.exe
[2011/11/27 08:27:38 | 000,001,875 | ---- | M] () -- C:\Users\owner\Desktop\Cloud AV 2012.lnk
[2011/11/26 01:50:05 | 000,000,384 | ---- | M] () -- C:\Windows\tasks\At1.job
[2011/11/26 01:49:25 | 000,284,160 | ---- | M] () -- C:\Users\owner\AppData\Roaming\iexplore.exe
[2011/11/26 01:45:44 | 000,001,207 | ---- | M] () -- C:\Users\owner\AppData\Roaming\ahst.lni
[2011/11/26 01:45:07 | 000,284,160 | ---- | M] () -- C:\Users\owner\AppData\Roaming\dwme.exe
[2011/11/27 00:32:12 | 000,001,875 | ---- | C] () -- C:\Users\owner\Desktop\Cloud AV 2012.lnk
[2011/11/26 01:49:41 | 000,000,384 | ---- | C] () -- C:\Windows\tasks\At1.job
[2011/11/26 01:46:35 | 000,284,160 | ---- | C] () -- C:\Users\owner\AppData\Roaming\iexplore.exe
[2011/11/26 01:45:43 | 000,001,207 | ---- | C] () -- C:\Users\owner\AppData\Roaming\ahst.lni
[2011/11/26 01:45:07 | 000,284,160 | ---- | C] () -- C:\Users\owner\AppData\Roaming\dwme.exe
[2011/04/23 02:12:25 | 000,008,904 | -HS- | C] () -- C:\ProgramData\i7j6mq22mht3ey16q0i52200mb67457w541ko0
[2011/04/23 02:12:25 | 000,008,888 | -HS- | C] () -- C:\Users\owner\AppData\Local\i7j6mq22mht3ey16q0i52200mb67457w541ko0
[2011/11/27 00:32:44 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\24F2E
[2011/11/27 08:34:10 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\7CE24
[2011/11/26 01:45:40 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\blPNDmJ6dlyuSma
[2011/11/26 01:45:43 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\dfRqA23GsTCt
[2011/11/26 19:51:51 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\FjUVelIBtPyAuDo
[2011/11/26 19:51:50 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\l4pmH5sQJdKgZhX
[2011/11/27 00:32:07 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\oO0Sns9Zkxn78hw
[2011/11/27 08:27:28 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\pG55aQH6dK7fLgX
[2011/11/27 08:27:36 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\PjYYCekIVzONx0c
[2011/11/26 01:45:03 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\qA0uvSiVx
[2011/11/27 00:32:08 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\rUVrlOBtx0c1
[2011/11/26 01:45:01 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\S8fRZhTXwUeIrPy
[2010/02/15 18:47:22 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\Template
[2010/06/02 12:55:42 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\Tific
[2011/11/26 01:45:07 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\wRhyi56fTY
[2011/11/26 01:50:05 | 000,000,384 | ---- | M] () -- C:\Windows\Tasks\At1.job
[2011/01/04 14:01:56 | 000,032,626 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU(27).TXT

:files
xcopy %Temp%\smtmp\1 "%AllUsersProfile%\Start Menu" /H /I /S /Y /C
xcopy %Temp%\smtmp\2 "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch" /H /I /S /Y /C
xcopy %Temp%\smtmp\3 "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" /H /I /S /Y /C
xcopy %Temp%\smtmp\4 "%AllUsersProfile%\Desktop" /H /I /S /Y /C
C:\Windows\Tasks\At*.job
C:\Users\owner\AppData\Roaming\*.exe
    
:Commands
[RESETHOSTS]
[EMPTYJAVA]
[purity]
[Reboot]


Then right-click on OTL and select Run As Administrator to start. Under the Custom Scans/Fixes box at the bottom, paste (Ctrl + V) the text. Verify that you got it all and then click the RUN FIX button (NOT THE QUICK SCAN button!) at the top.
Let the program run unhindered, OTL will reboot the PC when it is done.

Save the log it creates and copy and paste it into your next reply. If it hangs then cancel it and try it again without the following two lines:

:processes
killallprocesses


If one of the following will not run then just skip to the next one then go back and try the things that wouldn't run again after finishing the others.

Malwarebytes' Anti-Malware
:!: If you have a previous version of MalwareBytes', remove it via Add or Remove Programs and download a fresh copy. :!:

http://www.malwarebytes.org/mbam.php

SAVE Malwarebytes' Anti-Malware to your desktop.

Rightclick on Malwarebytes' Anti-Malware and select Run As Administrator and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.

* Once the program has loaded, select Perform Quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.
* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here.



ComboFix

:!: It must be saved to your desktop; do not run it from your browser. :!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Save this file -- to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Rightclick on ComboFix and select Run As Administrator to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.


Download TDSSKiller:
http://support.kaspe.../tdsskiller.exe
Save it to your desktop, then right-click it and Run as Administrator.

If TDSSKiller alerts you that the system needs to reboot, please consent.
When done, a log file named "TDSSKiller.txt" should be created on your C: drive; please copy and paste the contents in your next reply.


Download aswMBR.exe ( 511KB ) to your desktop.
Right-click aswMBR.exe and Run as Administrator.

Change the a-v scan to None.
Uncheck trace disk IO calls.
Click the "Scan" button to start the scan.
On completion of the scan (note whether the Fix button is enabled (not the FixMBR button) and tell me), click Save log, save it to your desktop and post it in your next reply.


Run OTL (Vista or Win 7 => right click and Run As Administrator)

select the All option in the Extra Registry group then Run Scan.

You should get two logs. Please copy and paste both of them.


Right click on (My) Computer and select Manage (Continue) Then the Event Viewer. Next select Windows Logs. Right click on System and Clear Log, Clear. Repeat for Application. Reboot.


Start, All Programs, Accessories then right click on Command Prompt and Run as Administrator. Then type (with an Enter after each line).

sfc /scannow

(SPACE after sfc. This will check your critical system files. If it asks for a CD and you don't have one or it doesn't like your CD just tell it to SKIP.)




1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop.
2. Right-click VEW.exe and Run As Administrator
3. Under 'Select log to query', select:

* System
4. Under 'Select type to list', select:
* Error
* Warning


Then use the 'Number of events' as follows:


1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.


Please post the Output log in your next reply then repeat but select Application.

Ron
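Reading an OTL report by hand is the slow part of the process above. As an added example (not code from OTL, OldTimer, or anyone in this thread), the Python script below parses the OTL file, folder, O4, O20 and F3 lines and flags the persistence traits the fix script targets: executables and random-named folders under AppData, an anonymous At*.job task, and a Winlogon Shell value pointing into the user profile. The sample lines are copied from the report in this thread; the "random name" heuristic is my own assumption, not an OTL rule.

```python
import re

# Constructed sample: lines copied from the OTL report and fix script in this thread.
SAMPLE_OTL = r"""
[2011/11/26 01:46:35 | 000,284,160 | ---- | C] () -- C:\Users\owner\AppData\Roaming\iexplore.exe
[2011/04/23 00:55:33 | 000,586,752 | -HS- | C] (Microsoft Corporation) -- C:\Users\owner\AppData\Local\cje.exe
[2011/11/26 01:45:03 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\qA0uvSiVx
[2011/11/26 19:51:51 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\FjUVelIBtPyAuDo
[2010/02/15 18:47:22 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\Template
[2011/11/26 01:49:41 | 000,000,384 | ---- | C] () -- C:\Windows\tasks\At1.job
O4 - HKCU..\Run: [mE0Sb34JLgqYwUl8234A] C:\Users\owner\AppData\Roaming\qA0uvSiVx\Cloud AV 2012v121.exe (Microsoft Corporation)
O4 - HKCU..\Run: [limewire plus+] "C:\Program Files (x86)\Limewire Plus+\limewire.exe" -h File not found
O20 - HKCU Winlogon: Shell - (C:\Users\owner\AppData\Roaming\7CE24\8816D.exe) -C:\Users\owner\AppData\Roaming\7CE24\8816D.exe ()
"""

# OTL file line: [timestamp | size | attributes | C/M] (company) -- path
FILE_RE = re.compile(
    r"^\[[^|]+\|\s*[\d,]+\s*\|\s*(?P<attr>[-A-Z]{4})\s*\|\s*[CM]\]"
    r"\s*(?:\([^)]*\)\s*)?--\s*(?P<path>.+?)\s*$")
EXE_RE = re.compile(r"[a-z]:\\.+?\.exe", re.IGNORECASE)
PROFILE_RE = re.compile(r"\\appdata\\(roaming|local)\\", re.IGNORECASE)
AT_JOB_RE = re.compile(r"\\tasks\\at\d+\.job$", re.IGNORECASE)

def looks_random(name):
    """Heuristic (my assumption, not OTL's) for throw-away folder names like qA0uvSiVx."""
    if re.fullmatch(r"[0-9A-F]{5}", name):            # short hex names such as 24F2E, 7CE24
        return True
    letters = [c for c in name if c.isalpha()]
    if len(name) < 8 or len(letters) < 4:
        return False
    flips = sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    mixed = any(c.isupper() for c in letters[1:]) and any(c.islower() for c in letters)
    has_digit = any(c.isdigit() for c in name)
    return (has_digit and mixed) or flips / len(letters) >= 0.5

def triage(otl_text):
    """Return (reason, path) pairs for OTL entries that deserve a second look."""
    findings = []
    for line in otl_text.splitlines():
        m = FILE_RE.match(line)
        if m:
            path, attr = m.group("path"), m.group("attr")
            base = path.rsplit("\\", 1)[-1]
            in_profile = bool(PROFILE_RE.search(path))
            if attr.endswith("D"):                      # directory entry
                if in_profile and looks_random(base):
                    findings.append(("random-named profile folder", path))
            elif in_profile and base.lower().endswith(".exe"):
                findings.append(("executable dropped in profile", path))
            elif AT_JOB_RE.search(path):                # At1.job-style anonymous task
                findings.append(("anonymous At scheduled task", path))
        elif line.startswith(("O4 ", "O20 ", "F3")):    # Run keys, Winlogon Shell, WinNT Load
            exe = EXE_RE.search(line)
            if exe and PROFILE_RE.search(exe.group(0)):
                kind = "Winlogon Shell hijack" if line.startswith("O20") else "autorun from profile"
                findings.append((kind, exe.group(0)))
    return findings
```

Run `triage()` over a full OTL log and everything it flags should line up with the entries the fix script above removes; the limewire entry and the Template folder are left alone because they live outside the profile or have ordinary names.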

#3
Jacob0812

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Ron, you say after running OTL to save the log it creates and copy and paste it into your next reply? What does that mean exactly?

Like my reply on here? Or is reply a term I don't understand?

I ran the first part. Are you saying I should download Malwarebytes' Anti-Malware as well as ComboFix and TDSSKiller?

I am trying to make sure I do everything you are asking/telling me to do. I am not a super computer-literate person, but understood the first part enough to start the OTL thing. I wanted to know what the next steps are, as well as what you mean when you say next reply. Do you mean when I reply on geekstogo to you, or is there an actual reply action?

- Jacob

#4
RKinner

    Malware Expert

  • Expert
  • 24,598 posts
  • MVP
Yes. Copy and Paste it into the next Reply you make to this thread. (This first log is not so critical. I just want to make sure it ran correctly so if you didn't catch the log that's OK. Just go on.)

Yes we need to download, save to your desktop, and run all of the programs. Each one will create a log and I will need to copy and paste each log into a reply. Doesn't matter if it is one reply or many. There will probably be more programs later on depending on what the first scans find.

#5
Jacob0812

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
OK so, I did the first step, but then when I logged my wife's comp off after, it came back on but isn't logging straight into the wireless router we have the way it did. Like it is offering no internet. Is any of that connected, or is that a separate thing? If it got knocked out because of any of this, how do I get it back to resume the work?

#6
Jacob0812

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
My wife's laptop is a CQ60-615DX Notebook. It is Intel Celeron inside a Windows 7.

#7
Jacob0812

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
I actually figured out the internet part. Hahaha. Just had to hit a button, lol.

#8
RKinner

    Malware Expert

  • Expert
  • 24,598 posts
  • MVP
Good. Continue with the other scans.