
DOS\Alureon.e



#1
Nickod

    New Member

  • Member
  • 1 posts
I got this virus a while ago and have asked how to fix it at the Microsoft Answers site, and the answers didn't help me at all, including a fresh reinstall. I did reinstall my Windows 7, but it backed up a lot of my data, and the virus was still on the system. I had to reinstall once because the virus stopped me from starting up. So now I'm on my new installation and still infected.

Here's my Microsoft Answers stuff. My link

Along with the DOS\Alureon.e, I also have the Rootkit.boot.SST.B

Here's my OTL; if anything else is needed, just ask. From Bleeping Computer I also have a DDS.txt and an attach.txt, if needed.


OTL logfile created on: 11/29/2011 7:41:57 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\Michael Nicodemus\Downloads
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.84 Gb Total Physical Memory | 2.42 Gb Available Physical Memory | 62.85% Memory free
7.68 Gb Paging File | 6.11 Gb Available in Paging File | 79.55% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 290.09 Gb Total Space | 140.84 Gb Free Space | 48.55% Space Free | Partition Type: NTFS
Drive D: | 100.00 Mb Total Space | 61.63 Mb Free Space | 61.63% Space Free | Partition Type: NTFS
Drive E: | 3.00 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
Drive F: | 1.31 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive G: | 644.12 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF
Drive H: | 297.44 Gb Total Space | 144.18 Gb Free Space | 48.47% Space Free | Partition Type: NTFS

Computer Name: MICK | User Name: Michael Nicodemus | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/11/29 19:41:10 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Michael Nicodemus\Downloads\OTL.exe


========== Modules (No Company Name) ==========

MOD - [2011/11/15 00:39:54 | 000,420,920 | ---- | M] () -- C:\Users\Michael Nicodemus\AppData\Local\Google\Chrome\Application\15.0.874.121\ppgooglenaclpluginchrome.dll
MOD - [2011/11/15 00:39:53 | 003,702,840 | ---- | M] () -- C:\Users\Michael Nicodemus\AppData\Local\Google\Chrome\Application\15.0.874.121\pdf.dll
MOD - [2011/11/15 00:38:16 | 000,122,952 | ---- | M] () -- C:\Users\Michael Nicodemus\AppData\Local\Google\Chrome\Application\15.0.874.121\avutil-51.dll
MOD - [2011/11/15 00:38:15 | 000,222,280 | ---- | M] () -- C:\Users\Michael Nicodemus\AppData\Local\Google\Chrome\Application\15.0.874.121\avformat-53.dll
MOD - [2011/11/15 00:38:14 | 001,746,504 | ---- | M] () -- C:\Users\Michael Nicodemus\AppData\Local\Google\Chrome\Application\15.0.874.121\avcodec-53.dll
MOD - [2011/11/14 21:36:18 | 008,593,056 | ---- | M] () -- C:\Users\Michael Nicodemus\AppData\Local\Google\Chrome\Application\15.0.874.121\gcswf32.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2011/04/27 17:21:18 | 000,288,272 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe -- (NisSrv)
SRV:64bit: - [2011/04/27 17:21:18 | 000,012,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV:64bit: - [2009/07/13 20:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/06/10 16:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2011/04/27 15:25:24 | 000,084,864 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv)
DRV:64bit: - [2009/07/13 20:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2009/07/13 20:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2009/07/13 20:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 20:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 20:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009/07/13 20:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/13 18:31:10 | 000,109,056 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\sdbus.sys -- (sdbus)
DRV:64bit: - [2009/06/19 21:09:57 | 001,394,688 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\athrx.sys -- (athr)
DRV:64bit: - [2009/06/10 15:37:05 | 006,108,416 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx)
DRV:64bit: - [2009/06/10 15:35:33 | 000,389,120 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\yk62x64.sys -- (yukonw7)
DRV:64bit: - [2009/06/10 15:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 15:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 15:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 15:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2007/08/03 05:35:54 | 000,011,392 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SFEP.sys -- (SFEP)
DRV - [2009/07/13 20:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 13 70 43 69 EE AE CC 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Michael Nicodemus\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Michael Nicodemus\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)



========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\Michael Nicodemus\AppData\Local\Google\Chrome\Application\15.0.874.121\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
CHR - plugin: QuickTime Plug-in 7.6.8 (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.6.8 (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.6.8 (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.6.8 (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.6.8 (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.6.8 (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.6.8 (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin7.dll
CHR - plugin: Java Deployment Toolkit 6.0.260.3 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U26 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrl.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\Windows\system32\Adobe\Director\np32dsw.dll
CHR - plugin: Microsoft\u00AE Windows Media Player Firefox Plugin (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\np-mswmp.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\Michael Nicodemus\AppData\Local\Google\Chrome\Application\15.0.874.121\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\Michael Nicodemus\AppData\Local\Google\Chrome\Application\15.0.874.121\pdf.dll
CHR - plugin: NPLastPass (Enabled) = C:\Users\Michael Nicodemus\AppData\Local\Google\Chrome\User Data\Default\Extensions\hdokiejnpimakedhajhdlcegeplioahd\1.75.9_0\nplastpass.dll
CHR - plugin: RIM Handheld Application Loader (Enabled) = C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.3.21.69\npGoogleUpdate3.dll
CHR - plugin: Pando Web Plugin (Enabled) = C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
CHR - plugin: Windows Live\u0099 Photo Gallery (Enabled) = C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
CHR - plugin: Nexon Game Controller (Enabled) = C:\ProgramData\NexonUS\NGM\npNxGameUS.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: LastPass = C:\Users\Michael Nicodemus\AppData\Local\Google\Chrome\User Data\Default\Extensions\hdokiejnpimakedhajhdlcegeplioahd\1.80.3_0\
CHR - Extension: Fantapper = C:\Users\Michael Nicodemus\AppData\Local\Google\Chrome\User Data\Default\Extensions\ohgcjecomkebbohfjgmncelbhogbbokf\1.0.2_1\
CHR - Extension: Fantapper = C:\Users\Michael Nicodemus\AppData\Local\Google\Chrome\User Data\Default\Extensions\ohgcjecomkebbohfjgmncelbhogbbokf\1.0.2_1\.svn\text-base\.svn-base

O1 HOSTS File: ([2009/06/10 16:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O4:64bit: - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) -C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/11/25 14:12:32 | 000,000,000 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2009/07/14 04:29:38 | 000,000,122 | R--- | M] () - E:\autorun.inf -- [ UDF ]
O32 - AutoRun File - [2010/02/21 13:44:43 | 000,027,992 | R--- | M] (magicJack L.P.) - F:\autorun.exe -- [ CDFS ]
O32 - AutoRun File - [2010/02/21 13:44:43 | 000,016,158 | R--- | M] () - F:\autorun.ico -- [ CDFS ]
O32 - AutoRun File - [2010/02/21 13:44:43 | 000,000,308 | R--- | M] () - F:\autorun.inf -- [ CDFS ]
O32 - AutoRun File - [2010/02/21 13:44:43 | 000,682,760 | R--- | M] (magicJack L.P.) - F:\autorunu.exe -- [ CDFS ]
O32 - AutoRun File - [2009/06/18 16:12:18 | 000,000,088 | ---- | M] () - G:\autorun.inf -- [ UDF ]
O33 - MountPoints2\{283017b1-1a9f-11e1-80ba-0024be3aeb21}\Shell - "" = AutoRun
O33 - MountPoints2\{283017b1-1a9f-11e1-80ba-0024be3aeb21}\Shell\AutoRun\command - "" = G:\WD SmartWare.exe -- [2009/10/14 16:28:45 | 003,271,968 | ---- | M] (Western Digital)
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/11/29 19:34:54 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\Macromed
[2011/11/29 19:34:44 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\Macromed
[2011/11/29 19:33:44 | 000,000,000 | -H-D | C] -- C:\Windows\AxInstSV
[2011/11/29 19:07:24 | 000,000,000 | ---D | C] -- C:\Users\Michael Nicodemus\AppData\Roaming\Macromedia
[2011/11/29 19:07:24 | 000,000,000 | ---D | C] -- C:\Users\Michael Nicodemus\AppData\Roaming\Adobe
[2011/11/29 18:58:25 | 000,000,000 | ---D | C] -- C:\Users\Michael Nicodemus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome
[2011/11/29 18:55:49 | 000,000,000 | ---D | C] -- C:\Users\Michael Nicodemus\AppData\Local\Google
[2011/11/29 18:38:10 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Security Client
[2011/11/29 18:38:02 | 000,000,000 | -HSD | C] -- C:\Windows\Installer
[2011/11/29 18:38:02 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2011/11/29 18:20:13 | 000,000,000 | R--D | C] -- C:\Users\Michael Nicodemus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
[2011/11/29 18:20:13 | 000,000,000 | R--D | C] -- C:\Users\Michael Nicodemus\Searches
[2011/11/29 18:20:13 | 000,000,000 | R--D | C] -- C:\Users\Michael Nicodemus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
[2011/11/29 18:20:13 | 000,000,000 | -H-D | C] -- C:\Users\Michael Nicodemus\Application Data\Microsoft\Internet Explorer\Quick Launch\User Pinned
[2011/11/29 18:20:02 | 000,000,000 | ---D | C] -- C:\Users\Michael Nicodemus\AppData\Roaming\Identities
[2011/11/29 18:19:56 | 000,000,000 | R--D | C] -- C:\Users\Michael Nicodemus\Contacts
[2011/11/29 18:19:53 | 000,000,000 | ---D | C] -- C:\Users\Michael Nicodemus\AppData\Local\VirtualStore
[2011/11/29 18:19:26 | 000,000,000 | -HSD | C] -- C:\Users\Michael Nicodemus\AppData\Local\Temporary Internet Files
[2011/11/29 18:19:26 | 000,000,000 | -HSD | C] -- C:\Users\Michael Nicodemus\Templates
[2011/11/29 18:19:26 | 000,000,000 | -HSD | C] -- C:\Users\Michael Nicodemus\Start Menu
[2011/11/29 18:19:26 | 000,000,000 | -HSD | C] -- C:\Users\Michael Nicodemus\SendTo
[2011/11/29 18:19:26 | 000,000,000 | -HSD | C] -- C:\Users\Michael Nicodemus\Recent
[2011/11/29 18:19:26 | 000,000,000 | -HSD | C] -- C:\Users\Michael Nicodemus\PrintHood
[2011/11/29 18:19:26 | 000,000,000 | -HSD | C] -- C:\Users\Michael Nicodemus\NetHood
[2011/11/29 18:19:26 | 000,000,000 | -HSD | C] -- C:\Users\Michael Nicodemus\Documents\My Videos
[2011/11/29 18:19:26 | 000,000,000 | -HSD | C] -- C:\Users\Michael Nicodemus\Documents\My Pictures
[2011/11/29 18:19:26 | 000,000,000 | -HSD | C] -- C:\Users\Michael Nicodemus\Documents\My Music
[2011/11/29 18:19:26 | 000,000,000 | -HSD | C] -- C:\Users\Michael Nicodemus\Local Settings
[2011/11/29 18:19:26 | 000,000,000 | -HSD | C] -- C:\Users\Michael Nicodemus\AppData\Local\History
[2011/11/29 18:19:26 | 000,000,000 | -HSD | C] -- C:\Users\Michael Nicodemus\Cookies
[2011/11/29 18:19:26 | 000,000,000 | -HSD | C] -- C:\Users\Michael Nicodemus\Application Data
[2011/11/29 18:19:26 | 000,000,000 | -HSD | C] -- C:\Users\Michael Nicodemus\AppData\Local\Application Data
[2011/11/29 18:19:25 | 000,000,000 | --SD | C] -- C:\Users\Michael Nicodemus\AppData\Roaming\Microsoft
[2011/11/29 18:19:25 | 000,000,000 | R--D | C] -- C:\Users\Michael Nicodemus\Videos
[2011/11/29 18:19:25 | 000,000,000 | R--D | C] -- C:\Users\Michael Nicodemus\Saved Games
[2011/11/29 18:19:25 | 000,000,000 | R--D | C] -- C:\Users\Michael Nicodemus\Pictures
[2011/11/29 18:19:25 | 000,000,000 | R--D | C] -- C:\Users\Michael Nicodemus\Music
[2011/11/29 18:19:25 | 000,000,000 | R--D | C] -- C:\Users\Michael Nicodemus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
[2011/11/29 18:19:25 | 000,000,000 | R--D | C] -- C:\Users\Michael Nicodemus\Links
[2011/11/29 18:19:25 | 000,000,000 | R--D | C] -- C:\Users\Michael Nicodemus\Favorites
[2011/11/29 18:19:25 | 000,000,000 | R--D | C] -- C:\Users\Michael Nicodemus\Downloads
[2011/11/29 18:19:25 | 000,000,000 | R--D | C] -- C:\Users\Michael Nicodemus\Documents
[2011/11/29 18:19:25 | 000,000,000 | R--D | C] -- C:\Users\Michael Nicodemus\Desktop
[2011/11/29 18:19:25 | 000,000,000 | R--D | C] -- C:\Users\Michael Nicodemus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
[2011/11/29 18:19:25 | 000,000,000 | -HSD | C] -- C:\Users\Michael Nicodemus\My Documents
[2011/11/29 18:19:25 | 000,000,000 | -H-D | C] -- C:\Users\Michael Nicodemus\AppData
[2011/11/29 18:19:25 | 000,000,000 | ---D | C] -- C:\Users\Michael Nicodemus\AppData\Local\Temp
[2011/11/29 18:19:25 | 000,000,000 | ---D | C] -- C:\Users\Michael Nicodemus\AppData\Local\Microsoft
[2011/11/29 18:19:25 | 000,000,000 | ---D | C] -- C:\Users\Michael Nicodemus\AppData\Roaming\Media Center Programs
[2011/11/29 10:18:08 | 000,000,000 | ---D | C] -- C:\Windows\SoftwareDistribution
[2011/11/29 10:15:52 | 000,000,000 | ---D | C] -- C:\Windows\Prefetch
[2011/11/29 10:14:27 | 000,000,000 | ---D | C] -- C:\Windows\Panther
[2011/11/29 09:53:40 | 000,000,000 | ---D | C] -- C:\Windows.old.000
[2011/11/27 18:59:52 | 000,000,000 | -HSD | C] -- C:\found.003
[2011/11/27 18:27:00 | 000,000,000 | -HSD | C] -- C:\Boot
[2011/11/27 18:15:11 | 000,000,000 | ---D | C] -- C:\Windows.old
[2011/11/27 16:42:24 | 000,000,000 | -HSD | C] -- C:\Recovery
[2011/11/26 20:18:37 | 000,000,000 | ---D | C] -- C:\Old
[2011/11/25 14:12:18 | 000,000,000 | ---D | C] -- C:\sh4ldr

========== Files - Modified Within 30 Days ==========

[2011/11/29 19:35:46 | 000,717,260 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2011/11/29 19:35:46 | 000,617,460 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2011/11/29 19:35:46 | 000,104,702 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2011/11/29 19:33:03 | 000,013,584 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/11/29 19:33:03 | 000,013,584 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/11/29 19:29:02 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/11/29 19:28:47 | 3094,622,208 | -HS- | M] () -- C:\hiberfil.sys
[2011/11/29 19:00:04 | 000,000,956 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1792018480-3360126170-1170686554-1001UA.job
[2011/11/29 19:00:04 | 000,000,904 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1792018480-3360126170-1170686554-1001Core.job
[2011/11/29 18:58:39 | 000,002,372 | ---- | M] () -- C:\Users\Michael Nicodemus\Desktop\Google Chrome.lnk
[2011/11/29 18:38:36 | 000,002,154 | ---- | M] () -- C:\Windows\epplauncher.mif
[2011/11/29 18:38:14 | 000,731,106 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2011/11/29 18:27:03 | 000,001,441 | ---- | M] () -- C:\Users\Michael Nicodemus\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/11/29 10:31:57 | 000,274,320 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2011/11/29 10:18:59 | 000,041,962 | ---- | M] () -- C:\Windows\SysWow64\license.rtf
[2011/11/29 10:18:59 | 000,041,962 | ---- | M] () -- C:\Windows\SysNative\license.rtf
[2011/11/29 10:14:14 | 000,008,192 | RHS- | M] () -- C:\BOOTSECT.BAK
[2011/11/25 15:18:05 | 000,099,951 | ---- | M] () -- C:\test.xml
[2011/11/25 14:12:32 | 000,000,000 | ---- | M] () -- C:\autoexec.bat

========== Files Created - No Company Name ==========

[2011/11/29 18:58:39 | 000,002,372 | ---- | C] () -- C:\Users\Michael Nicodemus\Desktop\Google Chrome.lnk
[2011/11/29 18:55:54 | 000,000,956 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1792018480-3360126170-1170686554-1001UA.job
[2011/11/29 18:55:53 | 000,000,904 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1792018480-3360126170-1170686554-1001Core.job
[2011/11/29 18:38:36 | 000,002,154 | ---- | C] () -- C:\Windows\epplauncher.mif
[2011/11/29 18:38:14 | 000,731,106 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2011/11/29 18:38:06 | 000,001,897 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
[2011/11/29 18:27:02 | 000,001,441 | ---- | C] () -- C:\Users\Michael Nicodemus\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/11/29 18:20:19 | 000,001,413 | ---- | C] () -- C:\Users\Michael Nicodemus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
[2011/11/29 18:20:15 | 000,001,447 | ---- | C] () -- C:\Users\Michael Nicodemus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
[2011/11/29 18:19:25 | 000,000,290 | ---- | C] () -- C:\Users\Michael Nicodemus\Application Data\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
[2011/11/29 18:19:25 | 000,000,272 | ---- | C] () -- C:\Users\Michael Nicodemus\Application Data\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk
[2011/11/29 10:18:50 | 000,001,345 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
[2011/11/29 10:18:45 | 000,001,326 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk
[2011/11/27 18:27:03 | 000,008,192 | RHS- | C] () -- C:\BOOTSECT.BAK
[2011/11/27 18:27:00 | 000,383,562 | RHS- | C] () -- C:\bootmgr
[2011/11/25 14:12:32 | 000,000,000 | ---- | C] () -- C:\autoexec.bat
[2009/07/14 00:38:36 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/13 21:35:51 | 000,000,741 | ---- | C] () -- C:\Windows\SysWow64\NOISE.DAT
[2009/07/13 21:34:42 | 000,215,943 | ---- | C] () -- C:\Windows\SysWow64\dssec.dat
[2009/07/13 19:10:29 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 18:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 16:59:36 | 000,982,196 | ---- | C] () -- C:\Windows\SysWow64\igkrng500.bin
[2009/07/13 16:59:36 | 000,139,824 | ---- | C] () -- C:\Windows\SysWow64\igfcg500.bin
[2009/07/13 16:59:36 | 000,097,448 | ---- | C] () -- C:\Windows\SysWow64\igfcg500m.bin
[2009/07/13 16:59:35 | 000,417,344 | ---- | C] () -- C:\Windows\SysWow64\igcompkrng500.bin
[2009/07/13 16:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/06/10 16:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat

========== LOP Check ==========

[2009/07/14 00:08:49 | 000,001,122 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >

Edited by Nickod, 29 November 2011 - 06:51 PM.

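The OTL log above has a fixed per-line format that a helper reads by eye. As an added example (not code from the post, from OTL, or from Geeks to Go), this Python parser turns PRC/MOD/SRV/DRV lines into records and buckets the items usually triaged first: services and drivers with no company name, boot-start drivers, O32 autorun files and O33 MountPoints2 AutoRun commands. The sample lines are copied from the log above except the DRV line naming constructed_example.sys, which is an invented driver added to exercise the no-company rule; the rule is restricted to SRV/DRV because the MOD entries for Chrome's bundled libraries legitimately carry no company name.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the shape of the OTL log above. Lines are copied from the posted
# log, except the DRV line naming constructed_example.sys: that one is invented (no real
# driver) to exercise the "no company name" rule.
SAMPLE_OTL = r"""
DRV:64bit: - [2011/04/27 15:25:24 | 000,084,864 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv)
DRV:64bit: - [2009/07/13 20:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV - [2011/11/20 12:00:00 | 000,031,744 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\constructed_example.sys -- (cnstrex)
MOD - [2011/11/15 00:39:53 | 003,702,840 | ---- | M] () -- C:\Users\Michael Nicodemus\AppData\Local\Google\Chrome\Application\15.0.874.121\pdf.dll
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/11/25 14:12:32 | 000,000,000 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2009/07/14 04:29:38 | 000,000,122 | R--- | M] () - E:\autorun.inf -- [ UDF ]
O32 - AutoRun File - [2010/02/21 13:44:43 | 000,027,992 | R--- | M] (magicJack L.P.) - F:\autorun.exe -- [ CDFS ]
O33 - MountPoints2\{283017b1-1a9f-11e1-80ba-0024be3aeb21}\Shell - "" = AutoRun
O33 - MountPoints2\{283017b1-1a9f-11e1-80ba-0024be3aeb21}\Shell\AutoRun\command - "" = G:\WD SmartWare.exe -- [2009/10/14 16:28:45 | 003,271,968 | ---- | M] (Western Digital)
"""

# PRC/MOD/SRV/DRV lines: "[date | size | attrs | M] (Company) [state] -- path -- (name)".
ENTRY_RE = re.compile(
    r"^(?P<kind>PRC|MOD|SRV|DRV)(?P<x64>:64bit:)? - "
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| [-A-Z]{4} \| [MC]\] "
    r"\((?P<company>[^)]*)\)(?: \[(?P<state>[^\]]+)\])? -- (?P<path>.*?)"
    r"(?: -- \((?P<name>[^)]+)\))?$"
)
# O32 autorun files carry the filesystem of the volume they sit on ("[ UDF ]", "[ CDFS ]").
AUTORUN_FILE_RE = re.compile(
    r"^O32 - AutoRun File - \[[^\]]*\] \((?P<company>[^)]*)\) - (?P<path>.*?) -- \[ (?P<fs>[A-Z]+) \]$"
)
# O33 MountPoints2 entries record what Explorer would run when a volume is opened.
MOUNTPOINT_CMD_RE = re.compile(
    r'^O33 - MountPoints2\\(?P<guid>\{[0-9a-fA-F-]+\})\\Shell\\AutoRun\\command - "" = '
    r"(?P<command>.*?) -- \[[^\]]*\] \((?P<company>[^)]*)\)$"
)


@dataclass
class Entry:
    kind: str              # PRC, MOD, SRV or DRV
    is_64bit: bool
    timestamp: str
    size: int
    company: str           # "" when OTL printed an empty "()"
    state: List[str]       # e.g. ["Kernel", "Boot", "Running"]; empty for PRC/MOD
    path: str
    name: Optional[str]    # service/driver name, None for PRC/MOD


def parse_entries(text: str) -> List[Entry]:
    """Parse every PRC/MOD/SRV/DRV line; other OTL lines are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        state = [s.strip() for s in m.group("state").split("|")] if m.group("state") else []
        entries.append(Entry(
            kind=m.group("kind"), is_64bit=bool(m.group("x64")), timestamp=m.group("ts"),
            size=int(m.group("size").replace(",", "")), company=m.group("company"),
            state=state, path=m.group("path"), name=m.group("name"),
        ))
    return entries


def triage(text: str) -> Dict[str, List[str]]:
    """Bucket the items a helper reads first. Landing in a bucket is not a verdict."""
    report: Dict[str, List[str]] = {
        "drivers_services_no_company": [],   # kernel code OTL could not attribute to a vendor
        "boot_start_drivers": [],            # load before any on-demand security tool
        "autorun_files": [],                 # autorun.inf/exe on mounted volumes
        "mountpoint_autorun_commands": [],   # per-volume AutoRun commands cached in HKCU
    }
    for e in parse_entries(text):
        if e.kind in ("SRV", "DRV") and not e.company:
            report["drivers_services_no_company"].append(e.path)
        if e.kind == "DRV" and "Boot" in e.state:
            report["boot_start_drivers"].append(e.path)
    for line in text.splitlines():
        m = AUTORUN_FILE_RE.match(line.strip())
        if m:
            report["autorun_files"].append(f"{m.group('path')} [{m.group('fs')}]")
            continue
        m = MOUNTPOINT_CMD_RE.match(line.strip())
        if m:
            report["mountpoint_autorun_commands"].append(m.group("command"))
    return report
```

Calling triage() on the full text of a pasted OTL log returns the four buckets; a boot-start driver such as amdxata.sys is listed because of when it loads, not because anything is wrong with it.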


#2
RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
ComboFix

It must be saved to your desktop; do not run it from your browser.

Disable your antivirus software when downloading or running ComboFix. If it has script-blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Save this file -- to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Right-click on ComboFix and select Run As Administrator to start the program.



* Important: Have no other programs running. Your Task Bar should be clear of any program entries, including your browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.

A caution: do not run ComboFix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your drive light. If it is flashing, ComboFix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.


Download TDSSKiller:
http://support.kaspe.../tdsskiller.exe
Save it to your desktop, then right-click it and Run as Administrator.

If TDSSKiller alerts you that the system needs to reboot, please consent.
When done, a log file should be created on your C: drive named "TDSSKiller.txt"; please copy and paste the contents in your next reply.


Download aswMBR.exe (511KB) to your desktop.
Right-click aswMBR.exe and Run as Administrator.

Change the AV scan to None.
Uncheck Trace disk IO calls.
Click the "Scan" button to start the scan.
On completion of the scan (note whether the Fix button is enabled, not the FixMBR button, and tell me), click Save log, save it to your desktop and post it in your next reply.


Malwarebytes' Anti-Malware
If you have a previous version of Malwarebytes', remove it via Add or Remove Programs and download a fresh copy.

http://www.malwarebytes.org/mbam.php

SAVE Malwarebytes' Anti-Malware to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.
* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here.




Run OTL (Vista or Win 7 => right-click and Run As Administrator).

Select the All option in the Extra Registry group, then Run Scan.

You should get two logs. Please copy and paste both of them.

Ron