Can you get rid of my Trojan Horses? 29Mar2012 - MF [Solved]

#1 mrfecteau (Member, 17 posts)

While surfing I came across some weird activity on my XP machine. AVG Free instantly notified me and I thought I was OK. A few minutes later everything started to disappear. The same popup repeatedly opened; I do not remember what it said. The Start button, when pressed, basically showed nothing. Initially I ran AVG Free and it took 1 second to scan the whole machine. I did a system restore and ran a full scan in AVG, and it showed nothing, so it seemed things were good with everything back EXCEPT that numerous files had the 'Hidden' attribute checked (they were grayed out on my PC).

Thought I was OK until I started using a search engine and noticed that my links were being hijacked. Instead of going to the real link, I could see when I hovered over a link that it pointed to (for example) http://www.google.com/go?162879578. Heard about Malwarebytes (MWB) and ran a full scan; while that was running, AVG automatically found a trojan horse issue, as did MWB in its scan.

From AVG, I think one of the THs was Generic27; I wish I could remember the other. The AVG Rootkit scan was clean.

MWB had these 4 from the log:
Files Detected: 4
C:\System Volume Information\_restore{F850F5DF-BFD9-456F-BC90-491A2F63CCEF}\RP745\A0111890.exe (Backdoor.Agent.RCGen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F850F5DF-BFD9-456F-BC90-491A2F63CCEF}\RP745\A0111891.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F850F5DF-BFD9-456F-BC90-491A2F63CCEF}\RP745\A0111892.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F850F5DF-BFD9-456F-BC90-491A2F63CCEF}\RP745\A0111893.exe (Trojan.Ransom) -> Quarantined and deleted successfully.

Seems like I am still infected! Current symptoms are files still hidden (I manually fixed many of them already) AND all browser search result links are redirected except a handful of exceptions (I guess they are UBER links :-)).

Found online that the C:\WINDOWS\system32\drivers\etc\hosts file might indicate a TH so I have added the contents below:
# Copyright © 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost

94.63.147.16 www.google.com
94.63.147.17 www.bing.com

Thanks so much in advance.
Mark

--- OTL.txt below ---

OTL logfile created on: 3/30/2012 1:03:37 PM - Run 1
OTL by OldTimer - Version 3.2.39.2 Folder = C:\Documents and Settings\Mark\Desktop\OTL
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.08 Gb Available Physical Memory | 53.95% Memory free
3.85 Gb Paging File | 3.02 Gb Available in Paging File | 78.37% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 9.20 Gb Free Space | 12.34% Space Free | Partition Type: NTFS
Drive G: | 111.76 Gb Total Space | 38.99 Gb Free Space | 34.88% Space Free | Partition Type: FAT32

Computer Name: UPSTAIRS | User Name: Mark | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/03/30 13:02:18 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mark\Desktop\OTL\OTL.exe
PRC - [2012/01/24 18:24:26 | 002,416,480 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgtray.exe
PRC - [2012/01/13 14:53:16 | 000,981,680 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
PRC - [2011/11/28 02:19:04 | 001,229,664 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgnsx.exe
PRC - [2011/10/12 06:25:22 | 004,433,248 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
PRC - [2011/10/10 06:23:34 | 000,973,664 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgemcx.exe
PRC - [2011/09/08 20:53:26 | 000,743,264 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgrsx.exe
PRC - [2011/08/15 06:21:40 | 000,337,760 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgcsrvx.exe
PRC - [2011/08/02 06:09:08 | 000,192,776 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe
PRC - [2010/07/28 17:34:02 | 000,569,752 | ---- | M] (Affinegy, Inc.) -- C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe
PRC - [2010/02/17 18:25:12 | 000,152,064 | ---- | M] () -- C:\Program Files\Belkin\Belkin USB Print and Storage Center\BkBackupScheduler.exe
PRC - [2010/02/09 15:55:52 | 000,049,152 | ---- | M] () -- C:\Program Files\Belkin\Belkin USB Print and Storage Center\Bkapcs.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/12/04 11:57:38 | 000,036,864 | ---- | M] () -- C:\WINDOWS\system32\acs.exe
PRC - [2006/07/21 16:14:36 | 000,086,016 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SoundMan.exe
PRC - [2006/05/04 16:26:36 | 002,808,832 | ---- | M] (RealTek Semicoductor Corp.) -- C:\WINDOWS\alcwzrd.exe
PRC - [2001/05/26 00:56:20 | 000,049,152 | ---- | M] (ScanSoft, Inc) -- C:\Program Files\ScanSoft\OmniPagePro11.0\opware32.exe


========== Modules (No Company Name) ==========

MOD - [2011/07/18 17:04:08 | 000,296,448 | ---- | M] () -- C:\Program Files\Notepad++\NppShell_04.dll
MOD - [2011/06/24 22:56:36 | 000,087,328 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/06/24 22:56:14 | 001,241,888 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2010/02/17 18:25:12 | 000,152,064 | ---- | M] () -- C:\Program Files\Belkin\Belkin USB Print and Storage Center\BkBackupScheduler.exe
MOD - [2010/02/17 18:25:12 | 000,132,096 | ---- | M] () -- C:\Program Files\Belkin\Belkin USB Print and Storage Center\BkLocalBackup.dll
MOD - [2010/02/09 15:55:52 | 000,049,152 | ---- | M] () -- C:\Program Files\Belkin\Belkin USB Print and Storage Center\Bkapcs.exe
MOD - [2009/01/15 09:19:00 | 000,466,944 | ---- | M] () -- C:\WINDOWS\system32\nvshell.dll
MOD - [2008/07/15 22:28:44 | 000,065,536 | R--- | M] () -- C:\WINDOWS\system32\P17.dll
MOD - [2006/12/04 11:57:38 | 000,036,864 | ---- | M] () -- C:\WINDOWS\system32\acs.exe


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
SRV - [2011/10/12 06:25:22 | 004,433,248 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe -- (AVGIDSAgent)
SRV - [2011/08/02 06:09:08 | 000,192,776 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe -- (avgwd)
SRV - [2010/07/28 17:34:02 | 000,569,752 | ---- | M] (Affinegy, Inc.) [Auto | Running] -- C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe -- (AffinegyService)
SRV - [2010/02/17 18:25:12 | 000,152,064 | ---- | M] () [Auto | Running] -- C:\Program Files\Belkin\Belkin USB Print and Storage Center\BkBackupScheduler.exe -- (Belkin Local Backup Service)
SRV - [2010/02/09 15:55:52 | 000,049,152 | ---- | M] () [Auto | Running] -- C:\Program Files\Belkin\Belkin USB Print and Storage Center\Bkapcs.exe -- (Belkin Network USB Helper)
SRV - [2006/12/04 11:57:38 | 000,036,864 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\acs.exe -- (ACS)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\AFGMp50.sys -- (AFGMp50)
DRV - [2011/10/07 06:23:48 | 000,230,608 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2011/10/04 06:21:42 | 000,016,720 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSShim.sys -- (AVGIDSShim)
DRV - [2011/09/13 06:30:10 | 000,032,592 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\avgrkx86.sys -- (Avgrkx86)
DRV - [2011/08/08 06:08:58 | 000,040,016 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2011/07/11 01:14:38 | 000,295,248 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (Avgtdix)
DRV - [2011/07/11 01:14:28 | 000,024,272 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSFilter.sys -- (AVGIDSFilter)
DRV - [2011/07/11 01:14:28 | 000,023,120 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\AVGIDSEH.sys -- (AVGIDSEH)
DRV - [2011/07/11 01:14:26 | 000,134,608 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSDriver.sys -- (AVGIDSDriver)
DRV - [2010/12/07 15:12:24 | 000,025,088 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgandmodem.sys -- (ANDModem)
DRV - [2010/12/07 15:12:24 | 000,020,096 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgandgps.sys -- (AndGps)
DRV - [2010/12/07 15:12:22 | 000,020,736 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lganddiag.sys -- (AndDiag)
DRV - [2010/12/07 15:12:22 | 000,014,336 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgandbus.sys -- (Andbus)
DRV - [2010/06/23 18:12:50 | 000,027,072 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AFGSp50.sys -- (AFGSp50)
DRV - [2010/06/20 16:54:15 | 000,138,384 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PnkBstrK.sys -- (PnkBstrK)
DRV - [2009/06/22 16:50:00 | 000,246,936 | ---- | M] (silex technology, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sxuptp.sys -- (sxuptp)
DRV - [2009/01/23 10:49:08 | 000,037,664 | ---- | M] (RapidSolution Software AG) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tbhsd.sys -- (tbhsd)
DRV - [2008/08/12 04:41:02 | 001,138,176 | R--- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\P17.sys -- (P17)
DRV - [2008/06/04 17:29:10 | 000,673,600 | R--- | M] (VIA - IC Ensemble, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Envy24HF.sys -- (Envy24HFS)
DRV - [2007/10/05 10:19:26 | 000,035,200 | ---- | M] (Saitek) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SaiBus.sys -- (SaiNtBus)
DRV - [2007/10/05 10:19:26 | 000,014,080 | ---- | M] (Saitek) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SaiMini.sys -- (SaiMini)
DRV - [2007/09/25 10:59:46 | 000,015,152 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\MediaCoder\SysInfo.sys -- (CrystalSysInfo)
DRV - [2007/05/01 16:37:40 | 000,132,232 | ---- | M] (Saitek) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SaiH0464.sys -- (SaiH0464)
DRV - [2007/03/01 17:27:26 | 004,484,608 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2006/07/05 05:33:24 | 000,472,000 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\WPN311.sys -- (AR5211)
DRV - [2005/01/10 06:15:30 | 000,106,496 | R--- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2005/01/10 06:15:24 | 000,138,752 | R--- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2003/03/21 13:34:08 | 000,009,856 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2002/04/11 07:20:16 | 000,011,264 | R--- | M] (Hitachi Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\dz2kusb.sys -- (dz2kusb)
DRV - [2002/04/11 07:20:04 | 000,010,496 | R--- | M] (Hitachi Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\dz2kscsi.sys -- (dz2kscsi)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://by156w.bay156...om/default.aspx [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com/
IE - HKCU\..\SearchScopes,DefaultScope = {8867394B-40E1-4E9F-9D92-3A03D425B98C}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...Box&Form=IE8SRC
IE - HKCU\..\SearchScopes\{77852BCC-2D3C-4852-A95B-B14014B28ED3}: "URL" = http://www.google.co...erms}&sa=Search
IE - HKCU\..\SearchScopes\{8867394B-40E1-4E9F-9D92-3A03D425B98C}: "URL" = http://www.google.co...age={startPage}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://my.yahoo.com/...0-00237de33944"
FF - prefs.js..extensions.enabledItems: {CE6E6E3B-84DD-4cac-9F63-8D2AE4F30A4B}:3.2
FF - prefs.js..extensions.enabledItems: {DDC359D1-844A-42a7-9AA1-88A850A938A8}:2.0.1
FF - prefs.js..extensions.enabledItems: {1018e4d6-728f-4b20-ad56-37578a4de76b}:4.1.0
FF - prefs.js..extensions.enabledItems: {0538E3E3-7E9B-4d49-8831-A227C80A7AD3}:2.0.2
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: [email protected]:1.6.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:10.0.0.1178
FF - prefs.js..extensions.enabledItems: {35379F86-8CCB-4724-AE33-4278DE266C70}:1.0.5
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Mark\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Mark\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Documents and Settings\Mark\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF - HKCU\Software\MozillaPlugins\electronicarts.com/GameFacePlugin: C:\Documents and Settings\Mark\Application Data\Electronic Arts\Game Face\npGameFacePlugin.dll (Electronic Arts)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG2012\Firefox4\ [2012/02/01 09:58:30 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/02/02 12:37:03 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/02/04 09:11:44 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 11.0.1\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2011/11/25 08:41:55 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 11.0.1\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\[email protected]: C:\Program Files\AVG\AVG2012\Thunderbird\ [2011/12/23 09:26:52 | 000,000,000 | ---D | M]

[2009/06/26 21:28:04 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Mark\Application Data\Mozilla\Extensions
[2010/12/26 21:07:51 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Mark\Application Data\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2009/06/26 21:28:04 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Mark\Application Data\Mozilla\Extensions\[email protected]
[2012/02/14 11:19:27 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\uvu7lknt.default\extensions
[2011/12/08 08:23:07 | 000,000,000 | ---D | M] (Forecastfox) -- C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\uvu7lknt.default\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}
[2012/01/08 09:43:54 | 000,000,000 | ---D | M] (Flagfox) -- C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\uvu7lknt.default\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}
[2011/12/02 23:45:58 | 000,000,000 | ---D | M] (Garmin Communicator) -- C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\uvu7lknt.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
[2010/04/27 19:48:41 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\uvu7lknt.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/12/25 09:01:45 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\uvu7lknt.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2009/01/29 21:01:03 | 000,001,620 | -H-- | M] () -- C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\uvu7lknt.default\searchplugins\mozilla-add-ons.xml
[2012/01/08 09:43:46 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
() (No name found) -- C:\DOCUMENTS AND SETTINGS\MARK\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\UVU7LKNT.DEFAULT\EXTENSIONS\{CE6E6E3B-84DD-4CAC-9F63-8D2AE4F30A4B}.XPI
() (No name found) -- C:\DOCUMENTS AND SETTINGS\MARK\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\UVU7LKNT.DEFAULT\EXTENSIONS\{DDC359D1-844A-42A7-9AA1-88A850A938A8}.XPI
() (No name found) -- C:\DOCUMENTS AND SETTINGS\MARK\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\UVU7LKNT.DEFAULT\EXTENSIONS\[email protected]
[2012/02/01 09:58:30 | 000,000,000 | ---D | M] (AVG Safe Search) -- C:\PROGRAM FILES\AVG\AVG2012\FIREFOX4
[2010/04/16 22:58:05 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2012/02/02 12:37:01 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/10/03 05:06:04 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011/03/22 14:38:12 | 000,012,800 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files\mozilla firefox\plugins\npwachk.dll
[2011/10/01 20:08:38 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/11/10 15:37:47 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Shockwave Flash (Disabled) = C:\Documents and Settings\Mark\Local Settings\Application Data\Google\Chrome\User Data\PepperFlash\11.1.31.203\pepflashplayer.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\Mark\Local Settings\Application Data\Google\Chrome\Application\17.0.963.83\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Documents and Settings\Mark\Local Settings\Application Data\Google\Chrome\Application\17.0.963.83\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Disabled) = C:\Documents and Settings\Mark\Local Settings\Application Data\Google\Chrome\Application\17.0.963.83\pdf.dll
CHR - plugin: AVG Internet Security (Enabled) = C:\Documents and Settings\Mark\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\12.0.0.1901_0\plugins/avgnpss.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.290.11 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U29 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Microsoft\u00AE Windows Media Player Firefox Plugin (Enabled) = C:\Program Files\Mozilla Firefox\plugins\np-mswmp.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\Program Files\Mozilla Firefox\plugins\np32dsw.dll
CHR - plugin: Windows Genuine Advantage (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npLegitCheckPlugin.dll
CHR - plugin: 2007 Microsoft Office system (Enabled) = C:\Program Files\Mozilla Firefox\plugins\NPOFF12.DLL
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
CHR - plugin: Winamp Application Detector (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npwachk.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Game Face Plugin (Enabled) = C:\Documents and Settings\Mark\Application Data\Electronic Arts\Game Face\npGameFacePlugin.dll
CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\Mark\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: Unity Player (Enabled) = C:\Documents and Settings\Mark\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll
CHR - plugin: Picasa (Enabled) = C:\Program Files\Google\Picasa3\npPicasa3.dll
CHR - plugin: Silverlight Plug-In (Enabled) = C:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: Angry Birds = C:\Documents and Settings\Mark\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aknpkdffaafgjchaibgeefbgmgeghloj\1.1.2.1_0\
CHR - Extension: AVG Safe Search = C:\Documents and Settings\Mark\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\12.0.0.1901_0\

O1 HOSTS File: ([2012/03/29 09:57:29 | 000,000,882 | RH-- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 94.63.147.16 www.google.com
O1 - Hosts: 94.63.147.17 www.bing.com
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {71AAABE5-1F0F-11D7-BD6F-004854603DCE} - No CLSID value found.
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AlcWzrd] C:\WINDOWS\alcwzrd.exe (RealTek Semicoductor Corp.)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [EnvyHFCPL] C:\Program Files\VIA\VIAudioi\EnvyADeck\EnMixCPL.exe 1 File not found
O4 - HKLM..\Run: [InstaLAN] C:\Program Files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe (Affinegy, Inc.)
O4 - HKLM..\Run: [LanguageShortcut] C:\Program Files\CyberLink\PowerDVD\Language\Language.exe ()
O4 - HKLM..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent File not found
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPagePro11.0\opware32.exe (ScanSoft, Inc)
O4 - HKLM..\Run: [P17Helper] C:\WINDOWS\System32\P17.dll ()
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SoundMan.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" File not found
O4 - HKCU..\Run: [SetDefaultMIDI] C:\WINDOWS\MIDIDEF.EXE (Creative Technology Ltd)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_29.dll (Sun Microsystems, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} http://www.nvidia.co.../sysreqlab3.cab (System Requirements Lab Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} http://www.live365.c...ers/play365.cab (Live365Player Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F4835CCB-39E2-4A5B-94CD-8172E1136FBF}: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Mark\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Mark\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/10/03 18:43:57 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2002/10/17 09:56:50 | 000,000,036 | RH-- | M] () - G:\autorun.inf -- [ FAT32 ]
O32 - AutoRun File - [2002/10/28 13:03:12 | 000,000,000 | RH-D | M] - G:\autorun -- [ FAT32 ]
O33 - MountPoints2\{220effba-6a7a-11de-9ab6-001111f16027}\Shell\AutoRun\command - "" = G:\rcaeasyrip_setup.exe
O33 - MountPoints2\{220effba-6a7a-11de-9ab6-001111f16027}\Shell\install\command - "" = G:\rcaeasyrip_setup.exe
O33 - MountPoints2\{220effba-6a7a-11de-9ab6-001111f16027}\Shell\usermanualEnglish\command - "" = G:\rcaeasyrip_setup.exe /pdf_English
O33 - MountPoints2\{220effba-6a7a-11de-9ab6-001111f16027}\Shell\usermanualFrench\command - "" = G:\rcaeasyrip_setup.exe /pdf_French
O33 - MountPoints2\{220effba-6a7a-11de-9ab6-001111f16027}\Shell\usermanualSpanish\command - "" = G:\rcaeasyrip_setup.exe /pdf_Spanish
O33 - MountPoints2\{4093d6be-5a36-11df-994c-001111f16027}\Shell\AutoRun\command - "" = H:\DPF_V211.exe
O33 - MountPoints2\{e422119a-e389-11de-98fd-001111f16027}\Shell - "" = AutoRun
O33 - MountPoints2\{e422119a-e389-11de-98fd-001111f16027}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{e422119a-e389-11de-98fd-001111f16027}\Shell\AutoRun\command - "" = G:\DigitalPhotoViewer.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/03/30 13:02:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mark\Desktop\OTL
[2012/03/30 10:51:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/03/29 11:23:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mark\Application Data\Malwarebytes
[2012/03/29 11:23:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2012/03/29 11:23:24 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/03/29 11:23:24 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/03/29 11:22:39 | 009,502,424 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Mark\Desktop\mbam--setup-1.60.1.1000.exe
[2012/03/29 11:16:49 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Mark\Recent
[2012/03/29 08:03:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mark\Desktop\Golf 2012
[2012/03/26 11:29:36 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Mark\Desktop\.picasaoriginals
[2012/03/08 10:02:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\iTunes
[2012/03/08 10:01:11 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2012/03/08 10:01:06 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2012/03/08 09:54:51 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/03/30 12:58:02 | 000,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-115176313-725345543-1004UA.job
[2012/03/30 12:58:01 | 000,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-115176313-725345543-1004Core.job
[2012/03/30 12:15:07 | 000,197,792 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2012/03/30 10:53:11 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/03/30 08:06:29 | 093,113,804 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2012/03/29 17:47:01 | 000,298,088 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\iavichjg.avm
[2012/03/29 11:22:51 | 009,502,424 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Mark\Desktop\mbam--setup-1.60.1.1000.exe
[2012/03/29 11:19:54 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/03/29 11:03:11 | 000,000,200 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\-gpKdkXGEfqtSyLr
[2012/03/29 11:03:11 | 000,000,000 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\-gpKdkXGEfqtSyL
[2012/03/29 11:03:08 | 000,000,256 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\gpKdkXGEfqtSyL
[2012/03/27 13:01:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/03/26 11:29:36 | 000,911,217 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\Adria and Griffin.jpeg
[2012/03/19 20:03:44 | 000,155,831 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\YMCA Spring Volleyball Photo Day Sch - March 24.pdf
[2012/03/15 01:00:00 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\OptimizeDaily.job
[2012/03/14 09:08:36 | 000,216,856 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/03/14 08:50:12 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/03/12 07:37:05 | 000,494,004 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/03/12 07:37:04 | 000,084,548 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/03/11 03:00:00 | 000,000,354 | ---- | M] () -- C:\WINDOWS\tasks\OptimizeWeekly.job
[2012/03/09 09:19:15 | 000,490,327 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\Dental Receipt 20120229 Mark Fecteau.pdf
[2012/03/08 10:02:16 | 000,001,542 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2012/03/02 21:23:48 | 000,002,533 | ---- | M] () -- C:\Documents and Settings\Mark\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Word 2007.lnk
[2012/03/01 09:41:18 | 000,027,195 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\U9-12 Spring 2012 YMCA Vball Schedule.pdf
[2012/03/01 01:00:00 | 000,000,356 | ---- | M] () -- C:\WINDOWS\tasks\OptimizeMonthly.job
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]

========== Files Created - No Company Name ==========

[2049/12/31 17:00:00 | 000,623,844 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\BreakthroughDrills.pdf
[2049/12/31 17:00:00 | 000,491,449 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\BreakthroughPlays.pdf
[2012/03/30 08:14:17 | 000,024,705 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\Copy of L05 78133(1).pdf
[2012/03/29 11:03:11 | 000,000,200 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\-gpKdkXGEfqtSyLr
[2012/03/29 11:03:11 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\-gpKdkXGEfqtSyL
[2012/03/29 11:03:08 | 000,000,256 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\gpKdkXGEfqtSyL
[2012/03/26 11:29:36 | 000,911,217 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\Adria and Griffin.jpeg
[2012/03/19 20:03:43 | 000,155,831 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\YMCA Spring Volleyball Photo Day Sch - March 24.pdf
[2012/03/09 09:19:15 | 000,490,327 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\Dental Receipt 20120229 Mark Fecteau.pdf
[2012/03/08 10:02:16 | 000,001,542 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2012/03/01 09:41:18 | 000,027,195 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\U9-12 Spring 2012 YMCA Vball Schedule.pdf
[2012/02/25 12:41:15 | 000,000,028 | ---- | C] () -- C:\WINDOWS\pdf995.ini
[2012/02/25 12:37:56 | 000,051,716 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll
[2012/02/25 12:37:56 | 000,000,142 | ---- | C] () -- C:\WINDOWS\wpd99.drv
[2012/02/15 18:16:11 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/08/29 09:51:29 | 000,000,008 | ---- | C] () -- C:\WINDOWS\System32\nvModes.dat
[2011/08/14 22:01:28 | 000,421,260 | -H-- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-1409082233-115176313-725345543-1004-0.dat
[2011/08/14 22:01:28 | 000,228,570 | -H-- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2011/03/29 19:24:07 | 000,048,004 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/07/01 23:19:39 | 000,060,744 | -H-- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/06/24 22:18:34 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat

========== LOP Check ==========

[2010/10/17 21:14:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Affinegy
[2008/10/08 19:03:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Age of Empires 3
[2011/09/23 09:06:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG2012
[2010/10/18 11:12:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2010/10/17 21:06:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Belkin
[2010/10/18 19:56:44 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2012/03/30 10:51:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2008/10/03 22:03:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
[2012/02/25 12:49:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\pdf995
[2009/05/24 19:45:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RapidSolution
[2009/07/23 18:17:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Saitek
[2010/02/19 22:29:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft
[2010/02/19 22:30:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SSScanAppDataDir
[2010/02/19 21:47:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SSScanWizard
[2012/01/21 09:52:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TaxCut
[2009/05/24 17:18:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ulead Systems
[2011/03/29 19:16:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2011/09/23 08:51:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\AVG2012
[2011/11/30 12:14:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Broad Intelligence
[2008/11/12 19:19:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Bullzip
[2012/02/21 17:28:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Dropbox
[2010/07/01 23:03:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\EA
[2011/12/29 22:52:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Electronic Arts
[2009/12/05 09:20:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\flightgear.org
[2009/12/13 22:59:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\fltk.org
[2011/12/03 08:38:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Garmin
[2011/01/03 10:00:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\GrabPro
[2011/09/12 14:16:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\ICAClient
[2008/12/01 20:56:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Leadertech
[2012/01/30 11:40:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Notepad++
[2009/01/10 21:48:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\OpenOffice.org
[2012/02/14 11:19:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Orbit
[2012/02/25 12:41:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\pdf995
[2011/01/03 09:46:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\ProgSense
[2010/02/19 21:47:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\ScanSoft
[2011/04/13 18:39:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\SystemRequirementsLab
[2012/01/21 09:54:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\TaxCut
[2010/12/26 21:07:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Thunderbird
[2009/05/07 18:54:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Trellian
[2009/05/24 17:18:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Ulead Systems
[2008/11/30 14:07:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Video DVD Maker FREE
[2010/06/25 06:58:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\webex
[2012/03/15 01:00:00 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\OptimizeDaily.job
[2012/03/01 01:00:00 | 000,000,356 | ---- | M] () -- C:\WINDOWS\Tasks\OptimizeMonthly.job
[2012/03/11 03:00:00 | 000,000,354 | ---- | M] () -- C:\WINDOWS\Tasks\OptimizeWeekly.job

========== Purity Check ==========



< End of report >

Edited by mrfecteau, 30 March 2012 - 11:50 AM.

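The "Files Created" and "Files Modified" sections of the OTL log above share one fixed layout: `[timestamp | size | attribute flags | C or M] (company) -- path`. The following is an added Python parser, not part of the original post or of OTL itself, that reads that layout and flags hidden, non-directory files with random-looking names, the same triage the helper applies to the three `gpKdkXGEfqtSyL` entries in post #5. The sample lines are constructed copies of a few entries from the log; reading the four-character column as read-only/hidden/system/directory flags and the "random name" heuristic are assumptions of this example.

```python
"""Parse OTL file-listing lines and flag hidden files with random-looking names."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a handful of lines in the shape of the OTL
# "Files Created" / "Files Modified" sections (not the full log).
SAMPLE_LOG = r"""
[2012/03/29 11:23:24 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/03/29 11:03:11 | 000,000,200 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\-gpKdkXGEfqtSyLr
[2012/03/29 11:03:11 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\-gpKdkXGEfqtSyL
[2012/03/29 11:03:08 | 000,000,256 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\gpKdkXGEfqtSyL
[2011/08/14 22:01:28 | 000,421,260 | -H-- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2012/03/08 09:54:51 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
"""

# One OTL entry: "[date time | size | RHSD | C|M] (company) -- path".
# The "(company)" part is absent on directory lines, so it is optional.
LINE_RE = re.compile(
    r"^\[(?P<date>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)


@dataclass
class OtlEntry:
    timestamp: str
    size: int
    read_only: bool
    hidden: bool
    system: bool
    directory: bool
    kind: str                # "C" = created, "M" = modified
    company: Optional[str]   # None when OTL printed "()" or nothing
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_line(line: str) -> Optional[OtlEntry]:
    """Return an OtlEntry, or None for summary lines such as '[8 ...*.tmp files -> ]'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    attrs = m.group("attrs")          # assumed order: R, H, S, D
    company = m.group("company")
    return OtlEntry(
        timestamp=m.group("date"),
        size=int(m.group("size").replace(",", "")),
        read_only=attrs[0] == "R",
        hidden=attrs[1] == "H",
        system=attrs[2] == "S",
        directory=attrs[3] == "D",
        kind=m.group("kind"),
        company=company.strip() or None if company else None,
        path=m.group("path"),
    )


def parse_log(text: str) -> List[OtlEntry]:
    entries = [parse_line(ln) for ln in text.splitlines() if ln.strip()]
    return [e for e in entries if e is not None]


def looks_random(name: str) -> bool:
    """Heuristic (this example's own): an extension-less, purely alphabetic
    name of 8+ letters whose case flips at least four times."""
    stem = name.lstrip("-_")
    if "." in stem or not stem.isalpha() or len(stem) < 8:
        return False
    flips = sum(1 for a, b in zip(stem, stem[1:]) if a.isupper() != b.isupper())
    return flips >= 4


def suspicious(entries: List[OtlEntry]) -> List[OtlEntry]:
    """Hidden, non-directory files whose names look machine-generated."""
    return [e for e in entries if e.hidden and not e.directory and looks_random(e.name)]


if __name__ == "__main__":
    for e in suspicious(parse_log(SAMPLE_LOG)):
        print(f"{e.timestamp}  {e.size:>8}  hidden  {e.path}")
```

The same filter run over the full "Files Created - No Company Name" section above leaves the three `Application Data` entries and nothing else, which matches the helper's OTL fix list.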
#2 Crag_Hack (Trusted Helper, Malware Removal, 1,775 posts)
Hello and welcome to the Geeks to Go Virus, Spyware & Malware Removal forum. My name is Josh and I will be helping you remove your infection. I am only human, not Superman - I can make errors, but I will do my best to help you as best I can so we can solve your problems.

Some of the following instructions to begin the malware removal process can be hard to follow - let me know if you have any questions. Please read all of my responses through at least once before attempting to follow the procedures described. I would recommend printing them out, if you can, as you can check off each step as you complete it. Also please do not attempt any disinfection procedures without my instruction as things can go wrong that way.

One more thing - please refrain from using your computer until it is disinfected unless you absolutely have to (unless you are following my disinfection procedures). When you are using it, the current malware infection could propagate further infections, forcing us to do a second or even third round of disinfection after the first. If you do have to use it, please disconnect it from the Internet - that way the current malware cannot propagate further infections.

I will get back to you soon with further instructions. Expect no more than 36 hours between your post and my response unless World War 3 breaks out and I will need at most 48 hours for initial analysis of your OTL log. Good luck!

#3 Crag_Hack (Trusted Helper, Malware Removal, 1,775 posts)
One more thing: please do not clean your temporary files. This is important.

#4 mrfecteau (Topic Starter, Member, 17 posts)
Thanks...

#5 Crag_Hack (Trusted Helper, Malware Removal, 1,775 posts)
Hello mrfecteau. I finished looking at your OTL log. It looks very clean. There are three files to get rid of, 4 to make sure are clean, and 1 to upload to see if it's malicious or not. Also we will run a utility called aswMBR to scan for infections prevalent these days. And finally a scan with RogueKiller to fix your hidden files. Please do the following:

Step 1

  • Double click on the OTL icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the None button.
  • Paste this into the Custom Scans/Fixes section:
    C:\WINDOWS\System32\pdf995mon.dll /md5
    C:\WINDOWS\System32\iacenc.dll /md5
    C:\WINDOWS\System32\nvModes.dat /md5
    C:\WINDOWS\System32\ezsidmv.dat /md5
  • Click the Run Scan button. The scan won't take long.
  • When the scan completes, it will open a notepad window - OTL.Txt.
  • Please copy (Edit->Select All, Edit->Copy) the contents of this file and post it in your topic.

Step 2

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    [2012/03/29 11:03:11 | 000,000,200 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\-gpKdkXGEfqtSyLr
    [2012/03/29 11:03:11 | 000,000,000 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\-gpKdkXGEfqtSyL
    [2012/03/29 11:03:08 | 000,000,256 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\gpKdkXGEfqtSyL
    
    :Commands
    [purity]
    [resethosts]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Then post the produced log (it will be in C:\_OTL\MovedFiles with a filename beginning with the date)

Step 3

  • Download aswMBR.exe ( 1870KB ) to your desktop.
  • Double click the aswMBR.exe to run it
  • It will ask you if you want to download the latest Avast! virus definitions, answer no
  • Click the Scan button to start scan
  • On completion of the scan click Save log, save it to your desktop and post in your next reply

Step 4

Download RogueKiller to your desktop

  • Quit all running programs
  • Run RogueKiller.exe
  • When prompted, type 1 and press enter
  • The RKreport[1].txt shall be generated next to the executable.
  • Press a key to continue
  • When prompted, type 6 and press enter
  • The RKreport[2].txt shall be generated next to the executable.
  • Press a key to continue
  • When prompted, type 0 and press enter to quit
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe
Please post the contents of the RKreport text files in your next Reply.

Step 5

There are several suspicious files on your machine that might or might not be malware. We will scan them to verify. Let me know if you have any trouble following these instructions. Please do the following:

  • Go to this site
  • Click the browse button on the top of the page
  • Navigate to this file C:\Program Files\MediaCoder\SysInfo.sys and click the open button
  • Click the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button
  • Once the Scan is completed, click on the Copy to Clipboard button at the bottom of the page. This will copy the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

Things to see in your next post:
OTL.txt
OTL fix log
aswMBR log
RKreport text files
virscan upload result


#6 mrfecteau (Topic Starter, Member, 17 posts)
Thanks again for helping...

Step 1 Results
OTL logfile created on: 4/4/2012 6:53:11 AM - Run 2
OTL by OldTimer - Version 3.2.39.2 Folder = C:\Documents and Settings\Mark\Desktop\OTL
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.29 Gb Available Physical Memory | 64.53% Memory free
3.85 Gb Paging File | 3.34 Gb Available in Paging File | 86.79% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 9.08 Gb Free Space | 12.19% Space Free | Partition Type: NTFS
Drive G: | 111.76 Gb Total Space | 38.99 Gb Free Space | 34.88% Space Free | Partition Type: FAT32

Computer Name: UPSTAIRS | User Name: Mark | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

========== Custom Scans ==========

< C:\WINDOWS\System32\pdf995mon.dll /md5 >
[2012/02/25 12:37:56 | 000,051,716 | ---- | M] () MD5=AF238673651EFC0226EA74239B502A6F -- C:\WINDOWS\System32\pdf995mon.dll
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

< C:\WINDOWS\System32\iacenc.dll /md5 >
[2012/01/11 15:06:47 | 000,003,072 | ---- | M] () MD5=C30B851A482C4549125F4209788791E6 -- C:\WINDOWS\System32\iacenc.dll
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

< C:\WINDOWS\System32\nvModes.dat /md5 >
[2011/08/29 09:52:06 | 000,000,008 | ---- | M] () MD5=D71BCA80702FCB793D230906BA7E168C -- C:\WINDOWS\System32\nvModes.dat
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

< C:\WINDOWS\System32\ezsidmv.dat /md5 >
[2010/06/24 22:18:34 | 000,000,056 | -H-- | M] () MD5=940EFFA9C24C8A5EE77A4E4E1881237C -- C:\WINDOWS\System32\ezsidmv.dat
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

< End of report >

#7 mrfecteau (Topic Starter, Member, 17 posts)
Step 2 Results...
========== OTL ==========
C:\Documents and Settings\All Users\Application Data\-gpKdkXGEfqtSyLr moved successfully.
C:\Documents and Settings\All Users\Application Data\-gpKdkXGEfqtSyL moved successfully.
C:\Documents and Settings\All Users\Application Data\gpKdkXGEfqtSyL moved successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.39.2 log created on 04042012_070714

#8 mrfecteau (Topic Starter, Member, 17 posts)
Step 3 Results...
aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-04-04 07:24:39
-----------------------------
07:24:39.609 OS Version: Windows 5.1.2600 Service Pack 3
07:24:39.609 Number of processors: 2 586 0x401
07:24:39.609 ComputerName: UPSTAIRS UserName: Mark
07:24:40.546 Initialize success
07:24:54.312 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e
07:24:54.312 Disk 0 Vendor: ST380817AS 3.42 Size: 76319MB BusType: 3
07:24:54.343 Disk 0 MBR read successfully
07:24:54.343 Disk 0 MBR scan
07:24:54.343 Disk 0 Windows XP default MBR code
07:24:54.343 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 76316 MB offset 63
07:24:54.343 Disk 0 scanning sectors +156296385
07:24:54.406 Disk 0 scanning C:\WINDOWS\system32\drivers
07:25:02.062 Service scanning
07:25:12.796 Modules scanning
07:25:18.031 Disk 0 trace - called modules:
07:25:18.062 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys PCIIDEX.SYS
07:25:18.062 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a6aeab8]
07:25:18.062 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000068[0x8a7051f8]
07:25:18.062 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-e[0x8a6c4d98]
07:25:18.062 Scan finished successfully
07:25:38.140 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Mark\Desktop\OTL\MBR.dat"
07:25:38.156 The log file has been saved successfully to "C:\Documents and Settings\Mark\Desktop\OTL\aswMBR.txt"

#9 mrfecteau (Topic Starter, Member, 17 posts)
I am having a problem with Step 4. I ran RK but not sure what to do when it opens. I followed the prompt to press Scan but I am not sure if I am supposed to do anything else. There were further prompts to review the tabs and delete but the steps only discuss producing the report files so I was hesitant to delete anything. Would you clarify the steps for running RK in Step 4? For example, I didn't see anywhere to press 1 etc.

Thanks in advance...

Edited by mrfecteau, 04 April 2012 - 06:35 AM.


#10 Crag_Hack (Trusted Helper, Malware Removal, 1,775 posts)
Sorry, the program was updated and I still had the old instructions. Here are the new ones:

  • Download RogueKiller to the desktop
  • Quit all programs
  • Start RogueKiller.exe
  • Wait until Prescan has finished ...
  • Click on Scan. Click on Report and copy/paste the contents of the notepad window into your next post
  • Click on ShtctFix. Click on Report and copy/paste the contents of the notepad window into your next post

#11 Crag_Hack (Trusted Helper, Malware Removal, 1,775 posts)
Instead of ShtctFix please click ShortcutsFix. Sorry about the mistake; the updated instructions have also become a little obsolete, lol.

#12 mrfecteau (Topic Starter, Member, 17 posts)
NP, here is the Scan Output...

RogueKiller V7.3.2 [03/20/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Mark [Admin rights]
Mode: Scan -- Date: 04/04/2012 18:25:22

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 1 ¤¤¤
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
ÿþ1

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST380817AS +++++
--- User ---
[MBR] f069fb97013b07005b44eaad2ce1f5b5
[BSP] f63e9d9658e9c1be61952d24249f8794 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76316 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: WD 1200BB External USB Device +++++
--- User ---
[MBR] 9f4041c9c71d2e55c9dc1d8d2a7e2e72
[BSP] d0ec2211ba2260ee6d54a28c5292c11f : Windows XP MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 63 | Size: 114470 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[4].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt

Edited by mrfecteau, 04 April 2012 - 04:36 PM.


#13 mrfecteau (Topic Starter, Member, 17 posts)
ShortcutsFix Output...

RogueKiller V7.3.2 [03/20/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Mark [Admin rights]
Mode: Shortcuts HJfix -- Date: 04/04/2012 18:30:14

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 2 / Fail 0
Quick launch: Success 3 / Fail 0
Programs: Success 21139 / Fail 0
Start menu: Success 9 / Fail 0
User folder: Success 21513 / Fail 0
My documents: Success 101 / Fail 0
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 18013 / Fail 0
Backup: [FOUND] Success 12 / Fail 209

Drives:
[A:] \Device\Floppy0 -- 0x2 --> Skipped
[C:] \Device\HarddiskVolume1 -- 0x3 --> Restored
[D:] \Device\CdRom0 -- 0x5 --> Skipped
[F:] \Device\CdRom1 -- 0x5 --> Skipped
[G:] \Device\HarddiskVolume2 -- 0x3 --> Restored

¤¤¤ Infection : Rogue.FakeHDD ¤¤¤

Finished : << RKreport[5].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt ; RKreport[5].txt

#14 mrfecteau (Topic Starter, Member, 17 posts)
VirSCAN output...

VirSCAN.org Scanned Report :
Scanned time : 2012/04/05 07:25:05 (EDT)
Scanner results: Scanners did not find malware!
File Name : SysInfo.sys
File Size : 15152 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : f054744f67576a01139885173392502b
SHA1 : f2cba5d082505cd5d2efc74d7f36bce91543ba01
Online report : http://r.virscan.org...13fec22181c1d4a

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.1.0.4 20120405130756 2012-04-05 28.88 -
AhnLab V3 2012.03.26.00 2012.03.26 2012-03-26 27.27 -
AntiVir 8.2.10.24 7.11.25.222 2012-03-22 0.28 -
Antiy 2.0.18 2.0.18. 0002-18-00 0.25 -
Arcavir 2011 201204010133 2012-04-01 6.60 -
Authentium 5.1.1 201204041716 2012-04-04 2.32 -
AVAST! 4.7.4 120404-1 2012-04-04 0.17 -
AVG 12.0.1782 2409/4915 2012-04-04 0.26 -
BitDefender 7.90123.7040340 7.41762 2012-04-05 3.94 -
ClamAV 0.97.3 14744 2012-04-05 0.17 -
Comodo 5.1 11994 2012-04-05 7.14 -
CP Secure 1.3.0.5 2012.04.05 2012-04-05 0.20 -
Dr.Web 7.0.1.2210 2012.04.02 2012-04-02 11.87 -
F-Prot 4.6.2.117 20120405 2012-04-05 2.19 -
F-Secure 7.02.73807 2012.02.07.03 2012-02-07 0.32 -
Fortinet 4.3.392 15.385 2012-04-04 2.42 -
GData 22.4520 20120405 2012-04-05 13.13 -
ViRobot 20120405 2012.04.05 2012-04-05 9.09 -
Ikarus T3.1.32.20.0 2012.04.05.80876 2012-04-05 6.56 -
JiangMin 13.0.900 2012.04.05 2012-04-05 10.40 -
Kaspersky 5.5.10 2012.04.05 2012-04-05 0.35 -
KingSoft 2009.2.5.15 2012.4.5.14 2012-04-05 6.31 -
McAfee 5400.1158 6670 2012-04-04 8.96 -
Microsoft 1.8202 2012.04.05 2012-04-05 16.51 -
NOD32 3.0.21 7030 2012-04-05 0.20 -
Panda 9.05.01 2012.04.04 2012-04-04 9.97 -
Trend Micro 9.500-1005 8.888.02 2012-04-04 0.21 -
Quick Heal 11.00 2012.04.05 2012-04-05 8.61 -
Rising 20.0 24.04.02.03 2012-04-04 10.47 -
Sophos 3.30.0 4.76 2012-04-05 5.75 -
Sunbelt 3.9.2533.2 11752 2012-04-04 7.96 -
Symantec 1.3.0.24 20120404.004 2012-04-04 1.25 -
nProtect 20120404.01 11077008 2012-04-04 10.28 -
The Hacker 6.7.0.1 v00439 2012-04-04 1.53 -
VBA32 3.12.16.4 20120404.0916 2012-04-04 4.76 -
VirusBuster 5.5.0.2 14.2.11.0/8262559 2012-04-04 0.25 -

#15 Crag_Hack (Trusted Helper, Malware Removal, 1,775 posts)
Hi mrfecteau, things look good. We have one entry to fix using RogueKiller, a reiteration of RogueKiller ShortcutsFix, and a command to run to restore your hidden files.

Step 1

  • Start RogueKiller.exe
  • Wait until Prescan has finished ...
  • Click on Scan
  • Click on Delete. Click on Report and copy/paste the contents of the notepad window into your next post
  • Click on ShortcutsFix. Click on Report and copy/paste the contents of the notepad window into your next post

Step 2

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Files
    xcopy %Temp%\smtmp\1 "%AllUsersProfile%\Start Menu" /H /I /S /Y /C
    xcopy %Temp%\smtmp\2 "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch" /H /I /S /Y /C
    xcopy %Temp%\smtmp\3 "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" /H /I /S /Y /C
    xcopy %Temp%\smtmp\4 "%AllUsersProfile%\Desktop" /H /I /S /Y /C
    
    :Commands
    [purity]
    [resethosts]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Then post the produced log (it will be in C:\_OTL\MovedFiles with a filename beginning with the date)
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply as well.

Things to see in your next post:
RogueKiller logs
OTL fix log
OTL.txt
