Malware.. [email protected] found during a scan



#1
BakaBLC

    New Member
Recently I've noticed my computer running slower and ads playing in the background when I don't have a browser open. I installed Malwarebytes and ran a scan, and it detected files called [email protected] and [email protected] located in the (C:\Windows\Installer) folder. I didn't dare remove it though, seeing the location of it and some bad experiences when removing infections on my own in the past... thought I'd seek help or advice this time instead. I'm a bit inexperienced with these things, so please bear with me if I seem clueless at any time, sorry. And thanks in advance.


Here's the log from the OTL scan:

OTL logfile created on: 6/20/2012 6:21:40 PM - Run 1
OTL by OldTimer - Version 3.2.50.0 Folder = C:\Users\Brenda\Desktop
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.75 Gb Total Physical Memory | 0.65 Gb Available Physical Memory | 23.72% Memory free
5.49 Gb Paging File | 2.46 Gb Available in Paging File | 44.73% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 315.66 Gb Total Space | 41.04 Gb Free Space | 13.00% Space Free | Partition Type: NTFS
Drive X: | 150.00 Gb Total Space | 63.35 Gb Free Space | 42.23% Space Free | Partition Type: NTFS

Computer Name: BRENDA-PC | User Name: Brenda | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/06/20 12:16:48 | 000,596,992 | ---- | M] (OldTimer Tools) -- C:\Users\Brenda\Desktop\OTL.exe
PRC - [2012/06/19 21:34:29 | 000,204,800 | ---- | M] (Realtek Semiconductor Corp.) -- C:\Users\Brenda\AppData\Local\Temp\RtkBtMnt.exe
PRC - [2012/06/18 12:07:29 | 000,913,888 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2012/06/18 12:05:07 | 001,535,176 | ---- | M] (Adobe Systems, Inc.) -- C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_11_3_300_257.exe
PRC - [2011/11/23 06:36:24 | 002,391,832 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgfws.exe
PRC - [2011/09/09 00:53:26 | 000,743,264 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgrsx.exe
PRC - [2011/08/15 10:21:40 | 000,337,760 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgcsrvx.exe
PRC - [2011/08/02 10:09:08 | 000,192,776 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe
PRC - [2011/02/26 01:33:07 | 002,614,784 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2010/12/13 14:37:46 | 000,135,536 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe
PRC - [2009/07/13 21:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2008/07/03 11:27:12 | 006,266,880 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe


========== Modules (No Company Name) ==========

MOD - [2012/06/18 12:07:29 | 002,042,848 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2012/06/18 12:05:07 | 009,459,912 | ---- | M] () -- C:\Windows\System32\Macromed\Flash\NPSWF32_11_3_300_257.dll


========== Win32 Services (SafeList) ==========

SRV - [2012/06/18 12:07:29 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/06/18 12:05:08 | 000,257,224 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/05/22 01:55:26 | 001,343,400 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2012/05/03 08:31:10 | 000,158,856 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2012/01/22 10:15:32 | 002,230,416 | ---- | M] (Giraffic) [Disabled | Stopped] -- C:\Program Files\Giraffic\Veoh_GirafficWatchdog.exe -- (Giraffic)
SRV - [2011/12/04 16:46:07 | 000,603,904 | ---- | M] (TuneUp Software) [Disabled | Stopped] -- C:\Windows\System32\TUProgSt.exe -- (TuneUp.ProgramStatisticsSvc)
SRV - [2011/12/04 16:45:57 | 000,360,192 | ---- | M] (TuneUp Software) [Disabled | Stopped] -- C:\Windows\System32\TuneUpDefragService.exe -- (TuneUp.Defrag)
SRV - [2011/11/23 06:36:24 | 002,391,832 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\avgfws.exe -- (avgfws)
SRV - [2011/11/16 03:30:45 | 000,655,624 | ---- | M] (Acresso Software Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2011/08/02 10:09:08 | 000,192,776 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe -- (avgwd)
SRV - [2010/12/13 14:37:46 | 000,135,536 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe -- (MSCamSvc)
SRV - [2009/12/23 17:34:20 | 000,370,688 | ---- | M] (StarWind Software) [Disabled | Stopped] -- C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe -- (StarWindServiceAE)
SRV - [2009/07/13 21:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 21:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2008/12/11 17:31:36 | 000,027,904 | ---- | M] (TuneUp Software) [Auto | Stopped] -- C:\Windows\System32\uxtuneup.dll -- (UxTuneUp)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Unknown] -- -- (aaekz1rz)
DRV - [2011/12/11 03:37:02 | 000,428,088 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\drivers\sptd.sys -- (sptd)
DRV - [2011/10/07 10:23:48 | 000,230,608 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2011/09/13 10:30:10 | 000,032,592 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\System32\drivers\avgrkx86.sys -- (Avgrkx86)
DRV - [2011/08/08 10:08:58 | 000,040,016 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\Windows\System32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2011/07/11 05:14:38 | 000,295,248 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgtdix.sys -- (Avgtdix)
DRV - [2011/07/11 05:14:12 | 000,023,120 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\AVGIDSEH.sys -- (AVGIDSEH)
DRV - [2011/05/23 05:03:28 | 000,047,968 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgfwd6x.sys -- (Avgfwfd)
DRV - [2009/10/05 20:31:50 | 001,221,632 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2009/07/13 21:19:10 | 000,175,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vmbus.sys -- (vmbus)
DRV - [2009/07/13 21:19:10 | 000,040,896 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmstorfl.sys -- (storflt)
DRV - [2009/07/13 21:19:10 | 000,028,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\storvsc.sys -- (storvsc)
DRV - [2009/07/13 19:51:11 | 000,034,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2009/07/13 19:28:47 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vms3cap.sys -- (s3cap)
DRV - [2009/07/13 19:28:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VMBusHID.sys -- (VMBusHID)
DRV - [2008/12/02 02:14:34 | 004,179,968 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = EB A9 F8 AE DC A3 CC 01 [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = local

========== FireFox ==========

FF - prefs.js..browser.search.defaultthis.engineName: "Veoh Web Player Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.condui...={searchTerms}"
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..keyword.URL: "http://search.condui...rchSource=2&q="
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_3_300_257.dll ()
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3538.0513: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pages.tvunetworks.com/WebPlayer: C:\Program Files\TVUPlayer\npTVUAx.dll File not found
FF - HKLM\Software\MozillaPlugins\@pptv.com/plugin: C:\Program Files\Internet Explorer\PPLite\plugin\npplugin2.dll (PPLive Corporation)
FF - HKCU\Software\MozillaPlugins\@Skype Limited.com/Facebook Video Calling Plugin: C:\Users\Brenda\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/06/18 12:07:31 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2011/11/06 22:29:48 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Brenda\AppData\Roaming\mozilla\Extensions
[2012/06/06 19:03:44 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Brenda\AppData\Roaming\mozilla\Firefox\Profiles\nsiu5tzs.default\extensions
[2012/06/06 19:03:44 | 000,000,000 | ---D | M] (Veoh Web Player Community Toolbar) -- C:\Users\Brenda\AppData\Roaming\mozilla\Firefox\Profiles\nsiu5tzs.default\extensions\{cd90bf73-20f6-44ef-993d-bb920303bd2e}
[2011/12/19 21:39:20 | 000,000,933 | ---- | M] () -- C:\Users\Brenda\AppData\Roaming\Mozilla\Firefox\Profiles\nsiu5tzs.default\searchplugins\conduit.xml
[2011/11/15 17:21:05 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/05/28 21:34:20 | 000,336,363 | ---- | M] () (No name found) -- C:\USERS\BRENDA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\NSIU5TZS.DEFAULT\EXTENSIONS\{19503E42-CA3C-4C27-B1E2-9CDB2170EE34}.XPI
[2012/01/08 20:34:35 | 000,634,964 | ---- | M] () (No name found) -- C:\USERS\BRENDA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\NSIU5TZS.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI
[2012/04/27 13:04:52 | 000,159,870 | ---- | M] () (No name found) -- C:\USERS\BRENDA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\NSIU5TZS.DEFAULT\EXTENSIONS\[email protected]
[2012/06/18 12:07:30 | 000,085,472 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/06/18 12:07:25 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/06/18 12:07:25 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2011/11/16 04:03:04 | 000,001,306 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 activate.adobe.com
O1 - Hosts: 127.0.0.1 practivate.adobe.com
O1 - Hosts: 127.0.0.1 ereg.adobe.com
O1 - Hosts: 127.0.0.1 activate.wip3.adobe.com
O1 - Hosts: 127.0.0.1 wip3.adobe.com
O1 - Hosts: 127.0.0.1 3dns-3.adobe.com
O1 - Hosts: 127.0.0.1 3dns-2.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns-2.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns-3.adobe.com
O1 - Hosts: 127.0.0.1 ereg.wip3.adobe.com
O1 - Hosts: 127.0.0.1 activate-sea.adobe.com
O1 - Hosts: 127.0.0.1 wwis-dubc1-vip60.adobe.com
O1 - Hosts: 127.0.0.1 activate-sjc0.adobe.com
O2 - BHO: (Octh Class) - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll (Orbitdownloader.com)
O3 - HKLM\..\Toolbar: (Grab Pro) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Grab Pro) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: &Download by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: &Grab video by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Do&wnload selected by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Down&load all by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 75.75.75.75 75.75.76.76
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{AE69A275-93CB-43DF-AD84-B33117C08ECD}: DhcpNameServer = 192.168.1.1 75.75.75.75 75.75.76.76
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKCU Winlogon: Shell - (expstart.exe) - C:\Windows\expstart.exe ()
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{da731cc0-2392-11e1-8fb3-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{da731cc0-2392-11e1-8fb3-806e6f6e6963}\Shell\AutoRun\command - "" = E:\Autorun.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012/06/20 12:16:42 | 000,596,992 | ---- | C] (OldTimer Tools) -- C:\Users\Brenda\Desktop\OTL.exe
[2012/06/19 23:42:12 | 000,000,000 | ---D | C] -- C:\Users\Brenda\AppData\Local\{BBC012F5-2FD9-44FC-B1A8-B29882570C64}
[2012/06/19 21:42:01 | 000,000,000 | ---D | C] -- C:\Users\Brenda\AppData\Roaming\Malwarebytes
[2012/06/19 21:41:51 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/06/19 21:41:50 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/06/19 21:41:49 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2012/06/19 21:41:49 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/06/19 21:29:01 | 000,000,000 | ---D | C] -- C:\Windows\System32\RTCOM
[2012/06/19 21:28:33 | 001,777,664 | ---- | C] (Waves Audio Ltd.) -- C:\Windows\System32\WavesLib.dll
[2012/06/19 21:28:33 | 000,339,968 | ---- | C] (SRS Labs, Inc.) -- C:\Windows\System32\SRSTSXT.dll
[2012/06/19 21:28:33 | 000,185,776 | ---- | C] (SRS Labs, Inc.) -- C:\Windows\System32\SRSTSHD.dll
[2012/06/19 21:28:33 | 000,167,936 | ---- | C] (SRS Labs, Inc.) -- C:\Windows\System32\SRSHP360.dll
[2012/06/19 21:28:33 | 000,135,168 | ---- | C] (SRS Labs, Inc.) -- C:\Windows\System32\SRSWOW.dll
[2012/06/19 21:28:32 | 006,266,880 | ---- | C] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
[2012/06/19 21:28:32 | 001,933,312 | ---- | C] (Waves Audio Ltd.) -- C:\Windows\System32\MaxxAudioEQ.dll
[2012/06/19 21:28:32 | 000,159,744 | ---- | C] (Waves Audio Ltd.) -- C:\Windows\System32\MaxxAudioAPO20.dll
[2012/06/19 21:28:32 | 000,143,360 | ---- | C] (Windows ® Codename Longhorn DDK provider) -- C:\Windows\System32\FMAPO.dll
[2012/06/19 21:28:32 | 000,126,976 | ---- | C] (Waves Audio Ltd.) -- C:\Windows\System32\MaxxAudioAPO.dll
[2012/06/19 21:28:32 | 000,000,000 | ---D | C] -- C:\Program Files\Realtek
[2012/06/18 14:32:54 | 000,000,000 | ---D | C] -- C:\Users\Brenda\AppData\Local\Macromedia
[2012/06/18 12:07:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Mozilla
[2012/06/18 12:07:39 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Maintenance Service
[2012/06/09 15:51:04 | 000,000,000 | ---D | C] -- C:\Users\Brenda\AppData\Roaming\HD Tune Pro
[2012/06/09 15:48:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HD Tune Pro
[2012/06/09 15:48:01 | 000,000,000 | ---D | C] -- C:\Program Files\HD Tune Pro
[2012/06/09 14:45:29 | 000,000,000 | R--D | C] -- C:\Program Files\Skype
[2012/06/09 14:45:29 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
[2012/06/09 14:45:29 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
[2012/06/05 00:09:08 | 000,000,000 | ---D | C] -- C:\Users\Brenda\AppData\Local\{BDA0AE4D-607D-424A-80F9-9F547B52C841}
[2012/05/25 20:02:54 | 000,000,000 | ---D | C] -- C:\Users\Brenda\AppData\Local\fontconfig
[2012/05/25 20:02:47 | 000,000,000 | ---D | C] -- C:\Users\Brenda\.gimp-2.8
[2012/05/25 20:02:46 | 000,000,000 | ---D | C] -- C:\Users\Brenda\AppData\Local\gegl-0.2
[2012/05/24 21:33:20 | 000,000,000 | ---D | C] -- C:\Program Files\GIMP 2
[2012/05/22 01:55:28 | 000,000,000 | ---D | C] -- C:\Windows\System32\Wat
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

File not found -- C:\Windows\System32\
[2012/06/20 17:03:08 | 000,627,082 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/06/20 17:03:08 | 000,107,366 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/06/20 16:36:01 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012/06/20 16:14:16 | 000,000,402 | RHS- | M] () -- C:\ProgramData\ntuser.pol
[2012/06/20 16:00:02 | 000,000,488 | ---- | M] () -- C:\Windows\tasks\1-Click Maintenance.job
[2012/06/20 15:35:03 | 000,000,932 | ---- | M] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-2853764733-1156619883-1992211099-1000UA.job
[2012/06/20 12:21:39 | 000,334,475 | ---- | M] () -- C:\Windows\System32\drivers\AVG\iavichjg.avm
[2012/06/20 12:16:48 | 000,596,992 | ---- | M] (OldTimer Tools) -- C:\Users\Brenda\Desktop\OTL.exe
[2012/06/20 11:21:39 | 100,582,230 | ---- | M] () -- C:\Windows\System32\drivers\AVG\incavi.avm
[2012/06/20 11:20:25 | 000,016,816 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/06/20 11:20:25 | 000,016,816 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/06/20 11:15:06 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/06/20 11:14:57 | 2212,995,072 | -HS- | M] () -- C:\hiberfil.sys
[2012/06/19 21:41:52 | 000,001,071 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/06/19 21:35:00 | 000,000,910 | ---- | M] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-2853764733-1156619883-1992211099-1000Core.job
[2012/06/14 20:44:47 | 002,343,344 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012/06/11 02:17:12 | 000,001,268 | ---- | M] () -- C:\Users\Brenda\Desktop\Looking For Angels - Shortcut.lnk
[2012/06/10 19:11:52 | 000,007,602 | ---- | M] () -- C:\Users\Brenda\AppData\Local\Resmon.ResmonCfg
[2012/06/09 15:48:03 | 000,000,937 | ---- | M] () -- C:\Users\Brenda\Desktop\HD Tune Pro.lnk
[2012/06/09 15:11:03 | 000,162,129 | ---- | M] () -- C:\Users\Brenda\Documents\Untitled.wma
[2012/06/09 14:45:29 | 000,002,503 | ---- | M] () -- C:\Users\Public\Desktop\Skype.lnk
[2012/06/01 14:58:16 | 000,010,752 | ---- | M] () -- C:\Users\Brenda\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/06/01 14:23:58 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
[2012/05/28 21:28:55 | 000,625,911 | ---- | M] () -- C:\Windows\System32\drivers\AVG\iavifw.avm
[2012/05/25 20:48:46 | 000,002,027 | ---- | M] () -- C:\Users\Brenda\AppData\Local\recently-used.xbel
[2012/05/24 21:22:30 | 246,149,047 | ---- | M] () -- C:\Windows\MEMORY.DMP
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

File not found -- C:\Windows\System32\
[2012/06/19 21:41:52 | 000,001,071 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/06/19 21:29:44 | 000,000,553 | ---- | C] () -- C:\Windows\USetup.iss
[2012/06/19 21:28:34 | 000,001,694 | ---- | C] () -- C:\Windows\RtDefLvl.ini
[2012/06/19 21:28:34 | 000,000,520 | ---- | C] () -- C:\Windows\System32\drivers\RTEQEX1.dat
[2012/06/19 21:28:34 | 000,000,520 | ---- | C] () -- C:\Windows\System32\drivers\RTEQEX0.dat
[2012/06/19 21:28:34 | 000,000,008 | ---- | C] () -- C:\Windows\System32\drivers\rtkhdaud.dat
[2012/06/11 02:17:12 | 000,001,268 | ---- | C] () -- C:\Users\Brenda\Desktop\Looking For Angels - Shortcut.lnk
[2012/06/09 15:48:03 | 000,000,937 | ---- | C] () -- C:\Users\Brenda\Desktop\HD Tune Pro.lnk
[2012/06/09 15:11:02 | 000,162,129 | ---- | C] () -- C:\Users\Brenda\Documents\Untitled.wma
[2012/06/09 14:45:29 | 000,002,503 | ---- | C] () -- C:\Users\Public\Desktop\Skype.lnk
[2012/06/01 14:23:58 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
[2012/05/25 20:48:46 | 000,002,027 | ---- | C] () -- C:\Users\Brenda\AppData\Local\recently-used.xbel
[2012/05/24 21:37:30 | 000,001,049 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GIMP 2.lnk
[2012/05/21 00:13:06 | 000,018,432 | ---- | C] () -- C:\Windows\Installer\{237437bc-65a3-af1b-2595-d722b8b2092d}\U\[email protected]
[2012/05/21 00:13:06 | 000,012,288 | ---- | C] () -- C:\Windows\Installer\{237437bc-65a3-af1b-2595-d722b8b2092d}\U\[email protected]
[2012/05/21 00:13:03 | 000,001,648 | ---- | C] () -- C:\Windows\Installer\{237437bc-65a3-af1b-2595-d722b8b2092d}\U\[email protected]
[2012/05/04 15:41:44 | 000,007,602 | ---- | C] () -- C:\Users\Brenda\AppData\Local\Resmon.ResmonCfg
[2012/05/02 16:38:42 | 001,105,920 | ---- | C] () -- C:\Windows\System32\autorungui.dll
[2012/03/07 15:05:45 | 000,000,402 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2012/02/13 15:19:09 | 000,119,296 | ---- | C] () -- C:\Windows\System32\zlib.dll
[2012/02/13 15:19:09 | 000,057,344 | ---- | C] () -- C:\Windows\System32\ADsSecurity.dll
[2012/02/13 15:19:08 | 000,036,864 | ---- | C] () -- C:\Windows\System32\dxinputdll.dll
[2012/01/27 05:41:45 | 000,083,072 | ---- | C] () -- C:\Windows\System32\AFCUPDL.exe
[2012/01/17 03:02:01 | 000,001,189 | ---- | C] () -- C:\Users\Brenda\AppData\Roaming\vso_ts_preview.xml
[2012/01/15 22:55:49 | 000,916,480 | ---- | C] () -- C:\Windows\expstart.exe
[2012/01/11 02:26:59 | 000,002,048 | -HS- | C] () -- C:\Windows\System32\config\systemprofile\AppData\Local\{237437bc-65a3-af1b-2595-d722b8b2092d}\@
[2012/01/11 02:26:59 | 000,002,048 | -HS- | C] () -- C:\Windows\Installer\{237437bc-65a3-af1b-2595-d722b8b2092d}\@
[2011/12/20 00:02:39 | 000,034,308 | ---- | C] () -- C:\Windows\System32\BASSMOD.dll
[2011/11/19 23:00:55 | 000,010,752 | ---- | C] () -- C:\Users\Brenda\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/11/18 16:41:08 | 000,000,000 | ---- | C] () -- C:\Windows\PowerReg.dat
[2011/11/14 20:48:51 | 000,000,000 | ---- | C] () -- C:\Windows\jestina_screensaver.ini
[2011/11/06 21:59:37 | 000,165,376 | ---- | C] () -- C:\Windows\System32\unrar.dll
[2011/11/06 19:34:56 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2011/06/10 10:34:52 | 000,080,416 | ---- | C] () -- C:\Windows\System32\RtNicProp32.dll

========== LOP Check ==========

[2012/03/28 15:24:04 | 000,000,000 | ---D | M] -- C:\Users\Brenda\AppData\Roaming\Audacity
[2011/11/06 23:03:47 | 000,000,000 | ---D | M] -- C:\Users\Brenda\AppData\Roaming\AVG2012
[2011/12/11 02:17:07 | 000,000,000 | ---D | M] -- C:\Users\Brenda\AppData\Roaming\DAEMON Tools Lite
[2011/11/15 16:55:03 | 000,000,000 | ---D | M] -- C:\Users\Brenda\AppData\Roaming\GrabPro
[2012/06/09 15:51:04 | 000,000,000 | ---D | M] -- C:\Users\Brenda\AppData\Roaming\HD Tune Pro
[2012/06/19 23:53:48 | 000,000,000 | ---D | M] -- C:\Users\Brenda\AppData\Roaming\Orbit
[2011/12/14 05:25:48 | 000,000,000 | ---D | M] -- C:\Users\Brenda\AppData\Roaming\PlayFirst
[2012/02/13 20:55:53 | 000,000,000 | ---D | M] -- C:\Users\Brenda\AppData\Roaming\PowerUp Software
[2011/12/31 07:18:49 | 000,000,000 | ---D | M] -- C:\Users\Brenda\AppData\Roaming\PPLive
[2011/11/15 16:55:10 | 000,000,000 | ---D | M] -- C:\Users\Brenda\AppData\Roaming\ProgSense
[2011/12/04 16:45:53 | 000,000,000 | ---D | M] -- C:\Users\Brenda\AppData\Roaming\TuneUp Software
[2012/06/20 02:18:52 | 000,000,000 | ---D | M] -- C:\Users\Brenda\AppData\Roaming\uTorrent
[2012/02/09 04:35:31 | 000,000,000 | ---D | M] -- C:\Users\Brenda\AppData\Roaming\Vso
[2012/02/07 21:45:18 | 000,000,000 | ---D | M] -- C:\Users\Brenda\AppData\Roaming\Xilisoft Corporation
[2012/06/20 16:00:02 | 000,000,488 | ---- | M] () -- C:\Windows\Tasks\1-Click Maintenance.job
[2012/06/19 21:35:00 | 000,000,910 | ---- | M] () -- C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2853764733-1156619883-1992211099-1000Core.job
[2012/06/20 15:35:03 | 000,000,932 | ---- | M] () -- C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2853764733-1156619883-1992211099-1000UA.job
[2012/06/20 16:55:16 | 000,032,644 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 128 bytes -> C:\Windows\System32\zlib.dll:SummaryInformation
@Alternate Data Stream - 128 bytes -> C:\Windows\System32\zlib.dll:DocumentSummaryInformation

< End of report >

Edited by BakaBLC, 20 June 2012 - 05:41 PM.



#2
RKinner

    Malware Expert
This is a fairly new infection so let's collect some more info so we can be sure we get it all.

Copy the text in the code box:

DRIVES
netsvcs
%SYSTEMDRIVE%\*.exe
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.exe
%ALLUSERSPROFILE%\Application Data\*.exe
%APPDATA%\*.
/md5start
atapi.sys
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
services.exe
csrss.exe
consrv.dll
aaekz1rz.sys
aaekz1rz.exe
aaekz1rz.dll
AFCUPDL.exe
wshelper.dll
wbemess.dll
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
HKCU\software\classes\clsid|{237437bc-65a3-af1b-2595-d722b8b2092d} /rs
HKLM\software\classes\clsid|{237437bc-65a3-af1b-2595-d722b8b2092d} /rs
HKCR\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /rs
CREATERESTOREPOINT

Run OTL (Vista or Win 7 => right click and Run As Administrator)

Paste (Ctrl + v) the copied text in the box where it says Custom Scan/Fixes

Select the All option in the Extra Registry group then Run Scan.

You should get two logs. Please copy and paste both of them.

Ron

#3
BakaBLC

Thank you very much for replying. I've attached the txt files to not make the post too long. I hope that's OK.

Attached File: OTL.Txt (113.23KB)

Attached File: Extras.Txt (57.76KB)

#4
RKinner

Was off island all day today. Just got back and I'm too tired to create a fix tonight. Will work on it tomorrow morning.

#5
RKinner

Download the attached wshelper.zip file and save it to your desktop. Right click on it and Extract All. It will create a folder wshelper on your desktop. Inside the folder should be wshelper.dll. Copy the file to c:\windows\system32\ if it will let you. If not put it in c:\


Copy the text in the code box by highlighting and Ctrl + c

:processes
killallprocesses

:Services
aaekz1rz

:OTL
O20 - HKCU Winlogon: Shell - (expstart.exe) - C:\Windows\expstart.exe ()
O33 - MountPoints2\{da731cc0-2392-11e1-8fb3-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{da731cc0-2392-11e1-8fb3-806e6f6e6963}\Shell\AutoRun\command - "" = E:\Autorun.exe
[2012/06/20 16:00:02 | 000,000,488 | ---- | M] () -- C:\Windows\Tasks\1-Click Maintenance.job
[2012/06/19 21:35:00 | 000,000,910 | ---- | M] () -- C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2853764733-1156619883-1992211099-1000Core.job
[2012/06/20 15:35:03 | 000,000,932 | ---- | M] () -- C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2853764733-1156619883-1992211099-1000UA.job

:files
C:\Windows\System32\AFCUPDL.exe
C:\Windows\Installer\{237437bc-65a3-af1b-2595-d722b8b2092d}
C:\Windows\System32\config\systemprofile\AppData\Local\{237437bc-65a3-af1b-2595-d722b8b2092d}
sc config aaekz1rz start= disabled /c
sc delete aaekz1rz /c
reg export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters %userprofile%\Desktop\winsock2.reg /c
C:\Windows\System32\services.exe|C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe /replace
C:\Windows\system32\wshelper.dll|C:\wshelper.dll /replace
%windir%\System32\regsvr32.exe %windir%\System32\wshelper.dll /c
netsh winsock reset catalog /c
netsh int ipv4 reset reset.log hit /c


:reg
[HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]
""="%systemroot%\system32\wbem\wbemess.dll"
[-HKCU\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}]
[-HKCU\Software\Classes\clsid\{237437bc-65a3-af1b-2595-d722b8b2092d}]

:Commands
[EMPTYFLASH]
[EMPTYJAVA]
[purity]
[Reboot]


Then right-click on OTL and select Run As Administrator to start. Under the Custom Scans/Fixes box at the bottom, paste (Ctrl + v) the text. Verify that you got it all and then click the RUN FIX button (NOT THE QUICK SCAN button!) at the top.
Let the program run unhindered, OTL will reboot the PC when it is done. Save the log and copy and paste it into a reply. This will also create a file winsock2.reg on your desktop. It is an insurance file. If you can't get on the Internet after the fix, try right clicking on the winsock2.reg and Merge then reboot. If that doesn't help then do a System Restore.

Run OTL, QuickScan and post the log.


Download aswMBR.exe ( 511KB ) to your desktop.
Right click aswMBR.exe and Run as Administrator
uncheck trace disk IO calls
Click the "Scan" button to start scan (Accept the Avast Engine)
On completion of the scan if the Fix button is enabled (not the FixMBR button) press it and then run a new scan and click save log, save it to your desktop and post in your next reply
If the Fix button is not enabled then just click save log, save it to your desktop and post in your next reply

ComboFix

:!: It must be saved to your desktop, do not run it from your browser:!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Save this file -- to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Rightclick on ComboFix and select Run As Administrator to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.


Download TDSSKiller:
http://support.kaspe.../tdsskiller.exe
Save it to your desktop then run it.
Double click on TDSSKiller.exe (Vista or Win 7 must right click and Run As Admin)
If TDSSKiller alerts you that the system needs to reboot, please consent.

Run TDSSKiller again but this time:
before you hit the Scan hit Change Parameters and check the two items under Additional Options. OK then Scan.
In this mode it is prone to false positives so do not change the SKIP option to DELETE unless it says TDSS.
When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.



Malwarebytes' Anti-Malware
:!: If you have a previous version of MalwareBytes', remove it via Add or Remove Programs and download a fresh copy. :!:
http://www.malwareby...lwarebytes_free

SAVE Malwarebytes' Anti-Malware to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.
* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here.


Right click on (My) Computer and select Manage (Continue) Then the Event Viewer. Next select Windows Logs. Right click on System and Clear Log, Clear. Repeat for Application.

Reboot.

Start, All Programs, Accessories then right click on Command Prompt and Run as Administrator. Then type (with an Enter after each line).
sfc  /scannow

(This will check your critical system files. If it asks for a CD and you don't have one or it doesn't like your CD just tell it to SKIP.)


1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop:
2. Right-click VEW.exe and Run AS Administrator
3. Under 'Select log to query', select:

* System
4. Under 'Select type to list', select:
* Error
* Warning


Then use the 'Number of events' as follows:


1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.


Please post the Output log in your next reply then repeat but select Application.


Ron
  • 0

#6
BakaBLC

BakaBLC

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
sorry for replying late, had a busy day, didn't have time to come by the computer ...

Anyways, I ran that custom Fix.. and I got a popup window saying "OTL cannot create file C:\Users\Me\Desktop\cmb.bat". I clicked OK and then it seemed to have just stopped working. The program didn't seem to be doing anything at that point, left it for a long while to see if it continued but there was no change. Ended up closing it up and restarting the pc, since the desktop was disabled.
Tried it again and then got the popup 'The module "C:\Windows\System32\wshelper.dll" was loaded but the entry-point DLLRegisterServer was not found. Make sure that "C:\Windows\System32\wshelper.dll" is a valid DLL file and then try again.' I clicked OK and the fix continued then it rebooted the computer.
Seems to have completed that time.

The aswMBR scan ran without any problems.

However, during the ComboFix run all seemed well for a while but then in the middle of it my computer blue screened.. it didn't complete the process and no Combofix.txt file seems to have been created.. am a bit scared to try that again at this point, wonder what your advice may be ..
for now I'll include the logs for the steps I managed to complete.


and I apologize if anything in my posts/replies is hard to understand, describing things (especially computer related things) is not my forte.

Attached Files


Edited by BakaBLC, 22 June 2012 - 11:58 PM.

  • 0

#7
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,777 posts
  • MVP
Looks like your bug invited a friend as there are new infectors there now which weren't present earlier.

Uninstall Malwarebytes' Anti-Malware so it won't interfere. Pause AVG.


Copy the text in the code box by highlighting and Ctrl + c

:processes
killallprocesses

:Services
arunep31

:OTL
[2012/06/22 01:12:34 | 000,000,000 | ---D | C] -- C:\Users\Brenda\AppData\Local\{76346360-55A8-4A7B-9892-1386685E8858}
[2012/06/22 01:12:22 | 000,000,000 | ---D | C] -- C:\Users\Brenda\AppData\Local\{C1C80189-CCC2-4790-88B3-4F4F1C6C4D9C}
[2012/06/21 19:30:18 | 000,133,632 | ---- | C] (hghgghggh) -- C:\ProgramData\iJVI7GGs.exe_
[2012/06/21 19:24:49 | 000,133,632 | ---- | C] (hghgghggh) -- C:\0.9845922271335947.exe
[2012/06/21 12:49:19 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
[2012/06/21 01:05:20 | 000,000,000 | ---D | C] -- C:\Users\Brenda\AppData\Local\{61588321-AFD3-48D6-9004-3F98A0640FF1}
[2012/06/21 01:05:03 | 000,000,000 | ---D | C] -- C:\Users\Brenda\AppData\Local\{62E1B06A-270E-465D-AA27-A6FB269DCDBD}
[2012/06/21 00:50:29 | 000,000,000 | ---D | C] -- C:\Users\Brenda\AppData\Local\{73D03F59-4F6F-4941-B134-0391EDF5DCE4}
[2012/06/21 00:50:16 | 000,000,000 | ---D | C] -- C:\Users\Brenda\AppData\Local\{FE2CC4B1-3D5C-420C-8AB9-9937F035D8B9}
[2012/06/23 01:01:48 | 000,000,342 | ---- | M] () -- C:\Windows\tasks\At26.job
[2012/06/23 01:00:08 | 000,000,340 | ---- | M] () -- C:\Windows\tasks\At2.job
[2012/06/23 00:56:11 | 000,000,342 | ---- | M] () -- C:\Windows\tasks\At25.job
[2012/06/23 00:08:06 | 000,000,340 | ---- | M] () -- C:\Windows\tasks\At1.job
[2012/06/22 23:00:16 | 000,000,340 | ---- | M] () -- C:\Windows\tasks\At24.job
[2012/06/22 23:00:15 | 000,000,342 | ---- | M] () -- C:\Windows\tasks\At48.job
[2012/06/22 22:00:16 | 000,000,342 | ---- | M] () -- C:\Windows\tasks\At47.job
[2012/06/22 22:00:16 | 000,000,340 | ---- | M] () -- C:\Windows\tasks\At23.job
[2012/06/22 21:00:14 | 000,000,340 | ---- | M] () -- C:\Windows\tasks\At22.job
[2012/06/22 21:00:13 | 000,000,342 | ---- | M] () -- C:\Windows\tasks\At46.job
[2012/06/22 20:00:13 | 000,000,340 | ---- | M] () -- C:\Windows\tasks\At21.job
[2012/06/22 20:00:12 | 000,000,342 | ---- | M] () -- C:\Windows\tasks\At45.job
[2012/06/22 19:00:14 | 000,000,340 | ---- | M] () -- C:\Windows\tasks\At20.job
[2012/06/22 19:00:13 | 000,000,342 | ---- | M] () -- C:\Windows\tasks\At44.job
[2012/06/22 18:00:15 | 000,000,342 | ---- | M] () -- C:\Windows\tasks\At43.job
[2012/06/22 18:00:15 | 000,000,340 | ---- | M] () -- C:\Windows\tasks\At19.job
[2012/06/22 17:00:13 | 000,000,340 | ---- | M] () -- C:\Windows\tasks\At18.job
[2012/06/22 17:00:12 | 000,000,342 | ---- | M] () -- C:\Windows\tasks\At42.job
[2012/06/22 16:00:20 | 000,000,342 | ---- | M] () -- C:\Windows\tasks\At41.job
[2012/06/22 16:00:20 | 000,000,340 | ---- | M] () -- C:\Windows\tasks\At17.job
[2012/06/22 15:00:12 | 000,000,342 | ---- | M] () -- C:\Windows\tasks\At40.job
[2012/06/22 15:00:00 | 000,000,340 | ---- | M] () -- C:\Windows\tasks\At16.job
[2012/06/22 14:00:21 | 000,000,342 | ---- | M] () -- C:\Windows\tasks\At39.job
[2012/06/22 14:00:21 | 000,000,340 | ---- | M] () -- C:\Windows\tasks\At15.job
[2012/06/21 21:36:43 | 000,000,342 | ---- | M] () -- C:\Windows\tasks\At38.job
[2012/06/21 21:36:43 | 000,000,342 | ---- | M] () -- C:\Windows\tasks\At37.job
[2012/06/21 21:36:43 | 000,000,342 | ---- | M] () -- C:\Windows\tasks\At36.job
[2012/06/21 21:36:43 | 000,000,342 | ---- | M] () -- C:\Windows\tasks\At35.job
[2012/06/21 21:36:43 | 000,000,342 | ---- | M] () -- C:\Windows\tasks\At34.job
[2012/06/21 21:36:43 | 000,000,342 | ---- | M] () -- C:\Windows\tasks\At33.job
[2012/06/21 21:36:43 | 000,000,342 | ---- | M] () -- C:\Windows\tasks\At32.job
[2012/06/21 21:36:43 | 000,000,342 | ---- | M] () -- C:\Windows\tasks\At31.job
[2012/06/21 21:36:43 | 000,000,342 | ---- | M] () -- C:\Windows\tasks\At30.job
[2012/06/21 21:36:43 | 000,000,342 | ---- | M] () -- C:\Windows\tasks\At29.job
[2012/06/21 21:36:43 | 000,000,342 | ---- | M] () -- C:\Windows\tasks\At28.job
[2012/06/21 21:36:43 | 000,000,342 | ---- | M] () -- C:\Windows\tasks\At27.job
[2012/06/21 21:36:43 | 000,000,340 | ---- | M] () -- C:\Windows\tasks\At9.job
[2012/06/21 21:36:43 | 000,000,340 | ---- | M] () -- C:\Windows\tasks\At8.job
[2012/06/21 21:36:43 | 000,000,340 | ---- | M] () -- C:\Windows\tasks\At7.job
[2012/06/21 21:36:43 | 000,000,340 | ---- | M] () -- C:\Windows\tasks\At6.job
[2012/06/21 21:36:43 | 000,000,340 | ---- | M] () -- C:\Windows\tasks\At5.job
[2012/06/21 21:36:43 | 000,000,340 | ---- | M] () -- C:\Windows\tasks\At4.job
[2012/06/21 21:36:43 | 000,000,340 | ---- | M] () -- C:\Windows\tasks\At3.job
[2012/06/21 21:36:43 | 000,000,340 | ---- | M] () -- C:\Windows\tasks\At14.job
[2012/06/21 21:36:42 | 000,000,340 | ---- | M] () -- C:\Windows\tasks\At13.job
[2012/06/21 21:36:42 | 000,000,340 | ---- | M] () -- C:\Windows\tasks\At12.job
[2012/06/21 21:36:42 | 000,000,340 | ---- | M] () -- C:\Windows\tasks\At11.job
[2012/06/21 21:36:42 | 000,000,340 | ---- | M] () -- C:\Windows\tasks\At10.job
[2012/06/21 19:24:52 | 000,133,632 | ---- | M] (hghgghggh) -- C:\ProgramData\iJVI7GGs.exe_
[2012/06/21 19:24:52 | 000,133,632 | ---- | M] (hghgghggh) -- C:\0.9845922271335947.exe
[2012/06/21 19:24:52 | 000,133,632 | ---- | M] () -- C:\ProgramData\iJVI7GGs.exe

:files
C:\Windows\Assembly\GAC_32\Desktop.ini
C:\Windows\Assembly\GAC_64\Desktop.ini
C:\Windows\tasks\*.job
sc config arunep31 start= disabled /c
sc delete arunep31 /c
     
:Commands
[EMPTYFLASH]
[EMPTYJAVA]
[purity]
[Reboot]


Then right-click on OTL and select Run As Administrator to start. Under the Custom Scans/Fixes box at the bottom, paste (Ctrl + v) the text. Verify that you got it all and then click the RUN FIX button (NOT THE QUICK SCAN button!) at the top.
Let the program run unhindered, OTL will reboot the PC when it is done.

Now try Combofix again. Remember that AVG must not be active while Combofix is running. IF you can't get Combofix to work then go on to the other scans.

Ron
  • 0

#8
BakaBLC

BakaBLC

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
after running that custom fix the CustomFix scan seemed to go well.. but after rebooting, my computer blue screened again without fully completing the process.. I thought of looking at the task manager and noticed that my CPU Usage seems to spike at 100% a lot when it has just been turned on, maybe some other programs run in the background? although I have already unchecked everything in the 'start up' tab in msconfig :/
anyways it must have been too much for it to handle leading to the blue screen...
so I gave up on the ComboFix..

Continued with the rest of the scans from where I had left off..

TDSSKiller went smoothly as far as I remember. although after it completed and rebooted, my wireless adapter driver seemed to stop working.. but after restarting the pc it was normal again.

and no further trouble with the rest of the scans :D

lol, it was a lot of steps so I hope I didn't leave anything out..

EDIT: after doing everything you've told me to do so far, I went and restarted the pc again and checked the CPU usage to see if anything changed there.. and it seems to have gotten better, even letting me play videos and not lagging or freezing as it used to. It seems to be hanging mostly around the 40-60% mark now when I'm not doing too much, whereas it would peak even when I didn't do anything.. I'm actually playing a video right now as I type this, which I wouldn't have been able to do before.. xD

Attached Files


Edited by BakaBLC, 23 June 2012 - 06:10 PM.

  • 0

#9
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,777 posts
  • MVP
Run TDSSKiller again just to make sure that the stuff it found is really gone.

Run OTL, Quickscan and post the log.

See if you have a log at c:\combofix.txt or c:\Combofix\combofix.txt or C:\qoobox\combofixN.txt where N may be any number. Also look for c:\qoobox\ComboFix-quarantined-files.txt or similar. Attach any you find. Since it ran until the reboot it may be your antivirus coming back on that is killing it but there might be a log we can use.

Try aswMBR again. Delete your old one and download a new copy. It claims it wasn't able to get the Avast database the first time.

Get Process Explorer

http://live.sysinter...com/procexp.exe
Save it to your desktop then run it (Vista or Win7 - right click and Run As Administrator).

View, Select Column, check Verified Signer, OK
Options, Verify Image Signatures


Click twice on the CPU column header to sort things by CPU usage with the big hitters at the top.

Wait a minute for things to settle down.

File, Save As, Save. Open the file Procexp.txt on your desktop and copy and paste the text to a reply.
  • 0

#10
BakaBLC

BakaBLC

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
the aswMBR scan looks like it failed to download the Avast database again.. tried a couple of times.

um, I may be pasting this incorrectly..used the code box, hope that's ok >.>
but here..

Process Explorer Log:

Process	PID	CPU	Private Bytes	Working Set	Description	Company Name	Verified Signer
System Idle Process	0	79.40	0 K	24 K			
procexp.exe	1132	15.38	17,872 K	37,108 K	Sysinternals Process Explorer	Sysinternals - www.sysinternals.com	(Verified) Microsoft Corporation
svchost.exe	1680	1.31	8,676 K	9,560 K	Host Process for Windows Services	Microsoft Corporation	(Verified) Microsoft Windows
dwm.exe	2760	1.11	45,132 K	39,076 K	Desktop Window Manager	Microsoft Corporation	(Verified) Microsoft Windows
avgrsx.exe	360	1.05	63,736 K	2,168 K	AVG Resident Shield Service	AVG Technologies CZ, s.r.o.	(Verified) AVG Technologies
Interrupts	n/a	0.66	0 K	0 K	Hardware Interrupts and DPCs		
System	4	0.41	292 K	1,048 K			
svchost.exe	1028	0.16	15,940 K	15,872 K	Host Process for Windows Services	Microsoft Corporation	(Verified) Microsoft Windows
explorer.exe	2788	0.11	42,956 K	71,388 K	Windows Explorer	Microsoft Corporation	(Verified) Microsoft Windows
Adobe_Updater.exe	3788	0.09	4,724 K	11,832 K	Adobe Updater	Adobe Systems Incorporated	(Verified) Adobe Systems Incorporated
svchost.exe	3424	0.06	5,580 K	41,076 K	Host Process for Windows Services	Microsoft Corporation	(Verified) Microsoft Windows
svchost.exe	3832	0.03	8,724 K	11,020 K	Host Process for Windows Services	Microsoft Corporation	(Verified) Microsoft Windows
wmpnetwk.exe	3320	0.03	10,408 K	8,672 K	Windows Media Player Network Sharing Service	Microsoft Corporation	(Verified) Microsoft Windows
csrss.exe	688	0.03	5,548 K	11,652 K	Client Server Runtime Process	Microsoft Corporation	(Verified) Microsoft Windows
lsass.exe	792	0.03	3,292 K	9,068 K	Local Security Authority Process	Microsoft Corporation	(Verified) Microsoft Windows
svchost.exe	1332	0.02	6,268 K	11,484 K	Host Process for Windows Services	Microsoft Corporation	(Verified) Microsoft Windows
avgwdsvc.exe	1828	0.02	6,664 K	5,264 K	AVG Watchdog Service	AVG Technologies CZ, s.r.o.	(Verified) AVG Technologies
svchost.exe	1528	0.02	12,688 K	12,604 K	Host Process for Windows Services	Microsoft Corporation	(Verified) Microsoft Windows
svchost.exe	1200	0.02	17,628 K	30,308 K	Host Process for Windows Services	Microsoft Corporation	(Verified) Microsoft Windows
SearchIndexer.exe	3240	0.01	39,104 K	24,744 K	Microsoft Windows Search Indexer	Microsoft Corporation	(Verified) Microsoft Windows
avgfws.exe	1800	0.01	12,156 K	20,076 K	AVG Firewall Service	AVG Technologies CZ, s.r.o.	(Verified) AVG Technologies
taskhost.exe	2680	0.01	6,996 K	7,552 K	Host Process for Windows Tasks	Microsoft Corporation	(Verified) Microsoft Windows
svchost.exe	1172	0.01	68,188 K	76,840 K	Host Process for Windows Services	Microsoft Corporation	(Verified) Microsoft Windows
csrss.exe	604	0.01	1,296 K	3,336 K	Client Server Runtime Process	Microsoft Corporation	(Verified) Microsoft Windows
WLIDSVC.EXE	564	< 0.01	4,432 K	10,564 K	Microsoft® Windows Live ID Service	Microsoft Corp.	(Verified) Microsoft Corporation
wuauclt.exe	876		1,232 K	5,000 K	Windows Update	Microsoft Corporation	(Verified) Microsoft Windows
WmiPrvSE.exe	1228		1,656 K	4,444 K	WMI Provider Host	Microsoft Corporation	(Verified) Microsoft Windows
WLIDSVCM.EXE	1616		600 K	2,328 K	Microsoft® Windows Live ID Service Monitor	Microsoft Corp.	(Verified) Microsoft Corporation
winlogon.exe	728		1,544 K	4,848 K	Windows Logon Application	Microsoft Corporation	(Verified) Microsoft Windows
wininit.exe	680		872 K	3,472 K	Windows Start-Up Application	Microsoft Corporation	(Verified) Microsoft Windows
svchost.exe	976		2,776 K	5,952 K	Host Process for Windows Services	Microsoft Corporation	(Verified) Microsoft Windows
svchost.exe	544		1,096 K	4,188 K	Host Process for Windows Services	Microsoft Corporation	(Verified) Microsoft Windows
svchost.exe	908		2,484 K	6,544 K	Host Process for Windows Services	Microsoft Corporation	(Verified) Microsoft Windows
svchost.exe	1976		1,168 K	4,220 K	Host Process for Windows Services	Microsoft Corporation	(Verified) Microsoft Windows
spoolsv.exe	1640		4,512 K	9,068 K	Spooler SubSystem App	Microsoft Corporation	(Verified) Microsoft Windows
smss.exe	272		220 K	796 K	Windows Session Manager	Microsoft Corporation	(Verified) Microsoft Windows
services.exe	784		4,568 K	7,632 K	Services and Controller app	Microsoft Corporation	(Verified) Microsoft Windows
MSCamS32.exe	1876		1,136 K	4,728 K	MsCamSvc.exe	Microsoft Corporation	(Verified) Microsoft Corporation
lsm.exe	800		1,208 K	3,004 K	Local Session Manager Service	Microsoft Corporation	(Verified) Microsoft Windows
dllhost.exe	2468		1,368 K	4,620 K	COM Surrogate	Microsoft Corporation	(Verified) Microsoft Windows
avgcsrvx.exe	392		16,680 K	332 K	AVG Scanning Core Module - Server Part	AVG Technologies CZ, s.r.o.	(Verified) AVG Technologies
audiodg.exe	1464		17,328 K	15,484 K	Windows Audio Device Graph Isolation 	Microsoft Corporation	(Verified) Microsoft Windows


Attached Files


  • 0
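The Verified Signer check requested in post #9 can also be run over the saved export mechanically. The Python below is an added example, not part of the original thread: it parses the tab-separated Process Explorer log and flags any process without a "(Verified)" signer, plus core Windows process names whose signer is not "(Verified) Microsoft Windows" as in the log above. The function names are hypothetical, and the last two sample rows are constructed to show what a finding looks like.

```python
# Added example: triage of a Process Explorer "Save As" export (tab-separated).
HEADER = ("Process", "PID", "CPU", "Private Bytes", "Working Set",
          "Description", "Company Name", "Verified Signer")

# The first seven rows follow the log posted in the thread; the last two are
# CONSTRUCTED (not from the thread) so the checks have something to flag.
_ROWS = [
    ("System Idle Process", "0", "79.40", "0 K", "24 K", "", "", ""),
    ("procexp.exe", "1132", "15.38", "17,872 K", "37,108 K",
     "Sysinternals Process Explorer", "Sysinternals - www.sysinternals.com",
     "(Verified) Microsoft Corporation"),
    ("svchost.exe", "1680", "1.31", "8,676 K", "9,560 K",
     "Host Process for Windows Services", "Microsoft Corporation",
     "(Verified) Microsoft Windows"),
    ("avgrsx.exe", "360", "1.05", "63,736 K", "2,168 K",
     "AVG Resident Shield Service", "AVG Technologies CZ, s.r.o.",
     "(Verified) AVG Technologies"),
    ("Interrupts", "n/a", "0.66", "0 K", "0 K",
     "Hardware Interrupts and DPCs", "", ""),
    ("System", "4", "0.41", "292 K", "1,048 K", "", "", ""),
    ("services.exe", "784", "", "4,568 K", "7,632 K",
     "Services and Controller app", "Microsoft Corporation",
     "(Verified) Microsoft Windows"),
    ("kb00412.exe", "4120", "12.50", "3,100 K", "6,200 K", "", "", ""),
    ("svchost.exe", "4388", "< 0.01", "2,040 K", "5,116 K",
     "Host Process for Windows Services", "Microsoft Corporation",
     "(Verified) Example Software Ltd"),
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in (HEADER, *_ROWS))

# Kernel pseudo-entries have no image file, so an empty signer is expected.
PSEUDO = {"system idle process", "system", "interrupts"}
# Names that appear in the thread's log signed as "(Verified) Microsoft Windows".
CORE = {"svchost.exe", "services.exe", "lsass.exe", "lsm.exe", "winlogon.exe",
        "wininit.exe", "csrss.exe", "smss.exe", "explorer.exe"}
CORE_SIGNER = "(Verified) Microsoft Windows"


def parse_procexp(text):
    """Return one dict per process row, keyed by the export's column names."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split("\t")
    rows = []
    for line in lines[1:]:
        cells = line.split("\t")
        cells += [""] * (len(header) - len(cells))  # pad rows with blank tail columns
        rows.append({name: cell.strip() for name, cell in zip(header, cells)})
    return rows


def cpu_value(cell):
    """CPU is blank for idle processes and '< 0.01' for near-idle ones."""
    cell = cell.replace("<", "").strip()
    return float(cell) if cell else 0.0


def triage(rows):
    """Return (process, pid, reason) tuples, highest CPU first."""
    findings = []
    for row in rows:
        name, signer = row["Process"], row["Verified Signer"]
        if name.lower() in PSEUDO:
            continue
        if not signer.startswith("(Verified)"):
            reason = "no verified signer"
        elif name.lower() in CORE and signer != CORE_SIGNER:
            reason = "core Windows name with unexpected signer: " + signer
        else:
            continue
        findings.append((cpu_value(row["CPU"]), name, row["PID"], reason))
    findings.sort(key=lambda f: f[0], reverse=True)
    return [(name, pid, reason) for _, name, pid, reason in findings]


if __name__ == "__main__":
    for name, pid, reason in triage(parse_procexp(SAMPLE_LOG)):
        print(f"{name} (PID {pid}): {reason}")
```

A clean result here only means every running image carried a valid signature at the time of the export; it says nothing about drivers or services that are not running as processes.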



#11
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,777 posts
  • MVP
Actually I think I will have everyone use the code box for the Process Explorer log from now on. It is much easier to read that way as it preserves more of the column structure.

We may still have something hiding. OTL sees a strange driver:

DRV - File not found [Kernel | On_Demand | Unknown] -- -- (ahhg3fw5)

but Process Explorer looks pretty good.

Copy the text in the code box by highlighting and Ctrl + c

:Services
ahhg3fw5

:OTL
DRV - File not found [Kernel | On_Demand | Unknown] --  -- (ahhg3fw5)

:files
sc config ahhg3fw5 start= disabled /c
sc delete ahhg3fw5 /c
     
:Commands
[Reboot]


Then right-click on OTL and select Run As Administrator to start. Under the Custom Scans/Fixes box at the bottom, paste (Ctrl + v) the text. Verify that you got it all and then click the RUN FIX button (NOT THE QUICK SCAN button!) at the top.
Let the program run unhindered, OTL will reboot the PC when it is done. Copy and paste the log into a reply.

If you have rebooted then run Quickscan again and replace the ahhg3fw5 in the above with the new value if it has changed. I get the feeling we get a new one each reboot.

Once done run another OTL, Quickscan.

I'm guessing the AVG firewall is blocking aswMBR from downloading the database and probably killing off Combofix too. If you haven't rebooted since running the Quickscan let's see if we can get rid of the driver:

Your AVG appears to be the paid for version. Do you have the license key so that we could uninstall it and reinstall it later? I would really like to get a Combofix and aswMBR scan to be sure we are clean.
  • 0

#12
BakaBLC

BakaBLC

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
ok, attached the log created after the fix.. and the log from the scan.. you were right, it does show the file with a different name every time.. ran the fix again with the new file name and a quickscan showed a new file yet again..

I uninstalled AVG (it's the free version so it's not a big deal) to run the aswMBR scan .. I had to delete a folder containing Photoshop CS4 because it would freeze every time it tried scanning it..
but, finally completed the scan and ComboFix too :D

a bit slow on replying again today, sorry ..

Attached Files


  • 0

#13
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,777 posts
  • MVP
Copy the text in the code box by highlighting and Ctrl + c

:files
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services /s /c
    
:Commands
[EMPTYTEMP]
[Reboot]


Then right-click on OTL and select Run As Administrator to start. Under the Custom Scans/Fixes box at the bottom, paste (Ctrl + v) the text. Verify that you got it all and then click the RUN FIX button (NOT THE QUICK SCAN button!) at the top.
Let the program run unhindered, OTL will reboot the PC when it is done. Save and Attach the log file please.

Use IE and go to http://eset.com/onlinescan and click on ESET online Scanner. Accept the terms then press Start (If you get a warning from your browser tell it you want to run it).

# Check Scan Archives
# Push the Start button.
# ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
# When the scan completes, push LIST OF THREATS FOUND
# Push EXPORT TO TEXT FILE , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
# Push the BACK button.
# Push Finish
# Once the scan is completed, you may close the window.
# Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
# Copy and paste that log as a reply.


Let's also try the bitdefender quickscan.

http://quickscan.bitdefender.com/

When it finishes there is a View Report option at the bottom. Click on it and copy and paste the report (even if it says nothing found).

Let's install the free Avast in place of AVG for now. Download and save the free avast installer

http://www.avast.com...ivirus-download

(Click on the Download button in the free column. Tell them No I want the free version when you get the popup then click on Download Now. Save the file.)

Install Avast by right clicking on the installer program and Run As Admin. (Register when it asks you - they will try to talk you in to buying the full product but the free version is what we want.)

Once it installs and updates:

Click on the Avast ball. Then click on Scan Computer, then on Boot-Time Scan then on Settings. Change the Ask at the bottom to Move to Chest. OK then Schedule Now. Reboot and let it run a scan. It may take 6 hours so it's a good one to let run while you sleep.
Once it finishes it should load windows. Click on the Avast ball and then on Scan Logs, select the Boot-time scan report then View Results. How many did it find? It will tell you where it will hide the log file at the beginning of the scan. Usually it is at:
C:\ProgramData\Avast Software\Avast\report\aswboot.txt or C:\ProgramData\Alwil Software\Avast5\report\aswboot.txt. If you can find the file please attach it.
  • 0

#14
BakaBLC

BakaBLC

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
the OTL scan file size is too large for me to attach or paste into a reply..


ESET Threats found:
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6GUXJYT5\main[2].htm	JS/Kryptik.PH trojan	cleaned by deleting - quarantined
C:\_OTL\MovedFiles\06232012_004652\C_Windows\Installer\{237437bc-65a3-af1b-2595-d722b8b2092d}\n	Win32/Sirefef.EV trojan	cleaned by deleting - quarantined
C:\_OTL\MovedFiles\06232012_004652\C_Windows\Installer\{237437bc-65a3-af1b-2595-d722b8b2092d}\U\[email protected]	a variant of Win32/Sirefef.FA trojan	cleaned by deleting - quarantined
C:\_OTL\MovedFiles\06232012_004652\C_Windows\Installer\{237437bc-65a3-af1b-2595-d722b8b2092d}\U\[email protected]	probably a variant of Win32/Agent.TEO trojan	cleaned by deleting - quarantined
C:\_OTL\MovedFiles\06232012_004652\C_Windows\System32\config\systemprofile\AppData\Local\{237437bc-65a3-af1b-2595-d722b8b2092d}\n	Win32/Sirefef.EV trojan	cleaned by deleting - quarantined
C:\_OTL\MovedFiles\06232012_010944\C_Windows\System32\config\systemprofile\AppData\Local\{237437bc-65a3-af1b-2595-d722b8b2092d}\n	Win32/Sirefef.EV trojan	cleaned by deleting - quarantined
C:\_OTL\MovedFiles\06232012_120932\C_\0.9845922271335947.exe	a variant of Win32/Injector.SZS trojan	cleaned by deleting - quarantined
C:\_OTL\MovedFiles\06232012_120932\C_ProgramData\iJVI7GGs.exe	a variant of Win32/Injector.SZS trojan	cleaned by deleting - quarantined
C:\_OTL\MovedFiles\06232012_120932\C_ProgramData\iJVI7GGs.exe_	a variant of Win32/Injector.SZS trojan	cleaned by deleting - quarantined

\EsetOnlineScanner\log.txt:

[email protected] as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=ac3fac7c3fc79b4aa9761edcacc39aa8
# end=stopped
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-06-25 08:21:47
# local_time=2012-06-25 04:21:47 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7600 NT 
# compatibility_mode=5893 16776573 100 94 0 92152714 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=58079
# found=8
# cleaned=8
# scan_time=4585
C:\Program Files\Veoh Networks\VeohWebPlayer\qlps-qlipso-sntb.exe	Win32/Toolbar.Zugo application (cleaned by deleting - quarantined)	00000000000000000000000000000000	C
C:\TDSSKiller_Quarantine\23.06.2012_17.52.50\mbr0000\tdlfs0000\tsk0001.dta	Win32/Olmarik.AYI trojan (cleaned by deleting - quarantined)	00000000000000000000000000000000	C
C:\TDSSKiller_Quarantine\23.06.2012_17.52.50\mbr0000\tdlfs0000\tsk0002.dta	Win64/Olmarik.AK trojan (cleaned by deleting - quarantined)	00000000000000000000000000000000	C
C:\TDSSKiller_Quarantine\23.06.2012_17.52.50\mbr0000\tdlfs0000\tsk0003.dta	a variant of Win32/Rootkit.Kryptik.KS trojan (cleaned by deleting - quarantined)	00000000000000000000000000000000	C
C:\TDSSKiller_Quarantine\23.06.2012_17.52.50\mbr0000\tdlfs0000\tsk0004.dta	Win64/Olmarik.AK trojan (cleaned by deleting - quarantined)	00000000000000000000000000000000	C
C:\TDSSKiller_Quarantine\23.06.2012_17.52.50\mbr0000\tdlfs0000\tsk0008.dta	Win32/Olmarik.AFK trojan (cleaned by deleting - quarantined)	00000000000000000000000000000000	C
C:\TDSSKiller_Quarantine\23.06.2012_17.52.50\mbr0000\tdlfs0000\tsk0009.dta	Win64/Olmarik.AK trojan (cleaned by deleting - quarantined)	00000000000000000000000000000000	C
C:\Users\Brenda\Downloads\New WinRAR archive.rar	Win32/Toolbar.AskSBar application (deleted - quarantined)	00000000000000000000000000000000	C
# version=7
# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=ac3fac7c3fc79b4aa9761edcacc39aa8
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-06-25 04:38:08
# local_time=2012-06-25 12:38:08 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7600 NT 
# compatibility_mode=5893 16776573 100 94 0 92176437 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=237293
# found=9
# cleaned=9
# scan_time=10642
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6GUXJYT5\main[2].htm	JS/Kryptik.PH trojan (cleaned by deleting - quarantined)	00000000000000000000000000000000	C
C:\_OTL\MovedFiles\06232012_004652\C_Windows\Installer\{237437bc-65a3-af1b-2595-d722b8b2092d}\n	Win32/Sirefef.EV trojan (cleaned by deleting - quarantined)	00000000000000000000000000000000	C
C:\_OTL\MovedFiles\06232012_004652\C_Windows\Installer\{237437bc-65a3-af1b-2595-d722b8b2092d}\U\[email protected]	a variant of Win32/Sirefef.FA trojan (cleaned by deleting - quarantined)	00000000000000000000000000000000	C
C:\_OTL\MovedFiles\06232012_004652\C_Windows\Installer\{237437bc-65a3-af1b-2595-d722b8b2092d}\U\[email protected]	probably a variant of Win32/Agent.TEO trojan (cleaned by deleting - quarantined)	00000000000000000000000000000000	C
C:\_OTL\MovedFiles\06232012_004652\C_Windows\System32\config\systemprofile\AppData\Local\{237437bc-65a3-af1b-2595-d722b8b2092d}\n	Win32/Sirefef.EV trojan (cleaned by deleting - quarantined)	00000000000000000000000000000000	C
C:\_OTL\MovedFiles\06232012_010944\C_Windows\System32\config\systemprofile\AppData\Local\{237437bc-65a3-af1b-2595-d722b8b2092d}\n	Win32/Sirefef.EV trojan (cleaned by deleting - quarantined)	00000000000000000000000000000000	C
C:\_OTL\MovedFiles\06232012_120932\C_\0.9845922271335947.exe	a variant of Win32/Injector.SZS trojan (cleaned by deleting - quarantined)	00000000000000000000000000000000	C
C:\_OTL\MovedFiles\06232012_120932\C_ProgramData\iJVI7GGs.exe	a variant of Win32/Injector.SZS trojan (cleaned by deleting - quarantined)	00000000000000000000000000000000	C
C:\_OTL\MovedFiles\06232012_120932\C_ProgramData\iJVI7GGs.exe_	a variant of Win32/Injector.SZS trojan (cleaned by deleting - quarantined)	00000000000000000000000000000000	C


attached are the bitdefender log..and Avast log

Attached Files


  • 0
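Most paths in the ESET log above sit under C:\_OTL\MovedFiles and C:\TDSSKiller_Quarantine, that is, copies the earlier OTL fixes and TDSSKiller had already moved aside, so the hit count overstates what was still in place. The Python below is an added example, not part of the original thread: it parses log.txt-style lines, maps OTL-moved files back to their original location, and separates them from detections at live paths. The function names are hypothetical, the `<drive>_` path mapping is inferred from the paths shown in the log, and the sample lines are constructed in the log's layout (entries whose file names are obscured on the page are left out).

```python
import re
from collections import Counter

# OTL-moved files appear as C:\_OTL\MovedFiles\<MMDDYYYY_HHMMSS>\<drive>_<rest>.
# ASSUMPTION: the "<drive>_" encoding is inferred from the paths in the thread.
OTL_MOVED = re.compile(r"^[A-Za-z]:\\_OTL\\MovedFiles\\\d{8}_\d{6}\\([A-Za-z])_(.*)$")
TDSS_QUAR = re.compile(r"^[A-Za-z]:\\TDSSKiller_Quarantine\\")
DETECTION = re.compile(
    r"^(?:probably )?(?:a variant of )?(?P<name>\S+/\S+) "
    r"(?P<kind>trojan|application) \((?P<action>[^)]*)\)$")

# CONSTRUCTED sample in the layout of log.txt: path, detection, hash, flag.
_ROWS = [
    (r"C:\_OTL\MovedFiles\06232012_004652\C_Windows\Installer"
     r"\{237437bc-65a3-af1b-2595-d722b8b2092d}\n",
     "Win32/Sirefef.EV trojan (cleaned by deleting - quarantined)"),
    (r"C:\_OTL\MovedFiles\06232012_120932\C_\0.9845922271335947.exe",
     "a variant of Win32/Injector.SZS trojan (cleaned by deleting - quarantined)"),
    (r"C:\_OTL\MovedFiles\06232012_120932\C_ProgramData\iJVI7GGs.exe",
     "a variant of Win32/Injector.SZS trojan (cleaned by deleting - quarantined)"),
    (r"C:\TDSSKiller_Quarantine\23.06.2012_17.52.50\mbr0000\tdlfs0000\tsk0001.dta",
     "Win32/Olmarik.AYI trojan (cleaned by deleting - quarantined)"),
    (r"C:\Program Files\Veoh Networks\VeohWebPlayer\qlps-qlipso-sntb.exe",
     "Win32/Toolbar.Zugo application (cleaned by deleting - quarantined)"),
    (r"C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows"
     r"\Temporary Internet Files\Content.IE5\6GUXJYT5\main[2].htm",
     "JS/Kryptik.PH trojan (cleaned by deleting - quarantined)"),
]
SAMPLE_LOG = "# end=finished\n# osver=6.1.7600 NT\n" + "\n".join(
    "\t".join((path, detection, "0" * 32, "C")) for path, detection in _ROWS)


def locate(path):
    """Classify a hit and, for OTL-moved files, rebuild the original path."""
    moved = OTL_MOVED.match(path)
    if moved:
        drive, rest = moved.groups()
        return "otl-moved", drive + ":\\" + rest.lstrip("\\")
    if TDSS_QUAR.match(path):
        return "tdsskiller-quarantine", None  # extracted from the MBR, no file path
    return "live", path


def parse_eset_log(text):
    """Return one dict per detection line; '#' metadata lines are skipped."""
    hits = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 2:
            continue
        match = DETECTION.match(fields[1].strip())
        if not match:
            continue
        where, original = locate(fields[0])
        name = match.group("name")
        hits.append({
            "path": fields[0],
            "name": name,
            "family": name.split("/", 1)[1].split(".")[0],
            "kind": match.group("kind"),
            "action": match.group("action"),
            "where": where,
            "original": original,
        })
    return hits


def summarize(hits):
    """Count families and split quarantine copies from live-path detections."""
    return {
        "families": Counter(hit["family"] for hit in hits),
        "live": [hit for hit in hits if hit["where"] == "live"],
        "otl_originals": sorted(
            {hit["original"] for hit in hits if hit["where"] == "otl-moved"}),
    }


if __name__ == "__main__":
    report = summarize(parse_eset_log(SAMPLE_LOG))
    print(dict(report["families"]))
    for hit in report["live"]:
        print("live:", hit["name"], hit["path"])
    for path in report["otl_originals"]:
        print("already moved by OTL from:", path)
```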

#15
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,777 posts
  • MVP
I sent you a PM about the OTL scan.
  • 0





