
virus PUP.my websearch [Solved]



#1
mnstrbuck (Member, 36 posts)
This is my log from the last scan of Malwarebytes.

Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.09.21.09

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
user :: USER-04C1162F33 [administrator]

9/26/2012 3:39:23 AM
mbam-log-2012-09-26 (03-39-23).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 254771
Time elapsed: 32 minute(s), 20 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|VideoDownloadConverter_4zbar Uninstall (PUP.MyWebSearch) -> Data: rundll32 C:\PROGRA~1\4ZUNIN~1.DLL,O -3 -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Program Files\VideoDownloadConverter_4z\bar\1.bin\4zbrstub.dll (PUP.MyWebSearch) -> Delete on reboot.
C:\Program Files\VideoDownloadConverter_4z\bar\1.bin\4zbrmon.exe (PUP.MyWebSearch) -> Delete on reboot.
C:\Program Files\4zUninstall VideoDownloadConverter.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.

(end)


#2
mnstrbuck (Member, 36 posts)
Here is an OTL scan for my computer.

OTL logfile created on: 9/26/2012 4:27:16 AM - Run 1
OTL by OldTimer - Version 3.2.68.0 Folder = C:\Documents and Settings\user\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.87 Gb Total Physical Memory | 1.19 Gb Available Physical Memory | 63.31% Memory free
3.72 Gb Paging File | 3.01 Gb Available in Paging File | 80.75% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.00 Gb Total Space | 46.81 Gb Free Space | 31.41% Space Free | Partition Type: NTFS

Computer Name: USER-04C1162F33 | User Name: user | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/09/26 04:26:13 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OTL.exe
PRC - [2012/09/21 12:48:30 | 000,161,768 | ---- | M] (Oracle Corporation) -- C:\Program Files\Java\jre7\bin\jqs.exe
PRC - [2012/09/07 17:04:46 | 000,676,936 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012/09/07 17:04:46 | 000,399,432 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
PRC - [2012/09/07 17:04:44 | 000,766,536 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2012/03/26 17:08:12 | 000,931,200 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2012/03/26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
PRC - [2012/03/26 02:34:22 | 000,306,688 | ---- | M] (FileHippo.com) -- C:\Program Files\FileHippo.com\UpdateChecker.exe
PRC - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/04/14 07:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2012/09/12 19:31:40 | 000,428,544 | ---- | M] () -- C:\Documents and Settings\user\Application Data\wilane.dll
MOD - [2012/06/13 05:25:32 | 011,817,472 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web\dbc413807cb7360b3e26ef3ca1d54f9a\System.Web.ni.dll
MOD - [2012/06/13 05:25:15 | 001,712,128 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\359fd69eb60e9844ffd497e92345178c\Microsoft.VisualBasic.ni.dll
MOD - [2012/06/13 05:21:24 | 012,433,920 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\01abbadafaf265d9f4ac9bbb247acb98\System.Windows.Forms.ni.dll
MOD - [2012/06/13 05:21:15 | 001,592,320 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\d86f2038209a4cf0d0f5b30f6375c9b2\System.Drawing.ni.dll
MOD - [2012/06/13 02:35:49 | 000,303,104 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
MOD - [2012/05/30 20:06:48 | 000,087,912 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2012/05/30 20:06:30 | 001,242,512 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2012/05/25 04:25:00 | 000,921,600 | ---- | M] () -- C:\Program Files\Yahoo!\Messenger\yui.dll
MOD - [2012/05/10 03:17:09 | 000,971,264 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\3d5b7368bde0f65aa15d9f46b498cc89\System.Configuration.ni.dll
MOD - [2012/05/10 03:13:50 | 005,450,752 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\3bba1b8b0b5ef0be238b011cc7a0575e\System.Xml.ni.dll
MOD - [2012/05/10 03:12:27 | 007,953,408 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\e4b5afc4da43b1c576f9322f9f2e1bfe\System.ni.dll
MOD - [2012/05/10 03:12:16 | 011,492,352 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\e337c89bc9f81b69d7237aa70e935900\mscorlib.ni.dll


========== Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
SRV - [2012/09/21 12:53:04 | 000,250,288 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/09/21 12:48:30 | 000,161,768 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2012/09/07 17:04:46 | 000,676,936 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012/09/07 17:04:46 | 000,399,432 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2012/03/26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys -- (esgiguard)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2012/09/07 17:04:46 | 000,022,856 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2009/06/11 20:28:42 | 000,016,608 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\gdrv.sys -- (gdrv)
DRV - [2009/01/20 05:53:06 | 005,027,840 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService)
DRV - [2008/12/01 04:13:42 | 003,452,928 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2008/11/24 10:54:12 | 000,495,104 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rt61.sys -- (RT61)
DRV - [2007/11/22 15:55:52 | 000,105,088 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2007/04/16 16:46:34 | 000,033,792 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdPPM.sys -- (AmdPPM)
DRV - [2005/11/29 23:50:14 | 000,392,316 | R--- | M] (Vimicro Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbVM305.sys -- (ZSMC0305)
DRV - [2001/08/17 14:51:32 | 000,018,688 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\irsir.sys -- (irsir)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =
IE - HKLM\..\SearchScopes,DefaultScope = {006ee092-9658-4fd6-bd8e-a21a348e59f5}
IE - HKLM\..\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}: "URL" = http://feed.snap.do/...q={searchTerms}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKLM\..\SearchScopes\{0A703670-42DE-4991-B758-DE3F28A21372}: "URL" = http://www.google.co...g}&sourceid=ie7
IE - HKLM\..\SearchScopes\{cf6e4b1c-dbde-457e-9cef-ab8ecac8a5e8}: "URL" = http://search.mywebs...r={searchTerms}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca.yahoo.com/?fr=fp-yie8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://feed.snap.do/...q={searchTerms}
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://feed.snap.do/...q={searchTerms}
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://feed.snap.do/...q={searchTerms}
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://feed.snap.do/...q={searchTerms}
IE - HKCU\..\SearchScopes,DefaultScope = {006ee092-9658-4fd6-bd8e-a21a348e59f5}
IE - HKCU\..\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}: "URL" = http://feed.snap.do/...q={searchTerms}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}: "URL" = http://websearch.ask...=580:uc76903421
IE - HKCU\..\SearchScopes\{17DEAB56-F40E-4D20-A399-9F544894F710}: "URL" = http://search.yahoo....0120414,0,0,0,0
IE - HKCU\..\SearchScopes\{1A6AEEB9-18D1-4FFF-B1F0-F90373D312C1}: "URL" = http://en.wikipedia....h={searchTerms}
IE - HKCU\..\SearchScopes\{88FB16D2-04EA-4ffe-8079-CFF68F1B9CE6}: "URL" = http://www.search-re...&ver=4.0.0.1550
IE - HKCU\..\SearchScopes\{91607fa7-3c2f-4f90-93e3-d5337a6b0ac2}: "URL" = playbryte/search/redirect/?type=default&user_id=201c9ee4-f484-41df-a248-03c655fcd5ad&query={searchTerms}
IE - HKCU\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD21}: "URL" = http://dts.search-re...q={searchTerms}
IE - HKCU\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://dts.search-re...q={searchTerms}
IE - HKCU\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.condui...&ctid=CT3208939
IE - HKCU\..\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}: "URL" = http://toolbar.inbox...id=80396&lng=en
IE - HKCU\..\SearchScopes\{cf6e4b1c-dbde-457e-9cef-ab8ecac8a5e8}: "URL" = http://search.mywebs...r={searchTerms}
IE - HKCU\..\SearchScopes\{D76BDBD4-C86A-4995-890A-D0202D33E747}: "URL" = http://www.flickr.co...q={searchTerms}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://ca.yahoo.com/?fr=mkg031"
FF - prefs.js..browser.search.defaultenginename: "Yahoo"
FF - prefs.js..browser.search.defaulturl: "http://ca.search.yah...h?fr=mkg030&p="
FF - prefs.js..browser.search.selectedEngine: "Yahoo"
FF - prefs.js..extensions.enabledAddons: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledAddons: m3ffxtbr@mywebsearch.com:1.2
FF - prefs.js..extensions.enabledAddons: {BBDA0591-3099-440a-AA10-41764D9DB4DB}:3.0
FF - prefs.js..keyword.URL: "http://ca.search.yah...h?fr=mkg030&p="


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_4_402_278.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw_1167637.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.7.2: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.7.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pages.tvunetworks.com/WebPlayer: C:\WINDOWS\system32\TVUAx\npTVUAx.dll (TVU networks)
FF - HKLM\Software\MozillaPlugins\@veetle.com/veetleCorePlugin,version=0.9.18: C:\Program Files\Veetle\plugins\npVeetle.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\@veetle.com/veetlePlayerPlugin,version=0.9.18: C:\Program Files\Veetle\Player\npvlc.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\@virtools.com/3DviaPlayer: C:\Program Files\Virtools\3D Life Player\npvirtools.dll (Dassault Systmes)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@Skype Limited.com/Facebook Video Calling Plugin: C:\Documents and Settings\user\Local Settings\Application Data\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\m3ffxtbr@mywebsearch.com: C:\Program Files\MyWebSearch\bar\1.bin
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\wcapturex@deskperience.com: C:\Program Files\WhiteSmokeTranslator\WCaptureMoz [2011/12/31 03:17:56 | 000,000,000 | ---D | M]

[2012/09/23 08:33:19 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\user\Application Data\Mozilla\Extensions
[2010/05/23 20:31:53 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\user\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2012/09/23 08:50:22 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\5xuoevcz.default\extensions
[2012/06/17 21:09:43 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\5xuoevcz.default\extensions\playbryte@playbryte.com
[2012/06/14 10:20:22 | 000,036,333 | ---- | M] () (No name found) -- C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\5xuoevcz.default\extensions\{5a95a9e0-59dd-4314-bd84-4d18ca83a0e2}.xpi
[2011/09/13 12:24:32 | 000,002,333 | ---- | M] () -- C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\5xuoevcz.default\searchplugins\askcom.xml
[2011/09/29 16:22:31 | 000,002,230 | ---- | M] () -- C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\5xuoevcz.default\searchplugins\iBryte_playbryte.xml

========== Chrome ==========

CHR - homepage: http://www.google.com/
CHR - homepage: http://www.google.com/
CHR - Extension: YouTube = C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: ChromeUpdateManager = C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\cdjbnddbclciabnckgeahmneohjlahdm\1.0_0\
CHR - Extension: Google Search = C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
CHR - Extension: Gmail = C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2012/06/25 14:37:00 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (no name) - {ae07101b-46d4-4a98-af68-0333ea26e113} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [wilane] C:\Documents and Settings\user\Application Data\wilane.dll ()
O4 - HKCU..\Run: [FileHippo.com] C:\Program Files\FileHippo.com\UpdateChecker.exe (FileHippo.com)
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &Search - http://tbedits.video...2012092223&cv=1 File not found
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe (PokerStars)
O9 - Extra Button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe (PokerStars)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: microsoft.com ([windowsupdate] http in Trusted sites)
O15 - HKCU\..Trusted Domains: microsoft.com ([www.update] http in Trusted sites)
O15 - HKCU\..Trusted Domains: microsoft.com ([www.update] https in Trusted sites)
O15 - HKCU\..Trusted Domains: yahoo.com ([ca] http in Trusted sites)
O15 - HKCU\..Trusted Domains: yahoo.com ([ca.news] http in Trusted sites)
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} http://www.bebo.com/...ader.5.8.05.cab (Bebo Uploader Control)
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} http://dl.tvunetworks.com/TVUAx.cab (CTVUAxCtrl Object)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx...owserPlugin.cab (Reg Error: Key error.)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1341208706500 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.100.254 142.161.130.155
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1E4615BA-6CF1-4CA9-B8A5-6124CF358AB2}: DhcpNameServer = 192.168.100.254 142.161.130.155
O18 - Protocol\Handler\avgsecuritytoolbar {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - Reg Error: Value error. File not found
O18 - Protocol\Handler\vsharechrome - No CLSID value found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 23:44:28 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKCU\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/09/26 04:26:02 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OTL.exe
[2012/09/23 08:38:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\FreeFileViewer
[2012/09/23 08:34:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\FreeFileViewer
[2012/09/23 08:34:38 | 000,000,000 | ---D | C] -- C:\Program Files\FreeFileViewer
[2012/09/23 08:34:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Local Settings\Application Data\Wajam
[2012/09/23 08:34:13 | 000,000,000 | ---D | C] -- C:\Program Files\Yontoo
[2012/09/21 21:40:01 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2012/09/21 21:30:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Local Settings\Application Data\Microsoft_Corporation
[2012/09/21 12:55:57 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\user\Recent
[2012/09/21 12:49:01 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2012/09/21 12:31:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\iTunes
[2012/09/21 12:30:17 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2012/09/21 12:30:11 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2012/09/21 12:30:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
[2012/09/05 16:20:26 | 000,389,120 | ---- | C] (SafeApp Software, LLC) -- C:\WINDOWS\System32\RegistryHelperLM.ocx
[2012/08/30 12:25:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\My Documents\dawson face lookes weird
[2012/08/28 16:04:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\World of Warcraft
[2012/08/28 14:48:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Battle.net
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/09/26 04:29:36 | 000,006,532 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Application Data\chromeupdate.crx
[2012/09/26 04:27:48 | 000,000,384 | -H-- | M] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2012/09/26 04:26:13 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OTL.exe
[2012/09/26 04:25:15 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/09/26 04:17:56 | 000,000,392 | ---- | M] () -- C:\WINDOWS\tasks\ProgramUpdateCheck.job
[2012/09/26 04:17:56 | 000,000,376 | ---- | M] () -- C:\WINDOWS\tasks\FreeFileViewerUpdateChecker.job
[2012/09/26 04:17:40 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/09/26 04:17:38 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/09/26 03:53:26 | 000,000,420 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{B2BBBCDF-5101-4452-94CE-E6914C9DD56C}.job
[2012/09/26 03:05:00 | 000,000,994 | ---- | M] () -- C:\WINDOWS\tasks\FacebookUpdateTaskUserS-1-5-21-682003330-1563985344-2147018087-1004UA.job
[2012/09/25 18:05:00 | 000,000,972 | ---- | M] () -- C:\WINDOWS\tasks\FacebookUpdateTaskUserS-1-5-21-682003330-1563985344-2147018087-1004Core.job
[2012/09/23 08:34:52 | 000,000,772 | ---- | M] () -- C:\Documents and Settings\user\Application Data\Microsoft\Internet Explorer\Quick Launch\FreeFileViewer.lnk
[2012/09/22 22:50:57 | 000,172,464 | ---- | M] () -- C:\Program Files\4zres.dll
[2012/09/21 21:40:45 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2012/09/21 12:53:47 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2012/09/21 12:42:33 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/09/21 12:31:32 | 000,001,542 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2012/09/21 12:16:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/09/21 04:17:59 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/09/16 18:56:00 | 000,000,000 | ---- | M] () -- C:\chromeupdate.crx
[2012/09/14 20:53:38 | 000,000,572 | ---- | M] () -- C:\Documents and Settings\user\My Documents\spider.sav
[2012/09/12 19:31:40 | 000,428,544 | ---- | M] () -- C:\Documents and Settings\user\Application Data\wilane.dll
[2012/09/07 17:04:46 | 000,022,856 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/09/05 16:20:26 | 000,389,120 | ---- | M] (SafeApp Software, LLC) -- C:\WINDOWS\System32\RegistryHelperLM.ocx
[2012/08/28 16:09:14 | 000,000,913 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\World of Warcraft.lnk
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/09/23 08:48:39 | 000,172,464 | ---- | C] () -- C:\Program Files\4zres.dll
[2012/09/23 08:35:20 | 000,000,376 | ---- | C] () -- C:\WINDOWS\tasks\FreeFileViewerUpdateChecker.job
[2012/09/23 08:34:52 | 000,000,772 | ---- | C] () -- C:\Documents and Settings\user\Application Data\Microsoft\Internet Explorer\Quick Launch\FreeFileViewer.lnk
[2012/09/21 21:50:23 | 000,000,384 | -H-- | C] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2012/09/21 21:40:24 | 000,001,698 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Security Essentials.lnk
[2012/09/21 12:31:32 | 000,001,542 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2012/09/16 18:56:00 | 000,000,000 | ---- | C] () -- C:\chromeupdate.crx
[2012/09/12 19:31:40 | 000,006,532 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\chromeupdate.crx
[2012/09/12 19:31:37 | 000,428,544 | ---- | C] () -- C:\Documents and Settings\user\Application Data\wilane.dll
[2012/08/28 16:04:29 | 000,000,913 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\World of Warcraft.lnk
[2012/06/23 00:27:44 | 000,000,340 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\SMRResults300.dat
[2012/06/18 00:10:05 | 000,767,928 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll0608.old
[2012/05/18 20:53:03 | 000,132,912 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2012/02/15 23:57:45 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/11/09 09:07:00 | 000,000,206 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2011/09/29 16:22:33 | 000,000,127 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\fusioncache.dat
[2011/09/28 17:44:14 | 000,179,271 | ---- | C] () -- C:\WINDOWS\System32\xlive.dll.cat
[2011/09/24 18:54:54 | 000,201,728 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\store-ds.db
[2011/09/05 20:46:17 | 000,016,548 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2011/04/05 14:54:02 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/04/16 16:18:05 | 000,230,454 | ---- | C] () -- C:\Documents and Settings\user\su.bmp
[2010/04/01 11:56:38 | 000,230,454 | ---- | C] () -- C:\Documents and Settings\user\dill.bmp
[2010/02/07 18:40:56 | 000,230,454 | ---- | C] () -- C:\Documents and Settings\user\UYKKK.bmp
[2010/02/07 18:40:38 | 000,230,454 | ---- | C] () -- C:\Documents and Settings\user\UYJ.bmp
[2010/02/07 18:40:05 | 000,230,454 | ---- | C] () -- C:\Documents and Settings\user\GFG.bmp
[2010/01/28 18:40:57 | 000,230,454 | ---- | C] () -- C:\Documents and Settings\user\hukyium.bmp
[2010/01/28 18:40:44 | 000,230,454 | ---- | C] () -- C:\Documents and Settings\user\azd.bmp
[2010/01/28 18:40:35 | 000,230,454 | ---- | C] () -- C:\Documents and Settings\user\olo.bmp
[2010/01/28 18:40:14 | 000,230,454 | ---- | C] () -- C:\Documents and Settings\user\;p.bmp
[2010/01/28 18:39:57 | 000,230,454 | ---- | C] () -- C:\Documents and Settings\user\ik.bmp
[2010/01/28 18:39:49 | 000,230,454 | ---- | C] () -- C:\Documents and Settings\user\hy.bmp
[2010/01/28 18:39:34 | 000,230,454 | ---- | C] () -- C:\Documents and Settings\user\gt.bmp
[2010/01/28 18:39:26 | 000,230,454 | ---- | C] () -- C:\Documents and Settings\user\ed.bmp
[2010/01/28 18:39:11 | 000,230,454 | ---- | C] () -- C:\Documents and Settings\user\q.bmp
[2010/01/28 18:38:58 | 000,230,454 | ---- | C] () -- C:\Documents and Settings\user\x.bmp
[2010/01/28 18:38:45 | 000,230,454 | ---- | C] () -- C:\Documents and Settings\user\y.bmp
[2010/01/28 18:38:23 | 000,230,454 | ---- | C] () -- C:\Documents and Settings\user\a.bmp
[2010/01/28 18:38:08 | 000,230,454 | ---- | C] () -- C:\Documents and Settings\user\d.bmp
[2010/01/28 18:37:54 | 000,230,454 | ---- | C] () -- C:\Documents and Settings\user\s.bmp
[2009/12/31 14:10:18 | 000,230,454 | ---- | C] () -- C:\Documents and Settings\user\charlie.bmp
[2009/12/28 02:14:07 | 000,230,454 | ---- | C] () -- C:\Documents and Settings\user\bull hunt.bmp
[2009/12/28 02:11:25 | 000,230,454 | ---- | C] () -- C:\Documents and Settings\user\bigbull.bmp
[2009/12/28 02:10:57 | 000,230,454 | ---- | C] () -- C:\Documents and Settings\user\bull.bmp
[2009/12/27 16:57:21 | 000,230,454 | ---- | C] () -- C:\Documents and Settings\user\2343 street.bmp
[2009/12/27 16:56:43 | 000,230,454 | ---- | C] () -- C:\Documents and Settings\user\daws is buff.bmp
[2009/12/27 16:56:21 | 000,230,454 | ---- | C] () -- C:\Documents and Settings\user\[bleep]en strong.bmp
[2009/12/27 16:55:35 | 000,230,454 | ---- | C] () -- C:\Documents and Settings\user\bn.bmp
[2009/12/27 16:54:59 | 000,230,454 | ---- | C] () -- C:\Documents and Settings\user\daws.bmp
[2009/06/29 09:19:22 | 000,161,280 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== ZeroAccess Check ==========

[2012/09/12 19:30:53 | 000,002,048 | -HS- | M] () -- C:\RECYCLER\S-1-5-18\$21e59a7eb38a50edf576d64d50502bd1\@
[2012/09/12 19:30:53 | 000,000,000 | -HSD | M] -- C:\RECYCLER\S-1-5-18\$21e59a7eb38a50edf576d64d50502bd1\L
[2012/09/26 03:06:26 | 000,000,000 | -HSD | M] -- C:\RECYCLER\S-1-5-18\$21e59a7eb38a50edf576d64d50502bd1\U
[2012/09/21 12:35:48 | 000,000,928 | ---- | M] () -- C:\RECYCLER\S-1-5-18\$21e59a7eb38a50edf576d64d50502bd1\U\00000001.@
[2009/06/11 20:23:10 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
"ThreadingModel" = Both
"" = fastprox.dll -- [2009/02/09 07:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2009/04/28 23:46:52 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = fastprox.dll -- [2009/02/09 07:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/14 07:00:00 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2012/09/21 12:31:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
[2011/09/29 16:28:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\1B150
[2012/06/25 13:30:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2011/04/04 17:04:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2011/04/05 09:11:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2012/08/28 14:48:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Battle.net
[2011/09/29 16:28:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\boost_interprocess
[2011/03/15 08:18:02 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2012/04/03 19:08:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DriverGenius
[2011/09/29 16:48:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\InstallMate
[2010/09/21 20:18:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap Games
[2012/03/27 16:56:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCapY
[2011/09/29 16:43:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Premium
[2012/06/22 22:40:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SpeedyPC Software
[2010/12/09 03:01:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SYSTEMAX Software Development
[2012/09/23 08:50:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Tarma Installer
[2011/09/29 13:16:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\W3i
[2011/04/05 15:11:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/06/30 12:15:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2011/09/29 15:10:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{AB2D8F2E-F7AD-4446-A11A-50D846B2CF2A}
[2012/01/18 16:46:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Babylon
[2012/01/22 08:05:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\com.w3i.FlipToast
[2012/06/22 22:30:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\DriverCure
[2012/09/23 08:47:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\FreeFileViewer
[2009/06/29 23:42:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\FUJIFILM
[2011/05/16 16:43:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\InterTrust
[2009/07/11 01:20:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\MSNInstaller
[2012/06/26 10:23:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Oracle
[2012/04/03 18:32:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\searchquband
[2012/06/22 22:30:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\SpeedyPC Software
[2010/12/09 03:01:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\SYSTEMAX Software Development
[2011/08/22 11:03:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\TeamViewer
[2012/06/17 23:47:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\TestApp
[2010/12/06 17:10:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\TuxPaint
[2011/09/29 13:16:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Uniblue
[2010/10/23 23:13:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\vShare
[2011/12/31 03:18:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\WhiteSmokeTranslator
[2012/04/03 18:48:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\wincoreimband
[2009/06/11 21:18:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Windows Desktop Search
[2009/06/24 22:33:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Windows Search

========== Purity Check ==========



< End of report >

#3
Dakeyras

    GeekU Mammoth

  • GeekU Moderator
  • 7,369 posts
I will reply back in due course...

#4
Dakeyras

    GeekU Mammoth

  • GeekU Moderator
  • 7,369 posts
Hi again,

I closed your other topic here...

--------------

I have bad news I'm afraid. :(

One or more of the identified infections is the extremely severe Zero Access Rootkit plus undoubtedly other compromising malware!

OK since we are dealing with the aforementioned infection(s) I would be providing your good self with a disservice if I did not make you aware of the ramifications below:

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Although an attempt could be made to clean this machine, it could never be considered to be truly clean, secure, or trustworthy. We could not say definitively that unknown and unseen malware will have been removed, nor will your system be restored to its pre-infection state. We cannot remedy unknown changes the malware may likely have made in order to allow itself access, nor can we repair the damage it may possibly have caused to vital system files. Additionally, it is quite possible that changes made to the system by the malware may impact negatively on your computer during the removal process. In short, your system may never regain its former stability or its full functionality without a reformat. Therefore, your best and safest course of action is a reformat and reinstallation of the Windows Operating System, and that is the course we strongly recommend.

Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

I can attempt to clean this machine (anything I try may not be successful) but I can't guarantee that it will be at all secure afterwards.

Should you have any questions, please feel free to ask.

Please let myself know what you have decided to do in your next post.

#5
mnstrbuck

    Member

  • Member
  • 36 posts
WOW, can we try? To get to where I can get all my stuff off of it, such as pictures and my personal stuff, then get it reformatted.

Edited by mnstrbuck, 26 September 2012 - 07:26 AM.


#6
Dakeyras

    GeekU Mammoth

  • GeekU Moderator
  • 7,369 posts
Hi. :)

WOW, can we try? To get to where I can get all my stuff off of it, such as pictures and my personal stuff, then get it reformatted.

Aye, by all means we can try/do so... please take note of the below:

  • I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine!
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • It may prove beneficial if you print off the following instructions or save them to notepad as I post them.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Backup the Registry:

Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.

  • Please go here and download ERUNT.
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Double-click on erunt-setup.exe to install ERUNT by following the prompts.
  • Use the default install settings but say no to the portion that asks you to add ERUNT to the Start-Up folder.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT which is acceptable.
  • Make sure that at least the first two check boxes are selected.
  • Click on OK
  • Then click on YES to create the folder.
Note: If it is necessary to restore the registry, open the backup folder and start ERDNT.exe

Create a System Restore Point:

  • Click on Start >> All Programs >> Accessories >>System Tools >> System Restore
  • Select Create a restore point, then Next, type a name like GTG backup for example. Then click on the Create button and once it's created, click on Close
Scan with aswMBR:

Please download aswMBR.exe to your desktop.

  • Double-click the aswMBR.exe to run it
  • When prompted with The application can use the Avast! Free Antivirus for scanning >> select No
  • Now click on the Scan button to start scan
  • On completion of the scan click Save Log, save it to your desktop and post the contents in your next reply
Note: There will also be a file on your desktop named MBR.dat (or similar); do not delete this for now, it is an actual backup of the MBR (master boot record).

Scan with RogueKiller:

Please download RogueKiller to your desktop

Alternate download is here.

  • Quit all running programs.
  • Double-click on RogueKiller.exe to start the application.
  • Let the pre-scan complete, then click on Accept option when the disclaimer window appears.
  • Now click on the Scan tab back in the RogueKiller main window.
  • The RKreport.txt shall be generated next to the executable along with a zip file named RK_Quarantine.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe
Please post the contents of the RKreport.txt in your next Reply.

When you have completed the above, please post back the following in the order asked for:

  • How is your computer performing now, any further symptoms and or problems encountered?
  • aswMBR Log.
  • RogueKiller Log.


#7
mnstrbuck

    Member

  • Member
  • 36 posts
it won't let me scan or open up Roguekiller.exe

it says documentandsettings\user\desktop\Roguekiller.exe is not a valid Win32 application

here's the log for aswMBR

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-09-27 11:15:06
-----------------------------
11:15:06.488 OS Version: Windows 5.1.2600 Service Pack 3
11:15:06.488 Number of processors: 2 586 0x203
11:15:06.488 ComputerName: USER-04C1162F33 UserName: user
11:15:07.066 Initialize success
11:15:27.113 The log file has been saved successfully to "C:\Documents and Settings\user\Desktop\aswMBR.txt"
11:15:31.535 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
11:15:31.535 Disk 0 Vendor: ST3160023AS 8.12 Size: 152586MB BusType: 3
11:15:31.550 Disk 0 MBR read successfully
11:15:31.550 Disk 0 MBR scan
11:15:31.550 Disk 0 Windows XP default MBR code
11:15:31.550 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 152578 MB offset 63
11:15:31.550 Disk 0 scanning sectors +312480315
11:15:31.613 Disk 0 scanning C:\WINDOWS\system32\drivers
11:15:37.753 Service scanning
11:15:43.363 Service MpKslb6dc327d c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C343A6BD-9718-48E1-8CAA-4D14B0F5E9EE}\MpKslb6dc327d.sys **LOCKED** 32
11:15:48.972 Modules scanning
11:15:53.566 Disk 0 trace - called modules:
11:15:53.582 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
11:15:53.582 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a57fab8]
11:15:53.582 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000064[0x8a59f510]
11:15:53.582 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a52c940]
11:15:53.582 Scan finished successfully
11:15:57.582 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\user\Desktop\MBR.dat"
11:15:57.582 The log file has been saved successfully to "C:\Documents and Settings\user\Desktop\aswMBR.txt"


Edited by mnstrbuck, 27 September 2012 - 10:35 AM.


#8
Dakeyras

    GeekU Mammoth

  • GeekU Moderator
  • 7,369 posts
Hi. :)

it won't let me scan or open up Roguekiller.exe

it says documentandsettings\user\desktop\Roguekiller.exe is not a valid Win32 application

This is probably due to the infections on-board your machine. Did you try the prior advice regarding this?

If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

So try it again; if it is still a problem, try renaming the RogueKiller executable. How to do so if unsure:-

Right-click on Roguekiller.exe >> Properties >> Rename >> type in winlogon.exe >> depress the Enter/Return key.

Note: If there are still problems, merely run the below Custom OTL script instead...

Custom OTL Script:

  • Double-click on OTL.exe to start the program.
  • Copy the lines from the codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
:Files
ipconfig /flushdns /c
C:\RECYCLER\S-1-5-18\$21e59a7eb38a50edf576d64d50502bd1

:Commands
[ResetHosts]
[EmptyTemp]
  • Return to OTL, right-click in the Custom Scans/Fixes window (under the cyan bar) and choose Paste.
  • Then click the red Run Fix button.
  • Let the program run unhindered.
  • If OTL asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
Note: The logfile can also be located at C: >> _OTL >> MovedFiles >> DD/DD/DD TT/TT.txt <-- denotes date/time log created.

#9
mnstrbuck

    Member

  • Member
  • 36 posts
here's the roguekiller log

RogueKiller V8.0.5 [09/23/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : user [Admin rights]
Mode : Scan -- Date : 09/28/2012 08:28:39

Bad processes : 2
[SUSP PATH][DLL] rundll32.exe -- C:\WINDOWS\system32\rundll32.exe : -> KILLED [TermProc]
[SUSP PATH] RogueKiller.exe -- C:\Documents and Settings\user\Desktop\RogueKiller.exe -> KILLED [TermProc]

Registry Entries : 6
[RUN][BLACKLIST DLL] HKLM\[...]\Run : wilane ("C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\user\Application Data\wilane.dll",InPlaceSubtract) -> FOUND
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

Particular Files / Folders:
[ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-18\$21e59a7eb38a50edf576d64d50502bd1\@ --> FOUND
[ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-21-682003330-1563985344-2147018087-1004\$21e59a7eb38a50edf576d64d50502bd1\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\RECYCLER\S-1-5-18\$21e59a7eb38a50edf576d64d50502bd1\U --> FOUND
[ZeroAccess][FOLDER] U : C:\RECYCLER\S-1-5-21-682003330-1563985344-2147018087-1004\$21e59a7eb38a50edf576d64d50502bd1\U --> FOUND
[ZeroAccess][FOLDER] L : C:\RECYCLER\S-1-5-18\$21e59a7eb38a50edf576d64d50502bd1\L --> FOUND
[ZeroAccess][FOLDER] L : C:\RECYCLER\S-1-5-21-682003330-1563985344-2147018087-1004\$21e59a7eb38a50edf576d64d50502bd1\L --> FOUND

Driver : [LOADED]

Extern Hives:

Infection : ZeroAccess

HOSTS File:
--> C:\WINDOWS\system32\drivers\etc\hosts

1

MBR Check:

+++++ PhysicalDrive0: ST3160023AS +++++
--- User ---
[MBR] 1fa57deabba49747c5dc3f7289aea9d9
[BSP] ae203e84dcb456630d870d8f3155a2b5 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 152578 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt
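The RogueKiller and OTL output above both show the same two indicators: a hidden RECYCLER folder named after a 32-character hex string (holding an "@" file plus "U" and "L" subfolders) and a Run value that launches rundll32 against a DLL sitting in the user's Application Data. The following is an added Python check that is not part of this thread or of RogueKiller/OTL; it matches those two patterns over constructed sample input copied from the logs, and generalises the folder test to any SID and any hash.

```python
import re
from collections import defaultdict

# Hidden ZeroAccess folder layout seen in the OTL "ZeroAccess Check" and the
# RogueKiller report: <drive>:\RECYCLER\<SID>\$<32 hex chars>\ holding an "@"
# file and "U" / "L" subfolders.
ZA_RE = re.compile(
    r"^(?P<root>[A-Za-z]:\\RECYCLER\\S-1-5-[0-9-]+\\\$[0-9a-f]{32})"
    r"\\(?P<leaf>@|U|L)(?:\\|$)",
    re.IGNORECASE,
)

# Run value of the form  "...\rundll32.exe" "<path>.dll",<export>
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+\.dll)', re.IGNORECASE)

# Locations a legitimate rundll32 autostart would not normally load a DLL from.
PROFILE_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\")


def zeroaccess_indicators(paths):
    """Group paths matching the ZeroAccess RECYCLER layout by hidden folder.

    Returns {hidden_folder: sorted list of leaves seen ("@", "L", "U")}.
    A folder showing all three is the layout RogueKiller reported above.
    """
    found = defaultdict(set)
    for path in paths:
        m = ZA_RE.match(path.strip())
        if m:
            found[m.group("root")].add(m.group("leaf").upper())
    return {root: sorted(leaves) for root, leaves in found.items()}


def suspicious_run_values(run_values):
    """Flag Run values where rundll32 loads a DLL from a user profile directory.

    run_values: {value_name: command_line}.  Returns {value_name: dll_path}.
    """
    hits = {}
    for name, command in run_values.items():
        m = RUNDLL_RE.search(command)
        if not m:
            continue
        dll = m.group("dll").strip()
        if any(marker in dll.lower() for marker in PROFILE_DIRS):
            hits[name] = dll
    return hits


# Constructed sample input, copied from the log lines in this thread.
SAMPLE_PATHS = [
    r"C:\RECYCLER\S-1-5-18\$21e59a7eb38a50edf576d64d50502bd1\@",
    r"C:\RECYCLER\S-1-5-18\$21e59a7eb38a50edf576d64d50502bd1\L",
    r"C:\RECYCLER\S-1-5-18\$21e59a7eb38a50edf576d64d50502bd1\U",
    r"C:\RECYCLER\S-1-5-18\$21e59a7eb38a50edf576d64d50502bd1\U\00000001.@",
    r"C:\RECYCLER\S-1-5-21-682003330-1563985344-2147018087-1004\$21e59a7eb38a50edf576d64d50502bd1\@",
    r"C:\RECYCLER\S-1-5-21-682003330-1563985344-2147018087-1004\$21e59a7eb38a50edf576d64d50502bd1\U",
    r"C:\RECYCLER\S-1-5-21-682003330-1563985344-2147018087-1004\$21e59a7eb38a50edf576d64d50502bd1\L",
    r"C:\WINDOWS\assembly\Desktop.ini",  # listed by OTL but not part of the layout
]

SAMPLE_RUN_VALUES = {
    "wilane": r'"C:\WINDOWS\system32\rundll32.exe" '
              r'"C:\Documents and Settings\user\Application Data\wilane.dll",InPlaceSubtract',
    # constructed benign-looking applet launcher, for contrast
    "BenignApplet": r"rundll32.exe shell32.dll,Control_RunDLL",
}

if __name__ == "__main__":
    for root, leaves in zeroaccess_indicators(SAMPLE_PATHS).items():
        print(f"{root}: {leaves}")
    for name, dll in suspicious_run_values(SAMPLE_RUN_VALUES).items():
        print(f"Run value {name!r} loads {dll}")
```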

#10
mnstrbuck

    Member

  • Member
  • 36 posts
here's the OTL scan log

All processes killed
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\user\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\user\Desktop\cmd.txt deleted successfully.
C:\RECYCLER\S-1-5-18\$21e59a7eb38a50edf576d64d50502bd1\U folder moved successfully.
C:\RECYCLER\S-1-5-18\$21e59a7eb38a50edf576d64d50502bd1\L folder moved successfully.
Folder move failed. C:\RECYCLER\S-1-5-18\$21e59a7eb38a50edf576d64d50502bd1 scheduled to be moved on reboot.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 56478 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 321771093 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 32411 bytes

User: NetworkService
->Temp folder emptied: 547362 bytes
->Temporary Internet Files folder emptied: 278765722 bytes
->Flash cache emptied: 9068 bytes

User: user
->Temp folder emptied: 2729726 bytes
->Temporary Internet Files folder emptied: 55667736 bytes
->Java cache emptied: 109852 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 6219420 bytes
->Flash cache emptied: 75399 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 83441647 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 26038 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 715.00 mb


OTL by OldTimer - Version 3.2.68.0 log created on 09282012_084219

Files\Folders moved on Reboot...
Folder move failed. C:\RECYCLER\S-1-5-18\$21e59a7eb38a50edf576d64d50502bd1 scheduled to be moved on reboot.
File\Folder C:\Documents and Settings\user\Local Settings\Temp\~DF4FAE.tmp not found!
File\Folder C:\Documents and Settings\user\Local Settings\Temp\~DF4FBB.tmp not found!
File\Folder C:\Documents and Settings\user\Local Settings\Temp\~DF5015.tmp not found!
File\Folder C:\Documents and Settings\user\Local Settings\Temp\~DF5021.tmp not found!
File\Folder C:\Documents and Settings\user\Local Settings\Temp\~DF9140.tmp not found!
File\Folder C:\Documents and Settings\user\Local Settings\Temp\~DF914C.tmp not found!
File\Folder C:\Documents and Settings\user\Local Settings\Temp\~DF91D1.tmp not found!
File\Folder C:\Documents and Settings\user\Local Settings\Temp\~DF91DD.tmp not found!
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\FADIGMRV\322689-virus-pupmy-websearch[1].htm moved successfully.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

#11
Dakeyras

    GeekU Mammoth

  • GeekU Moderator
  • 7,369 posts
Hi. :)

here's the OTL scan log

Actually there was no need to run the custom OTL script, you only had to do so if unable to get RogueKiller running. No harm done though and let's proceed as follows, shall we...

Re-scan with RogueKiller:

Run the scan again as outlined prior and it will create a new log called RKreport[2].txt. I actually have no need to review this one...


After the scan is complete, deselect these two items only (if present):-

[SUSP PATH][DLL] rundll32.exe -- C:\WINDOWS\system32\rundll32.exe : -> KILLED [TermProc]
[SUSP PATH] RogueKiller.exe -- C:\Documents and Settings\user\Desktop\RogueKiller.exe -> KILLED [TermProc]

Do leave the rest selected though and then click on the Delete button >> wait for the new scan to complete and then click on the ShortcutsFix button. Wait for it to complete etc.

Reboot your computer manually if you have not been prompted to do so...

Next:

Post the contents of both RKreport[3].txt and RKreport[4].txt in your next reply. Provide a quick update how your machine is performing now and we will go from there, thank you.

#12
mnstrbuck

    Member

  • Member
  • 36 posts
here's 4

RogueKiller V8.0.5 [09/23/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : user [Admin rights]
Mode : Shortcuts HJfix -- Date : 09/28/2012 09:39:29

Bad processes : 1
[SUSP PATH][DLL] rundll32.exe -- C:\WINDOWS\system32\rundll32.exe : -> KILLED [TermProc]

Driver : [LOADED]

Extern Hives:

File attributes restored:
Desktop: Success 0 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 11 / Fail 0
Start menu: Success 0 / Fail 0
User folder: Success 226 / Fail 0
My documents: Success 458 / Fail 458
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 109 / Fail 0
Backup: [NOT FOUND]

Drives:
[A:] \Device\Floppy0 -- 0x2 --> Skipped
[C:] \Device\HarddiskVolume1 -- 0x3 --> Restored
[D:] \Device\CdRom0 -- 0x5 --> Skipped
[E:] \Device\Harddisk1\DP(1)0-0+6 -- 0x2 --> Restored
[F:] \Device\Harddisk2\DP(1)0-0+7 -- 0x2 --> Restored
[G:] \Device\Harddisk3\DP(1)0-0+8 -- 0x2 --> Restored
[H:] \Device\Harddisk4\DP(1)0-0+9 -- 0x2 --> Restored

Infection : ZeroAccess

Finished : << RKreport[4].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt

Don't know where 3 went, here's 5

RogueKiller V8.0.5 [09/23/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : user [Admin rights]
Mode : Scan -- Date : 09/28/2012 09:41:56

Bad processes : 1
[SUSP PATH][DLL] rundll32.exe -- C:\WINDOWS\system32\rundll32.exe : -> KILLED [TermProc]

Registry Entries : 6
[RUN][BLACKLIST DLL] HKLM\[...]\Run : wilane ("C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\user\Application Data\wilane.dll",InPlaceSubtract) -> FOUND
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

Particular Files / Folders:
[ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-18\$21e59a7eb38a50edf576d64d50502bd1\@ --> FOUND
[ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-21-682003330-1563985344-2147018087-1004\$21e59a7eb38a50edf576d64d50502bd1\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\RECYCLER\S-1-5-21-682003330-1563985344-2147018087-1004\$21e59a7eb38a50edf576d64d50502bd1\U --> FOUND
[ZeroAccess][FOLDER] L : C:\RECYCLER\S-1-5-21-682003330-1563985344-2147018087-1004\$21e59a7eb38a50edf576d64d50502bd1\L --> FOUND

Driver : [LOADED]

Extern Hives:

Infection : ZeroAccess

HOSTS File:
--> C:\WINDOWS\system32\drivers\etc\hosts

1

MBR Check:

+++++ PhysicalDrive0: ST3160023AS +++++
--- User ---
[MBR] 1fa57deabba49747c5dc3f7289aea9d9
[BSP] ae203e84dcb456630d870d8f3155a2b5 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 152578 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[5].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt ; RKreport[5].txt

#13
Dakeyras

    GeekU Mammoth

  • GeekU Moderator
  • 7,369 posts
Hi. :)

Looks like you did not use the delete function with RK...

Re-scan with RogueKiller:

Run the scan again; after the scan is complete, deselect this item only (if present):-

[SUSP PATH][DLL] rundll32.exe -- C:\WINDOWS\system32\rundll32.exe : -> KILLED [TermProc]

Do leave the rest selected though and then click on the Delete button >> wait for the new scan to complete, post the new log in your next reply.

Should be RKreport[7].txt etc.

#14
mnstrbuck

    Member

  • Member
  • 36 posts
RogueKiller V8.1.0 [09/28/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Website: http://tigzy.geeksto...roguekiller.php
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : user [Admin rights]
Mode : Scan -- Date : 09/28/2012 10:15:29

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

ÿþ1

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3160023AS +++++
--- User ---
[MBR] 1fa57deabba49747c5dc3f7289aea9d9
[BSP] ae203e84dcb456630d870d8f3155a2b5 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 152578 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[7].txt >>
RKreport[3].txt ; RKreport[4].txt ; RKreport[5].txt ; RKreport[6].txt ; RKreport[7].txt

It doesn't show anything about this selected item

[SUSP PATH][DLL] rundll32.exe -- C:\WINDOWS\system32\rundll32.exe : -> KILLED [TermProc]

Edited by mnstrbuck, 28 September 2012 - 09:14 AM.

  • 0

#15
Dakeyras

    GeekU Mammoth

  • GeekU Moderator
  • 7,369 posts
Hi. :)

Nothing showing as removed this time, and/or present.

Aye, that is a tad strange, but in the great scheme of things a positive outcome, so let's proceed as follows...

Download/Run ComboFix:

Please visit this webpage for download links, and instructions for running the tool:

How to use ComboFix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

How To Temporarily Disable Your Anti-virus, Firewall and Anti-malware Programs <-- Click on this link.

Please include the C:\ComboFix.txt in your next reply for further review.

Note: If ComboFix detects Rootkit activity and asks to reboot the system, please allow this to be done.

If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use. ComboFix Should Not be used unless requested by a forum helper.


Next:

I would also like to review a list of presently installed programs, so please do this:

Click on Start >> Run then copy/paste the following single-line command into the Run box and click OK:

C:\Qoobox\Add-Remove Programs.txt
A text file should open. Post the contents of that file in your next reply.

Scan with FSS:

Please download Farbar Service Scanner and save to your Desktop.

  • Double-click on FSS.exe to start the program.
  • Select all available options.
  • Then click on the Scan tab.
  • When the scan is complete, it will produce a log named FSS.txt.
  • Post the contents in your next reply.
When you have completed the above, please post back the following in the order asked for:

  • How is your computer performing now, any other symptoms and or problems encountered?
  • ComboFix Log.
  • The contents of Add-Remove Programs.txt.
  • Farbar Service Scanner Log.
Note: Post all requested logs separately if the need...
  • 0
