Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Hacked GMail, possible spyware


  • Please log in to reply

#1
Megan1994

Megan1994

    New Member

  • Member
  • Pip
  • 7 posts
Hi there guys,

I was helped very well and quickly by Essexboy on here a few weeks back with a strange re-directing problem online. But other problems have since come up.

My boyfriends gmail account got hacked and he assures me his password was ludicrously difficult to guess and that my computer was the only computer that he logged in on.

Could it possibly be spyware?

I ran the OTL and got this as a result;

OTL logfile created on: 12/27/2012 7:36:01 PM - Run 4
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Caroline Butterwick\Desktop
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 2.01 Gb Available Physical Memory | 66.88% Memory free
6.00 Gb Paging File | 4.92 Gb Available in Paging File | 82.02% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 50.00 Gb Total Space | 21.78 Gb Free Space | 43.55% Space Free | Partition Type: NTFS
Drive D: | 248.09 Gb Total Space | 232.74 Gb Free Space | 93.81% Space Free | Partition Type: NTFS

Computer Name: WIN-Z9EN9CK0WFA | User Name: Caroline Butterwick | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/12/27 19:35:11 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Caroline Butterwick\Desktop\OTL.exe
PRC - [2012/12/18 20:35:19 | 000,916,960 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2012/10/10 21:15:04 | 001,258,856 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
PRC - [2012/10/02 19:29:14 | 000,864,616 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
PRC - [2012/10/02 19:28:55 | 001,820,520 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
PRC - [2012/10/02 13:15:38 | 000,382,824 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
PRC - [2011/11/27 14:16:09 | 000,273,528 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Real\RealPlayer\Update\realsched.exe
PRC - [2011/02/25 05:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2010/11/20 12:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2010/05/11 10:26:50 | 000,274,432 | ---- | M] (Dolphin Oceanic Ltd.) -- C:\Windows\System32\dolsrvcbar2.exe
PRC - [2009/11/02 02:30:00 | 002,508,104 | ---- | M] (CANON INC.) -- C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
PRC - [2009/09/08 21:12:51 | 000,116,104 | ---- | M] () -- C:\Program Files\Canon\IJPLM\ijplmsvc.exe
PRC - [2007/11/21 17:27:56 | 000,143,360 | ---- | M] (Impacct) -- C:\Program Files\Plustek\OpticBook 3600\Am32Plus.exe
PRC - [2007/05/23 18:29:36 | 000,122,880 | ---- | M] (CrypKey (Canada) Ltd.) -- C:\Windows\System32\Crypserv.exe
PRC - [2006/10/30 16:59:34 | 000,024,576 | ---- | M] () -- C:\Windows\System32\spool\drivers\w32x86\3\WrtProc.exe
PRC - [2006/09/20 08:35:26 | 000,020,480 | ---- | M] () -- C:\Windows\System32\spool\drivers\w32x86\3\WrtMon.exe


========== Modules (No Company Name) ==========

MOD - [2012/12/18 20:35:18 | 002,397,152 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2011/10/28 13:43:00 | 008,522,400 | ---- | M] () -- C:\Windows\System32\Macromed\Flash\NPSWF32.dll
MOD - [2011/03/16 23:11:16 | 004,297,568 | ---- | M] () -- C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
MOD - [2010/10/20 14:45:26 | 008,801,120 | ---- | M] () -- C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
MOD - [2009/09/09 15:33:14 | 000,307,200 | ---- | M] () -- C:\Program Files\Plustek\OpticBook 3600\ScanApi.dll
MOD - [2008/09/18 11:23:58 | 000,024,576 | ---- | M] () -- C:\Program Files\Plustek\OpticBook 3600\FineReader.dll
MOD - [2007/06/04 16:57:22 | 000,036,864 | ---- | M] () -- C:\Program Files\Plustek\OpticBook 3600\MaxReader.dll
MOD - [2007/05/30 15:48:06 | 000,167,936 | ---- | M] () -- C:\Program Files\Common Files\iMpacct\ControlFunc.dll
MOD - [2006/11/30 09:58:50 | 000,061,440 | ---- | M] () -- C:\Program Files\Plustek\OpticBook 3600\TWAINAPP.dll
MOD - [2006/10/30 16:59:34 | 000,024,576 | ---- | M] () -- C:\Windows\System32\spool\drivers\w32x86\3\WrtProc.exe
MOD - [2006/09/20 08:35:26 | 000,020,480 | ---- | M] () -- C:\Windows\System32\spool\drivers\w32x86\3\WrtMon.exe
MOD - [2006/05/15 14:24:18 | 000,122,938 | ---- | M] () -- C:\Program Files\Common Files\iMpacct\CommonFunc.dll
MOD - [2005/11/21 16:10:30 | 000,483,328 | ---- | M] () -- C:\Program Files\Plustek\OpticBook 3600\bmp2tiff.dll
MOD - [2005/09/21 13:38:54 | 000,081,920 | ---- | M] () -- C:\Program Files\Plustek\OpticBook 3600\Web Utility.dll
MOD - [2005/09/21 13:38:46 | 000,090,112 | ---- | M] () -- C:\Program Files\Plustek\OpticBook 3600\Wallpaper.dll
MOD - [2005/09/21 13:38:32 | 000,077,824 | ---- | M] () -- C:\Program Files\Plustek\OpticBook 3600\Scan Utility.dll
MOD - [2005/09/21 13:38:28 | 000,045,056 | ---- | M] () -- C:\Program Files\Plustek\OpticBook 3600\Power Save.dll
MOD - [2005/09/21 13:38:24 | 000,069,632 | ---- | M] () -- C:\Program Files\Plustek\OpticBook 3600\Positive Utility.dll
MOD - [2005/09/21 13:38:16 | 000,065,536 | ---- | M] () -- C:\Program Files\Plustek\OpticBook 3600\OCR Utility.dll
MOD - [2005/09/21 13:38:12 | 000,069,632 | ---- | M] () -- C:\Program Files\Plustek\OpticBook 3600\Negative Utility.dll
MOD - [2005/09/21 13:37:52 | 000,077,824 | ---- | M] () -- C:\Program Files\Plustek\OpticBook 3600\File Utility.dll
MOD - [2005/09/21 13:37:48 | 000,069,632 | ---- | M] () -- C:\Program Files\Plustek\OpticBook 3600\Fax Utility.dll
MOD - [2005/09/21 13:37:44 | 000,081,920 | ---- | M] () -- C:\Program Files\Plustek\OpticBook 3600\Email Utility.dll
MOD - [2005/09/21 13:37:36 | 000,073,728 | ---- | M] () -- C:\Program Files\Plustek\OpticBook 3600\Copy Utility.dll
MOD - [2005/09/21 13:37:24 | 000,045,056 | ---- | M] () -- C:\Program Files\Plustek\OpticBook 3600\Button Config.dll
MOD - [2005/09/21 13:37:00 | 000,065,536 | ---- | M] () -- C:\Program Files\Plustek\OpticBook 3600\BCR Utility.dll
MOD - [2005/09/21 13:36:54 | 000,061,440 | ---- | M] () -- C:\Program Files\Plustek\OpticBook 3600\Prndriver.dll
MOD - [2004/01/07 12:47:34 | 000,045,056 | ---- | M] () -- C:\Program Files\Plustek\OpticBook 3600\FzOCR.dll
MOD - [2004/01/07 12:47:24 | 000,045,056 | ---- | M] () -- C:\Program Files\Plustek\OpticBook 3600\PenPower.dll


========== Services (SafeList) ==========

SRV - [2012/12/18 20:35:18 | 000,115,168 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/10/10 21:15:04 | 001,258,856 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe -- (nvUpdatusService)
SRV - [2012/10/02 13:15:38 | 000,382,824 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2012/09/20 13:28:48 | 030,785,672 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Office\Office14\GROOVE.EXE -- (Microsoft SharePoint Workspace Audit Service)
SRV - [2010/10/18 15:26:59 | 001,343,400 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2010/05/11 10:26:50 | 000,274,432 | ---- | M] (Dolphin Oceanic Ltd.) [Auto | Running] -- C:\Windows\System32\dolsrvcbar2.exe -- (DolphinCBarSrv2)
SRV - [2009/09/08 21:12:51 | 000,116,104 | ---- | M] () [Auto | Running] -- C:\Program Files\Canon\IJPLM\ijplmsvc.exe -- (IJPLMSVC)
SRV - [2009/07/14 01:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/14 01:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/05/23 18:29:36 | 000,122,880 | ---- | M] (CrypKey (Canada) Ltd.) [Auto | Running] -- C:\Windows\System32\Crypserv.exe -- (Crypkey License)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | System | Stopped] -- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{D2B85FDB-BE35-488B-9633-8569B4055A41}\MpKsl8801e2ec.sys -- (MpKsl8801e2ec)
DRV - File not found [Kernel | System | Stopped] -- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{56331053-A773-44EA-8564-A8A1ACB6C080}\MpKsl0937d042.sys -- (MpKsl0937d042)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\CAROLI~1\AppData\Local\Temp\catchme.sys -- (catchme)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\Ai2Mmpd.sys -- (Ai2Mmpd)
DRV - File not found [Kernel | System | Stopped] -- system32\DRIVERS\Ai2Chroniker.sys -- (Ai2Chroniker)
DRV - [2012/10/10 21:14:28 | 010,837,352 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2010/11/20 10:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/11/20 09:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2009/07/13 23:52:10 | 000,014,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vwifimp.sys -- (vwifimp)
DRV - [2009/07/13 22:02:47 | 000,047,104 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\L1E62x86.sys -- (L1E)
DRV - [2009/07/13 22:02:46 | 001,096,704 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2009/05/13 18:11:34 | 000,006,504 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ASACPI.sys -- (MTsensor)
DRV - [2007/05/01 21:15:54 | 000,016,896 | ---- | M] () [Kernel | System | Running] -- C:\Windows\System32\Ckldrv.sys -- (NetworkX)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...1I7RNQN_enGB459
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledAddons: zotero%40chnm.gmu.edu:3.0.11
FF - prefs.js..extensions.enabledAddons: zoteroWinWordIntegration%40zotero.org:3.1.9
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:17.0.1
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@canon.com/EPPEX: C:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL (CANON INC.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=12.0.1.669: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=12.0.1.669: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=12.0.1.669: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=12.0.1.669: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=12.0.1.669: c:\program files\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Users\Caroline Butterwick\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF - HKCU\Software\MozillaPlugins\electronicarts.com/GameFacePlugin: C:\Users\Caroline Butterwick\AppData\Roaming\Electronic Arts\Game Face\npGameFacePlugin.dll (Electronic Arts)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2011/11/27 14:16:25 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 17.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/12/18 20:35:19 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 17.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 17.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/12/18 20:35:19 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 17.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2011/10/28 13:41:18 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Caroline Butterwick\AppData\Roaming\Mozilla\Extensions
[2012/11/29 15:08:33 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Caroline Butterwick\AppData\Roaming\Mozilla\Firefox\Profiles\taeh6aao.default\extensions
[2012/11/29 15:08:32 | 000,000,000 | ---D | M] (Zotero) -- C:\Users\Caroline Butterwick\AppData\Roaming\Mozilla\Firefox\Profiles\taeh6aao.default\extensions\[email protected]
[2012/11/29 15:08:33 | 000,000,000 | ---D | M] (Zotero Word for Windows Integration) -- C:\Users\Caroline Butterwick\AppData\Roaming\Mozilla\Firefox\Profiles\taeh6aao.default\extensions\[email protected]
[2011/10/28 13:41:06 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/12/18 20:35:19 | 000,262,112 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/12/18 20:35:17 | 000,001,738 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2012/12/18 20:35:17 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/12/18 20:35:17 | 000,001,148 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2012/12/18 20:35:17 | 000,001,379 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2012/12/18 20:35:17 | 000,002,058 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml
[2012/12/18 20:35:17 | 000,001,334 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2012/11/29 16:12:36 | 000,000,098 | ---- | M]) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O4 - HKLM..\Run: [BCSSync] C:\Program Files\Microsoft Office\Office14\BCSSync.exe (Microsoft Corporation)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [TkBellExe] c:\program files\real\realplayer\Update\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [WrtMon.exe] C:\Windows\System32\spool\drivers\w32x86\3\WrtMon.exe ()
O4 - Startup: C:\Users\Caroline Butterwick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Colour Explorer 9,0.lnk = C:\Program Files\MicrolinkPC\CXLOADER.exe (MicrolinkPC)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{B072F3AC-1B61-47AC-90DF-486936A7BF73}: DhcpNameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E23D5084-BDEA-4BEB-865D-CB8472124A84}: DhcpNameServer = 194.168.4.100 194.168.8.100
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 21:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012/12/27 19:35:09 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Caroline Butterwick\Desktop\OTL.exe
[2012/12/27 10:51:38 | 000,295,424 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\atmfd.dll
[2012/12/27 10:51:38 | 000,034,304 | ---- | C] (Adobe Systems) -- C:\Windows\System32\atmlib.dll
[2012/12/13 21:29:37 | 000,000,000 | ---D | C] -- D:\Users\Caroline Butterwick\Documents\New folder
[2012/12/12 14:21:51 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2012/12/12 14:21:50 | 000,607,744 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2012/12/12 14:21:50 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2012/12/12 14:21:50 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2012/12/12 14:21:50 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2012/12/12 14:21:49 | 001,800,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2012/12/12 14:21:49 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2012/12/12 14:21:48 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2012/12/12 13:01:22 | 002,345,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2012/12/12 13:01:19 | 000,271,360 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
[2012/12/12 13:01:19 | 000,169,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\winsrv.dll
[2012/12/12 13:01:18 | 000,006,144 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll
[2012/12/12 13:01:18 | 000,005,120 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll
[2012/12/12 13:01:18 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll
[2012/12/12 13:01:18 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll
[2012/12/12 13:01:18 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll
[2012/12/12 13:01:18 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll
[2012/12/12 13:01:18 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll
[2012/12/12 13:01:18 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll
[2012/12/12 13:01:18 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll
[2012/12/12 13:01:18 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll
[2012/12/12 13:01:18 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll
[2012/12/12 13:01:18 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll
[2012/12/12 13:01:18 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll
[2012/12/12 13:01:18 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll
[2012/12/12 13:01:18 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll
[2012/12/12 13:01:18 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll
[2012/12/12 13:01:18 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll
[2012/12/12 13:01:18 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll
[2012/12/12 13:01:18 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll
[2012/12/12 13:01:18 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll
[2012/12/12 13:01:18 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll
[2012/12/12 13:01:18 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll
[2012/12/12 13:01:18 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll
[2012/12/12 13:01:18 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll
[2012/12/12 13:01:18 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll
[2012/12/12 13:01:18 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll
[2012/12/12 13:01:18 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll
[2012/12/12 13:01:18 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll
[2012/12/12 13:01:14 | 000,376,832 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dpnet.dll
[2012/12/12 13:01:12 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll
[2012/12/09 18:44:52 | 000,000,000 | ---D | C] -- D:\Users\Caroline Butterwick\Documents\Festival of Liberation
[2012/12/01 00:16:40 | 000,000,000 | ---D | C] -- D:\Users\Caroline Butterwick\Documents\Songs
[2012/11/29 16:12:36 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/11/29 15:19:24 | 002,213,976 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Caroline Butterwick\Desktop\tdsskiller.exe
[2012/11/29 15:12:49 | 000,000,000 | ---D | C] -- C:\Users\Caroline Butterwick\Desktop\RK_Quarantine
[2012/11/29 15:08:36 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NVIDIA Corporation
[2012/11/27 21:34:10 | 000,047,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\WdfLdr.sys
[2012/11/27 21:34:10 | 000,009,728 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\Wdfres.dll
[2012/11/27 21:33:51 | 000,613,888 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WUDFx.dll
[2012/11/27 21:33:51 | 000,172,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WUDFPlatform.dll
[2012/11/27 21:33:51 | 000,038,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WUDFCoinstaller.dll

========== Files - Modified Within 30 Days ==========

[2012/12/27 19:35:11 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Caroline Butterwick\Desktop\OTL.exe
[2012/12/27 19:22:13 | 000,009,920 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/12/27 19:22:13 | 000,009,920 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/12/27 19:19:19 | 000,643,910 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/12/27 19:19:19 | 000,118,242 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/12/27 19:19:09 | 000,000,426 | ---- | M] () -- C:\Windows\tasks\ReclaimerUpdateFiles_Caroline Butterwick.job
[2012/12/27 19:15:24 | 000,000,422 | ---- | M] () -- C:\Windows\tasks\ReclaimerUpdateXML_Caroline Butterwick.job
[2012/12/27 19:15:20 | 000,000,432 | ---- | M] () -- C:\Windows\tasks\RNUpgradeHelperLogonPrompt_Caroline Butterwick.job
[2012/12/27 19:15:10 | 000,000,908 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/12/27 19:14:59 | 000,409,096 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012/12/27 19:14:54 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/12/27 19:14:39 | 2415,222,784 | -HS- | M] () -- C:\hiberfil.sys
[2012/12/27 10:41:05 | 000,000,912 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/12/16 14:13:28 | 000,295,424 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\atmfd.dll
[2012/12/16 14:13:20 | 000,034,304 | ---- | M] (Adobe Systems) -- C:\Windows\System32\atmlib.dll
[2012/11/30 16:07:19 | 000,036,409 | ---- | M] () -- C:\Users\Caroline Butterwick\Desktop\testing.wma
[2012/11/29 16:12:36 | 000,000,098 | ---- | M] () -- C:\Windows\System32\drivers\etc\Hosts
[2012/11/29 15:20:21 | 002,213,976 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Caroline Butterwick\Desktop\tdsskiller.exe
[2012/11/29 15:11:04 | 000,752,128 | ---- | M] () -- C:\Users\Caroline Butterwick\Desktop\RogueKiller.exe

========== Files Created - No Company Name ==========

[2012/12/27 19:15:19 | 000,000,432 | ---- | C] () -- C:\Windows\tasks\RNUpgradeHelperLogonPrompt_Caroline Butterwick.job
[2012/12/27 19:15:16 | 000,000,426 | ---- | C] () -- C:\Windows\tasks\ReclaimerUpdateFiles_Caroline Butterwick.job
[2012/12/27 19:15:13 | 000,000,422 | ---- | C] () -- C:\Windows\tasks\ReclaimerUpdateXML_Caroline Butterwick.job
[2012/11/30 16:07:19 | 000,036,409 | ---- | C] () -- C:\Users\Caroline Butterwick\Desktop\testing.wma
[2012/11/29 15:10:55 | 000,752,128 | ---- | C] () -- C:\Users\Caroline Butterwick\Desktop\RogueKiller.exe
[2012/11/27 21:34:11 | 000,000,003 | ---- | C] () -- C:\Windows\System32\drivers\MsftWdf_Kernel_01011_Inbox_Critical.Wdf
[2012/11/27 21:33:51 | 000,000,003 | ---- | C] () -- C:\Windows\System32\drivers\MsftWdf_User_01_11_00_Inbox_Critical.Wdf
[2012/01/28 01:14:49 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/01/28 01:14:49 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/01/28 01:14:49 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/01/28 01:14:49 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/01/28 01:14:49 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/01/27 23:49:04 | 000,000,258 | R-S- | C] () -- C:\ProgramData\ntuser.pol
[2011/02/09 10:51:24 | 000,001,809 | ---- | C] () -- C:\Windows\if42le.ini
[2011/02/09 10:51:24 | 000,000,299 | ---- | C] () -- C:\Windows\Pexplore.ini
[2010/09/21 10:47:37 | 000,000,033 | ---- | C] () -- C:\ProgramData\IyfSpCIt.dat
[2010/09/21 10:47:37 | 000,000,031 | ---- | C] () -- C:\ProgramData\msdesksw_default.theme
[1648/10/07 19:02:34 | 000,000,000 | ---- | C] () -- C:\ProgramData\hnEIlj.theme

========== ZeroAccess Check ==========

[2009/07/14 04:42:31 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/09 04:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 12:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/07/14 01:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== Alternate Data Streams ==========

@Alternate Data Stream - 37 bytes -> C:\Windows\System32\desktop.ini:WIN64
@Alternate Data Stream - 33 bytes -> C:\Windows\win.ini:WINDOWS
@Alternate Data Stream - 28 bytes -> C:\ProgramData\hnEIlj.theme:NTOSCHK

< End of report >


I hope that someone can help me with this,

Thanks a lot,

Megan
XxXxXxX
  • 0

Advertisements


#2
WhiteHat

WhiteHat

    Trusted Helper

  • Retired Staff
  • 1,925 posts
Hi,

Posted Image Please download Malwarebytes' Anti-Malware

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2
prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

  • 0

#3
Megan1994

Megan1994

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hey,

thanks for the speediness of your reply :-)

it found and removed something. Here is the report it gave
----

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2012.12.30.10

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Caroline Butterwick :: WIN-Z9EN9CK0WFA [administrator]

30/12/2012 22:07:48
mbam-log-2012-12-30 (22-07-48).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 333628
Time elapsed: 30 minute(s), 52 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\_OTL\MovedFiles\11292012_161236\C_Users\Caroline Butterwick\AppData\Local\Temp\getmfmon.dll (Trojan.Agent) -> Quarantined and deleted successfully.

(end)
  • 0

#4
WhiteHat

WhiteHat

    Trusted Helper

  • Retired Staff
  • 1,925 posts
Hi,

it found and removed something.

This file is not a problem. He was removed previously by EssexBoy when he helped you.

  • I was helped very well and quickly by Essexboy on here a few weeks back with a strange re-directing problem online.

Download aswMBR.exe ( 4.8mb ) to your desktop.

Double click the aswMBR.exe to run it Click the "Scan" button to start scan

Posted Image

On completion of the scan click save log, save it to your desktop and post in your next reply

Posted Image

NEXT:

Please download Farbar Service Scanner and run it on the computer.
Posted Image
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

  • 0

#5
Megan1994

Megan1994

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hi there,

This is the result of the first scan;

aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2012-12-31 11:05:57
-----------------------------
11:05:57.527 OS Version: Windows 6.1.7601 Service Pack 1
11:05:57.527 Number of processors: 2 586 0x170A
11:05:57.527 ComputerName: WIN-Z9EN9CK0WFA UserName:
11:06:19.929 Initialize success
11:06:27.760 AVAST engine defs: 12123100
11:06:29.679 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2
11:06:29.679 Disk 0 Vendor: WDC_WD3200AAJS-00L7A0 01.03E01 Size: 305245MB BusType: 3
11:06:29.679 Disk 0 MBR read successfully
11:06:29.679 Disk 0 MBR scan
11:06:29.694 Disk 0 Windows 7 default MBR code
11:06:29.694 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 51200 MB offset 2048
11:06:29.710 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 254043 MB offset 104859648
11:06:29.726 Disk 0 scanning sectors +625139712
11:06:29.788 Disk 0 scanning C:\Windows\system32\drivers
11:06:37.323 Service scanning
11:06:56.979 Modules scanning
11:07:03.391 Disk 0 trace - called modules:
11:07:03.406 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS intelide.sys PCIIDEX.SYS atapi.sys
11:07:03.406 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8617d5e0]
11:07:03.406 3 CLASSPNP.SYS[8b39859e] -> nt!IofCallDriver -> [0x85ccf918]
11:07:03.422 5 ACPI.sys[8aeb93d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0x85cf2030]
11:07:03.812 AVAST engine scan C:\Windows
11:07:05.762 AVAST engine scan C:\Windows\system32
11:09:13.401 AVAST engine scan C:\Windows\system32\drivers
11:09:22.870 AVAST engine scan C:\Users\Caroline Butterwick
11:10:38.487 Disk 0 MBR has been saved successfully to "C:\Users\Caroline Butterwick\Desktop\MBR.dat"
11:10:38.487 The log file has been saved successfully to "C:\Users\Caroline Butterwick\Desktop\aswMBR.txt"


This is the result of the second scan.

Farbar Service Scanner Version: 23-12-2012
Ran by Caroline Butterwick (administrator) on 31-12-2012 at 11:12:41
Running from "C:\Users\Caroline Butterwick\Desktop"
Windows 7 Home Premium Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Other Services:
==============


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2012-11-27 15:01] - [2012-10-03 16:58] - 1293680 ____A (Microsoft Corporation) E23A56F843E2AEBBB209D0ACCA73C640

C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

Thank you :-)
  • 0

#6
WhiteHat

WhiteHat

    Trusted Helper

  • Retired Staff
  • 1,925 posts
Ok, nothing wrong with your logs.

Disable your antivirus software
  • Acess the Eset Online Scanner website using Internet Explorer navigator.
    http://www.eset.com/us/online-scanner/
  • Do the scan according the image:

    Posted Image
  • At the end, check the box "Delete Quarantined files" and click in [FINISH]
  • It will be generated a log in C:\Program Files\EsetOnlineScanner\Log.txt
    PS: If you didn't find the log.txt file in \EsetOnlineScanner\, look on \Program Files\Eset\EsetOnlineScanner\log.txt
  • Post that log.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP