Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Can't Download and Open Files [Closed]


  • This topic is locked This topic is locked

#1
robkbriggs

robkbriggs

    Member

  • Member
  • PipPipPip
  • 122 posts
Hello,
I have someone that I'm helping that is having trouble downloading files. Basically, anything they try to download or open from the internet or their email is met with a dialog box saying that the file contained a virus and was deleted. It looks like a box from Microsoft Security Essentials, but from what I see, I don't see that the processes for MSE are running.

Here is the OTL log
OTL logfile created on: 6/14/2013 4:04:17 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\BCI\Desktop
Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.16 Gb Total Physical Memory | 2.10 Gb Available Physical Memory | 66.22% Memory free
6.33 Gb Paging File | 5.11 Gb Available in Paging File | 80.83% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 452.57 Gb Total Space | 418.51 Gb Free Space | 92.47% Space Free | Partition Type: NTFS
Drive E: | 963.73 Mb Total Space | 963.16 Mb Free Space | 99.94% Space Free | Partition Type: FAT

Computer Name: CUMMINGSLAW-2 | User Name: BCI | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/06/13 15:56:46 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\BCI\Desktop\OTL.exe
PRC - [2013/05/10 01:57:22 | 000,065,640 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2012/11/22 20:48:41 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2012/10/20 21:51:54 | 001,422,912 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
PRC - [2012/04/11 21:01:11 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2011/02/23 23:10:24 | 000,212,944 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Services\IPT\jhi_service.exe
PRC - [2010/12/03 17:19:26 | 002,656,280 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
PRC - [2010/12/03 17:19:20 | 000,325,656 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe


========== Modules (No Company Name) ==========

MOD - [2011/06/10 12:36:34 | 000,094,208 | ---- | M] () -- C:\Windows\System32\IccLibDll.dll
MOD - [2011/03/17 00:11:16 | 004,297,568 | ---- | M] () -- C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF


========== Services (SafeList) ==========

SRV - [2013/06/12 10:17:35 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/05/10 01:57:22 | 000,065,640 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2013/01/27 12:11:46 | 000,295,232 | ---- | M] () [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV - [2013/01/27 12:11:46 | 000,020,456 | ---- | M] () [Auto | Stopped] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2012/04/16 14:48:03 | 001,343,400 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2011/02/23 23:10:24 | 000,212,944 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Services\IPT\jhi_service.exe -- (jhi_service)
SRV - [2010/12/03 17:19:26 | 002,656,280 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe -- (UNS)
SRV - [2010/12/03 17:19:20 | 000,325,656 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe -- (LMS)
SRV - [2010/11/25 04:34:18 | 000,219,632 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe -- (RoxWatch12)
SRV - [2010/11/25 04:33:18 | 001,116,656 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe -- (RoxMediaDB12OEM)
SRV - [2009/07/13 19:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\StorSvc.dll -- (StorSvc)
SRV - [2009/07/13 19:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 19:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/13 19:15:41 | 000,680,960 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | System | Stopped] -- C:\Windows\system32\drivers\jeyvfpbk.sys -- (jeyvfpbk)
DRV - File not found [Kernel | System | Stopped] -- C:\Windows\system32\drivers\hprrjcuc.sys -- (hprrjcuc)
DRV - [2013/01/20 16:59:04 | 000,100,328 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV - [2012/08/23 08:44:32 | 000,014,848 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV - [2012/08/23 08:41:34 | 000,027,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV - [2012/08/23 08:40:25 | 000,049,664 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2011/03/10 17:28:24 | 001,281,664 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CHDRT32.sys -- (CnxtHdAudService)
DRV - [2010/11/20 15:29:03 | 000,126,464 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\netvsc60.sys -- (netvsc)
DRV - [2010/11/20 15:29:03 | 000,062,464 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\dmvsc.sys -- (dmvsc)
DRV - [2010/11/20 15:29:03 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2010/11/20 15:29:03 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\storvsc.sys -- (storvsc)
DRV - [2010/11/20 15:29:03 | 000,019,456 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VMBusVideoM.sys -- (SynthVid)
DRV - [2010/11/20 15:29:03 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VMBusHID.sys -- (VMBusHID)
DRV - [2010/11/20 15:29:03 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vms3cap.sys -- (s3cap)
DRV - [2010/10/19 18:33:40 | 000,041,088 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HECI.sys -- (MEI)
DRV - [2010/10/15 03:27:18 | 000,269,824 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\IntcDAud.sys -- (IntcDAud)
DRV - [2009/07/13 18:18:07 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\WSDPrint.sys -- (WSDPrintDevice)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USREL/1
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = Reg Error: Value error.
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = Reg Error: Value error.
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/USREL/1
IE - HKLM\..\SearchScopes,DefaultScope = {F582FAD8-B712-4E97-9F60-4D71AF9E1182}
IE - HKLM\..\SearchScopes\{F582FAD8-B712-4E97-9F60-4D71AF9E1182}: "URL" = http://www.bing.com/...rc=IE-SearchBox

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USREL/1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKCU\..\SearchScopes,DefaultScope = {F582FAD8-B712-4E97-9F60-4D71AF9E1182}
IE - HKCU\..\SearchScopes\{EA7AFB2B-66E2-457E-9399-97517DC622C9}: "URL" = http://search.condui...486100854607560
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@ei.Astrology_4a.com/Plugin: C:\Program Files\Astrology_4aEI\Installr\1.bin\NP4aEISB.dll (Astrology.com)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.21.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.21.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=16.4.3505.0912: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{22C7F6C6-8D67-4534-92B5-529A0EC09405}: c:\Program Files\Trend Micro\Client Server Security Agent\bho\1009\FirefoxExtension


O1 HOSTS File: ([2009/06/10 15:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (TmIEPlugInBHO Class) - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - c:\Program Files\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg.dll File not found
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O13 - gopher Prefix: missing
O16 - DPF: {2AB1C516-6654-4D3A-B3D6-2185BBCEB409} https://173.184.114....svrloader32.cab (Cisco SSL VPN Relay Loader)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.254.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{169531DF-6950-404D-BB8B-A2F99F5CA5FB}: DhcpNameServer = 192.168.254.254
O18 - Protocol\Handler\tmpx {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\Program Files\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg.dll File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 15:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{67a221ee-e783-11e1-ac29-d4bed9c99b45}\Shell - "" = AutoRun
O33 - MountPoints2\{67a221ee-e783-11e1-ac29-d4bed9c99b45}\Shell\AutoRun\command - "" = E:\TL-Bootstrap.exe
O33 - MountPoints2\{7b7dbfa7-cb39-11e1-afd2-d4bed9c99b45}\Shell - "" = AutoRun
O33 - MountPoints2\{7b7dbfa7-cb39-11e1-afd2-d4bed9c99b45}\Shell\AutoRun\command - "" = E:\TL-Bootstrap.exe
O33 - MountPoints2\{7b7dc271-cb39-11e1-afd2-d4bed9c99b45}\Shell - "" = AutoRun
O33 - MountPoints2\{7b7dc271-cb39-11e1-afd2-d4bed9c99b45}\Shell\AutoRun\command - "" = E:\TL-Bootstrap.exe
O33 - MountPoints2\{a9f34cea-fcba-11e1-ac22-d4bed9c99b45}\Shell - "" = AutoRun
O33 - MountPoints2\{a9f34cea-fcba-11e1-ac22-d4bed9c99b45}\Shell\AutoRun\command - "" = E:\TL-Bootstrap.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2013/06/14 16:04:10 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\BCI\Desktop\OTL.exe
[2013/06/13 15:40:15 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2013/06/13 15:39:53 | 000,866,720 | ---- | C] (Oracle Corporation) -- C:\Windows\System32\npDeployJava1.dll
[2013/06/13 15:39:53 | 000,263,584 | ---- | C] (Oracle Corporation) -- C:\Windows\System32\javaws.exe
[2013/06/13 15:39:50 | 000,174,496 | ---- | C] (Oracle Corporation) -- C:\Windows\System32\javaw.exe
[2013/06/13 15:39:50 | 000,174,496 | ---- | C] (Oracle Corporation) -- C:\Windows\System32\java.exe
[2013/06/13 15:39:50 | 000,094,112 | ---- | C] (Oracle Corporation) -- C:\Windows\System32\WindowsAccessBridge.dll
[2013/06/13 15:39:46 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2013/06/13 03:00:39 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2013/06/13 03:00:38 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2013/06/13 03:00:38 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2013/06/13 03:00:37 | 000,607,744 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2013/06/13 03:00:37 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2013/06/13 03:00:36 | 001,800,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2013/06/13 03:00:36 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2013/06/13 03:00:35 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2013/06/12 03:55:35 | 001,505,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d11.dll
[2013/06/12 03:55:32 | 000,024,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\cryptdlg.dll
[2013/06/12 03:55:28 | 000,903,168 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\certutil.exe
[2013/06/12 03:55:28 | 000,043,008 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\certenc.dll
[2013/06/12 03:55:26 | 003,968,872 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2013/06/12 03:55:26 | 003,913,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/06/14 15:59:14 | 000,674,004 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2013/06/14 15:59:14 | 000,125,360 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2013/06/14 15:16:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013/06/13 15:56:54 | 000,021,312 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013/06/13 15:56:54 | 000,021,312 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013/06/13 15:56:46 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\BCI\Desktop\OTL.exe
[2013/06/13 15:49:46 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/06/13 15:49:42 | 2548,776,960 | -HS- | M] () -- C:\hiberfil.sys
[2013/06/13 15:39:47 | 000,866,720 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\npDeployJava1.dll
[2013/06/13 15:39:47 | 000,788,896 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\deployJava1.dll
[2013/06/13 15:39:47 | 000,263,584 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\javaws.exe
[2013/06/13 15:39:47 | 000,174,496 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\javaw.exe
[2013/06/13 15:39:47 | 000,174,496 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\java.exe
[2013/06/13 15:39:47 | 000,094,112 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\WindowsAccessBridge.dll
[2013/06/12 10:17:31 | 000,692,104 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
[2013/06/12 10:17:31 | 000,071,048 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2013/06/05 15:54:11 | 001,475,144 | ---- | M] () -- C:\Users\BCI\Desktop\toribio molinar.pdf
[2013/06/05 15:49:04 | 006,025,223 | ---- | M] () -- C:\Users\BCI\Desktop\kara kittrell.pdf
[2013/06/05 15:48:21 | 015,616,832 | ---- | M] () -- C:\Users\BCI\Desktop\stephanie simmons.pdf
[2013/06/05 15:44:54 | 002,000,707 | ---- | M] () -- C:\Users\BCI\Desktop\star detasseling.pdf
[2013/06/05 15:40:44 | 006,568,151 | ---- | M] () -- C:\Users\BCI\Desktop\jennifer granger.pdf
[2013/06/05 15:40:22 | 011,842,758 | ---- | M] () -- C:\Users\BCI\Desktop\marylin mcmanus.pdf
[2013/05/16 16:39:39 | 001,800,704 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2013/05/16 16:27:30 | 001,427,968 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2013/05/16 16:26:07 | 000,231,936 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2013/05/16 16:23:35 | 000,065,024 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2013/05/16 16:21:37 | 000,142,848 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2013/05/16 16:19:25 | 000,607,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2013/05/16 16:16:57 | 002,382,848 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2013/05/16 16:12:55 | 000,176,640 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013/06/05 15:54:11 | 001,475,144 | ---- | C] () -- C:\Users\BCI\Desktop\toribio molinar.pdf
[2013/06/05 15:49:04 | 006,025,223 | ---- | C] () -- C:\Users\BCI\Desktop\kara kittrell.pdf
[2013/06/05 15:48:20 | 015,616,832 | ---- | C] () -- C:\Users\BCI\Desktop\stephanie simmons.pdf
[2013/06/05 15:44:54 | 002,000,707 | ---- | C] () -- C:\Users\BCI\Desktop\star detasseling.pdf
[2013/06/05 15:40:44 | 006,568,151 | ---- | C] () -- C:\Users\BCI\Desktop\jennifer granger.pdf
[2013/06/05 15:40:21 | 011,842,758 | ---- | C] () -- C:\Users\BCI\Desktop\marylin mcmanus.pdf
[2012/08/10 07:55:28 | 000,060,304 | ---- | C] () -- C:\Users\BCI\g2mdlhlpx.exe
[2012/04/11 20:50:03 | 000,080,416 | ---- | C] () -- C:\Windows\System32\RtNicProp32.dll
[2012/04/11 20:49:31 | 000,963,116 | ---- | C] () -- C:\Windows\System32\igkrng600.bin
[2012/04/11 20:49:30 | 000,218,304 | ---- | C] () -- C:\Windows\System32\igfcg600m.bin
[2012/04/11 20:49:30 | 000,056,832 | ---- | C] () -- C:\Windows\System32\igdde32.dll
[2012/04/11 20:49:30 | 000,004,096 | ---- | C] ( ) -- C:\Windows\System32\IGFXDEVLib.dll
[2012/04/11 20:49:29 | 013,906,944 | ---- | C] () -- C:\Windows\System32\ig4icd32.dll
[2012/04/11 20:49:29 | 000,145,804 | ---- | C] () -- C:\Windows\System32\igcompkrng600.bin
[2012/04/11 20:49:29 | 000,094,208 | ---- | C] () -- C:\Windows\System32\IccLibDll.dll
[2012/04/11 20:49:29 | 000,000,151 | ---- | C] () -- C:\Windows\System32\GfxUI.exe.config
[2012/04/11 20:49:20 | 000,030,895 | ---- | C] () -- C:\Windows\System32\drivers\Mixer.ini
[2012/04/11 19:21:17 | 000,008,192 | ---- | C] () -- C:\Windows\System32\drivers\IntelMEFWVer.dll

========== ZeroAccess Check ==========

[2013/06/12 10:05:32 | 000,000,000 | -HSD | M] -- C:\$Recycle.Bin\S-1-5-18\$bf18fe453e0bb343a437734f3b026a78\L
[2013/06/12 10:05:32 | 000,000,000 | -HSD | M] -- C:\$Recycle.Bin\S-1-5-18\$bf18fe453e0bb343a437734f3b026a78\U
[2009/07/13 22:42:31 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2013/02/26 22:55:05 | 012,872,704 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/07/13 19:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

< End of report >
  • 0

Advertisements


#2
godawgs

godawgs

    Teacher

  • Retired Staff
  • 8,228 posts
Hello robkbriggs, :wave: Welcome to the forums!
:welcome:. My name is godawgs and I will be assisting you with your Virus / Malware issues.

Unfortunately I have some bad news. Your friend's pc is infected with the Zero Access rootkit.


:alarm:
Warning: One or more of the identified infections on your computer is known to use a backdoor!
These are information stealing trojans installed on your computer.
Backdoor Trojans, IRCBots, keyloggers and Infostealers are very dangerous because they provide a way of accessing a computer system that bypasses security mechanisms and can steal sensitive information like passwords, personal and financial data which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to to gain unauthorized access to a computer and take control of it without your knowledge.

I would advise you to immediately disconnect this computer from the internet except when reading my posts, downloading the required tools and replying to this topic on this forum only.

If your computer was used for online banking, has credit card information or other sensitive data on it, I suggest you do the following:
  • All passwords should be changed to include those used for banking, email, eBay, Facebook ect; and forums. You should consider them to be compromised. They should be changed using a different computer and not the infected one. If you use the infected computer, an attacker may get the new passwords and transaction information.
  • Banking and credit card institutions should be notified of the possible security breach.

Though the infection has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS.
Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall


We can still clean this machine but I can't guarantee that it will be 100% secure afterward. Let me know whether you want to try to clean the infection or reinstall Windows. Sorry :(
  • 0

#3
robkbriggs

robkbriggs

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 122 posts
godawgs,

Thanks for your input. I have advised my friend what you said, but I have not heard back. It's been a couple of days, but I just wanted to give a short update. Do you think we should leave this topic open?
  • 0

#4
godawgs

godawgs

    Teacher

  • Retired Staff
  • 8,228 posts
Thanks for the update.
The topic will be left open as long as it is replied to within 4 days of the last post. If you haven't heard from your friend within the next 4 days just come back and post that and the topic will be left open for another 4 days. If you haven't heard by then I don't think you will and you can just let the 4 days expire and the topic will be closed :thumbsup:
  • 0

#5
godawgs

godawgs

    Teacher

  • Retired Staff
  • 8,228 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP