
Suspicious Activity, Windows Opened [Solved]


This topic is locked

#16
crooleeck
Member, 882 posts

Step 1:
OTL fix:
Please copy the following script:

:reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Documents and Settings\Administrator\My Documents\My Downloads 121408\Computer Security\Soluto\solutoinstaller.exe"=-
"C:\Documents and Settings\Administrator\desktop\solutoinstaller-_we5LFw2c3A4.exe"=-
"C:\Documents and Settings\Administrator\My Documents\Downloads\solutoinstaller.exe"=-

:commands
[reboot]

 

Run OTL and paste it under Custom Scans/Fixes. Close all windows except OTL and hit the Run Fix button. Please agree to the restart. After the computer starts, OTL will display the removal log; please post it.

Step 2:
OTL Quick Scan

  • Run OTL again.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:
    C:\Documents and Settings\Administrator\My Documents\My Downloads 121408\Computer Security\*.*
  • Hit the Quick Scan button.

This scan won't take long. Please post the log in your next reply.



#17
joseph456
Topic Starter, Member, 455 posts

Thanks for your comprehensive help!

 

Is this the first log? OTL did not post. Found it by searching for *.log

 

========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Documents and Settings\Administrator\My Documents\My Downloads 121408\Computer Security\Soluto\solutoinstaller.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Documents and Settings\Administrator\desktop\solutoinstaller-_we5LFw2c3A4.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Documents and Settings\Administrator\My Documents\Downloads\solutoinstaller.exe deleted successfully.
========== COMMANDS ==========
 
OTL by OldTimer - Version 3.2.69.0 log created on 04042014_190324
 

2nd OTL log: 

 

OTL logfile created on: 4/4/2014 7:14:48 PM - Run 5
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
2.00 Gb Total Physical Memory | 1.27 Gb Available Physical Memory | 63.62% Memory free
3.86 Gb Paging File | 3.31 Gb Available in Paging File | 85.56% Paging File free
Paging file location(s): C:\pagefile.sys 2060 4096 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 10.43 Gb Free Space | 27.98% Space Free | Partition Type: NTFS
 
Computer Name: S0034324532 | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2014/03/23 15:15:11 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\desktop\OTL.exe
PRC - [2014/03/18 09:49:28 | 000,275,568 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2013/10/23 16:01:10 | 000,300,552 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MpCmdRun.exe
PRC - [2013/10/23 16:01:10 | 000,022,208 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
PRC - [2013/10/23 15:55:28 | 000,948,440 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2013/06/28 18:48:04 | 000,014,624 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINNT\explorer.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2014/03/18 09:48:40 | 003,642,480 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2014/02/12 21:01:43 | 000,221,696 | ---- | M] () -- C:\WINNT\assembly\NativeImages_v4.0.30319_32\System.ServiceProce#\2e3fdae8546832614633495638bef8d0\System.ServiceProcess.ni.dll
MOD - [2014/02/12 20:56:29 | 000,762,880 | ---- | M] () -- C:\WINNT\assembly\NativeImages_v4.0.30319_32\System.Runtime.Remo#\8556fa9ad747e43a85e107dbeb42659e\System.Runtime.Remoting.ni.dll
MOD - [2014/02/12 20:56:26 | 000,787,456 | ---- | M] () -- C:\WINNT\assembly\NativeImages_v4.0.30319_32\System.EnterpriseSe#\6a5f031a28c774f1163af0715c3a6097\System.EnterpriseServices.ni.dll
MOD - [2014/02/12 20:56:25 | 000,649,728 | ---- | M] () -- C:\WINNT\assembly\NativeImages_v4.0.30319_32\System.Transactions\fc7255cccb69c45a808b3d7e6abf55c5\System.Transactions.ni.dll
MOD - [2014/02/12 20:52:14 | 006,817,280 | ---- | M] () -- C:\WINNT\assembly\NativeImages_v4.0.30319_32\System.Data\2c4f9ef6baacb578ab136a5b30ada098\System.Data.ni.dll
MOD - [2014/02/12 20:51:48 | 001,014,272 | ---- | M] () -- C:\WINNT\assembly\NativeImages_v4.0.30319_32\System.Configuration\991c4e11f571a4074b9c4a5841222338\System.Configuration.ni.dll
MOD - [2014/02/12 20:51:36 | 005,628,928 | ---- | M] () -- C:\WINNT\assembly\NativeImages_v4.0.30319_32\System.Xml\850fa7110c7423c324762c1ad3130219\System.Xml.ni.dll
MOD - [2014/02/12 20:51:24 | 013,199,360 | ---- | M] () -- C:\WINNT\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\2781e84862746a34f026d0ee179eed2b\System.Windows.Forms.ni.dll
MOD - [2014/02/12 20:51:16 | 007,070,720 | ---- | M] () -- C:\WINNT\assembly\NativeImages_v4.0.30319_32\System.Core\354a5906fd46f4374f86916debf3ebcb\System.Core.ni.dll
MOD - [2014/02/12 20:50:59 | 001,667,584 | ---- | M] () -- C:\WINNT\assembly\NativeImages_v4.0.30319_32\System.Drawing\243ff1822abc8282cb8fee37538170b4\System.Drawing.ni.dll
MOD - [2014/02/12 20:50:52 | 009,099,776 | ---- | M] () -- C:\WINNT\assembly\NativeImages_v4.0.30319_32\System\4c906eb82e6f56aea01b2a7291fab7ea\System.ni.dll
MOD - [2014/02/12 20:50:35 | 014,416,896 | ---- | M] () -- C:\WINNT\assembly\NativeImages_v4.0.30319_32\mscorlib\4e62d1d9b7dd2c2d14915abb73c22d50\mscorlib.ni.dll
MOD - [2006/06/26 19:02:49 | 000,049,852 | ---- | M] () -- C:\WINNT\system32\pdf995mon.dll
 
 
========== Services (SafeList) ==========
 
SRV - [2014/03/18 09:49:27 | 000,119,408 | ---- | M] (Mozilla Foundation) [Disabled | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2014/03/12 17:56:53 | 000,257,928 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINNT\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/10/23 16:01:10 | 000,022,208 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2013/06/28 18:48:04 | 000,014,624 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe -- (IntuitUpdateServiceV4)
SRV - [2010/08/23 21:21:40 | 000,013,672 | ---- | M] (Intuit Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2003/10/15 18:13:06 | 000,077,824 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\passthru.exe -- (PassThru)
SRV - [2003/03/03 14:33:40 | 000,143,360 | ---- | M] (Intel® Corporation) [On_Demand | Stopped] -- C:\Program Files\Intel\NCS\Sync\NetSvc.exe -- (NetSvc)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Program Files\Internet Explorer\SABProcEnum.sys -- (SABProcEnum)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\Drivers\PROCEXP151.SYS -- (PROCEXP151)
DRV - [2013/09/10 19:25:16 | 000,003,840 | ---- | M] () [Kernel | System | Running] -- C:\WINNT\system32\drivers\BANTExt.sys -- (BANTExt)
DRV - [2007/09/28 14:30:57 | 000,019,345 | ---- | M] (Motive, Inc.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMPR5.sys -- (MREMPR5)
DRV - [2007/09/28 14:30:49 | 000,018,003 | ---- | M] (Motive, Inc.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRENDIS5.sys -- (MRENDIS5)
DRV - [2007/06/05 11:56:40 | 000,044,928 | ---- | M] (Panda Software) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\SDTHOOK.SYS -- (SDTHOOK)
DRV - [2006/04/26 21:44:22 | 000,028,672 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\CO_Mon.sys -- (CO_Mon)
DRV - [2005/08/09 20:35:42 | 001,273,856 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/07/31 15:21:32 | 000,200,704 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINNT\System32\drivers\udfreadr.sys -- (UdfReadr)
DRV - [2003/10/14 17:05:28 | 000,252,144 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\STAC97.sys -- (STAC97)
DRV - [2003/07/17 18:40:06 | 000,265,728 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2003/06/27 09:53:44 | 001,196,352 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2003/03/17 18:39:12 | 000,020,352 | ---- | M] (Intel Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\iqvw32.sys -- (NAL)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Overture
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.overture....s={searchTerms}
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = https://classic.netaddress.com/tpl [Binary data over 200 bytes]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co...urce=gama&hl=en
IE - HKCU\..\SearchScopes,DefaultScope = {91E988AB-50B7-46B0-B45D-5CF6103F052F}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...Box&Form=IE8SRC
IE - HKCU\..\SearchScopes\{79141AC0-4211-45BD-8AD5-0CAC7ACCA01B}: "URL" = http://www.bing.com/...rc=IE-SearchBox
IE - HKCU\..\SearchScopes\{91E988AB-50B7-46B0-B45D-5CF6103F052F}: "URL" = http://www.google.co...age={startPage}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = localhost
 
========== FireFox ==========
 
FF - prefs.js..browser.startup.homepage: "http://www.netvibes....le.com/finance"
FF - prefs.js..extensions.enabledAddons: %7B1BC9BA34-1EED-42ca-A505-6D2F1A935BBB%7D:5.12.12.1
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:28.0
FF - prefs.js..keyword.URL: "http://www.google.co...ient&gfns=1&q="
FF - user.js - File not found
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINNT\system32\Macromed\Flash\NPSWF32_12_0_0_77.dll ()
FF - HKLM\Software\MozillaPlugins\@canon.com/EPPEX: C:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL (CANON INC.)
FF - HKLM\Software\MozillaPlugins\@garmin.com/GpsControl: C:\Program Files\Garmin GPS Plugin\npGarmin.dll (GARMIN Corp.)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.10.2: C:\WINNT\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINNT\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=8:  File not found
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKLM\Software\MozillaPlugins\[email protected]/YahooActiveXPluginBridge;version=1.0.0.1:  File not found
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 28.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 28.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
 
[2011/10/01 11:21:49 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2014/03/20 16:54:02 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\miobjuei.default-1349313115875\extensions
[2013/12/16 10:20:14 | 000,000,000 | ---D | M] (IE Tab 2 (FF 3.6+)) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\miobjuei.default-1349313115875\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}
[2014/03/18 09:48:16 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\browser\extensions
[2014/03/18 09:49:29 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
 
O1 HOSTS File: ([2012/10/25 19:13:12 | 000,000,098 | ---- | M]) - C:\WINNT\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: ::1       localhost
O2 - BHO: (Canon Easy-WebPrint EX BHO) - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll (CANON INC.)
O3 - HKLM\..\Toolbar: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
O3 - HKCU\..\Toolbar\WebBrowser: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Billminder.lnk = C:\QUICKENW\billmind.exe (Intuit)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O15 - HKCU\..Trusted Domains: geekstogo.com ([www] http in Trusted sites)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gofsg.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{050C88C6-9DB9-4307-B7C2-8D384252F0A1}: DhcpNameServer = 192.168.100.5
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{62DA5302-5FB3-4816-A3DE-94EFDB50EBF7}: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\BelarcAdvisor\System\BAVoilaX.dll (Belarc, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINNT\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINNT\system32\userinit.exe) - C:\WINNT\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINNT\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop Components:0 () -
O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/10/15 23:31:53 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{5e59674a-b37a-11e1-9bd2-00904b847847}\Shell - "" = AutoRun
O33 - MountPoints2\{5e59674a-b37a-11e1-9bd2-00904b847847}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{5e59674a-b37a-11e1-9bd2-00904b847847}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O33 - MountPoints2\{663fc156-6412-11e1-9ba3-00904b847847}\Shell - "" = AutoRun
O33 - MountPoints2\{663fc156-6412-11e1-9ba3-00904b847847}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{663fc156-6412-11e1-9ba3-00904b847847}\Shell\AutoRun\command - "" = E:\KODAK_Camera_Setup_App.exe
O33 - MountPoints2\{8382f4fc-c626-11dd-9808-00904b847847}\Shell - "" = AutoRun
O33 - MountPoints2\{8382f4fc-c626-11dd-9808-00904b847847}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{8382f4fc-c626-11dd-9808-00904b847847}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O33 - MountPoints2\{9f2e57b0-d2a7-11dd-9825-00904b847847}\Shell - "" = AutoRun
O33 - MountPoints2\{9f2e57b0-d2a7-11dd-9825-00904b847847}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{9f2e57b0-d2a7-11dd-9825-00904b847847}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2014/04/03 00:19:31 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Recent
[2014/04/02 23:47:42 | 000,107,736 | ---- | C] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\MBAMSwissArmy.sys
[2014/04/02 23:46:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
[2014/04/02 23:46:33 | 000,050,648 | ---- | C] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbamchameleon.sys
[2014/04/02 23:46:33 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes Anti-Malware
[2014/03/30 14:39:06 | 000,000,000 | ---D | C] -- C:\_OTL
[2014/03/29 18:44:25 | 004,787,368 | ---- | C] (Piriform Ltd) -- C:\Documents and Settings\Administrator\Desktop\ccsetup412.exe
[2014/03/29 17:39:04 | 000,000,000 | ---D | C] -- C:\AdwCleaner
[2014/03/29 14:53:46 | 004,745,728 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Administrator\Desktop\aswMBR.exe
[2014/03/23 15:15:04 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2014/03/18 09:48:16 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2006/10/10 20:40:37 | 000,389,120 | ---- | C] (Citrix Online) -- C:\Documents and Settings\Administrator\remote.exe
 
========== Files - Modified Within 30 Days ==========
 
[2014/04/04 19:14:57 | 000,000,384 | -H-- | M] () -- C:\WINNT\tasks\Microsoft Antimalware Scheduled Scan.job
[2014/04/04 19:05:14 | 000,001,158 | ---- | M] () -- C:\WINNT\System32\wpa.dbl
[2014/04/04 19:04:42 | 000,002,048 | --S- | M] () -- C:\WINNT\bootstat.dat
[2014/04/04 18:01:13 | 000,004,616 | -H-- | M] () -- C:\Documents and Settings\Administrator\My Documents\Default.rdp
[2014/04/04 17:46:00 | 000,000,826 | ---- | M] () -- C:\WINNT\tasks\Adobe Flash Player Updater.job
[2014/04/03 18:27:54 | 000,002,256 | ---- | M] () -- C:\WINNT\QUICKEN.INI
[2014/04/02 23:49:29 | 000,107,736 | ---- | M] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\MBAMSwissArmy.sys
[2014/03/31 19:58:23 | 000,001,404 | ---- | M] () -- C:\quotes.csv
[2014/03/31 19:55:10 | 000,002,501 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Calculator Plus.lnk
[2014/03/29 19:31:39 | 000,171,084 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\211172-GA-1.pdf
[2014/03/29 19:12:16 | 000,190,131 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\http   www.ebay.pdf
[2014/03/29 18:45:27 | 004,787,368 | ---- | M] (Piriform Ltd) -- C:\Documents and Settings\Administrator\Desktop\ccsetup412.exe
[2014/03/29 18:42:35 | 004,257,724 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Commercial Catalog.pdf
[2014/03/29 18:02:47 | 000,025,579 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\eBay.pdf
[2014/03/29 17:38:00 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\MBR.dat
[2014/03/29 14:54:48 | 001,950,720 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\adwcleaner.exe
[2014/03/29 14:54:39 | 004,745,728 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Administrator\Desktop\aswMBR.exe
[2014/03/29 14:40:10 | 000,094,785 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Infiniti USA eStore.htm
[2014/03/28 09:49:31 | 000,312,607 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\McGuffie 09Apr14 Web v3.pdf
[2014/03/23 15:17:53 | 000,000,155 | ---- | M] () -- C:\WINNT\INTUIT.INI
[2014/03/23 15:15:11 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2014/03/23 13:30:52 | 000,388,792 | ---- | M] () -- C:\WINNT\System32\FNTCACHE.DAT
[2014/03/22 10:29:22 | 000,163,059 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Documents_for_your_DocuSign_Signature_-_Updat.pdf
[2014/03/21 10:22:11 | 000,312,501 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\McGuffie 09Apr14 Web v2.pdf
[2014/03/19 21:32:56 | 000,018,637 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\022014StatementDisplay.pdf
[2014/03/18 19:56:21 | 000,043,880 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\889956908_build.pdf
[2014/03/17 18:54:43 | 000,002,455 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\TurboTax 2013.lnk
[2014/03/16 18:38:35 | 000,521,577 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\f4868.pdf
[2014/03/15 19:42:06 | 000,198,529 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\VBMTPMenuFeb14.pdf
[2014/03/15 19:12:25 | 000,081,277 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\https   citieasydeals.universalcard.pdf
[2014/03/15 10:26:01 | 000,015,812 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Intuit.pdf
[2014/03/14 21:55:23 | 000,488,206 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\qph75 v1-1-0.zip
[2014/03/14 18:01:01 | 001,111,963 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\scan0001.pdf
[2014/03/13 22:43:08 | 000,411,907 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\FE_Social_Security_Methodology_0214.pdf
[2014/03/12 10:02:27 | 000,505,162 | ---- | M] () -- C:\WINNT\System32\perfh009.dat
[2014/03/12 10:02:26 | 000,087,298 | ---- | M] () -- C:\WINNT\System32\perfc009.dat
[2014/03/09 17:13:26 | 000,832,761 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\financialplanning201310-13799126730002dad1a4d13-pp.pdf
 
========== Files Created - No Company Name ==========
 
[2014/03/31 19:59:47 | 000,001,404 | ---- | C] () -- C:\quotes.csv
[2014/03/29 19:31:40 | 000,171,084 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\211172-GA-1.pdf
[2014/03/29 19:12:15 | 000,190,131 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\http   www.ebay.pdf
[2014/03/29 18:41:48 | 004,257,724 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Commercial Catalog.pdf
[2014/03/29 18:02:44 | 000,025,579 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\eBay.pdf
[2014/03/29 17:38:00 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\MBR.dat
[2014/03/29 14:54:05 | 001,950,720 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\adwcleaner.exe
[2014/03/29 14:40:09 | 000,094,785 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Infiniti USA eStore.htm
[2014/03/28 09:49:31 | 000,312,607 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\McGuffie 09Apr14 Web v3.pdf
[2014/03/23 13:30:52 | 000,388,792 | ---- | C] () -- C:\WINNT\System32\FNTCACHE.DAT
[2014/03/22 10:29:24 | 000,163,059 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Documents_for_your_DocuSign_Signature_-_Updat.pdf
[2014/03/21 10:22:10 | 000,312,501 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\McGuffie 09Apr14 Web v2.pdf
[2014/03/19 21:32:55 | 000,018,637 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\022014StatementDisplay.pdf
[2014/03/18 19:56:24 | 000,043,880 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\889956908_build.pdf
[2014/03/16 18:38:33 | 000,521,577 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\f4868.pdf
[2014/03/15 19:12:23 | 000,081,277 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\https   citieasydeals.universalcard.pdf
[2014/03/15 10:25:10 | 000,015,812 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Intuit.pdf
[2014/03/14 21:55:24 | 000,488,206 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\qph75 v1-1-0.zip
[2014/03/14 18:00:46 | 001,111,963 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\scan0001.pdf
[2014/03/13 22:43:05 | 000,411,907 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\FE_Social_Security_Methodology_0214.pdf
[2014/03/09 17:13:22 | 000,832,761 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\financialplanning201310-13799126730002dad1a4d13-pp.pdf
[2013/10/08 21:41:44 | 000,000,288 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\.backup.dm
[2012/01/12 20:15:28 | 004,379,496 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-515416071-1635729839-3118798863-500-0.dat
[2012/01/12 20:15:25 | 000,372,830 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2012/01/12 19:55:59 | 000,001,177 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.400.32.bc
[2011/11/20 12:49:01 | 003,153,920 | ---- | C] () -- C:\Documents and Settings\Administrator\secsetup.sdb
[2011/07/11 23:50:36 | 000,000,193 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.351.32.bc
[2008/02/13 16:43:33 | 000,072,080 | ---- | C] () -- C:\Documents and Settings\Administrator\g2mdlhlpx.exe
[2006/06/08 23:07:13 | 000,000,602 | ---- | C] () -- C:\Documents and Settings\Administrator\backup.sus
[2005/11/16 19:37:50 | 000,052,337 | ---- | C] () -- C:\Documents and Settings\Administrator\WinPatrolLog.html
[2005/11/10 21:48:57 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
[2005/11/02 17:50:38 | 000,000,008 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol
[2005/10/18 21:18:38 | 000,010,240 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
 
========== ZeroAccess Check ==========
 
[2003/10/07 08:59:36 | 000,000,227 | RHS- | M] () -- C:\WINNT\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\System32\shdocvw.dll -- [2008/04/13 20:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINNT\System32\wbem\fastprox.dll -- [2009/02/09 08:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINNT\System32\wbem\wbemess.dll -- [2008/04/13 20:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
========== LOP Check ==========
 
[2007/06/02 19:56:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\aignes
[2010/01/31 13:07:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\AltrixSoft
[2012/10/20 09:59:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Auslogics
[2010/01/03 16:25:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Canon
[2014/03/01 02:42:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Canon Easy-WebPrint EX
[2010/02/14 11:10:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\cronometer
[2012/04/19 09:17:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\ElevatedDiagnostics
[2012/09/08 10:24:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\GARMIN
[2007/09/20 19:26:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Leadertech
[2005/11/01 22:00:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Learn2.com
[2009/07/13 20:57:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Neverball
[2004/10/25 23:32:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\pdf995
[2007/05/08 13:41:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\SmartDraw
[2008/12/24 00:12:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Software Informer
[2008/12/13 01:10:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Windows Search
[2013/11/09 17:59:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\WinPatrol
[2009/01/08 00:22:42 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\ActiveSMART
[2013/08/08 19:41:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Auslogics
[2010/01/02 19:17:10 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2010/01/12 10:45:10 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJEGV
[2010/01/03 16:25:13 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJScan
[2012/11/28 23:42:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CheckPoint
[2011/10/14 20:07:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ClubSanDisk
[2011/03/15 09:03:28 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2009/02/14 02:59:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DFX
[2014/03/25 08:50:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\InstallMate
[2010/07/28 23:25:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCPitstop
[2012/10/23 21:23:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2007/01/05 19:06:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WhiteCap (Holiday Edition)
[2012/10/28 20:36:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{C3B35EBF-B1F6-4DE1-9682-ED71913E187B}
[2012/03/03 19:23:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{FD7CAB3E-E895-4E98-9D68-A307CC601204}
 
========== Purity Check ==========
 
 
 
========== Custom Scans ==========
 
< C:\Documents and Settings\Administrator\My Documents\My Downloads 121408\Computer Security\*.* >
[2005/09/12 14:09:44 | 000,021,504 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\My Downloads 121408\Computer Security\Blurry Screen.doc
[2005/09/25 19:25:14 | 000,026,669 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\My Downloads 121408\Computer Security\Dead Pixel Buddy.zip
[2005/08/05 19:14:28 | 000,097,273 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\My Downloads 121408\Computer Security\http   shopper.cnet.com 4002-7409_9-6266032.pdf
[2005/10/19 11:37:22 | 004,430,336 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\My Downloads 121408\Computer Security\KOMANDO KIM NATIONAL TALKRADIO SHOW E.doc
[1980/01/01 01:00:00 | 000,000,065 | RH-- | C] () -- C:\WINNT\Tasks\desktop.ini
[2003/10/06 17:41:17 | 000,000,006 | -H-- | C] () -- C:\WINNT\Tasks\SA.DAT
[2011/11/14 21:04:38 | 000,000,604 | ---- | C] () -- C:\WINNT\Tasks\SCHEDLGU.TXT
[2013/09/17 21:26:12 | 000,000,826 | ---- | C] () -- C:\WINNT\Tasks\Adobe Flash Player Updater.job
[2013/11/14 10:39:17 | 000,000,384 | -H-- | C] () -- C:\WINNT\Tasks\Microsoft Antimalware Scheduled Scan.job

< End of report >
 


Edited by joseph456, 04 April 2014 - 06:08 PM.

  • 0

#18
crooleeck

crooleeck

    Member

  • Member
  • PipPipPip
  • 882 posts
 

Is this the first log?

Yep, it is. Thanks.

Please run the OTL fix one more time:
Please copy the following script:

:processes
killallprocesses

:otl
[2003/10/06 17:41:17 | 000,000,006 | -H-- | C] () -- C:\WINNT\Tasks\SA.DAT


Run OTL, under Custom Scan/Fixes paste it. Close all windows except OTL and hit Run Fix button. Please allow OTL to restart the computer. After the computer restarts, OTL will display the fix log, please post that.


  • 0

#19
joseph456

joseph456

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 455 posts

OTL Log that came up this time on reboot:

 

========== PROCESSES ==========
All processes killed
========== OTL ==========
C:\WINNT\Tasks\SA.DAT moved successfully.
 
OTL by OldTimer - Version 3.2.69.0 log created on 04052014_095614

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
 


  • 0

#20
crooleeck

crooleeck

    Member

  • Member
  • PipPipPip
  • 882 posts
Good news: your system is clean now!

A good workman always cleans up after himself. Please let me remove my tools:

Step 1:
Uninstall OTL:
Run OTL again and hit CleanUp! button.

Step 2:
Keep your system updated:
Enabling Windows Update is the most basic step to prevent infections. The fastest way is to open this site in Internet Explorer: http://windowsupdate.microsoft.com

Step 3:
Keep your Internet Security software turned on and updated! Make sure that the realtime antivirus protection and firewall module are working.

Step 4:
Keep your software updated:
You should install software updates for Java, Flash Player, Silverlight, Adobe Reader etc. It's a lot of work, so you can speed up this process with one of the following programs:
FileHippo's Update Checker (UDC)
Software Update Monitor Lite (SUMo)

Step 5:
Backup your registry:

This article would be helpful - http://www.geekstogo...ry-using-erunt/

Step 6:
Clean temp files in future:

Use TFC. Be sure to save any unsaved work before running TFC. Hit the Start button. Agree to the restart.

Step 7:
Clear infected system restore points and create a clean one:

http://www.geekstogo...restore-points/

Step 8:
Here is some advice for the future:
  • Run MBAM once per month
  • Turn off autorun for removable media - it's easy with Panda USB Vaccine
  • Monitor running processes.
  • Don't install p2p programs.
  • Install the AdBlock Plus and WOT (Web of Trust) add-ons
  • Install only software that you really want. Often when installing free software, other adware programs are included by default. It's good to choose the advanced install method and check where and what you actually install.
  • Do not install "Go faster", "Optimize" or "Tweaking" programs

  • 0

#21
joseph456

joseph456

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 455 posts

Thanks so much for your help.  You have done a very thorough job.

 

Question: Do you think from what you have seen that anyone was able to access my computer online while it was left unattended?

 

A couple of observations: 

 

Now I am able to execute chkdsk from the run menu where I was not able to before. 

 

When I used to run chkdsk it would hang up at stage 2 at 6%.  It still hangs up however now it gets up to 8%

 

I was trying to download SUMo to see how it compared to File Hippos update checker but it seemed like it was trying to install a lot of other programs. I stopped setup. 

 

Can I just remove the downloaded program that I saved from my computer?

 

It also placed a file (icon is a gear) on my desktop called "TempWmicBatchFile" Size: 0 bytes.  I deleted it but wanted to let you know about it.

 

Also here is the MBAM log I ran after stopping the setup

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 4/5/2014
Scan Time: 7:15:15 PM
Logfile:
Administrator: Yes

Version: 2.00.1.1004
Malware Database: v2014.04.05.05
Rootkit Database: v2014.03.27.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Chameleon: Disabled

OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: Administrator

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 251410
Time Elapsed: 29 min, 57 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Shuriken: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
PUP.Optional.RelevantKnowledge, C:\Documents and Settings\Administrator\Local Settings\Temp\CSM5.tmp, , [7b3e82a453284fe7761de03ad62ec63a],

Physical Sectors: 0
(No malicious items detected)


(end)

 

Can I just delete the temp file under local settings?

 

Should I ever use OTL on my own?

 

How about some of the other programs we used?  Should I ever use them?


Edited by joseph456, 05 April 2014 - 05:20 PM.

  • 0

#22
crooleeck

crooleeck

    Member

  • Member
  • PipPipPip
  • 882 posts

 Do you think from what you have seen that anyone was able to access my computer online while it was left unattended?

We didn't find any backdoors, rootkits or trojan horses. There is no suspicious activity.
 
Windows XP Professional Edition Service Pack 3 is a very old system. To improve your security it is strongly recommended to use a third-party firewall. I can propose Comodo Firewall.
 

When I used to run chkdsk it would hang up at stage 2 at 6%.  It still hangs up however now it gets up to 8%

I didn't see any errors in Event Viewer. Maybe an HDD check is a good idea? I think you should start a new topic in Hardware, Components and Peripherals with a report from some kind of diagnostic tool such as HD Tune.
 

I was trying to download SUMo to see how it compared to File Hippos update checker but it seemed like it was trying to install a lot of other programs. I stopped setup.

Warning.
Remember to install only software that you need. For example, Adobe installers often install other software by default. Always check what you are installing. Uncheck the optional software install.



 

Can I just remove the downloaded program that I saved from my computer?

 
Yes, you can. But remember that OTL creates an _OTL folder on the C:\ drive, and AdwCleaner does as well. In AdwCleaner there is an Uninstall option; in OTL the CleanUp! button is the best option (aswMBR should be gone after the OTL cleanup routine).
 
I forgot about ESET, sorry:

  • Run ESET Online Scanner one more time
  • Click Start. After the virus signature database finishes updating, click Stop
  • Tick Uninstall application on close
  • Tick Delete quarantined files
  • Click Finish

It also placed a file (icon is a gear) on my desktop called "TempWmicBatchFile" Size: O bytes.  I deleted it but wanted to let you know about it.

I'm not sure, so please check it via VirusTotal:
Check file online:

  • Please go to Virus Total
  • Click on the button Choose File and navigate to TempWmicBatchFile
  • Press Scan it - this will submit the file for testing.
  • Please wait for all the scanners to finish then copy and paste the results in your next response.

PUP.Optional.RelevantKnowledge, C:\Documents and Settings\Administrator\Local Settings\Temp\CSM5.tmp, , [7b3e82a453284fe7761de03ad62ec63a],

It's related to one of the installers. PUP means potentially unwanted program - such as optional toolbars or other software that installs by default with free software. It's often adware.
 
To clean temp files I like Temp File Cleaner by OldTimer - TFC.
 

Thanks so much for your help.  You have done a very thorough job.

I'm glad we could help.


  • 0

#23
joseph456

joseph456

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 455 posts
SHA256: 1f81642142309f06861053f2e07e7457a09b5d433bf9fb8f5b5a892ec2fd2d38 File name: CSM5.tmp Detection ratio: 15 / 51 Analysis date: 2014-04-06 17:15:09 UTC ( 0 minutes ago )
 

Antivirus | Result | Update
AVG | RelevantKnowledge | 20140406
Ad-Aware | Adware.Relevant.CA | 20140406
Antiy-AVL | Trojan/Win32.SGeneric | 20140406
Avast | Win32:Relevant-AD [PUP] | 20140406
BitDefender | Adware.Relevant.CA | 20140406
DrWeb | Adware.Relevant.81 | 20140406
ESET-NOD32 | Win32/Adware.Mongoose | 20140405
Emsisoft | Adware.Relevant.CA (B) | 20140406
F-Secure | Adware.Relevant.CA | 20140406
Fortinet | Riskware/Mongoose | 20140406
GData | Adware.Relevant.CA | 20140406
Malwarebytes | PUP.Optional.RelevantKnowledge | 20140406
MicroWorld-eScan | Adware.Relevant.CA | 20140406
VIPRE | Adware.Win32.RelevantKnowledge.a (v) | 20140406
nProtect | Adware.Relevant.CA | 20140406
AegisLab | | 20140406
Agnitum | | 20140406
AhnLab-V3 | | 20140406
AntiVir | | 20140406
Baidu-International | | 20140406
Bkav | | 20140405
ByteHero | | 20140406
CAT-QuickHeal | | 20140406
CMC | | 20140404
ClamAV | | 20140406
Commtouch | | 20140406
Comodo | | 20140406
F-Prot | | 20140406
Ikarus | | 20140406
Jiangmin | | 20140406
K7AntiVirus | | 20140404
K7GW | | 20140404
Kaspersky | | 20140406
Kingsoft | | 20140406
McAfee | | 20140406
McAfee-GW-Edition | | 20140406
Microsoft | | 20140406
NANO-Antivirus | | 20140406
Norman | | 20140406
Panda | | 20140406
Qihoo-360 | | 20140406
Rising | | 20140406
SUPERAntiSpyware | | 20140406
Sophos | | 20140406
Symantec | | 20140406
TheHacker | | 20140404
TotalDefense | | 20140406
TrendMicro | | 20140406
TrendMicro-HouseCall | | 20140406
VBA32 | | 20140404
ViRobot | | 20140406

Thanks


  • 0

#24
crooleeck

crooleeck

    Member

  • Member
  • PipPipPip
  • 882 posts

 

File name: CSM5.tmp

 

:) Can you check TempWmicBatchFile from desktop?


  • 0

#25
joseph456

joseph456

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 455 posts

I erased it previously.  I think it came from SUMo?  I may not have unchecked all the items it wanted to install and stopped installation of the program.  I also reran Eset with the intention of uninstalling it and it found this:

 

C:\Documents and Settings\Administrator\Local Settings\Temp\CSM5.tmp    Win32/Adware.Mongoose application
C:\System Volume Information\_restore{6F62C496-5DBE-4FAD-817D-8EC78C190904}\RP826\A0053452.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application
Operating memory    Win32/Adware.Mongoose application
 

Anything to be concerned about?  Have no idea where these came from.

 

Ran MSE (Quick) - came up clean

 

Ran MBAM and quarantined the one item it found:

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 4/6/2014
Scan Time: 4:21:29 PM
Logfile: MBAM0406141621.txt
Administrator: Yes

Version: 2.00.1.1004
Malware Database: v2014.04.06.09
Rootkit Database: v2014.03.27.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Chameleon: Disabled

OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: Administrator

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 251524
Time Elapsed: 37 min, 56 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Shuriken: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
PUP.Optional.RelevantKnowledge, C:\Documents and Settings\Administrator\Local Settings\Temp\CSM5.tmp, , [8e9363c40477fb3b0f843cdfa16351af],

Physical Sectors: 0
(No malicious items detected)


(end)


Edited by joseph456, 06 April 2014 - 02:26 PM.

  • 0



#26
crooleeck

crooleeck

    Member

  • Member
  • PipPipPip
  • 882 posts

It was definitely from an installer, maybe SUMo.

 

You can use TFC to clean temp files. Also it's a good idea to clean the restore points.


  • 0

#27
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
