Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

ESET can't clean MBR-infected HDs. win32/olmarik trojan

Started by Per Bjorkhem , Oct 06 2011 11:44 AM

  • Please log in to reply

#1
Per Bjorkhem
Posted 06 October 2011 - 11:44 AM

Per Bjorkhem

    New Member

  • Member
  • Pip
  • 4 posts
Hi!

I really need your help. A computer at work is infected with virus. The computer probably got infected by an USB. It started with USBs that got infected as soon as they were connected to the computer. A couple of files were created at the USB with names like [bleep].exe passwords.exe and some others. All were 156kB in size.

I downloaded ESET and it found the viruses and put them in quarintine. But ESET still can't clean the startupsectors of the harddisks (MBR).
So there's always a virus in the memory and ESET can't clean it out. I have tried safestart and then clean with ESET. No result. ESET says that
the virus is win32/download.agent.pxo but when I safestart windows and run ESET it says that the virus is win32/olmarik.

I have tried Malwarebytes and no result.

I have tried TDSS-killer and it seems like it managed to clear out one of the files.

But the computer is still infected. I can't disable ESET beccause then the virus runs and starts downloading and spreading...

I attach my OTL-file for you.

The computer is an old Pentium 4 2,8Ghz running winxp sp3.

I would be very grateful if you could help me fast, since it's a administrative-computer and we really need it fixed.

Thanks!

Per at skandskol Moçambique

OTL logfile created on: 06-10-2011 19:21:28 - Run 1
OTL by OldTimer - Version 3.2.29.1 Folder = C:\Downloads\Software
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000816 | Country: Portugal | Language: PTG | Date Format: dd-MM-yyyy

1,98 Gb Total Physical Memory | 1,41 Gb Available Physical Memory | 71,14% Memory free
2,17 Gb Paging File | 1,75 Gb Available in Paging File | 80,71% Paging File free
Paging file location(s): C:\pagefile.sys 336 672 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 35,06 Gb Total Space | 9,45 Gb Free Space | 26,96% Space Free | Partition Type: FAT32
Drive D: | 35,55 Gb Total Space | 31,79 Gb Free Space | 89,43% Space Free | Partition Type: FAT32
Drive S: | 1373,11 Gb Total Space | 1355,37 Gb Free Space | 98,71% Space Free | Partition Type: NTFS

Computer Name: ADMINASTRATION | User Name: User | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011-10-06 19:19:34 | 000,582,656 | ---- | M] (OldTimer Tools) -- C:\Downloads\Software\OTL.exe
PRC - [2011-09-29 08:10:04 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011-09-06 18:16:42 | 000,974,944 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe
PRC - [2011-09-06 18:16:16 | 003,076,144 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\egui.exe
PRC - [2010-04-28 23:28:18 | 003,727,411 | ---- | M] (FreeDownloadManager.ORG) -- C:\Program Files\Free Download Manager\fdm.exe
PRC - [2009-10-19 04:12:00 | 001,983,816 | ---- | M] (CANON INC.) -- C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
PRC - [2008-04-14 02:12:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007-06-29 17:56:06 | 000,278,528 | ---- | M] (Portrait Displays, Inc) -- C:\Program Files\Portrait Displays\HP My Display\dthtml.exe
PRC - [2007-06-29 17:54:16 | 000,073,728 | ---- | M] () -- C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
PRC - [2007-06-29 17:53:34 | 000,110,592 | ---- | M] (Portrait Displays Inc.) -- C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe


========== Modules (No Company Name) ==========

MOD - [2011-09-29 08:10:04 | 001,015,256 | ---- | M] () -- C:\Program Files\Mozilla Firefox\js3250.dll
MOD - [2011-09-29 08:03:26 | 006,277,280 | ---- | M] () -- C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
MOD - [2009-02-20 06:53:54 | 000,053,248 | ---- | M] () -- C:\Program Files\Free Download Manager\Firefox\extension\components\vmsfdmff.dll
MOD - [2008-12-30 02:03:26 | 000,098,304 | ---- | M] () -- C:\Program Files\Free Download Manager\iefdm2.dll
MOD - [2007-06-29 17:54:22 | 000,167,936 | ---- | M] () -- C:\Program Files\Common Files\Portrait Displays\Shared\DThook.dll
MOD - [2007-06-29 17:54:16 | 000,077,824 | ---- | M] () -- C:\Program Files\Common Files\Portrait Displays\Plugins\CC\gui.dll
MOD - [2007-06-29 17:54:16 | 000,073,728 | ---- | M] () -- C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
MOD - [2007-06-29 17:53:30 | 000,102,400 | ---- | M] () -- C:\Program Files\Common Files\Portrait Displays\Shared\PresetsCOM.dll
MOD - [2007-06-12 11:27:00 | 000,188,416 | ---- | M] () -- C:\Program Files\Common Files\Portrait Displays\Drivers\di2c.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (ngcglckb)
SRV - [2011-09-06 18:16:42 | 000,974,944 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe -- (ekrn)
SRV - [2009-02-10 17:01:50 | 000,116,104 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Canon\IJPLM\ijplmsvc.exe -- (IJPLMSVC)
SRV - [2007-06-29 17:54:16 | 000,073,728 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe -- (DTSRVC)


========== Driver Services (SafeList) ==========

DRV - [2011-08-09 13:57:10 | 000,154,136 | ---- | M] (ESET) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\eamon.sys -- (eamon)
DRV - [2011-08-04 09:20:38 | 000,147,480 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\epfw.sys -- (epfw)
DRV - [2011-08-04 09:20:38 | 000,061,936 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\epfwtdi.sys -- (epfwtdi)
DRV - [2011-08-04 09:20:38 | 000,039,824 | ---- | M] (ESET) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\epfwndis.sys -- (Epfwndis)
DRV - [2011-08-04 09:20:36 | 000,118,104 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ehdrv.sys -- (ehdrv)
DRV - [2008-09-23 00:24:00 | 000,042,368 | ---- | M] (Todos Data System AB) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\shbecr.sys -- (Tdsshbecr)
DRV - [2008-07-17 16:40:32 | 000,109,952 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2008-04-25 11:04:28 | 000,006,144 | R--- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sioctl.sys -- (SIoctl)
DRV - [2008-01-18 23:43:20 | 000,131,000 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\WimFltr.sys -- (WimFltr)
DRV - [2007-06-28 17:21:32 | 003,993,248 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RTKVAC.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2007-06-12 11:27:00 | 000,011,776 | ---- | M] (Portrait Displays, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pdiddcci.sys -- (pdiddcci)
DRV - [2006-11-16 17:20:48 | 000,015,920 | ---- | M] (Portrait Displays, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\PdiPorts.sys -- (PdiPorts)
DRV - [2005-01-13 14:46:16 | 000,069,632 | ---- | M] () [Kernel | Auto | Stopped] -- C:\Acer\Empowering Technology\eRecovery\int15.sys -- (int15.sys)
DRV - [2004-08-03 22:31:36 | 000,032,768 | ---- | M] (SiS Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sisnic.sys -- (SISNIC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...ie=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.speedbit.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\..\URLSearchHook: *{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - No CLSID value found
IE - HKCU\..\URLSearchHook: *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - No CLSID value found
IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://en-GB.start3....en-GB:official"
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {e0301295-ab3e-4af3-979f-3d453c5f9f48}:3.7.0.6
FF - prefs.js..extensions.enabledItems: [email protected]:1.3.4
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..network.proxy.type: 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@canon.com/EPPEX: C:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL (CANON INC.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.23\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011-01-14 08:34:36 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.23\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011-01-14 08:34:36 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\[email protected]: C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird [2011-10-01 12:36:42 | 000,000,000 | ---D | M]

[2011-01-14 08:35:06 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\User\Application Data\Mozilla\Extensions
[2011-01-14 08:35:06 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\5m38zn0t.default\extensions
[2011-09-22 11:15:22 | 000,000,000 | ---D | M] (uTorrentBar_PT Community Toolbar) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\5m38zn0t.default\extensions\{e0301295-ab3e-4af3-979f-3d453c5f9f48}
[2011-01-14 08:34:36 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011-01-18 10:10:46 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2006-09-11 11:02:38 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2011-01-18 10:41:10 | 000,000,000 | ---D | M] (Free Download Manager plugin) -- C:\PROGRAM FILES\FREE DOWNLOAD MANAGER\FIREFOX\EXTENSION
[2011-01-12 10:41:16 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011-02-02 21:40:24 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2010-10-27 07:24:34 | 000,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2010-10-27 07:24:34 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2010-10-27 07:24:34 | 000,000,769 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2010-10-27 07:24:34 | 000,001,135 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

Hosts file not found
O2 - BHO: (Canon Easy-WebPrint EX BHO) - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll (CANON INC.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll (Google Inc.)
O2 - BHO: (FDMIECookiesBHO Class) - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll ()
O3 - HKLM\..\Toolbar: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui File not found
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [DT HPW] C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe (Portrait Displays, Inc)
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET Smart Security\egui.exe (ESET)
O4 - HKCU..\Run: [ciunau] C:\Documents and Settings\User\ciunau.exe /l File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Download all with Free Download Manager - C:\Program Files\Free Download Manager\dlall.htm ()
O8 - Extra context menu item: Download selected with Free Download Manager - C:\Program Files\Free Download Manager\dlselected.htm ()
O8 - Extra context menu item: Download video with Free Download Manager - C:\Program Files\Free Download Manager\dlfvideo.htm ()
O8 - Extra context menu item: Download with Free Download Manager - C:\Program Files\Free Download Manager\dllink.htm ()
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 File not found
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html File not found
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://172.30.1.4/ca...e/ieawsdc32.cab (Microsoft Office Template and Media Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1221655457359 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7D8977B4-9A42-4AB0-9E28-4FA56282C230}: DhcpNameServer = 192.168.0.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005-11-09 00:21:44 | 000,000,050 | ---- | M] () - C:\AUTOEXEC.BAT -- [ FAT32 ]
O33 - MountPoints2\{3aef01d6-68d6-11db-836a-0015580f4ab0}\Shell\Auto\command - "" = bittorrent.exe e
O33 - MountPoints2\{3aef01d6-68d6-11db-836a-0015580f4ab0}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{3aef01d6-68d6-11db-836a-0015580f4ab0}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL bittorrent.exe e
O33 - MountPoints2\{5babbb30-54c6-11de-a026-0015580f4ab0}\Shell\AutoRun\command - "" = F:\RECYCLER32\dmgr.exe
O33 - MountPoints2\{5babbb30-54c6-11de-a026-0015580f4ab0}\Shell\open\command - "" = F:\RECYCLER32\dmgr.exe
O33 - MountPoints2\{c5fccdc4-2d85-11dd-9f58-0015580f4ab0}\Shell - "" = AutoRun
O33 - MountPoints2\{c5fccdc4-2d85-11dd-9f58-0015580f4ab0}\Shell\Auto\command - "" = F:\MicrosoftPowerPoint.exe
O33 - MountPoints2\{c5fccdc4-2d85-11dd-9f58-0015580f4ab0}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{c5fccdc4-2d85-11dd-9f58-0015580f4ab0}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe
O33 - MountPoints2\{e99a2d9e-500c-11de-a023-0015580f4ab0}\Shell\AutoRun\command - "" = F:\RECYCLER32\dmgr.exe
O33 - MountPoints2\{e99a2d9e-500c-11de-a023-0015580f4ab0}\Shell\open\command - "" = F:\RECYCLER32\dmgr.exe
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011-10-06 18:56:34 | 000,000,000 | ---D | C] -- C:\SYSTEM.SAV
[2011-10-04 19:54:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer
[2011-10-04 19:53:55 | 000,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2011-10-04 19:42:20 | 000,090,240 | ---- | C] (ESET spol. s r.o.) -- C:\Documents and Settings\User\Desktop\EOlmarikTdl4Cleaner.exe
[2011-10-04 19:42:16 | 000,348,704 | ---- | C] (ESET spol. s r.o.) -- C:\Documents and Settings\User\Desktop\EOlmarikRemover.exe
[2011-10-03 21:07:41 | 001,548,080 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\User\Desktop\tdsskiller.exe
[2011-10-03 21:03:02 | 001,548,080 | ---- | C] (Kaspersky Lab ZAO) -- C:\tdsskiller.exe
[2011-10-03 19:31:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Windows AIK
[2011-10-03 19:30:56 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Imaging
[2011-10-03 19:29:53 | 000,000,000 | ---D | C] -- C:\Program Files\Windows AIK
[2011-10-03 18:42:54 | 000,000,000 | ---D | C] -- C:\Program Files\MSXML 6.0
[2011-10-01 12:38:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\ESET
[2011-10-01 12:38:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\ESET
[2011-10-01 12:38:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\ESET
[2011-10-01 12:36:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ESET
[2011-10-01 12:36:36 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011-10-01 12:36:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ESET
[2011-10-01 10:16:40 | 000,000,000 | -HSD | C] -- C:\FOUND.018
[2011-09-28 08:17:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\spkpod
[2011-09-27 07:43:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\AresXZ
[2011-09-27 07:38:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\LimeRunner
[2011-09-22 16:07:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Malwarebytes
[2011-09-22 16:07:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011-09-22 11:37:35 | 000,000,000 | ---D | C] -- C:\spoolerlogs
[1998-08-24 09:31:44 | 000,018,944 | ---- | C] ( ) -- C:\WINDOWS\System32\IMPLODE.DLL
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011-10-06 19:21:00 | 000,000,420 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{217EF599-8898-4996-88EA-9191F43EE66E}.job
[2011-10-06 19:08:02 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011-10-06 18:50:04 | 000,001,374 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011-10-06 18:50:02 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011-10-06 18:49:14 | 2129,121,280 | -HS- | M] () -- C:\hiberfil.sys
[2011-10-06 18:49:14 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011-10-06 16:32:12 | 000,000,436 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2011-10-05 20:27:36 | 000,469,318 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011-10-05 20:27:36 | 000,080,474 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011-10-04 19:58:56 | 000,365,712 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011-10-04 19:40:48 | 000,090,240 | ---- | M] (ESET spol. s r.o.) -- C:\Documents and Settings\User\Desktop\EOlmarikTdl4Cleaner.exe
[2011-10-04 19:39:32 | 000,348,704 | ---- | M] (ESET spol. s r.o.) -- C:\Documents and Settings\User\Desktop\EOlmarikRemover.exe
[2011-10-03 20:59:22 | 001,548,080 | ---- | M] (Kaspersky Lab ZAO) -- C:\tdsskiller.exe
[2011-10-03 20:59:22 | 001,548,080 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\User\Desktop\tdsskiller.exe
[2011-10-01 12:31:30 | 000,024,576 | ---- | M] () -- C:\Documents and Settings\User\doast.exe
[2011-09-29 08:04:58 | 000,024,576 | ---- | M] () -- C:\Documents and Settings\User\woast.exe
[2011-09-28 07:18:10 | 000,000,017 | ---- | M] () -- C:\WINDOWS\keys.ini
[2011-09-22 16:04:04 | 000,000,104 | ---- | M] () -- C:\Documents and Settings\User\Desktop\My Computer.lnk
[2011-09-22 13:03:16 | 000,001,917 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011-09-22 09:19:26 | 000,009,216 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011-09-07 13:00:30 | 000,102,070 | ---- | M] () -- D:\MyDocs\2900795 - LGA EMANUELSSON (2).pdf
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011-10-05 07:10:01 | 2129,121,280 | -HS- | C] () -- C:\hiberfil.sys
[2011-09-30 13:24:38 | 000,024,576 | ---- | C] () -- C:\Documents and Settings\User\doast.exe
[2011-09-29 08:04:57 | 000,024,576 | ---- | C] () -- C:\Documents and Settings\User\woast.exe
[2011-09-28 07:18:08 | 000,000,017 | ---- | C] () -- C:\WINDOWS\keys.ini
[2011-09-22 16:04:02 | 000,000,104 | ---- | C] () -- C:\Documents and Settings\User\Desktop\My Computer.lnk
[2011-09-22 10:48:13 | 000,000,436 | ---- | C] () -- C:\WINDOWS\tasks\At1.job
[2011-09-07 13:00:28 | 000,102,070 | ---- | C] () -- D:\MyDocs\2900795 - LGA EMANUELSSON (2).pdf
[2011-06-06 11:02:00 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011-03-02 11:48:48 | 000,163,923 | ---- | C] () -- C:\WINDOWS\System32\SiSUninstall.exe
[2011-01-17 10:48:20 | 000,047,713 | R--- | C] () -- C:\WINDOWS\System32\drivers\HCDisk.sys
[2011-01-14 08:34:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2011-01-13 13:15:51 | 000,006,144 | R--- | C] () -- C:\WINDOWS\System32\drivers\sioctl.sys
[2010-05-26 13:13:36 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\eRLog.ini
[2008-05-26 21:59:42 | 000,018,904 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschematrivial.bin
[2008-05-26 21:59:40 | 000,106,605 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschema.bin
[2008-03-03 09:31:20 | 000,009,216 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007-09-27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007-09-27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007-09-27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2007-02-15 14:50:53 | 000,024,401 | ---- | C] () -- C:\Documents and Settings\User\Application Data\Microsoft Excel.ADR
[2007-02-13 20:17:37 | 000,000,029 | ---- | C] () -- C:\WINDOWS\CDMKR32.INI
[2006-10-20 08:25:17 | 000,000,355 | ---- | C] () -- C:\WINDOWS\kundkort.ini
[2006-10-20 08:19:10 | 000,000,343 | ---- | C] () -- C:\WINDOWS\start.ini
[2006-10-20 08:19:06 | 000,000,019 | ---- | C] () -- C:\WINDOWS\FTG.INI
[2006-10-20 08:17:55 | 000,000,000 | ---- | C] () -- C:\WINDOWS\spcspg.ini
[2006-10-20 08:17:55 | 000,000,000 | ---- | C] () -- C:\WINDOWS\spcsbg.ini
[2006-10-20 07:48:31 | 000,000,722 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006-09-11 11:44:45 | 000,053,248 | ---- | C] () -- C:\WINDOWS\exitwx.exe
[2006-03-29 08:43:38 | 000,042,496 | ---- | C] () -- C:\WINDOWS\System32\ALZZip.BIN
[2006-03-29 08:43:36 | 000,062,464 | ---- | C] () -- C:\WINDOWS\System32\ALZALZ.BIN
[2005-11-09 08:45:36 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2005-11-09 08:45:26 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005-11-09 08:20:56 | 000,365,712 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2005-11-09 00:27:26 | 000,469,318 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2005-11-09 00:27:26 | 000,080,474 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2005-11-09 00:22:06 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIBUN4.dll
[2005-11-09 00:21:26 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIMPEG2.dll
[2005-11-09 00:21:26 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIMP3.dll
[2005-11-09 00:21:26 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIFCD3.dll
[2005-11-09 00:21:26 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTICDMK7.dll
[2005-11-09 00:06:54 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005-11-09 00:05:18 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2005-11-08 17:08:22 | 000,000,083 | ---- | C] () -- C:\WINDOWS\ALaunch.ini
[2005-07-15 09:48:00 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2005-02-03 11:11:40 | 000,008,073 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2004-12-17 17:14:44 | 000,013,952 | ---- | C] () -- C:\WINDOWS\System32\drivers\UBHelper.sys
[2004-09-07 07:23:00 | 000,147,456 | R--- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2004-08-04 05:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004-08-04 05:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004-08-04 05:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004-08-04 05:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004-08-04 05:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004-08-04 05:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004-08-04 05:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2004-08-04 05:00:00 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004-08-04 05:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003-01-07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002-05-24 17:34:46 | 000,032,768 | ---- | C] () -- C:\WINDOWS\AMove.exe
[2001-12-26 16:12:30 | 000,065,536 | R--- | C] () -- C:\WINDOWS\System32\multiplex_vcd.dll
[2001-09-03 23:46:38 | 000,110,592 | R--- | C] () -- C:\WINDOWS\System32\Hmpg12.dll
[2001-08-26 17:04:08 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001-08-26 17:02:42 | 000,004,524 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001-07-30 16:33:56 | 000,118,784 | R--- | C] () -- C:\WINDOWS\System32\HMPV2_ENC.dll
[2001-07-23 22:04:36 | 000,118,784 | R--- | C] () -- C:\WINDOWS\System32\HMPV2_ENC_MMX.dll
[1999-03-11 21:07:22 | 000,299,008 | ---- | C] () -- C:\WINDOWS\System32\CRUTL14.DLL

========== LOP Check ==========

[2006-10-20 12:15:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SPCS
[2009-06-03 09:09:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010-09-29 13:57:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010-11-29 11:58:28 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2010-11-29 12:06:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJPLM
[2010-11-29 12:06:38 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJMyPrinter
[2010-11-29 12:08:16 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJScan
[2010-11-29 12:14:56 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJSolutionMenu
[2010-11-29 12:28:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJ
[2011-01-17 10:48:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FarStone
[2011-01-18 09:58:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SpeedBit
[2011-01-18 11:44:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CrashPlan
[2011-02-16 10:21:54 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJEGV
[2011-10-01 12:36:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ESET
[2010-02-17 14:41:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\DisplayTune
[2010-11-29 12:02:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Canon Easy-WebPrint EX
[2010-11-29 12:06:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Canon
[2011-01-17 13:04:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\LibreOffice
[2011-01-18 09:43:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\uTorrent
[2011-01-18 10:41:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Free Download Manager
[2011-01-18 11:43:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\CrashPlan
[2011-01-21 12:12:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\PriceGong
[2011-01-24 09:35:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Windows Desktop Search
[2011-01-28 13:04:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Windows Search
[2011-03-02 11:51:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\gtopala
[2011-03-18 11:54:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\SumatraPDF
[2011-09-27 07:38:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\LimeRunner
[2011-10-01 12:38:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\ESET
[2011-10-06 19:21:00 | 000,000,420 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{217EF599-8898-4996-88EA-9191F43EE66E}.job
[2011-10-06 16:32:12 | 000,000,436 | ---- | M] () -- C:\WINDOWS\Tasks\At1.job

========== Purity Check ==========



< End of report >


Attached File  OTL.Txt   63.06KB   133 downloads
  • 0

Advertisements

#2
RKinner
Posted 07 October 2011 - 10:29 PM

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Download Flash_Disinfector.exe by sUBs
http://download.blee...Disinfector.exe
and save it to your desktop.

* Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
* The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
* Wait until it has finished scanning and then exit the program.
* Reboot your computer when done.


Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.
You might also want to install AutoRun Eater v2.5
http://download.cnet...4-10752777.html
It will stay resident and prevent USB drives from infecting your PC.


Clear the Java Cache by following the instructions on
http://www.java.com/...lugin_cache.xml


Copy the text in the code box by highlighting and Ctrl + c 


:processes
killallprocesses

:OTL
IE - HKCU\..\URLSearchHook: *{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - No CLSID value found
IE - HKCU\..\URLSearchHook: *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - No CLSID value found
IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {e0301295-ab3e-4af3-979f-3d453c5f9f48}:3.7.0.6
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
[2011-09-22 11:15:22 | 000,000,000 | ---D | M] (uTorrentBar_PT Community Toolbar) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\5m38zn0t.default\extensions\{e0301295-ab3e-4af3-979f-3d453c5f9f48}
[2011-01-18 10:10:46 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2006-09-11 11:02:38 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2011-01-12 10:41:16 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O4 - HKLM..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui File not found
O4 - HKCU..\Run: [ciunau] C:\Documents and Settings\User\ciunau.exe /l File not found
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 File not found
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html File not found
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O33 - MountPoints2\{3aef01d6-68d6-11db-836a-0015580f4ab0}\Shell\Auto\command - "" = bittorrent.exe e
O33 - MountPoints2\{3aef01d6-68d6-11db-836a-0015580f4ab0}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{3aef01d6-68d6-11db-836a-0015580f4ab0}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL bittorrent.exe e
O33 - MountPoints2\{5babbb30-54c6-11de-a026-0015580f4ab0}\Shell\AutoRun\command - "" = F:\RECYCLER32\dmgr.exe
O33 - MountPoints2\{5babbb30-54c6-11de-a026-0015580f4ab0}\Shell\open\command - "" = F:\RECYCLER32\dmgr.exe
O33 - MountPoints2\{c5fccdc4-2d85-11dd-9f58-0015580f4ab0}\Shell - "" = AutoRun
O33 - MountPoints2\{c5fccdc4-2d85-11dd-9f58-0015580f4ab0}\Shell\Auto\command - "" = F:\MicrosoftPowerPoint.exe
O33 - MountPoints2\{c5fccdc4-2d85-11dd-9f58-0015580f4ab0}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{c5fccdc4-2d85-11dd-9f58-0015580f4ab0}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe
O33 - MountPoints2\{e99a2d9e-500c-11de-a023-0015580f4ab0}\Shell\AutoRun\command - "" = F:\RECYCLER32\dmgr.exe
O33 - MountPoints2\{e99a2d9e-500c-11de-a023-0015580f4ab0}\Shell\open\command - "" = F:\RECYCLER32\dmgr.exe
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
[2011-10-06 16:32:12 | 000,000,436 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2011-10-01 12:31:30 | 000,024,576 | ---- | M] () -- C:\Documents and Settings\User\doast.exe
[2011-09-29 08:04:58 | 000,024,576 | ---- | M] () -- C:\Documents and Settings\User\woast.exe

:files
xcopy %Temp%\smtmp\1 "%AllUsersProfile%\Start Menu" /H /I /S /Y /C
xcopy %Temp%\smtmp\2 "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch" /H /I /S /Y /C
xcopy %Temp%\smtmp\3 "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" /H /I /S /Y /C
xcopy %Temp%\smtmp\4 "%AllUsersProfile%\Desktop" /H /I /S /Y /C
sc config ngcglckb start= disabled /c
C:\WINDOWS\tasks\At*.job
    
:Commands
[RESETHOSTS]
[purity]
[Reboot]
then run OTL and Under the Custom Scans/Fixes box at the bottom, paste (ctrl +v) the text. Verify that you got it all and Then click the Run Fix button at the top
Let the program run unhindered, OTL will reboot the PC when it is done. Save the log and copy and paste it to a reply.

Open OTL again and select either the Use SafeList or All option in the Extra Registry group then the Run Scan button. Post the two logs it produces in your next reply.

Malwarebytes' Anti-Malware
:!: If you have a previous version of MalwareBytes', remove it via Add or Remove Programs and download a fresh copy. :!:

http://www.malwarebytes.org/mbam.php

SAVE Malwarebytes' Anti-Malware to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.
* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here.



ComboFix
:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:

:!: It must be saved to your desktop, do not run it :!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Save this file -- to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Doubleclick on ComboFix to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your anti-virus at this time :!:

Download TDSSKiller:
http://support.kaspe.../tdsskiller.exe
Save it to your desktop then run it.
Double click on TDSSKiller.exe
If TDSSKiller alerts you that the system needs to reboot, please consent.
When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.

Download aswMBR.exe ( 511KB ) to your desktop.
Double click the aswMBR.exe to run it
change the a-v scan to None.
uncheck trace disk IO calls
Click the "Scan" button to start scan
On completion of the scan (Note if the Fix button is enabled (not the FixMBR button) and tell me) click save log, save it to your desktop and post in your next reply

Download
http://ad13.geekstogo.com/MBRCheck.exe
Save it and run it. It will produce a log MBRCheck(date).txt on your desktop. Copy and paste it into a reply. (Close MBRcheck)

Ron
  • 0

#3
Per Bjorkhem
Posted 08 October 2011 - 01:09 AM

Per Bjorkhem

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Hi and thanks.

Since i wrote the mail much has happened.

After I ran OTL,suddenly the virus didn't load into the computers memory anymore.
I then started TDSS-killer and it found 5 corrupted files and I choose to delete them.
After that I ran several big scans both with Malware and ESET smart security 5.
I made several reboots and I also made a safe-startup-windows and did a big scan with
ESET in safemode.

It seems that all viruses are gone from the computer and I'm very happy.

After I deleted the corrupted files the cd-player stopped working. Now I don't know
if a cable is loose inside the computer or perhaps some driver-file is gone.

So now, what do you want me to do? Do you want me to run OTL and check up the computer
and send you the log?

I hope I haven't wasted your time...

/Per
  • 0

#4
RKinner
Posted 08 October 2011 - 07:50 AM

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Even if you think you are clean it would best to run the scans I gave you and post the logs. Also post the log from the TDSSKiller scan that you did.

Ron
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP