BleepingComputer.com: Gala re-direct and other malicious files...

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
  • 2 Pages +
  • 1
  • 2
  • You cannot start a new topic
  • This topic is locked

Gala re-direct and other malicious files... need help ensuring complte removal

#16 User is offline   JustMyAlias 

  • Forum Regular
  • PipPipPip
  • Find Topics
  • Group: Members
  • Posts: 199
  • Joined: 01-September 10
  • Gender:Not Telling
  • Location:ATL

Posted 15 February 2012 - 09:56 PM

Googled and found my answer - downloaded the .exe file for HJT and then it worked.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:55:02 PM, on 2/15/2012
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\EnergyCut\utilty.exe
C:\Program Files\Lenovo\EnergyCut\EnergyCut.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Lenovo\ShuttleCenter\PCMService.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil11e_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Austen\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.*.*;*.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
R3 - URLSearchHook: (no name) - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Ad-Aware Security Toolbar - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Ad-Aware Security Toolbar - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EnergyCut_Utility] C:\Program Files\Lenovo\EnergyCut\utilty.exe
O4 - HKLM\..\Run: [EnergyCut] C:\Program Files\Lenovo\EnergyCut\EnergyCut.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Lenovo\ShuttleCenter\PCMService.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [Ad-Aware Browsing Protection] "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe"
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [adaware] reg.exe delete "HKCU\Software\AppDataLow\Software\adaware" /f (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [adaware_XP] reg.exe delete "HKCU\Software\adaware" /f (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [adaware] reg.exe delete "HKCU\Software\AppDataLow\Software\adaware" /f (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Password Administration Box - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\Program Files\Lenovo\VeriFace\OpenWnd.exe
O9 - Extra 'Tools' menuitem: Password Administration Box - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\Program Files\Lenovo\VeriFace\OpenWnd.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {2AB1C516-D654-4D3A-B3D6-2185BBCEB409} (Cisco Systems WebVPN Relay Loader) - https://etciec102.coca-cola.com/+CSCOL+/relayp.cab
O16 - DPF: {361E6B79-4A69-4376-B0F2-3D1EBEE9D7E2} (RtspVaPgCtrl Class) - http://campwoof2.dyndns.org:7180/RtspVaPgDec.cab
O16 - DPF: {816BE035-1450-40D0-8A3B-BA7825A83A77} (IASRunner Class) - http://support.lenovo.com/Resources/Lenovo/AutoDetect/Lenovo_AutoDetect2.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Lenovo\ShuttleCenter\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Lenovo\ShuttleCenter\Kernel\TV\CLSched.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 10742 bytes

#17 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,549
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 15 February 2012 - 09:59 PM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

      O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
      O4 - HKLM\..\Run: [Skytel] Skytel.exe
      O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
      O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
      O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
      O4 - HKLM\..\Run: [Ad-Aware Browsing Protection] "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe"
      O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
      O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
      O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
      O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE


  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

      NOTE**You can research each of those lines >here< and see if you want to keep them or not
      just copy the name between the brackets and paste into the search space
      O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
sometimes we have to run it like this To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
      Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard or copy and paste the results here in this topic


Copy and paste that log as a reply to this topic

Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#18 User is offline   JustMyAlias 

  • Forum Regular
  • PipPipPip
  • Find Topics
  • Group: Members
  • Posts: 199
  • Joined: 01-September 10
  • Gender:Not Telling
  • Location:ATL

Posted 17 February 2012 - 11:02 AM

poo-ey...
oh wait.........
that's my backup drive... ha (do I clean them off though??)
but... the Gala browser did show up again last night... (instead of, or replacing Google... I was not the one browsing, so I do not have the particulars... I have had no issues today though)

G:\DECEMBER 2011\Documents and Settings\Cyndy Nahass\Application Data\Sun\Java\Deployment\cache\6.0\24\65a6f718-7a2d4f88 multiple threats
G:\DECEMBER 2011\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\22\7e479456-2c89941b multiple threats
G:\DECEMBER 2011\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\4\7c502e04-6d772e33 multiple threats
G:\NEWER 2011\Documents and Settings\Cyndy Nahass\Application Data\Sun\Java\Deployment\cache\6.0\24\65a6f718-7a2d4f88 multiple threats
G:\NEWER 2011\Documents and Settings\Cyndy Nahass\Application Data\Sun\Java\Deployment\cache\6.0\37\22c732a5-545ac3e4 Java/Agent.BH trojan
G:\NEWER 2011\Program Files\YouTube Downloader Toolbar\WidgiHelper.exe Win32/Adware.Toolbar.Dealio application
G:\NEWER 2011\Qoobox\Quarantine\C\Program Files\YouTube Downloader Toolbar\IE\1.0\youtubedownloaderToolbarIE.dll.vir Win32/Adware.Toolbar.Dealio application
G:\NEWER 2011\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP481\A0122300.exe a variant of Win32/Toolbar.Widgi application
G:\NEWER 2011\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP536\A0141203.dll Win32/Adware.Toolbar.Dealio application
G:\OLDER\Misc Shortcuts\couponprinter.exe probably a variant of Win32/Adware.Softomate.AD application

#19 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,549
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 18 February 2012 - 12:56 AM

Hello

Lets get a deeper look into the system and see if something shows up.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and the that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later

  • Please post the contents of OTL.txt in your next reply.


Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#20 User is offline   JustMyAlias 

  • Forum Regular
  • PipPipPip
  • Find Topics
  • Group: Members
  • Posts: 199
  • Joined: 01-September 10
  • Gender:Not Telling
  • Location:ATL

Posted 18 February 2012 - 08:07 AM

OTL logfile created on: 2/18/2012 8:02:18 AM - Run 1
OTL by OldTimer - Version 3.2.32.0 Folder = C:\Users\Austen\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.99 Gb Total Physical Memory | 0.87 Gb Available Physical Memory | 28.98% Memory free
6.18 Gb Paging File | 3.20 Gb Available in Paging File | 51.80% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 188.94 Gb Total Space | 84.66 Gb Free Space | 44.80% Space Free | Partition Type: NTFS
Drive D: | 27.19 Gb Total Space | 26.38 Gb Free Space | 97.01% Space Free | Partition Type: NTFS
Drive G: | 372.60 Gb Total Space | 190.51 Gb Free Space | 51.13% Space Free | Partition Type: NTFS

Computer Name: AUSTEN-PC | User Name: Austen | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\Austen\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Windows\System32\Macromed\Flash\FlashUtil11e_ActiveX.exe (Adobe Systems, Inc.)
PRC - C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe (Google Inc.)
PRC - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\SyncServer.exe (Apple Inc.)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
PRC - C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe (Microsoft Corporation)
PRC - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)
PRC - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe (Symantec Corporation)
PRC - C:\Program Files\ATK Hotkey\HControl.exe (ATK0100)
PRC - C:\Program Files\ATK Hotkey\WDC.exe ()
PRC - C:\Program Files\ATK Hotkey\ATKOSD.exe ()
PRC - C:\Program Files\Lenovo\EnergyCut\EnergyCut.exe (Lenovo (Beijing) Limited)
PRC - C:\Program Files\ATK Hotkey\MsgTranAgt.exe ()
PRC - C:\Program Files\Lenovo\ShuttleCenter\Kernel\TV\CLSched.exe ()
PRC - C:\Program Files\Lenovo\ShuttleCenter\Kernel\TV\CLCapSvc.exe ()
PRC - C:\Program Files\Lenovo\ShuttleCenter\PCMService.exe (CyberLink Corp.)
PRC - C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
PRC - C:\Program Files\ATK Hotkey\AsLdrSrv.exe ()
PRC - C:\Program Files\Lenovo\EnergyCut\utilty.exe (Lenovo(beijing) Limited)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll ()
MOD - C:\Program Files\Lenovo\VeriFace\SimpleExt.dll ()
MOD - C:\Program Files\Lenovo\VeriFace\IcnOvrly.dll ()
MOD - C:\Program Files\Lenovo\ShuttleCenter\Kernel\TV\CLTinyDB.dll ()
MOD - C:\Program Files\Lenovo\ShuttleCenter\Kernel\TV\CLSchMgr.dll ()
MOD - C:\Program Files\Lenovo\ShuttleCenter\Kernel\TV\CLCapSvcps.dll ()
MOD - C:\Program Files\Lenovo\ShuttleCenter\Kernel\TV\CLCapEngine.dll ()
MOD - C:\Program Files\Lenovo\EnergyCut\KbdHook.dll ()
MOD - C:\Program Files\Lenovo\EnergyCut\HookLib.dll ()


========== Win32 Services (SafeList) ==========

SRV - (LiveUpdate Notice Ex) -- File not found
SRV - (AdobeARMservice) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (BcmSqlStartupSvc) -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe (Microsoft Corporation)
SRV - (SBSDWSCService) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)
SRV - (LiveUpdate Notice Service) -- C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe (Symantec Corporation)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (CLSched) CyberLink Task Scheduler (CTS) -- C:\Program Files\Lenovo\ShuttleCenter\Kernel\TV\CLSched.exe ()
SRV - (CLCapSvc) CyberLink Background Capture Service (CBCS) -- C:\Program Files\Lenovo\ShuttleCenter\Kernel\TV\CLCapSvc.exe ()
SRV - (ASLDRService) -- C:\Program Files\ATK Hotkey\AsLdrSrv.exe ()
SRV - (WcesComm) -- C:\Windows\WindowsMobile\wcescomm.dll (Microsoft Corporation)
SRV - (RapiMgr) -- C:\Windows\WindowsMobile\rapimgr.dll (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV - (FsUsbExDisk) -- C:\Windows\System32\FsUsbExDisk.Sys ()
DRV - (ssadmdm) -- C:\Windows\System32\drivers\ssadmdm.sys (MCCI Corporation)
DRV - (ssadbus) SAMSUNG Android USB Composite Device driver (WDM) -- C:\Windows\System32\drivers\ssadbus.sys (MCCI Corporation)
DRV - (ssadmdfl) SAMSUNG Android USB Modem (Filter) -- C:\Windows\System32\drivers\ssadmdfl.sys (MCCI Corporation)
DRV - (androidusb) -- C:\Windows\System32\drivers\ssadadb.sys (Google Inc)
DRV - (ACPIVPC) -- C:\Windows\System32\drivers\AcpiVpc.sys (Lenovo Corporation)
DRV - (winusb) -- C:\Windows\System32\drivers\winusb.sys (Microsoft Corporation)
DRV - (CapFilt) -- C:\Windows\System32\drivers\CapFilt.sys (ensurebit)
DRV - (NETw3v32) -- C:\Windows\System32\drivers\NETw3v32.sys (Intel Corporation)
DRV - (Cam5607) -- C:\Windows\System32\drivers\BisonC07.sys (Bison Electronics. Inc. )
DRV - (NETw4v32) Intel® -- C:\Windows\System32\drivers\NETw4v32.sys (Intel Corporation)
DRV - (rismxdp) -- C:\Windows\System32\drivers\rixdptsk.sys (REDC)
DRV - (rimmptsk) -- C:\Windows\System32\drivers\rimmptsk.sys (REDC)
DRV - (rimsptsk) -- C:\Windows\System32\drivers\rimsptsk.sys (REDC)
DRV - (MTsensor) -- C:\Windows\System32\drivers\ATKACPI.sys (ATK0100)
DRV - (smserial) -- C:\Windows\System32\drivers\smserial.sys (Motorola Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-4168174073-2797568708-1459769660-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Default Download Directory = C:\Users\Austen\Desktop
IE - HKU\S-1-5-21-4168174073-2797568708-1459769660-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKU\S-1-5-21-4168174073-2797568708-1459769660-1004\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-4168174073-2797568708-1459769660-1004\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - No CLSID value found
IE - HKU\S-1-5-21-4168174073-2797568708-1459769660-1004\..\URLSearchHook: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - No CLSID value found
IE - HKU\S-1-5-21-4168174073-2797568708-1459769660-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-4168174073-2797568708-1459769660-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 192.168.*.*;*.local

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@checkpoint.com/FFApi: C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\npFFApi.dll File not found
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)



O1 HOSTS File: ([2012/02/14 13:48:39 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Ad-Aware Security Toolbar) - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll ()
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Ad-Aware Security Toolbar) - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll ()
O3 - HKU\S-1-5-21-4168174073-2797568708-1459769660-1004\..\Toolbar\WebBrowser: (no name) - {91DA5E8A-3318-4F8C-B67E-5964DE3AB546} - No CLSID value found.
O3 - HKU\S-1-5-21-4168174073-2797568708-1459769660-1004\..\Toolbar\WebBrowser: (no name) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No CLSID value found.
O4 - HKLM..\Run: [EnergyCut] C:\Program Files\Lenovo\EnergyCut\EnergyCut.exe (Lenovo (Beijing) Limited)
O4 - HKLM..\Run: [EnergyCut_Utility] C:\Program Files\Lenovo\EnergyCut\utilty.exe (Lenovo(beijing) Limited)
O4 - HKLM..\Run: [PCMService] C:\Program Files\Lenovo\ShuttleCenter\PCMService.exe (CyberLink Corp.)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [Symantec PIF AlertEng] C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe (Symantec Corporation)
O4 - HKU\S-1-5-21-4168174073-2797568708-1459769660-1004..\Run: [ccleaner] C:\Program Files\CCleaner\CCleaner.exe (Piriform Ltd)
O4 - HKU\S-1-5-21-4168174073-2797568708-1459769660-1004..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKU\.DEFAULT..\RunOnce: [adaware] reg.exe delete "HKCU\Software\AppDataLow\Software\adaware" /f File not found
O4 - HKU\.DEFAULT..\RunOnce: [adaware_XP] reg.exe delete "HKCU\Software\adaware" /f File not found
O4 - HKU\S-1-5-18..\RunOnce: [adaware] reg.exe delete "HKCU\Software\AppDataLow\Software\adaware" /f File not found
O4 - HKU\S-1-5-18..\RunOnce: [adaware_XP] reg.exe delete "HKCU\Software\adaware" /f File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-4168174073-2797568708-1459769660-1004\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-4168174073-2797568708-1459769660-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O9 - Extra Button: Password Administration Box - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\Program Files\Lenovo\VeriFace\OpenWnd.exe (Lenovo)
O9 - Extra 'Tools' menuitem : Password Administration Box - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\Program Files\Lenovo\VeriFace\OpenWnd.exe (Lenovo)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab (QuickTime Plugin Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {2AB1C516-D654-4D3A-B3D6-2185BBCEB409} https://etciec102.coca-cola.com/+CSCOL+/relayp.cab (Cisco Systems WebVPN Relay Loader)
O16 - DPF: {361E6B79-4A69-4376-B0F2-3D1EBEE9D7E2} http://campwoof2.dyndns.org:7180/RtspVaPgDec.cab (RtspVaPgCtrl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {816BE035-1450-40D0-8A3B-BA7825A83A77} http://support.lenovo.com/Resources/Lenovo/AutoDetect/Lenovo_AutoDetect2.cab (IASRunner Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 205.152.37.23 205.152.150.23
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{DCFAC32F-399F-48DB-9E9D-8569EBBA3A28}: DhcpNameServer = 205.152.37.23 205.152.150.23
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Austen\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Austen\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/02/18 08:00:29 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Users\Austen\Desktop\OTL.exe
[2012/02/17 08:39:09 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2012/02/16 03:05:58 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2012/02/16 03:05:57 | 001,798,656 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2012/02/16 03:05:57 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2012/02/16 03:05:57 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2012/02/16 03:05:56 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2012/02/16 03:05:53 | 001,427,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2012/02/16 03:00:42 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
[2012/02/16 00:14:53 | 002,044,416 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2012/02/15 22:18:14 | 000,000,000 | ---D | C] -- C:\Users\Austen\Desktop\EVERYTHING ELSE
[2012/02/15 21:57:40 | 000,000,000 | ---D | C] -- C:\Users\Austen\Desktop\AUSTEN MUSIC FEB 2012
[2012/02/15 21:46:16 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2012/02/15 21:46:16 | 000,000,000 | ---D | C] -- C:\Users\Austen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis
[2012/02/15 21:11:36 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2012/02/15 21:11:16 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2012/02/15 21:11:16 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2012/02/15 21:11:16 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2012/02/15 21:05:00 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2012/02/15 20:35:36 | 000,000,000 | ---D | C] -- C:\Users\Austen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Revo Uninstaller
[2012/02/15 20:35:35 | 000,000,000 | ---D | C] -- C:\Program Files\VS Revo Group
[2012/02/15 10:40:31 | 000,000,000 | ---D | C] -- C:\Users\Austen\Documents\New Folder
[2012/02/15 10:40:05 | 000,000,000 | ---D | C] -- C:\Users\Austen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dell Inc
[2012/02/14 13:51:03 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/02/13 21:08:34 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2012/02/13 20:42:40 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2012/02/13 20:41:40 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2012/02/13 20:41:39 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2012/02/13 20:40:57 | 000,000,000 | ---D | C] -- C:\Program Files\Apple Software Update
[2012/02/13 20:39:32 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2012/02/12 22:55:30 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/02/12 22:55:30 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/02/12 22:55:30 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/02/12 22:55:17 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2012/02/12 22:55:13 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/02/10 14:28:04 | 000,000,000 | ---D | C] -- C:\Users\Austen\Documents\ForceField Shared Files
[2012/02/10 14:28:03 | 000,000,000 | ---D | C] -- C:\Users\Austen\AppData\Roaming\CheckPoint
[2012/02/10 14:27:00 | 000,000,000 | ---D | C] -- C:\ProgramData\CheckPoint
[2012/02/10 14:26:15 | 000,221,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\netio.sys
[2012/02/10 14:20:45 | 000,000,000 | ---D | C] -- C:\Program Files\CheckPoint
[2012/02/09 11:16:28 | 000,101,720 | ---- | C] (Sunbelt Software) -- C:\Windows\System32\drivers\SBREDrv.sys
[2012/02/09 11:02:16 | 000,000,000 | ---D | C] -- C:\Users\Austen\AppData\Local\adaware
[2012/02/09 11:02:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Ad-Aware Browsing Protection
[2012/02/09 11:02:10 | 000,000,000 | ---D | C] -- C:\Program Files\Toolbar Cleaner
[2012/02/09 11:01:16 | 000,000,000 | ---D | C] -- C:\Program Files\adawaretb
[2012/02/09 11:00:51 | 000,000,000 | ---D | C] -- C:\ProgramData\Lavasoft
[2012/02/09 10:54:31 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy
[2012/02/09 10:54:27 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2012/02/09 10:54:27 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2012/02/09 07:46:04 | 000,000,000 | ---D | C] -- C:\ProgramData\TEMP
[2012/02/08 22:51:09 | 000,000,000 | -HSD | C] -- C:\ProgramData\AVWMADUVPRSE
[2012/02/08 22:51:09 | 000,000,000 | -HSD | C] -- C:\Users\Austen\AppData\Roaming\AV Security Essentials
[2012/02/08 22:50:37 | 000,000,000 | -HSD | C] -- C:\ProgramData\a38f00
[2012/01/29 23:01:47 | 000,000,000 | ---D | C] -- C:\Temp
[2012/01/29 23:01:47 | 000,000,000 | ---D | C] -- C:\Users\Austen\AppData\Roaming\Motorola
[2012/01/29 22:53:10 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Motorola Shared
[2012/01/26 22:40:51 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Orneta
[2012/01/26 21:13:49 | 000,000,000 | ---D | C] -- C:\Program Files\QPST
[2012/01/22 09:56:52 | 000,000,000 | ---D | C] -- C:\ProgramData\McAfee

========== Files - Modified Within 30 Days ==========

[2012/02/18 08:00:29 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Austen\Desktop\OTL.exe
[2012/02/18 07:27:05 | 000,003,344 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/02/18 07:27:05 | 000,003,344 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/02/18 07:17:00 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/02/17 18:17:00 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/02/16 15:01:01 | 000,651,210 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/02/16 15:01:01 | 000,121,692 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/02/16 03:26:13 | 000,067,584 | ---- | M] () -- C:\Windows\bootstat.dat
[2012/02/16 03:24:46 | 3212,107,776 | -HS- | M] () -- C:\hiberfil.sys
[2012/02/16 03:23:44 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2012/02/15 22:05:30 | 000,008,192 | ---- | M] () -- C:\Users\Austen\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/02/15 21:10:58 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2012/02/15 21:10:58 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2012/02/15 21:10:58 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2012/02/14 13:48:39 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2012/02/13 21:16:28 | 000,006,648 | ---- | M] () -- C:\Users\Austen\AppData\Local\d3d9caps.dat
[2012/02/12 11:04:08 | 000,000,064 | ---- | M] () -- C:\Windows\System32\rp_stats.dat
[2012/02/12 11:04:08 | 000,000,044 | ---- | M] () -- C:\Windows\System32\rp_rules.dat
[2012/02/10 09:46:00 | 000,001,803 | ---- | M] () -- C:\Users\Austen\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows DVD Maker.lnk
[2012/02/09 22:30:12 | 000,000,000 | ---- | M] () -- C:\Users\Austen\defogger_reenable
[2012/02/09 11:16:26 | 000,101,720 | ---- | M] (Sunbelt Software) -- C:\Windows\System32\drivers\SBREDrv.sys
[2012/02/09 11:01:06 | 002,042,222 | ---- | M] () -- C:\Windows\System32\drivers\Cat.DB
[2012/02/05 20:07:41 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_Kernel_ssadadb_01005.Wdf
[2012/01/27 00:21:24 | 000,237,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\MpSigStub.exe
[2012/01/22 10:16:31 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2012/01/20 11:05:11 | 000,000,938 | ---- | M] () -- C:\Users\Austen\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Outlook.lnk

========== Files Created - No Company Name ==========

[2012/02/15 21:04:05 | 000,001,804 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
[2012/02/13 20:40:57 | 000,001,830 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Apple Software Update.lnk
[2012/02/12 22:55:30 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/02/12 22:55:30 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/02/12 22:55:30 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/02/12 22:55:30 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/02/12 22:55:30 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/02/10 09:47:42 | 3212,107,776 | -HS- | C] () -- C:\hiberfil.sys
[2012/02/10 09:46:00 | 000,001,803 | ---- | C] () -- C:\Users\Austen\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows DVD Maker.lnk
[2012/02/09 22:30:12 | 000,000,000 | ---- | C] () -- C:\Users\Austen\defogger_reenable
[2012/02/09 11:48:37 | 000,000,064 | ---- | C] () -- C:\Windows\System32\rp_stats.dat
[2012/02/09 11:48:37 | 000,000,044 | ---- | C] () -- C:\Windows\System32\rp_rules.dat
[2012/02/09 07:46:25 | 002,042,222 | ---- | C] () -- C:\Windows\System32\drivers\Cat.DB
[2012/02/05 20:07:41 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_Kernel_ssadadb_01005.Wdf
[2012/01/20 11:05:11 | 000,000,938 | ---- | C] () -- C:\Users\Austen\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Outlook.lnk
[2012/01/18 15:00:32 | 000,000,012 | ---- | C] () -- C:\Windows\bthservsdp.dat
[2012/01/18 13:56:35 | 000,110,592 | ---- | C] () -- C:\Windows\System32\FsUsbExDevice.Dll
[2012/01/18 13:56:35 | 000,036,608 | ---- | C] () -- C:\Windows\System32\FsUsbExDisk.Sys
[2011/11/05 20:20:17 | 000,008,192 | ---- | C] () -- C:\Users\Austen\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/10/28 14:05:22 | 000,006,648 | ---- | C] () -- C:\Users\Austen\AppData\Local\d3d9caps.dat
[2011/10/16 12:22:47 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2011/10/16 12:22:46 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2011/10/16 10:50:49 | 000,000,000 | -H-- | C] () -- C:\Users\Austen\AppData\Roaming\Austen.idx
[2011/10/16 10:49:31 | 000,000,000 | ---- | C] () -- C:\Windows\WinInit.ini
[2011/10/16 10:43:12 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2009/07/20 20:17:58 | 000,122,880 | ---- | C] () -- C:\Windows\System32\AitVirtualComInstall.exe
[2009/07/20 20:10:48 | 000,307,200 | ---- | C] () -- C:\Windows\System32\InstallVCOM.exe
[2008/09/04 06:29:44 | 001,560,576 | ---- | C] () -- C:\Windows\System32\MainOp.dll
[2008/09/04 06:29:44 | 001,327,104 | ---- | C] () -- C:\Windows\System32\ImageReog.dll
[2008/09/04 06:29:44 | 000,622,592 | ---- | C] () -- C:\Windows\System32\PicNotify.dll
[2008/09/04 06:29:44 | 000,491,520 | ---- | C] () -- C:\Windows\System32\picn.dll
[2008/09/04 06:29:44 | 000,208,896 | ---- | C] () -- C:\Windows\System32\Image.dll
[2008/09/04 06:29:44 | 000,126,976 | ---- | C] () -- C:\Windows\System32\VideoOp.dll
[2008/09/04 06:29:44 | 000,094,208 | ---- | C] () -- C:\Windows\System32\Momo.dll
[2008/09/04 06:29:44 | 000,094,208 | ---- | C] () -- C:\Windows\System32\ApBlend.dll
[2008/09/04 06:29:44 | 000,049,152 | ---- | C] () -- C:\Windows\System32\DevFilt.dll
[2008/09/04 06:06:17 | 000,057,344 | ---- | C] () -- C:\Windows\AsfHelper.dll
[2008/09/04 06:06:17 | 000,023,040 | ---- | C] () -- C:\Windows\ScrSav.dll
[2008/09/04 05:51:20 | 000,016,480 | ---- | C] () -- C:\Windows\System32\rixdicon.dll
[2008/09/04 05:45:38 | 000,015,190 | ---- | C] () -- C:\Windows\M3000Twn.ini
[2008/05/04 17:39:34 | 000,002,560 | ---- | C] () -- C:\Windows\System32\ViaClassCoInstaller.dll_rename
[2008/04/27 20:28:44 | 000,962,560 | ---- | C] () -- C:\Windows\tesseract.exe
[2008/03/28 07:34:52 | 000,910,464 | ---- | C] () -- C:\Windows\System32\igmedkrn.dll
[2008/03/28 07:34:52 | 000,204,800 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1283.dll
[2008/03/28 07:34:46 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2008/02/11 18:55:18 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1437.dll
[2008/02/11 18:34:48 | 002,215,364 | ---- | C] () -- C:\Windows\System32\igklg400.bin
[2008/02/11 18:34:48 | 001,971,732 | ---- | C] () -- C:\Windows\System32\igklg450.bin
[2008/02/11 18:34:48 | 000,029,932 | ---- | C] () -- C:\Windows\System32\igmedcompkrn.bin
[2007/10/25 17:26:10 | 000,005,632 | ---- | C] () -- C:\Windows\System32\drivers\StarOpen.sys
[2007/06/01 09:58:40 | 000,999,424 | ---- | C] () -- C:\Windows\System32\WLIHVUI.dll
[2006/11/02 07:57:28 | 000,067,584 | ---- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 07:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 05:33:01 | 000,651,210 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 05:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 05:33:01 | 000,121,692 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 05:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 05:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 03:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 03:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 02:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat

========== Alternate Data Streams ==========

@Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:DFC5A2B2

< End of report >

#21 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,549
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 21 February 2012 - 08:35 AM

Hello

Run this custom script and when it is complete I need to know how the computer is doing

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the Posted Image textbox. Do not include the word Code
    :OTL
IE - HKU\S-1-5-21-4168174073-2797568708-1459769660-1004\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - No CLSID value found
IE - HKU\S-1-5-21-4168174073-2797568708-1459769660-1004\..\URLSearchHook: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - No CLSID value found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@checkpoint.com/FFApi: C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\npFFApi.dll File not found
O3 - HKU\S-1-5-21-4168174073-2797568708-1459769660-1004\..\Toolbar\WebBrowser: (no name) - {91DA5E8A-3318-4F8C-B67E-5964DE3AB546} - No CLSID value found.
O3 - HKU\S-1-5-21-4168174073-2797568708-1459769660-1004\..\Toolbar\WebBrowser: (no name) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No CLSID value found.
O4 - HKU\.DEFAULT..\RunOnce: [adaware] reg.exe delete "HKCU\Software\AppDataLow\Software\adaware" /f File not found
O4 - HKU\.DEFAULT..\RunOnce: [adaware_XP] reg.exe delete "HKCU\Software\adaware" /f File not found
O4 - HKU\S-1-5-18..\RunOnce: [adaware] reg.exe delete "HKCU\Software\AppDataLow\Software\adaware" /f File not found
O4 - HKU\S-1-5-18..\RunOnce: [adaware_XP] reg.exe delete "HKCU\Software\adaware" /f File not found
@Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:DFC5A2B2 
[2012/02/08 22:51:09 | 000,000,000 | -HSD | C] -- C:\ProgramData\AVWMADUVPRSE
[2012/02/08 22:51:09 | 000,000,000 | -HSD | C] -- C:\Users\Austen\AppData\Roaming\AV Security Essentials
[2012/02/08 22:50:37 | 000,000,000 | -HSD | C] -- C:\ProgramData\a38f00
:Files
ipconfig /flushdns /c
:Commands
[PURITY]
[EMPTYTEMP]
[emptyjava]
[EMPTYFLASH]
[RESETHOSTS]

  • Then click the Run Fix button at the top.
  • Click Posted Image.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot.Copy and Paste that report in your next reply.


Let me know How things are doing

Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#22 User is offline   JustMyAlias 

  • Forum Regular
  • PipPipPip
  • Find Topics
  • Group: Members
  • Posts: 199
  • Joined: 01-September 10
  • Gender:Not Telling
  • Location:ATL

Posted 21 February 2012 - 07:09 PM

All processes killed
========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-4168174073-2797568708-1459769660-1004\Software\Microsoft\Internet Explorer\URLSearchHooks\\{472734EA-242A-422b-ADF8-83D1E48CC825} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{472734EA-242A-422b-ADF8-83D1E48CC825}\ not found.
Registry value HKEY_USERS\S-1-5-21-4168174073-2797568708-1459769660-1004\Software\Microsoft\Internet Explorer\URLSearchHooks\\{91da5e8a-3318-4f8c-b67e-5964de3ab546} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{91da5e8a-3318-4f8c-b67e-5964de3ab546}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@Apple.com/iTunes,version=\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@checkpoint.com/FFApi\ deleted successfully.
Registry value HKEY_USERS\S-1-5-21-4168174073-2797568708-1459769660-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{91DA5E8A-3318-4F8C-B67E-5964DE3AB546} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{91DA5E8A-3318-4F8C-B67E-5964DE3AB546}\ not found.
Registry value HKEY_USERS\S-1-5-21-4168174073-2797568708-1459769660-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107}\ not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce\\adaware deleted successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce\\adaware_XP deleted successfully.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunOnce\\adaware not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunOnce\\adaware_XP not found.
ADS C:\ProgramData\TEMP:DFC5A2B2 deleted successfully.
C:\ProgramData\AVWMADUVPRSE folder moved successfully.
C:\Users\Austen\AppData\Roaming\AV Security Essentials folder moved successfully.
C:\ProgramData\a38f00\Quarantine Items folder moved successfully.
C:\ProgramData\a38f00\BackUp folder moved successfully.
C:\ProgramData\a38f00\AVSESys folder moved successfully.
C:\ProgramData\a38f00 folder moved successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Austen\Desktop\cmd.bat deleted successfully.
C:\Users\Austen\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Austen
->Temp folder emptied: 64600 bytes
->Temporary Internet Files folder emptied: 19414866 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 470 bytes

User: Bobby
->Temp folder emptied: 36817 bytes
->Temporary Internet Files folder emptied: 48051261 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 488 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 64.00 mb


[EMPTYJAVA]

User: All Users

User: Austen
->Java cache emptied: 0 bytes

User: Bobby
->Java cache emptied: 0 bytes

User: Default

User: Default User

User: Public

Total Java Files Cleaned = 0.00 mb


[EMPTYFLASH]

User: All Users

User: Austen
->Flash cache emptied: 0 bytes

User: Bobby
->Flash cache emptied: 0 bytes

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb

C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.32.0 log created on 02212012_185527

Files\Folders moved on Reboot...
C:\Users\Austen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Z7UKPA0K\InboxLight[1].htm moved successfully.
C:\Users\Austen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Z7UKPA0K\resourcespreload[1].htm moved successfully.
C:\Users\Austen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\TV72XQB3\ads[1].htm moved successfully.
C:\Users\Austen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\TS6IVWG1\default[1].htm moved successfully.
C:\Users\Austen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\TS6IVWG1\EditMessageLight[1].htm moved successfully.
C:\Users\Austen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\TS6IVWG1\owa[1].htm moved successfully.
C:\Users\Austen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\TS6IVWG1\owa[2].htm moved successfully.
C:\Users\Austen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\TS6IVWG1\RteFrame_16.2.3026.0119[1].htm moved successfully.
C:\Users\Austen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\H3KBNS3J\adloader[1].htm moved successfully.
C:\Users\Austen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\EBQI3HZV\si[1].htm moved successfully.
C:\Users\Austen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DNQM6YZN\ads[1].htm moved successfully.
C:\Users\Austen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DNQM6YZN\page__st__15[1].htm moved successfully.
C:\Users\Austen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\A7B74QTD\AjaxHistoryFrame[1].htm moved successfully.
C:\Users\Austen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0K1K2058\si[2].htm moved successfully.
C:\Users\Austen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\ED8654D5-B9F0-4DD9-B3E8-F8F560086FDF.dat moved successfully.
C:\Users\Austen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.
C:\Users\Austen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\SuggestedSites.dat moved successfully.

Registry entries deleted on Reboot...

#23 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,549
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 21 February 2012 - 07:15 PM

how have things been?


gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#24 User is offline   JustMyAlias 

  • Forum Regular
  • PipPipPip
  • Find Topics
  • Group: Members
  • Posts: 199
  • Joined: 01-September 10
  • Gender:Not Telling
  • Location:ATL

Posted 21 February 2012 - 08:23 PM

I have been away since late Saturday night, and just back this evening - so hard to say...
no one has said anything to me though - I will ask my son when he gets home from work tonight...

This post has been edited by JustMyAlias: 21 February 2012 - 08:24 PM

#25 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,549
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 21 February 2012 - 08:28 PM

Hello


get settled in check it for the day and if something comes up let me know - if not I will check on you in a couple of days and we will move forward


gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#26 User is offline   JustMyAlias 

  • Forum Regular
  • PipPipPip
  • Find Topics
  • Group: Members
  • Posts: 199
  • Joined: 01-September 10
  • Gender:Not Telling
  • Location:ATL

Posted 21 February 2012 - 11:23 PM

okay - thanks!

#27 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,549
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 21 February 2012 - 11:38 PM

:thumbup2:
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#28 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,549
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 25 February 2012 - 12:51 AM

Hello


It has been a couple of days so I am checking on how things are


gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#29 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,549
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 28 February 2012 - 12:31 AM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!


Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#30 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,549
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 02 March 2012 - 12:03 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

Share this topic:


  • 2 Pages +
  • 1
  • 2
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users