WindowsFixDisk Trojan infection


This topic is locked
17 replies to this topic

#1 lgarripee
  • Members
  • 9 posts

Posted 10 May 2011 - 06:24 PM

Windows 7 - Disk optimization program appears upon boot up where several hard disk warnings appear...

The system has detected a problem with one or more installed IDE / SATA hard disks.

.
DDS (Ver_11-03-05.01) - NTFS_AMD64
Run by Les at 18:52:36.69 on Tue 05/10/2011
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_22
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.5887.4150 [GMT -4:00]
.
AV: Norton Internet Security *Disabled/Outdated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Norton Internet Security *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\ProgramData\trwKcwHFGPMgtX.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10k_ActiveX.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Les\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=et1331g&r=17360610g106p0305v165r4801s213
uDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=et1331g&r=17360610g106p0305v165r4801s213
mDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=et1331g&r=17360610g106p0305v165r4801s213
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=et1331g&r=17360610g106p0305v165r4801s213
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=C:\Windows\system32\userinit.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\IPSBHO.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [VeohPlugin] "C:\Program Files (x86)\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [trwKcwHFGPMgtX] C:\ProgramData\trwKcwHFGPMgtX.exe
uRun: [Hcewobabamisabam] rundll32.exe "C:\Users\Les\AppData\Local\dperwi.dll",Startup
uRun: [Rnezabezax] rundll32.exe "C:\Users\Les\AppData\Local\azifenif.dll",Startup
mRun: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\CoIEPlg.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg64.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
TB-X64: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
mRun-x64: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
mRun-x64: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Les\AppData\Roaming\Mozilla\Firefox\Profiles\agpe75nr.default\
FF - component: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Logitech\Harmony Remote Driver\NprtHarmonyPlugin.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Norton Toolbar: {7BA52691-1876-45ce-9EE6-54BCB3B04BBC} - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: XULRunner: {CA84BAC4-847F-4A84-A6A2-6BEB77D3FD7E} - C:\Users\Les\AppData\Local\{CA84BAC4-847F-4A84-A6A2-6BEB77D3FD7E}
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\System32\drivers\NISx64\1008000.029\SymEFA64.sys [2010-6-2 402992]
R1 BHDrvx64;Symantec Heuristics Driver;C:\Windows\System32\drivers\NISx64\1008000.029\BHDrvx64.sys [2010-6-2 334384]
R1 ccHP;Symantec Hash Provider;C:\Windows\System32\drivers\NISx64\1008000.029\cchpx64.sys [2010-6-2 583296]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100726.001\IDSviA64.sys [2010-7-28 463408]
R2 Greg_Service;GRegService;C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe [2009-8-28 1150496]
R2 Norton Internet Security;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe [2010-6-2 117640]
R2 Updater Service;Updater Service;C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe [2009-11-24 240160]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-6-5 132656]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 EraserSvc11010;Symantec Eraser Service;"C:\Program Files (x86)\Norton Internet Security\Engine\16.7.0.30\ccSvcHst.exe" /h ccCommon --> C:\Program Files (x86)\Norton Internet Security\Engine\16.7.0.30\ccSvcHst.exe [?]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-6-1 136176]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-6-1 136176]
S3 HPFXBULKLEDM;HPFXBULKLEDM;C:\Windows\System32\drivers\hppdbulkio.sys [2011-5-1 22040]
S3 HPFXFAX;HPFXFAX;C:\Windows\System32\drivers\hppdfaxio.sys [2011-5-1 23576]
S3 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 SYMNDISV;Symantec Network Filter Driver;C:\Windows\System32\drivers\NISx64\1008000.029\symndisv.sys [2010-6-2 56880]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2011-2-18 51712]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-6-6 1255736]
.
=============== Created Last 30 ================
.
2011-05-10 22:52:28 625664 ----a-w- C:\Users\Les\dds.scr
2011-05-10 22:50:28 50477 ----a-w- C:\Users\Les\Defogger.exe
2011-05-10 22:30:10 -------- d--h--w- C:\Users\Les\AppData\Local\{10F10CDC-52E5-4C24-86E8-D446EEC8F53C}
2011-05-10 22:04:06 -------- d--h--w- C:\Users\Les\AppData\Local\{EEE47DCF-70BE-4789-9E54-9BF4925FFE23}
2011-05-10 21:24:21 -------- d--h--w- C:\Users\Les\AppData\Local\{110AB236-885B-47A0-A933-EED387EE302D}
2011-05-10 21:07:31 438784 ---ha-w- C:\PROGRA~3\44556024.exe
2011-05-10 21:00:10 0 ---ha-w- C:\Users\Les\AppData\Local\Nlusolasih.bin
2011-05-10 21:00:08 -------- d--h--w- C:\Users\Les\AppData\Local\{CA84BAC4-847F-4A84-A6A2-6BEB77D3FD7E}
2011-05-10 20:58:15 510976 ---ha-w- C:\PROGRA~3\trwKcwHFGPMgtX.exe
2011-05-10 20:54:07 -------- d--h--w- C:\Users\Les\AppData\Local\{3D7E8363-EDC1-461D-9E80-1E6BC1997A75}
2011-05-06 20:27:18 8802128 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{E551EECB-8EDD-41CA-B59B-820CC5EC3BF0}\mpengine.dll
2011-05-02 02:10:50 323584 ----a-w- C:\Windows\System32\Spool\prtprocs\x64\hpcpp101.dll
2011-05-02 02:10:20 193592 ----a-w- C:\Windows\System32\hppdcompio.dll
2011-05-02 02:10:20 167480 ----a-w- C:\Windows\SysWow64\hppccompio.dll
2011-05-02 02:10:19 491008 ----a-w- C:\Windows\SysWow64\hpcdmc32.dll
2011-05-02 02:10:19 305664 ----a-w- C:\Windows\SysWow64\hpcc3101.dll
2011-05-02 02:10:19 176128 ----a-w- C:\Windows\System32\hpcpn101.dll
2011-05-02 02:10:10 -------- d-----w- C:\Program Files (x86)\HP
2011-05-02 02:09:18 31768 ----a-w- C:\Windows\System32\drivers\hppdgenio.sys
2011-05-02 02:09:18 23576 ----a-w- C:\Windows\System32\drivers\hppdfaxio.sys
2011-05-02 02:09:18 22040 ----a-w- C:\Windows\System32\drivers\hppdbulkio.sys
2011-05-02 02:09:17 976440 ----a-w- C:\Windows\System32\hpxp1530_x64.dll
2011-05-02 02:09:17 751160 ----a-w- C:\Windows\SysWow64\hpptsp06.dll
2011-05-02 02:09:17 59928 ----a-w- C:\Windows\SysWow64\hppcfaxcompio.dll
2011-05-02 02:09:17 235520 ----a-w- C:\Windows\System32\hpmldmfax02.dll
2011-05-02 02:09:17 235008 ----a-w- C:\Windows\System32\hpmldm02.dll
2011-05-02 02:09:17 217656 ----a-w- C:\Windows\System32\hppscancoins64.dll
2011-05-02 02:09:17 1150520 ----a-w- C:\Windows\System32\hpptsp06_x64.dll
2011-05-02 02:09:16 311296 ----a-w- C:\Windows\System32\hpbcoins64.dll
2011-05-02 02:09:11 -------- d--h--w- C:\M1530_MFP_Series_Basic_Solution
2011-05-02 01:12:45 -------- d--h--w- C:\PROGRA~3\Cisco Systems
2011-04-30 12:17:24 -------- d-----w- C:\Program Files\iTunes
2011-04-30 12:17:24 -------- d-----w- C:\Program Files\iPod
2011-04-30 12:17:24 -------- d-----w- C:\Program Files (x86)\iTunes
2011-04-30 12:16:18 -------- d-----w- C:\Program Files\Bonjour
2011-04-30 12:16:18 -------- d-----w- C:\Program Files (x86)\Bonjour
2011-04-27 22:39:46 -------- d--h--w- C:\Users\Les\AppData\Local\{3D3CD1CD-457D-4F6E-8C47-FF9D1FF0F0C2}
2011-04-16 11:05:31 -------- d--h--w- C:\Users\Les\AppData\Local\{0E5479EE-1683-4633-B8C0-658A65801F5E}
2011-04-15 07:30:33 -------- d-sh--w- C:\Windows\System32\%APPDATA%
.
==================== Find3M ====================
.
2011-04-06 20:26:58 96544 ----a-w- C:\Windows\System32\dnssd.dll
2011-04-06 20:26:58 69408 ----a-w- C:\Windows\System32\jdns_sd.dll
2011-04-06 20:26:58 237856 ----a-w- C:\Windows\System32\dnssdX.dll
2011-04-06 20:26:58 119584 ----a-w- C:\Windows\System32\dns-sd.exe
2011-04-06 20:20:16 91424 ----a-w- C:\Windows\SysWow64\dnssd.dll
2011-04-06 20:20:16 75040 ----a-w- C:\Windows\SysWow64\jdns_sd.dll
2011-04-06 20:20:16 197920 ----a-w- C:\Windows\SysWow64\dnssdX.dll
2011-04-06 20:20:16 107808 ----a-w- C:\Windows\SysWow64\dns-sd.exe
2011-03-12 12:03:46 662528 ----a-w- C:\Windows\System32\XpsPrint.dll
2011-03-12 11:31:58 442880 ----a-w- C:\Windows\SysWow64\XpsPrint.dll
2011-03-11 06:23:13 187264 ----a-w- C:\Windows\System32\drivers\storport.sys
2011-03-11 06:23:06 166272 ----a-w- C:\Windows\System32\drivers\nvstor.sys
2011-03-11 06:23:06 1657216 ----a-w- C:\Windows\System32\drivers\ntfs.sys
2011-03-11 06:23:06 148352 ----a-w- C:\Windows\System32\drivers\nvraid.sys
2011-03-11 06:23:00 410496 ----a-w- C:\Windows\System32\drivers\iaStorV.sys
2011-03-11 06:22:41 107904 ----a-w- C:\Windows\System32\drivers\amdsata.sys
2011-03-11 06:22:40 27008 ----a-w- C:\Windows\System32\drivers\amdxata.sys
2011-03-11 06:19:26 1395712 ----a-w- C:\Windows\System32\mfc42.dll
2011-03-11 06:19:26 1359872 ----a-w- C:\Windows\System32\mfc42u.dll
2011-03-11 06:18:20 2566144 ----a-w- C:\Windows\System32\esent.dll
2011-03-11 06:15:54 96768 ----a-w- C:\Windows\System32\fsutil.exe
2011-03-11 05:40:24 1164288 ----a-w- C:\Windows\SysWow64\mfc42u.dll
2011-03-11 05:40:24 1137664 ----a-w- C:\Windows\SysWow64\mfc42.dll
2011-03-11 05:39:35 1686016 ----a-w- C:\Windows\SysWow64\esent.dll
2011-03-11 05:37:34 74240 ----a-w- C:\Windows\SysWow64\fsutil.exe
2011-03-08 06:14:30 976896 ----a-w- C:\Windows\System32\inetcomm.dll
2011-03-08 05:38:13 740864 ----a-w- C:\Windows\SysWow64\inetcomm.dll
2011-03-04 06:17:25 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
2011-03-04 06:17:24 347648 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll
2011-03-03 06:17:10 182272 ----a-w- C:\Windows\System32\dnsrslvr.dll
2011-03-03 06:14:38 30208 ----a-w- C:\Windows\System32\dnscacheugc.exe
2011-03-03 05:27:30 28672 ----a-w- C:\Windows\SysWow64\dnscacheugc.exe
2011-03-03 03:58:32 3133440 ----a-w- C:\Windows\System32\win32k.sys
2011-02-26 06:23:14 2870272 ----a-w- C:\Windows\explorer.exe
2011-02-26 05:33:07 2614784 ----a-w- C:\Windows\SysWow64\explorer.exe
2011-02-24 06:30:00 476160 ----a-w- C:\Windows\System32\XpsGdiConverter.dll
2011-02-24 06:29:15 1197056 ----a-w- C:\Windows\System32\wininet.dll
2011-02-24 06:24:57 57856 ----a-w- C:\Windows\System32\licmgr10.dll
2011-02-24 05:32:52 288256 ----a-w- C:\Windows\SysWow64\XpsGdiConverter.dll
2011-02-24 05:32:44 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-02-24 05:30:16 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll
2011-02-24 05:05:13 482816 ----a-w- C:\Windows\System32\html.iec
2011-02-24 04:24:04 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2011-02-24 04:23:48 386048 ----a-w- C:\Windows\SysWow64\html.iec
2011-02-24 03:50:26 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-02-23 05:16:28 461312 ----a-w- C:\Windows\System32\drivers\srv.sys
2011-02-23 05:16:01 401920 ----a-w- C:\Windows\System32\drivers\srv2.sys
2011-02-23 05:15:50 161792 ----a-w- C:\Windows\System32\drivers\srvnet.sys
2011-02-23 05:15:27 157696 ----a-w- C:\Windows\System32\drivers\mrxsmb.sys
2011-02-23 05:15:14 286720 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2011-02-23 05:15:13 126464 ----a-w- C:\Windows\System32\drivers\mrxsmb20.sys
2011-02-23 05:15:06 90624 ----a-w- C:\Windows\System32\drivers\bowser.sys
2011-02-19 06:37:44 1135104 ----a-w- C:\Windows\System32\FntCache.dll
2011-02-19 06:37:10 1540608 ----a-w- C:\Windows\System32\DWrite.dll
2011-02-19 06:36:49 902656 ----a-w- C:\Windows\System32\d2d1.dll
2011-02-19 06:36:13 46080 ----a-w- C:\Windows\System32\atmlib.dll
2011-02-19 05:32:48 1074176 ----a-w- C:\Windows\SysWow64\DWrite.dll
2011-02-19 05:32:35 739840 ----a-w- C:\Windows\SysWow64\d2d1.dll
2011-02-19 05:32:08 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2011-02-19 04:13:39 367104 ----a-w- C:\Windows\System32\atmfd.dll
2011-02-19 03:37:02 294912 ----a-w- C:\Windows\SysWow64\atmfd.dll
2011-02-18 20:36:58 51712 ----a-w- C:\Windows\System32\drivers\usbaapl64.sys
2011-02-18 20:36:58 4184352 ----a-w- C:\Windows\System32\usbaaplrc.dll
2011-02-18 06:37:05 612352 ----a-w- C:\Windows\System32\vbscript.dll
2011-02-18 06:33:50 31232 ----a-w- C:\Windows\System32\prevhost.exe
2011-02-18 05:36:26 428032 ----a-w- C:\Windows\SysWow64\vbscript.dll
2011-02-18 05:33:29 31232 ----a-w- C:\Windows\SysWow64\prevhost.exe
2011-02-12 06:14:41 267776 ----a-w- C:\Windows\System32\FXSCOVER.exe
.
============= FINISH: 18:52:53.93 ===============
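As an added example (editor's code, not part of the original post and not something DDS produces), the following Python script parses the uRun/mRun lines of the Pseudo HJT Report above and flags the entries a responder would pull out first: programs launched from user-writable directories (C:\ProgramData, the user's AppData tree) and rundll32.exe loading a DLL from the user profile. The sample lines are copied from the log; the triage rules, the list of host binaries and the consonant-run threshold for "random-looking" names are assumptions of this example, not anything DDS reports.

```python
"""Triage autorun entries from a DDS 'Pseudo HJT Report'.

Added example (editor's code, not from the original post or from DDS).
The sample lines are copied from the log above; the triage rules and the
consonant-run threshold are the editor's assumptions, not DDS output.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the Run entries from the DDS log posted above.
SAMPLE_REPORT = r"""
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [trwKcwHFGPMgtX] C:\ProgramData\trwKcwHFGPMgtX.exe
uRun: [Hcewobabamisabam] rundll32.exe "C:\Users\Les\AppData\Local\dperwi.dll",Startup
uRun: [Rnezabezax] rundll32.exe "C:\Users\Les\AppData\Local\azifenif.dll",Startup
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
"""

# uRun = HKCU\...\Run (per-user), mRun = HKLM\...\Run (machine-wide).
AUTORUN_RE = re.compile(r'^(?P<hive>[um]Run(?:-x64)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# A quoted path, or a bare token ending in .exe/.dll (stops before ",EntryPoint").
PATH_RE = re.compile(r'"([^"]+)"|(\S+?\.(?:exe|dll))\b', re.I)
# Assumed: host binaries whose real payload is the DLL they are told to load.
LOLBIN_HOSTS = {'rundll32.exe', 'regsvr32.exe'}
# Locations an unprivileged user can write to; installers rarely autorun from here.
USER_WRITABLE_RE = re.compile(r'\\(?:ProgramData|Users\\[^\\]+\\AppData)\\', re.I)


@dataclass
class Autorun:
    hive: str
    name: str
    command: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def extract_paths(command: str) -> List[str]:
    """Return every executable or DLL path referenced by the Run value."""
    return [quoted or bare for quoted, bare in PATH_RE.findall(command)]


def longest_consonant_run(name: str) -> int:
    """Generated names like trwKcwHFGPMgtX contain no vowels; product names do."""
    run = best = 0
    for ch in name:
        if ch.isalpha() and ch.lower() not in 'aeiouy':
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def analyse(line: str) -> Optional[Autorun]:
    """Parse one report line; return None for lines that are not Run entries."""
    m = AUTORUN_RE.match(line)
    if not m:
        return None
    entry = Autorun(m['hive'], m['name'], m['cmd'])
    paths = extract_paths(entry.command)
    hosts = [p for p in paths if p.rsplit('\\', 1)[-1].lower() in LOLBIN_HOSTS]
    payloads = [p for p in paths if p not in hosts]
    for p in payloads:
        if USER_WRITABLE_RE.search(p):
            what = ('DLL loaded via ' + hosts[0].rsplit('\\', 1)[-1].lower()
                    if hosts else 'program launched')
            entry.reasons.append(f'{what} from user-writable path: {p}')
    # Assumed threshold: weak on its own, but it singles out the dropper name above.
    if longest_consonant_run(entry.name) >= 8:
        entry.reasons.append(f'random-looking value name: {entry.name}')
    return entry


def triage(report: str) -> List[Autorun]:
    """All Run entries in the report, with reasons attached to the suspect ones."""
    return [e for e in (analyse(l) for l in report.splitlines()) if e]


if __name__ == '__main__':
    for e in triage(SAMPLE_REPORT):
        flag = 'SUSPECT' if e.suspicious else 'ok     '
        print(f'{flag} {e.hive:8} [{e.name}] {e.command}')
        for r in e.reasons:
            print(f'         - {r}')
```

Run against the sample, the three entries flagged are exactly the ones the OTL fix later in this thread removes (trwKcwHFGPMgtX, Hcewobabamisabam, Rnezabezax), while NvCplDaemon is left alone even though it also uses RUNDLL32.EXE, because its DLL lives under C:\Windows\system32. The path rule carries the weight; the name heuristic only adds a second reason for the dropper.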

#2 B-boy/StyLe/
    Bleepin' Freestyler
  • Malware Response Team
  • 8,307 posts
  • Location: Bulgaria

Posted 11 May 2011 - 05:33 AM

Hello lgarripee! Welcome to BleepingComputer Forums!


My name is Georgi and I will be helping you with your computer problems.


Before we begin, please note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something, don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.



Step 1



Try to download the already renamed RKill file by Grinler from the link below and save it to your desktop.
  • iExplore.exe

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on the iExplore.exe on your desktop to run it.
  • If you cannot find the iExplore.exe icon that you downloaded, click on the Start button and then in the search field enter %userprofile%\desktop\iexplore.exe and then press the Enter key on your keyboard. If Windows prompts you to allow it to run, please allow it to do so.
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that RKill is an infection, do not be concerned. This message is just a fake warning given by WindowsFixDisk when it terminates programs that may potentially remove it. If you run into these infection warnings that close RKill, a trick is to leave the warning on the screen and then run RKill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that RKill can terminate WindowsFixDisk.
  • When finished it will create a log. Please post the rkill.log in the next reply.
  • If nothing happens or if the tool does not run, please let me know in your next reply.



Step 2



Please download Malwarebytes Anti-Malware 1.50.1 Final and save it to your desktop.
Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.



Step 3



We need to run an OTL Custom Scan


  • Please download OTL from the link below:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • OTL should now start. Change the following settings:
    - Click on the Scan All Users checkbox at the top.
    - Under File Scans, change File age to 90
    - Under the Standard Registry box change it to All
    - Check the boxes beside LOP Check and Purity Check.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    netsvcs
    msconfig
    %SYSTEMDRIVE%\*.*
    %USERPROFILE%\*.*
    %USERPROFILE%\AppData\Local\*.*
    %USERPROFILE%\AppData\Roaming\*.*
    %ProgramData%\*.*
    %CommonProgramFiles%\*.*
    %PROGRAMFILES%\*.*
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    /md5start
    hlp.dat
    winlogon.exe
    wininit.exe
    userinit.exe
    explorer.exe
    volsnap.sys
    /md5stop
    
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


Step 4



Please download aswMBR (511 KB) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.



Please include the following logs in your next reply:

  • Rkill log
  • MBAM log
  • OTL.txt and Extra.txt
  • aswMBR.txt



Regards,
Georgi



#3 B-boy/StyLe/
    Bleepin' Freestyler
  • Malware Response Team
  • 8,307 posts
  • Location: Bulgaria

Posted 14 May 2011 - 09:00 AM

Hi lgarripee,



It's been several days. Do you still need help on this?
This thread will be closed if you don't respond within 48 hours.



Regards,
Georgi



#4 lgarripee
  • Topic Starter
  • Members
  • 9 posts

Posted 15 May 2011 - 08:43 PM

Hi lgarripee,



It's been several days. Do you still need help on this?
This thread will be closed if you don't respond within 48 hours.



Regards,
Georgi


Yes I do. I apologize but I've been on vacation and returned today.

I've attached the logs as requested.

Thanks for your time and help!

Les


#5 B-boy/StyLe/
    Bleepin' Freestyler
  • Malware Response Team
  • 8,307 posts
  • Location: Bulgaria

Posted 16 May 2011 - 07:54 AM

Hi again lgarripee,



I hope your vacation went well and that you had a great time. :)





We need to run an OTL Fix



  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    :OTL
    FF - prefs.js..extensions.enabledItems: {CA84BAC4-847F-4A84-A6A2-6BEB77D3FD7E}:1.9.1
    [2011/05/10 17:00:08 | 000,000,000 | -H-D | M] (XULRunner) -- C:\USERS\LES\APPDATA\LOCAL\{CA84BAC4-847F-4A84-A6A2-6BEB77D3FD7E}
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O4 - HKLM..\Run: [SunJavaUpdateSched] File not found
    O4 - HKU\S-1-5-21-3509703274-2131729478-676863228-1001..\Run: [Hcewobabamisabam] C:\Users\Les\AppData\Local\dperwi.dll (Progressive Networks)
    O4 - HKU\S-1-5-21-3509703274-2131729478-676863228-1001..\Run: [Rnezabezax] C:\Users\Les\AppData\Local\azifenif.dll (X10 Wireless Technology, Inc.)
    [2011/05/15 21:09:30 | 000,000,120 | -H-- | M] () -- C:\Users\Les\AppData\Local\Lrozedabex.dat
    [2011/05/15 21:09:30 | 000,000,000 | -H-- | M] () -- C:\Users\Les\AppData\Local\Nlusolasih.bin
    [2011/05/10 17:07:38 | 000,000,120 | -H-- | M] () -- C:\ProgramData\~44556024r
    [2011/05/10 17:07:38 | 000,000,104 | -H-- | M] () -- C:\ProgramData\~44556024
    [2011/05/10 17:07:33 | 000,000,336 | -H-- | M] () -- C:\ProgramData\44556024
    [2011/05/10 16:58:10 | 000,000,000 | -H-- | M] () -- C:\Users\Les\2gweorjqjutp92vjy9gake
    @Alternate Data Stream - 112 bytes -> C:\ProgramData\TEMP:16E15B52
    :commands
    [reboot]
    
  • Push Run Fix.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click OK.
  • A report will open. Copy and Paste that report in your next reply.
  • If a report is not shown, please navigate to the C:\_OTL\MovedFiles folder and open the newest .log file present.
  • Copy/paste the content of the log back here in your next post.


Next, please download and install the free 7-zip.

Navigate to C:\_OTL <= Important: do not open the folder when you select it!!!

Right click on it and select "7-zip", then "Add to archive...".

Go to "encryption" and type infected as a password. (Don't forget to re-enter the password.)

Leave all other settings at default, and click OK.

A new file with a .zip extension will be created in the very same folder.

Next, upload the archive here.

Finally, delete the created archive!!!





Next, please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :dir
    C:\Users\Les\AppData\Local\{10F10CDC-52E5-4C24-86E8-D446EEC8F53C} /s 
    C:\Users\Les\AppData\Local\{EEE47DCF-70BE-4789-9E54-9BF4925FFE23} /s
    C:\Users\Les\AppData\Local\{110AB236-885B-47A0-A933-EED387EE302D} /s
    C:\Users\Les\AppData\Local\{3D7E8363-EDC1-461D-9E80-1E6BC1997A75} /s
    C:\Users\Les\AppData\Local\{3D3CD1CD-457D-4F6E-8C47-FF9D1FF0F0C2} /s
    C:\Users\Les\AppData\Local\{0E5479EE-1683-4633-B8C0-658A65801F5E} /s
    C:\Users\Les\AppData\Local\{1BEAF3DB-5B0A-4F4B-83BE-2EE4D8EFC8AF} /s
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt.



Regards,
Georgi

Edited by B-boy/StyLe/, 16 May 2011 - 03:00 PM.
fixed 7zip download link for x64 OS



#6 lgarripee

lgarripee
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:54 AM

Posted 16 May 2011 - 06:42 PM

Here's the OTL log...

========== OTL ==========
Prefs.js: {CA84BAC4-847F-4A84-A6A2-6BEB77D3FD7E}:1.9.1 removed from extensions.enabledItems
C:\USERS\LES\APPDATA\LOCAL\{CA84BAC4-847F-4A84-A6A2-6BEB77D3FD7E}\chrome\content folder moved successfully.
C:\USERS\LES\APPDATA\LOCAL\{CA84BAC4-847F-4A84-A6A2-6BEB77D3FD7E}\chrome folder moved successfully.
C:\USERS\LES\APPDATA\LOCAL\{CA84BAC4-847F-4A84-A6A2-6BEB77D3FD7E} folder moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\SunJavaUpdateSched deleted successfully.
Registry value HKEY_USERS\S-1-5-21-3509703274-2131729478-676863228-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Hcewobabamisabam not found.
File C:\Users\Les\AppData\Local\dperwi.dll not found.
Registry value HKEY_USERS\S-1-5-21-3509703274-2131729478-676863228-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Rnezabezax not found.
File C:\Users\Les\AppData\Local\azifenif.dll not found.
C:\Users\Les\AppData\Local\Lrozedabex.dat moved successfully.
C:\Users\Les\AppData\Local\Nlusolasih.bin moved successfully.
C:\ProgramData\~44556024r moved successfully.
C:\ProgramData\~44556024 moved successfully.
C:\ProgramData\44556024 moved successfully.
C:\Users\Les\2gweorjqjutp92vjy9gake moved successfully.
ADS C:\ProgramData\TEMP:16E15B52 deleted successfully.
========== COMMANDS ==========

And here's the SystemLook log...

SystemLook 04.09.10 by jpshortstuff
Log created at 19:36 on 16/05/2011 by Les
Administrator - Elevation successful
WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.

========== dir ==========

C:\Users\Les\AppData\Local\{10F10CDC-52E5-4C24-86E8-D446EEC8F53C} - Parameters: "/s "

---Files---
None found.

No folders found.

C:\Users\Les\AppData\Local\{EEE47DCF-70BE-4789-9E54-9BF4925FFE23} - Parameters: "/s"

---Files---
None found.

No folders found.

C:\Users\Les\AppData\Local\{110AB236-885B-47A0-A933-EED387EE302D} - Parameters: "/s"

---Files---
None found.

No folders found.

C:\Users\Les\AppData\Local\{3D7E8363-EDC1-461D-9E80-1E6BC1997A75} - Parameters: "/s"

---Files---
None found.

No folders found.

C:\Users\Les\AppData\Local\{3D3CD1CD-457D-4F6E-8C47-FF9D1FF0F0C2} - Parameters: "/s"

---Files---
None found.

No folders found.

C:\Users\Les\AppData\Local\{0E5479EE-1683-4633-B8C0-658A65801F5E} - Parameters: "/s"

---Files---
None found.

No folders found.

C:\Users\Les\AppData\Local\{1BEAF3DB-5B0A-4F4B-83BE-2EE4D8EFC8AF} - Parameters: "/s"

---Files---
None found.

No folders found.

-= EOF =-

I also submitted the zip file

Thanks again


#7 lgarripee

lgarripee
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:54 AM

Posted 16 May 2011 - 07:00 PM

One other item.

The malware appears to have removed or hidden my program shortcuts.

#8 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:09:54 AM

Posted 16 May 2011 - 07:20 PM

Hi again lgarripee,



The malware appears to have removed or hidden my program shortcuts.




Please download Unhide.exe to your desktop:
  • Double-click on the Unhide.exe icon on your desktop and allow the program to run.
  • This program will remove the hidden attributes from all the files on your system.
  • Note: If you had purposely hidden any files, then you will need to hide them again after this tool has run.


Here's the OTL log...



Thanks, could you please re-run the OTL scan with the settings as before (see post №2)?
I want to be sure that nothing reappeared.



And here's the SystemLook log...



We need to repeat this step, as I forgot that you use a 64-bit Windows.


Please download SystemLook from the link below and save it to your Desktop.
SystemLook
  • Double-click SystemLook_x64.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :dir
    C:\Users\Les\AppData\Local\{10F10CDC-52E5-4C24-86E8-D446EEC8F53C}
    C:\Users\Les\AppData\Local\{EEE47DCF-70BE-4789-9E54-9BF4925FFE23}
    C:\Users\Les\AppData\Local\{110AB236-885B-47A0-A933-EED387EE302D}
    C:\Users\Les\AppData\Local\{3D7E8363-EDC1-461D-9E80-1E6BC1997A75}
    C:\Users\Les\AppData\Local\{3D3CD1CD-457D-4F6E-8C47-FF9D1FF0F0C2}
    C:\Users\Les\AppData\Local\{0E5479EE-1683-4633-B8C0-658A65801F5E}
    C:\Users\Les\AppData\Local\{1BEAF3DB-5B0A-4F4B-83BE-2EE4D8EFC8AF}
    %Temp%\smtmp /s
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt.



Regards,
Georgi



#9 lgarripee

lgarripee
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:54 AM

Posted 16 May 2011 - 09:31 PM

I've attached OTL.Txt and SystemLook.txt

My shortcuts are still missing after running Unhide.exe. Should I manually recreate them?

Thanks.

Attached Files



#10 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:09:54 AM

Posted 17 May 2011 - 07:44 AM

This is what you have to do...



Copy all content of this folder:
C:\Users\Les\AppData\Local\Temp\smtmp\1
and paste it to this folder:
C:\Program Data\Start Menu



NOTE: The "Start Menu" folder is a system folder, so in order to see it, in Windows Explorer, go to Tools > Folder Options > View tab and un-check "Hide protected operating system files".
In order to access the "Start Menu" folder, you may need to take ownership of that folder: http://www.howtogeek.com/howto/windows-vista/add-take-ownership-to-explorer-right-click-menu-in-vista/



Copy all content of this folder:
C:\Users\Les\AppData\Local\Temp\smtmp\3
and paste it to this folder:
C:\Users\Les\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar



Copy all content of this folder:
C:\Users\Les\AppData\Local\Temp\smtmp\4
and paste it to this folder:
C:\Program Data\Desktop

NOTE: The "Desktop" folder is also a system folder. See the note above.



Let me know if that worked.



Regards,
Georgi

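The three copy steps in Georgi's post, written up as an added PowerShell example that is not part of the thread or of any tool used in it: it restores the shortcuts from %Temp%\smtmp to the destinations given above, never overwrites a file already at the destination, clears the Hidden attribute on each restored copy, and supports -WhatIf for a dry run. Assumptions: it runs under the affected user account on PowerShell 2.0 or later, and the common Start Menu and Public Desktop are at their standard Windows 7 locations ($env:ProgramData\Microsoft\Windows\Start Menu and $env:PUBLIC\Desktop), which are the folders the post writes as "C:\Program Data\Start Menu" and "C:\Program Data\Desktop".

```powershell
# Added example (not from the thread): restore shortcuts the rogue moved into
# %Temp%\smtmp, using the smtmp subfolder -> destination mapping from the post.
# Run with -WhatIf first to see what would be copied; add -Verbose for skips.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumed: smtmp lives in the current user's Temp folder, as in the post.
    [string]$SmTmp = (Join-Path $env:TEMP 'smtmp')
)

# Only the three subfolders the post names. Assumed standard Windows 7 paths
# for the common Start Menu and the Public desktop.
$map = @{
    '1' = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu'
    '3' = Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar'
    '4' = Join-Path $env:PUBLIC 'Desktop'
}

if (-not (Test-Path -LiteralPath $SmTmp)) {
    Write-Warning "No $SmTmp folder found; nothing to restore."
    return
}

foreach ($sub in ($map.Keys | Sort-Object)) {
    $src = Join-Path $SmTmp $sub
    $dst = $map[$sub]
    if (-not (Test-Path -LiteralPath $src)) {
        Write-Verbose "smtmp\$sub is absent, skipping"
        continue
    }
    # -Force is needed because the moved shortcuts may carry the Hidden attribute.
    $files = Get-ChildItem -LiteralPath $src -Recurse -Force |
             Where-Object { -not $_.PSIsContainer }
    foreach ($file in $files) {
        # Keep the relative layout (e.g. Programs\Accessories\...) under the destination.
        $relative = $file.FullName.Substring($src.Length).TrimStart('\')
        $target   = Join-Path $dst $relative
        if (Test-Path -LiteralPath $target) {
            # Never clobber a shortcut that still exists or was recreated by hand.
            Write-Verbose "already present, skipping: $target"
            continue
        }
        if ($PSCmdlet.ShouldProcess($target, "Restore from smtmp\$sub")) {
            $null = New-Item -ItemType Directory -Force -Path (Split-Path -Parent $target)
            Copy-Item -LiteralPath $file.FullName -Destination $target
            # Copy-Item preserves attributes, so clear Hidden on the restored copy.
            $restored = Get-Item -LiteralPath $target -Force
            $restored.Attributes = $restored.Attributes -band (-bnot [IO.FileAttributes]::Hidden)
        }
    }
}
```

Writing into the common Start Menu and Public Desktop requires an elevated PowerShell; the post's note about taking ownership applies to the script just as it does to Explorer.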


#11 lgarripee

lgarripee
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:54 AM

Posted 17 May 2011 - 05:50 PM

This is what you have to do...



Copy all content of this folder:
C:\Users\Les\AppData\Local\Temp\smtmp\1
and paste it to this folder:
C:\Program Data\Start Menu



NOTE: The "Start Menu" folder is a system folder, so in order to see it, in Windows Explorer, go to Tools > Folder Options > View tab and un-check "Hide protected operating system files".
In order to access the "Start Menu" folder, you may need to take ownership of that folder: http://www.howtogeek.com/howto/windows-vista/add-take-ownership-to-explorer-right-click-menu-in-vista/



Copy all content of this folder:
C:\Users\Les\AppData\Local\Temp\smtmp\3
and paste it to this folder:
C:\Users\Les\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar



Copy all content of this folder:
C:\Users\Les\AppData\Local\Temp\smtmp\4
and paste it to this folder:
C:\Program Data\Desktop

NOTE: The "Desktop" folder is also a system folder. See the note above.



Let me know if that worked.



Regards,
Georgi


Looks good, thanks.

I think I'm cleared of the malware, do you agree?

#12 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:09:54 AM

Posted 17 May 2011 - 06:05 PM

Looks good, thanks.



Does this bring your icons back? :)



I think I'm cleared of the malware, do you agree?




Before I set you free, I'd like us to scan your machine with Kaspersky Virus Removal Tool.



Please click here to download Kaspersky Virus Removal Tool.

  • Double click on the file you just downloaded and let it install.
  • It will install to your desktop.
  • After that leave what is selected and put a check next to My Computer.
  • Click on the option that says Threat Detection and change it to Disinfect. Do not select "Delete if disinfection fails".
  • Then click on Start Scan.
  • Before it is done, it may prompt for action regardless of the setting, so choose Skip if prompted.
  • When the scan is done, no log will be produced.
  • Click on the bottom where it says Report to open the report.
  • Then highlight all of the items found by using Ctrl + A on your keyboard to select all, or use your mouse to select all, then right click and choose Copy.
  • This will copy the items that it found to the clipboard; you can then open Notepad (go to Start, then Run, then type in notepad) and choose Paste to paste the contents into Notepad.
  • You can save this on the desktop.
  • Post the contents of the document in your next reply.

Note: This tool will self uninstall when you close it so please save the log before closing it.



Regards,
Georgi



#13 lgarripee

lgarripee
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:54 AM

Posted 18 May 2011 - 06:05 AM


Looks good, thanks.



Does this bring your icons back? :)



I think I'm cleared of the malware, do you agree?




Before I set you free, I'd like us to scan your machine with Kaspersky Virus Removal Tool.



Please click here to download Kaspersky Virus Removal Tool.

  • Double click on the file you just downloaded and let it install.
  • It will install to your desktop.
  • After that leave what is selected and put a check next to My Computer.
  • Click on the option that says Threat Detection and change it to Disinfect. Do not select "Delete if disinfection fails".
  • Then click on Start Scan.
  • Before it is done, it may prompt for action regardless of the setting, so choose Skip if prompted.
  • When the scan is done, no log will be produced.
  • Click on the bottom where it says Report to open the report.
  • Then highlight all of the items found by using Ctrl + A on your keyboard to select all, or use your mouse to select all, then right click and choose Copy.
  • This will copy the items that it found to the clipboard; you can then open Notepad (go to Start, then Run, then type in notepad) and choose Paste to paste the contents into Notepad.
  • You can save this on the desktop.
  • Post the contents of the document in your next reply.

Note: This tool will self uninstall when you close it so please save the log before closing it.



Regards,
Georgi


Yes, my icons are back.

I've attached the scan log.




#14 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:09:54 AM

Posted 18 May 2011 - 07:35 PM

Hi lgarripee,



We need to run an OTL Fix



  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word "Code"
    :files
    C:\Documents and Settings\Les\AppData\Local\Temp\jar_cache5142844459895654797.tmp
    C:\Documents and Settings\Les\Local Settings\Temp\jar_cache5142844459895654797.tmp
    C:\Users\Les\AppData\Local\Temp\jar_cache5142844459895654797.tmp
    C:\Users\Les\Local Settings\Temp\jar_cache5142844459895654797.tmp
    C:\Documents and Settings\Les\AppData\Local\Temp\plugtmp-4\plugin-k_rf.pdf
    C:\Documents and Settings\Les\Local Settings\Temp\plugtmp-4\plugin-k_rf.pdf
    C:\Users\Les\AppData\Local\Temp\plugtmp-4\plugin-k_rf.pdf
    C:\Users\Les\Local Settings\Temp\plugtmp-4\plugin-k_rf.pdf
    C:\Documents and Settings\Les\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\7d6bff4d-35d908ce
    C:\Documents and Settings\Les\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\58468a0a-6c589f91
    C:\Documents and Settings\Les\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\3cc664c-1143e466
    C:\Documents and Settings\Les\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\962ff12-3f427a89
    C:\Documents and Settings\Les\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\35\27b84623-4973d001
    C:\Documents and Settings\Les\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\36\4375ca64-6e010364
    C:\Documents and Settings\Les\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\642ac9e2-6a5f01f5
    C:\Documents and Settings\Les\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54\1092eff6-7dde5db3
    C:\Users\Les\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\3cc664c-1143e466
    C:\Users\Les\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\58468a0a-6c589f91
    C:\Users\Les\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\7d6bff4d-35d908ce
    C:\Users\Les\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\962ff12-3f427a89
    C:\Users\Les\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\642ac9e2-6a5f01f5
    C:\Users\Les\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\35\27b84623-4973d001
    C:\Users\Les\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\36\4375ca64-6e010364
    :commands
    [reboot]
    
  • Push Run Fix.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click OK.
  • A report will open. Copy and Paste that report in your next reply.
  • If a report is not shown, please navigate to the C:\_OTL\MovedFiles folder and open the newest .log file present.
  • Copy/paste the content of the log back here in your next post.



Regards,
Georgi



#15 lgarripee

lgarripee
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:54 AM

Posted 19 May 2011 - 05:56 PM

Here's the OTL scan from the Run Fix session...

========== FILES ==========
C:\Documents and Settings\Les\AppData\Local\Temp\jar_cache5142844459895654797.tmp moved successfully.
File\Folder C:\Documents and Settings\Les\Local Settings\Temp\jar_cache5142844459895654797.tmp not found.
File\Folder C:\Users\Les\AppData\Local\Temp\jar_cache5142844459895654797.tmp not found.
File\Folder C:\Users\Les\Local Settings\Temp\jar_cache5142844459895654797.tmp not found.
C:\Documents and Settings\Les\AppData\Local\Temp\plugtmp-4\plugin-k_rf.pdf moved successfully.
File\Folder C:\Documents and Settings\Les\Local Settings\Temp\plugtmp-4\plugin-k_rf.pdf not found.
File\Folder C:\Users\Les\AppData\Local\Temp\plugtmp-4\plugin-k_rf.pdf not found.
File\Folder C:\Users\Les\Local Settings\Temp\plugtmp-4\plugin-k_rf.pdf not found.
C:\Documents and Settings\Les\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\7d6bff4d-35d908ce moved successfully.
C:\Documents and Settings\Les\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\58468a0a-6c589f91 moved successfully.
C:\Documents and Settings\Les\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\3cc664c-1143e466 moved successfully.
C:\Documents and Settings\Les\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\962ff12-3f427a89 moved successfully.
C:\Documents and Settings\Les\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\35\27b84623-4973d001 moved successfully.
C:\Documents and Settings\Les\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\36\4375ca64-6e010364 moved successfully.
C:\Documents and Settings\Les\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\642ac9e2-6a5f01f5 moved successfully.
File\Folder C:\Documents and Settings\Les\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54\1092eff6-7dde5db3 not found.
File\Folder C:\Users\Les\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\3cc664c-1143e466 not found.
File\Folder C:\Users\Les\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\58468a0a-6c589f91 not found.
File\Folder C:\Users\Les\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\7d6bff4d-35d908ce not found.
File\Folder C:\Users\Les\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\962ff12-3f427a89 not found.
File\Folder C:\Users\Les\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\642ac9e2-6a5f01f5 not found.
File\Folder C:\Users\Les\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\35\27b84623-4973d001 not found.
File\Folder C:\Users\Les\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\36\4375ca64-6e010364 not found.
========== COMMANDS ==========

OTL by OldTimer - Version 3.2.22.3 log created on 05192011_185343



