
Rootkit removal


This topic is locked
51 replies to this topic

#1 drshadrack (Members)

Posted 07 January 2012 - 07:42 AM

Hi I have a rootkit problem that originated when my PC was infected with System Check virus.

I have tried downloading various rootkit fix/detection software but they are being prevented from running by the rootkit even if I rename them. Updating my antivirus software seems to be prevented also.

I have an additional issue in that I cannot run safe mode - when I try to do this I get a black screen with a message saying that no video is supported in this mode.

I would therefore like some assistance on manually remedying the issue.

I am running XP home edition and have avira, malwarebytes, and adaware installed for protection.

I have taken the following boot log but I am not sure what to make of it.

Any assistance would be appreciated.

Thx

drshadrack



#2 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 12 January 2012 - 02:04 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:


    Link1
    Link2
    Link3

  • Please disable any anti-malware program that will block scripts from running before running DDS.
  • Double-click on dds.scr and a command window will appear. This is normal.
  • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

Information and logs:

  • In your next post I need the following:
    • logs from DDS
    • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 15 January 2012 - 02:55 AM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

#4 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 18 January 2012 - 06:16 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

#5 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 21 January 2012 - 05:52 PM

This topic has been re-opened at the request of the person who originally posted.

#6 drshadrack (Topic Starter, Members)

Posted 22 January 2012 - 08:20 PM

Hi again.

Unfortunately DDS will not complete its scan; the software just hangs about 3/4 of the way through the process.

Should I try OTL?

Thx in advance

#7 drshadrack (Topic Starter, Members)

Posted 22 January 2012 - 08:27 PM

I should also say that I had trouble getting my browser to run also but managed to fix this by adjusting ipconfig settings. Needless to say redirect is still apparent.

#8 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 22 January 2012 - 08:53 PM

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and is the one that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTL.txt in your next reply.

Gringo

#9 drshadrack (Topic Starter, Members)

Posted 23 January 2012 - 03:04 AM

Details of OTL log file below. Thx again.


OTL logfile created on: 23/01/2012 00:53:19 - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Louise.USER-DA7A218BF9\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

703.48 Mb Total Physical Memory | 248.05 Mb Available Physical Memory | 35.26% Memory free
1.35 Gb Paging File | 1.00 Gb Available in Paging File | 73.77% Paging File free
Paging file location(s): C:\pagefile.sys 720 1440 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.45 Gb Total Space | 9.33 Gb Free Space | 12.54% Space Free | Partition Type: NTFS
Drive E: | 3.72 Gb Total Space | 0.28 Gb Free Space | 7.56% Space Free | Partition Type: FAT32

Computer Name: USER-DA7A218BF9 | User Name: Louise | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Louise.USER-DA7A218BF9\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\jpeg\firefox.exe (Mozilla Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\SYSTEM32\VTTimer.exe (S3 Graphics, Inc.)
PRC - C:\WINDOWS\SYSTEM32\HPZipm12.exe (HP)


========== Modules (No Company Name) ==========

MOD - C:\WINDOWS\SYSTEM32\Macromed\Flash\NPSWF32.dll ()
MOD - C:\WINDOWS\SYSTEM32\Wireless\WirelessGina.DLL ()


========== Win32 Services (SafeList) ==========

SRV - (HidServ) -- File not found
SRV - (AppMgmt) -- File not found
SRV - (Lavasoft Ad-Aware Service) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft Limited)
SRV - (sftvsa) -- C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe (Microsoft Corporation)
SRV - (sftlist) -- C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe (Microsoft Corporation)
SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
SRV - (Pml Driver HPZ12) -- C:\WINDOWS\SYSTEM32\HPZipm12.exe (HP)


========== Driver Services (SafeList) ==========

DRV - (Lavasoft Kernexplorer) -- C:\Program Files\Lavasoft\Ad-Aware\kernexplorer.sys ()
DRV - (Lbd) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys (Lavasoft AB)
DRV - (Sftvol) -- C:\WINDOWS\SYSTEM32\DRIVERS\Sftvolxp.sys (Microsoft Corporation)
DRV - (Sftredir) -- C:\WINDOWS\SYSTEM32\DRIVERS\Sftredirxp.sys (Microsoft Corporation)
DRV - (Sftplay) -- C:\WINDOWS\SYSTEM32\DRIVERS\Sftplayxp.sys (Microsoft Corporation)
DRV - (Sftfs) -- C:\WINDOWS\SYSTEM32\DRIVERS\Sftfsxp.sys (Microsoft Corporation)
DRV - (FlashUSB) -- C:\WINDOWS\SYSTEM32\DRIVERS\FlashUSB.sys (Danish Wireless Design A/S)
DRV - (avgntflt) -- C:\WINDOWS\SYSTEM32\DRIVERS\avgntflt.sys (Avira GmbH)
DRV - (fssfltr) -- C:\WINDOWS\SYSTEM32\DRIVERS\fssfltr_tdi.sys (Microsoft Corporation)
DRV - (VX1000) -- C:\WINDOWS\SYSTEM32\DRIVERS\VX1000.sys (Microsoft Corporation)
DRV - (ssmdrv) -- C:\WINDOWS\SYSTEM32\DRIVERS\ssmdrv.sys (Avira GmbH)
DRV - (FsUsbExDisk) -- C:\WINDOWS\SYSTEM32\FsUsbExDisk.Sys ()
DRV - (avipbb) -- C:\WINDOWS\SYSTEM32\DRIVERS\avipbb.sys (Avira GmbH)
DRV - (avgio) -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys (Avira GmbH)
DRV - (gameenum) -- C:\WINDOWS\SYSTEM32\DRIVERS\gameenum.sys (Microsoft Corporation)
DRV - (Changer) -- C:\WINDOWS\System32\drivers\changer.sys (Microsoft Corporation)
DRV - (lbrtfdc) -- C:\WINDOWS\System32\drivers\lbrtfdc.sys (Toshiba Corp.)
DRV - (VIAudio) Vinyl AC'97 Audio Controller (WDM) -- C:\WINDOWS\SYSTEM32\DRIVERS\vinyl97.sys (VIA Technologies, Inc.)
DRV - (IntelS51) Intel® -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelS51.sys (Intel Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-299502267-1563985344-1177238915-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKU\S-1-5-21-299502267-1563985344-1177238915-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-299502267-1563985344-1177238915-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
IE - HKU\S-1-5-21-299502267-1563985344-1177238915-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 84 81 6F DB AE 1E CC 01 [binary data]
IE - HKU\S-1-5-21-299502267-1563985344-1177238915-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-299502267-1563985344-1177238915-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>;*.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk/"
FF - prefs.js..extensions.enabledItems: 2020Player@2020Technologies.com:5.0.4.0
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: 2020Player_IKEA@2020Technologies.com:5.0.7.0
FF - prefs.js..extensions.enabledItems: ChoiceGuard@Microsoft:2.0
FF - prefs.js..network.proxy.no_proxies_on: "*.local,localhost,127.0.0.1"


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.3: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MI1933~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8117.0416: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@veetle.com/veetleCorePlugin,version=0.9.18: C:\Program Files\Veetle\plugins\npVeetle.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\@veetle.com/veetlePlayerPlugin,version=0.9.18: C:\Program Files\Veetle\Player\npvlc.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.0.1\extensions\\Components: C:\Program Files\jpeg\components [2012/01/22 20:44:27 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.0.1\extensions\\Plugins: C:\Program Files\jpeg\plugins [2012/01/22 20:44:17 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/01/06 01:03:54 | 000,000,000 | -H-D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/01/06 01:03:54 | 000,000,000 | -H-D | M]

[2010/01/19 23:27:39 | 000,000,000 | -H-D | M] (No name found) -- C:\Documents and Settings\Louise.USER-DA7A218BF9\Application Data\Mozilla\Extensions
[2012/01/05 22:29:10 | 000,000,000 | -H-D | M] (No name found) -- C:\Documents and Settings\Louise.USER-DA7A218BF9\Application Data\Mozilla\Firefox\Profiles\0x1ro3pe.default\extensions
[2011/05/29 16:19:27 | 000,000,000 | -H-D | M] (20-20 3D Viewer) -- C:\Documents and Settings\Louise.USER-DA7A218BF9\Application Data\Mozilla\Firefox\Profiles\0x1ro3pe.default\extensions\2020Player@2020Technologies.com
[2011/06/17 16:40:53 | 000,000,000 | -H-D | M] (20-20 3D Viewer - IKEA) -- C:\Documents and Settings\Louise.USER-DA7A218BF9\Application Data\Mozilla\Firefox\Profiles\0x1ro3pe.default\extensions\2020Player_IKEA@2020Technologies.com
[2010/03/21 17:36:54 | 000,000,000 | -H-D | M] (Microsoft Choice Guard) -- C:\Documents and Settings\Louise.USER-DA7A218BF9\Application Data\Mozilla\Firefox\Profiles\0x1ro3pe.default\extensions\ChoiceGuard@Microsoft
[2010/01/19 22:49:23 | 000,000,000 | -H-D | M] (No name found) -- C:\Documents and Settings\Louise.USER-DA7A218BF9\Application Data\Mozilla\Firefox\Profiles\3u7uz4cq.default\extensions
[2010/01/19 22:49:22 | 000,000,000 | -H-D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Louise.USER-DA7A218BF9\Application Data\Mozilla\Firefox\Profiles\3u7uz4cq.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}(2)
[2012/01/06 01:04:02 | 000,000,000 | -H-D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/07/12 16:37:41 | 000,000,000 | -H-D | M] (Skype extension) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2010/01/17 12:47:23 | 000,000,000 | -H-D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2009/11/15 00:47:35 | 000,000,000 | -H-D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
[2012/01/06 01:03:51 | 000,121,816 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/01/06 01:03:45 | 000,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2012/01/06 01:03:45 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/01/06 01:03:45 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2012/01/06 01:03:45 | 000,001,180 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2012/01/06 01:03:45 | 000,001,135 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2010/11/23 22:53:41 | 000,000,736 | -H-- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O4 - HKLM..\Run: [B2C_AGENT] C:\Documents and Settings\All Users.WINDOWS\Application Data\LGMOBILEAX\B2C_Client\B2CNotiAgent.exe (LG Electronics)
O4 - HKLM..\Run: [VTTimer] C:\WINDOWS\System32\VTTimer.exe (S3 Graphics, Inc.)
O4 - Startup: C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Mozilla Firefox [2012/01/22 20:44:31 | 000,000,000 | ---D | M]
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-299502267-1563985344-1177238915-1005\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-21-299502267-1563985344-1177238915-1005\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-299502267-1563985344-1177238915-1005\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-21-299502267-1563985344-1177238915-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-299502267-1563985344-1177238915-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktop = 0
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\SYSTEM32\nwprovau.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-299502267-1563985344-1177238915-1005\..Trusted Domains: uniqlo.co.uk ([www] https in Trusted sites)
O16 - DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} http://kitchenplanner.ikea.com/gb/Core/Player/2020PlayerAX_Win32.cab (20-20 3D Viewer)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab (HP Download Manager)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab (Minesweeper Flags Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{DCE3F6B6-67F4-49CE-A4C2-C616083E3114}: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\SYSTEM32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (C:\WINDOWS\SYSTEM32\Wireless\WirelessGina.DLL) -C:\WINDOWS\SYSTEM32\Wireless\WirelessGina.DLL ()
O20 - Winlogon\Notify\TPSvc: DllName - (TPSvc.dll) - File not found
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002/09/03 07:59:58 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{96f5dd28-2b91-11e0-97eb-000b6a803f95}\Shell - "" = AutoRun
O33 - MountPoints2\{96f5dd28-2b91-11e0-97eb-000b6a803f95}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{96f5dd28-2b91-11e0-97eb-000b6a803f95}\Shell\AutoRun\command - "" = F:\iStudio.exe
O33 - MountPoints2\{fbd1c3cc-100d-11e0-97c1-0018e749ec82}\Shell - "" = AutoRun
O33 - MountPoints2\{fbd1c3cc-100d-11e0-97c1-0018e749ec82}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{fbd1c3cc-100d-11e0-97c1-0018e749ec82}\Shell\AutoRun\command - "" = E:\LGAutoRun.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (lsdelete)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-299502267-1563985344-1177238915-1005\...exe [@ = exefile] -- Reg Error: Key error. File not found

========== Files/Folders - Created Within 30 Days ==========

[2012/01/23 00:48:32 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Louise.USER-DA7A218BF9\Desktop\OTL.exe
[2012/01/22 20:44:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Mozilla Firefox
[2012/01/22 20:44:08 | 000,000,000 | ---D | C] -- C:\Program Files\jpeg
[2012/01/22 00:45:26 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Louise.USER-DA7A218BF9\Desktop\dds.scr
[2012/01/21 23:12:38 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Louise.USER-DA7A218BF9\Start Menu\Programs\Administrative Tools
[2012/01/05 20:12:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Sophos
[2012/01/05 20:12:09 | 000,000,000 | ---D | C] -- C:\Program Files\AR
[2012/01/05 19:53:56 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2012/01/04 22:00:23 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Louise.USER-DA7A218BF9\Recent
[2012/01/04 01:07:24 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Louise.USER-DA7A218BF9\Application Data\Malwarebytes
[2012/01/04 01:06:06 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/01/04 01:06:02 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
[2012/01/04 01:05:56 | 000,020,464 | -H-- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/01/04 01:05:54 | 000,000,000 | -H-D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2008/11/06 00:29:15 | 010,250,327 | -H-- | C] (Apex Corporation ) -- C:\Program Files\apex-audio-converter.exe
[2008/11/02 10:16:48 | 000,812,344 | -H-- | C] (Trend Micro Inc.) -- C:\Program Files\HJTInstall.exe
[2008/08/01 22:02:47 | 002,662,366 | -H-- | C] (Macrovision Corporation) -- C:\Program Files\eMusicDownloadManager.exe
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[15 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/01/23 00:48:33 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Louise.USER-DA7A218BF9\Desktop\OTL.exe
[2012/01/23 00:22:58 | 000,000,020 | -H-- | M] () -- C:\GINA.TEXT
[2012/01/23 00:22:57 | 000,013,646 | -H-- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/01/23 00:21:48 | 000,000,041 | -H-- | M] () -- C:\WLANCUGINA.TEXT
[2012/01/23 00:21:32 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/01/23 00:08:19 | 000,000,229 | -HS- | M] () -- C:\boot.ini
[2012/01/22 20:44:31 | 000,001,517 | ---- | M] () -- C:\Documents and Settings\Louise.USER-DA7A218BF9\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2012/01/22 20:44:31 | 000,001,499 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Mozilla Firefox.lnk
[2012/01/21 23:11:43 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Louise.USER-DA7A218BF9\defogger_reenable
[2012/01/21 13:06:16 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Louise.USER-DA7A218BF9\Desktop\dds.scr
[2012/01/21 13:05:12 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Louise.USER-DA7A218BF9\Desktop\Defogger.exe
[2012/01/05 22:08:57 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Adobe Reader X.lnk
[2012/01/04 00:15:23 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2012/01/04 00:13:00 | 000,000,064 | -H-- | M] () -- C:\WINDOWS\System32\rp_stats.dat
[2012/01/04 00:13:00 | 000,000,044 | -H-- | M] () -- C:\WINDOWS\System32\rp_rules.dat
[2012/01/04 00:11:03 | 000,000,897 | -H-- | M] () -- C:\Documents and Settings\Louise.USER-DA7A218BF9\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
[2012/01/03 23:45:06 | 000,000,296 | -H-- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\123.exe
[2012/01/03 23:45:05 | 000,000,200 | -H-- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\234.exe
[2012/01/03 23:41:41 | 000,000,432 | -H-- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\345.exe
[2012/01/03 23:39:57 | 000,355,206 | -H-- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\456.exe
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[15 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/01/22 20:44:31 | 000,001,517 | ---- | C] () -- C:\Documents and Settings\Louise.USER-DA7A218BF9\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2012/01/22 20:44:31 | 000,001,499 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Mozilla Firefox.lnk
[2012/01/22 00:45:40 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Louise.USER-DA7A218BF9\Desktop\Defogger.exe
[2012/01/21 23:11:43 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Louise.USER-DA7A218BF9\defogger_reenable
[2012/01/05 22:08:57 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Adobe Reader X.lnk
[2012/01/05 22:08:56 | 000,002,347 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Adobe Reader X.lnk
[2012/01/04 00:11:02 | 000,000,897 | -H-- | C] () -- C:\Documents and Settings\Louise.USER-DA7A218BF9\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
[2012/01/03 23:45:05 | 000,000,296 | -H-- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\123.exe
[2012/01/03 23:45:05 | 000,000,200 | -H-- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\234.exe
[2012/01/03 23:40:11 | 000,000,432 | -H-- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\345.exe
[2012/01/03 23:39:57 | 000,355,206 | -H-- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\456.exe
[2011/05/17 19:52:56 | 000,001,025 | -H-- | C] () -- C:\WINDOWS\System32\sysprs7.dll
[2011/05/17 19:52:56 | 000,000,205 | -H-- | C] () -- C:\WINDOWS\System32\lsprst7.dll
[2011/05/15 21:42:44 | 000,000,064 | -H-- | C] () -- C:\WINDOWS\System32\rp_stats.dat
[2011/05/15 21:42:44 | 000,000,044 | -H-- | C] () -- C:\WINDOWS\System32\rp_rules.dat
[2011/04/07 06:30:27 | 000,000,017 | -H-- | C] () -- C:\WINDOWS\System32\shortcut_ex.dat
[2011/03/18 00:07:14 | 000,110,397 | -H-- | C] () -- C:\WINDOWS\hpoins11.dat.temp
[2011/03/18 00:07:14 | 000,006,947 | -H-- | C] () -- C:\WINDOWS\hpomdl11.dat.temp
[2011/03/18 00:06:45 | 000,006,947 | -H-- | C] () -- C:\WINDOWS\hpomdl11.dat
[2010/12/26 10:03:26 | 000,053,248 | -H-- | C] () -- C:\WINDOWS\System32\CommonDL.dll
[2010/12/26 10:03:26 | 000,002,413 | -H-- | C] () -- C:\WINDOWS\System32\lgAxconfig.ini
[2010/11/17 00:06:38 | 000,000,127 | -H-- | C] () -- C:\WINDOWS\System32\MRT.INI
[2010/10/27 22:46:00 | 000,000,006 | -H-- | C] () -- C:\Documents and Settings\Louise.USER-DA7A218BF9\Application Data\completescan
[2010/10/27 21:05:46 | 000,000,010 | -H-- | C] () -- C:\Documents and Settings\Louise.USER-DA7A218BF9\Application Data\install
[2010/10/27 21:05:03 | 000,000,036 | -H-- | C] () -- C:\WINDOWS\System32\complete.dat
[2010/10/27 21:04:51 | 000,000,016 | -H-- | C] () -- C:\WINDOWS\System32\dmlconf.dat
[2010/01/25 04:44:10 | 000,015,880 | -H-- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/01/10 09:53:39 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\nsreg.dat
[2010/01/04 16:22:51 | 000,002,528 | -H-- | C] () -- C:\Documents and Settings\Louise.USER-DA7A218BF9\Application Data\$_hpcst$.hpc
[2009/12/28 16:08:36 | 000,110,592 | -H-- | C] () -- C:\WINDOWS\System32\FsUsbExDevice.Dll
[2009/12/28 16:08:35 | 000,036,608 | -H-- | C] () -- C:\WINDOWS\System32\FsUsbExDisk.Sys
[2009/12/02 08:15:55 | 000,005,120 | -H-- | C] () -- C:\Documents and Settings\Louise.USER-DA7A218BF9\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/11/22 09:20:27 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2009/11/17 21:44:53 | 000,027,044 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/11/14 17:05:59 | 000,110,415 | -H-- | C] () -- C:\WINDOWS\hpoins11.dat
[2009/11/14 17:05:40 | 000,077,824 | -H-- | C] () -- C:\WINDOWS\System32\HPZIDS01.dll
[2009/11/09 12:08:29 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/11/09 12:01:06 | 000,021,640 | -H-- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/11/09 11:13:41 | 000,004,161 | -H-- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/11/09 11:12:23 | 000,149,992 | -H-- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/09/14 21:34:22 | 015,860,098 | -H-- | C] () -- C:\Program Files\Hockey_-_Song_Away.zip
[2009/06/29 09:10:32 | 155,255,392 | -H-- | C] () -- C:\Program Files\OOo_3.1.0_Win32Intel_install_wJRE_en-US.exe
[2009/06/26 17:21:02 | 000,015,498 | -H-- | C] () -- C:\WINDOWS\VX1000.ini
[2008/04/14 12:00:00 | 013,107,200 | -H-- | C] () -- C:\WINDOWS\System32\oembios.bin
[2008/04/14 12:00:00 | 000,673,088 | -H-- | C] () -- C:\WINDOWS\System32\mlang.dat
[2008/04/14 12:00:00 | 000,437,136 | -H-- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2008/04/14 12:00:00 | 000,272,128 | -H-- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2008/04/14 12:00:00 | 000,218,003 | -H-- | C] () -- C:\WINDOWS\System32\dssec.dat
[2008/04/14 12:00:00 | 000,069,598 | -H-- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2008/04/14 12:00:00 | 000,046,258 | -H-- | C] () -- C:\WINDOWS\System32\mib.bin
[2008/04/14 12:00:00 | 000,028,626 | -H-- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2008/04/14 12:00:00 | 000,004,569 | -H-- | C] () -- C:\WINDOWS\System32\secupd.dat
[2008/04/14 12:00:00 | 000,004,461 | -H-- | C] () -- C:\WINDOWS\System32\oembios.dat
[2008/04/14 12:00:00 | 000,001,804 | -H-- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2008/04/14 12:00:00 | 000,000,741 | -H-- | C] () -- C:\WINDOWS\System32\noise.dat
[2007/10/25 17:26:10 | 000,005,632 | -H-- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys
[2006/02/08 18:06:43 | 001,433,600 | -H-- | C] () -- C:\Program Files\incavi.001
[2006/02/08 18:06:43 | 000,609,486 | -H-- | C] () -- C:\Program Files\miniavi.avg
[2006/02/08 18:06:43 | 000,404,219 | -H-- | C] () -- C:\Program Files\incavi.002
[2006/02/08 18:06:43 | 000,167,683 | -H-- | C] () -- C:\Program Files\incavi.000
[2006/02/08 18:06:43 | 000,017,481 | -H-- | C] () -- C:\Program Files\microavi.avg
[2006/02/08 18:06:42 | 001,433,600 | -H-- | C] () -- C:\Program Files\avi7.002
[2006/02/08 18:06:42 | 001,433,600 | -H-- | C] () -- C:\Program Files\avi7.001
[2006/02/08 18:06:42 | 001,432,576 | -H-- | C] () -- C:\Program Files\avi7.000
[2006/02/08 18:06:42 | 000,638,950 | -H-- | C] () -- C:\Program Files\avi7.003
[2006/02/08 18:06:42 | 000,001,024 | -H-- | C] () -- C:\Program Files\index
[2006/02/08 18:06:42 | 000,000,070 | -H-- | C] () -- C:\Program Files\datadir
[2006/02/08 08:59:01 | 001,304,796 | -H-- | C] () -- C:\Program Files\ccsetup127b2.exe

< End of report >

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:21 PM

Posted 24 January 2012 - 08:00 AM

Hello

Run this custom script, and when it is complete I need to know how the computer is doing.

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the Posted Image textbox. Do not include the word Code
    :OTL
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html File not found
    O20 - Winlogon\Notify\TPSvc: DllName - (TPSvc.dll) - File not found
    O37 - HKU\S-1-5-21-299502267-1563985344-1177238915-1005\...exe [@ = exefile] -- Reg Error: Key error. File not found
    O33 - MountPoints2\{96f5dd28-2b91-11e0-97eb-000b6a803f95}\Shell - "" = AutoRun
    O33 - MountPoints2\{96f5dd28-2b91-11e0-97eb-000b6a803f95}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{96f5dd28-2b91-11e0-97eb-000b6a803f95}\Shell\AutoRun\command - "" = F:\iStudio.exe
    O33 - MountPoints2\{fbd1c3cc-100d-11e0-97c1-0018e749ec82}\Shell - "" = AutoRun
    O33 - MountPoints2\{fbd1c3cc-100d-11e0-97c1-0018e749ec82}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{fbd1c3cc-100d-11e0-97c1-0018e749ec82}\Shell\AutoRun\command - "" = E:\LGAutoRun.exe
    FF - prefs.js..network.proxy.no_proxies_on: "*.local,localhost,127.0.0.1"
    [2012/01/06 01:03:45 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
    [2012/01/06 01:03:45 | 000,001,180 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
    [2012/01/06 01:03:45 | 000,001,135 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml
    [2012/01/04 00:11:03 | 000,000,897 | -H-- | M] () -- C:\Documents and Settings\Louise.USER-DA7A218BF9\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
    [2012/01/03 23:45:06 | 000,000,296 | -H-- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\123.exe
    [2012/01/03 23:45:05 | 000,000,200 | -H-- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\234.exe
    [2012/01/03 23:41:41 | 000,000,432 | -H-- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\345.exe
    [2012/01/03 23:39:57 | 000,355,206 | -H-- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\456.exe
    :Files
    ipconfig /flushdns /c
    :Commands
    [PURITY]
    [EMPTYTEMP]
    [emptyjava]
    [EMPTYFLASH]
    [RESETHOSTS]
    
  • Then click the Run Fix button at the top.
  • Click Posted Image.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and paste that report in your next reply.

Let me know how things are doing.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 drshadrack

drshadrack
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:06:21 PM

Posted 24 January 2012 - 04:32 PM

Log below after following your instructions. Browser redirect still occurring.

All processes killed
Error: Unable to interpret <FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found> in the current context!
Error: Unable to interpret <O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.> in the current context!
Error: Unable to interpret <O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html File not found> in the current context!
Error: Unable to interpret <O20 - Winlogon\Notify\TPSvc: DllName - (TPSvc.dll) - File not found> in the current context!
Error: Unable to interpret <O37 - HKU\S-1-5-21-299502267-1563985344-1177238915-1005\...exe [@ = exefile] -- Reg Error: Key error. File not found> in the current context!
Error: Unable to interpret < O33 - MountPoints2\{96f5dd28-2b91-11e0-97eb-000b6a803f95}\Shell - "" = AutoRun> in the current context!
Error: Unable to interpret <O33 - MountPoints2\{96f5dd28-2b91-11e0-97eb-000b6a803f95}\Shell\AutoRun - "" = Auto&Play> in the current context!
Error: Unable to interpret <O33 - MountPoints2\{96f5dd28-2b91-11e0-97eb-000b6a803f95}\Shell\AutoRun\command - "" = F:\iStudio.exe> in the current context!
Error: Unable to interpret <O33 - MountPoints2\{fbd1c3cc-100d-11e0-97c1-0018e749ec82}\Shell - "" = AutoRun> in the current context!
Error: Unable to interpret <O33 - MountPoints2\{fbd1c3cc-100d-11e0-97c1-0018e749ec82}\Shell\AutoRun - "" = Auto&Play> in the current context!
Error: Unable to interpret <O33 - MountPoints2\{fbd1c3cc-100d-11e0-97c1-0018e749ec82}\Shell\AutoRun\command - "" = E:\LGAutoRun.exe> in the current context!
Error: Unable to interpret <FF - prefs.js..network.proxy.no_proxies_on: "*.local,localhost,127.0.0.1"> in the current context!
Error: Unable to interpret <[2012/01/06 01:03:45 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml> in the current context!
Error: Unable to interpret <[2012/01/06 01:03:45 | 000,001,180 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml> in the current context!
Error: Unable to interpret <[2012/01/06 01:03:45 | 000,001,135 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml> in the current context!
Error: Unable to interpret <[2012/01/04 00:11:03 | 000,000,897 | -H-- | M] () -- C:\Documents and Settings\Louise.USER-DA7A218BF9\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk> in the current context!
Error: Unable to interpret <[2012/01/03 23:45:06 | 000,000,296 | -H-- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\123.exe> in the current context!
Error: Unable to interpret <[2012/01/03 23:45:05 | 000,000,200 | -H-- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\234.exe> in the current context!
Error: Unable to interpret <[2012/01/03 23:41:41 | 000,000,432 | -H-- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\345.exe> in the current context!
Error: Unable to interpret <[2012/01/03 23:39:57 | 000,355,206 | -H-- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\456.exe> in the current context!
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Louise.USER-DA7A218BF9\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Louise.USER-DA7A218BF9\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users.WINDOWS

User: Default User.WINDOWS
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56504 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 6831912 bytes
->Flash cache emptied: 300 bytes

User: LocalService.NT AUTHORITY
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Louise.USER-DA7A218BF9
->Temp folder emptied: 382914374 bytes
->Temporary Internet Files folder emptied: 132309094 bytes
->Java cache emptied: 7014136 bytes
->FireFox cache emptied: 6481802 bytes
->Apple Safari cache emptied: 281600 bytes
->Flash cache emptied: 552061 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 258342 bytes

User: NetworkService.NT AUTHORITY
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 2014312 bytes

User: Nick
->Temp folder emptied: 599926849 bytes
->Temporary Internet Files folder emptied: 343791361 bytes
->Java cache emptied: 59429705 bytes
->FireFox cache emptied: 43335675 bytes
->Flash cache emptied: 334615 bytes

User: Owner

User: user

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2402044 bytes
%systemroot%\System32 .tmp files removed: 4748339 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 142609865 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 190954660 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 319766745 bytes

Total Files Cleaned = 2,142.00 mb


[EMPTYJAVA]

User: All Users.WINDOWS

User: Default User.WINDOWS

User: LocalService

User: LocalService.NT AUTHORITY

User: Louise.USER-DA7A218BF9
->Java cache emptied: 0 bytes

User: NetworkService

User: NetworkService.NT AUTHORITY

User: Nick
->Java cache emptied: 0 bytes

User: Owner

User: user

Total Java Files Cleaned = 0.00 mb


[EMPTYFLASH]

User: All Users.WINDOWS

User: Default User.WINDOWS
->Flash cache emptied: 0 bytes

User: LocalService
->Flash cache emptied: 0 bytes

User: LocalService.NT AUTHORITY

User: Louise.USER-DA7A218BF9
->Flash cache emptied: 0 bytes

User: NetworkService

User: NetworkService.NT AUTHORITY

User: Nick
->Flash cache emptied: 0 bytes

User: Owner

User: user

Total Flash Files Cleaned = 0.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.31.0 log created on 01242012_211323

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:21 PM

Posted 24 January 2012 - 07:36 PM

Hello


I need you to rerun the script. When you go to copy the script, make sure you include :OTL, and also make sure to include the :

#13 drshadrack

drshadrack
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:06:21 PM

Posted 24 January 2012 - 08:44 PM

When I try that I get a pop-up saying "cannot create file C:\Documents and Settings\Louise.USER-DA7A218BF9\Application Data\Mozilla\Firefox\3u7uz4cq.default\prefs.js".

OTL then freezes.

#14 drshadrack

drshadrack
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:06:21 PM

Posted 24 January 2012 - 08:47 PM

Sorry, the correct path or address is

"C:\Documents and Settings\Louise.USER-DA7A218BF9\Application Data\Mozilla\Firefox\Profiles\3u7uz4cq.default\prefs.js".

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:21 PM

Posted 25 January 2012 - 08:11 AM

Hello

I have changed a few things in the script; see if it will run now.

Run this custom script, and when it is complete I need to know how the computer is doing.

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the Posted Image textbox. Do not include the word Code
    :OTL
    O33 - MountPoints2\{96f5dd28-2b91-11e0-97eb-000b6a803f95}\Shell - "" = AutoRun
    O33 - MountPoints2\{96f5dd28-2b91-11e0-97eb-000b6a803f95}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{96f5dd28-2b91-11e0-97eb-000b6a803f95}\Shell\AutoRun\command - "" = F:\iStudio.exe
    O33 - MountPoints2\{fbd1c3cc-100d-11e0-97c1-0018e749ec82}\Shell - "" = AutoRun
    O33 - MountPoints2\{fbd1c3cc-100d-11e0-97c1-0018e749ec82}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{fbd1c3cc-100d-11e0-97c1-0018e749ec82}\Shell\AutoRun\command - "" = E:\LGAutoRun.exe
    [2012/01/06 01:03:45 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
    [2012/01/06 01:03:45 | 000,001,180 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
    [2012/01/06 01:03:45 | 000,001,135 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml
    [2012/01/04 00:11:03 | 000,000,897 | -H-- | M] () -- C:\Documents and Settings\Louise.USER-DA7A218BF9\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
    [2012/01/03 23:45:06 | 000,000,296 | -H-- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\123.exe
    [2012/01/03 23:45:05 | 000,000,200 | -H-- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\234.exe
    [2012/01/03 23:41:41 | 000,000,432 | -H-- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\345.exe
    [2012/01/03 23:39:57 | 000,355,206 | -H-- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\456.exe
    :Files
    ipconfig /flushdns /c
    
    
  • Then click the Run Fix button at the top.
  • Click Posted Image.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and paste that report in your next reply.

Let me know how things are doing.

Gringo
