TechSpot

Read instructions -- but cannot access antivirus sites for step 1

Inactive
By Phil Ancell
Sep 30, 2012
  1. Hi guys

    Have read you fab instructions and compliment you on the work that you do.

    My university student daughter came home with her PC, a Windows Vista PC on which I had previously installed MSE as the antivirus and malware protector. This was working fine when I last looked at it a few months ago, and I had downloaded all the latest important updates from Microsoft.

    This weekend when she brought it home, however, I noticed that not only was MSE not present, but I couldn't access any of the mentioned antivirus sites, nor Microsoft.com, to remediate.

    I have read through the 5 steps you have provided, but I am not ready to go to step 2 until I can actually get an antivirus program operating, as you have suggested in Step 1.

    I saved all her important data to a new USB stick, noting that I cannot put it into any other PC in case it has a virus.

    If you could please advise what I should do re both the data and remediating the PC.

    Regards,
    Phil
     
  2. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    Welcome aboard

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ===================================

    Skip step 1 and complete as many steps as you can.
     
  3. Phil Ancell

    Phil Ancell TS Rookie Topic Starter Posts: 21

    Thanks Broni.
    I got through Steps 2 and 3 ok, but when I got to Step 4 to download DDS, I got "404. That's an error. The requested URL /sUBs/DDS.scr was not found on this server." for both links.
    I noticed download.bleeping.computer.com/sUBs/dds.com as one of the attempted links for the DDS.com link, and when trying DDS.pif, it went to forospyware.com/sUBS/ then changed to infospyware.com/utiles/dds - the site was in Spanish and gave a 404 message when I tried to download. If those mean anything to you.

    Anyway, here are the results to date:

    Step 1 - ignored as instructed

    Step 2 - Ran Malwarebytes as instructed and here is the log:
    Malwarebytes Anti-Malware (Trial) 1.65.0.1400
    www.malwarebytes.org
    Database version: v2012.09.30.06
    Windows Vista Service Pack 1 x86 NTFS
    Internet Explorer 8.0.6001.19088
    Alison :: ALISON-PC [administrator]
    Protection: Enabled
    1/10/2012 9:36:16 AM
    mbam-log-2012-10-01 (09-36-16).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 201905
    Time elapsed: 7 minute(s), 22 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 1
    C:\ProgramData\Windows\msdr.dll (Trojan.Sinowal) -> Delete on reboot.
    Registry Keys Detected: 2
    HKCR\CLSID\{F12BE2CC-A901-4203-B4F2-ADCB957D1887} (Trojan.Sinowal) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) -> Quarantined and deleted successfully.
    Registry Values Detected: 1
    HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Data: C:\Users\Alison\AppData\Local\{27785302-92ce-583f-e9a2-93c72cea99d8}\n. -> Quarantined and deleted successfully.
    Registry Data Items Detected: 2
    HKCR\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32| (Trojan.0Access) -> Bad: (C:\$Recycle.Bin\S-1-5-18\$2778530292ce583fe9a293c72cea99d8\n.) Good: (fastprox.dll) -> Quarantined and repaired successfully.
    HKCR\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\InProcServer32| (Trojan.0Access) -> Bad: (C:\$Recycle.Bin\S-1-5-21-3856432456-3556964881-2861625783-1003\$2778530292ce583fe9a293c72cea99d8\n.) Good: (shell32.dll) -> Quarantined and repaired successfully.
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 7
    C:\ProgramData\Windows\msdr.dll (Trojan.Sinowal) -> Quarantined and deleted successfully.
    C:\$Recycle.Bin\S-1-5-18\$2778530292ce583fe9a293c72cea99d8\n (Trojan.0Access) -> Delete on reboot.
    C:\$Recycle.Bin\S-1-5-21-3856432456-3556964881-2861625783-1003\$2778530292ce583fe9a293c72cea99d8\n (Trojan.0Access) -> Delete on reboot.
    C:\Users\Alison\AppData\Local\Temp\~!#7B1A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Users\Alison\AppData\Local\Temp\~!#89CC.tmp (Trojan.Lameshield) -> Quarantined and deleted successfully.
    C:\Users\Alison\AppData\Local\Temp\390A.tmp (Rootkit.0Access) -> Quarantined and deleted successfully.
    C:\Users\Alison\Local Settings\Application Data\ekmljjdxfr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    (end)
    I then rebooted as instructed, and proceeded with Step 3.

    Step 3
    On running GMER.exe, I got a message: "GMER Load Driver ("C:\Users\Alison\Appdata\Local\Temp\fgliqpoc.sys") error 0xC000010E. An instance of the service is already running."

    I pressed ok, and it proceeded to run anyway quickly scanning, and I was able to save a GMER.log file. On opening the file, it was empty.

    I then proceeded to look to see if I could find my antivirus, and re-enable the firewall in Control Panel, but got an error message: "Due to an unidentified problem Windows cannot display Windows Firewall Settings."

    Would be grateful if you could continue with your assistance.
    Many thanks, Phil
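The Malwarebytes log above is worth triaging mechanically before moving on, because two of its entries are not ordinary file detections: they are COM `InProcServer32` hijacks in which CLSIDs normally served by `fastprox.dll` and `shell32.dll` had been pointed at a file named `n` under `$Recycle.Bin` (or a `{GUID}` folder in the user's profile), and several items are only scheduled for deletion on reboot. The following Python script is an added example, not code from the thread or from Malwarebytes: it parses lines in this log format, pulls out the hijacked CLSID, the value Malwarebytes restored and the payload path, and counts what still needs a reboot. The sample log is constructed from lines of the log above; the line patterns and the `n`-under-`$Recycle.Bin`/`{GUID}` heuristic are my own assumptions about the format, not a Malwarebytes specification.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: detection lines reproduced from the Malwarebytes log above
# (one of each line shape the parser handles; section headers kept as they appear).
SAMPLE_LOG = r"""
Memory Modules Detected: 1
C:\ProgramData\Windows\msdr.dll (Trojan.Sinowal) -> Delete on reboot.
Registry Values Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Data: C:\Users\Alison\AppData\Local\{27785302-92ce-583f-e9a2-93c72cea99d8}\n. -> Quarantined and deleted successfully.
Registry Data Items Detected: 1
HKCR\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32| (Trojan.0Access) -> Bad: (C:\$Recycle.Bin\S-1-5-18\$2778530292ce583fe9a293c72cea99d8\n.) Good: (fastprox.dll) -> Quarantined and repaired successfully.
Files Detected: 2
C:\$Recycle.Bin\S-1-5-18\$2778530292ce583fe9a293c72cea99d8\n (Trojan.0Access) -> Delete on reboot.
C:\Users\Alison\AppData\Local\Temp\390A.tmp (Rootkit.0Access) -> Quarantined and deleted successfully.
"""

# "<item> (<family>) -> <rest>", where <rest> is a plain action, "Data: ... -> action"
# or "Bad: (...) Good: (...) -> action". Assumed from the log layout, not an MBAM spec.
DETECT_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[A-Za-z0-9.]+)\) -> (?P<rest>.+)$")
REPAIR_RE = re.compile(r"^Bad: \((?P<bad>.+?)\) Good: \((?P<good>.+?)\) -> (?P<action>.+)$")
DATA_RE = re.compile(r"^Data: (?P<data>.+?) -> (?P<action>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Finding:
    item: str                 # file path or registry key/value
    family: str               # MBAM detection name, e.g. Trojan.0Access
    action: str               # what MBAM did (or deferred to reboot)
    target: Optional[str]     # path the registry entry pointed at, if any
    good: Optional[str]       # legitimate value MBAM restored, if any

    @property
    def reboot_required(self) -> bool:
        return self.action.lower().startswith("delete on reboot")

    @property
    def com_hijack(self) -> bool:
        # InProcServer32 of a CLSID redirected to a malicious DLL
        return self.item.rstrip("|").lower().endswith("inprocserver32")

    @property
    def zeroaccess_style(self) -> bool:
        """Payload named just 'n' living under $Recycle.Bin or a {GUID} folder (heuristic)."""
        p = (self.target or self.item).rstrip(".")
        if p.split("\\")[-1].lower() != "n":
            return False
        return "$recycle.bin" in p.lower() or CLSID_RE.search(p) is not None


def _clsid(s: str) -> Optional[str]:
    m = CLSID_RE.search(s)
    return m.group(0) if m else None


def parse_log(text: str) -> list:
    """Turn MBAM detection lines into Finding objects; non-detection lines are skipped."""
    findings = []
    for raw in text.splitlines():
        m = DETECT_RE.match(raw.strip())
        if not m:
            continue
        item, family, rest = m.group("item"), m.group("family"), m.group("rest")
        target = good = None
        r, d = REPAIR_RE.match(rest), DATA_RE.match(rest)
        if r:
            target, good, action = r.group("bad"), r.group("good"), r.group("action")
        elif d:
            target, action = d.group("data"), d.group("action")
        else:
            action = rest
        findings.append(Finding(item, family, action, target, good))
    return findings


def summarize(findings: list) -> dict:
    """What an analyst wants at a glance: families, hijacked CLSIDs, pending reboot work."""
    return {
        "total": len(findings),
        "families": sorted({f.family for f in findings}),
        "reboot_required": [f.item for f in findings if f.reboot_required],
        "com_hijacks": [
            {"clsid": _clsid(f.item), "good": f.good, "target": f.target}
            for f in findings if f.com_hijack
        ],
        "zeroaccess_style": sum(1 for f in findings if f.zeroaccess_style),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

The "Delete on reboot" entries are the practical point: until the machine has actually been restarted, the in-memory module and the `$Recycle.Bin` payload are still present, which is why the thread's instructions insist on rebooting before the next scan.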
     
  4. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:

      • Startup Repair
      • System Restore
      • Windows Complete PC Restore
      • Windows Memory Diagnostic Tool
      • Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

    Next...

    Re-run FRST again.
    Type the following in the edit box after "Search:".

    services.exe

    Click Search button and post the log (Search.txt) it makes in your reply.

    I'll expect two logs:
    - FRST.txt
    - Search.txt
     
  5. Phil Ancell

    Phil Ancell TS Rookie Topic Starter Posts: 21

    Hi Broni

    Apologies, but on clicking on the 32-Bit Farbar Recovery Scan Tool link, it went to bleepingcomputer.com, said it was downloading the Farbar Tool, but then produced the 404 message:
    404.
    That’s an error.
    The requested URL /dl/37a3e74b2d15a41cf9f592e75c10b140/5069082c/windows/security/security-utilities/f/farbar-recovery-scan-tool/32/FRST.exe was not found on this server.
    That’s all we know.

    Cheers, Phil
     
  6. Broni

    Broni Malware Annihilator Posts: 47,986   +271

  7. Phil Ancell

    Phil Ancell TS Rookie Topic Starter Posts: 21

    Hi Broni.
    Yes I was able to download the FRST.exe from that site onto a USB Stick.

    The next step you have prescribed, I'm getting a bit anxious - I should be able to get into the advanced boot options via F8, but I do not have a Windows Vista Installation Disc. Is this going to be a problem?
    It is a Toshiba Satellite L300, and I thought it was supposed to have a restore partition - but the boot options are F2 for CMOS and F12 for Boot menu, which simply lists the sources for boot ie HDD, Floppy Drive, USB Memory, CD/DVD.

    Should I just go ahead and do the F8 option you stated regardless or am I going to run into trouble.

    Sorry!

    Phil
     
  8. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    Go ahead with F8 and let me know if you find described options.
    If not we'll use different way.
     
  9. Phil Ancell

    Phil Ancell TS Rookie Topic Starter Posts: 21

    Ok, I went ahead with F8 and selected the Repair your computer option.

    It then went into a screen saying, "Windows is loading files" - but it just sat there, no disk activity or any movement along the white bar at the bottom. I waited about 5 mins - should I have waited longer?
     
  10. Broni

    Broni Malware Annihilator Posts: 47,986   +271

  11. Phil Ancell

    Phil Ancell TS Rookie Topic Starter Posts: 21

    Ok, I followed the instructions there, downloaded the recdisk.exe, modified the permissions to Administrators full control on the old file in the System32 directory, successfully renamed it, copied the new file there, ran it from within that system32, and it prompted me to insert a disk - when I pressed ok, I got an Error Message:
    "The system cannot find the specified file. (0x80070002)"
     
     
  12. Phil Ancell

    Phil Ancell TS Rookie Topic Starter Posts: 21

    Broni I do have original disks of Windows XP Professional for my home PC - I am assuming this cannot be used on a Vista PC to run the Frst.exe tool in a DOS window?
     
  13. Phil Ancell

    Phil Ancell TS Rookie Topic Starter Posts: 21

    Hi Broni
    I know you must be rolling your eyes by now, and I apologise wholeheartedly for that. Thanks so much for your attention so far.

    I managed to download DDS.com onto another clean computer, and saved to DVD - do you want me to run Steps 2 - 4 again on the virus affected PC?

    I guess if this is looking like a lost cause, let me know, as my strategy is this:

    1. my prime concern is to get my daughter's data off the computer onto another so that she can continue her studies. I have copied all her valuable data to a USB stick, and labelled it "Virus", with enough to know that this USB will now most likely contain a trojan/rootkit virus. Can it be cleaned or made safe to put into another PC? Her data is mainly jpg's (she is a makeup artist), word docs, ppt's and .pub files. If not, can these files be uploaded to Skydrive for example, and transferred to another PC?

    2. obviously I would like to recover the affected PC as well, and if that means buying a new OS, then so be it - but I assume the PC needs to be made safe before doing that.

    If you could give me your thoughts, I'd greatly appreciate that. Once again apologies for this - I have tried to instill in my daughter the need to apply patches and keep the anti virus up to date - but I guess we often only learn after a disaster.

    Cheers,
    Phil
     
  14. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    Well, we still have a couple of tools we can use.

    Let's see, if we can look at your computer booting from an external source.

    Please download OTLPE (filesize 120.9 MB)

    • When downloaded, double-click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
    • Reboot your system using the boot CD you just created.
      • Note : If you do not know how to set your computer to boot from CD follow the steps here
    • Your system should now display a REATOGO-X-PE desktop.
    • Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
    • Double-click on the OTLPE icon.
    • When asked Do you wish to load the remote registry, select Yes
    • When asked Do you wish to load remote user profile(s) for scanning, select Yes
    • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
    • OTL should now start.
    • Press Run Scan to start the scan.
    • When finished, the file will be saved in drive C:\OTL.txt
    • Copy this file to your USB drive if you do not have internet connection on this system
    • Please post the contents of the OTL.txt file in your reply.
     
  15. Phil Ancell

    Phil Ancell TS Rookie Topic Starter Posts: 21

    Hi Broni
    Thanks so much for your attention to this - I'm back at work now :-( so there will be some delays (I'm in Adelaide and won't be able to try till I get home tonight in about 9 hrs) between replies, so apologise for that.

    Just so that I have this right - to create the Bootable CD with OTLPEN.exe, does this need to be done on the infected Vista PC? or can this be created on my clean PC, (which is W7), to then use on the Vista PC?
    Also, when I do copy the OTL.txt file to a USB drive, can I copy this to the likely infected USB or do I need to insert a clean one?
    Just want to ensure I'm doing the right thing.

    Cheers,
    Phil
     
  16. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    You can create that CD on any computer.

    To protect your clean computer...
    Install Panda USB Vaccine, or BitDefender's USB Immunizer, on the GOOD computer to protect it from any infected USB device.
    Then you can use any USB drive.
     
  17. Phil Ancell

    Phil Ancell TS Rookie Topic Starter Posts: 21

    Ok - just one more quick question before I get into trouble at work here - the likely infected USB that I have with my daughter's .docx, jpg's .pubs, .ppt's - will that be ok to transfer to the clean PC if I use the Panda USB Vaccine on the clean PC? or is that too risky?

    Cheers,
    Phil
     
  18. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    You have to scan all those files with an updated AV program right after inserting that stick into the clean computer.
    If nothing found you can transfer files.
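Broni's answer gives the right order of operations: scan the stick with a current AV before anything is copied off it. A cheap complementary check, added here as an example and not something from the thread, is to confirm that each file on the stick is what its extension claims. A data set that should contain only JPEGs, Word, PowerPoint and Publisher files has no reason to hold anything with an `MZ` (PE executable) header, a double extension such as `photo.jpg.exe`, or an `autorun.inf`. The signature table and blocked-extension list below are assumptions chosen for this kind of data set, and the demo tree it builds in a temporary directory is constructed.

```python
import os
import tempfile

OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # .doc/.ppt/.pub compound-file header
ZIP = b"PK\x03\x04"                          # .docx/.pptx/.xlsx are zip containers

# Expected leading bytes per extension (assumed allowlist for a documents-and-photos set)
EXPECTED_MAGIC = {
    "jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "pdf": (b"%PDF",),
    "docx": (ZIP,), "pptx": (ZIP,), "xlsx": (ZIP,),
    "doc": (OLE2,), "ppt": (OLE2,), "pub": (OLE2,), "xls": (OLE2,),
}
# Types that should never travel along with someone's coursework
BLOCKED_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "lnk", "dll", "sys"}


def classify(name: str, header: bytes):
    """Return (status, reason) for one file from its name and its first bytes."""
    lower = name.lower()
    if lower == "autorun.inf":
        return "blocked", "autorun.inf has no business in a document backup"
    parts = lower.split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in BLOCKED_EXT:
        reason = "executable or script extension"
        if len(parts) > 2:
            reason += " hidden behind a double extension"
        return "blocked", reason
    if header.startswith(b"MZ"):
        return "mismatch", "PE executable header behind a non-executable extension"
    magics = EXPECTED_MAGIC.get(ext)
    if magics is None:
        return "unknown", f"no signature rule for .{ext or '(none)'}"
    if any(header.startswith(m) for m in magics):
        return "ok", ""
    return "mismatch", f"content does not match the .{ext} signature"


def audit_directory(root: str) -> list:
    """Walk root, read the first 16 bytes of every file and classify it."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                header = fh.read(16)
            status, reason = classify(fn, header)
            results.append({"path": path, "status": status, "reason": reason})
    return results


# Constructed demo tree: realistic headers followed by filler; nothing here is runnable
DEMO_FILES = {
    "portrait.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
    "essay.docx": ZIP + b"\x14\x00\x06\x00" + b"\x00" * 32,
    "notes.pub": OLE2 + b"\x00" * 32,
    "flyer.pub": b"MZ\x90\x00\x03\x00" + b"\x00" * 32,   # executable renamed to .pub
    "photo.jpg.exe": b"MZ\x90\x00" + b"\x00" * 32,        # double extension
    "autorun.inf": b"[autorun]\r\n",
    "readme.txt": b"plain text",
}


def run_demo() -> dict:
    """Build the demo tree in a temp dir, audit it, return {file name: status}."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in DEMO_FILES.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return {os.path.basename(r["path"]): r["status"] for r in audit_directory(root)}


if __name__ == "__main__":
    for name, status in sorted(run_demo().items()):
        print(f"{status:9} {name}")
```

This is a filter, not a scanner: a document whose header matches can still carry a malicious macro or exploit, so the AV scan Broni asks for stays mandatory; the point of the check is to catch the renamed executables and autorun helpers that ride along with copied user data and that a quick visual look at the stick would miss.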
     
  19. Phil Ancell

    Phil Ancell TS Rookie Topic Starter Posts: 21

    Hi Broni

    I managed to do the above and produce the OTL.txt report displayed below.

    Just for info, with the instructions, when I double-clicked on OTLE icon, it executed and displayed a dialog asking for drive to browse. I selected C: - it gave error messages saying System was not W2000 or later, but finally when I selected C:\windows, the scanner program loaded.
    When it prompted however, it did not ask if I wished to load the remote registry, only asked do you wish to load remote user profile(s) which I responded yes ensuring all remaining profiles option was checked.

    Anyhow, here is the report:
    OTL logfile created on: 10/2/2012 8:32:50 PM - Run
    OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
    Windows Vista (TM) Home Premium Service Pack 1 (Version = 6.0.6001) - Type = System
    Internet Explorer (Version = 8.0.6001.19088)
    Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

    2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 86.00% Memory free
    2.00 Gb Paging File | 2.00 Gb Available in Paging File | 97.00% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 104.33 Gb Total Space | 46.82 Gb Free Space | 44.88% Space Free | Partition Type: NTFS
    Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

    Computer Name: REATOGO | User Name: SYSTEM
    Boot Mode: Normal | Scan Mode: All users
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
    Using ControlSet: ControlSet001

    ========== Win32 Services (SafeList) ==========

    SRV - [2012/09/07 03:34:46 | 000,676,936 | ---- | M] (Malwarebytes Corporation) [Auto] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
    SRV - [2012/09/07 03:34:46 | 000,399,432 | ---- | M] (Malwarebytes Corporation) [Auto] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
    SRV - [2012/05/10 00:46:50 | 000,129,976 | ---- | M] (Mozilla Foundation) [On_Demand] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
    SRV - [2012/03/14 08:27:33 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
    SRV - [2011/06/13 07:39:22 | 000,267,568 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Program Files\Microsoft Fix it Center\Matsvc.exe -- (MatSvc)
    SRV - [2008/04/06 18:47:30 | 000,430,592 | ---- | M] (Nokia.) [On_Demand] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
    SRV - [2008/01/21 02:24:46 | 000,083,312 | ---- | M] (TOSHIBA Corporation) [Auto] -- C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe -- (TNaviSrv)
    SRV - [2008/01/17 01:57:34 | 000,431,456 | ---- | M] (TOSHIBA Corporation) [Auto] -- C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe -- (TosCoSrv)
    SRV - [2007/12/25 17:07:14 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Auto] -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe -- (ConfigFree Service)
    SRV - [2007/12/03 02:33:52 | 000,126,976 | ---- | M] (TOSHIBA Corporation) [Auto] -- C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe -- (TOSHIBA SMART Log Service)
    SRV - [2007/11/21 21:23:32 | 000,129,632 | ---- | M] (TOSHIBA Corporation) [Auto] -- C:\Windows\System32\TODDSrv.exe -- (TODDSrv)
    SRV - [2007/10/29 10:05:40 | 000,937,984 | ---- | M] (Atheros Communications, Inc.) [On_Demand] -- C:\Program Files\Jumpstart\jswpsapi.exe -- (jswpsapi)
    SRV - [2006/10/05 00:10:12 | 000,009,216 | ---- | M] (Agere Systems) [Auto] -- C:\Windows\System32\agrsmsvc.exe -- (AgereModemAudio)
    SRV - [2006/08/23 02:09:48 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) [Auto] -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand] -- -- (NwlnkFwd)
    DRV - File not found [Kernel | On_Demand] -- -- (NwlnkFlt)
    DRV - File not found [Kernel | System] -- -- (mimyzlbo)
    DRV - File not found [Kernel | System] -- -- (khztokbd)
    DRV - File not found [Kernel | On_Demand] -- -- (IpInIp)
    DRV - File not found [Kernel | System] -- -- (ikvbbhiq)
    DRV - File not found [Kernel | System] -- -- (gglvftzk)
    DRV - [2012/09/07 03:34:46 | 000,022,856 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
    DRV - [2010/06/22 18:51:32 | 000,259,176 | ---- | M] (Realtek ) [Kernel | On_Demand] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
    DRV - [2009/05/10 19:34:34 | 000,036,608 | ---- | M] () [Kernel | On_Demand] -- C:\Windows\System32\FsUsbExDisk.Sys -- (FsUsbExDisk)
    DRV - [2009/04/27 18:14:56 | 000,104,960 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand] -- C:\Windows\System32\drivers\ZTEusbser6k.sys -- (ZTEusbser6k)
    DRV - [2009/04/27 18:14:54 | 000,105,344 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand] -- C:\Windows\System32\drivers\ZTEusbnmea.sys -- (ZTEusbnmea)
    DRV - [2009/04/27 18:14:42 | 000,104,960 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand] -- C:\Windows\System32\drivers\ZTEusbmdm6k.sys -- (ZTEusbmdm6k)
    DRV - [2009/04/27 18:14:34 | 000,009,728 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand] -- C:\Windows\System32\drivers\massfilter.sys -- (massfilter)
    DRV - [2008/07/28 14:35:04 | 000,919,552 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\athr.sys -- (athr)
    DRV - [2008/01/21 01:12:24 | 000,285,184 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot] -- C:\Windows\System32\drivers\tos_sps32.sys -- (tos_sps32)
    DRV - [2007/11/08 23:30:52 | 000,023,640 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot] -- C:\Windows\System32\drivers\TVALZ_O.SYS -- (TVALZ)
    DRV - [2007/09/17 01:23:26 | 000,021,632 | ---- | M] (Nokia) [Kernel | On_Demand] -- C:\Windows\System32\drivers\pccsmcfd.sys -- (pccsmcfd)
    DRV - [2007/08/31 03:13:32 | 000,020,352 | ---- | M] (Atheros Communications, Inc.) [Kernel | System] -- C:\Windows\System32\drivers\jswpslwf.sys -- (jswpslwf)
    DRV - [2006/11/28 03:11:00 | 001,161,888 | ---- | M] (Agere Systems) [Kernel | On_Demand] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)
    DRV - [2006/11/20 18:11:14 | 000,007,168 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\FwLnk.sys -- (FwLnk)
    DRV - [2006/10/18 15:50:04 | 000,016,128 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\tdcmdpst.sys -- (tdcmdpst)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\..\URLSearchHook: {3bbd3c14-4c16-4989-8366-95bc9179779d} - C:\Program Files\FLV_Runner\prxtbFLV_.dll (Conduit Ltd.)


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\Alison_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKU\Alison_ON_C\Software\Microsoft\Internet Explorer\Main,StartPageCache = 1
    IE - HKU\Alison_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\Alison_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local




    ========== FireFox ==========

    FF - prefs.js..browser.search.defaultenginename: "AVG Secure Search"
    FF - prefs.js..browser.search.defaultthis.engineName: "MakeMeBabies 2.0 Customized Web Search"
    FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3027459&SearchSource=3&q={searchTerms}"
    FF - prefs.js..browser.search.selectedEngine: "MakeMeBabies 2.0 Customized Web Search"
    FF - prefs.js..browser.startup.homepage: "http://search.conduit.com/?ctid=CT3027459&SearchSource=13"
    FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:10.0.0.1410
    FF - prefs.js..keyword.URL: "http://search.avg.com/?d=4d609352&I=23&tp=ab&nt=1&q="


    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\System32\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.3: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8117.0416: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/05/10 00:46:50 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/11/09 19:41:28 | 000,000,000 | ---D | M]
    FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{9E2C191D-C57A-11E1-8270-B8AC6F996F26}: C:\Users\Alison\AppData\Local\{9E2C191D-C57A-11E1-8270-B8AC6F996F26}\ [2012/07/03 21:50:24 | 000,000,000 | ---D | M]

    [2009/07/17 21:29:57 | 000,000,000 | -H-D | M] (No name found) -- C:\Users\Alison\AppData\Roaming\Mozilla\Extensions
    [2012/09/28 08:38:52 | 000,000,000 | -H-D | M] (No name found) -- C:\Users\Alison\AppData\Roaming\Mozilla\Firefox\Profiles\a12r84fu.default\extensions
    [2012/08/27 04:07:32 | 000,000,000 | ---D | M] (MakeMeBabies 2.0 Community Toolbar) -- C:\Users\Alison\AppData\Roaming\Mozilla\Firefox\Profiles\a12r84fu.default\extensions\{d4330680-c0ae-4226-8a21-0afe2fd1ac24}
    [2012/04/05 00:05:34 | 000,000,935 | ---- | M] () -- C:\Users\Alison\AppData\Roaming\Mozilla\Firefox\Profiles\a12r84fu.default\searchplugins\conduit.xml
    [2011/11/13 06:31:01 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    File not found (No name found) --
    [2012/07/03 21:50:24 | 000,000,000 | ---D | M] (Mozilla Safe Browsing) -- C:\USERS\ALISON\APPDATA\LOCAL\{9E2C191D-C57A-11E1-8270-B8AC6F996F26}
    () (No name found) -- C:\USERS\ALISON\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\A12R84FU.DEFAULT\EXTENSIONS\{C45C406E-AB73-11D8-BE73-000A95BE3B12}.XPI
    [2012/05/10 00:46:48 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
    [2012/05/10 00:46:41 | 000,001,525 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
    [2012/03/24 04:49:35 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
    [2012/05/10 00:46:41 | 000,000,935 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
    [2012/05/10 00:46:41 | 000,001,166 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
    [2012/05/10 00:46:50 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml
    [2012/05/10 00:46:41 | 000,001,121 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

    O1 HOSTS File: ([2006/09/18 17:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: ::1 localhost
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (FLV Runner Toolbar) - {3bbd3c14-4c16-4989-8366-95bc9179779d} - C:\Program Files\FLV_Runner\prxtbFLV_.dll (Conduit Ltd.)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (Sun Microsystems, Inc.)
    O3 - HKLM\..\Toolbar: (FLV Runner Toolbar) - {3bbd3c14-4c16-4989-8366-95bc9179779d} - C:\Program Files\FLV_Runner\prxtbFLV_.dll (Conduit Ltd.)
    O3 - HKU\Alison_ON_C\..\Toolbar\WebBrowser: (FLV Runner Toolbar) - {3BBD3C14-4C16-4989-8366-95BC9179779D} - C:\Program Files\FLV_Runner\prxtbFLV_.dll (Conduit Ltd.)
    O4 - HKLM..\Run: [] File not found
    O4 - HKLM..\Run: [00TCrdMain] C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe (TOSHIBA Corporation)
    O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
    O4 - HKLM..\Run: [autodetect] C:\Windows\System32\SupportAppXL\AutoDect.exe ()
    O4 - HKLM..\Run: [NDSTray.exe] File not found
    O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
    O4 - HKLM..\Run: [SmoothView] C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe (TOSHIBA Corporation)
    O4 - HKLM..\Run: [TPwrMain] C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe (TOSHIBA Corporation)
    O4 - HKU\Alison_ON_C..\Run: [Waafloete] C:\Users\Alison\AppData\Roaming\Ossa\vyod.exe ()
    O4 - HKU\LocalService_ON_C..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
    O4 - HKU\NetworkService_ON_C..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
    O4 - HKLM..\RunOnce: [AvgUninstallURL] C:\Windows\System32\cmd.exe (Microsoft Corporation)
    O4 - Startup: C:\Users\Alison\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = File not found
    O4 - Startup: C:\Users\Alison\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sidebar.lnk = File not found
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\Alison_ON_C\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\Alison_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\Alison_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoInternetOpenWith = 1
    O7 - HKU\LocalService_ON_C\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\NetworkService_ON_C\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\systemprofile_ON_C\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (Sun Microsystems, Inc.)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O13 - gopher Prefix: missing
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/downl...-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab (Checkers Class)
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab (UnoCtrl Class)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Java Plug-in 1.6.0_03)
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab (MessengerStatsClient Class)
    O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Java Plug-in 1.6.0_03)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Java Plug-in 1.6.0_03)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 203.12.160.35 203.12.160.36
    O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O24 - Desktop WallPaper:
    O24 - Desktop BackupWallPaper:
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
    O33 - MountPoints2\{262ac3aa-d4c5-11de-a9ba-001e3354005b}\Shell - "" = AutoRun
    O33 - MountPoints2\{262ac3aa-d4c5-11de-a9ba-001e3354005b}\Shell\AutoRun\command - "" = C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL E:\runMe.htm
    O33 - MountPoints2\{4537bbab-d24a-11dd-80e7-001e3354005b}\Shell - "" = AutoRun
    O33 - MountPoints2\{4537bbab-d24a-11dd-80e7-001e3354005b}\Shell\AutoRun\command - "" = D:\DPFMate.exe
    O33 - MountPoints2\{d659fae0-bc98-11df-abb6-9df7a1e37b3f}\Shell - "" = AutoRun
    O33 - MountPoints2\{d659fae0-bc98-11df-abb6-9df7a1e37b3f}\Shell\AutoRun\command - "" = "E:\WD SmartWare.exe" autoplay=true
    O33 - MountPoints2\{dc6de24a-9e94-11dd-88df-a75e1266564d}\Shell\AutoRun\command - "" = D:\CONFIG\S-1-5-21-1482476501-1644491937-682003330-1013\Cfg.exe
    O33 - MountPoints2\{dc6de24a-9e94-11dd-88df-a75e1266564d}\Shell\open\command - "" = D:\CONFIG\S-1-5-21-1482476501-1644491937-682003330-1013\Cfg.exe
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/10/01 03:48:39 | 000,905,740 | ---- | C] (Farbar) -- C:\Users\Alison\Desktop\FRST.exe
    [2012/10/01 03:48:39 | 000,607,260 | ---- | C] (Swearware) -- C:\Users\Alison\Desktop\dds.com
    [2012/10/01 03:48:31 | 010,524,080 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Alison\Desktop\mbam-setup-1.65.0.1400.exe
    [2012/10/01 03:48:04 | 000,000,000 | ---D | C] -- C:\Users\Alison\Desktop\Attempt1
    [2012/09/30 20:05:09 | 000,000,000 | ---D | C] -- C:\Users\Alison\AppData\Roaming\Malwarebytes
    [2012/09/30 20:04:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2012/09/30 20:04:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2012/09/30 20:04:43 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
    [2012/09/30 20:04:43 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2012/09/28 05:31:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
    [2012/09/28 05:30:24 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
    [2012/09/28 05:30:18 | 000,000,000 | ---D | C] -- C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
    [2012/09/28 05:23:18 | 000,000,000 | -HSD | C] -- C:\Config.Msi
    [2012/09/28 02:57:11 | 000,000,000 | ---D | C] -- C:\ProgramData\HP Photo Creations
    [2012/09/28 02:57:11 | 000,000,000 | ---D | C] -- C:\Program Files\HP Photo Creations
    [2012/09/28 02:56:01 | 000,000,000 | ---D | C] -- C:\Users\Alison\AppData\Roaming\HpUpdate
    [2012/09/28 02:55:46 | 000,544,616 | ---- | C] (Hewlett-Packard Co.) -- C:\Windows\System32\HPDiscoPMA611.dll
    [2012/09/28 02:55:44 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP
    [2012/09/28 02:53:23 | 000,000,000 | ---D | C] -- C:\ProgramData\HP
    [2012/09/28 02:52:57 | 000,000,000 | ---D | C] -- C:\Program Files\HP
    [2012/09/28 02:52:06 | 000,000,000 | ---D | C] -- C:\Users\Alison\AppData\Local\HP
    [2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/10/01 07:46:02 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2012/10/01 07:41:32 | 000,000,424 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{F286256D-BAC5-40C4-B58B-2459DA730926}.job
    [2012/10/01 07:32:33 | 000,003,344 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    [2012/10/01 07:32:33 | 000,003,344 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    [2012/10/01 07:31:01 | 000,000,258 | ---- | M] () -- C:\Windows\tasks\HP Photo Creations Messager.job
    [2012/10/01 03:34:51 | 000,905,740 | ---- | M] (Farbar) -- C:\Users\Alison\Desktop\FRST.exe
    [2012/10/01 03:32:37 | 000,607,260 | ---- | M] (Swearware) -- C:\Users\Alison\Desktop\dds.com
    [2012/10/01 03:31:40 | 000,302,592 | ---- | M] () -- C:\Users\Alison\Desktop\Gmerrbhhj6er.exe
    [2012/10/01 03:30:40 | 010,524,080 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Alison\Desktop\mbam-setup-1.65.0.1400.exe
    [2012/10/01 01:39:14 | 000,600,770 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2012/10/01 01:39:14 | 000,106,244 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2012/10/01 01:32:24 | 2136,969,216 | -HS- | M] () -- C:\hiberfil.sys
    [2012/10/01 00:26:40 | 000,192,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\recdisc.exe
    [2012/10/01 00:19:24 | 000,117,168 | ---- | M] () -- C:\Users\Alison\Desktop\recdisc_x86.zip
    [2012/09/30 21:47:31 | 000,002,311 | ---- | M] () -- C:\Users\Alison\Desktop\[Active] - Read Instructions - but cannot access antivirus sites for Step 1 - TechSpot Forums#post-1236488#post-1236488.url
    [2012/09/30 20:04:45 | 000,000,951 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/09/30 20:04:45 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2012/09/29 02:25:07 | 000,173,056 | ---- | M] () -- C:\Users\Alison\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2012/09/28 22:22:53 | 000,002,305 | ---- | M] () -- C:\Users\Alison\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Apple Safari.lnk
    [2012/09/28 21:51:03 | 000,002,651 | ---- | M] () -- C:\Users\Alison\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Word 2007.lnk
    [2012/09/28 05:31:47 | 000,001,709 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
    [2012/09/28 05:31:47 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
    [2012/09/28 05:24:33 | 000,001,854 | ---- | M] () -- C:\Users\Public\Desktop\Safari.lnk
    [2012/09/28 05:24:33 | 000,001,854 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Safari.lnk
    [2012/09/28 02:57:19 | 000,001,833 | ---- | M] () -- C:\Users\Public\Desktop\HP Photo Creations.lnk
    [2012/09/28 02:57:19 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP
    [2012/09/28 02:55:45 | 000,002,160 | ---- | M] () -- C:\Users\Public\Desktop\HP Photosmart 7510 series.lnk
    [2012/09/28 02:55:45 | 000,001,128 | ---- | M] () -- C:\Users\Public\Desktop\Shop for Supplies - HP Photosmart 7510 series.lnk
    [2012/09/28 02:55:44 | 000,001,795 | ---- | M] () -- C:\Users\Public\Desktop\HP ePrintCenter - HP Photosmart 7510 series.lnk
    [2012/09/28 02:52:47 | 000,000,057 | ---- | M] () -- C:\ProgramData\Ament.ini
    [2012/09/16 07:00:07 | 000,000,374 | ---- | M] () -- C:\Users\Alison\Desktop\Media Makeup Character Assignment.pdf - Shortcut.lnk
    [2012/09/10 21:38:36 | 001,063,607 | ---- | M] () -- C:\Users\Alison\Documents\Slim-Down-Meal-Plan.pdf
    [2012/09/07 03:34:46 | 000,022,856 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
    [2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2012/10/01 03:48:28 | 000,302,592 | ---- | C] () -- C:\Users\Alison\Desktop\Gmerrbhhj6er.exe
    [2012/10/01 00:18:59 | 000,117,168 | ---- | C] () -- C:\Users\Alison\Desktop\recdisc_x86.zip
    [2012/09/30 21:47:31 | 000,002,311 | ---- | C] () -- C:\Users\Alison\Desktop\[Active] - Read Instructions - but cannot access antivirus sites for Step 1 - TechSpot Forums#post-1236488#post-1236488.url
    [2012/09/30 20:04:45 | 000,000,951 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/09/28 05:31:47 | 000,001,709 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
    [2012/09/28 02:57:19 | 000,001,833 | ---- | C] () -- C:\Users\Public\Desktop\HP Photo Creations.lnk
    [2012/09/28 02:57:16 | 000,000,258 | ---- | C] () -- C:\Windows\tasks\HP Photo Creations Messager.job
    [2012/09/28 02:55:45 | 000,002,160 | ---- | C] () -- C:\Users\Public\Desktop\HP Photosmart 7510 series.lnk
    [2012/09/28 02:55:45 | 000,001,128 | ---- | C] () -- C:\Users\Public\Desktop\Shop for Supplies - HP Photosmart 7510 series.lnk
    [2012/09/28 02:55:44 | 000,001,795 | ---- | C] () -- C:\Users\Public\Desktop\HP ePrintCenter - HP Photosmart 7510 series.lnk
    [2012/09/28 02:52:47 | 000,000,057 | ---- | C] () -- C:\ProgramData\Ament.ini
    [2012/09/16 07:00:07 | 000,000,374 | ---- | C] () -- C:\Users\Alison\Desktop\Media Makeup Character Assignment.pdf - Shortcut.lnk
    [2012/09/10 21:38:36 | 001,063,607 | ---- | C] () -- C:\Users\Alison\Documents\Slim-Down-Meal-Plan.pdf
    [2012/06/05 02:07:34 | 000,000,041 | ---- | C] () -- C:\Users\Alison\AppData\Roaming\FEE514.dat
    [2012/04/02 02:14:17 | 000,000,256 | -H-- | C] () -- C:\ProgramData\HUp5kSreidwXln
    [2011/11/12 22:19:42 | 000,106,605 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
    [2011/11/12 22:19:42 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
    [2010/06/28 07:45:51 | 000,000,014 | ---- | C] () -- C:\Windows\System32\systeminfo.dll
    [2009/12/27 05:24:53 | 000,110,592 | ---- | C] () -- C:\Windows\System32\FsUsbExDevice.Dll
    [2009/12/27 05:24:53 | 000,036,608 | ---- | C] () -- C:\Windows\System32\FsUsbExDisk.Sys
    [2009/12/02 18:57:30 | 000,080,416 | ---- | C] () -- C:\Windows\System32\RtNicProp32.dll
    [2009/01/22 20:44:33 | 000,303,104 | ---- | C] () -- C:\Windows\System32\FXStudioDLL.dll
    [2009/01/22 20:44:24 | 000,131,072 | ---- | C] () -- C:\Windows\System32\RapBoxDSP.dll
    [2009/01/22 20:44:23 | 000,126,976 | ---- | C] () -- C:\Windows\System32\NewWaveAnzeige.dll
    [2009/01/22 20:44:23 | 000,045,056 | ---- | C] () -- C:\Windows\System32\fader.dll
    [2009/01/22 20:44:20 | 000,235,532 | ---- | C] () -- C:\Windows\System32\loadimage.dll
    [2009/01/22 20:44:20 | 000,081,920 | ---- | C] () -- C:\Windows\System32\eJ_Tool.dll
    [2009/01/22 20:44:10 | 000,307,200 | ---- | C] () -- C:\Windows\System32\fxstudio.dll
    [2009/01/22 20:44:10 | 000,075,976 | ---- | C] () -- C:\Windows\System32\Bassdec.dll
    [2009/01/22 20:44:10 | 000,032,768 | ---- | C] () -- C:\Windows\System32\WndRgn.dll
    [2009/01/22 20:44:05 | 000,360,448 | ---- | C] () -- C:\Windows\System32\pxd32d5.dll
    [2009/01/22 20:44:05 | 000,029,696 | ---- | C] () -- C:\Windows\System32\pthread.dll
    [2009/01/22 20:44:00 | 000,147,456 | ---- | C] () -- C:\Windows\System32\lttls13n.dll
    [2009/01/22 20:43:59 | 000,796,672 | ---- | C] () -- C:\Windows\System32\LTRTN13n.DLL
    [2009/01/22 20:43:44 | 000,708,608 | ---- | C] () -- C:\Windows\System32\ltcry13n.dll
    [2009/01/22 20:43:40 | 000,031,744 | ---- | C] () -- C:\Windows\System32\lfvec13n.dll
    [2009/01/22 20:43:35 | 000,118,784 | ---- | C] () -- C:\Windows\System32\lfkodak.dll
    [2009/01/22 20:43:31 | 000,338,944 | ---- | C] () -- C:\Windows\System32\lffpx7.dll
    [2008/10/21 07:19:35 | 000,024,206 | -H-- | C] () -- C:\Users\Alison\AppData\Roaming\UserTile.png
    [2008/10/21 07:10:43 | 000,173,056 | ---- | C] () -- C:\Users\Alison\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2008/10/18 00:26:42 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
    [2008/10/17 06:08:05 | 000,204,800 | ---- | C] () -- C:\Windows\System32\IVIresizeW7.dll
    [2008/10/17 06:08:05 | 000,200,704 | ---- | C] () -- C:\Windows\System32\IVIresizeA6.dll
    [2008/10/17 06:08:05 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeP6.dll
    [2008/10/17 06:08:05 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeM6.dll
    [2008/10/17 06:08:05 | 000,188,416 | ---- | C] () -- C:\Windows\System32\IVIresizePX.dll
    [2008/10/17 06:08:05 | 000,020,480 | ---- | C] () -- C:\Windows\System32\IVIresize.dll
    [2008/10/17 05:50:09 | 000,128,113 | ---- | C] () -- C:\Windows\System32\csellang.ini
    [2008/10/17 05:50:09 | 000,045,056 | ---- | C] () -- C:\Windows\System32\csellang.dll
    [2008/10/17 05:50:09 | 000,010,150 | ---- | C] () -- C:\Windows\System32\tosmreg.ini
    [2008/10/17 05:50:09 | 000,007,671 | ---- | C] () -- C:\Windows\System32\cseltbl.ini
    [2008/10/17 05:47:43 | 000,000,680 | -H-- | C] () -- C:\Users\Alison\AppData\Local\d3d9caps.dat
    [2008/02/11 20:10:35 | 000,000,000 | ---- | C] () -- C:\Windows\NDSTray.INI
    [2008/02/11 19:16:12 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
    [2008/02/11 19:05:13 | 001,238,832 | ---- | C] () -- C:\Windows\System32\igmedkrn.dll
    [2008/02/11 19:05:13 | 000,249,856 | ---- | C] () -- C:\Windows\System32\igfxTMM.dll
    [2008/02/11 19:05:13 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1329.dll
    [2008/02/11 19:05:13 | 000,104,636 | ---- | C] () -- C:\Windows\System32\igmedcompkrn.dll
    [2007/10/25 02:56:10 | 000,005,632 | ---- | C] () -- C:\Windows\System32\drivers\StarOpen.sys
    [2006/11/02 08:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
    [2006/11/02 08:47:37 | 001,740,464 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
    [2006/11/02 08:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
    [2006/11/02 06:33:01 | 000,600,770 | ---- | C] () -- C:\Windows\System32\perfh009.dat
    [2006/11/02 06:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
    [2006/11/02 06:33:01 | 000,106,244 | ---- | C] () -- C:\Windows\System32\perfc009.dat
    [2006/11/02 06:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
    [2006/11/02 06:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
    [2006/11/02 04:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
    [2006/11/02 04:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
    [2006/11/02 03:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
    [2006/11/02 03:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat

    ========== LOP Check ==========

    [2011/11/09 18:33:35 | 000,000,000 | -H-D | M] -- C:\Users\Alison\AppData\Roaming\AVG
    [2012/06/29 08:45:54 | 000,000,000 | ---D | M] -- C:\Users\Alison\AppData\Roaming\Caguah
    [2012/10/01 01:34:26 | 000,000,000 | ---D | M] -- C:\Users\Alison\AppData\Roaming\Dropbox
    [2012/06/27 07:56:41 | 000,000,000 | ---D | M] -- C:\Users\Alison\AppData\Roaming\Gely
    [2012/04/02 02:28:55 | 000,000,000 | ---D | M] -- C:\Users\Alison\AppData\Roaming\GetRightToGo
    [2012/06/16 23:10:07 | 000,000,000 | ---D | M] -- C:\Users\Alison\AppData\Roaming\Giyw
    [2012/07/15 21:03:22 | 000,000,000 | ---D | M] -- C:\Users\Alison\AppData\Roaming\Heesyx
    [2012/07/03 21:49:13 | 000,000,000 | ---D | M] -- C:\Users\Alison\AppData\Roaming\Idicw
    [2012/07/06 07:31:52 | 000,000,000 | ---D | M] -- C:\Users\Alison\AppData\Roaming\Izefw
    [2010/12/26 00:45:21 | 000,000,000 | ---D | M] -- C:\Users\Alison\AppData\Roaming\LimeWire
    [2012/07/31 08:47:04 | 000,000,000 | ---D | M] -- C:\Users\Alison\AppData\Roaming\Lite
    [2012/07/15 21:03:22 | 000,000,000 | ---D | M] -- C:\Users\Alison\AppData\Roaming\Ossa
    [2009/12/28 19:47:42 | 000,000,000 | -H-D | M] -- C:\Users\Alison\AppData\Roaming\PC Suite
    [2012/07/08 00:01:00 | 000,000,000 | ---D | M] -- C:\Users\Alison\AppData\Roaming\Qukun
    [2011/11/08 07:38:49 | 000,000,000 | -H-D | M] -- C:\Users\Alison\AppData\Roaming\Samsung
    [2008/10/24 07:51:57 | 000,000,000 | -H-D | M] -- C:\Users\Alison\AppData\Roaming\toshiba
    [2011/11/08 06:14:24 | 000,000,000 | -H-D | M] -- C:\Users\Alison\AppData\Roaming\Ulead Systems
    [2012/06/28 20:57:18 | 000,000,000 | ---D | M] -- C:\Users\Alison\AppData\Roaming\Vacy
    [2012/10/01 07:36:06 | 000,000,000 | ---D | M] -- C:\Users\Alison\AppData\Roaming\Yblys
    [2012/06/14 22:37:48 | 000,000,000 | ---D | M] -- C:\Users\Alison\AppData\Roaming\Ysf
    [2012/09/28 05:31:39 | 000,000,000 | ---D | M] -- C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
    [2011/11/16 06:58:46 | 000,000,000 | -H-D | M] -- C:\ProgramData\Aiseesoft Studio
    [2006/11/02 09:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Application Data
    [2011/11/12 00:26:04 | 000,000,000 | -H-D | M] -- C:\ProgramData\AVG10
    [2011/11/09 19:22:20 | 000,000,000 | -H-D | M] -- C:\ProgramData\BlazeVideo
    [2011/02/20 00:05:01 | 000,000,000 | -H-D | M] -- C:\ProgramData\Common Files
    [2006/11/02 09:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Desktop
    [2006/11/02 09:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Documents
    [2006/11/02 09:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Favorites
    [2011/11/12 00:22:56 | 000,000,000 | -H-D | M] -- C:\ProgramData\MFAData
    [2009/12/28 19:47:44 | 000,000,000 | -H-D | M] -- C:\ProgramData\PC Suite
    [2006/11/02 09:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Start Menu
    [2011/11/09 23:40:19 | 000,000,000 | ---D | M] -- C:\ProgramData\Temp
    [2006/11/02 09:02:04 | 000,000,000 | -HSD | M] -- C:\ProgramData\Templates
    [2008/10/17 06:04:44 | 000,000,000 | -H-D | M] -- C:\ProgramData\Toshiba
    [2012/04/02 02:27:51 | 000,000,000 | ---D | M] -- C:\ProgramData\Ulead Systems
    [2012/09/30 20:14:56 | 000,000,000 | ---D | M] -- C:\ProgramData\Windows
    [2009/08/28 03:36:35 | 000,000,000 | -H-D | M] -- C:\ProgramData\WindowsSearch
    [2010/05/28 03:38:14 | 000,000,000 | ---D | M] -- C:\ProgramData\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    [2011/11/09 17:54:53 | 000,000,000 | -H-D | M] -- C:\ProgramData\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}
    [2012/10/01 01:13:52 | 000,032,540 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
    [2012/10/01 07:41:32 | 000,000,424 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{F286256D-BAC5-40C4-B58B-2459DA730926}.job

    ========== Purity Check ==========



    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 22528 bytes -> C:\Windows\System32\autochk.exe:BAK
    @Alternate Data Stream - 131 bytes -> C:\ProgramData\Temp:0B4227B4
    < End of report >
     
  20. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    Do this on the computer you are posting from:
    Copy the text in the codebox below:


    Code:
    :OTL
    DRV - File not found [Kernel | System] -- -- (mimyzlbo)
    DRV - File not found [Kernel | System] -- -- (khztokbd)
    DRV - File not found [Kernel | System] -- -- (ikvbbhiq)
    DRV - File not found [Kernel | System] -- -- (gglvftzk)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O4 - HKLM..\Run: [] File not found
    O4 - HKU\Alison_ON_C..\Run: [Waafloete] C:\Users\Alison\AppData\Roaming\Ossa\vyod.exe ()
    O33 - MountPoints2\{262ac3aa-d4c5-11de-a9ba-001e3354005b}\Shell - "" = AutoRun
    O33 - MountPoints2\{262ac3aa-d4c5-11de-a9ba-001e3354005b}\Shell\AutoRun\command - "" = C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL E:\runMe.htm
    O33 - MountPoints2\{4537bbab-d24a-11dd-80e7-001e3354005b}\Shell - "" = AutoRun
    O33 - MountPoints2\{4537bbab-d24a-11dd-80e7-001e3354005b}\Shell\AutoRun\command - "" = D:\DPFMate.exe
    O33 - MountPoints2\{d659fae0-bc98-11df-abb6-9df7a1e37b3f}\Shell - "" = AutoRun
    O33 - MountPoints2\{d659fae0-bc98-11df-abb6-9df7a1e37b3f}\Shell\AutoRun\command - "" = "E:\WD SmartWare.exe" autoplay=true
    O33 - MountPoints2\{dc6de24a-9e94-11dd-88df-a75e1266564d}\Shell\AutoRun\command - "" = D:\CONFIG\S-1-5-21-1482476501-1644491937-682003330-1013\Cfg.exe
    O33 - MountPoints2\{dc6de24a-9e94-11dd-88df-a75e1266564d}\Shell\open\command - "" = D:\CONFIG\S-1-5-21-1482476501-1644491937-682003330-1013\Cfg.exe
    [2012/04/02 02:14:17 | 000,000,256 | -H-- | C] () -- C:\ProgramData\HUp5kSreidwXln
    [2012/06/16 23:10:07 | 000,000,000 | ---D | M] -- C:\Users\Alison\AppData\Roaming\Giyw
    [2012/07/15 21:03:22 | 000,000,000 | ---D | M] -- C:\Users\Alison\AppData\Roaming\Heesyx
    [2012/07/03 21:49:13 | 000,000,000 | ---D | M] -- C:\Users\Alison\AppData\Roaming\Idicw
    [2012/07/06 07:31:52 | 000,000,000 | ---D | M] -- C:\Users\Alison\AppData\Roaming\Izefw
    [2012/06/28 20:57:18 | 000,000,000 | ---D | M] -- C:\Users\Alison\AppData\Roaming\Vacy
    [2012/10/01 07:36:06 | 000,000,000 | ---D | M] -- C:\Users\Alison\AppData\Roaming\Yblys
    [2012/06/14 22:37:48 | 000,000,000 | ---D | M] -- C:\Users\Alison\AppData\Roaming\Ysf
    @Alternate Data Stream - 22528 bytes -> C:\Windows\System32\autochk.exe:BAK
    @Alternate Data Stream - 131 bytes -> C:\ProgramData\Temp:0B4227B4
    
    :Commands
    [purity]
    
    Open Notepad and paste it.
    Save the document as Fix.txt onto a USB flash drive


    On the infected computer the following...

    Run OTLPE

    • Insert USB stick and find the file Fix.txt. Drag the file Fix.txt and drop it under the Custom Scans/Fixes box at the bottom.
      • (The content of Fix.txt should appear in the box)
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post the log produced (you'll need to transfer it with USB stick)
    • Remove the CD and shut down computer manually.
    • Attempt to reboot normally into Windows.

    =====================================

    See if you can do the following...

    Create new restore point before proceeding with the next step....
    How to:
    - Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
    - Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
    - XP: http://support.microsoft.com/kb/948247

    ==================================

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
      If restarting doesn't help use restore point you created prior to running Combofix.
    • Double click on combofix.exe & follow the prompts.

    • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try the following...

    Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Download Rkill (courtesy of BleepingComputer.com) to your desktop.
    There are 2 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
    iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

    Restart computer in safe mode

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    When the scan is done Notepad will open with rKill.txt log.
    NOTE. rKill.txt log will also be present on your desktop.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.
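    The fix list above is built by reading the OTL log for a few recognisable entry types: kernel services whose file is gone and whose name looks machine-generated, a Run value launching an unsigned binary from AppData\Roaming, MountPoints2 AutoRun commands for removable media, and alternate data streams hung off system files. The script below is an added example for this thread, not part of OTL, OTLPE or ComboFix; it parses those four OTL line formats and flags them with the same reasoning, so a log like the one posted above can be triaged before a fix list is written. The sample lines are copied from the log in this thread except the AvgTdiX and Microsoft Security Client entries, which are constructed benign lines; the "random name" thresholds are this example's own heuristic.

```python
r"""Triage an OTL (OldTimer's) scan log for the persistence artifacts seen in this thread.

Added example for this thread; it is not part of OTL, OTLPE or ComboFix. It parses the
four OTL line formats that the fix script in the post above targets and flags:
  DRV - File not found ... (name)                  missing kernel service, generated name
  O4 - HKU\...\Run: [value] command (company)      autostart from AppData with no publisher
  O33 - MountPoints2\{guid}\Shell\<verb>\command   removable-media AutoRun command
  @Alternate Data Stream - N bytes -> path:stream  hidden NTFS stream
The thresholds in looks_random() are this example's own heuristic, not OTL's.
"""
import re
from dataclasses import dataclass

VOWELS = frozenset("aeiou")

# Line patterns, written against the OTL output quoted in this thread.
DRV_MISSING = re.compile(r"^DRV - File not found .*\((?P<name>[^)]+)\)$")
O4_RUN = re.compile(r"^O4 - (?P<hive>\S+?)\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.*?) \((?P<company>[^)]*)\)$")
O33_AUTORUN = re.compile(r'^O33 - MountPoints2\\\{(?P<guid>[^}]+)\}\\Shell\\(?P<verb>\w+)\\command - "" = (?P<cmd>.+)$')
ADS = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+):(?P<stream>[^:\\]+)$")


@dataclass(frozen=True)
class Finding:
    kind: str    # DRV, O4, O33 or ADS
    detail: str  # what was flagged: service name, command, stream
    line: str    # the raw OTL line, kept as evidence


def looks_random(name: str) -> bool:
    """Heuristic for generated service names like 'mimyzlbo' or 'gglvftzk': all
    lowercase, 6+ letters, and either vowel-poor or holding a 4+ consonant run.
    Mixed-case vendor names (MBAMProtector, AvgTdiX) never match."""
    if not re.fullmatch(r"[a-z]{6,}", name):
        return False
    vowel_ratio = sum(ch in VOWELS for ch in name) / len(name)
    longest_run = max((len(run) for run in re.findall(r"[^aeiou]+", name)), default=0)
    return vowel_ratio < 0.25 or longest_run >= 4


def triage(log_text: str) -> list[Finding]:
    """Return the suspicious entries in an OTL log, in file order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := DRV_MISSING.match(line):
            if looks_random(m["name"]):
                findings.append(Finding("DRV", m["name"], line))
        elif m := O4_RUN.match(line):
            # Autostart launched from the user's profile with no company name on the binary.
            if "\\appdata\\" in m["cmd"].lower() and not m["company"].strip():
                findings.append(Finding("O4", f'{m["value"]} -> {m["cmd"]}', line))
        elif m := O33_AUTORUN.match(line):
            # Any command wired to a removable-media verb is reviewed; the ones in this
            # thread launch a helper from D: or E: the moment the device is inserted.
            findings.append(Finding("O33", f'{m["verb"]}: {m["cmd"]}', line))
        elif m := ADS.match(line):
            # A stream hung off a system binary (autochk.exe:BAK) is a classic rootkit stash.
            findings.append(Finding("ADS", f'{m["path"]}:{m["stream"]} ({m["size"]} bytes)', line))
    return findings


# Constructed sample: lines copied from the OTL log in this thread, plus two benign
# entries (AvgTdiX, the Microsoft Security Client Run value) added so the filters
# have something to pass.
SAMPLE_LOG = r"""
DRV - File not found [Kernel | System] -- -- (mimyzlbo)
DRV - File not found [Kernel | System] -- -- (khztokbd)
DRV - File not found [Kernel | System] -- -- (ikvbbhiq)
DRV - File not found [Kernel | System] -- -- (gglvftzk)
DRV - File not found [Kernel | On_Demand] -- -- (AvgTdiX)
O4 - HKU\Alison_ON_C..\Run: [Waafloete] C:\Users\Alison\AppData\Roaming\Ossa\vyod.exe ()
O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O33 - MountPoints2\{262ac3aa-d4c5-11de-a9ba-001e3354005b}\Shell - "" = AutoRun
O33 - MountPoints2\{262ac3aa-d4c5-11de-a9ba-001e3354005b}\Shell\AutoRun\command - "" = C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL E:\runMe.htm
O33 - MountPoints2\{4537bbab-d24a-11dd-80e7-001e3354005b}\Shell\AutoRun\command - "" = D:\DPFMate.exe
@Alternate Data Stream - 22528 bytes -> C:\Windows\System32\autochk.exe:BAK
@Alternate Data Stream - 131 bytes -> C:\ProgramData\Temp:0B4227B4
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:4} {f.detail}")
```

    Run against the sample it reports the four random-named drivers, the Waafloete Run value, both AutoRun commands and both streams, and stays quiet on the AvgTdiX leftover and the MSE autostart; the O33 rule deliberately flags every removable-media command, because which of them are vendor autoplay helpers and which are a worm's runMe.htm is a judgement the analyst, not the regex, has to make.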
     
  21. Phil Ancell

    Phil Ancell TS Rookie Topic Starter Posts: 21

    Hi Broni

    I was able to run OTLPE with the Fix.txt file and here is the log file output:

    ========== OTL ==========
    Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mimyzlbo deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\khztokbd deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ikvbbhiq deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gglvftzk deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
    Registry key HKEY_USERS\Alison_ON_C\Software\Microsoft\Windows\CurrentVersion\Run not found.
    C:\Users\Alison\AppData\Roaming\Ossa\vyod.exe moved successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{262ac3aa-d4c5-11de-a9ba-001e3354005b}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{262ac3aa-d4c5-11de-a9ba-001e3354005b}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{262ac3aa-d4c5-11de-a9ba-001e3354005b}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{262ac3aa-d4c5-11de-a9ba-001e3354005b}\ not found.
    File C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL E:\runMe.htm not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4537bbab-d24a-11dd-80e7-001e3354005b}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4537bbab-d24a-11dd-80e7-001e3354005b}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4537bbab-d24a-11dd-80e7-001e3354005b}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4537bbab-d24a-11dd-80e7-001e3354005b}\ not found.
    File D:\DPFMate.exe not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d659fae0-bc98-11df-abb6-9df7a1e37b3f}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d659fae0-bc98-11df-abb6-9df7a1e37b3f}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d659fae0-bc98-11df-abb6-9df7a1e37b3f}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d659fae0-bc98-11df-abb6-9df7a1e37b3f}\ not found.
    File "E:\WD SmartWare.exe" autoplay=true not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{dc6de24a-9e94-11dd-88df-a75e1266564d}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{dc6de24a-9e94-11dd-88df-a75e1266564d}\ not found.
    File D:\CONFIG\S-1-5-21-1482476501-1644491937-682003330-1013\Cfg.exe not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{dc6de24a-9e94-11dd-88df-a75e1266564d}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{dc6de24a-9e94-11dd-88df-a75e1266564d}\ not found.
    File D:\CONFIG\S-1-5-21-1482476501-1644491937-682003330-1013\Cfg.exe not found.
    C:\ProgramData\HUp5kSreidwXln moved successfully.
    C:\Users\Alison\AppData\Roaming\Giyw folder moved successfully.
    C:\Users\Alison\AppData\Roaming\Heesyx folder moved successfully.
    C:\Users\Alison\AppData\Roaming\Idicw folder moved successfully.
    C:\Users\Alison\AppData\Roaming\Izefw folder moved successfully.
    C:\Users\Alison\AppData\Roaming\Vacy folder moved successfully.
    C:\Users\Alison\AppData\Roaming\Yblys folder moved successfully.
    C:\Users\Alison\AppData\Roaming\Ysf folder moved successfully.
    ADS C:\Windows\System32\autochk.exe:BAK deleted successfully.
    ADS C:\ProgramData\Temp:0B4227B4 deleted successfully.
    ========== COMMANDS ==========

    OTLPE by OldTimer - Version 3.1.48.0 log created on 10042012_004805


    I was successfully able to create a restore point.

    When I ran ComboFix.exe, it took about an hour to run, completing 50 stages, before it started to list files for deletion.

    These were files I noticed in the C:\ProgramData directory, and then the directory itself, a C:\Windows\System32\pt directory, and a couple of files elsewhere, which I have now forgotten.

    It then started preparing the log file, and was completing that, until it blue-screened, rebooted, and ComboFix ran again, until once more it blue-screened, wrote dumps and rebooted. On rebooting the 2nd time, ComboFix did not run, with the PC booting normally.

    Consequently, this is the only output of the C:\combofix\combofix.txt file:

    ComboFix 12-10-03.02 - Alison 04/10/2012 2:39:08.1.1 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.61.1033.18.2037.1010 [GMT 9.5:30]
    Running from: C:\Users\Alison\Desktop\ComboFix.exe
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    On the bright side,

    On rebooting this time, I noticed the Windows Update operating for the first time.

    Windows Firewall is now operating again also.

    Should I now download and install something like MSE, as I still have no antivirus operating other than the Malwarebytes product?

    What do I need to do to get a more complete Combofix log?
     
  22. Phil Ancell

    Phil Ancell TS Rookie Topic Starter Posts: 21

    As an addendum, I rebooted again after re-enabling Malwarebytes, and this time I noticed that Windows Defender is now working, but out of date as well.

    Should I update? Awaiting your instructions in light of all the above.

    Cheers, Phil
     
  23. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    Don't worry about WD, at least for now.
    It's a totally useless tool anyway.

    ================================

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

    ================================

    • Download RogueKiller to the desktop
    • Close all the running programs
    • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If more than one log is produced post all logs.
    • If RogueKiller has been blocked, do not hesitate to try a few more times. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again

    ==============================

    Download Malwarebytes' Anti-Malware (MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
    Alternate download: http://www.filehippo.com/download_malwarebytes_anti_malware/
    NOTE. If you already have MBAM installed, update it before running the scan.

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    Be sure to restart the computer IF MBAM asks you to do so.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    ==================================

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
     
  24. Phil Ancell

    Phil Ancell TS Rookie Topic Starter Posts: 21

    Hi Broni

    I downloaded and unzipped the TDSSKiller program and executed, but the screen just flashed and nothing more happened, even after waiting 20 mins. I searched for TDSS* files on the C: drive but no txt file was to be found.

    I did then run RogueKiller as specified, and below are the contents of the report. I didn't go any further with the next step just in case, given the failure of TDSSKiller. Please advise, many thanks.

    RogueKiller V8.1.1 [10/03/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website: http://tigzy.geekstogo.com/roguekiller.php
    Blog: http://tigzyrk.blogspot.com

    Operating System: Windows Vista (6.0.6001 Service Pack 1) 32 bits version
    Started in : Normal mode
    User : Alison [Admin rights]
    Mode : Remove -- Date : 10/05/2012 00:33:55

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 5 ¤¤¤
    [RUN][SUSP PATH] HKCU\[...]\Run : Waafloete (C:\Users\Alison\AppData\Roaming\Ossa\vyod.exe) -> DELETED
    [TASK][BLPATH] HPCustParticipation HP Photosmart 7510 series : "C:\Program Files\HP\HP Photosmart 7510 series\Bin\HPCustPartic.exe" /UA 9.5 /DDV 0x1005 -> DELETED
    [HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

    ¤¤¤ Particular Files / Folders: ¤¤¤
    [ZeroAccess][FILE] @ : C:\Users\Alison\AppData\Local\{27785302-92ce-583f-e9a2-93c72cea99d8}\@ --> REMOVED
    [Del.Parent][FILE] 00000001.@ : C:\Users\Alison\AppData\Local\{27785302-92ce-583f-e9a2-93c72cea99d8}\U\00000001.@ --> REMOVED
    [Del.Parent][FILE] 80000000.@ : C:\Users\Alison\AppData\Local\{27785302-92ce-583f-e9a2-93c72cea99d8}\U\80000000.@ --> REMOVED
    [ZeroAccess][FOLDER] ROOT : C:\Users\Alison\AppData\Local\{27785302-92ce-583f-e9a2-93c72cea99d8}\U --> REMOVED
    [ZeroAccess][FOLDER] ROOT : C:\Users\Alison\AppData\Local\{27785302-92ce-583f-e9a2-93c72cea99d8}\L --> REMOVED
    [ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-18\$2778530292ce583fe9a293c72cea99d8\@ --> REMOVED
    [Del.Parent][FILE] 80000000.@ : C:\$recycle.bin\S-1-5-18\$2778530292ce583fe9a293c72cea99d8\U\80000000.@ --> REMOVED
    [Del.Parent][FILE] 800000cb.@ : C:\$recycle.bin\S-1-5-18\$2778530292ce583fe9a293c72cea99d8\U\800000cb.@ --> REMOVED
    [ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-18\$2778530292ce583fe9a293c72cea99d8\U --> REMOVED
    [ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-18\$2778530292ce583fe9a293c72cea99d8\L --> REMOVED

    ¤¤¤ Driver : [LOADED] ¤¤¤

    ¤¤¤ Infection : ZeroAccess|Root.MBR ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts

    127.0.0.1 localhost


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: WDC WD1200BEVS-26UST0 +++++
    --- User ---
    [MBR] 81137687323a89604b05f0cbcdd936d4
    [BSP] 0508d4ad4490bc101f66d69920798d72 : Windows Vista MBR Code
    Partition table:
    0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
    1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 106831 Mo
    2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 221863936 | Size: 6133 Mo
    User != LL1 ... KO!
    --- LL1 ---
    [MBR] 3b08e0f2e9c7679c842336d62cc4b557
    [BSP] 0508d4ad4490bc101f66d69920798d72 : Windows Vista MBR Code [possible maxSST in 3!]
    Partition table:
    0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 106831 Mo
    2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 221863936 | Size: 6133 Mo
    3 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 234424320 | Size: 8 Mo
    User != LL2 ... KO!
    --- LL2 ---
    [MBR] 3b08e0f2e9c7679c842336d62cc4b557
    [BSP] 0508d4ad4490bc101f66d69920798d72 : Windows Vista MBR Code [possible maxSST in 3!]
    Partition table:
    0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 106831 Mo
    2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 221863936 | Size: 6133 Mo
    3 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 234424320 | Size: 8 Mo

    Finished : << RKreport[2].txt >>
    RKreport[1].txt ; RKreport[2].txt
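    The RogueKiller report above carries the three indicators a responder would want pulled out before deciding what to do next: an autorun pointing into a randomly named AppData\Roaming folder, the ZeroAccess drop folders (a GUID folder under AppData\Local and a $-prefixed folder in the SYSTEM recycle bin, each with `@` files and `U`/`L` subfolders), and an MBR whose user-mode read ("User") disagrees with the low-level reads ("LL1"/"LL2"), where the raw read also exposes a hidden 8 MB active partition. The following Python script, added here as an example and not code from the thread, from RogueKiller or from its author, parses that report layout and summarises those findings. It assumes the section headers, entry format and MBR Check layout visible in the posted log; SAMPLE_REPORT is a constructed excerpt assembled from the posted lines.

```python
"""Summarise rootkit indicators from a RogueKiller text report.

Added example; not code from the thread, RogueKiller or its author. Assumes the
report layout seen in the post: '¤¤¤ Section ¤¤¤' headers, '[TAG][TAG] name ->
ACTION' entries, and an 'MBR Check' section with '--- User ---' / '--- LL1 ---'
blocks each carrying an '[MBR] <md5>' line and a partition table.
"""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^¤¤¤\s*(.+?)\s*¤¤¤$")
ENTRY_RE = re.compile(r"^((?:\[[^\]]+\])+)\s*(.*?)\s*-+>\s*(\S.*)$")
VIEW_RE = re.compile(r"^---\s*(\S+)\s*---$")
MBR_RE = re.compile(r"^\[MBR\]\s*([0-9a-f]{32})$")
PART_RE = re.compile(r"^(\d+) - \[(\w+)\] .*?\[(VISIBLE|HIDDEN!)\] "
                     r"Offset \(sectors\): (\d+) \| Size: (\d+) Mo$")
MISMATCH_RE = re.compile(r"^User != (\S+) \.\.\. KO!$")
# Drop-folder shapes used by the ZeroAccess files in the report: a GUID-named
# folder under AppData\Local, or a '$'+32-hex folder in the SYSTEM recycle bin.
ZA_DIR_RE = re.compile(r"(AppData\\Local\\\{[0-9a-f-]{36}\}"
                       r"|\$recycle\.bin\\S-1-5-18\\\$[0-9a-f]{32})\\", re.I)


def parse_report(text):
    """Split the report into per-section entries, per-view MBR data, and the
    views RogueKiller itself flagged as disagreeing with the user-mode read."""
    rep = {"entries": defaultdict(list), "mbr": {}, "parts": defaultdict(list),
           "mismatches": [], "infection": None}
    section = view = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            name, _, value = m.group(1).partition(":")
            section, view = name.strip(), None
            if section == "Infection":
                rep["infection"] = value.strip()
        elif m := VIEW_RE.match(line):
            view = m.group(1)  # User (API read) vs LL1/LL2 (low-level disk read)
        elif m := ENTRY_RE.match(line):
            tags = re.findall(r"\[([^\]]+)\]", m.group(1))
            rep["entries"][section].append((tags, m.group(2), m.group(3)))
        elif m := MISMATCH_RE.match(line):
            rep["mismatches"].append(m.group(1))
        elif view and (m := MBR_RE.match(line)):
            rep["mbr"][view] = m.group(1)
        elif view and (m := PART_RE.match(line)):
            idx, flag, vis, off, size = m.groups()
            rep["parts"][view].append((int(idx), flag, vis, int(off), int(size)))
    return rep


def assess(rep):
    """Turn the parsed report into the findings a responder would act on."""
    user_offsets = {p[3] for p in rep["parts"].get("User", [])}
    low_level_only = sorted({p for v, ps in rep["parts"].items() if v != "User"
                             for p in ps if p[3] not in user_offsets})
    za_dirs, autoruns = set(), []
    for sec, entries in rep["entries"].items():
        for tags, name, _action in entries:
            if m := ZA_DIR_RE.search(name):
                za_dirs.add(m.group(1))
            if sec == "Registry Entries" and "SUSP PATH" in tags:
                autoruns.append(name)
    return {
        "infection": rep["infection"],
        # A hash that differs between the API read and the raw read means
        # something in the I/O path is filtering what Windows sees of sector 0.
        "mbr_disagrees": bool(rep["mismatches"]) or len(set(rep["mbr"].values())) > 1,
        "hidden_active_partitions": [p for p in low_level_only
                                     if p[1] == "ACTIVE" and p[2] == "HIDDEN!"],
        "suspicious_autoruns": autoruns,
        "zeroaccess_dirs": sorted(za_dirs),
    }


# Constructed excerpt of the posted report (same lines, trimmed for length).
SAMPLE_REPORT = r"""
¤¤¤ Registry Entries : 2 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Waafloete (C:\Users\Alison\AppData\Roaming\Ossa\vyod.exe) -> DELETED
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : C:\Users\Alison\AppData\Local\{27785302-92ce-583f-e9a2-93c72cea99d8}\@ --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\Users\Alison\AppData\Local\{27785302-92ce-583f-e9a2-93c72cea99d8}\U --> REMOVED
[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-18\$2778530292ce583fe9a293c72cea99d8\@ --> REMOVED

¤¤¤ Infection : ZeroAccess|Root.MBR ¤¤¤

¤¤¤ MBR Check: ¤¤¤
--- User ---
[MBR] 81137687323a89604b05f0cbcdd936d4
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 106831 Mo
User != LL1 ... KO!
--- LL1 ---
[MBR] 3b08e0f2e9c7679c842336d62cc4b557
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 106831 Mo
3 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 234424320 | Size: 8 Mo
"""

if __name__ == "__main__":
    for key, val in assess(parse_report(SAMPLE_REPORT)).items():
        print(f"{key}: {val}")
```

    The useful output is the combination, not any single line: a user/low-level MBR disagreement on its own could be a benign disk filter, but together with an active hidden partition that only the raw read shows and a ZeroAccess file drop, it explains why user-mode tools (MSE, Windows Update, the antivirus sites) were being blocked and why an MBR-level tool like TDSSKiller or aswMBR is the next step rather than another file scanner.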
     
  25. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    See if TDSSKiller will run now.
    You can try safe mode as well.
     

