also @ TechSpot: Yahoo redesigns Flickr, adds 1 terabyte of free storage and more

Win64/Patched.A infecting Widows\System32\services.exe

Discussion in 'Virus and Malware Removal' started by Holden75, Oct 27, 2012.

Page 2 of 3

  1. Holden75 Newcomer, in training Posts: 36

    ActiveX:64bit: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 12.0
    ActiveX:64bit: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /I:/UserInstall %SystemRoot%\system32\themeui.dll
    ActiveX:64bit: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
    ActiveX:64bit: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
    ActiveX:64bit: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
    ActiveX:64bit: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
    ActiveX:64bit: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
    ActiveX:64bit: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
    ActiveX:64bit: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
    ActiveX:64bit: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
    ActiveX:64bit: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
    ActiveX:64bit: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
    ActiveX:64bit: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /I:U shell32.dll
    ActiveX:64bit: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\System32\ie4uinit.exe -BaseSettings
    ActiveX:64bit: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install
    ActiveX:64bit: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
    ActiveX:64bit: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
    ActiveX:64bit: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
    ActiveX:64bit: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
    ActiveX:64bit: {F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4} - .NET Framework
    ActiveX:64bit: {FEBEF00C-046D-438D-8A88-BF94A6C9E703} - .NET Framework
    ActiveX:64bit: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - %SystemRoot%\system32\unregmp2.exe /ShowWMP
    ActiveX:64bit: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\System32\ie4uinit.exe -UserIconConfig
    ActiveX:64bit: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
    ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 12.0
    ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /I:/UserInstall %SystemRoot%\system32\themeui.dll
    ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
    ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles(x86)%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
    ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
    ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
    ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
    ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
    ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
    ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
    ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
    ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
    ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework
    ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /I:U shell32.dll
    ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\SysWOW64\ie4uinit.exe -BaseSettings
    ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\mscories.dll,Install
    ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
    ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
    ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
    ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
    ActiveX: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - Reg Error: Value error.
    ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
    ActiveX: {F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4} - .NET Framework
    ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - %SystemRoot%\system32\unregmp2.exe /ShowWMP
    ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\SysWOW64\ie4uinit.exe -UserIconConfig
    ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\iedkcs32.dll",BrandIEActiveSetup SIGNUP

    Drivers32:64bit: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.ac3acm - C:\Windows\SysWow64\ac3acm.acm (fccHandler)
    Drivers32: msacm.l3acm - C:\Windows\SysWOW64\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.l3fhg - C:\Windows\SysWow64\mp3fhg.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: vidc.cvid - C:\Windows\SysWow64\iccvid.dll (Radius Inc.)
    Drivers32: VIDC.FFDS - C:\Windows\SysWow64\ff_vfw.dll ()
    Drivers32: vidc.VSPX - C:\Windows\SysWow64\vspxvfw.dll ()
    Drivers32: VIDC.XVID - C:\Windows\SysWow64\xvidvfw.dll ()
    Drivers32: VIDC.YV12 - C:\Windows\SysWow64\yv12vfw.dll (www.helixcommunity.org)


    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/11/01 19:05:24 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Sean\Desktop\OTL.exe
    [2012/11/01 07:41:37 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2012/11/01 07:27:45 | 000,000,000 | ---D | C] -- C:\Users\Sean\AppData\Local\{32A6D155-5C59-4FDB-B90F-0658EBDC85E1}
    [2012/10/31 23:25:34 | 036,673,312 | ---- | C] (Microsoft Corporation) -- C:\Users\Sean\Documents\USMoneyBizSunset.exe
    [2012/10/30 23:20:29 | 000,000,000 | ---D | C] -- C:\Users\Sean\AppData\Local\{C227883A-96A3-4C96-B57E-997938EFA40C}
    [2012/10/30 19:04:45 | 000,000,000 | ---D | C] -- C:\Users\Sean\Desktop\RK_Quarantine
    [2012/10/29 16:16:29 | 000,000,000 | ---D | C] -- C:\Users\Sean\AppData\Roaming\AVG
    [2012/10/29 16:15:10 | 000,000,000 | ---D | C] -- C:\ProgramData\AVG
    [2012/10/29 16:14:59 | 000,000,000 | --SD | C] -- C:\ProgramData\{D1D4879F-2279-49C9-AEBF-3B95C84EAA8F}
    [2012/10/29 15:24:47 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\TsUsbRedirectionGroupPolicyExtension.dll
    [2012/10/29 15:24:47 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\TsUsbRedirectionGroupPolicyControl.exe
    [2012/10/29 15:24:46 | 000,015,360 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\RdpGroupPolicyExtension.dll
    [2012/10/29 15:24:45 | 000,057,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\TsUsbFlt.sys
    [2012/10/29 15:24:45 | 000,019,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\rdpvideominiport.sys
    [2012/10/29 15:24:41 | 000,192,000 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\rdpendp_winip.dll
    [2012/10/29 15:24:41 | 000,044,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\tsgqec.dll
    [2012/10/29 15:24:41 | 000,043,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\TsUsbGDCoInstaller.dll
    [2012/10/29 15:24:41 | 000,037,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\tsgqec.dll
    [2012/10/29 15:24:41 | 000,018,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wksprtPS.dll
    [2012/10/29 15:24:41 | 000,016,896 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wksprtPS.dll
    [2012/10/29 15:24:40 | 001,048,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mstsc.exe
    [2012/10/29 15:24:40 | 000,384,000 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wksprt.exe
    [2012/10/29 15:24:40 | 000,322,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\aaclient.dll
    [2012/10/29 15:24:40 | 000,269,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\aaclient.dll
    [2012/10/29 15:24:40 | 000,243,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\rdpudd.dll
    [2012/10/29 15:24:40 | 000,228,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\rdpendp_winip.dll
    [2012/10/29 15:24:40 | 000,062,976 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\TSWbPrxy.exe
    [2012/10/29 15:24:40 | 000,054,272 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\MsRdpWebAccess.dll
    [2012/10/29 15:24:40 | 000,046,592 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\MsRdpWebAccess.dll
    [2012/10/29 15:24:39 | 005,773,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mstscax.dll
    [2012/10/29 15:24:39 | 004,916,224 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mstscax.dll
    [2012/10/29 15:24:39 | 003,174,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\rdpcorets.dll
    [2012/10/29 15:24:39 | 001,123,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mstsc.exe
    [2012/10/29 15:23:41 | 001,448,448 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\lsasrv.dll
    [2012/10/29 15:23:41 | 000,307,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ncrypt.dll
    [2012/10/29 12:12:24 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2012/10/29 11:59:03 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2012/10/29 11:59:03 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2012/10/29 11:59:03 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2012/10/29 11:55:36 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2012/10/29 11:55:00 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
    [2012/10/29 11:43:06 | 004,991,994 | R--- | C] (Swearware) -- C:\Users\Sean\Desktop\ComboFix.exe
    [2012/10/29 10:42:42 | 000,000,000 | ---D | C] -- C:\Users\Sean\AppData\Local\{5F1B2A7B-AACF-4E01-B9B4-93C1058964E2}
    [2012/10/28 09:59:22 | 062,968,832 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\MRT.exe
    [2012/10/28 09:31:52 | 000,000,000 | ---D | C] -- C:\Users\Sean\AppData\Local\{8D76F073-848F-4E4D-B8CD-2745DEAF9737}
    [2012/10/27 21:07:47 | 000,000,000 | ---D | C] -- C:\FRST
    [2012/10/27 18:34:22 | 000,000,000 | ---D | C] -- C:\Users\Sean\AppData\Local\ElevatedDiagnostics
    [2012/10/27 15:04:36 | 000,000,000 | ---D | C] -- C:\Users\Sean\AppData\Roaming\Malwarebytes
    [2012/10/27 15:04:10 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2012/10/27 15:04:09 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2012/10/27 15:04:08 | 000,025,928 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
    [2012/10/27 15:04:07 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    [2012/10/27 14:10:23 | 000,000,000 | -HSD | C] -- C:\Windows\SysWow64\%APPDATA%
    [2012/10/26 21:01:10 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Firefox
    [2012/10/21 11:21:07 | 000,174,056 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\javaw.exe
    [2012/10/21 11:21:07 | 000,174,056 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\java.exe
    [2012/10/21 11:21:07 | 000,095,208 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
    [2012/10/20 14:29:37 | 000,000,000 | ---D | C] -- C:\Users\Sean\AppData\Local\{E3BBB0F3-4683-49E2-83A9-7FB6BA5F3511}
    [2012/10/18 08:32:11 | 000,000,000 | ---D | C] -- C:\Users\Sean\AppData\Local\{B9A39449-E37E-49FF-B9E6-B2DB7E048C44}
    [2012/10/15 17:51:59 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AGD Interactive
    [2012/10/15 17:51:51 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AGD Interactive
    [2012/10/10 23:48:59 | 001,162,240 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\kernel32.dll
    [2012/10/10 23:48:59 | 000,424,448 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\KernelBase.dll
    [2012/10/10 23:48:56 | 000,338,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\conhost.exe
    [2012/10/10 23:48:56 | 000,215,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\winsrv.dll
    [2012/10/10 23:48:54 | 000,243,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wow64.dll
    [2012/10/10 23:48:53 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\setup16.exe
    [2012/10/10 23:48:49 | 000,016,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntvdm64.dll
    [2012/10/10 23:48:49 | 000,014,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntvdm64.dll
    [2012/10/10 23:48:48 | 000,362,496 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wow64win.dll
    [2012/10/10 23:48:48 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wow64cpu.dll
    [2012/10/10 23:48:46 | 000,007,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\instnm.exe
    [2012/10/10 23:48:46 | 000,005,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wow32.dll
    [2012/10/10 23:48:46 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-processthreads-l1-1-0.dll
    [2012/10/10 23:48:46 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-processthreads-l1-1-0.dll
    [2012/10/10 23:48:46 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-sysinfo-l1-1-0.dll
    [2012/10/10 23:48:46 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-synch-l1-1-0.dll
    [2012/10/10 23:48:46 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-misc-l1-1-0.dll
    [2012/10/10 23:48:46 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-localregistry-l1-1-0.dll
    [2012/10/10 23:48:46 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-processenvironment-l1-1-0.dll
    [2012/10/10 23:48:46 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-namedpipe-l1-1-0.dll
    [2012/10/10 23:48:46 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-string-l1-1-0.dll
    [2012/10/10 23:48:46 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-rtlsupport-l1-1-0.dll
    [2012/10/10 23:48:46 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-profile-l1-1-0.dll
    [2012/10/10 23:48:46 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-profile-l1-1-0.dll
    [2012/10/10 23:48:45 | 000,005,120 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-file-l1-1-0.dll
    [2012/10/10 23:48:45 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-memory-l1-1-0.dll
    [2012/10/10 23:48:45 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-memory-l1-1-0.dll
    [2012/10/10 23:48:45 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-libraryloader-l1-1-0.dll
    [2012/10/10 23:48:45 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-interlocked-l1-1-0.dll
    [2012/10/10 23:48:45 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-heap-l1-1-0.dll
    [2012/10/10 23:48:45 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-xstate-l1-1-0.dll
    [2012/10/10 23:48:45 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-io-l1-1-0.dll
    [2012/10/10 23:48:45 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-handle-l1-1-0.dll
    [2012/10/10 23:48:45 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-fibers-l1-1-0.dll
    [2012/10/10 23:48:45 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-errorhandling-l1-1-0.dll
    [2012/10/10 23:48:45 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-delayload-l1-1-0.dll
    [2012/10/10 23:48:45 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-delayload-l1-1-0.dll
    [2012/10/10 23:48:45 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-debug-l1-1-0.dll
    [2012/10/10 23:48:45 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-debug-l1-1-0.dll
    [2012/10/10 23:48:45 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-datetime-l1-1-0.dll
    [2012/10/10 23:48:45 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-datetime-l1-1-0.dll
    [2012/10/10 23:48:44 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-threadpool-l1-1-0.dll
    [2012/10/10 23:48:44 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-synch-l1-1-0.dll
    [2012/10/10 23:48:42 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-namedpipe-l1-1-0.dll
    [2012/10/10 23:48:41 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-localregistry-l1-1-0.dll
    [2012/10/10 23:48:37 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-heap-l1-1-0.dll
    [2012/10/10 23:48:35 | 000,005,120 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-file-l1-1-0.dll
    [2012/10/10 23:48:31 | 000,006,144 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-security-base-l1-1-0.dll
    [2012/10/10 23:48:31 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
    [2012/10/10 23:48:31 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
    [2012/10/10 23:48:31 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-util-l1-1-0.dll
    [2012/10/10 23:48:30 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
    [2012/10/10 23:48:29 | 000,006,144 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
    [2012/10/10 23:48:29 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-rtlsupport-l1-1-0.dll
    [2012/10/10 23:48:29 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-processenvironment-l1-1-0.dll
    [2012/10/10 23:48:29 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-misc-l1-1-0.dll
    [2012/10/10 23:48:29 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-libraryloader-l1-1-0.dll
    [2012/10/10 23:48:29 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-string-l1-1-0.dll
    [2012/10/10 23:48:29 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-io-l1-1-0.dll
    [2012/10/10 23:48:29 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-interlocked-l1-1-0.dll
    [2012/10/10 23:48:29 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-handle-l1-1-0.dll
    [2012/10/10 23:48:29 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-fibers-l1-1-0.dll
    [2012/10/10 23:48:29 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-errorhandling-l1-1-0.dll
    [2012/10/10 23:48:25 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-sysinfo-l1-1-0.dll
    [2012/10/10 23:48:25 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-localization-l1-1-0.dll
    [2012/10/10 23:48:21 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-console-l1-1-0.dll
    [2012/10/10 23:48:10 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-localization-l1-1-0.dll
    [2012/10/10 23:48:10 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-console-l1-1-0.dll
    [2012/10/10 23:48:01 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\user.exe
    [2012/10/10 23:47:52 | 000,245,760 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\OxpsConverter.exe
    [2012/10/10 23:47:48 | 000,574,464 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d10level9.dll
    [2012/10/10 23:47:40 | 000,041,472 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\RNDISMP.sys
    [2012/10/10 10:22:28 | 005,559,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntoskrnl.exe
    [2012/10/10 10:22:23 | 003,914,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntoskrnl.exe
    [2012/10/10 10:22:22 | 003,968,880 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntkrnlpa.exe
    [2012/10/10 10:22:16 | 000,220,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wintrust.dll
    [2012/10/10 10:21:57 | 001,464,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\crypt32.dll
    [2012/10/10 10:21:56 | 000,140,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\cryptnet.dll
    Holden75, Nov 1, 2012
    #21

  2. Holden75 Newcomer, in training Posts: 36

    ========== Files - Modified Within 30 Days ==========

    [2012/11/01 19:10:00 | 000,000,894 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
    [2012/11/01 19:05:25 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Sean\Desktop\OTL.exe
    [2012/11/01 19:05:00 | 000,000,904 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-793335173-2078993848-683706515-1001UA.job
    [2012/11/01 19:05:00 | 000,000,852 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-793335173-2078993848-683706515-1001Core.job
    [2012/11/01 19:01:00 | 000,000,254 | ---- | M] () -- C:\Windows\tasks\HP Photo Creations Messager.job
    [2012/11/01 18:45:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
    [2012/11/01 18:10:00 | 000,000,890 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
    [2012/11/01 09:17:42 | 099,133,670 | ---- | M] () -- C:\Windows\SysNative\drivers\AVG\incavi.avm
    [2012/11/01 07:49:01 | 000,013,440 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    [2012/11/01 07:49:01 | 000,013,440 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    [2012/11/01 07:41:19 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2012/11/01 07:41:02 | 3220,525,056 | -HS- | M] () -- C:\hiberfil.sys
    [2012/11/01 07:39:28 | 000,063,336 | ---- | M] () -- C:\Windows\SysNative\BMXStateBkp-{00000004-00000000-00000000-00001102-0000000B-00431102}.rfx
    [2012/11/01 07:39:28 | 000,063,336 | ---- | M] () -- C:\Windows\SysNative\BMXState-{00000004-00000000-00000000-00001102-0000000B-00431102}.rfx
    [2012/11/01 07:39:28 | 000,000,820 | ---- | M] () -- C:\Windows\SysNative\DVCState-{00000004-00000000-00000000-00001102-0000000B-00431102}.rfx
    [2012/11/01 00:38:20 | 004,991,994 | R--- | M] (Swearware) -- C:\Users\Sean\Desktop\ComboFix.exe
    [2012/10/31 23:31:27 | 036,673,312 | ---- | M] (Microsoft Corporation) -- C:\Users\Sean\Documents\USMoneyBizSunset.exe
    [2012/10/31 23:26:39 | 014,081,767 | R--- | M] () -- C:\Users\Sean\My Money Backup_2012-10-31_232639.mbf
    [2012/10/31 23:19:41 | 016,458,032 | R--- | M] () -- C:\Users\Sean\My Money Backup_2012-10-31_231940.mbf
    [2012/10/31 15:00:54 | 016,458,031 | R--- | M] () -- C:\Users\Sean\My Money Backup_2012-10-31_150054.mbf
    [2012/10/30 19:03:23 | 001,584,640 | ---- | M] () -- C:\Users\Sean\Desktop\RogueKiller.exe
    [2012/10/30 06:42:22 | 000,000,258 | R-S- | M] () -- C:\ProgramData\ntuser.pol
    [2012/10/30 06:42:03 | 000,000,416 | ---- | M] () -- C:\Windows\tasks\DriverUpdate Startup.job
    [2012/10/29 18:15:42 | 000,455,699 | ---- | M] () -- C:\Windows\SysNative\drivers\AVG\iavichjg.avm
    [2012/10/29 16:56:00 | 000,002,044 | ---- | M] () -- C:\Users\Sean\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
    [2012/10/29 15:21:10 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
    [2012/10/29 12:21:36 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
    [2012/10/27 17:05:39 | 000,739,744 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
    [2012/10/27 17:05:39 | 000,632,930 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
    [2012/10/27 17:05:39 | 000,110,564 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
    [2012/10/27 14:30:59 | 003,555,328 | ---- | M] () -- C:\Users\Sean\Documents\My Money2.mny
    [2012/10/27 14:29:51 | 003,555,328 | ---- | M] () -- C:\Users\Sean\Documents\My Money1.mny
    [2012/10/27 14:24:12 | 003,383,296 | ---- | M] () -- C:\Users\Sean\Documents\My Money1.M16
    [2012/10/27 14:23:44 | 003,383,296 | ---- | M] () -- C:\Users\Sean\Documents\My Money.mny
    [2012/10/09 07:45:17 | 000,696,760 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
    [2012/10/09 07:45:17 | 000,073,656 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    [2012/10/06 22:21:24 | 320,645,843 | ---- | M] () -- C:\Users\Sean\Desktop\rumble3.mp4

    ========== Files Created - No Company Name ==========

    [2012/10/31 23:26:39 | 014,081,767 | R--- | C] () -- C:\Users\Sean\My Money Backup_2012-10-31_232639.mbf
    [2012/10/31 23:19:41 | 016,458,032 | R--- | C] () -- C:\Users\Sean\My Money Backup_2012-10-31_231940.mbf
    [2012/10/31 15:00:54 | 016,458,031 | R--- | C] () -- C:\Users\Sean\My Money Backup_2012-10-31_150054.mbf
    [2012/10/30 19:03:20 | 001,584,640 | ---- | C] () -- C:\Users\Sean\Desktop\RogueKiller.exe
    [2012/10/29 11:59:03 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
    [2012/10/29 11:59:03 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
    [2012/10/29 11:59:03 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2012/10/29 11:59:03 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2012/10/29 11:59:03 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2012/10/28 10:04:40 | 000,001,945 | ---- | C] () -- C:\Windows\epplauncher.mif
    [2012/10/27 14:29:50 | 003,555,328 | ---- | C] () -- C:\Users\Sean\Documents\My Money2.mny
    [2012/10/27 14:28:55 | 003,383,296 | ---- | C] () -- C:\Users\Sean\Documents\My Money1.M16
    [2012/10/27 14:23:43 | 003,555,328 | ---- | C] () -- C:\Users\Sean\Documents\My Money1.mny
    [2012/10/27 14:22:14 | 003,432,448 | ---- | C] () -- C:\Users\Sean\Documents\My Money.M15
    [2012/10/06 22:16:34 | 320,645,843 | ---- | C] () -- C:\Users\Sean\Desktop\rumble3.mp4
    [2012/09/23 01:53:42 | 000,001,769 | ---- | C] () -- C:\Windows\Language_trs.ini
    [2012/05/15 02:21:50 | 000,423,744 | ---- | C] () -- C:\Windows\SysWow64\nvStreaming.exe
    [2012/02/19 16:31:19 | 000,007,628 | ---- | C] () -- C:\Users\Sean\AppData\Local\Resmon.ResmonCfg
    [2012/02/11 17:46:23 | 000,000,057 | ---- | C] () -- C:\ProgramData\Ament.ini
    [2011/05/19 08:12:23 | 000,003,584 | ---- | C] () -- C:\Users\Sean\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2010/11/15 23:10:01 | 000,000,258 | R-S- | C] () -- C:\ProgramData\ntuser.pol
    [2010/11/11 00:23:01 | 000,000,092 | ---- | C] () -- C:\Users\Sean\AppData\Local\fusioncache.dat
    [2010/11/10 23:54:47 | 000,743,126 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
    [2010/11/10 23:52:59 | 000,103,736 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrB.exe
    [2010/11/10 23:52:57 | 000,669,184 | ---- | C] () -- C:\Windows\SysWow64\pbsvc.exe
    [2010/11/10 23:52:57 | 000,066,872 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrA.exe
    [2010/11/10 20:37:06 | 000,165,376 | ---- | C] () -- C:\Windows\SysWow64\unrar.dll
    [2010/11/10 20:37:05 | 000,765,952 | ---- | C] () -- C:\Windows\SysWow64\xvidcore.dll
    [2010/11/10 20:37:05 | 000,134,144 | ---- | C] () -- C:\Windows\SysWow64\xvidvfw.dll
    [2010/11/10 20:37:05 | 000,000,038 | ---- | C] () -- C:\Windows\avisplitter.ini
    [2010/11/10 20:37:04 | 000,108,032 | ---- | C] () -- C:\Windows\SysWow64\ff_vfw.dll
    [2010/11/10 18:39:15 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
    [2010/11/10 17:28:39 | 000,164,864 | ---- | C] () -- C:\Windows\SysWow64\APOMngr.DLL
    [2010/11/10 17:28:39 | 000,073,728 | ---- | C] () -- C:\Windows\SysWow64\CmdRtr.DLL

    ========== ZeroAccess Check ==========

    [2009/07/13 21:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

    [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

    [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

    [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

    [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
    "" = C:\Windows\SysNative\shell32.dll -- [2012/06/08 22:43:10 | 014,172,672 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Apartment

    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
    "" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 21:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Apartment

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
    "" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 18:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Free

    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
    "" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 05:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Free

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
    "" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/13 18:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Both

    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

    ========== Custom Scans ==========

    ========== Drive Information ==========

    Physical Drives
    ---------------

    Drive: \\\\.\\PHYSICALDRIVE0 - Fixed hard disk media
    Interface type: IDE
    Media Type: Fixed hard disk media
    Model: WDC WD2500JB-00GVA0 ATA Device
    Partitions: 1
    Status: OK
    Status Info: 0

    Drive: \\\\.\\PHYSICALDRIVE1 - Fixed hard disk media
    Interface type: IDE
    Media Type: Fixed hard disk media
    Model: WDC WD2000JB-00GVC0 ATA Device
    Partitions: 1
    Status: OK
    Status Info: 0

    Drive: \\\\.\\PHYSICALDRIVE2 - Fixed hard disk media
    Interface type: IDE
    Media Type: Fixed hard disk media
    Model: WDC WD5000AACS-00G8B1 ATA Device
    Partitions: 2
    Status: OK
    Status Info: 0

    Drive: \\\\.\\PHYSICALDRIVE3 - External hard disk media
    Interface type: USB
    Media Type: External hard disk media
    Model: Seagate FreeAgentDesktop USB Device
    Partitions: 1
    Status: OK
    Status Info: 0

    Drive: \\\\.\\PHYSICALDRIVE4 - Removable Media
    Interface type: USB
    Media Type: Removable Media
    Model: CENTON DS Pro USB Device
    Partitions: 1
    Status: OK
    Status Info: 0

    Drive: \\\\.\\PHYSICALDRIVE5 - External hard disk media
    Interface type: USB
    Media Type: External hard disk media
    Model: WD 10EADS External USB Device
    Partitions: 1
    Status: OK
    Status Info: 0

    Drive: \\\\.\\PHYSICALDRIVE6 - External hard disk media
    Interface type: USB
    Media Type: External hard disk media
    Model: WD Ext HDD 1021 USB Device
    Partitions: 1
    Status: OK
    Status Info: 0

    Partitions
    ---------------

    DeviceID: Disk #0, Partition #0
    PartitionType: MS-DOS V4 Huge
    Bootable: True
    BootPartition: True
    PrimaryPartition: True
    Size: 233.00GB
    Starting Offset: 32256
    Hidden sectors: 0


    DeviceID: Disk #1, Partition #0
    PartitionType: Installable File System
    Bootable: False
    BootPartition: False
    PrimaryPartition: True
    Size: 186.00GB
    Starting Offset: 32256
    Hidden sectors: 0


    DeviceID: Disk #2, Partition #0
    PartitionType: Installable File System
    Bootable: True
    BootPartition: True
    PrimaryPartition: True
    Size: 100.00MB
    Starting Offset: 1048576
    Hidden sectors: 0


    DeviceID: Disk #2, Partition #1
    PartitionType: Installable File System
    Bootable: False
    BootPartition: False
    PrimaryPartition: True
    Size: 466.00GB
    Starting Offset: 105906176
    Hidden sectors: 0


    DeviceID: Disk #3, Partition #0
    PartitionType: Installable File System
    Bootable: False
    BootPartition: False
    PrimaryPartition: True
    Size: 699.00GB
    Starting Offset: 32256
    Hidden sectors: 0


    DeviceID: Disk #4, Partition #0
    PartitionType: 16-bit FAT
    Bootable: False
    BootPartition: False
    PrimaryPartition: True
    Size: 15.00GB
    Starting Offset: 0
    Hidden sectors: 0


    DeviceID: Disk #5, Partition #0
    PartitionType: Unknown
    Bootable: False
    BootPartition: False
    PrimaryPartition: True
    Size: 932.00GB
    Starting Offset: 32256
    Hidden sectors: 0


    DeviceID: Disk #6, Partition #0
    PartitionType: Installable File System
    Bootable: False
    BootPartition: False
    PrimaryPartition: True
    Size: 1,397.00GB
    Starting Offset: 1048576
    Hidden sectors: 0

    [2010/11/10 20:44:25 | 000,000,000 | -H-D | M] -- C:\Users\Sean\AppData\Local\Microsoft\Media Player\Art Cache
    [2012/07/31 09:59:58 | 000,000,000 | RH-D | M] -- C:\Users\Sean\AppData\Local\Microsoft\Windows\Burn\Burn
    [2010/11/10 17:33:30 | 000,000,000 | -H-D | M] -- C:\Users\Sean\AppData\Roaming\Microsoft\Windows\IETldCache\Low
    [2010/11/12 10:27:28 | 000,000,000 | -H-D | M] -- C:\Windows\ServiceProfiles\LocalService\AppData
    [2010/11/15 23:05:50 | 000,000,000 | -H-D | M] -- C:\Windows\ServiceProfiles\NetworkService\AppData
    [2010/11/10 17:14:41 | 000,000,000 | -H-D | M] -- C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Media Player\Art Cache
    [2010/11/15 23:16:01 | 000,000,000 | -H-D | M] -- C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Media Player\Shadow Files Cache
    [2010/11/15 23:09:57 | 000,000,000 | -H-D | M] -- C:\Windows\SysNative\GroupPolicy

    < %systemroot%\system32\sysprep >

    < c:\*.xpi /s /md5 >

    < %systemroot%\Downloaded Program Files\ >

    < HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile >
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging]

    < %systemroot%\system32\drivers\*.sys /lockedfiles >

    < %systemroot%\system32\drivers\*.sys /90 >

    < %SYSTEMDRIVE%\*.exe /md5 >

    < "%WinDir%\$NtUninstallKB*$." /30 >

    < %systemdrive%\Program Files\Common Files\ComObjects\*.* /s >

    < %systemroot%\*. /mp /s >

    < %systemroot%\*. /rp /s >

    < %systemroot%\system32\*.dll /lockedfiles >

    < %systemroot%\Tasks\*.job /lockedfiles >

    < %systemroot%\Installer\ /s >

    < %systemroot%\system32\Cache\ /s >

    < %systemroot%\system32\config\systemprofile\Application Data /s >

    < %appdata%\*.* >

    < MD5 for: AFD.SYS >
    [2011/12/27 20:59:24 | 000,498,688 | ---- | M] (Microsoft Corporation) MD5=1C7857B62DE5994A75B054A9FD4C3825 -- C:\Windows\SysNative\drivers\afd.sys
    [2011/12/27 20:59:24 | 000,498,688 | ---- | M] (Microsoft Corporation) MD5=1C7857B62DE5994A75B054A9FD4C3825 -- C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17752_none_35e10b89752ee0f5\afd.sys
    [2011/12/27 21:01:36 | 000,498,176 | ---- | M] (Microsoft Corporation) MD5=36A14FD1A23F57046361733B792CA8DB -- C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21887_none_364f3a028e605345\afd.sys
    [2010/11/20 02:23:34 | 000,499,712 | ---- | M] (Microsoft Corporation) MD5=D31DC7A16DEA4A9BAF179F3D6FBDB38C -- C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17514_none_360e4801750ca991\afd.sys
    [2011/04/24 19:34:03 | 000,499,200 | ---- | M] (Microsoft Corporation) MD5=D5B031C308A409A0A576BFF4CF083D30 -- C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17603_none_3618198975057170\afd.sys
    [2011/04/24 20:09:35 | 000,499,200 | ---- | M] (Microsoft Corporation) MD5=F4AD06143EAC303F55D0E86C40802976 -- C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21712_none_3695e61e8e2c13d4\afd.sys

    < MD5 for: ATAPI.SYS >
    [2009/07/13 18:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\erdnt\cache64\atapi.sys
    [2009/07/13 18:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\SysNative\drivers\atapi.sys
    [2009/07/13 18:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\SysNative\DriverStore\FileRepository\mshdc.inf_amd64_neutral_aad30bdeec04ea5e\atapi.sys
    [2009/07/13 18:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.1.7601.17514_none_3b5e2d89382958dd\atapi.sys

    < MD5 for: EXPLORER.EXE >
    [2011/02/25 22:19:21 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=0FB9C74046656D1579A64660AD67B746 -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_ba87e574ddfe652d\explorer.exe
    [2011/02/24 23:19:30 | 002,871,808 | ---- | M] (Microsoft Corporation) MD5=332FEAB1435662FC6C672E25BEB37BE3 -- C:\Windows\erdnt\cache86\explorer.exe
    [2011/02/24 23:19:30 | 002,871,808 | ---- | M] (Microsoft Corporation) MD5=332FEAB1435662FC6C672E25BEB37BE3 -- C:\Windows\explorer.exe
    [2011/02/24 23:19:30 | 002,871,808 | ---- | M] (Microsoft Corporation) MD5=332FEAB1435662FC6C672E25BEB37BE3 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_afa79dc39081d0ba\explorer.exe
    [2011/02/25 23:14:34 | 002,871,808 | ---- | M] (Microsoft Corporation) MD5=3B69712041F3D63605529BD66DC00C48 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_b0333b22a99da332\explorer.exe
    [2010/11/20 05:17:09 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=40D777B7A95E00593EB1568C68514493 -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_ba2f56d3c4bcbafb\explorer.exe
    [2011/02/24 22:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=8B88EBBB05A0E56B7DCC708498C02B3E -- C:\Windows\SysWOW64\explorer.exe
    [2011/02/24 22:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=8B88EBBB05A0E56B7DCC708498C02B3E -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_b9fc4815c4e292b5\explorer.exe
    [2010/11/20 06:24:45 | 002,872,320 | ---- | M] (Microsoft Corporation) MD5=AC4C51EB24AA95B77F705AB159189E24 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_afdaac81905bf900\explorer.exe

    < MD5 for: IPNATHLP.DLL >
    [2009/07/13 18:41:10 | 000,359,424 | ---- | M] (Microsoft Corporation) MD5=B95F6501A2F8B2E78C697FEC401970CE -- C:\Windows\SysNative\ipnathlp.dll
    [2009/07/13 18:41:10 | 000,359,424 | ---- | M] (Microsoft Corporation) MD5=B95F6501A2F8B2E78C697FEC401970CE -- C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_60c2504d62fd4f0e\ipnathlp.dll

    < MD5 for: SERVICES.EXE >
    [2009/07/13 18:39:37 | 000,328,704 | ---- | M] (Microsoft Corporation) MD5=24ACB7E5BE595468E3B9AA488B9B4FCB -- C:\Windows\erdnt\cache64\services.exe
    [2009/07/13 18:39:37 | 000,328,704 | ---- | M] (Microsoft Corporation) MD5=24ACB7E5BE595468E3B9AA488B9B4FCB -- C:\Windows\SysNative\services.exe
    [2009/07/13 18:39:37 | 000,328,704 | ---- | M] (Microsoft Corporation) MD5=24ACB7E5BE595468E3B9AA488B9B4FCB -- C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe

    < MD5 for: USERINIT.EXE >
    [2010/11/20 05:17:48 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\erdnt\cache86\userinit.exe
    [2010/11/20 05:17:48 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\SysWOW64\userinit.exe
    [2010/11/20 05:17:48 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7601.17514_none_de3024012ff21116\userinit.exe
    [2010/11/20 06:25:24 | 000,030,720 | ---- | M] (Microsoft Corporation) MD5=BAFE84E637BF7388C96EF48D4D3FDD53 -- C:\Windows\erdnt\cache64\userinit.exe
    [2010/11/20 06:25:24 | 000,030,720 | ---- | M] (Microsoft Corporation) MD5=BAFE84E637BF7388C96EF48D4D3FDD53 -- C:\Windows\SysNative\userinit.exe
    [2010/11/20 06:25:24 | 000,030,720 | ---- | M] (Microsoft Corporation) MD5=BAFE84E637BF7388C96EF48D4D3FDD53 -- C:\Windows\winsxs\amd64_microsoft-windows-userinit_31bf3856ad364e35_6.1.7601.17514_none_3a4ebf84e84f824c\userinit.exe

    < MD5 for: VOLSNAP.SYS >
    [2010/11/20 06:34:02 | 000,295,808 | ---- | M] (Microsoft Corporation) MD5=0D08D2F3B3FF84E433346669B5E0F639 -- C:\Windows\SysNative\drivers\volsnap.sys
    [2010/11/20 06:34:02 | 000,295,808 | ---- | M] (Microsoft Corporation) MD5=0D08D2F3B3FF84E433346669B5E0F639 -- C:\Windows\SysNative\DriverStore\FileRepository\volume.inf_amd64_neutral_df8bea40ac96ca21\volsnap.sys
    [2010/11/20 06:34:02 | 000,295,808 | ---- | M] (Microsoft Corporation) MD5=0D08D2F3B3FF84E433346669B5E0F639 -- C:\Windows\winsxs\amd64_volume.inf_31bf3856ad364e35_6.1.7601.17514_none_73dcbcf012b4850e\volsnap.sys

    < MD5 for: WINLOGON.EXE >
    [2010/11/20 06:25:30 | 000,390,656 | ---- | M] (Microsoft Corporation) MD5=1151B1BAA6F350B1DB6598E0FEA7C457 -- C:\Windows\erdnt\cache64\winlogon.exe
    [2010/11/20 06:25:30 | 000,390,656 | ---- | M] (Microsoft Corporation) MD5=1151B1BAA6F350B1DB6598E0FEA7C457 -- C:\Windows\SysNative\winlogon.exe
    [2010/11/20 06:25:30 | 000,390,656 | ---- | M] (Microsoft Corporation) MD5=1151B1BAA6F350B1DB6598E0FEA7C457 -- C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_cde90685eb910636\winlogon.exe
    [2012/09/29 19:54:26 | 000,218,184 | ---- | M] () MD5=8846E87210AD131CF71E3E2E49F647B0 -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe

    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 64 bytes -> C:\Users\Sean\Desktop\Family Guy - Its a Trap.avi:TOC.WMV
    @Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:364682BC

    < End of report >
    Holden75, Nov 1, 2012
    #22

  3. Jay Pfoutz Malware Helper Posts: 4,286   +49

    OTL Fix

    Please run OTL
    • Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:

    • Then click the Run Fix button at the top.
    • Note: The fix for OTL automatically hides your Desktop and Start menu so the fix can be completed. Do not be alerted, as this is normal.
    • Please do not exit the program. It might take a while to fix, but allow it to run. If it asks to reboot the computer, allow it to reboot. If the program freezes, and the computer fails to reboot - let me know.
      Lastly, post the contents of the log. (Located at C:\_OTL\Moved Files)

    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so an install it.
    • Click Start or wait for the scanner to load.
    • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, there are a couple of things to keep in mind:
    • 1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
    • 2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
    • Open the logfile from wherever you saved it
    • Copy and paste the contents in your next reply.

    Any more issues?

    We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

    Many of the things to note for us would be:

    • Slow computer
    • Error messages
    • Fake antivirus alerts or the icon in the system tray
    • svchost.exe running at 100%
    • System crashes or blue screen of death
    Jay Pfoutz, Nov 2, 2012
    #23

  4. Holden75 Newcomer, in training Posts: 36

    All processes killed
    ========== OTL ==========
    Prefs.js: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23 removed from extensions.enabledItems
    Prefs.js: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24 removed from extensions.enabledItems
    Prefs.js: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22 removed from extensions.enabledItems
    Prefs.js: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}:6.0.26 removed from extensions.enabledItems
    C:\Users\Sean\AppData\Roaming\Mozilla\Firefox\Profiles\xifnbl6a.default\extensions\{687578b9-7132-4a7a-80e4-30ee31099e03}\searchplugin folder moved successfully.
    C:\Users\Sean\AppData\Roaming\Mozilla\Firefox\Profiles\xifnbl6a.default\extensions\{687578b9-7132-4a7a-80e4-30ee31099e03}\Plugins folder moved successfully.
    C:\Users\Sean\AppData\Roaming\Mozilla\Firefox\Profiles\xifnbl6a.default\extensions\{687578b9-7132-4a7a-80e4-30ee31099e03}\modules folder moved successfully.
    C:\Users\Sean\AppData\Roaming\Mozilla\Firefox\Profiles\xifnbl6a.default\extensions\{687578b9-7132-4a7a-80e4-30ee31099e03}\META-INF folder moved successfully.
    C:\Users\Sean\AppData\Roaming\Mozilla\Firefox\Profiles\xifnbl6a.default\extensions\{687578b9-7132-4a7a-80e4-30ee31099e03}\defaults folder moved successfully.
    C:\Users\Sean\AppData\Roaming\Mozilla\Firefox\Profiles\xifnbl6a.default\extensions\{687578b9-7132-4a7a-80e4-30ee31099e03}\components folder moved successfully.
    C:\Users\Sean\AppData\Roaming\Mozilla\Firefox\Profiles\xifnbl6a.default\extensions\{687578b9-7132-4a7a-80e4-30ee31099e03}\chrome folder moved successfully.
    C:\Users\Sean\AppData\Roaming\Mozilla\Firefox\Profiles\xifnbl6a.default\extensions\{687578b9-7132-4a7a-80e4-30ee31099e03} folder moved successfully.
    C:\Users\Sean\AppData\Local\Google\Chrome\User Data\Default\Extensions\bgdkpdbfegccaffojmicomeamflpeplf\1.0_0 folder moved successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\//@surf.mar@/\ deleted successfully.
    C:\Users\Sean\AppData\Local\{32A6D155-5C59-4FDB-B90F-0658EBDC85E1} folder moved successfully.
    C:\Users\Sean\AppData\Local\{C227883A-96A3-4C96-B57E-997938EFA40C} folder moved successfully.
    C:\Users\Sean\AppData\Local\{5F1B2A7B-AACF-4E01-B9B4-93C1058964E2} folder moved successfully.
    C:\Users\Sean\AppData\Local\{8D76F073-848F-4E4D-B8CD-2745DEAF9737} folder moved successfully.
    C:\Users\Sean\AppData\Local\{E3BBB0F3-4683-49E2-83A9-7FB6BA5F3511} folder moved successfully.
    C:\Users\Sean\AppData\Local\{B9A39449-E37E-49FF-B9E6-B2DB7E048C44} folder moved successfully.
    ADS C:\ProgramData\TEMP:364682BC deleted successfully.
    ========== FILES ==========
    < ipconfig /flushdns /c >
    Windows IP Configuration
    Successfully flushed the DNS Resolver Cache.
    C:\Users\Sean\Desktop\cmd.bat deleted successfully.
    C:\Users\Sean\Desktop\cmd.txt deleted successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 56502 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: Sean
    ->Temp folder emptied: 1883649 bytes
    ->Temporary Internet Files folder emptied: 970251126 bytes
    ->Java cache emptied: 403554 bytes
    ->FireFox cache emptied: 878321151 bytes
    ->Google Chrome cache emptied: 255446120 bytes
    ->Apple Safari cache emptied: 42651648 bytes
    ->Flash cache emptied: 389177 bytes

    User: UpdatusUser
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 56502 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 74496 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50400 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 2,050.00 mb


    OTL by OldTimer - Version 3.2.69.0 log created on 11022012_170114

    Files\Folders moved on Reboot...
    C:\Users\Sean\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
    File move failed. C:\Windows\temp\Amazon Digital Video\Servicelog.adv scheduled to be moved on reboot.

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...
    Holden75, Nov 2, 2012
    #24

  5. Holden75 Newcomer, in training Posts: 36

    C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\46Y5SQMV\cat-and-dolphin-playing-together[1].htm HTML/ScrInject.B.Gen virus deleted - quarantined
    E:\Downloads\Install_AIM_5.5.3595.exe Win32/Adware.WBug.A application cleaned by deleting - quarantined
    E:\Downloads\PlayFLV.exe Win32/TrojanDownloader.Adload.NIQ trojan cleaned by deleting - quarantined
    E:\Downloads\InterVideo.WinDVD.6.Platinum.keygen\keygen.exe probably a variant of Win32/Agent.LHPKIKX trojan cleaned by deleting - quarantined
    E:\Downloads\Video Strip Poker (Vsp) - Crack 1.42 & Upgrade\Video Strip Poker (VSP) - Crack 1.42 & upgrade\vsp_upgrade_142.exe probably a variant of Win32/Agent.FOSBCKS trojan cleaned by deleting - quarantined
    J:\Downloads\Nero-9.4.12.3_free.exe Win32/Toolbar.AskSBar application cleaned by deleting - quarantined
    J:\Downloads\XvidSetup(2).exe a variant of Win32/Adware.HotBar.H application cleaned by deleting - quarantined
    Holden75, Nov 3, 2012
    #25

  6. Holden75 Newcomer, in training Posts: 36

    AS far as I can tell I'm not having any major issues other than the fact that I can't seem to install Microsoft Money (any version) because I get an error saying "AUTORUN.INF is corrupt or missing"
    Oh and if I open c:\FRST\Quarantine I get a AVG Threat detected pop-up alert saying the file Desktop.ini is infected with Trojan horse Generic29.ANPX
    Apart from those two things, my systems seems to be running fine.
    Holden75, Nov 3, 2012
    #26
     

  7. Jay Pfoutz Malware Helper Posts: 4,286   +49

    Go ahead and delete the whole FRST folder in the C:\ directory.

    See if this clears up some problems...we'll finish up here...

    Clean up System Restore

    Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

    To manually create a new Restore Point
    • Go to Control Panel and select System and Maintenance
    • Select System
    • On the left select Advance System Settings and accept the warning if you get one
    • Select System Protection Tab
    • Select Create at the bottom
    • Type in a name I.e. Clean
    • Select Create
    Now we can purge the infected ones
    • Go back to the System and Maintenance page
    • Select Performance Information and Tools
    • On the left select Open Disk Cleanup
    • Select Files from all users and accept the warning if you get one
    • In the drop down box select your main drive I.e. C
    • For a few moments the system will make some calculations:
      [IMG]
    • Select the More Options tab
      [IMG]
    • In the System Restore and Shadow Backups select Clean up
      [IMG]
    • Select Delete on the pop up
    • Select OK
    • Select Delete
    Run OTC to remove our tools

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTC.exe by OldTimer:
    • Save it to your Desktop.
    • Double click OTC.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note:If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    Purge old temporary files

    NOTE: If you already have this installed, you don't have to reinstall it.

    Please download CCleaner Slim and save it to your Desktop - Alternate download link

    When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
    Follow the prompts to install the program.

    • Double-click the CCleaner shortcut on the desktop to start the program.
    • A prompt will ask you if you want CCleaner to do a check to see what cookies it needs to keep. Allow that operation.
    • On the Cleaner tab, click on Run Cleaner on the bottom-right to run the program.
    • Important: Make sure that ALL browser windows are closed before selecting Run Cleaner, or it will ask if you want the program to close them for you (when you do this, all unsaved data may be lost in the browser).

      Caution: Only use the Registry feature if you are very familiar with the registry.
      Always back up your registry before making any changes. Exit CCleaner after it has completed it's process.

      Security Check

      Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
      • Save it to your Desktop.
      • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
      • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
    Jay Pfoutz, Nov 3, 2012
    #27

  8. Holden75 Newcomer, in training Posts: 36

    Results of screen317's Security Check version 0.99.54
    Windows 7 Service Pack 1 x64 (UAC is enabled)
    Internet Explorer 9
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    AVG Anti-Virus Free Edition 2012
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    Malwarebytes Anti-Malware version 1.65.1.1000
    JavaFX 2.1.1
    Java 7 Update 9
    Adobe Flash Player 11.4.402.287
    Adobe Reader X (10.1.4)
    Mozilla Firefox (16.0.2)
    Google Chrome 21.0.1180.83
    Google Chrome 21.0.1180.89
    Google Chrome 22.0.1229.79
    Google Chrome 22.0.1229.92
    Google Chrome 22.0.1229.94
    ````````Process Check: objlist.exe by Laurent````````
    AVG avgwdsvc.exe
    AVG avgtray.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 0%
    ````````````````````End of Log``````````````````````
    Holden75, Nov 3, 2012
    #28

  9. Holden75 Newcomer, in training Posts: 36

    I still seem to be having a problem installing Microsoft Money Sunset. AUTORUN.INF file is missing or corrupt. I honestly don't know if this is a completely unrelated issue or not.
    Holden75, Nov 3, 2012
    #29

  10. Jay Pfoutz Malware Helper Posts: 4,286   +49

    Do the following, and also let me know if you can install the program...

    Please download OTM

    • Save it to your desktop.
    • Please double-click OTM to run it. (Note for Vista: Right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL C (or, after highlighting, right-click and choose Copy):

    • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTM and reboot your PC.
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and
    open the newest .log file present, and copy/paste the contents of that document back here in your next post.
    Jay Pfoutz, Nov 4, 2012
    #30

  11. Holden75 Newcomer, in training Posts: 36

    I'm getting trojan horse detections from the OTM link you provided from AVG. The actual OTM.exe file is also being detected as infected with a trojan horse.
    Holden75, Nov 4, 2012
    #31

  12. Holden75 Newcomer, in training Posts: 36

    Here is what AVG detected as far as the OTM executable goes:
    Virus name: IDP.Trojan.5BD43515
    Path to file: C:\Users\Sean\Desktop\OTM.exe
    Holden75, Nov 4, 2012
    #32

  13. Jay Pfoutz Malware Helper Posts: 4,286   +49

    Go into AVG, disable the Resident Shield, and try again, please.
    Jay Pfoutz, Nov 4, 2012
    #33

  14. Holden75 Newcomer, in training Posts: 36

    Ran OTM as you specified. Program said a reboot was necessary. Upon Windows starting up I was asked if I wanted to allow OTM to run. I clicked yes. Now my computer seems to be hanging with a black screen. I can do CTRL ALT DEL and get to task manager and the options available when pressing that key combo, but it is still hanging. I'm not seeing much HDD activity either.
    Holden75, Nov 4, 2012
    #34

  15. Holden75 Newcomer, in training Posts: 36

    When I did CTRL ALT DEL I hit logoff and logged back on. Desktop came up. I now have two grey desktop.ini files on my desktop, one of which has a padlock on it. I also tried installing Money Sunset and still got the AUTORUN.INF file missing or corrupt. Will post OTM log file in next reply.
    Holden75, Nov 4, 2012
    #35

  16. Holden75 Newcomer, in training Posts: 36

    All processes killed
    ========== REGISTRY ==========
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf\ not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: Sean
    ->Temp folder emptied: 16477934 bytes
    ->Temporary Internet Files folder emptied: 14947589 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 989388180 bytes
    ->Google Chrome cache emptied: 198441689 bytes
    ->Apple Safari cache emptied: 0 bytes
    ->Flash cache emptied: 6365 bytes

    User: UpdatusUser
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 95503 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 176792757 bytes
    %systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 753 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 1,331.00 mb


    OTM by OldTimer - Version 3.1.21.0 log created on 11042012_132653
    Holden75, Nov 4, 2012
    #36

  17. Jay Pfoutz Malware Helper Posts: 4,286   +49

    Okay, so after running OTM, it still is appearing with the error?
    Jay Pfoutz, Nov 5, 2012
    #37

  18. Holden75 Newcomer, in training Posts: 36

    Yes
    Holden75, Nov 5, 2012
    #38

  19. Jay Pfoutz Malware Helper Posts: 4,286   +49

    Please download this tool > System Repair Engineer
    1. Extract it to it's own folder & double click SREng.exe to run it
    2. Select 'Smart Scan' & tick "Verify Digital Signatures"
    3. Click on the [Scan] button
    4. When finished, click on the [Save Reports] button & save the log to Desktop
    5. Attach the log in your next reply. Please don't copy and paste it

    Note: You may have to rename SREngLog.log to SREngLog.txt before attaching
    Jay Pfoutz, Nov 5, 2012
    #39

  20. Holden75 Newcomer, in training Posts: 36

    Here ya go.

    Attached Files:

    Holden75, Nov 5, 2012
    #40
Page 2 of 3
Topic Status:
Not open for further replies.

Add New Comment

Social Login & Guest Posting

TechSpot Members
Login here or sign up for free,
it takes about a minute.
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.