rysktkr

Everything posted by rysktkr

  1. I was able to get combofix to run in normal mode, although it did complain that SEP was running even though in my system tray it was disabled. I was not successful in running DDS in normal mode in two attempts. On the first attempt it ran and looked as though it completed (the window closed), but no log showed up. The second time, I renamed dds.scr to my.exe. It completed halfway through, then hung the PC. I was able to successfully run it in safe mode. My copy and paste does not appear to be working at this post. I attached the logs. comb_log.txt DDS.txt
  2. Here are the log files:

     Malwarebytes Anti-Malware 1.61.0.1400
     www.malwarebytes.org
     Database version: v2012.07.03.07
     Windows 7 x86 NTFS
     Internet Explorer 9.0.8112.16421
     Mark :: DSHTPC [administrator]
     7/3/2012 3:37:09 PM
     mbam-log-2012-07-03 (15-37-09).txt
     Scan type: Quick scan
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 196643
     Time elapsed: 4 minute(s), 21 second(s)
     Memory Processes Detected: 0 (No malicious items detected)
     Memory Modules Detected: 0 (No malicious items detected)
     Registry Keys Detected: 0 (No malicious items detected)
     Registry Values Detected: 0 (No malicious items detected)
     Registry Data Items Detected: 0 (No malicious items detected)
     Folders Detected: 0 (No malicious items detected)
     Files Detected: 0 (No malicious items detected)
     (end)
  3. Hi screen317, I uninstalled uTorrent. Here is the Trend Micro HijackThis v2.0.4 log (scan saved at 2:01:43 PM on 7/3/2012, safe mode with network support):
  4. I had another PC that was infected with ZeroAccess inserted into the TCP/IP stack. Thankfully MrC cleaned it. During this infection this PC became infected. I fear the infection may have propagated. I could not run HJT in normal mode; I had to run it in safe mode. Here is the Trend Micro HijackThis v2.0.4 log (scan saved at 12:53:45 PM on 7/3/2012, safe mode with network support):
  5. MrC, I truly appreciate your help on this. I have uninstalled combofix and run OTL cleanup. Also, I left you some well-deserved feedback. You're a malware cleanup rockstar!
  6. Thanks MrCharlie. BTW, I'm an HW MSEE and your expertise was much needed. Your responses were so quick it almost felt like we were chatting. This was a difficult infection and you slayed the dragon! Thanks -rysktkr

  7. Excellent. I just wish we had an explanation for the ZA detection with combofix and GMER not being able to complete.
  8. Here's the log:

     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2012-07-02 17:24:49
     Windows 5.1.2600 Service Pack 3 NTFS
     scanning hidden processes ...
     IPC error: 2 The system cannot find the file specified.
     scanning hidden services & system hive ...
     [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001f81000830]
     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001f81000830]
     scanning hidden registry entries ...
     scanning hidden files ...
     scan completed successfully
     hidden processes: 0
     hidden services: 0
     hidden files: 0
  9. Windows dialogue box pops up, "This service cannot be started in Safe Mode".
  10. Unfortunately, GMER doesn't allow you to run it in safe mode even as admin.
  11. MrC, How confident are you that we have removed all infections? I'm a little concerned that combofix still detects ZA and GMER is unable to run successfully.
  12. Malwarebytes Anti-Malware 1.61.0.1400
      www.malwarebytes.org
      Database version: v2012.07.01.06
      Windows XP Service Pack 3 x86 NTFS
      Internet Explorer 8.0.6001.18702
      Mark :: MYPC [administrator]
      7/1/2012 9:15:18 AM
      mbam-log-2012-07-01 (09-15-18).txt
      Scan type: Full scan
      Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
      Scan options disabled: P2P
      Objects scanned: 583066
      Time elapsed: 3 hour(s), 6 minute(s), 52 second(s)
      Memory Processes Detected: 0 (No malicious items detected)
      Memory Modules Detected: 0 (No malicious items detected)
      Registry Keys Detected: 0 (No malicious items detected)
      Registry Values Detected: 0 (No malicious items detected)
      Registry Data Items Detected: 0 (No malicious items detected)
      Folders Detected: 0 (No malicious items detected)
      Files Detected: 8
      C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\l0gdw4nUSn3xA4.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
      C:\Qoobox\Quarantine\C\Documents and Settings\Mark\Application Data\Gomodu\ywnui.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
      C:\Qoobox\Quarantine\C\Documents and Settings\Mark\Application Data\Isar\pudy.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
      C:\Qoobox\Quarantine\C\Documents and Settings\Mark\Local Settings\Application Data\ummcbzl.exe.vir (Trojan.LameShield) -> Quarantined and deleted successfully.
      C:\System Volume Information\_restore{C6C4B482-C7EA-4B74-A10F-7986DDA0628E}\RP179\A0040807.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
      C:\System Volume Information\_restore{C6C4B482-C7EA-4B74-A10F-7986DDA0628E}\RP179\A0040808.exe (Trojan.Agent) -> Quarantined and deleted successfully.
      C:\System Volume Information\_restore{C6C4B482-C7EA-4B74-A10F-7986DDA0628E}\RP179\A0040809.exe (Trojan.Agent) -> Quarantined and deleted successfully.
      C:\System Volume Information\_restore{C6C4B482-C7EA-4B74-A10F-7986DDA0628E}\RP179\A0040811.exe (Trojan.LameShield) -> Quarantined and deleted successfully.
      (end)
  13. Here is the log, 8 infections:

      Malwarebytes Anti-Malware 1.61.0.1400
      www.malwarebytes.org
      Database version: v2012.07.01.06
      Windows XP Service Pack 3 x86 NTFS
      Internet Explorer 8.0.6001.18702
      Mark :: MYPC [administrator]
      7/1/2012 9:15:18 AM
      mbam-log-2012-07-01 (16-40-33).txt
      Scan type: Full scan
      Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
      Scan options disabled: P2P
      Objects scanned: 583066
      Time elapsed: 3 hour(s), 6 minute(s), 52 second(s)
      Memory Processes Detected: 0 (No malicious items detected)
      Memory Modules Detected: 0 (No malicious items detected)
      Registry Keys Detected: 0 (No malicious items detected)
      Registry Values Detected: 0 (No malicious items detected)
      Registry Data Items Detected: 0 (No malicious items detected)
      Folders Detected: 0 (No malicious items detected)
      Files Detected: 8
      C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\l0gdw4nUSn3xA4.exe.vir (Trojan.FakeAlert) -> No action taken.
      C:\Qoobox\Quarantine\C\Documents and Settings\Mark\Application Data\Gomodu\ywnui.exe.vir (Trojan.Agent) -> No action taken.
      C:\Qoobox\Quarantine\C\Documents and Settings\Mark\Application Data\Isar\pudy.exe.vir (Trojan.Agent) -> No action taken.
      C:\Qoobox\Quarantine\C\Documents and Settings\Mark\Local Settings\Application Data\ummcbzl.exe.vir (Trojan.LameShield) -> No action taken.
      C:\System Volume Information\_restore{C6C4B482-C7EA-4B74-A10F-7986DDA0628E}\RP179\A0040807.exe (Trojan.FakeAlert) -> No action taken.
      C:\System Volume Information\_restore{C6C4B482-C7EA-4B74-A10F-7986DDA0628E}\RP179\A0040808.exe (Trojan.Agent) -> No action taken.
      C:\System Volume Information\_restore{C6C4B482-C7EA-4B74-A10F-7986DDA0628E}\RP179\A0040809.exe (Trojan.Agent) -> No action taken.
      C:\System Volume Information\_restore{C6C4B482-C7EA-4B74-A10F-7986DDA0628E}\RP179\A0040811.exe (Trojan.LameShield) -> No action taken.
      (end)
  14. Seems to be running well. Performance on this PC, however, never seemed to be an issue even when infected.
  15. Enclosed is the SEP log file. It only exports into csv format. sep_log.zip
  16. I ran OTL as admin in safe mode and I believe it completed. It said it needed to be rebooted to remove files. Here is the log file (OTL by OldTimer, version 3.2.53.0, log created on 06302012_165510):
  17. MrC, it seems you work all hours. Just wanted to let you know tomorrow is a busy family day for me. Church -> brunch -> Euro soccer champ with a drinking buddy at a bar. Then home. So apologies if you don't hear from me until early evening PST. Looking at the SEP log again, it added another infection. Seems we really PO'd this ZA infection. It's throwing the kitchen sink at us.
  18. Yikes! Scanning with SEP, about 4 different infections detected thus far. Checked the firewall, it is on. Will post the log when the scan completes. I think a better acronym for SEP would be POS. All our home computers use SEP and they all appear to have some infection, except my daughter's iPad (different OS) and my wife's laptop (Windows Vista). I have been trying to think why the wife's laptop is not infected. It passed MBAM, SEP, and ESET online. The only reason I can think of is she doesn't download anything; it is primarily used for Facebook. MrC, I really appreciate your help and expertise in trying to get rid of this nasty beast. Getting rid of it has become personal for me.
  19. Here is the latest OTL log file. It wasn't clear to me whether OTL finished its scan successfully. This log appeared after I rebooted because it looked like OTL was no longer working. I didn't see anything from OTL on my desktop.

Files\Folders moved on Reboot...
C:\Users\Fallon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\V26PIT9G\0[1].htm moved successfully.
C:\Users\Fallon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\V26PIT9G\0[2].htm moved successfully.
C:\Users\Fallon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\V26PIT9G\csc-render[1].htm moved successfully.
C:\Users\Fallon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\V26PIT9G\ext-render-secure[3].htm moved successfully.
C:\Users\Fallon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\V26PIT9G\fastbutton[1].htm moved successfully.
C:\Users\Fallon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\V26PIT9G\st[1] moved successfully.
C:\Users\Fallon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\N6EYX6BS\0[1].htm moved successfully.
C:\Users\Fallon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\N6EYX6BS\0[2].htm moved successfully.
C:\Users\Fallon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\N6EYX6BS\EFpQQyG9GqCrobXxL-KRMWzklk6MJbhg7BmBP42CjCQ[1].eot moved successfully.
C:\Users\Fallon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\N6EYX6BS\launch[1].htm moved successfully.
C:\Users\Fallon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\N6EYX6BS\MainView[1].htm moved successfully.
C:\Users\Fallon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CVF1H0KU\index[8].htm moved successfully.
C:\Users\Fallon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CVF1H0KU\s-BiyweUPV0v-yRb-cjciFQlYEbsez9cZjKsNMjLOwM[1].eot moved successfully.
C:\Users\Fallon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0YF0PHVK\fc[1].htm moved successfully.
C:\Users\Fallon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0YF0PHVK\xframe-proxy_20110929[1].htm moved successfully.
C:\Users\Fallon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0YF0PHVK\xframe-proxy_20110929[2].htm moved successfully.
C:\Users\Fallon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\ED8654D5-B9F0-4DD9-B3E8-F8F560086FDF.dat moved successfully.
C:\Users\Fallon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.
PendingFileRenameOperations files...
File C:\Users\Fallon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\V26PIT9G\0[1].htm not found!
File C:\Users\Fallon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\V26PIT9G\0[2].htm not found!
File C:\Users\Fallon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\V26PIT9G\csc-render[1].htm not found!
File C:\Users\Fallon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\V26PIT9G\ext-render-secure[3].htm not found!
File C:\Users\Fallon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\V26PIT9G\fastbutton[1].htm not found!
File C:\Users\Fallon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\V26PIT9G\st[1] not found!
File C:\Users\Fallon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\N6EYX6BS\0[1].htm not found!
File C:\Users\Fallon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\N6EYX6BS\0[2].htm not found!
File C:\Users\Fallon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\N6EYX6BS\EFpQQyG9GqCrobXxL-KRMWzklk6MJbhg7BmBP42CjCQ[1].eot not found!
File C:\Users\Fallon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\N6EYX6BS\launch[1].htm not found!
File C:\Users\Fallon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\N6EYX6BS\MainView[1].htm not found!
File C:\Users\Fallon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CVF1H0KU\index[8].htm not found!
File C:\Users\Fallon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CVF1H0KU\s-BiyweUPV0v-yRb-cjciFQlYEbsez9cZjKsNMjLOwM[1].eot not found!
File C:\Users\Fallon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0YF0PHVK\fc[1].htm not found!
File C:\Users\Fallon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0YF0PHVK\xframe-proxy_20110929[1].htm not found!
File C:\Users\Fallon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0YF0PHVK\xframe-proxy_20110929[2].htm not found!
File C:\Users\Fallon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\ED8654D5-B9F0-4DD9-B3E8-F8F560086FDF.dat not found!
File C:\Users\Fallon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT not found!
Registry entries deleted on Reboot...
  20. No, it did not run the whole scan. It got all the way to the Program folder before freezing up the PC.
  21. OTL started executing the script, then crashed the computer. Here is the log that run produced:

All processes killed
Error: Unable to interpret <:OTLIE - HKU\.DEFAULT\..\URLSearchHook: {00A6FAF6-072E-44cf-8957-5838F569A31D} - No CLSID value foundIE - HKU\S-1-5-18\..\URLSearchHook: {00A6FAF6-072E-44cf-8957-5838F569A31D} - No CLSID value found:Commands[emptytemp][clearallrestorepoints]> in the current context!
OTL by OldTimer - Version 3.2.53.0 log created on 06302012_130926
Files\Folders moved on Reboot...
PendingFileRenameOperations files...
Registry entries deleted on Reboot...
:OTLIE - HKU\.DEFAULT\..\URLSearchHook: {00A6FAF6-072E-44cf-8957-5838F569A31D} - No CLSID value foundIE - HKU\S-1-5-18\..\URLSearchHook: {00A6FAF6-072E-44cf-8957-5838F569A31D} - No CLSID value found:Commands[emptytemp][clearallrestorepoints]
  22. Sorry, those are long scans. It just now crashed the PC before completing. The dialogue box read "MS Visual C++ Runtime Library Error".