Ukash infection and safemode disabled


Hello.

My pc has got the ukash virus on it.

I have tried to go into Safemode with networking but it fails to load as does all other Safemode with or without network cable attached. Restore to a previous working session does nothing.

I used a friend's pc to put Windows Defender Offline onto it. This found some trojans and removed them but upon relocating ukash is still there.

I cannot log in to anything except the single user login which has the virus. I don't even have time to try to switch user to go in as admin.

I do not have another user login to switch to on my pc like some use to remove it, and I cannot get into Safemode. Please help.


Once you have the cd, boot the computer up using it.

Note: If you do not know how to set your computer to boot from CD, follow the steps here.

It's going to go something like this when OTLPE loads:

  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start.
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the C:\OTL.txt file in your reply.

MrC


OTLPE log below

OTL logfile created on: 11/11/2012 6:02:02 PM - Run

OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE

Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 87.00% Memory free

2.00 Gb Paging File | 2.00 Gb Available in Paging File | 97.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 37.26 Gb Total Space | 6.35 Gb Free Space | 17.03% Space Free | Partition Type: NTFS

Drive D: | 37.27 Gb Total Space | 21.28 Gb Free Space | 57.09% Space Free | Partition Type: NTFS

Drive E: | 232.88 Gb Total Space | 43.79 Gb Free Space | 18.80% Space Free | Partition Type: NTFS

Drive X: | 284.12 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO | User Name: SYSTEM

Boot Mode: Normal | Scan Mode: All users

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

Using ControlSet: ControlSet004

========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled] -- -- (HidServ)

SRV - File not found [On_Demand] -- -- (AppMgmt)

SRV - [2012/09/29 13:54:26 | 000,676,936 | ---- | M] (Malwarebytes Corporation) [Auto] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)

SRV - [2012/09/29 13:54:26 | 000,399,432 | ---- | M] (Malwarebytes Corporation) [Auto] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)

SRV - [2011/11/28 13:01:23 | 000,044,768 | ---- | M] (AVAST Software) [Auto] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)

SRV - [2010/05/12 09:10:19 | 000,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand] -- C:\Program Files\Citrix\GoToAssist\570\g2aservice.exe -- (GoToAssist)

SRV - [2008/11/11 03:38:06 | 000,620,544 | ---- | M] (Nokia.) [On_Demand] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)

DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)

DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)

DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)

DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)

DRV - File not found [Kernel | System] -- -- (PCIDump)

DRV - File not found [Kernel | On_Demand] -- -- (MRENDIS5)

DRV - File not found [Kernel | On_Demand] -- -- (MREMPR5)

DRV - File not found [Kernel | System] -- -- (lbrtfdc)

DRV - File not found [Kernel | System] -- -- (i2omgmt)

DRV - File not found [Kernel | On_Demand] -- -- (FsUsbExDisk)

DRV - File not found [Kernel | On_Demand] -- -- (dgderdrv)

DRV - File not found [Kernel | System] -- -- (Changer)

DRV - [2012/09/29 13:54:26 | 000,022,856 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)

DRV - [2011/11/28 12:53:53 | 000,435,032 | ---- | M] (AVAST Software) [File_System | System] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)

DRV - [2011/11/28 12:53:35 | 000,314,456 | ---- | M] (AVAST Software) [Kernel | System] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)

DRV - [2011/11/28 12:52:19 | 000,034,392 | ---- | M] (AVAST Software) [Kernel | System] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)

DRV - [2011/11/28 12:52:16 | 000,052,952 | ---- | M] (AVAST Software) [Kernel | System] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)

DRV - [2011/11/28 12:52:02 | 000,111,320 | ---- | M] (AVAST Software) [File_System | Auto] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)

DRV - [2011/11/28 12:51:50 | 000,020,568 | ---- | M] (AVAST Software) [File_System | Auto] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)

DRV - [2011/11/28 12:48:49 | 000,030,808 | ---- | M] (AVAST Software) [Kernel | System] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)

DRV - [2011/03/13 03:47:26 | 000,053,312 | ---- | M] (microOLAP Technologies LTD) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\pssdklbf.sys -- (PSSDKLBF)

DRV - [2011/01/26 17:34:32 | 006,406,656 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)

DRV - [2010/09/04 05:57:34 | 000,234,392 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)

DRV - [2009/12/07 06:50:48 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)

DRV - [2009/12/07 06:50:46 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)

DRV - [2009/02/26 06:40:10 | 000,099,856 | R--- | M] (ATI Research Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\AtiHdmi.sys -- (AtiHdmiService)

DRV - [2008/08/26 03:26:12 | 000,018,816 | ---- | M] (Nokia) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\pccsmcfd.sys -- (pccsmcfd)

DRV - [2008/05/08 16:23:22 | 000,238,080 | R--- | M] (VIA Technologies, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\viahduaa.sys -- (VIAHdAudAddService)

DRV - [2008/02/14 09:12:00 | 001,389,056 | R--- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\monfilt.sys -- (monfilt)

DRV - [2007/11/20 22:09:22 | 000,104,320 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)

DRV - [2007/07/19 17:44:54 | 000,110,120 | ---- | M] (Silicon Image, Inc) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\pnp680r.sys -- (Pnp680r)

DRV - [2004/08/14 13:56:20 | 000,005,810 | R--- | M] () [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

IE - HKLM\Software\Microsoft\Internet Explorer\Search,CustomSearch = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/cs/*http://uk.docs.yahoo.com/info/bt_side.html

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?rd=1&ucc=GB&dcc=GB&opt=0&ocid=iehp

IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 4E 4B B4 8A 26 91 CD 01 [binary data]

IE - HKU\Administrator_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Dale.HOMESVILLE_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en-uk

IE - HKU\Dale.HOMESVILLE_ON_C\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found

IE - HKU\Dale.HOMESVILLE_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\LocalService.NT_AUTHORITY_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)

FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@Motive.com/NpMotive,version=1.0: C:\Program Files\Common Files\Motive\npMotive.dll (Motive, Inc.)

FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=15.0.6.14: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)

FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=15.0.6.14: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)

FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=15.0.6.14: C:\Documents and Settings\All Users.WINDOWS\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)

FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=15.0.6.14: C:\Documents and Settings\All Users.WINDOWS\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)

FF - HKLM\Software\MozillaPlugins\@real.com/nprpplugin;version=15.0.6.14: C:\Program Files\Real\RealPlayer\Netscape6\nprpplugin.dll (RealPlayer)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{0153E448-190B-4987-BDE1-F256CADA672F}: C:\Documents and Settings\All Users.WINDOWS\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2012/08/25 03:39:25 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2004/08/04 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (Octh Class) - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll (Orbitdownloader.com)

O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users.WINDOWS\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.

O2 - BHO: (Java Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)

O3 - HKLM\..\Toolbar: (Grab Pro) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll ()

O3 - HKU\Dale.HOMESVILLE_ON_C\..\Toolbar\WebBrowser: (Grab Pro) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll ()

O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)

O4 - HKLM..\Run: [startCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)

O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Real\RealPlayer\update\realsched.exe (RealNetworks, Inc.)

O4 - HKLM..\Run: [update] C:\WINDOWS\system32\wgsdgsdgdsgsd.exe ()

O4 - HKU\Dale.HOMESVILLE_ON_C..\Run: [irociivikcurwyz] File not found

O4 - HKU\Dale.HOMESVILLE_ON_C..\Run: [update] C:\WINDOWS\system32\wgsdgsdgdsgsd.exe ()

O4 - Startup: C:\Documents and Settings\Dale.HOMESVILLE\Start Menu\Programs\Startup\DesktopVideoPlayer.lnk = C:\Documents and Settings\Dale.HOMESVILLE\Local Settings\Application Data\vghd\bin\vghd.exe (Totem Entertainment)

O4 - Startup: C:\Documents and Settings\Dale.HOMESVILLE\Start Menu\Programs\Startup\Dropbox.lnk = File not found

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\Dale.HOMESVILLE_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\LocalService.NT_AUTHORITY_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\NetworkService.NT_AUTHORITY_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - File not found

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)

O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1

O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - HKU\Dale.HOMESVILLE_ON_C Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - HKU\Dale.HOMESVILLE_ON_C Winlogon: Shell - (C:\Documents and Settings\Dale.HOMESVILLE\Application Data\msconfig.dat) - File not found

O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)

O20 - Winlogon\Notify\GoToAssist: DllName - C:\Program Files\Citrix\GoToAssist\570\G2AWinLogon.dll - C:\Program Files\Citrix\GoToAssist\570\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)

O24 - Desktop BackupWallPaper:

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2010/05/12 08:36:10 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O32 - AutoRun File - [2006/03/24 06:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/11/10 15:57:14 | 000,000,000 | ---D | C] -- C:\WINDOWS\Microsoft Antimalware

[2012/11/09 16:42:01 | 000,040,776 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2012/11/05 14:52:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dale.HOMESVILLE\Application Data\RealNetworks

[2012/11/03 08:46:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dale.HOMESVILLE\Desktop\Ebay

[2012/10/21 04:14:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dale.HOMESVILLE\Start Menu\Programs\VirtuaGirl

[2012/10/21 04:14:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dale.HOMESVILLE\Local Settings\Application Data\vghd

[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/11/10 16:05:24 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2012/11/09 16:42:01 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2012/11/09 16:42:01 | 000,000,276 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-2025429265-1532298954-839522115-1004.job

[2012/11/09 16:41:33 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-2025429265-1532298954-839522115-1004.job

[2012/11/09 16:40:15 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job

[2012/11/09 16:40:05 | 000,000,290 | ---- | M] () -- C:\WINDOWS\tasks\Express FilesUpdate.job

[2012/11/09 16:33:41 | 000,158,720 | ---- | M] () -- C:\WINDOWS\System32\wgsdgsdgdsgsd.exe

[2012/11/09 16:25:01 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

[2012/11/08 14:51:11 | 000,059,840 | ---- | M] () -- C:\Documents and Settings\Dale.HOMESVILLE\Desktop\wes.jpg

[2012/11/08 14:36:45 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2012/11/04 09:39:01 | 001,309,126 | ---- | M] () -- C:\Documents and Settings\Dale.HOMESVILLE\Desktop\attachments_2012_11_04.zip

[2012/11/04 05:24:45 | 000,136,192 | ---- | M] () -- C:\Documents and Settings\Dale.HOMESVILLE\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2012/11/03 08:44:48 | 000,175,839 | ---- | M] () -- C:\Documents and Settings\Dale.HOMESVILLE\Desktop\DSCN3879.JPG

[2012/11/03 08:44:48 | 000,121,017 | ---- | M] () -- C:\Documents and Settings\Dale.HOMESVILLE\Desktop\ZM0095DMillward1.pdf

[2012/10/28 02:15:41 | 000,436,026 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2012/10/28 02:15:41 | 000,068,796 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2012/10/23 10:09:32 | 083,023,306 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\gifnocsm.pad

[2012/10/23 05:25:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Malwarebytes' Anti-Malware

[2012/10/23 05:21:01 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat

[2012/10/23 05:20:55 | 083,023,306 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\sqj.pad

[2012/10/21 04:14:40 | 000,001,165 | ---- | M] () -- C:\Documents and Settings\Dale.HOMESVILLE\Start Menu\Programs\Startup\DesktopVideoPlayer.lnk

[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/11/09 16:33:47 | 000,158,720 | ---- | C] () -- C:\WINDOWS\System32\wgsdgsdgdsgsd.exe

[2012/11/08 14:51:49 | 000,059,840 | ---- | C] () -- C:\Documents and Settings\Dale.HOMESVILLE\Desktop\wes.jpg

[2012/11/04 09:38:57 | 001,309,126 | ---- | C] () -- C:\Documents and Settings\Dale.HOMESVILLE\Desktop\attachments_2012_11_04.zip

[2012/11/03 08:45:06 | 000,175,839 | ---- | C] () -- C:\Documents and Settings\Dale.HOMESVILLE\Desktop\DSCN3879.JPG

[2012/11/03 08:45:06 | 000,121,017 | ---- | C] () -- C:\Documents and Settings\Dale.HOMESVILLE\Desktop\ZM0095DMillward1.pdf

[2012/10/23 09:59:57 | 083,023,306 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\gifnocsm.pad

[2012/10/23 05:20:55 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat

[2012/10/23 05:19:58 | 083,023,306 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\sqj.pad

[2012/10/21 04:14:40 | 000,001,165 | ---- | C] () -- C:\Documents and Settings\Dale.HOMESVILLE\Start Menu\Programs\Startup\DesktopVideoPlayer.lnk

[2012/10/06 15:16:33 | 002,359,350 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\rt1.bmp

[2012/10/06 15:16:29 | 000,253,366 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\rt1.png

[2012/10/06 15:14:17 | 002,359,350 | -HS- | C] () -- C:\Documents and Settings\Dale.HOMESVILLE\Application Data\rt1.bmp

[2012/09/29 12:29:07 | 000,069,780 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\aueztifxssetqvq

[2012/09/12 14:52:33 | 000,000,045 | ---- | C] () -- C:\Documents and Settings\Dale.HOMESVILLE\Application Data\msconfig.ini

[2012/05/30 04:03:26 | 000,000,218 | ---- | C] () -- C:\Documents and Settings\Dale.HOMESVILLE\Local Settings\Application Data\recently-used.xbel

[2012/02/16 12:40:03 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll

[2011/12/23 15:58:28 | 000,030,568 | ---- | C] () -- C:\WINDOWS\MusiccityDownload.exe

[2011/02/19 15:40:30 | 000,000,445 | ---- | C] () -- C:\Documents and Settings\Dale.HOMESVILLE\test

[2011/01/04 11:10:56 | 000,974,848 | ---- | C] () -- C:\WINDOWS\System32\cis-2.4.dll

[2011/01/04 11:10:56 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\issacapi_bs-2.3.dll

[2011/01/04 11:10:56 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\issacapi_pe-2.3.dll

[2011/01/04 11:10:56 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\issacapi_se-2.3.dll

[2010/09/25 08:59:33 | 000,000,262 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini

[2010/09/20 01:19:33 | 000,068,640 | ---- | C] () -- C:\WINDOWS\unTMV.exe

[2010/08/30 11:03:07 | 000,136,192 | ---- | C] () -- C:\Documents and Settings\Dale.HOMESVILLE\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2010/08/29 08:04:19 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\YCRWin32.dll

[2010/08/29 07:41:46 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin

[2010/08/29 07:20:50 | 000,593,920 | ---- | C] () -- C:\WINDOWS\System32\ati2sgag.exe

[2010/08/29 07:20:22 | 000,887,724 | ---- | C] () -- C:\WINDOWS\System32\ativva6x.dat

[2010/08/29 07:20:18 | 000,227,587 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat

[2010/08/29 07:20:18 | 000,000,003 | ---- | C] () -- C:\WINDOWS\System32\ativva5x.dat

[2010/08/29 06:39:52 | 000,013,598 | ---- | C] () -- C:\WINDOWS\Ascd_log.ini

[2010/08/29 06:39:30 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys

[2010/08/29 06:39:20 | 000,013,355 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini

[2010/08/29 06:39:20 | 000,010,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS

[2010/08/29 06:29:51 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI

[2010/08/29 06:28:29 | 000,267,800 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2010/08/29 05:58:46 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\Dale.HOMESVILLE\Application Data\$_hpcst$.hpc

[2010/08/29 05:46:58 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat

[2010/08/29 05:40:03 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat

[2008/10/28 12:40:48 | 000,173,552 | ---- | C] () -- C:\WINDOWS\System32\xlive.dll.cat

[2008/07/21 10:14:10 | 000,080,416 | ---- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll

[2004/08/04 07:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin

[2004/08/04 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat

[2004/08/04 07:00:00 | 000,436,026 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat

[2004/08/04 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat

[2004/08/04 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat

[2004/08/04 07:00:00 | 000,068,796 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat

[2004/08/04 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin

[2004/08/04 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat

[2004/08/04 07:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat

[2004/08/04 07:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat

[2004/08/04 07:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin

[2004/08/04 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

========== LOP Check ==========

[2012/09/12 22:48:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Orbit

[2012/09/12 15:40:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\ProgSense

[2012/10/06 23:49:14 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\Administrator\Application Data\System

[2010/08/29 06:00:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dale.HOMESVILLE\Application Data\Acreon

[2012/05/30 06:06:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dale.HOMESVILLE\Application Data\BitLord

[2012/01/15 16:31:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dale.HOMESVILLE\Application Data\BitTorrent

[2012/08/04 09:18:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dale.HOMESVILLE\Application Data\Cyne

[2012/11/09 16:43:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dale.HOMESVILLE\Application Data\Dropbox

[2012/01/15 16:31:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dale.HOMESVILLE\Application Data\Ebcup

[2012/08/04 10:20:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dale.HOMESVILLE\Application Data\ExpressFiles

[2011/03/13 03:56:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dale.HOMESVILLE\Application Data\GrabPro

[2012/08/04 11:24:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dale.HOMESVILLE\Application Data\Isuxuh

[2010/08/29 05:58:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dale.HOMESVILLE\Application Data\Moyea

[2012/11/04 10:13:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dale.HOMESVILLE\Application Data\Orbit

[2011/03/13 03:56:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dale.HOMESVILLE\Application Data\ProgSense

[2012/05/27 04:46:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dale.HOMESVILLE\Application Data\Python-Eggs

[2012/08/03 14:38:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dale.HOMESVILLE\Application Data\Qelyh

[2012/01/09 05:13:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dale.HOMESVILLE\Application Data\Samsung

[2012/10/06 15:16:23 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\Dale.HOMESVILLE\Application Data\System

[2011/11/30 16:58:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dale.HOMESVILLE\Application Data\TS3Client

[2010/08/29 05:58:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dale.HOMESVILLE\Application Data\Uhsy

[2010/08/29 05:58:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dale.HOMESVILLE\Application Data\VDownloader

[2012/01/15 16:24:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dale.HOMESVILLE\Application Data\VS Revo Group

[2012/08/04 11:24:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\036DFF85000808B661CAC4B07B07D329

[2010/08/29 08:33:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Alwil Software

[2012/05/13 16:31:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Battle.net

[2011/01/12 13:37:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Citrix

[2011/06/03 15:41:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Electronic Arts

[2012/09/29 12:29:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\hcyuwvxikhnylwi

[2011/06/03 15:41:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Origin

[2012/11/09 16:40:05 | 000,000,290 | ---- | M] () -- C:\WINDOWS\Tasks\Express FilesUpdate.job

========== Purity Check ==========

< End of report >


OK, basically what we want to do is copy the text that's in the code box into the Custom Scans/Fixes box of OTLPE.

Here's how to do that:

Copy the text in the code box into notepad and save it.

:OTL
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O4 - HKLM..\Run: [Update] C:\WINDOWS\system32\wgsdgsdgdsgsd.exe ()
O4 - HKU\Dale.HOMESVILLE_ON_C..\Run: [irociivikcurwyz] File not found
O4 - HKU\Dale.HOMESVILLE_ON_C..\Run: [Update] C:\WINDOWS\system32\wgsdgsdgdsgsd.exe ()
[2012/11/09 16:33:41 | 000,158,720 | ---- | M] () -- C:\WINDOWS\System32\wgsdgsdgdsgsd.exe
[2012/09/29 12:29:07 | 000,069,780 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\aueztifxssetqvq

Copy it to your flash drive

Boot the computer up using the OTLPE disk

Run OTLPE

Plug in the flash drive

Drag the notepad text to the desktop

Open it up and copy and paste the text into Custom Scans/Fixes

Then click the Run Fix button at the top

Copy and paste the log back here.

Computer should boot now, MrC

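Added example, not from the thread or from OTL itself: a small Python triage script that parses the kinds of OTL log lines shown above and flags the three things MrC's fix targets, a Run entry whose target is missing, a Run entry or recent file with no company name sitting in the Windows directory, and a Winlogon Shell value that is not explorer.exe. The sample lines are copied from the log posted in this thread; the regexes and the `to_otl_fix` helper are my own assumptions about OTL's line format, not OTL code.

```python
"""Flag suspicious autorun, Winlogon Shell and recent-file lines in an OTL log.

Added example for this thread; the regexes below are an assumption about
OTL's line format based only on the lines visible in the posted log.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines copied from the OTL log posted above.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)
O4 - HKLM..\Run: [update] C:\WINDOWS\system32\wgsdgsdgdsgsd.exe ()
O4 - HKU\Dale.HOMESVILLE_ON_C..\Run: [irociivikcurwyz] File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKU\Dale.HOMESVILLE_ON_C Winlogon: Shell - (C:\Documents and Settings\Dale.HOMESVILLE\Application Data\msconfig.dat) - File not found
[2012/11/09 16:33:41 | 000,158,720 | ---- | M] () -- C:\WINDOWS\System32\wgsdgsdgdsgsd.exe
[2012/11/09 16:42:01 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
"""

# O4 - <hive>..\Run: [<value name>] <path> (<company>)   or   ... File not found
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<rest>.*)$")
# O20 - <hive> Winlogon: Shell - (<value>) - <resolved path or File not found>
SHELL_RE = re.compile(r"^O20 - (?P<hive>.+?) Winlogon: Shell - \((?P<value>[^)]*)\) - (?P<rest>.*)$")
# [<date> | <size> | <attrs> | C|M] (<company>) -- <path>
FILE_RE = re.compile(
    r"^\[(?P<when>[^|]+?) \| (?P<size>[\d,]+) \| (?P<attrs>\S+) \| (?P<kind>[CM])\] "
    r"\((?P<company>[^()]*)\) -- (?P<path>.*)$"
)
# Split the trailing "(company)" off a Run entry's path.
PATH_CO_RE = re.compile(r"^(?P<path>.*) \((?P<company>[^()]*)\)$")

SYSTEM_DIRS = ("c:\\windows\\",)
BINARY_EXT = (".exe", ".dll", ".sys")


@dataclass
class Finding:
    reason: str
    line: str


def is_system_binary(path: str) -> bool:
    """True for an executable, DLL or driver under C:\\WINDOWS."""
    p = path.lower()
    return p.startswith(SYSTEM_DIRS) and p.endswith(BINARY_EXT)


def triage(log_text: str) -> List[Finding]:
    """Return the log lines an analyst should look at, with the reason."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            rest = m.group("rest")
            if rest == "File not found":
                # Orphan autorun: the value points at a file that no longer exists.
                findings.append(Finding("orphan Run entry (target missing)", line))
                continue
            pc = PATH_CO_RE.match(rest)
            if pc and not pc.group("company") and is_system_binary(pc.group("path")):
                findings.append(Finding("Run entry: no company name, binary in Windows dir", line))
            continue
        m = SHELL_RE.match(line)
        if m:
            # Anything other than explorer.exe as the shell replaces the desktop at logon.
            if m.group("value").lower() != "explorer.exe":
                findings.append(Finding("Winlogon Shell replaced", line))
            continue
        m = FILE_RE.match(line)
        if m and not m.group("company") and is_system_binary(m.group("path")):
            findings.append(Finding("recent file: no company name, binary in Windows dir", line))
    return findings


def to_otl_fix(findings: List[Finding]) -> str:
    """Render reviewed findings in the ':OTL' block layout used in this thread."""
    return ":OTL\n" + "".join(f.line + "\n" for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}: {f.line}")
```

The output is a review list, not a fix to paste blindly: the no-company heuristic also hits harmless entries such as the ASACPI.sys driver in this log, so each flagged line still needs a human decision before it goes into Custom Scans/Fixes.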

Error: Unable to interpret <:OTLO2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.O4 - HKLM..\Run: [update] C:\WINDOWS\system32\wgsdgsdgdsgsd.exe ()O4 - HKU\Dale.HOMESVILLE_ON_C..\Run: [irociivikcurwyz] File not foundO4 - HKU\Dale.HOMESVILLE_ON_C..\Run: [update] C:\WINDOWS\system32\wgsdgsdgdsgsd.exe ()[2012/11/09 16:33:41 | 000,158,720 | ---- | M] () -- C:\WINDOWS\System32\wgsdgsdgdsgsd.exe[2012/09/29 12:29:07 | 000,069,780 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\aueztifxssetqvq> in the current context!

OTLPE by OldTimer - Version 3.1.48.0 log created on 11112012_193105


You didn't copy it in correctly, it has to look exactly like this in the Custom Scans/Fixes:

:OTL

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.

O4 - HKLM..\Run: [update] C:\WINDOWS\system32\wgsdgsdgdsgsd.exe ()

O4 - HKU\Dale.HOMESVILLE_ON_C..\Run: [irociivikcurwyz] File not found

O4 - HKU\Dale.HOMESVILLE_ON_C..\Run: [update] C:\WINDOWS\system32\wgsdgsdgdsgsd.exe ()

[2012/11/09 16:33:41 | 000,158,720 | ---- | M] () -- C:\WINDOWS\System32\wgsdgsdgdsgsd.exe

[2012/09/29 12:29:07 | 000,069,780 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\aueztifxssetqvq

Try it again, MrC


========== OTL ==========

Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Update deleted successfully.

C:\WINDOWS\system32\wgsdgsdgdsgsd.exe moved successfully.

Registry value HKEY_USERS\Dale.HOMESVILLE_ON_C\Software\Microsoft\Windows\CurrentVersion\Run\\irociivikcurwyz deleted successfully.

Registry value HKEY_USERS\Dale.HOMESVILLE_ON_C\Software\Microsoft\Windows\CurrentVersion\Run\\Update deleted successfully.

File C:\WINDOWS\system32\wgsdgsdgdsgsd.exe not found.

File C:\WINDOWS\System32\wgsdgsdgdsgsd.exe not found.

C:\Documents and Settings\All Users.WINDOWS\Application Data\aueztifxssetqvq moved successfully.

OTLPE by OldTimer - Version 3.1.48.0 log created on 11112012_200622


See if you can do this...

Please create a new system restore point before running Malwarebytes Anti-Malware.

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.

more-reply-options.jpg

New window that comes up.

choose-files1.jpg

MrC
