
MoneyPak Virus



I was infected with a new variant of this ransomware yesterday.

Let me just say this one is one tough SOB.

I am not able to access safe mode w/ networking or safe mode via command prompt.

Ransomware kicked in before I typed in 'explorer'.

I can access another user account but that account does not have admin rights.

I also have a Windows XP CD but would like to remove the virus without doing a repair install.

Any ideas?

hogrules


Welcome to the forum.

This will work if you have a good system restore point:

Step 1: Use F8 to Boot to SafeMode With Command Prompt

Step 2: Type the word explorer in black screen > enter

Step 3: Then Navigate to:

Win XP: C:\windows\system32\restore\rstrui.exe and press Enter (double click rstrui.exe)

Step 4: Restore Computer to Date you know you were virus free

Let me know.....MrC


You'll need a USB flash drive and be able to burn a CD.

The CD I would like you to create is OTLPE:

Download OTLPE from here or here

Now put a blank CD-R in your burner and double click on OTLPEStd.exe, it will automatically burn the CD. (burn it at a slow speed to avoid errors)

Once you have the CD, boot the computer up using it.

Note : If you do not know how to set your computer to boot from CD follow the steps here

It's going to go something like this when OTLPE loads:

  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start.
  • Under the Custom Scan box paste this in:
    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    /md5start
    explorer.exe
    winlogon.exe
    userinit.exe
    /md5stop
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the C:\OTL.txt file in your reply.

MrC


OTL logfile created on: 12/26/2012 10:18:55 AM - Run

OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE

Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 87.00% Memory free

2.00 Gb Paging File | 2.00 Gb Available in Paging File | 95.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 74.52 Gb Total Space | 34.26 Gb Free Space | 45.97% Space Free | Partition Type: NTFS

Drive X: | 284.12 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO | User Name: SYSTEM

Boot Mode: Normal | Scan Mode: All users

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand] -- -- (AppMgmt)

SRV - [2012/12/26 00:38:00 | 000,206,200 | ---- | M] (Корпорация Майкрософт) [Auto] -- C:\Documents and Settings\Heber & Carmen\wgsdgsdgdsgsd.exe -- (winmgmt)

SRV - [2012/10/31 15:52:30 | 000,464,256 | ---- | M] (IObit) [Auto] -- C:\Program Files\IObit\Advanced SystemCare 6\ASCService.exe -- (AdvancedSystemCareService6)

SRV - [2012/10/30 18:50:59 | 000,044,808 | ---- | M] (AVAST Software) [Auto] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)

SRV - [2012/05/04 18:29:46 | 000,161,664 | ---- | M] (Oracle Corporation) [Auto] -- C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe -- (JavaQuickStarterService)

SRV - [2012/01/09 19:17:44 | 000,821,592 | ---- | M] (IObit) [Auto] -- C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe -- (IMFservice)

SRV - [2011/05/08 23:18:34 | 000,822,424 | ---- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- (Symantec Core LC)

SRV - [2011/03/31 15:08:14 | 000,080,896 | ---- | M] () [Auto] -- C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe -- (PassThru Service)

SRV - [2009/02/06 17:02:14 | 000,109,056 | ---- | M] (ArcSoft Inc.) [Disabled] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)

SRV - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Disabled] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)

SRV - [2005/09/09 18:09:28 | 002,066,024 | ---- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Norton Ghost\Agent\VProSvc.exe -- (Norton Ghost)

SRV - [2005/09/09 18:09:10 | 000,053,248 | ---- | M] (GEAR Software) [Auto] -- C:\WINDOWS\system32\gearsec.exe -- (GEARSecurity)

SRV - [2004/12/13 14:30:10 | 000,165,488 | ---- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)

SRV - [2004/12/13 14:30:08 | 000,079,472 | ---- | M] (Symantec Corporation) [On_Demand] -- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe -- (ccPwdSvc)

SRV - [2004/12/13 14:30:04 | 000,198,256 | ---- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WINIO)

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)

DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)

DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)

DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)

DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)

DRV - File not found [Kernel | System] -- -- (PCIDump)

DRV - File not found [Kernel | System] -- -- (lbrtfdc)

DRV - File not found [Kernel | System] -- -- (i2omgmt)

DRV - File not found [Kernel | System] -- -- (Changer)

DRV - [2012/10/30 18:51:58 | 000,738,504 | ---- | M] (AVAST Software) [File_System | System] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)

DRV - [2012/10/30 18:51:58 | 000,361,032 | ---- | M] (AVAST Software) [Kernel | System] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)

DRV - [2012/10/30 18:51:58 | 000,054,232 | ---- | M] (AVAST Software) [Kernel | System] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)

DRV - [2012/10/30 18:51:58 | 000,035,928 | ---- | M] (AVAST Software) [Kernel | System] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)

DRV - [2012/10/30 18:51:57 | 000,097,608 | ---- | M] (AVAST Software) [File_System | Auto] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)

DRV - [2012/10/30 18:51:56 | 000,025,256 | ---- | M] (AVAST Software) [Kernel | System] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)

DRV - [2012/10/30 18:51:56 | 000,021,256 | ---- | M] (AVAST Software) [File_System | Auto] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)

DRV - [2012/08/29 01:24:50 | 000,181,344 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ssudmdm.sys -- (ssudmdm) SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.)

DRV - [2012/08/29 01:24:50 | 000,083,168 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ssudbus.sys -- (dg_ssudbus) SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.)

DRV - [2012/01/05 17:07:40 | 000,246,816 | ---- | M] (IObit) [File_System | On_Demand] -- C:\Program Files\IObit\IObit Malware Fighter\Drivers\wxp_x86\FileMonitor.sys -- (FileMonitor)

DRV - [2011/05/08 23:19:03 | 000,004,608 | ---- | M] (Symantec Corporation) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\symlcbrd.sys -- (symlcbrd)

DRV - [2010/06/22 17:01:50 | 000,021,248 | ---- | M] (Windows ® Win 7 DDK provider) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\htcnprot.sys -- (htcnprot)

DRV - [2009/10/05 09:08:42 | 000,065,584 | ---- | M] (Citrix Systems, Inc.) [Kernel | System] -- C:\WINDOWS\system32\drivers\ctxusbm.sys -- (ctxusbm)

DRV - [2009/06/09 23:49:32 | 000,024,576 | ---- | M] (HTC, Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ANDROIDUSB.sys -- (HTCAND32)

DRV - [2009/02/19 14:22:52 | 000,127,744 | ---- | M] () [Kernel | System] -- C:\WINDOWS\system32\drivers\ArcHlp.sys -- (archlp)

DRV - [2007/11/06 13:22:00 | 000,036,224 | ---- | M] (ArcSoft Inc.) [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\ArcCD.sys -- (ArcCD)

DRV - [2007/04/25 08:55:02 | 000,134,912 | ---- | M] (ArcSoft Inc.) [File_System | Disabled] -- C:\WINDOWS\System32\drivers\ArcUdfs.sys -- (ArcUdfs)

DRV - [2007/04/24 11:33:50 | 000,007,680 | ---- | M] (ArcSoft Inc.) [Recognizer | System] -- C:\WINDOWS\System32\drivers\ArcRec.sys -- (ArcRec)

DRV - [2007/02/10 22:55:50 | 000,013,824 | ---- | M] (A4Tech Co.,Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Amusbprt.sys -- (Amusbprt)

DRV - [2007/01/24 16:46:48 | 000,008,704 | ---- | M] (A4Tech Co.,Ltd.) [Kernel | System] -- C:\WINDOWS\system32\drivers\Amfilter.sys -- (Amfilter)

DRV - [2006/11/02 07:00:08 | 000,039,368 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\winusb.sys -- (WinUSB)

DRV - [2006/05/19 14:44:52 | 003,965,056 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\alcxwdm.sys -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)

DRV - [2005/09/09 18:09:20 | 000,144,832 | ---- | M] (StorageCraft) [File_System | Boot] -- C:\WINDOWS\System32\drivers\SymSnap.sys -- (SymSnap)

DRV - [2005/09/09 18:09:20 | 000,056,192 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\WINDOWS\System32\drivers\V2iMount.sys -- (V2IMount)

DRV - [2005/03/16 01:23:54 | 000,013,696 | R--- | M] (BIOSTAR Group) [Kernel | System] -- C:\WINDOWS\system32\drivers\BIOS.sys -- (BIOS)

DRV - [2005/02/23 14:58:56 | 000,011,776 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)

DRV - [2001/08/17 08:28:12 | 000,488,383 | ---- | M] (Conexant) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\HSF_V124.sys -- (V124)

DRV - [2001/08/17 08:28:12 | 000,050,751 | ---- | M] (Conexant) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\HSF_TONE.sys -- (Tones)

DRV - [2001/08/17 08:28:10 | 000,542,879 | ---- | M] (Conexant) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSF_MSFT.sys -- (hsf_msft)

DRV - [2001/08/17 08:28:10 | 000,057,471 | ---- | M] (Conexant) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSF_SAMP.sys -- (Rksample)

DRV - [2001/08/17 08:28:08 | 000,391,199 | ---- | M] (Conexant) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\HSF_K56K.sys -- (K56)

DRV - [2001/08/17 08:28:06 | 000,289,887 | ---- | M] (Conexant) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\HSF_FALL.sys -- (Fallback)

DRV - [2001/08/17 08:28:06 | 000,199,711 | ---- | M] (Conexant) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\HSF_FAXX.sys -- (SoftFax)

DRV - [2001/08/17 08:28:06 | 000,115,807 | ---- | M] (Conexant) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\HSF_FSKS.sys -- (Fsks)

DRV - [2001/08/17 08:28:04 | 000,067,167 | ---- | M] (Conexant) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSF_BSC2.sys -- (basic2)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKU\.DEFAULT\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTNavAssist.dll (Yahoo! Inc.)

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp

IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 22 89 D3 0A 2D E3 CD 01 [binary data]

IE - HKU\Administrator_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Heber_&_Carmen_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

IE - HKU\Heber_&_Carmen_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp

IE - HKU\Heber_&_Carmen_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us

IE - HKU\Heber_&_Carmen_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 50 1D 09 79 F2 2C CC 01 [binary data]

IE - HKU\Heber_&_Carmen_ON_C\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTNavAssist.dll (Yahoo! Inc.)

IE - HKU\Heber_&_Carmen_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\House_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/

IE - HKU\House_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us

IE - HKU\House_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = AA 22 26 82 2D 17 CC 01 [binary data]

IE - HKU\House_ON_C\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTNavAssist.dll (Yahoo! Inc.)

IE - HKU\House_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\LocalService_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\NetworkService_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\systemprofile_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.5.1: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.5.1: C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll (Oracle Corporation)

FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@mozilla.zeniko.ch/PDFlite_Browser_Plugin:

FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=15.0.6.14: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)

FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=15.0.6.14: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)

FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=15.0.6.14: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)

FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=15.0.6.14: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)

FF - HKLM\Software\MozillaPlugins\@real.com/nprpplugin;version=15.0.6.14: C:\Program Files\Real\RealPlayer\Netscape6\nprpplugin.dll (RealPlayer)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011/05/08 10:53:27 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2012/06/28 20:59:47 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: ::1 localhost

O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)

O2 - BHO: (Java Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll (Oracle Corporation)

O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)

O2 - BHO: (Java Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll (Oracle Corporation)

O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)

O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)

O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)

O3 - HKU\Heber_&_Carmen_ON_C\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.

O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)

O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)

O4 - HKLM..\Run: [ConnectionCenter] C:\Program Files\Citrix\ICA Client\concentr.exe (Citrix Systems, Inc.)

O4 - HKLM..\Run: [hpbdfawep] C:\program files\hp\dfawep\bin\hpbdfawep.exe ()

O4 - HKLM..\Run: [Norton Ghost 10.0] C:\Program Files\Norton Ghost\Agent\GhostTray.exe (Symantec Corporation)

O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)

O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation)

O4 - HKLM..\Run: [screenPrint32] C:\program files\screenprint32 v3\screenprint32.exe (Provtech Limited)

O4 - HKLM..\Run: [soundMan] C:\WINDOWS\soundman.exe (Realtek Semiconductor Corp.)

O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Real\RealPlayer\update\realsched.exe (RealNetworks, Inc.)

O4 - HKLM..\Run: [WheelMouse] C:\Program Files\A4Tech\Mouse\Amoumain.exe (A4Tech Co.,Ltd.)

O4 - HKU\Heber_&_Carmen_ON_C..\Run: [Advanced SystemCare 6] C:\Program Files\IObit\Advanced SystemCare 6\ASCTray.exe (IObit)

O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\runctf.lnk = X:\I386\SYSTEM32\RUNDLL32.EXE (Microsoft Corporation)

O4 - Startup: C:\Documents and Settings\Heber & Carmen\Start Menu\Programs\Startup\runctf.lnk = X:\I386\SYSTEM32\RUNDLL32.EXE (Microsoft Corporation)

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\Heber_&_Carmen_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\House_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\systemprofile_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O9 - Extra Button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)

O9 - Extra 'Tools' menuitem : ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)

O9 - Extra 'Tools' menuitem : ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1304731960171 (WUWebControl Class)

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1341462410755 (MUWebControl Class)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)

O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)

O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 208.59.247.45 208.59.247.46 192.168.1.1

O18 - Protocol\Filter\application/x-ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)

O18 - Protocol\Filter\ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2011/05/06 20:24:44 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O32 - AutoRun File - [2006/03/24 06:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found

NetSvcs: AppMgmt - File not found

NetSvcs: Ias - File not found

NetSvcs: Iprip - File not found

NetSvcs: Irmon - File not found

NetSvcs: NWCWorkstation - File not found

NetSvcs: Nwsapagent - File not found

NetSvcs: WmdmPmSp - File not found

NetSvcs: winmgmt - C:\Documents and Settings\Heber & Carmen\wgsdgsdgdsgsd.exe (Корпорация Майкрософт)

Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)

Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)

Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)

Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)

Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()

Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()

========== Files/Folders - Created Within 30 Days ==========

[2012/12/26 01:16:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\House\Application Data\Malwarebytes

[2012/12/26 01:15:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\House\Application Data\ICAClient

[2012/12/26 01:15:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\House\Local Settings\Application Data\Citrix

[2012/12/26 01:15:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\House\Application Data\Real

[2012/12/26 00:57:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\House\Local Settings\Application Data\ApplicationHistory

[2012/12/26 00:51:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Adobe

[2012/12/26 00:51:28 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\PrivacIE

[2012/12/26 00:51:19 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\IETldCache

[2012/12/26 00:51:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft

[2012/12/26 00:51:05 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Administrator\Application Data\Microsoft

[2012/12/26 00:51:05 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup

[2012/12/26 00:51:05 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Start Menu

[2012/12/26 00:51:05 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\SendTo

[2012/12/26 00:51:05 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Application Data

[2012/12/26 00:51:05 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories

[2012/12/26 00:51:05 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\Cookies

[2012/12/26 00:51:05 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Local Settings

[2012/12/26 00:51:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Templates

[2012/12/26 00:51:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Recent

[2012/12/26 00:51:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\PrintHood

[2012/12/26 00:51:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\NetHood

[2012/12/26 00:51:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents

[2012/12/26 00:51:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Macromedia

[2012/12/26 00:51:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Favorites

[2012/12/26 00:51:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop

[2012/12/26 00:38:00 | 000,206,200 | ---- | C] (Корпорация Майкрософт) -- C:\Documents and Settings\Heber & Carmen\wgsdgsdgdsgsd.exe

[2012/12/25 23:14:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Heber & Carmen\Desktop\DCIM

[2012/12/25 22:58:33 | 000,181,344 | ---- | C] (DEVGURU Co., LTD.(www.devguru.co.kr)) -- C:\WINDOWS\System32\drivers\ssudmdm.sys

[2012/12/25 22:58:32 | 000,083,168 | ---- | C] (DEVGURU Co., LTD.(www.devguru.co.kr)) -- C:\WINDOWS\System32\drivers\ssudbus.sys

[2012/12/25 22:57:34 | 000,000,000 | ---D | C] -- C:\Program Files\SAMSUNG

[2012/12/25 22:56:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Samsung

[2012/12/25 22:50:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Heber & Carmen\Desktop\New Folder

[2012/12/18 12:11:01 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Heber & Carmen\Recent

[2012/12/17 23:57:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Heber & Carmen\My Documents\Easton

========== Files - Modified Within 30 Days ==========

[2012/12/26 08:43:12 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2012/12/26 08:42:11 | 000,000,902 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

[2012/12/26 01:44:50 | 095,023,320 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\dsgsdgdsgdsgw.pad

[2012/12/26 01:41:18 | 000,000,364 | -H-- | M] () -- C:\WINDOWS\tasks\avast! Emergency Update.job

[2012/12/26 01:40:32 | 000,000,296 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-2025429265-1960408961-839522115-1004.job

[2012/12/26 01:39:57 | 000,000,898 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job

[2012/12/26 01:39:53 | 000,000,448 | ---- | M] () -- C:\WINDOWS\tasks\RNUpgradeHelperLogonPrompt_Heber & Carmen.job

[2012/12/26 01:24:40 | 000,000,304 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-2025429265-1960408961-839522115-1004.job

[2012/12/26 01:01:43 | 000,003,031 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\dsgsdgdsgdsgw.js

[2012/12/26 01:01:43 | 000,000,790 | ---- | M] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\runctf.lnk

[2012/12/26 00:57:55 | 000,000,128 | ---- | M] () -- C:\Documents and Settings\House\Local Settings\Application Data\fusioncache.dat

[2012/12/26 00:56:24 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2012/12/26 00:47:02 | 000,001,014 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-1960408961-839522115-1004UA.job

[2012/12/26 00:45:03 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat

[2012/12/26 00:38:04 | 000,000,790 | ---- | M] () -- C:\Documents and Settings\Heber & Carmen\Start Menu\Programs\Startup\runctf.lnk

[2012/12/26 00:38:00 | 000,206,200 | ---- | M] (Корпорация Майкрософт) -- C:\Documents and Settings\Heber & Carmen\wgsdgsdgdsgsd.exe

[2012/12/25 18:52:01 | 000,000,438 | ---- | M] () -- C:\WINDOWS\tasks\ReclaimerUpdateXML_Heber & Carmen.job

[2012/12/25 13:48:02 | 000,000,442 | ---- | M] () -- C:\WINDOWS\tasks\ReclaimerUpdateFiles_Heber & Carmen.job

[2012/12/25 06:47:00 | 000,000,962 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-1960408961-839522115-1004Core.job

[2012/12/23 15:44:02 | 000,000,210 | ---- | M] () -- C:\Documents and Settings\Heber & Carmen\Desktop\Yahoo! Mail.url

[2012/12/23 11:47:34 | 000,002,479 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Word.lnk

[2012/12/22 16:10:17 | 000,137,256 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2012/12/19 13:52:30 | 000,107,661 | ---- | M] () -- C:\Documents and Settings\Heber & Carmen\My Documents\2725_Chestnut_Ln 121612[1].pdf

[2012/12/17 23:41:46 | 003,775,379 | ---- | M] () -- C:\Documents and Settings\NetworkService\My Documents\Charlie.pdf

[2012/12/16 07:23:59 | 000,290,560 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\dllcache\atmfd.dll

[2012/12/16 07:23:59 | 000,290,560 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\atmfd.dll

[2012/12/13 18:38:27 | 000,002,469 | ---- | M] () -- C:\Documents and Settings\Heber & Carmen\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Streets & Trips 2010.lnk

[2012/12/12 17:54:23 | 000,002,351 | ---- | M] () -- C:\Documents and Settings\Heber & Carmen\Desktop\Google Chrome.lnk

[2012/12/12 17:54:23 | 000,002,329 | ---- | M] () -- C:\Documents and Settings\Heber & Carmen\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk

========== Files Created - No Company Name ==========

[2012/12/26 01:01:43 | 000,000,790 | ---- | C] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\runctf.lnk

[2012/12/26 00:57:55 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\House\Local Settings\Application Data\fusioncache.dat

[2012/12/26 00:51:05 | 000,001,599 | ---- | C] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Remote Assistance.lnk

[2012/12/26 00:51:05 | 000,000,792 | ---- | C] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Windows Media Player.lnk

[2012/12/26 00:45:03 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat

[2012/12/26 00:38:04 | 000,003,031 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\dsgsdgdsgdsgw.js

[2012/12/26 00:38:04 | 000,000,790 | ---- | C] () -- C:\Documents and Settings\Heber & Carmen\Start Menu\Programs\Startup\runctf.lnk

[2012/12/26 00:38:00 | 095,023,320 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\dsgsdgdsgdsgw.pad

[2012/12/19 13:52:30 | 000,107,661 | ---- | C] () -- C:\Documents and Settings\Heber & Carmen\My Documents\2725_Chestnut_Ln 121612[1].pdf

[2012/12/17 23:41:46 | 003,775,379 | ---- | C] () -- C:\Documents and Settings\NetworkService\My Documents\Charlie.pdf

[2012/12/15 18:43:01 | 000,000,448 | ---- | C] () -- C:\WINDOWS\tasks\RNUpgradeHelperLogonPrompt_Heber & Carmen.job

[2012/12/15 18:43:00 | 000,000,442 | ---- | C] () -- C:\WINDOWS\tasks\ReclaimerUpdateFiles_Heber & Carmen.job

[2012/12/15 18:43:00 | 000,000,438 | ---- | C] () -- C:\WINDOWS\tasks\ReclaimerUpdateXML_Heber & Carmen.job

[2012/07/03 11:49:26 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\unredmon.exe

[2012/07/03 11:49:25 | 000,116,224 | ---- | C] () -- C:\WINDOWS\System32\redmonnt.dll

[2012/02/16 21:09:05 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll

[2012/01/31 16:41:17 | 000,127,744 | ---- | C] () -- C:\WINDOWS\System32\drivers\ArcHlp.sys

[2011/11/17 13:14:30 | 000,489,444 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-2025429265-1960408961-839522115-1004-0.dat

[2011/11/17 13:14:29 | 000,125,066 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat

[2011/11/16 11:44:59 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iplayer.INI

[2011/10/31 02:51:55 | 000,061,952 | ---- | C] () -- C:\Documents and Settings\Heber & Carmen\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2011/05/08 23:27:06 | 000,000,137 | ---- | C] () -- C:\Documents and Settings\Heber & Carmen\Local Settings\Application Data\fusioncache.dat

[2011/05/08 12:22:26 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\HPPLVS.dll

[2011/05/08 10:45:22 | 000,206,322 | ---- | C] () -- C:\WINDOWS\hpoins49.dat

[2011/05/08 10:45:22 | 000,001,241 | ---- | C] () -- C:\WINDOWS\hpomdl49.dat

[2011/05/08 09:39:27 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2011/05/06 23:42:23 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe

[2011/05/06 23:41:39 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll

[2011/05/06 20:41:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat

[2011/05/06 20:26:20 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat

[2011/05/06 20:21:39 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat

[2011/05/06 16:11:28 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI

[2011/05/06 16:10:15 | 000,137,256 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2007/07/26 11:01:50 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\hppatusg01.dll

[2004/09/17 16:37:42 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll

[2002/08/29 07:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin

[2002/08/29 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat

[2002/08/29 07:00:00 | 000,481,000 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat

[2002/08/29 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat

[2002/08/29 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat

[2002/08/29 07:00:00 | 000,079,074 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat

[2002/08/29 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin

[2002/08/29 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat

[2002/08/29 07:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat

[2002/08/29 07:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin

[2002/08/29 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

[1999/12/21 10:52:36 | 000,000,019 | ---- | C] () -- C:\WINDOWS\System32\Cnc.ini

[1999/10/21 04:26:02 | 000,282,112 | ---- | C] () -- C:\WINDOWS\System32\Cncs232.dll

[1999/10/21 04:22:52 | 000,250,960 | ---- | C] () -- C:\WINDOWS\System32\CNCS216.DLL

[1999/01/22 13:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== LOP Check ==========

[2012/11/07 23:35:11 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\config\systemprofile\Application Data\IObit

[2012/06/28 17:27:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Heber & Carmen\Application Data\Catalina Marketing Corp

[2011/11/19 15:39:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Heber & Carmen\Application Data\DVD Catalyst 4

[2012/01/09 19:46:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Heber & Carmen\Application Data\Garmin

[2011/09/27 16:26:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Heber & Carmen\Application Data\ICAClient

[2011/05/09 08:19:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Heber & Carmen\Application Data\ieSpell

[2012/11/07 23:23:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Heber & Carmen\Application Data\IObit

[2012/06/28 17:40:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Heber & Carmen\Application Data\Oracle

[2012/07/03 13:42:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Heber & Carmen\Application Data\Softland

[2011/05/08 11:02:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Heber & Carmen\Application Data\Visan

[2012/12/26 01:15:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\House\Application Data\ICAClient

[2012/12/26 01:14:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\House\Application Data\IObit

[2012/07/03 13:42:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Softland

[2011/05/06 23:53:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVAST Software

[2012/09/15 09:09:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Cisco Systems

[2011/09/27 16:18:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Citrix

[2011/11/17 01:38:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Freemake

[2012/12/05 10:01:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IObit

[2012/01/31 16:49:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LightScribe

[2012/12/25 22:56:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Samsung

[2011/05/08 11:02:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Visan

[2012/12/26 01:41:18 | 000,000,364 | -H-- | M] () -- C:\WINDOWS\Tasks\avast! Emergency Update.job

[2012/11/07 21:24:11 | 000,000,286 | ---- | M] () -- C:\WINDOWS\Tasks\prismDowngrade.job

[2012/11/13 21:24:02 | 000,000,286 | ---- | M] () -- C:\WINDOWS\Tasks\prismShakeIcon.job

[2012/12/25 13:48:02 | 000,000,442 | ---- | M] () -- C:\WINDOWS\Tasks\ReclaimerUpdateFiles_Heber & Carmen.job

[2012/12/25 18:52:01 | 000,000,438 | ---- | M] () -- C:\WINDOWS\Tasks\ReclaimerUpdateXML_Heber & Carmen.job

[2012/12/26 01:39:53 | 000,000,448 | ---- | M] () -- C:\WINDOWS\Tasks\RNUpgradeHelperLogonPrompt_Heber & Carmen.job

========== Purity Check ==========

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.* >

[2011/05/06 23:42:37 | 000,000,032 | ---- | M] () -- C:\ALCSetup.log

[2011/05/06 20:24:44 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT

[2012/01/31 17:36:16 | 000,000,211 | -HS- | M] () -- C:\boot.ini

[2011/05/06 20:24:44 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS

[2011/05/06 20:24:44 | 000,000,000 | R-S- | M] () -- C:\IO.SYS

[2011/05/06 20:24:44 | 000,000,000 | R-S- | M] () -- C:\MSDOS.SYS

[2011/05/06 20:45:14 | 000,047,564 | R-S- | M] () -- C:\NTDETECT.COM

[2011/05/06 22:45:40 | 000,250,048 | RHS- | M] () -- C:\ntldr

[2012/12/26 08:41:19 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys

[2011/10/06 15:25:13 | 019,339,008 | ---- | M] () -- C:\rootevo4ggingerbread.zip

[2012/07/05 00:05:05 | 000,004,096 | -HS- | M] () -- C:\VSNAP.IDX

< MD5 for: EXPLORER.EXE >

[2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe

[2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe

[2004/08/04 02:56:49 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe

< MD5 for: USERINIT.EXE >

[2004/08/04 02:56:57 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\$NtServicePackUninstall$\userinit.exe

[2008/04/13 19:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe

[2008/04/13 19:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe

< MD5 for: WINLOGON.EXE >

[2004/08/04 02:56:57 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe

[2012/09/29 18:54:26 | 000,218,184 | ---- | M] () MD5=8846E87210AD131CF71E3E2E49F647B0 -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe

[2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe

[2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

< End of report >


OK, basically what we want to do is copy the text that's in the code box into the Custom Scans/Fixes box of OTLPE

Here's how to do that:

Copy the text in bold into notepad and save it:

:OTL

SRV - File not found [On_Demand] -- -- (AppMgmt)

SRV - [2012/12/26 00:38:00 | 000,206,200 | ---- | M] (Корпорация Майкрософт) [Auto] -- C:\Documents and Settings\Heber & Carmen\wgsdgsdgdsgsd.exe -- (winmgmt)

O3 - HKU\Heber_&_Carmen_ON_C\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

NetSvcs: winmgmt - C:\Documents and Settings\Heber & Carmen\wgsdgsdgdsgsd.exe (Корпорация Майкрософт)

[2012/12/26 00:38:00 | 000,206,200 | ---- | C] (Корпорация Майкрософт) -- C:\Documents and Settings\Heber & Carmen\wgsdgsdgdsgsd.exe

[2012/12/26 01:44:50 | 095,023,320 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\dsgsdgdsgdsgw.pad

[2012/12/26 01:01:43 | 000,003,031 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\dsgsdgdsgdsgw.js

[2012/12/26 01:01:43 | 000,000,790 | ---- | M] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\runctf.lnk

[2012/12/26 00:38:00 | 000,206,200 | ---- | M] (Корпорация Майкрософт) -- C:\Documents and Settings\Heber & Carmen\wgsdgsdgdsgsd.exe

[2012/12/26 00:38:04 | 000,003,031 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\dsgsdgdsgdsgw.js

[2012/12/26 00:38:04 | 000,000,790 | ---- | C] () -- C:\Documents and Settings\Heber & Carmen\Start Menu\Programs\Startup\runctf.lnk

[2012/12/26 00:38:00 | 095,023,320 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\dsgsdgdsgdsgw.pad

Copy it to your flash drive

Boot the computer up using the OTLPE disk

Run OTLPE

Plug in the flash drive

Drag the notepad text to the desktop

Open it up and copy and paste the text into Custom Scans/Fixes

Then click the Run Fix button at the top

Copy and paste the log back here. MrC

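To show how entries like the ones above get singled out for the fix script, here is an added example that is not OTL's or the forum's code: a small Python triage script that parses OTL entry lines, compares each live system binary's MD5 with its ServicePackFiles copy (the point of the /md5start custom scan), and flags the traits the fix targets (an executable at a user-profile root, a non-ASCII vendor string, a loose script or data file under All Users\Application Data, and a Startup .lnk created alongside them). The sample log is constructed from lines in this thread, plus one explorer.exe line given a placeholder all-zero MD5 so the mismatch check has something to find.

```python
import re
from datetime import datetime, timedelta

# One OTL file or MD5 entry: "[date | size | attrs | M/C] (vendor) [MD5=...] -- path".
ENTRY = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| [\d,]+ \| [-A-Z]{4} \| [MC]\] "
    r"\((?P<company>[^)]*)\)(?: MD5=(?P<md5>[0-9A-F]{32}))? -- (?P<path>.+)$")
PROFILE_EXE = re.compile(r"^C:\\Documents and Settings\\[^\\]+\\[^\\]+\.exe$", re.I)
ALLUSERS_DROP = re.compile(r"^C:\\Documents and Settings\\All Users\\Application Data\\[^\\]+\.(js|pad|exe)$", re.I)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
SP_DIR = "c:\\windows\\servicepackfiles\\i386\\"            # reference copies (lower-cased)
LIVE_DIRS = ("c:\\windows\\", "c:\\windows\\system32\\")    # where the running copies live

def parse(text):
    """One dict per entry line: ts (datetime), company, md5 (or None), path."""
    found = [m.groupdict() for m in map(ENTRY.match, map(str.strip, text.splitlines())) if m]
    for e in found:
        e["ts"] = datetime.strptime(e["ts"], "%Y/%m/%d %H:%M:%S")
    return found

def md5_mismatches(entries):
    """Live system binaries (paths lower-cased) whose MD5 differs from the ServicePackFiles copy."""
    low = [(e["path"].lower(), e["md5"]) for e in entries if e["md5"]]
    ref = {p[len(SP_DIR):]: h for p, h in low if p.startswith(SP_DIR)}
    live = {p: h for p, h in low if any(p == d + p.rsplit("\\", 1)[-1] for d in LIVE_DIRS)}
    return [p for p, h in live.items() if ref.get(p.rsplit("\\", 1)[-1], h) != h]

def suspicious(entries, window=timedelta(seconds=60)):
    """Map path -> reasons, using the traits the fix script above targets."""
    checks = [(PROFILE_EXE, "executable at user-profile root"),
              (ALLUSERS_DROP, "loose script/data file in All Users\\Application Data")]
    hits = {}
    for e in entries:
        why = [msg for rx, msg in checks if rx.match(e["path"])]
        if e["company"] and not e["company"].isascii():
            why.append("non-ASCII vendor name")
        if why:
            hits[e["path"]] = why
    flagged_ts = [e["ts"] for e in entries if e["path"] in hits]
    for e in entries:  # a Startup .lnk created together with a flagged file
        if STARTUP_LNK.search(e["path"]) and e["path"] not in hits \
                and any(abs(e["ts"] - t) <= window for t in flagged_ts):
            hits[e["path"]] = ["Startup .lnk created alongside a flagged file"]
    return hits

# Constructed sample: lines from this thread's log, plus a placeholder all-zero MD5 for explorer.exe.
SAMPLE_LOG = r"""
[2012/12/26 00:38:00 | 000,206,200 | ---- | C] (Корпорация Майкрософт) -- C:\Documents and Settings\Heber & Carmen\wgsdgsdgdsgsd.exe
[2012/12/26 00:38:04 | 000,003,031 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\dsgsdgdsgdsgw.js
[2012/12/26 00:38:04 | 000,000,790 | ---- | C] () -- C:\Documents and Settings\Heber & Carmen\Start Menu\Programs\Startup\runctf.lnk
[2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=00000000000000000000000000000000 -- C:\WINDOWS\explorer.exe
"""
```

The MD5 check only means something when the ServicePackFiles copies themselves are intact, so a clean match there is a useful signal while a mismatch still needs a second reference before anything is replaced.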

========== OTL ==========

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AppMgmt deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winmgmt deleted successfully.

C:\Documents and Settings\Heber & Carmen\wgsdgsdgdsgsd.exe moved successfully.

Registry value HKEY_USERS\Heber_&_Carmen_ON_C\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.

Registry value HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session manager\\BootExecute:autocheck autochk * deleted successfully.

winmgmt removed from NetSvcs value successfully!

File C:\Documents and Settings\Heber & Carmen\wgsdgsdgdsgsd.exe not found.

File C:\Documents and Settings\Heber & Carmen\wgsdgsdgdsgsd.exe not found.

C:\Documents and Settings\All Users\Application Data\dsgsdgdsgdsgw.pad moved successfully.

C:\Documents and Settings\All Users\Application Data\dsgsdgdsgdsgw.js moved successfully.

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\runctf.lnk moved successfully.

File C:\Documents and Settings\Heber & Carmen\wgsdgsdgdsgsd.exe not found.

File C:\Documents and Settings\All Users\Application Data\dsgsdgdsgdsgw.js not found.

C:\Documents and Settings\Heber & Carmen\Start Menu\Programs\Startup\runctf.lnk moved successfully.

File C:\Documents and Settings\All Users\Application Data\dsgsdgdsgdsgw.pad not found.

OTLPE by OldTimer - Version 3.1.48.0 log created on 12262012_113318


Please create a new system restore point before running Malwarebytes Anti-Rootkit if you can.

MBAR tutorial

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.

[screenshot: more-reply-options]

New window that comes up.

[screenshot: choose-files1]

~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot.

Verify that your system is now functioning normally.

MrC


I ran the tool and still no firewall. I did a system restore to two days before infection. After boot, firewall settings were back to normal.

I then updated malwarebytes anti-malware and ran full scan; found 2 infected files - deleted them.

Re-booted then updated CCleaner and ran/cleaned.

Re-booted then updated IObit Advanced SystemCare and ran/cleaned.

Re-booted then updated Avast antivirus and ran/cleaned.

Re-booted and all seems as before.

I have Norton Ghost 10.0 and will create a new backup image. I did have Ghost on the machine but when I tried to recover (using their boot CD), it would not recognize the external drive where the backup was. I have other external drives to try. If they don't work I will burn it on some CD-RWs.

So thanks for your help and time. Donation on its way.


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
