Jump to content

Need help with removing three types of Trojans


Recommended Posts

Hi. I'm sorry if I'm posting in the wrong section. I'm new, so please bear with me. Today, I'm asking for help in removing three different nasty pieces of Trojans, called Trojan.Downloader, Trojan.FakeAlert, and Hijack.Zones I didn't do anything yet, as I'm only keeping the results of the MBAM scan up until I'm directed to do anything. Could someone help? This is my dad's laptop. He uses it incessantly and I'd hate for it to crash. Help would be GREATLY appreciated! Thank you!

Link to post
Share on other sites

And just to add onto what's been going on, I think I have a Redirect virus and for some reason (I have both IE and Firefox) something keeps opening a popup in IE, even though I'm using Firefox. And my taskbar keeps turning white for a fraction of a second, then goes back to normal. I'm running windows 7 32-bit.

Link to post
Share on other sites

For MBAM > Make sure that everything is checked, and click Remove Selected.

TDSSKiller needs to reboot to fix the infection, so reboot the computer and run it again > nothing should be found.

Please post the logs.

Let me know, MrC

Nothing was found by TDSSKiller

Here is the MBAM log:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6242

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

4/2/2011 9:16:33 AM

mbam-log-2011-04-02 (09-16-33).txt

Scan type: Full scan (C:\|)

Objects scanned: 231350

Time elapsed: 33 minute(s), 4 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\NtWqIVLZEWZU (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Windows\Tasks\{bbaeaeaf-1275-40e2-bd6c-bc8f88bd114a}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

Link to post
Share on other sites

The thing is, I'm not sure everything is fully gone. Is there something I can do to fully check my system?

That's what we do here, please don't run any other programs than the ones I instruct you to run.

-------------------------------

Please do this:

Please download OTL from one of the links below:

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

Save it to your desktop.

Double click on the icon on your desktop.

Click the Scan All Users checkbox.

Push the Quick Scan button.

Two reports will open, copy and paste them in a reply here: (or attach them as .txt files)

OTListIt.txt <-- Will be opened

Extra.txt <-- Will be minimized

MrC

Link to post
Share on other sites

Here's the OTL txt:

OTL logfile created on: 4/2/2011 9:34:12 AM - Run 1

OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\Scott\Desktop

An unknown product (Version = 6.1.7600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.7600.16385)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 43.00% Memory free

3.00 Gb Paging File | 2.00 Gb Available in Paging File | 68.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 93.16 Gb Total Space | 73.28 Gb Free Space | 78.67% Space Free | Partition Type: NTFS

Drive D: | 7.71 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF

Computer Name: WIN7-TEST-PC | User Name: Scott | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users | Quick Scan

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/02 09:32:42 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Scott\Desktop\OTL.exe

PRC - [2011/04/01 23:09:40 | 000,164,352 | ---- | M] () -- C:\Windows\Xsagea.exe

PRC - [2011/03/23 16:48:50 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe

PRC - [2011/03/16 14:50:10 | 000,594,200 | ---- | M] (Greatis Software) -- C:\Program Files\UnHackMe\hackmon.exe

PRC - [2011/03/10 12:27:50 | 001,377,112 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Scott\Desktop\TDSSKiller.exe

PRC - [2009/11/24 08:59:50 | 000,093,032 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\TrackPoint\tp4serv.exe

PRC - [2009/10/31 01:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe

PRC - [2009/07/13 21:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe

PRC - [2009/02/23 19:43:12 | 000,576,000 | ---- | M] (MagicISO, Inc.) -- C:\Program Files\MagicDisc\MagicDisc.exe

PRC - [2008/07/15 17:09:52 | 000,090,112 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\AEADISRV.EXE

========== Modules (SafeList) ==========

MOD - [2011/04/02 09:32:42 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Scott\Desktop\OTL.exe

MOD - [2010/08/21 01:21:32 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll

========== Win32 Services (SafeList) ==========

SRV - [2010/08/16 15:13:54 | 001,343,400 | ---- | M] (Microsoft Corporation) [unknown | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)

SRV - [2009/07/13 21:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\StorSvc.dll -- (StorSvc)

SRV - [2009/07/13 21:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)

SRV - [2009/07/13 21:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)

SRV - [2009/07/13 21:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)

SRV - [2008/07/15 17:09:52 | 000,090,112 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\AEADISRV.EXE -- (AEADIFilters)

========== Driver Services (SafeList) ==========

DRV - [2011/04/02 08:03:12 | 000,035,816 | ---- | M] (Greatis Software) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\Partizan.sys -- (Partizan)

DRV - [2010/12/20 18:09:00 | 000,038,224 | ---- | M] (Malwarebytes Corporation) [Kernel | Disabled | Running] -- C:\Windows\System32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)

DRV - [2010/03/26 08:15:50 | 000,221,400 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\e1e6232.sys -- (e1express) Intel®

DRV - [2009/07/13 21:19:10 | 000,175,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vmbus.sys -- (vmbus)

DRV - [2009/07/13 21:19:10 | 000,040,896 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vmstorfl.sys -- (storflt)

DRV - [2009/07/13 21:19:10 | 000,028,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\storvsc.sys -- (storvsc)

DRV - [2009/07/13 19:51:11 | 000,034,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)

DRV - [2009/07/13 19:28:47 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vms3cap.sys -- (s3cap)

DRV - [2009/07/13 19:28:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\VMBusHID.sys -- (VMBusHID)

DRV - [2009/07/13 19:12:52 | 000,030,720 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tpm.sys -- (TPM)

DRV - [2009/07/13 18:02:51 | 004,231,168 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\netw5v32.sys -- (netw5v32) Intel®

DRV - [2009/02/24 18:42:14 | 000,116,736 | ---- | M] (MagicISO, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mcdbus.sys -- (mcdbus)

DRV - [2006/11/27 17:44:52 | 000,008,192 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)

DRV - [2005/08/17 07:47:48 | 000,073,696 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdserd.sys -- (sscdserd) SAMSUNG CDMA Modem Diagnostic Serial Port (WDM)

DRV - [2005/08/17 07:46:26 | 000,093,872 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdmdm.sys -- (sscdmdm)

DRV - [2005/08/17 07:46:20 | 000,008,272 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdmdfl.sys -- (sscdmdfl)

DRV - [2005/08/17 07:45:00 | 000,058,352 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdbus.sys -- (sscdbus) SAMSUNG USB Composite Device driver (WDM)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-2767434456-3794414747-3360991820-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

IE - HKU\S-1-5-21-2767434456-3794414747-3360991820-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/

IE - HKU\S-1-5-21-2767434456-3794414747-3360991820-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us

IE - HKU\S-1-5-21-2767434456-3794414747-3360991820-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = F5 A9 45 E1 88 E8 CB 01 [binary data]

IE - HKU\S-1-5-21-2767434456-3794414747-3360991820-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-2767434456-3794414747-3360991820-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24

FF - prefs.js..extensions.enabledItems: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}:20110323

FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.5

FF - prefs.js..extensions.enabledItems: zigboom555@aol.com:1.2.9

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/23 16:48:51 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/27 16:56:40 | 000,000,000 | ---D | M]

[2011/03/19 19:41:20 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Scott\AppData\Roaming\Mozilla\Extensions

[2011/04/02 09:29:35 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Scott\AppData\Roaming\Mozilla\Firefox\Profiles\gjx9373r.default\extensions

[2011/03/27 18:32:29 | 000,000,000 | ---D | M] (WOT) -- C:\Users\Scott\AppData\Roaming\Mozilla\Firefox\Profiles\gjx9373r.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}

[2011/03/27 18:32:29 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\Scott\AppData\Roaming\Mozilla\Firefox\Profiles\gjx9373r.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

[2011/03/27 18:31:38 | 000,000,000 | ---D | M] (LavaFox V1-Purple) -- C:\Users\Scott\AppData\Roaming\Mozilla\Firefox\Profiles\gjx9373r.default\extensions\zigboom555@aol.com

[2011/04/02 00:39:21 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

[2011/03/27 16:56:43 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}

[2011/03/27 16:56:29 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2009/06/10 17:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts

O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)

O4 - HKLM..\Run: [TrackPointSrv] C:\Program Files\Lenovo\TrackPoint\tp4serv.exe (Lenovo Group Limited)

O4 - HKU\S-1-5-21-2767434456-3794414747-3360991820-1004..\Run: [msnmsgr] File not found

O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)

O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)

O4 - HKLM..\RunOnceEx: [Flags] Reg Error: Invalid data type. File not found

O4 - HKLM..\RunOnceEx: [Title] File not found

O4 - Startup: C:\Users\Scott\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe (MagicISO, Inc.)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3

O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O13 - gopher Prefix: missing

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)

O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1

O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found

O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]

O32 - AutoRun File - [2006/10/18 14:09:03 | 000,000,031 | R--- | M] () - D:\AUTORUN.INF -- [ UDF ]

O33 - MountPoints2\{8cba1908-a97e-11df-ad27-806e6f6e6963}\Shell - "" = AutoRun

O33 - MountPoints2\{8cba1908-a97e-11df-ad27-806e6f6e6963}\Shell\AutoRun\command - "" = D:\DVD_ROM.EXE -- [2004/11/24 13:35:14 | 000,445,872 | R--- | M] (Macromedia, Inc.)

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O34 - HKLM BootExecute: (Partizan) - C:\Windows\System32\Partizan.exe (Greatis Software)

O34 - HKLM BootExecute: (ootExecute settings...) - File not found

O34 - HKLM BootExecute: (ount) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/04/02 09:32:27 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Users\Scott\Desktop\OTL.exe

[2011/04/02 08:41:29 | 001,377,112 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Scott\Desktop\TDSSKiller.exe

[2011/04/02 08:39:45 | 000,000,000 | ---D | C] -- C:\Users\Scott\Desktop\GooredFix Backups

[2011/04/02 08:36:15 | 000,071,398 | ---- | C] (jpshortstuff) -- C:\Users\Scott\Desktop\GooredFix.exe

[2011/04/02 08:03:12 | 000,039,192 | ---- | C] (Greatis Software) -- C:\Windows\System32\Partizan.exe

[2011/04/02 08:03:12 | 000,035,816 | ---- | C] (Greatis Software) -- C:\Windows\System32\drivers\Partizan.sys

[2011/04/02 08:03:08 | 000,000,000 | ---D | C] -- C:\Users\Scott\Documents\RegRun2

[2011/04/02 08:03:02 | 000,012,808 | ---- | C] (Greatis Software, LLC.) -- C:\Windows\System32\drivers\UnHackMeDrv.sys

[2011/04/02 08:03:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UnHackMe

[2011/04/02 08:03:02 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\regruninfo

[2011/04/02 08:02:57 | 000,000,000 | ---D | C] -- C:\Program Files\UnHackMe

[2011/04/02 07:52:12 | 000,000,000 | ---D | C] -- C:\Windows\Minidump

[2011/04/02 00:40:44 | 000,000,000 | -HSD | C] -- C:\Config.Msi

[2011/04/01 23:19:31 | 000,000,000 | ---D | C] -- C:\Program Files\NVIDIA Corporation

[2011/04/01 23:19:05 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard

[2011/04/01 23:15:27 | 000,000,000 | ---D | C] -- C:\Users\Scott\AppData\Roaming\Malwarebytes

[2011/04/01 23:15:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware

[2011/04/01 23:15:21 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys

[2011/04/01 23:15:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes

[2011/04/01 23:15:18 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys

[2011/04/01 23:15:18 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2011/04/01 23:12:43 | 000,000,000 | ---D | C] -- C:\Windows\Sun

[2011/04/01 22:57:58 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\BioWare

[2011/04/01 22:02:18 | 000,000,000 | ---D | C] -- C:\Users\Scott\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MagicDisc

[2011/04/01 22:02:14 | 000,116,736 | ---- | C] (MagicISO, Inc.) -- C:\Windows\System32\drivers\mcdbus.sys

[2011/04/01 22:00:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MagicISO

[2011/04/01 20:37:15 | 000,000,000 | ---D | C] -- C:\ProgramData\regid.1986-12.com.adobe

[2011/04/01 20:34:57 | 000,000,000 | ---D | C] -- C:\Program Files\Adobe Media Player

[2011/04/01 20:34:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe

[2011/04/01 16:48:50 | 000,000,000 | ---D | C] -- C:\Users\Scott\AppData\Roaming\skypePM

[2011/04/01 16:47:14 | 000,000,000 | ---D | C] -- C:\Users\Scott\AppData\Roaming\Skype

[2011/04/01 16:47:10 | 000,000,000 | ---D | C] -- C:\ProgramData\Skype

[2011/04/01 16:22:05 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Office Outlook Connector

[2011/04/01 16:21:37 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft

[2011/03/31 21:13:55 | 000,000,000 | ---D | C] -- C:\Users\Scott\Documents\The Lord of the Rings Online

[2011/03/31 21:13:55 | 000,000,000 | ---D | C] -- C:\Users\Scott\AppData\Local\The Lord of the Rings Online

[2011/03/31 21:10:21 | 000,000,000 | ---D | C] -- C:\Users\Scott\AppData\Local\Turbine

[2011/03/31 21:07:51 | 000,000,000 | ---D | C] -- C:\Users\Scott\AppData\Local\ApplicationHistory

[2011/03/31 21:05:45 | 000,000,000 | ---D | C] -- C:\Windows\System32\URTTEMP

[2011/03/31 20:30:23 | 000,000,000 | ---D | C] -- C:\Program Files\Turbine

[2011/03/29 08:55:59 | 000,000,000 | ---D | C] -- C:\Windows\System32\appmgmt

[2011/03/28 17:40:11 | 000,000,000 | ---D | C] -- C:\ProgramData\Kaspersky Lab

[2011/03/28 00:10:13 | 000,000,000 | ---D | C] -- C:\Users\Scott\Desktop\Music

[2011/03/27 16:56:51 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun

[2011/03/27 16:56:50 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java

[2011/03/27 16:56:27 | 000,000,000 | ---D | C] -- C:\Program Files\Java

[2011/03/27 16:05:57 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\microsoft

[2011/03/27 15:53:00 | 000,000,000 | ---D | C] -- C:\Users\Scott\AppData\Local\{4582F8A5-1C9B-48A4-A6A4-5FDAEF6D75A1}

[2011/03/27 15:37:12 | 000,000,000 | ---D | C] -- C:\Users\Scott\AppData\Local\{2ECB5741-2143-4DAD-9E1C-8010F40BE8F9}

[2011/03/27 15:36:57 | 000,000,000 | ---D | C] -- C:\Users\Scott\Tracing

[2011/03/27 15:31:31 | 000,000,000 | ---D | C] -- C:\Users\Scott\AppData\Local\Windows Live

[2011/03/27 15:31:30 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Windows Live

[2011/03/27 13:56:48 | 000,000,000 | ---D | C] -- C:\Users\Scott\AppData\Local\PMB Files

[2011/03/27 13:56:47 | 000,000,000 | ---D | C] -- C:\ProgramData\PMB Files

[2011/03/27 13:56:40 | 000,000,000 | ---D | C] -- C:\Program Files\Pando Networks

[2011/03/27 12:39:17 | 000,000,000 | ---D | C] -- C:\Users\Scott\AppData\Roaming\runic games

[2011/03/27 12:22:58 | 000,000,000 | ---D | C] -- C:\Program Files\Runic Games

[2011/03/27 11:52:29 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MagicDisc

[2011/03/27 11:51:28 | 000,000,000 | ---D | C] -- C:\Program Files\MagicDisc

[2011/03/25 17:16:05 | 000,000,000 | ---D | C] -- C:\Users\Scott\AppData\Local\Microsoft Help

[2011/03/23 16:51:36 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe

[2011/03/23 16:49:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Adobe

[2011/03/23 16:49:48 | 000,000,000 | ---D | C] -- C:\Program Files\Adobe

[2011/03/23 16:49:47 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR

[2011/03/23 16:49:44 | 000,000,000 | ---D | C] -- C:\Users\Scott\AppData\Local\Adobe

[2011/03/23 16:49:23 | 000,000,000 | ---D | C] -- C:\ProgramData\McAfee

[2011/03/22 15:34:02 | 000,000,000 | ---D | C] -- C:\Users\Scott\AppData\Roaming\uTorrent

[2011/03/22 14:47:51 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight

[2011/03/22 14:47:49 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight

[2011/03/21 06:48:47 | 000,000,000 | ---D | C] -- C:\Program Files\uTorrent

[2011/03/21 06:34:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip

[2011/03/21 06:34:22 | 000,000,000 | ---D | C] -- C:\Program Files\7-Zip

[2011/03/19 21:43:59 | 000,000,000 | ---D | C] -- C:\Users\Scott\AppData\Local\Apple Computer

[2011/03/19 21:43:58 | 000,000,000 | ---D | C] -- C:\Users\Scott\AppData\Roaming\Apple Computer

[2011/03/19 21:43:51 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes

[2011/03/19 21:43:38 | 000,000,000 | ---D | C] -- C:\Windows\System32\DRVSTORE

[2011/03/19 21:43:17 | 000,000,000 | ---D | C] -- C:\Program Files\iPod

[2011/03/19 21:43:16 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes

[2011/03/19 21:43:16 | 000,000,000 | ---D | C] -- C:\ProgramData\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

[2011/03/19 21:42:20 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime

[2011/03/19 21:42:15 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime

[2011/03/19 21:42:14 | 000,000,000 | ---D | C] -- C:\ProgramData\Apple Computer

[2011/03/19 21:42:04 | 000,000,000 | ---D | C] -- C:\Users\Scott\AppData\Local\Apple

[2011/03/19 21:42:02 | 000,000,000 | ---D | C] -- C:\Program Files\Apple Software Update

[2011/03/19 21:41:42 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour

[2011/03/19 21:41:31 | 000,000,000 | ---D | C] -- C:\ProgramData\Apple

[2011/03/19 21:41:31 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Apple

[2011/03/19 20:03:59 | 000,000,000 | ---D | C] -- C:\Users\Scott\AppData\Roaming\Macromedia

[2011/03/19 20:03:59 | 000,000,000 | ---D | C] -- C:\Users\Scott\AppData\Roaming\Adobe

[2011/03/19 19:41:03 | 000,000,000 | ---D | C] -- C:\Users\Scott\AppData\Roaming\Mozilla

[2011/03/19 19:41:03 | 000,000,000 | ---D | C] -- C:\Users\Scott\AppData\Local\Mozilla

[2011/03/19 13:09:10 | 000,000,000 | R--D | C] -- C:\Users\Scott\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

[2011/03/19 13:09:10 | 000,000,000 | R--D | C] -- C:\Users\Scott\Searches

[2011/03/19 13:09:10 | 000,000,000 | R--D | C] -- C:\Users\Scott\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools

[2011/03/19 13:09:10 | 000,000,000 | -H-D | C] -- C:\Users\Scott\Application Data\Microsoft\Internet Explorer\Quick Launch\User Pinned

[2011/03/19 13:09:01 | 000,000,000 | ---D | C] -- C:\Users\Scott\AppData\Roaming\Identities

[2011/03/19 13:08:58 | 000,000,000 | R--D | C] -- C:\Users\Scott\Contacts

[2011/03/19 13:08:38 | 000,000,000 | ---D | C] -- C:\Users\Scott\AppData\Local\VirtualStore

[2011/03/19 13:08:36 | 000,000,000 | -HSD | C] -- C:\Users\Scott\AppData\Local\Temporary Internet Files

[2011/03/19 13:08:36 | 000,000,000 | -HSD | C] -- C:\Users\Scott\Templates

[2011/03/19 13:08:36 | 000,000,000 | -HSD | C] -- C:\Users\Scott\Start Menu

[2011/03/19 13:08:36 | 000,000,000 | -HSD | C] -- C:\Users\Scott\SendTo

[2011/03/19 13:08:36 | 000,000,000 | -HSD | C] -- C:\Users\Scott\Recent

[2011/03/19 13:08:36 | 000,000,000 | -HSD | C] -- C:\Users\Scott\PrintHood

[2011/03/19 13:08:36 | 000,000,000 | -HSD | C] -- C:\Users\Scott\NetHood

[2011/03/19 13:08:36 | 000,000,000 | -HSD | C] -- C:\Users\Scott\Documents\My Videos

[2011/03/19 13:08:36 | 000,000,000 | -HSD | C] -- C:\Users\Scott\Documents\My Pictures

[2011/03/19 13:08:36 | 000,000,000 | -HSD | C] -- C:\Users\Scott\Documents\My Music

[2011/03/19 13:08:36 | 000,000,000 | -HSD | C] -- C:\Users\Scott\My Documents

[2011/03/19 13:08:36 | 000,000,000 | -HSD | C] -- C:\Users\Scott\Local Settings

[2011/03/19 13:08:36 | 000,000,000 | -HSD | C] -- C:\Users\Scott\AppData\Local\History

[2011/03/19 13:08:36 | 000,000,000 | -HSD | C] -- C:\Users\Scott\Cookies

[2011/03/19 13:08:36 | 000,000,000 | -HSD | C] -- C:\Users\Scott\Application Data

[2011/03/19 13:08:36 | 000,000,000 | -HSD | C] -- C:\Users\Scott\AppData\Local\Application Data

[2011/03/19 13:08:35 | 000,000,000 | --SD | C] -- C:\Users\Scott\AppData\Roaming\Microsoft

[2011/03/19 13:08:35 | 000,000,000 | R--D | C] -- C:\Users\Scott\Videos

[2011/03/19 13:08:35 | 000,000,000 | R--D | C] -- C:\Users\Scott\Saved Games

[2011/03/19 13:08:35 | 000,000,000 | R--D | C] -- C:\Users\Scott\Pictures

[2011/03/19 13:08:35 | 000,000,000 | R--D | C] -- C:\Users\Scott\Music

[2011/03/19 13:08:35 | 000,000,000 | R--D | C] -- C:\Users\Scott\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance

[2011/03/19 13:08:35 | 000,000,000 | R--D | C] -- C:\Users\Scott\Links

[2011/03/19 13:08:35 | 000,000,000 | R--D | C] -- C:\Users\Scott\Favorites

[2011/03/19 13:08:35 | 000,000,000 | R--D | C] -- C:\Users\Scott\Downloads

[2011/03/19 13:08:35 | 000,000,000 | R--D | C] -- C:\Users\Scott\My Documents

[2011/03/19 13:08:35 | 000,000,000 | R--D | C] -- C:\Users\Scott\Desktop

[2011/03/19 13:08:35 | 000,000,000 | R--D | C] -- C:\Users\Scott\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories

[2011/03/19 13:08:35 | 000,000,000 | -H-D | C] -- C:\Users\Scott\AppData

[2011/03/19 13:08:35 | 000,000,000 | ---D | C] -- C:\Users\Scott\AppData\Local\Temp

[2011/03/19 13:08:35 | 000,000,000 | ---D | C] -- C:\Users\Scott\AppData\Local\Microsoft

[2011/03/19 13:08:35 | 000,000,000 | ---D | C] -- C:\Users\Scott\AppData\Roaming\Media Center Programs

========== Files - Modified Within 30 Days ==========

[2011/04/02 09:32:42 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Scott\Desktop\OTL.exe

[2011/04/02 09:24:48 | 000,635,850 | ---- | M] () -- C:\Windows\System32\perfh009.dat

[2011/04/02 09:24:48 | 000,111,392 | ---- | M] () -- C:\Windows\System32\perfc009.dat

[2011/04/02 09:18:33 | 000,000,246 | -H-- | M] () -- C:\Windows\tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job

[2011/04/02 09:18:19 | 000,000,306 | -HS- | M] () -- C:\Windows\tasks\NTYKPUVKQ.job

[2011/04/02 09:18:13 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2011/04/02 09:18:10 | 1200,431,104 | -HS- | M] () -- C:\hiberfil.sys

[2011/04/02 09:17:19 | 000,010,208 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

[2011/04/02 09:17:19 | 000,010,208 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

[2011/04/02 08:36:16 | 000,071,398 | ---- | M] (jpshortstuff) -- C:\Users\Scott\Desktop\GooredFix.exe

[2011/04/02 08:03:16 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt

[2011/04/02 08:03:16 | 000,001,688 | ---- | M] () -- C:\Windows\System32\autoexec.nt

[2011/04/02 08:03:16 | 000,000,002 | RHS- | M] () -- C:\Windows\winstart.bat

[2011/04/02 08:03:12 | 000,039,192 | ---- | M] (Greatis Software) -- C:\Windows\System32\Partizan.exe

[2011/04/02 08:03:12 | 000,035,816 | ---- | M] (Greatis Software) -- C:\Windows\System32\drivers\Partizan.sys

[2011/04/02 08:03:03 | 000,000,917 | ---- | M] () -- C:\Users\Scott\Desktop\UnHackMe.lnk

[2011/04/02 07:52:03 | 232,166,584 | ---- | M] () -- C:\Windows\MEMORY.DMP

[2011/04/01 23:15:22 | 000,001,071 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk

[2011/04/01 23:09:40 | 000,164,352 | ---- | M] () -- C:\Windows\Xsagea.exe

[2011/04/01 23:09:40 | 000,090,112 | RHS- | M] () -- C:\Windows\System32\scrnsave9.dll

[2011/04/01 22:10:37 | 000,000,963 | ---- | M] () -- C:\Users\Scott\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk

[2011/04/01 22:09:10 | 003,696,656 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT

[2011/04/01 16:48:51 | 000,000,056 | -H-- | M] () -- C:\ProgramData\ezsidmv.dat

[2011/03/31 21:10:26 | 000,000,093 | ---- | M] () -- C:\Users\Scott\AppData\Local\fusioncache.dat

[2011/03/27 11:52:30 | 000,000,927 | ---- | M] () -- C:\Users\Scott\Documents\MagicDisc.lnk

[2011/03/27 11:09:09 | 000,001,773 | ---- | M] () -- C:\Users\Scott\Documents\MagicISO.lnk

[2011/03/25 17:22:09 | 001,572,864 | ---- | M] () -- C:\Users\Scott\Documents\Tasks.accdb

[2011/03/25 17:16:04 | 000,579,994 | ---- | M] () -- C:\Users\Scott\Documents\Tasks.accdt

[2011/03/23 16:51:52 | 000,001,989 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader X.lnk

[2011/03/21 06:48:47 | 000,000,917 | ---- | M] () -- C:\Users\Public\Desktop\

Link to post
Share on other sites

File name:

Xsagea.exe

Submission date:

2011-04-02 15:21:30 (UTC)

Current status:

queued queued analysing finished

Result:

6/ 40 (15.0%)

VT Community

not reviewed

Safety score: -

Compact

Print results

Antivirus Version Last Update Result

AhnLab-V3 2011.04.03.00 2011.04.02 -

AntiVir 7.11.5.168 2011.04.01 -

Antiy-AVL 2.0.3.7 2011.04.02 -

Avast 4.8.1351.0 2011.04.02 -

Avast5 5.0.677.0 2011.04.02 -

AVG 10.0.0.1190 2011.04.02 -

BitDefender 7.2 2011.04.02 Gen:Variant.Kazy.17829

CAT-QuickHeal 11.00 2011.04.02 -

ClamAV 0.97.0.0 2011.04.01 -

Commtouch 5.2.11.5 2011.03.24 -

Comodo 8193 2011.04.02 Heur.Packed.Unknown

DrWeb 5.0.2.03300 2011.04.02 Trojan.DownLoader2.26817

eSafe 7.0.17.0 2011.04.01 -

eTrust-Vet 36.1.8248 2011.04.01 -

F-Prot 4.6.2.117 2011.04.02 -

F-Secure 9.0.16440.0 2011.04.02 -

Fortinet 4.2.254.0 2011.04.02 -

GData 22 2011.04.02 -

Ikarus T3.1.1.103.0 2011.04.02 -

Jiangmin 13.0.900 2011.03.31 -

K7AntiVirus 9.96.4280 2011.04.02 -

McAfee 5.400.0.1158 2011.04.02 -

McAfee-GW-Edition 2010.1C 2011.04.01 -

Microsoft 1.6702 2011.04.02 -

NOD32 6009 2011.04.02 -

Norman 6.07.03 2011.04.02 -

Panda 10.0.3.5 2011.04.02 Suspicious file

PCTools 7.0.3.5 2011.04.01 -

Prevx 3.0 2011.04.02 -

Rising 23.51.05.05 2011.04.02 Suspicious

Sophos 4.64.0 2011.04.02 -

SUPERAntiSpyware 4.40.0.1006 2011.04.02 Trojan.Agent/Gen-FakeSec

Symantec 20101.3.2.89 2011.04.02 -

TheHacker 6.7.0.1.164 2011.04.02 -

TrendMicro 9.200.0.1012 2011.04.01 -

TrendMicro-HouseCall 9.200.0.1012 2011.04.02 -

VBA32 3.12.14.3 2011.04.01 -

VIPRE 8896 2011.04.02 -

ViRobot 2011.4.2.4390 2011.04.02 -

VirusBuster 13.6.283.0 2011.04.02 -

Link to post
Share on other sites

Please do this:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    PRC - [2011/04/01 23:09:40 | 000,164,352 | ---- | M] () -- C:\Windows\Xsagea.exe
    O4 - HKU\S-1-5-21-2767434456-3794414747-3360991820-1004..\Run: [msnmsgr] File not found
    O4 - HKLM..\RunOnceEx: [Flags] Reg Error: Invalid data type. File not found
    O4 - HKLM..\RunOnceEx: [Title] File not found
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
    [2011/04/02 09:18:33 | 000,000,246 | -H-- | M] () -- C:\Windows\tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
    [2011/04/02 09:18:19 | 000,000,306 | -HS- | M] () -- C:\Windows\tasks\NTYKPUVKQ.job
    [2011/04/01 23:09:40 | 000,164,352 | ---- | M] () -- C:\Windows\Xsagea.exe
    [2011/04/01 23:09:40 | 000,090,112 | RHS- | C] () -- C:\Windows\System32\scrnsave9.dll
    :Commands
    [emptytemp]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

MrC

Link to post
Share on other sites

Please do this:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    PRC - [2011/04/01 23:09:40 | 000,164,352 | ---- | M] () -- C:\Windows\Xsagea.exe
    O4 - HKU\S-1-5-21-2767434456-3794414747-3360991820-1004..\Run: [msnmsgr] File not found
    O4 - HKLM..\RunOnceEx: [Flags] Reg Error: Invalid data type. File not found
    O4 - HKLM..\RunOnceEx: [Title] File not found
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
    [2011/04/02 09:18:33 | 000,000,246 | -H-- | M] () -- C:\Windows\tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
    [2011/04/02 09:18:19 | 000,000,306 | -HS- | M] () -- C:\Windows\tasks\NTYKPUVKQ.job
    [2011/04/01 23:09:40 | 000,164,352 | ---- | M] () -- C:\Windows\Xsagea.exe
    [2011/04/01 23:09:40 | 000,090,112 | RHS- | C] () -- C:\Windows\System32\scrnsave9.dll
    :Commands
    [emptytemp]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

MrC

All processes killed

========== OTL ==========

No active process named Xsagea.exe was found!

Registry value HKEY_USERS\S-1-5-21-2767434456-3794414747-3360991820-1004\Software\Microsoft\Windows\CurrentVersion\Run\\msnmsgr deleted successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\\Flags deleted successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\\Title deleted successfully.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.

C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job moved successfully.

C:\Windows\Tasks\NTYKPUVKQ.job moved successfully.

C:\Windows\Xsagea.exe moved successfully.

C:\Windows\System32\scrnsave9.dll moved successfully.

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

->Flash cache emptied: 56466 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 0 bytes

User: hbsuser

User: Public

User: Scott

->Temp folder emptied: 113787214 bytes

->Temporary Internet Files folder emptied: 92319767 bytes

->Java cache emptied: 592989 bytes

->FireFox cache emptied: 75205749 bytes

->Flash cache emptied: 48204 bytes

User: win7-test

->Temp folder emptied: 1509079 bytes

->Temporary Internet Files folder emptied: 49091314 bytes

->FireFox cache emptied: 117775075 bytes

->Flash cache emptied: 16839 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 12509679 bytes

RecycleBin emptied: 1263721 bytes

Total Files Cleaned = 443.00 mb

OTL by OldTimer - Version 3.2.22.3 log created on 04022011_121549

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Here it is. But I also found the bugger inside the C_Windows folder when looking for the log.

Link to post
Share on other sites

Here it is. But I also found the bugger inside the C_Windows folder when looking for the log.

That's where it's supposed to be, don't delete any OTL folders in C:\

------------------

Please download and run ComboFix......

The most important things to remember when running ComboFix is download and run it from your desktop and make sure you disable your anti-virus programs before you run it.

Please download and run ComboFix:

A few notes first:

[*]ComboFix is compatible exclusively with XP and W2K (32-bit only) <===> Vista and Windows 7 (32-bit and 64-bit)

[*]ComboFix must be run from an Administrative account.

[*]Vista and W7 users - Right click, choose "Run as Administrator"

[*]It must be downloaded to and run from your desktop.

[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can and will interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". (see below)

[*]ComboFix Guide <---please read!

Download ComboFix from one of these locations: (you may have to use right click > save target as)

[*]Link 1

[*]Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon and choose disable/exit.

More info HERE<-------

They may interfere with the running of ComboFix.

Note: If you have AVG or CA Internet Security Suite installed, due to recent changes in how these AV's target the tool's internal files, they must be uninstalled before running ComboFix. If you have difficulty uninstalling the AV, download and run Opswat AppRemover

[*]Double click on ComboFix.exe & follow the prompts.

[*]Note: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.

[*] Note: If you have SP3, use the SP2 package.

If Vista or Windows 7, skip the Recovery Console part

[*]ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

[*]**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

[*]1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.

[*]2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

[*]3. Combofix permanently prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun ASAP!.

[*]4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If a reboot doesn't restore your connection, please try this:

Check HERE

For XP systems download and run WinSockFix and Here

Vista users: Check HERE

Windows 7 systems: Download and run this Winsockfix.bat

[*]5.Give ComboFix at least 20-30 minutes to finish if needed.

MrC

Link to post
Share on other sites

The most important things to remember when running ComboFix is download and run it from your desktop and make sure you disable your anti-virus programs before you run it.

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon and choose disable/exit.

More info HERE<-------

They may interfere with the running of ComboFix.

MrC

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.