August 15th, 2010, 10:33 PM
#31
Its to big for one post.
Settings\Pam\My Documents\campedit3newarrow[1].jpg========== LOP Check ========== ========== Purity Check ========== ========== Alternate Data Streams ==========
Windows 7 Ultimate, Service Pack 1
August 15th, 2010, 11:01 PM
#32
Since you'll be using USB stick to move files between bad and good computer...Flash Disinfector , and save it to your desktop.*Please disable any AV / ScriptBlockers as they might detect Flash Disinfector to be malicious and block it. Hence, the failure in executing. You can enable them back after the cleaning process* Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear. The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well. Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present. Wait until it has finished scanning and then exit the program. Reboot your computer when done. Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.on the computer you are posting from :
Code:
:OTL
SRV - [2010/08/14 14:49:08 | 000,059,904 | ---- | M] () [Auto] -- C:\Program Files\csrss.exe -- (QTUpdate)
DRV - File not found [Kernel | On_Demand] -- C:\DOCUME~1\Pam\LOCALS~1\Temp\mdxgthkn.sys -- (mdxgthkn)
DRV - File not found [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\EagleNT.sys -- (EagleNT)
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5577
IE - HKU\Pam_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\Pam_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5577
IE - HKU\Pam_ON_C\..\URLSearchHook: {9927cacb-7863-42b4-95ab-7446332b7c59} - Reg Error: Key error. File not found
IE - HKU\Pam_ON_C\..\URLSearchHook: {9ee802e8-c931-47ab-b570-aa8f791598ca} - Reg Error: Key error. File not found
IE - HKU\Tim_ON_C\..\URLSearchHook: *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not found
IE - HKU\Tim_ON_C\..\URLSearchHook: *{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKU\Tim_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\Tim_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5577
O2 - BHO: (ADC PlugIn) - {19090308-636D-4e9b-A1CE-A647B6F794BF} - C:\Program Files\shk_v10.dll (Intsys)
O2 - BHO: (BrowserHelper Class) - {8A9D74F9-560B-4FE7-ABEB-3B2E638E5CD6} - C:\Program Files\SGPSA\SearchAssistant.dll (Make The Web Better, LLC)
O3 - HKU\Pam_ON_C\..\Toolbar\WebBrowser: (no name) - {0388BA0C-C7F1-4E6A-BD7A-B59623F33363} - No CLSID value found.
O3 - HKU\Pam_ON_C\..\Toolbar\WebBrowser: (no name) - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - No CLSID value found.
O3 - HKU\Pam_ON_C\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\Pam_ON_C\..\Toolbar\WebBrowser: (no name) - {9927CACB-7863-42B4-95AB-7446332B7C59} - No CLSID value found.
O3 - HKU\Pam_ON_C\..\Toolbar\WebBrowser: (no name) - {9EE802E8-C931-47AB-B570-AA8F791598CA} - No CLSID value found.
O3 - HKU\Tim_ON_C\..\Toolbar\WebBrowser: (no name) - {0388BA0C-C7F1-4E6A-BD7A-B59623F33363} - No CLSID value found.
O4 - HKU\Pam_ON_C..\Run: [ap.exe] C:\Documents and Settings\Pam\Application Data\PCenter\ap.exe ()
O4 - HKU\Pam_ON_C..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe File not found
O4 - HKU\Pam_ON_C..\Run: [DW6] C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe File not found
O4 - HKU\Pam_ON_C..\Run: [MalwareBot] C:\Program Files\MalwareBot\MalwareBot.exe File not found
O4 - HKU\Pam_ON_C..\Run: [MsnMsgr] C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe File not found
O4 - HKU\Tim_ON_C..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe File not found
O4 - HKU\Pam_ON_C..\RunOnce: [Shockwave Updater] C:\WINDOWS\System32\Adobe\SHOCKW~1\SWHELP~3.EXE -Update -1103472 -Mozilla\4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident\4.0; File not found
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7}http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O20 - AppInit_DLLs: (C:\PROGRA~1\IMESHA~1\MediaBar\DataMngr\datamngr.dll) - C:\PROGRA~1\IMESHA~1\MediaBar\DataMngr\datamngr.dll File not found
O20 - HKU\Pam_ON_C Winlogon: Shell - (C:\Documents and Settings\Pam\Application Data\PCenter\sp.exe) - C:\Documents and Settings\Pam\Application Data\PCenter\sp.exe ()
O35 - HKLM\..exefile [open] -- C:\Program Files\conhost.exe "%1" %* ()
O37 - HKLM\...exe [@ = exefile] -- C:\Program Files\conhost.exe "%1" %* ()
[2010/08/14 18:24:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Pam\Application Data\PCenter
[2010/08/14 14:49:10 | 000,372,224 | ---- | C] (Intsys) -- C:\Program Files\shk_v10.dll
[2010/08/14 14:49:05 | 000,000,000 | ---D | C] -- C:\Program Files\Wireshark Antivirus
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[23 C:\Documents and Settings\Pam\My Documents\*.tmp files -> C:\Documents and Settings\Pam\My Documents\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]
[2010/08/15 21:12:46 | 000,000,060 | ---- | M] () -- C:\Program Files\sh4.dat
[2010/08/15 21:12:46 | 000,000,004 | ---- | M] () -- C:\Program Files\sh3.dat
[2010/08/15 19:24:00 | 000,098,304 | ---- | M] () -- C:\Program Files\conhost.exe
[2010/08/15 19:23:59 | 000,372,224 | ---- | M] (Intsys) -- C:\Program Files\shk_v10.dll
[2010/08/15 19:23:57 | 000,001,550 | ---- | M] () -- C:\Wireshark Antivirus.lnk
[2010/08/14 14:49:09 | 000,000,009 | ---- | M] () -- C:\Program Files\nuar.old
[2010/08/14 14:49:08 | 000,059,904 | ---- | M] () -- C:\Program Files\csrss.exe
[2010/08/14 14:49:08 | 000,000,036 | ---- | M] () -- C:\Program Files\skynet.dat
[2010/08/14 14:49:07 | 000,001,684 | ---- | M] () -- C:\Documents and Settings\Pam\Desktop\Wireshark Antivirus.lnk
@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Tim\My Documents\My Music:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Pam\My Documents\My Downloads:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Pam\My Documents\FirstClass:Roxio EMC Stream
:Services
:Reg
:Files
:Commands
[purity]
[emptytemp]
Open Notepad and paste it.Fix.txt on to a USB flash driveOn the infected computer the following...OTLPE Insert USB stick and find the file Fix.txt . Drag the file Fix.txt and drop it under the Custom Scans/Fixes box at the bottom.(The content of Fix.txt should appear in the box) Then click the Run Fix button at the top Let the program run unhindered, reboot the PC when it is done Post the log produced (you'll need to transfer it with USB stick) Attempt to reboot normally into windows.
August 15th, 2010, 11:27 PM
#33
The computer seems to have booted normally.
:OTLhttp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
Windows 7 Ultimate, Service Pack 1
August 15th, 2010, 11:35 PM
#34
The above is my fix.On bad computer ......OTL Custom Scan box paste this in:Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt . These are saved in the same location as OTL. Please copy (Edit->Select All, Edit->Copy ) the contents of these files, one at a time, and post them back here.
August 16th, 2010, 12:07 AM
#35
Sorry I accidentaly posted the wrong doc. Here is the correct one from the first fix. I am now preparing to run the second.
Windows 7 Ultimate, Service Pack 1
August 16th, 2010, 12:23 AM
#36
Very good STEP 1. Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/mbam.php to your desktop.(Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes) mbam-setup.exe and follow the prompts to install the program.Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware , then click Finish .Perform Quick Scan , then click Scan .Show Results to view the results.Remove Selected .Post the log back here .log-date.txt log-date.txt STEP 2. GMER : http://www.gmer.net/files.php , by clicking on Download EXE button.http://majorgeeks.com/GMER_d5198.html http://www.softpedia.com/get/Interne...ers/GMER.shtml .exe file, select Rootkit tab and click the Scan button.Do NOT use the computer while GMER is running! Save button, and save the results as gmer.log Warning ! Please, do not select the "Show all" checkbox during the scan.IMPORTANT! If for some reason GMER refuses to run, try again.STEP 3. MBRCheck to your desktopMBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator ).MBRcheckxxxx.txt will be on your desktopDO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
August 16th, 2010, 12:40 AM
#37
Attached are the two results from the second OTL scan. I ran it before you posted back. Should I proceed with the Malware post when I continue. I will have to continue tomorrow though because I have to turn in because i have to get up early for golf practice. My dad should or I will continue with you tomorrow most likely.
Windows 7 Ultimate, Service Pack 1
August 16th, 2010, 12:42 AM
#38
Yes, proceed with steps from my previous reply.
August 16th, 2010, 10:02 PM
#39
Last edited by timmyb74; August 16th, 2010 at 10:07 PM .
Reason: aditional information added
Windows 7 Ultimate, Service Pack 1
August 16th, 2010, 10:10 PM
#40
Yes, you should run all scans on bad computer.IMPORTANT! If for some reason GMER refuses to run, try again.
August 16th, 2010, 10:15 PM
#41
GMER does run and there is a lot of stuff on the screen. I just can't save it for some reason. This scan takes quite a long time will I beable to save the results if I run it in safe mode?
Windows 7 Ultimate, Service Pack 1
August 16th, 2010, 10:18 PM
#42
Skip GMER for now.
August 16th, 2010, 10:23 PM
#43
www.malwarebytes.org
Last edited by timmyb74; August 16th, 2010 at 10:25 PM .
Reason: Added information
Windows 7 Ultimate, Service Pack 1
August 16th, 2010, 10:24 PM
#44
Looks good
August 16th, 2010, 10:27 PM
#45
I added it to my previous post
Windows 7 Ultimate, Service Pack 1
Thread Information
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
Forum Rules
Reply With Quote
You can tell it's me and not Samuel can't you?