Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Garda virus..

  • 18-10-2012 6:50pm
    #1
    Registered Users, Registered Users 2 Posts: 2,704 ✭✭✭


    :(

    Must be fairly prevalent the last few days.

    I ran OTL and here is my log: some help would be great..

    OTL logfile created on: 18/10/2012 19:38:53 - Run 2
    OTL by OldTimer - Version 3.2.69.0 Folder = G:\
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00001809 | Country: Ireland | Language: ENI | Date Format: dd/MM/yyyy

    3.00 Gb Total Physical Memory | 2.71 Gb Available Physical Memory | 90.51% Memory free
    6.85 Gb Paging File | 6.76 Gb Available in Paging File | 98.75% Paging File free
    Paging file location(s): C:\pagefile.sys 4605 5000 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 19.53 Gb Total Space | 0.91 Gb Free Space | 4.65% Space Free | Partition Type: NTFS
    Drive D: | 107.69 Gb Total Space | 79.41 Gb Free Space | 73.74% Space Free | Partition Type: NTFS
    Drive E: | 203.10 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
    Drive F: | 102.39 Gb Total Space | 62.92 Gb Free Space | 61.46% Space Free | Partition Type: NTFS
    Drive G: | 7.45 Gb Total Space | 0.44 Gb Free Space | 5.94% Space Free | Partition Type: FAT32

    Computer Name: SLISI-L3C5814 | User Name: Cheenso | Logged in as Administrator.
    Boot Mode: SafeMode with Networking | Scan Mode: Current user
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012/10/18 19:37:04 | 000,602,112 | ---- | M] (OldTimer Tools) -- G:\OTL.exe
    PRC - [2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


    ========== Modules (No Company Name) ==========


    ========== Services (SafeList) ==========

    SRV - File not found [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)
    SRV - [2012/10/14 14:52:10 | 000,115,168 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
    SRV - [2012/07/13 13:28:36 | 000,160,944 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
    SRV - [2012/06/03 10:44:46 | 000,071,096 | ---- | M] () [Auto | Stopped] -- F:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccess)
    SRV - [2012/03/07 01:15:14 | 000,044,768 | ---- | M] (AVAST Software) [Auto | Stopped] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
    DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
    DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
    DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ewusbmdm.sys -- (hwdatacard)
    DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Cheenso\LOCALS~1\Temp\catchme.sys -- (catchme)
    DRV - [2012/06/03 10:44:46 | 000,005,504 | ---- | M] () [File_System | Auto | Stopped] -- C:\WINDOWS\System32\drivers\StarOpen.sys -- (StarOpen)
    DRV - [2012/03/07 01:03:51 | 000,612,184 | ---- | M] (AVAST Software) [File_System | System | Stopped] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
    DRV - [2012/03/07 01:03:38 | 000,337,880 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
    DRV - [2012/03/07 01:02:00 | 000,035,672 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
    DRV - [2012/03/07 01:01:53 | 000,053,848 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
    DRV - [2012/03/07 01:01:39 | 000,095,704 | ---- | M] (AVAST Software) [File_System | Auto | Stopped] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
    DRV - [2012/03/07 01:01:30 | 000,020,696 | ---- | M] (AVAST Software) [File_System | Auto | Stopped] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
    DRV - [2012/03/07 00:58:29 | 000,024,920 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
    DRV - [2012/01/04 15:28:36 | 000,016,128 | ---- | M] (Windows (R) Win 7 DDK provider) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\gtkdrv.sys -- (TrojanKillerDriver)
    DRV - [2010/10/07 12:11:38 | 006,609,920 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETwLx32.sys -- (NETwLx32)
    DRV - [2010/03/30 23:38:26 | 000,020,968 | ---- | M] (Windows (R) Win 7 DDK provider) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\cpuz133_x32.sys -- (cpuz133)
    DRV - [2008/06/03 13:37:04 | 000,005,632 | ---- | M] (Windows (R) Codename Longhorn DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hidshim.sys -- (hidshim)
    DRV - [2008/06/03 13:37:00 | 000,023,040 | ---- | M] (Winbond Electronics Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\winbondhidcir.sys -- (winbondhidcir)
    DRV - [2008/05/09 01:00:00 | 002,880,512 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
    DRV - [2007/07/20 18:40:10 | 000,084,992 | ---- | M] (ATI Research Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AtiHdmi.sys -- (AtiHdmiService)
    DRV - [2007/05/30 20:04:56 | 004,424,192 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService)
    DRV - [2007/04/27 04:01:34 | 002,203,520 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NETw4x32.sys -- (NETw4x32)
    DRV - [2007/03/21 22:02:04 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp)
    DRV - [2007/03/01 22:22:04 | 000,988,032 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
    DRV - [2007/03/01 22:21:24 | 000,210,688 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
    DRV - [2007/03/01 22:21:22 | 000,731,136 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
    DRV - [2007/02/24 14:42:22 | 000,039,936 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
    DRV - [2007/02/21 12:16:12 | 000,012,416 | ---- | M] (Intel Corporation) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
    DRV - [2007/02/16 15:46:42 | 000,160,256 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
    DRV - [2007/01/23 16:40:20 | 000,042,496 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk)
    DRV - [2006/12/28 12:44:44 | 000,084,992 | ---- | M] (ATI Research Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AtiHdAud.sys -- (HdAudAddService)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
    IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
    IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    IE - HKCU\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - No CLSID value found
    IE - HKCU\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
    IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
    IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7ADFA_en
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

    ========== FireFox ==========

    FF - prefs.js..browser.startup.homepage: "www.google.ie"
    FF - prefs.js..extensions.enabledAddons: wrc@avast.com:7.0.1426
    FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
    FF - prefs.js..extensions.enabledItems: wrc@avast.com:7.0.1426
    FF - user.js - File not found

    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: F:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
    FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
    FF - HKCU\Software\MozillaPlugins\@Skype Limited.com/Facebook Video Calling Plugin: C:\Documents and Settings\Cheenso\Local Settings\Application Data\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited)
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Cheenso\Local Settings\Application Data\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Cheenso\Local Settings\Application Data\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2012/03/16 01:33:38 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 16.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/10/14 14:52:20 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 16.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/10/15 23:29:21 | 000,000,000 | ---D | M]

    [2010/05/05 19:12:20 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Cheenso\Application Data\Mozilla\Extensions
    [2012/07/24 23:53:07 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Cheenso\Application Data\Mozilla\Firefox\Profiles\kkqyf2hi.default\extensions
    [2010/08/03 01:20:44 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Cheenso\Application Data\Mozilla\Firefox\Profiles\kkqyf2hi.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2012/07/24 23:53:07 | 000,741,958 | ---- | M] () (No name found) -- C:\Documents and Settings\Cheenso\Application Data\Mozilla\Firefox\Profiles\kkqyf2hi.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
    [2012/10/14 14:50:20 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2012/03/16 01:33:38 | 000,000,000 | ---D | M] (avast! WebRep) -- C:\PROGRAM FILES\AVAST SOFTWARE\AVAST\WEBREP\FF
    [2012/10/14 14:52:18 | 000,261,600 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
    [2012/06/24 00:46:07 | 000,001,525 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
    [2012/09/04 17:34:18 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
    [2012/06/24 00:46:07 | 000,000,935 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
    [2012/06/24 00:46:07 | 000,001,166 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
    [2012/10/14 14:51:53 | 000,002,058 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml
    [2012/06/24 00:46:07 | 000,001,121 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

    ========== Chrome ==========

    CHR - homepage: chrome://newtab/
    CHR - Extension: No name found = C:\Documents and Settings\Cheenso\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
    CHR - Extension: No name found = C:\Documents and Settings\Cheenso\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
    CHR - Extension: No name found = C:\Documents and Settings\Cheenso\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\
    CHR - Extension: No name found = C:\Documents and Settings\Cheenso\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

    O1 HOSTS File: ([2011/09/18 15:53:28 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: ::1 localhost
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
    O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
    O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
    O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
    O4 - HKCU..\Run: [Facebook Update] C:\Documents and Settings\Cheenso\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe (Facebook Inc.)
    O4 - HKLM..\RunOnce: [AvgUninstallURL] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
    O4 - Startup: C:\Documents and Settings\Cheenso\Start Menu\Programs\Startup\ctfmon.lnk = C:\Documents and Settings\All Users\Application Data\lsass.exe (Microsoft Corporation)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html File not found
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
    O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
    O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
    O24 - Desktop WallPaper: C:\Documents and Settings\Cheenso\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\Cheenso\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2010/05/05 17:52:44 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [1997/01/29 15:54:58 | 000,000,029 | R--- | M] () - E:\AUTORUN.INF -- [ CDFS ]
    O32 - AutoRun File - [1997/01/29 15:20:22 | 000,026,624 | R--- | M] () - E:\AUTOSET.EXE -- [ CDFS ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/10/17 23:03:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\GridinSoft Trojan Killer
    [2012/10/17 00:34:07 | 000,033,280 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Application Data\lsass.exe
    [2012/10/15 23:28:57 | 000,000,000 | -HSD | C] -- C:\Config.Msi
    [2012/10/14 14:50:15 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
    [2012/09/30 18:48:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Cheenso\Start Menu\Programs\Bullfrog
    [2012/09/30 18:47:03 | 000,299,008 | ---- | C] (InstallShield Corporation, Inc.) -- C:\WINDOWS\uninst.exe
    [2012/09/30 18:46:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Cheenso\WINDOWS

    ========== Files - Modified Within 30 Days ==========

    [2012/10/18 19:32:55 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2012/10/18 19:32:01 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2012/10/18 19:21:57 | 083,023,306 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\nomftc.pad
    [2012/10/18 19:07:06 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2012/10/18 19:03:03 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
    [2012/10/18 19:03:00 | 000,000,282 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1409082233-2052111302-839522115-1003.job
    [2012/10/18 19:03:00 | 000,000,280 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-18.job
    [2012/10/18 00:33:01 | 000,000,986 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-2052111302-839522115-1003UA.job
    [2012/10/17 23:36:07 | 000,000,672 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Trojan Killer.lnk
    [2012/10/17 23:02:12 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
    [2012/10/17 00:36:21 | 000,001,052 | ---- | M] () -- C:\Documents and Settings\Cheenso\Start Menu\Programs\Startup\ctfmon.lnk
    [2012/10/17 00:34:07 | 000,033,280 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Application Data\lsass.exe
    [2012/10/17 00:00:03 | 000,001,006 | ---- | M] () -- C:\WINDOWS\tasks\FacebookUpdateTaskUserS-1-5-21-1409082233-2052111302-839522115-1003UA.job
    [2012/10/17 00:00:01 | 000,000,984 | ---- | M] () -- C:\WINDOWS\tasks\FacebookUpdateTaskUserS-1-5-21-1409082233-2052111302-839522115-1003Core.job
    [2012/10/16 23:33:00 | 000,000,934 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-2052111302-839522115-1003Core.job
    [2012/10/11 22:29:01 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2012/09/30 21:26:00 | 000,000,290 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1409082233-2052111302-839522115-1003.job
    [2012/09/21 23:41:34 | 000,007,735 | ---- | M] () -- C:\Documents and Settings\Cheenso\Desktop\248424_460042417373987_2080977354_n.jpg
    [2012/09/21 23:38:37 | 000,008,489 | ---- | M] () -- C:\Documents and Settings\Cheenso\Desktop\A3WVLNICAAAfEH5.jpg large.jpg

    ========== Files Created - No Company Name ==========

    [2012/10/17 23:03:42 | 000,000,672 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Trojan Killer.lnk
    [2012/10/17 00:36:21 | 000,001,052 | ---- | C] () -- C:\Documents and Settings\Cheenso\Start Menu\Programs\Startup\ctfmon.lnk
    [2012/10/17 00:34:10 | 083,023,306 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\nomftc.pad
    [2012/09/21 23:41:33 | 000,007,735 | ---- | C] () -- C:\Documents and Settings\Cheenso\Desktop\248424_460042417373987_2080977354_n.jpg
    [2012/09/21 23:38:34 | 000,008,489 | ---- | C] () -- C:\Documents and Settings\Cheenso\Desktop\A3WVLNICAAAfEH5.jpg large.jpg
    [2012/08/26 01:33:59 | 000,005,504 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys
    [2012/02/16 06:31:20 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
    [2011/09/17 00:13:56 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\4c57cCJ.dat
    [2011/09/16 23:30:08 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2011/09/16 23:30:08 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2011/09/16 23:30:08 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2011/09/16 23:30:08 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2011/09/16 23:30:08 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2011/06/24 18:39:50 | 000,001,444 | ---- | C] () -- C:\Documents and Settings\Cheenso\.recently-used.xbel
    [2011/04/02 19:08:15 | 000,000,025 | ---- | C] () -- C:\Documents and Settings\Cheenso\.gtk-bookmarks
    [2010/05/13 18:52:23 | 000,008,192 | ---- | C] () -- C:\Documents and Settings\Cheenso\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

    ========== ZeroAccess Check ==========

    [2010/05/05 18:44:32 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

    [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

    [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
    "" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/14 01:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Apartment

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
    "" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 13:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Free

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
    "" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2008/04/14 01:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Both

    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2

    < End of report >


Comments

  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    open OTL copy and paste this in the custom scan/fixes box


    :OTL
    O4 - Startup: C:\Documents and Settings\Cheenso\Start Menu\Programs\Startup\ctfmon.lnk = C:\Documents and Settings\All Users\Application Data\lsass.exe (Microsoft Corporation)
    O32 - AutoRun File - [1997/01/29 15:54:58 | 000,000,029 | R--- | M] () - E:\AUTORUN.INF -- [ CDFS ]
    O32 - AutoRun File - [1997/01/29 15:20:22 | 000,026,624 | R--- | M] () - E:\AUTOSET.EXE -- [ CDFS ]
    [2012/10/17 00:34:07 | 000,033,280 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Application Data\lsass.exe
    [2012/10/18 19:21:57 | 083,023,306 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\nomftc.pad
    [2012/10/17 00:36:21 | 000,001,052 | ---- | M] () -- C:\Documents and Settings\Cheenso\Start Menu\Programs\Startup\ctfmon.lnk
    [2012/10/17 00:34:07 | 000,033,280 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Application Data\lsass.exe
    [2012/10/17 00:36:21 | 000,001,052 | ---- | C] () -- C:\Documents and Settings\Cheenso\Start Menu\Programs\Startup\ctfmon.lnk
    [2012/10/17 00:34:10 | 083,023,306 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\nomftc.pad


    :Commands
    [PURITY]
    [EMPTYTEMP]
    [EMPTYFLASH]
    [RESETHOSTS]
    [EMPTYJAVA]
    [CREATERESTOREPOINT]
    [Reboot]
    :Files
    ipconfig /flushdns /c


    click run fix post the log it gives you.


    also when did you run combofix ?


  • Registered Users, Registered Users 2 Posts: 2,704 ✭✭✭Cheensbo


    thanks for the reply ASJ, much appreciated,


    shoot, I completely forgot about combofix,

    Ran it a long time ago to rid another virus..

    Should i run it before i continue with the otl stuff?

    my bad,,


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    na was just curious, can go on with the OTL step


  • Registered Users, Registered Users 2 Posts: 2,704 ✭✭✭Cheensbo


    :OTL
    O4 - Startup: C:\Documents and Settings\Cheenso\Start Menu\Programs\Startup\ctfmon.lnk = C:\Documents and Settings\All Users\Application Data\lsass.exe (Microsoft Corporation)
    O32 - AutoRun File - [1997/01/29 15:54:58 | 000,000,029 | R--- | M] () - E:\AUTORUN.INF -- [ CDFS ]
    O32 - AutoRun File - [1997/01/29 15:20:22 | 000,026,624 | R--- | M] () - E:\AUTOSET.EXE -- [ CDFS ]
    [2012/10/17 00:34:07 | 000,033,280 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Application Data\lsass.exe
    [2012/10/18 19:21:57 | 083,023,306 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\nomftc.pad
    [2012/10/17 00:36:21 | 000,001,052 | ---- | M] () -- C:\Documents and Settings\Cheenso\Start Menu\Programs\Startup\ctfmon.lnk
    [2012/10/17 00:34:07 | 000,033,280 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Application Data\lsass.exe
    [2012/10/17 00:36:21 | 000,001,052 | ---- | C] () -- C:\Documents and Settings\Cheenso\Start Menu\Programs\Startup\ctfmon.lnk
    [2012/10/17 00:34:10 | 083,023,306 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\nomftc.pad


    :Commands
    [PURITY]
    [EMPTYTEMP]
    [EMPTYFLASH]
    [RESETHOSTS]
    [EMPTYJAVA]
    [CREATERESTOREPOINT]
    [Reboot]
    :Files
    ipconfig /flushdns /c

    Yeah, you actually helped me before, with a different virus (different username also) :o

    Thanks again,


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    you need to copy that into OTL and click run fix


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 2,704 ✭✭✭Cheensbo


    Oops pasted the wrong log :confused:

    Cant find the other one now, shyte.. but it worked.., re-booted and going good so far, going putting malwarebytes on it now..

    Cheer for the help ASJ,

    Yer a live saver :)


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    cool post a log from malwarebytes quick scan when its done


  • Registered Users, Registered Users 2 Posts: 2,704 ✭✭✭Cheensbo


    Malwarebytes Anti-Malware 1.65.1.1000
    www.malwarebytes.org

    Database version: v2012.10.18.10

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Cheenso :: SLISI-L3C5814 [administrator]

    18/10/2012 23:28:17
    mbam-log-2012-10-18 (23-28-17).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 187398
    Time elapsed: 31 minute(s), 12 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)


    Thats her there,

    Thanks again ASJ, would have been stumped without ya


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    cool, just open OTL click Cleanup and it will remove itself


  • Registered Users, Registered Users 2 Posts: 10,580 ✭✭✭✭Riesen_Meal


    A mate of mine popped over to me with a laptop with this on it the other day, luckily I was able to roll back to just before it happened, I couldnt re-install Windows as it was a machine she needed for college and had projects and the like on it, I couldnt get over how viruses have come on these days, had anyone slightly elderly or anything got it they would have gone to the Post office with 100 quid in their hand.....

    Any other tips to remove this nasty little bugger?


  • Advertisement
  • Moderators, Technology & Internet Moderators Posts: 11,017 Mod ✭✭✭✭yoyo


    Fieldog wrote: »
    A mate of mine popped over to me with a laptop with this on it the other day, luckily I was able to roll back to just before it happened, I couldnt re-install Windows as it was a machine she needed for college and had projects and the like on it, I couldnt get over how viruses have come on these days, had anyone slightly elderly or anything got it they would have gone to the Post office with 100 quid in their hand.....

    Any other tips to remove this nasty little bugger?

    GeoIP locating tables are available free of charge these days, it would be easy for hackers to use these and target specific IP addresses with their regional customizations.

    Nick


Advertisement