Admin Virus


Solved Re: Admin Virus

Post by danielsjack on Tue Oct 09, 2012 6:15 pm

OTL logfile created on: 10/9/2012 2:11:05 PM - Run 3
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\owner\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1015.43 Mb Total Physical Memory | 500.49 Mb Available Physical Memory | 49.29% Memory free
1.64 Gb Paging File | 1.17 Gb Available in Paging File | 71.09% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 23.37 Gb Free Space | 62.73% Space Free | Partition Type: NTFS
Drive D: | 55.22 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF

Computer Name: COMPUTER_1 | User Name: owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/10/09 14:10:30 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\owner\Desktop\OTL.exe
PRC - [2012/10/09 14:07:39 | 000,031,402 | ---- | M] () -- C:\Documents and Settings\owner\Local Settings\temp\mehuct.exe
PRC - [2012/10/09 14:07:35 | 000,012,970 | ---- | M] () -- C:\Documents and Settings\owner\Local Settings\temp\winghoeqs.exe
PRC - [2012/09/25 05:43:01 | 001,239,064 | ---- | M] (Google Inc.) -- C:\Documents and Settings\owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PRC - [2011/11/03 18:20:58 | 000,803,144 | ---- | M] (AVG) -- C:\Program Files\AVG\AVG PC Tuneup\BoostSpeed.exe
PRC - [2009/03/10 23:18:14 | 000,934,792 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\WgaTray.exe
PRC - [2008/04/14 00:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/07/08 17:24:46 | 000,871,424 | ---- | M] (Nero AG) -- C:\Program Files\Ahead\InCD\InCDsrv.exe
PRC - [2005/07/08 10:25:10 | 001,397,760 | ---- | M] (Nero AG) -- C:\Program Files\Ahead\InCD\InCD.exe
PRC - [2003/12/08 17:35:14 | 000,110,592 | ---- | M] (Cyberlink Corp.) -- C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe


========== Modules (No Company Name) ==========

MOD - [2012/10/09 14:07:39 | 000,031,402 | ---- | M] () -- C:\Documents and Settings\owner\Local Settings\temp\mehuct.exe
MOD - [2012/10/09 14:07:35 | 000,012,970 | ---- | M] () -- C:\Documents and Settings\owner\Local Settings\temp\winghoeqs.exe
MOD - [2012/09/25 05:42:58 | 000,460,312 | ---- | M] () -- C:\Documents and Settings\owner\Local Settings\Application Data\Google\Chrome\Application\22.0.1229.79\ppgooglenaclpluginchrome.dll
MOD - [2012/09/25 05:42:57 | 012,278,808 | ---- | M] () -- C:\Documents and Settings\owner\Local Settings\Application Data\Google\Chrome\Application\22.0.1229.79\PepperFlash\pepflashplayer.dll
MOD - [2012/09/25 05:42:55 | 004,005,912 | ---- | M] () -- C:\Documents and Settings\owner\Local Settings\Application Data\Google\Chrome\Application\22.0.1229.79\pdf.dll
MOD - [2012/09/25 05:41:27 | 000,156,712 | ---- | M] () -- C:\Documents and Settings\owner\Local Settings\Application Data\Google\Chrome\Application\22.0.1229.79\avutil-51.dll
MOD - [2012/09/25 05:41:26 | 000,275,496 | ---- | M] () -- C:\Documents and Settings\owner\Local Settings\Application Data\Google\Chrome\Application\22.0.1229.79\avformat-54.dll
MOD - [2012/09/25 05:41:24 | 002,168,360 | ---- | M] () -- C:\Documents and Settings\owner\Local Settings\Application Data\Google\Chrome\Application\22.0.1229.79\avcodec-54.dll
MOD - [2012/02/20 21:29:04 | 000,087,912 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2012/02/20 21:28:42 | 001,242,472 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2011/11/03 18:21:06 | 000,350,024 | ---- | M] () -- C:\Program Files\AVG\AVG PC Tuneup\madExcept_.bpl
MOD - [2011/11/03 18:21:06 | 000,184,136 | ---- | M] () -- C:\Program Files\AVG\AVG PC Tuneup\madBasic_.bpl
MOD - [2011/11/03 18:21:06 | 000,050,504 | ---- | M] () -- C:\Program Files\AVG\AVG PC Tuneup\madDisAsm_.bpl
MOD - [2008/04/14 00:42:00 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll
MOD - [2008/04/14 00:41:52 | 000,059,904 | ---- | M] () -- C:\WINDOWS\system32\devenum.dll


========== Services (SafeList) ==========

SRV - [2012/07/13 14:14:14 | 000,160,944 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2005/07/08 17:24:46 | 000,871,424 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files\Ahead\InCD\InCDsrv.exe -- (InCDsrv)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\imkrin.sys -- (abp470n5)
DRV - [2010/07/08 15:09:10 | 000,606,056 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RTL8192su.sys -- (RTL8192su)
DRV - [2009/08/26 18:10:26 | 000,213,544 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2008/04/14 01:15:30 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2008/04/13 23:06:08 | 000,084,480 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ac97via.sys -- (VIAudio)
DRV - [2007/05/15 01:03:24 | 000,445,696 | R--- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rt73.sys -- (RT73)
DRV - [2005/07/08 17:17:56 | 000,008,704 | ---- | M] (Nero AG) [Recognizer | System | Unknown] -- C:\WINDOWS\System32\drivers\InCDrec.sys -- (InCDrec)
DRV - [2005/07/08 17:17:54 | 000,099,584 | ---- | M] (Nero AG) [File_System | Disabled | Running] -- C:\WINDOWS\System32\drivers\InCDfs.sys -- (InCDfs)
DRV - [2005/07/08 17:17:36 | 000,029,696 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\InCDpass.sys -- (InCDPass)
DRV - [2005/07/08 10:17:32 | 000,028,672 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\InCDrm.sys -- (incdrm)
DRV - [2003/12/05 05:46:36 | 000,010,368 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKLM\..\URLSearchHook: {e917fc61-7f80-4f1f-a882-cdffffbe4c8d} - C:\Program Files\D-Link Toolbar\dlinktb.dll (AOL LLC.)
IE - HKLM\..\SearchScopes,Backup.Old.DefaultScope = {443789B7-F39C-4b5c-9287-DA72D38F4FE6}
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = [You must be registered and logged in to see this link.]
IE - HKLM\..\SearchScopes\{3EEF15EC-2ABA-0A31-2D9C-385F5AB25C69}: "URL" = [You must be registered and logged in to see this link.]
IE - HKLM\..\SearchScopes\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}: "URL" = [You must be registered and logged in to see this link.]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Backup.Old.Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\..\URLSearchHook: {e917fc61-7f80-4f1f-a882-cdffffbe4c8d} - C:\Program Files\D-Link Toolbar\dlinktb.dll (AOL LLC.)
IE - HKCU\..\SearchScopes,Backup.Old.DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = [You must be registered and logged in to see this link.]
IE - HKCU\..\SearchScopes\{3EEF15EC-2ABA-0A31-2D9C-385F5AB25C69}: "URL" = [You must be registered and logged in to see this link.]
IE - HKCU\..\SearchScopes\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}: "URL" = [You must be registered and logged in to see this link.]
IE - HKCU\..\SearchScopes\{B1D56A4B-5CED-4B41-9B77-0A5DC4BF522C}: "URL" = [You must be registered and logged in to see this link.]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Search"
FF - prefs.js..browser.search.defaultenginename: "Search"
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\owner\Local Settings\Application Data\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\owner\Local Settings\Application Data\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)


[2012/01/23 10:42:06 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\owner\Application Data\Mozilla\Extensions
[2012/08/21 13:55:31 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\n5g4619o.default\extensions
[2012/08/21 13:55:31 | 000,000,000 | ---D | M] ("Shopping Sidekick") -- C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\n5g4619o.default\extensions\crossriderapp5058@crossrider.com

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\owner\Local Settings\Application Data\Google\Chrome\Application\21.0.1180.89\PepperFlash\pepflashplayer.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\owner\Local Settings\Application Data\Google\Chrome\Application\22.0.1229.79\gcswf32.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Documents and Settings\owner\Local Settings\Application Data\Google\Chrome\Application\22.0.1229.79\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\owner\Local Settings\Application Data\Google\Chrome\Application\22.0.1229.79\pdf.dll
CHR - plugin: Skype Toolbars (Enabled) = C:\Documents and Settings\owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\5.8.0.8855_0\npSkypeChromePlugin.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Acrobat 5.0\Reader\Browser\nppdf32.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\owner\Local Settings\Application Data\Google\Update\1.3.21.123\npGoogleUpdate3.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
CHR - Extension: Skype Click to Call = C:\Documents and Settings\owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\5.8.0.8855_0\
CHR - Extension: SaveValet = C:\Documents and Settings\owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mffdcionknddopdmdnloanoafafkmckb\1.7.0.105_0\

O1 HOSTS File: ([2012/10/06 14:52:45 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx ()
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (D-Link Toolbar Loader) - {f01858c7-2a68-4d93-9e22-502eae3917c2} - C:\Program Files\D-Link Toolbar\dlinktb.dll (AOL LLC.)
O3 - HKLM\..\Toolbar: (D-Link Toolbar) - {61874dfa-9adf-44e5-8e61-f3913707e7d7} - C:\Program Files\D-Link Toolbar\dlinktb.dll (AOL LLC.)
O3 - HKCU\..\Toolbar\WebBrowser: (D-Link Toolbar) - {61874DFA-9ADF-44E5-8E61-F3913707E7D7} - C:\Program Files\D-Link Toolbar\dlinktb.dll (AOL LLC.)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe (Nero AG)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [RemoteControl] C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe (Cyberlink Corp.)
O4 - HKCU..\Run: [chromium] C:\Documents and Settings\owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe (Google Inc.)
O4 - HKCU..\Run: [PowerBar] C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe (Cyberlink, Corp.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll (Intertrust Technologies, Inc.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C9705ABE-3D7C-4881-9D68-3B7DD6D1B571}: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/10/17 22:40:14 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2011/02/08 22:46:43 | 000,000,000 | R--D | M] - D:\AutoPlay -- [ UDF ]
O32 - AutoRun File - [2010/01/09 21:37:38 | 000,000,042 | R--- | M] () - D:\autorun.inf -- [ UDF ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/10/09 14:10:28 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\owner\Desktop\OTL.exe
[2012/10/08 13:47:40 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/10/08 11:30:58 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\owner\Recent
[2012/10/08 11:30:58 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/10/06 14:59:43 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2012/10/02 19:32:36 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2012/10/02 19:32:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\CCleaner
[2012/09/28 11:18:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2012/09/16 10:52:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
[2012/09/15 15:49:58 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/09/15 15:48:29 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/09/15 15:48:29 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/09/15 15:48:29 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/09/15 15:48:29 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/09/15 15:48:19 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/09/15 15:48:17 | 000,000,000 | R--D | C] -- C:\Documents and Settings\owner\My Documents\My Videos
[2012/09/15 15:48:17 | 000,000,000 | R--D | C] -- C:\Documents and Settings\owner\Start Menu\Programs\Administrative Tools
[2012/09/15 15:48:07 | 000,000,000 | ---D | C] -- C:\WINDOWS\erdnt
[2012/09/14 19:03:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\owner\Desktop\Fix This Computer

========== Files - Modified Within 30 Days ==========

[2012/10/09 14:14:04 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\TEMP
[2012/10/09 14:10:30 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\owner\Desktop\OTL.exe
[2012/10/09 14:07:12 | 000,314,508 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/10/09 14:07:12 | 000,040,836 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/10/09 14:04:19 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/10/09 14:04:18 | 000,000,368 | ---- | M] () -- C:\WINDOWS\tasks\AVG PC Tuneup Integrator Start On owner Logon.job
[2012/10/09 14:03:05 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/10/09 12:48:01 | 000,000,978 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-1004336348-1606980848-1003UA.job
[2012/10/09 12:48:00 | 000,000,926 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-1004336348-1606980848-1003Core.job
[2012/10/06 14:52:45 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/10/02 18:07:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/09/28 16:12:25 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/09/28 13:52:06 | 000,002,284 | ---- | M] () -- C:\Documents and Settings\owner\Desktop\Google Chrome.lnk
[2012/09/28 13:52:06 | 000,002,262 | ---- | M] () -- C:\Documents and Settings\owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2012/09/15 15:50:03 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2012/09/12 14:32:42 | 000,000,118 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI

========== Files Created - No Company Name ==========

[2012/09/15 15:55:26 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\TEMP
[2012/09/15 15:50:03 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2012/09/15 15:49:59 | 000,260,272 | R-S- | C] () -- C:\cmldr
[2012/09/15 15:48:29 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/09/15 15:48:29 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/09/15 15:48:29 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/09/15 15:48:29 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/09/15 15:48:29 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/02/17 04:15:42 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2012/02/16 15:57:39 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/02/12 12:35:21 | 000,000,440 | R-S- | C] () -- C:\Documents and Settings\owner\ntuser.pol
[2011/10/17 22:56:11 | 000,110,592 | ---- | C] () -- C:\Program Files\Uninstall_CDS.exe
[2011/10/17 22:42:56 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2011/10/17 22:37:11 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2011/10/17 18:31:12 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2011/10/17 18:30:02 | 000,264,616 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

========== ZeroAccess Check ==========


[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2011/09/05 09:56:22 | 001,510,400 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 08:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/14 00:42:10 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2012/04/16 10:32:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2012/01/10 22:27:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\D-Link Toolbar
[2012/02/12 14:48:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\iolo
[2012/05/09 08:55:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RegWork
[2012/03/18 22:52:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2012/02/28 18:05:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\owner\Application Data\AVG
[2011/10/17 22:58:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\owner\Application Data\InterTrust
[2012/02/12 14:46:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\owner\Application Data\iolo
[2012/01/10 21:37:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\owner\Application Data\VirtualStore

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 145 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4
@Alternate Data Stream - 133 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4

< End of report >

danielsjack | Novice | Posts: 41 | Joined: 2012-09-14 | Gender: Male | OS: Windows 7

Solved Re: Admin Virus

Post by Dr Jay on Wed Oct 10, 2012 7:33 pm

Please run OTL
  • Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:

    :OTL
    PRC - [2012/10/09 14:07:39 | 000,031,402 | ---- | M] () -- C:\Documents and Settings\owner\Local Settings\temp\mehuct.exe
    PRC - [2012/10/09 14:07:35 | 000,012,970 | ---- | M] () -- C:\Documents and Settings\owner\Local Settings\temp\winghoeqs.exe
    MOD - [2012/10/09 14:07:39 | 000,031,402 | ---- | M] () -- C:\Documents and Settings\owner\Local Settings\temp\mehuct.exe
    MOD - [2012/10/09 14:07:35 | 000,012,970 | ---- | M] () -- C:\Documents and Settings\owner\Local Settings\temp\winghoeqs.exe
    DRV - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\imkrin.sys -- (abp470n5)
    IE - HKLM\..\SearchScopes\{3EEF15EC-2ABA-0A31-2D9C-385F5AB25C69}: "URL" = [You must be registered and logged in to see this link.]
    IE - HKLM\..\SearchScopes\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}: "URL" = [You must be registered and logged in to see this link.]
    IE - HKCU\..\URLSearchHook: {e917fc61-7f80-4f1f-a882-cdffffbe4c8d} - C:\Program Files\D-Link Toolbar\dlinktb.dll (AOL LLC.)
    IE - HKCU\..\SearchScopes,Backup.Old.DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = [You must be registered and logged in to see this link.]
    IE - HKCU\..\SearchScopes\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}: "URL" = [You must be registered and logged in to see this link.]
    IE - HKCU\..\SearchScopes\{B1D56A4B-5CED-4B41-9B77-0A5DC4BF522C}: "URL" = [You must be registered and logged in to see this link.]
    IE - HKLM\..\URLSearchHook: {e917fc61-7f80-4f1f-a882-cdffffbe4c8d} - C:\Program Files\D-Link Toolbar\dlinktb.dll (AOL LLC.)
    IE - HKLM\..\SearchScopes,Backup.Old.DefaultScope = {443789B7-F39C-4b5c-9287-DA72D38F4FE6}
    IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    FF - prefs.js..browser.search.selectedEngine: "Search"
    FF - prefs.js..browser.search.defaultenginename: "Search"
    [2012/08/21 13:55:31 | 000,000,000 | ---D | M] ("Shopping Sidekick") -- C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\n5g4619o.default\extensions\crossriderapp5058@crossrider.com
    O2 - BHO: (D-Link Toolbar Loader) - {f01858c7-2a68-4d93-9e22-502eae3917c2} - C:\Program Files\D-Link Toolbar\dlinktb.dll (AOL LLC.)
    O3 - HKLM\..\Toolbar: (D-Link Toolbar) - {61874dfa-9adf-44e5-8e61-f3913707e7d7} - C:\Program Files\D-Link Toolbar\dlinktb.dll (AOL LLC.)
    O3 - HKCU\..\Toolbar\WebBrowser: (D-Link Toolbar) - {61874DFA-9ADF-44E5-8E61-F3913707E7D7} - C:\Program Files\D-Link Toolbar\dlinktb.dll (AOL LLC.)
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
    [2012/01/10 22:27:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\D-Link Toolbar
    [2012/05/09 08:55:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RegWork
    @Alternate Data Stream - 145 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4
    @Alternate Data Stream - 133 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4

    :files
    c:\program files\regwork

    :commands
    [emptytemp]
    [reboot]

  • Then click the Run Fix button at the top.
  • Note: The fix for OTL automatically hides your Desktop and Start menu so the fix can be completed. Do not be alerted, as this is normal.
  • Please do not exit the program. It might take a while to fix, but allow it to run. If it asks to reboot the computer, allow it to reboot. If the program freezes, and the computer fails to reboot - let me know.
  • Lastly, post the contents of the log (located at C:\_OTL\Moved Files).


Dr. Jay (DJ)


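The fix script above targets several kinds of indicator that are visible in the OTL report: process and module entries with no company name running from the user's temp folder, a driver service (abp470n5) whose image file is missing yet is reported as Running, hijacked Internet Explorer search scopes, and the HKCU policies that disable Task Manager and Registry Editor. The Python below is an added example, not OTL's code or Dr Jay's, that applies those three file- and policy-based checks to OTL-format lines so a helper can triage a report before writing a fix. The regular expressions, rule names and the `Finding` type are this example's own assumptions about the line format; the sample lines are copied from the report earlier in the thread, with chrome.exe included as a benign control.

```python
"""Triage helper for OTL-style scan logs (added example; not part of OTL or this thread)."""
import re
from dataclasses import dataclass

# Sample input: lines copied from the OTL report posted above, plus one benign
# PRC entry (chrome.exe) and one harmless O6 policy line as control cases.
SAMPLE_LOG = """\
PRC - [2012/10/09 14:07:39 | 000,031,402 | ---- | M] () -- C:\\Documents and Settings\\owner\\Local Settings\\temp\\mehuct.exe
PRC - [2012/09/25 05:43:01 | 001,239,064 | ---- | M] (Google Inc.) -- C:\\Documents and Settings\\owner\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe
DRV - File not found [Kernel | On_Demand | Running] -- C:\\WINDOWS\\system32\\drivers\\imkrin.sys -- (abp470n5)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
O7 - HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\System: DisableTaskMgr = 1
O7 - HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\System: DisableRegistryTools = 1
O6 - HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer: NoDrives = 0
"""


@dataclass(frozen=True)
class Finding:
    rule: str     # short rule name (assumed naming, this example's own)
    subject: str  # file path, service name or policy value the finding is about
    detail: str   # why a human should look at it


# PRC/MOD lines: "[stamp | size | attrs | M] (Company) -- path"
PRC_RE = re.compile(
    r'^(?P<kind>PRC|MOD) - \[(?P<stamp>[^\]]*)\] \((?P<company>[^)]*)\) -- (?P<path>.+)$')
# DRV lines whose image is missing: "File not found [type | start | state] -- path -- (name)";
# the path may be empty, as in the WDICA line above.
DRV_MISSING_RE = re.compile(
    r'^DRV - File not found \[(?P<type>[^|]+)\|(?P<start>[^|]+)\|(?P<state>[^\]]+)\] --\s*'
    r'(?P<path>.*?)\s*-- \((?P<name>[^)]+)\)$')
# O6/O7 policy lines: "key: ValueName = data"
POLICY_RE = re.compile(r'^O[67] - (?P<key>HK\S.*?): (?P<value>\w+) = (?P<data>\S+)$')

# Policies that lock the user out of built-in admin tools; rogue software sets these.
LOCKOUT_POLICIES = {"DisableTaskMgr", "DisableRegistryTools"}
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


def triage(log_text: str) -> list[Finding]:
    """Return the suspicious entries found in an OTL-format report, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()

        m = PRC_RE.match(line)
        if m:
            company, path = m.group("company").strip(), m.group("path")
            # No publisher and loaded from a temp directory: the pattern of the
            # two executables Dr Jay's fix removes.
            if not company and any(t in path.lower() for t in TEMP_MARKERS):
                findings.append(Finding(
                    "unsigned-temp-binary", path,
                    f"{m.group('kind')} entry with no company name loaded from a temp directory"))
            continue

        m = DRV_MISSING_RE.match(line)
        if m:
            # Orphaned service entries that are Stopped are common leftovers;
            # a Running service whose file is gone from disk is not.
            if m.group("state").strip().lower() == "running":
                findings.append(Finding(
                    "running-driver-missing-file", m.group("name"),
                    f"driver service reports Running but its image "
                    f"{m.group('path') or '(no path)'} is not on disk"))
            continue

        m = POLICY_RE.match(line)
        if m and m.group("value") in LOCKOUT_POLICIES and m.group("data") == "1":
            findings.append(Finding(
                "admin-tool-lockout", m.group("value"),
                f"{m.group('key')} disables a built-in admin tool"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.subject}: {f.detail}")
```

Run against the sample it reports mehuct.exe, the abp470n5 service and the two lock-out policies, and stays silent on chrome.exe, the stopped WDICA entry and the NoDrives line. The search-scope hijacks in the fix are not covered because the forum software has replaced their URLs with a login placeholder, so there is nothing left to match on.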

Dr Jay | Head Administrator | Posts: 13711 | Joined: 2009-09-06 | Gender: Male | OS: Windows 10 Home & Pro

Solved Re: Admin Virus

Post by danielsjack on Thu Oct 11, 2012 2:11 pm

Stuck on the Windows shutting down screen. Comp not frozen though. Mouse still functional.

danielsjack | Novice | Posts: 41 | Joined: 2012-09-14 | Gender: Male | OS: Windows 7

Solved Re: Admin Virus

Post by Dr Jay on Thu Oct 11, 2012 2:31 pm

Force shutdown, and start back up. See if a log pops up within 5-10 minutes. If not, please post new OTL log as above.


Dr. Jay (DJ)



Dr Jay | Head Administrator | Posts: 13711 | Joined: 2009-09-06 | Gender: Male | OS: Windows 10 Home & Pro

Solved Re: Admin Virus

Post by danielsjack on Thu Oct 11, 2012 2:42 pm

All processes killed
========== OTL ==========
No active process named mehuct.exe was found!
No active process named winghoeqs.exe was found!
Error: Unable to stop service abp470n5!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\abp470n5 deleted successfully.
File C:\WINDOWS\system32\drivers\imkrin.sys not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{3EEF15EC-2ABA-0A31-2D9C-385F5AB25C69}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3EEF15EC-2ABA-0A31-2D9C-385F5AB25C69}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}\ not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{e917fc61-7f80-4f1f-a882-cdffffbe4c8d} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e917fc61-7f80-4f1f-a882-cdffffbe4c8d}\ deleted successfully.
C:\Program Files\D-Link Toolbar\dlinktb.dll moved successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B1D56A4B-5CED-4B41-9B77-0A5DC4BF522C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B1D56A4B-5CED-4B41-9B77-0A5DC4BF522C}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{e917fc61-7f80-4f1f-a882-cdffffbe4c8d} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e917fc61-7f80-4f1f-a882-cdffffbe4c8d}\ not found.
File C:\Program Files\D-Link Toolbar\dlinktb.dll not found.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
Prefs.js: "Search" removed from browser.search.selectedEngine
Prefs.js: "Search" removed from browser.search.defaultenginename
C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\n5g4619o.default\extensions\crossriderapp5058@crossrider.com\skin folder moved successfully.
C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\n5g4619o.default\extensions\crossriderapp5058@crossrider.com\locale\en-US folder moved successfully.
C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\n5g4619o.default\extensions\crossriderapp5058@crossrider.com\locale folder moved successfully.
C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\n5g4619o.default\extensions\crossriderapp5058@crossrider.com\defaults\preferences folder moved successfully.
C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\n5g4619o.default\extensions\crossriderapp5058@crossrider.com\defaults folder moved successfully.
C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\n5g4619o.default\extensions\crossriderapp5058@crossrider.com\chrome\content folder moved successfully.
C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\n5g4619o.default\extensions\crossriderapp5058@crossrider.com\chrome folder moved successfully.
C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\n5g4619o.default\extensions\crossriderapp5058@crossrider.com folder moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f01858c7-2a68-4d93-9e22-502eae3917c2}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f01858c7-2a68-4d93-9e22-502eae3917c2}\ deleted successfully.
File C:\Program Files\D-Link Toolbar\dlinktb.dll not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{61874dfa-9adf-44e5-8e61-f3913707e7d7} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{61874dfa-9adf-44e5-8e61-f3913707e7d7}\ deleted successfully.
File Link Toolbar\dlinktb.dll not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{61874DFA-9ADF-44E5-8E61-F3913707E7D7} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{61874DFA-9ADF-44E5-8E61-F3913707E7D7}\ not found.
File Link Toolbar\dlinktb.dll not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableTaskMgr deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools deleted successfully.
C:\Documents and Settings\All Users\Application Data\D-Link Toolbar\ieToolbar\resources\en-US\ui folder moved successfully.
C:\Documents and Settings\All Users\Application Data\D-Link Toolbar\ieToolbar\resources\en-US\ticker folder moved successfully.
C:\Documents and Settings\All Users\Application Data\D-Link Toolbar\ieToolbar\resources\en-US\rss folder moved successfully.
C:\Documents and Settings\All Users\Application Data\D-Link Toolbar\ieToolbar\resources\en-US\local folder moved successfully.
C:\Documents and Settings\All Users\Application Data\D-Link Toolbar\ieToolbar\resources\en-US\buttons folder moved successfully.
C:\Documents and Settings\All Users\Application Data\D-Link Toolbar\ieToolbar\resources\en-US folder moved successfully.
C:\Documents and Settings\All Users\Application Data\D-Link Toolbar\ieToolbar\resources folder moved successfully.
C:\Documents and Settings\All Users\Application Data\D-Link Toolbar\ieToolbar folder moved successfully.
C:\Documents and Settings\All Users\Application Data\D-Link Toolbar folder moved successfully.
C:\Documents and Settings\All Users\Application Data\RegWork\Backups folder moved successfully.
C:\Documents and Settings\All Users\Application Data\RegWork folder moved successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4 deleted successfully.
Unable to delete ADS C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4 .
========== FILES ==========
c:\program files\RegWork\Tmp folder moved successfully.
c:\program files\RegWork\Logs folder moved successfully.
c:\program files\RegWork folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: J
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: owner
->Temp folder emptied: 3479 bytes
->Temporary Internet Files folder emptied: 115329 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 6964996 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 601088 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 16823 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 7.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 10112012_094257

Files\Folders moved on Reboot...
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_1328.dat not found!

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

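
The fix log above is mostly routine, but two lines deserve a second look before the run is called clean: OTL could not stop service abp470n5 (it did delete the service key, so the driver should not load again after a reboot, but it stayed loaded for the rest of that session), and the alternate data stream on ...\Application Data\TEMP:0B4227B4 is reported both "deleted successfully" and "Unable to delete". The only DisableTaskMgr and DisableRegistryTools values the fix removed were under HKEY_CURRENT_USER; Windows also honours those values under the HKEY_LOCAL_MACHINE Policies\System key, which is worth checking if Task Manager stays disabled after a fix like this. The script below is an added example, not part of the original thread and not OTL's own code: it parses a fix log in this format, groups every reported action by target, lists the targets that need manual follow-up, and shows which hives the policy values were cleared from. The embedded log is a constructed, abbreviated copy of the log posted above; the pattern set covers the line shapes that appear in this thread and marks anything else as unparsed rather than guessing.

```python
import re

# Constructed sample: an abbreviated excerpt in the shape of the OTL fix log
# posted above. Names and paths are copied from that log; it is not the full run.
SAMPLE_LOG = r"""All processes killed
========== OTL ==========
No active process named mehuct.exe was found!
Error: Unable to stop service abp470n5!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\abp470n5 deleted successfully.
File C:\WINDOWS\system32\drivers\imkrin.sys not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableTaskMgr deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools deleted successfully.
C:\Program Files\D-Link Toolbar\dlinktb.dll moved successfully.
File C:\Program Files\D-Link Toolbar\dlinktb.dll not found.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4 deleted successfully.
Unable to delete ADS C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4 .
========== FILES ==========
c:\program files\RegWork folder moved successfully.
========== COMMANDS ==========
"""

# One regex per line shape seen in the thread. Outcome None means it is read
# from the 'res' group (registry lines say 'deleted successfully' or 'not found').
PATTERNS = [
    (re.compile(r"^Error: Unable to stop service (?P<target>\S+)!$"), "service", "failed"),
    (re.compile(r"^Unable to delete ADS (?P<target>.+?) ?\.$"), "ads", "failed"),
    (re.compile(r"^ADS (?P<target>.+?) deleted successfully\.$"), "ads", "success"),
    (re.compile(r"^No active process named (?P<target>\S+) was found!$"), "process", "not_found"),
    (re.compile(r"^Registry (?:key|value) (?P<target>.+?) (?P<res>deleted successfully|not found)\.$"),
     "registry", None),
    (re.compile(r"^File (?P<target>.+?) not found\.$"), "file", "not_found"),
    (re.compile(r"^(?P<target>.+?) (?:folder )?moved successfully\.$"), "file", "success"),
]
SECTION_RX = re.compile(r"^=+ (.+?) =+$")
POLICY_VALUES = ("DisableTaskMgr", "DisableRegistryTools")


def parse_fix_log(text):
    """Turn fix-log lines into records: section, kind, target, outcome, line.
    Lines matching no known shape are kept as kind 'unparsed' so nothing the
    tool reported is silently dropped."""
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RX.match(line)
        if m:
            section = m.group(1)
            continue
        for rx, kind, outcome in PATTERNS:
            m = rx.match(line)
            if m:
                if outcome is None:
                    outcome = "success" if m.group("res") == "deleted successfully" else "not_found"
                records.append({"section": section, "kind": kind, "target": m.group("target"),
                                "outcome": outcome, "line": line})
                break
        else:
            records.append({"section": section, "kind": "unparsed", "target": line,
                            "outcome": "unknown", "line": line})
    return records


def summarize(records):
    """Count records per outcome."""
    counts = {}
    for r in records:
        counts[r["outcome"]] = counts.get(r["outcome"], 0) + 1
    return counts


def follow_up_items(records):
    """Targets the tool could not stop or delete. A target is listed even when a
    success line was also printed for it (the ADS case), because a contradictory
    report means the result has to be verified by hand."""
    seen = {}
    for r in records:
        key = (r["kind"], r["target"].lower())
        entry = seen.setdefault(key, {"kind": r["kind"], "target": r["target"], "outcomes": set()})
        entry["outcomes"].add(r["outcome"])
    return [(e["kind"], e["target"], sorted(e["outcomes"]))
            for e in seen.values() if "failed" in e["outcomes"]]


def policy_hives_cleared(records):
    """For each Task Manager / Registry Tools policy value, the hives it was deleted
    from. Windows honours these under both HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE
    (same Policies\\System subkey); clearing one hive leaves the other copy in force."""
    hives = {v: set() for v in POLICY_VALUES}
    for r in records:
        if r["kind"] == "registry" and r["outcome"] == "success":
            for v in POLICY_VALUES:
                if r["target"].endswith("\\" + v):
                    hives[v].add(r["target"].split("\\", 1)[0])
    return {v: sorted(h) for v, h in hives.items()}


if __name__ == "__main__":
    recs = parse_fix_log(SAMPLE_LOG)
    print("outcomes:", summarize(recs))
    for kind, target, outcomes in follow_up_items(recs):
        print(f"FOLLOW UP [{kind}] {target}  reported: {', '.join(outcomes)}")
    print("policy values cleared from:", policy_hives_cleared(recs))
```

Run against the sample, the follow-up list contains exactly the service that would not stop and the ADS with the contradictory report, and the policy check shows both values cleared from HKEY_CURRENT_USER only. Feed it the full log from the post instead of the sample and the same two items come out, which is the list to verify after the reboot.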
Solved Re: Admin Virus

Post by Dr Jay on Fri Oct 12, 2012 5:06 pm

Good work!

Now, how is it all working? Please give a summary, so we know how to continue from here...



Solved Re: Admin Virus

Post by danielsjack on Fri Oct 12, 2012 5:14 pm

Running normally. Only weird thing is that whenever I shut down now it gets stuck on that same "Windows shutting down. . ." screen, so I have to force it. Upon rebooting I get a winlogon.exe error. Task Manager still disabled by the Admin.


Solved Re: Admin Virus

Post by Dr Jay on Sun Oct 14, 2012 5:41 pm

Do you have the latest Windows Updates installed?

Check at [You must be registered and logged in to see this link.]



Solved Re: Admin Virus

Post by danielsjack on Mon Oct 15, 2012 2:09 pm

I'm not able to receive updates from Microsoft because of the Windows invalidation.


Solved Re: Admin Virus

Post by Dr Jay on Tue Oct 16, 2012 7:42 pm

That seems to be the issue at this point, and there is nothing more to be done, unfortunately.



Solved Re: Admin Virus

Post by danielsjack on Wed Oct 17, 2012 5:50 pm

Alright. Well, thank you for all your help.


Solved Re: Admin Virus

Post by Dr Jay on Thu Oct 18, 2012 3:27 pm

You're welcome. Didn't mean to sound short, was way behind yesterday.

Best of luck getting that activated again. After you do that, you'll be able to update Windows and probably solve half of its problems.

Topic marked solved.


