Virulent Police ecrime virus

pete284

New Member
Thread author
May 6, 2013
7
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 06-05-2013
Ran by SYSTEM on 07-05-2013 01:56:34
Running from D:\
Microsoft Windows XP (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Recovery
The current controlset is ControlSet002
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [32768 2004-06-29] (Cyberlink Corp.)
HKLM\...\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE [212992 2002-09-13] ()
HKLM\...\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [57344 2003-08-19] (Lexmark International, Inc.)
HKLM\...\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon [866816 2004-01-26] (THOMSON Telecom Belgium)
HKLM\...\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd [x]
HKLM\...\Run: [SoundMan] SOUNDMAN.EXE [x]
HKLM\...\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h [1800464 2009-11-21] (COMODO)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2010-11-29] (Apple Inc.)
HKLM\...\Winlogon: [System]
HKU\ron\...\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background [ 2008-04-13] (Microsoft Corporation)
HKU\ron\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [x]
HKU\ron\...\Run: [Google Update] "C:\Documents and Settings\ron\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c [ 2011-07-09] (Google Inc.)
HKU\ron\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [ 2006-10-18] (Microsoft Corporation)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
ShortcutTarget: Adobe Reader Speed Launch.lnk -> C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\Belkin\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
ShortcutTarget: Kodak EasyShare software.lnk -> C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe (Eastman Kodak Company)
Startup: C:\Documents and Settings\ron\Start Menu\Programs\Startup\msconfig.lnk
ShortcutTarget: msconfig.lnk -> C:\DOCUME~1\ALLUSE~1\APPLIC~1\8edolo.dat (?????????? ??????????2)
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation)

========================== Services (Whitelisted) =================

S2 btwdins; C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe [266295 2006-06-07] (Broadcom Corporation.)
S2 cmdAgent; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [723632 2009-11-21] (COMODO)
S2 LexBceS; C:\WINDOWS\system32\LEXBCES.EXE [303104 2003-08-18] (Lexmark International, Inc.)
S2 SLService; C:\Windows\System32\slserv.exe [57344 2004-11-01] ( )
S2 winmgmt; C:\DOCUME~1\ALLUSE~1\APPLIC~1\8edolo.dat [148992 2013-05-04] (?????????? ??????????2)
S3 AppMgmt; %SystemRoot%\System32\appmgmts.dll [x]

==================== Drivers (Whitelisted) ====================

S3 alcan5wn; C:\Windows\System32\DRIVERS\alcan5wn.sys [53600 2003-12-08] (THOMSON)
S3 alcaudsl; C:\Windows\System32\DRIVERS\alcaudsl.sys [70688 2003-12-08] (THOMSON)
S3 ALCXWDM; C:\Windows\System32\drivers\ALCXWDM.SYS [4122368 2008-09-24] (Realtek Semiconductor Corp.)
S3 btaudio; C:\Windows\System32\drivers\btaudio.sys [329901 2006-06-07] (Broadcom Corporation.)
S3 BTDriver; C:\Windows\System32\DRIVERS\btport.sys [30459 2006-06-07] (Broadcom Corporation.)
S3 BTKRNL; C:\Windows\System32\DRIVERS\btkrnl.sys [855018 2006-06-07] (Broadcom Corporation.)
S3 BTWDNDIS; C:\Windows\System32\DRIVERS\btwdndis.sys [149028 2006-06-07] (Broadcom Corporation.)
S3 btwhid; C:\Windows\System32\DRIVERS\btwhid.sys [47811 2006-06-07] (Broadcom Corporation.)
S3 BTWUSB; C:\Windows\System32\Drivers\btwusb.sys [67384 2006-06-07] (Broadcom Corporation.)
S1 cmdGuard; C:\Windows\System32\DRIVERS\cmdguard.sys [133064 2009-11-25] (COMODO)
S1 cmdHlp; C:\Windows\System32\DRIVERS\cmdhlp.sys [25160 2009-11-21] (COMODO)
S3 cmuda; C:\Windows\System32\drivers\cmuda.sys [1373120 2006-06-09] (C-Media Inc)
S3 EL90XBC; C:\Windows\System32\DRIVERS\el90xbc5.sys [66591 2001-08-17] (3Com Corporation)
S0 Inspect; C:\Windows\System32\DRIVERS\inspect.sys [87104 2009-11-21] (COMODO)
S3 ms_mpu401; C:\Windows\System32\drivers\msmpu401.sys [2944 2001-08-17] (Microsoft Corporation)
S3 Mtlmnt5; C:\Windows\System32\DRIVERS\Mtlmnt5.sys [229720 2004-11-01] ( )
S3 Mtlstrm; C:\Windows\System32\DRIVERS\Mtlstrm.sys [1396048 2004-11-01] ( )
S0 RecAgent; C:\Windows\System32\DRIVERS\RecAgent.sys [14520 2004-11-01] ( )
S3 SiS315; C:\Windows\System32\DRIVERS\sisgrp.sys [217600 2004-05-14] (Silicon Integrated Systems Corporation)
S0 SiSide; C:\Windows\System32\DRIVERS\SISIDE.SYS [4096 2003-03-25] (Silicon Integrated Systems Corp.)
S1 SiSkp; C:\Windows\System32\DRIVERS\srvkp.sys [12416 2004-05-12] (Silicon Integrated Systems Corporation)
S3 SISNIC; C:\Windows\System32\DRIVERS\sisnic.sys [32256 2002-07-10] (SiS Corporation)
S3 Slntamr; C:\Windows\System32\DRIVERS\slntamr.sys [653960 2004-11-01] ( )
S3 SlNtHal; C:\Windows\System32\DRIVERS\Slnthal.sys [100176 2004-11-01] ( )
S3 SlWdmSup; C:\Windows\System32\DRIVERS\SlWdmSup.sys [13216 2004-11-01] ( )
S4 Abiosdsk; No ImagePath
S3 ALCXSENS; system32\drivers\ALCXSENS.SYS [x]
S4 Atdisk; No ImagePath
S1 Changer; No ImagePath
S1 lbrtfdc; No ImagePath
S1 PCIDump; No ImagePath
S3 PDCOMP; No ImagePath
S3 PDFRAME; No ImagePath
S3 PDRELI; No ImagePath
S3 PDRFRAME; No ImagePath
S4 Simbad; No ImagePath
S3 WDICA; No ImagePath
S1 WS2IFSL;

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-05-07 01:56 - 2013-05-07 01:56 - 00000000 ____D C:\FRST
2013-05-06 18:58 - 2013-05-06 18:58 - 03151954 ____A C:\lx12core3162ng.bin
2013-05-06 18:57 - 2013-05-06 18:58 - 74336731 ____A C:\u12iavi5803yp.bin
2013-05-06 18:57 - 2013-05-06 18:57 - 00002605 ____A C:\avg12infolx.ctf
2013-05-06 18:57 - 2013-05-06 18:57 - 00000705 ____A C:\avg12infoavi.ctf
2013-05-06 18:17 - 2013-05-06 18:19 - 00000403 ____A C:\Windows\wmsetup.log
2013-05-06 17:45 - 2013-05-06 17:45 - 00033280 ____N (Microsoft Corporation) C:\Documents and Settings\All Users\Application Data\rundll32.exe
2013-05-06 17:26 - 2013-05-06 17:26 - 00018744 ____A C:\Documents and Settings\ron\My Documents\cc_20130506_222633.reg
2013-05-06 17:13 - 2013-05-06 17:44 - 00065536 ____A C:\Windows\System32\config\Doctor Web.evt
2013-05-06 16:49 - 2013-05-06 16:49 - 00000000 ____D C:\Documents and Settings\ron\Doctor Web
2013-05-06 16:48 - 2013-05-06 16:48 - 00065536 ____A C:\Windows\System32\config\Doctor W.evt
2013-05-04 06:30 - 2013-05-06 18:26 - 95023320 ___AT C:\Documents and Settings\All Users\Application Data\olode8.pad
2013-05-04 06:30 - 2013-05-06 18:26 - 00000000 ____A C:\Documents and Settings\All Users\Application Data\as98213.txt
2013-05-04 06:30 - 2013-05-04 06:30 - 00148992 ____A (?????????? ??????????2) C:\Documents and Settings\All Users\Application Data\8edolo.dat
2013-05-04 06:30 - 2013-05-04 06:30 - 00003062 ____A C:\Documents and Settings\All Users\Application Data\olode8.js
2013-04-10 10:08 - 2013-04-10 10:08 - 00000000 __HDC C:\Windows\$NtUninstallKB2808735$
2013-04-10 09:59 - 2013-04-10 09:59 - 00000000 __HDC C:\Windows\$NtUninstallKB2820917$
2013-04-10 09:47 - 2013-04-10 09:47 - 00000000 __HDC C:\Windows\$NtUninstallKB2813345$
2013-04-10 09:38 - 2013-04-10 09:38 - 00000000 __HDC C:\Windows\$NtUninstallKB2813170$

==================== One Month Modified Files and Folders ========

2013-05-07 01:56 - 2013-05-07 01:56 - 00000000 ____D C:\FRST
2013-05-06 18:58 - 2013-05-06 18:58 - 03151954 ____A C:\lx12core3162ng.bin
2013-05-06 18:58 - 2013-05-06 18:57 - 74336731 ____A C:\u12iavi5803yp.bin
2013-05-06 18:57 - 2013-05-06 18:57 - 00002605 ____A C:\avg12infolx.ctf
2013-05-06 18:57 - 2013-05-06 18:57 - 00000705 ____A C:\avg12infoavi.ctf
2013-05-06 18:26 - 2013-05-04 06:30 - 95023320 ___AT C:\Documents and Settings\All Users\Application Data\olode8.pad
2013-05-06 18:26 - 2013-05-04 06:30 - 00000000 ____A C:\Documents and Settings\All Users\Application Data\as98213.txt
2013-05-06 18:26 - 2004-10-31 16:37 - 01940017 ____A C:\Windows\WindowsUpdate.log
2013-05-06 18:26 - 2004-10-31 09:32 - 00000159 ____A C:\Windows\wiadebug.log
2013-05-06 18:26 - 2004-10-31 09:32 - 00000050 ____A C:\Windows\wiaservc.log
2013-05-06 18:25 - 2011-04-30 06:42 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-05-06 18:25 - 2009-04-15 15:13 - 00000062 __ASH C:\Documents and Settings\ron\Local Settings\desktop.ini
2013-05-06 18:25 - 2004-10-31 16:43 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-05-06 18:25 - 2004-10-31 09:43 - 00000062 __ASH C:\Documents and Settings\NetworkService\Local Settings\desktop.ini
2013-05-06 18:25 - 2004-10-31 09:43 - 00000062 __ASH C:\Documents and Settings\LocalService\Local Settings\desktop.ini
2013-05-06 18:19 - 2013-05-06 18:17 - 00000403 ____A C:\Windows\wmsetup.log
2013-05-06 18:18 - 2009-05-21 10:38 - 00150822 ____A C:\logfile
2013-05-06 17:45 - 2013-05-06 17:45 - 00033280 ____N (Microsoft Corporation) C:\Documents and Settings\All Users\Application Data\rundll32.exe
2013-05-06 17:45 - 2010-08-07 10:55 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-05-06 17:44 - 2013-05-06 17:13 - 00065536 ____A C:\Windows\System32\config\Doctor Web.evt
2013-05-06 17:44 - 2009-04-15 15:13 - 00000178 ___SH C:\Documents and Settings\ron\ntuser.ini
2013-05-06 17:44 - 2004-10-31 16:43 - 00032570 ____A C:\Windows\SchedLgU.Txt
2013-05-06 17:43 - 2010-09-18 06:13 - 00000000 __HDC C:\Windows\$NtUninstallKB2259922$
2013-05-06 17:40 - 2012-05-01 06:57 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\529C533F000033A5000022A1D151FC84
2013-05-06 17:37 - 2012-09-17 10:42 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-05-06 17:34 - 2011-07-09 05:41 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-05-06 17:32 - 2011-08-28 06:23 - 00000970 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3638100101-2382298926-704877491-1007UA.job
2013-05-06 17:26 - 2013-05-06 17:26 - 00018744 ____A C:\Documents and Settings\ron\My Documents\cc_20130506_222633.reg
2013-05-06 17:23 - 2010-08-07 11:24 - 00000000 ____D C:\Documents and Settings\ron\Desktop\cleaning
2013-05-06 17:23 - 2010-08-07 10:16 - 00000000 ____D C:\Program Files\Defraggler
2013-05-06 17:18 - 2010-08-07 10:14 - 00000000 ____D C:\Program Files\CCleaner
2013-05-06 16:49 - 2013-05-06 16:49 - 00000000 ____D C:\Documents and Settings\ron\Doctor Web
2013-05-06 16:48 - 2013-05-06 16:48 - 00065536 ____A C:\Windows\System32\config\Doctor W.evt
2013-05-06 14:23 - 2004-10-31 16:22 - 00001170 ____A C:\Windows\System32\wpa.dbl
2013-05-04 08:32 - 2012-09-13 08:22 - 00000918 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3638100101-2382298926-704877491-1007Core1cd91aa5678e4e6.job
2013-05-04 06:30 - 2013-05-04 06:30 - 00148992 ____A (?????????? ??????????2) C:\Documents and Settings\All Users\Application Data\8edolo.dat
2013-05-04 06:30 - 2013-05-04 06:30 - 00003062 ____A C:\Documents and Settings\All Users\Application Data\olode8.js
2013-04-27 09:37 - 2009-05-21 10:38 - 03213312 ___RA C:\Documents and Settings\All Users\Documents\ESBK.mbb
2013-04-27 09:37 - 2009-05-21 10:38 - 01879040 ___RA C:\Documents and Settings\All Users\Documents\ESBK.mb
2013-04-18 09:25 - 2005-02-18 14:40 - 00000595 ____A C:\Windows\lexstat.ini
2013-04-15 06:12 - 2004-10-31 09:30 - 00522638 ____A C:\Windows\System32\PerfStringBackup.INI
2013-04-10 10:38 - 2011-08-28 06:32 - 00002268 ____A C:\Documents and Settings\ron\Desktop\Google Chrome.lnk
2013-04-10 10:29 - 2004-10-31 09:29 - 00146808 ____A C:\Windows\System32\FNTCACHE.DAT
2013-04-10 10:18 - 2011-08-28 06:23 - 00000918 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3638100101-2382298926-704877491-1007Core.job
2013-04-10 10:17 - 2009-05-26 10:39 - 00000000 ____D C:\Windows\ie8updates
2013-04-10 10:08 - 2013-04-10 10:08 - 00000000 __HDC C:\Windows\$NtUninstallKB2808735$
2013-04-10 10:08 - 2005-03-22 20:51 - 00000000 ___HD C:\Windows\$hf_mig$
2013-04-10 09:59 - 2013-04-10 09:59 - 00000000 __HDC C:\Windows\$NtUninstallKB2820917$
2013-04-10 09:47 - 2013-04-10 09:47 - 00000000 __HDC C:\Windows\$NtUninstallKB2813345$
2013-04-10 09:47 - 2009-05-12 08:33 - 70490256 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-04-10 09:38 - 2013-04-10 09:38 - 00000000 __HDC C:\Windows\$NtUninstallKB2813170$

==================== Known DLLs (Whitelisted) ============


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points (XP) =====================

RP: -> 2013-04-13 08:36 - 024576 _restore{56A8C224-54F6-4B5D-94C2-563CBEC264A0}\RP173

RP: -> 2013-04-10 09:28 - 024576 _restore{56A8C224-54F6-4B5D-94C2-563CBEC264A0}\RP172

RP: -> 2013-04-09 07:22 - 024576 _restore{56A8C224-54F6-4B5D-94C2-563CBEC264A0}\RP171

RP: -> 2013-03-30 08:00 - 024576 _restore{56A8C224-54F6-4B5D-94C2-563CBEC264A0}\RP170

RP: -> 2013-03-16 08:00 - 024576 _restore{56A8C224-54F6-4B5D-94C2-563CBEC264A0}\RP169

RP: -> 2013-03-12 07:54 - 024576 _restore{56A8C224-54F6-4B5D-94C2-563CBEC264A0}\RP168

RP: -> 2013-02-16 07:21 - 024576 _restore{56A8C224-54F6-4B5D-94C2-563CBEC264A0}\RP167

RP: -> 2013-02-09 09:52 - 024576 _restore{56A8C224-54F6-4B5D-94C2-563CBEC264A0}\RP166

RP: -> 2013-01-16 08:00 - 024576 _restore{56A8C224-54F6-4B5D-94C2-563CBEC264A0}\RP165

RP: -> 2013-01-10 09:09 - 024576 _restore{56A8C224-54F6-4B5D-94C2-563CBEC264A0}\RP164


==================== Memory info ===========================

Percentage of memory in use: 44%
Total physical RAM: 479.48 MB
Available physical RAM: 265.73 MB
Total Pagefile: 383.29 MB
Available Pagefile: 291.7 MB
Total Virtual: 2047.88 MB
Available Virtual: 1993.54 MB

==================== Drives ================================

Drive b: (RAMDisk) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS
Drive c: () (Fixed) (Total:146.6 GB) (Free:133.44 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive d: (HITMANPRO) (Removable) (Total:3.72 GB) (Free:3.72 GB) FAT32
Drive x: (ReatogoPE) (CDROM) (Total:0.28 GB) (Free:0 GB) CDFS
============================== MBR & Partition Table ==================

====================================================================
Disk: 0 (Size: 149 GB) (Disk ID: 5AC4A8C5)
Partition 1: (Not Active) - (Size=2 GB) - (Type=12)
Partition 2: (Active) - (Size=147 GB) - (Type=07 NTFS)

====================================================================
Disk: 1 (Size: 4 GB) (Disk ID: 0BBA1D82)
Partition 1: (Active) - (Size=4 GB) - (Type=0B)

==================== End Of Log ============================
 

Fiery

Level 1
Jan 11, 2011
2,007
Hi and welcome to MalwareTips! :)

I'm Fiery and I would gladly assist you in removing the malware on your computer.

PLEASE NOTE: The first 3 posts of ALL new members require approval by mods/admins. Please be patient if you don't see your post immediately after submitting it.

Before we start:
  • Note that the removal process is not immediate. Depending on the severity of your infection, it could take a long time.
  • Malware removal can be dangerous. I cannot guarantee the safety of your system as malware can be unpredictable. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system. Therefore, I would advise you to backup all your important files before we start.
  • Please be patient and stay with me until I give you the green light and inform you that your PC is clean.
  • Some tools may be flagged by your antivirus as harmful. Rest assured that ALL the tools we use are safe, the detections are false positives.
  • The absence of symptoms does not mean your PC is fully disinfected.
  • If you are unclear about the instructions, please stop and ask. Following the steps in the order that I post them in is vital.
  • Lastly, if you have requested help on other sites, that will delay and hinder the removal process. Please only stick to one site.

On another PC, open notepad and copy & paste the following:

ShortcutTarget: msconfig.lnk -> C:\DOCUME~1\ALLUSE~1\APPLIC~1\8edolo.dat (?????????? ??????????2)
C:\DOCUME~1\ALLUSE~1\APPLIC~1\8edolo.dat
S2 winmgmt; C:\DOCUME~1\ALLUSE~1\APPLIC~1\8edolo.dat [148992 2013-05-04] (?????????? ??????????2)
2013-05-06 18:58 - 2013-05-06 18:58 - 03151954 ____A C:\lx12core3162ng.bin
2013-05-06 18:57 - 2013-05-06 18:58 - 74336731 ____A C:\u12iavi5803yp.bin
2013-05-06 17:45 - 2013-05-06 17:45 - 00033280 ____N (Microsoft Corporation) C:\Documents and Settings\All Users\Application Data\rundll32.exe
2013-05-04 06:30 - 2013-05-06 18:26 - 95023320 ___AT C:\Documents and Settings\All Users\Application Data\olode8.pad
2013-05-04 06:30 - 2013-05-06 18:26 - 00000000 ____A C:\Documents and Settings\All Users\Application Data\as98213.txt
2013-05-04 06:30 - 2013-05-04 06:30 - 00148992 ____A (?????????? ??????????2) C:\Documents and Settings\All Users\Application Data\8edolo.dat
2013-05-06 18:57 - 2013-05-06 18:57 - 00002605 ____A C:\avg12infolx.ctf
2013-05-06 18:57 - 2013-05-06 18:57 - 00000705 ____A C:\avg12infoavi.ctf

and save it as fixlist.txt onto your flash drive.

Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log.

Then attempt to reboot normally.

Download Malwarebytes Anti-Rootkit from here to your Desktop
  • Unzip the contents to a folder on your Desktop.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Make sure there is a check next to Create Restore Point and click the Cleanup button to remove any threats. Reboot if prompted to do so.
  • After the reboot, perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If there are threats, click Cleanup once more and reboot.
  • When done, please post the two logs in the MBAR folder (mbar-log.txt and system-log.txt)
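The fixlist above was built by reading the FRST log for a handful of tells: an image loaded from Application Data, a .dat file registered both as a service image and as a Startup shortcut target, a garbled publisher field, and a copy of rundll32.exe outside the Windows directory. The Python script below is an added example, not part of this thread and not part of FRST; it applies those tells as heuristics to FRST-style log lines. The marker lists, name sets and parsing regexes are assumptions of the example, and a hit is a lead for a human analyst, not a verdict.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Heuristic lists are assumptions made for this example, not rules FRST applies.
APPDATA_MARKERS = ("\\application data\\", "\\applic~1\\", "\\local settings\\",
                   "\\programdata\\", "\\temp\\")
EXEC_EXTS = {"exe", "dll", "sys", "cpl", "scr", "ocx"}
# Built-in Windows service names whose image normally lives under %SystemRoot%.
SYSTEM_SERVICE_NAMES = {"winmgmt", "wuauserv", "eventlog", "appmgmt", "schedule"}
# System binaries that have no business living outside the Windows directory.
SYSTEM_BINARY_NAMES = {"rundll32.exe", "svchost.exe", "explorer.exe", "winlogon.exe"}

# A drive-letter path ending in a short extension, delimited by a quote, space,
# bracket, parenthesis or end of line (FRST wraps quoted paths in "..." and
# appends "[size date] (publisher)").
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\[\]()]+?\.([A-Za-z0-9]{1,4}))(?=["\s\[(]|$)')
# The "(publisher)" field: at end of line, or just before the path on the
# "Created Files" lines, where FRST prints the publisher first.
PUBLISHER_RE = re.compile(r'\(([^()]*)\)(?=\s*$|\s+[A-Za-z]:\\)')
# "S2 winmgmt; C:\..." style service lines.
SERVICE_RE = re.compile(r'^S[0-4]\s+([^;]+);')


@dataclass
class Finding:
    line: str
    path: str
    reasons: List[str] = field(default_factory=list)


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for any line that carries a file path; None otherwise."""
    m = PATH_RE.search(line)
    if not m:
        return None
    path, ext = m.group(1), m.group(2).lower()
    low = path.lower()
    basename = low.rsplit("\\", 1)[-1]
    svc = SERVICE_RE.match(line)
    is_autostart = bool(svc) or "\\Run:" in line or line.startswith("ShortcutTarget:")
    reasons = []

    if any(marker in low for marker in APPDATA_MARKERS):
        reasons.append("file lives in a user or application-data directory")
    if is_autostart and ext not in EXEC_EXTS:
        reasons.append("autostart/service image has a non-executable extension (." + ext + ")")
    pm = PUBLISHER_RE.search(line)
    publisher = pm.group(1).strip() if pm else None
    if publisher and set(publisher) <= set("? 0123456789"):
        reasons.append("publisher field is garbled or unreadable")
    elif publisher == "" and is_autostart:
        reasons.append("autostart entry has no publisher recorded")
    if svc and svc.group(1).strip().lower() in SYSTEM_SERVICE_NAMES and "\\windows\\" not in low:
        reasons.append("built-in service name '%s' with an image outside the Windows directory"
                       % svc.group(1).strip())
    if basename in SYSTEM_BINARY_NAMES and "\\windows\\" not in low:
        reasons.append("system binary name '%s' outside the Windows directory" % basename)
    return Finding(line, path, reasons)


def triage(lines, min_reasons: int = 1) -> List[Finding]:
    """Keep only the lines that trip at least min_reasons heuristics."""
    findings = []
    for raw in lines:
        f = triage_line(raw.strip())
        if f and len(f.reasons) >= min_reasons:
            findings.append(f)
    return findings


# Sample input: lines copied from the FRST log posted earlier in this thread.
SAMPLE_LINES = [
    r'HKLM\...\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [32768 2004-06-29] (Cyberlink Corp.)',
    r'HKLM\...\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE [212992 2002-09-13] ()',
    r'ShortcutTarget: msconfig.lnk -> C:\DOCUME~1\ALLUSE~1\APPLIC~1\8edolo.dat (?????????? ??????????2)',
    r'S2 winmgmt; C:\DOCUME~1\ALLUSE~1\APPLIC~1\8edolo.dat [148992 2013-05-04] (?????????? ??????????2)',
    r'2013-05-06 17:45 - 2013-05-06 17:45 - 00033280 ____N (Microsoft Corporation) C:\Documents and Settings\All Users\Application Data\rundll32.exe',
    r'S2 cmdAgent; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [723632 2009-11-21] (COMODO)',
    r'HKLM\...\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd [x]',
]

if __name__ == "__main__":
    # Lines with two or more hits are the ones worth a second look first.
    for f in triage(SAMPLE_LINES, min_reasons=2):
        print(f.path)
        for r in f.reasons:
            print("   -", r)
```

With the threshold at 2, only the three 8edolo.dat and rundll32.exe lines from the thread's log are reported; the Recguard entry with an empty publisher shows up only at threshold 1.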
 

pete284

New Member
Thread author
May 6, 2013
7
Fiery,

Thanks for your assistance, much appreciated.

I have run FRST and the following log was generated:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 06-05-2013
Ran by SYSTEM at 2013-05-07 17:44:25 Run:1
Running from D:\
Boot Mode: Recovery

==============================================

C:\DOCUME~1\ALLUSE~1\APPLIC~1\8edolo.dat => Moved successfully.
C:\DOCUME~1\ALLUSE~1\APPLIC~1\8edolo.dat => File/Directory not found.
winmgmt => Service deleted successfully.
C:\lx12core3162ng.bin => Moved successfully.
C:\u12iavi5803yp.bin => Moved successfully.
C:\Documents and Settings\All Users\Application Data\rundll32.exe => Moved successfully.
C:\Documents and Settings\All Users\Application Data\olode8.pad => Moved successfully.
C:\Documents and Settings\All Users\Application Data\as98213.txt => Moved successfully.
C:\Documents and Settings\All Users\Application Data\8edolo.dat => File/Directory not found.
C:\avg12infolx.ctf => Moved successfully.
C:\avg12infoavi.ctf => Moved successfully.

==== End of Fixlog ====

I have managed to boot back into the machine which shows an error dialogue
"file C:\Documents and Settings\All Users\Application Data\olode8.pad not found"

Malwarebytes Anti-Rootkit downloaded and run; results were nothing found. The log files requested are below.

Malwarebytes Anti-Rootkit BETA 1.05.0.1001
www.malwarebytes.org

Database version: v2013.05.07.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
ron :: HOME [administrator]

07/05/2013 18:20:28
mbar-log-2013-05-07 (18-20-28).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 25325
Time elapsed: 22 minute(s), 57 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.05.0.1001

(c) Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.948000 GHz
Memory total: 502775808, free: 134897664

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.05.0.1001

(c) Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.948000 GHz
Memory total: 502775808, free: 125980672

------------ Kernel report ------------
05/07/2013 17:56:10
------------ Loaded modules -----------
\WINDOWS\system32\ntoskrnl.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
pciide.sys
\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
aliide.sys
cmdide.sys
toside.sys
viaide.sys
intelide.sys
MountMgr.sys
ftdisk.sys
PartMgr.sys
SISIDE.SYS
VolSnap.sys
cpqarray.sys
\WINDOWS\system32\DRIVERS\SCSIPORT.SYS
atapi.sys
aha154x.sys
sparrow.sys
symc810.sys
aic78xx.sys
dac960nt.sys
ql10wnt.sys
amsint.sys
asc.sys
asc3550.sys
mraid35x.sys
i2omp.sys
ini910u.sys
ql1240.sys
aic78u2.sys
symc8xx.sys
sym_hi.sys
sym_u3.sys
ABP480N5.SYS
asc3350p.sys
cd20xrnt.sys
ultra.sys
adpu160m.sys
dpti2o.sys
ql1080.sys
ql1280.sys
ql12160.sys
perc2.sys
perc2hib.sys
hpn.sys
cbidf2k.sys
dac2w2k.sys
disk.sys
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
fltmgr.sys
sr.sys
PxHelp20.sys
KSecDD.sys
Ntfs.sys
inspect.sys
\WINDOWS\System32\DRIVERS\NDIS.SYS
\WINDOWS\System32\DRIVERS\TDI.SYS
SISAGPX.sys
viaagp.sys
RecAgent.sys
Mup.sys
agp440.sys
alim1541.sys
amdagp.sys
agpCPQ.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\sisgrp.sys
\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\system32\DRIVERS\imapi.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\redbook.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\drivers\ALCXWDM.SYS
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\DRIVERS\usbohci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\sisnic.sys
\SystemRoot\system32\DRIVERS\slntamr.sys
\SystemRoot\system32\DRIVERS\SlWdmSup.sys
\SystemRoot\system32\DRIVERS\Mtlmnt5.sys
\SystemRoot\System32\Drivers\Modem.SYS
\SystemRoot\system32\DRIVERS\fdc.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\DRIVERS\parport.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\gameenum.sys
\SystemRoot\system32\drivers\msmpu401.sys
\SystemRoot\system32\DRIVERS\btkrnl.sys
\SystemRoot\system32\DRIVERS\audstub.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\psched.sys
\SystemRoot\system32\DRIVERS\msgpc.sys
\SystemRoot\system32\DRIVERS\ptilink.sys
\SystemRoot\system32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\system32\drivers\btaudio.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\drivers\MODEMCSA.sys
\SystemRoot\system32\DRIVERS\flpydisk.sys
\SystemRoot\System32\Drivers\i2omgmt.SYS
\SystemRoot\System32\DRIVERS\cmdguard.sys
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\System32\DRIVERS\cmdhlp.sys
\SystemRoot\system32\DRIVERS\netbt.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\srvkp.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\System32\Drivers\Fips.SYS
\SystemRoot\system32\DRIVERS\ipnat.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_WMILIB.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\SiSGRV.dll
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\System32\Drivers\Fastfat.SYS
\SystemRoot\system32\drivers\wdmaud.sys
\SystemRoot\system32\drivers\sysaudio.sys
\SystemRoot\system32\DRIVERS\mrxdav.sys
\SystemRoot\System32\Drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\srv.sys
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
\WINDOWS\system32\ntdll.dll
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR5
Upper Device Object: 0xffffffff85c86030
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000090\
Lower Device Object: 0xffffffff85c876c0
Lower Device Driver Name: \Driver\USBSTOR\
Driver name found: USBSTOR
Initialization returned 0x0
Load Function returned 0x0
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff86748030
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-3\
Lower Device Object: 0xffffffff867973e8
Lower Device Driver Name: \Driver\atapi\
Driver name found: atapi
Initialization returned 0x0
Load Function returned 0x0
Downloaded database version: v2013.05.07.06
Downloaded database version: v2013.05.01.01
Initializing...
Done!
<<<2>>>
Device number: 0, partition: 2
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff86748030, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff86748e08, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff86748030, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff86795f18, DeviceName: \Device\00000081\, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff867973e8, DeviceName: \Device\Ide\IdeDeviceP0T0L0-3\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0xffffffffe1164d10, 0xffffffff86748030, 0xffffffff85bc89c0
Lower DeviceData: 0xffffffffe3993ca8, 0xffffffff867973e8, 0xffffffff85e52520
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning directory: C:\WINDOWS\system32\drivers...
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
File user open failed: C:\WINDOWS\system32\drivers\sfi.dat (0x00000005)
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 5AC4A8C5

Partition information:

Partition 0 type is Other (0x12)
Partition is NOT ACTIVE.
Partition starts at LBA: 63 Numsec = 5124672

Partition 1 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 5124735 Numsec = 307451970
Partition file system is NTFS
Partition is bootable

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 160040803840 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-312559695-312579695)...
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xffffffff85c86030, DeviceName: \Device\Harddisk1\DR5\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff85c889a0, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff85c86030, DeviceName: \Device\Harddisk1\DR5\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff85c876c0, DeviceName: \Device\00000090\, DriverName: \Driver\USBSTOR\
------------ End ----------
Alternate DeviceName: \Device\Harddisk1\DR5\, DriverName: \Driver\Disk\
Upper DeviceData: 0xffffffffe39fdc08, 0xffffffff85c86030, 0xffffffff85c6f578
Lower DeviceData: 0xffffffffe26dbbd0, 0xffffffff85c876c0, 0xffffffff8600da58
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: BBA1D82

Partition information:

Partition 0 type is Other (0xb)
Partition is ACTIVE.
Partition starts at LBA: 63 Numsec = 7823655
Partition file system is FAT32
Partition is not bootable

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 4009754624 bytes
Sector size: 512 bytes

Done!
Performing system, memory and registry scan...
Read File: File "c:\WINDOWS\$NtUninstallKB938464-v2_0$\gdiplus.man" is compressed (flags = 1)
Read File: File "c:\WINDOWS\$NtUninstallKB938464-v2_0$\gdiplus.man.001" is compressed (flags = 1)
Done!
Scan finished
=======================================
 

Fiery

Level 1
Jan 11, 2011
2,007
We are making progress :) But we are not in the clear yet.

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool (for Vista or Windows 7, right-click and select Run as Administrator to start)
  • Click delete
  • Please post the content of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt

Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select Run as Administrator to start
  • Wait until Prescan has finished, then click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller

Download OTL by Old Timer from here and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Click the Scan All Users checkbox.
  • Check the boxes beside LOP Check and Purity Check
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
  • Please attach the contents of these 2 Notepad files in your next reply.

If you don't know how to attach the files, please follow the instructions here: http://malwaretips.com/Thread-How-to-use-the-attachment-system?pid=16072#pid16072
 

pete284

New Member
Thread author
May 6, 2013
7
ADW Cleaner Result:

# AdwCleaner v2.300 - Logfile created 05/08/2013 at 10:13:19
# Updated 28/04/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : ron - HOME
# Boot Mode : Normal
# Running from : C:\Documents and Settings\ron\Desktop\AdwCleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Google Chrome v26.0.1410.64

File : C:\Documents and Settings\ron\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [1174 octets] - [08/05/2013 10:13:19]

########## EOF - C:\AdwCleaner[S1].txt - [1234 octets] ##########

Rogue Killer Result:

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : ron [Admin rights]
Mode : Scan -- Date : 05/08/2013 10:25:34
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[STARTUP][SUSP PATH] msconfig.lnk @ron : C:\WINDOWS\system32\rundll32.exe|C:\DOCUME~1\ALLUSE~1\APPLIC~1\8edolo.dat,FG00 [7] -> FOUND
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 7e42c9a88b959695bf4e213f3b35762b
[BSP] 3cda4424f20ae62ff0f903d6e46a684a : Legit.B MBR Code
Partition table:
0 - [XXXXXX] COMPAQ (0x12) [VISIBLE] Offset (sectors): 63 | Size: 2502 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 5124735 | Size: 150123 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_05082013_02d1025.txt >>
RKreport[1]_S_05082013_02d1025.txt


I have attached the OTL files as requested.
 

Attachments

  • OTL.Txt
    59.3 KB · Views: 93
  • Extras.Txt
    30.1 KB · Views: 90
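The `[STARTUP][SUSP PATH]` line in the RogueKiller report is the persistence mechanism of this infection: a shortcut named after a Windows tool (msconfig.lnk), placed in the user's Startup folder, that runs rundll32.exe against a `.dat` file under All Users\Application Data. As an added Python example written for this page (not code from the thread or from RogueKiller), the following parses that log line and scores the entry with the defender heuristics that make it stand out: a proxy executor such as rundll32, a module whose extension is not `.dll`, a payload in a user-writable data directory, and a shortcut name that mimics a system tool. The regex is modelled on the single line shape shown in the report, the hint lists are the editor's own, and the benign comparison entry is constructed:

```python
import re

# Regex modelled on the one [STARTUP] line shape shown in the report above (editor's construction).
# Note: the name group does not handle shortcut names containing spaces.
STARTUP_RE = re.compile(
    r"\[STARTUP\]\[(?P<tag>[^\]]*)\]\s+(?P<name>\S+)\s+@(?P<user>\S+)\s+:\s+"
    r"(?P<exe>[^|]+)\|(?P<args>.*?)\s+\[\d+\]"
)

# Heuristic lists (editor's assumptions, not scanner data)
PROXY_EXECUTORS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
USER_WRITABLE_HINTS = ("application data", "applic~1", "appdata", "programdata",
                       "docume~1", "\\temp\\", "local settings")
SYSTEM_TOOL_NAMES = {"msconfig", "regedit", "taskmgr", "explorer", "cmd", "services"}


def parse_startup_line(line):
    """Split a [STARTUP] report line into tag, shortcut name, user, executable and arguments."""
    m = STARTUP_RE.search(line)
    if not m:
        return None
    return {k: v.strip() for k, v in m.groupdict().items()}


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def assess_startup_entry(name, exe, args):
    """Score a Startup-folder shortcut; two or more reasons mark it suspicious."""
    reasons = []
    exe_base = _basename(exe).strip('"').lower()
    payload = args.strip()
    if exe_base in PROXY_EXECUTORS:
        reasons.append(f"launched through proxy executor {exe_base}")
        if exe_base == "rundll32.exe" and payload:
            # rundll32 syntax is <module>,<export>; the module is what actually gets loaded
            payload = payload.split(",", 1)[0].strip().strip('"')
            module = _basename(payload)
            ext = module.rsplit(".", 1)[-1].lower() if "." in module else ""
            if ext not in ("dll", "cpl"):
                reasons.append(f"rundll32 loads a module with non-DLL extension .{ext or '(none)'}")
    if any(h in payload.lower() for h in USER_WRITABLE_HINTS):
        reasons.append("payload lives in a user-writable data directory")
    stem = name.lower().rsplit(".", 1)[0]
    if stem in SYSTEM_TOOL_NAMES:
        reasons.append(f"shortcut name '{name}' mimics a Windows system tool")
    return {"suspicious": len(reasons) >= 2, "reasons": reasons}


def assess_report_line(line):
    """Convenience wrapper: parse a report line and assess it in one step."""
    entry = parse_startup_line(line)
    if entry is None:
        return None
    result = assess_startup_entry(entry["name"], entry["exe"], entry["args"])
    result["entry"] = entry
    return result


if __name__ == "__main__":
    report_line = (r"[STARTUP][SUSP PATH] msconfig.lnk @ron : C:\WINDOWS\system32\rundll32.exe"
                   r"|C:\DOCUME~1\ALLUSE~1\APPLIC~1\8edolo.dat,FG00 [7] -> FOUND")
    print(assess_report_line(report_line))
    # Constructed benign entry for comparison: a vendor launcher in Program Files, no arguments
    print(assess_startup_entry("Adobe Reader Speed Launch.lnk",
                               r"C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe", ""))
```

None of the four signals is conclusive on its own (plenty of legitimate setup programs register rundll32 entries), which is why the score requires two of them before flagging; the same checks apply equally to Run keys and scheduled tasks, not only to Startup-folder shortcuts.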

Fiery

Level 1
Jan 11, 2011
2,007
Hi,

Re-run RogueKiller and perform a scan. After the scan, make sure the only entries ticked are:

[STARTUP][SUSP PATH] msconfig.lnk @ron : C:\WINDOWS\system32\rundll32.exe|C:\DOCUME~1\ALLUSE~1\APPLIC~1\8edolo.dat,FG00 [7] -> FOUND
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND

Then press delete

Open OTL. Under custom scan/fixes, copy and paste the following:

:OTL
[2013/05/04 11:30:22 | 000,003,062 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\olode8.js
[2013/04/18 14:25:13 | 000,000,595 | ---- | M] () -- C:\WINDOWS\lexstat.ini
[2013/05/06 22:40:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\529C533F000033A5000022A1D151FC84

:Commands
[EMPTYTEMP]

Then click Run Fix. Let your PC reboot to normal mode. A new log will be created automatically, post the content in the next reply.

Next, update Malwarebytes and perform a Quick Scan
 

pete284

New Member
Thread author
May 6, 2013
7
All completed. Logfile from OTL:

All processes killed
========== OTL ==========
C:\Documents and Settings\All Users\Application Data\olode8.js moved successfully.
C:\WINDOWS\lexstat.ini moved successfully.
Folder C:\Documents and Settings\All Users\Application Data\529C533F000033A5000022A1D151FC84\ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: LocalService
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 10892566 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: ron
->Temp folder emptied: 640581298 bytes
->Temporary Internet Files folder emptied: 9246903 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 1916435 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 2675729 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 39533 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 288341449 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 764877 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 910.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 05082013_203215

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

************************************
Malwarebytes updated and quick scan completed and no malicious items detected.

Pete
 

Fiery

Level 1
Jan 11, 2011
2,007
Looking good :D

Please let me know how your PC is functioning.

Run Eset NOD32 Online AntiVirus here

Note: You will need to use Internet Explorer for this scan.
Vista / 7 users: You will need to right-click on the Internet Explorer icon and select Run as Administrator
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Disable your current antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Make sure that the option "Remove found threats" is un-checked, and the following Advanced Settings are checked
    • Scan unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log in your next reply to this topic.
  • The log can also be found in logfile located at C:\Program Files\ESET\Eset Online Scanner\log.txt

Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A notepad document should open automatically called checkup.txt.
  • Please post the contents of that document in your next reply. Please do not attach it!
 

pete284

New Member
Thread author
May 6, 2013
7
Fiery said:
Please let me know how your PC is functioning.

Computer is running well with no noticeable problems.

ESET run and 2 detections:

C:\FRST\Quarantine\8edolo.dat Win32/Reveton.R trojan
C:\_OTL\MovedFiles\05082013_203215\C_Documents and Settings\All Users\Application Data\olode8.js Win32/Reveton.N trojan

----------------------

Security Check run:

Results of screen317's Security Check version 0.99.63
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
ESET Online Scanner v3
COMODO Internet Security
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.75.0.1300
CCleaner
Adobe Reader 7 Adobe Reader out of Date!
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 9%
````````````````````End of Log``````````````````````
 

Fiery

Level 1
Jan 11, 2011
2,007
Looks good! The 2 items detected by ESET were in quarantine already.

If you are no longer experiencing any other issues, your PC is now clean!

Double click on OTL to run it
  • Click on the Cleanup button at the top.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes
  • This will remove itself and other tools we may have used.

Also, open adwCleaner and click Uninstall




Now that your PC is clean, I recommend you create a new System Restore point and then purge the old ones.

For XP
How to create a Restore Point in XP
Delete all restore points except the most recent one




Keep your system updated
Please go to control panel and uninstall the following:

Adobe Reader 7


Currently, the following programs on your PC are outdated:
  • Adobe Reader - Update Adobe Reader here
Keeping your programs (especially Adobe and Java products) updated is essential. Outdated programs make your PC more vulnerable to future malware threats. To help you:
  • Download and install Update Checker. It will notify you if any of your programs require an update.
  • Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office product bugs and vulnerabilities.
  • Please ensure you update your system regularly and have automatic updates on. You can learn how to turn Automatic Updates on here

Other steps that you may want to do to further protect your system/files:
  • Sandboxie - "Quarantines" your browser so anything that you do in it will be isolated from your system.
  • Back up important files regularly to an external hard drive or USB

Here are only a few suggestions that will improve your system security. Should you wish to allow us to make full recommendations and set your PC up with maximum security, please start a thread here. Our community of PC enthusiasts and experts will give you feedback and help you secure your system from future malware infections.

Should you want to try a product but don't know how it performs, here is a list of current reviews to help you decide.


Internet Explorer may be the most popular browser, but it's definitely not the most secure browser. Consider using other browsers with additional add-ons to safeguard your system while browsing the internet.

Firefox is a more secure, faster browser than Internet Explorer. Firefox has fewer vulnerabilities, reducing the risk of drive-by downloads. In addition, you can add the following add-ons to increase security.
  • KeyScrambler - Encrypts your keystrokes to protect you against keyloggers that steal personal & banking information
  • AdBlock - Disables/blocks advertisements on websites so you won't accidentally click on a malicious ad.
  • NoScript - Disables Flash & Java contents to avoid exploits or drive-by attacks
  • Web of Trust - Shows the website rating by other users and blocks dangerous and poor-rated sites

Google Chrome is another good browser that is faster and more secure than Internet Explorer by having a sandbox feature. Additionally, you can add the following add-on to Chrome to heighten security.


Lastly, it is important to perform system maintenance on a regular basis. Here are a few tools and on-demand scanners that you should keep & use every 1-2 weeks to keep your system healthy.

Other than that, stay safe out there! If you have any other questions or concerns, feel free to ask :)

My virus removal help is always free. Should you wish to show your appreciation via a donation, it will be much appreciated.
 

pete284

New Member
Thread author
May 6, 2013
7
Excellent, thanks for all your assistance, much appreciated. I will hand the machine back to my father-in-law.

I will stick with Linux at home!
 
