
eddie, can you rescue?

Discussion in 'Virus & Other Malware Removal' started by nittiley, Jul 9, 2012.

Thread Status:
Not open for further replies.
  1. nittiley

    nittiley Banned Thread Starter

    Joined:
    Aug 15, 2011
    Messages:
    2,667
    eddie means eddie5659, in case there are any other eddies round here. if so, sorry for the confusion!

    ---------

    eddie
    :)

    well, guess what? another laptop lost the plot. it was a blank screen the last several times i messed with it, & then recently a whole assortment of things happened that began with, "thermal shutdown occurred.." :eek:

    it's running now, sort of (mwbytes had 238 items in quarantine & more followed. i don't know if it's finished yet :eek:). it's freezing too.. can you peek @ it?

    my thanks, of course :))))

    ps) i didn't run HJT in case it wasn't necessary since mwbytes is already on. i'll jump on the list if need be, let me know..
     
  2. nittiley

    apparently all i have to do is tell a laptop you'll be after it, & it straightens itself out :p!

    it's running ok now, so if you get to this, you can just disregard :)
     
  3. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    28,793
    Hiya

    I'll have a look at it anyway, as it may have other things on there ;)

    Can you post the MBAM log?

    Also, can you run this:

    Download OTL to your Desktop

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Select All Users
    • Please copy the text in the code box below and paste it in the Custom Scans/Fixes box in OTL:

      Code:
      netsvcs
      activex
      msconfig
      %SYSTEMDRIVE%\*.
      %PROGRAMFILES%\*.exe
      %LOCALAPPDATA%\*.exe
      %windir%\Installer\*.*
      %windir%\system32\tasks\*.*
      %windir%\system32\tasks\*.* /64
      %systemroot%\Fonts\*.exe
      %systemroot%\*. /mp /s
      /md5start
      consrv.dll
      explorer.exe
      winlogon.exe
      regedit.exe
      Userinit.exe
      svchost.exe
      /md5stop
      C:\Windows\assembly\tmp\U\*.* /s
      %Temp%\smtmp\1\*.*
      %Temp%\smtmp\2\*.*
      %Temp%\smtmp\3\*.*
      %Temp%\smtmp\4\*.*
      >C:\commands.txt echo list vol /raw /hide /c
      /wait
      >C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
      /wait
      type c:\diskreport.txt /c
      /wait
      erase c:\commands.txt /hide /c
      /wait
      erase c:\diskreport.txt /hide /c
      CREATERESTOREPOINT
      
    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them in your topic.

    eddie
     
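Added example, not part of eddie's post and not OTL's own code: the /md5start ... /md5stop block above makes OTL list every copy of those six file names it can find, each with its MD5, so the helper can spot an impostor such as a svchost.exe sitting in a user profile. The script below does the same sweep over a directory tree, hashes each hit and flags copies that live outside the directories where Windows keeps the real ones. The expected-directory list, the demo tree and its file contents are constructed assumptions for illustration, not data from this thread.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# File names copied from the /md5start ... /md5stop block of the OTL script above.
WATCHED_NAMES = {"consrv.dll", "explorer.exe", "winlogon.exe",
                 "regedit.exe", "userinit.exe", "svchost.exe"}

# Assumption: directories (relative to the scanned root, lower-case, forward slashes)
# where legitimate copies of these files live on a 64-bit Windows 7 install.
EXPECTED_DIRS = {"windows", "windows/system32", "windows/syswow64"}
# winsxs keeps many versioned copies in sub-folders, so any path under it is accepted.
EXPECTED_PREFIXES = ("windows/winsxs/",)


def md5_of(path, chunk=1 << 16):
    """Stream a file through MD5 (the digest OTL reports) without reading it whole.
    MD5 is fine for matching a known-good list; it is not collision resistant."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_expected_location(rel_dir):
    """True when a directory is one where Windows itself keeps these binaries."""
    return rel_dir in EXPECTED_DIRS or rel_dir.startswith(EXPECTED_PREFIXES)


def find_copies(root, names=WATCHED_NAMES):
    """Walk `root` and return every file whose name is in `names`, with size,
    MD5 and a verdict on whether its directory is an expected one."""
    root = Path(root)
    copies = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() not in names:
                continue
            p = Path(dirpath) / fn
            rel_dir = p.parent.relative_to(root).as_posix().lower()
            try:
                copies.append({
                    "name": fn.lower(),
                    "path": p.as_posix(),
                    "rel_dir": rel_dir,
                    "size": p.stat().st_size,
                    "md5": md5_of(p),
                    "expected": is_expected_location(rel_dir),
                })
            except OSError:
                # Locked or unreadable file: skip it rather than abort the sweep.
                pass
    return sorted(copies, key=lambda c: (c["name"], c["path"]))


def suspicious_copies(copies):
    """Copies of a watched name that sit outside the expected directories."""
    return [c for c in copies if not c["expected"]]


def format_report(copies):
    """One line per copy, in the spirit of OTL's per-file MD5 listing."""
    lines = []
    for c in copies:
        flag = "" if c["expected"] else "  <-- outside expected directories"
        lines.append(f"{c['name']:<13} {c['size']:>8} {c['md5']} {c['path']}{flag}")
    return "\n".join(lines)


def build_demo_tree(base):
    """Constructed sample tree (assumption, not real files): legitimate copies
    plus one impostor svchost.exe planted in a user profile."""
    base = Path(base)
    sample = {
        "Windows/explorer.exe": b"MZ demo explorer",
        "Windows/System32/svchost.exe": b"MZ demo svchost 64",
        "Windows/SysWOW64/svchost.exe": b"MZ demo svchost 32",
        "Windows/winsxs/amd64_demo-component/svchost.exe": b"MZ demo svchost 64",
        "Users/someone/AppData/Roaming/svchost.exe": b"MZ not svchost at all",
    }
    for rel, data in sample.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return base


def run_demo():
    """Build the constructed tree in a temp dir, scan it, print the report and
    return the relative directories of the suspicious copies."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_demo_tree(tmp)
        copies = find_copies(root)
        print(format_report(copies))
        return [c["rel_dir"] for c in suspicious_copies(copies)]


if __name__ == "__main__":
    print("suspicious:", run_demo())
```

On a real machine you would call find_copies("C:/") and read the report; the whitelist is deliberately narrow, so a copy in an unexpected place is a lead to check by hand, not a verdict on its own.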
  4. nittiley

    this went wonky before & then worked fine for a while.. you sure you want to bother right away?
    it's not :eek: 911 or anything :).
     
  5. eddie5659

    It's entirely up to you :)

    It's no biggie if you want to post it, as I can just see if anything jumps out.

    However, if you want to wait until it happens again, just post the logs ;)

    eddie
     
  6. nittiley

    can you let me know when you get to the
    pm? it's likely submerged in a bunch of other pm's :eek:. anyway, after that, then i'll know what to do ;). thanks a tonne!!
     
  7. eddie5659

    Already done ;)
     
  8. nittiley

    i've got to start adopting your methodical approach! :D
    although if i get that organised & linear, it could scare people :p

    i'll try to get at this wednesday. if you get busy, let me know, as it can always wait. (& we're never messing with this thing on fridays, ever!! :cool:)

    thanks eddie :)
     
  9. eddie5659

    It's okay to do this anytime. I'll get through each thread, so it will usually be a day max to wait, unless I have to work late ;)
     
  10. nittiley


    ok, here's what i have.. btw, the mouse wouldn't work on it before, but now it does -- in case that has anything to do with anything :s

    before the whole thing was sluggish enough that i was about to drive over it with the truck, & back up to make sure i did a good job :D

    it's a:
    windows 7 / Hewlett-Packard Presario CQ56 notebook
    2 gig ram / 1.74 usable
    64 bit op sys

    ---------
    feel free to skip this historical part unless it's vital:

    last attempts ~a month ago produced a blank screen after powering on
    07/08/12:
    1) thermal shutdown occurred.
    2) “system bios ..” then screen disappeared before i could type remainder
    3) windows failed to start. msg: “a recent hardware or software change might..
    4) says computer was unable to start & launches startup repair
    5) loads files
    6) microsoft logo @ bottom
    7) “start up repair is checking your system for problems..”
    8) asks if i want to use system restore, restore is clicked
    9) it attempts repairs & restarts
    10) windows logo + copyright microsoft appears, password entered
    11) welcome with spinny circle
    12) it spins long enough that i make a cuppa & drink it. have a snack as well.
    13) everything finally loads & spotify opens
    14) shut down spotify via task manager
    15) run disc cleanup, notice antivirus isn’t working & registration missing (likely due to system restore?)
    16) uninstall & reinstall antivirus
    17) avast scans
    18) opened _____ & task manager (i failed to make a notation & don't remember what the blank was now :rolleyes:)
    19) “failure to display security and shut down options” clicked ok
    20) avast finishes scan
    21) secunia 85% / windows defender requires updating
    22) malwarebytes updates, scan, finds malware, quite a lengthy list, starting with
    PUP.AdurrPlugin Registry Key HKCR/CLSID/(056c-9352-88cb3-4465-9290-8...
    C:/Program Files {x86} /Object

    238 total !! :eek:

    23) i click on the selected to remove & result is completely frozen screen
    24) control/alt/delete. no response, even after repeating
    25) disconnect power & pop battery out
    26) background image loads, endless spinning circle again..
    27) after quite a while, reboot
    28) freezes while opening computer from start menu & registering avast
    29) control/alt/delete produces windows msg about the app not responding & it may if i wait. do i want to end process?
    30) failure to display security and shut down options – “the logon process was unable to display..”
    31) i get end process question & click *end process*
    32) mainscreen, run malwarebytes again
    33) 47 objects detected
    34) mbam urges restart
    35) restart & subsequent windows update proceeds & terminates
    36) start secunia

    got sick of the whole bloody mess & left it for a while.

    -----------
    today:

    mbam threw up "not responding" @ first, but then everything went chugging along
    mbam looks most squeaky clean :)


    Malwarebytes Anti-Malware (PRO) 1.62.0.1300
    www.malwarebytes.org

    Database version: v2012.07.18.07

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    peckent :: PKE [administrator]

    Protection: Enabled

    7/18/2012 12:14:08 PM
    mbam-log-2012-07-18 (12-14-08).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 354839
    Time elapsed: 1 hour(s), 59 minute(s), 58 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)

    ============================

    OTL logfile created on: 7/18/2012 2:40:35 PM - Run 1
    OTL by OldTimer - Version 3.2.54.0 Folder = F:\
    64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1.75 Gb Total Physical Memory | 0.27 Gb Available Physical Memory | 15.51% Memory free
    3.49 Gb Paging File | 1.20 Gb Available in Paging File | 34.52% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 215.36 Gb Total Space | 154.81 Gb Free Space | 71.88% Space Free | Partition Type: NTFS
    Drive D: | 17.22 Gb Total Space | 2.49 Gb Free Space | 14.46% Space Free | Partition Type: NTFS
    Drive F: | 7.60 Gb Total Space | 7.60 Gb Free Space | 99.99% Space Free | Partition Type: FAT32

    Computer Name: PKE | User Name: peckent | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012/07/18 14:28:20 | 000,596,480 | ---- | M] (OldTimer Tools) -- F:\OTL.exe
    PRC - [2012/07/13 02:56:29 | 000,186,832 | ---- | M] (Google Inc.) -- C:\Users\peckent\AppData\Local\Google\Update\1.3.21.115\GoogleCrashHandler.exe
    PRC - [2012/07/11 17:58:17 | 001,551,384 | ---- | M] (Google Inc.) -- C:\Users\peckent\AppData\Local\Google\Chrome\Application\20.0.1132.57\Installer\setup.exe
    PRC - [2012/07/06 11:53:20 | 000,217,536 | ---- | M] (Facebook) -- C:\Users\peckent\AppData\Local\Facebook\Messenger\2.1.4570.0\FacebookMessenger.exe
    PRC - [2012/07/03 11:21:30 | 004,273,976 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
    PRC - [2012/07/03 11:21:29 | 000,044,808 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    PRC - [2012/04/04 15:56:40 | 000,654,408 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
    PRC - [2012/04/04 15:56:38 | 000,462,408 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
    PRC - [2012/03/23 10:12:26 | 000,217,256 | ---- | M] (Visicom Media Inc. (Powered by Panda Security)) -- C:\ProgramData\Anti-phishing Domain Advisor\visicom_antiphishing.exe
    PRC - [2012/01/03 08:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    PRC - [2011/10/11 13:49:14 | 001,179,648 | ---- | M] (W3i, LLC) -- C:\Program Files (x86)\W3i\InstallIQUpdater\InstallIQUpdater.exe
    PRC - [2011/09/02 08:29:30 | 002,152,152 | ---- | M] (Lavasoft Limited) -- C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
    PRC - [2011/08/15 08:49:50 | 001,191,216 | ---- | M] (Lavasoft Limited) -- C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
    PRC - [2011/04/19 01:44:40 | 000,993,848 | ---- | M] (Secunia) -- C:\Program Files (x86)\Secunia\PSI\psia.exe
    PRC - [2011/04/19 01:44:40 | 000,399,416 | ---- | M] (Secunia) -- C:\Program Files (x86)\Secunia\PSI\sua.exe
    PRC - [2011/04/19 01:44:40 | 000,291,896 | ---- | M] (Secunia) -- C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
    PRC - [2011/03/28 18:07:50 | 000,094,264 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
    PRC - [2010/11/09 15:20:36 | 000,586,296 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
    PRC - [2010/11/09 15:20:34 | 000,026,680 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
    PRC - [2010/10/27 19:17:52 | 000,207,424 | ---- | M] (ArcSoft Inc.) -- C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    PRC - [2010/08/25 11:27:44 | 000,309,824 | ---- | M] (ArcSoft Inc.) -- C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
    PRC - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) -- C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    PRC - [2010/02/22 17:30:52 | 000,266,240 | ---- | M] () -- C:\Program Files (x86)\HP Button Manager\BM.exe
    PRC - [2008/09/18 10:59:10 | 000,104,960 | ---- | M] (ArcSoft, Inc.) -- C:\Program Files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe


    ========== Modules (No Company Name) ==========

    MOD - [2012/07/08 21:54:38 | 011,833,344 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\a501b7960f6c6e2e39162b83f3303aaa\System.Web.ni.dll
    MOD - [2012/07/08 21:54:07 | 012,436,480 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\7b7fbe651c6e72f12099a298654c9594\System.Windows.Forms.ni.dll
    MOD - [2012/07/08 21:53:58 | 001,591,808 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6bb439b3f87736d3248ae27d43e2c0d6\System.Drawing.ni.dll
    MOD - [2012/07/05 20:58:56 | 021,015,488 | ---- | M] () -- C:\Users\peckent\AppData\Local\Facebook\Messenger\2.1.4570.0\libcef.dll
    MOD - [2012/07/05 20:58:16 | 000,284,096 | ---- | M] () -- C:\Users\peckent\AppData\Local\Facebook\Messenger\2.1.4570.0\CefSharp.WinForms.dll
    MOD - [2012/07/05 20:56:24 | 000,456,128 | ---- | M] () -- C:\Users\peckent\AppData\Local\Facebook\Messenger\2.1.4570.0\CefSharp.dll
    MOD - [2012/05/22 15:45:18 | 006,611,456 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data\f3814b488d9e083cbbc623e01b389f09\System.Data.ni.dll
    MOD - [2012/05/22 15:40:01 | 005,452,800 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\ba3d70b651454c7d49b407b93663bfed\System.Xml.ni.dll
    MOD - [2012/05/22 15:39:21 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\cfa9c506bfb9254c89dace7b83bc9f9d\System.Configuration.ni.dll
    MOD - [2012/05/22 15:39:18 | 007,967,232 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\ce9ff6baf9053ed2ed673d948179195c\System.ni.dll
    MOD - [2012/05/22 15:38:55 | 011,492,864 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\acfc1391e45fedd2a359778ea57d914c\mscorlib.ni.dll
    MOD - [2011/06/24 22:56:36 | 000,087,328 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
    MOD - [2011/06/24 22:56:14 | 001,241,888 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
    MOD - [2010/11/04 20:58:05 | 002,927,616 | ---- | M] () -- C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
    MOD - [2010/02/22 17:30:52 | 000,266,240 | ---- | M] () -- C:\Program Files (x86)\HP Button Manager\BM.exe


    ========== Win32 Services (SafeList) ==========

    SRV:64bit: - [2012/07/03 11:21:29 | 000,044,808 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
    SRV:64bit: - [2012/03/26 18:49:56 | 000,291,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
    SRV:64bit: - [2012/03/26 18:49:56 | 000,012,600 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
    SRV:64bit: - [2010/09/22 18:10:10 | 000,057,184 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Live\Mesh\wlcrasvc.exe -- (wlcrasvc)
    SRV:64bit: - [2010/09/20 01:56:00 | 000,203,264 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
    SRV:64bit: - [2010/06/18 18:26:18 | 000,103,992 | ---- | M] (Hewlett-Packard Company) [Auto | Running] -- C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe -- (HP Wireless Assistant Service)
    SRV:64bit: - [2009/11/17 21:14:26 | 000,098,208 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe -- (AERTFilters)
    SRV:64bit: - [2009/07/13 20:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV - [2012/07/12 15:39:57 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
    SRV - [2012/04/04 15:56:40 | 000,654,408 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
    SRV - [2012/01/03 08:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
    SRV - [2011/09/09 18:10:28 | 000,086,072 | ---- | M] (Hewlett-Packard Company) [Auto | Running] -- C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe -- (HP Support Assistant Service)
    SRV - [2011/09/02 08:29:30 | 002,152,152 | ---- | M] (Lavasoft Limited) [Auto | Running] -- C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
    SRV - [2011/04/19 01:44:40 | 000,993,848 | ---- | M] (Secunia) [Auto | Running] -- C:\Program Files (x86)\Secunia\PSI\psia.exe -- (Secunia PSI Agent)
    SRV - [2011/04/19 01:44:40 | 000,399,416 | ---- | M] (Secunia) [Auto | Running] -- C:\Program Files (x86)\Secunia\PSI\sua.exe -- (Secunia Update Agent)
    SRV - [2011/03/28 18:07:50 | 000,094,264 | ---- | M] (Hewlett-Packard Company) [Auto | Running] -- C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe -- (HPDrvMntSvc.exe)
    SRV - [2010/11/09 15:20:34 | 000,026,680 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Auto | Running] -- C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe -- (HPWMISVC)
    SRV - [2010/10/12 12:59:12 | 000,206,072 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe -- (GamesAppService)
    SRV - [2010/03/18 14:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
    SRV - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) [Auto | Running] -- C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
    SRV - [2009/06/10 16:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)

    Extras
    OTL Extras logfile created on: 7/18/2012 2:40:35 PM - Run 1
    OTL by OldTimer - Version 3.2.54.0 Folder = F:\
    64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1.75 Gb Total Physical Memory | 0.27 Gb Available Physical Memory | 15.51% Memory free
    3.49 Gb Paging File | 1.20 Gb Available in Paging File | 34.52% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 215.36 Gb Total Space | 154.81 Gb Free Space | 71.88% Space Free | Partition Type: NTFS
    Drive D: | 17.22 Gb Total Space | 2.49 Gb Free Space | 14.46% Space Free | Partition Type: NTFS
    Drive F: | 7.60 Gb Total Space | 7.60 Gb Free Space | 99.99% Space Free | Partition Type: FAT32

    Computer Name: PKE | User Name: peckent | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

    ========== Shell Spawning ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
    InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
    InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [explore] -- Reg Error: Value error.
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [explore] -- Reg Error: Value error.
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 1

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1
     
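Added example, not from the thread and not OTL's own code: a small checker for the Extras log sections posted above. It parses the Shell Spawning, Security Center Settings and Firewall Settings blocks and flags what a helper looks for by eye: an exefile/comfile/batfile/cmdfile/piffile [open] command that is no longer the stock "%1" %* (a rewritten handler runs something extra every time any program is launched), a Security Center *Override value set to 1 (the system has been told to stop reporting missing protection), and a firewall profile with EnableFirewall = 0. The log text embedded in the script is constructed: it takes clean lines from the posted log and plants a rewritten 32-bit exefile handler, an AntiVirusOverride of 1 and a disabled StandardProfile firewall so that the checker has something to report.

```python
import re

# Stock [open] command for executable classes on Windows 7, as in the posted log.
STOCK_OPEN = '"%1" %*'
EXEC_CLASSES = {"exefile", "comfile", "batfile", "cmdfile", "piffile"}

SECTION_RE = re.compile(r'^=+\s*(.*?)\s*=+$')            # ========== Name ==========
SPAWN_RE = re.compile(r'^(\w+)\s+\[(\w+)\]\s+--\s+(.*)$')  # exefile [open] -- "%1" %*
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')          # "EnableFirewall" = 1


def parse_extras(text):
    """Split an OTL Extras log into shell-spawn entries and registry values.

    Returns (spawns, values): spawns is a list of (is64, class, verb, command);
    values maps each registry key line (with its 64bit: prefix, when present)
    to a {name: data} dict. Lines that fit neither shape are ignored.
    """
    section, key, is64 = None, None, False
    spawns, values = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group(1), None
            continue
        if line.startswith("[HKEY_") or line.startswith("64bit: [HKEY_"):
            key, is64 = line, line.startswith("64bit:")
            values.setdefault(key, {})
            continue
        if section == "Shell Spawning":
            m = SPAWN_RE.match(line)
            if m:
                spawns.append((is64, m.group(1), m.group(2), m.group(3)))
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            values[key][m.group(1)] = m.group(2).strip()
    return spawns, values


def audit(spawns, values):
    """Return human-readable findings for the three checks described above."""
    findings = []
    for is64, cls, verb, cmd in spawns:
        if cls.lower() in EXEC_CLASSES and verb == "open" and cmd != STOCK_OPEN:
            view = "64bit" if is64 else "32bit"
            findings.append(f"{view} {cls} [open] is not stock: {cmd}")
    for key, vals in values.items():
        if "Security Center" in key:
            for name, data in vals.items():
                if name.endswith("Override") and data != "0":
                    findings.append(f"{name} = {data} in {key}")
        if "FirewallPolicy" in key and vals.get("EnableFirewall") == "0":
            findings.append(f"firewall disabled in {key}")
    return findings


# Constructed sample (assumption): clean lines from the posted log plus three planted
# problems: a rewritten 32-bit exefile handler, AntiVirusOverride = 1, StandardProfile off.
SAMPLE_EXTRAS = r"""
========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
comfile [open] -- "%1" %*
exefile [open] -- "C:\Users\someone\AppData\Roaming\svchost.exe" "%1" %*
piffile [open] -- "%1" %*

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 1
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 1
"EnableFirewall" = 0
"""


def run_demo(text=SAMPLE_EXTRAS):
    """Parse the sample, print each finding and return the list."""
    findings = audit(*parse_extras(text))
    for f in findings:
        print("FLAG:", f)
    return findings


if __name__ == "__main__":
    run_demo()
```

Run against the Extras.Txt actually posted above, the checker returns nothing, which matches eddie's reading of it: the exefile and friends all spawn the stock "%1" %*, every *Override is 0 and all three firewall profiles have EnableFirewall = 1. The "Reg Error" lines OTL prints for helpfile and regfile are not flagged, since they report a missing key rather than a rewritten command.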
  11. nittiley

    cross posted..

    absolutely no rush at all!!
    tell work to stuff it though ;), & that's so you get free time :cool:, not for this!!
     
  12. eddie5659

    Okay, firstly, can you post the MBAM log from the run that came up with over 200 items?

    So, as you have run MBAM, this is how to get the log and attach it :)

    Firstly, go to Start | Programs, and open up Malwarebytes Anti-Malware. Most call it MBAM for short.

    [screenshot]

    Then, click on the Logs tab:

    [screenshot]

    Now, select the log from the run in which you removed the files. Normally it's the latest one. Click on it to highlight it, then select Open in the bottom left:

    [screenshot]

    Now, a Notepad window will open up. Mine is blank, but yours will have the 100 or so items in it. Click on Edit | Select All and paste as normal.

    ----------------

    As for the OTL logs, both are incomplete. Can you make sure that's all that was in them both? Your uninstall list etc. isn't there in the Extras, and the O4s etc. aren't showing in the OTL log.
     
  13. nittiley

    yep, i'll go retrieve that :)

    well, that's strange.. although i copied them to a word doc, then to a jump drive, then here, so.. :eek:

    anyway, i'll be back with those later. thanks v. much e!! :)
     
  14. eddie5659

    Why did you need to copy them to a word document? They should just open in Notepad, that's all I need ;)

    If they look jumbled up, click Format and make sure Word Wrap is ticked.
     
  15. nittiley

    sheer (unthinking) habit on my part :rolleyes:.
    thanks for the wordwrap tip (y) :)! i recall that happening some other time (not recently, nor with this though)..

    even though these logs are for later, i can't get them to post now :mad:!! tried several times & get the charming delay message repeatedly, so i'm going to e them instead. sorry to flip it there :(!! but you'll know how to get them on this thread..& they're not going on for me, bleah!
     

Short URL to this thread: https://techguy.org/1060337