Smokey's Security Forums



Topic: Using OTL to "run fix"?  (Read 3018 times)


Starbuck (Site Owner; Leader Malware Analysis & Removal Team; Site Help Desk - Support Department; Midlands, UK; Posts: 3408)
Re: Using OTL to "run fix"?
« Reply #11 on: August 05, 2013, 05:48:33 PM »
Very odd that it wouldn't install on the flash drive.

mikehende (Topic starter; Full Member; Posts: 71)
Re: Using OTL to "run fix"?
« Reply #10 on: August 04, 2013, 07:31:34 PM »
The instructions in your link are the same as those in the YouTube video I had tried.

Starbuck (Site Owner; Leader Malware Analysis & Removal Team; Site Help Desk - Support Department; Midlands, UK; Posts: 3408)
Re: Using OTL to "run fix"?
« Reply #9 on: August 04, 2013, 05:47:43 PM »
Did you look at the link I posted (with the example)? It explains exactly how to download and use it.

mikehende (Topic starter; Full Member; Posts: 71)
Re: Using OTL to "run fix"?
« Reply #8 on: August 04, 2013, 05:28:10 PM »
Actually, I had tried HitmanPro when first researching the best option for this particular virus, before posting here for help; the problem I had was that it would not install on my flash drive.

Starbuck (Site Owner; Leader Malware Analysis & Removal Team; Site Help Desk - Support Department; Midlands, UK; Posts: 3408)
Re: Using OTL to "run fix"?
« Reply #7 on: August 04, 2013, 05:24:29 PM »
Quote from mikehende: "Does that ring a bell for you or got anything similar you can recommend please?"

No, sorry, it doesn't ring any bells.

Quote from mikehende: "I am seeking a way to get rid of viruses when I can't boot into Safe Mode and the Rescue disks don't work"

Two things you could try:
  • HitmanPro run from a USB stick.
    Example and instructions Here.
  • Run rstrui.exe (System Restore) from a Command Prompt using the Recovery Environment.
    This is the lowest level at which System Restore can be run, so normally there's no malware running at this level to stop the procedure.

mikehende (Topic starter; Full Member; Posts: 71)
Re: Using OTL to "run fix"?
« Reply #6 on: August 02, 2013, 10:49:06 PM »
Oh yes, sorry, I've been a little swamped lately and forgot to post here. Thank you very much, Pete! The OTL fix got rid of the virus. I am seeking a way to get rid of viruses when I can't boot into Safe Mode and the Rescue disks don't work [it never does], and since I won't know which code to use for the Run Fix feature in OTL, that is why I asked about the software in my earlier post. Does that ring a bell for you, or have you got anything similar you can recommend, please?

Starbuck (Site Owner; Leader Malware Analysis & Removal Team; Site Help Desk - Support Department; Midlands, UK; Posts: 3408)
Re: Using OTL to "run fix"?
« Reply #5 on: August 02, 2013, 10:35:47 PM »
Did the fix allow you to boot into normal mode?

mikehende (Topic starter; Full Member; Posts: 71)
Re: Using OTL to "run fix"?
« Reply #4 on: August 01, 2013, 10:55:55 PM »
OK, running it now [thanks]. I could have sworn, Pete, that either you or Kenny had given me instructions on running OTL, and that from the Reatogo desktop there was a way to run a virus repair from within it; if it was not OTL then it was something similar. I checked and checked all of my past threads for this but cannot find that topic. Do you have any idea what I am referring to, please?

Starbuck (Site Owner; Leader Malware Analysis & Removal Team; Site Help Desk - Support Department; Midlands, UK; Posts: 3408)
Re: Using OTL to "run fix"?
« Reply #3 on: August 01, 2013, 10:24:16 PM »
Hi Mike,

No there is no generic fix available.
The fix is always made up of what is showing in the reports.

See if this helps.

Open Notepad - it must be Notepad, not Wordpad.
Copy the text in the code box below by highlighting all the text and pressing Ctrl+C
Code:
:otl
O2 - BHO: (DefaultTab Browser Helper) - {7F6AFBF1-E065-4627-A2FD-810366367D01} -  File not found
O4 - HKLM..\Run: [aSQw8ccL0] C:\Documents and Settings\User\Local Settings\Application Data\Q6dQAjy.exe (NCSOFT Company)
O4 - HKU\Cliff_ON_C..\Run: [aSQw8ccL0]  File not found
O4 - HKU\User_ON_C..\Run: [aSQw8ccL0] C:\Documents and Settings\User\Local Settings\Application Data\Q6dQAjy.exe (NCSOFT Company)
[2013/07/29 20:15:53 | 000,183,296 | ---- | C] (NCSOFT Company) -- C:\Documents and Settings\User\Local Settings\Application Data\Q6dQAjy.exe
[2013/07/29 18:30:03 | 000,316,553 | ---- | M] () -- C:\Documents and Settings\Cliff\Local Settings\Application Data\9f2c10a0-f56c-464d-b90f-23109eb5be53
[2013/07/29 18:12:27 | 000,316,553 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\9f2c10a0-f56c-464d-b90f-23109eb5be53
[2013/07/29 18:12:20 | 000,183,296 | ---- | M] (NCSOFT Company) -- C:\Documents and Settings\User\Local Settings\Application Data\Q6dQAjy.exe
[2013/07/22 20:32:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
@Alternate Data Stream - 246 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:63238B95

:Files
ipconfig /flushdns /c

:commands
[emptytemp]


Go to the Notepad window and click Edit >> Paste
Then click File >> Save
Name the file fix.txt
Save the file to a USB stick.

Start OTLPE as you did previously from CD

  • Insert your USB drive with fix.txt on it
  • Start OTLPE
  • Drag and drop fix.txt into the Custom scans and fixes box
  • If you cannot drag and drop for some reason, then press the Run Fix button and a dialogue box will pop up asking for the location - select the file on your USB drive
  • Then click the Run Fix button at the top
  • Let the program run unhindered; reboot to normal mode when it is done, if possible
  • Then post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )

If you can now boot into normal mode, update MBAM and run a scan.

mikehende (Topic starter; Full Member; Posts: 71)
Re: Using OTL to "run fix"?
« Reply #2 on: August 01, 2013, 05:55:49 PM »
Oh BTW Pete, my present issue for this: I am trying to clean a Dell XPS 410 machine which has the

"U.S. Department of Homeland Security virus (MoneyPak Scam)"

so I can't go to the desktop or into Safe Mode, and I tried 3 rescue disks [KS, Bitdefender and Comodo] and they would not clean it. Right now I am trying to run any Online Scanners via the Reatogo desktop, but I am posting the OTL log file here in case you read this before the online scanner is finished:

OTL logfile created on: 8/1/2013 4:40:42 PM - Run
OTLPE by OldTimer - Version 3.1.48.0     Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
1,022.00 Mb Total Physical Memory | 832.00 Mb Available Physical Memory | 81.00% Memory free
906.00 Mb Paging File | 852.00 Mb Available in Paging File | 94.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 293.39 Gb Total Space | 260.28 Gb Free Space | 88.71% Space Free | Partition Type: NTFS
Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
 
Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet004
 
========== Win32 Services (SafeList) ==========
 
SRV - [2013/06/12 09:54:20 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [On_Demand] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/12/03 19:47:15 | 000,161,768 | ---- | M] (Oracle Corporation) [Auto] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2011/04/16 20:45:11 | 000,130,008 | R--- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe -- (NIS)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | On_Demand] --  -- (WDICA)
DRV - File not found [Kernel | On_Demand] --  -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] --  -- (PDRELI)
DRV - File not found [Kernel | On_Demand] --  -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] --  -- (PDCOMP)
DRV - File not found [Kernel | System] --  -- (PCIDump)
DRV - File not found [Kernel | System] --  -- (lbrtfdc)
DRV - File not found [Kernel | System] --  -- (i2omgmt)
DRV - File not found [Kernel | System] --  -- (Changer)
DRV - [2012/06/18 20:01:14 | 000,821,920 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\BASHDefs\20120711.002\BHDrvx86.sys -- (BHDrvx86)
DRV - [2012/06/14 14:39:26 | 000,369,632 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\IPSDefs\20120731.001\IDSXpx86.sys -- (IDSxpx86)
DRV - [2012/05/30 22:37:20 | 000,376,480 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2012/05/30 22:37:20 | 000,106,656 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2012/05/15 20:47:16 | 001,589,752 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\VirusDefs\20120731.002\NAVEX15.SYS -- (NAVEX15)
DRV - [2012/05/15 20:47:16 | 000,087,928 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\VirusDefs\20120731.002\NAVENG.SYS -- (NAVENG)
DRV - [2012/02/24 19:30:31 | 000,126,584 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2011/04/20 21:37:49 | 000,369,784 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\WINDOWS\System32\Drivers\NIS\1207020.003\SYMTDI.SYS -- (SYMTDI)
DRV - [2011/03/30 23:00:09 | 000,516,216 | ---- | M] (Symantec Corporation) [File_System | On_Demand] -- C:\WINDOWS\System32\Drivers\NIS\1207020.003\SRTSP.SYS -- (SRTSP)
DRV - [2011/03/30 23:00:09 | 000,050,168 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\WINDOWS\system32\drivers\NIS\1207020.003\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2011/03/14 22:31:23 | 000,744,568 | ---- | M] (Symantec Corporation) [File_System | Boot] -- C:\WINDOWS\system32\drivers\NIS\1207020.003\symefa.sys -- (SymEFA)
DRV - [2011/01/27 02:47:10 | 000,340,088 | ---- | M] (Symantec Corporation) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\NIS\1207020.003\symds.sys -- (SymDS)
DRV - [2010/11/15 21:45:33 | 000,136,312 | R--- | M] (Symantec Corporation) [Kernel | System] -- C:\WINDOWS\system32\drivers\NIS\1207020.003\Ironx86.SYS -- (SymIRON)
DRV - [2006/03/20 17:06:04 | 001,156,648 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2006/01/04 16:41:48 | 001,389,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\monfilt.sys -- (monfilt)
DRV - [2005/05/25 18:34:00 | 000,158,464 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ctusfsyn.sys -- (CTUSFSYN)
DRV - [2005/01/10 19:15:00 | 000,138,752 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2005/01/10 19:15:00 | 000,106,496 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2003/11/17 19:59:20 | 000,212,224 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2003/11/17 19:58:02 | 000,680,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2003/11/17 19:56:26 | 001,042,432 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
 
 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\Cliff_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\Cliff_ON_C\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\Cliff_ON_C\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
IE - HKU\Cliff_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\Cliff_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
 
 
 
IE - HKU\User_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\User_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\User_ON_C\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\User_ON_C\..\URLSearchHook:  - Reg Error: Key error. File not found
IE - HKU\User_ON_C\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
IE - HKU\User_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: 
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.9.2: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.9.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@sony.com/Some: C:\Program Files\Sony\Bloggie Software\npsome.dll (Sony)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Cliff\Local Settings\Application Data\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Cliff\Local Settings\Application Data\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\IPSFFPlgn\ [2012/02/25 07:17:12 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\coFFPlgn_2011_7_13_2 [2013/08/01 15:29:54 | 000,000,000 | ---D | M]
 
 
O1 HOSTS File: ([2004/08/04 06:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\18.7.2.3\coieplg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\18.7.2.3\ips\ipsbho.dll (Symantec Corporation)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (DefaultTab Browser Helper) - {7F6AFBF1-E065-4627-A2FD-810366367D01} -  File not found
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll (Google Inc.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\18.7.2.3\coieplg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKU\Cliff_ON_C\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\18.7.2.3\coieplg.dll (Symantec Corporation)
O3 - HKU\User_ON_C\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\18.7.2.3\coieplg.dll (Symantec Corporation)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [aSQw8ccL0] C:\Documents and Settings\User\Local Settings\Application Data\Q6dQAjy.exe (NCSOFT Company)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKU\Cliff_ON_C..\Run: [aSQw8ccL0]  File not found
O4 - HKU\User_ON_C..\Run: [aSQw8ccL0] C:\Documents and Settings\User\Local Settings\Application Data\Q6dQAjy.exe (NCSOFT Company)
O4 - HKU\User_ON_C..\Run: [EPSON Artisan 837 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIHOA.EXE (SEIKO EPSON CORPORATION)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bloggie Watcher Utility.lnk = C:\Program Files\Sony\Bloggie Software\BGVolumeWatcher.exe (Sony Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Cliff_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\User_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2012/02/24 18:59:13 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013/08/01 10:16:56 | 000,000,000 | ---D | C] -- C:\bd_logs
[2013/07/31 17:13:32 | 000,000,000 | ---D | C] -- C:\Kaspersky Rescue Disk 10.0
[2013/07/29 20:15:53 | 000,183,296 | ---- | C] (NCSOFT Company) -- C:\Documents and Settings\User\Local Settings\Application Data\Q6dQAjy.exe
[2013/07/29 18:12:13 | 000,000,000 | ---D | C] -- C:\WINDOWS\Sun
[2013/07/22 20:32:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\iTunes
[2013/07/22 20:32:00 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2013/07/22 20:31:38 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2013/07/22 20:31:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
[2013/07/22 20:28:23 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2013/08/01 15:32:07 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/08/01 15:30:52 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/08/01 15:30:50 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/08/01 08:57:00 | 000,000,978 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2000478354-1682526488-839522115-1004UA.job
[2013/08/01 08:54:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013/08/01 08:49:10 | 000,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2000478354-1682526488-839522115-1003UA.job
[2013/08/01 08:26:10 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013/08/01 06:38:12 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2013/07/29 18:30:03 | 000,316,553 | ---- | M] () -- C:\Documents and Settings\Cliff\Local Settings\Application Data\9f2c10a0-f56c-464d-b90f-23109eb5be53
[2013/07/29 18:12:27 | 000,316,553 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\9f2c10a0-f56c-464d-b90f-23109eb5be53
[2013/07/29 18:12:20 | 000,183,296 | ---- | M] (NCSOFT Company) -- C:\Documents and Settings\User\Local Settings\Application Data\Q6dQAjy.exe
[2013/07/29 17:42:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2013/07/29 16:49:00 | 000,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2000478354-1682526488-839522115-1003Core.job
[2013/07/28 21:57:00 | 000,000,926 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2000478354-1682526488-839522115-1004Core.job
[2013/07/25 21:57:52 | 000,002,302 | ---- | M] () -- C:\Documents and Settings\Cliff\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2013/07/25 21:57:52 | 000,002,284 | ---- | M] () -- C:\Documents and Settings\Cliff\Desktop\Google Chrome.lnk
[2013/07/22 20:32:35 | 000,001,542 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2013/07/22 20:32:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\iTunes
[2013/07/13 21:28:59 | 000,000,804 | ---- | M] () -- C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2013/07/12 21:52:57 | 000,002,295 | ---- | M] () -- C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2013/07/12 21:52:57 | 000,002,277 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Google Chrome.lnk
[2013/07/11 03:18:29 | 000,190,592 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013/07/11 03:02:28 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2013/07/29 18:30:03 | 000,316,553 | ---- | C] () -- C:\Documents and Settings\Cliff\Local Settings\Application Data\9f2c10a0-f56c-464d-b90f-23109eb5be53
[2013/07/29 18:12:27 | 000,316,553 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\9f2c10a0-f56c-464d-b90f-23109eb5be53
[2013/07/22 20:32:35 | 000,001,542 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2013/07/13 21:28:59 | 000,000,804 | ---- | C] () -- C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2012/12/20 17:12:04 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/03/11 04:11:53 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/03/10 15:31:20 | 000,004,608 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/03/10 11:58:47 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2012/03/10 11:58:47 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2012/03/03 13:28:11 | 000,022,629 | ---- | C] () -- C:\WINDOWS\System32\CiFilter.ini
[2012/02/24 19:01:05 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2012/02/24 18:56:59 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2012/02/24 16:17:25 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2012/02/24 10:53:38 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2012/02/24 10:52:42 | 000,190,592 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2006/11/13 18:03:06 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\PhysXLoader.dll
[2006/11/13 18:02:50 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2006/11/13 18:02:48 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2006/11/13 18:02:48 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2006/11/13 18:02:48 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2006/11/13 18:02:48 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2006/11/13 18:02:48 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2006/11/13 18:02:48 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2006/11/13 18:02:48 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2006/11/13 18:02:48 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[2005/03/21 19:48:05 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2005/03/21 19:48:05 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/04 06:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 06:00:00 | 000,314,508 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/04 06:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 06:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 06:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 06:00:00 | 000,040,836 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/04 06:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 06:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 06:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/04 06:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/01/07 19:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
 
========== LOP Check ==========
 
[2012/06/25 21:39:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Cliff\Application Data\CompuClever
[2012/12/03 19:46:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Genieo
[2013/07/22 20:32:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
[2012/02/24 19:26:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2012/03/21 18:38:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EPSON
[2012/06/25 21:54:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
 
========== Purity Check ==========
 
 
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 246 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:63238B95
< End of report >
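
Starbuck's point in Reply #3 is that there is no generic fix: an OTL fix is assembled from entries that actually appear in the report. As an added example (my code, not OTL's and not something posted in this thread), the Python script below runs the kind of checks a log reviewer applies to the log above and lays the hits out in the `:otl` / `:commands` shape of the fix Starbuck posted. The sample lines are excerpted from the log in Reply #2 with a few benign entries mixed in; the line-format regexes and the triage heuristics (orphaned BHO and Run entries, files dropped directly into `Local Settings\Application Data` rather than a vendor subfolder, alternate data streams) are my own assumptions and are illustrative only. It does not reproduce the `:Files` section of the posted fix, and every candidate it prints still needs a human reviewer before it goes anywhere near a live system.

```python
import re
from typing import List, Tuple

# Constructed sample input: lines excerpted from the OTL log posted in this
# thread, with benign entries (Norton BHO, NVIDIA autorun, iTunes shortcut)
# mixed in so the filter has something to leave alone.
SAMPLE_LOG = r"""
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\18.7.2.3\coieplg.dll (Symantec Corporation)
O2 - BHO: (DefaultTab Browser Helper) - {7F6AFBF1-E065-4627-A2FD-810366367D01} -  File not found
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [aSQw8ccL0] C:\Documents and Settings\User\Local Settings\Application Data\Q6dQAjy.exe (NCSOFT Company)
O4 - HKU\Cliff_ON_C..\Run: [aSQw8ccL0]  File not found
[2013/07/29 20:15:53 | 000,183,296 | ---- | C] (NCSOFT Company) -- C:\Documents and Settings\User\Local Settings\Application Data\Q6dQAjy.exe
[2013/07/29 18:30:03 | 000,316,553 | ---- | M] () -- C:\Documents and Settings\Cliff\Local Settings\Application Data\9f2c10a0-f56c-464d-b90f-23109eb5be53
[2013/07/22 20:32:35 | 000,001,542 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
@Alternate Data Stream - 246 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:63238B95
"""

# One regex per OTL line type handled here. These are my reading of the log
# format shown in the thread, not an official OTL grammar (assumption).
RE_O2 = re.compile(r"^O2 - BHO: \((?P<name>.*?)\) - (?P<clsid>\{[^}]+\}) -\s+(?P<target>.*)$")
RE_O4 = re.compile(r"^O4 - (?P<hive>\S+)\\Run: \[(?P<value>[^\]]*)\]\s+(?P<target>.*)$")
RE_FILE = re.compile(
    r"^\[(?P<stamp>[^|]+)\| (?P<size>[\d,]+) \| (?P<attrs>\S+) \| (?P<kind>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)
RE_ADS = re.compile(r"^@Alternate Data Stream - (?P<bytes>\d+) bytes -> (?P<path>.+)$")

# A file sitting directly inside a per-user "Local Settings\Application Data"
# folder, i.e. not in a vendor subfolder beneath it. Installers normally create
# their own subfolder there, so a bare executable or GUID-named blob at the top
# level is worth a second look (heuristic, assumption).
USER_APPDATA_ROOT = re.compile(r"\\Local Settings\\Application Data\\[^\\]+$", re.IGNORECASE)

Finding = Tuple[str, str]  # (reason, original log line)


def _strip_company(target: str) -> str:
    """Drop the trailing '(Company Name)' that OTL appends to a file path."""
    return re.sub(r" \([^)]*\)$", "", target)


def triage(lines: List[str]) -> List[Finding]:
    """Return the log lines a reviewer would consider putting into an :otl fix."""
    found: List[Finding] = []
    for raw in lines:
        line = raw.rstrip()
        if not line:
            continue
        m = RE_O2.match(line)
        if m:
            if m["target"] == "File not found":
                found.append(("BHO still registered but its DLL is gone (orphaned entry)", line))
            continue
        m = RE_O4.match(line)
        if m:
            target = m["target"]
            if target == "File not found":
                found.append(("autorun value points at a file that no longer exists", line))
            elif USER_APPDATA_ROOT.search(_strip_company(target)):
                found.append(("autorun launches a file dropped straight into a user profile folder", line))
            continue
        m = RE_FILE.match(line)
        if m:
            path, company = m["path"], m["company"] or ""
            if USER_APPDATA_ROOT.search(path) and (not company or path.lower().endswith(".exe")):
                found.append(("recent top-level file in a user profile folder, no vendor subfolder", line))
            continue
        if RE_ADS.match(line):
            found.append(("alternate data stream attached to a file or folder", line))
    return found


def build_fix(findings: List[Finding]) -> str:
    """Lay the flagged lines out in the shape of the fix posted in this thread:
    an :otl block of log lines to act on, then :commands with [emptytemp]."""
    return "\n".join([":otl", *[line for _, line in findings], "", ":commands", "[emptytemp]", ""])


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG.strip().splitlines())
    for reason, line in hits:
        print(f"{reason}:\n    {line}")
    print()
    print(build_fix(hits))
```

Run it as a script and it prints each flagged line with the reason, followed by the assembled fix text. On the sample it flags the orphaned DefaultTab BHO, both `aSQw8ccL0` Run values, the two top-level files under `Local Settings\Application Data` and the `TEMP:63238B95` stream, and leaves the Norton, NVIDIA and iTunes entries alone, which matches what Starbuck's fix targeted. The `_strip_company` step matters because OTL appends the signer name to the path on `O4` lines; without it the path-based check would still fire here, but it would also mis-handle any path whose last component happens to contain a space.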

mikehende (Topic starter; Full Member; Posts: 71)
Using OTL to "run fix"?
« Reply #1 on: August 01, 2013, 03:43:25 PM »
Hey Pete, is there a "generic" code available to use the Run Fix option to get OTL to clean an infected system? If yes, can you link me to that code, please? Or would you first need to run the scan to generate the log file, and then after reviewing the log file you would know which code or directives to use in the Run Fix? If the latter, then this will not help me, as I would not have your expertise; so what I would need then is a way to clean an infected system which does not go into Safe Mode or go to Windows, and this means that no Rescue Disk would have cleaned the infected system. Please advise?
 

Except where otherwise stated, all content, graphics, banners and images included © 2006 - 2017 Smokey Services™ -- All rights reserved
Design board graphics, banners and images by Meg&Millie - Emma aka Tinker
