Trojan Laptop - Unknown version [Closed]
#1
Posted 10 March 2010 - 09:41 PM
Thanks in advance...
#2
Posted 12 March 2010 - 07:39 AM
Here are some of the details. I'm like the local guy that folks go to to have their PCs cleaned up, but this one so far has me stumped. She first noticed that she was having issues when her friends started getting spam email from her....she is running Win Vista Home SP2 with the latest updates, I think. She has MBAM and SUPERAntiSpyware along with Avast, but if you try to run any of them, including the online scanners, they run for about 2 mins then the whole machine locks up. I am able to update MBAM but just cannot get a complete scan. Most all of them stop when scanning the following files: C:\windows\system32\mfc40u.dll or MFC70.dll....I have also thrown several rescue CD antivirus programs at it to no avail either...I'm currently running the Dr. Web rescue CD to see if it finds anything.....however it locks up in graphical mode, and while it finds the trojan it doesn't clean it in command line mode...
Thanks in advance...
Anybody have time????
#3
Posted 12 March 2010 - 01:02 PM
Download the GMER Rootkit Scanner. Unzip it to your Desktop.
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
Double-click gmer.exe. The program will begin to run.
**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!
If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
- Click NO
- In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
- Now click the Scan button.
Once the scan is complete, you may receive another notice about rootkit activity.
- Click OK.
- GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
- Save it where you can easily find it, such as your desktop.
THEN
Download OTL to your Desktop
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.*
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
#4
Posted 12 March 2010 - 03:10 PM
#5
Posted 12 March 2010 - 03:23 PM
#6
Posted 12 March 2010 - 07:23 PM
Edited by bishoptf, 12 March 2010 - 09:52 PM.
#7
Posted 13 March 2010 - 04:49 AM
Download ComboFix from one of these locations:
Link 1
Link 2
* IMPORTANT !!! Save ComboFix.exe to your Desktop
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
- Double click on ComboFix.exe & follow the prompts.
- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
#8
Posted 13 March 2010 - 08:26 AM
Update: I tried running rkill to see if I could kill whatever is stopping the scans from completing. It appears something locks the computer up when a scan gets to a certain point...when I was running an Avira rescue CD it found several items but was unable to clean them; one of them it labeled as a stop acl file......
Edited by bishoptf, 13 March 2010 - 08:49 AM.
#9
Posted 13 March 2010 - 09:26 AM
Let's try OTL and fix it in baby steps.
Download OTL to your Desktop
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.*
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
#10
Posted 13 March 2010 - 09:47 AM
Edited by bishoptf, 13 March 2010 - 09:49 AM.
#11
Posted 13 March 2010 - 09:49 AM
#12
Posted 13 March 2010 - 09:58 AM
OTL logfile created on: 3/13/2010 9:53:08 AM - Run 1
OTL by OldTimer - Version 3.1.37.0 Folder = C:\Users\Michele\Desktop\cleanup
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18882)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 78.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 93.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 137.60 Gb Total Space | 78.02 Gb Free Space | 56.70% Space Free | Partition Type: NTFS
Drive D: | 11.44 Gb Total Space | 1.93 Gb Free Space | 16.87% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 955.08 Mb Total Space | 949.86 Mb Free Space | 99.45% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: MICHELE-PC
Current User Name: Michele
Logged in as Administrator.
Current Boot Mode: SafeMode
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan
========== Processes (SafeList) ==========
PRC - [2010/03/12 19:04:54 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Users\Michele\Desktop\cleanup\OTL.exe
PRC - [2009/04/11 00:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
========== Modules (SafeList) ==========
MOD - [2010/03/12 19:04:54 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Users\Michele\Desktop\cleanup\OTL.exe
MOD - [2009/04/11 00:21:38 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll
========== Win32 Services (SafeList) ==========
SRV - [2009/09/24 19:27:04 | 000,793,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2008/07/31 16:41:46 | 000,015,872 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\OpenVPN\bin\openvpnserv.exe -- (OpenVPNService)
SRV - [2008/01/20 20:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/11/06 14:22:26 | 000,092,792 | ---- | M] (CACE Technologies) [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2007/10/03 16:45:02 | 000,358,936 | ---- | M] (Intel Corporation) [Auto | Stopped] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®
SRV - [2007/03/05 10:30:06 | 000,110,592 | ---- | M] (Hewlett-Packard Development Company, L.P.) [On_Demand | Stopped] -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe -- (Com4Qlb)
SRV - [2007/01/04 15:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Stopped] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...o&pf=laptop
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...o&pf=laptop
IE - HKLM\..\URLSearchHook: {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...o&pf=laptop
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\URLSearchHook: {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
========== FireFox ==========
FF - prefs.js..browser.search.defaultenginename: "AIM Search"
FF - prefs.js..browser.search.defaulturl: "http://slirsredirect...fftrie7&query="
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.gmail.com/"
FF - prefs.js..extensions.enabledItems: {c2f863cd-0429-48c7-bb54-db756a951760}:5.20.1.1
FF - prefs.js..extensions.enabledItems: [email protected]:4.60
FF - prefs.js..extensions.enabledItems: {B13721C7-F507-4982-B2E5-502A71474FED}:3.3.0.3971
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:1.6.5.200812101546
FF - prefs.js..keyword.URL: "http://slirsredirect...0fftrab&query="
FF - HKLM\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2009/11/17 09:18:28 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/19 22:30:23 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/03/03 16:22:19 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.16\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2009/12/03 14:16:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.16\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins
[2009/09/04 18:29:47 | 000,000,000 | ---D | M] -- C:\Users\Michele\AppData\Roaming\Mozilla\Extensions
[2009/09/04 18:29:47 | 000,000,000 | ---D | M] -- C:\Users\Michele\AppData\Roaming\Mozilla\Extensions\[email protected]
[2010/03/06 22:10:13 | 000,000,000 | ---D | M] -- C:\Users\Michele\AppData\Roaming\Mozilla\Firefox\Profiles\iwonpu18.default\extensions
[2009/06/25 15:03:34 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Michele\AppData\Roaming\Mozilla\Firefox\Profiles\iwonpu18.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/12/20 11:12:46 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\Michele\AppData\Roaming\Mozilla\Firefox\Profiles\iwonpu18.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2009/04/14 15:37:14 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Michele\AppData\Roaming\Mozilla\Firefox\Profiles\iwonpu18.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}
[2009/04/14 15:37:17 | 000,001,739 | ---- | M] () -- C:\Users\Michele\AppData\Roaming\Mozilla\Firefox\Profiles\iwonpu18.default\searchplugins\aim-search.xml
[2009/08/06 10:31:13 | 000,000,930 | ---- | M] () -- C:\Users\Michele\AppData\Roaming\Mozilla\Firefox\Profiles\iwonpu18.default\searchplugins\facebook.xml
[2010/03/13 08:17:59 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/06/18 00:43:04 | 000,086,016 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll
[2007/04/16 11:07:12 | 000,180,293 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll
O1 HOSTS File: ([2006/09/18 15:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (HP Print Enhancer) - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No CLSID value found.
O2 - BHO: (AIM Toolbar Loader) - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)
O2 - BHO: (HP Smart BHO Class) - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O3 - HKLM\..\Toolbar: (AIM Toolbar) - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)
O3 - HKLM\..\Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (AIM Toolbar) - {61539ECD-CC67-4437-A03C-9AACCBD14326} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [ATT-SST_McciTrayApp] C:\Program Files\ATT-SST\McciTrayApp.exe File not found
O4 - HKLM..\Run: [ATT-SST_UninstallTracking] C:\Users\Michele\AppData\Local\Temp\InstallHelper.exe File not found
O4 - HKLM..\Run: [HP Health Check Scheduler] File not found
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)
O4 - HKLM..\Run: [V0510Mon.exe] C:\Windows\V0510Mon.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [ATT-SST] C:\Program Files\ATT-SST\McciBrowser.exe File not found
O4 - HKCU..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe File not found
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
O8 - Extra context menu item: &AIM Toolbar Search - C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\local\search.html ()
O9 - Extra Button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)
O9 - Extra Button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: glencoe.com ([www] https in Trusted sites)
O15 - HKCU\..Trusted Domains: hallmarkinsights.com ([www] https in Trusted sites)
O15 - HKCU\..Trusted Domains: motive.com ([pattta.att] https in Trusted sites)
O15 - HKCU\..Trusted Domains: motive.com ([patttbc.att] https in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_04)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.99.99.4 208.67.222.222
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Users\Michele\2010-1-25\@Johnnyrockets 031.JPG
O24 - Desktop BackupWallPaper: C:\Users\Michele\2010-1-25\@Johnnyrockets 031.JPG
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/02/27 01:45:25 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2005/09/11 09:18:54 | 000,000,340 | -HS- | M] () - D:\AUTOMODE -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
========== Files/Folders - Created Within 14 Days ==========
[2010/03/13 08:41:42 | 000,000,000 | --SD | C] -- C:\ComboFix
[2010/03/13 08:41:25 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/03/13 08:18:22 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010/03/13 08:18:22 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010/03/13 08:18:22 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010/03/13 08:18:16 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/03/13 08:10:43 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/03/12 19:22:18 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2010/03/12 19:18:35 | 000,000,000 | ---D | C] -- C:\Users\Michele\Desktop\cleanup
[2010/03/12 13:46:09 | 000,000,000 | -HSD | C] -- C:\found.000
[2010/03/09 18:03:38 | 000,000,000 | ---D | C] -- C:\Users\Michele\DoctorWeb
[2010/03/08 16:04:29 | 000,000,000 | ---D | C] -- C:\%SystemDrive%
[2010/03/08 15:42:05 | 000,157,712 | ---- | C] (Trend Micro Inc.) -- C:\Windows\System32\drivers\tmcomm.sys
[2010/03/08 12:24:34 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/03/06 16:11:54 | 000,000,000 | ---D | C] -- C:\Users\Michele\AppData\Roaming\Malwarebytes
[2010/03/06 16:11:49 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/03/06 16:11:47 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/03/06 16:11:47 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/03/06 16:11:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/03/01 09:51:53 | 000,000,000 | ---D | C] -- C:\Users\Michele\2010-03-01
========== Files - Modified Within 14 Days ==========
[2010/03/13 09:52:05 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/03/13 09:42:51 | 002,621,440 | -HS- | M] () -- C:\Users\Michele\ntuser.dat
[2010/03/13 09:41:00 | 000,000,422 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{38519E9B-1B40-4EED-B767-99BD4649A422}.job
[2010/03/13 09:33:43 | 000,690,960 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/03/13 09:33:43 | 000,595,684 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/03/13 09:33:43 | 000,101,350 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/03/13 09:29:27 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/03/13 09:29:26 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/03/13 09:29:22 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/03/13 08:12:20 | 000,524,288 | -HS- | M] () -- C:\Users\Michele\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
[2010/03/13 08:12:20 | 000,065,536 | -HS- | M] () -- C:\Users\Michele\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
[2010/03/12 19:22:33 | 000,391,952 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/03/12 19:22:04 | 140,922,044 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/03/08 16:01:50 | 002,672,312 | ---- | M] () -- C:\esetsmartinstaller_enu.exe
[2010/03/08 15:41:58 | 000,000,036 | ---- | M] () -- C:\Users\Michele\AppData\Local\housecall.guid.cache
[2010/03/08 14:49:43 | 032,224,681 | ---- | M] () -- C:\ivdf_fusebundle_nt_en.zip
[2010/03/08 12:20:52 | 030,909,992 | ---- | M] () -- C:\avira_antivir_personal_en.exe
[2010/03/05 16:28:31 | 000,179,242 | ---- | M] () -- C:\Users\Michele\Desktop\Palmer9.jpg
[2010/03/04 23:10:20 | 000,020,145 | ---- | M] () -- C:\Users\Michele\Documents\Maniac magee.odt
[2010/03/04 23:10:10 | 000,038,984 | ---- | M] () -- C:\Users\Michele\Documents\daniel boone legend.odt
[2010/03/04 22:40:28 | 000,012,836 | ---- | M] () -- C:\Users\Michele\Documents\talltale.odt
[2010/03/04 18:11:17 | 000,219,252 | ---- | M] () -- C:\Users\Michele\Documents\JoeMagarac.odt
[2010/03/04 17:37:18 | 000,467,851 | ---- | M] () -- C:\Users\Michele\Documents\Windwagon Smith.odt
[2010/03/04 06:48:13 | 000,170,224 | ---- | M] () -- C:\Users\Michele\Documents\American Folk Heroes Scrapbook.odt
[2010/03/03 21:11:00 | 000,031,783 | ---- | M] () -- C:\Users\Michele\Documents\Rip Van Winkle.odt
[2010/03/02 16:12:51 | 000,011,369 | ---- | M] () -- C:\Users\Michele\Documents\Cookie Booth.odt
[2010/03/01 11:10:28 | 000,027,648 | ---- | M] () -- C:\Users\Michele\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/02/27 23:37:05 | 000,000,330 | ---- | M] () -- C:\Windows\tasks\HPCeeScheduleForMichele.job
[2010/02/27 16:45:36 | 000,009,441 | ---- | M] () -- C:\Users\Michele\Documents\scopes trial notes.odt
========== Files Created - No Company Name ==========
[2010/03/13 08:18:22 | 000,261,632 | ---- | C] () -- C:\Windows\PEV.exe
[2010/03/13 08:18:22 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/03/13 08:18:22 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/03/13 08:18:22 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010/03/13 08:18:22 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010/03/12 19:22:04 | 140,922,044 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2010/03/08 16:04:17 | 002,672,312 | ---- | C] () -- C:\esetsmartinstaller_enu.exe
[2010/03/08 15:41:58 | 000,000,036 | ---- | C] () -- C:\Users\Michele\AppData\Local\housecall.guid.cache
[2010/03/08 14:48:03 | 032,224,681 | ---- | C] () -- C:\ivdf_fusebundle_nt_en.zip
[2010/03/08 12:23:53 | 030,909,992 | ---- | C] () -- C:\avira_antivir_personal_en.exe
[2010/03/05 16:43:29 | 000,179,242 | ---- | C] () -- C:\Users\Michele\Desktop\Palmer9.jpg
[2010/03/04 22:40:28 | 000,012,836 | ---- | C] () -- C:\Users\Michele\Documents\talltale.odt
[2010/03/04 18:22:15 | 000,020,145 | ---- | C] () -- C:\Users\Michele\Documents\Maniac magee.odt
[2010/03/04 18:11:17 | 000,219,252 | ---- | C] () -- C:\Users\Michele\Documents\JoeMagarac.odt
[2010/03/03 20:48:56 | 000,031,783 | ---- | C] () -- C:\Users\Michele\Documents\Rip Van Winkle.odt
[2010/03/03 20:02:03 | 000,467,851 | ---- | C] () -- C:\Users\Michele\Documents\Windwagon Smith.odt
[2010/03/03 19:21:19 | 000,038,984 | ---- | C] () -- C:\Users\Michele\Documents\daniel boone legend.odt
[2010/03/03 18:04:20 | 000,170,224 | ---- | C] () -- C:\Users\Michele\Documents\American Folk Heroes Scrapbook.odt
[2010/02/27 16:45:36 | 000,009,441 | ---- | C] () -- C:\Users\Michele\Documents\scopes trial notes.odt
[2010/02/25 21:12:36 | 000,000,000 | ---- | C] () -- C:\Users\Michele\AppData\Local\FnF4.txt
[2009/12/28 19:17:03 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2009/09/11 06:47:30 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/08/29 10:59:18 | 000,003,654 | ---- | C] () -- C:\Windows\System32\drivers\Sonyhcp.dll
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2008/11/10 10:23:22 | 000,001,072 | ---- | C] () -- C:\Users\Michele\AppData\Roaming\wklnhst.dat
[2008/08/01 21:18:09 | 000,027,648 | ---- | C] () -- C:\Users\Michele\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/07/04 22:14:48 | 000,005,648 | ---- | C] () -- C:\Users\Michele\AppData\Local\d3d9caps.dat
[2008/07/04 15:00:27 | 000,000,000 | ---- | C] () -- C:\Users\Michele\AppData\Local\QSwitch.txt
[2008/07/04 15:00:27 | 000,000,000 | ---- | C] () -- C:\Users\Michele\AppData\Local\DSwitch.txt
[2008/07/04 15:00:27 | 000,000,000 | ---- | C] () -- C:\Users\Michele\AppData\Local\AtStart.txt
[2008/04/17 19:24:00 | 000,155,648 | ---- | C] () -- C:\Windows\System32\igfxtvcx.dll
[2008/02/27 01:59:45 | 000,000,731 | ---- | C] () -- C:\ProgramData\hpzinstall.log
[2007/11/06 14:19:28 | 000,053,299 | ---- | C] () -- C:\Windows\System32\pthreadVC.dll
[2007/08/20 06:34:08 | 000,204,800 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1318.dll
[2007/08/20 06:25:00 | 000,910,720 | ---- | C] () -- C:\Windows\System32\igmedkrn.dll
[2007/08/20 06:10:18 | 000,249,856 | ---- | C] () -- C:\Windows\System32\igfxTMM.dll
[2006/11/02 06:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 01:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
========== LOP Check ==========
[2008/07/22 00:59:54 | 000,000,000 | ---D | M] -- C:\Users\Michele\AppData\Roaming\iWin
[2009/09/21 15:11:49 | 000,000,000 | ---D | M] -- C:\Users\Michele\AppData\Roaming\LimeWire
[2008/08/01 21:23:44 | 000,000,000 | ---D | M] -- C:\Users\Michele\AppData\Roaming\muvee Technologies
[2008/08/05 18:35:44 | 000,000,000 | ---D | M] -- C:\Users\Michele\AppData\Roaming\Opera
[2008/11/10 10:23:30 | 000,000,000 | ---D | M] -- C:\Users\Michele\AppData\Roaming\Template
[2008/08/13 21:47:06 | 000,000,000 | ---D | M] -- C:\Users\Michele\AppData\Roaming\Thunderbird
[2008/08/03 19:31:58 | 000,000,000 | ---D | M] -- C:\Users\Michele\AppData\Roaming\Wireshark
[2010/03/12 19:12:50 | 000,032,566 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2010/03/13 09:41:00 | 000,000,422 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{38519E9B-1B40-4EED-B767-99BD4649A422}.job
========== Purity Check ==========
========== Alternate Data Streams ==========
@Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:DFC5A2B2
@Alternate Data Stream - 115 bytes -> C:\ProgramData\TEMP:A8ADE5D8
< End of report >
Edited by Essexboy, 13 March 2010 - 10:05 AM.
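The first pass a helper makes over an OTL log like the one above (orphaned Run keys, BHO entries with no CLSID, services with no publisher, DHCP resolvers, alternate data streams) can be scripted. This is an added example for the thread, not OTL's own code or anything posted by its participants; the line formats are those of the OTL output above, and the sample lines are constructed from that log so the script runs offline.

```python
"""Triage helper for OTL-style logs (added example for this thread, not OTL's
own code). Line formats follow the OTL log posted above; sample lines are
constructed from that log so this runs offline."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    category: str  # short tag used for counting
    detail: str    # the log line, or the part of it that matters


# Safelist entries: "SRV - [stamp | size | attrs | M] (Company) [state] -- path -- (Name)"
ENTRY_RE = re.compile(
    r"^(?P<kind>PRC|MOD|SRV|DRV) - \[(?P<stamp>[^|]+)\| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[^|]+)\| (?P<flag>[MC])\] \((?P<company>[^)]*)\)"
)
# HijackThis-style numbered entries, e.g. "O4 - HKLM..\Run: [name] target"
OLINE_RE = re.compile(r"^O(?P<num>\d+) - (?P<rest>.*)$")
RUN_RE = re.compile(r"^HK\w+\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<target>.*)$")
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+)$")


def triage_line(line: str) -> List[Finding]:
    """Return the findings for one log line (zero or one in practice)."""
    m = ENTRY_RE.match(line)
    if m:
        # OTL prints "()" when the file has no company resource: common for
        # open-source tools, but every such service/process deserves a look.
        if m.group("company") == "":
            parts = line[m.end():].split(" -- ")
            path = parts[1] if len(parts) > 1 else line
            return [Finding("no-publisher", f'{m.group("kind")} {path}')]
        return []
    m = ADS_RE.match(line)
    if m:  # NTFS alternate data streams: legitimate for some programs, a hiding place for others
        return [Finding("alternate-data-stream", m.group("path"))]
    m = OLINE_RE.match(line)
    if not m:
        return []
    num, rest = int(m.group("num")), m.group("rest")
    if num in (2, 3) and rest.endswith("No CLSID value found."):
        # BHO/toolbar registration whose COM class is gone: leftover to clean
        return [Finding("orphaned-clsid", rest)]
    if num == 4:
        r = RUN_RE.match(rest)
        if r and r.group("name") == "":
            return [Finding("unnamed-autorun", rest)]   # empty value name, as in the log above
        if r and r.group("target").endswith("File not found"):
            return [Finding("orphaned-autorun", rest)]  # autostart pointing at a missing file
    if num == 17 and "DhcpNameServer = " in rest:
        # Resolvers handed out by DHCP; compare with what the network should be using
        return [Finding("dns-servers", " ".join(rest.split("DhcpNameServer = ", 1)[1].split()))]
    if num == 20 and "Winlogon\\Notify\\" in rest and not rest.endswith("(Microsoft Corporation)"):
        # Third-party Winlogon notification DLLs load at every logon; list them for review
        return [Finding("winlogon-notify", rest)]
    return []


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over every line of an OTL log."""
    return [f for raw in log_text.splitlines() for f in triage_line(raw.strip())]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category."""
    return dict(Counter(f.category for f in findings))


# Constructed sample: lines copied from the OTL log in this thread.
SAMPLE_LOG = r"""
SRV - [2008/07/31 16:41:46 | 000,015,872 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\OpenVPN\bin\openvpnserv.exe -- (OpenVPNService)
SRV - [2008/01/20 20:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [ATT-SST_McciTrayApp] C:\Program Files\ATT-SST\McciTrayApp.exe File not found
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.99.99.4 208.67.222.222
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
@Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:DFC5A2B2
@Alternate Data Stream - 115 bytes -> C:\ProgramData\TEMP:A8ADE5D8
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.category:<22} {f.detail}")
    print(summarize(triage(SAMPLE_LOG)))
```

Every category here is a "look at this", not a verdict: the Intel Winlogon DLL and the OpenVPN service in the log above are legitimate, and the point of the pass is to shrink a 200-line log to the handful of lines a helper must actually judge.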
#13
Posted 13 March 2010 - 10:07 AM
Download avz4.zip from HERE
- Unzip it to your desktop to a folder named avz4
- Double click on AVZ.exe to run it.
- Run an update by clicking the Auto Update button on the Right of the Log window:
- Click Start to begin the update
- Start AVZ.
- Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Analysis with malware removal mode enabled" check box.
- Click on the “Execute selected scripts”.
- Automatic scanning, healing and system check will be executed.
- A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
- It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
- All applications will work properly after the system restart.
When restarted
- Start AVZ.
- Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Analysis" check box.
- Click on the "Execute selected scripts".
- A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.
Attach both virusinfo_syscure.zip and virusinfo_syscheck.zip to your next post
To attach a file, do the following:
- Click Add Reply
- Under the reply panel is the Attachments Panel
- Browse for the attachment file you want to upload, then click the green Upload button
- Once it has uploaded, click the Manage Current Attachments drop down box
- Click on to insert the attachment into your post
#14
Posted 13 March 2010 - 10:14 AM
#15
Posted 13 March 2010 - 10:16 AM