Unsure Virus / Infection (Extremely Urgent!)



#1 FireMage (New Member, 1 posts)
This is not my system; it belongs to a co-worker of my mother's, who thought that I might be able to fix his problem. Thus, it is really urgent for me to get help. He said that things got bad after he opened something through a link from a friend on Facebook. After researching, I figured it's the Koobface worm. I've been debugging and fixing this computer for 2 full days now.

His system is an HP Pavilion dv7 Notebook PC, running Windows Vista Ultimate with Service Pack 2. It is also a 64-bit system.

The computer will NOT start up normally: it reaches the log-in screen, then goes to a blue error screen, where it restarts and gives the option of starting in Safe Mode. It does start in Safe Mode; however, attempts to run McAfee (the antivirus he had on here before, it seems) have not worked. I have been using Safe Mode with Networking.

I first used Microsoft's Malicious Software Removal Tool. It removed one infected file, and did nothing else to help.

I went to install Avast! Anti-virus, as it is what I use mostly. Once installed, there was a side-by-side configuration error, which, when I looked into it, dealt with Microsoft Visual C++. I tried to install the Visual C++ Redistributable, but it had problems with running Windows Installer in Safe Mode. I eventually added registry commands from the CMD (with help from command lines online) and was able to install, or at least appear to install, the Visual C++. Avast! still had the same error and has not shown up in the running processes or services.

I next moved to Malwarebytes. It installed successfully, updated, and I started a full system scan. It removed two files, one of which did indeed say "Koobface" in the name. I thought it would be fine. But no, the problems are still the same: blue screen if started up normally, problems with anti-virus, etc. You still need to run Safe Mode. And after rebooting the computer, Malwarebytes gives run-time errors '0' and '440', which I assume have something to do with the infection blocking the program.

So I moved on to try Ad-Aware. I could not get that installed at first, but finally did. It has errors when trying to start the program, however, so again I gave up on this.

And much the same for AVG. I can't get AVG to even install; more errors abound. So I have uninstalled and removed basically all of the programs that have not worked. I've uninstalled and reinstalled Malwarebytes a couple of times because it seems to be able to update and scan so long as the computer is not rebooted after it has been installed. Each scan afterwards comes up with no infections.

I've turned to the internet for help, of course, and have read some other tutorials, and eventually have run things like ComboFix (and yes, I was careful in running it, and it did not damage the computer). However, even ComboFix has done nothing for me.

At this point, I am struggling with this. I've tried manually searching for worm files or infected registry entries, etc., and so I am no longer sure what to do. Any help would be great. I have limited time to get the computer back to the person, although I did not guarantee I could fix it, of course. Here's the OTL log from OldTimer:


OTL logfile created on: 12/21/2010 11:33:29 PM - Run 1
OTL by OldTimer - Version 3.2.18.0 Folder = C:\Users\dave hunter\Desktop
64bit-Windows Vista Ultimate Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18975)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 76.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 286.35 Gb Total Space | 197.52 Gb Free Space | 68.98% Space Free | Partition Type: NTFS
Drive D: | 11.74 Gb Total Space | 1.92 Gb Free Space | 16.32% Space Free | Partition Type: NTFS

Computer Name: DAVEHUNTER-PC | User Name: dave hunter | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/12/21 23:32:32 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Users\dave hunter\Desktop\OTL.exe


========== Modules (SafeList) ==========

MOD - [2010/12/21 23:32:32 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Users\dave hunter\Desktop\OTL.exe
MOD - [2010/08/31 10:43:52 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - File not found [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV:64bit: - File not found [Auto | Stopped] -- C:\Program Files\AGI\core\3.0\AGCoreService.exe -- (AGCoreService)
SRV:64bit: - [2009/11/24 18:51:35 | 000,138,680 | ---- | M] (ALWIL Software) [Auto | Stopped] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV:64bit: - [2009/11/24 18:48:48 | 000,352,920 | ---- | M] (ALWIL Software) [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV:64bit: - [2008/06/27 10:53:06 | 000,089,088 | ---- | M] (Andrea Electronics Corporation) [Auto | Stopped] -- C:\Windows\SysNative\DriverStore\FileRepository\stwrt64.inf_8adfd0a8\AESTSr64.exe -- (AESTFilters)
SRV:64bit: - [2008/06/27 10:43:28 | 000,246,784 | ---- | M] (IDT, Inc.) [Auto | Stopped] -- C:\Windows\SysNative\DriverStore\FileRepository\stwrt64.inf_8adfd0a8\STacSV64.exe -- (STacSV)
SRV:64bit: - [2008/03/18 19:25:40 | 000,023,040 | ---- | M] (Hewlett-Packard Corporation) [Auto | Stopped] -- C:\Windows\SysNative\Hpservice.exe -- (hpsrv)
SRV:64bit: - [2008/01/20 21:50:23 | 000,195,584 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV:64bit: - [2008/01/20 21:46:39 | 000,383,544 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2007/12/11 15:11:30 | 000,015,872 | ---- | M] (Agere Systems) [Auto | Stopped] -- C:\Windows\SysNative\agr64svc.exe -- (AgereModemAudio)
SRV - [2010/03/19 09:49:20 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Stopped] -- C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/03/18 12:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/01/15 07:49:20 | 000,227,232 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)
SRV - [2009/03/29 23:42:14 | 000,066,368 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2008/04/26 03:15:26 | 000,361,808 | ---- | M] () [Auto | Stopped] -- C:\Windows\SMINST\BLService.exe -- (Recovery Service for Windows)
SRV - [2008/01/11 17:50:16 | 000,030,312 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files (x86)\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe -- (BcmSqlStartupSvc)


========== Driver Services (SafeList) ==========

DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\ipinip.sys -- (IpInIp)
DRV:64bit: - [2010/09/07 10:47:33 | 000,061,008 | ---- | M] (AVAST Software) [File_System | Auto | Stopped] -- C:\Windows\SysNative\DRIVERS\aswMonFlt.sys -- (aswMonFlt)
DRV:64bit: - [2010/09/07 10:47:10 | 000,020,048 | ---- | M] (AVAST Software) [File_System | Auto | Stopped] -- C:\Windows\SysNative\DRIVERS\aswFsBlk.sys -- (aswFsBlk)
DRV:64bit: - [2009/09/30 19:51:42 | 000,046,592 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\wpdusb.sys -- (WpdUsb)
DRV:64bit: - [2008/07/08 05:16:30 | 000,140,888 | ---- | M] (JMicron Technology Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\jmcr.sys -- (JMCR)
DRV:64bit: - [2008/06/27 10:44:18 | 000,457,216 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\stwrt64.sys -- (STHDA)
DRV:64bit: - [2008/05/13 21:09:00 | 000,054,816 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\nvhda64v.sys -- (NVHDA)
DRV:64bit: - [2008/05/02 08:59:48 | 000,166,912 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\Rtlh64.sys -- (RTL8169)
DRV:64bit: - [2008/04/28 01:38:12 | 004,730,368 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\NETw5v64.sys -- (NETw5v64) Intel®
DRV:64bit: - [2008/03/27 15:10:56 | 000,026,984 | ---- | M] (Hewlett-Packard Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\DRIVERS\hpdskflt.sys -- (hpdskflt)
DRV:64bit: - [2008/03/27 15:10:14 | 000,040,296 | ---- | M] (Hewlett-Packard Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\Accelerometer.sys -- (Accelerometer)
DRV:64bit: - [2008/02/29 18:59:32 | 001,252,352 | ---- | M] (Agere Systems) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\agrsm64.sys -- (AgereSoftModem)
DRV:64bit: - [2008/01/24 08:24:24 | 000,060,928 | ---- | M] (ENE TECHNOLOGY INC.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\enecir.sys -- (enecir)
DRV:64bit: - [2008/01/20 21:46:04 | 003,154,432 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\NETw3v64.sys -- (NETw3v64) Intel®
DRV:64bit: - [2008/01/20 21:46:02 | 000,111,104 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\sdbus.sys -- (sdbus)
DRV:64bit: - [2008/01/18 06:31:30 | 000,320,560 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\SynTP.sys -- (SynTP)
DRV:64bit: - [2007/06/18 19:13:12 | 000,018,432 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\HpqKbFiltr.sys -- (HpqKbFiltr)
DRV:64bit: - [2006/10/03 20:45:36 | 000,273,408 | ---- | M] (Marvell) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\yk60x64.sys -- (yukonx64)
DRV:64bit: - [2006/09/18 16:36:24 | 000,000,308 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\Wbem\ntfs.mof -- (Ntfs)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...avilion&pf=cnnb
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...avilion&pf=cnnb
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...avilion&pf=cnnb
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...avilion&pf=cnnb

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/02/25 21:33:25 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2010/12/20 16:17:49 | 000,000,822 | ---- | M]) - C:\Windows\SysNative\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2:64bit: - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O2:64bit: - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg64.dll File not found
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll File not found
O2 - BHO: (HP Print Enhancer) - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll (Google Inc.)
O2 - BHO: (HP Smart BHO Class) - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O3:64bit: - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll File not found
O3:64bit: - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4:64bit: - HKLM..\Run: [NvCplDaemon] C:\Windows\SysNative\NvCpl.DLL (NVIDIA Corporation)
O4:64bit: - HKLM..\Run: [NvMediaCenter] C:\Windows\SysNative\NvMcTray.DLL (NVIDIA Corporation)
O4:64bit: - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe (IDT, Inc.)
O4:64bit: - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [HP Health Check Scheduler] c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe (Hewlett-Packard)
O4 - HKLM..\Run: [hpqSRMon] File not found
O4 - HKLM..\Run: [UCam_Menu] C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8:64bit: - Extra context menu item: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll (Google Inc.)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll (Google Inc.)
O9 - Extra Button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: 164.109.25.72 ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: 207.130.86.35 ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: acura.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: ahmdealer.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: ahm-ownerlink.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: edcor.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: honda.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: honda.com ([www.in] http in Trusted sites)
O15 - HKCU\..Trusted Domains: hondacars.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: xmradio.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Ranges: Range1 ([http] in Local intranet)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {297DE2B6-509A-4B36-93C5-A65276606900} http://www.in.honda....AX/RraainAX.CAB (RRAAINAX_02.RRAAINAX)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: CabBuilder http://ak.imgag.com/...llerControl.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - Reg Error: Key error. File not found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/12/21 23:32:32 | 000,602,624 | ---- | C] (OldTimer Tools) -- C:\Users\dave hunter\Desktop\OTL.exe
[2010/12/21 22:53:09 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
[2010/12/21 22:53:06 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/12/21 22:52:43 | 007,622,112 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\dave hunter\Desktop\mbam-setup-1.50.0.0.exe
[2010/12/21 17:12:08 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ESET
[2010/12/21 16:32:31 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2010/12/21 16:21:30 | 000,000,000 | ---D | C] -- C:\MGtools
[2010/12/21 16:19:47 | 000,000,000 | ---D | C] -- C:\Users\dave hunter\AppData\Local\temp
[2010/12/21 16:12:22 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/12/21 16:11:23 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010/12/21 16:11:23 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010/12/21 16:11:23 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010/12/21 16:11:20 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/12/21 16:11:08 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/12/21 14:40:32 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2010/12/20 18:49:49 | 000,000,000 | ---D | C] -- C:\ProgramData\AGI
[2010/12/20 18:37:59 | 000,000,000 | ---D | C] -- C:\ProgramData\MFAData
[2010/12/20 18:27:21 | 000,069,152 | ---- | C] (Lavasoft AB) -- C:\Windows\SysNative\drivers\Lbd.sys
[2010/12/20 18:27:18 | 000,049,752 | ---- | C] (Sunbelt Software) -- C:\Windows\SysNative\drivers\SBREDrv.sys
[2010/12/20 18:26:32 | 000,000,000 | ---D | C] -- C:\Users\dave hunter\AppData\Local\Sunbelt Software
[2010/12/20 18:25:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Lavasoft
[2010/12/20 18:25:55 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Lavasoft
[2010/12/20 17:08:20 | 000,000,000 | ---D | C] -- C:\Users\dave hunter\AppData\Roaming\Malwarebytes
[2010/12/20 17:08:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/12/20 17:08:10 | 000,024,152 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2010/12/20 16:34:08 | 000,000,000 | -H-D | C] -- C:\ProgramData\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
[2010/12/20 16:28:01 | 000,038,848 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr
[2010/12/15 16:19:39 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2010/12/15 13:14:01 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Essentials
[2009/05/03 20:56:23 | 003,063,561 | ---- | C] (Macromedia, Inc.) -- C:\ProgramData\MobileTV.exe
[2009/05/03 20:56:23 | 002,989,660 | ---- | C] (Macromedia, Inc.) -- C:\ProgramData\DVD.exe
[2009/05/03 20:56:22 | 002,864,396 | ---- | C] (Macromedia, Inc.) -- C:\ProgramData\MPV.exe
[2009/05/03 20:56:22 | 002,331,174 | ---- | C] (Macromedia, Inc.) -- C:\ProgramData\Karaoke.exe
[2009/05/03 20:56:22 | 002,231,606 | ---- | C] (Macromedia, Inc.) -- C:\ProgramData\Games.exe
[3 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/12/21 23:32:32 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Users\dave hunter\Desktop\OTL.exe
[2010/12/21 22:53:48 | 000,000,862 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/12/21 22:52:48 | 007,622,112 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\dave hunter\Desktop\mbam-setup-1.50.0.0.exe
[2010/12/21 22:49:14 | 000,773,076 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2010/12/21 22:49:14 | 000,653,128 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2010/12/21 22:49:14 | 000,121,952 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2010/12/21 22:44:33 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/12/21 22:44:23 | 268,435,456 | -HS- | M] () -- C:\Windows\SysNative\temppf.sys
[2010/12/21 22:36:32 | 000,000,732 | ---- | M] () -- C:\Users\dave hunter\AppData\Local\d3d9caps64.dat
[2010/12/21 22:33:53 | 000,001,356 | ---- | M] () -- C:\Users\dave hunter\AppData\Local\d3d9caps.dat
[2010/12/21 22:10:30 | 000,028,409 | ---- | M] () -- C:\ProgramData\nvModes.001
[2010/12/21 16:21:30 | 000,020,264 | ---- | M] () -- C:\MGlogs.zip
[2010/12/21 14:42:39 | 002,416,140 | ---- | M] () -- C:\MGtools.exe
[2010/12/20 18:30:59 | 000,000,430 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{73D2F3A8-72FC-4359-92A9-4D2FC1969E90}.job
[2010/12/20 18:27:18 | 000,049,752 | ---- | M] (Sunbelt Software) -- C:\Windows\SysNative\drivers\SBREDrv.sys
[2010/12/20 18:26:05 | 000,001,033 | ---- | M] () -- C:\Users\dave hunter\Application Data\Microsoft\Internet Explorer\Quick Launch\Ad-Aware.lnk
[2010/12/20 18:26:05 | 000,001,009 | ---- | M] () -- C:\Users\Public\Desktop\Ad-Aware.lnk
[2010/12/20 18:09:00 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
[2010/12/20 18:08:40 | 000,024,152 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2010/12/20 16:28:06 | 000,001,796 | ---- | M] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2010/12/20 16:28:06 | 000,000,000 | ---- | M] () -- C:\Windows\SysWow64\config.nt
[2010/12/20 16:17:49 | 000,000,822 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2010/12/15 16:00:22 | 000,000,904 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/12/15 13:12:28 | 000,028,409 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2010/12/11 15:11:53 | 000,000,908 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/12/09 20:19:21 | 000,003,216 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/12/09 20:19:21 | 000,003,216 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/12/03 04:05:34 | 000,069,152 | ---- | M] (Lavasoft AB) -- C:\Windows\SysNative\drivers\Lbd.sys
[2010/11/28 15:37:24 | 000,007,168 | ---- | M] () -- C:\Users\dave hunter\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[3 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/12/21 22:53:09 | 000,000,862 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/12/21 16:21:30 | 000,020,264 | ---- | C] () -- C:\MGlogs.zip
[2010/12/21 16:11:23 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2010/12/21 16:11:23 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/12/21 16:11:23 | 000,089,088 | ---- | C] () -- C:\Windows\MBR.exe
[2010/12/21 16:11:23 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/12/21 16:11:23 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010/12/21 14:42:38 | 002,416,140 | ---- | C] () -- C:\MGtools.exe
[2010/12/20 18:26:05 | 000,001,033 | ---- | C] () -- C:\Users\dave hunter\Application Data\Microsoft\Internet Explorer\Quick Launch\Ad-Aware.lnk
[2010/12/20 18:26:05 | 000,001,009 | ---- | C] () -- C:\Users\Public\Desktop\Ad-Aware.lnk
[2010/12/20 16:28:06 | 000,001,796 | ---- | C] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2010/12/15 17:10:04 | 000,000,732 | ---- | C] () -- C:\Users\dave hunter\AppData\Local\d3d9caps64.dat
[2010/12/15 16:00:18 | 268,435,456 | -HS- | C] () -- C:\Windows\SysNative\temppf.sys
[2010/07/02 14:34:14 | 000,443,348 | ---- | C] () -- C:\Users\dave hunter\AppData\Local\dd_vcredistMSI21F1.txt
[2010/07/02 14:34:07 | 000,012,994 | ---- | C] () -- C:\Users\dave hunter\AppData\Local\dd_vcredistUI21F1.txt
[2009/09/24 10:08:40 | 000,368,640 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/09/24 10:08:30 | 000,117,248 | ---- | C] () -- C:\Windows\SysWow64\EhStorAuthn.dll
[2009/09/15 16:23:04 | 000,000,000 | ---- | C] () -- C:\Users\dave hunter\AppData\Local\FnF4.txt
[2009/09/14 19:21:56 | 000,001,356 | ---- | C] () -- C:\Users\dave hunter\AppData\Local\d3d9caps.dat
[2009/07/20 20:19:30 | 000,007,168 | ---- | C] () -- C:\Users\dave hunter\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/05/03 20:56:21 | 000,000,021 | ---- | C] () -- C:\ProgramData\hpqp.txt
[2008/12/31 03:15:32 | 000,000,000 | ---- | C] () -- C:\Users\dave hunter\AppData\Local\QSwitch.txt
[2008/12/31 03:15:32 | 000,000,000 | ---- | C] () -- C:\Users\dave hunter\AppData\Local\DSwitch.txt
[2008/12/31 03:15:32 | 000,000,000 | ---- | C] () -- C:\Users\dave hunter\AppData\Local\AtStart.txt
[2008/12/08 06:30:55 | 000,000,253 | ---- | C] () -- C:\ProgramData\hpqp.ini
[2008/12/08 06:23:10 | 000,028,409 | ---- | C] () -- C:\ProgramData\nvModes.001
[2008/12/08 06:22:42 | 000,028,409 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2008/08/01 08:15:54 | 000,000,751 | ---- | C] () -- C:\ProgramData\hpzinstall.log
[2008/08/01 07:42:59 | 000,787,448 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2008/01/20 21:49:10 | 000,060,124 | ---- | C] () -- C:\Windows\SysWow64\tcpmon.ini

========== LOP Check ==========

[2009/10/31 15:10:02 | 000,000,000 | ---D | M] -- C:\Users\dave hunter\AppData\Roaming\Amazon
[2009/11/03 02:37:45 | 000,000,000 | ---D | M] -- C:\Users\dave hunter\AppData\Roaming\DriverCure
[2009/09/08 14:22:59 | 000,000,000 | ---D | M] -- C:\Users\dave hunter\AppData\Roaming\Sammsoft
[2009/11/15 13:25:09 | 000,000,000 | ---D | M] -- C:\Users\dave hunter\AppData\Roaming\Uniblue
[2010/10/27 02:15:56 | 000,032,610 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2010/12/20 18:30:59 | 000,000,430 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{73D2F3A8-72FC-4359-92A9-4D2FC1969E90}.job

========== Purity Check ==========



< End of report >
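The log above is the kind of thing a helper on this forum reads by hand. The script below is an added example, written for this page and not part of the original post or of OldTimer's OTL tool: it parses the line shapes that appear in the posted log and flags the entries an analyst would want to look at first. The excerpt it runs on is copied verbatim from the log in the post; the second, clearly labelled block of lines is constructed to show what a hijacked HOSTS file, Winlogon Shell or exefile handler would look like, and is not from this machine. The flag names ("orphaned-reference", "trusted-site-ip" and so on) are this example's own labels. Two caveats the checks encode: the log was taken in "SafeMode with Networking", so every service and driver showing as Stopped tells you nothing about what loads in a normal boot (which is where the blue screen happens), and a flag is a prompt to review the entry, not a verdict that it is malicious. On the posted excerpt the HOSTS entries and the exefile/comfile handlers match the standard values; what remains are the "File not found" remnants of removed software and two raw IP addresses in the Trusted Sites zone.

```python
"""Triage helper for OTL-style log excerpts.

Added example (not part of the forum post and not an OldTimer tool). It reads
the line formats visible in the posted log and flags entries an analyst would
review by hand. Flags are review hints, not verdicts.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Excerpt copied verbatim from the log in the post above.
POSTED_EXCERPT = r"""
Boot Mode: SafeMode with Networking | Scan Mode: Current user | Quick Scan | Include 64bit Scans
SRV:64bit: - File not found [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2008/04/26 03:15:26 | 000,361,808 | ---- | M] () [Auto | Stopped] -- C:\Windows\SMINST\BLService.exe -- (Recovery Service for Windows)
DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\ipinip.sys -- (IpInIp)
DRV:64bit: - [2006/09/18 16:36:24 | 000,000,308 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\Wbem\ntfs.mof -- (Ntfs)
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll File not found
O4 - HKLM..\Run: [] File not found
O15 - HKCU\..Trusted Domains: 164.109.25.72 ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: honda.com ([]* in Trusted sites)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
"""

# CONSTRUCTED lines (not from the posted log): the shape hijacked entries take.
# "hijack.exe" and www.example.com are placeholders for this example only.
CONSTRUCTED_HOSTILE = r"""
O1 - Hosts: 127.0.0.1 www.example.com
O20 - HKLM Winlogon: Shell - (explorer.exe,hijack.exe) - C:\Users\Public\hijack.exe ()
O35 - HKLM\..exefile [open] -- "C:\Users\Public\hijack.exe" "%1" %*
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# SRV/DRV line whose company field is the empty "()" (unknown or unsigned vendor).
NO_COMPANY = re.compile(r"^(?:SRV|DRV)(?::64bit:)? - \[[^\]]*\] \(\) ")
TRUSTED = re.compile(r"^O15 - .*Trusted Domains: (\S+) \(")
HOSTS = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")
SHELL = re.compile(r"^O20(?::64bit:)? - HKLM Winlogon: Shell - \(([^)]*)\)")
# O35/O37: the shell "open" command for .exe/.com files; anything but "%1" %* is a hijack.
HANDLER = re.compile(r'^O3[57](?::64bit:)? - HKLM\\\.+(?:exefile|comfile|exe|com) \[[^\]]*\] -- (.*)$')
DEFAULT_HANDLER = '"%1" %*'


@dataclass(frozen=True)
class Finding:
    kind: str   # this example's own label for the check that fired
    line: str   # the log line, unmodified, for manual review


def boot_mode(text: str) -> str | None:
    """Boot mode OTL recorded; in Safe Mode, 'Stopped' services prove nothing."""
    for line in text.splitlines():
        if line.startswith("Boot Mode:"):
            return line.split("|", 1)[0].split(":", 1)[1].strip()
    return None


def triage_otl(text: str) -> list[Finding]:
    """Run every check over every non-empty line; a line may get several flags."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "File not found" in line:            # registry points at a missing file
            findings.append(Finding("orphaned-reference", line))
        if NO_COMPANY.match(line):              # service/driver with no vendor name
            findings.append(Finding("no-company-name", line))
        m = TRUSTED.match(line)
        if m and IPV4.match(m.group(1)):        # raw IP in the Trusted Sites zone
            findings.append(Finding("trusted-site-ip", line))
        m = HOSTS.match(line)
        if m and m.group(2).lower() != "localhost":
            findings.append(Finding("hosts-redirect", line))
        m = SHELL.match(line)
        if m and m.group(1).strip().lower() != "explorer.exe":
            findings.append(Finding("shell-hijack", line))
        m = HANDLER.match(line)
        if m and m.group(1).strip() != DEFAULT_HANDLER:
            findings.append(Finding("exe-handler-hijack", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count of findings per flag, for a quick overview before reading lines."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    print("boot mode:", boot_mode(POSTED_EXCERPT))
    for f in triage_otl(POSTED_EXCERPT) + triage_otl(CONSTRUCTED_HOSTILE):
        print(f"[{f.kind}] {f.line}")
```

Feed it the whole posted log instead of the excerpt and the "File not found" flags multiply (the uninstalled Avast!, Yahoo! Toolbar and Google Toolbar Notifier entries, the legacy NwlnkFwd/NwlnkFlt/IpInIp drivers), which is why the summary is worth reading before the individual lines. The checks that would actually indicate tampering (hosts-redirect, shell-hijack, exe-handler-hijack) fire only on the constructed lines, not on anything in the post.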
