
Scans show trojan that can't be removed


  • This topic is locked This topic is locked

#1 thedeadlystoat (Member, 73 posts)

Good afternoon.

First of all I'd like to apologize for my English in case I mistranslate some results that I get from software versions in Spanish. By the way, I'm writing to you from Mexico.
I am sorry for the long read. I guess some information may be irrelevant but I wanted to leave that decision to you and avoid making a mistake based on my ignorance.
Thanks in advance for your help.
Here are some specifications: I share the infected laptop with my family. We have never had a firewall.

Last Wednesday I searched something in Google. When I pressed the link in the results page I was redirected to one of those suspicious advertising websites. I thought the site had been hacked so I just left it and browsed somewhere else. It happened again and then the antivirus I had, named Prodigy Antivirus (my ISP provided me with it), warned me about something in a file that contained the name Firefox but unfortunately I didn't pay attention. I uninstalled Firefox but the problem remained when I tried with IE8.

I looked for a solution on another laptop, where I am writing this, which works perfectly well, no redirecting, using the same wireless connection. I found one that consisted of downloading Malware Bytes, CCleaner and TSSKiller and executing them in that order. I ran all of them along with a full scan of Prodigy AV. TSSKiller didn't find anything but the rest of the programs found several infected files that were apparently successfully removed. The solution I found also had me run Cmd and input the following: "ipconfig /flushdns". It didn't work, it said "the requested operation requires elevation". The redirecting kept happening. As the problem wasn't solved I downloaded Chrome to use instead of IE, which predictably also redirected the results.

I removed Prodigy Antivirus using Revo Uninstaller and tried to install Avira Antivir (from this point forward, all the software I used was downloaded to this clean computer and burnt to CDs to be taken to the infected laptop). I couldn't install it due to "a Windows update" (that's exactly what it said, not "Windows Update"). I killed the Windows Update process using the Hunter Mode of Revo Uninstaller, manually disabled Windows Defender and successfully installed Avira. I ran a scan and it found a trojan located in C:\Windows\System32\k.dll but it couldn't remove it and asked me to restart the computer to finish the process. When it restarted, Windows couldn't boot and went to Startup Repair, which was able to restore to a point previous to the installation of Avira but after I had removed Prodigy AV, which left me with no antivirus at all. For that reason I haven't browsed on that computer ever since, so I'm not certain that the redirecting still happens. Should I search for something in Chrome to check it out? Since I have no protection against potential viruses in redirected sites I didn't know if I should.

Afterwards, I downloaded AVG Antivirus and couldn't install it in Safe Mode with Networking, it kept saying there was an error, so I installed it in Normal Mode and ran a scan. It delivered these results:

Troyano Generic3_c.AVBG located in c:\Windows\System32\k.dll <----I am sure it said AVBG, not AVG.
Process: C:\Windows\System32\wininit.exe
Process ID: 544
Detected when opening


It appeared in the threats box and it replicated every minute or so, appearing in the list with the same name and location. This was happening while the scan was still in process, so by the end of the scan the threat box warned me of the same file, listing it over 50 times in the same list. When I asked it to remove them, a message box said "The action was unsuccessful. The object does not exist or is inaccessible".

I wanted to run a scan in Safe Mode so I rebooted, but once again it failed to boot, and this time Startup Repair didn't work. I had to manually restore the computer to the same point it had restored itself to before (Question: What is it restoring? The registry, the memory or what?). After that, I could start the computer normally, but because of that I had no antivirus once again.

This is where I found you guys. I followed the tutorial on How to Fix Google Redirects.

- I executed ERUNT
- I ran OTM but I couldn't copy the results because it prompted me to restart when it finished and I couldn't access the results behind that message box. After rebooting, 2 files named desktop.ini appeared on my desktop. I can also see one with the same name on every CD I have used on it since then.
- I ran GooredFix
- I ran TDSSKiller and again it found nothing

After this I tried to install AVG again, but it showed a message box like this:

Message Error
basex:0
Cancel Retry


Only that. When I pressed "retry" the box only repeated itself so I pressed cancel.

Then I went to your Malware Removal Guide.
I installed Avira again. Before I ran the scan a message popped up:

Guard: Malware found
Type: Detection
A virus or unwanted program "TR/ATRAPS.Gen" was found in "C:\Windows\System32\k.dll"
Access to file was denied.


I ran the full scan with the following results:

A virus or unwanted program was found!
Detections:

Object | Detection | Action
k.dll | TR/ATRAPS.Gen | Move to quarantine
IMBoosterSetup.4qvcxeiah10jxlvrapcskp45.exe | TR/Dldr.Agent.496640 | Move to quarantine
secupdat.dat | TR/Spy.Gen | Move to quarantine
101111170427903.rsc | JAVA/Dldr.Agent | Move to quarantine

The summary came up like this:
Statistics
Paths: 23898
Scanned: 582388
Archives: 8503
Detections: 5
Objects searched: 607617
Hidden Objects: 0
Warnings: 1
Suspicious: 0
Repaired: 0
Wiped: 0
Deleted: 0
Moved: 3

Warnings
k.dll could not be copied to quarantine or deleted.


It asked me to reboot to complete the repair. The same happened again, couldn't restart, Startup Repair, no Avira again.
Also, when it restarted a message box popped up saying this:

C:\Windows\ERDNT\AutoBackup\29-02-2011\ERDNT.INF

Registry backup will continue, but no restore information for the ERDNT program will be saved. This means that later restoration of the registry can only be done manually, by using another OS to copy back the files.


I read there were some compatibility issues with ERUNT and Vista. Is this what's going on? I read you recommend this program as prevention in your guides so I figured I could keep it after all the problems are solved.

Finally, I still didn't have an antivirus so I installed Avast! to try all the options you suggest. Unlike Avira and AVG, Avast! didn't find any threat, neither with full scans searching for PUPs nor with the boot-time scan. It's still installed; should I uninstall it and run one of the previous ones that did work?

One more thing, when writing this I went to the infected computer to check the version of IE I have. I went offline before opening it but it took me 3 attempts for IE to start. The first 2 times it didn't work, it kind of opened and instantly closed, because I got to see the window opening for an instant. Is that related to a problem?

I had run OTL before I had completed all the steps, so I ran it a second time when I finished (the log at the end is from that second time, even after writing this message). The difference is that for the second time I had installed Avast!, and one thing drew my attention. Avast recommended opening OTL in the sandbox but I said no and opened it normally. The warning also said this:

File: C:\Users\Manuel\Desktop\OTL.exe
Opened by: C:\Windows\System32\wininit.exe

That was the same process that AVG said was running Troyano Generic3_c.AVBG!
Is there a problem with that or is it normal??

I wrote a draft of this message in the clean computer, burnt it to a CD, opened it in the infected computer and added the OTL log, burnt another CD with the complete entry and uploaded it from a cybercafe with the owner's permission after being warned of my problems.

Once again, I am sorry for having you read so much and thank you for making it all the way to the end.
I hope this problem can be fixed.

- Manuel
EDIT: I made some edits just to correct some grammar. The important stuff was left the same. Thanks.

UPDATE 02/27/11: Okay, last night I checked Chrome on the infected computer and it turns out the redirecting still happens, that's for sure. However, at the precise moment when Google redirected me to some mobile ad site, the good computer's cooling system began to work, you know, like when the computer is working really hard. I kind of freaked out! Was it downloading the virus to this machine?! I understand that even under ridiculously unlikely chances correlation doesn't always imply causation, but what are the odds that both actions were unrelated?? I turned off the good computer immediately. I checked this morning, sure that I had screwed up the good computer I had, but it hasn't redirected any of my searches. By the way, this computer has Windows 7.

Here is the OTL log:


OTL logfile created on: 26/02/2011 07:22:05 p.m. - Run 2
OTL by OldTimer - Version 3.2.22.0 Folder = C:\Users\Manuel\Desktop
Windows Vista Home Premium Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18904)
Locale: 0000080A | Country: México | Language: ESM | Date Format: dd/MM/yyyy

1,014.00 Mb Total Physical Memory | 387.00 Mb Available Physical Memory | 38.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 67.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 140.16 Gb Total Space | 81.01 Gb Free Space | 57.80% Space Free | Partition Type: NTFS
Drive D: | 8.89 Gb Total Space | 4.38 Gb Free Space | 49.31% Space Free | Partition Type: NTFS

Computer Name: MILAPTOP | User Name: Manuel | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/02/26 00:42:02 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Manuel\Desktop\OTL.exe
PRC - [2011/02/23 09:04:20 | 003,451,496 | ---- | M] (AVAST Software) -- C:\Archivos de programa\AVAST Software\Avast\AvastUI.exe
PRC - [2011/02/23 09:04:19 | 000,042,184 | ---- | M] (AVAST Software) -- C:\Archivos de programa\AVAST Software\Avast\AvastSvc.exe
PRC - [2010/05/14 10:00:26 | 000,249,136 | ---- | M] (Microsoft Corporation) -- C:\Archivos de programa\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2009/08/18 10:29:22 | 001,529,728 | ---- | M] (Microsoft Corporation) -- C:\Archivos de programa\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
PRC - [2009/08/18 10:29:22 | 000,183,152 | ---- | M] (Microsoft Corporation) -- C:\Archivos de programa\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
PRC - [2008/10/29 00:20:29 | 002,923,520 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/10/25 11:44:34 | 000,031,072 | ---- | M] (Microsoft Corporation) -- C:\Archivos de programa\Microsoft Office\Office12\GrooveMonitor.exe
PRC - [2008/01/09 13:20:30 | 001,232,896 | ---- | M] (Microsoft Corporation) -- C:\Archivos de programa\Windows Sidebar\sidebar.exe
PRC - [2007/01/17 00:34:18 | 000,634,880 | ---- | M] (Motorola Inc.) -- C:\Archivos de programa\Motorola\SMSERIAL\sm56hlpr.exe
PRC - [2006/11/02 06:36:04 | 000,895,488 | ---- | M] (Microsoft Corporation) -- C:\Archivos de programa\Windows Media Player\wmpnetwk.exe
PRC - [2006/11/02 06:36:04 | 000,201,728 | ---- | M] (Microsoft Corporation) -- C:\Archivos de programa\Windows Media Player\wmpnscfg.exe
PRC - [2006/09/29 11:39:20 | 000,151,552 | ---- | M] (Intel Corporation) -- C:\Archivos de programa\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2006/09/29 11:38:50 | 000,081,920 | ---- | M] (Intel Corporation) -- C:\Archivos de programa\Intel\Intel Matrix Storage Manager\IAANTmon.exe


========== Modules (SafeList) ==========

MOD - [2011/02/26 00:42:02 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Manuel\Desktop\OTL.exe
MOD - [2011/02/23 09:04:17 | 000,197,208 | ---- | M] (AVAST Software) -- C:\Archivos de programa\AVAST Software\Avast\snxhk.dll
MOD - [2006/11/02 03:38:57 | 001,648,128 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6000.16386_none_5d07289e07e1d100\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/02/23 09:04:19 | 000,042,184 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2007/08/02 10:41:19 | 000,265,912 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Archivos de programa\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2006/09/29 11:38:50 | 000,081,920 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Archivos de programa\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®


========== Driver Services (SafeList) ==========

DRV - [2011/02/23 08:56:55 | 000,371,544 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2011/02/23 08:56:45 | 000,301,528 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2011/02/23 08:55:49 | 000,049,240 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2011/02/23 08:55:10 | 000,025,432 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2011/02/23 08:55:03 | 000,053,592 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV - [2011/02/23 08:54:55 | 000,019,544 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2009/12/30 11:21:16 | 000,027,192 | ---- | M] (VS Revo Group) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\revoflt.sys -- (Revoflt)
DRV - [2007/01/17 00:38:52 | 000,983,936 | ---- | M] (Motorola Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\smserial.sys -- (smserial)
DRV - [2007/01/02 02:44:30 | 000,649,216 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2006/12/18 19:12:22 | 001,786,880 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETw3v32.sys -- (NETw3v32) Controlador del adaptador Intel®
DRV - [2006/11/02 01:30:56 | 002,589,184 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NETw2v32.sys -- (NETw2v32) Controlador de conexión de red Intel®
DRV - [2006/07/06 00:44:00 | 000,168,448 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tifm21.sys -- (tifm21)
DRV - [2005/02/24 13:16:30 | 000,015,781 | R--- | M] () [Kernel | Auto | Stopped] -- C:\Windows\System32\drivers\mdc8021x.sys -- (MDC8021X) AEGIS Protocol (IEEE 802.1x)
DRV - [2003/10/28 15:56:56 | 000,029,744 | ---- | M] (Service & Quality Technology.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\SQCaptur.sys -- (DCamUSBSQTECH) Dual-Mode DSC(2770)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://prodigy.msn.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://www.live.com/ [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.live.com/ [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://prodigy.msn.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.c...s=PTB&M=MX6947M
IE - HKLM\..\URLSearchHook: {9a6be539-96ea-454d-898b-61891e0844d5} - C:\Archivos de programa\Online_Radio_America\tbOnli.dll (Conduit Ltd.)

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://prodigy.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://www.bing.com/ [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>


[2011/02/22 19:24:38 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Manuel\AppData\Roaming\mozilla\Extensions
[2009/06/05 19:52:49 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Manuel\AppData\Roaming\mozilla\Extensions\[email protected]
[2011/02/25 05:51:10 | 000,000,000 | ---D | M] (No name found) -- C:\Archivos de programa\Mozilla Firefox\extensions

O1 HOSTS File: ([2007/08/02 10:33:51 | 000,004,992 | ---- | M]) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: [one entry that OTL could not display; it appears in the log as a very long run of "?" characters]
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Aplicación auxiliar de vínculos de Adobe PDF Reader) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Archivos de programa\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Archivos de programa\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Archivos de programa\AVAST Software\Avast\aswWebRepIE.dll ()
O2 - BHO: (Aplicación auxiliar de inicio de sesión de Windows Live ID) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Archivos de programa\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Online Radio America Toolbar) - {9a6be539-96ea-454d-898b-61891e0844d5} - C:\Archivos de programa\Online_Radio_America\tbOnli.dll (Conduit Ltd.)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\google\BAE.dll (Gateway Inc.)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Archivos de programa\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - No CLSID value found.
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Archivos de programa\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Archivos de programa\AVAST Software\Avast\aswWebRepIE.dll ()
O3 - HKLM\..\Toolbar: (Online Radio America Toolbar) - {9a6be539-96ea-454d-898b-61891e0844d5} - C:\Archivos de programa\Online_Radio_America\tbOnli.dll (Conduit Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Archivos de programa\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Online Radio America Toolbar) - {9A6BE539-96EA-454D-898B-61891E0844D5} - C:\Archivos de programa\Online_Radio_America\tbOnli.dll (Conduit Ltd.)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [MFARestart] C:\ProgramData\MFAData\pack\avgrunasx.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [MSConfig] C:\Windows\System32\msconfig.exe (Microsoft Corporation)
O4 - HKLM..\Run: [SMSERIAL] C:\Archivos de programa\Motorola\SMSERIAL\sm56hlpr.exe (Motorola Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [WMPNSCFG] C:\Archivos de programa\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)
O4 - Startup: C:\Users\Manuel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Archivos de programa\ERUNT\AUTOBACK.EXE ()
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1
O8 - Extra context menu item: E&xportar a Microsoft Excel - C:\Archivos de programa\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Agregar entrada - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Archivos de programa\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Agregar entrada en Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Archivos de programa\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Enviar a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Archivos de programa\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Enviar a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Archivos de programa\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Archivos de programa\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Archivos de programa\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} http://www.pandasecu...s/as2stubie.cab (ActiveScan 2.0 Installer Class)
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} http://messenger.zon...wn.cab56986.cab (Solitaire Showdown Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zon...nt.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} http://www.nullsoft....ayx_vp3_mp3.cab (NsvPlayX Control)
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx2.hotmail....NPUpldes-mx.cab (Windows Live Hotmail Photo Upload Tool)
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} http://messenger.zon...er.cab56986.cab (Minesweeper Flags Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Archivos de programa\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Archivos de programa\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Archivos de programa\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Archivos de programa\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Archivos de programa\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Archivos de programa\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Manuel\AppData\Roaming\Microsoft\Windows Photo Gallery\Papel tapiz de Galería fotográfica de Windows.jpg
O24 - Desktop BackupWallPaper: C:\Users\Manuel\AppData\Roaming\Microsoft\Windows Photo Gallery\Papel tapiz de Galería fotográfica de Windows.jpg
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Archivos de programa\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 15:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2004/04/30 18:01:00 | 000,000,053 | -HS- | M] () - D:\Autorun.inf -- [ NTFS ]
O33 - MountPoints2\{410e1f2d-2ca3-11de-9807-00e0b8c7f0f7}\Shell\1\Command - "" = .\RECYCLER\RECYCLER\autorun.exe
O33 - MountPoints2\{410e1f2d-2ca3-11de-9807-00e0b8c7f0f7}\Shell\2\Command - "" = .\RECYCLER\RECYCLER\autorun.exe
O33 - MountPoints2\{410e1f2d-2ca3-11de-9807-00e0b8c7f0f7}\Shell\AutoRun\command - "" = C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe
O33 - MountPoints2\{4a258bed-3802-11dc-a58e-001b7736a218}\Shell\1\Command - "" = .\System\Memory\autorun.exe
O33 - MountPoints2\{4a258bed-3802-11dc-a58e-001b7736a218}\Shell\2\Command - "" = .\System\Memory\autorun.exe
O33 - MountPoints2\{4a258bed-3802-11dc-a58e-001b7736a218}\Shell\AutoRun\command - "" = C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\System\Memory\autorun.exe
O33 - MountPoints2\{541086dc-f867-11dc-bc86-00e0b8c7f0f7}\Shell\AutoRun\command - "" = C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\copy.exe
O33 - MountPoints2\{541086e1-f867-11dc-bc86-00e0b8c7f0f7}\Shell - "" = AutoRun
O33 - MountPoints2\{541086e1-f867-11dc-bc86-00e0b8c7f0f7}\Shell\AutoRun\command - "" = G:\LaunchU3.exe
O33 - MountPoints2\{b2d0c60d-d1ea-11de-ab63-00e0b8c7f0f7}\Shell - "" = AutoRun
O33 - MountPoints2\{b2d0c60d-d1ea-11de-ab63-00e0b8c7f0f7}\Shell\AutoRun\command - "" = F:\iStudio.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/02/26 02:33:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! Free Antivirus
[2011/02/26 02:33:07 | 000,301,528 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys
[2011/02/26 02:33:07 | 000,019,544 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
[2011/02/26 02:33:03 | 000,049,240 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys
[2011/02/26 02:33:03 | 000,025,432 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr.sys
[2011/02/26 02:33:02 | 000,371,544 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys
[2011/02/26 02:32:59 | 000,053,592 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
[2011/02/26 02:32:08 | 000,190,016 | ---- | C] (AVAST Software) -- C:\Windows\System32\aswBoot.exe
[2011/02/26 02:32:08 | 000,040,648 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr
[2011/02/26 02:31:33 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software
[2011/02/26 02:31:33 | 000,000,000 | ---D | C] -- C:\Archivos de programa\AVAST Software
[2011/02/26 00:49:41 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Users\Manuel\Desktop\OTL.exe
[2011/02/26 00:21:53 | 000,000,000 | ---D | C] -- C:\avrescue
[2011/02/25 22:34:32 | 000,000,000 | ---D | C] -- C:\Users\Manuel\AppData\Roaming\Avira
[2011/02/25 21:59:37 | 000,000,000 | ---D | C] -- C:\Users\Manuel\Desktop\GooredFix Backups
[2011/02/25 21:29:05 | 000,000,000 | ---D | C] -- C:\_OTM
[2011/02/25 21:21:57 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/02/25 21:20:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT
[2011/02/25 21:20:19 | 000,000,000 | ---D | C] -- C:\Archivos de programa\ERUNT
[2011/02/25 21:14:32 | 000,519,680 | ---- | C] (OldTimer Tools) -- C:\Users\Manuel\Desktop\OTM.exe
[2011/02/25 21:14:32 | 000,071,398 | ---- | C] (jpshortstuff) -- C:\Users\Manuel\Desktop\GooredFix.exe
[2011/02/24 14:13:02 | 000,000,000 | -H-D | C] -- C:\$AVG
[2011/02/24 14:06:16 | 000,000,000 | -H-D | C] -- C:\ProgramData\Common Files
[2011/02/24 14:01:09 | 000,000,000 | ---D | C] -- C:\ProgramData\AVG10
[2011/02/24 13:59:23 | 000,000,000 | ---D | C] -- C:\Archivos de programa\AVG
[2011/02/23 20:57:41 | 000,000,000 | ---D | C] -- C:\ProgramData\MFAData
[2011/02/23 20:47:42 | 004,738,880 | ---- | C] (AVG Technologies) -- C:\Users\Manuel\Desktop\avg_free_stb_all_2011_1204_free.exe
[2011/02/23 19:58:12 | 000,000,000 | ---D | C] -- C:\ProgramData\Avira
[2011/02/23 19:58:12 | 000,000,000 | ---D | C] -- C:\Archivos de programa\Avira
[2011/02/23 14:50:42 | 000,000,000 | ---D | C] -- C:\Users\Manuel\AppData\Local\VS Revo Group
[2011/02/23 14:50:20 | 000,027,192 | ---- | C] (VS Revo Group) -- C:\Windows\System32\drivers\revoflt.sys
[2011/02/23 14:50:20 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Revo Uninstaller Pro
[2011/02/23 14:50:18 | 000,000,000 | ---D | C] -- C:\Archivos de programa\VS Revo Group
[2011/02/23 01:38:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
[2011/02/23 01:35:26 | 000,000,000 | ---D | C] -- C:\Archivos de programa\CCleaner
[2011/02/22 22:41:55 | 000,000,000 | ---D | C] -- C:\Users\Manuel\AppData\Roaming\Malwarebytes
[2011/02/22 22:41:42 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2011/02/22 22:41:42 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/02/22 22:41:41 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011/02/22 22:41:37 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2011/02/22 22:41:37 | 000,000,000 | ---D | C] -- C:\Archivos de programa\Malwarebytes' Anti-Malware
[2011/02/22 22:17:52 | 001,372,248 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Manuel\Desktop\tdsskiller.exe
[2011/02/22 00:16:57 | 000,000,000 | ---D | C] -- C:\Users\Manuel\dwhelper
[2011/02/08 22:33:12 | 000,000,000 | ---D | C] -- C:\PerfLogs
[2011/02/08 21:21:18 | 000,000,000 | ---D | C] -- C:\38e107bdc5e10e2e5e

========== Files - Modified Within 30 Days ==========

[2011/02/26 19:26:00 | 000,001,024 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/02/26 19:26:00 | 000,000,476 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{79B37A82-D378-47A7-95FE-AE69C4ADACDE}.job
[2011/02/26 19:24:43 | 000,000,394 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{18D5EA73-F2B9-4043-9B23-A38431E2E374}.job
[2011/02/26 19:14:33 | 000,000,998 | ---- | M] () -- C:\Windows\tasks\Google Software Updater.job
[2011/02/26 19:12:07 | 000,001,020 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/02/26 19:11:29 | 000,003,072 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/02/26 19:11:29 | 000,003,072 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/02/26 19:11:22 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/02/26 19:11:17 | 1063,444,480 | -HS- | M] () -- C:\hiberfil.sys
[2011/02/26 02:33:08 | 000,001,865 | ---- | M] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2011/02/26 02:32:59 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2011/02/26 02:23:22 | 054,078,264 | ---- | M] () -- C:\Users\Manuel\Desktop\setup_av_free_eng.exe
[2011/02/26 00:42:02 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Manuel\Desktop\OTL.exe
[2011/02/25 21:21:13 | 000,000,949 | ---- | M] () -- C:\Users\Manuel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2011/02/25 21:20:19 | 000,000,750 | ---- | M] () -- C:\Users\Manuel\Desktop\ERUNT.lnk
[2011/02/25 20:51:58 | 000,071,398 | ---- | M] (jpshortstuff) -- C:\Users\Manuel\Desktop\GooredFix.exe
[2011/02/25 20:51:27 | 000,519,680 | ---- | M] (OldTimer Tools) -- C:\Users\Manuel\Desktop\OTM.exe
[2011/02/23 20:44:36 | 000,052,736 | ---- | M] () -- C:\Users\Manuel\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/02/23 19:12:57 | 004,738,880 | ---- | M] (AVG Technologies) -- C:\Users\Manuel\Desktop\avg_free_stb_all_2011_1204_free.exe
[2011/02/23 14:50:22 | 000,001,101 | ---- | M] () -- C:\Users\Public\Desktop\Revo Uninstaller Pro.lnk
[2011/02/23 14:22:10 | 000,008,627 | ---- | M] () -- C:\Windows\System32\PAV_FOG.OPC
[2011/02/23 09:04:21 | 000,040,648 | ---- | M] (AVAST Software) -- C:\Windows\avastSS.scr
[2011/02/23 09:04:17 | 000,190,016 | ---- | M] (AVAST Software) -- C:\Windows\System32\aswBoot.exe
[2011/02/23 08:56:55 | 000,371,544 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys
[2011/02/23 08:56:45 | 000,301,528 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys
[2011/02/23 08:55:49 | 000,049,240 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys
[2011/02/23 08:55:10 | 000,025,432 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr.sys
[2011/02/23 08:55:03 | 000,053,592 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
[2011/02/23 08:54:55 | 000,019,544 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
[2011/02/23 03:02:55 | 000,317,794 | ---- | M] () -- C:\Users\Manuel\Documents\cc_20110223_030234.reg
[2011/02/23 01:38:37 | 000,002,007 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2011/02/23 01:35:28 | 000,000,840 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2011/02/22 22:41:42 | 000,000,942 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/02/22 22:17:56 | 001,372,248 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Manuel\Desktop\tdsskiller.exe
[2011/02/13 09:25:43 | 000,687,582 | ---- | M] () -- C:\Windows\System32\perfh00A.dat
[2011/02/13 09:25:43 | 000,610,142 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/02/13 09:25:43 | 000,122,196 | ---- | M] () -- C:\Windows\System32\perfc00A.dat
[2011/02/13 09:25:42 | 000,103,924 | ---- | M] () -- C:\Windows\System32\perfc009.dat

========== Files Created - No Company Name ==========

[2011/02/26 11:42:14 | 1063,444,480 | -HS- | C] () -- C:\hiberfil.sys
[2011/02/26 02:33:08 | 000,001,865 | ---- | C] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2011/02/26 02:29:32 | 054,078,264 | ---- | C] () -- C:\Users\Manuel\Desktop\setup_av_free_eng.exe
[2011/02/25 21:21:13 | 000,000,949 | ---- | C] () -- C:\Users\Manuel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2011/02/25 21:20:19 | 000,000,750 | ---- | C] () -- C:\Users\Manuel\Desktop\ERUNT.lnk
[2011/02/23 14:50:22 | 000,001,101 | ---- | C] () -- C:\Users\Public\Desktop\Revo Uninstaller Pro.lnk
[2011/02/23 03:02:40 | 000,317,794 | ---- | C] () -- C:\Users\Manuel\Documents\cc_20110223_030234.reg
[2011/02/23 01:38:37 | 000,002,007 | ---- | C] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2011/02/23 01:35:28 | 000,000,840 | ---- | C] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2011/02/22 22:41:42 | 000,000,942 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/11/14 02:00:24 | 000,000,680 | ---- | C] () -- C:\Users\Manuel\AppData\Local\d3d9caps.dat
[2007/12/26 20:51:22 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
[2007/12/21 13:20:50 | 000,015,781 | R--- | C] () -- C:\Windows\System32\drivers\mdc8021x.sys
[2007/12/13 21:13:57 | 000,000,021 | ---- | C] () -- C:\Windows\progman.ini
[2007/12/13 21:13:44 | 000,000,064 | ---- | C] () -- C:\Windows\swcmpc.ini
[2007/08/02 10:33:51 | 000,003,584 | ---- | C] () -- C:\Windows\System32\k.dll
[2007/07/19 17:36:46 | 000,052,736 | ---- | C] () -- C:\Users\Manuel\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/04/19 19:05:52 | 000,204,800 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1147.dll
[2007/04/19 19:05:52 | 000,053,248 | ---- | C] () -- C:\Windows\System32\oemdspif.dll
[2007/04/19 19:05:49 | 000,077,824 | ---- | C] () -- C:\Windows\System32\hccutils.dll
[2007/04/19 19:05:48 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2006/11/22 00:00:37 | 000,352,256 | ---- | C] () -- C:\Windows\System32\HotlineClient.exe
[2006/11/02 09:46:21 | 000,687,582 | ---- | C] () -- C:\Windows\System32\perfh00A.dat
[2006/11/02 09:46:21 | 000,336,930 | ---- | C] () -- C:\Windows\System32\perfi00A.dat
[2006/11/02 09:46:21 | 000,122,196 | ---- | C] () -- C:\Windows\System32\perfc00A.dat
[2006/11/02 09:46:21 | 000,040,258 | ---- | C] () -- C:\Windows\System32\perfd00A.dat
[2006/11/02 06:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 06:47:37 | 000,380,168 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 06:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 04:33:01 | 000,610,142 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 04:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 04:33:01 | 000,103,924 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 04:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 04:25:21 | 000,061,440 | ---- | C] () -- C:\Windows\System32\igfxTMM.dll
[2006/11/02 04:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 02:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 02:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 01:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 01:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/11/02 01:22:43 | 000,099,999 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2006/11/02 01:22:43 | 000,018,271 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin

========== LOP Check ==========

[2010/11/11 17:25:01 | 000,000,000 | ---D | M] -- C:\Users\Manuel\AppData\Roaming\Auslogics
[2011/02/23 22:36:52 | 000,000,000 | ---D | M] -- C:\Users\Manuel\AppData\Roaming\LimeWire
[2007/07/19 17:20:40 | 000,000,000 | ---D | M] -- C:\Users\Manuel\AppData\Roaming\SampleView
[2011/02/26 18:24:37 | 000,032,554 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2011/02/26 19:24:43 | 000,000,394 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{18D5EA73-F2B9-4043-9B23-A38431E2E374}.job
[2011/02/26 19:26:00 | 000,000,476 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{79B37A82-D378-47A7-95FE-AE69C4ADACDE}.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 142 bytes -> C:\ProgramData\TEMP:07BF512B

< End of report >

Edited by thedeadlystoat, 28 February 2011 - 09:24 PM.

  • 0
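As an added example (not from this thread, the poster, or the OTL tool itself), here is a small Python triage pass over OTL "Files/Folders" entry lines such as the ones in the log above. The sample lines are copied from that log; the one rule it applies, "an executable under C:\Windows with no company name", only marks entries worth looking up, not a verdict of infection.

```python
"""Triage OTL 'Files/Folders' entries: flag binaries with no company name."""
import ntpath
import re
from datetime import datetime

# One OTL entry: [date time | size | attrs | C-or-M] (Company) -- path
# The "(Company)" group is absent on directory entries and empty, "()", on
# files whose version resource carries no company name.
ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)
BINARY_EXTS = {".exe", ".dll", ".sys", ".scr"}

# Sample lines copied from the OTL log posted in this thread (constructed
# input for the example; the last line is an ADS entry the parser ignores).
SAMPLE_LINES = [
    r"[2011/02/26 02:33:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! Free Antivirus",
    r"[2011/02/26 02:33:07 | 000,301,528 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys",
    r"[2011/02/26 19:11:17 | 1063,444,480 | -HS- | M] () -- C:\hiberfil.sys",
    r"[2007/12/21 13:20:50 | 000,015,781 | R--- | C] () -- C:\Windows\System32\drivers\mdc8021x.sys",
    r"[2007/08/02 10:33:51 | 000,003,584 | ---- | C] () -- C:\Windows\System32\k.dll",
    r"[2006/11/22 00:00:37 | 000,352,256 | ---- | C] () -- C:\Windows\System32\HotlineClient.exe",
    r"[2006/11/02 06:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat",
    r"@Alternate Data Stream - 142 bytes -> C:\ProgramData\TEMP:07BF512B",
]


def parse_entry(line):
    """Parse one OTL file/folder line into a dict, or return None if it is not one."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    d = m.groupdict()
    return {
        "time": datetime.strptime(d["ts"], "%Y/%m/%d %H:%M:%S"),
        "size": int(d["size"].replace(",", "")),
        "attrs": d["attrs"],
        "is_dir": "D" in d["attrs"],
        "kind": d["kind"],  # C = created, M = modified
        "company": d["company"] or "",
        "path": d["path"],
    }


def triage(lines, newer_than=None):
    """Return paths of executable files under C:\\Windows that report no
    company name, optionally limited to entries dated on or after newer_than."""
    flagged = []
    for line in lines:
        e = parse_entry(line)
        if e is None or e["is_dir"]:
            continue
        if newer_than is not None and e["time"] < newer_than:
            continue
        path = e["path"]
        ext = ntpath.splitext(path)[1].lower()
        if path.lower().startswith("c:\\windows\\") and not e["company"] and ext in BINARY_EXTS:
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    # Files created after the Vista RTM timestamps are the ones worth a look-up.
    for p in triage(SAMPLE_LINES, newer_than=datetime(2007, 1, 1)):
        print("look up:", p)
```

Flagged paths are candidates for a hash look-up (as OTL's /md5start directive does), not a removal list.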



#2
Salagubang

Salagubang

    Trusted Helper

  • Malware Removal
  • 3,891 posts
Hi thedeadlystoat,

Welcome to Geekstogo. My name is Salagubang and I'll be helping you with this problem.

  • Please read all of my response through at least once before attempting to follow the procedures described. I would recommend printing them out, if you can, as you can check off each step as you complete it. If there's anything you don't understand or isn't totally clear, please come back to me for clarification.
  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply. You can do this in separate posts if it's easier for you.
  • English is not my first language, so please do not use slang or idioms, as this makes it difficult to understand for me.


Ok, let's dig in and have some fun. :D


Download the tools needed to a flash drive or other removable media, and transfer them to the infected computer.

***************************************************

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Scroll down to Step 1, and select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.

Note: If you have SP3, use the SP2 package.


---------------------------------------------------------------------

Transfer all files you just downloaded to the desktop of the infected computer.

--------------------------------------------------------------------


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.



  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.




  • At the next prompt, click 'Yes' to run the full ComboFix scan.

  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply.
  • 0

#3
thedeadlystoat

thedeadlystoat

    Member

  • Topic Starter
  • Member
  • PipPip
  • 73 posts
Hi Salagubang, your help is much appreciated.

I have a question with this, though:

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Scroll down to Step 1, and select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.

Note: If you have SP3, use the SP2 package.


You told me to select the download that is appropriate for my OS, but this link takes me to "How to obtain Windows XP Setup disks for a floppy boot installation", and I have Windows Vista. Is that a mistake, or should I download one of these?:

Step 1: Download the Setup disk program
Download the version of Setup disks that corresponds to your version of the Windows XP CD-ROM. The version should be displayed on the CD-ROM disk, and the version will indicate if a Service Pack is included.

Windows XP original release
For information about the Setup boot disk versions that are available for download, visit the following Microsoft Web sites:
Windows XP Home Edition
http://www.microsoft...55-BD5AFEE126D8 (http://www.microsoft...55-BD5AFEE126D8)

Windows XP Professional
http://www.microsoft...B7-4FED408EA73F (http://www.microsoft...B7-4FED408EA73F)
Windows XP Service Pack 1 (SP1)
Note Windows XP CD-ROMs that include SP1 have the text "Includes Service Pack 1" on the CD-ROM.

For information about the Setup boot disk versions that are available for download, visit the following Microsoft Web sites:
Windows XP Home Edition SP1
http://www.microsoft...05-719F45C382A4 (http://www.microsoft...05-719F45C382A4)

Windows XP Professional SP1
http://www.microsoft...C2-631504EF5E26 (http://www.microsoft...C2-631504EF5E26)
Windows XP Service Pack 2 (SP2)
For information about the Setup boot disk versions that are available for download, visit the following Microsoft Web sites:
Windows XP Home Edition SP2
http://www.microsoft...;displaylang=en (http://www.microsoft...&displaylang=en)

Windows XP Professional SP2
http://www.microsoft...;displaylang=en (http://www.microsoft...&displaylang=en)


I have already downloaded ComboFix and I'm ready to begin, but I had this doubt.
  • 0

#4
Salagubang

Salagubang

    Trusted Helper

  • Malware Removal
  • 3,891 posts
Hi,

Skip the Recovery Console instruction and proceed with ComboFix.
  • 0

#5
thedeadlystoat

thedeadlystoat

    Member

  • Topic Starter
  • Member
  • PipPip
  • 73 posts
Ok, so I don't have to drag anything onto ComboFix? I just execute it?
  • 0

#6
Salagubang

Salagubang

    Trusted Helper

  • Malware Removal
  • 3,891 posts

Ok, so I don't have to drag anything onto ComboFix? I just execute it?


Yep. :D
  • 0

#7
thedeadlystoat

thedeadlystoat

    Member

  • Topic Starter
  • Member
  • PipPip
  • 73 posts
Ok, I'm in the internet cafe and it's about to close. I'll go home and run ComboFix. Sadly for me, I won't be able to post the log until tomorrow, as soon as it opens in the morning. The time difference between the Philippines and Mexico is a problem, but I hope you can help me. Thanks, Salagubang.
  • 0

#8
Salagubang

Salagubang

    Trusted Helper

  • Malware Removal
  • 3,891 posts
Hi,

Sadly for me, I won't be able to post the log until tomorrow, as soon as it opens in the morning. The time difference between the Philippines and Mexico is a problem, but I hope you can help me.


You're in luck. I am online most of the day and night - 17 hours online - and spend the other 7 sleeping: 12:00 to 7:00 a.m. GMT+8 :D

Note: If you encounter problems running ComboFix, be sure to try running it in Safe Mode as well.

P.S. I thought you had internet at home?
  • 0

#9
thedeadlystoat

thedeadlystoat

    Member

  • Topic Starter
  • Member
  • PipPip
  • 73 posts
Yes, I do, but I didn't want to browse from the infected computer, and my mother hadn't arrived with her laptop, which I'm writing to you from right now.

Hope you read this anytime soon:

ComboFix finished running and began restarting the computer, but Windows has been trying to log off for over 20 minutes and hasn't shut down. Should I turn it off manually by pressing the power button?
  • 0

#10
Salagubang

Salagubang

    Trusted Helper

  • Malware Removal
  • 3,891 posts
Give it another 10 minutes; if not, then you may restart manually. ComboFix will continue after restarting. :D
  • 0



#11
thedeadlystoat

thedeadlystoat

    Member

  • Topic Starter
  • Member
  • PipPip
  • 73 posts
Cool. :D
  • 0

#12
thedeadlystoat

thedeadlystoat

    Member

  • Topic Starter
  • Member
  • PipPip
  • 73 posts
Something happened!

I shut it down manually and then started it again. Windows couldn't start, and the only thing on screen was a black background and a message box like this:

The ordinal 874 could not be located in the dynamic link library
SHELL32.dll

Windows Explorer stopped working

I can't log in to my account and it prompts me to search for Windows updates.
How do I solve this?
  • 0

#13
Salagubang

Salagubang

    Trusted Helper

  • Malware Removal
  • 3,891 posts
Hi,

Check if you can still boot in safe mode:

Restart the computer, then press F8 until the boot menu appears. Choose Safe Mode.

Tell me how it goes.
  • 0

#14
thedeadlystoat

thedeadlystoat

    Member

  • Topic Starter
  • Member
  • PipPip
  • 73 posts
It displays the accounts but when I try to log in with mine the same message about the ordinal 874 comes up, now with the black background with Safe Mode written in the corners.
  • 0

#15
Salagubang

Salagubang

    Trusted Helper

  • Malware Removal
  • 3,891 posts
Hi,

Ok, Windows Explorer has gone AWOL, corrupt and/or infected, and we need to find a replacement. Do you still have the Vista installation disk with you?

Restart your computer to normal mode.
When you reach the black screen, press Ctrl+Alt+Del. This should bring up the Task Manager.
Click on the File menu and choose New Task (Run...). Using the Browse button, locate OTL.exe and run it.

  • Run OTL
  • Click the None button at the top
  • Under the Custom Scan box type this in:

    /md5start
    explorer.exe
    /md5stop
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open a notepad window. Post OTL.Txt here.

Next

Look for the combofix log in C:\Combofix.txt and post it in your next reply.
  • 0
