Please Help


  • This topic is locked

#1
Mattc6969 (New Member, 7 posts)
Hi
I have a PC that is infected with viruses - vundo and 'avg' redirect to name two that I have identified. Please help me remove them - I have tried a number of virus scans and the how to guide to no avail. The viruses first slowed down my Internet connection but now it cuts out all the time and is almost unusable!!


#2
maliprog (Trusted Helper, Malware Removal, 6,172 posts)
Hello Mattc6969 and welcome to G2G! :)

My nick is maliprog and I will be your technical support on this issue. Before we start please read my notes carefully:

NOTE:
  • Malware removal is NOT instantaneous, most infections require several courses of action to completely eradicate.
  • Absence of symptoms does not always mean the computer is clean.
  • Kindly follow my instructions in the order posted. Order is crucial in the cleaning process.
  • Please DO NOT run any scans or fix on your own without my direction.
  • Please read all of my response through at least once before attempting to follow the procedures described.
  • If there's anything you don't understand or isn't totally clear, please come back to me for clarification.
  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply.
  • You must reply within 3 days or your topic will be closed.

Step 1

Download ComboFix here:

Link 1
Link 2


* IMPORTANT!!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

Step 2

Download OTL to your Desktop

  • Double click on the icon to run it (if running Vista or Windows 7, right click on it and select "Run as an Administrator"). Make sure all other windows are closed and let it run uninterrupted.
  • Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them if you need to start a new topic.

Step 3

Please don't forget to include these items in your reply:

  • Combofix log
  • OTL log
  • OTL Extras log
It would be helpful if you could post each log in a separate post.
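The OTL custom scan pasted in Step 2 is a list of directives, and it is not obvious from the script alone what each one looks at. The following PowerShell is an added example, written for this page; it is not code from the thread, from OTL or from ComboFix. It reproduces the same checks with built-in cmdlets so a reader can see what the directives inspect: the MD5/signature block for the four core binaries, the netsvcs service group, the StartMenuInternet command values (native and 32-bit view, which is what the /64 directive is about), executables in the root of the system drive, and the restore point. Function names are my own, the "%systemroot%\*. /mp /s" line is not covered, and it must be run from an elevated PowerShell on the machine being examined (everything is read-only except the restore point).

```powershell
# Added example, not part of the thread and not code from OTL or ComboFix.
# Reproduces the checks requested by the OTL custom-scan script with built-in
# PowerShell cmdlets. Function names are my own. Run elevated.

# /md5start ... /md5stop : hash the four core binaries and verify their
# Authenticode signature. OTL prints the MD5 so a helper can compare it with a
# known-good value; a valid Microsoft signature is the easier local check.
# Files signed only through a catalog can show 'NotSigned' on older
# PowerShell versions; treat that as "verify another way", not as tampering.
function Get-CoreBinaryIntegrity {
    $names = 'explorer.exe', 'winlogon.exe', 'userinit.exe', 'svchost.exe'
    foreach ($dir in $env:SystemRoot, "$env:SystemRoot\System32") {
        foreach ($name in $names) {
            $path = Join-Path $dir $name
            if (-not (Test-Path -LiteralPath $path)) { continue }
            $sig = Get-AuthenticodeSignature -FilePath $path
            [pscustomobject]@{
                Path      = $path
                Size      = (Get-Item -LiteralPath $path).Length
                MD5       = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash
                SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                SigStatus = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
    }
}

# netsvcs : the service names in the svchost 'netsvcs' group and the DLL each
# one loads. OTL's "NetSvcs: ... - File not found" lines are names in this list
# with no service (or no ServiceDll) behind them, which is common for names
# carried over from earlier Windows versions; what deserves attention is a
# name whose DLL lives somewhere unexpected.
function Get-NetSvcsGroup {
    $group = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    foreach ($name in $group.netsvcs) {
        $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        $dll = $null
        foreach ($key in "$svcKey\Parameters", $svcKey) {
            if (-not $dll -and (Test-Path -LiteralPath $key)) {
                $dll = (Get-ItemProperty -LiteralPath $key).ServiceDll
            }
        }
        if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
        [pscustomobject]@{
            Service    = $name
            ServiceDll = $dll
            DllExists  = [bool]($dll -and (Test-Path -LiteralPath $dll))
        }
    }
}

# hklm\software\clients\startmenuinternet|command (/64 = the 64-bit view):
# the command line each registered browser is started with. A hijacked
# browser shortcut shows up here as a different executable or an extra
# argument appended to the command.
function Get-StartMenuInternetCommands {
    $roots = 'HKLM:\SOFTWARE\Clients\StartMenuInternet',
             'HKLM:\SOFTWARE\Wow6432Node\Clients\StartMenuInternet'
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($client in Get-ChildItem -LiteralPath $root) {
            $cmdKey = "$($client.PSPath)\shell\open\command"
            if (-not (Test-Path -LiteralPath $cmdKey)) { continue }
            [pscustomobject]@{
                View    = if ($root -like '*Wow6432Node*') { '32-bit' } else { 'native' }
                Client  = $client.PSChildName
                Command = (Get-ItemProperty -LiteralPath $cmdKey).'(default)'
            }
        }
    }
}

# %SYSTEMDRIVE%\*.exe : executables in the root of the system drive, which is
# not where installed programs normally live.
function Get-SystemDriveRootExes {
    Get-ChildItem -LiteralPath "$env:SystemDrive\" -Filter *.exe -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $_.FullName
                Size      = $_.Length
                Modified  = $_.LastWriteTime
                SigStatus = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            }
        }
}

# CREATERESTOREPOINT : a System Restore point before anything is changed.
# Needs elevation; on Windows 8 and later only one restore point per 24 hours
# is created unless SystemRestorePointCreationFrequency is changed, so a
# warning here is not a script error.
function New-TriageRestorePoint {
    Checkpoint-Computer -Description 'Pre-cleanup triage' -RestorePointType MODIFY_SETTINGS
}

New-TriageRestorePoint
Get-CoreBinaryIntegrity | Format-Table -AutoSize
Get-NetSvcsGroup | Where-Object { -not $_.DllExists } | Format-Table -AutoSize
Get-StartMenuInternetCommands | Format-Table -AutoSize
Get-SystemDriveRootExes | Format-Table -AutoSize
```

The point of running these by hand is to understand the OTL output rather than replace it: the "File not found" NetSvcs lines in the log below are exactly what Get-NetSvcsGroup reports when a group name has no ServiceDll, and the /md5start block is what Get-CoreBinaryIntegrity covers, with a signature check added because an MD5 on its own only helps if you have a known-good value to compare against.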

#3
Mattc6969 (Topic Starter, New Member, 7 posts)
Hi maliprog, thanks for your help... Here are the logs.

#4
Mattc6969 (Topic Starter, New Member, 7 posts)
ComboFix 11-08-16.05 - Matt 17/08/2011  16:25:33.4.4 - x86
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3584.2621 [GMT 10:00]
Running from: c:\users\Matt\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\system32\dll
.
.
(((((((((((((((((((((((((   Files Created from 2011-07-17 to 2011-08-17  )))))))))))))))))))))))))))))))
.
.
2011-08-17 06:30 . 2011-08-17 06:30    --------    d-----w-    c:\users\UpdatusUser\AppData\Local\temp
2011-08-17 06:30 . 2011-08-17 06:30    --------    d-----w-    c:\users\Public\AppData\Local\temp
2011-08-17 06:30 . 2011-08-17 06:30    --------    d-----w-    c:\users\Default\AppData\Local\temp
2011-08-17 06:11 . 2011-08-17 06:30    --------    d-----w-    c:\users\Matt\AppData\Local\temp
2011-08-17 05:46 . 2011-08-17 06:03    --------    d-----w-    C:\## aswSnx private storage
2011-08-17 03:24 . 2011-08-17 03:24    --------    d-----w-    c:\program files\Common Files\Adobe
2011-08-17 03:11 . 2011-06-23 04:33    3912576    ----a-w-    c:\windows\system32\ntoskrnl.exe
2011-08-17 03:11 . 2011-06-23 04:33    3967872    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2011-08-17 03:11 . 2011-07-09 02:30    223744    ----a-w-    c:\windows\system32\drivers\mrxsmb10.sys
2011-08-17 03:09 . 2011-07-13 03:39    6881616    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{16AAEC30-7497-4C01-A674-3DECBE9B1B2F}\mpengine.dll
2011-07-24 09:18 . 2011-08-17 06:04    --------    d-----w-    c:\programdata\AVAST Software
2011-07-24 09:18 . 2011-07-24 09:18    --------    d-----w-    c:\program files\AVAST Software
2011-07-24 04:29 . 2011-08-17 02:45    --------    d-----w-    c:\programdata\STOPzilla!
2011-07-24 04:07 . 2011-07-24 04:20    --------    d-----w-    c:\program files\Common Files\Symantec Shared
2011-07-24 04:06 . 2011-07-24 04:06    --------    d-----w-    c:\programdata\Symantec
2011-07-24 04:01 . 2011-07-24 04:02    --------    d-----w-    c:\users\Matt\AppData\Local\Tific
2011-07-24 04:01 . 2011-07-24 04:01    --------    d-----w-    c:\users\Matt\AppData\Roaming\Tific
2011-07-24 04:01 . 2011-08-17 02:48    --------    d-----w-    c:\programdata\Norton
2011-07-21 08:49 . 2011-07-21 08:49    --------    d-----w-    c:\program files\iPod
2011-07-21 08:47 . 2011-07-21 08:47    --------    d-----w-    c:\program files\Bonjour
2011-07-19 11:58 . 2011-07-21 08:45    --------    d-----w-    c:\programdata\Spybot - Search & Destroy
2011-07-18 14:00 . 2011-06-11 02:29    2334208    ----a-w-    c:\windows\system32\win32k.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-17 02:50 . 2011-05-13 14:50    404640    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-12 01:20 . 2011-07-12 01:20    83816    ----a-w-    c:\windows\system32\dns-sd.exe
2011-07-12 01:20 . 2011-07-12 01:20    73064    ----a-w-    c:\windows\system32\dnssd.dll
2011-07-12 01:20 . 2011-07-12 01:20    50536    ----a-w-    c:\windows\system32\jdns_sd.dll
2011-07-12 01:20 . 2011-07-12 01:20    178536    ----a-w-    c:\windows\system32\dnssdX.dll
2011-05-24 10:44 . 2011-06-29 11:03    293376    ----a-w-    c:\windows\system32\umpnpmgr.dll
2011-05-24 09:14 . 2011-01-08 09:47    222080    ------w-    c:\windows\system32\MpSigStub.exe
2011-05-20 20:01 . 2011-07-03 07:17    2560616    ----a-w-    c:\windows\system32\nvsvcr.dll
2011-05-20 20:01 . 2011-07-03 07:17    543336    ----a-w-    c:\windows\system32\easyupdatusapiu.dll
2011-05-20 20:01 . 2011-05-20 20:01    899688    ----a-w-    c:\windows\system32\nvdispco3220150.dll
2011-05-20 20:01 . 2011-05-20 20:01    865896    ----a-w-    c:\windows\system32\nvgenco322090.dll
2011-05-20 20:01 . 2011-05-20 20:01    57960    ----a-w-    c:\windows\system32\OpenCL.dll
2011-05-20 20:01 . 2011-05-20 20:01    5301352    ----a-w-    c:\windows\system32\nvcuda.dll
2011-05-20 20:01 . 2011-05-20 20:01    2804328    ----a-w-    c:\windows\system32\nvcuvid.dll
2011-05-20 20:01 . 2011-05-20 20:01    2082408    ----a-w-    c:\windows\system32\nvcuvenc.dll
2011-05-20 20:01 . 2011-05-20 20:01    16456296    ----a-w-    c:\windows\system32\nvoglv32.dll
2011-05-20 20:01 . 2011-05-20 20:01    13011560    ----a-w-    c:\windows\system32\nvcompiler.dll
2011-05-20 20:01 . 2011-05-20 20:01    12392    ----a-w-    c:\windows\system32\drivers\nvBridge.kmd
2011-05-20 20:01 . 2011-05-20 20:01    11992680    ----a-w-    c:\windows\system32\nvd3dum.dll
2011-05-20 20:01 . 2011-05-20 20:01    10589800    ----a-w-    c:\windows\system32\drivers\nvlddmkm.sys
2011-05-20 20:01 . 2010-07-09 18:37    6555240    ----a-w-    c:\windows\system32\nvwgf2um.dll
2011-05-20 20:01 . 2010-07-09 18:37    2335848    ----a-w-    c:\windows\system32\nvapi.dll
2011-05-20 20:01 . 2010-07-09 05:37    66664    ----a-w-    c:\windows\system32\nvshext.dll
2011-05-20 20:01 . 2010-07-09 05:37    615528    ----a-w-    c:\windows\system32\nvvsvc.exe
2011-05-20 20:01 . 2010-07-09 05:37    3693672    ----a-w-    c:\windows\system32\nvcpl.dll
2011-05-20 20:01 . 2010-07-09 05:37    2557544    ----a-w-    c:\windows\system32\nvsvc.dll
2011-05-20 20:01 . 2010-07-09 05:37    111208    ----a-w-    c:\windows\system32\nvmctray.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="c:\users\Matt\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"SpybotSD TeaTimer"="d:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VX1000"="c:\windows\vVX1000.exe" [2010-05-20 762736]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2010-05-20 119152]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Malwarebytes' Anti-Malware (reboot)"="d:\matt pc\Programs\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"iTunesHelper"="d:\program files\iTunesHelper.exe" [2011-07-19 421736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-05-09 13:50]
.
2011-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-05-09 13:50]
.
2011-08-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2254996027-1421625699-4183034034-1001Core.job
- c:\users\Matt\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-09 22:42]
.
2011-08-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2254996027-1421625699-4183034034-1001UA.job
- c:\users\Matt\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-09 22:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html
Trusted Zone: health.gov.au\access
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\z0ljaw1e.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: keyword.URL - hxxp://search.avg.com/?d=4dbfcacf&i=23&tp=ab&nt=1&q=
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-08-17  16:31:17
ComboFix-quarantined-files.txt  2011-08-17 06:31
ComboFix2.txt  2011-02-27 10:47
ComboFix3.txt  2011-02-27 02:41
.
Pre-Run: 106,969,894,912 bytes free
Post-Run: 106,919,313,408 bytes free
.
- - End Of File - - FD983E96924F4AD05C36AEE5263F22B4

#5
Mattc6969 (Topic Starter, New Member, 7 posts)
OTL logfile created on: 17/08/2011 5:13:48 PM - Run 2
OTL by OldTimer - Version 3.2.26.4 Folder = C:\Users\Matt\Desktop
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

3.50 Gb Total Physical Memory | 2.51 Gb Available Physical Memory | 71.70% Memory free
7.00 Gb Paging File | 5.99 Gb Available in Paging File | 85.63% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 101.33 Gb Free Space | 67.99% Space Free | Partition Type: NTFS
Drive D: | 222.89 Gb Total Space | 46.56 Gb Free Space | 20.89% Space Free | Partition Type: NTFS
Drive E: | 104.25 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF

Computer Name: MATT-PC | User Name: Matt | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/08/17 16:02:07 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Users\Matt\Desktop\OTL.exe
PRC - [2011/07/19 18:29:00 | 000,421,736 | ---- | M] (Apple Inc.) -- D:\Program Files\iTunesHelper.exe
PRC - [2011/06/06 12:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2011/05/21 06:01:00 | 002,214,504 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
PRC - [2011/05/21 06:01:00 | 000,839,272 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
PRC - [2011/05/21 06:01:00 | 000,373,864 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
PRC - [2010/11/20 22:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2010/05/20 14:27:24 | 000,139,632 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe
PRC - [2009/07/14 11:14:29 | 000,017,408 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\PrintIsolationHost.exe

========== Modules (No Company Name) ==========

MOD - [2011/03/21 17:30:20 | 000,067,872 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2006/10/26 12:56:46 | 000,757,008 | ---- | M] () -- C:\Program Files\Common Files\microsoft shared\OFFICE12\MSPTLS.DLL

========== Win32 Services (SafeList) ==========

SRV - [2011/08/17 13:07:29 | 000,411,432 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2011/06/06 12:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2011/05/21 06:01:00 | 002,214,504 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe -- (nvUpdatusService)
SRV - [2011/01/13 10:23:06 | 001,343,400 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2010/05/20 14:27:24 | 000,139,632 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe -- (MSCamSvc)
SRV - [2009/07/14 11:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/14 11:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | Unknown | Running] -- -- (aswTdi)
DRV - File not found [Kernel | Unknown | Running] -- -- (aswSP)
DRV - File not found [File_System | Unknown | Running] -- -- (aswSnx)
DRV - File not found [Kernel | Unknown | Running] -- -- (aswRdr)
DRV - File not found [File_System | Unknown | Running] -- -- (aswMonFlt)
DRV - File not found [File_System | Unknown | Running] -- -- (aswFsBlk)
DRV - [2011/05/21 06:01:00 | 010,589,800 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2010/11/20 20:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/11/20 19:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2010/08/12 11:07:48 | 000,298,216 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmf6232.sys -- (NVNET)
DRV - [2010/05/20 14:27:26 | 001,961,072 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VX1000.sys -- (VX1000)
DRV - [2009/07/14 08:02:52 | 000,347,264 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nvm62x32.sys -- (NVENETFD)
DRV - [2008/07/22 06:42:58 | 000,051,200 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtnicxp.sys -- (RTL8023xp)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-au
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = A0 9B BB F5 4F 0E CC 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "AVG Secure Search"
FF - prefs.js..browser.search.selectedEngine: "AVG Secure Search"
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:10.0.0.1178
FF - prefs.js..keyword.URL: "http://search.avg.co...&tp=ab&nt=1&q="

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: D:\Program Files\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/GoogleTalkPlugin: C:\Users\Matt\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/O3DPlugin: C:\Users\Matt\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Matt\AppData\Local\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Matt\AppData\Local\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 4.0\extensions\\Components: D:\Matt PC\Programs\Mozilla Firefox\components [2011/08/17 12:49:07 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 4.0\extensions\\Plugins: D:\Matt PC\Programs\Mozilla Firefox\plugins [2011/08/17 13:24:58 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 6.0\extensions\\Components: D:\Matt PC\Programs\Mozilla Firefox\components [2011/08/17 12:49:07 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 6.0\extensions\\Plugins: D:\Matt PC\Programs\Mozilla Firefox\plugins [2011/08/17 13:24:58 | 000,000,000 | ---D | M]

[2011/01/09 11:08:39 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Matt\AppData\Roaming\Mozilla\Extensions
[2011/01/10 16:18:18 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\z0ljaw1e.default\extensions
File not found (No name found) --

O1 HOSTS File: ([2011/08/17 16:11:35 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll (Google Inc.)
O4 - HKLM..\Run: [iTunesHelper] D:\Program Files\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [LifeCam] C:\Program Files\Microsoft LifeCam\LifeExp.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] D:\Matt PC\Programs\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [VX1000] C:\Windows\vVX1000.exe (Microsoft Corporation)
O4 - HKCU..\Run: [googletalk] C:\Users\Matt\AppData\Roaming\Google\Google Talk\googletalk.exe (Google)
O4 - HKCU..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll (Google Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: health.gov.au ([access] https in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/11 07:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2009/06/11 07:42:20 | 000,000,024 | ---- | M] () - D:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2011/08/17 16:30:55 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2011/08/17 16:24:55 | 000,000,000 | ---D | C] -- C:\ComboFix
[2011/08/17 16:11:32 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2011/08/17 16:11:32 | 000,000,000 | ---D | C] -- C:\Users\Matt\AppData\Local\temp
[2011/08/17 16:05:21 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2011/08/17 16:05:21 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2011/08/17 16:05:21 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2011/08/17 16:02:03 | 000,579,584 | ---- | C] (OldTimer Tools) -- C:\Users\Matt\Desktop\OTL.exe
[2011/08/17 16:00:05 | 004,174,574 | R--- | C] (Swearware) -- C:\Users\Matt\Desktop\ComboFix.exe
[2011/08/17 15:46:50 | 000,000,000 | ---D | C] -- C:\## aswSnx private storage
[2011/08/17 13:24:53 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2011/08/17 13:24:42 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2011/07/24 19:18:51 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software
[2011/07/24 19:18:51 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2011/07/24 14:29:13 | 000,000,000 | ---D | C] -- C:\ProgramData\STOPzilla!
[2011/07/24 14:07:42 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Symantec Shared
[2011/07/24 14:06:44 | 000,000,000 | ---D | C] -- C:\ProgramData\Symantec
[2011/07/24 14:01:25 | 000,000,000 | ---D | C] -- C:\Users\Matt\AppData\Roaming\Tific
[2011/07/24 14:01:25 | 000,000,000 | ---D | C] -- C:\Users\Matt\AppData\Local\Tific
[2011/07/24 14:01:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Norton
[2011/07/24 14:01:08 | 000,000,000 | ---D | C] -- C:\ProgramData\NortonInstaller
[2011/07/24 14:00:59 | 013,999,560 | ---- | C] (Symantec Corporation) -- C:\Users\Matt\Desktop\PCCheckupInstaller.exe
[2011/07/22 18:26:09 | 000,000,000 | ---D | C] -- C:\Users\Matt\Documents\WBM
[2011/07/21 18:49:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2011/07/21 18:49:01 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2011/07/21 18:47:32 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2011/07/19 22:17:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Exterminate It!
[2011/07/19 22:16:37 | 004,969,864 | ---- | C] (CURIOLAB S.M.B.A.) -- C:\Users\Matt\Desktop\ExterminateItSetup.exe
[2011/07/19 21:58:23 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy
[2011/07/19 21:58:20 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2011/07/19 21:53:17 | 016,409,960 | ---- | C] (Safer Networking Limited ) -- C:\Users\Matt\Desktop\spybotsd162.exe

========== Files - Modified Within 30 Days ==========

[2011/08/17 17:16:00 | 000,000,904 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2254996027-1421625699-4183034034-1001UA.job
[2011/08/17 17:09:00 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/08/17 16:24:35 | 000,000,878 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/08/17 16:11:35 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2011/08/17 16:02:07 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Users\Matt\Desktop\OTL.exe
[2011/08/17 16:00:28 | 004,174,574 | R--- | M] (Swearware) -- C:\Users\Matt\Desktop\ComboFix.exe
[2011/08/17 15:10:19 | 000,013,440 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/08/17 15:10:18 | 000,013,440 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/08/17 15:07:16 | 000,307,650 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/08/17 15:07:16 | 000,037,510 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/08/17 15:02:45 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/08/17 15:02:41 | 2818,220,032 | -HS- | M] () -- C:\hiberfil.sys
[2011/08/17 13:24:58 | 000,001,989 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader X.lnk
[2011/08/17 12:44:22 | 000,000,768 | ---- | M] () -- C:\Windows\System32\drivers\kgpcpy.cfg
[2011/08/16 23:16:00 | 000,000,852 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2254996027-1421625699-4183034034-1001Core.job
[2011/07/24 19:19:05 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2011/07/24 19:18:21 | 056,167,608 | ---- | M] () -- C:\Users\Matt\Desktop\setup_av_free.exe
[2011/07/24 14:01:02 | 013,999,560 | ---- | M] (Symantec Corporation) -- C:\Users\Matt\Desktop\PCCheckupInstaller.exe
[2011/07/22 18:24:06 | 000,000,215 | ---- | M] () -- C:\Users\Matt\Desktop\World Basketball Manager 2010.url
[2011/07/21 18:49:16 | 000,001,512 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2011/07/19 22:17:04 | 000,000,781 | ---- | M] () -- C:\Users\Public\Desktop\Exterminate It!.lnk
[2011/07/19 22:16:44 | 004,969,864 | ---- | M] (CURIOLAB S.M.B.A.) -- C:\Users\Matt\Desktop\ExterminateItSetup.exe
[2011/07/19 21:58:23 | 000,000,948 | ---- | M] () -- C:\Users\Matt\Desktop\Spybot - Search & Destroy.lnk
[2011/07/19 21:58:23 | 000,000,948 | ---- | M] () -- C:\Users\Matt\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2011/07/19 21:54:49 | 016,409,960 | ---- | M] (Safer Networking Limited ) -- C:\Users\Matt\Desktop\spybotsd162.exe
[2011/07/19 20:44:22 | 000,412,432 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT

========== Files Created - No Company Name ==========

[2011/08/17 16:05:21 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2011/08/17 13:24:58 | 000,002,441 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
[2011/08/17 13:24:58 | 000,001,989 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader X.lnk
[2011/08/17 12:40:03 | 000,000,768 | ---- | C] () -- C:\Windows\System32\drivers\kgpcpy.cfg
[2011/07/24 19:17:32 | 056,167,608 | ---- | C] () -- C:\Users\Matt\Desktop\setup_av_free.exe
[2011/07/22 18:24:06 | 000,000,215 | ---- | C] () -- C:\Users\Matt\Desktop\World Basketball Manager 2010.url
[2011/07/21 18:49:16 | 000,001,512 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2011/07/19 22:17:04 | 000,000,781 | ---- | C] () -- C:\Users\Public\Desktop\Exterminate It!.lnk
[2011/07/19 21:58:23 | 000,000,948 | ---- | C] () -- C:\Users\Matt\Desktop\Spybot - Search & Destroy.lnk
[2011/07/19 21:58:23 | 000,000,948 | ---- | C] () -- C:\Users\Matt\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2011/06/23 21:18:33 | 000,187,432 | -H-- | C] () -- C:\Windows\System32\mlfcache.dat
[2011/02/28 23:09:00 | 000,307,650 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2011/02/28 23:09:00 | 000,037,510 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2011/02/28 22:50:21 | 000,011,164 | ---- | C] () -- C:\Windows\System32\drivers\nvphy.bin
[2011/02/27 12:33:35 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2011/02/27 12:33:35 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe

[2011/02/27 12:33:35 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe

[2011/02/27 12:33:35 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe

[2009/07/14 14:57:37 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat

[2009/07/14 14:33:53 | 000,412,432 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT

[2009/07/14 12:05:48 | 000,291,294 | ---- | C] () -- C:\Windows\System32\perfi009.dat

[2009/07/14 12:05:48 | 000,031,548 | ---- | C] () -- C:\Windows\System32\perfd009.dat

[2009/07/14 12:05:05 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT

[2009/07/14 12:04:11 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat

[2009/07/14 09:55:01 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin

[2009/07/14 09:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll

[2009/07/14 09:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll

[2009/06/26 16:21:02 | 000,015,498 | ---- | C] () -- C:\Windows\VX1000.ini

[2009/06/11 07:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat



========== LOP Check ==========



[2011/02/27 15:12:49 | 000,000,000 | ---D | M] -- C:\Users\Matt\AppData\Roaming\AVG10

[2011/07/10 23:38:43 | 000,000,000 | ---D | M] -- C:\Users\Matt\AppData\Roaming\BitTorrent

[2011/01/30 20:08:43 | 000,000,000 | ---D | M] -- C:\Users\Matt\AppData\Roaming\Childish Things

[2011/02/18 07:50:50 | 000,000,000 | ---D | M] -- C:\Users\Matt\AppData\Roaming\Citrix

[2011/01/25 20:21:55 | 000,000,000 | ---D | M] -- C:\Users\Matt\AppData\Roaming\ICAClient

[2011/02/18 07:50:50 | 000,000,000 | ---D | M] -- C:\Users\Matt\AppData\Roaming\Netscape

[2011/07/24 14:01:25 | 000,000,000 | ---D | M] -- C:\Users\Matt\AppData\Roaming\Tific

[2011/04/14 17:35:23 | 000,032,576 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT



========== Purity Check ==========







========== Custom Scans ==========





< %SYSTEMDRIVE%\*.exe >





< MD5 for: EXPLORER.EXE >

[2011/02/26 15:19:21 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=0FB9C74046656D1579A64660AD67B746 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_54149f9ef14031fc\explorer.exe

[2009/07/14 11:14:20 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=15BC38A7492BEFE831966ADB477CF76F -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_518afd35db100430\explorer.exe

[2011/02/26 15:51:13 | 002,614,784 | ---- | M] (Microsoft Corporation) MD5=255CF508D7CFB10E0794D6AC93280BD8 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20910_none_525b5180f3f95373\explorer.exe

[2009/10/31 15:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=2626FC9755BE22F805D3CFA0CE3EE727 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_51a66d6ddafc2ed1\explorer.exe

[2011/02/26 15:33:07 | 002,614,784 | ---- | M] (Microsoft Corporation) MD5=2AF58D15EDC06EC6FDACCE1F19482BBF -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16768_none_51a3a583dafd0cef\explorer.exe

[2010/11/20 22:17:09 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=40D777B7A95E00593EB1568C68514493 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_53bc10fdd7fe87ca\explorer.exe

[2011/02/25 15:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=8B88EBBB05A0E56B7DCC708498C02B3E -- C:\Windows\ERDNT\cache\explorer.exe

[2011/02/25 15:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=8B88EBBB05A0E56B7DCC708498C02B3E -- C:\Windows\explorer.exe

[2011/02/25 15:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=8B88EBBB05A0E56B7DCC708498C02B3E -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_5389023fd8245f84\explorer.exe

[2009/08/03 15:49:47 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=9FF6C4C91A3711C0A3B18F87B08B518D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20500_none_526619d4f3f142e6\explorer.exe

[2009/08/03 15:35:50 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=B95EEB0F4E5EFBF1038A35B3351CF047 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16404_none_51e07e31dad00878\explorer.exe

[2009/10/31 16:00:51 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=C76153C7ECA00FA852BB0C193378F917 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_52283b2af41f3691\explorer.exe



< MD5 for: SVCHOST.EXE >

[2009/07/14 11:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=54A47F6B5E09A77E61649109C6A08866 -- C:\Windows\ERDNT\cache\svchost.exe

[2009/07/14 11:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=54A47F6B5E09A77E61649109C6A08866 -- C:\Windows\System32\svchost.exe

[2009/07/14 11:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=54A47F6B5E09A77E61649109C6A08866 -- C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_b591afc466a15356\svchost.exe



< MD5 for: USERINIT.EXE >

[2010/11/20 22:17:48 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\ERDNT\cache\userinit.exe

[2010/11/20 22:17:48 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\System32\userinit.exe

[2010/11/20 22:17:48 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7601.17514_none_de3024012ff21116\userinit.exe

[2009/07/14 11:14:43 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=6DE80F60D7DE9CE6B8C2DDFDF79EF175 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_dbff103933038d7c\userinit.exe



< MD5 for: WINLOGON.EXE >

[2009/10/28 16:17:59 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=37CDB7E72EB66BA85A87CBE37E7F03FD -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16447_none_6fc699643622d177\winlogon.exe

[2009/10/28 15:52:08 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=3BABE6767C78FBF5FB8435FEED187F30 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.20560_none_703394514f56f7c2\winlogon.exe

[2010/11/20 22:17:54 | 000,286,720 | ---- | M] (Microsoft Corporation) MD5=6D13E1406F50C66E2A95D97F22C47560 -- C:\Windows\ERDNT\cache\winlogon.exe

[2010/11/20 22:17:54 | 000,286,720 | ---- | M] (Microsoft Corporation) MD5=6D13E1406F50C66E2A95D97F22C47560 -- C:\Windows\System32\winlogon.exe

[2010/11/20 22:17:54 | 000,286,720 | ---- | M] (Microsoft Corporation) MD5=6D13E1406F50C66E2A95D97F22C47560 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_71ca6b0233339500\winlogon.exe

[2009/07/14 11:14:45 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=8EC6A4AB12B8F3759E21F8E3A388F2CF -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16385_none_6f99573a36451166\winlogon.exe



< %systemroot%\*. /mp /s >



< hklm\software\clients\startmenuinternet|command /rs >

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "D:\Matt PC\Programs\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2011/08/17 12:49:06 | 000,712,976 | ---- | M] (Mozilla Corporation)

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "D:\Matt PC\Programs\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2011/08/17 12:49:06 | 000,712,976 | ---- | M] (Mozilla Corporation)

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "D:\Matt PC\Programs\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2011/08/17 12:49:06 | 000,712,976 | ---- | M] (Mozilla Corporation)

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: D:\Matt PC\Programs\Mozilla Firefox\firefox.exe [2011/08/17 12:49:06 | 000,924,632 | ---- | M] (Mozilla Corporation)

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "D:\Matt PC\Programs\Mozilla Firefox\firefox.exe" -preferences [2011/08/17 12:49:06 | 000,924,632 | ---- | M] (Mozilla Corporation)

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "D:\Matt PC\Programs\Mozilla Firefox\firefox.exe" -safe-mode [2011/08/17 12:49:06 | 000,924,632 | ---- | M] (Mozilla Corporation)

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\Windows\System32\ie4uinit.exe" -show [2010/11/20 22:17:13 | 000,176,128 | ---- | M] (Microsoft Corporation)

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\Windows\System32\ie4uinit.exe" -reinstall [2010/11/20 22:17:13 | 000,176,128 | ---- | M] (Microsoft Corporation)

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\Windows\System32\ie4uinit.exe" -hide [2010/11/20 22:17:13 | 000,176,128 | ---- | M] (Microsoft Corporation)

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2010/11/20 22:22:51 | 000,673,040 | ---- | M] (Microsoft Corporation)

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" [2010/11/20 22:22:51 | 000,673,040 | ---- | M] (Microsoft Corporation)

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Safari.exe\InstallInfo\\ReinstallCommand: "C:\Program Files\Safari\Safari.exe" /reinstall [2011/03/21 20:10:48 | 002,388,264 | ---- | M] (Apple Inc.)

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Safari.exe\InstallInfo\\HideIconsCommand: "C:\Program Files\Safari\Safari.exe" /hideicons [2011/03/21 20:10:48 | 002,388,264 | ---- | M] (Apple Inc.)

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Safari.exe\InstallInfo\\ShowIconsCommand: "C:\Program Files\Safari\Safari.exe" /showicons [2011/03/21 20:10:48 | 002,388,264 | ---- | M] (Apple Inc.)

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Safari.exe\shell\open\command\\: "C:\Program Files\Safari\Safari.exe" [2011/03/21 20:10:48 | 002,388,264 | ---- | M] (Apple Inc.)



< hklm\software\clients\startmenuinternet|command /64 /rs >

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "D:\Matt PC\Programs\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2011/08/17 12:49:06 | 000,712,976 | ---- | M] (Mozilla Corporation)

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "D:\Matt PC\Programs\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2011/08/17 12:49:06 | 000,712,976 | ---- | M] (Mozilla Corporation)

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "D:\Matt PC\Programs\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2011/08/17 12:49:06 | 000,712,976 | ---- | M] (Mozilla Corporation)

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: D:\Matt PC\Programs\Mozilla Firefox\firefox.exe [2011/08/17 12:49:06 | 000,924,632 | ---- | M] (Mozilla Corporation)

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "D:\Matt PC\Programs\Mozilla Firefox\firefox.exe" -preferences [2011/08/17 12:49:06 | 000,924,632 | ---- | M] (Mozilla Corporation)

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "D:\Matt PC\Programs\Mozilla Firefox\firefox.exe" -safe-mode [2011/08/17 12:49:06 | 000,924,632 | ---- | M] (Mozilla Corporation)

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\Windows\System32\ie4uinit.exe" -show [2010/11/20 22:17:13 | 000,176,128 | ---- | M] (Microsoft Corporation)

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\Windows\System32\ie4uinit.exe" -reinstall [2010/11/20 22:17:13 | 000,176,128 | ---- | M] (Microsoft Corporation)

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\Windows\System32\ie4uinit.exe" -hide [2010/11/20 22:17:13 | 000,176,128 | ---- | M] (Microsoft Corporation)

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2010/11/20 22:22:51 | 000,673,040 | ---- | M] (Microsoft Corporation)

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" [2010/11/20 22:22:51 | 000,673,040 | ---- | M] (Microsoft Corporation)

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Safari.exe\InstallInfo\\ReinstallCommand: "C:\Program Files\Safari\Safari.exe" /reinstall [2011/03/21 20:10:48 | 002,388,264 | ---- | M] (Apple Inc.)

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Safari.exe\InstallInfo\\HideIconsCommand: "C:\Program Files\Safari\Safari.exe" /hideicons [2011/03/21 20:10:48 | 002,388,264 | ---- | M] (Apple Inc.)

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Safari.exe\InstallInfo\\ShowIconsCommand: "C:\Program Files\Safari\Safari.exe" /showicons [2011/03/21 20:10:48 | 002,388,264 | ---- | M] (Apple Inc.)

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Safari.exe\shell\open\command\\: "C:\Program Files\Safari\Safari.exe" [2011/03/21 20:10:48 | 002,388,264 | ---- | M] (Apple Inc.)



< End of report >
  • 0
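The `< MD5 for: ... >` blocks near the end of the OTL report above are the part of a log a helper reads first. OTL hashes every copy of explorer.exe, svchost.exe, userinit.exe and winlogon.exe it can find, so the live copy in C:\Windows or C:\Windows\System32 can be compared with the originals Windows Update left in the WinSxS component store (the C:\Windows\ERDNT\cache copies are ComboFix's ERUNT backup cache, not running files). In this report each live copy's MD5 matches one of its WinSxS copies, which is consistent with the later remark that the scans show no trace of malware. The script below is an added example, not part of the thread or of OTL: it parses those lines and flags any live copy whose hash is not found among the component-store copies of the same binary, or that carries no company name. The "matches a WinSxS copy" rule is this example's own heuristic; the sample report embeds the real svchost.exe lines from above plus a constructed userinit.exe section whose System32 hash has been zeroed out to show what a patched file would look like.

```python
r"""Cross-check the '< MD5 for: ... >' blocks of an OTL report against WinSxS.

Added example for this thread, not part of OTL.  OTL lists every copy of a
critical Windows binary it finds, with size, company name and MD5.  Copies
under C:\Windows\winsxs\ are the component-store originals installed by
Windows Update; the copy that actually runs lives in C:\Windows or
C:\Windows\System32.  Heuristic (this example's own, not OTL's): a live copy
whose MD5 matches none of its WinSxS copies, or whose version resource has
no company name, deserves a closer look.
"""
import re
from collections import defaultdict
from typing import NamedTuple

# One OTL entry line, e.g.
# [2009/07/14 11:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=54A4... -- C:\Windows\System32\svchost.exe
ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[MC])\] "
    r"\((?P<company>[^)]*)\) MD5=(?P<md5>[0-9A-Fa-f]{32}) -- (?P<path>\S.*?)\s*$"
)
SECTION_RE = re.compile(r"^< MD5 for: (?P<name>.+?) >$")


class Entry(NamedTuple):
    binary: str      # lower-cased name from the section header, e.g. "svchost.exe"
    path: str
    md5: str
    size: int
    company: str


def parse_md5_sections(report: str) -> list:
    """Return every file entry that sits under a '< MD5 for: NAME >' header."""
    entries, binary = [], None
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            binary = header["name"].lower()
            continue
        if line.startswith("<"):          # any other custom-scan header ends the block
            binary = None
            continue
        m = ENTRY_RE.match(line)
        if binary and m:
            entries.append(Entry(binary, m["path"], m["md5"].upper(),
                                 int(m["size"].replace(",", "")), m["company"].strip()))
    return entries


def is_component_store(path: str) -> bool:
    return "\\winsxs\\" in path.lower()


def is_backup_copy(path: str) -> bool:
    # C:\Windows\ERDNT\cache is ComboFix's ERUNT backup cache, not a running copy
    return "\\erdnt\\" in path.lower()


def find_suspect_copies(entries) -> list:
    """Live copies whose hash is unknown to the component store or that lack a company name.

    Returns (path, md5, reason) tuples; an empty list means every live copy is
    byte-identical to a Microsoft-installed original of the same binary.
    """
    known = defaultdict(set)
    for e in entries:
        if is_component_store(e.path):
            known[e.binary].add(e.md5)
    findings = []
    for e in entries:
        if is_component_store(e.path) or is_backup_copy(e.path):
            continue
        reasons = []
        if e.md5 not in known[e.binary]:
            reasons.append("md5 not in component store")
        if not e.company:
            reasons.append("no company name")
        if reasons:
            findings.append((e.path, e.md5, "; ".join(reasons)))
    return findings


# Constructed sample: the svchost.exe block is copied from the report above (all
# three copies agree).  The userinit.exe block is CONSTRUCTED: the System32 line
# has its MD5 zeroed and company name removed to show what a patched file would
# look like; in the real report userinit.exe matches its WinSxS copy.
SAMPLE_REPORT = r"""
< MD5 for: SVCHOST.EXE >
[2009/07/14 11:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=54A47F6B5E09A77E61649109C6A08866 -- C:\Windows\ERDNT\cache\svchost.exe
[2009/07/14 11:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=54A47F6B5E09A77E61649109C6A08866 -- C:\Windows\System32\svchost.exe
[2009/07/14 11:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=54A47F6B5E09A77E61649109C6A08866 -- C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_b591afc466a15356\svchost.exe

< MD5 for: USERINIT.EXE >
[2010/11/20 22:17:48 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7601.17514_none_de3024012ff21116\userinit.exe
[2010/11/20 22:17:48 | 000,026,624 | ---- | M] () MD5=00000000000000000000000000000000 -- C:\Windows\System32\userinit.exe

< %systemroot%\*. /mp /s >
"""

if __name__ == "__main__":
    for path, md5, reason in find_suspect_copies(parse_md5_sections(SAMPLE_REPORT)):
        print(f"SUSPECT {path} {md5} ({reason})")
```

Two limits worth keeping in mind when reading such a check: a match only shows that the live file is byte-identical to a Microsoft-installed copy, and says nothing about whether the component store itself was tampered with; and a kernel-mode rootkit can hand a user-mode tool clean bytes for an infected file, which is one reason rootkit and boot-sector scanners such as the TDSSKiller and aswMBR steps later in this thread are still asked for even when the hashes all agree.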

#6
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Let's see what AVP has to say :):

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named)

First we will run a virus scan

Click the cog in the upper right
Posted Image


Select down to and including your main drive. Once done, select the Automatic scan tab and press Start Scan
Posted Image

Allow AVP to delete all infections found
Once it has finished, select the Report tab (last tab)
Select the Detected threats report on the left and press the Save button
Save it to your desktop and attach it to your next post
  • 0

#7
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0

#8
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
User returned

Hi Mattc6969,

Did you manage to get AVP log? Please post it if you did.
  • 0

#9
Mattc6969

Mattc6969

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
I didn't manage to get the AVP log. I scanned till about 60% and it took about 3 days, then it crashed. I am scanning again and it is up to 4% after 10 mins... Not sure if it is working properly?
  • 0

#10
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
OK. Let's install the free Avast:

http://www.avast.com...ivirus-download

Once you have it installed and it has updated, right-click on it and select Open Avast! User Interface, then click on Scan Computer, then on Boot-Time Scan, then Schedule Now. Reboot and let it run a scan. It will take many hours (like overnight) and unfortunately you may need to check back with it once in a while to see if it needs any input from you. If the scan hangs, that may indicate a hardware problem.
  • 0



#11
Mattc6969

Mattc6969

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Sorry, I already tried Avast before I sought help on the forum, and I don't have access to the Internet on my PC (this is a smartphone). Are there any other steps I can take to identify this virus?
  • 0

#12
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Can you please write down your current problems? I don't see any trace of malware in the scans we did. Maybe it will help me decide what to do next.
  • 0

#13
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
I would also like to see these logs:

Step 1

Please read carefully and follow these steps.

Download TDSSKiller.zip from Kaspersky and save it to your Desktop.
  • Extract the zip file to its own folder.
  • Double-click TDSSKiller.exe to run the program (Run as Administrator for Vista/Windows 7).
  • Click Start scan to start scanning.
  • If infection is detected, the default setting for "action" should be Cure
    • (If suspicious file is detected please click on it and change it to Skip).
  • Click Continue button
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.

Step 2

Download aswMBR.exe (511 KB) to your desktop.

  • Double-click the aswMBR.exe to run it
  • Click the "Scan" button to start the scan
  • On completion of the scan, click Save log, save it to your desktop and post it in your next reply

Step 3

Please don't forget to include these items in your reply:

  • TDSSKiller log
  • aswMBR log
It would be helpful if you could post each log in a separate post
  • 0

#14
Mattc6969

Mattc6969

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Sure, I will do those scans. A variety of scans have mentioned vundo and palvero viruses... Could that be causing it? It is mainly a redirect thing - my browser always redirects to an AVG search, plus my Internet is dropping out all the time but the SP says nothing is wrong!!
  • 0

#15
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Please do the scans and post the logs. Can you also post the logs that find vundo on your PC? I would like to see them.
  • 0





