
Windows Repair

Re: Windows Repair

Postby stephuk » Sat Apr 09, 2011 7:24 pm

Hi, thanks again so much for helping and guiding me step by step with this, really appreciated (and sorry for being a pain - it is so frustrating though)

I've tried to email you the 2 files but Hotmail won't send them because they have an error. When I clicked on "show the error" it said that they were both empty files.

I've logged on normal mode, put a new picture as background picture and it worked.

I've logged off and logged back on in safe mode and the picture is not there anymore (I seem to remember it still should appear even in Safe mode, am I correct?)

Done FixNCR and the Vista security shield at the bottom of the screen disappeared. Tried with rkill again but it won't start (as before), all it does is "preparing rkill" and then the black window disappears. Malwarebytes stopped and froze the computer on the same file again (still showing 4 infected objects)

Gonna try with SuperAntiSpyware now. Restarted in Safe mode, Vista Anti-Spyware shield back on and pop-ups coming whilst scanning. Had to re-run FixNCR as SuperAntiSpyware wouldn't come up straight away (Vista Anti Spyware fake scan instead) - I'll post the log if I manage to get there eventually.



PS- what should I do re Windows Security Center (e.g. turn firewall on, click on show me available options for malware protection?) - I use AVG Free 2011 on my other computer, shall I download it to this one too (I thought it was there already to be fair - I'm sure it was at some point)
stephuk
 
Posts: 44
Joined: Thu Mar 31, 2011 3:44 pm

Re: Windows Repair

Postby 12056 » Sat Apr 09, 2011 7:36 pm

So it seems the FixNCR is helping, would that be safe to say?

Since that seemed to help, you may also want to try FixShell by Prevx.
fixshell.zip
or EXEHelper

Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)

Extract the ZIP file to your desktop, double-click on fixshell.exe and when prompted click "YES".
Let me know if you get a log file. Even if the scanner doesn't remove it, if I know where it's at we can use other tools to remove them!
Rhett Trappman
MyAntispyware.com Forum Security Team and Moderator
12056
 
Posts: 860
Joined: Sun Apr 25, 2010 9:57 pm

Re: Windows Repair

Postby stephuk » Sat Apr 09, 2011 7:43 pm

It helped in the way that I've managed to run SuperAntiSpyware, yeah, but Vista Anti Spyware is still there and keeps sending warnings every other minute...

SuperAS scan nearly finished - or I mean almost on the file which makes it crash every time, so gonna stop it now. It found 12 adware cookies and just deleted them.

Will do next step in a bit. Thanks:)
stephuk
 
Posts: 44
Joined: Thu Mar 31, 2011 3:44 pm

Re: Windows Repair

Postby 12056 » Sat Apr 09, 2011 8:23 pm

We need to run another CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Code:
KillAll::

Reglock::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000]


Save this as CFScript.txt, in the same location as ComboFix.exe (Your Desktop)
And Drag and Drop the File onto Combofix to start the removal script.
Rhett Trappman
MyAntispyware.com Forum Security Team and Moderator
12056
 
Posts: 860
Joined: Sun Apr 25, 2010 9:57 pm

Re: Windows Repair

Postby stephuk » Sat Apr 09, 2011 8:29 pm

I didn't get a log from Fixshell. Restarted in normal mode now and opened Internet Explorer and so far nothing dodgy seems to happen!! Fingers crossed!! Do you think that means that it has all been removed?

Could you please guide me re Windows Security Center as I have genuinely never seen this before - what to do for the firewall (it's currently set to Off but if I put it On will I still be able to download stuff online?), Windows Defender turned Off, shall I turn it On or choose another option?

Also, how do I set up that restore points get created automatically? Can't find the option but before all this happened I do know restore points were automatically created.

It's been on for about 10 min now and nothing bad happened this time, the only thing is that it's quite noisy (the fan / or "thinking") but I guess it prob was always like that and I'm just really over-suspicious about everything now!!


Anyway thank you so much for all that, fingers crossed it's all sorted but anyway I do feel that if it's not we're now on a good way!! I'll let you know tmrw morning how it goes:)




***EDIT***

Just seen your last message re running new script - I'll do this in the morning, thanks:)
(but was I supposed to do this before Fixshell or is it still ok to do now?)
stephuk
 
Posts: 44
Joined: Thu Mar 31, 2011 3:44 pm

Re: Windows Repair

Postby 12056 » Sat Apr 09, 2011 8:41 pm

I didn't get a log from Fixshell. Restarted in normal mode now and opened Internet Explorer and so far nothing dodgy seems to happen!! Fingers crossed!! Do you think that means that it has all been removed?


That's great! I've kinda pinpointed some settings that generally are modified by this type of infection; those tools I've listed reset them to the defaults!
No, I don't think it's all been removed, just disabled, the files still may be present, try the CFScript and the scanners to remove them.
Let me know...

Could you please guide me re Windows Security Center as I have genuinely never seen this before - what to do for the firewall (it's currently set to Off but if I put it On will I still be able to download stuff online?), Windows Defender turned Off, shall I turn it On or choose another option?


Turning on a firewall should not disrupt normal browsing, etc.; they are designed to block intrusion and data theft attempts (usually on outside networks such as infected servers).
They may, however, block P2P and other extremely risky behaviors, in order to protect your computer.

I really can't recommend Windows Defender as a solid Anti-Virus program, I suggest you install Avast! or AVG.

As per your System Restore questions see this link.
Rhett Trappman
MyAntispyware.com Forum Security Team and Moderator
12056
 
Posts: 860
Joined: Sun Apr 25, 2010 9:57 pm

Re: Windows Repair

Postby stephuk » Sun Apr 10, 2011 9:01 am

Hi,

I've started the computer in normal mode this morning. When I opened the internet browser I could hear people talking, as if a movie was being played in the background. I remember reading that this was one of the things the virus does.

I looked at the History and there were a few random websites listed under "today" but I've only checked my Hotmail and this forum so I'm guessing that's a consequence of the adware cookies that keep coming back on.

I've run CFScript with ComboFix, here is the log. When ComboFix started a "CatchMe" .log file got created on the desktop, I'm gonna email it to you in case it's suspicious. The log appeared after reboot (in normal mode) and I've tried to go online to post it here but when clicking on the Explorer icon or shortcuts this message came up "Explorer.exe : Illegal operation attempted on a registry key that has been marked for deletion." Tried to launch Google Chrome but another error message came up. Looks like I can't go online from there at the moment so back on my other computer to post the log and email you the file.

I need to go out for a bit but when I'm back I'll run SuperAntiSpyware again to see if anything new comes up.


ComboFix 11-04-08.02 - Lee & Steph 10/04/2011 9:23.1.4 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2814.1604 [GMT 1:00]
Running from: c:\users\Lee & Steph\Desktop\ComboFix.exe
Command switches used :: c:\users\Lee & Steph\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\Microsoft
c:\windows\system32\Microsoft\Protect\S-1-5-18\a7c42af7-5798-4298-a130-e26ab8080090
c:\windows\system32\Microsoft\Protect\S-1-5-18\Preferred
c:\windows\system32\Microsoft\Protect\S-1-5-18\User\3234eeca-43ee-43db-a69d-6043e59e8425
c:\windows\system32\Microsoft\Protect\S-1-5-18\User\Preferred
.
.
((((((((((((((((((((((((( Files Created from 2011-03-10 to 2011-04-10 )))))))))))))))))))))))))))))))
.
.
2011-04-10 08:30 . 2011-04-10 08:30 -------- d-s---w- c:\windows\system32\Microsoft
2011-04-04 15:36 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-04 15:36 . 2011-04-05 15:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-03 13:23 . 2011-04-03 13:23 -------- d-----w- c:\program files\Trend Micro
2011-03-27 16:14 . 2011-03-27 16:14 -------- d-----w- c:\program files\Common Files\Skype
2011-03-23 16:26 . 2011-02-22 14:13 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-03-23 16:26 . 2011-02-22 13:33 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-03-23 16:26 . 2011-02-22 13:33 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-03-15 16:38 . 2011-03-15 16:38 -------- d-----w- c:\program files\iPod
2011-03-15 16:38 . 2011-03-15 16:39 -------- d-----w- c:\program files\iTunes
2011-03-15 16:35 . 2011-03-15 16:35 -------- d-----w- c:\program files\Bonjour
2011-03-14 17:59 . 2011-03-14 18:00 -------- d-----w- c:\program files\GIMP-2.0
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-18 16:36 . 2011-02-18 16:36 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 16:36 . 2011-02-18 16:36 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-02 18:11 . 2010-07-05 19:56 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-20 16:37 . 2011-02-09 16:17 638336 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-01-20 16:08 . 2011-02-09 16:17 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08 . 2011-02-09 16:17 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08 . 2011-02-09 16:17 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:08 . 2011-02-09 16:17 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08 . 2011-02-09 16:17 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:07 . 2011-02-09 16:17 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07 . 2011-02-09 16:17 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07 . 2011-02-09 16:17 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06 . 2011-02-09 16:17 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06 . 2011-02-09 16:17 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04 . 2011-02-09 16:17 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 16:04 . 2011-02-09 16:17 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 14:28 . 2011-02-09 16:17 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27 . 2011-02-09 16:17 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26 . 2011-02-09 16:17 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25 . 2011-02-09 16:17 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24 . 2011-02-09 16:17 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15 . 2011-02-09 16:17 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14 . 2011-02-09 16:17 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14 . 2011-02-09 16:17 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14 . 2011-02-09 16:17 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12 . 2011-02-09 16:17 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11 . 2011-02-09 16:17 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47 . 2011-02-09 16:17 683008 ----a-w- c:\windows\system32\d2d1.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-03-05 06:38 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-11-10 4240760]
"TomTomHOME.exe"="c:\program files\TomTom HOME\TomTomHOMERunner.exe" [2010-08-24 247144]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-02 68856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"kdx"="c:\program files\Kontiki\KHost.exe" [2009-01-02 1041960]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-03-26 5369856]
"Acer Empowering Technology Monitor"="c:\program files\Acer\Empowering Technology\SysMonitor.exe" [2008-04-25 319488]
"EmpoweringTechnology"="c:\program files\Acer\Empowering Technology\Framework.Launcher.exe" [2008-04-25 319488]
"eDataSecurity Loader"="c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-03-05 526896]
"PCMMediaSharing"="c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe" [2008-01-26 204908]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-03-08 40048]
"BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-26 28672]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-26 30192]
"Skytel"="Skytel.exe" [2007-11-20 1826816]
"kdx"="c:\program files\Kontiki\KHost.exe" [2009-01-02 1041960]
"PlayMovie"="c:\program files\Acer Arcade Live\Acer PlayMovie\PMVService.exe" [2009-09-14 177384]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-06 13:34 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
R2 gupdate1c9cc9d5e423763;Google Update Service (gupdate1c9cc9d5e423763);c:\program files\Google\Update\GoogleUpdate.exe [2009-05-04 133104]
R3 CFcatchme;CFcatchme;c:\users\LEE&ST~1\AppData\Local\Temp\CFcatchme.sys [x]
R3 DNIMp50;DNIMp50 NDIS Protocol Driver;c:\windows\system32\Drivers\DNIMp50.sys [2006-11-16 21504]
R3 DNISp50;DNISp50 NDIS Protocol Driver;c:\windows\system32\Drivers\DNISp50.sys [2006-11-16 20480]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-08-26 30192]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-12-20 38224]
R3 S2usbser;S2 USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\S2usbser.sys [2008-03-20 103680]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-03-13 12872]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S0 RapportKELL;RapportKELL;c:\windows\System32\Drivers\RapportKELL.sys [2010-10-03 59240]
S1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [2010-02-27 390528]
S1 RapportCerberus_25641;RapportCerberus_25641;c:\programdata\Trusteer\Rapport\store\exts\RapportCerberus\25641\RapportCerberus_25641.sys [2011-04-09 56888]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2010-10-03 169320]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-03-13 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2010-06-27 67656]
S2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};Power Control [2010/02/27 11:46];c:\program files\Acer Arcade Live\Acer PlayMovie\000.fcl [2009-09-14 10:31 87536]
S2 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe [2008-01-26 269448]
S2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [2008-03-03 16384]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [2008-04-25 24576]
S2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-04-26 45056]
S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-04-26 131072]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2010-10-03 767208]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME\TomTomHOMEService.exe [2010-08-24 92008]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-04-22 43552]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-04 09:47]
.
2011-04-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-04 09:47]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://en.uk.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
LSP: %SYSTEMROOT%\system32\nvLsp.dll
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-10 09:30
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Live\Acer PlayMovie\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(7592)
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
c:\windows\system32\nvLsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
c:\program files\Kontiki\KService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\bin32\nSvcAppFlt.exe
c:\program files\bin32\nSvcIp.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\WUDFHost.exe
c:\windows\servicing\TrustedInstaller.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2011-04-10 09:36:15 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-10 08:36
ComboFix2.txt 2011-04-09 08:21
ComboFix3.txt 2011-04-08 16:36
ComboFix4.txt 2011-04-05 16:29
ComboFix5.txt 2011-04-10 08:22
.
Pre-Run: 36,517,724,160 bytes free
Post-Run: 36,416,081,920 bytes free
.
- - End Of File - - 92AAE271ACC0F246D04FA98B69F99EBE
stephuk
 
Posts: 44
Joined: Thu Mar 31, 2011 3:44 pm

Re: Windows Repair

Postby stephuk » Sun Apr 10, 2011 6:35 pm

Hi, I've run SuperAntiSpyware and it found 17 adware tracking cookies.

I've downloaded AVG from this computer and transferred it to my "infected" one (as I can't go online at the minute with it - as stated in previous message) - after restart this message came up "choose the program you want to use to open this file" but I'm not sure what file was referred to. I tried to launch AVG but a similar message came up "ssvagent.exe choose the program you want to use to open this file" - I ran FixNCR and it did the trick one more time. AVG detected 2 trojans automatically and asked for "reboot now".

Restart of the computer, same message about what program to use. Currently running AVG whole computer scan. Will post log if I get one.


When I click on IE or Google Chrome I still can't go online (but now the browser opens and the page stays blank)
stephuk
 
Posts: 44
Joined: Thu Mar 31, 2011 3:44 pm

Re: Windows Repair

Postby stephuk » Sun Apr 10, 2011 7:20 pm

AVG didn't find any further infections.

Decided on trying Malwarebytes. It ran for longer than usual. Picked up on 4 infected objects which have been automatically picked up as well by AVG Shield and transferred to the Vault. Then Malwarebytes finally froze and I had to manually shut down.

If not all done yet, I feel like we're well on the way to removing all the nasty things which were on there!!

Thanks for your advice re restore points etc. :) Now what shall I do re the internet? It is definitely connected (via WiFi) but still can't go online...
stephuk
 
Posts: 44
Joined: Thu Mar 31, 2011 3:44 pm

Re: Windows Repair

Postby 12056 » Sun Apr 10, 2011 8:56 pm

Re: The Internet
1. Check your browser settings, and make sure that the connection is not using a proxy, some malware will add one like (localhost:6534), remove and disable that setting.
2. Ensure that your firewall is allowing your browser normal access to the Internet.

Re: Other Infections.
1. Restart Into Safe Mode.
2. Navigate to C:\Program Files\Malwarebytes' Anti-Malware
3. Rename the mbam.exe file to new1234.exe
4. Run the newly re-named MalwareBytes executable. (Note: The shortcut on your desktop will be broken, but we can fix that later.)
5. Update and Re-Scan.
6. Remove Infections, Post Log File for review.

The reason we sometimes rename removal tools is that some malware targets process names, but it generally can't target randomly named files!
Rhett Trappman
MyAntispyware.com Forum Security Team and Moderator
12056
 
Posts: 860
Joined: Sun Apr 25, 2010 9:57 pm
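The proxy check in the reply above can be done from the registry rather than by clicking through Internet Options. The script below is an added example written for this thread, not the moderator's own tool or anything from the forum: it reads the per-user WinINET proxy settings that Internet Explorer (and Chrome, which uses the system setting) honour, flags a proxy pointing at the local machine like the localhost:6534 example the reply mentions, and only clears it when run with the -Remove switch. It assumes Windows PowerShell run as the affected user; the registry path is the standard WinINET location.

```powershell
# Added example, not from the forum thread or its moderator: audit the per-user
# WinINET proxy settings that malware of this kind changes, and optionally
# clear a suspicious one. Assumes Windows PowerShell run as the affected user.
[CmdletBinding()]
param(
    [switch]$Remove   # clear a suspicious proxy instead of only reporting it
)

$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$s   = Get-ItemProperty -Path $key

# Missing values read as 0 / empty string, so the checks below still work.
$proxyEnable   = [int]$s.ProxyEnable          # 1 = a manual proxy is in use
$proxyServer   = [string]$s.ProxyServer       # "host:port" or "http=host:port;https=..."
$autoConfigUrl = [string]$s.AutoConfigURL     # PAC script: another way traffic can be redirected

Write-Host "ProxyEnable   : $proxyEnable"
Write-Host "ProxyServer   : '$proxyServer'"
Write-Host "AutoConfigURL : '$autoConfigUrl'"

# A proxy on the local machine is the classic sign of a malware relay: no
# legitimate proxy lives on 127.0.0.1 / localhost on a home PC. The pattern
# handles both the plain "host:port" form and the per-protocol list form.
$loopback   = '(^|=)(127\.0\.0\.1|localhost)(:\d+)?(;|$)'
$suspicious = ($proxyEnable -eq 1) -and ($proxyServer -match $loopback)

if ($suspicious) {
    Write-Warning "Proxy is enabled and points at the local machine: $proxyServer"
    if ($Remove) {
        Set-ItemProperty -Path $key -Name ProxyEnable -Value 0
        Remove-ItemProperty -Path $key -Name ProxyServer -ErrorAction SilentlyContinue
        Write-Host "Proxy disabled. Restart the browser for the change to take effect."
    } else {
        Write-Host "Re-run with -Remove to disable it, or clear it under Internet Options > Connections > LAN settings."
    }
} elseif ($proxyEnable -eq 1) {
    Write-Host "A proxy is enabled ($proxyServer). If you did not set one yourself, treat it as suspicious."
} else {
    Write-Host "No manual proxy configured for this user."
}

if ($autoConfigUrl) {
    Write-Warning "An automatic configuration script is set ($autoConfigUrl); verify that you expect it."
}
```

Run it once without -Remove to see what is set; the report is enough to answer the moderator's question, and clearing the value is left behind a switch so nothing changes on a machine you are only inspecting. Because the malware in this thread re-applies its changes after a reboot, a proxy that comes back after being cleared is itself a useful sign that the component setting it has not been removed yet.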

Re: Windows Repair

Postby stephuk » Mon Apr 11, 2011 10:53 am

Hi, thanks for the advice re the internet. The proxy box was checked, you were right! Now it works.

Re Malwarebytes, even with the name change it still freezes eventually; I never managed to complete a full scan.
SuperAntiSpyware picked up on more adware tracking cookies but that's all.
Please see attached printscreen of AVG Virus Vault.

PS- have you received my email with the "catch me" attachment?


I still have the "what program do you want to use for this file" message at start up and random websites in my History when I look at it. Also have script errors, similar to the one I described earlier (with url www24.glam or something different)
stephuk
 
Posts: 44
Joined: Thu Mar 31, 2011 3:44 pm

Re: Windows Repair

Postby 12056 » Mon Apr 11, 2011 3:14 pm

Looks like AVG is cleaning house...
Is there an option to export the quarantined files?
If so, place them all in a folder, ZIP them, and e-mail it to me: trappmanrhett@fastmail.fm


Glad you removed the proxy....
No I haven't received the "catchme" file, but it was created by Combofix's GMER utility (rootkit scan), not harmful.


Try running this tool...here!
Rhett Trappman
MyAntispyware.com Forum Security Team and Moderator
12056
 
Posts: 860
Joined: Sun Apr 25, 2010 9:57 pm

Re: Windows Repair

Postby stephuk » Mon Apr 11, 2011 4:28 pm

I've downloaded the Microsoft tool but it didn't find anything suspicious.

I had to download it from my other computer as the web page wouldn't load on the Microsoft website, i.e. the download wouldn't start. It happened as well when I used the PC Analyzer tool in AVG - after the scan it is required to click on "Fix" which should open a webpage then a download, but the download wouldn't start.

There are no options for exporting the quarantined files I'm afraid :(

Whilst Microsoft Malicious Software Tool was scanning, script errors came up again and random noises/sounds. On one of them I could hear the name of a website (apparently it was a video on how to make chicken curry!), can't remember what it was but with "video" in the name and I checked History and could see it there.

Dunno what else to do. I've tried running AVG again but it froze and crashed the computer. After restart the "firewall" has been turned Off and I couldn't switch it back on (either through Windows Security or directly through AVG). Another restart and it's back On.
stephuk
 
Posts: 44
Joined: Thu Mar 31, 2011 3:44 pm

Re: Windows Repair

Postby 12056 » Mon Apr 11, 2011 10:38 pm

Wow, this malware must be hidden deep!

Please download OTL from here.
* Save it to your desktop.
* Double click on the icon on your desktop.
* Click the "Scan All Users" checkbox.
* Push the "Run Scan" button.
* The scan should take just a few minutes.
* Two reports will open (OTL.txt and Extra.txt).

Post back with both OTL logs. Post each log in a separate post.
Rhett Trappman
MyAntispyware.com Forum Security Team and Moderator
12056
 
Posts: 860
Joined: Sun Apr 25, 2010 9:57 pm

Re: Windows Repair

Postby stephuk » Tue Apr 12, 2011 8:19 am

OTL.txt


OTL logfile created on: 12/04/2011 09:11:27 - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\Lee & Steph\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19019)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 86.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 96.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 139.15 Gb Total Space | 34.91 Gb Free Space | 25.09% Space Free | Partition Type: NTFS
Drive D: | 142.94 Gb Total Space | 13.96 Gb Free Space | 9.77% Space Free | Partition Type: NTFS

Computer Name: LEESTEPH-PC | User Name: Lee & Steph | Logged in as Administrator.
Boot Mode: SafeMode | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/12 09:04:18 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Lee & Steph\Desktop\OTL.exe
PRC - [2009/04/11 07:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/01/21 03:24:02 | 000,498,176 | ---- | M] (Microsoft Corporation) -- C:\Windows\HelpPane.exe


========== Modules (SafeList) ==========

MOD - [2011/04/12 09:04:18 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Lee & Steph\Desktop\OTL.exe
MOD - [2010/08/31 16:43:52 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (McSysmon)
SRV - File not found [Unknown | Stopped] -- -- (McShield)
SRV - [2011/03/18 08:11:02 | 000,947,528 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe -- (AVG Security Toolbar Service)
SRV - [2011/02/15 05:38:06 | 007,421,280 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Stopped] -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe -- (AVGIDSAgent)
SRV - [2011/02/08 05:33:42 | 000,269,520 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Stopped] -- C:\Program Files\AVG\AVG10\avgwdsvc.exe -- (avgwd)
SRV - [2011/02/08 05:33:40 | 002,707,512 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Stopped] -- C:\Program Files\AVG\AVG10\avgfws.exe -- (avgfws)
SRV - [2010/10/03 23:43:16 | 000,767,208 | ---- | M] (Trusteer Ltd.) [Auto | Stopped] -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe -- (RapportMgmtService)
SRV - [2010/08/24 10:38:18 | 000,092,008 | ---- | M] (TomTom) [Auto | Stopped] -- C:\Program Files\TomTom HOME\TomTomHOMEService.exe -- (TomTomHOMEService)
SRV - [2009/01/02 13:05:42 | 003,098,152 | ---- | M] (Kontiki Inc.) [Auto | Stopped] -- C:\Program Files\Kontiki\KService.exe -- (KService)
SRV - [2008/04/25 21:30:26 | 000,024,576 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Acer\Empowering Technology\Service\ETService.exe -- (ETService)
SRV - [2008/03/05 07:38:34 | 000,500,784 | ---- | M] (Egis Incorporated) [Auto | Stopped] -- C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe -- (eDataSecurity Service)
SRV - [2008/01/29 20:25:10 | 000,598,016 | ---- | M] () [Auto | Stopped] -- C:\Program Files\bin32\nSvcAppFlt.exe -- (ForceWare Intelligent Application Manager (IAM)) ForceWare Intelligent Application Manager (IAM)
SRV - [2008/01/29 20:24:46 | 000,163,840 | ---- | M] () [Auto | Stopped] -- C:\Program Files\bin32\nSvcIp.exe -- (nSvcIp)
SRV - [2008/01/26 02:49:04 | 000,269,448 | ---- | M] (CyberLink) [Auto | Stopped] -- C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe -- (Acer HomeMedia Connect Service)


========== Driver Services (SafeList) ==========

DRV - [2011/04/09 18:31:15 | 000,056,888 | ---- | M] (Trusteer Ltd.) [Kernel | System | Stopped] -- C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\25641\RapportCerberus_25641.sys -- (RapportCerberus_25641)
DRV - [2011/03/30 17:16:52 | 000,134,480 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\AVGIDSDriver.sys -- (AVGIDSDriver)
DRV - [2011/03/01 14:25:18 | 000,034,896 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Stopped] -- C:\Windows\System32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2011/02/22 08:12:38 | 000,022,992 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\AVGIDSEH.Sys -- (AVGIDSEH)
DRV - [2011/02/10 07:54:00 | 000,296,400 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\avgtdix.sys -- (Avgtdix)
DRV - [2011/02/10 07:53:30 | 000,028,624 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\AVGIDSShim.sys -- (AVGIDSShim)
DRV - [2011/02/10 07:53:28 | 000,024,144 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\AVGIDSFilter.sys -- (AVGIDSFilter)
DRV - [2011/01/19 04:32:56 | 000,032,464 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\system32\DRIVERS\avgrkx86.sys -- (Avgrkx86)
DRV - [2011/01/07 06:41:46 | 000,248,656 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2010/10/03 23:43:44 | 000,169,320 | ---- | M] (Trusteer Ltd.) [Kernel | System | Stopped] -- C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys -- (RapportPG)
DRV - [2010/10/03 23:43:44 | 000,059,240 | ---- | M] (Trusteer Ltd.) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\RapportKELL.sys -- (RapportKELL)
DRV - [2010/07/12 04:34:02 | 000,054,112 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\avgfwd6x.sys -- (Avgfwfd)
DRV - [2010/06/27 15:07:12 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/03/13 14:31:23 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV)
DRV - [2010/03/13 14:31:22 | 000,012,872 | ---- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2010/02/27 11:18:51 | 000,390,528 | ---- | M] (Trusteer Ltd.) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\RapportBuka.sys -- (RapportBuka)
DRV - [2010/01/12 12:03:34 | 011,586,280 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2009/09/14 11:31:48 | 000,087,536 | ---- | M] (CyberLink Corp.) [2010/02/27 11:46:24] [Kernel | Auto | Stopped] -- C:\Program Files\Acer Arcade Live\Acer PlayMovie\000.fcl -- ({49DE1C67-83F8-4102-99E0-C16DCC7EEC796})
DRV - [2009/09/02 19:27:45 | 000,005,632 | ---- | M] () [File_System | System | Stopped] -- C:\Windows\System32\drivers\StarOpen.sys -- (StarOpen)
DRV - [2008/09/29 17:12:04 | 000,012,832 | ---- | M] (Acer, Inc.) [Kernel | Auto | Stopped] -- C:\Windows\System32\drivers\int15.sys -- (int15)
DRV - [2008/04/22 01:49:00 | 000,043,552 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nvhda32v.sys -- (NVHDA)
DRV - [2008/03/20 05:11:52 | 000,103,680 | ---- | M] (AMOI Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\S2usbser.sys -- (S2usbser)
DRV - [2008/01/29 06:55:00 | 001,042,464 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
DRV - [2008/01/25 13:02:02 | 000,140,832 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\nvstor32.sys -- (nvstor32)
DRV - [2007/10/12 09:53:10 | 000,013,312 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvsmu.sys -- (nvsmu)
DRV - [2007/05/02 11:11:18 | 000,109,704 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ss_mdm.sys -- (ss_mdm)
DRV - [2007/05/02 11:11:18 | 000,015,112 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ss_mdfl.sys -- (ss_mdfl)
DRV - [2007/05/02 11:11:16 | 000,083,592 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ss_bus.sys -- (ss_bus) SAMSUNG Mobile USB Device 1.0 driver (WDM)
DRV - [2007/02/03 10:32:36 | 000,041,504 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2007/02/03 10:25:56 | 001,075,360 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\Camdrl.sys -- (CamDrL) Logitech QuickCam Pro 3000(CamDrl)
DRV - [2006/11/16 14:36:28 | 000,020,480 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\DNISP50.sys -- (DNISp50)
DRV - [2006/11/16 14:36:18 | 000,021,504 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\DNIMP50.sys -- (DNIMp50)
DRV - [2005/09/05 11:21:06 | 000,362,944 | ---- | M] (NETGEAR, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\WG11TND5.sys -- (AR5523)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com


IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2900729692-2678787737-2178929654-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://global.acer.com [binary data]
IE - HKU\S-1-5-21-2900729692-2678787737-2178929654-1000\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-2900729692-2678787737-2178929654-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/?ocid=getmsn
IE - HKU\S-1-5-21-2900729692-2678787737-2178929654-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 2
IE - HKU\S-1-5-21-2900729692-2678787737-2178929654-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2900729692-2678787737-2178929654-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
IE - HKU\S-1-5-21-2900729692-2678787737-2178929654-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:50545

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: MapShare-status@tomtom.com:1.7
FF - prefs.js..extensions.enabledItems: baseTheme@tomtom.com:1.0.2

FF - HKLM\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG10\Firefox4\ [2011/04/10 15:28:26 | 000,000,000 | ---D | M]

[2009/07/24 12:49:10 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Lee & Steph\AppData\Roaming\Mozilla\Extensions
[2009/07/24 12:49:10 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Lee & Steph\AppData\Roaming\Mozilla\Extensions\home2@tomtom.com
[2010/10/06 18:32:06 | 000,000,000 | ---D | M] (Map status indicator) -- C:\PROGRAM FILES\TOMTOM HOME\XUL\EXTENSIONS\MAPSHARE-STATUS@TOMTOM.COM

O1 HOSTS File: ([2011/04/10 09:30:50 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll (Egis Incorporated.)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
O3 - HKU\S-1-5-21-2900729692-2678787737-2178929654-1000\..\Toolbar\ShellBrowser: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll (Egis Incorporated.)
O3 - HKU\S-1-5-21-2900729692-2678787737-2178929654-1000\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [Acer Empowering Technology Monitor] C:\Program Files\Acer\Empowering Technology\SysMonitor.exe ()
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [eDataSecurity Loader] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe (Egis Incorporated)
O4 - HKLM..\Run: [EmpoweringTechnology] File not found
O4 - HKLM..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe (Kontiki Inc.)
O4 - HKLM..\Run: [PCMMediaSharing] C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe ()
O4 - HKLM..\Run: [PlayMovie] C:\Program Files\Acer Arcade Live\Acer PlayMovie\PMVService.exe (CyberLink Corp.)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKU\S-1-5-21-2900729692-2678787737-2178929654-1000..\Run: [conhost] C:\Users\Lee & Steph\AppData\Roaming\Microsoft\conhost.exe ()
O4 - HKU\S-1-5-21-2900729692-2678787737-2178929654-1000..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe (Kontiki Inc.)
O4 - HKU\S-1-5-21-2900729692-2678787737-2178929654-1000..\Run: [TomTomHOME.exe] C:\Program Files\TomTom HOME\TomTomHOMERunner.exe (TomTom)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2900729692-2678787737-2178929654-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2900729692-2678787737-2178929654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O7 - HKU\S-1-5-21-2900729692-2678787737-2178929654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll (Google Inc.)
O9 - Extra Button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - Reg Error: Value error. File not found
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\System32\nvLsp.dll (NVIDIA)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\System32\nvLsp.dll (NVIDIA)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Windows\System32\nvLsp.dll (NVIDIA)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\Windows\System32\nvLsp.dll (NVIDIA)
O15 - HKU\S-1-5-21-2900729692-2678787737-2178929654-1000\..Trusted Domains: localhost ([]http in Local intranet)
O15 - HKU\S-1-5-21-2900729692-2678787737-2178929654-1000\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/200 ... oader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail.com/mail/w3/resourc ... dfr-fr.cab (MSN Photo Upload Tool)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/200 ... ader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/s ... wflash.cab (Shockwave Flash Object)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx1.hotmail.com/mail/w4/pr01/ph ... dfr-fr.cab (Windows Live Hotmail Photo Upload Tool)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.165.172,93.188.160.232
O18 - Protocol\Handler\avgsecuritytoolbar {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O24 - Desktop WallPaper: C:\Users\Lee & Steph\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Lee & Steph\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgchsvx.exe /sync) - C:\Program Files\AVG\AVG10\avgchsvx.exe (AVG Technologies CZ, s.r.o.)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgrsx.exe /sync /restart) - C:\Program Files\AVG\AVG10\avgrsx.exe (AVG Technologies CZ, s.r.o.)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/04/12 09:06:05 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Users\Lee & Steph\Desktop\OTL.exe
[2011/04/12 09:05:21 | 000,000,000 | ---D | C] -- C:\Users\Lee & Steph\AppData\Local\{E8B1668D-82DC-4467-B326-2D386D99C98B}
[2011/04/11 17:36:59 | 000,000,000 | ---D | C] -- C:\Users\Lee & Steph\AppData\Roaming\AVG
[2011/04/11 17:35:50 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG PC Tuneup 2011
[2011/04/11 17:35:01 | 007,592,248 | ---- | C] (AVG ) -- C:\Users\Lee & Steph\Desktop\avg_pct_stf_all_2011_24_c5.exe
[2011/04/11 17:00:34 | 012,502,472 | ---- | C] (Microsoft Corporation) -- C:\Users\Lee & Steph\Desktop\windows-kb890830-v3.17.exe
[2011/04/11 09:36:57 | 000,000,000 | ---D | C] -- C:\Users\Lee & Steph\AppData\Local\{1F2157AA-01A4-4ACD-90CC-F01E269CA3B5}
[2011/04/10 20:08:53 | 000,000,000 | -H-D | C] -- C:\$AVG
[2011/04/10 15:29:57 | 000,000,000 | ---D | C] -- C:\Users\Lee & Steph\AppData\Roaming\AVG10
[2011/04/10 15:28:55 | 000,000,000 | -H-D | C] -- C:\ProgramData\Common Files
[2011/04/10 15:28:44 | 000,000,000 | ---D | C] -- C:\ProgramData\AVG Security Toolbar
[2011/04/10 15:28:29 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG 2011
[2011/04/10 15:26:43 | 000,000,000 | ---D | C] -- C:\Windows\System32\drivers\AVG
[2011/04/10 15:26:42 | 000,000,000 | ---D | C] -- C:\ProgramData\AVG10
[2011/04/10 15:25:35 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2011/04/10 14:00:59 | 000,000,000 | ---D | C] -- C:\ProgramData\MFAData
[2011/04/10 14:00:34 | 005,497,592 | ---- | C] (AVG Technologies) -- C:\Users\Lee & Steph\Desktop\avg_free_stb_all_2011_1321_cnet.exe
[2011/04/10 09:30:52 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN
[2011/04/10 09:30:30 | 000,000,000 | --SD | C] -- C:\Windows\System32\Microsoft
[2011/04/10 09:29:29 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2011/04/10 09:21:30 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2011/04/10 09:15:47 | 000,000,000 | ---D | C] -- C:\Users\Lee & Steph\AppData\Local\{1323F1E6-766D-4D5C-9F89-A11DFE5776FE}
[2011/04/09 21:04:24 | 000,000,000 | ---D | C] -- C:\Users\Lee & Steph\Desktop\fixshell
[2011/04/09 18:32:45 | 000,000,000 | ---D | C] -- C:\Users\Lee & Steph\AppData\Local\{3D1DB50A-0A29-4553-B417-69945051DBCA}
[2011/04/07 17:38:27 | 000,566,272 | ---- | C] (AVAST Software) -- C:\Users\Lee & Steph\Desktop\aswMBR.exe
[2011/04/07 17:38:27 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Users\Lee & Steph\Desktop\TFC.exe
[2011/04/07 17:03:49 | 000,000,000 | ---D | C] -- C:\Users\Lee & Steph\AppData\Roaming\Okyn
[2011/04/06 18:10:06 | 000,000,000 | ---D | C] -- C:\Users\Lee & Steph\AppData\Local\{139499EC-8634-49F4-98A5-0F902EB39F85}
[2011/04/04 16:36:51 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2011/04/04 16:36:51 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/04/04 16:36:48 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/04/03 14:27:27 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2011/04/03 14:27:27 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2011/04/03 14:27:27 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2011/04/03 14:27:21 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/04/03 14:27:11 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/04/03 14:23:20 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HijackThis
[2011/04/03 14:23:19 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/04/03 14:23:11 | 000,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Users\Lee & Steph\Desktop\HJTInstall.exe
[2011/03/31 21:11:13 | 000,000,000 | ---D | C] -- C:\Users\Lee & Steph\AppData\Local\{7BE2E80F-61A7-440E-A0D7-0C7917860E14}
[2011/03/31 17:03:31 | 000,000,000 | ---D | C] -- C:\Users\Lee & Steph\AppData\Roaming\Malwarebytes
[2011/03/31 17:03:23 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011/03/31 17:02:45 | 007,734,208 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Lee & Steph\Desktop\mbam-setup-1.50.1.1100.exe
[2011/03/31 16:28:27 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Users\Lee & Steph\Desktop\HiJackThis.exe
[2011/03/30 18:26:21 | 000,000,000 | ---D | C] -- C:\Users\Lee & Steph\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Repair
[2011/03/30 17:16:52 | 000,134,480 | ---- | C] (AVG Technologies CZ, s.r.o. ) -- C:\Windows\System32\drivers\AVGIDSDriver.sys
[2011/03/27 17:14:34 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
[2011/03/23 17:26:28 | 001,068,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\DWrite.dll
[2011/03/23 17:26:28 | 000,288,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XpsGdiConverter.dll
[2011/03/15 17:39:10 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2011/03/15 17:38:32 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2011/03/15 17:38:30 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2011/03/15 17:35:17 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2011/03/14 19:22:48 | 000,000,000 | ---D | C] -- C:\Users\Lee & Steph\AppData\Roaming\gtk-2.0
[2011/03/14 19:22:38 | 000,000,000 | ---D | C] -- C:\Users\Lee & Steph\.thumbnails
[2011/03/14 19:00:24 | 000,000,000 | ---D | C] -- C:\Users\Lee & Steph\.gimp-2.6
[2011/03/14 19:00:23 | 000,000,000 | ---D | C] -- C:\Users\Lee & Steph\Documents\gegl-0.0
[2011/03/14 19:00:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GIMP
[2011/03/14 18:59:59 | 000,000,000 | ---D | C] -- C:\Program Files\GIMP-2.0
[2010/03/24 17:42:46 | 000,047,360 | ---- | C] (VSO Software) -- C:\Users\Lee & Steph\AppData\Roaming\pcouffin.sys
[2008/07/22 09:01:25 | 000,049,152 | ---- | C] ( ) -- C:\Windows\Interop.IWshRuntimeLibrary.dll

========== Files - Modified Within 30 Days ==========

[2011/04/12 09:10:35 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/04/12 09:04:50 | 000,000,880 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/04/12 09:04:18 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Lee & Steph\Desktop\OTL.exe
[2011/04/12 09:00:18 | 000,003,216 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/04/12 09:00:18 | 000,003,216 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/04/12 09:00:16 | 000,035,465 | ---- | M] () -- C:\ProgramData\nvModes.001
[2011/04/11 18:27:28 | 000,008,592 | ---- | M] () -- C:\Users\Lee & Steph\AppData\Local\d3d9caps.dat
[2011/04/11 18:01:01 | 000,677,432 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/04/11 18:01:01 | 000,142,278 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/04/11 17:35:51 | 000,000,974 | ---- | M] () -- C:\Users\Lee & Steph\Desktop\AVG PC Tuneup 2011.lnk
[2011/04/11 17:30:38 | 007,592,248 | ---- | M] (AVG ) -- C:\Users\Lee & Steph\Desktop\avg_pct_stf_all_2011_24_c5.exe
[2011/04/11 17:00:06 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/04/11 16:58:48 | 012,502,472 | ---- | M] (Microsoft Corporation) -- C:\Users\Lee & Steph\Desktop\windows-kb890830-v3.17.exe
[2011/04/11 12:33:34 | 425,225,958 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/04/11 10:40:06 | 000,122,236 | ---- | M] () -- C:\Windows\System32\null0.47444498077582653.exe
[2011/04/11 10:40:00 | 000,000,000 | ---- | M] () -- C:\Windows\System32\null0.4357516266332162.exe
[2011/04/11 09:54:05 | 112,156,645 | ---- | M] () -- C:\Windows\System32\drivers\AVG\incavi.avm
[2011/04/10 15:37:03 | 000,649,963 | ---- | M] () -- C:\Windows\System32\drivers\AVG\iavifw.avm
[2011/04/10 15:36:12 | 000,001,300 | -HS- | M] () -- C:\Users\Lee & Steph\AppData\Local\ir806823nm0e02u0748c4iw4onj73w34x6m56pw625
[2011/04/10 15:36:12 | 000,001,300 | -HS- | M] () -- C:\ProgramData\ir806823nm0e02u0748c4iw4onj73w34x6m56pw625
[2011/04/10 15:36:07 | 000,001,308 | ---- | M] () -- C:\Users\Lee & Steph\AppData\Roaming\853A.054
[2011/04/10 15:28:30 | 000,000,834 | ---- | M] () -- C:\Users\Public\Desktop\AVG 2011.lnk
[2011/04/10 12:56:32 | 005,497,592 | ---- | M] (AVG Technologies) -- C:\Users\Lee & Steph\Desktop\avg_free_stb_all_2011_1321_cnet.exe
[2011/04/10 09:30:50 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2011/04/09 20:59:42 | 000,026,176 | ---- | M] () -- C:\Users\Lee & Steph\Desktop\fixshell.zip
[2011/04/09 20:37:57 | 000,011,048 | -HS- | M] () -- C:\Users\Lee & Steph\AppData\Local\545f402g3t77n8y03jgnenvv20
[2011/04/09 20:37:57 | 000,011,048 | -HS- | M] () -- C:\ProgramData\545f402g3t77n8y03jgnenvv20
[2011/04/09 19:56:38 | 001,006,778 | ---- | M] () -- C:\Users\Lee & Steph\Desktop\rkill.com
[2011/04/09 19:55:50 | 000,001,134 | ---- | M] () -- C:\Users\Lee & Steph\Desktop\FixNCR.reg
[2011/04/09 08:37:58 | 004,317,112 | R--- | M] () -- C:\Users\Lee & Steph\Desktop\ComboFix.exe
[2011/04/07 17:51:37 | 000,001,984 | -HS- | M] () -- C:\Users\Lee & Steph\AppData\Local\325cq8r6ceko405fg
[2011/04/07 17:51:37 | 000,001,984 | -HS- | M] () -- C:\ProgramData\325cq8r6ceko405fg
[2011/04/07 17:48:21 | 000,000,512 | ---- | M] () -- C:\Users\Lee & Steph\Documents\MBR.dat
[2011/04/07 17:18:42 | 000,566,272 | ---- | M] (AVAST Software) -- C:\Users\Lee & Steph\Desktop\aswMBR.exe
[2011/04/07 17:18:06 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Users\Lee & Steph\Desktop\TFC.exe
[2011/04/03 14:23:20 | 000,001,878 | ---- | M] () -- C:\Users\Lee & Steph\Desktop\HijackThis.lnk
[2011/04/03 14:18:03 | 000,011,828 | -HS- | M] () -- C:\Users\Lee & Steph\AppData\Local\241s311368gdrya16d3481o43nc8ucw704
[2011/04/03 14:18:03 | 000,011,828 | -HS- | M] () -- C:\ProgramData\241s311368gdrya16d3481o43nc8ucw704
[2011/04/03 14:12:08 | 007,734,208 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Lee & Steph\Desktop\mbam-setup-1.50.1.1100.exe
[2011/04/03 14:10:28 | 000,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Users\Lee & Steph\Desktop\HJTInstall.exe
[2011/03/31 21:16:09 | 000,012,050 | -HS- | M] () -- C:\Users\Lee & Steph\AppData\Local\7a3d8u8784tdd04w7i4a1pj
[2011/03/31 21:16:09 | 000,012,050 | -HS- | M] () -- C:\ProgramData\7a3d8u8784tdd04w7i4a1pj
[2011/03/31 16:28:30 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Users\Lee & Steph\Desktop\HiJackThis.exe
[2011/03/30 19:08:25 | 000,000,144 | ---- | M] () -- C:\ProgramData\~43835144r
[2011/03/30 19:08:25 | 000,000,112 | ---- | M] () -- C:\ProgramData\~43835144
[2011/03/30 18:26:05 | 000,000,336 | ---- | M] () -- C:\ProgramData\43835144
[2011/03/30 18:01:00 | 000,035,465 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2011/03/30 17:16:52 | 000,134,480 | ---- | M] (AVG Technologies CZ, s.r.o. ) -- C:\Windows\System32\drivers\AVGIDSDriver.sys
[2011/03/26 17:23:56 | 000,004,724 | ---- | M] () -- C:\Users\Lee & Steph\.recently-used.xbel
[2011/03/26 11:02:17 | 000,001,975 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2011/03/15 17:39:10 | 000,001,668 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2011/03/14 19:00:16 | 000,000,904 | ---- | M] () -- C:\Users\Public\Desktop\GIMP 2.lnk

========== Files Created - No Company Name ==========

[2011/04/11 17:35:51 | 000,000,974 | ---- | C] () -- C:\Users\Lee & Steph\Desktop\AVG PC Tuneup 2011.lnk
[2011/04/11 10:40:00 | 000,122,236 | ---- | C] () -- C:\Windows\System32\null0.47444498077582653.exe
[2011/04/11 10:40:00 | 000,000,000 | ---- | C] () -- C:\Windows\System32\null0.4357516266332162.exe
[2011/04/11 09:54:05 | 112,156,645 | ---- | C] () -- C:\Windows\System32\drivers\AVG\incavi.avm
[2011/04/10 15:37:03 | 000,649,963 | ---- | C] () -- C:\Windows\System32\drivers\AVG\iavifw.avm
[2011/04/10 15:36:12 | 000,001,300 | -HS- | C] () -- C:\Users\Lee & Steph\AppData\Local\ir806823nm0e02u0748c4iw4onj73w34x6m56pw625
[2011/04/10 15:36:12 | 000,001,300 | -HS- | C] () -- C:\ProgramData\ir806823nm0e02u0748c4iw4onj73w34x6m56pw625
[2011/04/10 15:35:22 | 000,001,308 | ---- | C] () -- C:\Users\Lee & Steph\AppData\Roaming\853A.054
[2011/04/10 15:28:30 | 000,000,834 | ---- | C] () -- C:\Users\Public\Desktop\AVG 2011.lnk
[2011/04/09 21:03:50 | 000,026,176 | ---- | C] () -- C:\Users\Lee & Steph\Desktop\fixshell.zip
[2011/04/09 20:05:39 | 000,001,134 | ---- | C] () -- C:\Users\Lee & Steph\Desktop\FixNCR.reg
[2011/04/09 18:39:45 | 000,011,048 | -HS- | C] () -- C:\Users\Lee & Steph\AppData\Local\545f402g3t77n8y03jgnenvv20
[2011/04/09 18:39:45 | 000,011,048 | -HS- | C] () -- C:\ProgramData\545f402g3t77n8y03jgnenvv20
[2011/04/09 09:00:51 | 004,317,112 | R--- | C] () -- C:\Users\Lee & Steph\Desktop\ComboFix.exe
[2011/04/07 17:51:08 | 000,001,984 | -HS- | C] () -- C:\Users\Lee & Steph\AppData\Local\325cq8r6ceko405fg
[2011/04/07 17:51:08 | 000,001,984 | -HS- | C] () -- C:\ProgramData\325cq8r6ceko405fg
[2011/04/07 17:47:43 | 000,000,512 | ---- | C] () -- C:\Users\Lee & Steph\Documents\MBR.dat
[2011/04/03 14:27:27 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2011/04/03 14:27:27 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/04/03 14:27:27 | 000,089,088 | ---- | C] () -- C:\Windows\MBR.exe
[2011/04/03 14:27:27 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/04/03 14:27:27 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/04/03 14:23:20 | 000,001,878 | ---- | C] () -- C:\Users\Lee & Steph\Desktop\HijackThis.lnk
[2011/04/02 19:37:59 | 000,011,828 | -HS- | C] () -- C:\Users\Lee & Steph\AppData\Local\241s311368gdrya16d3481o43nc8ucw704
[2011/04/02 19:37:59 | 000,011,828 | -HS- | C] () -- C:\ProgramData\241s311368gdrya16d3481o43nc8ucw704
[2011/03/31 21:14:04 | 000,012,050 | -HS- | C] () -- C:\Users\Lee & Steph\AppData\Local\7a3d8u8784tdd04w7i4a1pj
[2011/03/31 21:14:04 | 000,012,050 | -HS- | C] () -- C:\ProgramData\7a3d8u8784tdd04w7i4a1pj
[2011/03/31 16:52:50 | 001,006,778 | ---- | C] () -- C:\Users\Lee & Steph\Desktop\rkill.com
[2011/03/30 18:26:46 | 000,000,144 | ---- | C] () -- C:\ProgramData\~43835144r
[2011/03/30 18:26:46 | 000,000,112 | ---- | C] () -- C:\ProgramData\~43835144
[2011/03/30 18:26:05 | 000,000,336 | ---- | C] () -- C:\ProgramData\43835144
[2011/03/26 17:23:56 | 000,004,724 | ---- | C] () -- C:\Users\Lee & Steph\.recently-used.xbel
[2011/03/15 17:39:10 | 000,001,668 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2011/03/14 19:00:16 | 000,000,904 | ---- | C] () -- C:\Users\Public\Desktop\GIMP 2.lnk
[2010/10/06 18:14:13 | 000,000,120 | ---- | C] () -- C:\Users\Lee & Steph\AppData\Local\Qqixunoses.dat
[2010/10/06 18:14:13 | 000,000,000 | ---- | C] () -- C:\Users\Lee & Steph\AppData\Local\Xkokomobun.bin
[2010/04/21 16:17:59 | 000,012,622 | -HS- | C] () -- C:\Users\Lee & Steph\AppData\Local\4L05Y3527I
[2010/04/21 16:17:59 | 000,012,622 | -HS- | C] () -- C:\ProgramData\4L05Y3527I
[2010/04/17 11:30:26 | 000,035,465 | ---- | C] () -- C:\ProgramData\nvModes.001
[2010/04/17 11:30:24 | 000,035,465 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2010/04/01 11:29:27 | 000,010,616 | -HS- | C] () -- C:\Users\Lee & Steph\AppData\Local\0S70
[2010/04/01 11:29:27 | 000,010,616 | -HS- | C] () -- C:\ProgramData\0S70
[2010/03/24 17:42:46 | 000,087,608 | ---- | C] () -- C:\Users\Lee & Steph\AppData\Roaming\inst.exe
[2010/03/24 17:42:46 | 000,007,887 | ---- | C] () -- C:\Users\Lee & Steph\AppData\Roaming\pcouffin.cat
[2010/03/24 17:42:46 | 000,001,144 | ---- | C] () -- C:\Users\Lee & Steph\AppData\Roaming\pcouffin.inf
[2010/03/21 15:44:42 | 000,000,107 | ---- | C] () -- C:\Windows\IfoEdit.INI
[2010/01/30 18:09:19 | 000,000,023 | ---- | C] () -- C:\Windows\System32\PCSuiteConfigFile.ini
[2010/01/30 18:09:19 | 000,000,000 | ---- | C] () -- C:\Windows\System32\PCSuiteShareFile.ini
[2010/01/30 18:09:19 | 000,000,000 | ---- | C] () -- C:\Windows\System32\PCSuiteParamFile.ini
[2010/01/28 18:03:39 | 000,000,000 | ---- | C] () -- C:\Windows\JCMKR32.INI
[2010/01/19 17:30:53 | 000,124,516 | ---- | C] () -- C:\Windows\System32\mlfcache.dat
[2009/12/08 21:24:24 | 000,000,031 | ---- | C] () -- C:\Windows\UKCpInfo.sys
[2009/10/20 18:30:34 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/10/20 18:30:34 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2009/10/17 17:00:02 | 000,000,783 | ---- | C] () -- C:\Windows\NTIWVEDT.INI
[2009/09/02 20:40:25 | 000,001,038 | ---- | C] () -- C:\Users\Lee & Steph\AppData\Roaming\filterclsid.dat
[2009/09/02 19:29:57 | 000,000,000 | ---- | C] () -- C:\ProgramData\LauncherAccess.dt
[2009/09/02 19:17:07 | 000,005,632 | ---- | C] () -- C:\Windows\System32\drivers\StarOpen.sys
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\Windows\System32\OGAEXEC.exe
[2009/05/27 10:48:43 | 000,000,235 | ---- | C] () -- C:\Users\Lee & Steph\AppData\Roaming\devices.xml
[2009/05/27 10:48:43 | 000,000,012 | ---- | C] () -- C:\Users\Lee & Steph\AppData\Roaming\settings.xml
[2009/05/27 10:25:09 | 000,016,622 | ---- | C] () -- C:\Windows\hpomdl01.dat
[2009/05/26 13:17:12 | 000,000,268 | R--- | C] () -- C:\ProgramData\Importer
[2009/05/26 13:17:12 | 000,000,268 | R--- | C] () -- C:\Users\Lee & Steph\AppData\Roaming\Image Capture
[2009/05/26 13:17:12 | 000,000,020 | ---- | C] () -- C:\ProgramData\PKP_DLdu.DAT
[2009/05/05 18:14:56 | 000,180,224 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2009/05/04 10:49:06 | 000,000,056 | ---- | C] () -- C:\ProgramData\ezsidmv.dat
[2009/05/03 09:38:46 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2009/05/02 21:39:18 | 000,141,312 | ---- | C] () -- C:\Users\Lee & Steph\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/05/02 20:10:35 | 000,651,264 | ---- | C] () -- C:\Windows\System32\libeay32.dll
[2009/05/02 20:10:35 | 000,192,512 | R--- | C] () -- C:\Windows\System32\AegisI5.exe
[2009/05/02 20:10:35 | 000,149,392 | ---- | C] () -- C:\Windows\System32\drivers\ar5523.bin
[2009/05/02 20:10:35 | 000,147,456 | ---- | C] () -- C:\Windows\System32\ssleay32.dll
[2009/05/02 19:38:20 | 000,008,592 | ---- | C] () -- C:\Users\Lee & Steph\AppData\Local\d3d9caps.dat
[2008/04/30 19:33:11 | 000,001,024 | R--- | C] () -- C:\Windows\System32\NTIOFM4.dll
[2008/04/30 19:33:11 | 000,001,024 | R--- | C] () -- C:\Windows\System32\NTIBUN5.dll
[2008/04/30 19:03:09 | 000,487,424 | ---- | C] () -- C:\Windows\System32\INT15.dll
[2008/04/30 18:53:50 | 000,001,694 | ---- | C] () -- C:\Windows\RtDefLvl.ini
[2008/04/30 18:53:50 | 000,000,520 | ---- | C] () -- C:\Windows\System32\drivers\RTEQEX0.dat
[2008/04/30 18:53:50 | 000,000,008 | ---- | C] () -- C:\Windows\System32\drivers\rtkhdaud.dat
[2008/04/30 18:41:55 | 000,003,948 | ---- | C] () -- C:\Windows\System32\drivers\nvphy.bin
[2007/02/03 08:59:04 | 000,050,127 | ---- | C] () -- C:\Windows\System32\lvcoinst.ini
[2006/11/02 13:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 13:47:37 | 000,298,040 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 13:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 11:33:01 | 000,677,432 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 11:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 11:33:01 | 000,142,278 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 11:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 11:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 09:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 09:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 08:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 08:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/10/11 08:38:13 | 000,000,042 | ---- | C] () -- C:\Windows\Acer(Wide).ini
[2006/10/11 08:38:12 | 000,000,044 | ---- | C] () -- C:\Windows\Acer(Normal).ini
[2003/04/05 13:33:26 | 000,020,475 | ---- | C] () -- C:\Windows\hpoins01.dat
[2001/12/27 00:12:30 | 000,065,536 | ---- | C] () -- C:\Windows\System32\multiplex_vcd.dll
[2001/09/04 07:46:38 | 000,110,592 | ---- | C] () -- C:\Windows\System32\Hmpg12.dll
[2001/07/31 00:33:56 | 000,118,784 | ---- | C] () -- C:\Windows\System32\HMPV2_ENC.dll
[2001/07/24 06:04:36 | 000,118,784 | ---- | C] () -- C:\Windows\System32\HMPV2_ENC_MMX.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 146 bytes -> C:\ProgramData\TEMP:0B4227B4
@Alternate Data Stream - 120 bytes -> C:\ProgramData\TEMP:FB1B13D8

< End of report >
stephuk
 
Posts: 44
Joined: Thu Mar 31, 2011 3:44 pm
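What a helper reads out of an OTL listing like the one above is a handful of patterns rather than individual file names: hidden+system (`-HS-`) files with random-looking names dropped in pairs into `C:\ProgramData` and `...\AppData\Local` with identical size and creation time, and alternate data streams hanging off `C:\ProgramData\TEMP`. The Python below is an added example, not part of the original post and not code from OTL or this forum: it parses entries in the OTL `[timestamp | size | attrs | C] () -- path` format (the sample lines are copied from the log above) and applies those three triage heuristics. The regex, the `looks_random` test, the `DATA_DIRS` list and the tiering are this example's own assumptions, and its output is a list of things worth a closer look, not a verdict on any file.

```python
"""Triage heuristics for OTL-style "Files Created" listings (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# One OTL file entry: [YYYY/MM/DD HH:MM:SS | 000,011,828 | -HS- | C] () -- C:\path
ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[A-Z-]{4}) \| (?P<kind>[CM])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)
# One OTL ADS entry: @Alternate Data Stream - 146 bytes -> C:\ProgramData\TEMP:0B4227B4
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+)$")

# Directories where the paired drops in the log above landed (assumption: the
# heuristic only looks directly under these, not in their subfolders).
DATA_DIRS = ("\\ProgramData", "\\AppData\\Local")

# Constructed sample: lines copied from the posted log, including two legitimate
# same-size pairs (nvModes.*, Importer/Image Capture) as false-positive checks.
SAMPLE_LOG = r"""
[2011/04/02 19:37:59 | 000,011,828 | -HS- | C] () -- C:\Users\Lee & Steph\AppData\Local\241s311368gdrya16d3481o43nc8ucw704
[2011/04/02 19:37:59 | 000,011,828 | -HS- | C] () -- C:\ProgramData\241s311368gdrya16d3481o43nc8ucw704
[2011/03/31 21:14:04 | 000,012,050 | -HS- | C] () -- C:\Users\Lee & Steph\AppData\Local\7a3d8u8784tdd04w7i4a1pj
[2011/03/31 21:14:04 | 000,012,050 | -HS- | C] () -- C:\ProgramData\7a3d8u8784tdd04w7i4a1pj
[2010/04/21 16:17:59 | 000,012,622 | -HS- | C] () -- C:\Users\Lee & Steph\AppData\Local\4L05Y3527I
[2010/04/21 16:17:59 | 000,012,622 | -HS- | C] () -- C:\ProgramData\4L05Y3527I
[2010/04/17 11:30:26 | 000,035,465 | ---- | C] () -- C:\ProgramData\nvModes.001
[2010/04/17 11:30:24 | 000,035,465 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2009/05/26 13:17:12 | 000,000,268 | R--- | C] () -- C:\ProgramData\Importer
[2009/05/26 13:17:12 | 000,000,268 | R--- | C] () -- C:\Users\Lee & Steph\AppData\Roaming\Image Capture
[2006/11/02 13:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
@Alternate Data Stream - 146 bytes -> C:\ProgramData\TEMP:0B4227B4
@Alternate Data Stream - 120 bytes -> C:\ProgramData\TEMP:FB1B13D8
"""


@dataclass(frozen=True)
class Entry:
    ts: str
    size: int
    attrs: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def parent(self) -> str:
        return self.path.rsplit("\\", 1)[0]


def parse_entry(line: str):
    """Return an Entry for an OTL file line, or None for anything else."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return Entry(m["ts"], int(m["size"].replace(",", "")), m["attrs"], m["path"])


def looks_random(name: str) -> bool:
    # Assumption: a data file with no extension that mixes letters and digits
    # ("4L05Y3527I", "0S70") is unusual enough to deserve a look.
    return ("." not in name and len(name) >= 4
            and any(c.isalpha() for c in name) and any(c.isdigit() for c in name))


def is_hidden_system(e: Entry) -> bool:
    return "H" in e.attrs and "S" in e.attrs


def triage(lines):
    """Apply the three heuristics; returns lists of paths (and pairs) per tier."""
    entries = [e for e in map(parse_entry, lines) if e]
    ads_paths = [m["path"] for m in (ADS_RE.match(l.strip()) for l in lines) if m]

    # 1. hidden+system, random-looking name, directly under a data directory
    hidden_random = [e.path for e in entries
                     if is_hidden_system(e) and looks_random(e.name)
                     and e.parent.endswith(DATA_DIRS)]

    # 2. twins: identical size and creation time at two or more different paths
    by_key = defaultdict(list)
    for e in entries:
        by_key[(e.ts, e.size)].append(e.path)
    twins = [sorted(set(v)) for v in by_key.values() if len(set(v)) > 1]

    # 3. twins whose every member is also in tier 1: the strongest combined signal
    flagged = set(hidden_random)
    high = [group for group in twins if all(p in flagged for p in group)]

    return {"hidden_random": hidden_random, "twins": twins, "ads": ads_paths, "high": high}


if __name__ == "__main__":
    for tier, items in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{tier}: {len(items)}")
        for item in items:
            print("    ", item)
```

Run it as-is to print the tiers, or pass a saved OTL log through `triage(text.splitlines())`. The twin rule on its own also catches legitimate pairs (the two 268-byte imaging config files in the sample), which is why the `high` tier additionally requires every member to be hidden+system with a random-looking name; the `nvModes.*` pair is not a twin because the two timestamps differ by two seconds. The `-HS-` attributes and ADS entries are only what OTL recorded at scan time; on a live machine the streams on that folder can be listed with PowerShell 3.0 or later using `Get-Item -Path C:\ProgramData\TEMP -Stream *`, and the content with `Get-Content -Stream <name>`, before deciding what to remove.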
