
"Scanner" Virus

Discussion in 'Virus & Other Malware Removal' started by whowhodilly, Dec 24, 2010.

Thread Status:
Not open for further replies.
  1. whowhodilly

    whowhodilly Thread Starter

    Tonight I started receiving a bunch of popups saying I am low on memory, a damaged hard drive cluster has been detected, and my RAM memory usage is high. Soon after, I get a popup with a program called Scanner (shown in the screenshot), which then tells me I need to defrag. After I get the program closed I start getting a bunch more popups with numbers, and if I start closing them, eventually my computer will just restart. I was tempted to just wipe my hard drive and reinstall my operating system since I can not seem to get rid of it, but it would take me a while to back up all the files I need to save, so I was going to see if anyone has a solution to this problem.

    Any help is appreciated. Here are some screenshots along with a HijackThis log:


    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 1:14:05 AM, on 12/24/2010
    Platform: Windows 7 (WinNT 6.00.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16700)
    Boot mode: Normal

    Running processes:
    C:\Program Files (x86)\Steam\Steam.exe
    C:\Users\Marc\AppData\Local\Temp\tSfkTNduxrPpGPr.exe
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Users\Marc\AppData\Local\Temp\Adobelm_Cleanup.0001
    C:\Users\Marc\AppData\Local\Temp\Adobelm_Cleanup.0001
    C:\Users\Marc\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Marc\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Marc\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Marc\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Marc\Downloads\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F2 - REG:system.ini: UserInit=userinit.exe,
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKCU\..\Run: [Google Update] "C:\Users\Marc\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
    O4 - HKCU\..\Run: [tSfkTNduxrPpGPr.exe] C:\Users\Marc\AppData\Local\Temp\tSfkTNduxrPpGPr.exe
    O4 - HKCU\..\Run: [660289] C:\Users\Marc\AppData\Local\Temp\660289.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
    O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
    O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
    O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

    --
    End of file - 7513 bytes
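The two HKCU Run values in the log above that point into the user's Temp folder (tSfkTNduxrPpGPr.exe and 660289.exe) are the persistence of the fake "Scanner" utility. The following triage script is an added example, not part of the post or of HijackThis/OTL: it parses O4 Run entries in both the HijackThis form (`HKCU\..\Run:`) and the OTL form (`HKCU..\Run:`) and flags images that live in a user-writable temp directory, carry machine-generated names, or are orphaned (`File not found`). The sample log is constructed from the O4 lines of the post; the heuristic thresholds in `looks_random` are my own choice.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the O4 autorun lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [Google Update] "C:\Users\Marc\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
O4 - HKCU\..\Run: [tSfkTNduxrPpGPr.exe] C:\Users\Marc\AppData\Local\Temp\tSfkTNduxrPpGPr.exe
O4 - HKCU\..\Run: [660289] C:\Users\Marc\AppData\Local\Temp\660289.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
"""

# HijackThis writes "O4 - HKLM\..\Run: [name] cmd"; OTL writes "O4 - HKLM..\Run: [name] cmd".
# The backslash before ".." is therefore optional. Startup-folder O4 lines are not Run values
# and are skipped here.
O4_RUN = re.compile(r'^O4 - (HK(?:LM|CU))\\?\.\.\\(Run\w*): \[([^\]]*)\] (.*)$')

# Locations a standard user can write to; a Run value pointing here needs no admin rights to plant.
USER_WRITABLE = re.compile(r'(?i)(\\temp\\|\\tmp\\|%temp%)')

# Executable extensions used to cut the image path out of an unquoted command line.
EXE_EXT = re.compile(r'(?i)^(.+?\.(?:exe|com|scr|pif|bat|cmd|dll))(?=\s|$)')


@dataclass
class Autorun:
    hive: str
    key: str
    name: str
    image: str
    reasons: list = field(default_factory=list)


def image_path(command: str) -> str:
    """Extract the launched image from a Run value's command string (quoted or not)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = EXE_EXT.match(command)
    return m.group(1) if m else command.split()[0]


def looks_random(stem: str) -> bool:
    """Heuristic (assumed thresholds) for machine-generated file names:
    all digits, or a long name with many lower->upper humps or a long consonant run."""
    if stem.isdigit() and len(stem) >= 4:
        return True
    humps = sum(1 for a, b in zip(stem, stem[1:]) if a.islower() and b.isupper())
    runs = re.findall(r'(?i)[b-df-hj-np-tv-z]{3,}', stem)
    longest_run = max((len(r) for r in runs), default=0)
    return len(stem) >= 10 and (humps >= 4 or longest_run >= 5)


def analyze_autoruns(log_text: str) -> list:
    """Parse every O4 Run entry and attach a reason to each one that merits a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue
        hive, key, name, command = m.groups()
        entry = Autorun(hive, key, name, image_path(command))
        if USER_WRITABLE.search(entry.image):
            entry.reasons.append("image lives in a user-writable temp directory")
        stem = re.sub(r'(?i)\.[a-z]{3}$', '', entry.image.rsplit('\\', 1)[-1])
        if looks_random(stem):
            entry.reasons.append("random-looking image name")
        if hive == "HKCU" and entry.reasons:
            entry.reasons.append("per-user key: planted without admin rights")
        if "File not found" in command:  # OTL marks orphaned values this way
            entry.reasons.append("orphaned: image no longer exists")
        findings.append(entry)
    return findings


def suspicious(log_text: str) -> list:
    """Only the entries that have at least one reason attached."""
    return [a for a in analyze_autoruns(log_text) if a.reasons]


if __name__ == "__main__":
    for a in suspicious(SAMPLE_LOG):
        print(f"{a.hive}\\{a.key} [{a.name}] -> {a.image}")
        for r in a.reasons:
            print(f"    - {r}")
```

Run against the OTL log later in the thread, the same two values show up again with the extra "orphaned" reason, which is what a leftover Run value looks like once the scanner has deleted the file but not the registry entry.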
     
  2. kevinf80

    kevinf80 Malware Specialist

    Hiya whowhodilly

    I'm kevinf80 and I will be helping with any malware issues you may have with your system.
    • Please be aware that some of the logs I may ask for can be very complex and can take a long time to decipher. I am a volunteer here with a job and family, so I ask that you be patient when waiting for replies.
    • Please DO NOT run any scans/tools/fixes on your own, as this will conflict with the tools we are going to use.
    • Either print or save to Notepad all instructions and please follow them carefully; if there's something you don't understand or that will not work, please let me know and we will go through it together.
    • Malware is often buggy and can be very unstable; with that in mind, it is advisable to back up any important data before we begin.
    • If you do not reply within 72 hours the thread will be closed; if you need more time, let me know. Likewise, if I do not respond within 48 hours, feel free to PM me.
    • If you have any P2P applications installed, such as BitTorrent, uTorrent, Limewire etc., please uninstall them before we begin.
    • If you are using cracked or illegal software, your thread will be locked and all help will cease.

    Please proceed as follows :-

    Step 1

    Download TFC to your desktop from either of the following links:
    Link 1
    Link 2
    • Make sure any open work is saved. TFC will close all open application windows.
    • Double-click TFC.exe to run the program.
    • If prompted, click "Yes" to reboot.
    TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

    Step 2

    Please download Malwarebytes Anti-Malware and save it to your desktop.
    Alternative D/L mirror
    Alternative D/L mirror

    Double-click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note.)
    • Please save the log to a location you will remember.
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the entire report in your next reply.

    Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    Step 3

    Download OTL from any of the following links and save it to your Desktop:

    Link 1
    Link 2
    Link 3

    • Double-click on the icon to run it. Vista and Windows 7 users: right-click and select Run as Administrator. Make sure all other windows are closed and let it run uninterrupted.
    • In the lower right corner, checkmark "LOP Check" and checkmark "Purity Check".
    • Under the Custom Scan box, paste this in:
      Code:
            netsvcs
            drivers32
            %SYSTEMDRIVE%\*.*
            %systemroot%\*. /mp /s
            CREATERESTOREPOINT
            %systemroot%\System32\config\*.sav
            HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
      
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them in your reply.
    Copy and paste OTL.Txt and Extras.Txt in your reply.

    What I'd like in your reply :-

    • Log from Malwarebytes
    • OTL.Txt
    • Extras.Txt

    Kevin
     
  3. whowhodilly

    whowhodilly Thread Starter

    From what I can see, it looks like all that may have fixed it. Here are the logs from everything that you asked for.

    Malwarebytes Log


    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5389

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    12/24/2010 9:29:31 AM
    mbam-log-2010-12-24 (09-29-31).txt

    Scan type: Quick scan
    Objects scanned: 150285
    Time elapsed: 2 minute(s), 16 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    OTL:

    OTL logfile created on: 12/24/2010 9:35:40 AM - Run 1
    OTL by OldTimer - Version 3.2.18.0 Folder = C:\Users\Marc\Downloads
    64bit- An unknown product (Version = 6.1.7600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.7600.16385)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    4.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 70.00% Memory free
    8.00 Gb Paging File | 7.00 Gb Available in Paging File | 82.00% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 596.07 Gb Total Space | 437.75 Gb Free Space | 73.44% Space Free | Partition Type: NTFS

    Computer Name: WHOWHODILLY | User Name: Marc | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2010/12/24 09:32:56 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Users\Marc\Downloads\OTL.exe
    PRC - [2010/11/17 19:43:23 | 000,403,240 | ---- | M] (Valve Corporation) -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe
    PRC - [2010/11/16 20:04:27 | 001,242,448 | ---- | M] (Valve Corporation) -- C:\Program Files (x86)\Steam\Steam.exe
    PRC - [2010/11/10 19:08:04 | 000,724,048 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe
    PRC - [2010/11/10 19:08:02 | 006,127,184 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    PRC - [2010/10/22 04:58:18 | 000,265,400 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe
    PRC - [2010/10/22 04:57:54 | 002,745,696 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG10\avgtray.exe
    PRC - [2010/08/13 11:58:56 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe


    ========== Modules (SafeList) ==========

    MOD - [2010/12/24 09:32:56 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Users\Marc\Downloads\OTL.exe
    MOD - [2010/08/20 22:21:32 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll


    ========== Win32 Services (SafeList) ==========

    SRV:64bit: - File not found [On_Demand | Stopped] -- C:\Windows\SysNative\GameMon.des -- (npggsvc)
    SRV:64bit: - [2009/11/24 20:17:16 | 000,202,752 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
    SRV:64bit: - [2009/07/13 18:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV:64bit: - [2009/07/13 18:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
    SRV - [2010/11/17 19:43:23 | 000,403,240 | ---- | M] (Valve Corporation) [On_Demand | Running] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
    SRV - [2010/11/10 19:08:02 | 006,127,184 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe -- (AVGIDSAgent)
    SRV - [2010/10/22 04:58:18 | 000,265,400 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe -- (avgwd)
    SRV - [2010/08/13 11:58:56 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
    SRV - [2010/03/18 12:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
    SRV - [2010/01/06 09:13:00 | 003,478,288 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\Windows\SysWow64\GameMon.des -- (npggsvc)
    SRV - [2009/06/10 14:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)


    ========== Driver Services (SafeList) ==========

    DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\lgx64modem.sys -- (USBModem)
    DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\lgx64diag.sys -- (UsbDiag)
    DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\lgx64bus.sys -- (usbbus)
    DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\npptNT2.sys -- (NPPTNT2)
    DRV:64bit: - [2010/11/09 22:20:56 | 000,382,032 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avgtdia.sys -- (Avgtdia)
    DRV:64bit: - [2010/09/13 15:28:00 | 000,027,216 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\AVGIDSEH.sys -- (AVGIDSEH)
    DRV:64bit: - [2010/09/07 03:48:56 | 000,041,040 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\Windows\SysNative\drivers\avgmfx64.sys -- (Avgmfx64)
    DRV:64bit: - [2010/09/07 03:48:52 | 000,305,232 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avgldx64.sys -- (Avgldx64)
    DRV:64bit: - [2010/09/07 03:48:50 | 000,030,288 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\avgrkx64.sys -- (Avgrkx64)
    DRV:64bit: - [2010/08/19 20:42:38 | 000,157,264 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AVGIDSDriver.sys -- (AVGIDSDriver)
    DRV:64bit: - [2010/08/19 20:42:38 | 000,035,920 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AVGIDSFilter.sys -- (AVGIDSFilter)
    DRV:64bit: - [2010/04/19 19:47:42 | 000,050,688 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)
    DRV:64bit: - [2009/11/24 20:52:14 | 006,174,720 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (atikmdag)
    DRV:64bit: - [2009/09/30 07:34:30 | 000,121,872 | ---- | M] (ATI Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AtiHdmi.sys -- (AtiHdmiService)
    DRV:64bit: - [2009/08/20 09:05:06 | 000,239,616 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
    DRV:64bit: - [2009/07/13 18:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
    DRV:64bit: - [2009/07/13 18:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
    DRV:64bit: - [2009/07/13 18:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
    DRV:64bit: - [2009/07/13 18:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
    DRV:64bit: - [2009/07/13 18:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
    DRV:64bit: - [2009/07/13 18:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
    DRV:64bit: - [2009/06/10 13:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\wbem\ntfs.mof -- (Ntfs)
    DRV:64bit: - [2009/06/10 13:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
    DRV:64bit: - [2009/06/10 13:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
    DRV:64bit: - [2009/06/10 13:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
    DRV:64bit: - [2009/06/10 13:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
    DRV:64bit: - [2009/05/18 14:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
    DRV:64bit: - [2009/05/04 09:30:28 | 000,016,440 | ---- | M] (Advanced Micro Devices Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\AtiPcie.sys -- (AtiPcie) AMD PCI Express (3GIO)
    DRV:64bit: - [2009/04/03 06:39:58 | 000,034,872 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\usbfilter.sys -- (usbfilter)
    DRV - [2005/01/02 14:43:08 | 000,004,682 | ---- | M] (INCA Internet Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysWOW64\npptNT2.sys -- (NPPTNT2)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 07 C1 1E 3D C5 3F CB 01 [binary data]
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

    FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files (x86)\AVG\AVG10\Firefox\ [2010/12/24 01:40:10 | 000,000,000 | ---D | M]


    O1 HOSTS File: ([2009/06/10 14:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
    O2:64bit: - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG10\avgssiea.dll (AVG Technologies CZ, s.r.o.)
    O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll (AVG Technologies CZ, s.r.o.)
    O4 - HKLM..\Run: [ATICustomerCare] C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe (Advanced Micro Devices, Inc.)
    O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe (AVG Technologies CZ, s.r.o.)
    O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
    O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
    O4 - HKCU..\Run: [660289] C:\Users\Marc\AppData\Local\Temp\660289.exe File not found
    O4 - HKCU..\Run: [Steam] C:\Program Files (x86)\Steam\steam.exe (Valve Corporation)
    O4 - HKCU..\Run: [tSfkTNduxrPpGPr.exe] C:\Users\Marc\AppData\Local\Temp\tSfkTNduxrPpGPr.exe File not found
    O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
    O4 - Startup: C:\Users\Marc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk = C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
    O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
    O13 - gopher Prefix: missing
    O13 - gopher Prefix: missing
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
    O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab (Java Plug-in 1.6.0_16)
    O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.85.102 68.87.69.150
    O18:64bit: - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG10\avgppa.dll (AVG Technologies CZ, s.r.o.)
    O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG10\avgpp.dll (AVG Technologies CZ, s.r.o.)
    O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
    O32 - HKLM CDRom: AutoRun - 1
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O34 - HKLM BootExecute: (C:\PROGRA~2\AVG\AVG10\avgchsva.exe /sync) - C:\Program Files (x86)\AVG\AVG10\avgchsva.exe (AVG Technologies CZ, s.r.o.)
    O34 - HKLM BootExecute: (C:\PROGRA~2\AVG\AVG10\avgrsa.exe /sync /restart) - C:\Program Files (x86)\AVG\AVG10\avgrsa.exe (AVG Technologies CZ, s.r.o.)
    O35:64bit: - HKLM\..comfile [open] -- "%1" %*
    O35:64bit: - HKLM\..exefile [open] -- "%1" %*
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
    O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs:64bit: AppMgmt - C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)

    Drivers32:64bit: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.l3acm - C:\Windows\SysWOW64\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: vidc.cvid - C:\Windows\SysWow64\iccvid.dll (Radius Inc.)
    Drivers32: vidc.tscc - C:\Windows\SysWow64\tsccvid.dll (TechSmith Corporation)

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point

    ========== Files/Folders - Created Within 30 Days ==========

    [2010/12/24 09:26:59 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
    [2010/12/24 01:42:52 | 000,000,000 | ---D | C] -- C:\Users\Marc\AppData\Roaming\AVG10
    [2010/12/24 01:40:49 | 000,000,000 | -H-D | C] -- C:\ProgramData\Common Files
    [2010/12/24 01:40:40 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\drivers\AVG
    [2010/12/24 01:40:05 | 000,000,000 | ---D | C] -- C:\ProgramData\AVG10
    [2010/12/24 01:40:05 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\drivers\AVG
    [2010/12/24 01:39:28 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AVG
    [2010/12/23 23:57:51 | 000,000,000 | ---D | C] -- C:\Users\Marc\AppData\Roaming\Malwarebytes
    [2010/12/23 23:57:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2010/12/23 23:57:44 | 000,024,152 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
    [2010/12/23 23:57:44 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    [2010/12/23 23:50:02 | 000,000,000 | ---D | C] -- C:\ProgramData\MFAData
    [2010/12/22 09:47:15 | 000,000,000 | ---D | C] -- C:\Mom
    [2010/12/17 10:58:22 | 001,169,408 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\taskschd.dll
    [2010/12/17 10:58:22 | 000,464,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\taskeng.exe
    [2010/12/17 10:58:21 | 000,524,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wmicmiplugin.dll
    [2010/12/17 10:58:21 | 000,496,128 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\taskschd.dll
    [2010/12/17 10:58:21 | 000,473,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\taskcomp.dll
    [2010/12/17 10:58:21 | 000,305,152 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\taskcomp.dll
    [2010/12/17 10:58:21 | 000,285,696 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\schtasks.exe
    [2010/12/17 10:58:21 | 000,179,712 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\schtasks.exe
    [2010/12/17 10:58:20 | 000,367,104 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysNative\atmfd.dll
    [2010/12/17 10:58:20 | 000,294,400 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\atmfd.dll
    [2010/12/17 10:58:20 | 000,046,080 | ---- | C] (Adobe Systems) -- C:\Windows\SysNative\atmlib.dll
    [2010/12/17 10:58:20 | 000,034,304 | ---- | C] (Adobe Systems) -- C:\Windows\SysWow64\atmlib.dll
    [2010/12/17 10:58:18 | 000,395,776 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\webio.dll
    [2010/12/17 10:58:18 | 000,314,368 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\webio.dll
    [2010/12/17 10:58:16 | 000,112,000 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\consent.exe
    [2010/12/17 10:58:02 | 000,703,488 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll
    [2010/12/17 10:58:02 | 000,599,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msfeeds.dll
    [2010/12/17 10:58:01 | 000,256,000 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iepeers.dll
    [2010/12/17 10:58:01 | 000,247,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
    [2010/12/17 10:58:01 | 000,185,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iepeers.dll
    [2010/12/17 10:58:01 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
    [2010/12/17 10:58:01 | 000,097,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
    [2010/12/17 10:58:01 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
    [2010/12/17 10:58:01 | 000,057,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\licmgr10.dll
    [2010/12/17 10:58:01 | 000,044,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\licmgr10.dll
    [2010/12/17 10:58:00 | 000,012,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msfeedssync.exe
    [2010/12/17 10:58:00 | 000,012,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeedssync.exe
    [2010/12/17 10:57:59 | 000,482,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\html.iec
    [2010/12/17 10:57:59 | 000,386,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\html.iec

    ========== Files - Modified Within 30 Days ==========

    [2010/12/24 09:32:43 | 102,550,651 | ---- | M] () -- C:\Windows\SysNative\drivers\AVG\incavi.avm
    [2010/12/24 09:31:51 | 000,016,080 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    [2010/12/24 09:31:51 | 000,016,080 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    [2010/12/24 09:25:01 | 000,000,904 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2914084419-1581005053-3587552183-1000UA.job
    [2010/12/24 09:24:34 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2010/12/24 09:24:32 | 3220,037,632 | -HS- | M] () -- C:\hiberfil.sys
    [2010/12/24 01:40:43 | 000,000,953 | ---- | M] () -- C:\Users\Public\Desktop\AVG 2011.lnk
    [2010/12/24 01:40:40 | 000,000,000 | ---- | M] () -- C:\Windows\SysWow64\drivers\AVG\incavi.avm
    [2010/12/24 01:40:40 | 000,000,000 | ---- | M] () -- C:\Windows\SysWow64\drivers\AVG\iavichjw.avm
    [2010/12/23 23:38:49 | 000,000,967 | ---- | M] () -- C:\Users\Marc\Desktop\Scanner.lnk
    [2010/12/20 18:09:00 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
    [2010/12/20 18:08:40 | 000,024,152 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
    [2010/12/18 20:07:47 | 000,285,880 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
    [2010/12/17 11:25:00 | 000,000,852 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2914084419-1581005053-3587552183-1000Core.job
    [2010/12/17 10:57:55 | 000,726,316 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
    [2010/12/17 10:57:55 | 000,623,940 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
    [2010/12/17 10:57:55 | 000,106,316 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
    [2010/12/04 21:12:37 | 000,017,408 | ---- | M] () -- C:\Users\Marc\Documents\mel final report.odt
    [2010/11/30 19:10:56 | 000,012,800 | ---- | M] () -- C:\Users\Marc\Documents\waressay2.doc
    [2010/11/28 16:09:48 | 000,009,728 | ---- | M] () -- C:\Users\Marc\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

    ========== Files Created - No Company Name ==========

    [2010/12/24 09:32:43 | 102,550,651 | ---- | C] () -- C:\Windows\SysNative\drivers\AVG\incavi.avm
    [2010/12/24 01:40:43 | 000,000,953 | ---- | C] () -- C:\Users\Public\Desktop\AVG 2011.lnk
    [2010/12/24 01:40:40 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\drivers\AVG\incavi.avm
    [2010/12/24 01:40:40 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\drivers\AVG\iavichjw.avm
    [2010/12/23 23:38:49 | 000,000,967 | ---- | C] () -- C:\Users\Marc\Desktop\Scanner.lnk
    [2010/12/04 20:23:42 | 000,017,408 | ---- | C] () -- C:\Users\Marc\Documents\mel final report.odt
    [2010/11/30 19:10:56 | 000,012,800 | ---- | C] () -- C:\Users\Marc\Documents\waressay2.doc
    [2010/07/28 20:44:39 | 000,053,248 | ---- | C] () -- C:\Windows\SysWow64\CommonDL.dll
    [2010/07/28 20:44:39 | 000,002,413 | ---- | C] () -- C:\Windows\SysWow64\lgAxconfig.ini
    [2010/02/19 14:46:27 | 000,009,728 | ---- | C] () -- C:\Users\Marc\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2009/07/13 16:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
    [2009/07/13 14:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll

    ========== LOP Check ==========

    [2010/12/24 01:42:52 | 000,000,000 | ---D | M] -- C:\Users\Marc\AppData\Roaming\AVG10
    [2010/01/26 15:25:54 | 000,000,000 | -H-D | M] -- C:\Users\Marc\AppData\Roaming\ijjigame
    [2010/10/05 19:30:54 | 000,000,000 | ---D | M] -- C:\Users\Marc\AppData\Roaming\OpenCandy
    [2010/02/08 22:03:14 | 000,000,000 | ---D | M] -- C:\Users\Marc\AppData\Roaming\OpenOffice.org
    [2010/12/12 20:05:24 | 000,032,562 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2010/12/24 09:24:32 | 3220,037,632 | -HS- | M] () -- C:\hiberfil.sys
    [2006/12/01 23:37:14 | 000,904,704 | ---- | M] (Microsoft Corporation) -- C:\msdia80.dll
    [2010/12/24 09:24:32 | 4293,386,240 | -HS- | M] () -- C:\pagefile.sys

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >

    < End of report >

    Extras:
    OTL Extras logfile created on: 12/24/2010 9:35:40 AM - Run 1
    OTL by OldTimer - Version 3.2.18.0 Folder = C:\Users\Marc\Downloads
    64bit- An unknown product (Version = 6.1.7600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.7600.16385)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    4.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 70.00% Memory free
    8.00 Gb Paging File | 7.00 Gb Available in Paging File | 82.00% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 596.07 Gb Total Space | 437.75 Gb Free Space | 73.44% Space Free | Partition Type: NTFS

    Computer Name: WHOWHODILLY | User Name: Marc | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .url[@ = InternetShortcut] -- C:\Windows\system32\ieframe.DLL (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
    .url [@ = InternetShortcut] -- C:\Windows\system32\ieframe.DLL (Microsoft Corporation)

    [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
    .html [@ = ChromeHTML] -- C:\Users\Marc\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.)

    ========== Shell Spawning ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %* File not found
    cmdfile [open] -- "%1" %* File not found
    comfile [open] -- "%1" %* File not found
    exefile [open] -- "%1" %* File not found
    helpfile [open] -- Reg Error: Key error.
    htmlfile [edit] -- Reg Error: Key error.
    htmlfile [print] -- "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
    inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
    InternetShortcut [open] -- "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\ieframe.dll",OpenURL %l (Microsoft Corporation)
    InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
    piffile [open] -- "%1" %* File not found
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1" File not found
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
    scrfile [open] -- "%1" /S File not found
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [explore] -- Reg Error: Value error.
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    htmlfile [edit] -- Reg Error: Key error.
    htmlfile [print] -- "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
    inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
    InternetShortcut [open] -- "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\ieframe.dll",OpenURL %l (Microsoft Corporation)
    InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [explore] -- Reg Error: Value error.
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 1

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    ========== Authorized Applications List ==========


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{071c9b48-7c32-4621-a0ac-3f809523288f}" = Microsoft Visual C++ 2005 Redistributable (x64)
    "{19BDBFE9-0B6A-37F2-80F6-48AFD1EA582D}" = ATI AVIVO64 Codecs
    "{24BEFDE1-A699-4139-B61B-B1102FDE7279}" = AVG 2011
    "{33EB1061-ABF1-4470-A540-32E97A610536}" = Apple Mobile Device Support
    "{41BF0DE4-5BAE-4B88-AFD3-86A30B222186}" = Bonjour
    "{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
    "{5F02C14D-A630-4771-8409-0BA89FCCA8D6}" = iTunes
    "{6245BC35-F4BE-1995-BB2E-7847D758504E}" = ATI Problem Report Wizard
    "{8DA5428C-3D35-317C-2FBA-485AAC49E9C0}" = ccc-utility64
    "{CCC50A42-892B-AF23-6188-6E8D2FDF34E3}" = ATI Catalyst Install Manager
    "{E4C703FE-7F5C-475D-9458-8E2FD7110790}" = AVG 2011
    "{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
    "AVG" = AVG 2011
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "WinRAR archiver" = WinRAR archiver

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam(TM)
    "{0BDE949A-3CF5-3852-B4F7-92EAE4F25F73}" = CCC Help English
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{26A24AE4-039D-4CA4-87B4-2F83216016F0}" = Java(TM) 6 Update 16
    "{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java(TM) 6 Update 18
    "{45350494-82B7-3E53-85B7-79A1AD9AE080}" = Catalyst Control Center Graphics Light
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{525E7F71-67C1-806E-69D0-892CC3CE2F8E}" = Catalyst Control Center Graphics Full Existing
    "{537306C2-CDAC-F606-5D46-D5727F58FAD3}" = Catalyst Control Center Graphics Previews Vista
    "{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
    "{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
    "{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
    "{72736F5F-520D-472A-88CC-7B02872FD34E}" = ATI Catalyst Registration
    "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
    "{786C5747-1033-0000-B58E-000000000001}" = Adobe Stock Photos 1.0
    "{82809116-D1EE-443C-AE31-F19E709DDF7A}" = AMD USB Filter Driver
    "{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
    "{87BB78C4-F36D-4D93-A7C7-F80F18219848}" = AMD DnD V1.0.19
    "{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek Ethernet Controller Driver For Windows Vista and Later
    "{88DDBE5E-8AC0-F463-AC50-E56FAA2E3CEB}" = Catalyst Control Center Graphics Previews Common
    "{897B3B21-8691-26F5-97E8-A9955C20BB20}" = Catalyst Control Center HydraVision Full
    "{8D7133DE-27D2-47E5-B248-4180278D32AA}" = Catalyst Control Center - Branding
    "{8EDBA74D-0686-4C99-BFDD-F894678E5B39}" = Adobe Common File Installer
    "{9580813D-94B1-4C28-9426-A441E2BB29A5}" = Counter-Strike: Source
    "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    "{A842C34B-2083-6947-BC0E-5654BDBADCDA}" = Catalyst Control Center Graphics Full New
    "{A8F2089B-1F79-4BF6-B385-A2C2B0B9A74D}" = ImagXpress
    "{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.3
    "{B3DAF54F-DB25-4586-9EF1-96D24BB14088}" = Windows Movie Maker 2.6
    "{B74D4E10-1033-0000-0000-000000000001}" = Adobe Bridge 1.0
    "{BA3B34EB-3F4B-0E19-0916-971C1AD3F0AD}" = Catalyst Control Center InstallProxy
    "{CB166F48-6219-2DFD-8800-191BE6F5923A}" = ccc-core-static
    "{D7410A39-66CA-C554-CB1D-EB53A6B8A289}" = HydraVision
    "{DAEAFD68-BB4A-4507-A241-C8804D2EA66D}" = Apple Application Support
    "{E0B71631-6AA8-C596-A485-8480E92DD745}" = Catalyst Control Center Core Implementation
    "{E6B87DC4-2B3D-4483-ADFF-E483BF718991}" = OpenOffice.org 3.1
    "{E9787678-1033-0000-8E67-000000000001}" = Adobe Help Center 1.0
    "{EB900AF8-CC61-4E15-871B-98D1EA3E8025}" = QuickTime
    "{FCDBEA60-79F0-4FAE-BBA8-55A26C609A49}" = Visual Studio 2008 x64 Redistributables
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "AviSynth" = AviSynth 2.5
    "CCleaner" = CCleaner
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
    "Steam App 10190" = Call of Duty: Modern Warfare 2 - Multiplayer
    "Steam App 220" = Half-Life 2
    "Steam App 380" = Half-Life 2: Episode One
    "Steam App 42700" = Call of Duty: Black Ops
    "Steam App 42710" = Call of Duty: Black Ops - Multiplayer
    "Uninstall_is1" = Uninstall 1.0.0.1

    ========== HKEY_CURRENT_USER Uninstall List ==========

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "Google Chrome" = Google Chrome

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 12/24/2010 12:17:03 PM | Computer Name = Whowhodilly | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: m->NextScheduledSPRetry 25115256

    Error - 12/24/2010 12:17:19 PM | Computer Name = Whowhodilly | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: Continuously busy for more than a second

    Error - 12/24/2010 12:17:19 PM | Computer Name = Whowhodilly | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: m->NextScheduledEvent 25130856

    Error - 12/24/2010 12:17:19 PM | Computer Name = Whowhodilly | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: m->NextScheduledSPRetry 25130856

    Error - 12/24/2010 12:17:35 PM | Computer Name = Whowhodilly | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: Continuously busy for more than a second

    Error - 12/24/2010 12:17:35 PM | Computer Name = Whowhodilly | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: m->NextScheduledEvent 25146456

    Error - 12/24/2010 12:17:35 PM | Computer Name = Whowhodilly | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: m->NextScheduledSPRetry 25146456

    Error - 12/24/2010 12:17:50 PM | Computer Name = Whowhodilly | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: Continuously busy for more than a second

    Error - 12/24/2010 12:17:50 PM | Computer Name = Whowhodilly | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: m->NextScheduledEvent 25162056

    Error - 12/24/2010 12:17:50 PM | Computer Name = Whowhodilly | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: m->NextScheduledSPRetry 25162056

    [ Media Center Events ]
    Error - 2/20/2010 1:31:21 AM | Computer Name = Whowhodilly | Source = MCUpdate | ID = 0
    Description = 10:31:21 PM - Error connecting to the internet. 10:31:21 PM - Unable
    to contact server..

    Error - 2/20/2010 1:31:27 AM | Computer Name = Whowhodilly | Source = MCUpdate | ID = 0
    Description = 10:31:26 PM - Error connecting to the internet. 10:31:26 PM - Unable
    to contact server..

    Error - 2/20/2010 2:31:32 AM | Computer Name = Whowhodilly | Source = MCUpdate | ID = 0
    Description = 11:31:32 PM - Error connecting to the internet. 11:31:32 PM - Unable
    to contact server..

    Error - 2/20/2010 2:31:37 AM | Computer Name = Whowhodilly | Source = MCUpdate | ID = 0
    Description = 11:31:37 PM - Error connecting to the internet. 11:31:37 PM - Unable
    to contact server..

    Error - 2/20/2010 3:31:42 AM | Computer Name = Whowhodilly | Source = MCUpdate | ID = 0
    Description = 12:31:42 AM - Error connecting to the internet. 12:31:42 AM - Unable
    to contact server..

    Error - 2/20/2010 3:31:48 AM | Computer Name = Whowhodilly | Source = MCUpdate | ID = 0
    Description = 12:31:47 AM - Error connecting to the internet. 12:31:47 AM - Unable
    to contact server..

    Error - 2/20/2010 4:31:52 AM | Computer Name = Whowhodilly | Source = MCUpdate | ID = 0
    Description = 1:31:52 AM - Error connecting to the internet. 1:31:52 AM - Unable
    to contact server..

    Error - 2/20/2010 4:31:58 AM | Computer Name = Whowhodilly | Source = MCUpdate | ID = 0
    Description = 1:31:57 AM - Error connecting to the internet. 1:31:57 AM - Unable
    to contact server..

    Error - 2/20/2010 6:41:11 AM | Computer Name = Whowhodilly | Source = MCUpdate | ID = 0
    Description = 3:41:11 AM - Error connecting to the internet. 3:41:11 AM - Unable
    to contact server..

    Error - 2/20/2010 6:41:16 AM | Computer Name = Whowhodilly | Source = MCUpdate | ID = 0
    Description = 3:41:16 AM - Error connecting to the internet. 3:41:16 AM - Unable
    to contact server..

    [ System Events ]
    Error - 10/26/2010 8:49:02 PM | Computer Name = Whowhodilly | Source = Service Control Manager | ID = 7022
    Description = The Windows Update service hung on starting.

    Error - 10/27/2010 12:51:57 AM | Computer Name = Whowhodilly | Source = DCOM | ID = 10010
    Description =

    Error - 10/27/2010 12:51:57 AM | Computer Name = Whowhodilly | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
    Description = Installation Failure: Windows failed to install the following update
    with error 0x80080005: Update for Windows 7 for x64-based Systems (KB2388210).

    Error - 11/7/2010 12:18:45 AM | Computer Name = Whowhodilly | Source = Service Control Manager | ID = 7009
    Description = A timeout was reached (30000 milliseconds) while waiting for the Steam
    Client Service service to connect.

    Error - 11/7/2010 12:18:45 AM | Computer Name = Whowhodilly | Source = Service Control Manager | ID = 7000
    Description = The Steam Client Service service failed to start due to the following
    error: %%1053

    Error - 11/17/2010 10:44:06 PM | Computer Name = Whowhodilly | Source = Service Control Manager | ID = 7009
    Description = A timeout was reached (30000 milliseconds) while waiting for the Steam
    Client Service service to connect.

    Error - 11/17/2010 10:44:06 PM | Computer Name = Whowhodilly | Source = Service Control Manager | ID = 7000
    Description = The Steam Client Service service failed to start due to the following
    error: %%1053

    Error - 12/2/2010 3:13:31 PM | Computer Name = Whowhodilly | Source = NetBT | ID = 4321
    Description = The name "WORKGROUP :1d" could not be registered on the interface
    with IP address 192.168.1.106. The computer with the IP address 192.168.1.107 did
    not allow the name to be claimed by this computer.

    Error - 12/24/2010 12:19:10 PM | Computer Name = Whowhodilly | Source = EventLog | ID = 6008
    Description = The previous system shutdown at 9:18:13 AM on ?12/?24/?2010 was unexpected.

    Error - 12/24/2010 12:22:43 PM | Computer Name = Whowhodilly | Source = Service Control Manager | ID = 7031
    Description = The Apple Mobile Device service terminated unexpectedly. It has done
    this 1 time(s). The following corrective action will be taken in 60000 milliseconds:
    Restart the service.


    < End of report >
     
  4. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Hiya whowhodilly,

    Don't see a great deal wrong with the logs; the malware was running from Temp folders and TFC cleaned them out. Proceed as follows please:

    Step 1

    Re-run OTL by double left click; Vista and Windows 7 users right click and select Run as Administrator.
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O4 - HKCU..\Run: [660289] C:\Users\Marc\AppData\Local\Temp\660289.exe File not found
      O4 - HKCU..\Run: [tSfkTNduxrPpGPr.exe] C:\Users\Marc\AppData\Local\Temp\tSfkTNduxrPpGPr.exe File not found
      
      :Services
      
      :Reg
      
      :Files
      ipconfig /flushdns /c
      
      :Commands
      [purity]
      [resethosts]
      [emptytemp]
      [EMPTYFLASH]
      [CREATERESTOREPOINT]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post the log it produces in your next reply.

    Step 2

    From Uninstall a program via the Control Panel, uninstall the following:

    Java(TM) 6 Update 16

    Step 3

    You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version.
    For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system.
    The most current version of Sun Java is: Java Runtime Environment Version 6 Update 23.

    • Go to Sun Java
    • Select Windows 7/XP/Vista/2000/2003/2008. If using a 64-bit OS, select Information about the 64-bit Java plug-in and follow the prompts.
    • Install the new version by running the newly downloaded file with the Java icon, which will be on your desktop, and follow the on-screen instructions.
    • Reboot your computer

    Step 4

    Your Adobe Acrobat Reader is out of date. Older versions are vulnerable to attack and exploitation.

    Please go to the link below to update.

    Adobe Reader. Untick the Free McAfee® Security Scan Plus (optional) unless you want it.


    Post the log from the OTL fix, and let me know of any remaining issues,

    Kevin
     
  5. whowhodilly

    whowhodilly Thread Starter

    Joined:
    Nov 19, 2007
    Messages:
    14
    Quick question... before I posted asking for help I ran CCleaner. You said TFC cleared my temp folders and that's where the malware was likely running from. Shouldn't CCleaner have solved this also?

    Anyway, here is the new OTL log


    All processes killed
    ========== OTL ==========
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\660289 deleted successfully.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\tSfkTNduxrPpGPr.exe deleted successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    < ipconfig /flushdns /c >
    Windows IP Configuration
    Successfully flushed the DNS Resolver Cache.
    C:\Users\Marc\Downloads\cmd.bat deleted successfully.
    C:\Users\Marc\Downloads\cmd.txt deleted successfully.
    ========== COMMANDS ==========
    C:\Windows\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Marc
    ->Temp folder emptied: 144147 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Java cache emptied: 0 bytes
    ->Google Chrome cache emptied: 24792446 bytes
    ->Flash cache emptied: 606 bytes

    User: Public

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 24.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default

    User: Default User

    User: Marc
    ->Flash cache emptied: 0 bytes

    User: Public

    Total Flash Files Cleaned = 0.00 mb

    Restore point Set: OTL Restore Point

    OTL by OldTimer - Version 3.2.18.0 log created on 12242010_111431

    Files\Folders moved on Reboot...
    C:\Users\Marc\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

    Registry entries deleted on Reboot...
     
  6. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Hiya whowhodilly

    I'm not sure if CCleaner looks at Temp folders running from AppData. This is where the malware was running from: C:\Users\Marc\AppData\Local\Temp. AppData is "Hidden". I know for sure that TFC empties any temp folders in that directory. Does that answer your question?

    • Re-open OTL to run it. (Vista and Win 7 users, right click on OTL and "Run as administrator")
    • Click on the CleanUp button.
    • Click Yes to begin the cleanup process and remove tools, including this application
    • You may be asked to reboot the machine to finish the cleanup process - if so, choose Yes

    Let me know if you have any remaining issues,

    Kevin.
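One way to turn the point made in the last two replies into a repeatable check, as an added example that is not from this thread or from OTL itself: a small Python parser for OTL's O4 (Run key) lines that flags entries launching from a Temp directory under the hidden AppData folder, or whose target file is already gone, and emits a fix block in the same shape kevinf80 posted. The two Temp entries are the ones from the thread; the benign sample lines, the "AVAST Software" company string and the "Acme" entry are constructed for the example.

```python
"""Parse OTL 'O4' autorun lines and flag the ones worth a closer look.

Example code added for this thread; not part of OTL or of any post above.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One OTL O4 line, e.g.
#   O4 - HKCU..\Run: [660289] C:\Users\Marc\AppData\Local\Temp\660289.exe File not found
#   O4:64bit: - HKLM..\Run: [Foo] C:\Program Files\Foo\foo.exe (Foo Inc.)
# The trailing "(company)" or "File not found" is optional; the $ anchor keeps
# the lazy cmd group from stopping at a "(x86)" inside the path.
O4_RE = re.compile(
    r"^O4(?P<arch>:64bit:)? - (?P<hive>HK\w+)\.\.\\(?P<key>\w+): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)"
    r"(?: \((?P<company>[^()]*)\))?(?P<missing> File not found)?\s*$"
)

# Lower-cased path fragments no legitimate installer uses for persistence.
# AppData is hidden by default, so a user browsing Explorer never sees them.
TEMP_MARKERS = (
    "\\appdata\\local\\temp\\",
    "\\local settings\\temp\\",   # XP-era profile layout
    "\\windows\\temp\\",
    "%temp%\\",
    "%tmp%\\",
)


@dataclass
class O4Entry:
    hive: str            # HKCU / HKLM
    key: str             # Run, RunOnce, ...
    name: str            # registry value name
    cmd: str             # command line / executable path
    company: Optional[str]
    missing: bool        # OTL printed "File not found"
    native64: bool       # OTL's ":64bit:" tag = native 64-bit registry view
    raw: str             # original line, reused verbatim in the fix block
    reasons: List[str] = field(default_factory=list)


def parse_o4(line: str) -> Optional[O4Entry]:
    """Return an O4Entry for an O4 line, or None for any other OTL line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    return O4Entry(
        hive=m.group("hive"), key=m.group("key"), name=m.group("name"),
        cmd=m.group("cmd"), company=m.group("company"),
        missing=m.group("missing") is not None,
        native64=m.group("arch") is not None, raw=line.strip(),
    )


def is_temp_path(cmd: str) -> bool:
    """True when the autorun target lives in a Temp directory."""
    path = cmd.strip().strip('"').lower()
    return any(marker in path for marker in TEMP_MARKERS)


def flag_reasons(entry: O4Entry) -> List[str]:
    reasons = []
    if is_temp_path(entry.cmd):
        reasons.append("launches from a Temp directory")
    if entry.missing:
        reasons.append("target file no longer exists (orphaned Run value)")
    elif not entry.company:
        reasons.append("no company name on the executable")
    return reasons


def scan_log(text: str) -> List[O4Entry]:
    """Return the O4 entries in an OTL log that have at least one reason."""
    flagged = []
    for line in text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        entry.reasons = flag_reasons(entry)
        if entry.reasons:
            flagged.append(entry)
    return flagged


def build_otl_fix(entries: List[O4Entry]) -> str:
    """Emit a fix block in the shape used in the thread: the O4 lines verbatim
    under :OTL, then the temp-cleanup and restore-point commands."""
    body = "\n".join(e.raw for e in entries)
    return f":OTL\n{body}\n\n:Commands\n[emptytemp]\n[CREATERESTOREPOINT]\n"


# Constructed sample: two real entries from the thread plus benign filler.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [AvastUI.exe] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files (x86)\iTunes\iTunesHelper.exe (Apple Inc.)
O4:64bit: - HKLM..\Run: [Updater] C:\Program Files\Acme\updater.exe ()
O4 - HKCU..\Run: [660289] C:\Users\Marc\AppData\Local\Temp\660289.exe File not found
O4 - HKCU..\Run: [tSfkTNduxrPpGPr.exe] C:\Users\Marc\AppData\Local\Temp\tSfkTNduxrPpGPr.exe File not found
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
"""

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for e in hits:
        print(f"{e.hive}\\{e.key}\\{e.name}: {'; '.join(e.reasons)}")
    print(build_otl_fix([e for e in hits if is_temp_path(e.cmd)]))
```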
     
Short URL to this thread: https://techguy.org/970350