Appear to be infected with expiro.x

Solved
By luddite
Nov 13, 2011
  1. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    OK, I uploaded both files from my XP here: http://www.filedropper.com/temp_9
    This is zipped file containing wuauclt.exe and explorer.exe files.

    Unzip the file and paste both files into the root C:\ directory.
    I need to see if they're in the right location, so....

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    64-bit users go HERE
    • Double-click SystemLook.exe to run it.
    • Vista\Win 7 users: Right-click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box and paste it into the main textfield:
      Code:
      :filefind
      explorer.exe
      wuauclt.exe
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
  2. luddite

    luddite Newcomer, in training Topic Starter Posts: 82

    Hello
    Here we go with the SystemLook file

    SystemLook 30.07.11 by jpshortstuff
    Log created at 09:08 on 19/11/2011 by Willy
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "explorer.exe"
    C:\explorer.exe --a---- 1033728 bytes [10:42 14/04/2008] [14:05 19/11/2011] 12896823FB95BFB3DC9B46BCAEDC9923
    C:\WINDOWS\explorer.exe --a---- 1033728 bytes [16:16 25/04/2008] [11:11 15/11/2011] A84DD07217CEB7E1560E82D0781DC0BA
    C:\WINDOWS\ERDNT\cache\explorer.exe --a---- 1033728 bytes [21:23 13/11/2011] [12:41 15/11/2011] A84DD07217CEB7E1560E82D0781DC0BA
    C:\WINDOWS\system32\dllcache\explorer.exe --a--c- 1033728 bytes [16:16 25/04/2008] [12:56 15/11/2011] A84DD07217CEB7E1560E82D0781DC0BA

    Searching for "wuauclt.exe"
    C:\wuauclt.exe --a---- 53472 bytes [00:24 07/08/2009] [14:05 19/11/2011] 62BB79160F86CD962F312C68C6239BFD
    C:\WINDOWS\ERDNT\cache\wuauclt.exe --a---- 53472 bytes [21:23 13/11/2011] [21:49 05/05/2010] 62BB79160F86CD962F312C68C6239BFD
    C:\WINDOWS\system32\wuauclt.exe --a---- 53472 bytes [21:27 25/04/2008] [21:49 05/05/2010] 62BB79160F86CD962F312C68C6239BFD
    C:\WINDOWS\system32\dllcache\wuauclt.exe --a--c- 47104 bytes [21:27 25/04/2008] [12:58 15/11/2011] 15F9199144AEFC4062FE2FBE1DC8DFAD

    -= EOF =-
  3. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box
    • Click OK
    Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    FCopy::
    C:\explorer.exe | C:\WINDOWS\explorer.exe
    C:\explorer.exe | C:\WINDOWS\ERDNT\cache\explorer.exe
    C:\explorer.exe | C:\WINDOWS\system32\dllcache\explorer.exe
    C:\wuauclt.exe | C:\WINDOWS\system32\wuauclt.exe
    C:\wuauclt.exe | C:\WINDOWS\ERDNT\cache\wuauclt.exe
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
  4. luddite

    luddite Newcomer, in training Topic Starter Posts: 82

    Here is the latest combo fix log.

    ComboFix 11-11-17.03 - Willy 11/20/2011 8:47.4.2 - x86
    Running from: c:\documents and settings\Willy\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Willy\Desktop\CFScript.txt
    AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    * Created a new restore point
    .
    ADS - explorer.exe: deleted 26 bytes in 1 streams.
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Willy\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
    C:\explorer.exe
    c:\windows\CSC\d6
    C:\wuauclt.exe
    .
    .
    --------------- FCopy ---------------
    .
    c:\explorer.exe --> c:\WINDOWS\explorer.exe
    c:\explorer.exe --> c:\WINDOWS\ERDNT\cache\explorer.exe
    c:\explorer.exe --> c:\WINDOWS\system32\dllcache\explorer.exe
    c:\wuauclt.exe --> c:\WINDOWS\system32\wuauclt.exe
    c:\wuauclt.exe --> c:\WINDOWS\ERDNT\cache\wuauclt.exe
    .
    ((((((((((((((((((((((((( Files Created from 2011-10-20 to 2011-11-20 )))))))))))))))))))))))))))))))
    .
    .
    2011-11-15 12:49 . 2011-11-15 12:49 30208 ----a-w- c:\windows\system32\asr_fmt.exe.kav
    2011-11-15 03:49 . 2011-11-15 10:56 133208 ----a-w- c:\windows\system32\drivers\06344987.sys
    2011-11-14 04:07 . 2011-11-14 04:07 -------- d-----w- c:\program files\ESET
    2011-11-14 01:17 . 2011-11-18 05:37 -------- d-----w- C:\ff73cd1785e82edb873a9ba1864eec01
    2011-11-13 13:28 . 2011-11-13 13:28 -------- d-----w- c:\documents and settings\Willy\Application Data\Malwarebytes
    2011-11-13 13:28 . 2011-11-13 13:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-11-13 01:48 . 2011-07-11 05:14 24272 ----a-w- c:\windows\system32\drivers\AVGIDSFilter.sys
    2011-11-13 01:48 . 2011-07-11 05:14 23120 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys
    2011-11-13 01:48 . 2011-07-11 05:14 134608 ----a-w- c:\windows\system32\drivers\AVGIDSDriver.sys
    2011-11-13 01:48 . 2011-10-04 11:21 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
    2011-11-13 01:48 . 2011-07-11 05:14 295248 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2011-11-13 01:48 . 2011-08-08 10:08 40016 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2011-11-13 01:48 . 2011-10-07 11:23 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2011-11-13 01:48 . 2011-09-13 10:30 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
    2011-11-13 01:38 . 2011-11-15 02:59 -------- d-----w- c:\program files\CCleaner
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-11-19 14:05 . 2008-04-25 21:27 53472 ----a-w- c:\windows\system32\wuauclt.exe
    2011-11-19 14:05 . 2008-04-25 16:16 1033728 ----a-w- c:\windows\explorer.exe
    2011-11-15 13:00 . 2006-10-15 04:44 597504 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
    2011-11-15 12:55 . 2010-05-05 02:38 146432 ----a-w- c:\windows\system32\WudfHost.exe
    2011-11-15 12:55 . 2009-10-09 19:56 14848 ----a-w- c:\windows\system32\wsmprovhost.exe
    2011-11-15 12:55 . 2009-10-09 19:56 225280 ----a-w- c:\windows\system32\wsmanhttpconfig.exe
    2011-11-15 12:54 . 2010-05-05 02:38 17408 ----a-w- c:\windows\system32\wpdshextautoplay.exe
    2011-11-15 12:54 . 2010-05-05 02:38 293376 ----a-w- c:\windows\system32\WISPTIS.EXE
    2011-11-15 12:54 . 2009-10-19 18:06 223232 ----a-w- c:\windows\system32\wksprt.exe
    2011-11-15 12:54 . 2009-10-09 19:56 22528 ----a-w- c:\windows\system32\winrshost.exe
    2011-11-15 12:54 . 2009-10-09 21:22 69632 ----a-w- c:\windows\system32\winrs.exe
    2011-11-15 12:54 . 2010-05-05 02:38 8704 ----a-w- c:\windows\system32\wdfmgr.exe
    2011-11-15 12:54 . 2008-04-25 16:16 28672 ----a-w- c:\windows\system32\verclsid.exe
    2011-11-15 12:54 . 2010-05-05 02:38 8704 ----a-w- c:\windows\system32\uwdf.exe
    2011-11-15 12:54 . 2009-10-19 18:06 46080 ----a-w- c:\windows\system32\TSWbPrxy.exe
    2011-11-15 12:53 . 2010-05-05 02:38 184832 ----a-w- c:\windows\system32\searchprotocolhost.exe
    2011-11-15 12:53 . 2010-05-05 02:38 439808 ----a-w- c:\windows\system32\searchindexer.exe
    2011-11-15 12:53 . 2010-05-05 02:38 87552 ----a-w- c:\windows\system32\searchfilterhost.exe
    2011-11-15 12:53 . 2010-09-08 23:52 1503232 ----a-w- c:\windows\system32\ptj.exe
    2011-11-15 12:53 . 2010-03-31 04:10 289280 ----a-w- c:\windows\system32\PresentationHost.exe
    2011-11-15 12:52 . 2010-05-03 16:20 24576 ----a-w- c:\windows\system32\OEM02Srv.exe
    2011-11-15 12:52 . 2010-05-05 05:17 356352 ----a-w- c:\windows\system32\nvudisp.exe
    2011-11-15 12:52 . 2010-05-03 16:20 1339392 ----a-w- c:\windows\system32\nvdspsch.exe
    2011-11-15 12:52 . 2010-05-03 16:20 753664 ----a-w- c:\windows\system32\nvcplui.exe
    2011-11-15 12:52 . 2010-05-03 16:20 442368 ----a-w- c:\windows\system32\nvappbar.exe
    2011-11-15 12:51 . 2008-04-25 16:16 51712 ----a-w- c:\windows\system32\migpwd.exe
    2011-11-15 12:51 . 2010-05-03 16:20 425984 ----a-w- c:\windows\system32\keystone.exe
    2011-11-15 12:51 . 2008-07-30 07:24 612864 ----a-w- c:\windows\system32\icardagt.exe
    2011-11-15 12:50 . 2008-04-25 16:16 15872 ----a-w- c:\windows\system32\expand.exe
    2011-11-15 12:50 . 2010-05-03 16:23 24576 ----a-w- c:\windows\system32\DSRIRREM.EXE
    2011-11-15 12:50 . 2010-05-05 02:37 249856 ----a-w- c:\windows\system32\drmupgds.exe
    2011-11-15 12:50 . 2008-04-25 16:16 20480 ----a-w- c:\windows\system32\cliconfg.exe
    2011-11-15 12:49 . 2010-05-04 22:28 356352 ----a-w- c:\windows\system32\AegisI5Installer.exe
    2011-11-15 12:23 . 2010-06-06 21:59 86016 ----a-w- c:\windows\unvise32qt.exe
    2011-11-15 12:23 . 2010-05-05 05:16 405504 ----a-w- c:\windows\stsystra.exe
    2011-11-15 12:23 . 2010-05-03 16:20 77824 ----a-w- c:\windows\setpwr32.exe
    2011-11-15 12:22 . 2010-05-03 16:20 28672 ----a-w- c:\windows\OEM02Cfg.exe
    2011-11-15 12:22 . 2010-05-03 16:20 90112 ----a-w- c:\windows\CtDrvIns.exe
    2011-11-15 11:21 . 2008-04-25 16:16 11776 ----a-w- c:\windows\system32\regsvr32.exe
    2011-11-15 11:11 . 2008-04-25 16:16 124928 ----a-w- c:\windows\system32\net1.exe
    2011-11-15 11:11 . 2008-04-25 16:16 39424 ----a-w- c:\windows\system32\grpconv.exe
    2011-11-15 03:13 . 2008-04-25 16:16 146432 ------w- c:\windows\regedit.exe
    2011-11-15 03:13 . 2008-04-25 16:16 69120 ----a-w- c:\windows\system32\notepad.exe
    2011-11-15 03:13 . 2008-04-25 16:16 389120 ----a-w- c:\windows\system32\cmd.exe
    2011-11-15 03:13 . 2008-04-25 16:16 420864 ----a-w- c:\windows\system32\ntvdm.exe
    2011-11-15 03:13 . 2008-04-25 16:16 514560 ----a-w- c:\windows\system32\logonui.exe
    2011-11-15 03:12 . 2008-04-25 21:26 62976 ----a-w- c:\windows\system32\rdpclip.exe
    2011-11-15 03:12 . 2008-04-25 16:16 135168 ----a-w- c:\windows\system32\cscript.exe
    2011-11-15 02:26 . 2010-05-03 16:20 36864 ----a-w- c:\windows\OEM02Mon.exe
    2011-11-15 02:26 . 2010-05-03 16:20 1626112 ----a-w- c:\windows\system32\nwiz.exe
    2011-11-15 02:26 . 2008-04-25 16:16 26112 ----a-w- c:\windows\system32\userinit.exe
    2011-11-15 02:26 . 2008-04-25 16:16 45568 ----a-w- c:\windows\system32\drwtsn32.exe
    2011-10-18 23:04 . 2011-08-10 14:27 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-10 14:22 . 2008-04-25 21:27 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-09-28 07:06 . 2008-04-25 16:16 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 15:41 . 2008-07-30 07:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 15:41 . 2008-04-25 16:16 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 15:41 . 2008-04-25 16:16 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-06 13:25 . 2008-04-25 16:16 1867904 ----a-w- c:\windows\system32\win32k.sys
    2011-08-22 23:48 . 2008-04-25 16:16 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-08-22 23:48 . 2008-04-25 16:16 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-08-22 23:48 . 2008-04-25 16:16 1469440 ------w- c:\windows\system32\inetcpl.cpl
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2011-11-15 . 7C562E4506C257CE1A730084D62DE857 . 13824 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\wscntfy.exe
    [-] 2011-11-15 . 7C562E4506C257CE1A730084D62DE857 . 13824 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\wscntfy.exe
    [-] 2011-11-14 04:19 . !HASH: COULD NOT OPEN FILE !!!!! . 161280 . . [------] . . c:\windows\system32\wscntfy.exe
    .
    [-] 2011-11-15 . 1778EDDF5B6221F97D4F52A393311401 . 632832 . . [8.00.6001.18702] . . c:\windows\system32\dllcache\iexplore.exe
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-11-18_05.39.33 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-04-25 21:27 . 2011-11-19 14:05 53472 c:\windows\system32\dllcache\wuauclt.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SansaDispatch"="c:\documents and settings\Willy\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [BU]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2011-11-15 1024000]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-05-05 8491008]
    "nwiz"="nwiz.exe" [2011-11-15 1626112]
    "NVHotkey"="nvHotkey.dll" [2007-11-06 81920]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-06 81920]
    "OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2011-11-15 36864]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-11-15 242176]
    "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2011-11-15 823296]
    "Launch LCDMon"="c:\program files\Common Files\Logitech\LCD Manager\LCDMon.exe" [2011-11-15 770560]
    "EZGigMonitor.exe"="c:\program files\Apricorn\EZ Gig II\EZGigMonitor.exe" [2007-10-09 1169264]
    "AcronisTimounterMonitor"="c:\program files\Apricorn\EZ Gig II\TimounterMonitor.exe" [2007-10-09 1949480]
    .
    c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
    desktop.ini~CL29UPQL [2010-5-4 84]
    .
    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    desktop.ini~29G9CGMH [2010-5-4 84]
    .
    c:\documents and settings\Willy\Start Menu\Programs\Startup\
    desktop.ini~NFDCDVNA [2010-5-4 84]
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [N/A]
    _uninst_86641713.lnk - c:\documents and settings\Willy\Local Settings\temp\_uninst_86641713.bat [N/A]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [N/A]
    desktop.ini~QAQP9CP6 [2010-5-4 84]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [N/A]
    .
    c:\documents and settings\Default User\Start Menu\Programs\Startup\
    desktop.ini~H762R46B [2010-5-4 84]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
    .
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [2011-07-11 134608]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [2011-07-11 24272]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys [2011-10-04 16720]
    R3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe [2008-04-14 14336]
    S0 06344987;06344987;c:\windows\system32\DRIVERS\06344987.sys [2011-11-15 133208]
    S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [2011-07-11 23120]
    S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [2011-09-13 32592]
    S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [2011-10-07 230608]
    S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [2011-07-11 295248]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WINRM REG_MULTI_SZ WINRM
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-11-07 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2010-05-04 23:40]
    .
    2011-11-13 c:\windows\Tasks\switchShakeIcon.job
    - c:\program files\NCH Swift Sound\Switch\switch.exe [2010-07-25 18:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-11-20 08:55
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    SansaDispatch = c:\documents and settings\Willy\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe?????????????????????????????????????????????????????????????????????????????????????????
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'lsass.exe'(1316)
    c:\windows\system32\relog_ap.dll
    .
    - - - - - - - > 'explorer.exe'(3124)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\btncopy.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\progra~1\AVG\AVG2012\avgrsx.exe
    c:\program files\AVG\AVG2012\avgcsrvx.exe
    c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\program files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
    c:\program files\Common Files\Logitech\LCD Manager\Applets\LCDPOP3.exe
    c:\program files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe~PGRH68QI
    .
    **************************************************************************
    .
    Completion time: 2011-11-20 08:58:28 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-11-20 13:58
    ComboFix2.txt 2011-11-18 05:42
    ComboFix3.txt 2011-11-14 03:26
    ComboFix4.txt 2011-11-13 22:11
    .
    Pre-Run: 334,606,921,728 bytes free
    Post-Run: 334,585,384,960 bytes free
    .
    - - End Of File - - DD9A11BDFD2A459F064B8A07891F79C5
  5. luddite

    luddite Newcomer, in training Topic Starter Posts: 82

    Hello

    In other news that I see didn't get into the last post...

    Combo fix still sees AVG running, but I don't see AVG in the uninstall programs.
    When I try to install from All Programs under Start, the computer pop-up window says "Problem with shortcut". Do I want to delete this shortcut?

    I take it this is an artifact of being virus infected, but a number of shortcuts on this laptop aren't working now.
  6. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    No, this is how AVG is stubborn...LOL...but don't worry about it as long as Combofix runs.
    The log looks much better.
    We still seem to have an issue with one more system file, wscntfy.exe.
    Attached is a zipped file from my XP.
    Unzip it and paste the file again in the C:\ directory.

    Re-run SystemLook with this code:

    Code:
    :filefind
    wscntfy.exe

  7. luddite

    luddite Newcomer, in training Topic Starter Posts: 82

    Hello
    Here is the latest SystemLook file

    SystemLook 30.07.11 by jpshortstuff
    Log created at 20:59 on 20/11/2011 by Willy
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "wscntfy.exe"
    C:\wscntfy.exe --a---- 13824 bytes [01:54 21/11/2011] [01:52 21/11/2011] E9EEB38B858B637F4F8FA3401F325DC5
    C:\Documents and Settings\Willy\Desktop\wscntfy\wscntfy.exe --a---- 13824 bytes [02:33 31/10/2007] [01:52 21/11/2011] E9EEB38B858B637F4F8FA3401F325DC5
    C:\WINDOWS\ERDNT\cache\wscntfy.exe --a---- 13824 bytes [21:23 13/11/2011] [12:41 15/11/2011] 7C562E4506C257CE1A730084D62DE857
    C:\WINDOWS\system32\wscntfy.exe --a---- 161280 bytes [16:16 25/04/2008] [04:19 14/11/2011] (Unable to calculate MD5)
    C:\WINDOWS\system32\dllcache\wscntfy.exe --a--c- 13824 bytes [16:16 25/04/2008] [12:58 15/11/2011] 7C562E4506C257CE1A730084D62DE857

    -= EOF =-
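The two filefind logs above (posts 2 and 7) are being read by eye: for each system file, the live copy under C:\WINDOWS is compared with the copies Windows keeps in system32\dllcache and ERDNT\cache, and a copy whose size is wrong or whose MD5 SystemLook cannot even calculate is the tell (C:\WINDOWS\system32\wscntfy.exe at 161280 bytes against two 13824-byte cache copies). The script below is an added example, not code from the thread, from ComboFix or from SystemLook's author: it parses a :filefind log and automates that comparison. The sample input is copied from the two logs posted above; the path classification (anything under <drive>:\WINDOWS\ that is not in dllcache or ERDNT\cache counts as the live copy, root C:\ and the Desktop count as hand-placed copies) is an assumption for an XP layout.

```python
import re
from collections import defaultdict

# Sample input: the ":filefind" results luddite posted in this thread (posts 2 and 7),
# copied from the logs above so the script runs offline.
SAMPLE_LOG = r"""
========== filefind ==========

Searching for "explorer.exe"
C:\explorer.exe --a---- 1033728 bytes [10:42 14/04/2008] [14:05 19/11/2011] 12896823FB95BFB3DC9B46BCAEDC9923
C:\WINDOWS\explorer.exe --a---- 1033728 bytes [16:16 25/04/2008] [11:11 15/11/2011] A84DD07217CEB7E1560E82D0781DC0BA
C:\WINDOWS\ERDNT\cache\explorer.exe --a---- 1033728 bytes [21:23 13/11/2011] [12:41 15/11/2011] A84DD07217CEB7E1560E82D0781DC0BA
C:\WINDOWS\system32\dllcache\explorer.exe --a--c- 1033728 bytes [16:16 25/04/2008] [12:56 15/11/2011] A84DD07217CEB7E1560E82D0781DC0BA

Searching for "wuauclt.exe"
C:\wuauclt.exe --a---- 53472 bytes [00:24 07/08/2009] [14:05 19/11/2011] 62BB79160F86CD962F312C68C6239BFD
C:\WINDOWS\ERDNT\cache\wuauclt.exe --a---- 53472 bytes [21:23 13/11/2011] [21:49 05/05/2010] 62BB79160F86CD962F312C68C6239BFD
C:\WINDOWS\system32\wuauclt.exe --a---- 53472 bytes [21:27 25/04/2008] [21:49 05/05/2010] 62BB79160F86CD962F312C68C6239BFD
C:\WINDOWS\system32\dllcache\wuauclt.exe --a--c- 47104 bytes [21:27 25/04/2008] [12:58 15/11/2011] 15F9199144AEFC4062FE2FBE1DC8DFAD

Searching for "wscntfy.exe"
C:\wscntfy.exe --a---- 13824 bytes [01:54 21/11/2011] [01:52 21/11/2011] E9EEB38B858B637F4F8FA3401F325DC5
C:\Documents and Settings\Willy\Desktop\wscntfy\wscntfy.exe --a---- 13824 bytes [02:33 31/10/2007] [01:52 21/11/2011] E9EEB38B858B637F4F8FA3401F325DC5
C:\WINDOWS\ERDNT\cache\wscntfy.exe --a---- 13824 bytes [21:23 13/11/2011] [12:41 15/11/2011] 7C562E4506C257CE1A730084D62DE857
C:\WINDOWS\system32\wscntfy.exe --a---- 161280 bytes [16:16 25/04/2008] [04:19 14/11/2011] (Unable to calculate MD5)
C:\WINDOWS\system32\dllcache\wscntfy.exe --a--c- 13824 bytes [16:16 25/04/2008] [12:58 15/11/2011] 7C562E4506C257CE1A730084D62DE857

-= EOF =-
"""

SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"')
# path, 7-char attribute field, size, two timestamps, then MD5 or SystemLook's failure marker
ENTRY_RE = re.compile(
    r'^(?P<path>.+?) (?P<attrs>[-a-z]{7}) (?P<size>\d+) bytes '
    r'\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] '
    r'(?P<md5>[0-9A-Fa-f]{32}|\(Unable to calculate MD5\))$'
)
# Assumption (XP layout): Windows' own backup copies live in dllcache and ERDNT\cache,
# the copy actually loaded is the one elsewhere under <drive>:\WINDOWS\.
CACHE_RE = re.compile(r'\\(system32\\dllcache|erdnt\\cache)\\', re.I)
LIVE_RE = re.compile(r'^[a-z]:\\windows\\', re.I)


def classify(path):
    """'cache' = dllcache/ERDNT backup, 'live' = the loaded copy, 'other' = placed by hand."""
    if CACHE_RE.search(path):
        return 'cache'
    if LIVE_RE.match(path):
        return 'live'
    return 'other'


def parse_filefind(text):
    """Return {filename: [entry, ...]} from a SystemLook :filefind log."""
    results = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m:
            current = m.group('name').lower()
            results.setdefault(current, [])  # keep files with zero hits visible
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            md5 = m.group('md5')
            results[current].append({
                'path': m.group('path'),
                'size': int(m.group('size')),
                # None when SystemLook could not open the file; that is itself a finding
                'md5': None if md5.startswith('(') else md5.upper(),
                'role': classify(m.group('path')),
            })
    return dict(results)


def check_against_caches(parsed):
    """Compare each live copy with the cache copies; return a list of finding dicts."""
    findings = []
    for name, entries in parsed.items():
        cache = {(e['size'], e['md5']) for e in entries if e['role'] == 'cache' and e['md5']}
        if len(cache) > 1:  # dllcache and ERDNT hold different builds: check, don't assume
            findings.append({'file': name, 'kind': 'cache_copies_disagree', 'path': None,
                             'detail': 'cache copies differ: %s' % sorted(cache)})
        for e in entries:
            if e['md5'] is None:
                findings.append({'file': name, 'kind': 'unreadable_hash', 'path': e['path'],
                                 'detail': 'MD5 could not be calculated (file locked or access denied)'})
            if e['role'] == 'live' and cache and (e['size'], e['md5']) not in cache:
                findings.append({'file': name, 'kind': 'live_differs_from_cache', 'path': e['path'],
                                 'detail': '%d bytes / %s vs cache %s' % (e['size'], e['md5'], sorted(cache))})
    return findings


if __name__ == '__main__':
    for f in check_against_caches(parse_filefind(SAMPLE_LOG)):
        print('%-12s %-24s %s' % (f['file'], f['kind'], f['path'] or ''))
        print('    ' + f['detail'])
```

Run against the posted logs it reports nothing for explorer.exe, flags the live wscntfy.exe twice (unreadable MD5, and size that matches no cache copy), and notes that the two wuauclt.exe caches disagree. That last one is the caveat: the live wuauclt.exe matches the ERDNT copy and the clean copy Broni supplied while dllcache holds an older build, so a disagreement between caches is a prompt to look at dates and builds, not a verdict.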
  8. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box
    • Click OK
    Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    FCopy::
    C:\wscntfy.exe | C:\WINDOWS\system32\wscntfy.exe
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
  9. luddite

    luddite Newcomer, in training Topic Starter Posts: 82

    Hello
    Here is the latest combofix file

    ComboFix 11-11-20.02 - Willy 11/20/2011 22:10:52.5.2 - x86
    Running from: c:\documents and settings\Willy\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Willy\Desktop\CFScript.txt
    AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Willy\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
    c:\windows\CSC\d6
    .
    .
    --------------- FCopy ---------------
    .
    c:\wscntfy.exe --> c:\WINDOWS\system32\wscntfy.exe
    .
    ((((((((((((((((((((((((( Files Created from 2011-10-21 to 2011-11-21 )))))))))))))))))))))))))))))))
    .
    .
    2011-11-21 01:54 . 2011-11-21 01:52 13824 ------w- C:\wscntfy.exe
    2011-11-15 12:49 . 2011-11-15 12:49 30208 ----a-w- c:\windows\system32\asr_fmt.exe.kav
    2011-11-15 03:49 . 2011-11-15 10:56 133208 ----a-w- c:\windows\system32\drivers\06344987.sys
    2011-11-14 04:07 . 2011-11-14 04:07 -------- d-----w- c:\program files\ESET
    2011-11-14 01:17 . 2011-11-18 05:37 -------- d-----w- C:\ff73cd1785e82edb873a9ba1864eec01
    2011-11-13 13:28 . 2011-11-13 13:28 -------- d-----w- c:\documents and settings\Willy\Application Data\Malwarebytes
    2011-11-13 13:28 . 2011-11-13 13:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-11-13 01:48 . 2011-07-11 05:14 24272 ----a-w- c:\windows\system32\drivers\AVGIDSFilter.sys
    2011-11-13 01:48 . 2011-07-11 05:14 23120 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys
    2011-11-13 01:48 . 2011-07-11 05:14 134608 ----a-w- c:\windows\system32\drivers\AVGIDSDriver.sys
    2011-11-13 01:48 . 2011-10-04 11:21 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
    2011-11-13 01:48 . 2011-07-11 05:14 295248 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2011-11-13 01:48 . 2011-08-08 10:08 40016 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2011-11-13 01:48 . 2011-10-07 11:23 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2011-11-13 01:48 . 2011-09-13 10:30 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
    2011-11-13 01:38 . 2011-11-15 02:59 -------- d-----w- c:\program files\CCleaner
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-11-19 14:05 . 2008-04-25 21:27 53472 ----a-w- c:\windows\system32\wuauclt.exe
    2011-11-19 14:05 . 2008-04-25 16:16 1033728 ----a-w- c:\windows\explorer.exe
    2011-11-15 13:00 . 2006-10-15 04:44 597504 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
    2011-11-15 12:55 . 2010-05-05 02:38 146432 ----a-w- c:\windows\system32\WudfHost.exe
    2011-11-15 12:55 . 2009-10-09 19:56 14848 ----a-w- c:\windows\system32\wsmprovhost.exe
    2011-11-15 12:55 . 2009-10-09 19:56 225280 ----a-w- c:\windows\system32\wsmanhttpconfig.exe
    2011-11-15 12:54 . 2010-05-05 02:38 17408 ----a-w- c:\windows\system32\wpdshextautoplay.exe
    2011-11-15 12:54 . 2010-05-05 02:38 293376 ----a-w- c:\windows\system32\WISPTIS.EXE
    2011-11-15 12:54 . 2009-10-19 18:06 223232 ----a-w- c:\windows\system32\wksprt.exe
    2011-11-15 12:54 . 2009-10-09 19:56 22528 ----a-w- c:\windows\system32\winrshost.exe
    2011-11-15 12:54 . 2009-10-09 21:22 69632 ----a-w- c:\windows\system32\winrs.exe
    2011-11-15 12:54 . 2010-05-05 02:38 8704 ----a-w- c:\windows\system32\wdfmgr.exe
    2011-11-15 12:54 . 2008-04-25 16:16 28672 ----a-w- c:\windows\system32\verclsid.exe
    2011-11-15 12:54 . 2010-05-05 02:38 8704 ----a-w- c:\windows\system32\uwdf.exe
    2011-11-15 12:54 . 2009-10-19 18:06 46080 ----a-w- c:\windows\system32\TSWbPrxy.exe
    2011-11-15 12:53 . 2010-05-05 02:38 184832 ----a-w- c:\windows\system32\searchprotocolhost.exe
    2011-11-15 12:53 . 2010-05-05 02:38 439808 ----a-w- c:\windows\system32\searchindexer.exe
    2011-11-15 12:53 . 2010-05-05 02:38 87552 ----a-w- c:\windows\system32\searchfilterhost.exe
    2011-11-15 12:53 . 2010-09-08 23:52 1503232 ----a-w- c:\windows\system32\ptj.exe
    2011-11-15 12:53 . 2010-03-31 04:10 289280 ----a-w- c:\windows\system32\PresentationHost.exe
    2011-11-15 12:52 . 2010-05-03 16:20 24576 ----a-w- c:\windows\system32\OEM02Srv.exe
    2011-11-15 12:52 . 2010-05-05 05:17 356352 ----a-w- c:\windows\system32\nvudisp.exe
    2011-11-15 12:52 . 2010-05-03 16:20 1339392 ----a-w- c:\windows\system32\nvdspsch.exe
    2011-11-15 12:52 . 2010-05-03 16:20 753664 ----a-w- c:\windows\system32\nvcplui.exe
    2011-11-15 12:52 . 2010-05-03 16:20 442368 ----a-w- c:\windows\system32\nvappbar.exe
    2011-11-15 12:51 . 2008-04-25 16:16 51712 ----a-w- c:\windows\system32\migpwd.exe
    2011-11-15 12:51 . 2010-05-03 16:20 425984 ----a-w- c:\windows\system32\keystone.exe
    2011-11-15 12:51 . 2008-07-30 07:24 612864 ----a-w- c:\windows\system32\icardagt.exe
    2011-11-15 12:50 . 2008-04-25 16:16 15872 ----a-w- c:\windows\system32\expand.exe
    2011-11-15 12:50 . 2010-05-03 16:23 24576 ----a-w- c:\windows\system32\DSRIRREM.EXE
    2011-11-15 12:50 . 2010-05-05 02:37 249856 ----a-w- c:\windows\system32\drmupgds.exe
    2011-11-15 12:50 . 2008-04-25 16:16 20480 ----a-w- c:\windows\system32\cliconfg.exe
    2011-11-15 12:49 . 2010-05-04 22:28 356352 ----a-w- c:\windows\system32\AegisI5Installer.exe
    2011-11-15 12:23 . 2010-06-06 21:59 86016 ----a-w- c:\windows\unvise32qt.exe
    2011-11-15 12:23 . 2010-05-05 05:16 405504 ----a-w- c:\windows\stsystra.exe
    2011-11-15 12:23 . 2010-05-03 16:20 77824 ----a-w- c:\windows\setpwr32.exe
    2011-11-15 12:22 . 2010-05-03 16:20 28672 ----a-w- c:\windows\OEM02Cfg.exe
    2011-11-15 12:22 . 2010-05-03 16:20 90112 ----a-w- c:\windows\CtDrvIns.exe
    2011-11-15 11:21 . 2008-04-25 16:16 11776 ----a-w- c:\windows\system32\regsvr32.exe
    2011-11-15 11:11 . 2008-04-25 16:16 124928 ----a-w- c:\windows\system32\net1.exe
    2011-11-15 11:11 . 2008-04-25 16:16 39424 ----a-w- c:\windows\system32\grpconv.exe
    2011-11-15 03:13 . 2008-04-25 16:16 146432 ------w- c:\windows\regedit.exe
    2011-11-15 03:13 . 2008-04-25 16:16 69120 ----a-w- c:\windows\system32\notepad.exe
    2011-11-15 03:13 . 2008-04-25 16:16 389120 ----a-w- c:\windows\system32\cmd.exe
    2011-11-15 03:13 . 2008-04-25 16:16 420864 ----a-w- c:\windows\system32\ntvdm.exe
    2011-11-15 03:13 . 2008-04-25 16:16 514560 ----a-w- c:\windows\system32\logonui.exe
    2011-11-15 03:12 . 2008-04-25 21:26 62976 ----a-w- c:\windows\system32\rdpclip.exe
    2011-11-15 03:12 . 2008-04-25 16:16 135168 ----a-w- c:\windows\system32\cscript.exe
    2011-11-15 02:26 . 2010-05-03 16:20 36864 ----a-w- c:\windows\OEM02Mon.exe
    2011-11-15 02:26 . 2010-05-03 16:20 1626112 ----a-w- c:\windows\system32\nwiz.exe
    2011-11-15 02:26 . 2008-04-25 16:16 26112 ----a-w- c:\windows\system32\userinit.exe
    2011-11-15 02:26 . 2008-04-25 16:16 45568 ----a-w- c:\windows\system32\drwtsn32.exe
    2011-10-18 23:04 . 2011-08-10 14:27 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-10 14:22 . 2008-04-25 21:27 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-09-28 07:06 . 2008-04-25 16:16 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 15:41 . 2008-07-30 07:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 15:41 . 2008-04-25 16:16 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 15:41 . 2008-04-25 16:16 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-06 13:25 . 2008-04-25 16:16 1867904 ----a-w- c:\windows\system32\win32k.sys
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2011-11-15 . 1778EDDF5B6221F97D4F52A393311401 . 632832 . . [8.00.6001.18702] . . c:\windows\system32\dllcache\iexplore.exe
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-11-18_05.39.33 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-04-25 21:27 . 2011-11-19 14:05 53472 c:\windows\system32\dllcache\wuauclt.exe
    + 2008-04-25 16:16 . 2010-05-05 02:33 13824 c:\windows\system32\dllcache\wscntfy.exe
    - 2008-04-25 16:16 . 2011-11-15 12:58 13824 c:\windows\system32\dllcache\wscntfy.exe
    + 2008-04-25 16:16 . 2011-11-19 14:05 1033728 c:\windows\system32\dllcache\explorer.exe
    - 2008-04-25 16:16 . 2011-11-15 12:56 1033728 c:\windows\system32\dllcache\explorer.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SansaDispatch"="c:\documents and settings\Willy\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [BU]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2011-11-15 1024000]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-05-05 8491008]
    "nwiz"="nwiz.exe" [2011-11-15 1626112]
    "NVHotkey"="nvHotkey.dll" [2007-11-06 81920]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-06 81920]
    "OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2011-11-15 36864]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-11-15 242176]
    "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2011-11-15 823296]
    "Launch LCDMon"="c:\program files\Common Files\Logitech\LCD Manager\LCDMon.exe" [2011-11-15 770560]
    "EZGigMonitor.exe"="c:\program files\Apricorn\EZ Gig II\EZGigMonitor.exe" [2007-10-09 1169264]
    "AcronisTimounterMonitor"="c:\program files\Apricorn\EZ Gig II\TimounterMonitor.exe" [2007-10-09 1949480]
    .
    c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
    desktop.ini~CL29UPQL [2010-5-4 84]
    .
    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    desktop.ini~29G9CGMH [2010-5-4 84]
    .
    c:\documents and settings\Willy\Start Menu\Programs\Startup\
    desktop.ini~NFDCDVNA [2010-5-4 84]
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [N/A]
    _uninst_86641713.lnk - c:\documents and settings\Willy\Local Settings\temp\_uninst_86641713.bat [N/A]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [N/A]
    desktop.ini~QAQP9CP6 [2010-5-4 84]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [N/A]
    .
    c:\documents and settings\Default User\Start Menu\Programs\Startup\
    desktop.ini~H762R46B [2010-5-4 84]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
    .
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [2011-07-11 134608]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [2011-07-11 24272]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys [2011-10-04 16720]
    R3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe [2008-04-14 14336]
    S0 06344987;06344987;c:\windows\system32\DRIVERS\06344987.sys [2011-11-15 133208]
    S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [2011-07-11 23120]
    S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [2011-09-13 32592]
    S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [2011-10-07 230608]
    S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [2011-07-11 295248]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WINRM REG_MULTI_SZ WINRM
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-11-07 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2010-05-04 23:40]
    .
    2011-11-13 c:\windows\Tasks\switchShakeIcon.job
    - c:\program files\NCH Swift Sound\Switch\switch.exe [2010-07-25 18:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    TCP: DhcpNameServer = 68.87.73.246 68.87.71.230
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-11-20 22:17
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    SansaDispatch = c:\documents and settings\Willy\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe?????????????????????????????????????????????????????????????????????????????????????????
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'lsass.exe'(1316)
    c:\windows\system32\relog_ap.dll
    .
    - - - - - - - > 'explorer.exe'(3632)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\btncopy.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\progra~1\AVG\AVG2012\avgrsx.exe
    c:\program files\AVG\AVG2012\avgcsrvx.exe
    c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\program files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
    c:\program files\Common Files\Logitech\LCD Manager\Applets\LCDPOP3.exe
    c:\program files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe
    .
    **************************************************************************
    .
    Completion time: 2011-11-20 22:20:13 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-11-21 03:20
    ComboFix2.txt 2011-11-20 13:58
    ComboFix3.txt 2011-11-18 05:42
    ComboFix4.txt 2011-11-14 03:26
    ComboFix5.txt 2011-11-21 03:10
    .
    Pre-Run: 334,977,912,832 bytes free
    Post-Run: 334,962,180,096 bytes free
    .
    - - End Of File - - AE70287FE176FE7938692E3027B6691A
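The SnapShot@... section near the top of that ComboFix log is a diff of two file inventories: each `+` line is a file's state at this run, each `-` line its state at the previous run, so a binary that appears with both signs (dllcache\explorer.exe, dllcache\wscntfy.exe) was replaced in between. As an added example, not ComboFix's code and not anything posted in this thread, here is that comparison in Python: it records size and MD5 for every file under a directory, diffs two such inventories, and runs the logic over a constructed temp-directory scenario (the file names and contents in demo() are made up for the demo; the real log compares c:\windows).

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path


def file_record(path):
    """(size, MD5 upper-case hex, mtime) for one file; hashed in 64 KiB chunks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return (st.st_size, h.hexdigest().upper(), int(st.st_mtime))


def snapshot(root):
    """Map every file below root (path relative to root, backslashes, lower case,
    the way ComboFix prints them) to its record."""
    root = Path(root)
    return {p.relative_to(root).as_posix().replace("/", "\\").lower(): file_record(p)
            for p in root.rglob("*") if p.is_file()}


def diff_snapshots(old, new):
    """Return (sign, name, record) triples in ComboFix SnapShot style.

    '+' is the state seen in the new snapshot, '-' the state in the old one. A file
    whose size or MD5 changed yields both lines, which is what the log above shows for
    dllcache\\explorer.exe and dllcache\\wscntfy.exe. A changed timestamp alone is not
    reported: a file infector changes the bytes, and only the bytes are evidence.
    """
    changes = []
    for name in sorted(set(old) | set(new)):
        o, n = old.get(name), new.get(name)
        if o is not None and n is not None and o[:2] == n[:2]:
            continue  # same size and hash: unchanged
        if n is not None:
            changes.append(("+", name, n))
        if o is not None:
            changes.append(("-", name, o))
    return changes


def format_line(sign, name, rec):
    """One printable line: sign, modified time, size, MD5, path."""
    size, md5, mtime = rec
    stamp = time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime))
    return f"{sign} {stamp} {size} {md5} {name}"


def demo():
    """Constructed scenario in a temp directory: one binary rewritten with different
    bytes (as an infector would do), one file added, one removed, one left alone."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        cache = root / "system32" / "dllcache"
        cache.mkdir(parents=True)
        (cache / "explorer.exe").write_bytes(b"MZ-clean-explorer")
        (cache / "wscntfy.exe").write_bytes(b"MZ-wscntfy")
        (root / "system32" / "stale.exe").write_bytes(b"MZ-stale")
        before = snapshot(root)
        (cache / "explorer.exe").write_bytes(b"MZ-clean-explorer" + b"\x90" * 16)  # modified
        (cache / "wuauclt.exe").write_bytes(b"MZ-new-wuauclt")                      # added
        (root / "system32" / "stale.exe").unlink()                                  # removed
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for sign, name, rec in demo():
        print(format_line(sign, name, rec))
```

On a live system you would take the first snapshot before cleaning and the second after a reboot; any system binary that shows up with both signs deserves the same hash and signature check the thread applies to explorer.exe and wuauclt.exe.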
  10. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    I want to check one more file...

    Open Windows Explorer. Go to Tools > Folder Options > View tab and put a checkmark next to Show hidden files and folders.
    Upload the following file to http://www.virustotal.com/ for a security check:
    - c:\windows\system32\DRIVERS\06344987.sys
    If the file is listed as already analyzed, click on Reanalyse file now button.
    Post scan results.
  11. luddite

    luddite Newcomer, in training Topic Starter Posts: 82

    Hello
    I am not sure that I did what you requested. I just selected all and copied the whole deal.

    1 VT Community user(s) with a total of 1 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
    File name: 06344987.sys
    Submission date: 2011-11-21 03:52:30 (UTC)
    Current status: finished


    Result: 0/ 41 (0.0%)
    VT Community: goodware (safety score 100.0%)
    Antivirus Version Last Update Result
    AhnLab-V3 2011.11.20.00 2011.11.20 -
    AntiVir 7.11.17.237 2011.11.21 -
    Antiy-AVL 2.0.3.7 2011.11.21 -
    Avast 6.0.1289.0 2011.11.20 -
    AVG 10.0.0.1190 2011.11.20 -
    BitDefender 7.2 2011.11.20 -
    ByteHero 1.0.0.1 2011.11.14 -
    ClamAV 0.97.3.0 2011.11.20 -
    Commtouch 5.3.2.6 2011.11.20 -
    Comodo 10780 2011.11.18 -
    DrWeb 5.0.2.03300 2011.11.21 -
    Emsisoft 5.1.0.11 2011.11.21 -
    eSafe 7.0.17.0 2011.11.20 -
    eTrust-Vet 37.0.9576 2011.11.19 -
    F-Prot 4.6.5.141 2011.11.20 -
    F-Secure 9.0.16440.0 2011.11.21 -
    Fortinet 4.3.370.0 2011.11.21 -
    GData 22 2011.11.21 -
    Ikarus T3.1.1.109.0 2011.11.21 -
    Jiangmin 13.0.900 2011.11.16 -
    K7AntiVirus 9.119.5497 2011.11.19 -
    Kaspersky 9.0.0.837 2011.11.21 -
    McAfee 5.400.0.1158 2011.11.21 -
    McAfee-GW-Edition 2010.1D 2011.11.20 -
    Microsoft 1.7801 2011.11.20 -
    NOD32 6646 2011.11.21 -
    Norman 6.07.13 2011.11.20 -
    nProtect 2011-11-20.01 2011.11.20 -
    Panda 10.0.3.5 2011.11.20 -
    PCTools 8.0.0.5 2011.11.21 -
    Prevx 3.0 2011.11.21 -
    Rising 23.84.04.02 2011.11.18 -
    Sophos 4.71.0 2011.11.20 -
    SUPERAntiSpyware 4.40.0.1006 2011.11.19 -
    Symantec 20111.2.0.82 2011.11.21 -
    TheHacker 6.7.0.1.345 2011.11.21 -
    TrendMicro 9.500.0.1008 2011.11.21 -
    TrendMicro-HouseCall 9.500.0.1008 2011.11.21 -
    VIPRE 11102 2011.11.21 -
    ViRobot 2011.11.21.4784 2011.11.21 -
    VirusBuster 14.1.74.0 2011.11.20 -
    Additional information
    MD5 : 186b54479d98e48aee0e9ada4b3c4d31
    SHA1 : bbf664068f0613d864b9107ce48a70b5f9171076
    SHA256: a8c1577876cf16186610f26d7d859f8fda4057aafc33e8212339f56da6a5f874
    ssdeep: 1536:mRsWc6M6h7eKmRi66uk1yRjRIRorRe2VCN3CgHx4NqctXos+pk1ilC2DP:mRsXnKv1yRjK+FCVTx4McposQk+D
    File size : 133208 bytes
    First seen: 2011-03-18 19:50:19
    Last seen : 2011-11-21 03:52:30
    TrID:
    Win64 Executable Generic (95.5%)
    Generic Win/DOS Executable (2.2%)
    DOS Executable Generic (2.2%)
    Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
    sigcheck:
    publisher....: Kaspersky Lab ZAO
    copyright....: (c) 1997-2011 Kaspersky Lab ZAO.
    product......: Kaspersky Anti-Virus
    description..: Kaspersky Unified Driver
    original name: KL1.SYS
    internal name: KL1
    file version.: 6.6.0.10
    comments.....: n/a
    signers......: Kaspersky Lab
    VeriSign Class 3 Code Signing 2009-2 CA
    Class 3 Public Primary Certification Authority
    signing date.: 10:23 04/03/2011
    verified.....: -

    PEInfo: PE structure information

    [[ basic data ]]
    entrypointaddress: 0x36F0
    timedatestamp....: 0x4D70AE22 (Fri Mar 04 09:17:22 2011)
    machinetype......: 0x14c (I386)

    [[ 6 section(s) ]]
    name, viradd, virsiz, rawdsiz, ntropy, md5
    .text, 0x1000, 0x1789C, 0x17A00, 6.40, 794a5360eb4e20ccf239c18c6451d366
    .4lulz, 0x19000, 0x500000, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e
    .data, 0x519000, 0x2F3C, 0x3000, 2.63, 9f754f34e66ff10b7e03246ee06345fe
    INIT, 0x51C000, 0x5B8, 0x600, 5.25, 833bad5a3134fabc3763390213dcc1f8
    .rsrc, 0x51D000, 0x410, 0x600, 2.47, 580c3fbc5f2ab30735cbbaf4a984bb42
    .reloc, 0x51E000, 0x3360, 0x3400, 1.48, 962b9d130a712fd5ee4585bda528e896

    [[ 2 import(s) ]]
    ntoskrnl.exe: _purecall, sprintf, ExFreePool, ExAllocatePoolWithTag, ZwClose, ZwCreateFile, RtlInitUnicodeString, swprintf, ZwReadFile, ZwQueryInformationFile, memcpy, RtlAnsiStringToUnicodeString, RtlInitAnsiString, RtlAppendUnicodeStringToString, RtlFreeUnicodeString, strncmp, KeWaitForSingleObject, ObfDereferenceObject, ObReferenceObjectByHandle, PsCreateSystemThread, RtlFreeAnsiString, RtlUnicodeStringToAnsiString, InitSafeBootMode, RtlEqualUnicodeString, RtlCopyUnicodeString, RtlAppendUnicodeToString, KeReleaseMutex, PsSetLoadImageNotifyRoutine, IoRegisterBootDriverReinitialization, memset, IoDeleteDevice, IoCreateSymbolicLink, IoCreateDevice, PsGetVersion, _except_handler3, ZwQueryValueKey, RtlPrefixUnicodeString, _stricmp, strchr, IoAllocateIrp, _strnicmp, ZwQuerySystemInformation, IoGetRelatedDeviceObject, KeInitializeSpinLock, InterlockedIncrement, InterlockedDecrement, ZwOpenKey, ZwSetValueKey, ZwEnumerateValueKey, DbgPrint, IofCompleteRequest, KeInitializeMutex, rand, srand, memmove
    HAL.dll: KfAcquireSpinLock, HalGetAdapter, KfReleaseSpinLock

    ExifTool:
    file metadata
    CharacterSet: Unicode
    CodeSize: 98304
    CompanyName: Kaspersky Lab ZAO
    EntryPoint: 0x36f0
    FileDescription: Kaspersky Unified Driver
    FileFlagsMask: 0x003f
    FileOS: Windows NT 32-bit
    FileSize: 130 kB
    FileSubtype: 0
    FileType: Win32 EXE
    FileVersion: 6.6.0.10
    FileVersionNumber: 6.6.0.10
    ImageVersion: 0.0
    InitializedDataSize: 27136
    InternalName: KL1
    LanguageCode: English (U.S.)
    LegalCopyright: 1997-2011 Kaspersky Lab ZAO.
    LegalTrademarks: Kaspersky Anti-Virus is registered trademark of Kaspersky Lab ZAO.
    LinkerVersion: 8.0
    MIMEType: application/octet-stream
    MachineType: Intel 386 or later, and compatibles
    OSVersion: 4.0
    ObjectFileType: Executable application
    OriginalFilename: KL1.SYS
    PEType: PE32
    ProductName: Kaspersky Anti-Virus
    ProductVersion: 1.0.0.0
    ProductVersionNumber: 1.0.0.0
    Subsystem: Native
    SubsystemVersion: 4.0
    TimeStamp: 2011:03:04 10:17:22+01:00
    UninitializedDataSize: 5242880



    VT Community comment
    User: Anonymous (Reputation: 1 credits), 2011-09-14 05:56:37 (UTC)
    Kaspersky Unified Driver (Antivirus)
    Tags: Goodware
     
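The PEInfo block in that VirusTotal report is the PE section table read back from the file. Note the .4lulz section: 0x500000 bytes of virtual size but 0x0 raw bytes, which is why its entropy is 0.00 and its MD5 is d41d8cd98f00b204e9800998ecf8427e (the MD5 of the empty string), and why ExifTool reports UninitializedDataSize 5242880 for the same file. As an added example (not VirusTotal's code, and not run against the real 06344987.sys), here is a Python parser that walks the DOS and PE headers, prints the section table in the same columns as the report, and flags sections with no raw data or unusually high entropy. The image it parses is built by build_sample_pe() with a section layout modelled on the report; its bytes, section contents and timestamp are made up.

```python
import hashlib
import math
import struct
from collections import Counter, namedtuple

Section = namedtuple("Section", "name vaddr vsize rawsize rawptr entropy md5")


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(image):
    """DOS header -> PE signature -> COFF header -> optional header -> section table.

    Returns the fields VirusTotal's PEInfo block prints (machine type, entry point,
    section rows) plus SizeOfUninitializedData from the optional header.
    """
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    (uninit,) = struct.unpack_from("<I", image, opt + 12)  # SizeOfUninitializedData
    (entry,) = struct.unpack_from("<I", image, opt + 16)   # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i                      # IMAGE_SECTION_HEADER is 40 bytes
        raw_name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", image, off)
        raw = image[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append(Section(raw_name.rstrip(b"\0").decode("latin-1"), vaddr, vsize,
                                rawsize, rawptr, shannon_entropy(raw), hashlib.md5(raw).hexdigest()))
    return {"machine": machine, "timestamp": stamp, "entrypoint": entry,
            "uninitialized_data_size": uninit, "sections": sections}


def format_report(info):
    """Render the section table in the column order of the VT PEInfo block above."""
    lines = [f"[[ {len(info['sections'])} section(s) ]]",
             "name, viradd, virsiz, rawdsiz, ntropy, md5"]
    for s in info["sections"]:
        lines.append(f"{s.name}, 0x{s.vaddr:X}, 0x{s.vsize:X}, 0x{s.rawsize:X}, {s.entropy:.2f}, {s.md5}")
    return lines


def flag_anomalies(info, image_len):
    """Cheap triage checks over the section table."""
    notes = []
    for s in info["sections"]:
        if s.rawsize == 0 and s.vsize > 0:
            notes.append(f"{s.name}: no raw data but 0x{s.vsize:X} bytes mapped at runtime "
                         f"(uninitialized region; MD5 is that of the empty string)")
        if s.rawptr + s.rawsize > image_len:
            notes.append(f"{s.name}: raw data runs past end of file (truncated or malformed)")
        if s.rawsize and s.entropy > 7.2:
            notes.append(f"{s.name}: entropy {s.entropy:.2f} suggests packed or encrypted content")
    return notes


def build_sample_pe():
    """Constructed PE32 image (not the real driver): a normal .text, a .4lulz section
    with zero raw bytes but a 5 MiB virtual size, and a small .data section."""
    text = bytes([0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x5D, 0xC3]).ljust(0x200, b"\xCC")
    data = b"\x00" * 0x100 + b"\xFF" * 0x100     # two equally likely symbols: entropy 1.0
    specs = [  # name, vaddr, vsize, raw bytes, raw pointer, characteristics
        (b".text", 0x1000, len(text), text, 0x200, 0x60000020),   # CODE | EXECUTE | READ
        (b".4lulz", 0x2000, 0x500000, b"", 0, 0xC0000080),        # UNINITIALIZED_DATA | RW
        (b".data", 0x502000, len(data), data, 0x400, 0xC0000040), # INITIALIZED_DATA | RW
    ]
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                         # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, len(specs), 0, 0, 0, 0xE0, 0x0102)
    struct.pack_into("<H", hdr, 0x58, 0x10B)                        # PE32 magic
    struct.pack_into("<I", hdr, 0x58 + 12, 0x500000)                # SizeOfUninitializedData
    struct.pack_into("<I", hdr, 0x58 + 16, 0x1000)                  # AddressOfEntryPoint
    for i, (name, vaddr, vsize, raw, rawptr, chars) in enumerate(specs):
        struct.pack_into("<8sIIIIIIHHI", hdr, 0x138 + 40 * i,
                         name, vsize, vaddr, len(raw), rawptr, 0, 0, 0, 0, chars)
    return bytes(hdr) + text + data


if __name__ == "__main__":
    img = build_sample_pe()
    info = parse_pe(img)
    print("\n".join(format_report(info)))
    print("\n".join(flag_anomalies(info, len(img))))
```

Point parse_pe() at the bytes of any .exe or .sys and the output lines up column for column with the VT block; the signer information in the sigcheck part of the report lives in the Authenticode certificate table, which this parser does not read.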
  12. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    I'm back.
    I sent you PM. Did you read it?
  13. luddite

    luddite Newcomer, in training Topic Starter Posts: 82

    Hello
    Got your PM.
    The laptop is having problems launching Windows Media Player, AVG 2012, CCleaner and Audacity.
    A popup claims a problem with the shortcut: moved or no longer working properly.
    The desktop icons are changed to a generic icon except Audacity.
    The Audacity desktop icon is changed. When I click on the changed Audacity icon to start Audacity, I am asked only: do I want to uninstall Audacity and all of its components?

    When I try to start Microsoft Word, a popup box appears saying there is a problem and I should go to setup and click repair. If I click outside of that popup, Word comes up without problems.
    I can't seem to open any of the XP installed games either (like Space Cadet Pinball).

    Otherwise things seem fine.

    I will run Malwarebytes again and post the log.
  14. luddite

    luddite Newcomer, in training Topic Starter Posts: 82

    Hello
    Here is the latest Malwarebytes log

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8206

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    11/21/2011 6:32:42 AM
    mbam-log-2011-11-21 (06-32-42).txt

    Scan type: Quick scan
    Objects scanned: 173052
    Time elapsed: 3 minute(s), 49 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 7
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 91

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Media Player (Virus.Expiro) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{1B16CE61-2406-412F-969E-21BC082F76E8} (Virus.Expiro) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{35B9A4B1-7CA6-4AEC-8762-1B590056C05D} (Virus.Expiro) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{D61A27C0-8F53-11D0-BFA0-00A024151983} (Virus.Expiro) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{8DE06D9A-7FB0-4A94-A7A3-33B5A1BF90D1} (Virus.Expiro) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{87E403C2-6DAA-4C76-A3CD-FB6E344B86B8} (Virus.Expiro) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{204810B3-73B2-11D4-BF42-00B0D0118B56} (Virus.Expiro) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\program files\common files\microsoft shared\MSInfo\msinfo32.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\program files\internet explorer\iedw.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\program files\netmeeting\conf.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\program files\outlook express\oemig50.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\program files\outlook express\setup50.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\program files\outlook express\wabmig.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\program files\windows media player\migrate.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\program files\windows media player\setup_wm.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\program files\windows nt\dialer.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\makecab.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\rexec.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\accwiz.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\diantz.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\dumprep.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\eventtriggers.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\fxssend.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\ipsec6.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\netsetup.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\mplay32.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\ntsd.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\packager.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\ping6.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\proxycfg.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\rdsaddin.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\rdshost.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\rsm.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\rsmsink.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\rsmui.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\rsnotify.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\setupn.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\spiisupd.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\stimon.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\sysocmgr.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\tlntsess.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\winchat.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\wpabaln.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\actmovie.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\asr_fmt.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\asr_pfu.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\blastcln.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\ckcnv.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\clipbrd.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\ddeshare.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\dpvsetup.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\freecell.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\fxsclnt.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\fxscover.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\ipv6.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\ipxroute.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\lpq.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\lpr.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\mqbkup.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\mqtgsvc.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\mshearts.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\ntbackup.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\regini.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\routemon.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\rsh.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\rtcshare.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\savedump.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\shmgrate.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\skeys.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\sndrec32.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\sol.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\syncapp.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\tcpsvcs.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\telnet.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\tftp.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\tracert6.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\upnpcont.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\usrmlnka.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\usrprbda.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\usrshuta.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\wpnpinst.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\wuauclt1.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\xcopy.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\ahui.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\mmcperf.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\Com\comrepl.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\oobe\oobebaln.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\wbem\mofcomp.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\wbem\unsecapp.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\wbem\wbemtest.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\wbem\winmgmt.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\wbem\wmiadap.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\wbem\wmiprvse.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\wbem\scrcons.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\wbem\wmic.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\twunk_32.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\winhlp32.exe (Virus.Expiro) -> Quarantined and deleted successfully.
    c:\WINDOWS\hh.exe (Virus.Expiro) -> Quarantined and deleted successfully.
  15. luddite

    luddite Newcomer, in training Topic Starter Posts: 82

    Hello
    Adobe Flash player would like to update.
    Windows is asking to install security updates in automatic updates.
    I have done neither, awaiting your approval to do so.
  16. luddite

    luddite Newcomer, in training Topic Starter Posts: 82

    Hello
    More questions...
    Is it alright to reinstall AVG onto the laptop now?
  17. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    Your computer was (maybe it still is) heavily infected.
    Some programs may need to be reinstalled.
    As for the shortcuts that don't work (generic icon), you'll have to create new ones.

    You can install Adobe and Windows updates.

    Keep AVG off for now as it'll interfere with other scans we're about to run.
    Just make sure Windows firewall is on, don't download anything, or open any email attachments and you'll be fine.

    Now I want you to update and re-run MBAM to see if it'll discover anything new.

    Then....

    Please click HERE to download Kaspersky Virus Removal Tool.

    • Double click on the file you just downloaded and let it install.
    • It will install to your desktop (be patient; it may take a while).
    • Accept license agreement and click "Start" button.
    • Click on the Settings button
      • In Scan scope, leave the pre-checked items as they are and also checkmark My Computer
      • In Actions, checkmark Select action: (disinfect; delete if disinfection fails) instead of the preselected Prompt on detection
    • Click on Automatic Scan tab and then click on Start scanning button.
    • Before it is done it may prompt for action regardless of the setting so choose delete if prompted.
    • When the scan is done NO log will be produced.
    • Click on the Report button, then on the Automatic Scan report tab.
    • Right click anywhere within right pane, click Select All then right click again and click Copy.
    • This will copy the items that it found to the clipboard you can then open notepad (go to start then run then type in notepad) and choose paste to paste the contents into Notepad.
    • You can save this on the desktop.
    • Post the contents of the document in your next reply.

    NOTE. If Kaspersky's log is very big....
    Upload the file(s) here: http://www.filedropper.com/
    Post download link (copy URL: link):
  18. luddite

    luddite Newcomer, in training Topic Starter Posts: 82

    Hello
    Windows security update KB981997 and KB952069 refuses to load.

    Here is today's MBAM log. I will run Kaspersky again per instructions.

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8211

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    11/21/2011 6:40:03 PM
    mbam-log-2011-11-21 (18-40-03).txt

    Scan type: Quick scan
    Objects scanned: 172944
    Time elapsed: 4 minute(s), 43 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  19. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    We'll worry about that update later.
  20. luddite

    luddite Newcomer, in training Topic Starter Posts: 82

  21. luddite

    luddite Newcomer, in training Topic Starter Posts: 82

    Hello
    I forgot to mention that the Kaspersky scan stopped with a BSOD.
    The screen mentioned a stop: 0X000000F4 (0X00000003, 0X86915B28, 0X86915C9C, 0X805D29B4).
    I hard rebooted and continued the scan.
  22. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    Very good.

    Now.....How is computer doing?

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
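    The custom-scan list above is a set of %VAR%-expanded file patterns, some with trailing switches such as /s. As an added illustration (this is not OTL's code and not from the thread), here is a small Python re-implementation of the file-pattern part of such a scan: it expands the variables, treats /s as recursive, and reports size and MD5 for each match, the same data SystemLook reported earlier. Registry lines, the /md5start block and the dir commands are skipped; the sample tree and the env mapping are constructed for the demo.

```python
import fnmatch
import hashlib
import os
import re
import tempfile

FLAG_RE = re.compile(r"^(.*?)((?:\s+/\w+)*)\s*$")  # trailing " /s", " /x", " /mp" switches
SKIP = ("HKEY_", "/md5", "CREATERESTOREPOINT", "dir ")  # line kinds this demo does not handle

def expand_env(pattern, env):
    """Expand %VAR% tokens case-insensitively from the supplied mapping."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), pattern)

def parse_line(line):
    """Split a scan line into (path pattern, set of switches such as '/s')."""
    m = FLAG_RE.match(line.strip())
    return m.group(1), set(m.group(2).split())

def md5_of(path):
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest().upper()

def scan(lines, env):
    """Return [(path, size, MD5)] for files matching each pattern; '/s' recurses."""
    hits = []
    for line in lines:
        if not line.strip() or line.strip().startswith(SKIP):
            continue
        raw, flags = parse_line(line)
        directory, name = os.path.split(expand_env(raw, env).replace("\\", os.sep))
        name = "*" if name == "*.*" else name  # Windows '*.*' also matches extensionless names
        if not os.path.isdir(directory):
            continue
        walker = os.walk(directory) if "/s" in flags else [(directory, [], os.listdir(directory))]
        for root, _dirs, files in walker:
            for fn in files:
                p = os.path.join(root, fn)
                if os.path.isfile(p) and fnmatch.fnmatchcase(fn.lower(), name.lower()):
                    hits.append((p, os.path.getsize(p), md5_of(p)))
    return hits

def build_sample_tree():
    """Constructed mini %systemroot% tree (not a real system) so the scan runs offline."""
    root = tempfile.mkdtemp()
    fonts = os.path.join(root, "WINDOWS", "Fonts")
    os.makedirs(os.path.join(fonts, "sub"))
    for rel, data in (("evil.exe", b"MZ-test"), ("arial.ttf", b"ttf"), ("sub/deep.exe", b"MZ")):
        with open(os.path.join(fonts, *rel.split("/")), "wb") as f:
            f.write(data)
    return {"systemroot": os.path.join(root, "WINDOWS")}
```

Run scan(build_sample_tree()-derived env, lines) with lines taken from the list above; hits for an .exe in the Fonts folder, as on this page, are exactly the kind of thing the custom scan is meant to surface.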
  23. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    Go ahead with my last reply.
  24. luddite

    luddite Newcomer, in training Topic Starter Posts: 82

    The computer is still as it was in reply #63 (13 hours ago). I noticed that I don't have QuickTime Player or Picture Project (Nikon photo management program) either. Just more damage from the virus I guess. I will run OTL now.
  25. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    I replied to that in my #67.

    Go ahead with OTL.
