Solved: Appear to be infected with expiro.x

OK, I uploaded both files from my XP here: http://www.filedropper.com/temp_9
This is a zipped file containing wuauclt.exe and explorer.exe.

Unzip the file and paste both files into the root C:\ directory.
I need to see if they're in the right location, so....

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

64-bit users go HERE
  • Double-click SystemLook.exe to run it.
  • Vista\Win 7 users: Right-click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box and paste it into the main textfield:
    Code:
    :filefind
    explorer.exe
    wuauclt.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
Hello
Here we go with the SystemLook file

SystemLook 30.07.11 by jpshortstuff
Log created at 09:08 on 19/11/2011 by Willy
Administrator - Elevation successful

========== filefind ==========

Searching for "explorer.exe"
C:\explorer.exe --a---- 1033728 bytes [10:42 14/04/2008] [14:05 19/11/2011] 12896823FB95BFB3DC9B46BCAEDC9923
C:\WINDOWS\explorer.exe --a---- 1033728 bytes [16:16 25/04/2008] [11:11 15/11/2011] A84DD07217CEB7E1560E82D0781DC0BA
C:\WINDOWS\ERDNT\cache\explorer.exe --a---- 1033728 bytes [21:23 13/11/2011] [12:41 15/11/2011] A84DD07217CEB7E1560E82D0781DC0BA
C:\WINDOWS\system32\dllcache\explorer.exe --a--c- 1033728 bytes [16:16 25/04/2008] [12:56 15/11/2011] A84DD07217CEB7E1560E82D0781DC0BA

Searching for "wuauclt.exe"
C:\wuauclt.exe --a---- 53472 bytes [00:24 07/08/2009] [14:05 19/11/2011] 62BB79160F86CD962F312C68C6239BFD
C:\WINDOWS\ERDNT\cache\wuauclt.exe --a---- 53472 bytes [21:23 13/11/2011] [21:49 05/05/2010] 62BB79160F86CD962F312C68C6239BFD
C:\WINDOWS\system32\wuauclt.exe --a---- 53472 bytes [21:27 25/04/2008] [21:49 05/05/2010] 62BB79160F86CD962F312C68C6239BFD
C:\WINDOWS\system32\dllcache\wuauclt.exe --a--c- 47104 bytes [21:27 25/04/2008] [12:58 15/11/2011] 15F9199144AEFC4062FE2FBE1DC8DFAD

-= EOF =-
 
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box
  • Click OK
Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
FCopy::
C:\explorer.exe | C:\WINDOWS\explorer.exe
C:\explorer.exe | C:\WINDOWS\ERDNT\cache\explorer.exe
C:\explorer.exe | C:\WINDOWS\system32\dllcache\explorer.exe
C:\wuauclt.exe | C:\WINDOWS\system32\wuauclt.exe
C:\wuauclt.exe | C:\WINDOWS\ERDNT\cache\wuauclt.exe


3. Save the above as CFScript.txt

4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
Here is the latest ComboFix log.

ComboFix 11-11-17.03 - Willy 11/20/2011 8:47.4.2 - x86
Running from: c:\documents and settings\Willy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Willy\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.
ADS - explorer.exe: deleted 26 bytes in 1 streams.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Willy\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\explorer.exe
c:\windows\CSC\d6
C:\wuauclt.exe
.
.
--------------- FCopy ---------------
.
c:\explorer.exe --> c:\WINDOWS\explorer.exe
c:\explorer.exe --> c:\WINDOWS\ERDNT\cache\explorer.exe
c:\explorer.exe --> c:\WINDOWS\system32\dllcache\explorer.exe
c:\wuauclt.exe --> c:\WINDOWS\system32\wuauclt.exe
c:\wuauclt.exe --> c:\WINDOWS\ERDNT\cache\wuauclt.exe
.
((((((((((((((((((((((((( Files Created from 2011-10-20 to 2011-11-20 )))))))))))))))))))))))))))))))
.
.
2011-11-15 12:49 . 2011-11-15 12:49 30208 ----a-w- c:\windows\system32\asr_fmt.exe.kav
2011-11-15 03:49 . 2011-11-15 10:56 133208 ----a-w- c:\windows\system32\drivers\06344987.sys
2011-11-14 04:07 . 2011-11-14 04:07 -------- d-----w- c:\program files\ESET
2011-11-14 01:17 . 2011-11-18 05:37 -------- d-----w- C:\ff73cd1785e82edb873a9ba1864eec01
2011-11-13 13:28 . 2011-11-13 13:28 -------- d-----w- c:\documents and settings\Willy\Application Data\Malwarebytes
2011-11-13 13:28 . 2011-11-13 13:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-11-13 01:48 . 2011-07-11 05:14 24272 ----a-w- c:\windows\system32\drivers\AVGIDSFilter.sys
2011-11-13 01:48 . 2011-07-11 05:14 23120 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys
2011-11-13 01:48 . 2011-07-11 05:14 134608 ----a-w- c:\windows\system32\drivers\AVGIDSDriver.sys
2011-11-13 01:48 . 2011-10-04 11:21 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
2011-11-13 01:48 . 2011-07-11 05:14 295248 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2011-11-13 01:48 . 2011-08-08 10:08 40016 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2011-11-13 01:48 . 2011-10-07 11:23 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-11-13 01:48 . 2011-09-13 10:30 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-11-13 01:38 . 2011-11-15 02:59 -------- d-----w- c:\program files\CCleaner
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-19 14:05 . 2008-04-25 21:27 53472 ----a-w- c:\windows\system32\wuauclt.exe
2011-11-19 14:05 . 2008-04-25 16:16 1033728 ----a-w- c:\windows\explorer.exe
2011-11-15 13:00 . 2006-10-15 04:44 597504 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-11-15 12:55 . 2010-05-05 02:38 146432 ----a-w- c:\windows\system32\WudfHost.exe
2011-11-15 12:55 . 2009-10-09 19:56 14848 ----a-w- c:\windows\system32\wsmprovhost.exe
2011-11-15 12:55 . 2009-10-09 19:56 225280 ----a-w- c:\windows\system32\wsmanhttpconfig.exe
2011-11-15 12:54 . 2010-05-05 02:38 17408 ----a-w- c:\windows\system32\wpdshextautoplay.exe
2011-11-15 12:54 . 2010-05-05 02:38 293376 ----a-w- c:\windows\system32\WISPTIS.EXE
2011-11-15 12:54 . 2009-10-19 18:06 223232 ----a-w- c:\windows\system32\wksprt.exe
2011-11-15 12:54 . 2009-10-09 19:56 22528 ----a-w- c:\windows\system32\winrshost.exe
2011-11-15 12:54 . 2009-10-09 21:22 69632 ----a-w- c:\windows\system32\winrs.exe
2011-11-15 12:54 . 2010-05-05 02:38 8704 ----a-w- c:\windows\system32\wdfmgr.exe
2011-11-15 12:54 . 2008-04-25 16:16 28672 ----a-w- c:\windows\system32\verclsid.exe
2011-11-15 12:54 . 2010-05-05 02:38 8704 ----a-w- c:\windows\system32\uwdf.exe
2011-11-15 12:54 . 2009-10-19 18:06 46080 ----a-w- c:\windows\system32\TSWbPrxy.exe
2011-11-15 12:53 . 2010-05-05 02:38 184832 ----a-w- c:\windows\system32\searchprotocolhost.exe
2011-11-15 12:53 . 2010-05-05 02:38 439808 ----a-w- c:\windows\system32\searchindexer.exe
2011-11-15 12:53 . 2010-05-05 02:38 87552 ----a-w- c:\windows\system32\searchfilterhost.exe
2011-11-15 12:53 . 2010-09-08 23:52 1503232 ----a-w- c:\windows\system32\ptj.exe
2011-11-15 12:53 . 2010-03-31 04:10 289280 ----a-w- c:\windows\system32\PresentationHost.exe
2011-11-15 12:52 . 2010-05-03 16:20 24576 ----a-w- c:\windows\system32\OEM02Srv.exe
2011-11-15 12:52 . 2010-05-05 05:17 356352 ----a-w- c:\windows\system32\nvudisp.exe
2011-11-15 12:52 . 2010-05-03 16:20 1339392 ----a-w- c:\windows\system32\nvdspsch.exe
2011-11-15 12:52 . 2010-05-03 16:20 753664 ----a-w- c:\windows\system32\nvcplui.exe
2011-11-15 12:52 . 2010-05-03 16:20 442368 ----a-w- c:\windows\system32\nvappbar.exe
2011-11-15 12:51 . 2008-04-25 16:16 51712 ----a-w- c:\windows\system32\migpwd.exe
2011-11-15 12:51 . 2010-05-03 16:20 425984 ----a-w- c:\windows\system32\keystone.exe
2011-11-15 12:51 . 2008-07-30 07:24 612864 ----a-w- c:\windows\system32\icardagt.exe
2011-11-15 12:50 . 2008-04-25 16:16 15872 ----a-w- c:\windows\system32\expand.exe
2011-11-15 12:50 . 2010-05-03 16:23 24576 ----a-w- c:\windows\system32\DSRIRREM.EXE
2011-11-15 12:50 . 2010-05-05 02:37 249856 ----a-w- c:\windows\system32\drmupgds.exe
2011-11-15 12:50 . 2008-04-25 16:16 20480 ----a-w- c:\windows\system32\cliconfg.exe
2011-11-15 12:49 . 2010-05-04 22:28 356352 ----a-w- c:\windows\system32\AegisI5Installer.exe
2011-11-15 12:23 . 2010-06-06 21:59 86016 ----a-w- c:\windows\unvise32qt.exe
2011-11-15 12:23 . 2010-05-05 05:16 405504 ----a-w- c:\windows\stsystra.exe
2011-11-15 12:23 . 2010-05-03 16:20 77824 ----a-w- c:\windows\setpwr32.exe
2011-11-15 12:22 . 2010-05-03 16:20 28672 ----a-w- c:\windows\OEM02Cfg.exe
2011-11-15 12:22 . 2010-05-03 16:20 90112 ----a-w- c:\windows\CtDrvIns.exe
2011-11-15 11:21 . 2008-04-25 16:16 11776 ----a-w- c:\windows\system32\regsvr32.exe
2011-11-15 11:11 . 2008-04-25 16:16 124928 ----a-w- c:\windows\system32\net1.exe
2011-11-15 11:11 . 2008-04-25 16:16 39424 ----a-w- c:\windows\system32\grpconv.exe
2011-11-15 03:13 . 2008-04-25 16:16 146432 ------w- c:\windows\regedit.exe
2011-11-15 03:13 . 2008-04-25 16:16 69120 ----a-w- c:\windows\system32\notepad.exe
2011-11-15 03:13 . 2008-04-25 16:16 389120 ----a-w- c:\windows\system32\cmd.exe
2011-11-15 03:13 . 2008-04-25 16:16 420864 ----a-w- c:\windows\system32\ntvdm.exe
2011-11-15 03:13 . 2008-04-25 16:16 514560 ----a-w- c:\windows\system32\logonui.exe
2011-11-15 03:12 . 2008-04-25 21:26 62976 ----a-w- c:\windows\system32\rdpclip.exe
2011-11-15 03:12 . 2008-04-25 16:16 135168 ----a-w- c:\windows\system32\cscript.exe
2011-11-15 02:26 . 2010-05-03 16:20 36864 ----a-w- c:\windows\OEM02Mon.exe
2011-11-15 02:26 . 2010-05-03 16:20 1626112 ----a-w- c:\windows\system32\nwiz.exe
2011-11-15 02:26 . 2008-04-25 16:16 26112 ----a-w- c:\windows\system32\userinit.exe
2011-11-15 02:26 . 2008-04-25 16:16 45568 ----a-w- c:\windows\system32\drwtsn32.exe
2011-10-18 23:04 . 2011-08-10 14:27 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22 . 2008-04-25 21:27 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2008-04-25 16:16 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41 . 2008-07-30 07:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2008-04-25 16:16 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2008-04-25 16:16 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-06 13:25 . 2008-04-25 16:16 1867904 ----a-w- c:\windows\system32\win32k.sys
2011-08-22 23:48 . 2008-04-25 16:16 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2008-04-25 16:16 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2008-04-25 16:16 1469440 ------w- c:\windows\system32\inetcpl.cpl
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-11-15 . 7C562E4506C257CE1A730084D62DE857 . 13824 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\wscntfy.exe
[-] 2011-11-15 . 7C562E4506C257CE1A730084D62DE857 . 13824 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\wscntfy.exe
[-] 2011-11-14 04:19 . !HASH: COULD NOT OPEN FILE !!!!! . 161280 . . [------] . . c:\windows\system32\wscntfy.exe
.
[-] 2011-11-15 . 1778EDDF5B6221F97D4F52A393311401 . 632832 . . [8.00.6001.18702] . . c:\windows\system32\dllcache\iexplore.exe
.
((((((((((((((((((((((((((((( SnapShot@2011-11-18_05.39.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-25 21:27 . 2011-11-19 14:05 53472 c:\windows\system32\dllcache\wuauclt.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SansaDispatch"="c:\documents and settings\Willy\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2011-11-15 1024000]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-05-05 8491008]
"nwiz"="nwiz.exe" [2011-11-15 1626112]
"NVHotkey"="nvHotkey.dll" [2007-11-06 81920]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-06 81920]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2011-11-15 36864]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-11-15 242176]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2011-11-15 823296]
"Launch LCDMon"="c:\program files\Common Files\Logitech\LCD Manager\LCDMon.exe" [2011-11-15 770560]
"EZGigMonitor.exe"="c:\program files\Apricorn\EZ Gig II\EZGigMonitor.exe" [2007-10-09 1169264]
"AcronisTimounterMonitor"="c:\program files\Apricorn\EZ Gig II\TimounterMonitor.exe" [2007-10-09 1949480]
.
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
desktop.ini~CL29UPQL [2010-5-4 84]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
desktop.ini~29G9CGMH [2010-5-4 84]
.
c:\documents and settings\Willy\Start Menu\Programs\Startup\
desktop.ini~NFDCDVNA [2010-5-4 84]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [N/A]
_uninst_86641713.lnk - c:\documents and settings\Willy\Local Settings\temp\_uninst_86641713.bat [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [N/A]
desktop.ini~QAQP9CP6 [2010-5-4 84]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [N/A]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
desktop.ini~H762R46B [2010-5-4 84]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [2011-07-11 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [2011-07-11 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys [2011-10-04 16720]
R3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe [2008-04-14 14336]
S0 06344987;06344987;c:\windows\system32\DRIVERS\06344987.sys [2011-11-15 133208]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [2011-07-11 23120]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [2011-09-13 32592]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [2011-10-07 230608]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [2011-07-11 295248]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2010-05-04 23:40]
.
2011-11-13 c:\windows\Tasks\switchShakeIcon.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2010-07-25 18:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-20 08:55
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SansaDispatch = c:\documents and settings\Willy\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe?????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(1316)
c:\windows\system32\relog_ap.dll
.
- - - - - - - > 'explorer.exe'(3124)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG2012\avgrsx.exe
c:\program files\AVG\AVG2012\avgcsrvx.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
c:\program files\Common Files\Logitech\LCD Manager\Applets\LCDPOP3.exe
c:\program files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe~PGRH68QI
.
**************************************************************************
.
Completion time: 2011-11-20 08:58:28 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-20 13:58
ComboFix2.txt 2011-11-18 05:42
ComboFix3.txt 2011-11-14 03:26
ComboFix4.txt 2011-11-13 22:11
.
Pre-Run: 334,606,921,728 bytes free
Post-Run: 334,585,384,960 bytes free
.
- - End Of File - - DD9A11BDFD2A459F064B8A07891F79C5
 
Hello

In other news that I see didn't get into the last post...

ComboFix still sees AVG running, but I don't see AVG in the uninstall programs.
When I try to install from All Programs under Start, the computer pop-up window says "Problem with shortcut". Do I want to delete this shortcut?

I take it this is an artifact of being virus-infected, but a number of shortcuts on this laptop aren't working now.
 
No, this is how AVG is stubborn...LOL...but don't worry about it as long as ComboFix runs.
The log looks much better.
We still seem to have an issue with one more system file, wscntfy.exe.
Attached is a zipped file from my XP.
Unzip it and paste the file again into the C:\ directory.

Re-run SystemLook with this code:

Code:
:filefind
wscntfy.exe
 

Attachments

  • wscntfy.zip (6.8 KB)
Hello
Here is the latest SystemLook file

SystemLook 30.07.11 by jpshortstuff
Log created at 20:59 on 20/11/2011 by Willy
Administrator - Elevation successful

========== filefind ==========

Searching for "wscntfy.exe"
C:\wscntfy.exe --a---- 13824 bytes [01:54 21/11/2011] [01:52 21/11/2011] E9EEB38B858B637F4F8FA3401F325DC5
C:\Documents and Settings\Willy\Desktop\wscntfy\wscntfy.exe --a---- 13824 bytes [02:33 31/10/2007] [01:52 21/11/2011] E9EEB38B858B637F4F8FA3401F325DC5
C:\WINDOWS\ERDNT\cache\wscntfy.exe --a---- 13824 bytes [21:23 13/11/2011] [12:41 15/11/2011] 7C562E4506C257CE1A730084D62DE857
C:\WINDOWS\system32\wscntfy.exe --a---- 161280 bytes [16:16 25/04/2008] [04:19 14/11/2011] (Unable to calculate MD5)
C:\WINDOWS\system32\dllcache\wscntfy.exe --a--c- 13824 bytes [16:16 25/04/2008] [12:58 15/11/2011] 7C562E4506C257CE1A730084D62DE857

-= EOF =-
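The two SystemLook logs above are read by eye: a copy of a system file whose size or MD5 differs from the known-clean copy dropped in C:\ is treated as suspect, and the locked wscntfy.exe whose hash SystemLook could not read is judged by its size alone. As an added example (not code from this thread or from SystemLook), the following Python script does that comparison for every ":filefind" block in a log; the sample input is assembled from the logs posted in this thread, and the convention that the reference copy sits directly in C:\ is an assumption of the script.

```python
import ntpath
import re
from collections import defaultdict

# One SystemLook ":filefind" result line, in the shape posted in this thread:
#   <path> <attrs> <size> bytes [<created>] [<modified>] <MD5 or "(Unable to calculate MD5)">
ENTRY_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] "
    r"(?P<md5>[0-9A-Fa-f]{32}|\(Unable to calculate MD5\))$"
)
SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"$')
UNREADABLE = "(Unable to calculate MD5)"

# Sample input, assembled from the two SystemLook logs posted in this thread.
SAMPLE_LOG = r"""
SystemLook 30.07.11 by jpshortstuff
========== filefind ==========

Searching for "explorer.exe"
C:\explorer.exe --a---- 1033728 bytes [10:42 14/04/2008] [14:05 19/11/2011] 12896823FB95BFB3DC9B46BCAEDC9923
C:\WINDOWS\explorer.exe --a---- 1033728 bytes [16:16 25/04/2008] [11:11 15/11/2011] A84DD07217CEB7E1560E82D0781DC0BA
C:\WINDOWS\ERDNT\cache\explorer.exe --a---- 1033728 bytes [21:23 13/11/2011] [12:41 15/11/2011] A84DD07217CEB7E1560E82D0781DC0BA
C:\WINDOWS\system32\dllcache\explorer.exe --a--c- 1033728 bytes [16:16 25/04/2008] [12:56 15/11/2011] A84DD07217CEB7E1560E82D0781DC0BA

Searching for "wuauclt.exe"
C:\wuauclt.exe --a---- 53472 bytes [00:24 07/08/2009] [14:05 19/11/2011] 62BB79160F86CD962F312C68C6239BFD
C:\WINDOWS\system32\wuauclt.exe --a---- 53472 bytes [21:27 25/04/2008] [21:49 05/05/2010] 62BB79160F86CD962F312C68C6239BFD
C:\WINDOWS\system32\dllcache\wuauclt.exe --a--c- 47104 bytes [21:27 25/04/2008] [12:58 15/11/2011] 15F9199144AEFC4062FE2FBE1DC8DFAD

Searching for "wscntfy.exe"
C:\wscntfy.exe --a---- 13824 bytes [01:54 21/11/2011] [01:52 21/11/2011] E9EEB38B858B637F4F8FA3401F325DC5
C:\WINDOWS\system32\wscntfy.exe --a---- 161280 bytes [16:16 25/04/2008] [04:19 14/11/2011] (Unable to calculate MD5)
C:\WINDOWS\system32\dllcache\wscntfy.exe --a--c- 13824 bytes [16:16 25/04/2008] [12:58 15/11/2011] 7C562E4506C257CE1A730084D62DE857

-= EOF =-
"""


def parse_filefind(text):
    """Return {filename: [entry, ...]} for every 'Searching for' block in a SystemLook log."""
    results = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m:
            current = m.group("name").lower()
            continue
        m = ENTRY_RE.match(line)
        if m and current:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            # A locked/in-use file yields no hash; keep None so the caller can tell.
            entry["md5"] = None if entry["md5"] == UNREADABLE else entry["md5"].upper()
            results[current].append(entry)
    return dict(results)


def compare_to_reference(entries, reference_dir="C:\\"):
    """Compare each copy of one file with the known-clean copy placed in reference_dir.

    Returns [(path, verdict)] for every non-reference copy, where verdict is one of:
      "match"            same size and MD5 as the reference
      "size mismatch"    different length (a file infector appends code, so this is the
                         strongest cue; it still works when the hash is unreadable)
      "hash mismatch"    same length, different MD5
      "hash unreadable"  same length, but SystemLook could not open the file
    A mismatch is a triage cue, not proof: a different patch level also changes size
    and hash (compare the 47104-byte dllcache wuauclt.exe in the sample).
    """
    ref = next((e for e in entries
                if ntpath.dirname(e["path"]).lower() == reference_dir.lower()), None)
    if ref is None:
        raise ValueError("no reference copy found in " + reference_dir)
    verdicts = []
    for e in entries:
        if e is ref:
            continue
        if e["size"] != ref["size"]:
            verdict = "size mismatch"
        elif e["md5"] is None:
            verdict = "hash unreadable"
        elif e["md5"] != ref["md5"]:
            verdict = "hash mismatch"
        else:
            verdict = "match"
        verdicts.append((e["path"], verdict))
    return verdicts


def triage(log_text, reference_dir="C:\\"):
    """Parse a whole SystemLook log and compare every searched file against its reference copy."""
    return {name: compare_to_reference(entries, reference_dir)
            for name, entries in parse_filefind(log_text).items()}


if __name__ == "__main__":
    for name, verdicts in triage(SAMPLE_LOG).items():
        print(name)
        for path, verdict in verdicts:
            print(f"  {verdict:16s} {path}")
```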
 
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box
  • Click OK
Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
FCopy::
C:\wscntfy.exe | C:\WINDOWS\system32\wscntfy.exe


3. Save the above as CFScript.txt

4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
Hello
Here is the latest ComboFix file

ComboFix 11-11-20.02 - Willy 11/20/2011 22:10:52.5.2 - x86
Running from: c:\documents and settings\Willy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Willy\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Willy\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
c:\windows\CSC\d6
.
.
--------------- FCopy ---------------
.
c:\wscntfy.exe --> c:\WINDOWS\system32\wscntfy.exe
.
((((((((((((((((((((((((( Files Created from 2011-10-21 to 2011-11-21 )))))))))))))))))))))))))))))))
.
.
2011-11-21 01:54 . 2011-11-21 01:52 13824 ------w- C:\wscntfy.exe
2011-11-15 12:49 . 2011-11-15 12:49 30208 ----a-w- c:\windows\system32\asr_fmt.exe.kav
2011-11-15 03:49 . 2011-11-15 10:56 133208 ----a-w- c:\windows\system32\drivers\06344987.sys
2011-11-14 04:07 . 2011-11-14 04:07 -------- d-----w- c:\program files\ESET
2011-11-14 01:17 . 2011-11-18 05:37 -------- d-----w- C:\ff73cd1785e82edb873a9ba1864eec01
2011-11-13 13:28 . 2011-11-13 13:28 -------- d-----w- c:\documents and settings\Willy\Application Data\Malwarebytes
2011-11-13 13:28 . 2011-11-13 13:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-11-13 01:48 . 2011-07-11 05:14 24272 ----a-w- c:\windows\system32\drivers\AVGIDSFilter.sys
2011-11-13 01:48 . 2011-07-11 05:14 23120 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys
2011-11-13 01:48 . 2011-07-11 05:14 134608 ----a-w- c:\windows\system32\drivers\AVGIDSDriver.sys
2011-11-13 01:48 . 2011-10-04 11:21 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
2011-11-13 01:48 . 2011-07-11 05:14 295248 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2011-11-13 01:48 . 2011-08-08 10:08 40016 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2011-11-13 01:48 . 2011-10-07 11:23 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-11-13 01:48 . 2011-09-13 10:30 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-11-13 01:38 . 2011-11-15 02:59 -------- d-----w- c:\program files\CCleaner
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-19 14:05 . 2008-04-25 21:27 53472 ----a-w- c:\windows\system32\wuauclt.exe
2011-11-19 14:05 . 2008-04-25 16:16 1033728 ----a-w- c:\windows\explorer.exe
2011-11-15 13:00 . 2006-10-15 04:44 597504 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-11-15 12:55 . 2010-05-05 02:38 146432 ----a-w- c:\windows\system32\WudfHost.exe
2011-11-15 12:55 . 2009-10-09 19:56 14848 ----a-w- c:\windows\system32\wsmprovhost.exe
2011-11-15 12:55 . 2009-10-09 19:56 225280 ----a-w- c:\windows\system32\wsmanhttpconfig.exe
2011-11-15 12:54 . 2010-05-05 02:38 17408 ----a-w- c:\windows\system32\wpdshextautoplay.exe
2011-11-15 12:54 . 2010-05-05 02:38 293376 ----a-w- c:\windows\system32\WISPTIS.EXE
2011-11-15 12:54 . 2009-10-19 18:06 223232 ----a-w- c:\windows\system32\wksprt.exe
2011-11-15 12:54 . 2009-10-09 19:56 22528 ----a-w- c:\windows\system32\winrshost.exe
2011-11-15 12:54 . 2009-10-09 21:22 69632 ----a-w- c:\windows\system32\winrs.exe
2011-11-15 12:54 . 2010-05-05 02:38 8704 ----a-w- c:\windows\system32\wdfmgr.exe
2011-11-15 12:54 . 2008-04-25 16:16 28672 ----a-w- c:\windows\system32\verclsid.exe
2011-11-15 12:54 . 2010-05-05 02:38 8704 ----a-w- c:\windows\system32\uwdf.exe
2011-11-15 12:54 . 2009-10-19 18:06 46080 ----a-w- c:\windows\system32\TSWbPrxy.exe
2011-11-15 12:53 . 2010-05-05 02:38 184832 ----a-w- c:\windows\system32\searchprotocolhost.exe
2011-11-15 12:53 . 2010-05-05 02:38 439808 ----a-w- c:\windows\system32\searchindexer.exe
2011-11-15 12:53 . 2010-05-05 02:38 87552 ----a-w- c:\windows\system32\searchfilterhost.exe
2011-11-15 12:53 . 2010-09-08 23:52 1503232 ----a-w- c:\windows\system32\ptj.exe
2011-11-15 12:53 . 2010-03-31 04:10 289280 ----a-w- c:\windows\system32\PresentationHost.exe
2011-11-15 12:52 . 2010-05-03 16:20 24576 ----a-w- c:\windows\system32\OEM02Srv.exe
2011-11-15 12:52 . 2010-05-05 05:17 356352 ----a-w- c:\windows\system32\nvudisp.exe
2011-11-15 12:52 . 2010-05-03 16:20 1339392 ----a-w- c:\windows\system32\nvdspsch.exe
2011-11-15 12:52 . 2010-05-03 16:20 753664 ----a-w- c:\windows\system32\nvcplui.exe
2011-11-15 12:52 . 2010-05-03 16:20 442368 ----a-w- c:\windows\system32\nvappbar.exe
2011-11-15 12:51 . 2008-04-25 16:16 51712 ----a-w- c:\windows\system32\migpwd.exe
2011-11-15 12:51 . 2010-05-03 16:20 425984 ----a-w- c:\windows\system32\keystone.exe
2011-11-15 12:51 . 2008-07-30 07:24 612864 ----a-w- c:\windows\system32\icardagt.exe
2011-11-15 12:50 . 2008-04-25 16:16 15872 ----a-w- c:\windows\system32\expand.exe
2011-11-15 12:50 . 2010-05-03 16:23 24576 ----a-w- c:\windows\system32\DSRIRREM.EXE
2011-11-15 12:50 . 2010-05-05 02:37 249856 ----a-w- c:\windows\system32\drmupgds.exe
2011-11-15 12:50 . 2008-04-25 16:16 20480 ----a-w- c:\windows\system32\cliconfg.exe
2011-11-15 12:49 . 2010-05-04 22:28 356352 ----a-w- c:\windows\system32\AegisI5Installer.exe
2011-11-15 12:23 . 2010-06-06 21:59 86016 ----a-w- c:\windows\unvise32qt.exe
2011-11-15 12:23 . 2010-05-05 05:16 405504 ----a-w- c:\windows\stsystra.exe
2011-11-15 12:23 . 2010-05-03 16:20 77824 ----a-w- c:\windows\setpwr32.exe
2011-11-15 12:22 . 2010-05-03 16:20 28672 ----a-w- c:\windows\OEM02Cfg.exe
2011-11-15 12:22 . 2010-05-03 16:20 90112 ----a-w- c:\windows\CtDrvIns.exe
2011-11-15 11:21 . 2008-04-25 16:16 11776 ----a-w- c:\windows\system32\regsvr32.exe
2011-11-15 11:11 . 2008-04-25 16:16 124928 ----a-w- c:\windows\system32\net1.exe
2011-11-15 11:11 . 2008-04-25 16:16 39424 ----a-w- c:\windows\system32\grpconv.exe
2011-11-15 03:13 . 2008-04-25 16:16 146432 ------w- c:\windows\regedit.exe
2011-11-15 03:13 . 2008-04-25 16:16 69120 ----a-w- c:\windows\system32\notepad.exe
2011-11-15 03:13 . 2008-04-25 16:16 389120 ----a-w- c:\windows\system32\cmd.exe
2011-11-15 03:13 . 2008-04-25 16:16 420864 ----a-w- c:\windows\system32\ntvdm.exe
2011-11-15 03:13 . 2008-04-25 16:16 514560 ----a-w- c:\windows\system32\logonui.exe
2011-11-15 03:12 . 2008-04-25 21:26 62976 ----a-w- c:\windows\system32\rdpclip.exe
2011-11-15 03:12 . 2008-04-25 16:16 135168 ----a-w- c:\windows\system32\cscript.exe
2011-11-15 02:26 . 2010-05-03 16:20 36864 ----a-w- c:\windows\OEM02Mon.exe
2011-11-15 02:26 . 2010-05-03 16:20 1626112 ----a-w- c:\windows\system32\nwiz.exe
2011-11-15 02:26 . 2008-04-25 16:16 26112 ----a-w- c:\windows\system32\userinit.exe
2011-11-15 02:26 . 2008-04-25 16:16 45568 ----a-w- c:\windows\system32\drwtsn32.exe
2011-10-18 23:04 . 2011-08-10 14:27 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22 . 2008-04-25 21:27 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2008-04-25 16:16 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41 . 2008-07-30 07:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2008-04-25 16:16 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2008-04-25 16:16 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-06 13:25 . 2008-04-25 16:16 1867904 ----a-w- c:\windows\system32\win32k.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-11-15 . 1778EDDF5B6221F97D4F52A393311401 . 632832 . . [8.00.6001.18702] . . c:\windows\system32\dllcache\iexplore.exe
.
((((((((((((((((((((((((((((( SnapShot@2011-11-18_05.39.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-25 21:27 . 2011-11-19 14:05 53472 c:\windows\system32\dllcache\wuauclt.exe
+ 2008-04-25 16:16 . 2010-05-05 02:33 13824 c:\windows\system32\dllcache\wscntfy.exe
- 2008-04-25 16:16 . 2011-11-15 12:58 13824 c:\windows\system32\dllcache\wscntfy.exe
+ 2008-04-25 16:16 . 2011-11-19 14:05 1033728 c:\windows\system32\dllcache\explorer.exe
- 2008-04-25 16:16 . 2011-11-15 12:56 1033728 c:\windows\system32\dllcache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SansaDispatch"="c:\documents and settings\Willy\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2011-11-15 1024000]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-05-05 8491008]
"nwiz"="nwiz.exe" [2011-11-15 1626112]
"NVHotkey"="nvHotkey.dll" [2007-11-06 81920]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-06 81920]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2011-11-15 36864]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-11-15 242176]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2011-11-15 823296]
"Launch LCDMon"="c:\program files\Common Files\Logitech\LCD Manager\LCDMon.exe" [2011-11-15 770560]
"EZGigMonitor.exe"="c:\program files\Apricorn\EZ Gig II\EZGigMonitor.exe" [2007-10-09 1169264]
"AcronisTimounterMonitor"="c:\program files\Apricorn\EZ Gig II\TimounterMonitor.exe" [2007-10-09 1949480]
.
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
desktop.ini~CL29UPQL [2010-5-4 84]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
desktop.ini~29G9CGMH [2010-5-4 84]
.
c:\documents and settings\Willy\Start Menu\Programs\Startup\
desktop.ini~NFDCDVNA [2010-5-4 84]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [N/A]
_uninst_86641713.lnk - c:\documents and settings\Willy\Local Settings\temp\_uninst_86641713.bat [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [N/A]
desktop.ini~QAQP9CP6 [2010-5-4 84]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [N/A]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
desktop.ini~H762R46B [2010-5-4 84]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [2011-07-11 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [2011-07-11 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys [2011-10-04 16720]
R3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe [2008-04-14 14336]
S0 06344987;06344987;c:\windows\system32\DRIVERS\06344987.sys [2011-11-15 133208]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [2011-07-11 23120]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [2011-09-13 32592]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [2011-10-07 230608]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [2011-07-11 295248]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2010-05-04 23:40]
.
2011-11-13 c:\windows\Tasks\switchShakeIcon.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2010-07-25 18:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
TCP: DhcpNameServer = 68.87.73.246 68.87.71.230
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-20 22:17
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SansaDispatch = c:\documents and settings\Willy\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe?????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(1316)
c:\windows\system32\relog_ap.dll
.
- - - - - - - > 'explorer.exe'(3632)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG2012\avgrsx.exe
c:\program files\AVG\AVG2012\avgcsrvx.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
c:\program files\Common Files\Logitech\LCD Manager\Applets\LCDPOP3.exe
c:\program files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe
.
**************************************************************************
.
Completion time: 2011-11-20 22:20:13 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-21 03:20
ComboFix2.txt 2011-11-20 13:58
ComboFix3.txt 2011-11-18 05:42
ComboFix4.txt 2011-11-14 03:26
ComboFix5.txt 2011-11-21 03:10
.
Pre-Run: 334,977,912,832 bytes free
Post-Run: 334,962,180,096 bytes free
.
- - End Of File - - AE70287FE176FE7938692E3027B6691A
 
I want to check one more file...

Open Windows Explorer. Go to Tools > Folder Options > View tab, and put a checkmark next to Show hidden files and folders.
Upload the following files to http://www.virustotal.com/ for a security check:
- c:\windows\system32\DRIVERS\06344987.sys
If the file is listed as already analyzed, click on Reanalyse file now button.
Post scan results.
 
Hello
I am not sure that I did what you requested. I just selected all and copied the whole deal.

1 VT Community user(s) with a total of 1 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name: 06344987.sys
Submission date: 2011-11-21 03:52:30 (UTC)
Current status: queued queued analysing finished


Result: 0/ 41 (0.0%)
VT Community

goodware
Safety score: 100.0%
Antivirus Version Last Update Result
AhnLab-V3 2011.11.20.00 2011.11.20 -
AntiVir 7.11.17.237 2011.11.21 -
Antiy-AVL 2.0.3.7 2011.11.21 -
Avast 6.0.1289.0 2011.11.20 -
AVG 10.0.0.1190 2011.11.20 -
BitDefender 7.2 2011.11.20 -
ByteHero 1.0.0.1 2011.11.14 -
ClamAV 0.97.3.0 2011.11.20 -
Commtouch 5.3.2.6 2011.11.20 -
Comodo 10780 2011.11.18 -
DrWeb 5.0.2.03300 2011.11.21 -
Emsisoft 5.1.0.11 2011.11.21 -
eSafe 7.0.17.0 2011.11.20 -
eTrust-Vet 37.0.9576 2011.11.19 -
F-Prot 4.6.5.141 2011.11.20 -
F-Secure 9.0.16440.0 2011.11.21 -
Fortinet 4.3.370.0 2011.11.21 -
GData 22 2011.11.21 -
Ikarus T3.1.1.109.0 2011.11.21 -
Jiangmin 13.0.900 2011.11.16 -
K7AntiVirus 9.119.5497 2011.11.19 -
Kaspersky 9.0.0.837 2011.11.21 -
McAfee 5.400.0.1158 2011.11.21 -
McAfee-GW-Edition 2010.1D 2011.11.20 -
Microsoft 1.7801 2011.11.20 -
NOD32 6646 2011.11.21 -
Norman 6.07.13 2011.11.20 -
nProtect 2011-11-20.01 2011.11.20 -
Panda 10.0.3.5 2011.11.20 -
PCTools 8.0.0.5 2011.11.21 -
Prevx 3.0 2011.11.21 -
Rising 23.84.04.02 2011.11.18 -
Sophos 4.71.0 2011.11.20 -
SUPERAntiSpyware 4.40.0.1006 2011.11.19 -
Symantec 20111.2.0.82 2011.11.21 -
TheHacker 6.7.0.1.345 2011.11.21 -
TrendMicro 9.500.0.1008 2011.11.21 -
TrendMicro-HouseCall 9.500.0.1008 2011.11.21 -
VIPRE 11102 2011.11.21 -
ViRobot 2011.11.21.4784 2011.11.21 -
VirusBuster 14.1.74.0 2011.11.20 -
Additional information
MD5 : 186b54479d98e48aee0e9ada4b3c4d31
SHA1 : bbf664068f0613d864b9107ce48a70b5f9171076
SHA256: a8c1577876cf16186610f26d7d859f8fda4057aafc33e8212339f56da6a5f874
ssdeep: 1536:mRsWc6M6h7eKmRi66uk1yRjRIRorRe2VCN3CgHx4NqctXos+pk1ilC2DP:mRsXnKv1yRjK+FCVTx4McposQk+D
File size : 133208 bytes
First seen: 2011-03-18 19:50:19
Last seen : 2011-11-21 03:52:30
TrID:
Win64 Executable Generic (95.5%)
Generic Win/DOS Executable (2.2%)
DOS Executable Generic (2.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Kaspersky Lab ZAO
copyright....: (c) 1997-2011 Kaspersky Lab ZAO.
product......: Kaspersky Anti-Virus
description..: Kaspersky Unified Driver
original name: KL1.SYS
internal name: KL1
file version.: 6.6.0.10
comments.....: n/a
signers......: Kaspersky Lab
VeriSign Class 3 Code Signing 2009-2 CA
Class 3 Public Primary Certification Authority
signing date.: 10:23 04/03/2011
verified.....: -

PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x36F0
timedatestamp....: 0x4D70AE22 (Fri Mar 04 09:17:22 2011)
machinetype......: 0x14c (I386)

[[ 6 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x1789C, 0x17A00, 6.40, 794a5360eb4e20ccf239c18c6451d366
.4lulz, 0x19000, 0x500000, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e
.data, 0x519000, 0x2F3C, 0x3000, 2.63, 9f754f34e66ff10b7e03246ee06345fe
INIT, 0x51C000, 0x5B8, 0x600, 5.25, 833bad5a3134fabc3763390213dcc1f8
.rsrc, 0x51D000, 0x410, 0x600, 2.47, 580c3fbc5f2ab30735cbbaf4a984bb42
.reloc, 0x51E000, 0x3360, 0x3400, 1.48, 962b9d130a712fd5ee4585bda528e896

[[ 2 import(s) ]]
ntoskrnl.exe: _purecall, sprintf, ExFreePool, ExAllocatePoolWithTag, ZwClose, ZwCreateFile, RtlInitUnicodeString, swprintf, ZwReadFile, ZwQueryInformationFile, memcpy, RtlAnsiStringToUnicodeString, RtlInitAnsiString, RtlAppendUnicodeStringToString, RtlFreeUnicodeString, strncmp, KeWaitForSingleObject, ObfDereferenceObject, ObReferenceObjectByHandle, PsCreateSystemThread, RtlFreeAnsiString, RtlUnicodeStringToAnsiString, InitSafeBootMode, RtlEqualUnicodeString, RtlCopyUnicodeString, RtlAppendUnicodeToString, KeReleaseMutex, PsSetLoadImageNotifyRoutine, IoRegisterBootDriverReinitialization, memset, IoDeleteDevice, IoCreateSymbolicLink, IoCreateDevice, PsGetVersion, _except_handler3, ZwQueryValueKey, RtlPrefixUnicodeString, _stricmp, strchr, IoAllocateIrp, _strnicmp, ZwQuerySystemInformation, IoGetRelatedDeviceObject, KeInitializeSpinLock, InterlockedIncrement, InterlockedDecrement, ZwOpenKey, ZwSetValueKey, ZwEnumerateValueKey, DbgPrint, IofCompleteRequest, KeInitializeMutex, rand, srand, memmove
HAL.dll: KfAcquireSpinLock, HalGetAdapter, KfReleaseSpinLock

ExifTool:
file metadata
CharacterSet: Unicode
CodeSize: 98304
CompanyName: Kaspersky Lab ZAO
EntryPoint: 0x36f0
FileDescription: Kaspersky Unified Driver
FileFlagsMask: 0x003f
FileOS: Windows NT 32-bit
FileSize: 130 kB
FileSubtype: 0
FileType: Win32 EXE
FileVersion: 6.6.0.10
FileVersionNumber: 6.6.0.10
ImageVersion: 0.0
InitializedDataSize: 27136
InternalName: KL1
LanguageCode: English (U.S.)
LegalCopyright: 1997-2011 Kaspersky Lab ZAO.
LegalTrademarks: Kaspersky Anti-Virus is registered trademark of Kaspersky Lab ZAO.
LinkerVersion: 8.0
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 4.0
ObjectFileType: Executable application
OriginalFilename: KL1.SYS
PEType: PE32
ProductName: Kaspersky Anti-Virus
ProductVersion: 1.0.0.0
ProductVersionNumber: 1.0.0.0
Subsystem: Native
SubsystemVersion: 4.0
TimeStamp: 2011:03:04 10:17:22+01:00
UninitializedDataSize: 5242880



VT Community

1
User:Anonymous

Reputation:1 credits

Comment date:2011-09-14 05:56:37 (UTC)
Kaspersky Unified Driver (Antivirus)
Tags: Goodware,
 
Hello
Got your PM.
The laptop is having problems launching Windows Media Player, AVG 2012, CCleaner and Audacity.
A popup claims there is a problem with the shortcut (moved or no longer working properly).
The desktop icons are changed to a generic icon, except Audacity.
The Audacity desktop icon is changed. When I click on the changed Audacity icon to start Audacity, I am only asked: do I want to uninstall Audacity and all of its components?

When I try to start Microsoft Word, a popup box appears saying there is a problem and I should go to setup and click repair. If I click outside of that popup, Word comes up without problems.
I can't seem to open any of the XP installed games either (like space cadet pinball).

Otherwise things seem fine.

I will run Malwarebytes again and post the log.
 
Hello
Here is the latest Malwarebytes log

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8206

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/21/2011 6:32:42 AM
mbam-log-2011-11-21 (06-32-42).txt

Scan type: Quick scan
Objects scanned: 173052
Time elapsed: 3 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 91

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Media Player (Virus.Expiro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{1B16CE61-2406-412F-969E-21BC082F76E8} (Virus.Expiro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{35B9A4B1-7CA6-4AEC-8762-1B590056C05D} (Virus.Expiro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{D61A27C0-8F53-11D0-BFA0-00A024151983} (Virus.Expiro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{8DE06D9A-7FB0-4A94-A7A3-33B5A1BF90D1} (Virus.Expiro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{87E403C2-6DAA-4C76-A3CD-FB6E344B86B8} (Virus.Expiro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{204810B3-73B2-11D4-BF42-00B0D0118B56} (Virus.Expiro) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\common files\microsoft shared\MSInfo\msinfo32.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\program files\internet explorer\iedw.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\program files\netmeeting\conf.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\program files\outlook express\oemig50.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\program files\outlook express\setup50.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\program files\outlook express\wabmig.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\program files\windows media player\migrate.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\program files\windows media player\setup_wm.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\program files\windows nt\dialer.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\makecab.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\rexec.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\accwiz.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\diantz.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dumprep.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\eventtriggers.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\fxssend.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\ipsec6.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\netsetup.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\mplay32.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\ntsd.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\packager.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\ping6.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\proxycfg.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\rdsaddin.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\rdshost.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\rsm.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\rsmsink.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\rsmui.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\rsnotify.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\setupn.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\spiisupd.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\stimon.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\sysocmgr.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\tlntsess.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\winchat.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wpabaln.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\actmovie.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\asr_fmt.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\asr_pfu.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\blastcln.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\ckcnv.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\clipbrd.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\ddeshare.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dpvsetup.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\freecell.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\fxsclnt.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\fxscover.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\ipv6.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\ipxroute.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\lpq.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\lpr.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\mqbkup.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\mqtgsvc.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\mshearts.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\ntbackup.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\regini.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\routemon.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\rsh.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\rtcshare.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\savedump.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\shmgrate.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\skeys.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\sndrec32.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\sol.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\syncapp.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\tcpsvcs.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\telnet.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\tftp.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\tracert6.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\upnpcont.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\usrmlnka.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\usrprbda.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\usrshuta.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wpnpinst.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wuauclt1.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xcopy.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\ahui.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\mmcperf.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\Com\comrepl.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\oobe\oobebaln.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wbem\mofcomp.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wbem\unsecapp.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wbem\wbemtest.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wbem\winmgmt.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wbem\wmiadap.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wbem\wmiprvse.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wbem\scrcons.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wbem\wmic.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\twunk_32.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\winhlp32.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\hh.exe (Virus.Expiro) -> Quarantined and deleted successfully.
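As an added example (not code from this thread, from Malwarebytes or from any other tool mentioned here), the script below parses an MBAM 1.x log of the shape just posted and answers the two questions a cleanup actually turns on: which detection families were found in which section, and which files under the Windows directory were deleted outright rather than disinfected, since a file infector such as Expiro lives inside legitimate executables and deleting the host leaves that program missing until it is restored. The sample log embedded in the script is constructed from a handful of the entries above, and the rule that every path under c:\windows counts as an OS file is an assumption for the example.

```python
"""Triage helper for a Malwarebytes' Anti-Malware 1.x text log.

Added example for this thread; it is not code from the forum, from
Malwarebytes or from any tool mentioned above.  It assumes the log layout
pasted in the thread: a summary block, then sections headed
"<Something> Infected:" whose entries read
    <path or registry key> (<Detection>) -> <action>.
"""
import re
from collections import Counter
from typing import List, NamedTuple, Optional, Tuple


class Detection(NamedTuple):
    section: str   # e.g. "Files Infected"
    item: str      # file path or registry key
    name: str      # e.g. "Virus.Expiro"
    action: str    # e.g. "Quarantined and deleted successfully"


# Section headers carry no count ("Files Infected:"); the summary lines at
# the top of the log do ("Files Infected: 91") and must not match.
_SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
# Entry lines.  The item may itself contain spaces and parentheses, so the
# detection name is taken from the LAST "(...)" followed by " -> ".
_ENTRY_RE = re.compile(r"^(?P<item>.+) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text: str) -> List[Detection]:
    """Return every detection entry in the log, tagged with its section."""
    found: List[Detection] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        header = _SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if not section or not line or line.startswith("(No malicious"):
            continue
        entry = _ENTRY_RE.match(line)
        if entry:
            found.append(Detection(section, entry["item"], entry["name"], entry["action"]))
    return found


def count_by_family(dets: List[Detection]) -> "Counter[Tuple[str, str]]":
    """Count detections by (section, detection name)."""
    return Counter((d.section, d.name) for d in dets)


# Assumption for this example: any path under c:\windows is an OS file.
SYSTEM_PREFIXES = ("c:\\windows\\",)


def deleted_system_files(dets: List[Detection]) -> List[str]:
    """OS executables the scanner deleted rather than disinfected.

    These are the candidates to restore from dllcache, SFC or the install
    media once the machine is clean; the registry entries are left out.
    """
    return sorted(
        d.item for d in dets
        if d.section == "Files Infected"
        and d.item.lower().startswith(SYSTEM_PREFIXES)
        and "deleted" in d.action.lower()
    )


# Constructed sample in the thread's log format (a few of the entries posted
# above, not the full 91-file log).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Registry Keys Infected: 1
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Media Player (Virus.Expiro) -> Quarantined and deleted successfully.

Files Infected:
c:\program files\internet explorer\iedw.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xcopy.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\sol.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wbem\wmic.exe (Virus.Expiro) -> Quarantined and deleted successfully.
c:\WINDOWS\hh.exe (Virus.Expiro) -> Quarantined and deleted successfully.
"""


if __name__ == "__main__":
    dets = parse_mbam_log(SAMPLE_LOG)
    for (section, name), n in sorted(count_by_family(dets).items()):
        print(f"{section}: {name} x{n}")
    print("OS files deleted rather than disinfected (restore these):")
    for path in deleted_system_files(dets):
        print("  " + path)
```

Run it against a real mbam-log-*.txt by reading the file into `parse_mbam_log` instead of `SAMPLE_LOG`; the list it prints is the one to walk through with the System File Checker or the dllcache copies after the infection is gone, which is why the shortcuts and games stop working once the infected hosts are removed.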
 
Hello
Adobe Flash player would like to update.
Windows is asking to install security updates in automatic updates.
I have done neither, awaiting your approval to do so.
 
Your computer was (maybe it still is) heavily infected.
Some programs may need to be reinstalled.
As for the shortcuts that don't work (generic icon), you'll have to create new ones.

You can install Adobe and Windows updates.

Keep AVG off for now as it'll interfere with other scans we're about to run.
Just make sure the Windows firewall is on, don't download anything or open any email attachments, and you'll be fine.

Now I want you to update and re-run MBAM to see if it'll discover anything new.

Then....

Please click HERE to download Kaspersky Virus Removal Tool.

  • Double click on the file you just downloaded and let it install.
  • It will install to your desktop (be patient; it may take a while).
  • Accept license agreement and click "Start" button.
  • Click on Settings button
    • In Scan scope, leave the pre-checked items as they are and also checkmark My Computer
    • In Actions, checkmark Select action: (disinfect; delete if disinfection fails) instead of the preselected Prompt on detection
  • Click on Automatic Scan tab and then click on Start scanning button.
  • Before it is done it may prompt for action regardless of the setting so choose delete if prompted.
  • When the scan is done NO log will be produced.
  • Click on Report button, then on Automatic Scan report tab.
  • Right click anywhere within right pane, click Select All then right click again and click Copy.
  • This will copy the items that it found to the clipboard. You can then open Notepad (go to Start, then Run, then type in notepad) and choose Paste to paste the contents into Notepad.
  • You can save this on the desktop.
  • Post the contents of the document in your next reply.

NOTE. If Kaspersky's log is very big....
Upload the file(s) here: http://www.filedropper.com/
Post download link (copy URL: link):
 
Hello
Windows security updates KB981997 and KB952069 refuse to load.

Here is today's MBAM log. I will run Kaspersky again per instructions.

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8211

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/21/2011 6:40:03 PM
mbam-log-2011-11-21 (18-40-03).txt

Scan type: Quick scan
Objects scanned: 172944
Time elapsed: 4 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
Hello
I forgot to mention that the Kaspersky scan stopped with a BSOD.
The screen mentioned a STOP: 0x000000F4 (0x00000003, 0x86915B28, 0x86915C9C, 0x805D29B4)
I hard rebooted and continued the scan.
 
Very good.

Now..... How is the computer doing?

Download OTL to your Desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Scan All Users checkbox.
  • Under the Custom Scan box paste this in:


netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
The computer is still as it was in reply #63 (13 hours ago). I noticed that I don't have QuickTime Player or Picture Project (Nikon photo management program) either. Just more damage from the virus, I guess. I will run OTL now.
 
Back