Solved Search-results.com hijack

J

Jimmy99

Posts: 38   +0
Hello,

I hope I've got this right...(apologies if not - please just tell me what to correct): my pc has been hijacked by the search-results.com trojan/virus/malware.

The symptoms are: I cannot install any other search engine than search-results.com; all searches go there if not specifically directed elsewhere.

We've got myself, missus and 2 kids using the pc.

I have followed the instructions in the UPDATED 5-step Viruses/Spyware/Malware Preliminary Removal Instructions posting here -

https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/

Here are the logs requested in that thread.

mbam log:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8393

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

18/12/2011 14:26:23
mbam-log-2011-12-18 (14-26-23).txt

Scan type: Quick scan
Objects scanned: 241616
Time elapsed: 11 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



GMER log

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-12-18 15:10:43
Windows 6.1.7601 Service Pack 1 Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-2 WDC_WD10EARS-00Y5B1 rev.80.00A80
Running: djvcu76b.exe; Driver: C:\Users\LOVELY~1\AppData\Local\Temp\fxdirfow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\tdx \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----


DDS Logs

Attach

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 04/10/2010 17:38:52
System Uptime: 18/12/2011 06:03:30 (8 hours ago)
.
Motherboard: Gigabyte Technology Co., Ltd. | | EG41MF-US2H
Processor: Intel(R) Core(TM)2 Quad CPU @ 2.66GHz | Socket 775 | 1573/266mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 932 GiB total, 393.698 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 932 GiB total, 448.712 GiB free.
F: is Removable
G: is Removable
H: is Removable
I: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: USB SD Reader
Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_SD_READER&REV_1.00#058F312D81B&0#
Manufacturer: Generic
Name: F:\
PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_SD_READER&REV_1.00#058F312D81B&0#
Service: WUDFRd
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: NETGEAR WN121T Wireless USB 2.0 Adapter
Device ID: USB\VID_0846&PID_7100\5&21E739F&0&5
Manufacturer: Marvell
Name: NETGEAR WN121T Wireless USB 2.0 Adapter #6
PNP Device ID: USB\VID_0846&PID_7100\5&21E739F&0&5
Service: MRV6X32U
.
Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: USB SM Reader
Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_SM_READER&REV_1.02#058F312D81B&2#
Manufacturer: Generic
Name: H:\
PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_SM_READER&REV_1.02#058F312D81B&2#
Service: WUDFRd
.
Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
Description: Officejet 6500 E709n
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Officejet 6500 E709n
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:
.
Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: USB CF Reader
Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_CF_READER&REV_1.01#058F312D81B&1#
Manufacturer: Generic
Name: G:\
PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_CF_READER&REV_1.01#058F312D81B&1#
Service: WUDFRd
.
Class GUID: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
Description: Officejet 6500 E709n
Device ID: ROOT\IMAGE\0000
Manufacturer: HP
Name: Officejet 6500 E709n
PNP Device ID: ROOT\IMAGE\0000
Service: StillCam
.
Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: USB MS Reader
Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_MS_READER&REV_1.03#058F312D81B&3#
Manufacturer: Generic
Name: I:\
PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_MS_READER&REV_1.03#058F312D81B&3#
Service: WUDFRd
.
==== System Restore Points ===================
.
RP97: 12/11/2011 03:00:43 - Windows Update
RP99: 13/11/2011 12:44:48 - Installed Rapport
RP100: 02/12/2011 13:54:02 - Scheduled Checkpoint
RP101: 09/12/2011 21:46:08 - Scheduled Checkpoint
RP102: 15/12/2011 03:01:39 - Windows Update
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
6500_E709_BasicWeb
6500_E709_Help_BasicWeb
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Reader 9.4.6
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Astaro SSL VPN Client 1.7
AVG 2012
Bonjour
bpd_scan
BPDSoftware_Ini
BufferChm
Definition update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Google Earth
Google Update Helper
HP Officejet 6500 E709 Series
iCloud
iLivid
iTunes
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 4 Client Profile
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Home and Student 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Single Image 2010
Microsoft Office Word MUI (English) 2010
Microsoft Silverlight
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Monitor Webcam Driver (1.01.02.0804)
Mozilla Thunderbird (3.1.4)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Network
NVIDIA Display Control Panel
NVIDIA Drivers
Picasa 3
PVSonyDll
QuickTime
Rapport
Scan
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft Office 2010 (KB2553091)
Security Update for Microsoft Office 2010 (KB2553096)
Security Update for Microsoft Office 2010 (KB2553353) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition
Skype Toolbars
Skype™ 5.1
Toolbox
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft Excel 2010 (KB2553439) 32-Bit Edition
Update for Microsoft Office 2010 (KB2494150)
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553385) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553455) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2553323) 32-Bit Edition
Update for Microsoft Outlook Social Connector (KB2583935)
VLC media player 0.9.9
WebReg
Windows iLivid Toolbar
Windows Live ID Sign-in Assistant
WinRAR 4.00 (32-bit)
WinX Free DVD Ripper 4.5.11
.
==== Event Viewer Messages From Past Week ========
.
15/12/2011 03:00:24, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the eventlog service.
14/12/2011 20:19:08, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {B77C4C36-0154-4C52-AB49-FAA03837E47F} and APPID {EA022610-0748-4C24-B229-6C507EBDFDBB} to the user Swithin-PC\Fuppin SID (S-1-5-21-2094982589-3593926033-3433730535-1004) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
14/12/2011 17:47:22, Error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.0.4 with the system having network hardware address 28-6A-BA-DE-28-F3. Network operations on this system may be disrupted as a result.
13/12/2011 16:32:30, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk6\DR7.
13/12/2011 16:32:17, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the lmhosts service.
12/12/2011 20:21:05, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {B77C4C36-0154-4C52-AB49-FAA03837E47F} and APPID {EA022610-0748-4C24-B229-6C507EBDFDBB} to the user Swithin-PC\Lovely Wiffle SID (S-1-5-21-2094982589-3593926033-3433730535-1005) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
.
==== End Of File ===========================

DDS
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Lovely Wiffle at 14:48:22 on 2011-12-18
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.2046.442 [GMT 0:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\DllHost.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\Astaro\Astaro SSL VPN Client\bin\openvpn-gui.exe
C:\Program Files\Windows iLivid Toolbar\Datamngr\datamngrUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil11c_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.searchqu.com/406
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\progra~1\wi3c8a~1\datamngr\toolbar\searchqudtx.dll
BHO: DataMngr: {9d717f81-9148-4f12-8568-69135f087db0} - c:\progra~1\wi3c8a~1\datamngr\BROWSE~1.DLL
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
TB: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\progra~1\wi3c8a~1\datamngr\toolbar\searchqudtx.dll
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil11c_ActiveX.exe -update activex
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [openvpn-gui] c:\program files\astaro\astaro ssl vpn client\bin\openvpn-gui.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [DATAMNGR] c:\progra~1\wi3c8a~1\datamngr\DATAMN~1.EXE
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{1F3F7F69-89E8-47FD-A589-43C16F89DF64} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{730377BB-A24F-46A3-B036-20151F8BB84F} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{83577039-801F-4B4B-9448-FEA856FF38F9} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{A4A40A6A-5902-4EA2-A618-0C6415EE6F98} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{C11992E8-F779-4E20-91BC-1FF3127ED1BC} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{C6FDA310-9773-43B6-B06E-A520D1E62CD7} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{D14C0527-984E-49C9-8A90-215D25C78BFF} : DhcpNameServer = 192.168.0.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: c:\progra~1\wi3c8a~1\datamngr\datamngr.dll c:\progra~1\wi3c8a~1\datamngr\IEBHO.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2011-11-7 56208]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
R1 RapportCerberus_34302;RapportCerberus_34302;c:\programdata\trusteer\rapport\store\exts\rapportcerberus\34302\RapportCerberus32_34302.sys [2011-12-15 228208]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2011-11-7 71440]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2011-11-7 164112]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-12-18 366152]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2011-11-7 931640]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134736]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-10-4 16720]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-18 22216]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
R3 Ph3xIB32;Philips 713x Inbox PCI TV Card;c:\windows\system32\drivers\Ph3xIB32.sys [2009-6-10 1311232]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-8 136176]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-10-8 136176]
S3 MRV6X32U;Marvell TOPDOG 802.11n WLAN Driver for Vista x86 (USB8x);c:\windows\system32\drivers\MRVW24B.sys [2008-3-19 310016]
S3 OA002Afx;Provides a software interface to control audio effects of OA002 camera.;c:\windows\system32\drivers\OA002Afx.sys [2007-6-8 148056]
S3 OA002Ufd;Creative Camera OA002 Upper Filter Driver;c:\windows\system32\drivers\OA002Ufd.sys [2008-6-3 144672]
S3 OA002Vid;Creative Camera OA002 Function Driver;c:\windows\system32\drivers\OA002Vid.sys [2008-8-1 268672]
S3 RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2010-1-7 375808]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-10-7 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-10-6 1343400]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-9-28 315392]
.
=============== Created Last 30 ================
.
2011-12-18 14:12:19 -------- d-----w- c:\users\lovely wiffle\appdata\roaming\Malwarebytes
2011-12-18 14:12:08 -------- d-----w- c:\programdata\Malwarebytes
2011-12-18 14:12:05 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-18 14:12:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-18 13:13:59 -------- d-----w- C:\TDSSKiller_Quarantine
2011-12-17 07:34:18 -------- d-----w- c:\program files\iPod
2011-12-17 07:34:17 -------- d-----w- c:\program files\iTunes
2011-12-14 18:24:04 2342912 ----a-w- c:\windows\system32\win32k.sys
2011-12-14 18:23:54 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-14 18:22:14 534528 ----a-w- c:\windows\system32\EncDec.dll
2011-12-14 18:22:10 38912 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-14 18:22:04 3967856 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-12-14 18:22:04 3912560 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-12-13 19:53:47 -------- dc-h--w- c:\programdata\{B49A644A-1076-4A3D-B124-DAA7862F2318}
2011-12-13 19:53:37 -------- d-----w- c:\program files\iLivid
2011-12-13 19:52:49 -------- d-----w- c:\program files\Windows iLivid Toolbar
2011-12-13 19:52:31 -------- d-----w- c:\users\lovely wiffle\appdata\local\PackageAware
2011-12-06 19:23:51 158056 ----a-w- c:\programdata\microsoft\windows\sqm\manifest\Sqm10139.bin
2011-12-01 21:39:38 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2011-12-01 21:39:38 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2011-12-01 21:39:38 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2011-12-01 21:39:38 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2011-12-01 21:39:38 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2011-12-01 21:39:38 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2011-12-01 21:39:38 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
.
==================== Find3M ====================
.
2011-11-07 21:28:38 56208 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2011-11-03 22:47:42 1798144 ----a-w- c:\windows\system32\jscript9.dll
2011-11-03 22:40:21 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-03 22:39:47 1127424 ----a-w- c:\windows\system32\wininet.dll
2011-11-03 22:31:57 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-10-24 14:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 14:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-09 11:26:20 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-07 19:15:53 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-10-07 06:23:48 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-10-04 06:21:28 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
2011-09-29 16:03:04 1290608 ----a-w- c:\windows\system32\drivers\tcpip.sys
.
============= FINISH: 14:49:04.31 ===============
 
Welcome aboard
yahooo.gif


Please, observe following rules:
  • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
  • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

============================================================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan:


On completion of the scan click "Save log", save it to your desktop and post in your next reply:


NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

=========================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.



Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode (How to...)

2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Ok - run combofix

Firstly - Broni: thank you for your help. We're really grateful. We are pretty stuffed here right now!

So - before I post the logs I'm sorry. I misread the instructions - and did not uninstall AVG. I thought I had stopped it - but apparently not. However, while it did object to various combofix files as it ran, at each stage it appeared to ask what I should do and I instructed to continue. I hope this hasn't screwed it up...

Please let me know what I need to do next.

Here is the log.

ComboFix 11-12-18.01 - Lovely Wiffle 18/12/2011 20:52:16.1.4 - x86
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.2046.894 [GMT 0:00]
Running from: c:\users\Fuppin\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Fuppin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{294E4DDC-2F12-41F7-973F-7CA48616C7E5}.xps
c:\users\Fuppin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{68B5DD66-2041-4191-B936-86813B45C017}.xps
c:\users\Fuppin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{AB7B793F-27DA-40E3-88A3-9DD44711F114}.xps
c:\users\Fuppin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{C31823A5-480A-4ADB-BB7D-7D910FA3A8EB}.xps
c:\users\Fuppin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{F5F6E0BC-6866-4AB0-9A55-9E6051F949F6}.xps
c:\users\Fuppin\Documents\~WRL3656.tmp
.
.
((((((((((((((((((((((((( Files Created from 2011-11-18 to 2011-12-18 )))))))))))))))))))))))))))))))
.
.
2011-12-18 21:03 . 2011-12-18 21:03 -------- d-----w- c:\users\Swithin\AppData\Local\temp
2011-12-18 21:02 . 2011-12-18 21:04 -------- d-----w- c:\users\Lovely Wiffle\AppData\Local\temp
2011-12-18 21:02 . 2011-12-18 21:02 -------- d-----w- c:\users\Fynnj\AppData\Local\temp
2011-12-18 21:02 . 2011-12-18 21:02 -------- d-----w- c:\users\Fuppin\AppData\Local\temp
2011-12-18 21:02 . 2011-12-18 21:02 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-18 21:02 . 2011-12-18 21:02 -------- d-----w- c:\users\Guest\AppData\Local\temp
2011-12-18 14:12 . 2011-12-18 14:12 -------- d-----w- c:\users\Lovely Wiffle\AppData\Roaming\Malwarebytes
2011-12-18 14:12 . 2011-12-18 14:12 -------- d-----w- c:\programdata\Malwarebytes
2011-12-18 14:12 . 2011-12-18 14:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-18 14:12 . 2011-08-31 17:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-18 13:13 . 2011-12-18 13:13 -------- d-----w- C:\TDSSKiller_Quarantine
2011-12-17 07:34 . 2011-12-17 07:34 -------- d-----w- c:\program files\iPod
2011-12-17 07:34 . 2011-12-17 07:35 -------- d-----w- c:\program files\iTunes
2011-12-15 03:05 . 2011-11-03 23:16 141112 ----a-w- c:\program files\Internet Explorer\sqmapi.dll
2011-12-14 18:24 . 2011-11-24 04:25 2342912 ----a-w- c:\windows\system32\win32k.sys
2011-12-14 18:23 . 2011-11-05 04:26 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-14 18:22 . 2011-10-15 05:38 534528 ----a-w- c:\windows\system32\EncDec.dll
2011-12-14 18:22 . 2011-10-26 04:28 38912 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-14 18:22 . 2011-10-26 04:47 3967856 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-12-14 18:22 . 2011-10-26 04:47 3912560 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-12-13 19:53 . 2011-12-13 19:53 -------- d-----w- c:\users\Fuppin\AppData\Local\Ilivid Player
2011-12-13 19:53 . 2011-12-13 19:53 -------- dc-h--w- c:\programdata\{B49A644A-1076-4A3D-B124-DAA7862F2318}
2011-12-13 19:53 . 2011-12-13 19:53 -------- d-----w- c:\program files\iLivid
2011-12-13 19:52 . 2011-12-13 19:52 -------- d-----w- c:\program files\Windows iLivid Toolbar
2011-12-13 19:52 . 2011-12-13 19:52 -------- d-----w- c:\users\Lovely Wiffle\AppData\Local\PackageAware
2011-12-13 19:22 . 2011-12-13 19:22 -------- d-----w- c:\users\Fuppin\PDFReader
2011-12-06 19:23 . 2011-12-06 19:23 158056 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10139.bin
2011-12-01 21:39 . 2011-12-01 21:39 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
2011-12-01 21:39 . 2011-12-01 21:39 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
2011-12-01 21:39 . 2011-12-01 21:39 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2011-12-01 21:39 . 2011-12-01 21:39 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2011-12-01 21:39 . 2011-12-01 21:39 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2011-12-01 21:39 . 2011-12-01 21:39 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2011-12-01 21:39 . 2011-12-01 21:39 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2011-11-26 12:26 . 2011-11-27 10:17 -------- d-----w- c:\users\Fuppin\AppData\Local\Adobe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-07 21:28 . 2011-11-07 21:28 56208 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2011-10-24 14:29 . 2011-10-24 14:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 14:29 . 2011-10-24 14:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-09 11:26 . 2011-08-11 16:14 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-07 20:07 . 2011-10-07 20:07 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-10-07 20:07 . 2011-10-07 20:07 161792 ----a-w- c:\windows\system32\msls31.dll
2011-10-07 20:07 . 2011-10-07 20:07 86528 ----a-w- c:\windows\system32\iesysprep.dll
2011-10-07 20:07 . 2011-10-07 20:07 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-10-07 20:07 . 2011-10-07 20:07 63488 ----a-w- c:\windows\system32\tdc.ocx
2011-10-07 20:07 . 2011-10-07 20:07 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-10-07 20:07 . 2011-10-07 20:07 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-10-07 20:07 . 2011-10-07 20:07 74752 ----a-w- c:\windows\system32\iesetup.dll
2011-10-07 20:07 . 2011-10-07 20:07 367104 ----a-w- c:\windows\system32\html.iec
2011-10-07 20:07 . 2011-10-07 20:07 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-10-07 20:07 . 2011-10-07 20:07 23552 ----a-w- c:\windows\system32\licmgr10.dll
2011-10-07 20:07 . 2011-10-07 20:07 152064 ----a-w- c:\windows\system32\wextract.exe
2011-10-07 20:07 . 2011-10-07 20:07 150528 ----a-w- c:\windows\system32\iexpress.exe
2011-10-07 20:07 . 2011-10-07 20:07 35840 ----a-w- c:\windows\system32\imgutil.dll
2011-10-07 20:07 . 2011-10-07 20:07 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2011-10-07 20:07 . 2011-10-07 20:07 11776 ----a-w- c:\windows\system32\mshta.exe
2011-10-07 20:07 . 2011-10-07 20:07 101888 ----a-w- c:\windows\system32\admparse.dll
2011-10-07 19:15 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-10-07 06:23 . 2011-10-07 06:23 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-10-04 06:21 . 2011-10-04 06:21 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
2011-09-29 16:03 . 2011-11-08 20:17 1290608 ----a-w- c:\windows\system32\drivers\tcpip.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-12-03 2415456]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"openvpn-gui"="c:\program files\Astaro\Astaro SSL VPN Client\bin\openvpn-gui.exe" [2010-08-11 265216]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\WI3C8A~1\Datamngr\datamngr.dll c:\progra~1\WI3C8A~1\Datamngr\IEBHO.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-10-08 136176]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-10-08 136176]
R3 MRV6X32U;Marvell TOPDOG 802.11n WLAN Driver for Vista x86 (USB8x);c:\windows\system32\DRIVERS\MRVW24B.sys [2008-03-19 310016]
R3 OA002Afx;Provides a software interface to control audio effects of OA002 camera.;c:\windows\system32\Drivers\OA002Afx.sys [2007-06-08 148056]
R3 OA002Ufd;Creative Camera OA002 Upper Filter Driver;c:\windows\system32\DRIVERS\OA002Ufd.sys [2008-06-03 144672]
R3 OA002Vid;Creative Camera OA002 Function Driver;c:\windows\system32\DRIVERS\OA002Vid.sys [2008-08-01 268672]
R3 RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\rtl8187.sys [2010-01-07 375808]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-10-05 1343400]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
R3 WinRing0_1_2_0;WinRing0_1_2_0;c:\users\Swithin\Desktop\RealTemp_360\WinRing0.sys [x]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-09-28 315392]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [2011-07-11 23120]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [2011-09-13 32592]
S0 RapportKELL;RapportKELL;c:\windows\System32\Drivers\RapportKELL.sys [2011-11-07 56208]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [2011-10-07 230608]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [2011-07-11 295248]
S1 RapportCerberus_34302;RapportCerberus_34302;c:\programdata\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys [2011-12-15 228208]
S1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [2011-11-07 71440]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2011-11-07 164112]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [2011-10-12 4433248]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [2011-08-02 192776]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2011-11-07 931640]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [2011-07-11 134736]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [2011-07-11 24272]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys [2011-10-04 16720]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-08-31 22216]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
S3 Ph3xIB32;Philips 713x Inbox PCI TV Card;c:\windows\system32\DRIVERS\Ph3xIB32.sys [2009-07-13 1311232]
S3 RapportIaso;RapportIaso;c:\programdata\trusteer\rapport\store\exts\rapportms\28896\rapportiaso.sys [2011-08-07 21520]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 77622951
*NewlyCreated* - ASWMBR
*NewlyCreated* - FXDIRFOW
*NewlyCreated* - MBAMPROTECTOR
*NewlyCreated* - RAPPORTIASO
*Deregistered* - 77622951
*Deregistered* - aswMBR
*Deregistered* - fxdirfow
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-08 18:10]
.
2011-12-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-08 18:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.searchqu.com/406
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-10 - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,02,40,b0,e3,16,3d,ca,4d,b9,97,75,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,02,40,b0,e3,16,3d,ca,4d,b9,97,75,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-12-18 21:08:23
ComboFix-quarantined-files.txt 2011-12-18 21:08
ComboFix2.txt 2010-03-03 09:54
.
Pre-Run: 426,208,395,264 bytes free
Post-Run: 432,247,132,160 bytes free
.
- - End Of File - - 1FFFBC47AB51AC87A6496C9BA9FA35DE
 
Also...

Broni: I realised as well that all of this was performed under a non-admin user.

If I need to reperform, please let me know

Jimmy
 
aswMBR log

Broni,

I couldn't find the one I ran yesterday so have rerun this morning. Output is below.

I've got to go travelling till Weds now - but thank you for your help: really appreciated. I will pick this up again on Weds pm when I get back.

Here is the log.

Cheers


Jimmy


aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-12-19 06:47:05
-----------------------------
06:47:05.114 OS Version: Windows 6.1.7601 Service Pack 1
06:47:05.114 Number of processors: 4 586 0xF07
06:47:05.114 ComputerName: SWITHIN-PC UserName: Swithin
06:47:35.110 Initialize success
06:47:40.227 AVAST engine defs: 11121801
06:49:40.088 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
06:49:40.088 Disk 0 Vendor: WDC_WD10EARS-00Y5B1 80.00A80 Size: 953869MB BusType: 3
06:49:40.088 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-2
06:49:40.088 Disk 1 Vendor: WDC_WD10EARS-00Y5B1 80.00A80 Size: 953869MB BusType: 3
06:49:42.131 Disk 1 MBR read successfully
06:49:42.131 Disk 1 MBR scan
06:49:42.131 Disk 1 Windows 7 default MBR code
06:49:42.131 Disk 1 scanning sectors +1953523712
06:49:42.178 Disk 1 scanning C:\Windows\system32\drivers
06:49:52.880 Service scanning
06:49:55.548 Modules scanning
06:50:02.131 Disk 1 trace - called modules:
06:50:02.162 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS intelide.sys PCIIDEX.SYS atapi.sys
06:50:02.178 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0x85ad6030]
06:50:02.178 3 CLASSPNP.SYS[88fab59e] -> nt!IofCallDriver -> [0x855f8918]
06:50:02.178 5 ACPI.sys[88cbd3d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T1L0-2[0x855e8030]
06:50:04.533 AVAST engine scan C:\Windows
06:50:09.634 AVAST engine scan C:\Windows\system32
06:52:35.073 AVAST engine scan C:\Windows\system32\drivers
06:52:50.595 AVAST engine scan C:\Users\Swithin
07:25:31.581 AVAST engine scan C:\ProgramData
07:26:44.840 Scan finished successfully
07:27:14.917 Disk 1 MBR has been saved successfully to "C:\Users\Swithin\Documents\My Documents\MBR.dat"
07:27:14.917 The log file has been saved successfully to "C:\Users\Swithin\Documents\My Documents\aswMBR.txt"
 
All looks good.

How is computer doing?

Download OTL to your Desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Scan All Users checkbox.
  • Under the Custom Scan box paste this in:


netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
Thanks -

OK - I'll do this tonight and post back as requested. Many thanks.

Is there anything I can check to see if the pc is now clean? I'm pretty nervous about checking email, buying anything etc with it now... Should I be?
 
OTL Done

Broni,

OTL is done - many thanks. Here is the log.

Do you mind telling me what these processes have done?

Many thanks,

Jimmy


OTL logfile created on: 12/21/2011 8:08:59 AM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\Swithin\Downloads
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 0.90 Gb Available Physical Memory | 45.24% Memory free
4.00 Gb Paging File | 2.45 Gb Available in Paging File | 61.32% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 931.51 Gb Total Space | 401.83 Gb Free Space | 43.14% Space Free | Partition Type: NTFS
Drive E: | 931.51 Gb Total Space | 448.71 Gb Free Space | 48.17% Space Free | Partition Type: NTFS

Computer Name: SWITHIN-PC | User Name: Swithin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/12/21 08:02:27 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Swithin\Downloads\OTL.exe
PRC - [2011/12/06 10:17:56 | 001,694,608 | ---- | M] (Bandoo Media, inc) -- C:\Program Files\Windows iLivid Toolbar\Datamngr\datamngrUI.exe
PRC - [2011/12/03 01:22:12 | 002,415,456 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgtray.exe
PRC - [2011/11/28 01:19:04 | 001,229,664 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgnsx.exe
PRC - [2011/11/07 21:28:26 | 001,652,536 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
PRC - [2011/11/07 21:28:26 | 000,931,640 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
PRC - [2011/10/12 06:25:22 | 004,433,248 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
PRC - [2011/10/10 06:23:34 | 000,973,664 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgemcx.exe
PRC - [2011/10/09 11:26:20 | 000,247,968 | ---- | M] (Adobe Systems, Inc.) -- C:\Windows\System32\Macromed\Flash\FlashUtil11c_ActiveX.exe
PRC - [2011/09/08 19:53:26 | 000,743,264 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgrsx.exe
PRC - [2011/08/31 17:00:48 | 000,449,608 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2011/08/31 17:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2011/08/15 05:21:40 | 000,337,760 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgcsrvx.exe
PRC - [2011/08/02 05:09:08 | 000,192,776 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe
PRC - [2011/07/21 23:07:38 | 000,718,720 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
PRC - [2011/02/25 05:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2010/11/20 12:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2010/08/11 14:23:54 | 000,265,216 | ---- | M] () -- C:\Program Files\Astaro\Astaro SSL VPN Client\bin\openvpn-gui.exe


========== Modules (No Company Name) ==========

MOD - [2011/10/30 20:57:06 | 000,557,056 | ---- | M] () -- C:\Program Files\Trusteer\Rapport\bin\js32.dll
MOD - [2011/08/07 14:51:10 | 000,516,368 | ---- | M] () -- C:\ProgramData\Trusteer\Rapport\store\exts\RapportMS\28896\RapportMS.dll
MOD - [2011/06/24 21:56:36 | 000,087,328 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/06/24 21:56:14 | 001,241,888 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2010/08/11 14:23:54 | 000,265,216 | ---- | M] () -- C:\Program Files\Astaro\Astaro SSL VPN Client\bin\openvpn-gui.exe


========== Win32 Services (SafeList) ==========

SRV - [2011/11/07 21:28:26 | 000,931,640 | ---- | M] (Trusteer Ltd.) [Auto | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe -- (RapportMgmtService)
SRV - [2011/10/12 06:25:22 | 004,433,248 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe -- (AVGIDSAgent)
SRV - [2011/08/31 17:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011/08/02 05:09:08 | 000,192,776 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe -- (avgwd)
SRV - [2010/10/05 17:40:21 | 001,343,400 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2010/08/11 14:23:54 | 000,039,936 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Astaro\Astaro SSL VPN Client\bin\openvpnserv.exe -- (OpenVPNService)
SRV - [2009/07/14 01:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/14 01:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


========== Driver Services (SafeList) ==========

DRV - [2011/12/15 16:57:01 | 000,228,208 | ---- | M] () [Kernel | System | Running] -- C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys -- (RapportCerberus_34302)
DRV - [2011/11/07 21:28:40 | 000,071,440 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys -- (RapportEI)
DRV - [2011/11/07 21:28:38 | 000,164,112 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys -- (RapportPG)
DRV - [2011/11/07 21:28:38 | 000,056,208 | ---- | M] (Trusteer Ltd.) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\RapportKELL.sys -- (RapportKELL)
DRV - [2011/10/07 06:23:48 | 000,230,608 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2011/10/04 06:21:28 | 000,016,720 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AVGIDSShim.sys -- (AVGIDSShim)
DRV - [2011/09/13 05:30:10 | 000,032,592 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\system32\DRIVERS\avgrkx86.sys -- (Avgrkx86)
DRV - [2011/08/31 17:00:50 | 000,022,216 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2011/08/08 05:08:58 | 000,040,016 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\Windows\System32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2011/07/11 00:14:38 | 000,295,248 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgtdix.sys -- (Avgtdix)
DRV - [2011/07/11 00:14:14 | 000,024,272 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AVGIDSFilter.sys -- (AVGIDSFilter)
DRV - [2011/07/11 00:14:12 | 000,134,736 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AVGIDSDriver.sys -- (AVGIDSDriver)
DRV - [2011/07/11 00:14:12 | 000,023,120 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\AVGIDSEH.Sys -- (AVGIDSEH)
DRV - [2010/11/20 10:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/11/20 09:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2010/08/11 14:23:50 | 000,034,384 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tap0901.sys -- (tap0901)
DRV - [2010/07/10 04:37:00 | 011,008,040 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2010/01/07 02:20:22 | 000,375,808 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\RTL8187.sys -- (RTL8187)
DRV - [2009/09/28 08:22:00 | 000,315,392 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\yk62x86.sys -- (yukonw7)
DRV - [2009/07/13 22:54:15 | 001,311,232 | ---- | M] (NXP Semiconductors) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Ph3xIB32.sys -- (Ph3xIB32)
DRV - [2009/07/13 22:02:46 | 001,096,704 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2008/08/01 00:01:00 | 000,268,672 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\OA002Vid.sys -- (OA002Vid)
DRV - [2008/06/03 16:30:24 | 000,144,672 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\OA002Ufd.sys -- (OA002Ufd)
DRV - [2008/05/06 16:06:00 | 000,011,520 | ---- | M] (Western Digital Technologies) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\wdcsam.sys -- (WDC_SAM)
DRV - [2008/03/19 06:10:54 | 000,310,016 | ---- | M] (Marvell Semiconductor, Inc) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\MRVW24B.sys -- (MRV6X32U) Marvell TOPDOG 802.11n WLAN Driver for Vista x86 (USB8x)
DRV - [2007/06/08 00:00:02 | 000,148,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\OA002Afx.sys -- (OA002Afx)
DRV - [2004/08/13 08:56:20 | 000,005,810 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ASACPI.sys -- (MTsensor)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2094982589-3593926033-3433730535-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/news
IE - HKU\S-1-5-21-2094982589-3593926033-3433730535-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-2094982589-3593926033-3433730535-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
IE - HKU\S-1-5-21-2094982589-3593926033-3433730535-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = BE 7C DC B6 45 65 CB 01 [binary data]
IE - HKU\S-1-5-21-2094982589-3593926033-3433730535-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2094982589-3593926033-3433730535-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1;*.local

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG2012\Firefox4\ [2011/12/13 16:40:15 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 3.1.4\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2011/12/01 21:39:38 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 3.1.4\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\avgthb@avg.com: C:\Program Files\AVG\AVG2012\Thunderbird\ [2011/12/13 16:39:57 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2011/12/18 21:04:43 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [DATAMNGR] C:\Program Files\Windows iLivid Toolbar\Datamngr\datamngrUI.exe (Bandoo Media, inc)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [openvpn-gui] C:\Program Files\Astaro\Astaro SSL VPN Client\bin\openvpn-gui.exe ()
O4 - HKU\S-1-5-21-2094982589-3593926033-3433730535-1000..\Run: [OfficeSyncProcess] C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000009 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1F3F7F69-89E8-47FD-A589-43C16F89DF64}: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{730377BB-A24F-46A3-B036-20151F8BB84F}: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{83577039-801F-4B4B-9448-FEA856FF38F9}: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{A4A40A6A-5902-4EA2-A618-0C6415EE6F98}: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C11992E8-F779-4E20-91BC-1FF3127ED1BC}: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C6FDA310-9773-43B6-B06E-A520D1E62CD7}: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D14C0527-984E-49C9-8A90-215D25C78BFF}: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - AppInit_DLLs: (C:\PROGRA~1\WI3C8A~1\Datamngr\datamngr.dll) -C:\Program Files\Windows iLivid Toolbar\Datamngr\datamngr.dll (Bandoo Media, inc)
O20 - AppInit_DLLs: (C:\PROGRA~1\WI3C8A~1\Datamngr\IEBHO.dll) -C:\Program Files\Windows iLivid Toolbar\Datamngr\IEBHO.dll (Bandoo Media, inc)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) -C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 21:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{8519a49a-30fd-11e0-ac2e-1c6f65529952}\Shell - "" = AutoRun
O33 - MountPoints2\{8519a49a-30fd-11e0-ac2e-1c6f65529952}\Shell\AutoRun\command - "" = "J:\WD SmartWare.exe" autoplay=true
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/12/18 21:08:29 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2011/12/18 21:08:25 | 000,000,000 | ---D | C] -- C:\Users\Swithin\AppData\Local\temp
[2011/12/18 20:46:38 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2011/12/18 20:46:37 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2011/12/18 20:46:37 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2011/12/18 20:46:25 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/12/18 14:12:09 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/12/18 14:12:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011/12/18 14:12:05 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2011/12/18 14:12:05 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/12/18 13:13:59 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2011/12/17 07:35:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2011/12/17 07:34:18 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2011/12/17 07:34:17 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2011/12/15 03:05:07 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2011/12/15 03:05:06 | 001,798,144 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2011/12/15 03:05:06 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2011/12/15 03:05:05 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2011/12/15 03:05:05 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2011/12/15 03:05:03 | 001,427,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2011/12/14 18:24:04 | 002,342,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2011/12/14 18:23:54 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll
[2011/12/14 18:22:14 | 000,534,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\EncDec.dll
[2011/12/14 18:22:10 | 000,038,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\csrsrv.dll
[2011/12/14 18:22:04 | 003,967,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2011/12/14 18:22:04 | 003,912,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2011/12/13 19:53:47 | 000,000,000 | -H-D | C] -- C:\ProgramData\{B49A644A-1076-4A3D-B124-DAA7862F2318}
[2011/12/13 19:53:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iLivid
[2011/12/13 19:53:37 | 000,000,000 | ---D | C] -- C:\Program Files\iLivid
[2011/12/13 19:52:49 | 000,000,000 | ---D | C] -- C:\Program Files\Windows iLivid Toolbar
[2011/12/01 21:39:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
[2011/11/26 15:05:52 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Picasa 3

========== Files - Modified Within 30 Days ==========

[2011/12/21 08:09:26 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/12/21 08:00:03 | 084,711,103 | ---- | M] () -- C:\Windows\System32\drivers\AVG\incavi.avm
[2011/12/21 07:59:30 | 000,347,502 | ---- | M] () -- C:\Windows\System32\drivers\AVG\iavichjg.avm
[2011/12/21 07:56:47 | 000,000,888 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/12/21 07:56:19 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/12/19 07:59:45 | 000,014,832 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/12/19 07:59:45 | 000,014,832 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/12/19 07:51:42 | 370,936,782 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/12/19 07:51:42 | 1609,424,896 | -HS- | M] () -- C:\hiberfil.sys
[2011/12/18 21:04:43 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2011/12/18 14:12:09 | 000,001,071 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/12/17 07:35:58 | 000,001,753 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2011/12/15 03:28:22 | 000,406,968 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011/12/13 19:53:45 | 000,000,913 | ---- | M] () -- C:\Users\Public\Desktop\iLivid Download Manager.lnk
[2011/12/13 16:40:16 | 000,000,935 | ---- | M] () -- C:\Users\Public\Desktop\AVG 2012.lnk
[2011/12/12 21:06:14 | 000,628,024 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/12/12 21:06:14 | 000,110,208 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/12/12 20:01:44 | 000,001,105 | ---- | M] () -- C:\Users\Swithin\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Outlook.lnk
[2011/12/01 21:39:17 | 000,001,815 | ---- | M] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2011/11/26 15:14:46 | 000,001,092 | ---- | M] () -- C:\Users\Swithin\Application Data\Microsoft\Internet Explorer\Quick Launch\Picasa 3.lnk
[2011/11/26 15:14:46 | 000,001,068 | ---- | M] () -- C:\Users\Public\Desktop\Picasa 3.lnk
[2011/11/24 04:25:27 | 002,342,912 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys

========== Files Created - No Company Name ==========

[2011/12/18 20:46:38 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2011/12/18 20:46:38 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2011/12/18 20:46:37 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/12/18 20:46:37 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/12/18 20:46:37 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/12/18 14:12:09 | 000,001,071 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/12/17 07:35:58 | 000,001,753 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2011/12/13 19:53:45 | 000,000,913 | ---- | C] () -- C:\Users\Public\Desktop\iLivid Download Manager.lnk
[2011/12/01 21:39:17 | 000,001,815 | ---- | C] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2011/11/26 15:14:46 | 000,001,092 | ---- | C] () -- C:\Users\Swithin\Application Data\Microsoft\Internet Explorer\Quick Launch\Picasa 3.lnk
[2011/11/26 15:14:46 | 000,001,068 | ---- | C] () -- C:\Users\Public\Desktop\Picasa 3.lnk
[2011/02/15 19:22:48 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2010/11/16 18:35:22 | 000,007,623 | ---- | C] () -- C:\Users\Swithin\AppData\Local\Resmon.ResmonCfg
[2010/10/06 22:23:16 | 000,188,627 | ---- | C] () -- C:\Windows\hpwins23.dat
[2010/10/06 22:23:16 | 000,001,501 | ---- | C] () -- C:\Windows\hpwmdl23.dat
[2009/07/14 04:57:37 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/14 04:33:53 | 000,406,968 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2009/07/14 02:05:48 | 000,628,024 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2009/07/14 02:05:48 | 000,291,294 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2009/07/14 02:05:48 | 000,110,208 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2009/07/14 02:05:48 | 000,031,548 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2009/07/14 02:05:05 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2009/07/14 02:04:11 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2009/07/13 23:55:01 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 23:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 23:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009/06/10 21:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2004/08/13 08:56:20 | 000,005,810 | ---- | C] () -- C:\Windows\System32\drivers\ASACPI.sys

< End of report >
 
OTL Extras file

Broni - sorry: there was this one too.

I've been through every user and have managed to remove all references to searchqu.com as search engine. In one instance that was only possible by installing another search provider in the list: doing this somehow enabled the remove button again. Hoping it is now clean!

Many thanks,


Jimmy



OTL Extras logfile created on: 12/21/2011 8:08:59 AM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\Swithin\Downloads
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 0.90 Gb Available Physical Memory | 45.24% Memory free
4.00 Gb Paging File | 2.45 Gb Available in Paging File | 61.32% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 931.51 Gb Total Space | 401.83 Gb Free Space | 43.14% Space Free | Partition Type: NTFS
Drive E: | 931.51 Gb Total Space | 448.71 Gb Free Space | 48.17% Space Free | Partition Type: NTFS

Computer Name: SWITHIN-PC | User Name: Swithin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office14\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{06A1D88C-E102-4527-AF70-29FFD7AF215A}" = Scan
"{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}" = Windows Live ID Sign-in Assistant
"{097CDB1E-07C9-40F1-9972-F0F9F3A287E4}" = Network
"{0E52A52C-E120-461C-AA1B-21B045BEE842}" = bpd_scan
"{11968F04-71FB-4C8C-B4D8-14FA4171EE36}" = 6500_E709_Help_BasicWeb
"{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}" = Rapport
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{292F0F52-B62D-4E71-921B-89A682402201}" = Toolbox
"{343666E2-A059-48AC-AD67-230BF74E2DB2}" = Apple Application Support
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3D3E663D-4E7E-4577-A560-7ECDDD45548A}" = PVSonyDll
"{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
"{4C8C6D37-CA3C-4EF6-A1E5-0D188E7B6021}" = HP Officejet 6500 E709 Series
"{4E74D41C-5864-4561-9F6B-069372513A0B}" = AVG 2012
"{5A3C1721-F8ED-11E0-8AFB-B8AC6F97B88E}" = Google Earth
"{60FFB3E0-6D5B-4D73-AE5B-07E58B83AF0C}" = 32 Bit HP CIO Components Installer
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
"{8153ED9A-C94A-426E-9880-5E6775C08B62}" = Apple Mobile Device Support
"{8398852A-7B61-4808-8F58-D0A40D1B2CB6}" = AVG 2012
"{86196C81-759C-4F74-8DFF-36F9F50FEEAC}" = 6500_E709_BasicWeb
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8D15E1B2-D2B7-4A17-B44B-D2DDE5981406}" = iLivid
"{8EE94FD8-5F52-4463-A340-185D16328158}" = WebReg
"{90140000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010
"{90140000-0015-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010
"{90140000-0016-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010
"{90140000-0018-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010
"{90140000-0019-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010
"{90140000-001A-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010
"{90140000-001B-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-0409-0000-0000000FF1CE}_Office14.SingleImage_{99ACCA38-6DD3-48A8-96AE-A283C9759279}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
"{90140000-001F-040C-0000-0000000FF1CE}_Office14.SingleImage_{46298F6A-1E7E-4D4A-B5F5-106A4F0E48C6}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010
"{90140000-001F-0C0A-0000-0000000FF1CE}_Office14.SingleImage_{DEA87BE2-FFCC-4F33-9946-FCBE55A1E998}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010
"{90140000-002C-0409-0000-0000000FF1CE}_Office14.SingleImage_{7CA93DF4-8902-449E-A42E-4C5923CFBDE3}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-003D-0000-0000-0000000FF1CE}" = Microsoft Office Single Image 2010
"{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{047B0968-E622-4FAA-9B4B-121FA109EDDE}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010
"{90140000-006E-0409-0000-0000000FF1CE}_Office14.SingleImage_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010
"{90140000-00A1-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010
"{90140000-0115-0409-0000-0000000FF1CE}_Office14.SingleImage_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010
"{90140000-0117-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{95140000-007A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook Connector
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.6
"{B7DBF6E8-0D17-4BE4-853B-ACD6EFBD4A1F}" = iTunes
"{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}" = Skype Toolbars
"{E633D396-5188-4E9D-8F6B-BFB8BF3467E8}" = Skype™ 5.1
"{FA0FF682-CC70-4C57-93CD-E276F3E7537E}" = BufferChm
"{FAD96046-769E-4A4B-949B-8D29D885EFD6}" = BPDSoftware_Ini
"{FDB5E0F3-86EA-4379-8A2F-1BC2436543E9}" = iCloud
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Astaro SSL VPN Client" = Astaro SSL VPN Client 1.7
"AVG" = AVG 2012
"Creative OA002" = Monitor Webcam Driver (1.01.02.0804)
"iLivid" = iLivid
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Mozilla Thunderbird (3.1.4)" = Mozilla Thunderbird (3.1.4)
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA Drivers" = NVIDIA Drivers
"Office14.SingleImage" = Microsoft Office Home and Student 2010
"Picasa 3" = Picasa 3
"Rapport_msi" = Rapport
"VLC media player" = VLC media player 0.9.9
"Windows Searchqu Toolbar" = Windows iLivid Toolbar
"WinRAR archiver" = WinRAR 4.00 (32-bit)
"WinX Free DVD Ripper_is1" = WinX Free DVD Ripper 4.5.11

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/18/2011 2:38:53 PM | Computer Name = SWITHIN-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 12/18/2011 2:38:53 PM | Computer Name = SWITHIN-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 13697

Error - 12/18/2011 2:38:53 PM | Computer Name = SWITHIN-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 13697

Error - 12/18/2011 4:23:29 PM | Computer Name = SWITHIN-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 12/18/2011 4:23:29 PM | Computer Name = SWITHIN-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 6289711

Error - 12/18/2011 4:23:29 PM | Computer Name = SWITHIN-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 6289711

Error - 12/18/2011 4:35:17 PM | Computer Name = Swithin-PC | Source = Customer Experience Improvement Program | ID = 1008
Description =

Error - 12/19/2011 2:30:26 AM | Computer Name = Swithin-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 12/19/2011 2:30:26 AM | Computer Name = Swithin-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 30631249

Error - 12/19/2011 2:30:26 AM | Computer Name = Swithin-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 30631249

[ System Events ]
Error - 12/1/2011 5:31:34 PM | Computer Name = Swithin-PC | Source = Service Control Manager | ID = 7031
Description = The Apple Mobile Device service terminated unexpectedly. It has done
this 2 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 12/1/2011 5:32:34 PM | Computer Name = Swithin-PC | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart
the service) after the unexpected termination of the Apple Mobile Device service,
but this action failed with the following error: %%1056

Error - 12/12/2011 4:21:05 PM | Computer Name = Swithin-PC | Source = DCOM | ID = 10016
Description =

Error - 12/13/2011 12:32:17 PM | Computer Name = Swithin-PC | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
response from the lmhosts service.

Error - 12/13/2011 12:32:19 PM | Computer Name = Swithin-PC | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk6\DR7.

Error - 12/13/2011 12:32:30 PM | Computer Name = Swithin-PC | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk6\DR7.

Error - 12/13/2011 12:32:30 PM | Computer Name = Swithin-PC | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk6\DR7.

Error - 12/14/2011 1:47:22 PM | Computer Name = Swithin-PC | Source = Tcpip | ID = 4199
Description = The system detected an address conflict for IP address 192.168.0.4
with the system having network hardware address 28-6A-BA-DE-28-F3. Network operations
on this system may be disrupted as a result.

Error - 12/14/2011 4:19:08 PM | Computer Name = Swithin-PC | Source = DCOM | ID = 10016
Description =

Error - 12/14/2011 11:00:24 PM | Computer Name = Swithin-PC | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
response from the eventlog service.


< End of report >
 
Well, we've been running different scanning tools in order to clean your computer.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code: 
    :OTL
IE - HKU\S-1-5-21-2094982589-3593926033-3433730535-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1;*.local
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O33 - MountPoints2\{8519a49a-30fd-11e0-ac2e-1c6f65529952}\Shell - "" = AutoRun
O33 - MountPoints2\{8519a49a-30fd-11e0-ac2e-1c6f65529952}\Shell\AutoRun\command - "" = "J:\WD SmartWare.exe" autoplay=true

:Commands
[purity]
[emptytemp]
[emptyflash]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.

============================================================

Last scans...

1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.


2. Download Temp File Cleaner (TFC)
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart computer.


3. Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click on List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • NOTE. If Eset won't find any threats, it won't produce any log.
 
First one - rerun of OTL with script - I'll do the next piece now.


All processes killed
========== OTL ==========
HKU\S-1-5-21-2094982589-3593926033-3433730535-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\Windows\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8519a49a-30fd-11e0-ac2e-1c6f65529952}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8519a49a-30fd-11e0-ac2e-1c6f65529952}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8519a49a-30fd-11e0-ac2e-1c6f65529952}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8519a49a-30fd-11e0-ac2e-1c6f65529952}\ not found.
File "J:\WD SmartWare.exe" autoplay=true not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 56502 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Fuppin
->Temp folder emptied: 157634 bytes
->Temporary Internet Files folder emptied: 260906086 bytes
->Flash cache emptied: 28650 bytes

User: Fynnj
->Temp folder emptied: 149272 bytes
->Temporary Internet Files folder emptied: 202477064 bytes
->Flash cache emptied: 92659 bytes

User: Guest
->Temp folder emptied: 1448 bytes
->Temporary Internet Files folder emptied: 71937501 bytes
->Flash cache emptied: 1596 bytes

User: Lovely Wiffle
->Temp folder emptied: 150024 bytes
->Temporary Internet Files folder emptied: 288947547 bytes
->Flash cache emptied: 9056 bytes

User: Public
->Temp folder emptied: 0 bytes

User: Swithin
->Temp folder emptied: 51093115 bytes
->Temporary Internet Files folder emptied: 394830552 bytes
->Flash cache emptied: 10929 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 23398 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 1,212.00 mb


[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Fuppin
->Flash cache emptied: 0 bytes

User: Fynnj
->Flash cache emptied: 0 bytes

User: Guest
->Flash cache emptied: 0 bytes

User: Lovely Wiffle
->Flash cache emptied: 0 bytes

User: Public

User: Swithin
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.31.0 log created on 12222011_204537

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
 
Here's the next one - from securitycheck.exe


Results of screen317's Security Check version 0.99.24
Windows 7 Service Pack 1 x86 (UAC is enabled)
Internet Explorer 9
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
AVG 2012
[size=1]WMI entry may not exist for antivirus; attempting automatic update.[/size]
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
Mozilla Thunderbird (3.1.4) Thunderbird Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent
Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
``````````End of Log````````````
 
Broni - ESET is still running (has been going for some time now). Unfortunately my pc goes to sleep if I don't sit near it and I am travelling from tomorrow. I'll try to get it finished tonight if I can. Bear with me.

Many thanks,

Jimmy
 
OK - finally done!

Here's the output

(Any more to do?)


C:\Users\Fuppin\Downloads\PDFReaderSetup.exe Win32/InstallCore.Gen application deleted - quarantined
C:\Users\Fuppin\PDFReader\Uninstall\Uninstall.exe Win32/InstallCore.Gen application deleted - quarantined
C:\Users\Swithin\Documents\My Documents - backup\My Music\Azureus\VMware Workstation v6.rar probably a variant of Win32/Agent.CAKSVUJ trojan deleted - quarantined
E:\Backup\Documents and Settings\Swith\My Documents - backup\My Music\Azureus\VMware Workstation v6.rar probably a variant of Win32/Agent.CAKSVUJ trojan deleted - quarantined
 
You may as well.

Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code: 
:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post resulting log.

2. Now, we'll remove all tools, we used during our cleaning process

Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure, Windows Updates are current.

4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. (Windows XP only) Run defrag at your convenience.

11. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

13. Please, let me know, how your computer is doing.
 
OK - just seen your last post. That's going to take some doing. I'm away to bed now - and back in a week. I'll turn off and then follow these steps when I get back.

Many thanks for your help Broni. Really appreciate it.

Happy christmas/holidays

Jimmy.
 
OK - here's the OTL log from first run.



All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Fuppin
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Fynnj
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Lovely Wiffle
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: Swithin
->Temp folder emptied: 183565 bytes
->Temporary Internet Files folder emptied: 35673225 bytes
->Flash cache emptied: 1092 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 11515 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 34.00 mb


[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Fuppin
->Flash cache emptied: 0 bytes

User: Fynnj
->Flash cache emptied: 0 bytes

User: Guest
->Flash cache emptied: 0 bytes

User: Lovely Wiffle
->Flash cache emptied: 0 bytes

User: Public

User: Swithin
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb



OTL by OldTimer - Version 3.2.31.0 log created on 12232011_230631

Files\Folders moved on Reboot...
C:\Users\Swithin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\Swithin\AppData\Local\Trusteer\Rapport\user\logs\koan.3260.log moved successfully.
C:\Users\Swithin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\Swithin\AppData\Local\Trusteer\Rapport\user\logs\koan.4816.log moved successfully.
C:\Users\Swithin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\Swithin\AppData\Local\Trusteer\Rapport\user\logs\koan.7932.log moved successfully.
C:\Users\Swithin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\IH3GMT3K\emily[3].htm moved successfully.
C:\Users\Swithin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\IH3GMT3K\evolution-christmas-and-the-atonement[1].htm moved successfully.
C:\Users\Swithin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\EN87FEHN\google_co_uk[1].htm moved successfully.
C:\Users\Swithin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\EN87FEHN\hub.1324331373[1].htm moved successfully.
C:\Users\Swithin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\EN87FEHN\tweet_button.1324331373[1].htm moved successfully.
C:\Users\Swithin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\C6KF6Z76\showthread[1].htm moved successfully.
C:\Users\Swithin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\8U4WXO49\iframe3[1].htm moved successfully.
C:\Users\Swithin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\8U4WXO49\iframe3[2].htm moved successfully.
C:\Users\Swithin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\8U4WXO49\iframe3[3].htm moved successfully.
C:\Users\Swithin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\57UWQSDG\22620-2[1].htm moved successfully.
C:\Users\Swithin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\57UWQSDG\22622-15[1].htm moved successfully.
C:\Users\Swithin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\57UWQSDG\26799-15[1].htm moved successfully.
C:\Users\Swithin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\57UWQSDG\like[1].htm moved successfully.
C:\Users\Swithin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\20WQD111\afr[1].htm moved successfully.
C:\Users\Swithin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\20WQD111\afr[2].htm moved successfully.
C:\Users\Swithin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\ED8654D5-B9F0-4DD9-B3E8-F8F560086FDF.dat moved successfully.
C:\Users\Swithin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.

Registry entries deleted on Reboot...
 
You must log in or register to reply here.

Similar threads

uber_beetle
Infected with fake ad pop-ups - posting FRST and Addition
Replies
12
Views
2K
uber_beetle
uber_beetle
wshknwntlprtmn
  • Locked
Inactive Not sure what's going on here....
Replies
12
Views
3K
Broni
Broni
A
Infected: Antivirus says it's Trojan:Script/Wacatac.H!ml
Replies
12
Views
3K
adidaman27
A

Latest posts

Back