
my explorer.exe is infected with Trojan.Bamital aka TR/Patched.Gen


  • This topic is locked
18 replies to this topic

#1 keiran0

keiran0

  • Members
  • 12 posts
  • OFFLINE
  • Local time:11:48 PM

Posted 03 January 2011 - 09:09 AM

Hi,

I've searched around to see if another thread could answer my question, however, there seems to be many similar threads each giving slightly different advice so hopefully someone can help me with what to do in my specific case.

Previously Avira detected an infection in explorer.exe (TR/Patched.Gen) and I moved the file to quarantine as advised. I restarted my PC to find that when I logged in Windows no longer worked and I was just presented with a black screen; task manager etc. still worked. I then did a system restore to get Windows running again and now I'm back to square one with the explorer.exe still infected.

I've tried a few different antivirus tools (Norton says the explorer.exe is infected with Trojan.Bamital; I assume this is the same infection with a different name) and most say I have around 50 infections, including wininit.exe also being infected with TR/Patched.Gen.

I can delete most of the files without problem, I assume, so my question is: how do I clean the infected files that are essential for Windows to run?

Any help would be really appreciated. Thanks in advance for replies.

^
Above was my original post. I was then instructed to follow some steps in preparation (Defogger, DDS logs etc.), which I am now going to add to this post. However, when trying to run GMER.exe I have three times gone to a blue screen with the message 'physical memory dump', followed by my computer restarting. I will attempt again and, if successful, I will attach the results in a reply, although I don't hold out much hope. If someone could help me without the GMER part that would be great.

Thanks again.



DDS (Ver_10-12-12.02) - NTFSx86
Run by Keiran at 13:32:18.74 on 03-Jan-11
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3071.1878 [GMT 0:00]

AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
FW: ZoneAlarm Firewall *Enabled* {D17DF357-CFF5-F001-D1C1-FCD21DFE3D5E}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\ZoneLabs\vsmon.exe
C:\Program Files\Protector Suite QL\upeksvr.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\PnkBstrB.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
"C:\Users\Keiran\AppData\Roaming\svchost.exe"
C:\Program Files\Avira\AntiVir Desktop\avcenter.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wuauclt.exe
C:\Users\Keiran\Desktop\Defogger.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\conhost.exe
C:\Users\Keiran\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\program files\yxmydhndrqkhwoffh.exe\qkhwoffh.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: {0347C33E-8762-4905-BF09-768834316C61} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office14\GROOVEEX.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - No File
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
uRun: [{211EC2B6-BCFC-82F6-DB61-449F149535D3}] c:\users\keiran\appdata\roaming\ezxuyt\otge.exe
uRun: [svchost] c:\users\keiran\appdata\roaming\svchost.exe
uRun: [{6E926FBE-DFBC-B7BE-461A-21ACB602E6FF}] c:\users\keiran\appdata\roaming\qequso\qiaqm.exe
mRun: [PSQLLauncher] "c:\program files\protector suite ql\launcher.exe" /startup
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
StartupFolder: c:\users\keiran\appdata\roaming\microsoft\windows\start menu\programs\startup\qkhwoffh.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: disableCAD = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: psfus - c:\windows\system32\psqlpwd.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office14\GROOVEEX.DLL
LSA: Notification Packages = scecli psqlpwd
Hosts: 74.208.10.249 gs.apple.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\keiran\appdata\roaming\mozilla\firefox\profiles\5b3wdcum.default\
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\users\keiran\appdata\roaming\mozilla\firefox\profiles\5b3wdcum.default\extensions\firesheep@codebutler.com\platform\winnt_x86-msvc\components\mozpopen.dll
FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\users\keiran\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\real\realplayer\browserrecordplugin\firefox\Ext
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Firesheep: firesheep@codebutler.com - %profile%\extensions\firesheep@codebutler.com

============= SERVICES / DRIVERS ===============

R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2010-10-12 142592]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-12-19 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-12-19 267944]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-12-19 61960]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-6-25 43040]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-11-17 135664]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2009-7-25 29736]
S3 ICDUSB3;ICDUSB3;c:\windows\system32\drivers\ICDUSB3.sys [2010-9-29 11264]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-3-25 30969208]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2010-4-19 18432]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-5-19 1343400]

=============== Created Last 30 ================

2011-01-02 09:49:46 -------- d-sh--w- C:\found.004
2011-01-01 23:43:43 -------- d-----w- c:\program files\ESET
2011-01-01 23:08:56 -------- d-----w- c:\program files\common files\Symantec Shared
2011-01-01 23:06:03 -------- d-----w- c:\progra~2\Symantec
2011-01-01 23:05:52 -------- d-----w- c:\program files\Norton Security Scan
2011-01-01 23:05:41 -------- d-----w- c:\progra~2\Norton
2011-01-01 23:05:29 -------- d-----w- c:\program files\NortonInstaller
2011-01-01 23:05:29 -------- d-----w- c:\progra~2\NortonInstaller
2010-12-30 14:04:46 -------- d-----w- c:\progra~2\Alwil Software
2010-12-30 13:57:16 -------- d-----w- c:\progra~2\MFAData
2010-12-19 21:59:31 240008 ----a-w- c:\windows\system32\drivers\netio.sys
2010-12-19 21:59:15 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2010-12-19 21:59:05 461400 ----a-w- c:\windows\system32\drivers\vsdatant.sys
2010-12-19 21:59:05 -------- d-----w- c:\windows\system32\ZoneLabs
2010-12-19 21:48:29 -------- d-----w- c:\users\keiran\appdata\roaming\Avira
2010-12-19 21:45:51 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-12-19 21:45:50 -------- d-----w- c:\program files\Avira
2010-12-19 21:45:50 -------- d-----w- c:\progra~2\Avira
2010-12-18 19:31:04 -------- d-----w- c:\program files\win
2010-12-17 18:40:39 -------- d-----w- c:\program files\windows
2010-12-17 12:03:54 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{4d1d71d5-84b1-4b30-841d-76479e2c034a}\mpengine.dll
2010-12-17 11:56:37 184320 ----a-w- c:\users\keiran\appdata\roaming\svchost.exe
2010-12-17 11:56:33 -------- d-----w- c:\program files\yXmYDHnDrqkhwoffh.exe
2010-12-14 23:05:15 -------- d-sh--w- C:\found.003
2010-12-13 17:27:27 -------- d-----w- c:\windows\pss
2010-12-10 17:30:12 -------- d-----w- c:\users\keiran\appdata\roaming\Qequso
2010-12-10 00:06:57 -------- d-----w- c:\users\keiran\appdata\roaming\Gucut
2010-12-07 23:13:43 -------- d-----w- c:\program files\WinPcap

==================== Find3M ====================

2010-11-19 23:25:58 214816 ----a-w- c:\windows\system32\PnkBstrB.xtr
2010-11-19 23:25:58 214816 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-11-04 05:52:17 978944 ----a-w- c:\windows\system32\wininet.dll
2010-11-04 05:48:36 44544 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-04 04:41:26 386048 ----a-w- c:\windows\system32\html.iec
2010-11-04 04:08:54 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-11-02 04:41:12 351232 ----a-w- c:\windows\system32\wmicmiplugin.dll
2010-11-02 04:40:36 496128 ----a-w- c:\windows\system32\taskschd.dll
2010-11-02 04:40:36 305152 ----a-w- c:\windows\system32\taskcomp.dll
2010-11-02 04:39:32 749056 ----a-w- c:\windows\system32\schedsvc.dll
2010-11-02 04:34:44 192000 ----a-w- c:\windows\system32\taskeng.exe
2010-11-02 04:34:33 179712 ----a-w- c:\windows\system32\schtasks.exe
2010-10-27 04:32:36 2048 ----a-w- c:\windows\system32\tzres.dll
2010-10-20 04:54:18 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-10-20 03:00:24 2327552 ----a-w- c:\windows\system32\win32k.sys
2010-10-20 02:58:41 294400 ----a-w- c:\windows\system32\atmfd.dll
2010-10-19 10:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-16 04:41:02 101760 ----a-w- c:\windows\system32\consent.exe
2010-10-16 04:36:10 314368 ----a-w- c:\windows\system32\webio.dll
2010-10-14 01:36:52 15451288 ----a-w- c:\windows\system32\xlive.dll
2010-10-14 01:36:50 13642904 ----a-w- c:\windows\system32\xlivefnt.dll

============= FINISH: 13:33:58.36 ===============
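As an added example (not DDS, ComboFix, or the poster's own code), a small Python triage script that parses the persistence and UAC lines of the DDS report above and flags the indicators a responder would pick out of it: the extra program appended to the Winlogon Userinit value, autoruns launched from the user's profile, an svchost.exe running outside the Windows directory, and the UAC policy values switched off. The list of system-binary names and the finding categories are my own assumptions; the same Userinit and policy entries reappear in the ComboFix log later in the thread.

```python
import re

# Assumption: core Windows binaries that legitimately live only under
# %SystemRoot%. A file with one of these names elsewhere (the DDS log shows
# "C:\Users\Keiran\AppData\Roaming\svchost.exe") is treated as masquerading.
SYSTEM_BINARIES = {"svchost.exe", "wininit.exe", "explorer.exe", "userinit.exe",
                   "lsass.exe", "csrss.exe", "winlogon.exe"}
WINDOWS_ROOT = "c:\\windows\\"
GENUINE_USERINIT = "c:\\windows\\system32\\userinit.exe"

# UAC policy values from the mPolicies-system lines and the setting that
# turns the protection off (EnableLUA=0 disables UAC entirely).
UAC_OFF = {"enablelua": "0",
           "consentpromptbehavioradmin": "0",
           "promptonsecuredesktop": "0"}

# Line shapes used by the DDS "Pseudo HJT Report" and "Running Processes" sections.
RUN_LINE = re.compile(r"^[um]Run: \[[^\]]*\] (?P<cmd>.+)$")
STARTUP_LINE = re.compile(r"^StartupFolder: (?P<cmd>.+)$")
USERINIT_LINE = re.compile(r"^mWinlogon: Userinit=(?P<value>.+)$")
POLICY_LINE = re.compile(r"^mPolicies-system: (?P<key>\w+) = (?P<val>\d+) \(0x[0-9a-f]+\)$", re.I)
PROCESS_LINE = re.compile(r'^"?[a-z]:\\', re.I)
EXE_PATH = re.compile(r'^"?(?P<path>[^"]+\.exe)', re.I)


def exe_path(cmd):
    """Lower-cased executable path from a command line such as
    '"c:\\program files\\x\\y.exe" /min' or 'c:\\...\\svchost.exe -k netsvcs'."""
    m = EXE_PATH.match(cmd.strip())
    return m.group("path").lower() if m else None


def check_userinit(value):
    """Winlogon runs every comma-separated program in Userinit, so any entry
    other than the genuine userinit.exe is an extra program started at logon."""
    extras = [e.strip() for e in value.split(",")
              if e.strip() and e.strip().lower() != GENUINE_USERINIT]
    return [("userinit", e) for e in extras]


def check_path(path, autorun):
    """Flag a system-binary name outside the Windows directory and, for autorun
    entries, a launch point inside a user profile (\\appdata\\)."""
    findings = []
    name = path.rsplit("\\", 1)[-1]
    if name in SYSTEM_BINARIES and not path.startswith(WINDOWS_ROOT):
        findings.append(("masquerade", path))
    if autorun and "\\appdata\\" in path:
        findings.append(("autorun-userprofile", path))
    return findings


def triage(lines):
    """Run all checks over DDS log lines; returns a list of (category, detail)."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = USERINIT_LINE.match(line)
        if m:
            findings += check_userinit(m.group("value"))
            continue
        m = POLICY_LINE.match(line)
        if m:
            if UAC_OFF.get(m.group("key").lower()) == m.group("val"):
                findings.append(("uac-off", f"{m.group('key')} = {m.group('val')}"))
            continue
        m = RUN_LINE.match(line) or STARTUP_LINE.match(line)
        if m:
            p = exe_path(m.group("cmd"))
            if p:
                findings += check_path(p, autorun=True)
            continue
        if PROCESS_LINE.match(line):
            p = exe_path(line)
            if p:
                findings += check_path(p, autorun=False)
    return findings


# Excerpt of the DDS report posted in this thread (copied, not constructed).
SAMPLE_DDS = r'''
C:\Windows\system32\wininit.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
"C:\Users\Keiran\AppData\Roaming\svchost.exe"
mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\program files\yxmydhndrqkhwoffh.exe\qkhwoffh.exe
uRun: [{211EC2B6-BCFC-82F6-DB61-449F149535D3}] c:\users\keiran\appdata\roaming\ezxuyt\otge.exe
uRun: [svchost] c:\users\keiran\appdata\roaming\svchost.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\users\keiran\appdata\roaming\microsoft\windows\start menu\programs\startup\qkhwoffh.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
'''.splitlines()

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_DDS):
        print(f"[{category}] {detail}")
```

Legitimate entries such as the real wininit.exe, the svchost.exe service hosts and the Avira autorun produce no finding, so the output is only the lines worth a closer look.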



#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:48 PM

Posted 03 January 2011 - 09:15 AM

Hello keiran0,


Don't worry about GMER. It isn't compatible with your system.

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to keiran.exe and try again.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 keiran0

keiran0
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:11:48 PM

Posted 03 January 2011 - 10:47 AM

Here is the log ComboFix gave me:


ComboFix 11-01-02.04 - Keiran 03-Jan-11 15:02:06.1.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3071.2248 [GMT 0:00]
Running from: c:\users\Keiran\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Outdated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
FW: ZoneAlarm Firewall *Disabled* {D17DF357-CFF5-F001-D1C1-FCD21DFE3D5E}
SP: AntiVir Desktop *Disabled/Outdated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\install.exe
c:\program files\Internet Explorer\complete.dat
c:\program files\Internet Explorer\dmlconf.dat
c:\program files\yXmYDHnDrqkhwoffh.exe
c:\program files\yXmYDHnDrqkhwoffh.exe\qkhwoffh.exe
c:\users\Keiran\AppData\Roaming\Ezxuyt
c:\users\Keiran\AppData\Roaming\Ezxuyt\otge.exe
c:\users\Keiran\AppData\Roaming\inst.exe
c:\users\Keiran\AppData\Roaming\Qequso
c:\users\Keiran\AppData\Roaming\Qequso\qiaqm.exe
c:\users\Keiran\AppData\Roaming\svchost.exe
c:\windows\7Loader.TAG
c:\windows\system32\kb.dll

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_52283b2af41f3691\explorer.exe

Infected copy of c:\windows\System32\wininit.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_30c90ef265a43c13\wininit.exe

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_52283b2af41f3691\explorer.exe
.
((((((((((((((((((((((((( Files Created from 2010-12-03 to 2011-01-03 )))))))))))))))))))))))))))))))
.

2011-01-03 15:20 . 2011-01-03 15:20 -------- d-----w- c:\program files\oOayDcKXҷYqkhwoffh.exe
2011-01-03 14:58 . 2011-01-03 14:59 -------- d-----w- C:\32788R22FWJFW
2011-01-02 09:49 . 2011-01-02 09:49 -------- d-----w- C:\found.004
2011-01-01 23:43 . 2011-01-01 23:43 -------- d-----w- c:\program files\ESET
2011-01-01 23:08 . 2011-01-01 23:30 -------- d-----w- c:\program files\Common Files\Symantec Shared
2011-01-01 23:06 . 2011-01-01 23:06 -------- d-----w- c:\programdata\Symantec
2011-01-01 23:05 . 2011-01-02 09:59 -------- d-----w- c:\program files\Norton Security Scan
2011-01-01 23:05 . 2011-01-01 23:05 -------- d-----w- c:\programdata\Norton
2011-01-01 23:05 . 2011-01-01 23:05 -------- d-----w- c:\program files\NortonInstaller
2010-12-30 14:04 . 2010-12-30 14:04 -------- d-----w- c:\programdata\Alwil Software
2010-12-30 14:04 . 2010-12-30 14:04 -------- d-----w- c:\program files\Alwil Software
2010-12-30 13:57 . 2011-01-03 21:22 -------- d-----w- c:\programdata\MFAData
2010-12-19 21:59 . 2010-04-09 07:24 240008 ----a-w- c:\windows\system32\drivers\netio.sys
2010-12-19 21:59 . 2010-11-16 17:45 69120 ----a-w- c:\windows\system32\zlcomm.dll
2010-12-19 21:59 . 2010-11-16 17:45 104448 ----a-w- c:\windows\system32\zlcommdb.dll
2010-12-19 21:59 . 2010-11-16 17:45 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2010-12-19 21:59 . 2011-01-03 22:35 -------- d-----w- c:\windows\system32\ZoneLabs
2010-12-19 21:59 . 2010-05-15 16:30 461400 ----a-w- c:\windows\system32\drivers\vsdatant.sys
2010-12-19 21:48 . 2010-12-19 21:48 -------- d-----w- c:\users\Keiran\AppData\Roaming\Avira
2010-12-19 21:45 . 2010-12-29 10:36 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-12-19 21:45 . 2010-11-30 18:13 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-12-19 21:45 . 2010-12-19 21:45 -------- d-----w- c:\programdata\Avira
2010-12-19 21:45 . 2010-12-19 21:45 -------- d-----w- c:\program files\Avira
2010-12-18 19:31 . 2011-01-03 22:35 -------- d-----w- c:\program files\win
2010-12-17 18:40 . 2011-01-03 22:35 -------- d-----w- c:\program files\windows
2010-12-17 12:03 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4D1D71D5-84B1-4B30-841D-76479E2C034A}\mpengine.dll
2010-12-14 23:05 . 2010-12-14 23:05 -------- d-----w- C:\found.003
2010-12-10 00:06 . 2010-12-10 00:06 -------- d-----w- c:\users\Keiran\AppData\Roaming\Gucut
2010-12-07 23:13 . 2010-12-07 23:13 -------- d-----w- c:\program files\WinPcap

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-19 23:25 . 2010-03-06 10:35 214816 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-11-19 23:25 . 2010-03-06 10:34 214816 ----a-w- c:\windows\system32\PnkBstrB.xtr
2010-11-19 23:23 . 2010-03-06 10:35 138328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-10-19 10:41 . 2009-11-05 11:01 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-14 01:36 . 2010-10-14 01:36 15451288 ----a-w- c:\windows\system32\xlive.dll
2010-10-14 01:36 . 2010-10-14 01:36 13642904 ----a-w- c:\windows\system32\xlivefnt.dll
2010-10-12 23:11 . 2010-10-12 23:11 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2008-02-18 14:16 2957312 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2008-02-18 14:16 2957312 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2007-06-05 49168]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-30 281768]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-11-16 1043968]

c:\users\Keiran\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
qkhwoffh.exe [2010-12-17 57262]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"disableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\oOayDcKXҷYqkhwoffh.exe\qkhwoffh.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-06-05 23:03 90112 ----a-w- c:\windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /k:C *

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Keiran^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\users\Keiran\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 04:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
2010-11-30 18:13 281768 ----a-w- c:\program files\Avira\AntiVir Desktop\avgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-03-13 13:54 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
2008-09-21 19:30 615696 ----a-w- c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-06-15 21:13 136176 ----atw- c:\users\Keiran\AppData\Local\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2008-04-20 17:30 178712 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-24 01:10 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LWS]
2010-05-07 17:35 165208 ----a-w- c:\program files\Logitech\LWS\Webcam Software\LWS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-06-25 14:59 13543968 ----a-w- c:\windows\System32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-06-25 14:59 92704 ----a-w- c:\windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSQLLauncher]
2007-06-05 22:40 49168 ----a-w- c:\program files\Protector Suite QL\launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 10:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2008-09-19 09:37 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-06-27 03:42 6295552 ----a-w- c:\windows\RtHDVCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-07-14 01:14 1173504 ----a-w- c:\program files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2007-01-29 10:22 638976 ----a-w- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareTerminatorUpdate]
2010-10-12 23:11 3037696 ----a-w- c:\program files\Spyware Terminator\SpywareTerminatorUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-09-04 04:13 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2007-12-06 10:12 1029416 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-07-20 23:36 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-11-17 135664]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2008-01-29 29736]
R3 ICDUSB3;ICDUSB3;c:\windows\system32\Drivers\ICDUSB3.sys [2008-08-18 11264]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-03-25 30969208]
R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl.sys [2010-04-19 18432]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-19 1343400]
S1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2010-10-12 142592]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-11-30 135336]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35088]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-06-25 43040]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2011-01-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-17 16:57]

2011-01-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-17 16:57]

2010-12-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2458282644-3598780805-1331794024-1000Core.job
- c:\users\Keiran\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-10 21:13]

2011-01-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2458282644-3598780805-1331794024-1000UA.job
- c:\users\Keiran\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-10 21:13]

2011-01-03 c:\windows\Tasks\User_Feed_Synchronization-{C7F1702A-6DC6-4C12-8835-735924C16383}.job
- c:\windows\system32\msfeedssync.exe [2010-12-17 05:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
FF - ProfilePath - c:\users\Keiran\AppData\Roaming\Mozilla\Firefox\Profiles\5b3wdcum.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Firesheep: firesheep@codebutler.com - %profile%\extensions\firesheep@codebutler.com
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-{211EC2B6-BCFC-82F6-DB61-449F149535D3} - c:\users\Keiran\AppData\Roaming\Ezxuyt\otge.exe
HKCU-Run-{6E926FBE-DFBC-B7BE-461A-21ACB602E6FF} - c:\users\Keiran\AppData\Roaming\Qequso\qiaqm.exe
MSConfigStartUp-THGuard - c:\program files\TrojanHunter 5.2\THGuard.exe


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(152)
c:\program files\Protector Suite QL\farchns.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\WinSCP\DragExt.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Protector Suite QL\upeksvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\Spyware Terminator\sp_rsser.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Protector Suite QL\psqltray.exe
c:\program files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2011-01-03 15:41:57 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-03 15:41

Pre-Run: 90,889,617,408 bytes free
Post-Run: 90,457,587,712 bytes free

- - End Of File - - 73AB8B04039C5DB41DDEFEC32820BFEB



Am I right in thinking this just fixed all the problems?

If so THANK YOU!

Will run a virus scan now too :)

#4 keiran0

keiran0
  • Topic Starter

  • Members
  • 12 posts

Posted 03 January 2011 - 12:15 PM

As I said in my first post, I used system restore to get Windows working again after Avira deleted explorer.exe. Well, now I have desktop items that link to nowhere, and I have things in 'Add or Remove Programs' that just cause errors when I try to uninstall them, usually along the lines of 'File C:\Program Files\Activision\....... does not exist. Cannot uninstall.'

These are all things that have been restored to the computer by the system restore, yet it seems that the actual programs have not been restored, only the shortcuts etc. How do I get rid of all these things from Add/Remove Programs?

#5 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 03 January 2011 - 01:29 PM

Hello,

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

Folder::
c:\program files\oOayDcKXҷYqkhwoffh.exe


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#6 keiran0

keiran0
  • Topic Starter

  • Members
  • 12 posts

Posted 04 January 2011 - 07:14 AM

Hi,

I think I deleted that folder yesterday as I was having a clear out. The folder was empty and the strange name caused me to think it may have been something to do with a virus. I will create a new folder, rename it back to how it was and then follow your instructions. Hopefully this is good enough to make it work, I will post my results back.

I fixed my previous question anyway.

Thanks again for your continuing help.

#7 keiran0

keiran0
  • Topic Starter

  • Members
  • 12 posts

Posted 04 January 2011 - 08:00 AM

OK, I did as instructed but didn't do as I said and create the new folder. I decided against it because you didn't ask me to, and I thought it better not to guess what you meant and just do what you said, if that makes sense.

Anyway, the following is the log. Whilst running ComboFix I kept getting alerts that PEV.exe is corrupt and I must run checkdisk. Any ideas what that's about? Should I run chkdsk now? I'll wait for your reply before I do anything.


ComboFix 11-01-02.04 - Keiran 04-Jan-11 12:49:08.2.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3071.2233 [GMT 0:00]
Running from: c:\users\Keiran\Desktop\ComboFix.exe
Command switches used :: c:\users\Keiran\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
FW: ZoneAlarm Firewall *Enabled* {D17DF357-CFF5-F001-D1C1-FCD21DFE3D5E}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Internet Explorer\dmlconf.dat

.
((((((((((((((((((((((((( Files Created from 2010-12-04 to 2011-01-04 )))))))))))))))))))))))))))))))
.

2011-01-04 12:54 . 2011-01-04 12:54 -------- d-----w- c:\users\k2\AppData\Local\temp
2011-01-04 12:54 . 2011-01-04 12:54 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-01-03 21:19 . 2011-01-03 21:19 -------- d-----w- c:\users\Keiran\AppData\Local\VS Revo Group
2011-01-03 21:19 . 2009-12-30 11:21 27192 ----a-w- c:\windows\system32\drivers\revoflt.sys
2011-01-03 21:19 . 2011-01-03 21:19 -------- d-----w- c:\program files\VS Revo Group
2011-01-03 16:21 . 2011-01-03 16:21 -------- d-----w- c:\users\Keiran\AppData\Roaming\Avira
2011-01-03 16:12 . 2010-12-13 08:40 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-01-03 16:12 . 2010-12-13 08:40 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-01-03 16:12 . 2011-01-03 16:12 -------- d-----w- c:\programdata\Avira
2011-01-03 16:12 . 2011-01-03 16:12 -------- d-----w- c:\program files\Avira
2011-01-02 09:49 . 2011-01-04 00:35 -------- d-----w- C:\found.004
2011-01-01 23:43 . 2011-01-01 23:43 -------- d-----w- c:\program files\ESET
2011-01-01 23:08 . 2011-01-01 23:30 -------- d-----w- c:\program files\Common Files\Symantec Shared
2011-01-01 23:06 . 2011-01-01 23:06 -------- d-----w- c:\programdata\Symantec
2011-01-01 23:05 . 2011-01-02 09:59 -------- d-----w- c:\program files\Norton Security Scan
2011-01-01 23:05 . 2011-01-01 23:05 -------- d-----w- c:\programdata\Norton
2011-01-01 23:05 . 2011-01-01 23:05 -------- d-----w- c:\program files\NortonInstaller
2010-12-30 14:04 . 2010-12-30 14:04 -------- d-----w- c:\programdata\Alwil Software
2010-12-30 14:04 . 2010-12-30 14:04 -------- d-----w- c:\program files\Alwil Software
2010-12-30 13:57 . 2011-01-03 21:22 -------- d-----w- c:\programdata\MFAData
2010-12-19 21:59 . 2010-04-09 07:24 240008 ----a-w- c:\windows\system32\drivers\netio.sys
2010-12-19 21:59 . 2010-11-16 17:45 69120 ----a-w- c:\windows\system32\zlcomm.dll
2010-12-19 21:59 . 2010-11-16 17:45 104448 ----a-w- c:\windows\system32\zlcommdb.dll
2010-12-19 21:59 . 2010-11-16 17:45 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2010-12-19 21:59 . 2011-01-03 22:35 -------- d-----w- c:\windows\system32\ZoneLabs
2010-12-19 21:59 . 2010-05-15 16:30 461400 ----a-w- c:\windows\system32\drivers\vsdatant.sys
2010-12-18 19:31 . 2011-01-03 18:59 -------- d-----w- c:\program files\win
2010-12-17 18:40 . 2011-01-03 18:59 -------- d-----w- c:\program files\windows
2010-12-17 12:03 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4D1D71D5-84B1-4B30-841D-76479E2C034A}\mpengine.dll
2010-12-14 23:05 . 2011-01-04 00:35 -------- d-----w- C:\found.003
2010-12-10 00:06 . 2010-12-10 00:06 -------- d-----w- c:\users\Keiran\AppData\Roaming\Gucut
2010-12-07 23:13 . 2010-12-07 23:13 -------- d-----w- c:\program files\WinPcap

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-19 23:25 . 2010-03-06 10:35 214816 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-11-19 23:25 . 2010-03-06 10:34 214816 ----a-w- c:\windows\system32\PnkBstrB.xtr
2010-11-19 23:23 . 2010-03-06 10:35 138328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-10-19 10:41 . 2009-11-05 11:01 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-14 01:36 . 2010-10-14 01:36 15451288 ----a-w- c:\windows\system32\xlive.dll
2010-10-14 01:36 . 2010-10-14 01:36 13642904 ----a-w- c:\windows\system32\xlivefnt.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2008-02-18 14:16 2957312 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2008-02-18 14:16 2957312 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2007-06-05 49168]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-11-16 1043968]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-07-20 202256]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"disableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-06-05 23:03 90112 ----a-w- c:\windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /k:C *

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Keiran^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\users\Keiran\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 04:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
2010-12-13 08:39 281768 ----a-w- c:\program files\Avira\AntiVir Desktop\avgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-03-13 13:54 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
2008-09-21 19:30 615696 ----a-w- c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-06-15 21:13 136176 ----atw- c:\users\Keiran\AppData\Local\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2008-04-20 17:30 178712 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-24 01:10 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-06-25 14:59 13543968 ----a-w- c:\windows\System32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-06-25 14:59 92704 ----a-w- c:\windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSQLLauncher]
2007-06-05 22:40 49168 ----a-w- c:\program files\Protector Suite QL\launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 10:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2008-09-19 09:37 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-06-27 03:42 6295552 ----a-w- c:\windows\RtHDVCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-07-14 01:14 1173504 ----a-w- c:\program files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2007-01-29 10:22 638976 ----a-w- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-09-04 04:13 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2007-12-06 10:12 1029416 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-07-20 23:36 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-11-17 135664]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2008-01-29 29736]
R3 ICDUSB3;ICDUSB3;c:\windows\system32\Drivers\ICDUSB3.sys [2008-08-18 11264]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-03-25 30969208]
R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl.sys [2010-04-19 18432]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [2009-12-30 27192]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-19 1343400]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-12-13 135336]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35088]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-06-25 43040]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2011-01-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-17 16:57]

2011-01-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-17 16:57]

2010-12-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2458282644-3598780805-1331794024-1000Core.job
- c:\users\Keiran\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-10 21:13]

2011-01-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2458282644-3598780805-1331794024-1000UA.job
- c:\users\Keiran\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-10 21:13]

2011-01-04 c:\windows\Tasks\User_Feed_Synchronization-{C7F1702A-6DC6-4C12-8835-735924C16383}.job
- c:\windows\system32\msfeedssync.exe [2010-12-17 05:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
FF - ProfilePath - c:\users\Keiran\AppData\Roaming\Mozilla\Firefox\Profiles\5b3wdcum.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Firesheep: firesheep@codebutler.com - %profile%\extensions\firesheep@codebutler.com
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-LWS - c:\program files\Logitech\LWS\Webcam Software\LWS.exe
MSConfigStartUp-SpywareTerminatorUpdate - c:\program files\Spyware Terminator\SpywareTerminatorUpdate.exe


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-01-04 12:56:02
ComboFix-quarantined-files.txt 2011-01-04 12:56
ComboFix2.txt 2011-01-03 15:42

Pre-Run: 136,742,899,712 bytes free
Post-Run: 136,458,113,024 bytes free

- - End Of File - - 6AF9C159A2602B5972D16202A0144638
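Two things in the logs above are worth pulling out mechanically rather than by eye: the HKCU Run orphans that pointed at randomly named folders under AppData\Roaming, and the UAC policy block in which EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop are all 0, meaning elevation prompts had been switched off entirely. The Python script below is an added example, not part of this thread and not ComboFix's own code; it reads lines in the format ComboFix prints and flags both conditions. The sample log is constructed from lines in this thread, and the function names and the AppData\Roaming heuristic are this example's own assumptions.

```python
"""Triage helper for the ComboFix log sections posted in this thread.

Added example; not part of the thread or of ComboFix itself. The line
formats below are copied from the logs posted above; the heuristics and
function names are this example's own assumptions.
"""
import re

# Constructed sample: a handful of lines copied from the logs in this thread
# (one legitimate Run entry, the UAC policy block, and two "ORPHANS REMOVED"
# lines). Backslashes are doubled only because this is a Python literal.
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"avgnt"="c:\\program files\\Avira\\AntiVir Desktop\\avgnt.exe" [2010-12-13 281768]

[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\policies\\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"disableCAD"= 1 (0x1)

- - - - ORPHANS REMOVED - - - -

HKCU-Run-{211EC2B6-BCFC-82F6-DB61-449F149535D3} - c:\\users\\Keiran\\AppData\\Roaming\\Ezxuyt\\otge.exe
MSConfigStartUp-THGuard - c:\\program files\\TrojanHunter 5.2\\THGuard.exe
"""

# Windows 7 defaults for the UAC policy values ComboFix prints. Any other
# value means UAC has been weakened, whether by the user or by malware.
UAC_EXPECTED = {
    "EnableLUA": 1,                   # 0 = UAC switched off entirely
    "ConsentPromptBehaviorAdmin": 5,  # 0 = admins elevate silently, no prompt
    "PromptOnSecureDesktop": 1,       # 0 = prompts shown on the normal desktop, not the secure one
}

# '"Name"= 0 (0x0)' as printed under the policies\system key.
_POLICY_RE = re.compile(r'^"(\w+)"=\s*(\d+)\s*\(0x[0-9a-fA-F]+\)', re.MULTILINE)
# A Windows path ending in .exe, as ComboFix prints it (no quotes or brackets inside).
_EXE_PATH_RE = re.compile(r'[a-zA-Z]:\\[^"\[\]\r\n]+?\.exe', re.IGNORECASE)


def weak_uac_settings(log_text):
    """Return {policy: value} for UAC policies whose logged value is not the default."""
    found = {name: int(value) for name, value in _POLICY_RE.findall(log_text)}
    return {name: found[name]
            for name, default in UAC_EXPECTED.items()
            if name in found and found[name] != default}


def suspicious_autoruns(log_text):
    """Return autorun executables that live under a user's AppData\\Roaming.

    Heuristic (an assumption of this example, not a ComboFix rule): legitimate
    software rarely autostarts from a randomly named folder in AppData\\Roaming,
    which is exactly where the HKCU-Run orphans in this thread pointed.
    """
    return [path for path in _EXE_PATH_RE.findall(log_text)
            if "\\appdata\\roaming\\" in path.lower()]


if __name__ == "__main__":
    for name, value in weak_uac_settings(SAMPLE_LOG).items():
        print(f"UAC weakened: {name} = {value} (expected {UAC_EXPECTED[name]})")
    for path in suspicious_autoruns(SAMPLE_LOG):
        print(f"Autorun from roaming profile: {path}")
```

Run against a full ComboFix.txt the same way (read the file into a string and pass it to both functions). The AppData\Roaming filter is deliberately narrow so that per-user Google Update under AppData\Local, which this thread's logs also show, is not reported.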

#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 04 January 2011 - 08:22 AM

Good morning :)

Have all these been uninstalled?

ESET
Symantec Shared
Symantec
Norton Security Scan
Alwil Software


#9 keiran0

keiran0
  • Topic Starter

  • Members
  • 12 posts

Posted 04 January 2011 - 08:26 AM

Good afternoon from London :)

Yes they are all now uninstalled, as far as I am aware anyway.

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 04 January 2011 - 03:20 PM

Good evening London :)

How is it running today?

Well, they're all still showing in your logs, so that's why I asked. They could be causing part of your problems.

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

Folder::
c:\program files\ESET
c:\program files\Common Files\Symantec Shared
c:\programdata\Symantec
c:\program files\Norton Security Scan
c:\programdata\Norton
c:\program files\NortonInstaller
c:\programdata\Alwil Software
c:\program files\Alwil Software
c:\programdata\MFAData


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

#11 keiran0

keiran0
  • Topic Starter

  • Members
  • 12 posts

Posted 04 January 2011 - 08:06 PM

It's running MILES better. Thank you so much, I actually managed to study for a while today. I will do as you instructed and post the results shortly.

#12 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 04 January 2011 - 08:22 PM

You're most welcome. :) Post when you're ready.

#13 keiran0

keiran0
  • Topic Starter

  • Members
  • 12 posts

Posted 04 January 2011 - 08:32 PM

I still get the message that pev.exe and pev.cfxxe are corrupt and I should run Chkdsk. Should I do that?





ComboFix 11-01-02.04 - Keiran 05-Jan-11 1:14.3.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3071.2299 [GMT 0:00]
Running from: c:\users\Keiran\Desktop\ComboFix.exe
Command switches used :: c:\users\Keiran\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
FW: ZoneAlarm Firewall *Enabled* {D17DF357-CFF5-F001-D1C1-FCD21DFE3D5E}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Alwil Software
c:\program files\Alwil Software\Avast5\1033\aswClnTg.htm
c:\program files\Alwil Software\Avast5\1033\aswClnTg.txt
c:\program files\Alwil Software\Avast5\1033\aswInfTg.htm
c:\program files\Alwil Software\Avast5\1033\aswInfTg.txt
c:\program files\Alwil Software\Avast5\1033\Avast5_1033.chm
c:\program files\Alwil Software\Avast5\defs\11010101\acshort.map
c:\program files\Alwil Software\Avast5\defs\11010101\certs.map
c:\program files\Alwil Software\Avast5\defs\11010101\db_el.dat
c:\program files\Alwil Software\Avast5\defs\11010101\db_java.dat
c:\program files\Alwil Software\Avast5\defs\11010101\db_java.map
c:\program files\Alwil Software\Avast5\defs\11010101\db_js.dat
c:\program files\Alwil Software\Avast5\defs\11010101\db_js.map
c:\program files\Alwil Software\Avast5\defs\11010101\db_mx4.dat
c:\program files\Alwil Software\Avast5\defs\11010101\db_mx4.map
c:\program files\Alwil Software\Avast5\defs\11010101\db_mx95.dat
c:\program files\Alwil Software\Avast5\defs\11010101\db_mx95.map
c:\program files\Alwil Software\Avast5\defs\11010101\db_o7.dat
c:\program files\Alwil Software\Avast5\defs\11010101\db_o7.map
c:\program files\Alwil Software\Avast5\defs\11010101\db_ob.dat
c:\program files\Alwil Software\Avast5\defs\11010101\db_pe2.dat
c:\program files\Alwil Software\Avast5\defs\11010101\db_swf.dat
c:\program files\Alwil Software\Avast5\defs\11010101\db_swf.map
c:\program files\Alwil Software\Avast5\defs\11010101\db_tx.dat
c:\program files\Alwil Software\Avast5\defs\11010101\db_u.dat
c:\program files\Alwil Software\Avast5\defs\11010101\db_w6.dat
c:\program files\Alwil Software\Avast5\defs\11010101\db_w6.map
c:\program files\Alwil Software\Avast5\defs\11010101\db_wh.dat
c:\program files\Alwil Software\Avast5\defs\11010101\db_xtn.map
c:\program files\Alwil Software\Avast5\defs\11010101\dllcc.dat
c:\program files\Alwil Software\Avast5\defs\11010101\l_idx.map
c:\program files\Alwil Software\Avast5\defs\11010101\l_nmp.map
c:\program files\Alwil Software\Avast5\defs\11010101\list_d.txt
c:\program files\Alwil Software\Avast5\defs\11010101\list_i.txt
c:\program files\Alwil Software\Avast5\defs\11010101\lshe3.map
c:\program files\Alwil Software\Avast5\defs\11010101\s_idx.map
c:\program files\Alwil Software\Avast5\defs\11010101\s_nmp.map
c:\program files\Alwil Software\Avast5\defs\11010101\Sf.bin
c:\program files\Alwil Software\Avast5\defs\11010101\sl_idx.map
c:\program files\Alwil Software\Avast5\defs\11010101\sl_nmp.map
c:\program files\Alwil Software\Avast5\defs\11010101\whitelist.db
c:\program files\Alwil Software\Avast5\flash\amcharts_key.txt
c:\program files\Alwil Software\Avast5\flash\amline.swf
c:\program files\Alwil Software\Avast5\flash\ammap\ammap.swf
c:\program files\Alwil Software\Avast5\flash\ammap\ammap_key.txt
c:\program files\Alwil Software\Avast5\flash\ammap\ammap_settings_summary.xml
c:\program files\Alwil Software\Avast5\flash\ammap\ammap_settings_tracert.xml
c:\program files\Alwil Software\Avast5\flash\ammap\empty_map.xml
c:\program files\Alwil Software\Avast5\flash\ammap\icons\arrow.swf
c:\program files\Alwil Software\Avast5\flash\ammap\icons\bubble.swf
c:\program files\Alwil Software\Avast5\flash\ammap\icons\cross.swf
c:\program files\Alwil Software\Avast5\flash\ammap\icons\flag.swf
c:\program files\Alwil Software\Avast5\flash\ammap\icons\pin.swf
c:\program files\Alwil Software\Avast5\flash\ammap\icons\zoom_out.swf
c:\program files\Alwil Software\Avast5\flash\ammap\maps\world.swf
c:\program files\Alwil Software\Avast5\Setup\servers.def
c:\program files\Alwil Software\Avast5\Setup\servers.def.lkg
c:\program files\Alwil Software\Avast5\Setup\setiface.ovr
c:\program files\Alwil Software\Avast5\Setup\setup.log
c:\program files\Alwil Software\Avast5\Setup\setup.ovr
c:\program files\Alwil Software\Avast5\Setup\summary.txt
c:\program files\Common Files\Symantec Shared
c:\program files\ESET
c:\program files\ESET\ESET Online Scanner\esets_apiA.dll
c:\program files\ESET\ESET Online Scanner\esets_apiW.dll
c:\program files\ESET\ESET Online Scanner\esets_apiW_a.dll
c:\program files\ESET\ESET Online Scanner\ESETSmartInstaller.exe
c:\program files\ESET\ESET Online Scanner\log.txt
c:\program files\ESET\ESET Online Scanner\Modules\data\updfiles\http_update.eset.com\update.ver
c:\program files\ESET\ESET Online Scanner\Modules\data\updfiles\lastupd.ver
c:\program files\ESET\ESET Online Scanner\Modules\data\updfiles\nod00EB.nup
c:\program files\ESET\ESET Online Scanner\Modules\data\updfiles\nod0757.nup
c:\program files\ESET\ESET Online Scanner\Modules\data\updfiles\nod0D8B.nup
c:\program files\ESET\ESET Online Scanner\Modules\data\updfiles\nod0F87.nup
c:\program files\ESET\ESET Online Scanner\Modules\data\updfiles\nod1299.nup
c:\program files\ESET\ESET Online Scanner\Modules\data\updfiles\nod1360.nup
c:\program files\ESET\ESET Online Scanner\Modules\data\updfiles\nod1F6B.nup
c:\program files\ESET\ESET Online Scanner\Modules\data\updfiles\nod1F7B.nup
c:\program files\ESET\ESET Online Scanner\Modules\data\updfiles\nod2526.nup
c:\program files\ESET\ESET Online Scanner\Modules\data\updfiles\nod26CF.nup
c:\program files\ESET\ESET Online Scanner\Modules\data\updfiles\nod2A27.nup
c:\program files\ESET\ESET Online Scanner\Modules\data\updfiles\nod37F0.nup
c:\program files\ESET\ESET Online Scanner\Modules\data\updfiles\nod40B0.nup
c:\program files\ESET\ESET Online Scanner\Modules\data\updfiles\nod500F.nup
c:\program files\ESET\ESET Online Scanner\Modules\data\updfiles\nod581B.nup
c:\program files\ESET\ESET Online Scanner\Modules\data\updfiles\nod6EE6.nup
c:\program files\ESET\ESET Online Scanner\Modules\data\updfiles\nod79B7.nup
c:\program files\ESET\ESET Online Scanner\Modules\data\updfiles\temp\em000_32.dat
c:\program files\ESET\ESET Online Scanner\Modules\data\updfiles\temp\em001_32.dat
c:\program files\ESET\ESET Online Scanner\Modules\data\updfiles\temp\em002_32.dat
c:\program files\ESET\ESET Online Scanner\Modules\data\updfiles\temp\em003_32.dat
c:\program files\ESET\ESET Online Scanner\Modules\data\updfiles\temp\em004_32.dat
c:\program files\ESET\ESET Online Scanner\Modules\data\updfiles\temp\em005_32.dat
c:\program files\ESET\ESET Online Scanner\Modules\data\updfiles\temp\em006_32.dat
c:\program files\ESET\ESET Online Scanner\Modules\data\updfiles\upd.ver
c:\program files\ESET\ESET Online Scanner\Modules\em000_32.dat
c:\program files\ESET\ESET Online Scanner\Modules\em001_32.dat
c:\program files\ESET\ESET Online Scanner\Modules\em002_32.dat
c:\program files\ESET\ESET Online Scanner\Modules\em003_32.dat
c:\program files\ESET\ESET Online Scanner\Modules\em004_32.dat
c:\program files\ESET\ESET Online Scanner\Modules\em005_32.dat
c:\program files\ESET\ESET Online Scanner\Modules\em006_32.dat
c:\program files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe
c:\program files\ESET\ESET Online Scanner\OnlineCmdLineScannerA.exe
c:\program files\ESET\ESET Online Scanner\OnlineScanner.inf
c:\program files\ESET\ESET Online Scanner\OnlineScanner.ocx
c:\program files\ESET\ESET Online Scanner\OnlineScanner64.ocx
c:\program files\ESET\ESET Online Scanner\OnlineScannerApp.exe
c:\program files\ESET\ESET Online Scanner\OnlineScannerLang.dll
c:\program files\ESET\ESET Online Scanner\OnlineScannerUninstaller.exe
c:\program files\ESET\ESET Online Scanner\unicows.dll
c:\program files\Norton Security Scan
c:\program files\Norton Security Scan\Engine\3.0.0.103\{2A85E335-7417-424d-AD89-31DED1689794}.dat
c:\program files\Norton Security Scan\Engine\3.0.0.103\{71B3DD3A-BC1F-40cc-A74F-C0C30DFCE7D5}.dat
c:\program files\Norton Security Scan\Engine\3.0.0.103\{F8D07955-00ED-4093-88AA-0A0F69AFD83C}.dat
c:\program files\Norton Security Scan\Engine\3.0.0.103\help.htm
c:\program files\Norton Security Scan\Engine\3.0.0.103\ReputationCacheDB.db
c:\program files\NortonInstaller
c:\program files\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\3.0.0.103\09\01\InstUI.loc
c:\program files\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\3.0.0.103\extract.dat
c:\program files\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\3.0.0.103\fallback.dat
c:\program files\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\3.0.0.103\finalzed.dat
c:\program files\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\3.0.0.103\install.dat
c:\program files\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\3.0.0.103\Install.mft
c:\program files\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\3.0.0.103\layout.dat
c:\programdata\Alwil Software
c:\programdata\Alwil Software\Avast5\aswResp.dat
c:\programdata\Alwil Software\Avast5\chest\00000001
c:\programdata\Alwil Software\Avast5\chest\index.xml
c:\programdata\Alwil Software\Avast5\db1ca5de7ebf43170-4ccca871.dat
c:\programdata\Alwil Software\Avast5\HtmlData\Blocked.htm
c:\programdata\Alwil Software\Avast5\HtmlData\image001.png
c:\programdata\Alwil Software\Avast5\Log.db
c:\programdata\Alwil Software\Avast5\log\AshWebSv.ws
c:\programdata\Alwil Software\Avast5\log\aswAr.log
c:\programdata\Alwil Software\Avast5\log\aswAr1.log
c:\programdata\Alwil Software\Avast5\log\Chest.log
c:\programdata\Alwil Software\Avast5\log\Mail.log
c:\programdata\Alwil Software\Avast5\log\nshield.log
c:\programdata\Alwil Software\Avast5\log\selfdef.log
c:\programdata\Alwil Software\Avast5\log\Setup.log
c:\programdata\Alwil Software\Avast5\log\usntr.log
c:\programdata\Alwil Software\Avast5\report\BehaviorShield.txt
c:\programdata\Alwil Software\Avast5\report\EmailShield.txt
c:\programdata\Alwil Software\Avast5\report\FileSystemShield.txt
c:\programdata\Alwil Software\Avast5\report\IMShield.txt
c:\programdata\Alwil Software\Avast5\report\NetworkShield.txt
c:\programdata\Alwil Software\Avast5\report\P2PShield.txt
c:\programdata\Alwil Software\Avast5\report\WebShield.txt
c:\programdata\Alwil Software\Avast5\sounds\1033\pup_detected.wav
c:\programdata\Alwil Software\Avast5\sounds\1033\scan_completed.wav
c:\programdata\Alwil Software\Avast5\sounds\1033\suspicious_detected.wav
c:\programdata\Alwil Software\Avast5\sounds\1033\threat_detected.wav
c:\programdata\Alwil Software\Avast5\sounds\1033\virus_db_updated.wav
c:\programdata\Alwil Software\Avast5\sounds\1033\welcome.wav
c:\programdata\Alwil Software\Avast5\sounds\fw_question.wav
c:\programdata\Alwil Software\Avast5\sounds\scan_completed.wav
c:\programdata\Alwil Software\Avast5\sounds\threat_detected.wav
c:\programdata\Alwil Software\Avast5\sounds\virus_db_updated.wav
c:\programdata\MFAData
c:\programdata\MFAData\logs\mfa-20101230-135716.log
c:\programdata\MFAData\logs\mfa-20101230-153104.log
c:\programdata\MFAData\logs\msi-20101230-135716.log
c:\programdata\MFAData\logs\msi-20101230-153104.log
c:\programdata\MFAData\mkt\hi\dm_marketing_message-hi.html
c:\programdata\MFAData\mkt\res\ico-blue-bg.gif
c:\programdata\MFAData\mkt\res\OK.png
c:\programdata\MFAData\mkt\res\style.css
c:\programdata\MFAData\mkt\res\Thumbs.db
c:\programdata\MFAData\mkt\res\ui-background.jpg
c:\programdata\MFAData\mkt\us\dm_marketing_message-en-us.html
c:\programdata\MFAData\pack\avg10infoavi.ctf
c:\programdata\MFAData\pack\avg10infooi.ctf
c:\programdata\MFAData\pack\avg10infowin.ctf
c:\programdata\MFAData\pack\bins\f10avgx1191ww.bin
c:\programdata\MFAData\pack\bins\foi10cnet_lic8dn.bin
c:\programdata\MFAData\pack\bins\foi10cnet_mis15ni.bin
c:\programdata\MFAData\pack\bins\foi10cnet_mps11fx.bin
c:\programdata\MFAData\pack\cnet_mis.mdf
c:\programdata\MFAData\pack\cnet_mps.mdf
c:\programdata\MFAData\pack\lic.mdf
c:\programdata\Norton
c:\programdata\Norton\{397E31AA-0D78-4649-A01C-339D73A2ED35}\Module9000.txt
c:\programdata\Norton\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS_3.0.0.103\Connections\connections.dat
c:\programdata\Norton\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS_3.0.0.103\diMaster\eula.dat
c:\programdata\Norton\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS_3.0.0.103\diMaster\service.dat
c:\programdata\Norton\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS_3.0.0.103\itbLUReg\{65190544-26C3-43a4-A78A-694964901607}.dat
c:\programdata\Norton\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS_3.0.0.103\itbLUReg\{6E3396BD-C6A6-4f0f-9254-267F9058FEC4}.dat
c:\programdata\Norton\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS_3.0.0.103\itbLUReg\{D4F4CC32-7A41-4684-AE57-41E59E9B4503}.dat
c:\programdata\Symantec
c:\programdata\Symantec\Definitions\SymcData\VirusDefs-2.5-E\20110101.005\catalog.dat
c:\programdata\Symantec\Definitions\SymcData\VirusDefs-2.5-E\20110101.005\ERASER.grd
c:\programdata\Symantec\Definitions\SymcData\VirusDefs-2.5-E\20110101.005\ERASER.sig
c:\programdata\Symantec\Definitions\SymcData\VirusDefs-2.5-E\20110101.005\esrdef.bin
c:\programdata\Symantec\Definitions\SymcData\VirusDefs-2.5-E\20110101.005\hh
c:\programdata\Symantec\Definitions\SymcData\VirusDefs-2.5-E\20110101.005\ncsacert.txt
c:\programdata\Symantec\Definitions\SymcData\VirusDefs-2.5-E\20110101.005\scrauth.dat
c:\programdata\Symantec\Definitions\SymcData\VirusDefs-2.5-E\20110101.005\tcdefs.dat
c:\programdata\Symantec\Definitions\SymcData\VirusDefs-2.5-E\20110101.005\tcscan7.dat
c:\programdata\Symantec\Definitions\SymcData\VirusDefs-2.5-E\20110101.005\tcscan8.dat
c:\programdata\Symantec\Definitions\SymcData\VirusDefs-2.5-E\20110101.005\tcscan9.dat
c:\programdata\Symantec\Definitions\SymcData\VirusDefs-2.5-E\20110101.005\technote.txt
c:\programdata\Symantec\Definitions\SymcData\VirusDefs-2.5-E\20110101.005\tinf.dat
c:\programdata\Symantec\Definitions\SymcData\VirusDefs-2.5-E\20110101.005\tinfidx.dat
c:\programdata\Symantec\Definitions\SymcData\VirusDefs-2.5-E\20110101.005\tinfl.dat
c:\programdata\Symantec\Definitions\SymcData\VirusDefs-2.5-E\20110101.005\tscan1.dat
c:\programdata\Symantec\Definitions\SymcData\VirusDefs-2.5-E\20110101.005\tscan1hd.dat
c:\programdata\Symantec\Definitions\SymcData\VirusDefs-2.5-E\20110101.005\v.grd
c:\programdata\Symantec\Definitions\SymcData\VirusDefs-2.5-E\20110101.005\v.sig
c:\programdata\Symantec\Definitions\SymcData\VirusDefs-2.5-E\20110101.005\virscan1.dat
c:\programdata\Symantec\Definitions\SymcData\VirusDefs-2.5-E\20110101.005\virscan2.dat
c:\programdata\Symantec\Definitions\SymcData\VirusDefs-2.5-E\20110101.005\virscan3.dat
c:\programdata\Symantec\Definitions\SymcData\VirusDefs-2.5-E\20110101.005\virscan4.dat
c:\programdata\Symantec\Definitions\SymcData\VirusDefs-2.5-E\20110101.005\virscan5.dat
c:\programdata\Symantec\Definitions\SymcData\VirusDefs-2.5-E\20110101.005\virscan6.dat
c:\programdata\Symantec\Definitions\SymcData\VirusDefs-2.5-E\20110101.005\virscan7.dat
c:\programdata\Symantec\Definitions\SymcData\VirusDefs-2.5-E\20110101.005\virscan8.dat
c:\programdata\Symantec\Definitions\SymcData\VirusDefs-2.5-E\20110101.005\virscan9.dat
c:\programdata\Symantec\Definitions\SymcData\VirusDefs-2.5-E\20110101.005\virscant.dat
c:\programdata\Symantec\Definitions\SymcData\VirusDefs-2.5-E\20110101.005\whatsnew.TXT
c:\programdata\Symantec\Definitions\SymcData\VirusDefs-2.5-E\20110101.005\zdone.dat
c:\programdata\Symantec\Definitions\SymcData\VirusDefs-2.5-E\definfo.dat
c:\programdata\Symantec\Definitions\SymcData\VirusDefs-2.5-E\newdefs-trigger\trigger.dat
c:\programdata\Symantec\Definitions\SymcData\VirusDefs-2.5-E\umcat_01.db
c:\programdata\Symantec\Definitions\SymcData\VirusDefs-2.5-E\usage.dat

.
((((((((((((((((((((((((( Files Created from 2010-12-05 to 2011-01-05 )))))))))))))))))))))))))))))))
.

2011-01-05 01:22 . 2011-01-05 01:22 -------- d-----w- c:\users\k2\AppData\Local\temp
2011-01-05 01:22 . 2011-01-05 01:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-01-04 20:03 . 2011-01-04 20:04 -------- d-----w- c:\program files\vShare
2011-01-03 21:19 . 2011-01-03 21:19 -------- d-----w- c:\users\Keiran\AppData\Local\VS Revo Group
2011-01-03 21:19 . 2009-12-30 11:21 27192 ----a-w- c:\windows\system32\drivers\revoflt.sys
2011-01-03 21:19 . 2011-01-03 21:19 -------- d-----w- c:\program files\VS Revo Group
2011-01-03 16:21 . 2011-01-03 16:21 -------- d-----w- c:\users\Keiran\AppData\Roaming\Avira
2011-01-03 16:12 . 2010-12-13 08:40 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-01-03 16:12 . 2010-12-13 08:40 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-01-03 16:12 . 2011-01-03 16:12 -------- d-----w- c:\programdata\Avira
2011-01-03 16:12 . 2011-01-03 16:12 -------- d-----w- c:\program files\Avira
2011-01-02 09:49 . 2011-01-04 00:35 -------- d-----w- C:\found.004
2011-01-01 23:05 . 2011-01-01 23:05 -------- d-----w- c:\programdata\NortonInstaller
2010-12-19 21:59 . 2010-04-09 07:24 240008 ----a-w- c:\windows\system32\drivers\netio.sys
2010-12-19 21:59 . 2010-11-16 17:45 69120 ----a-w- c:\windows\system32\zlcomm.dll
2010-12-19 21:59 . 2010-11-16 17:45 104448 ----a-w- c:\windows\system32\zlcommdb.dll
2010-12-19 21:59 . 2010-11-16 17:45 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2010-12-19 21:59 . 2011-01-03 22:35 -------- d-----w- c:\windows\system32\ZoneLabs
2010-12-19 21:59 . 2010-05-15 16:30 461400 ----a-w- c:\windows\system32\drivers\vsdatant.sys
2010-12-18 19:31 . 2011-01-03 18:59 -------- d-----w- c:\program files\win
2010-12-17 18:40 . 2011-01-03 18:59 -------- d-----w- c:\program files\windows
2010-12-17 12:03 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4D1D71D5-84B1-4B30-841D-76479E2C034A}\mpengine.dll
2010-12-14 23:05 . 2011-01-04 00:35 -------- d-----w- C:\found.003
2010-12-10 00:06 . 2010-12-10 00:06 -------- d-----w- c:\users\Keiran\AppData\Roaming\Gucut
2010-12-07 23:13 . 2010-12-07 23:13 -------- d-----w- c:\program files\WinPcap

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-19 23:25 . 2010-03-06 10:35 214816 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-11-19 23:25 . 2010-03-06 10:34 214816 ----a-w- c:\windows\system32\PnkBstrB.xtr
2010-11-19 23:23 . 2010-03-06 10:35 138328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-10-19 10:41 . 2009-11-05 11:01 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-14 01:36 . 2010-10-14 01:36 15451288 ----a-w- c:\windows\system32\xlive.dll
2010-10-14 01:36 . 2010-10-14 01:36 13642904 ----a-w- c:\windows\system32\xlivefnt.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2008-02-18 14:16 2957312 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2008-02-18 14:16 2957312 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2007-06-05 49168]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-11-16 1043968]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-07-20 202256]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"disableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-06-05 23:03 90112 ----a-w- c:\windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /k:C *

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Keiran^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\users\Keiran\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 04:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
2010-12-13 08:39 281768 ----a-w- c:\program files\Avira\AntiVir Desktop\avgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-03-13 13:54 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
2008-09-21 19:30 615696 ----a-w- c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-06-15 21:13 136176 ----atw- c:\users\Keiran\AppData\Local\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2008-04-20 17:30 178712 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-24 01:10 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-06-25 14:59 13543968 ----a-w- c:\windows\System32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-06-25 14:59 92704 ----a-w- c:\windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSQLLauncher]
2007-06-05 22:40 49168 ----a-w- c:\program files\Protector Suite QL\launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 10:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2008-09-19 09:37 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-06-27 03:42 6295552 ----a-w- c:\windows\RtHDVCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-07-14 01:14 1173504 ----a-w- c:\program files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2007-01-29 10:22 638976 ----a-w- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-09-04 04:13 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2007-12-06 10:12 1029416 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-07-20 23:36 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-11-17 135664]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2008-01-29 29736]
R3 ICDUSB3;ICDUSB3;c:\windows\system32\Drivers\ICDUSB3.sys [2008-08-18 11264]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-03-25 30969208]
R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl.sys [2010-04-19 18432]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [2009-12-30 27192]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-19 1343400]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-12-13 135336]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35088]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-06-25 43040]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2011-01-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-17 16:57]

2011-01-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-17 16:57]

2011-01-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2458282644-3598780805-1331794024-1000Core.job
- c:\users\Keiran\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-10 21:13]

2011-01-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2458282644-3598780805-1331794024-1000UA.job
- c:\users\Keiran\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-10 21:13]

2011-01-05 c:\windows\Tasks\User_Feed_Synchronization-{C7F1702A-6DC6-4C12-8835-735924C16383}.job
- c:\windows\system32\msfeedssync.exe [2010-12-17 05:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
FF - ProfilePath - c:\users\Keiran\AppData\Roaming\Mozilla\Firefox\Profiles\5b3wdcum.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Firesheep: firesheep@codebutler.com - %profile%\extensions\firesheep@codebutler.com
.
- - - - ORPHANS REMOVED - - - -

AddRemove-ESET Online Scanner - c:\program files\ESET\ESET Online Scanner\OnlineScannerUninstaller.exe


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-01-05 01:25:38
ComboFix-quarantined-files.txt 2011-01-05 01:25
ComboFix2.txt 2011-01-04 12:56
ComboFix3.txt 2011-01-03 15:42

Pre-Run: 144,605,777,920 bytes free
Post-Run: 144,323,579,904 bytes free

- - End Of File - - A9BD532E2E28FC141A50CB7D1571B123

#14 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:48 PM

Posted 04 January 2011 - 09:27 PM

No, no need to do anything. That is the AntiVirus griping about ComboFix. That's why we ask to have all those at least disabled when ComboFix runs. :)

Can you tell me what's in this folder... if you recognize it? c:\program files\win
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#15 keiran0

  • Topic Starter
  • Members
  • 12 posts
  • Local time:11:48 PM

Posted 08 January 2011 - 03:40 AM

Hi,

Sorry about the delayed reply, I've been quite busy over the last few days :)

The folder C:\program files\win is empty and I don't recognise it to be honest.

Thanks again for your continuing help.
