PC infected

Status
Not open for further replies.
Hello mattl

Thank you for the log.

Kaspersky has identified a number of infected files that we will deal with in the steps below.

It has also identified some infections located in your Microsoft Outlook e-mail archive. Unfortunately the scan does not tell us which e-mails are infected, only that they are on your system. For this reason you are advised to access your Outlook e-mail archive and delete all old e-mails from anyone that you don't know, and any with attachments such as jokes or videos.

Information describing how to delete your archive can be found here: http://www.ehow.com/how_5100985_remove-outlook-archive.html


  1. Please download OTM

    • Please download OTM by OldTimer by clicking here.
    • Save the file (called OTM.exe) to your desktop.
    • Double click on the OTM.exe icon to run the program. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    Code:
    :Processes
    explorer.exe

    :Files
    C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\35\4b9066a3-13d8d47e
    C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\35\4b9066a3-74709dc5
    C:\Program Files\Alwil Software\Avast4\DATA\moved\index.html.2.vir
    C:\Program Files\Alwil Software\Avast4\DATA\moved\index.html.3.vir
    C:\Program Files\Alwil Software\Avast4\DATA\moved\index.html.4.vir
    C:\Program Files\Alwil Software\Avast4\DATA\moved\index.html.vir
    C:\Websites\BTCCPages download 090306\etcc\2004\index.php
    C:\Websites\BTCCPages download 090306\shop\shopwindow\index.php
    C:\Websites\BTCCPages download 090306\teampsp\news\index.php

    :Commands
    [Purity]
    [EmptyTemp]
    [Emptyflash]
    [Start Explorer]
    [Reboot]



    • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
    • Click the Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTM.
    • Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File -> Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

    Please post the OTM log and a new DDS log in your next reply.
 
Hi JonTom,

Have followed the instructions above. OTM and DDS logs below and attached.

Matt

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== FILES ==========
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\35\4b9066a3-13d8d47e moved successfully.
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\35\4b9066a3-74709dc5 moved successfully.
C:\Program Files\Alwil Software\Avast4\DATA\moved\index.html.2.vir moved successfully.
C:\Program Files\Alwil Software\Avast4\DATA\moved\index.html.3.vir moved successfully.
C:\Program Files\Alwil Software\Avast4\DATA\moved\index.html.4.vir moved successfully.
C:\Program Files\Alwil Software\Avast4\DATA\moved\index.html.vir moved successfully.
C:\Websites\BTCCPages download 090306\etcc\2004\index.php moved successfully.
C:\Websites\BTCCPages download 090306\shop\shopwindow\index.php moved successfully.
C:\Websites\BTCCPages download 090306\teampsp\news\index.php moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 110142359 bytes
->Temporary Internet Files folder emptied: 9083769 bytes
->Java cache emptied: 79156254 bytes
->FireFox cache emptied: 47153505 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 166788 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 56504 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 49242 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 109915424 bytes

Total Files Cleaned = 339.00 mb


OTM by OldTimer - Version 3.1.16.1 log created on 10232010_133325

Files moved on Reboot...
File C:\Documents and Settings\Administrator\Local Settings\Temp\hsperfdata_Administrator\1008 not found!
File C:\Documents and Settings\Administrator\Local Settings\Temp\~DF707D.tmp not found!
File C:\Documents and Settings\Administrator\Local Settings\Temp\~DF7092.tmp not found!
File C:\Documents and Settings\Administrator\Local Settings\Temp\~DF7249.tmp not found!
File C:\Documents and Settings\Administrator\Local Settings\Temp\~DF72BE.tmp not found!
File C:\Documents and Settings\Administrator\Local Settings\Temp\~DF7E9E.tmp not found!
File C:\Documents and Settings\Administrator\Local Settings\Temp\~DF7EB4.tmp not found!
File C:\Documents and Settings\Administrator\Local Settings\Temp\~DFB20.tmp not found!
File C:\Documents and Settings\Administrator\Local Settings\Temp\~DFB34.tmp not found!
File C:\Documents and Settings\Administrator\Local Settings\Temp\~DFDAE.tmp not found!
File C:\Documents and Settings\Administrator\Local Settings\Temp\~DFDE3F.tmp not found!
File C:\Documents and Settings\Administrator\Local Settings\Temp\~DFDE6.tmp not found!
File C:\Documents and Settings\Administrator\Local Settings\Temp\~DFDE61.tmp not found!
File C:\Documents and Settings\Administrator\Local Settings\Temp\~DFFF63.tmp not found!
File C:\Documents and Settings\Administrator\Local Settings\Temp\~DFFFB3.tmp not found!
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZFZWB89F\;scat=computersoftware;sscat=othercomputersoftware;art=5100985;qg=;tc=;vid=0;ctype=articles;ugc=0;lvl=4;qcseg=D;tile=3;sz=300x250;ord=3558733870069838[1].htm moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZFZWB89F\how_5100985_remove-outlook-archive[1].html moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZFZWB89F\iframe3[1].htm moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZFZWB89F\info[1].htm moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MAWN3SDR\like[1].htm moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MAWN3SDR\like[2].htm moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MAWN3SDR\pngbehavior[1].htc moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MAWN3SDR\xd_receiver[1].htm moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4FDXEDYD\accounts_hub[1].htm moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\3CG14JYI\;scat=computersoftware;sscat=othercomputersoftware;art=5100985;qg=;tc=;vid=0;ctype=articles;ugc=0;lvl=4;qcseg=D;tile=4;sz=300x310;ord=3558733870069838[1].htm moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\3CG14JYI\sh25[1].html moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\3CG14JYI\showthread[2].htm moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
File move failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.
C:\WINDOWS\temp\Perflib_Perfdata_328.dat moved successfully.

Registry entries deleted on Reboot...

-----


DDS (Ver_10-10-21.02) - NTFSx86
Run by Administrator at 13:42:12.32 on 23/10/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1919.1282 [GMT 1:00]

AV: avast! antivirus 4.8.1368 [VPS 101023-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\System32\svchost.exe -k Cognizance
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\PDF Complete\pdfsvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\notepad.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
uInternet Settings,ProxyServer =
uInternet Settings,ProxyOverride =
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\adobe acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Credential Manager for HP ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hewlett-packard\iam\bin\ItIEAddIn.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\ccc.lnk - c:\program files\ati technologies\ati.ace\core-static\CCC.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\google~1.lnk - c:\program files\google\google calendar sync\GoogleCalendarSync.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://bq.bp.2020.net/Core/Player/2020PlayerAX_Win32.cab
DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - hxxps://moneymanager.egg.com/Pinsafe/accounttracking.cab
DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://agaycam01.dyndns.org:8083/activex/AMC.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
DPF: {FD7C00A9-E676-11D6-A08E-00E09878F0CF} - hxxps://managemyaccount.baa.com/vpns/scripts/vista/nsload.ocx
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: OneCard - c:\program files\hewlett-packard\iam\bin\ASWLNPkg.dll
AppInit_DLLs: c:\windows\system32\APSHook.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = SbHpNp scecli
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\yz7gskh7.default\
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - component: c:\program files\nokia\nokia pc suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\adobe\adobe acrobat 7.0\acrobat\browser\nppdf32.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2007-2-7 100495]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [2006-10-9 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2007-3-30 13696]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-25 114768]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [2007-2-7 5808]
R2 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [2004-8-4 14336]
R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2004-8-4 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-25 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-4-25 138680]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\hewlett-packard\drive encryption\HpFkCrypt.exe [2007-3-30 221184]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2007-7-27 540448]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-4-25 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-4-25 352920]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2006-9-19 36608]
R3 Net6IM;Net6;c:\windows\system32\drivers\net6im51.sys [2010-4-5 73368]
S2 ALIWEHCD;Belkin All-In-One Print Server Enhanced Controller;c:\windows\system32\drivers\mfpec.sys --> c:\windows\system32\drivers\mfpec.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-5 135664]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2010-4-10 266544]
S3 WUSBVBus;MFP Server Detector;c:\windows\system32\drivers\mfpvbus.sys --> c:\windows\system32\drivers\mfpvbus.sys [?]

=============== Created Last 30 ================

2010-10-23 12:33:25 -------- d-----w- C:\_OTM
2010-10-22 21:36:54 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-22 21:21:59 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-22 21:21:59 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2010-10-22 21:06:08 -------- d-----w- c:\program files\Sun
2010-10-22 20:54:53 -------- d-----w- c:\windows\system32\appmgmt
2010-10-22 19:31:33 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-10-22 19:31:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-22 19:31:27 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-22 19:31:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-22 19:31:27 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-10-21 22:19:38 -------- d-----w- C:\cf13849c
2010-10-19 22:25:12 -------- d-sha-r- C:\cmdcons
2010-10-19 22:23:29 -------- d-----w- C:\cf1
2010-10-19 20:20:51 98816 ----a-w- c:\windows\sed.exe
2010-10-19 20:20:51 77312 ----a-w- c:\windows\MBR.exe
2010-10-19 20:20:51 256512 ----a-w- c:\windows\PEV.exe
2010-10-19 20:20:51 161792 ----a-w- c:\windows\SWREG.exe
2010-10-17 21:13:27 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-10-17 21:13:27 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-17 21:12:58 -------- d-----w- c:\program files\Belkin
2010-10-17 21:12:54 -------- d-----w- c:\program files\TweetDeck
2010-10-15 20:15:58 -------- d-----w- c:\program files\ESET
2010-10-15 19:52:12 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-10-15 19:52:12 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-10-15 07:38:31 -------- d-----w- c:\program files\Trend Micro
2010-10-14 22:07:44 -------- d-----w- c:\program files\common files\iS3
2010-10-11 20:56:11 -------- d-----w- c:\program files\TweetDeck(2)
2010-10-09 18:23:54 -------- d-----w- c:\docume~1\admini~1\applic~1\Process Hacker 2

==================== Find3M ====================

2010-09-18 11:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet(3)(2)(3).dll
2010-09-10 05:58:08 1210880 ----a-w- c:\windows\system32\urlmon(3)(2)(3).dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1986560 ----a-w- c:\windows\system32\iertutil(2)(2)(3).dll
2010-09-10 05:58:06 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-10 05:58:05 11080192 ----a-w- c:\windows\system32\ieframe(2)(2)(3).dll
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd(3)(2)(3).dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k(2)(2)(2).sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32(2)(2)(2).dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4(2)(2)(3).dll
2010-07-25 21:14:18 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe

============= FINISH: 13:43:47.21 ===============
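The OTM run above works in two halves: the helper's script lists the paths to move under ":Files", and the results log reports each path as "moved successfully", "not found!" or "File move failed ... scheduled to be moved on reboot". A useful check before declaring the cleanup done is to reconcile the two, so that nothing in the script was silently skipped. The script below is an added example, not part of this thread or of OTM itself; the paths in it are constructed stand-ins that follow the same line formats seen in the posted log, and the regular expressions assume OTM keeps those exact phrasings.

```python
"""Reconcile an OTM move script against the OTM results log.

Added example: cross-checks every path listed under :Files in the
script with the outcome OTM reported for it. The sample script and log
below are constructed for illustration and use hypothetical paths.
"""
import re

# Constructed OTM script in the same :Processes / :Files / :Commands layout.
SAMPLE_SCRIPT = """:Processes
explorer.exe

:Files
C:\\Example\\cache\\a1b2c3d4-deadbeef
C:\\Example\\moved\\index.html.vir
C:\\Example\\web\\index.php
C:\\Example\\stubborn.txt

:Commands
[EmptyTemp]
[Reboot]
"""

# Constructed OTM results log using the three outcome phrasings OTM emits.
SAMPLE_LOG = """All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== FILES ==========
C:\\Example\\cache\\a1b2c3d4-deadbeef moved successfully.
C:\\Example\\moved\\index.html.vir moved successfully.
File C:\\Example\\web\\index.php not found!
File move failed. C:\\Example\\stubborn.txt scheduled to be moved on reboot.
========== COMMANDS ==========
"""

# One pattern per outcome; the path is captured lazily so trailing text stays out of it.
OUTCOME_PATTERNS = (
    ("moved", re.compile(r"^(?P<path>.+?) moved successfully\.$")),
    ("not_found", re.compile(r"^File (?P<path>.+?) not found!$")),
    ("deferred", re.compile(
        r"^File move failed\. (?P<path>.+?) scheduled to be moved on reboot\.$")),
)


def script_files(script):
    """Return the paths listed under the :Files section of an OTM script."""
    files, in_files = [], False
    for line in script.splitlines():
        line = line.strip()
        if line.startswith(":"):          # section header such as :Files or :Commands
            in_files = line.lower() == ":files"
            continue
        if in_files and line:
            files.append(line)
    return files


def log_status(log):
    """Map each path mentioned in the results log to its reported outcome."""
    status = {}
    for line in log.splitlines():
        line = line.strip()
        for label, pattern in OUTCOME_PATTERNS:
            match = pattern.match(line)
            if match:
                # Windows paths are case-insensitive, so normalise the key.
                status[match.group("path").lower()] = label
                break
    return status


def reconcile(script, log):
    """For every scripted path, report moved / not_found / deferred / unreported."""
    status = log_status(log)
    return {path: status.get(path.lower(), "unreported") for path in script_files(script)}


def outstanding(script, log):
    """Paths that still need a look after the run: anything not cleanly moved."""
    return [path for path, state in reconcile(script, log).items() if state != "moved"]


if __name__ == "__main__":
    for path, state in reconcile(SAMPLE_SCRIPT, SAMPLE_LOG).items():
        print(f"{state:<11} {path}")
    print("needs follow-up:", outstanding(SAMPLE_SCRIPT, SAMPLE_LOG))
```

In this thread every scripted path came back "moved successfully", so `outstanding` would be empty; a "deferred" entry means the reboot log (the file under C:\_OTMoveIt\MovedFiles that the helper describes) should be checked as well, and an "unreported" entry means OTM never mentioned the path at all and the run should be repeated.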
 
Hello mattl

Your log appears to be clean.

Good work :)

Please work through the following steps:


  1. Please Uninstall Combofix

    • Click on "Start" and then on "Run".
    • Now type combofix /uninstall in the run box and click "OK". Please note the space between the "x" and the "/Uninstall", it needs to be there.

  2. Please perform the following cleanup procedure

    • Double click on the OTM.exe icon on your desktop to run the program. (Note: If you are running Vista/Windows 7, right-click on the file and choose Run As Administrator).
    • Once OTM has opened, click on the "CleanUp!" button.
    • Follow any prompts that you receive.

  3. Removal of Tools

    • You no longer need MBRCheck, SystemLook, TDSSKiller, Rootkit Unhooker or Norton Removal Tool. Please delete them from your machine.


    Once you have completed the above steps you should be good to go! If you have any further questions, please feel free to ask.

  4. Finally, please take the time to read through the information provided below:

    Enhance your System Security
    • For an excellent list of free anti virus software, free online virus scanners, free spyware detection/removal and free firewalls, click here.
    • IMPORTANT! Please make sure you only have ONE firewall and ONE real-time antivirus installed on your system. When using "on demand" scanners, first update the detection signature files, then disconnect from the internet and disable your resident security program before running the scan.
    • Once complete, remember to re-engage your resident security before going online.

    Web Browsers and Browser Security

    Firefox
    • Firefox is generally considered to have greater browsing security in comparison to other popular programs. You can download Firefox 3.0 from here.

    No-Script
    • If you use Firefox as your default browser, No-Script can provide additional security by preventing malicious scripts from being executed on your system.
    • You can download No-Script by clicking here.

    Internet Explorer
    • The newest version of Internet Explorer is available from here.

    SpywareBlaster
    • If you use Internet Explorer as your default browser, SpywareBlaster would be a valuable addition to your online security.
    • SpywareBlaster prevents malicious ActiveX objects from being downloaded onto your system.
    • You can download SpywareBlaster by clicking here.

    Web of Trust
    • When using search engines, Web of Trust provides you with an easy way of telling the good sites from the bad and is compatible with both Firefox and Internet Explorer.
    • Coloured symbols are displayed next to search results, giving you more confidence in the links you choose to click on: Green (To go), Yellow (Caution) and Red (Stop).
    • You can download Web of Trust by clicking here.

    Keep your Software Updated
    • Outdated software can sometimes have vulnerabilities that are exploitable by malware.
    • Check if there are available updates for your installed software with Secunia's Online Software Inspector by clicking here.

    Passwords
    • Learn how to create strong passwords by clicking here and test the strength of the passwords you already use by clicking here.

    General Reading
    Learn How To Combat Malware
    • Would you like to learn how to fight back against malware and help others? Enroll at the What The Tech (Formerly Tom Coyotes) Malware Classroom by clicking here.
 
Thanks for all your help!

Hi JonTom,

I have followed through your final instructions and all seems to be running smoothly. I think all that is left is for me to thank you for helping me get my pc back!

I hope I don't need your help again, but I am very grateful for what you have done and I won't hesitate to recommend the site to friends.

Thanks again,

Matt
 
Since this problem appears to be resolved this topic is now closed.

If you are the topic starter and need this topic reopened, please PM a staff member (include the address of this thread in your request).

Everyone else please start a new topic.


Best wishes
JonTom
 