Hi everyone,

I managed to pick up a Vundo infection which AVG found and told me it binned. I don't believe it...

The symptom that made me go looking was stuttering streamed media - just shouldn't happen on a 60meg cable line.

I saw multiple winlogon.exe processes running and I figured that just wasn't right so scanned with AVG. It found some registry keys and an exe which showed up as Vundo.

So I killed them.

But I suspect there is more going on. On reconnecting to the internet, sure enough, more winlogon.exe processes, more stuttering streaming.

I've scanned with Malwarebytes, nothing. Symantec's VundoFix, nothing... I left it in safe mode this morning rerunning the Symantec one, I'm yet to see the results.

I'm not too hopeful at the moment...

What should I try next?

Thanks in advance...

Calum


Hello,

P2P/Piracy Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Kevin

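The log Kevin asks for is plain text, and most of what a helper does with the "Registry (Whitelisted)" and "Internet (Whitelisted)" sections is pattern matching. The script below is an added example for this thread: it is not part of the original posts, not part of FRST, and not a verdict on Calum's machine. It runs a handful of the usual triage checks over FRST-format lines (an LSA Authentication Packages list with anything besides msv1_0, AppInit_DLLs entries, registry references FRST marks "No File", and autostart entries with no target or no publisher). The sample log is constructed; names such as Example Corp, tray.exe, hook.dll and examplepkg are hypothetical.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST.txt) output.

Added example for this thread; it is not part of the original posts and not
part of FRST itself. It applies, mechanically, a few of the checks a
malware-removal helper applies by eye to the "Registry (Whitelisted)" and
"Internet (Whitelisted)" sections of an FRST log. Every hit is a candidate
for review, not a malware verdict (legitimate software also uses AppInit_DLLs
and ships binaries without publisher information).
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str   # short heuristic name
    line: str   # the offending FRST line, verbatim


# FRST autostart lines look like:
#   HKLM\...\Run: [Name] - C:\path\file.exe [size yyyy-mm-dd] (Publisher)
# An empty "()" means FRST found no publisher information for the file;
# "- [x]" at the end means the entry points at a file that is absent.
_RUN_KEY_RE = re.compile(r"\\Run(?:Once)?: \[")
_PUBLISHER_RE = re.compile(r"\]\s*\((?P<publisher>[^)]*)\)\s*$")


def triage_frst(text: str) -> list[Finding]:
    """Return the suspicious-looking entries found in an FRST.txt log."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue

        if line.startswith("Lsa: [Authentication Packages]"):
            # lsass.exe loads every listed package at boot. On a stock Vista/7
            # system the list is just msv1_0; anything else deserves a look.
            packages = line.split("]", 1)[1].split()
            if any(p.lower() != "msv1_0" for p in packages):
                findings.append(Finding("lsa-extra-authentication-package", line))

        elif line.startswith("AppInit_DLLs:"):
            # Injected into every process that loads user32.dll.
            findings.append(Finding("appinit-dll", line))

        if line.endswith("No File"):
            # Registry reference whose target FRST could not find: either an
            # orphan left by an earlier cleanup or a file hidden from the scan.
            findings.append(Finding("orphaned-reference", line))

        if _RUN_KEY_RE.search(line):
            if line.endswith("- [x]"):
                findings.append(Finding("autostart-without-target", line))
            else:
                m = _PUBLISHER_RE.search(line)
                if m and not m.group("publisher").strip():
                    findings.append(Finding("autostart-no-publisher", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, for a quick overview."""
    return dict(Counter(f.rule for f in findings))


# Constructed sample in FRST's format. Example Corp, tray.exe, hook.dll,
# helper.dll and examplepkg are hypothetical names, not from any real log.
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Windows Defender] - C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-19] (Microsoft Corporation)
HKLM\...\Run: [] - [x]
HKLM\...\Run: [ExampleTray] - C:\Program Files\Example\tray.exe [2486296 2014-01-09] ()
AppInit_DLLs: C:\PROGRA~1\EXAMPLE\hook.dll => C:\Program Files\Example\hook.dll [123392 2010-07-30] (Example Corp)
Lsa: [Authentication Packages] msv1_0 C:\Windows\system32\examplepkg

==================== Internet (Whitelisted) ====================

BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll (Example Corp)
BHO: No Name - {00000000-0000-0000-0000-000000000002} - C:\Windows\system32\examplepkg.dll No File
Toolbar: HKLM - No Name - {00000000-0000-0000-0000-000000000003} -  No File
"""


if __name__ == "__main__":
    results = triage_frst(SAMPLE_LOG)
    for f in results:
        print(f"[{f.rule}] {f.line}")
    print(summarize(results))
```

Run it against a real FRST.txt by reading the file into `triage_frst`. The output is a reading list, not a removal list: run against the log Calum posts further down, the same checks flag the AppInit_DLLs entry, which belongs to Google Desktop Search and is legitimate, alongside the orphaned "No File" references. That is why a helper reads every hit in context before writing a fix.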

Hi Kevin,

Thanks for picking this up, much appreciated.

FRST.txt
-------------

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 29-01-2014 01
Ran by calumscott (administrator) on CALUMSCOTT-PC on 31-01-2014 19:09:32
Running from C:\Users\calumscott\Desktop
Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Safe Mode (minimal)
 
The only official download link for FRST:
Download link for 32-Bit version:
Download link for 64-Bit Version:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Processes (Whitelisted) ===================
 
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
 
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [Windows Defender] - C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-19] (Microsoft Corporation)
HKLM\...\Run: [RtHDVCpl] - C:\Windows\RtHDVCpl.exe [4907008 2008-01-17] (Realtek Semiconductor)
HKLM\...\Run: [Windows Mobile Device Center] - C:\Windows\WindowsMobile\wmdc.exe [648072 2007-05-31] (Microsoft Corporation)
HKLM\...\Run: [iSUSScheduler] - C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [81920 2005-06-10] (InstallShield Software Corporation)
HKLM\...\Run: [] - [x]
HKLM\...\Run: [RoxWatchTray] - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe [221184 2006-11-05] (Sonic Solutions)
HKLM\...\Run: [Google Desktop Search] - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [30192 2010-07-30] (Google)
HKLM\...\Run: [WD Button Manager] - C:\Windows\system32\WDBtnMgr.exe [364544 2008-01-14] (Western Digital Technologies, Inc.)
HKLM\...\Run: [ulead AutoDetector v2] - C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe [90112 2004-11-26] (Ulead Systems, Inc.)
HKLM\...\Run: [GrooveMonitor] - C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKLM\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [39792 2008-10-15] (Adobe Systems Incorporated)
HKLM\...\Run: [TkBellExe] - C:\Program Files\Common Files\Real\Update_OB\realsched.exe [198160 2009-12-21] (RealNetworks, Inc.)
HKLM\...\Run: [CanonMyPrinter] - C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [1983816 2009-07-26] (CANON INC.)
HKLM\...\Run: [CanonSolutionMenu] - C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe [767312 2009-03-17] (CANON INC.)
HKLM\...\Run: [iJNetworkScanUtility] - C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe [136544 2009-05-19] (CANON INC.)
HKLM\...\Run: [Nikon Message Center 2] - C:\Program Files\Nikon\Nikon Message Center 2\NkMC2.exe [619008 2010-05-25] (Nikon Corporation)
HKLM\...\Run: [VirtualCloneDrive] - C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe [85160 2009-06-17] (Elaborate Bytes AG)
HKLM\...\Run: [ATICustomerCare] - "C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe"
HKLM\...\Run: [startCCC] - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [336384 2011-01-26] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [AdobeAAMUpdater-1.0] - C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [499608 2011-03-15] (Adobe Systems Incorporated)
HKLM\...\Run: [switchBoard] - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM\...\Run: [AdobeCS5.5ServiceManager] - C:\Program Files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe [1523360 2011-01-12] (Adobe Systems Incorporated)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM\...\Run: [Monitor] - C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe [106496 2013-11-27] (LeapFrog Enterprises, Inc.)
HKLM\...\Run: [vProt] - C:\Program Files\AVG Secure Search\vprot.exe [2486296 2014-01-09] ()
HKLM\...\Run: [MSC] - C:\Program Files\Microsoft Security Client\msseces.exe [948440 2013-10-23] (Microsoft Corporation)
HKLM\...\Run: [sunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [252848 2012-07-03] (Sun Microsystems, Inc.)
HKLM\...\Run: [AVG_UI] - C:\Program Files\AVG\AVG2014\avgui.exe [4956176 2013-11-07] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\QTTask.exe [421888 2013-05-01] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [152392 2013-11-02] (Apple Inc.)
HKLM\...\RunOnce: [Malwarebytes Anti-Malware] - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent [532040 2013-04-04] (Malwarebytes Corporation)
HKLM\...\Policies\Explorer: [NoCDBurning] 0
HKCU\...\Run: [ehTray.exe] - C:\Windows\ehome\ehTray.exe [125952 2008-01-19] (Microsoft Corporation)
HKCU\...\Run: [TomTomHOME.exe] - C:\Program Files\TomTom HOME 2\HOMERunner.exe [202088 2008-05-06] (TomTom)
HKCU\...\Run: [WMPNSCFG] - C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-19] (Microsoft Corporation)
HKCU\...\Run: [Google Update] - C:\Users\calumscott\AppData\Local\Google\Update\GoogleUpdate.exe [136176 2010-03-18] (Google Inc.)
HKCU\...\Run: [JumiController] - C:\Program Files\Jumi\jumi.exe
HKCU\...\Run: [DellSupportCenter] - "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
HKCU\...\Run: [Jing] - C:\Program Files\TechSmith\Jing\Jing.exe [2909640 2013-01-07] (TechSmith Corporation)
HKCU\...\Run: [AdobeBridge] - [x]
HKCU\...\Run: [MobileDocuments] - C:\Program Files\Common Files\Apple\Internet Services\ubd.exe
HKCU\...\Run: [GoogleDriveSync] - C:\Program Files\Google\Drive\googledrivesync.exe [20203904 2013-12-06] (Google)
HKCU\...\Run: [iCloudServices] - C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe [59720 2013-04-05] (Apple Inc.)
HKCU\...\Run: [ApplePhotoStreams] - C:\Program Files\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [59720 2013-04-05] (Apple Inc.)
HKCU\...\Run: [swg] - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [68856 2008-01-08] (Google Inc.)
HKCU\...\Run: [spotify Web Helper] - C:\Users\calumscott\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [1104384 2013-07-22] (Spotify Ltd)
HKCU\...\Run: [Digiarty_Software_AirPlayit] - C:\Program Files\Digiarty\Air_Playit\airplayit.exe [10468672 2012-02-28] ()
MountPoints2: {24f65eab-bdcb-11dc-8999-806e6f6e6963} - E:\SETUP.EXE
MountPoints2: {a5823cf4-c306-11df-84ce-001aa06cc490} - M:\LaunchU3.exe -a
MountPoints2: {e9fdcc21-37e6-11dd-9f9a-001aa06cc490} - K:\InstallTomTomHOME.exe
HKU\Default\...\Run: [WindowsWelcomeCenter] - C:\Windows\system32\oobefldr.dll [ 2009-04-11] (Microsoft Corporation)
HKU\Default User\...\Run: [WindowsWelcomeCenter] - C:\Windows\system32\oobefldr.dll [ 2009-04-11] (Microsoft Corporation)
HKU\hannah\...\Run: [ehTray.exe] - C:\Windows\ehome\ehTray.exe [ 2008-01-19] (Microsoft Corporation)
HKU\hannah\...\Run: [MsnMsgr] - C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe [ 2012-03-08] (Microsoft Corporation)
HKU\hannah\...\Run: [swg] - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [ 2008-01-08] (Google Inc.)
AppInit_DLLs: C:\PROGRA~1\GOOGLE\GOOGLE~2\GOEC62~1.DLL => C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll [123392 2010-07-30] (Google)
Lsa: [Authentication Packages] msv1_0 C:\Windows\system32\nnnmlLCS
Startup: C:\Users\calumscott\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\calumscott\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
Startup: C:\Users\calumscott\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\calumscott\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StickyNotes.exe - Shortcut.lnk
ShortcutTarget: StickyNotes.exe - Shortcut.lnk -> C:\stickynotes\StickyNotes.exe (Author - Igor Vigdorchik)
Startup: C:\Users\hannah\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\calumscott\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
Startup: C:\Users\hannah\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=0080108
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=0080108
URLSearchHook: HKCU - UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
SearchScopes: HKLM - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} URL = http://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg-chrome&type=yahoo_avg_hs2-tb-web_chrome_us&p={searchTerms}
SearchScopes: HKCU - {198B698D-5376-40A9-8A1D-B35F88560161} URL = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=&src=kw&q={searchTerms}&locale=&apn_ptnrs=&apn_dtid=OSJ000&apn_uid=49EAA20A-CE47-404E-9ACB-A6474224CAE2&apn_sauid=EEAB78AD-8ADE-4F0A-B833-599363A57BF9
SearchScopes: HKCU - {70D46D94-BF1E-45ED-B567-48701376298E} URL = http://127.0.0.1:4664/search&s=4kAnjxxW9N3T6sS_6bH32mnRpl0?q={searchTerms}
SearchScopes: HKCU - {95B7759C-8C7F-4BF1-B163-73684A933233} URL = http://isearch.avg.com/search?cid={83B120A5-6C39-495A-B532-7DBC27FFDDB7}&mid=7a3ec6f1927c86d1d343dad67487f4c1-2e0c92fd359e95e0c4d42362ab05658789cc545e&lang=en&ds=AVG&pr=fr&d=2012-06-02 17:34:44&v=15.3.0.11&pid=avg&sg=0&sap=dsp&q={searchTerms}
SearchScopes: HKCU - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} URL = http://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg-chrome&type=yahoo_avg_hs2-tb-web_chrome_us&p={searchTerms}
BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll (RealPlayer)
BHO: Canon Easy-WebPrint EX BHO - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll (CANON INC.)
BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll No File
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\15.5.0.2\AVG Secure Search_toolbar.dll (AVG Secure Search)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
BHO: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
BHO: No Name - {FC0F02E5-91B4-4890-8A35-A10D4E2B54E9} - C:\Windows\system32\nnnmlLCS.dll No File
Toolbar: HKLM - No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} -  No File
Toolbar: HKLM - Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
Toolbar: HKLM - AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\15.5.0.2\AVG Secure Search_toolbar.dll (AVG Secure Search)
Toolbar: HKLM - Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} -  No File
Toolbar: HKCU - Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
Toolbar: HKCU - No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} -  No File
DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} C:\Users\CALUMS~1\AppData\Local\Temp\IXP000.TMP\InstallerControl.cab
DPF: {82E5DF24-51E8-47CD-864A-F4BD5005AA73} https://www.icloud.com/system/iCloud.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll No File
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\17.3.0\ViProtocol.dll (AVG Secure Search)
Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - C:\Program Files\Tiscali\Tiscali Internet\dlls\tiscalifilter.dll ()
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 194.168.4.100 194.168.8.100
 
FireFox:
========
FF ProfilePath: C:\Users\calumscott\AppData\Roaming\Mozilla\Firefox\Profiles\kf287fvv.default
FF DefaultSearchEngine: Ask.com
FF SearchEngineOrder.1: Ask.com
FF SelectedSearchEngine: Google
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF32_11_9_900_170.dll ()
FF Plugin: @Apple.com/iTunes,version=1.0 - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin - C:\Program Files\Common Files\AVG Secure Search\SiteSafetyInstaller\17.3.0\\npsitesafety.dll (AVG Technologies)
FF Plugin: @canon.com/EPPEX - C:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL (CANON INC.)
FF Plugin: @Google.com/GoogleEarthPlugin - C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeLive,version=1.5 - C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF Plugin: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~1\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3555.0308 - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @microsoft.com/wpi,version=1.0 - C:\Program Files\Microsoft\Web Platform Installer\\npwpidetector.dll (Microsoft Corp)
FF Plugin: @real.com/nppl3260;version=6.0.12.450 - c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprjplug;version=1.0.3.448 - c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprpjplug;version=6.0.12.448 - c:\program files\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @facebook.com/FBPlugin,version=1.0.3 - C:\Users\calumscott\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll ( )
FF Plugin HKCU: @tools.google.com/Google Update;version=3 - C:\Users\calumscott\AppData\Local\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=9 - C:\Users\calumscott\AppData\Local\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\cgpcfg.dll (Citrix Systems, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\CgpCore.dll (Citrix Systems, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\confmgr.dll ()
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\ctxlogging.dll ()
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\ctxmui.dll (Citrix Systems, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\icafile.dll (Citrix Systems, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\icalogon.dll (Citrix Systems, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\msvcm80.dll (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\msvcp80.dll (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\msvcr80.dll (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npicaN.dll ()
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppl3260.dll (RealNetworks, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nprjplug.dll (RealNetworks, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nprpjplug.dll (RealNetworks, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\sslsdk_b.dll (Citrix Systems, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\TcpPServ.dll (Citrix Systems, Inc.)
FF SearchPlugin: C:\Users\calumscott\AppData\Roaming\Mozilla\Firefox\Profiles\kf287fvv.default\searchplugins\askcom.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\answers.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\avg-secure-search.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\googledesktop.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml
FF Extension: Ask Toolbar - C:\Users\calumscott\AppData\Roaming\Mozilla\Firefox\Profiles\kf287fvv.default\Extensions\toolbar@ask.com [2012-07-08]
FF Extension: Microsoft .NET Framework Assistant - C:\Users\calumscott\AppData\Roaming\Mozilla\Firefox\Profiles\kf287fvv.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b} [2010-07-25]
FF Extension: Greasemonkey - C:\Users\calumscott\AppData\Roaming\Mozilla\Firefox\Profiles\kf287fvv.default\Extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi [2012-08-27]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ []
FF HKLM\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - c:\program files\real\realplayer\browserrecord\firefox\ext
FF Extension: RealPlayer Browser Record Plugin - c:\program files\real\realplayer\browserrecord\firefox\ext [2009-12-21]
FF HKLM\...\Firefox\Extensions: [fiddlerhook@fiddler2.com] - C:\Program Files\Fiddler2\FiddlerHook
FF Extension: FiddlerHook - C:\Program Files\Fiddler2\FiddlerHook [2010-11-25]
FF HKLM\...\Firefox\Extensions: [avg@toolbar] - C:\ProgramData\AVG Secure Search\FireFoxExt\15.5.0.2
FF Extension: AVG Security Toolbar - C:\ProgramData\AVG Secure Search\FireFoxExt\15.5.0.2 [2013-08-14]
 
Chrome: 
=======
CHR DefaultSearchKeyword: google.co.uk
CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Users\calumscott\AppData\Local\Google\Chrome\Application\32.0.1700.102\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Users\calumscott\AppData\Local\Google\Chrome\Application\32.0.1700.102\pdf.dll ()
CHR Plugin: (Shockwave Flash) - C:\Users\calumscott\AppData\Local\Google\Chrome\Application\32.0.1700.102\gcswf32.dll No File
CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 8.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Java Deployment Toolkit 6.0.260.3) - C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll (Sun Microsystems, Inc.)
CHR Plugin: (Java Platform SE 6 U26) - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
CHR Plugin: (RealPlayer G2 LiveConnect-Enabled Plug-In (32-bit) ) - C:\Program Files\Mozilla Firefox\plugins\nppl3260.dll (RealNetworks, Inc.)
CHR Plugin: (RealPlayer Version Plugin) - C:\Program Files\Mozilla Firefox\plugins\nprpjplug.dll (RealNetworks, Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll (Apple Inc.)
CHR Plugin: (RealJukebox NS Plugin) - C:\Program Files\Mozilla Firefox\plugins\nprjplug.dll (RealNetworks, Inc.)
CHR Plugin: (CANON iMAGE GATEWAY Album Plugin Utility) - C:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL (CANON INC.)
CHR Plugin: (AVG SiteSafety plugin) - C:\Program Files\Common Files\AVG Secure Search\SiteSafetyInstaller\11.0.2\\npsitesafety.dll No File
CHR Plugin: (Google Earth Plugin) - C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File
CHR Plugin: (Silverlight Plug-In) - C:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll No File
CHR Plugin: (Microsoft Office Live Plug-in for Firefox) - C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
CHR Plugin: (WPI Application Detector) - C:\Program Files\Microsoft\Web Platform Installer\\npwpidetector.dll (Microsoft Corp)
CHR Plugin: (Windows Live® Photo Gallery) - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (iTunes Application Detector) - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (Facebook Plugin) - C:\Users\calumscott\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll ( )
CHR Plugin: (Windows Presentation Foundation) - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Extension: (Google Drive) - C:\Users\calumscott\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-05-04]
CHR Extension: (YouTube) - C:\Users\calumscott\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2011-12-21]
CHR Extension: (Google Search) - C:\Users\calumscott\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2011-12-21]
CHR Extension: (AVG Security Toolbar) - C:\Users\calumscott\AppData\Local\Google\Chrome\User Data\Default\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof [2012-11-09]
CHR Extension: (Google Wallet) - C:\Users\calumscott\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-22]
CHR Extension: (Gmail) - C:\Users\calumscott\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2011-12-21]
CHR HKLM\...\Chrome\Extension: [ndibdjnfmopecpmkdieinmbadjfpblof] - C:\ProgramData\AVG Secure Search\ChromeExt\17.3.0.49\avg.crx [2014-01-09]
CHR HKCU\...\Chrome\Extension: [apdfllckaahabafndbhieahigkjlhalf] - C:\Users\CALUMS~1\AppData\Local\Google\Drive\apdfllckaahabafndbhieahigkjlhalf_live.crx [2013-05-04]
CHR StartMenuInternet: Google Chrome - C:\Users\calumscott\AppData\Local\Google\Chrome\Application\chrome.exe
 
========================== Services (Whitelisted) =================
 
S2 AdobeActiveFileMonitor7.0; C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [169312 2008-09-16] (Adobe Systems Incorporated)
S2 AERTFilters; C:\Windows\system32\AERTSrv.exe [77824 2007-12-05] (Andrea Electronics Corporation)
S4 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [284672 2011-01-26] (Advanced Micro Devices, Inc.)
S2 AMD Reservation Manager; C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [140224 2010-06-17] (Advanced Micro Devices)
S2 AVGIDSAgent; C:\Program Files\AVG\AVG2014\avgidsagent.exe [3478544 2013-11-11] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files\AVG\AVG2014\avgwdsvc.exe [348008 2013-09-24] (AVG Technologies CZ, s.r.o.)
S3 GoogleDesktopManager-051210-111108; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [30192 2010-07-30] (Google)
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [22208 2013-10-23] (Microsoft Corporation)
S2 MySQL; C:\Program Files\MySQL\MySQL Server 5.1\my.ini [8917 2010-07-08] ()
S3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [280288 2013-10-23] (Microsoft Corporation)
S2 NoIPDUCService; C:\Program Files\No-IP\DUC20.exe [1172992 2010-06-01] (Vitalwerks LLC)
S2 vToolbarUpdater17.3.0; C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.3.0\ToolbarUpdater.exe [1771544 2014-01-09] (AVG Secure Search)
S2 sprtsvc_dellsupportcenter; C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service /p dellsupportcenter [x]
 
==================== Drivers (Whitelisted) ====================
 
S1 Avgdiskx; C:\Windows\System32\DRIVERS\avgdiskx.sys [120600 2013-11-05] (AVG Technologies CZ, s.r.o.)
S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [209176 2013-11-04] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [147768 2013-10-24] (AVG Technologies CZ, s.r.o.)
S1 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [22840 2013-09-17] (AVG Technologies CZ, s.r.o.)
S1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [176952 2013-10-31] (AVG Technologies CZ, s.r.o.)
R0 Avglogx; C:\Windows\System32\DRIVERS\avglogx.sys [222520 2013-10-31] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [102712 2013-10-01] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [27448 2013-09-10] (AVG Technologies CZ, s.r.o.)
S1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [193848 2013-08-01] (AVG Technologies CZ, s.r.o.)
R1 avgtp; C:\Windows\system32\drivers\avgtpx86.sys [37664 2013-11-11] (AVG Technologies)
S1 ElbyCDIO; C:\Windows\System32\Drivers\ElbyCDIO.sys [26024 2009-12-17] (Elaborate Bytes AG)
S3 jumi; C:\Windows\System32\DRIVERS\jumi.sys [13112 2010-06-03] (Windows ® Win 7 DDK provider)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [214696 2013-09-27] (Microsoft Corporation)
S3 QCDonner; C:\Windows\System32\DRIVERS\LVCD.sys [474304 2004-04-26] (Logitech Inc.)
S3 R300; C:\Windows\System32\DRIVERS\atikmdag.sys [9334784 2012-04-06] (Advanced Micro Devices, Inc.)
S3 s1018obex; C:\Windows\System32\DRIVERS\s1018obex.sys [104616 2008-11-04] (MCCI Corporation)
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [x]
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]
S3 PCDSRVC{E9D79540-57D5953E-06020101}_0; \??\c:\program files\dell support center\pcdsrvc.pkms [x]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-01-31 19:09 - 2014-01-31 19:10 - 00032771 _____ C:\Users\calumscott\Desktop\FRST.txt
2014-01-31 19:09 - 2014-01-31 19:09 - 00000000 ____D C:\FRST
2014-01-31 19:08 - 2014-01-31 19:08 - 01137152 _____ (Farbar) C:\Users\calumscott\Desktop\FRST.exe
2014-01-31 18:46 - 2014-01-31 18:44 - 00688992 ____R (Swearware) C:\Users\calumscott\Desktop\dds.com
2014-01-30 20:35 - 2014-01-31 11:22 - 00030608 _____ C:\Users\calumscott\Desktop\FixVundo.log
2014-01-30 20:33 - 2014-01-30 20:33 - 00173456 _____ (Symantec Corporation) C:\Users\calumscott\Desktop\FixVundo.exe
2014-01-29 21:31 - 2014-01-29 22:16 - 00000135 _____ C:\VundoFix.txt
2014-01-29 21:31 - 2014-01-29 21:31 - 00000000 ____D C:\VundoFix Backups
2014-01-29 21:29 - 2014-01-29 21:29 - 00119808 _____ (Atribune.org) C:\Users\calumscott\Desktop\VundoFix.exe
2014-01-29 18:12 - 2014-01-29 18:12 - 00000000 ____D C:\Users\calumscott\AppData\Roaming\Malwarebytes
2014-01-29 18:11 - 2014-01-29 21:19 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2014-01-29 18:11 - 2014-01-29 18:11 - 00000000 ____D C:\ProgramData\Malwarebytes
2014-01-29 18:11 - 2013-04-04 14:50 - 00022856 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-01-29 18:10 - 2014-01-29 18:10 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\calumscott\Downloads\mbam-setup-1.75.0.1300.exe
2014-01-22 13:44 - 2014-01-22 16:18 - 00139355 _____ C:\Users\calumscott\Desktop\Untitled2.xsl
2014-01-01 08:09 - 2014-01-01 08:09 - 00001666 _____ C:\Users\Public\Desktop\iTunes.lnk
2014-01-01 08:08 - 2014-01-01 08:09 - 00000000 ____D C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
2014-01-01 08:08 - 2014-01-01 08:09 - 00000000 ____D C:\Program Files\iTunes
2014-01-01 08:08 - 2014-01-01 08:08 - 00000000 ____D C:\Program Files\iPod
 
==================== One Month Modified Files and Folders =======
 
2014-01-31 19:10 - 2014-01-31 19:09 - 00032771 _____ C:\Users\calumscott\Desktop\FRST.txt
2014-01-31 19:09 - 2014-01-31 19:09 - 00000000 ____D C:\FRST
2014-01-31 19:08 - 2014-01-31 19:08 - 01137152 _____ (Farbar) C:\Users\calumscott\Desktop\FRST.exe
2014-01-31 19:00 - 2008-05-06 10:24 - 00001356 _____ C:\Users\calumscott\AppData\Local\d3d9caps.dat
2014-01-31 18:49 - 2006-11-02 10:33 - 00799656 _____ C:\Windows\system32\PerfStringBackup.INI
2014-01-31 18:44 - 2014-01-31 18:46 - 00688992 ____R (Swearware) C:\Users\calumscott\Desktop\dds.com
2014-01-31 11:22 - 2014-01-30 20:35 - 00030608 _____ C:\Users\calumscott\Desktop\FixVundo.log
2014-01-31 08:21 - 2008-01-08 09:25 - 01899050 _____ C:\Windows\WindowsUpdate.log
2014-01-31 08:10 - 2008-01-08 09:54 - 00304086 _____ C:\Windows\PFRO.log
2014-01-31 08:02 - 2006-11-02 13:01 - 00032652 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2014-01-31 08:02 - 2006-11-02 13:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2014-01-31 08:02 - 2006-11-02 12:47 - 00003696 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2014-01-31 08:02 - 2006-11-02 12:47 - 00003696 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2014-01-31 07:52 - 2012-06-10 18:25 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-01-31 07:50 - 2010-06-28 18:29 - 00000928 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3055991517-2184451199-3759423766-1000UA.job
2014-01-31 07:16 - 2010-02-05 17:00 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-01-30 20:36 - 2011-09-14 11:39 - 00000000 ____D C:\Users\calumscott\AppData\Roaming\Dropbox
2014-01-30 20:33 - 2014-01-30 20:33 - 00173456 _____ (Symantec Corporation) C:\Users\calumscott\Desktop\FixVundo.exe
2014-01-30 20:33 - 2012-05-31 20:31 - 00000000 ____D C:\ProgramData\MFAData
2014-01-30 16:15 - 2010-02-05 17:00 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-01-30 12:50 - 2010-06-28 18:29 - 00000876 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3055991517-2184451199-3759423766-1000Core.job
2014-01-30 11:02 - 2011-03-14 20:41 - 00000422 _____ C:\Windows\Tasks\SystemToolsDailyTest.job
2014-01-29 22:16 - 2014-01-29 21:31 - 00000135 _____ C:\VundoFix.txt
2014-01-29 21:31 - 2014-01-29 21:31 - 00000000 ____D C:\VundoFix Backups
2014-01-29 21:29 - 2014-01-29 21:29 - 00119808 _____ (Atribune.org) C:\Users\calumscott\Desktop\VundoFix.exe
2014-01-29 21:19 - 2014-01-29 18:11 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2014-01-29 20:43 - 2013-02-27 20:50 - 00000000 ___RD C:\Users\calumscott\Google Drive
2014-01-29 20:39 - 2013-06-03 16:45 - 00000350 _____ C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job
2014-01-29 18:18 - 2008-02-03 14:50 - 00000000 ____D C:\ProgramData\Microsoft Help
2014-01-29 18:12 - 2014-01-29 18:12 - 00000000 ____D C:\Users\calumscott\AppData\Roaming\Malwarebytes
2014-01-29 18:11 - 2014-01-29 18:11 - 00000000 ____D C:\ProgramData\Malwarebytes
2014-01-29 18:10 - 2014-01-29 18:10 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\calumscott\Downloads\mbam-setup-1.75.0.1300.exe
2014-01-29 18:02 - 2013-08-18 12:32 - 00000000 ____D C:\Windows\system32\MRT
2014-01-29 17:48 - 2006-11-02 10:24 - 83425928 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2014-01-29 17:14 - 2010-08-29 10:24 - 00001728 ____H C:\Users\calumscott\Documents\Default.rdp
2014-01-29 06:56 - 2010-06-28 18:31 - 00002114 _____ C:\Users\calumscott\Desktop\Google Chrome.lnk
2014-01-27 20:24 - 2013-01-15 20:21 - 00000000 ____D C:\Users\calumscott\AppData\Roaming\Skype
2014-01-27 20:15 - 2013-01-15 20:21 - 00000000 ___RD C:\Program Files\Skype
2014-01-27 20:15 - 2013-01-15 20:21 - 00000000 ____D C:\ProgramData\Skype
2014-01-23 21:44 - 2013-04-23 06:58 - 00000000 ____D C:\Users\calumscott\AppData\Local\BE682F83-66A7-4853-A9C8-178A77CD5BAD.aplzod
2014-01-22 16:18 - 2014-01-22 13:44 - 00139355 _____ C:\Users\calumscott\Desktop\Untitled2.xsl
2014-01-20 18:09 - 2011-09-14 11:40 - 00000981 _____ C:\Users\calumscott\Desktop\Dropbox.lnk
2014-01-20 18:09 - 2011-09-14 11:39 - 00000000 ____D C:\Users\calumscott\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2014-01-19 07:32 - 2009-11-01 01:45 - 00231584 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2014-01-16 20:17 - 2008-02-11 20:23 - 00000000 ____D C:\calum
2014-01-13 20:03 - 2008-03-08 00:15 - 00000000 ____D C:\Users\calumscott\AppData\Roaming\CoreFTP
2014-01-09 10:35 - 2013-09-25 18:11 - 00000000 ____D C:\Program Files\AVG Secure Search
2014-01-01 08:09 - 2014-01-01 08:09 - 00001666 _____ C:\Users\Public\Desktop\iTunes.lnk
2014-01-01 08:09 - 2014-01-01 08:08 - 00000000 ____D C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
2014-01-01 08:09 - 2014-01-01 08:08 - 00000000 ____D C:\Program Files\iTunes
2014-01-01 08:08 - 2014-01-01 08:08 - 00000000 ____D C:\Program Files\iPod
2014-01-01 08:08 - 2008-01-20 18:24 - 00000000 ____D C:\Program Files\Common Files\Apple
2014-01-01 07:53 - 2006-11-02 11:18 - 00000000 ____D C:\Windows\system32\LogFiles
2014-01-01 07:36 - 2013-06-18 12:09 - 00000000 ____D C:\Users\calumscott\AppData\Roaming\Spotify
 
Files to move or delete:
====================
C:\ProgramData\PKP_DLds.DAT
C:\ProgramData\PKP_DLdw.DAT
C:\ProgramData\PKP_DLec.DAT
C:\ProgramData\PKP_DLes.DAT
C:\ProgramData\PKP_DLet.DAT
C:\ProgramData\PKP_DLev.DAT
 
 
Some content of TEMP:
====================
C:\Users\calumscott\AppData\Local\Temp\APNStub.exe
C:\Users\calumscott\AppData\Local\Temp\avguidx.dll
C:\Users\calumscott\AppData\Local\Temp\CommonInstaller.exe
C:\Users\calumscott\AppData\Local\Temp\comnet.dll
C:\Users\calumscott\AppData\Local\Temp\dmapi.dll
C:\Users\calumscott\AppData\Local\Temp\iGearedHelper.dll
C:\Users\calumscott\AppData\Local\Temp\Installer.exe
C:\Users\calumscott\AppData\Local\Temp\JingSetup.exe
C:\Users\calumscott\AppData\Local\Temp\jre-6u17-windows-i586-iftw-rv.exe
C:\Users\calumscott\AppData\Local\Temp\jre-6u23-windows-i586-iftw-rv.exe
C:\Users\calumscott\AppData\Local\Temp\jre-6u26-windows-i586-iftw-rv.exe
C:\Users\calumscott\AppData\Local\Temp\jre-7u11-windows-i586-iftw.exe
C:\Users\calumscott\AppData\Local\Temp\jre-7u15-windows-i586-iftw.exe
C:\Users\calumscott\AppData\Local\Temp\jre-7u17-windows-i586-iftw.exe
C:\Users\calumscott\AppData\Local\Temp\jre-7u21-windows-i586-iftw.exe
C:\Users\calumscott\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe
C:\Users\calumscott\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe
C:\Users\calumscott\AppData\Local\Temp\MachineIdCreator.exe
C:\Users\calumscott\AppData\Local\Temp\MSETUP4.EXE
C:\Users\calumscott\AppData\Local\Temp\oi_{29EC1D8C-DF57-41A2-AED4-5E5FEF716F0B}.exe
C:\Users\calumscott\AppData\Local\Temp\oi_{5E483986-43E8-49E0-88B4-F3F60284777C}.exe
C:\Users\calumscott\AppData\Local\Temp\ose00000.exe
C:\Users\calumscott\AppData\Local\Temp\ose00001.exe
C:\Users\calumscott\AppData\Local\Temp\qt-mt337.dll
C:\Users\calumscott\AppData\Local\Temp\SkypeSetup.exe
C:\Users\calumscott\AppData\Local\Temp\ToolbarInstaller.exe
C:\Users\calumscott\AppData\Local\Temp\Uninstall.exe
C:\Users\calumscott\AppData\Local\Temp\_is3B89.exe
C:\Users\hannah\AppData\Local\Temp\APNStub.exe
C:\Users\hannah\AppData\Local\Temp\jre-6u24-windows-i586-iftw-rv.exe
C:\Users\hannah\AppData\Local\Temp\jre-6u26-windows-i586-iftw-rv.exe
C:\Users\hannah\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe
C:\Users\hannah\AppData\Local\Temp\jre-7u7-windows-i586-iftw.exe
C:\Users\hannah\AppData\Local\Temp\jre-7u9-windows-i586-iftw.exe
C:\Users\hannah\AppData\Local\Temp\temp0.exe
C:\Users\hannah\AppData\Local\Temp\wlsetup-cvr.exe
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\system32\winlogon.exe => MD5 is legit
C:\Windows\system32\wininit.exe => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\services.exe => MD5 is legit
C:\Windows\system32\User32.dll => MD5 is legit
C:\Windows\system32\userinit.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
C:\Windows\system32\Drivers\volsnap.sys => MD5 is legit
 
 
LastRegBack: 2014-01-31 09:13
 
==================== End Of Log ============================

Addition.txt


Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

Next,

 

Download AdwCleaner by Xplode from here: http://www.bleepingcomputer.com/download/adwcleaner/ and save to your Desktop.

 

  • Double click on AdwCleaner.exe to run the tool.
  • Vista/Windows 7/8 users right-click and select Run As Administrator
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Uncheck any elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review.
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted (if necessary):
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.

 

Next,

 

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

 

Next,

 

Run Malwarebytes, Open > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Full scan

Make sure that everything is checked, and click Remove Selected on any found items.

 

Post the produced logs in next reply, give update on remaining issues/concerns...

 

Kevin

fixlist.txt


All scans and things complete.  Results attached.

 

As I've been in safe mode I didn't update Malwarebytes, but I'd updated it the day before.  I'm just off to reboot into windows proper and see where we are, I'll scan again if it decides it wants another update...

 

I'll post that log when it completes.

 

Cheers

 

Calum

AdwCleanerS0.txt

Fixlog.txt

JRT.txt

mbam-log-2014-01-31 (20-44-55).txt


Thanks for those logs, good to see a clean sheet from Malwarebytes; still a couple of steps to take to complete the investigation:

 

We need to run an online AV scan to ensure there are no remnants of any infection left on your system that we may have missed. This scan is very thorough and well worth running; it can take several hours, so please be patient and let it complete:

 

Run Eset Online Scanner

 

**Note** You will need to use Internet Explorer for this scan. Vista and Win 7: right-click the IE shortcut and run as admin.

 

Go to Eset web page http://www.eset.com/us/online-scanner/ to run an online scan from ESET.

 

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    Click Start
  • When asked, allow the add-on to be installed
    Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options
  • Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
    Click Scan
  • wait for the virus definitions to be downloaded
  • Wait for the scan to finish

 

When the scan is complete

 

  • If no threats were found
  • put a checkmark in "Uninstall application on close"
  • close program
  • report to me that nothing was found

 

If threats were found

 

  • click on "list of threats found"
  • click on "export to text file" and save it as ESET SCAN and save to the desktop
  • Click on back
  • put a checkmark in "Uninstall application on close"
  • click on finish

 

close program

 

copy and paste the report in next reply

 

Finally,

 

Download Security Check by screen317 from either of the following:

http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe

Save it to your Desktop. (If your security software alerts, either accept the alert or turn the security off while Security Check runs.)

Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.

A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

Thanks,

 

Kevin....


Blimey, it does take a while doesn't it!

 

The full scan with an updated Malwarebytes came back clean.  I'll post the ESET results when it finishes, likely be tomorrow I think.

 

I've got Task Manager's network viewer open and there is something sending traffic roughly every ten seconds, not a lot mind, using less than 0.1% bandwidth. It's certainly not looking like the pattern I saw before though.

 

I'm feeling a bit more positive about this, thank you so much!


Download OTM from either of the following links and save to your Desktop: (If your security alerts to OTM, either accept the alert or turn off security to allow OTM to run)

http://oldtimer.geekstogo.com/OTM.exe
http://www.itxassociates.com/OT-Tools/OTM.com
http://www.itxassociates.com/OT-Tools/OTM.exe  

Double click OTM.exe to start the tool. Vista or Windows 7 users accept the UAC alert. Be aware all processes will be stopped during the run, also the Desktop will disappear; this will be put back on completion.... If your security alerts to OTM, either accept the alert or turn off security until OTM completes...

  • Copy the text from the code box below to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Ensure you start with and include the colon before Files (:Files)

    :Files
    C:\Documents and Settings\calumscott\AppData\Local\Temp\removalfile.bat
    C:\Documents and Settings\calumscott\AppData\Local\Temp\ICReinstall\cnet_StickyNotes_zip.exe
    C:\Documents and Settings\calumscott\AppData\Local\Temp\ICReinstall\cnet_TreeSizeFreeSetup_exe.exe
    C:\Documents and Settings\calumscott\AppData\Local\Temp\is1615585457\275204275_stp\wajam_validate.exe
    C:\Documents and Settings\calumscott\Downloads\cnet_TreeSizeFreeSetup_exe.exe
    C:\Documents and Settings\calumscott\Downloads\SweetHome3D-4.1-windows-oc.exe
    C:\download\cnet_StickyNotes_zip.exe
    C:\Users\calumscott\AppData\Local\Temp\removalfile.bat
    C:\Users\calumscott\AppData\Local\Temp\ICReinstall\cnet_StickyNotes_zip.exe
    C:\Users\calumscott\AppData\Local\Temp\ICReinstall\cnet_TreeSizeFreeSetup_exe.exe
    C:\Users\calumscott\AppData\Local\Temp\is1615585457\275204275_stp\wajam_validate.exe
    C:\Users\calumscott\Downloads\cnet_TreeSizeFreeSetup_exe.exe
    C:\Users\calumscott\Downloads\SweetHome3D-4.1-windows-oc.exe
    C:\Windows\System32\SCLlmnnn.ini
    C:\Windows\System32\SCLlmnnn.ini2
    C:\Windows\System32\wtoxeotq.ini
    :Commands
    [EmptyTemp]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM


Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

 

Next,

 

Run Malwarebytes, Open > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Quick scan

Make sure that everything is checked, and click Remove Selected on any found items.

 

Post the produced log..

 

Next,

 

Run Security Check one more time, copy and paste that log to your reply. Do not attach it.....


First up - that first link for OTM got blocked (by sophos - I'm doing all the online stuff on another machine and shipping it across to the infected one) as the site is known to be infected with something or other - I didn't note down what it was that it thought it had, sorry...

 

OTM Log:

 

All processes killed
========== FILES ==========
C:\Documents and Settings\calumscott\AppData\Local\Temp\removalfile.bat moved successfully.
C:\Documents and Settings\calumscott\AppData\Local\Temp\ICReinstall\cnet_StickyNotes_zip.exe moved successfully.
C:\Documents and Settings\calumscott\AppData\Local\Temp\ICReinstall\cnet_TreeSizeFreeSetup_exe.exe moved successfully.
C:\Documents and Settings\calumscott\AppData\Local\Temp\is1615585457\275204275_stp\wajam_validate.exe moved successfully.
C:\Documents and Settings\calumscott\Downloads\cnet_TreeSizeFreeSetup_exe.exe moved successfully.
C:\Documents and Settings\calumscott\Downloads\SweetHome3D-4.1-windows-oc.exe moved successfully.
C:\download\cnet_StickyNotes_zip.exe moved successfully.
File/Folder C:\Users\calumscott\AppData\Local\Temp\removalfile.bat not found.
File/Folder C:\Users\calumscott\AppData\Local\Temp\ICReinstall\cnet_StickyNotes_zip.exe not found.
File/Folder C:\Users\calumscott\AppData\Local\Temp\ICReinstall\cnet_TreeSizeFreeSetup_exe.exe not found.
File/Folder C:\Users\calumscott\AppData\Local\Temp\is1615585457\275204275_stp\wajam_validate.exe not found.
File/Folder C:\Users\calumscott\Downloads\cnet_TreeSizeFreeSetup_exe.exe not found.
File/Folder C:\Users\calumscott\Downloads\SweetHome3D-4.1-windows-oc.exe not found.
C:\Windows\System32\SCLlmnnn.ini moved successfully.
C:\Windows\System32\SCLlmnnn.ini2 moved successfully.
C:\Windows\System32\wtoxeotq.ini moved successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: calumscott
->Temp folder emptied: 14253412858 bytes
->Temporary Internet Files folder emptied: 360534645 bytes
->Java cache emptied: 15752868 bytes
->FireFox cache emptied: 190200723 bytes
->Google Chrome cache emptied: 196111475 bytes
->Flash cache emptied: 73400 bytes
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56468 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: hannah
->Temp folder emptied: 35192768 bytes
->Temporary Internet Files folder emptied: 232709376 bytes
->Java cache emptied: 9217891 bytes
->Flash cache emptied: 16204 bytes
 
User: Public
 
User: test
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1341727 bytes
%systemroot%\System32 .tmp files removed: 272384 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 841840319 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 16429176 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 13691468 bytes
RecycleBin emptied: 13367914164 bytes
 
Total Files Cleaned = 28,167.00 mb
 
 
OTM by OldTimer - Version 3.1.21.0 log created on 02022014_082317
 
Files moved on Reboot...
C:\Users\calumscott\AppData\Local\Temp\PDApp.log moved successfully.
 
Registry entries deleted on Reboot...
 
MalwareBytes Log:

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Database version: v2014.02.01.04
 
Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
calumscott :: CALUMSCOTT-PC [administrator]
 
02/02/2014 08:56:43
mbam-log-2014-02-02 (08-56-43).txt
 
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled: 
Objects scanned: 276734
Time elapsed: 20 minute(s), 11 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
(end)
 
Security Check Log:

 

 Results of screen317's Security Check version 0.99.79  
 Windows Vista Service Pack 2 x86 (UAC is disabled!)  
 Internet Explorer 9  
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Security Center service is not running! This report may not be accurate! 
 Windows Firewall Disabled!  
 WMI entry may not exist for antivirus; attempting automatic update. 
`````````Anti-malware/Other Utilities Check:````````` 
 XML Spy Suite 4.4  
 Malwarebytes Anti-Malware version 1.75.0.1300  
 JavaFX 2.1.1    
 Java 6 Update 26  
 Java 7 Update 11  
 Java SE Runtime Environment 6 
 Java version out of Date! 
 Adobe Flash Player 11.9.900.170  
 Adobe Reader 8 Adobe Reader out of Date! 
 Mozilla Firefox 16.0.1 Firefox out of Date!  
 Google Chrome 32.0.1700.102  
 Google Chrome 32.0.1700.76  
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe 
 Microsoft Security Essentials msseces.exe 
 AVG avgwdsvc.exe 
 AVG avgrsx.exe 
 AVG avgnsx.exe 
 AVG avgemc.exe 
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 0 % 
````````````````````End of Log`````````````````````` 
 
 
Cheers
 
Calum

Java and Adobe will need to be updated at some point; also ensure old versions are removed. There are two security systems with AV components, AVG and MSE; one of those will have to be uninstalled.

 

What is the current status since running OTM? If there are still issues with winlogon, run the following:

 

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from the following link :-

 

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

  • Ensure that Combofix is saved directly to the Desktop <--- Very important
  • Disable all security programs as they will have a negative effect on Combofix; instructions available here http://www.bleepingcomputer.com/forums/topic114351.html if required. Be aware the list may not have all programs listed; if you need more help please ask.
  • Close any open browsers and any other programs you might have running
  • Double click the ComboFix icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")
  • Instructions for running Combofix available here http://www.bleepingcomputer.com/combofix/how-to-use-combofix if required.
  • If you are using Windows XP it might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes and let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review
 

 

****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

 

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read here http://thespykiller.co.uk/index.php?page=20 why disabling autoruns is recommended.

 

*EXTRA NOTES*

  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot; you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).
 

 

Post the log in next reply please...

 

Kevin


Thanks once again Kevin.

 

It takes a little while for that extra winlogon process to kick in, 15 minutes or so.  So I've connected the machine back onto the net and I'll keep an eye on it for a bit.

 

Hopefully those things that ESET found were the problem rather than a rootkit...  They sound particularly nasty...

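A check for the symptom that started this thread, the extra winlogon.exe that appears a while after the machine goes online. This is an added example, not code from the thread, from Malwarebytes or from any of the tools used above. It assumes an elevated PowerShell prompt on the Vista box; every cmdlet it uses exists in PowerShell 2.0, and the helper Get-FileMd5 is defined here, not a built-in. It lists every process named winlogon.exe with its image path, session, parent, image hash and any DLL it has loaded from outside %SystemRoot%. One winlogon.exe per logon session, always C:\Windows\System32\winlogon.exe, is normal; a second one in the same session, one running from another path, or one that has pulled in a DLL from a user profile, Temp or ProgramData is the thing to look at. One caveat worth knowing: Vista's core binaries are catalog-signed and Get-AuthenticodeSignature on that OS reports them as NotSigned, so a signature check would give a false alarm on the genuine file; the script hashes the image instead, so you can compare it against FRST's "MD5 is legit" baseline or a known-good copy.

```powershell
# Added example, not from the thread. Lists every winlogon.exe with its image
# path, session, parent, image hash and any DLL loaded from outside
# %SystemRoot%. On Vista there is one winlogon.exe per logon session, always
# C:\Windows\System32\winlogon.exe, started by smss.exe (which has usually
# exited by the time you look, so an unresolvable parent is the normal case).
# Run from an elevated PowerShell prompt; PowerShell 2.0 is enough.

$sysRoot       = ($env:SystemRoot).TrimEnd('\')
$expectedImage = Join-Path $sysRoot 'System32\winlogon.exe'

function Get-FileMd5([string]$path) {
    # .NET MD5 because PowerShell 2.0 has no Get-FileHash. MD5 is adequate here:
    # we are matching a known file, not resisting an attacker who picks both inputs.
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $fs  = [System.IO.File]::OpenRead($path)
    try     { ($md5.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

# Win32_Process exposes ExecutablePath and ParentProcessId, which Get-Process
# on PowerShell 2.0 does not.
$instances = @(Get-WmiObject -Class Win32_Process -Filter "Name='winlogon.exe'")
"winlogon.exe instances: $($instances.Count)"

foreach ($p in $instances) {
    $parent     = Get-WmiObject -Class Win32_Process -Filter "ProcessId=$($p.ParentProcessId)"
    $parentName = $(if ($parent) { $parent.Name } else { '<exited>' })

    $path     = $p.ExecutablePath
    $expected = ($path -ne $null) -and ($path -ieq $expectedImage)
    $hash     = $(if ($path -and (Test-Path -LiteralPath $path)) { Get-FileMd5 $path } else { 'n/a' })

    # DLLs loaded from outside %SystemRoot% (user profiles, Temp, ProgramData).
    # Reading a SYSTEM process's module list needs elevation; if it is refused
    # we say so instead of silently reporting nothing.
    try {
        $foreign = @((Get-Process -Id $p.ProcessId).Modules |
            Where-Object { $_.FileName -and -not $_.FileName.StartsWith($sysRoot, [System.StringComparison]::OrdinalIgnoreCase) } |
            ForEach-Object { $_.FileName })
    } catch {
        $foreign = @("<module list not readable: $($_.Exception.Message)>")
    }

    New-Object PSObject -Property @{
        PID            = $p.ProcessId
        Session        = $p.SessionId
        Path           = $path
        ExpectedPath   = $expected    # $false: named winlogon.exe but not the System32 image
        ImageMD5       = $hash        # compare across instances or against a known-good copy
        Parent         = "$parentName (PID $($p.ParentProcessId))"
        ForeignModules = $(if ($foreign.Count) { $foreign -join '; ' } else { '<none>' })
    } | Format-List PID, Session, Path, ExpectedPath, ImageMD5, Parent, ForeignModules
}
```

Run it once right after boot and again after the fifteen minutes Calum mentions, and diff the two listings: a new PID, a path other than System32, or a module from under C:\Users or C:\ProgramData in the second run is what to hand to the helper, together with the ComboFix log.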

OK, give me an update when you've run the system for a while. You will need to sort the security out; two AVs is bad news and can cause major issues for your system...

 

MSE removal - http://www.bleepingcomputer.com/download/microsoft-security-essentials-removal-tool/

 

AVG removal - http://www.avg.com/us-en/utilities


So far so good. Just that regular 20 second or so tiny network pulse; I'm expecting that to be a keep-alive or something. I'll run Fiddler or something to try to figure it out just for curiosity's sake.

 

I've just streamed about 5 minutes of full screen 1080p video and it was perfect, nice and smooth.

 

So thank you very very much for helping, I'll keep an eye for another hour or so.

 

Any advice on what AV I should be using would be gratefully received.  I'm sure that it wasn't AVG's fault that the original Vundo/whatever got in (I'm entirely sure it was me...) but if it isn't the best of the free offerings out there then I'd rather move to something else.

 

Cheers and thanks again!

 

Calum

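For the ten-to-twenty-second network pulse Calum describes above, an added example (not from the thread, and not part of Fiddler or any tool mentioned in it) that pins a periodic connection to a PID and an image path. It assumes an elevated PowerShell 2.0 prompt on Vista or 7 and parses netstat -ano rather than using Get-NetTCPConnection, which only exists from Windows 8 on; the netstat rows shown in the comments are constructed samples of the format, not output from Calum's machine. It samples the connection table every few seconds and counts how often each (PID, protocol, remote endpoint) triple appears: a beacon that opens a connection, sends a few bytes and closes turns up in only a handful of samples, while a long-lived session (Dropbox, Skype, Spotify) turns up in nearly all of them. Fiddler only sees traffic that goes through its HTTP proxy, so a non-HTTP or proxy-unaware beacon never appears there; this sees everything netstat sees.

```powershell
# Added example, not from the thread: find out which process owns the short
# network "pulse" seen in Task Manager. Samples netstat -ano every few seconds,
# tallies (PID, protocol, remote endpoint) triples across the samples, then
# resolves each PID to an image path via WMI. PowerShell 2.0 on Vista is
# enough; run it elevated so netstat reports the PID of every process.

param(
    [int]$IntervalSeconds = 5,   # sample period; keep it shorter than the pulse you are chasing
    [int]$Samples = 24           # 24 x 5 s = two minutes of observation
)

$seen = @{}   # key "pid|proto|remote", value = number of samples it appeared in

for ($i = 0; $i -lt $Samples; $i++) {
    # netstat -ano rows look like this (constructed examples of the format):
    #   TCP    192.168.1.5:49213    93.184.216.34:443    ESTABLISHED    1234
    #   UDP    0.0.0.0:5355         *:*                                 1080
    # Header and blank lines do not start with TCP/UDP and are skipped.
    netstat -ano | ForEach-Object {
        $f = ($_ -replace '^\s+', '') -split '\s+'
        if ($f.Count -lt 4 -or ($f[0] -ne 'TCP' -and $f[0] -ne 'UDP')) { return }
        $proto  = $f[0]
        $remote = $f[2]
        $procId = $f[$f.Count - 1]   # last column is the PID on both TCP and UDP rows
        # Drop listeners, loopback and kernel (PID 0) entries; none of them is the
        # outbound beacon we are after.
        if ($remote -eq '*:*' -or $remote.StartsWith('0.0.0.0') -or $remote.StartsWith('[::]') -or
            $remote.StartsWith('127.') -or $remote.StartsWith('[::1]') -or $procId -eq '0') { return }
        $key = "$procId|$proto|$remote"
        if ($seen.ContainsKey($key)) { $seen[$key]++ } else { $seen[$key] = 1 }
    }
    Start-Sleep -Seconds $IntervalSeconds
}

# Resolve PIDs and print the tally, most frequent first. Low counts on a
# public address are the short-lived beacon; counts near $Samples are
# persistent sessions you can probably explain.
$seen.GetEnumerator() | Sort-Object Value -Descending | ForEach-Object {
    $procId, $proto, $remote = $_.Key -split '\|', 3
    $proc = Get-WmiObject -Class Win32_Process -Filter "ProcessId=$procId"
    New-Object PSObject -Property @{
        PID     = $procId
        Image   = $(if ($proc) { $proc.ExecutablePath } else { '<exited>' })
        Proto   = $proto
        Remote  = $remote
        Samples = "$($_.Value) of $Samples"
    }
} | Format-Table -AutoSize PID, Image, Proto, Remote, Samples
```

If the pulse comes from a process that exits between beacons, the Image column shows <exited> because the PID no longer resolves when the tally is printed; in that case shorten the interval to one or two seconds and resolve the PID inside the sampling loop instead, or watch Process Explorer's TCP/IP tab with the suspect PID selected.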

Here it is:

 

ComboFix 14-02-01.01 - calumscott 02/02/2014  14:18:13.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.3582.1752 [GMT 0:00]
Running from: c:\users\calumscott\Desktop\ComboFix.exe
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\DSC_1508.NEF.jpg
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
c:\users\calumscott\AppData\Local\assembly\tmp
c:\users\calumscott\g2mdlhlpx.exe
c:\users\hannah\AppData\Local\assembly\tmp
c:\windows\system32\FE05DA0D.dll
c:\windows\system32\FE05F051.dll
c:\windows\system32\FE05F3D5.dll
.
.
(((((((((((((((((((((((((   Files Created from 2014-01-02 to 2014-02-02  )))))))))))))))))))))))))))))))
.
.
2014-02-02 14:31 . 2014-02-02 17:39 -------- d-----w- c:\users\calumscott\AppData\Local\temp
2014-02-02 08:23 . 2014-02-02 08:23 -------- d-----w- C:\_OTM
2014-02-01 16:29 . 2014-02-01 16:29 -------- d-----w- c:\program files\ESET
2014-01-31 20:40 . 2014-01-31 20:40 -------- d-----w- c:\windows\ERUNT
2014-01-31 20:28 . 2014-01-31 20:33 -------- d-----w- C:\AdwCleaner
2014-01-31 19:09 . 2014-01-31 19:51 -------- d-----w- C:\FRST
2014-01-29 21:31 . 2014-01-29 21:31 -------- d-----w- C:\VundoFix Backups
2014-01-29 19:53 . 2013-12-04 02:57 7760024 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D0AD0DA5-681A-4182-88C2-30E17C142481}\mpengine.dll
2014-01-29 18:12 . 2014-01-29 18:12 -------- d-----w- c:\users\calumscott\AppData\Roaming\Malwarebytes
2014-01-29 18:11 . 2014-01-29 18:11 -------- d-----w- c:\programdata\Malwarebytes
2014-01-29 18:11 . 2013-04-04 14:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-01-29 18:11 . 2014-01-29 21:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2014-01-29 18:02 . 2013-12-04 02:57 7760024 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-01-23 16:17 . 2013-10-20 21:32 719224 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{804B0E4C-5E45-454D-9C4B-75BBAA3052D5}\gapaengine.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-01-19 07:32 . 2009-11-01 01:45 231584 ------w- c:\windows\system32\MpSigStub.exe
2013-12-15 11:52 . 2012-06-06 19:36 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-12-15 11:52 . 2011-06-07 18:24 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-11-14 22:50 . 2013-12-24 08:38 1806848 ----a-w- c:\windows\system32\jscript9.dll
2013-11-14 22:42 . 2013-12-24 08:38 1129472 ----a-w- c:\windows\system32\wininet.dll
2013-11-14 22:42 . 2013-12-24 08:38 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2013-11-14 22:38 . 2013-12-24 08:38 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2013-11-14 22:38 . 2013-12-24 08:38 420864 ----a-w- c:\windows\system32\vbscript.dll
2013-11-14 22:35 . 2013-12-24 08:38 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-11-11 03:26 . 2012-11-08 23:59 37664 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2013-11-05 21:50 . 2013-11-05 21:50 120600 ----a-w- c:\windows\system32\drivers\avgdiskx.sys
2013-11-04 21:57 . 2013-11-04 21:57 209176 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys
2008-08-16 16:42 . 2013-04-14 06:41 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-08-16 16:42 . 2013-04-14 06:41 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-08-16 16:42 . 2013-04-14 06:41 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-08-16 16:42 . 2013-04-14 06:41 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-08-16 16:43 . 2013-04-14 06:41 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-08-16 16:42 . 2013-04-14 06:41 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-08-16 16:42 . 2013-04-14 06:41 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2008-05-21 07:41 . 2013-04-14 06:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-05-21 07:41 . 2013-04-14 06:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-05-21 07:41 . 2013-04-14 06:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2008-06-05 12:58 . 2013-04-14 06:41 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-08-16 16:42 . 2013-04-14 06:41 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2013-04-14 06:41 . 2013-04-14 06:41 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2010-07-30 22:08 . 2013-04-14 06:41 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54 131248 ----a-w- c:\users\calumscott\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54 131248 ----a-w- c:\users\calumscott\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54 131248 ----a-w- c:\users\calumscott\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54 131248 ----a-w- c:\users\calumscott\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2013-12-06 15:47 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2013-12-06 15:47 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2013-12-06 15:47 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedViewOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2013-12-06 15:47 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2013-12-06 15:47 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2013-12-06 15:47 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2008-05-06 202088]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"Jing"="c:\program files\TechSmith\Jing\Jing.exe" [2013-01-07 2909640]
"GoogleDriveSync"="c:\program files\Google\Drive\googledrivesync.exe" [2013-12-06 20203904]
"iCloudServices"="c:\program files\Common Files\Apple\Internet Services\iCloudServices.exe" [2013-04-05 59720]
"ApplePhotoStreams"="c:\program files\Common Files\Apple\Internet Services\ApplePhotoStreams.exe" [2013-04-05 59720]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-08 68856]
"Spotify Web Helper"="c:\users\calumscott\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2013-07-22 1104384]
"Digiarty_Software_AirPlayit"="c:\program files\Digiarty\Air_Playit\airplayit.exe" [2012-02-28 10468672]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-17 4907008]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-07-30 30192]
"WD Button Manager"="WDBtnMgr.exe" [2008-01-14 364544]
"Ulead AutoDetector v2"="c:\program files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2004-11-26 90112]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-12-21 198160]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-26 1983816]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-17 767312]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2009-05-19 136544]
"Nikon Message Center 2"="c:\program files\Nikon\Nikon Message Center 2\NkMC2.exe" [2010-05-25 619008]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-06-17 85160]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-01-26 336384]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-15 499608]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5.5ServiceManager"="c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-21 59720]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2013-11-27 106496]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-10-23 948440]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"AVG_UI"="c:\program files\AVG\AVG2014\avgui.exe" [2013-11-07 4956176]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2013-05-01 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-11-02 152392]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ   autocheck autochk *\0 /sync /restart\0 /sync /restart\0 /sync /restart\0 /sync /restart\0 /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3055991517-2184451199-3759423766-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001
.
S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-09-16 169312]
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-05 77824]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ   BthServ
WindowsMobile REG_MULTI_SZ   wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ   WcesComm RapiMgr
LocalServiceAndNoImpersonation REG_MULTI_SZ   FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2014-02-02 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-06 11:52]
.
2014-02-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 17:00]
.
2014-02-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 17:00]
.
2014-02-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3055991517-2184451199-3759423766-1000Core.job
- c:\users\calumscott\AppData\Local\Google\Update\GoogleUpdate.exe [2010-06-28 22:10]
.
2014-02-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3055991517-2184451199-3759423766-1000UA.job
- c:\users\calumscott\AppData\Local\Google\Update\GoogleUpdate.exe [2010-06-28 22:10]
.
2012-01-29 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2010-11-18 15:13]
.
2014-02-02 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\pcdrcui.exe [2010-11-18 15:13]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Edit with &XML Spy - c:\program files\Altova\XML Spy Suite\spy.htm
Trusted Zone: abs-ltd.com\mailhost
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
FF - ProfilePath - c:\users\calumscott\AppData\Roaming\Mozilla\Firefox\Profiles\kf287fvv.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - ExtSQL: !HIDDEN! 2009-08-27 17:54; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{FC0F02E5-91B4-4890-8A35-A10D4E2B54E9} - c:\windows\system32\nnnmlLCS.dll
HKCU-Run-JumiController - c:\program files\Jumi\jumi.exe
HKCU-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
HKCU-Run-AdobeBridge - (no file)
HKCU-Run-MobileDocuments - c:\program files\Common Files\Apple\Internet Services\ubd.exe
HKCU-Run-AVG-Secure-Search-Update_0214c - c:\users\calumscott\AppData\Roaming\AVG 0214c Campaign\AVG-Secure-Search-Update-0214c.exe
HKLM-Run-ATICustomerCare - c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe
SafeBoot-WudfPf
SafeBoot-WudfRd
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-02-02 17:40
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
.
c:\windows\system32\wbem\Performance\WmiApRpl_new.h 3766 bytes
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCDSRVC{E9D79540-57D5953E-06020101}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3055991517-2184451199-3759423766-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}]
@DACL=(02 0000)
@="Java Plug-in 1.3.1_22"
.
[HKEY_USERS\S-1-5-21-3055991517-2184451199-3759423766-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}]
@DACL=(02 0000)
@="Java Plug-in 1.3.1_22"
.
[HKEY_USERS\S-1-5-21-3055991517-2184451199-3759423766-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}]
@DACL=(02 0000)
@="Java Plug-in 1.3.1_23"
.
[HKEY_USERS\S-1-5-21-3055991517-2184451199-3759423766-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}]
@DACL=(02 0000)
@="Java Plug-in 1.3.1_23"
.
[HKEY_USERS\S-1-5-21-3055991517-2184451199-3759423766-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}]
@DACL=(02 0000)
@="Java Plug-in 1.3.1_24"
.
[HKEY_USERS\S-1-5-21-3055991517-2184451199-3759423766-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}]
@DACL=(02 0000)
@="Java Plug-in 1.3.1_24"
.
[HKEY_USERS\S-1-5-21-3055991517-2184451199-3759423766-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}]
@DACL=(02 0000)
@="Java Plug-in 1.3.1_25"
.
[HKEY_USERS\S-1-5-21-3055991517-2184451199-3759423766-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}]
@DACL=(02 0000)
@="Java Plug-in 1.3.1_25"
.
[HKEY_USERS\S-1-5-21-3055991517-2184451199-3759423766-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}]
@DACL=(02 0000)
@="Java Plug-in 1.3.1_26"
.
[HKEY_USERS\S-1-5-21-3055991517-2184451199-3759423766-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}]
@DACL=(02 0000)
@="Java Plug-in 1.3.1_26"
.
[HKEY_USERS\S-1-5-21-3055991517-2184451199-3759423766-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}]
@DACL=(02 0000)
@="Java Plug-in 1.3.1_27"
.
[HKEY_USERS\S-1-5-21-3055991517-2184451199-3759423766-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}]
@DACL=(02 0000)
@="Java Plug-in 1.3.1_27"
.
[HKEY_USERS\S-1-5-21-3055991517-2184451199-3759423766-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}]
@DACL=(02 0000)
@="Java Plug-in 1.3.1_28"
.
[HKEY_USERS\S-1-5-21-3055991517-2184451199-3759423766-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}]
@DACL=(02 0000)
@="Java Plug-in 1.3.1_28"
.
[HKEY_USERS\S-1-5-21-3055991517-2184451199-3759423766-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}]
@DACL=(02 0000)
@="Java Plug-in 1.3.1_29"
.
[HKEY_USERS\S-1-5-21-3055991517-2184451199-3759423766-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}]
@DACL=(02 0000)
@="Java Plug-in 1.3.1_29"
.
[HKEY_USERS\S-1-5-21-3055991517-2184451199-3759423766-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}]
@DACL=(02 0000)
@="Java Plug-in 1.3.1_30"
.
[HKEY_USERS\S-1-5-21-3055991517-2184451199-3759423766-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}]
@DACL=(02 0000)
@="Java Plug-in 1.3.1_30"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG2014\avgrsx.exe
c:\program files\AVG\AVG2014\avgcsrvx.exe
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\windows\system32\atiesrxx.exe
c:\windows\system32\atieclxx.exe
c:\program files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\system32\astsrv.exe
c:\program files\AVG\AVG2014\avgidsagent.exe
c:\program files\AVG\AVG2014\avgwdsvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\program files\MySQL\MySQL Server 5.1\bin\mysqld.exe
c:\program files\No-IP\DUC20.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\AVG\AVG2014\avgnsx.exe
c:\windows\System32\WUDFHost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\RtHDVCpl.exe
c:\windows\System32\WDBtnMgr.exe
c:\program files\FinePixViewer\QuickDCF.exe
c:\program files\Key Server\Key Server.exe
c:\program files\Microsoft Office\Office\OSA.EXE
c:\windows\ehome\ehmsas.exe
c:\users\calumscott\AppData\Roaming\Dropbox\bin\Dropbox.exe
c:\program files\Microsoft Office\Office12\ONENOTEM.EXE
c:\stickynotes\StickyNotes.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Digiarty\Air_Playit\AirPS.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
c:\windows\system32\sdclt.exe
.
**************************************************************************
.
Completion time: 2014-02-02  17:51:23 - machine was rebooted
ComboFix-quarantined-files.txt  2014-02-02 17:51
.
Pre-Run: 139,920,814,080 bytes free
Post-Run: 139,411,804,160 bytes free
.
- - End Of File - - 4C760CEAEDE0963798AE1BF9C6D8D6B0
5C616939100B85E558DA92B899A0FC36
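The ComboFix log above is raw data; what a responder does with it is triage the autostart entries before reading the rest by hand. The script below is an added example, not part of this thread and not ComboFix's own code. It parses three of the sections in the format seen above (Other Deletions, Reg Loading Points, ORPHANS REMOVED) from a constructed excerpt that reuses lines from this log, and flags the items a practitioner would check first: UAC switched off (EnableLUA=0), a populated AppInit_DLLs value, Run entries that start from user-writable paths or give only a bare image name, orphaned BHO registrations, and hex-named DLLs deleted from system32. The heuristics, severities and the SAMPLE_LOG excerpt are the example's own assumptions; a hit means "review", not a verdict, and the AppInit_DLLs entry is a case in point since Google Desktop is legitimately installed on this machine according to the Run key above.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix code).

It extracts three sections in the format seen in the log above and applies
a few heuristics a responder would run before reading the rest by hand.
The heuristics and severities are this example's own assumptions.
"""
import re
import sys

# Constructed excerpt that reuses lines from the log above; not a full log.
SAMPLE_LOG = r"""
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\users\calumscott\g2mdlhlpx.exe
c:\windows\system32\FE05DA0D.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spotify Web Helper"="c:\users\calumscott\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2013-07-22 1104384]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-17 4907008]
"AVG_UI"="c:\program files\AVG\AVG2014\avgui.exe" [2013-11-07 4956176]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{FC0F02E5-91B4-4890-8A35-A10D4E2B54E9} - c:\windows\system32\nnnmlLCS.dll
HKCU-Run-AdobeBridge - (no file)
.
**************************************************************************
"""

KEY_LINE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.*?)\s*$')
HEX_DLL = re.compile(r'^[0-9a-f]{8}\.dll$', re.I)
# Locations an unprivileged user can write to; a Run entry there is worth a look.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\users\\", "\\temp\\")


def _section_of(line):
    """Map ComboFix banner lines to a section name, else None."""
    m = re.match(r'^\(+\s*(.+?)\s*\)+$', line)
    if m:
        return m.group(1)
    if "ORPHANS REMOVED" in line:
        return "Orphans"
    return None


def parse_combofix(text):
    """Return deleted paths, Run entries, other registry values and orphans."""
    parsed = {"deletions": [], "run": [], "values": {}, "orphans": []}
    section, key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith("****"):          # end of the autostart part of the log
            section, key = None, None
            continue
        sec = _section_of(line)
        if sec:
            section, key = sec, None
            continue
        m = KEY_LINE.match(line)
        if m:
            key = m.group("key").lower()
            continue
        if section == "Other Deletions":
            parsed["deletions"].append(line)
        elif section == "Reg Loading Points" and key:
            m = VALUE_LINE.match(line)
            if not m:
                continue
            name, value = m.group("name"), m.group("value")
            if key.endswith("\\run"):
                # Run lines look like "Name"="image" [date size]; keep the image only.
                image = value.split('"')[1] if value.startswith('"') else value
                parsed["run"].append((key, name, image))
            else:
                parsed["values"][(key, name)] = value
        elif section == "Orphans":
            left, _, image = line.rpartition(" - ")
            parsed["orphans"].append((left, image))
    return parsed


def triage(parsed):
    """Apply the heuristics; each finding is (severity, message, where)."""
    findings = []
    for (key, name), value in parsed["values"].items():
        if name.lower() == "enablelua" and value.split()[0] == "0":
            findings.append(("HIGH", "UAC disabled (EnableLUA=0)", key))
        if name.lower() == "appinit_dlls" and value:
            findings.append(("MEDIUM", f"AppInit_DLLs injects {value} into every process that loads user32.dll", key))
    for key, name, image in parsed["run"]:
        if "\\" not in image:
            findings.append(("LOW", f"Run value '{name}' uses bare image name {image}, resolved via the search path", key))
        elif any(part in image.lower() for part in USER_WRITABLE):
            findings.append(("MEDIUM", f"Run value '{name}' starts from user-writable path {image}", key))
    for left, image in parsed["orphans"]:
        if left.startswith("BHO-"):
            findings.append(("HIGH", f"Orphaned BHO {left[4:]} -> {image}", "orphans"))
    for path in parsed["deletions"]:
        base = path.rsplit("\\", 1)[-1]
        if "\\system32\\" in path.lower() and HEX_DLL.match(base):
            findings.append(("HIGH", f"Hex-named DLL removed from system32: {path}", "deletions"))
    return findings


if __name__ == "__main__":
    # Pass a saved ComboFix.txt as the first argument, or run on the excerpt.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for sev, msg, where in triage(parse_combofix(text)):
        print(f"[{sev}] {msg}  ({where})")
```

Run it against a saved ComboFix.txt to get the short list first; on the excerpt it reports six findings and says nothing about avgui.exe, which sits under Program Files with a full path. The bare-name check matters because a Run value such as `RtHDVCpl.exe` is resolved through the search path rather than a fixed location, so it is one of the first things to confirm on a machine where the rest of the log looks clean.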
