Live Chat & Podcast at 1:00PM Eastern on Sunday!

Advertisement

There's no such thing as a stupid question, but they're the easiest to answer.
Login
Search

Advertisement

Virus & Other Malware Removal Virus & Other Malware Removal
Go to first new post YellowMoxie Redirect
Go to first new post Laptop is slow
Go to first new post Blekko Lavasoft search engine removal
Go to first new post Virus
Go to first new post possable infection request help ( hijack ...
Go to first new post BSOD twice, help?
Go to first new post I've tried everything yet my computer is ...
Go to first new post Unable to use HJT
Go to first new post FBI Virus Removal Help Needed
Go to first new post Slow connection/mouse problems -- malwar ...
Go to first new post IE8 open then closes suddenly
Go to first new post Fubar virus?
Go to first new post windows XP OBJECT DELAY LOAD
Go to first new post "Unable to extract the setup conten ...
Go to first new post Internet Explorer 8.00.6001.18702 unwant ...
Search Search
Search for:
Tech Support Guy Forums > > >

Trojan Dropper virus on services file

(In Progress)
(!)

Reply
FizzyJay's Avatar
Member with 5 posts.
THREAD STARTER
  
Join Date: Jul 2012
11-Jul-2012, 02:16 AM #1
Trojan Dropper virus on services file
I ran my AVG anti-virus software and it told me that the file:
C:\Windows\System32\services.exe
has been infected with Trojan horse Dropper.Generic_c.MMI and that the infected file has been white listed.

Here is my HJT scan file:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:43:09 PM, on 10/07/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16446)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\PLFSetI.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\McAfee Security Scan\3.0.271\SSScheduler.exe
C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe
C:\Program Files (x86)\Video Web Camera\traybar.exe
C:\Program Files (x86)\Cyberlink\Power2Go\CLMLSvc.exe
C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\AVG\AVG10\avgtray.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\AVG Secure Search\vprot.exe
C:\Program Files (x86)\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Users\Thomas\Desktop\a.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.gateway.com/rdr.aspx...0z1h5a49k1y320
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.gateway.com/rdr.aspx...0z1h5a49k1y320
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.gateway.com/rdr.aspx...0z1h5a49k1y320
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
R3 - URLSearchHook: uTorrentControl2 Toolbar - {687578b9-7132-4a7a-80e4-30ee31099e03} - C:\Program Files (x86)\uTorrentControl2\prxtbuTor.dll
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - MRI_DISABLED - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: uTorrentControl2 - {687578b9-7132-4a7a-80e4-30ee31099e03} - C:\Program Files (x86)\uTorrentControl2\prxtbuTor.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\11.1.0.7\AVG Secure Search_toolbar.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\11.1.0.7\AVG Secure Search_toolbar.dll
O3 - Toolbar: uTorrentControl2 Toolbar - {687578b9-7132-4a7a-80e4-30ee31099e03} - C:\Program Files (x86)\uTorrentControl2\prxtbuTor.dll
O4 - HKLM\..\Run: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED
O4 - HKLM\..\Run: [BackupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe" -h -k
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files (x86)\Video Web Camera\traybar.exe"
O4 - HKLM\..\Run: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
O4 - HKLM\..\Run: [CLMLServer] "c:\Program Files (x86)\Cyberlink\Power2Go\CLMLSvc.exe"
O4 - HKLM\..\Run: [RemoteControl8] "c:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe"
O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "c:\Program Files (x86)\CyberLink\PowerDVD8\Language\Language.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe"
O4 - HKLM\..\Run: [ROC_roc_dec12] "C:\Program Files (x86)\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: McAfee Security Scan Plus.lnk = C:\Program Files (x86)\McAfee Security Scan\3.0.271\SSScheduler.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O15 - Trusted Zone: *.cantireu.com
O15 - Trusted Zone: *.icanelearn.com
O15 - Trusted Zone: *.line6.net
O15 - Trusted Zone: *.plateau.com
O16 - DPF: {2E4A92AB-F2C0-456A-9935-B715439790D7} (Setup Class) - https://www.permissionresearch.com/C...pr/prsetup.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG10\avgpp.dll
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\11.1.0\ViProtocol.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files (x86)\AVG\AVG10\Toolbar\ToolbarBroker.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: Acer ePower Service (ePowerSvc) - Acer Incorporated - C:\Program Files\Gateway\Gateway Power Management\ePowerSvc.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\Gateway Games\Gateway Game Console\GameConsoleService.exe
O23 - Service: GRegService (Greg_Service) - Acer Incorporated - C:\Program Files (x86)\Gateway\Registration\GregHSRW.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Intel(R) Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files (x86)\McAfee Security Scan\3.0.271\McCHSvc.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NTI IScheduleSvc - NewTech Infosystems, Inc. - C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: TurboBoost - Intel(R) Corporation - C:\Program Files\Intel\TurboBoost\TurboBoost.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Intel(R) Management & Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
O23 - Service: Updater Service - Acer - C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: vToolbarUpdater11.1.0 - Unknown owner - C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\11.1.0\ToolbarUpdater.exe
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 13852 bytes

I'm looking for someone to help me please :C
kevinf80's Avatar
kevinf80   (Kevin) kevinf80 is offline kevinf80 is authorized to help remove malware. kevinf80 has a Profile Picture
Computer Specs
Malware Removal Specialist with 8,514 posts.
  
Join Date: Mar 2006
Location: Sunderland UK
Experience: Intermediate
11-Jul-2012, 03:13 AM #2
Hello FizzyJay and welcome to TSG,

I'm kevinf80 and I will be helping with any malware issues you may have with your system.
  • Please be aware that some of the logs I may ask for can be very complex and can take a long time to decipher. I am a volunteer here with a job and family so I ask that you be patient when waiting for replies.
  • Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.
  • Either print or Save to Notepad all instructions and please follow them carefully, if there's something you don't understand or that will not work please let me know and we will go through it together.
  • Malware is often buggy and can be very unstable, with that in mind it is advisable to backup any important data before we begin. Go Here and follow the instructions specific for your operating system.

Please proceed as follows :-


Close all windows, Select > start icon > all programs > accessories > Right click on "command prompt" > select > Run as administrator > ok any alerts > at the command prompt type or copy and paste sfc /scannow > then enter. Type exit when its finished and re-boot your PC.

Next,

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from either of the following links :-

Link 1
Link 2
  • Ensure that Combofix is saved directly to the Desktop <--- Very important
  • Disable all security programs as they will have a negative effect on Combofix, instructions available Here if required. Be aware the list may not have all programs listed, if you need more help please ask.
  • Close any open browsers and any other programs you might have running
  • Double click the icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator)
  • Instructions for running Combofix available Here if required.
  • If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read Here why disabling autoruns is recommended.

*EXTRA NOTES*
  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
  • If Combofix reboot's due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
  • If after running Combofix you receive any type of warning message about registry key's being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

Post the log in next reply please...

Kevin
FizzyJay's Avatar
Member with 5 posts.
THREAD STARTER
  
Join Date: Jul 2012
11-Jul-2012, 10:16 PM #3
Thanks for the swift reply Kevin, I did the command promt command and it said that there were no "Violations", but I did not see any sort of log made for that.

Here is the log for the ComboFix:

ComboFix 12-07-11.03 - Thomas 11/07/2012 19:39:52.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.2.1033.18.7860.5928 [GMT -6:00]
Running from: c:\users\Thomas\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\intellidownload\gunzip.exe
c:\programdata\CP.ico
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
c:\windows\Downloaded Program Files\prsetup.dll
c:\windows\Installer\{188a36e9-5e0c-c310-6f0d-08896b023b54}\@
c:\windows\Installer\{188a36e9-5e0c-c310-6f0d-08896b023b54}\L\00000004.@
c:\windows\Installer\{188a36e9-5e0c-c310-6f0d-08896b023b54}\L\201d3dde
c:\windows\Installer\{188a36e9-5e0c-c310-6f0d-08896b023b54}\L\55490ac4
c:\windows\Installer\{188a36e9-5e0c-c310-6f0d-08896b023b54}\U\00000004.@
c:\windows\Installer\{188a36e9-5e0c-c310-6f0d-08896b023b54}\U\00000008.@
c:\windows\Installer\{188a36e9-5e0c-c310-6f0d-08896b023b54}\U\000000cb.@
c:\windows\Installer\{188a36e9-5e0c-c310-6f0d-08896b023b54}\U\80000000.@
c:\windows\Installer\{188a36e9-5e0c-c310-6f0d-08896b023b54}\U\80000032.@
c:\windows\Installer\{188a36e9-5e0c-c310-6f0d-08896b023b54}\U\80000064.@
c:\windows\system32\fxsst.dll . . . . Failed to delete
c:\windows\system32\slwga.dll . . . . Failed to delete
c:\windows\system32\srrstr.dll . . . . Failed to delete
c:\windows\system32\systemcpl.dll . . . . Failed to delete
c:\windows\system32\termsrv.dll . . . . Failed to delete
.
----- File Replicators -----
.
c:\programdata\Adobe\Reader\9.2\ARM\11748\AcrobatUpdater.exe
c:\programdata\Adobe\Reader\9.2\ARM\11748\AdobeARMHelper.exe
c:\programdata\Adobe\Reader\9.2\ARM\11748\ReaderUpdater.exe
c:\programdata\Adobe\Reader\9.2\ARM\11861\AcrobatUpdater.exe
c:\programdata\Adobe\Reader\9.2\ARM\11861\AdobeARMHelper.exe
c:\programdata\Adobe\Reader\9.2\ARM\11861\ReaderUpdater.exe
c:\programdata\Adobe\Reader\9.2\ARM\1201\AcrobatUpdater.exe
c:\programdata\Adobe\Reader\9.2\ARM\1201\AdobeARMHelper.exe
c:\programdata\Adobe\Reader\9.2\ARM\1201\ReaderUpdater.exe
c:\programdata\Adobe\Reader\9.2\ARM\13636\AcrobatUpdater.exe
c:\programdata\Adobe\Reader\9.2\ARM\13636\AdobeARMHelper.exe
c:\programdata\Adobe\Reader\9.2\ARM\13636\ReaderUpdater.exe
c:\programdata\Adobe\Reader\9.2\ARM\14180\AcrobatUpdater.exe
c:\programdata\Adobe\Reader\9.2\ARM\14180\AdobeARMHelper.exe
c:\programdata\Adobe\Reader\9.2\ARM\14180\ReaderUpdater.exe
c:\programdata\Adobe\Reader\9.2\ARM\17357\AcrobatUpdater.exe
c:\programdata\Adobe\Reader\9.2\ARM\17357\AdobeARMHelper.exe
c:\programdata\Adobe\Reader\9.2\ARM\17357\ReaderUpdater.exe
c:\programdata\Adobe\Reader\9.2\ARM\20515\AcrobatUpdater.exe
c:\programdata\Adobe\Reader\9.2\ARM\20515\AdobeARMHelper.exe
c:\programdata\Adobe\Reader\9.2\ARM\20515\ReaderUpdater.exe
c:\programdata\Adobe\Reader\9.2\ARM\23347\AcrobatUpdater.exe
c:\programdata\Adobe\Reader\9.2\ARM\23347\AdobeARMHelper.exe
c:\programdata\Adobe\Reader\9.2\ARM\23347\ReaderUpdater.exe
c:\programdata\Adobe\Reader\9.2\ARM\24111\AcrobatUpdater.exe
c:\programdata\Adobe\Reader\9.2\ARM\24111\AdobeARMHelper.exe
c:\programdata\Adobe\Reader\9.2\ARM\24111\ReaderUpdater.exe
c:\programdata\Adobe\Reader\9.2\ARM\25936\AcrobatUpdater.exe
c:\programdata\Adobe\Reader\9.2\ARM\25936\AdobeARMHelper.exe
c:\programdata\Adobe\Reader\9.2\ARM\25936\ReaderUpdater.exe
c:\programdata\Adobe\Reader\9.2\ARM\26820\AcrobatUpdater.exe
c:\programdata\Adobe\Reader\9.2\ARM\26820\AdobeARMHelper.exe
c:\programdata\Adobe\Reader\9.2\ARM\26820\ReaderUpdater.exe
c:\programdata\Adobe\Reader\9.2\ARM\27295\AcrobatUpdater.exe
c:\programdata\Adobe\Reader\9.2\ARM\27295\AdobeARMHelper.exe
c:\programdata\Adobe\Reader\9.2\ARM\27295\ReaderUpdater.exe
c:\programdata\Adobe\Reader\9.2\ARM\30466\AcrobatUpdater.exe
c:\programdata\Adobe\Reader\9.2\ARM\30466\AdobeARMHelper.exe
c:\programdata\Adobe\Reader\9.2\ARM\30466\ReaderUpdater.exe
c:\programdata\Adobe\Reader\9.2\ARM\31237\AcrobatUpdater.exe
c:\programdata\Adobe\Reader\9.2\ARM\31237\AdobeARMHelper.exe
c:\programdata\Adobe\Reader\9.2\ARM\31237\ReaderUpdater.exe
c:\programdata\Adobe\Reader\9.2\ARM\3140\AcrobatUpdater.exe
c:\programdata\Adobe\Reader\9.2\ARM\3140\AdobeARMHelper.exe
c:\programdata\Adobe\Reader\9.2\ARM\3140\ReaderUpdater.exe
c:\programdata\Adobe\Reader\9.2\ARM\9382\AcrobatUpdater.exe
c:\programdata\Adobe\Reader\9.2\ARM\9382\AdobeARMHelper.exe
c:\programdata\Adobe\Reader\9.2\ARM\9382\ReaderUpdater.exe
c:\programdata\Adobe\Reader\9.2\ARM\9947\AcrobatUpdater.exe
c:\programdata\Adobe\Reader\9.2\ARM\9947\AdobeARMHelper.exe
c:\programdata\Adobe\Reader\9.2\ARM\9947\ReaderUpdater.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\11748\AcrobatUpdater.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\11748\AdobeARMHelper.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\11748\ReaderUpdater.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\11861\AcrobatUpdater.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\11861\AdobeARMHelper.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\11861\ReaderUpdater.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\1201\AcrobatUpdater.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\1201\AdobeARMHelper.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\1201\ReaderUpdater.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\13636\AcrobatUpdater.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\13636\AdobeARMHelper.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\13636\ReaderUpdater.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\14180\AcrobatUpdater.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\14180\AdobeARMHelper.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\14180\ReaderUpdater.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\17357\AcrobatUpdater.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\17357\AdobeARMHelper.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\17357\ReaderUpdater.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\20515\AcrobatUpdater.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\20515\AdobeARMHelper.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\20515\ReaderUpdater.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\23347\AcrobatUpdater.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\23347\AdobeARMHelper.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\23347\ReaderUpdater.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\24111\AcrobatUpdater.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\24111\AdobeARMHelper.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\24111\ReaderUpdater.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\25936\AcrobatUpdater.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\25936\AdobeARMHelper.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\25936\ReaderUpdater.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\26820\AcrobatUpdater.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\26820\AdobeARMHelper.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\26820\ReaderUpdater.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\27295\AcrobatUpdater.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\27295\AdobeARMHelper.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\27295\ReaderUpdater.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\30466\AcrobatUpdater.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\30466\AdobeARMHelper.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\30466\ReaderUpdater.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\31237\AcrobatUpdater.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\31237\AdobeARMHelper.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\31237\ReaderUpdater.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\3140\AcrobatUpdater.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\3140\AdobeARMHelper.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\3140\ReaderUpdater.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\9382\AcrobatUpdater.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\9382\AdobeARMHelper.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\9382\ReaderUpdater.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\9947\AcrobatUpdater.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\9947\AdobeARMHelper.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\9947\ReaderUpdater.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-06-12 to 2012-07-12 )))))))))))))))))))))))))))))))
.
.
2012-07-12 01:51 . 2012-07-12 01:51 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-07 03:57 . 2012-07-07 03:57 -------- d-----w- c:\users\Thomas\AppData\Roaming\Packard Bell
2012-07-07 03:57 . 2012-07-07 03:57 -------- d-----w- c:\users\Thomas\AppData\Local\Gateway
2012-07-06 04:38 . 2012-07-06 04:39 -------- d-----w- c:\users\Thomas\AppData\Roaming\AVG
2012-07-05 16:24 . 2012-07-05 16:24 -------- d-----w- c:\program files (x86)\ASIO4ALL v2
2012-07-04 02:00 . 2012-07-11 06:47 -------- d-----w- c:\windows\usb-audio.deBehringer2902
2012-07-04 01:50 . 2009-10-30 19:39 49728 ----a-w- c:\windows\system32\drivers\busbwdm.sys
2012-07-04 01:50 . 2009-10-30 19:39 460864 ----a-w- c:\windows\system32\drivers\BUSB2902.sys
2012-07-03 15:06 . 2012-07-03 15:06 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2012-07-03 15:01 . 2012-07-03 15:01 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-03 15:01 . 2012-07-03 15:01 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-07-03 15:01 . 2012-07-03 15:01 -------- d-----w- c:\windows\system32\Macromed
2012-07-03 14:55 . 2012-07-03 20:18 -------- d-----w- c:\program files (x86)\OApps
2012-07-03 14:55 . 2012-07-03 14:55 -------- d-----w- c:\program files (x86)\TorrentSearch
2012-07-03 14:55 . 2012-07-12 01:50 -------- d-----w- c:\program files (x86)\intellidownload
2012-07-03 14:46 . 2012-07-03 20:39 -------- d-----w- c:\users\Thomas\AppData\Roaming\Line 6
2012-07-03 14:45 . 2012-07-03 14:45 -------- d-----w- c:\programdata\Line 6
2012-07-03 14:45 . 2012-07-03 14:45 -------- d-----w- c:\program files (x86)\Common Files\Digidesign
2012-07-03 14:45 . 2012-07-03 14:45 -------- d-----w- c:\program files (x86)\Line6
2012-07-03 14:38 . 2012-07-03 14:38 -------- d-----w- c:\users\Thomas\AppData\Local\CRE
2012-07-03 14:38 . 2012-07-03 14:38 -------- d-----w- c:\program files (x86)\Conduit
2012-07-03 14:38 . 2012-07-03 14:38 -------- d-----w- c:\users\Thomas\AppData\Local\Conduit
2012-07-03 14:38 . 2012-07-11 06:48 -------- d-----w- c:\program files (x86)\uTorrent
2012-07-03 14:37 . 2012-07-11 06:48 -------- d-----w- c:\users\Thomas\AppData\Roaming\uTorrent
2012-06-24 19:48 . 2012-05-18 02:06 2311680 ----a-w- c:\windows\system32\jscript9.dll
2012-06-22 13:13 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-22 13:13 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-22 13:13 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-22 13:13 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-22 13:13 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-22 13:13 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-22 13:13 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-22 13:13 . 2012-06-02 21:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-22 13:13 . 2012-06-02 21:15 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-14 04:53 . 2012-04-26 05:41 77312 ----a-w- c:\windows\system32\rdpwsx.dll
2012-06-14 04:53 . 2012-04-26 05:41 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-06-14 04:53 . 2012-04-26 05:34 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-06-14 04:53 . 2012-05-01 05:40 209920 ----a-w- c:\windows\system32\profsvc.dll
2012-06-14 04:53 . 2012-05-04 11:06 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-06-14 04:53 . 2012-05-04 10:03 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-06-14 04:53 . 2012-05-04 10:03 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-06-14 04:53 . 2012-05-15 01:32 3146752 ----a-w- c:\windows\system32\win32k.sys
2012-06-14 04:52 . 2012-04-28 03:55 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-14 04:52 . 2012-04-07 12:31 3216384 ----a-w- c:\windows\system32\msi.dll
2012-06-14 04:52 . 2012-04-07 11:26 2342400 ----a-w- c:\windows\SysWow64\msi.dll
2012-06-14 04:52 . 2012-04-24 05:37 1462272 ----a-w- c:\windows\system32\crypt32.dll
2012-06-14 04:52 . 2012-04-24 04:36 1158656 ----a-w- c:\windows\SysWow64\crypt32.dll
2012-06-14 04:52 . 2012-04-24 05:37 184320 ----a-w- c:\windows\system32\cryptsvc.dll
2012-06-14 04:52 . 2012-04-24 05:37 140288 ----a-w- c:\windows\system32\cryptnet.dll
2012-06-14 04:52 . 2012-04-24 04:36 140288 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2012-06-14 04:52 . 2012-04-24 04:36 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
2012-06-13 04:01 . 2012-06-13 04:01 -------- d-----w- c:\users\Thomas\AppData\Local\AVG Secure Search
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-05 22:50 . 2012-06-05 22:50 74752 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2012-06-05 22:50 . 2012-06-05 22:50 161792 ----a-w- c:\windows\SysWow64\msls31.dll
2012-06-05 22:50 . 2012-06-05 22:50 86528 ----a-w- c:\windows\SysWow64\iesysprep.dll
2012-06-05 22:50 . 2012-06-05 22:50 76800 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2012-06-05 22:50 . 2012-06-05 22:50 63488 ----a-w- c:\windows\SysWow64\tdc.ocx
2012-06-05 22:50 . 2012-06-05 22:50 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2012-06-05 22:50 . 2012-06-05 22:50 367104 ----a-w- c:\windows\SysWow64\html.iec
2012-06-05 22:50 . 2012-06-05 22:50 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2012-06-05 22:50 . 2012-06-05 22:50 74752 ----a-w- c:\windows\SysWow64\iesetup.dll
2012-06-05 22:50 . 2012-06-05 22:50 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
2012-06-05 22:50 . 2012-06-05 22:50 23552 ----a-w- c:\windows\SysWow64\licmgr10.dll
2012-06-05 22:50 . 2012-06-05 22:50 152064 ----a-w- c:\windows\SysWow64\wextract.exe
2012-06-05 22:50 . 2012-06-05 22:50 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
2012-06-05 22:50 . 2012-06-05 22:50 89088 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-06-05 22:50 . 2012-06-05 22:50 35840 ----a-w- c:\windows\SysWow64\imgutil.dll
2012-06-05 22:50 . 2012-06-05 22:50 11776 ----a-w- c:\windows\SysWow64\mshta.exe
2012-06-05 22:50 . 2012-06-05 22:50 101888 ----a-w- c:\windows\SysWow64\admparse.dll
2012-06-05 22:50 . 2012-06-05 22:50 91648 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2012-06-05 22:50 . 2012-06-05 22:50 49664 ----a-w- c:\windows\system32\imgutil.dll
2012-06-05 22:50 . 2012-06-05 22:50 48640 ----a-w- c:\windows\system32\mshtmler.dll
2012-06-05 22:50 . 2012-06-05 22:50 222208 ----a-w- c:\windows\system32\msls31.dll
2012-06-05 22:50 . 2012-06-05 22:50 135168 ----a-w- c:\windows\system32\IEAdvpack.dll
2012-06-05 22:50 . 2012-06-05 22:50 12288 ----a-w- c:\windows\system32\mshta.exe
2012-06-05 22:50 . 2012-06-05 22:50 114176 ----a-w- c:\windows\system32\admparse.dll
2012-06-05 22:50 . 2012-06-05 22:50 111616 ----a-w- c:\windows\system32\iesysprep.dll
2012-06-05 22:50 . 2012-06-05 22:50 85504 ----a-w- c:\windows\system32\iesetup.dll
2012-06-05 22:50 . 2012-06-05 22:50 76800 ----a-w- c:\windows\system32\tdc.ocx
2012-06-05 22:50 . 2012-06-05 22:50 448512 ----a-w- c:\windows\system32\html.iec
2012-06-05 22:50 . 2012-06-05 22:50 30720 ----a-w- c:\windows\system32\licmgr10.dll
2012-06-05 22:50 . 2012-06-05 22:50 165888 ----a-w- c:\windows\system32\iexpress.exe
2012-06-05 22:50 . 2012-06-05 22:50 160256 ----a-w- c:\windows\system32\wextract.exe
2012-06-05 22:50 . 2012-06-05 22:50 603648 ----a-w- c:\windows\system32\vbscript.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{687578b9-7132-4a7a-80e4-30ee31099e03}"= "c:\program files (x86)\uTorrentControl2\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{687578b9-7132-4a7a-80e4-30ee31099e03}]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{687578b9-7132-4a7a-80e4-30ee31099e03}]
2011-05-09 09:49 176936 ----a-w- c:\program files (x86)\uTorrentControl2\prxtbuTor.dll
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-06-12 14:56 2068536 ----a-w- c:\program files (x86)\AVG Secure Search\11.1.0.7\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files (x86)\AVG Secure Search\11.1.0.7\AVG Secure Search_toolbar.dll" [2012-06-12 2068536]
"{687578b9-7132-4a7a-80e4-30ee31099e03}"= "c:\program files (x86)\uTorrentControl2\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CLASSES_ROOT\clsid\{687578b9-7132-4a7a-80e4-30ee31099e03}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2011-06-15 15141768]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2011-10-14 1242448]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ru n]
"NortonOnlineBackupReminder"="c:\program files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" [2009-07-25 588648]
"BackupManagerTray"="c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe" [2009-09-24 244480]
"Camera Assistant Software"="c:\program files (x86)\Video Web Camera\traybar.exe" [2009-12-03 600688]
"LManager"="c:\program files (x86)\Launch Manager\LManager.exe" [2009-11-01 1094736]
"CLMLServer"="c:\program files (x86)\Cyberlink\Power2Go\CLMLSvc.exe" [2009-06-04 103720]
"RemoteControl8"="c:\program files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe" [2009-04-16 91432]
"PDVD8LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD8\Language\Language.exe" [2009-04-16 50472]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG10\avgtray.exe" [2012-01-18 2339168]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-07-06 421888]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-11-13 421736]
"vProt"="c:\program files (x86)\AVG Secure Search\vprot.exe" [2012-06-12 1104440]
"ROC_roc_dec12"="c:\program files (x86)\AVG Secure Search\ROC_roc_dec12.exe" [2012-01-23 928096]
.
c:\users\Thomas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\3.0.271\SSScheduler.exe [2012-3-13 274328]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\syste m]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG10\avgchsva.exe /sync\0c:\progra~2\AVG\AVG10\avgrsa.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 11:08 35696 ----a-w- c:\program files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-06-28 136176]
R3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\AmUStor.SYS [2009-07-22 40448]
R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files (x86)\AVG\AVG10\Toolbar\ToolbarBroker.exe [2011-11-10 167264]
R3 BEHRINGER_2902;usb-audio.de driver for BEHRINGER USB AUDIO;c:\windows\system32\Drivers\BUSB2902.sys [2009-10-30 460864]
R3 BUSB_AUDIO_WDM;BEHRINGER USB WDM AUDIO;c:\windows\system32\drivers\busbwdm.sys [2009-10-30 49728]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-06-28 136176]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\3.0.271\McCHSvc.exe [2012-03-13 237272]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 TurboBoost;TurboBoost;c:\program files\Intel\TurboBoost\TurboBoost.exe [2009-11-02 126352]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-08-21 1255736]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files (x86)\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2008-07-10 47128]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2008-07-10 369688]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [2011-02-22 26704]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [2011-03-16 37456]
S0 RapportKE64;RapportKE64;c:\windows\System32\Drivers\RapportKE64.sys [2011-09-26 64272]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [2011-01-07 304720]
S1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [2011-03-01 41552]
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [2011-04-05 377936]
S1 RapportCerberus_32029;RapportCerberus_32029;c:\programdata\Trusteer\Rapport \store\exts\RapportCerberus\32029\RapportCerberus64_32029.sys [2011-10-18 396816]
S1 RapportEI64;RapportEI64;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys [2011-09-26 55056]
S1 RapportPG64;RapportPG64;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys [2011-09-26 61712]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2012-01-31 7391072]
S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG10\avgwdsvc.exe [2011-02-08 269520]
S2 ePowerSvc;Acer ePower Service;c:\program files\Gateway\Gateway Power Management\ePowerSvc.exe [2009-09-30 844320]
S2 Greg_Service;GRegService;c:\program files (x86)\Gateway\Registration\GregHSRW.exe [2009-08-28 1150496]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 27136]
S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [2009-09-24 62720]
S2 RapportMgmtService;Rapport Management Service;c:\program files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe [2011-09-26 919352]
S2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.sys [2009-03-02 11576]
S2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys [2009-11-02 13784]
S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2009-10-01 2320920]
S2 Updater Service;Updater Service;c:\program files\Gateway\Gateway Updater\UpdaterService.exe [2009-07-04 240160]
S2 vToolbarUpdater11.1.0;vToolbarUpdater11.1.0;c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\11.1.0\ToolbarUpdater.exe [2012-06-12 935480]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [2011-05-28 118864]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [2011-02-10 29264]
S3 CAXHWAZL;CAXHWAZL;c:\windows\system32\DRIVERS\CAXHWAZL.sys [2009-02-13 292864]
S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2009-10-26 151936]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2009-10-30 244736]
S3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [2009-08-06 320040]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2010-07-21 45456]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-06-28 02:54]
.
2012-07-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-06-28 02:54]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-10-29 8312352]
"AmIcoSinglun64"="c:\program files (x86)\AmIcoSingLun\AmIcoSinglun64.exe" [2009-07-22 323072]
"PLFSetI"="c:\windows\PLFSetI.exe" [2009-11-20 200704]
"Acer ePower Management"="c:\program files\Gateway\Gateway Power Management\ePowerTray.exe" [2009-09-30 823840]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2010-07-21 2327952]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=1009&m=nv59&r=27360810k6b6l0370z1h5a49k1y320
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: cantireu.com
Trusted Zone: icanelearn.com
Trusted Zone: line6.net
Trusted Zone: plateau.com
TCP: DhcpNameServer = 192.168.0.1
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\11.1.0\ViProtocol.dll
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-Locked - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Toolbar-Locked - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
WebBrowser-{687578B9-7132-4A7A-80E4-30EE31099E03} - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-{980A182F-E0A2-4A40-94C1-AE0C1235902E} - c:\program files (x86)\Pando Networks\Media Booster\uninst.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-640407645-4038575709-3359598853-1001\Software\SecuROM\License information*]
"datasecu"=hex:18,0e,52,d6,9b,9c,31,91,e1,a2,67,2d,63,8a,c8,f0,45,1f,97,32, 56,
e0,0c,11,c5,4c,00,51,1a,50,ef,d9,31,ef,d2,cb,e4,82,7a,4c,12,8d,58,1a,b0,c3, \
"rkeysecu"=hex:d4,b9,60,18,d4,27,0a,7d,bd,68,93,3b,ba,0a,24,65
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_ 3_300_257_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX .exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
c:\program files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
.
**************************************************************************
.
Completion time: 2012-07-11 20:04:34 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-12 02:04
.
Pre-Run: 473,582,874,624 bytes free
Post-Run: 483,927,490,560 bytes free
.
- - End Of File - - D3FE263550DAA5280F07D3FE69ADB9CD

Awaiting further instructions..
FizzyJay's Avatar
Member with 5 posts.
THREAD STARTER
  
Join Date: Jul 2012
11-Jul-2012, 10:18 PM #4
On a side note, ComboFix said I hadn't disabled my AVG security when infact I had, I wasn't sure what to do about that but it ran anyways. I haven't noticed any damage as of yet thankfully.

Awaiting further instructions..
kevinf80's Avatar
kevinf80   (Kevin) kevinf80 is offline kevinf80 is authorized to help remove malware. kevinf80 has a Profile Picture
Computer Specs
Malware Removal Specialist with 8,514 posts.
  
Join Date: Mar 2006
Location: Sunderland UK
Experience: Intermediate
12-Jul-2012, 03:20 AM #5
OK, continue as follows please:

Step 1

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the Codebox below into it:

Code:
KillAll::
ClearJavaCache::
Folder::
c:\windows\SysWow64\%APPDATA%
c:\program files (x86)\Conduit
c:\users\Thomas\AppData\Local\Conduit
c:\program files (x86)\uTorrentControl2
Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{687578b9-7132-4a7a-80e4-30ee31099e03}"=-
[-HKEY_CLASSES_ROOT\clsid\{687578b9-7132-4a7a-80e4-30ee31099e03}]
[-HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{687578b9-7132-4a7a-80e4-30ee31099e03}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{687578b9-7132-4a7a-80e4-30ee31099e03}"=-
[-HKEY_CLASSES_ROOT\clsid\{687578b9-7132-4a7a-80e4-30ee31099e03}]
Save this as CFScript.txt, and as Type: All Files (*.*) in the same location as ComboFix.exe





Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Step 2

Please download Malwarebytes Anti-Malware and save it to your desktop.
Alernative D/L mirror
Alternative D/L mirror

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step 3

Go here http://www.sophos.com/products/free-...i-rootkit.html to Download Sophos tool.

Select the Download now tab as below:




In the new window select for Home User then fill out all necessary information:

The download should start automatically, if not select the link as below:




Save the download file to your Desktop, when complete double click the file to install the tool. Windows 7 or Vista user accept UAC alert.

The tool will self extract as below:





In the new window select next, as below:





Agree the licence and select next, as below:





Leave the installation folder as default, select next, as below:





In the new window select "Install" as below:





The install will progress from:





To:




At the above image ensure "Launch Sophos Virus Removal tool" is checked, then select Finish:

In the new window select "Start scanning" as below:





When the tool completes the log can be found by Navigating Start > Computer > C:\Program data \Sophos. open the Sophos folder and expand to Logs.

Post the 3 produced logs, also give update on current issues/concerns..

Kevin
FizzyJay's Avatar
Member with 5 posts.
THREAD STARTER
  
Join Date: Jul 2012
12-Jul-2012, 02:04 PM #6
Here is the ComboFix log:

ComboFix 12-07-11.03 - Thomas 12/07/2012 1:31.2.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.2.1033.18.7860.5772 [GMT -6:00]
Running from: c:\users\Thomas\Desktop\ComboFix.exe
Command switches used :: c:\users\Thomas\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\fxsst.dll . . . . Failed to delete
c:\windows\system32\slwga.dll . . . . Failed to delete
c:\windows\system32\srrstr.dll . . . . Failed to delete
c:\windows\system32\systemcpl.dll . . . . Failed to delete
c:\windows\system32\termsrv.dll . . . . Failed to delete
.
----- File Replicators -----
.
c:\programdata\Adobe\Reader\9.2\ARM\11748\AdobeARM.exe
c:\programdata\Adobe\Reader\9.2\ARM\11861\AdobeARM.exe
c:\programdata\Adobe\Reader\9.2\ARM\1201\AdobeARM.exe
c:\programdata\Adobe\Reader\9.2\ARM\13636\AdobeARM.exe
c:\programdata\Adobe\Reader\9.2\ARM\14180\AdobeARM.exe
c:\programdata\Adobe\Reader\9.2\ARM\15238\AdobeARM.exe
c:\programdata\Adobe\Reader\9.2\ARM\17357\AdobeARM.exe
c:\programdata\Adobe\Reader\9.2\ARM\20515\AdobeARM.exe
c:\programdata\Adobe\Reader\9.2\ARM\23347\AdobeARM.exe
c:\programdata\Adobe\Reader\9.2\ARM\24111\AdobeARM.exe
c:\programdata\Adobe\Reader\9.2\ARM\25936\AdobeARM.exe
c:\programdata\Adobe\Reader\9.2\ARM\26820\AdobeARM.exe
c:\programdata\Adobe\Reader\9.2\ARM\27295\AdobeARM.exe
c:\programdata\Adobe\Reader\9.2\ARM\30466\AdobeARM.exe
c:\programdata\Adobe\Reader\9.2\ARM\31237\AdobeARM.exe
c:\programdata\Adobe\Reader\9.2\ARM\3140\AdobeARM.exe
c:\programdata\Adobe\Reader\9.2\ARM\9382\AdobeARM.exe
c:\programdata\Adobe\Reader\9.2\ARM\9947\AdobeARM.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\11748\AdobeARM.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\11861\AdobeARM.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\1201\AdobeARM.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\13636\AdobeARM.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\14180\AdobeARM.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\15238\AdobeARM.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\17357\AdobeARM.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\20515\AdobeARM.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\23347\AdobeARM.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\24111\AdobeARM.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\25936\AdobeARM.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\26820\AdobeARM.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\27295\AdobeARM.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\30466\AdobeARM.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\31237\AdobeARM.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\3140\AdobeARM.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\9382\AdobeARM.exe
c:\users\All Users\Adobe\Reader\9.2\ARM\9947\AdobeARM.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-06-12 to 2012-07-12 )))))))))))))))))))))))))))))))
.
.
2012-07-12 08:14 . 2012-07-12 08:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-07 03:57 . 2012-07-07 03:57 -------- d-----w- c:\users\Thomas\AppData\Roaming\Packard Bell
2012-07-07 03:57 . 2012-07-07 03:57 -------- d-----w- c:\users\Thomas\AppData\Local\Gateway
2012-07-06 04:38 . 2012-07-06 04:39 -------- d-----w- c:\users\Thomas\AppData\Roaming\AVG
2012-07-05 16:24 . 2012-07-05 16:24 -------- d-----w- c:\program files (x86)\ASIO4ALL v2
2012-07-04 02:00 . 2012-07-11 06:47 -------- d-----w- c:\windows\usb-audio.deBehringer2902
2012-07-04 01:50 . 2009-10-30 19:39 49728 ----a-w- c:\windows\system32\drivers\busbwdm.sys
2012-07-04 01:50 . 2009-10-30 19:39 460864 ----a-w- c:\windows\system32\drivers\BUSB2902.sys
2012-07-03 15:06 . 2012-07-03 15:06 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2012-07-03 15:01 . 2012-07-03 15:01 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-03 15:01 . 2012-07-03 15:01 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-07-03 15:01 . 2012-07-03 15:01 -------- d-----w- c:\windows\system32\Macromed
2012-07-03 14:55 . 2012-07-03 20:18 -------- d-----w- c:\program files (x86)\OApps
2012-07-03 14:55 . 2012-07-03 14:55 -------- d-----w- c:\program files (x86)\TorrentSearch
2012-07-03 14:55 . 2012-07-12 01:50 -------- d-----w- c:\program files (x86)\intellidownload
2012-07-03 14:46 . 2012-07-03 20:39 -------- d-----w- c:\users\Thomas\AppData\Roaming\Line 6
2012-07-03 14:45 . 2012-07-03 14:45 -------- d-----w- c:\programdata\Line 6
2012-07-03 14:45 . 2012-07-03 14:45 -------- d-----w- c:\program files (x86)\Common Files\Digidesign
2012-07-03 14:45 . 2012-07-03 14:45 -------- d-----w- c:\program files (x86)\Line6
2012-07-03 14:38 . 2012-07-03 14:38 -------- d-----w- c:\users\Thomas\AppData\Local\CRE
2012-07-03 14:38 . 2012-07-03 14:38 -------- d-----w- c:\program files (x86)\Conduit
2012-07-03 14:38 . 2012-07-03 14:38 -------- d-----w- c:\users\Thomas\AppData\Local\Conduit
2012-07-03 14:38 . 2012-07-11 06:48 -------- d-----w- c:\program files (x86)\uTorrent
2012-07-03 14:37 . 2012-07-11 06:48 -------- d-----w- c:\users\Thomas\AppData\Roaming\uTorrent
2012-06-24 19:48 . 2012-05-18 02:06 2311680 ----a-w- c:\windows\system32\jscript9.dll
2012-06-22 13:13 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-22 13:13 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-22 13:13 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-22 13:13 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-22 13:13 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-22 13:13 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-22 13:13 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-22 13:13 . 2012-06-02 21:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-22 13:13 . 2012-06-02 21:15 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-14 04:53 . 2012-04-26 05:41 77312 ----a-w- c:\windows\system32\rdpwsx.dll
2012-06-14 04:53 . 2012-04-26 05:41 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-06-14 04:53 . 2012-04-26 05:34 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-06-14 04:53 . 2012-05-01 05:40 209920 ----a-w- c:\windows\system32\profsvc.dll
2012-06-14 04:53 . 2012-05-04 11:06 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-06-14 04:53 . 2012-05-04 10:03 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-06-14 04:53 . 2012-05-04 10:03 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-06-14 04:53 . 2012-05-15 01:32 3146752 ----a-w- c:\windows\system32\win32k.sys
2012-06-14 04:52 . 2012-04-28 03:55 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-14 04:52 . 2012-04-07 12:31 3216384 ----a-w- c:\windows\system32\msi.dll
2012-06-14 04:52 . 2012-04-07 11:26 2342400 ----a-w- c:\windows\SysWow64\msi.dll
2012-06-14 04:52 . 2012-04-24 05:37 1462272 ----a-w- c:\windows\system32\crypt32.dll
2012-06-14 04:52 . 2012-04-24 04:36 1158656 ----a-w- c:\windows\SysWow64\crypt32.dll
2012-06-14 04:52 . 2012-04-24 05:37 184320 ----a-w- c:\windows\system32\cryptsvc.dll
2012-06-14 04:52 . 2012-04-24 05:37 140288 ----a-w- c:\windows\system32\cryptnet.dll
2012-06-14 04:52 . 2012-04-24 04:36 140288 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2012-06-14 04:52 . 2012-04-24 04:36 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
2012-06-13 04:01 . 2012-06-13 04:01 -------- d-----w- c:\users\Thomas\AppData\Local\AVG Secure Search
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-05 22:50 . 2012-06-05 22:50 74752 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2012-06-05 22:50 . 2012-06-05 22:50 161792 ----a-w- c:\windows\SysWow64\msls31.dll
2012-06-05 22:50 . 2012-06-05 22:50 86528 ----a-w- c:\windows\SysWow64\iesysprep.dll
2012-06-05 22:50 . 2012-06-05 22:50 76800 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2012-06-05 22:50 . 2012-06-05 22:50 63488 ----a-w- c:\windows\SysWow64\tdc.ocx
2012-06-05 22:50 . 2012-06-05 22:50 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2012-06-05 22:50 . 2012-06-05 22:50 367104 ----a-w- c:\windows\SysWow64\html.iec
2012-06-05 22:50 . 2012-06-05 22:50 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2012-06-05 22:50 . 2012-06-05 22:50 74752 ----a-w- c:\windows\SysWow64\iesetup.dll
2012-06-05 22:50 . 2012-06-05 22:50 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
2012-06-05 22:50 . 2012-06-05 22:50 23552 ----a-w- c:\windows\SysWow64\licmgr10.dll
2012-06-05 22:50 . 2012-06-05 22:50 152064 ----a-w- c:\windows\SysWow64\wextract.exe
2012-06-05 22:50 . 2012-06-05 22:50 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
2012-06-05 22:50 . 2012-06-05 22:50 89088 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-06-05 22:50 . 2012-06-05 22:50 35840 ----a-w- c:\windows\SysWow64\imgutil.dll
2012-06-05 22:50 . 2012-06-05 22:50 11776 ----a-w- c:\windows\SysWow64\mshta.exe
2012-06-05 22:50 . 2012-06-05 22:50 101888 ----a-w- c:\windows\SysWow64\admparse.dll
2012-06-05 22:50 . 2012-06-05 22:50 91648 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2012-06-05 22:50 . 2012-06-05 22:50 49664 ----a-w- c:\windows\system32\imgutil.dll
2012-06-05 22:50 . 2012-06-05 22:50 48640 ----a-w- c:\windows\system32\mshtmler.dll
2012-06-05 22:50 . 2012-06-05 22:50 222208 ----a-w- c:\windows\system32\msls31.dll
2012-06-05 22:50 . 2012-06-05 22:50 135168 ----a-w- c:\windows\system32\IEAdvpack.dll
2012-06-05 22:50 . 2012-06-05 22:50 12288 ----a-w- c:\windows\system32\mshta.exe
2012-06-05 22:50 . 2012-06-05 22:50 114176 ----a-w- c:\windows\system32\admparse.dll
2012-06-05 22:50 . 2012-06-05 22:50 111616 ----a-w- c:\windows\system32\iesysprep.dll
2012-06-05 22:50 . 2012-06-05 22:50 85504 ----a-w- c:\windows\system32\iesetup.dll
2012-06-05 22:50 . 2012-06-05 22:50 76800 ----a-w- c:\windows\system32\tdc.ocx
2012-06-05 22:50 . 2012-06-05 22:50 448512 ----a-w- c:\windows\system32\html.iec
2012-06-05 22:50 . 2012-06-05 22:50 30720 ----a-w- c:\windows\system32\licmgr10.dll
2012-06-05 22:50 . 2012-06-05 22:50 165888 ----a-w- c:\windows\system32\iexpress.exe
2012-06-05 22:50 . 2012-06-05 22:50 160256 ----a-w- c:\windows\system32\wextract.exe
2012-06-05 22:50 . 2012-06-05 22:50 603648 ----a-w- c:\windows\system32\vbscript.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-07-12_01.56.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-06 05:06 . 2012-07-12 02:31 45130 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-07-12 08:19 38160 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-08-21 01:29 . 2012-07-12 08:19 11160 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-640407645-4038575709-3359598853-1001_UserData.bin
- 2012-07-12 01:54 . 2012-07-12 01:54 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-07-12 08:16 . 2012-07-12 08:16 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-07-12 01:54 . 2012-07-12 01:54 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-07-12 08:16 . 2012-07-12 08:16 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 04:54 . 2012-07-12 08:16 114688 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\ Cookies\index.dat
- 2009-07-14 04:54 . 2012-07-12 01:54 114688 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\ Cookies\index.dat
+ 2010-08-21 04:08 . 2012-07-12 07:16 317510 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2009-07-14 05:01 . 2012-07-12 08:15 327648 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-07-12 01:53 327648 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 04:54 . 2012-07-12 08:16 1228800 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-07-12 01:54 1228800 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-07-12 08:16 1474560 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Hi story\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-07-12 01:54 1474560 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Hi story\History.IE5\index.dat
+ 2012-02-21 15:21 . 2012-07-12 08:15 2431220 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-640407645-4038575709-3359598853-1001-8192.dat
+ 2012-07-04 02:01 . 2012-07-12 02:26 1745472 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-640407645-4038575709-3359598853-1001-12288.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-06-12 14:56 2068536 ----a-w- c:\program files (x86)\AVG Secure Search\11.1.0.7\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files (x86)\AVG Secure Search\11.1.0.7\AVG Secure Search_toolbar.dll" [2012-06-12 2068536]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2011-06-15 15141768]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2011-10-14 1242448]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ru n]
"NortonOnlineBackupReminder"="c:\program files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" [2009-07-25 588648]
"BackupManagerTray"="c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe" [2009-09-24 244480]
"Camera Assistant Software"="c:\program files (x86)\Video Web Camera\traybar.exe" [2009-12-03 600688]
"LManager"="c:\program files (x86)\Launch Manager\LManager.exe" [2009-11-01 1094736]
"CLMLServer"="c:\program files (x86)\Cyberlink\Power2Go\CLMLSvc.exe" [2009-06-04 103720]
"RemoteControl8"="c:\program files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe" [2009-04-16 91432]
"PDVD8LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD8\Language\Language.exe" [2009-04-16 50472]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG10\avgtray.exe" [2012-01-18 2339168]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-07-06 421888]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-11-13 421736]
"vProt"="c:\program files (x86)\AVG Secure Search\vprot.exe" [2012-06-12 1104440]
"ROC_roc_dec12"="c:\program files (x86)\AVG Secure Search\ROC_roc_dec12.exe" [2012-01-23 928096]
.
c:\users\Thomas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\3.0.271\SSScheduler.exe [2012-3-13 274328]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\syste m]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG10\avgchsva.exe /sync\0c:\progra~2\AVG\AVG10\avgrsa.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 11:08 35696 ----a-w- c:\program files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\AmUStor.SYS [2009-07-22 40448]
R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files (x86)\AVG\AVG10\Toolbar\ToolbarBroker.exe [2011-11-10 167264]
R3 BEHRINGER_2902;usb-audio.de driver for BEHRINGER USB AUDIO;c:\windows\system32\Drivers\BUSB2902.sys [2009-10-30 460864]
R3 BUSB_AUDIO_WDM;BEHRINGER USB WDM AUDIO;c:\windows\system32\drivers\busbwdm.sys [2009-10-30 49728]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\3.0.271\McCHSvc.exe [2012-03-13 237272]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 TurboBoost;TurboBoost;c:\program files\Intel\TurboBoost\TurboBoost.exe [2009-11-02 126352]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-08-21 1255736]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files (x86)\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2008-07-10 47128]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2008-07-10 369688]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [2011-02-22 26704]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [2011-03-16 37456]
S0 RapportKE64;RapportKE64;c:\windows\System32\Drivers\RapportKE64.sys [2011-09-26 64272]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [2011-01-07 304720]
S1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [2011-03-01 41552]
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [2011-04-05 377936]
S1 RapportCerberus_32029;RapportCerberus_32029;c:\programdata\Trusteer\Rapport \store\exts\RapportCerberus\32029\RapportCerberus64_32029.sys [2011-10-18 396816]
S1 RapportEI64;RapportEI64;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys [2011-09-26 55056]
S1 RapportPG64;RapportPG64;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys [2011-09-26 61712]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2012-01-31 7391072]
S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG10\avgwdsvc.exe [2011-02-08 269520]
S2 ePowerSvc;Acer ePower Service;c:\program files\Gateway\Gateway Power Management\ePowerSvc.exe [2009-09-30 844320]
S2 Greg_Service;GRegService;c:\program files (x86)\Gateway\Registration\GregHSRW.exe [2009-08-28 1150496]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 27136]
S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [2009-09-24 62720]
S2 RapportMgmtService;Rapport Management Service;c:\program files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe [2011-09-26 919352]
S2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.sys [2009-03-02 11576]
S2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys [2009-11-02 13784]
S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2009-10-01 2320920]
S2 Updater Service;Updater Service;c:\program files\Gateway\Gateway Updater\UpdaterService.exe [2009-07-04 240160]
S2 vToolbarUpdater11.1.0;vToolbarUpdater11.1.0;c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\11.1.0\ToolbarUpdater.exe [2012-06-12 935480]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [2011-05-28 118864]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [2011-02-10 29264]
S3 CAXHWAZL;CAXHWAZL;c:\windows\system32\DRIVERS\CAXHWAZL.sys [2009-02-13 292864]
S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2009-10-26 151936]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2009-10-30 244736]
S3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [2009-08-06 320040]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2010-07-21 45456]
.
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-10-29 8312352]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"AmIcoSinglun64"="c:\program files (x86)\AmIcoSingLun\AmIcoSinglun64.exe" [2009-07-22 323072]
"PLFSetI"="c:\windows\PLFSetI.exe" [2009-11-20 200704]
"Acer ePower Management"="c:\program files\Gateway\Gateway Power Management\ePowerTray.exe" [2009-09-30 823840]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2010-07-21 2327952]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=1009&m=nv59&r=27360810k6b6l0370z1h5a49k1y320
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: cantireu.com
Trusted Zone: icanelearn.com
Trusted Zone: line6.net
Trusted Zone: plateau.com
TCP: DhcpNameServer = 192.168.0.1
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\11.1.0\ViProtocol.dll
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-640407645-4038575709-3359598853-1001\Software\SecuROM\License information*]
"datasecu"=hex:18,0e,52,d6,9b,9c,31,91,e1,a2,67,2d,63,8a,c8,f0,45,1f,97,32, 56,
e0,0c,11,c5,4c,00,51,1a,50,ef,d9,31,ef,d2,cb,e4,82,7a,4c,12,8d,58,1a,b0,c3, \
"rkeysecu"=hex:d4,b9,60,18,d4,27,0a,7d,bd,68,93,3b,ba,0a,24,65
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_ 3_300_257_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX .exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
c:\program files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
.
**************************************************************************
.
Completion time: 2012-07-12 02:26:11 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-12 08:26
ComboFix2.txt 2012-07-12 02:04
.
Pre-Run: 484,467,417,088 bytes free
Post-Run: 484,227,055,616 bytes free
.
- - End Of File - - 820756381DC0C83CED20E1293727D697

Here is the MBAM log:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Database version: v2012.07.12.08
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Thomas :: THOMAS-PC [administrator]
12/07/2012 9:59:42 AM
mbam-log-2012-07-12 (09-59-42).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 213758
Time elapsed: 1 minute(s), 34 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 1
HKLM\SOFTWARE\Google\Chrome\Extensions\kincjchfokkeneeofpeefomkikfkiedl (PUP.FCTPlugin) -> Quarantined and deleted successfully.
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)

Finally, here is the sophos log:

2012-07-12 10:04:02 Sophos Virus Removal Tool version 2.1
2012-07-12 10:04:02 Copyright (c) 2009-2012 Sophos Limited. All rights reserved.
2012-07-12 10:04:02 This tool will scan your computer for viruses and other threats. If it finds any, it will give you the option to remove them.
2012-07-12 10:04:02 Windows version 6.1 SP 1.0 Service Pack 1 build 7601 SM=0x300 PT=0x1 WOW64
2012-07-12 10:04:02 Component SVRTcli.exe version 2.1
2012-07-12 10:04:02 Component control.dll version 2.1
2012-07-12 10:04:02 Component SVRTservice.exe version 2.1
2012-07-12 10:04:02 Component osdp.dll version 1.44.0.1982
2012-07-12 10:04:03 Component veex.dll version 3.33.2.1982
2012-07-12 10:04:03 Component savi.dll version 7.5.9.1982
2012-07-12 10:04:03 Component rkdisk.dll version 1.5.30.0
2012-07-12 10:04:12 Option all = no
2012-07-12 10:04:12 Option recurse = yes
2012-07-12 10:04:12 Option archive = no
2012-07-12 10:04:12 Option service = yes
2012-07-12 10:04:12 Option confirm = yes
2012-07-12 10:04:12 Option sxl = yes
2012-07-12 10:04:12 Option max-data-age = 35
2012-07-12 10:04:12 Version info: Product version 2.1
2012-07-12 10:04:12 Version info: Detection engine 3.33.2
2012-07-12 10:04:12 Version info: Detection data 4.79
2012-07-12 10:04:12 Version info: Virus data date 02/07/2012
2012-07-12 10:04:12 Version info: Data files added 261


2012-07-12 10:44:00 Could not open C:\hiberfil.sys
2012-07-12 10:45:13 Could not open C:\pagefile.sys
2012-07-12 10:52:34 >>> Virus 'Mal/FakeAV-DO' found in file C:\Program Files (x86)\Gateway Games\Virtual Villagers - The Secret City\Virtual Villagers - The Secret City-WT.exe\FILE:0001
2012-07-12 11:03:07 Could not open C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
2012-07-12 11:03:07 Could not open C:\System Volume Information\{58ea33b6-cc38-11e1-8520-00262d714433}{3808876b-c176-4e48-b7ae-04046e6cc752}
2012-07-12 11:03:07 Could not open C:\System Volume Information\{973640a7-cb15-11e1-a9fa-00262d714433}{3808876b-c176-4e48-b7ae-04046e6cc752}
2012-07-12 11:18:00 Could not open C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb
2012-07-12 11:18:00 Could not open C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
2012-07-12 11:49:25 The following items will be cleaned up:
2012-07-12 11:49:25 Mal/FakeAV-DO
2012-07-12 12:01:49 >>> Virus 'Mal/FakeAV-DO' found in file C:\Program Files (x86)\Gateway Games\Virtual Villagers - The Secret City\Virtual Villagers - The Secret City-WT.exe\FILE:0001
2012-07-12 12:01:49 Disinfection failed
2012-07-12 12:02:09 Scan completed.
2012-07-12 12:02:09
------------------------------------------------------------


With respect to my current issues/concerns, my computer appears to be running better since the runnings of combofix, mbam and sophos although sophos failed to remove the malware it discovered. ComboFix did take not quite an hour to run this morning (~1:30am -> 2:30am my time), could this be due to a more serious infection? MBAM detected one threat and removed it successfully, which is a good thing . Prior to starting this fix process, my computer sometimes would freeze while gaming or even while browsing with chrome/ie. While I have yet to use my computer for online games, browsing has not lead to a freeze as of yet. The speed of my computer at startup still feels slower than it did before my pc became infected. Could this be from some damage done by the infection(s) or due to a lingering infection that the software run up to this point has not detected? Regardless, great work thus far with removing these threats from my computer.

Awaiting further instructions..
kevinf80's Avatar
kevinf80   (Kevin) kevinf80 is offline kevinf80 is authorized to help remove malware. kevinf80 has a Profile Picture
Computer Specs
Malware Removal Specialist with 8,514 posts.
  
Join Date: Mar 2006
Location: Sunderland UK
Experience: Intermediate
12-Jul-2012, 02:58 PM #7
Hiya FizzyJay,

I concerned that Combofix is looking to delete the following system files, maybe they are corrupt or patched. It is unusual action from CF

c:\windows\system32\fxsst.dll
c:\windows\system32\slwga.dll
c:\windows\system32\srrstr.dll
c:\windows\system32\systemcpl.dll
c:\windows\system32\termsrv.dll

I`d like you to uload them to VirusTotal for analysis.

Please visit
Virustotal
  • Click the Browse... button
  • Navigate to the file c:\windows\system32\fxsst.dll or just copy/paste it in.
  • Click the Scan it tab
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Copy and paste the results back here please.
  • Repeat the above steps for the following files

c:\windows\system32\slwga.dll
c:\windows\system32\srrstr.dll
c:\windows\system32\systemcpl.dll
c:\windows\system32\termsrv.dll

Let me see the results,

Also can you UNinstall Virtual Villagers - The Secret City

Kevin
FizzyJay's Avatar
Member with 5 posts.
THREAD STARTER
  
Join Date: Jul 2012
12-Jul-2012, 06:01 PM #8
The first file, c:\windows\system32\fxsst.dll, does not exist according to VirusTotal
Link for the second scan: https://www.virustotal.com/file/da54...is/1342129972/
The third file, c:\windows\system32\srrstr.dll, does not exist according to VirusTotal
Link for the fourth scan:
https://www.virustotal.com/file/1091...is/1342130276/
The fifth and final file also does not exist according to VirusTotal

I uninstalled that Gateway game as requested

Awaiting further instructions..
kevinf80's Avatar
kevinf80   (Kevin) kevinf80 is offline kevinf80 is authorized to help remove malware. kevinf80 has a Profile Picture
Computer Specs
Malware Removal Specialist with 8,514 posts.
  
Join Date: Mar 2006
Location: Sunderland UK
Experience: Intermediate
13-Jul-2012, 04:04 AM #9
Apologies for dragging this out, I want to be 100% sure we`ve missed nothing, run the following :-

Step 1

Download TFC to your desktop, from either of the following links
Link 1
Link 2
  • Save any open work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program. Vista or Windows 7 users right click and select “Run as Administartor”
  • If prompted, click "Yes" to reboot.
TFC will automatically close any open programs, including your Desktop. Let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. TFC may re-boot your system, if not Re-boot it yourself to complete cleaning process <---- Very Important

Keep TFC it is an excellent utility to keep your system optimized, it empties all user temp folders, Java cache etc etc. Always remember to re-boot after a run, even if not prompted

Step 2

Run ESET Online Scan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Leave the tick out of remove found threats
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push
You can refer to this animation by neomage if needed.
Frequently asked questions available Here Please read them before running the scan.

Also be aware this scan can take several hours to complete depending on the size of your system.

ESET log can be found here "C:\Program Files\ESET\EsetOnlineScanner\log.txt".

Kevin..
Email This Email  Print This Print  Tweet This Send to Facebook Send to MySpace Send to StumbleUpon Digg This | More Services More
Reply
As Seen On

BBC, Reader's Digest, PC Magazine, Today Show, Money Magazine
WELCOME TO TECH SUPPORT GUY!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join Today!

(clock)
THIS THREAD HAS EXPIRED.
Are you having the same problem? We have volunteers ready to answer your question, but first you'll have to join for free. Need help getting started? Check out our Welcome Guide.

Search Tech Support Guy

Find the solution to your
computer problem!

« Previous Thread | Virus & Other Malware Removal | Next Thread »

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools


TECH SUPPORT GUY
WELCOME
FOLLOW US
 
You Are Using: Server ID
All times are GMT -4. The time now is 02:20 AM.
Advertisements do not imply our endorsement of that product or service.
Copyright © 1996 - 2013 TechGuy, Inc. All rights reserved. Privacy & Terms.

Trusted Website Back to the Top ↑