Solved: Services.exe infected with patched_c.lze


chrispcarter
Member with 20 posts.
THREAD STARTER
 
Join Date: Aug 2012
Experience: Intermediate
16-Aug-2012, 06:40 PM #1
Services.exe infected with patched_c.lze
Hi all,
Having agreed to have a look at the in-laws' lappy for them, for what I thought would be a simple scan and clean, I've found that (at the very least) services.exe is infected with patched_c.lze. AVG threw this up shortly after logon.

I'm fairly tech savvy, but after a little research I thought I could save myself time and potential issues by asking for help on here, as I see others have received good help with similar problems, so here I am.

The machine seems, in short, absolutely knackered - processes are just failing left, right and centre. Thankfully I have PCs of my own I can use for the net etc. and can transfer files via USB stick (carefully)!

When I tried to run GMER initially, it bluescreened, so I restarted in safe mode and ran it again - though I noticed it greyed out some of the options (only Services, Registry, Files, C:\ and ADS were selected). If I need a full scan in normal windows let me know and I'll try it again!

==========================================================================================
HIJACKTHIS:
==========================================================================================

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 23:05:51, on 16/08/2012
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.19088)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\spaRKLYPIXIE\Desktop\HijackThis.exe
C:\Windows\system32\WerFault.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchnu.com/406
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://support.thetechguys.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
R3 - URLSearchHook: AGSearchHook Class - {0BC6E3FA-78EF-4886-842C-5A1258C4455A} - C:\Program Files\AGI\common\agcutils.dll
O1 - Hosts: ::1 localhost
O2 - BHO: vShare Toolbar - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files\vShare\vshare_toolbar.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AGSearchHook Class - {0BC6E3FA-78EF-4886-842C-5A1258C4455A} - C:\Program Files\AGI\common\agcutils.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Kiwee Toolbar - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - C:\Program Files\Kiwee Toolbar\2.8.167\KiweeIEToolbar.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
O2 - BHO: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll
O2 - BHO: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~1\SEARCH~1\Datamngr\ToolBar\searchqudtx.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Kiwee Toolbar - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - C:\Program Files\Kiwee Toolbar\2.8.167\KiweeIEToolbar.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
O3 - Toolbar: vShare Toolbar - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files\vShare\vshare_toolbar.dll
O3 - Toolbar: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~1\SEARCH~1\Datamngr\ToolBar\searchqudtx.dll (file missing)
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RIMBBLaunchAgent.exe] C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
O4 - HKLM\..\Run: [vProt] "C:\Program Files\AVG Secure Search\vprot.exe"
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ROC_roc_dec12] "C:\Program Files\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
O4 - HKLM\..\Run: [HF_G_Jul] "C:\Program Files\AVG Secure Search\HF_G_Jul.exe" /DoAction
O4 - HKLM\..\RunServices: [McShld9x] C:\Program Files\McAfee.com\VSO\mcshld9x.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON SX110 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIFBE.EXE /FU "C:\Windows\TEMP\E_S311E.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [{A6C424EB-3895-E234-2EA1-CC8C39BFAE2D}] C:\Users\spaRKLYPIXIE\AppData\Roaming\Ezgaokw\aqenwez.exe
O4 - Startup: BBC iPlayer Desktop.lnk = C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/...Control_32.CAB
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\11.2.0\ViProtocol.dll
O18 - Protocol: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - C:\Program Files\vShare\vshare_toolbar.dll
O20 - AppInit_DLLs: avgrsstx.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: AG Windows Service (AGWinService) - Unknown owner - C:\Program Files\AGI\common\win32\PythonService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG8\Toolbar\ToolbarBroker.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - O2Micro International - C:\Windows\system32\o2flash.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: vToolbarUpdater11.2.0 - Unknown owner - C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\11.2.0\ToolbarUpdater.exe

--
End of file - 11649 bytes

==========================================================================================
DDS
==========================================================================================

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19088
Run by spaRKLYPIXIE at 23:06:40 on 2012-08-16
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.1013.193 [GMT 1:00]
.
AV: AVG Anti-Virus Free *Disabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}
SP: AVG Anti-Virus Free *Disabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
c:\program files\mcafee.com\agent\mcdetect.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Windows\system32\o2flash.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\11.2.0\ToolbarUpdater.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.searchnu.com/406
mDefault_Page_URL = hxxp://support.thetechguys.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
uURLSearchHooks: H - No File
uURLSearchHooks: AGSearchHook Class: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - c:\program files\agi\common\agcutils.dll
mURLSearchHooks: AGSearchHook Class: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - c:\program files\agi\common\agcutils.dll
mURLSearchHooks: H - No File
BHO: vShare Toolbar: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AGSearchHook Class: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - c:\program files\agi\common\agcutils.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Kiwee Toolbar: {6638a9de-0745-4292-8a2e-ae530e7b9b3f} - c:\program files\kiwee toolbar\2.8.167\KiweeIEToolbar.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\11.1.0.12\AVG Secure Search_toolbar.dll
BHO: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\progra~1\search~1\datamngr\toolbar\searchqudtx.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Kiwee Toolbar: {6638a9de-0745-4292-8a2e-ae530e7b9b3f} - c:\program files\kiwee toolbar\2.8.167\KiweeIEToolbar.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
TB: vShare Toolbar: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\11.1.0.12\AVG Secure Search_toolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\progra~1\search~1\datamngr\toolbar\searchqudtx.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EPSON SX110 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatifbe.exe /fu "c:\windows\temp\E_S311E.tmp" /EF "HKCU"
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [{3C96B37F-6B8A-4DF8-C9F7-4E07A3B1E33B}] c:\users\sparklypixie\appdata\roaming\adobe\online services\printfilterpipelinesvc.exe
uRun: [{A6C424EB-3895-E234-2EA1-CC8C39BFAE2D}] c:\users\sparklypixie\appdata\roaming\ezgaokw\aqenwez.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ROC_roc_dec12] "c:\program files\avg secure search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
mRun: [HF_G_Jul] "c:\program files\avg secure search\HF_G_Jul.exe" /DoAction
mRunServices: [McShld9x] c:\program files\mcafee.com\vso\mcshld9x.exe
StartupFolder: c:\users\sparkl~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\bbcipl~1.lnk - c:\program files\bbc iplayer desktop\BBC iPlayer Desktop.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: mswsock.dll
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.1.0/GarminAxControl_32.CAB
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{6A8D8DCF-1D4D-435F-B813-E10BFD3F9E55} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{BAC2B88B-0332-4C29-B74D-245C21D47C98} : DhcpNameServer = 192.168.0.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\11.2.0\ViProtocol.dll
Handler: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - c:\program files\vshare\vshare_toolbar.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\sparklypixie\appdata\roaming\mozilla\firefox\profiles\m15qiws8.default\
FF - prefs.js: browser.search.selectedEngine - Search Results
FF - prefs.js: browser.startup.homepage - hxxp://www.searchnu.com/406
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=101&systemid=406&sr=0&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\common files\avg secure search\sitesafetyinstaller\11.2.0\npsitesafety.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\filmfanaticei\installr\1.bin\NPpaEISb.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\televisionfanaticei\installr\1.bin\NP64EISb.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
---- FIREFOX POLICIES ----
FF - user.js: -
FF - user.js: security.enable_tls - false
FF - user.js: network.http.accept-encoding -
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2006-11-19 38400]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2006-11-16 31360]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-6 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-11-6 27784]
R3 netr73;RT73 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr73.sys [2009-5-24 501248]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-9-16 54632]
S3 s816bus;Sony Ericsson Device 816 driver (WDM);c:\windows\system32\drivers\s816bus.sys [2008-10-26 81832]
S3 s816mdfl;Sony Ericsson Device 816 USB WMC Modem Filter;c:\windows\system32\drivers\s816mdfl.sys [2008-10-26 13864]
S3 s816mdm;Sony Ericsson Device 816 USB WMC Modem Driver;c:\windows\system32\drivers\s816mdm.sys [2008-10-26 107304]
S3 s816mgmt;Sony Ericsson Device 816 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s816mgmt.sys [2008-10-26 99112]
S3 s816nd5;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (NDIS);c:\windows\system32\drivers\s816nd5.sys [2008-10-26 21928]
S3 s816obex;Sony Ericsson Device 816 USB WMC OBEX Interface;c:\windows\system32\drivers\s816obex.sys [2008-10-26 97320]
S3 s816unic;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (WDM);c:\windows\system32\drivers\s816unic.sys [2008-10-26 97704]
.
=============== Created Last 30 ================
.
2012-08-15 16:36:12 -------- d-----w- c:\users\sparklypixie\appdata\roaming\Rezy
2012-08-15 16:36:11 -------- d-----w- c:\users\sparklypixie\appdata\roaming\Ezgaokw
2012-08-14 16:24:49 6891424 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{c459725f-8b73-4c18-8e8e-2c297541e95f}\mpengine.dll
.
==================== Find3M ====================
.
2012-05-31 11:25:14 237072 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 23:09:34.50 ===============

==========================================================================================
GMER
==========================================================================================

BLANK! Not sure if this is right or not :S
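The HijackThis O4 entries and the DDS "FIREFOX POLICIES" block above are the parts of these logs a helper reads first: a Run value named with a bare GUID, an autorun executable living under a user-writable AppData\Roaming folder (the aqenwez.exe entry here), orphaned BHO/toolbar entries, and Firefox user.js prefs that switch off TLS or mixed-content warnings. The script below is an added example, not code from the thread or from the HijackThis/DDS tools; it parses a handful of constructed sample lines modelled on the entries posted above and returns a triage list with a severity and reason for each hit. The severity labels and the list of user-writable directories are my own assumptions, not anything HijackThis or DDS defines.

```python
import re

# Constructed sample lines (not taken verbatim from the thread), modelled on the
# HijackThis O2/O3/O4 entries and the DDS "FF - user.js" entries posted above.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [IgfxTray] C:\\Windows\\system32\\igfxtray.exe
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\QTTask.exe" -atboottime
O4 - HKCU\\..\\Run: [{A6C424EB-3895-E234-2EA1-CC8C39BFAE2D}] C:\\Users\\spaRKLYPIXIE\\AppData\\Roaming\\Ezgaokw\\aqenwez.exe
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O3 - Toolbar: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\\PROGRA~1\\SEARCH~1\\Datamngr\\ToolBar\\searchqudtx.dll (file missing)
FF - user.js: security.enable_tls - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: network.proxy.type - 0
"""

# "O4 - HKLM\..\Run: [name] command line"
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# A Run value whose name is nothing but a GUID.
GUID_RE = re.compile(r'^\{[0-9A-Fa-f-]{36}\}$')
# Executable path at the start of the command line, quoted or not.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.exe)', re.IGNORECASE)
# "FF - user.js: pref - value"
USERJS_RE = re.compile(r'^FF - user\.js: (?P<pref>\S+) - (?P<value>.*)$')

# Assumed list: user-writable directories in which a legitimate autorun is unusual.
USER_WRITABLE = ('\\appdata\\roaming\\', '\\appdata\\local\\temp\\', '\\temp\\')

# Firefox prefs that weaken transport/mixed-content protection when set as shown.
WEAK_PREFS = {
    'security.enable_tls': 'false',
    'security.warn_submit_insecure': 'false',
    'security.warn_viewing_mixed': 'false',
}


def exe_path(cmd):
    """Return the executable path from an O4 command line, or None if none is found."""
    m = EXE_RE.match(cmd.strip())
    return m.group('path') if m else None


def triage_line(line):
    """Return a list of (severity, reason) findings for one log line (empty if benign)."""
    findings = []
    m = O4_RE.match(line)
    if m:
        if GUID_RE.match(m.group('name')):
            findings.append(('high', 'autorun value named with a bare GUID'))
        path = exe_path(m.group('cmd'))
        if path and any(d in path.lower() for d in USER_WRITABLE):
            findings.append(('high', 'autorun executable in user-writable location'))
        return findings
    if line.startswith(('O2 - ', 'O3 - ')) and ('(no file)' in line or '(file missing)' in line):
        findings.append(('low', 'orphaned BHO/toolbar entry'))
        return findings
    m = USERJS_RE.match(line)
    if m and WEAK_PREFS.get(m.group('pref')) == m.group('value').strip():
        findings.append(('medium', 'Firefox security pref weakened: ' + m.group('pref')))
    return findings


def triage(log_text):
    """Run triage_line over every line; return [(severity, reason, line), ...]."""
    out = []
    for line in log_text.splitlines():
        for sev, reason in triage_line(line):
            out.append((sev, reason, line))
    return out


if __name__ == '__main__':
    for sev, reason, line in triage(SAMPLE_LOG):
        print(f'[{sev:6}] {reason}: {line}')
```

Run on the sample, this flags the GUID-named Run entry twice (name and location), the two orphaned browser entries, and the two weakened Firefox prefs, and leaves the vendor autoruns and the neutral proxy pref alone. Paste a full HijackThis or DDS log into `SAMPLE_LOG` to get the same triage over a real report.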
jeffce (Jeff), authorized to help remove malware
Malware Removal Specialist with 1,727 posts.
 
Join Date: May 2011
16-Aug-2012, 10:19 PM #2
Hi,

**WARNING** Unfortunately one or more of the infections I have identified are Backdoor Trojans, IRCBots or other Malware capable of stealing very important information. You need to stop using all Internet Banking sites, change passwords to all sites with sensitive information from a clean computer and phone your bank to inform them that you may be a victim of identity theft. More often than not, we advise users that a full reinstallation of their Operating System is the only way to ensure that their computer will ever be 100% clean again.

Unfortunately I have found what is known as the ZeroAccess rootkit on your system. It is an especially nasty infection that can take quite some time to clean and may itself have damaged your system files. As a warning, during the cleaning (if you choose to do so) you may lose internet access with this computer, and in the end we may need to reinstall the operating system anyway depending on the extent of the infection.

If you would like to format and reinstall your Operating System please let me know and we can assist you with that.

If you would like to continue with the cleaning, please continue with the following instructions and I will be more than happy to help.
----------

Please download aswMBR to your desktop.
  • Right click and Run as Administrator the aswMBR icon to run it.
  • Click the Scan button to start scan.
  • If asked whether you would like to update the Avast virus database please do.
  • When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.


----------
chrispcarter
Member with 20 posts.
THREAD STARTER
 
Join Date: Aug 2012
Experience: Intermediate
17-Aug-2012, 02:47 AM #3
Hi jeffce,
Thanks very much for picking this up. Net access won't be a problem as I have the lappy sitting next to my machine and I can use USB to transfer anything I need.

I'd like to try cleaning it before reinstalling the OS (not least because I don't have the disk and would have to get it from them), but if we have to do that, we have to. I'll start copying (and scanning) the in-laws' docs in case we end up doing that.

Anyway, here are the results from aswMBR:

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-08-17 06:57:23
-----------------------------
06:57:23.832 OS Version: Windows 6.0.6001 Service Pack 1
06:57:23.832 Number of processors: 2 586 0xE0C
06:57:23.832 ComputerName: SPARKLYPIXIE-PC UserName: spaRKLYPIXIE
06:58:32.097 Initialize success
07:01:13.757 AVAST engine download error: 0
07:01:24.864 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1
07:01:24.864 Disk 0 Vendor: Hitachi_HTS541280H9SA00 HP3OC20F Size: 76319MB BusType: 3
07:01:24.895 Disk 0 MBR read successfully
07:01:24.895 Disk 0 MBR scan
07:01:24.895 Disk 0 Windows VISTA default MBR code
07:01:24.911 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 5500 MB offset 2048
07:01:24.942 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 1500 MB offset 11266048
07:01:24.957 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 69317 MB offset 14338048
07:01:24.957 Disk 0 scanning sectors +156299264
07:01:25.051 Disk 0 scanning C:\Windows\system32\drivers
07:01:48.504 Service scanning
07:02:25.897 Modules scanning
07:02:34.571 Disk 0 trace - called modules:
07:02:34.617 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS intelide.sys PCIIDEX.SYS atapi.sys
07:02:34.617 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x853b0ac8]
07:02:34.633 3 CLASSPNP.SYS[869a0745] -> nt!IofCallDriver -> [0x84d01918]
07:02:34.633 5 acpi.sys[8068e6a0] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-1[0x84cf0030]
07:02:34.649 Scan finished successfully
07:03:14.944 Disk 0 MBR has been saved successfully to "D:\MBR.dat"
07:03:14.960 The log file has been saved successfully to "D:\aswMBR.txt"
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-08-17 07:04:01
-----------------------------
07:04:01.369 OS Version: Windows 6.0.6001 Service Pack 1
07:04:01.369 Number of processors: 2 586 0xE0C
07:04:01.369 ComputerName: SPARKLYPIXIE-PC UserName: spaRKLYPIXIE
07:04:06.330 Initialize success
07:06:23.573 AVAST engine defs: 12081601
07:06:35.866 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1
07:06:35.882 Disk 0 Vendor: Hitachi_HTS541280H9SA00 HP3OC20F Size: 76319MB BusType: 3
07:06:35.928 Disk 0 MBR read successfully
07:06:35.944 Disk 0 MBR scan
07:06:36.396 Disk 0 Windows VISTA default MBR code
07:06:36.459 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 5500 MB offset 2048
07:06:36.506 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 1500 MB offset 11266048
07:06:36.552 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 69317 MB offset 14338048
07:06:36.615 Disk 0 scanning sectors +156299264
07:06:36.896 Disk 0 scanning C:\Windows\system32\drivers
07:07:11.639 Service scanning
07:08:09.081 Modules scanning
07:08:42.622 Disk 0 trace - called modules:
07:08:42.716 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS intelide.sys PCIIDEX.SYS atapi.sys
07:08:42.716 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x853b0ac8]
07:08:42.731 3 CLASSPNP.SYS[869a0745] -> nt!IofCallDriver -> [0x84d01918]
07:08:42.747 5 acpi.sys[8068e6a0] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-1[0x84cf0030]
07:08:44.151 AVAST engine scan C:\Windows
07:08:55.275 AVAST engine scan C:\Windows\system32
07:16:52.313 File: C:\Windows\assembly\GAC\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
07:19:18.299 AVAST engine scan C:\Windows\system32\drivers
07:19:51.544 AVAST engine scan C:\Users\spaRKLYPIXIE
07:22:50.158 File: C:\Users\spaRKLYPIXIE\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FH6CTWS0\info[1].exe **INFECTED** Win32:MBRlock-DG [Trj]
07:22:54.276 File: C:\Users\spaRKLYPIXIE\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SP2HK1EZ\info[1].exe **INFECTED** Win32:Sirefef-AHQ [Trj]
07:30:14.122 File: C:\Users\spaRKLYPIXIE\AppData\Roaming\Ezgaokw\aqenwez.exe **INFECTED** Win32:MBRlock-DG [Trj]
07:39:38.796 AVAST engine scan C:\ProgramData
07:42:49.446 Scan finished successfully
07:45:11.267 Disk 0 MBR has been saved successfully to "D:\MBR.dat"
07:45:11.345 The log file has been saved successfully to "D:\aswMBR.txt"
jeffce's Avatar
jeffce   (Jeff) jeffce is offline jeffce is authorized to help remove malware.
jeffce has a Photo Album
Malware Removal Specialist with 1,727 posts.
 
Join Date: May 2011
17-Aug-2012, 09:57 AM #4
Hi,

Download Combofix from the link below, and save it to your desktop.
Link

**Note: It is important that it is saved directly to your desktop**
If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.


--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

--------------------------------------------------------------------

Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.
----------
chrispcarter's Avatar
chrispcarter chrispcarter is offline
Member with 20 posts.
THREAD STARTER
 
Join Date: Aug 2012
Experience: Intermediate
17-Aug-2012, 11:10 AM #5
Hi jeffce,
thanks again and here we go:

ComboFix 12-08-17.01 - spaRKLYPIXIE 17/08/2012 15:27:20.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.1013.383 [GMT 1:00]
Running from: c:\users\spaRKLYPIXIE\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *Disabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}
SP: AVG Anti-Virus Free *Disabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\program files\FilmFanaticEI
c:\program files\FilmFanaticEI\Installr\1.bin\NPpaEISb.dll
c:\program files\FilmFanaticEI\Installr\1.bin\paEIPlug.dll
c:\program files\FilmFanaticEI\Installr\1.bin\paEZSETP.dll
c:\program files\screensavers.com
c:\program files\TelevisionFanaticEI
c:\program files\TelevisionFanaticEI\Installr\1.bin\64EIPlug.dll
c:\program files\TelevisionFanaticEI\Installr\1.bin\64EZSETP.dll
c:\program files\TelevisionFanaticEI\Installr\1.bin\NP64EISb.dll
c:\programdata\181188670
c:\users\spaRKLYPIXIE\AppData\Local\{8a96069a-0c85-afbc-7f78-6d7f2a42cf58}
c:\users\spaRKLYPIXIE\AppData\Local\{8a96069a-0c85-afbc-7f78-6d7f2a42cf58}\@
c:\users\spaRKLYPIXIE\AppData\Local\{8a96069a-0c85-afbc-7f78-6d7f2a42cf58}\n
c:\users\spaRKLYPIXIE\AppData\Roaming\Adobe\Online Services\printfilterpipelinesvc.exe
c:\users\spaRKLYPIXIE\AppData\Roaming\Ezgaokw\aqenwez.exe
c:\users\spaRKLYPIXIE\Documents\~WRL1185.tmp
c:\users\spaRKLYPIXIE\Documents\~WRL2176.tmp
c:\users\spaRKLYPIXIE\Documents\~WRL3035.tmp
c:\users\spaRKLYPIXIE\Documents\~WRL3253.tmp
c:\users\spaRKLYPIXIE\Documents\~WRL3400.tmp
c:\windows\Installer\{8a96069a-0c85-afbc-7f78-6d7f2a42cf58}
c:\windows\Installer\{8a96069a-0c85-afbc-7f78-6d7f2a42cf58}\@
c:\windows\Installer\{8a96069a-0c85-afbc-7f78-6d7f2a42cf58}\L\00000004.@
c:\windows\Installer\{8a96069a-0c85-afbc-7f78-6d7f2a42cf58}\L\201d3dde
c:\windows\Installer\{8a96069a-0c85-afbc-7f78-6d7f2a42cf58}\n
c:\windows\Installer\{8a96069a-0c85-afbc-7f78-6d7f2a42cf58}\U\00000004.@
c:\windows\Installer\{8a96069a-0c85-afbc-7f78-6d7f2a42cf58}\U\00000008.@
c:\windows\Installer\{8a96069a-0c85-afbc-7f78-6d7f2a42cf58}\U\000000cb.@
c:\windows\Installer\{8a96069a-0c85-afbc-7f78-6d7f2a42cf58}\U\80000000.@
c:\windows\Installer\{8a96069a-0c85-afbc-7f78-6d7f2a42cf58}\U\80000032.@
.
c:\windows\system32\services.exe . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2012-07-17 to 2012-08-17 )))))))))))))))))))))))))))))))
.
.
2012-08-17 14:39 . 2012-08-17 14:50 -------- d-----w- c:\users\spaRKLYPIXIE\AppData\Local\temp
2012-08-17 14:39 . 2012-08-17 14:39 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-16 22:16 . 2012-08-16 22:16 100864 ----a-w- C:\kfkirkob.sys
2012-08-15 16:36 . 2012-08-16 21:13 -------- d-----w- c:\users\spaRKLYPIXIE\AppData\Roaming\Rezy
2012-08-15 16:36 . 2012-08-17 14:38 -------- d-----w- c:\users\spaRKLYPIXIE\AppData\Roaming\Ezgaokw
2012-08-14 16:24 . 2012-06-29 08:44 6891424 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C459725F-8B73-4C18-8E8E-2C297541E95F}\mpengine.dll
2012-07-25 17:02 . 2012-07-25 17:02 -------- d-----w- c:\program files\Microsoft Silverlight
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-31 11:25 . 2009-10-02 18:02 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-05-07 11:48 . 2012-02-25 14:53 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0BC6E3FA-78EF-4886-842C-5A1258C4455A}"= "c:\program files\AGI\common\agcutils.dll" [2010-01-07 43520]
.
[HKEY_CLASSES_ROOT\clsid\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
[HKEY_CLASSES_ROOT\agcutils.AGSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{647B16D8-AD7B-4983-82D7-82A270FC9E6D}]
[HKEY_CLASSES_ROOT\agcutils.AGSearchHook]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0BC6E3FA-78EF-4886-842C-5A1258C4455A}]
2010-01-07 18:19 43520 ----a-w- c:\program files\AGI\common\agcutils.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6638A9DE-0745-4292-8A2E-AE530E7B9B3F}]
2008-12-07 17:02 277648 ----a-w- c:\program files\Kiwee Toolbar\2.8.167\KiweeIEToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6638A9DE-0745-4292-8A2E-AE530E7B9B3F}"= "c:\program files\Kiwee Toolbar\2.8.167\KiweeIEToolbar.dll" [2008-12-07 277648]
.
[HKEY_CLASSES_ROOT\clsid\{6638a9de-0745-4292-8a2e-ae530e7b9b3f}]
[HKEY_CLASSES_ROOT\KiweeIEToolbar.KiweeToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{259EEB17-79AA-44DF-8410-8E55F82A902A}]
[HKEY_CLASSES_ROOT\KiweeIEToolbar.KiweeToolbar]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{6638A9DE-0745-4292-8A2E-AE530E7B9B3F}"= "c:\program files\Kiwee Toolbar\2.8.167\KiweeIEToolbar.dll" [2008-12-07 277648]
.
[HKEY_CLASSES_ROOT\clsid\{6638a9de-0745-4292-8a2e-ae530e7b9b3f}]
[HKEY_CLASSES_ROOT\KiweeIEToolbar.KiweeToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{259EEB17-79AA-44DF-8410-8E55F82A902A}]
[HKEY_CLASSES_ROOT\KiweeIEToolbar.KiweeToolbar]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-27 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-23 4423680]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-04 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-04 154392]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
.
c:\users\spaRKLYPIXIE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cce3505b4437e0.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-13 19:39]
.
2012-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-13 19:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.searchnu.com/406
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.1.0/GarminAxControl_32.CAB
FF - ProfilePath - c:\users\spaRKLYPIXIE\AppData\Roaming\Mozilla\Firefox\Profiles\m15qiws8.default\
FF - prefs.js: browser.search.selectedEngine - Search Results
FF - prefs.js: browser.startup.homepage - hxxp://www.searchnu.com/406
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=101&systemid=406&sr=0&q=
FF - prefs.js: network.proxy.type - 0
FF - user.js: -
FF - user.js: security.enable_tls - false
FF - user.js: network.http.accept-encoding -
FF - user.js: secnetwork.http.accept-encodingurity.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-10 - (no file)
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
HKCU-Run-ISUSPM - c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
HKCU-Run-{3C96B37F-6B8A-4DF8-C9F7-4E07A3B1E33B} - c:\users\spaRKLYPIXIE\AppData\Roaming\Adobe\Online Services\printfilterpipelinesvc.exe
HKCU-Run-{A6C424EB-3895-E234-2EA1-CC8C39BFAE2D} - c:\users\spaRKLYPIXIE\AppData\Roaming\Ezgaokw\aqenwez.exe
HKLM-Run-ROC_roc_dec12 - c:\program files\AVG Secure Search\ROC_roc_dec12.exe
HKLM-Run-HF_G_Jul - c:\program files\AVG Secure Search\HF_G_Jul.exe
AddRemove-{23A287DB-449A-462F-BDE1-8635A61671CE} - c:\program files\AGI\common\bootstrapper.exe -uninstallC:/Program Files/AGI/Python25\pythonw.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-17 15:51
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3192540412-4096636921-3291768311-1000\¬ î**]
@Allowed: (Read) (RestrictedCode)
"MachineID"=hex:fe,7e,01,11,98,6b,14,00
DUMPHIVE0.003 (REGF)
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\windows\system32\o2flash.exe
c:\program files\Spybot - Search & Destroy\SDWinSec.exe
c:\windows\system32\WUDFHost.exe
.
**************************************************************************
.
Completion time: 2012-08-17 15:56:34 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-17 14:56
.
Pre-Run: 16,963,780,608 bytes free
Post-Run: 16,829,390,848 bytes free
.
- - End Of File - - 35CB88D76C0F401390EEFFFFC63CFA22
jeffce's Avatar
jeffce   (Jeff) jeffce is offline jeffce is authorized to help remove malware.
jeffce has a Photo Album
Malware Removal Specialist with 1,727 posts.
 
Join Date: May 2011
17-Aug-2012, 01:21 PM #6
Hi,

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


**If you are using a 64bit system please use either of the following links for your download instead:
Link 1
Link 2
  • Right-click and Run as Administrator SystemLook.exe to run it.
  • Copy the content within the following codebox into the main textfield:
    Code:
    :filefind
    services.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
chrispcarter's Avatar
chrispcarter chrispcarter is offline
Member with 20 posts.
THREAD STARTER
 
Join Date: Aug 2012
Experience: Intermediate
17-Aug-2012, 02:24 PM #7
Cheers Jeff.

SystemLook 30.07.11 by jpshortstuff
Log created at 18:42 on 17/08/2012 by spaRKLYPIXIE
Administrator - Elevation successful

========== filefind ==========

Searching for "services.exe"
C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe --a---- 279552 bytes [18:14 04/08/2009] [06:27 11/04/2009] D4E6D91C1349B7BFB3599A6ADA56851B
C:\Windows\System32\services.exe --a---- 279040 bytes [10:49 07/06/2008] [07:33 19/01/2008] 5DC3C54FC22BBB6F66C290C7C0384DF9
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe --a---- 279552 bytes [08:35 02/11/2006] [09:45 02/11/2006] 329CF3C97CE4C19375C8ABCABAE258B0
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe --a---- 279040 bytes [10:49 07/06/2008] [07:33 19/01/2008] 2B336AB6286D6C81FA02CBAB914E3C6C

-= EOF =-
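The four hashes above are the whole point of the SystemLook step: the live C:\Windows\System32\services.exe has the same size and the same two timestamps as the 6.0.6001.18000 copy in WinSxS, yet a different MD5, which is exactly what an in-place patch of a system binary looks like (the bytes changed, the metadata was preserved). The script below is an added example, not part of the thread and not SystemLook's or the helper's own tooling: it parses the posted ":filefind" output (embedded as a constructed sample, with the forum's mid-word line wrapping undone) and flags any live copy whose metadata twin in a servicing store carries a different hash. The line format it parses and the "same size and timestamps means same bytes" heuristic are assumptions drawn from this log; SystemLook's own parsing is not involved.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the four ":filefind services.exe" result lines posted above,
# with the forum's mid-word wrapping ("x 86_", "ser vices.exe") undone so each
# entry is one line. Hashes and timestamps are the ones in the post.
SYSTEMLOOK_SAMPLE = r"""SystemLook 30.07.11 by jpshortstuff
Log created at 18:42 on 17/08/2012 by spaRKLYPIXIE
Administrator - Elevation successful

========== filefind ==========

Searching for "services.exe"
C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe --a---- 279552 bytes [18:14 04/08/2009] [06:27 11/04/2009] D4E6D91C1349B7BFB3599A6ADA56851B
C:\Windows\System32\services.exe --a---- 279040 bytes [10:49 07/06/2008] [07:33 19/01/2008] 5DC3C54FC22BBB6F66C290C7C0384DF9
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe --a---- 279552 bytes [08:35 02/11/2006] [09:45 02/11/2006] 329CF3C97CE4C19375C8ABCABAE258B0
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe --a---- 279040 bytes [10:49 07/06/2008] [07:33 19/01/2008] 2B336AB6286D6C81FA02CBAB914E3C6C

-= EOF =-
"""

# One filefind result line, as seen in the post (assumed format):
#   <path> <attrs> <size> bytes [<modified>] [<created>] <MD5>
ENTRY_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<attrs>[-A-Za-z]{7})\s+"
    r"(?P<size>\d+) bytes\s+"
    r"\[(?P<modified>[^\]]+)\]\s+"
    r"\[(?P<created>[^\]]+)\]\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s*$"
)
# Component version embedded in a WinSxS / servicing directory name, e.g. _6.0.6001.18000_
VERSION_RE = re.compile(r"_(\d+\.\d+\.\d+\.\d+)_")


@dataclass
class FileEntry:
    path: str
    size: int
    modified: str
    created: str
    md5: str

    @property
    def is_live(self) -> bool:
        """The copy Windows actually executes: under System32, not in a servicing store."""
        p = self.path.lower()
        return "\\system32\\" in p and "\\winsxs\\" not in p and "\\softwaredistribution\\" not in p

    @property
    def version(self) -> Optional[str]:
        m = VERSION_RE.search(self.path)
        return m.group(1) if m else None


def parse_filefind(text: str) -> List[FileEntry]:
    """Extract the result lines from a SystemLook :filefind log; header/footer lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(FileEntry(m["path"], int(m["size"]), m["modified"], m["created"], m["md5"].upper()))
    return entries


def assess(entries: List[FileEntry]) -> List[Dict[str, Optional[str]]]:
    """Compare each live copy against servicing-store copies with identical size and timestamps.

    Same metadata but a different MD5 is the signature of an in-place patch; a store copy
    that matches on metadata and hash is a clean result; no metadata twin means the log
    alone cannot decide and a known-good hash must come from elsewhere.
    """
    results = []
    store = [e for e in entries if not e.is_live]
    for live in (e for e in entries if e.is_live):
        twins = [s for s in store
                 if s.size == live.size and s.modified == live.modified and s.created == live.created]
        verdict = {"path": live.path, "live_md5": live.md5, "reference": None, "reference_version": None}
        if not twins:
            verdict["status"] = "no-reference"
        elif any(t.md5 == live.md5 for t in twins):
            verdict["status"] = "match"
        else:
            ref = twins[0]
            verdict.update(status="hash-mismatch", reference=ref.path, reference_version=ref.version)
        results.append(verdict)
    return results


if __name__ == "__main__":
    for r in assess(parse_filefind(SYSTEMLOOK_SAMPLE)):
        print(f"{r['status']:14} {r['path']}  md5={r['live_md5']}")
        if r["reference"]:
            print(f"{'':14} expected the hash of version {r['reference_version']} at {r['reference']}")
```

Run against the sample it reports one `hash-mismatch` for the System32 copy and names the 6.0.6001.18000 WinSxS file as the reference, which is the same file the later CFScript copies back over it. The 6.0.6000.16386 and 6.0.6002.18005 copies are ignored because their size and timestamps differ, so a different hash there would mean nothing.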
jeffce's Avatar
jeffce   (Jeff) jeffce is offline jeffce is authorized to help remove malware.
jeffce has a Photo Album
Malware Removal Specialist with 1,727 posts.
 
Join Date: May 2011
17-Aug-2012, 09:20 PM #8
Hi,
  • Please download the file I attached to this reply to your Desktop then follow the instructions below...
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------
Attachment Blocked
Attachments in the HJT forum are often designed to solve a specific issue and not meant to be used without instructions specific to your computer. If you want help specific to your computer, please post a HiJackThis Log. If you started this thread, please make sure you are logged in to be able to view attachments.
chrispcarter's Avatar
chrispcarter chrispcarter is offline
Member with 20 posts.
THREAD STARTER
 
Join Date: Aug 2012
Experience: Intermediate
18-Aug-2012, 03:18 PM #9
Hi Jeff,
here's the latest. I should note that I removed AVG using the AVG uninstaller tool before running SystemLook as the UI was crashing when I was trying to disable it - should have mentioned this earlier, sorry!

ComboFix 12-08-17.01 - spaRKLYPIXIE 18/08/2012 20:02:36.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.1013.365 [GMT 1:00]
Running from: c:\users\spaRKLYPIXIE\Desktop\ComboFix.exe
Command switches used :: c:\users\spaRKLYPIXIE\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe --> c:\windows\System32\services.exe
.
((((((((((((((((((((((((( Files Created from 2012-07-18 to 2012-08-18 )))))))))))))))))))))))))))))))
.
.
2012-08-18 19:12 . 2012-08-18 19:12 -------- d-----w- c:\users\spaRKLYPIXIE\AppData\Local\temp
2012-08-18 19:12 . 2012-08-18 19:12 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-08-18 19:12 . 2012-08-18 19:12 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-16 22:16 . 2012-08-16 22:16 100864 ----a-w- C:\kfkirkob.sys
2012-08-15 16:36 . 2012-08-16 21:13 -------- d-----w- c:\users\spaRKLYPIXIE\AppData\Roaming\Rezy
2012-08-15 16:36 . 2012-08-17 14:38 -------- d-----w- c:\users\spaRKLYPIXIE\AppData\Roaming\Ezgaokw
2012-08-14 16:24 . 2012-06-29 08:44 6891424 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C459725F-8B73-4C18-8E8E-2C297541E95F}\mpengine.dll
2012-07-25 17:02 . 2012-07-25 17:02 -------- d-----w- c:\program files\Microsoft Silverlight
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-31 11:25 . 2009-10-02 18:02 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-05-07 11:48 . 2012-02-25 14:53 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0BC6E3FA-78EF-4886-842C-5A1258C4455A}"= "c:\program files\AGI\common\agcutils.dll" [2010-01-07 43520]
.
[HKEY_CLASSES_ROOT\clsid\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
[HKEY_CLASSES_ROOT\agcutils.AGSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{647B16D8-AD7B-4983-82D7-82A270FC9E6D}]
[HKEY_CLASSES_ROOT\agcutils.AGSearchHook]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0BC6E3FA-78EF-4886-842C-5A1258C4455A}]
2010-01-07 18:19 43520 ----a-w- c:\program files\AGI\common\agcutils.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6638A9DE-0745-4292-8A2E-AE530E7B9B3F}]
2008-12-07 17:02 277648 ----a-w- c:\program files\Kiwee Toolbar\2.8.167\KiweeIEToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6638A9DE-0745-4292-8A2E-AE530E7B9B3F}"= "c:\program files\Kiwee Toolbar\2.8.167\KiweeIEToolbar.dll" [2008-12-07 277648]
.
[HKEY_CLASSES_ROOT\clsid\{6638a9de-0745-4292-8a2e-ae530e7b9b3f}]
[HKEY_CLASSES_ROOT\KiweeIEToolbar.KiweeToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{259EEB17-79AA-44DF-8410-8E55F82A902A}]
[HKEY_CLASSES_ROOT\KiweeIEToolbar.KiweeToolbar]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{6638A9DE-0745-4292-8A2E-AE530E7B9B3F}"= "c:\program files\Kiwee Toolbar\2.8.167\KiweeIEToolbar.dll" [2008-12-07 277648]
.
[HKEY_CLASSES_ROOT\clsid\{6638a9de-0745-4292-8a2e-ae530e7b9b3f}]
[HKEY_CLASSES_ROOT\KiweeIEToolbar.KiweeToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{259EEB17-79AA-44DF-8410-8E55F82A902A}]
[HKEY_CLASSES_ROOT\KiweeIEToolbar.KiweeToolbar]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-27 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-23 4423680]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-04 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-04 154392]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
.
c:\users\spaRKLYPIXIE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cce3505b4437e0.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-13 19:39]
.
2012-08-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-13 19:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.searchnu.com/406
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.1.0/GarminAxControl_32.CAB
FF - ProfilePath - c:\users\spaRKLYPIXIE\AppData\Roaming\Mozilla\Firefox\Profiles\m15qiws8.default\
FF - prefs.js: browser.search.selectedEngine - Search Results
FF - prefs.js: browser.startup.homepage - hxxp://www.searchnu.com/406
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=101&systemid=406&sr=0&q=
FF - prefs.js: network.proxy.type - 0
FF - user.js: -
FF - user.js: security.enable_tls - false
FF - user.js: network.http.accept-encoding -
FF - user.js: secnetwork.http.accept-encodingurity.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-18 20:12
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3192540412-4096636921-3291768311-1000\¬ î**]
@Allowed: (Read) (RestrictedCode)
"MachineID"=hex:fe,7e,01,11,98,6b,14,00
DUMPHIVE0.003 (REGF)
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-08-18 20:15:43
ComboFix-quarantined-files.txt 2012-08-18 19:15
ComboFix2.txt 2012-08-17 14:56
.
Pre-Run: 16,746,000,384 bytes free
Post-Run: 16,659,976,192 bytes free
.
- - End Of File - - 8CC427E6817EC045C09699CC00554EA4
jeffce's Avatar
jeffce   (Jeff) jeffce is offline jeffce is authorized to help remove malware.
jeffce has a Photo Album
Malware Removal Specialist with 1,727 posts.
 
Join Date: May 2011
18-Aug-2012, 04:33 PM #10
Quote:
I removed AVG using the AVG uninstaller tool before running SystemLook as the UI was crashing when I was trying to disable it -should have mentioned this earlier, sorry!
No worries!
-------

OTL
  • Download OTL to your desktop.
  • Right-click and Run as Administrator on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Under the Custom Scan box paste this in

    netsvcs
    /md5start
    consrv.dll
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    /md5stop
    CREATERESTOREPOINT
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt.
      Note: These logs can be located in the OTL. folder on your C:\ drive if they fail to open automatically.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them both in.
----------
chrispcarter's Avatar
chrispcarter chrispcarter is offline
Member with 20 posts.
THREAD STARTER
 
Join Date: Aug 2012
Experience: Intermediate
18-Aug-2012, 06:40 PM #11
Just done the above and it returned the following dialog:

"OTL
Win32 Error. Code: 23.
Data error (cyclic redundancy check)."

At the time the status bar was showing "System Event Log record 49319"

After OKing that it seems to have locked up. I'll try running it again tomorrow, but for now I need some sleep!

I've attached a jpeg showing the settings I had selected.
jeffce's Avatar
jeffce   (Jeff) jeffce is offline jeffce is authorized to help remove malware.
jeffce has a Photo Album
Malware Removal Specialist with 1,727 posts.
 
Join Date: May 2011
18-Aug-2012, 10:53 PM #12
OK... if you need to, try running OTL in Safe Mode.
chrispcarter's Avatar
chrispcarter chrispcarter is offline
Member with 20 posts.
THREAD STARTER
 
Join Date: Aug 2012
Experience: Intermediate
19-Aug-2012, 09:53 AM #13
Same error received in same place whilst carrying out scan in safe mode!

Going to run a disk check in case the CRC is indicative of bad sectors.
jeffce's Avatar
jeffce   (Jeff) jeffce is offline jeffce is authorized to help remove malware.
jeffce has a Photo Album
Malware Removal Specialist with 1,727 posts.
 
Join Date: May 2011
19-Aug-2012, 11:05 AM #14
chrispcarter's Avatar
chrispcarter chrispcarter is offline
Member with 20 posts.
THREAD STARTER
 
Join Date: Aug 2012
Experience: Intermediate
19-Aug-2012, 11:25 AM #15
There were some issues on the disk, hopefully all sorted now, so I am re-running OTL.

Checking file system on C:
The type of the file system is NTFS.
Volume label is Vista.
A disk check has been scheduled.
Windows will now check the disk.
173760 file records processed.
925 large file records processed.
0 bad file records processed.
12 EA records processed.
60 reparse records processed.
226924 index entries processed.
0 unindexed files processed.
173760 security descriptors processed.
Cleaning up 399 unused index entries from index $SII of file 0x9.
Cleaning up 399 unused index entries from index $SDH of file 0x9.
Cleaning up 399 unused security descriptors.

26583 data files processed.
CHKDSK is verifying Usn Journal...
37335312 USN bytes processed.
Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
173744 files processed. File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
4351737 free clusters processed.
Free space verification is complete.
CHKDSK discovered free space marked as allocated in the master file table (MFT) bitmap.
CHKDSK discovered free space marked as allocated in the volume bitmap.

Windows has made corrections to the file system.
70980607 KB total disk space.
53193260 KB in 126598 files.
87268 KB in 26584 indexes.
4 KB in bad sectors.
293123 KB in use by the system.
65536 KB occupied by the log file.
17406952 KB available on disk.
4096 bytes in each allocation unit.
17745151 total allocation units on disk.
4351738 allocation units available on disk.
Internal Info:
c0 a6 02 00 6a 56 02 00 f2 1c 04 00 00 00 00 00 ....jV..........
ae 87 00 00 3c 00 00 00 00 00 00 00 00 00 00 00 ....<...........
42 00 00 00 5f 84 2a 77 78 85 2d 00 78 7d 2d 00 B..._.*wx.-.x}-.
Windows has finished checking your disk.
Please wait while your computer restarts.
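Before re-running a scanner on a volume that has just thrown a CRC error (Win32 error 23, as in the OTL dialog above), it is worth checking that the CHKDSK report is internally consistent and whether anything remains that a scanner cannot fix. The following parser is an added example written for this page, not a tool from the thread or from any of the utilities mentioned in it. The sample text is constructed from the summary figures posted above; the field names, the `assess` rules and the invariant it checks (files + indexes + bad sectors + system + available == total, with the log file already counted inside the system figure) are our own reading of the CHKDSK summary format.

```python
import re

# Constructed sample: the tail of a CHKDSK run, modelled on the summary
# posted in the thread above. The numbers are the thread's; the layout is ours.
SAMPLE_CHKDSK = """\
CHKDSK is verifying free space (stage 5 of 5)...
4351737 free clusters processed.
Free space verification is complete.
CHKDSK discovered free space marked as allocated in the master file table (MFT) bitmap.
CHKDSK discovered free space marked as allocated in the volume bitmap.

Windows has made corrections to the file system.
70980607 KB total disk space.
53193260 KB in 126598 files.
87268 KB in 26584 indexes.
4 KB in bad sectors.
293123 KB in use by the system.
65536 KB occupied by the log file.
17406952 KB available on disk.
4096 bytes in each allocation unit.
17745151 total allocation units on disk.
4351738 allocation units available on disk.
Windows has finished checking your disk.
"""

# Summary lines we care about, keyed by the name used in the result dict.
_FIELDS = {
    "total_kb":       r"(\d+) KB total disk space",
    "files_kb":       r"(\d+) KB in \d+ files",
    "indexes_kb":     r"(\d+) KB in \d+ indexes",
    "bad_kb":         r"(\d+) KB in bad sectors",
    "system_kb":      r"(\d+) KB in use by the system",
    "log_kb":         r"(\d+) KB occupied by the log file",
    "available_kb":   r"(\d+) KB available on disk",
    "cluster_bytes":  r"(\d+) bytes in each allocation unit",
    "clusters_total": r"(\d+) total allocation units on disk",
    "clusters_free":  r"(\d+) allocation units available on disk",
}


def parse_chkdsk_summary(text):
    """Extract the size figures and repair indicators from CHKDSK output.

    Raises ValueError if a summary line is missing, so a truncated or
    lock-up-interrupted report is never silently treated as a clean one.
    """
    summary = {}
    for key, pattern in _FIELDS.items():
        match = re.search(pattern, text)
        if match is None:
            raise ValueError("CHKDSK summary line missing: " + key)
        summary[key] = int(match.group(1))
    summary["corrections_made"] = "Windows has made corrections" in text
    summary["bitmap_errors"] = len(
        re.findall(r"CHKDSK discovered free space marked as allocated", text))
    return summary


def accounting_balances(s):
    """The size lines partition the volume. The log file is reported
    separately but lives inside the 'in use by the system' figure, so it
    must not be added again (doing so overshoots by 65536 KB here)."""
    used = s["files_kb"] + s["indexes_kb"] + s["bad_kb"] + s["system_kb"]
    return used + s["available_kb"] == s["total_kb"]


def assess(s):
    """Return (fit_for_scan, reasons) for a parsed summary.

    Our rule of thumb (an assumption, not a CHKDSK definition): a volume is
    fit to scan only if no bad sectors remain, no repairs were needed on
    this pass, and the figures are self-consistent.
    """
    reasons = []
    if s["bad_kb"] > 0:
        reasons.append(
            "%d KB in bad sectors: a CRC error on a file stored there is a "
            "read failure the scanner cannot work around" % s["bad_kb"])
    if s["corrections_made"] or s["bitmap_errors"]:
        reasons.append(
            "file-system metadata was repaired (%d bitmap findings); "
            "run CHKDSK again and expect a clean pass" % s["bitmap_errors"])
    if not accounting_balances(s):
        reasons.append("size figures do not add up; the report is unreliable")
    free_kb = s["clusters_free"] * s["cluster_bytes"] // 1024
    if free_kb != s["available_kb"]:
        reasons.append("free-cluster count disagrees with available KB")
    return (not reasons, reasons)


if __name__ == "__main__":
    parsed = parse_chkdsk_summary(SAMPLE_CHKDSK)
    ok, why = assess(parsed)
    print("fit for scan:", ok)
    for line in why:
        print(" -", line)
```

Run against the posted figures, the accounting balances exactly and the free-cluster count (4351738 × 4 KB) matches the available space, so the parser trusts the report; it still reports the volume as not yet fit because 4 KB sit in bad sectors and this pass made corrections. In practice that means re-running CHKDSK before OTL, and, if the bad-sector figure persists, treating any file the scanner cannot read as a disk problem rather than a hidden component of the infection.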