
Services.exe infected with patched_c.lze

Discussion in 'Virus & Other Malware Removal' started by chrispcarter, Aug 16, 2012.

  1. chrispcarter

    chrispcarter Thread Starter

    Joined:
    Aug 16, 2012
    Messages:
    20
    Hi all,
    having agreed to have a look at the in-laws lappy for them for what I thought would be a simple scan and clean, I've found that (at the very least) services.exe is infected with patched_c.lze. AVG threw this up shortly after logon.

    I'm fairly tech savvy but after a little research I thought I could save myself time and potential issues by asking for help on here, as I see others have received good help with similar problems, so here I am.

    The machine seems, in short, absolutely knackered - processes are just failing left right and centre. Thankfully I have PCs of my own I can use for net etc and can xfer files via USB stick (carefully)!

    When I tried to run GMER initially, it bluescreened, so I restarted in safe mode and ran it again - though I noticed it greyed out some of the options (only Services, Registry, Files, C:\ and ADS were selected). If I need a full scan in normal windows let me know and I'll try it again!

    ==========================================================================================
    ==========================================================================================
    HIJACKTHIS:
    ==========================================================================================
    ==========================================================================================

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 23:05:51, on 16/08/2012
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v8.00 (8.00.6001.19088)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Users\spaRKLYPIXIE\Desktop\HijackThis.exe
    C:\Windows\system32\WerFault.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchnu.com/406
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://support.thetechguys.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
    R3 - URLSearchHook: AGSearchHook Class - {0BC6E3FA-78EF-4886-842C-5A1258C4455A} - C:\Program Files\AGI\common\agcutils.dll
    O1 - Hosts: ::1 localhost
    O2 - BHO: vShare Toolbar - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files\vShare\vshare_toolbar.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: AGSearchHook Class - {0BC6E3FA-78EF-4886-842C-5A1258C4455A} - C:\Program Files\AGI\common\agcutils.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Kiwee Toolbar - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - C:\Program Files\Kiwee Toolbar\2.8.167\KiweeIEToolbar.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
    O2 - BHO: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll
    O2 - BHO: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~1\SEARCH~1\Datamngr\ToolBar\searchqudtx.dll (file missing)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
    O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: Kiwee Toolbar - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - C:\Program Files\Kiwee Toolbar\2.8.167\KiweeIEToolbar.dll
    O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O3 - Toolbar: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
    O3 - Toolbar: vShare Toolbar - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files\vShare\vshare_toolbar.dll
    O3 - Toolbar: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O3 - Toolbar: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~1\SEARCH~1\Datamngr\ToolBar\searchqudtx.dll (file missing)
    O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [RIMBBLaunchAgent.exe] C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
    O4 - HKLM\..\Run: [vProt] "C:\Program Files\AVG Secure Search\vprot.exe"
    O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ROC_roc_dec12] "C:\Program Files\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
    O4 - HKLM\..\Run: [HF_G_Jul] "C:\Program Files\AVG Secure Search\HF_G_Jul.exe" /DoAction
    O4 - HKLM\..\RunServices: [McShld9x] C:\Program Files\McAfee.com\VSO\mcshld9x.exe
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [EPSON SX110 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIFBE.EXE /FU "C:\Windows\TEMP\E_S311E.tmp" /EF "HKCU"
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [{A6C424EB-3895-E234-2EA1-CC8C39BFAE2D}] C:\Users\spaRKLYPIXIE\AppData\Roaming\Ezgaokw\aqenwez.exe
    O4 - Startup: BBC iPlayer Desktop.lnk = C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/4.0.1.0/GarminAxControl_32.CAB
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Protocol: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\11.2.0\ViProtocol.dll
    O18 - Protocol: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - C:\Program Files\vShare\vshare_toolbar.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: AG Windows Service (AGWinService) - Unknown owner - C:\Program Files\AGI\common\win32\PythonService.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG8\Toolbar\ToolbarBroker.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
    O23 - Service: O2Micro Flash Memory (O2Flash) - O2Micro International - C:\Windows\system32\o2flash.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: vToolbarUpdater11.2.0 - Unknown owner - C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\11.2.0\ToolbarUpdater.exe

    --
    End of file - 11649 bytes

    ==========================================================================================
    ==========================================================================================
    DDS
    ==========================================================================================
    ==========================================================================================

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.19088
    Run by spaRKLYPIXIE at 23:06:40 on 2012-08-16
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.1013.193

    [GMT 1:00]
    .
    AV: AVG Anti-Virus Free *Disabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}
    SP: AVG Anti-Virus Free *Disabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
    c:\program files\mcafee.com\agent\mcdetect.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\Windows\system32\o2flash.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\11.2.0\ToolbarUpdater.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uStart Page = hxxp://www.searchnu.com/406
    mDefault_Page_URL = hxxp://support.thetechguys.com
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
    uURLSearchHooks: H - No File
    uURLSearchHooks: AGSearchHook Class: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - c:\program files\agi\common\agcutils.dll
    mURLSearchHooks: AGSearchHook Class: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - c:\program files\agi\common\agcutils.dll
    mURLSearchHooks: H - No File
    BHO: vShare Toolbar: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: AGSearchHook Class: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - c:\program files\agi\common\agcutils.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Kiwee Toolbar: {6638a9de-0745-4292-8a2e-ae530e7b9b3f} - c:\program files\kiwee toolbar\2.8.167\KiweeIEToolbar.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
    BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\11.1.0.12\AVG Secure Search_toolbar.dll
    BHO: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\progra~1\search~1\datamngr\toolbar\searchqudtx.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
    BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
    TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
    TB: Kiwee Toolbar: {6638a9de-0745-4292-8a2e-ae530e7b9b3f} - c:\program files\kiwee toolbar\2.8.167\KiweeIEToolbar.dll
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
    TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
    TB: vShare Toolbar: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
    TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\11.1.0.12\AVG Secure Search_toolbar.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\progra~1\search~1\datamngr\toolbar\searchqudtx.dll
    TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    {e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [EPSON SX110 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatifbe.exe /fu "c:\windows\temp\E_S311E.tmp" /EF "HKCU"
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [{3C96B37F-6B8A-4DF8-C9F7-4E07A3B1E33B}] c:\users\sparklypixie\appdata\roaming\adobe\online services\printfilterpipelinesvc.exe
    uRun: [{A6C424EB-3895-E234-2EA1-CC8C39BFAE2D}] c:\users\sparklypixie\appdata\roaming\ezgaokw\aqenwez.exe
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe
    mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [ROC_roc_dec12] "c:\program files\avg secure search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
    mRun: [HF_G_Jul] "c:\program files\avg secure search\HF_G_Jul.exe" /DoAction
    mRunServices: [McShld9x] c:\program files\mcafee.com\vso\mcshld9x.exe
    StartupFolder: c:\users\sparkl~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\bbcipl~1.lnk - c:\program files\bbc iplayer desktop\BBC iPlayer Desktop.exe
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    LSP: mswsock.dll
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.1.0/GarminAxControl_32.CAB
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{6A8D8DCF-1D4D-435F-B813-E10BFD3F9E55} : DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{BAC2B88B-0332-4C29-B74D-245C21D47C98} : DhcpNameServer = 192.168.0.1
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
    Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\11.2.0\ViProtocol.dll
    Handler: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - c:\program files\vshare\vshare_toolbar.dll
    Notify: igfxcui - igfxdev.dll
    AppInit_DLLs: avgrsstx.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\sparklypixie\appdata\roaming\mozilla\firefox\profiles\m15qiws8.default\
    FF - prefs.js: browser.search.selectedEngine - Search Results
    FF - prefs.js: browser.startup.homepage - hxxp://www.searchnu.com/406
    FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=101&systemid=406&sr=0&q=
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\program files\common files\avg secure search\sitesafetyinstaller\11.2.0\npsitesafety.dll
    FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
    FF - plugin: c:\program files\filmfanaticei\installr\1.bin\NPpaEISb.dll
    FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\google\update\1.3.21.115\npGoogleUpdate3.dll
    FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
    FF - plugin: c:\program files\televisionfanaticei\installr\1.bin\NP64EISb.dll
    FF - plugin: c:\program files\veetle\player\npvlc.dll
    FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: -
    FF - user.js: security.enable_tls - false
    FF - user.js: network.http.accept-encoding -
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2006-11-19 38400]
    R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2006-11-16 31360]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-6 335240]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-11-6 27784]
    R3 netr73;RT73 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr73.sys [2009-5-24 501248]
    S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-9-16 54632]
    S3 s816bus;Sony Ericsson Device 816 driver (WDM);c:\windows\system32\drivers\s816bus.sys [2008-10-26 81832]
    S3 s816mdfl;Sony Ericsson Device 816 USB WMC Modem Filter;c:\windows\system32\drivers\s816mdfl.sys [2008-10-26 13864]
    S3 s816mdm;Sony Ericsson Device 816 USB WMC Modem Driver;c:\windows\system32\drivers\s816mdm.sys [2008-10-26 107304]
    S3 s816mgmt;Sony Ericsson Device 816 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s816mgmt.sys [2008-10-26 99112]
    S3 s816nd5;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (NDIS);c:\windows\system32\drivers\s816nd5.sys [2008-10-26 21928]
    S3 s816obex;Sony Ericsson Device 816 USB WMC OBEX Interface;c:\windows\system32\drivers\s816obex.sys [2008-10-26 97320]
    S3 s816unic;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (WDM);c:\windows\system32\drivers\s816unic.sys [2008-10-26 97704]
    .
    =============== Created Last 30 ================
    .
    2012-08-15 16:36:12 -------- d-----w- c:\users\sparklypixie\appdata\roaming\Rezy
    2012-08-15 16:36:11 -------- d-----w- c:\users\sparklypixie\appdata\roaming\Ezgaokw
    2012-08-14 16:24:49 6891424 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{c459725f-8b73-4c18-8e8e-2c297541e95f}\mpengine.dll
    .
    ==================== Find3M ====================
    .
    2012-05-31 11:25:14 237072 ------w- c:\windows\system32\MpSigStub.exe
    .
    ============= FINISH: 23:09:34.50 ===============

    ==========================================================================================
    ==========================================================================================
    GMER
    ==========================================================================================
    ==========================================================================================

    BLANK! Not sure if this is right or not :S
     

    Attached Files:
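Editor's note, added to this thread and not code from any poster, HijackThis or DDS: the logs above are read by eye, so here is the same triage as a small Python script that can be run offline against a saved log file. It flags what a helper looks for first: Run-key values named with a GUID whose target sits under the user's AppData\Roaming (the aqenwez.exe entry, and a printfilterpipelinesvc.exe under Roaming\Adobe, a name that belongs to a Windows binary living in System32), start-page and search hijacks pointing at searchnu.com, BHO/toolbar entries with no file behind them, the hosts entry that sinkholes www.spywareinfo.com to 127.0.0.1, and the Firefox user.js prefs that turn TLS and the insecure-submit warnings off. The TRUSTED_HOSTS allow-list, the SYSTEM_IMAGE_NAMES set and the severity labels are assumptions of this example; the sample lines are copied from the posted logs.

```python
"""Triage heuristics for the kinds of entries found in HijackThis and DDS logs.

Added example for this thread; it is not code from HijackThis, DDS, or any
poster. The trusted-host list, the severity labels and the set of Windows
image names are this example's own assumptions.
"""
import re
from pathlib import PureWindowsPath

# Assumption: hosts an analyst accepts as start/search pages on this machine.
TRUSTED_HOSTS = {"go.microsoft.com", "www.google.com", "g.msn.co.uk"}
# Assumption: image names that belong in %SystemRoot%\System32; a copy anywhere
# else deserves a look (the posted log has printfilterpipelinesvc.exe in Roaming).
SYSTEM_IMAGE_NAMES = {"services.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                      "winlogon.exe", "printfilterpipelinesvc.exe"}
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# HijackThis "O4 - HKCU\..\Run: [name] target" and DDS "uRun: [name] target".
AUTOSTART_RE = re.compile(
    r'^(?:O4 - HK\w+\\\.\.\\Run\w*|[um]Run\w*): \[(?P<name>[^\]]+)\] (?P<target>.+)$')
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.exe)', re.IGNORECASE)        # image path before any args
GUID_RE = re.compile(r'^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$', re.IGNORECASE)
URL_RE = re.compile(r'h(?:tt|xx)ps?://([^/\s]+)', re.IGNORECASE)    # DDS defangs http as hxxp
KEY_RE = re.compile(r'start page|search page|default_page|default_search|searchurl|'
                    r'homepage|keyword\.url', re.IGNORECASE)
ORPHAN_RE = re.compile(r'\((?:no file|file missing)\)|- No File$', re.IGNORECASE)
HOSTS_RE = re.compile(r'^(?:O1 - )?Hosts: (?P<ip>\S+) (?P<name>\S+)$')
FF_PREF_RE = re.compile(r'^FF - user\.js: security\.\S+ - false$')


def check_autostart(name, target, line):
    """Findings for one Run-key entry: GUID-named values, images in user-writable
    directories, and system image names living outside System32."""
    out = []
    if GUID_RE.match(name):
        out.append(("medium", "guid-named-run-value", line))
    m = EXE_RE.match(target)
    if not m:
        return out
    path = PureWindowsPath(m.group("exe"))
    parts = {p.lower() for p in path.parts}
    if "appdata" in parts or "temp" in parts:
        out.append(("high", "autostart-in-user-writable-dir", line))
    if path.name.lower() in SYSTEM_IMAGE_NAMES and "system32" not in parts:
        out.append(("high", "system-image-name-outside-system32", line))
    return out


def triage(log_text):
    """Return (severity, rule, line) tuples for every suspicious log line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = AUTOSTART_RE.match(line)
        if m:
            findings.extend(check_autostart(m.group("name"), m.group("target"), line))
            continue
        u = URL_RE.search(line)
        if u and KEY_RE.search(line) and u.group(1).lower() not in TRUSTED_HOSTS:
            findings.append(("medium", "untrusted-start-or-search-host", line))
        if ORPHAN_RE.search(line):
            findings.append(("low", "orphaned-bho-or-toolbar-entry", line))
        h = HOSTS_RE.match(line)
        if h and h.group("ip") in LOOPBACK and h.group("name").lower() != "localhost":
            findings.append(("medium", "hosts-loopback-redirect", line))
        if FF_PREF_RE.match(line):
            findings.append(("high", "firefox-security-pref-forced-off", line))
    return findings


def summarize(findings):
    """Count findings per severity."""
    counts = {}
    for severity, _, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


# Constructed excerpt: a dozen lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [{A6C424EB-3895-E234-2EA1-CC8C39BFAE2D}] C:\Users\spaRKLYPIXIE\AppData\Roaming\Ezgaokw\aqenwez.exe
uRun: [{3C96B37F-6B8A-4DF8-C9F7-4E07A3B1E33B}] c:\users\sparklypixie\appdata\roaming\adobe\online services\printfilterpipelinesvc.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchnu.com/406
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
FF - prefs.js: browser.startup.homepage - hxxp://www.searchnu.com/406
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O1 - Hosts: ::1 localhost
Hosts: 127.0.0.1 www.spywareinfo.com
FF - user.js: security.enable_tls - false
FF - user.js: security.warn_submit_insecure - false
"""

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for severity, rule, line in results:
        print(f"[{severity:6}] {rule}: {line}")
    print(summarize(results))
```

Run it as-is to see the sample scored, or replace SAMPLE_LOG with the contents of a saved hijackthis.log or dds.txt. The script only reads text, so it is safe to run on a clean machine against a log carried over on the USB stick; it does not touch the infected system, and a clean result from it says nothing about a rootkit that hides from the tools that produced the log, which is what the aswMBR and GMER scans are for.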

  2. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    Hi,

    **WARNING**Unfortunately one or more of the infections I have identified are Backdoor Trojans, IRCBots or other Malware capable of stealing very important information. You need to stop using all Internet Banking sites, change passwords to all sites with sensitive information from a clean computer and phone your bank to inform them that you may be a victim of identity theft. More often than not, we advise users that a full reinstallation of their Operating System is the only way to ensure that their computer will ever be 100% clean again.

    Unfortunately I have found what is known as the ZeroAccess rootkit on your system. It is an especially nasty infection that can take quite some time to clean as well as may have damaged your system files itself. As a warning, during the cleaning (if you choose to do so) you may lose internet access with this computer and in the end we may need to reinstall the operating system anyway depending on the extent of the infection.

    If you would like to format and reinstall your Operating System please let me know and we can assist you with that.

    If you would like to continue with the cleaning, please continue with the following instructions and I will be more than happy to help. :)
    ----------

    Please download aswMBR to your desktop.

    • Right click and Run as Administrator the aswMBR icon to run it.
    • Click the Scan button to start scan.
    • If asked whether you would like to update the Avast virus database please do.
    • When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.

    ----------
     
  3. chrispcarter

    chrispcarter Thread Starter

    Joined:
    Aug 16, 2012
    Messages:
    20
    Hi jeffce,
    thanks very much for picking this up. Net access won't be a problem as I have the lappy sitting next to my machine and I can use USB to transfer anything I need.

    I'd like to try cleaning it before reinstalling OS (not least because I don't have the disk and would have to get it from them), but if we have to do that we have to. I'll start copying (and scanning) the in-laws docs in case we end up doing that.

    anyway, here are the results from aswMBR:

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-08-17 06:57:23
    -----------------------------
    06:57:23.832 OS Version: Windows 6.0.6001 Service Pack 1
    06:57:23.832 Number of processors: 2 586 0xE0C
    06:57:23.832 ComputerName: SPARKLYPIXIE-PC UserName: spaRKLYPIXIE
    06:58:32.097 Initialize success
    07:01:13.757 AVAST engine download error: 0
    07:01:24.864 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1
    07:01:24.864 Disk 0 Vendor: Hitachi_HTS541280H9SA00 HP3OC20F Size: 76319MB BusType: 3
    07:01:24.895 Disk 0 MBR read successfully
    07:01:24.895 Disk 0 MBR scan
    07:01:24.895 Disk 0 Windows VISTA default MBR code
    07:01:24.911 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 5500 MB offset 2048
    07:01:24.942 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 1500 MB offset 11266048
    07:01:24.957 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 69317 MB offset 14338048
    07:01:24.957 Disk 0 scanning sectors +156299264
    07:01:25.051 Disk 0 scanning C:\Windows\system32\drivers
    07:01:48.504 Service scanning
    07:02:25.897 Modules scanning
    07:02:34.571 Disk 0 trace - called modules:
    07:02:34.617 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS intelide.sys PCIIDEX.SYS atapi.sys
    07:02:34.617 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x853b0ac8]
    07:02:34.633 3 CLASSPNP.SYS[869a0745] -> nt!IofCallDriver -> [0x84d01918]
    07:02:34.633 5 acpi.sys[8068e6a0] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-1[0x84cf0030]
    07:02:34.649 Scan finished successfully
    07:03:14.944 Disk 0 MBR has been saved successfully to "D:\MBR.dat"
    07:03:14.960 The log file has been saved successfully to "D:\aswMBR.txt"
    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-08-17 07:04:01
    -----------------------------
    07:04:01.369 OS Version: Windows 6.0.6001 Service Pack 1
    07:04:01.369 Number of processors: 2 586 0xE0C
    07:04:01.369 ComputerName: SPARKLYPIXIE-PC UserName: spaRKLYPIXIE
    07:04:06.330 Initialize success
    07:06:23.573 AVAST engine defs: 12081601
    07:06:35.866 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1
    07:06:35.882 Disk 0 Vendor: Hitachi_HTS541280H9SA00 HP3OC20F Size: 76319MB BusType: 3
    07:06:35.928 Disk 0 MBR read successfully
    07:06:35.944 Disk 0 MBR scan
    07:06:36.396 Disk 0 Windows VISTA default MBR code
    07:06:36.459 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 5500 MB offset 2048
    07:06:36.506 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 1500 MB offset 11266048
    07:06:36.552 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 69317 MB offset 14338048
    07:06:36.615 Disk 0 scanning sectors +156299264
    07:06:36.896 Disk 0 scanning C:\Windows\system32\drivers
    07:07:11.639 Service scanning
    07:08:09.081 Modules scanning
    07:08:42.622 Disk 0 trace - called modules:
    07:08:42.716 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS intelide.sys PCIIDEX.SYS atapi.sys
    07:08:42.716 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x853b0ac8]
    07:08:42.731 3 CLASSPNP.SYS[869a0745] -> nt!IofCallDriver -> [0x84d01918]
    07:08:42.747 5 acpi.sys[8068e6a0] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-1[0x84cf0030]
    07:08:44.151 AVAST engine scan C:\Windows
    07:08:55.275 AVAST engine scan C:\Windows\system32
    07:16:52.313 File: C:\Windows\assembly\GAC\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
    07:19:18.299 AVAST engine scan C:\Windows\system32\drivers
    07:19:51.544 AVAST engine scan C:\Users\spaRKLYPIXIE
    07:22:50.158 File: C:\Users\spaRKLYPIXIE\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FH6CTWS0\info[1].exe **INFECTED** Win32:MBRlock-DG [Trj]
    07:22:54.276 File: C:\Users\spaRKLYPIXIE\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SP2HK1EZ\info[1].exe **INFECTED** Win32:Sirefef-AHQ [Trj]
    07:30:14.122 File: C:\Users\spaRKLYPIXIE\AppData\Roaming\Ezgaokw\aqenwez.exe **INFECTED** Win32:MBRlock-DG [Trj]
    07:39:38.796 AVAST engine scan C:\ProgramData
    07:42:49.446 Scan finished successfully
    07:45:11.267 Disk 0 MBR has been saved successfully to "D:\MBR.dat"
    07:45:11.345 The log file has been saved successfully to "D:\aswMBR.txt"
     
  4. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    Hi,

    Download Combofix from the link below, and save it to your desktop.
    Link

    **Note: It is important that it is saved directly to your desktop**
    If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.


    --------------------------------------------------------------------

    IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

    --------------------------------------------------------------------

    Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt for further review.
    ----------
     
  5. chrispcarter

    chrispcarter Thread Starter

    Joined:
    Aug 16, 2012
    Messages:
    20
    Hi jeffce,
    thanks again and here we go:

    ComboFix 12-08-17.01 - spaRKLYPIXIE 17/08/2012 15:27:20.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.1013.383 [GMT 1:00]
    Running from: c:\users\spaRKLYPIXIE\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *Disabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}
    SP: AVG Anti-Virus Free *Disabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\install.exe
    c:\program files\FilmFanaticEI
    c:\program files\FilmFanaticEI\Installr\1.bin\NPpaEISb.dll
    c:\program files\FilmFanaticEI\Installr\1.bin\paEIPlug.dll
    c:\program files\FilmFanaticEI\Installr\1.bin\paEZSETP.dll
    c:\program files\screensavers.com
    c:\program files\TelevisionFanaticEI
    c:\program files\TelevisionFanaticEI\Installr\1.bin\64EIPlug.dll
    c:\program files\TelevisionFanaticEI\Installr\1.bin\64EZSETP.dll
    c:\program files\TelevisionFanaticEI\Installr\1.bin\NP64EISb.dll
    c:\programdata\181188670
    c:\users\spaRKLYPIXIE\AppData\Local\{8a96069a-0c85-afbc-7f78-6d7f2a42cf58}
    c:\users\spaRKLYPIXIE\AppData\Local\{8a96069a-0c85-afbc-7f78-6d7f2a42cf58}\@
    c:\users\spaRKLYPIXIE\AppData\Local\{8a96069a-0c85-afbc-7f78-6d7f2a42cf58}\n
    c:\users\spaRKLYPIXIE\AppData\Roaming\Adobe\Online Services\printfilterpipelinesvc.exe
    c:\users\spaRKLYPIXIE\AppData\Roaming\Ezgaokw\aqenwez.exe
    c:\users\spaRKLYPIXIE\Documents\~WRL1185.tmp
    c:\users\spaRKLYPIXIE\Documents\~WRL2176.tmp
    c:\users\spaRKLYPIXIE\Documents\~WRL3035.tmp
    c:\users\spaRKLYPIXIE\Documents\~WRL3253.tmp
    c:\users\spaRKLYPIXIE\Documents\~WRL3400.tmp
    c:\windows\Installer\{8a96069a-0c85-afbc-7f78-6d7f2a42cf58}
    c:\windows\Installer\{8a96069a-0c85-afbc-7f78-6d7f2a42cf58}\@
    c:\windows\Installer\{8a96069a-0c85-afbc-7f78-6d7f2a42cf58}\L\00000004.@
    c:\windows\Installer\{8a96069a-0c85-afbc-7f78-6d7f2a42cf58}\L\201d3dde
    c:\windows\Installer\{8a96069a-0c85-afbc-7f78-6d7f2a42cf58}\n
    c:\windows\Installer\{8a96069a-0c85-afbc-7f78-6d7f2a42cf58}\U\00000004.@
    c:\windows\Installer\{8a96069a-0c85-afbc-7f78-6d7f2a42cf58}\U\00000008.@
    c:\windows\Installer\{8a96069a-0c85-afbc-7f78-6d7f2a42cf58}\U\000000cb.@
    c:\windows\Installer\{8a96069a-0c85-afbc-7f78-6d7f2a42cf58}\U\80000000.@
    c:\windows\Installer\{8a96069a-0c85-afbc-7f78-6d7f2a42cf58}\U\80000032.@
    .
    c:\windows\system32\services.exe . . . is infected!!
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-07-17 to 2012-08-17 )))))))))))))))))))))))))))))))
    .
    .
    2012-08-17 14:39 . 2012-08-17 14:50 -------- d-----w- c:\users\spaRKLYPIXIE\AppData\Local\temp
    2012-08-17 14:39 . 2012-08-17 14:39 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-08-16 22:16 . 2012-08-16 22:16 100864 ----a-w- C:\kfkirkob.sys
    2012-08-15 16:36 . 2012-08-16 21:13 -------- d-----w- c:\users\spaRKLYPIXIE\AppData\Roaming\Rezy
    2012-08-15 16:36 . 2012-08-17 14:38 -------- d-----w- c:\users\spaRKLYPIXIE\AppData\Roaming\Ezgaokw
    2012-08-14 16:24 . 2012-06-29 08:44 6891424 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C459725F-8B73-4C18-8E8E-2C297541E95F}\mpengine.dll
    2012-07-25 17:02 . 2012-07-25 17:02 -------- d-----w- c:\program files\Microsoft Silverlight
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-05-31 11:25 . 2009-10-02 18:02 237072 ------w- c:\windows\system32\MpSigStub.exe
    2012-05-07 11:48 . 2012-02-25 14:53 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{0BC6E3FA-78EF-4886-842C-5A1258C4455A}"= "c:\program files\AGI\common\agcutils.dll" [2010-01-07 43520]
    .
    [HKEY_CLASSES_ROOT\clsid\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
    [HKEY_CLASSES_ROOT\agcutils.AGSearchHook.1]
    [HKEY_CLASSES_ROOT\TypeLib\{647B16D8-AD7B-4983-82D7-82A270FC9E6D}]
    [HKEY_CLASSES_ROOT\agcutils.AGSearchHook]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0BC6E3FA-78EF-4886-842C-5A1258C4455A}]
    2010-01-07 18:19 43520 ----a-w- c:\program files\AGI\common\agcutils.dll
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6638A9DE-0745-4292-8A2E-AE530E7B9B3F}]
    2008-12-07 17:02 277648 ----a-w- c:\program files\Kiwee Toolbar\2.8.167\KiweeIEToolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{6638A9DE-0745-4292-8A2E-AE530E7B9B3F}"= "c:\program files\Kiwee Toolbar\2.8.167\KiweeIEToolbar.dll" [2008-12-07 277648]
    .
    [HKEY_CLASSES_ROOT\clsid\{6638a9de-0745-4292-8a2e-ae530e7b9b3f}]
    [HKEY_CLASSES_ROOT\KiweeIEToolbar.KiweeToolbar.1]
    [HKEY_CLASSES_ROOT\TypeLib\{259EEB17-79AA-44DF-8410-8E55F82A902A}]
    [HKEY_CLASSES_ROOT\KiweeIEToolbar.KiweeToolbar]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{6638A9DE-0745-4292-8A2E-AE530E7B9B3F}"= "c:\program files\Kiwee Toolbar\2.8.167\KiweeIEToolbar.dll" [2008-12-07 277648]
    .
    [HKEY_CLASSES_ROOT\clsid\{6638a9de-0745-4292-8a2e-ae530e7b9b3f}]
    [HKEY_CLASSES_ROOT\KiweeIEToolbar.KiweeToolbar.1]
    [HKEY_CLASSES_ROOT\TypeLib\{259EEB17-79AA-44DF-8410-8E55F82A902A}]
    [HKEY_CLASSES_ROOT\KiweeIEToolbar.KiweeToolbar]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-27 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="RtHDVCpl.exe" [2007-03-23 4423680]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-04 138008]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-04 154392]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
    "RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
    .
    c:\users\spaRKLYPIXIE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cce3505b4437e0.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-13 19:39]
    .
    2012-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-13 19:39]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.searchnu.com/406
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.254
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.1.0/GarminAxControl_32.CAB
    FF - ProfilePath - c:\users\spaRKLYPIXIE\AppData\Roaming\Mozilla\Firefox\Profiles\m15qiws8.default\
    FF - prefs.js: browser.search.selectedEngine - Search Results
    FF - prefs.js: browser.startup.homepage - hxxp://www.searchnu.com/406
    FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=101&systemid=406&sr=0&q=
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: -
    FF - user.js: security.enable_tls - false
    FF - user.js: network.http.accept-encoding -
    FF - user.js: secnetwork.http.accept-encodingurity.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-10 - (no file)
    WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
    HKCU-Run-ISUSPM - c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    HKCU-Run-{3C96B37F-6B8A-4DF8-C9F7-4E07A3B1E33B} - c:\users\spaRKLYPIXIE\AppData\Roaming\Adobe\Online Services\printfilterpipelinesvc.exe
    HKCU-Run-{A6C424EB-3895-E234-2EA1-CC8C39BFAE2D} - c:\users\spaRKLYPIXIE\AppData\Roaming\Ezgaokw\aqenwez.exe
    HKLM-Run-ROC_roc_dec12 - c:\program files\AVG Secure Search\ROC_roc_dec12.exe
    HKLM-Run-HF_G_Jul - c:\program files\AVG Secure Search\HF_G_Jul.exe
    AddRemove-{23A287DB-449A-462F-BDE1-8635A61671CE} - c:\program files\AGI\common\bootstrapper.exe -uninstallC:/Program Files/AGI/Python25\pythonw.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-08-17 15:51
    Windows 6.0.6001 Service Pack 1 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-3192540412-4096636921-3291768311-1000\¬ î**]
    @Allowed: (Read) (RestrictedCode)
    "MachineID"=hex:fe,7e,01,11,98,6b,14,00
    DUMPHIVE0.003 (REGF)
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\windows\system32\o2flash.exe
    c:\program files\Spybot - Search & Destroy\SDWinSec.exe
    c:\windows\system32\WUDFHost.exe
    .
    **************************************************************************
    .
    Completion time: 2012-08-17 15:56:34 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-08-17 14:56
    .
    Pre-Run: 16,963,780,608 bytes free
    Post-Run: 16,829,390,848 bytes free
    .
    - - End Of File - - 35CB88D76C0F401390EEFFFFC63CFA22
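The "Other Deletions" list above is the on-disk footprint of the ZeroAccess (Sirefef) variant jeffce named: a `{GUID}` folder under `Windows\Installer` and another under the user's `AppData\Local`, each holding files named `@` and `n` with `U` and `L` subfolders, plus the `Desktop.ini` in `Windows\assembly\GAC` that aswMBR flagged as Win32:Sirefef-PL. The sweep below is an added example, not code from the thread, ComboFix or aswMBR: it walks a directory tree and reports exactly that layout, ignoring the ordinary `{GUID}` folders the MSI cache legitimately keeps. The sample tree is constructed in a temp directory so it runs offline on any OS; the GUID is reused from the log purely as sample data, and a clean control folder is included to show the check does not fire on it.

```python
"""Sweep a directory tree for the ZeroAccess/Sirefef file layout listed in the
ComboFix log: a {GUID} folder under Windows\\Installer or AppData\\Local that
holds files named "@" and "n", and a Desktop.ini inside Windows\\assembly\\GAC.

Added example, not part of the thread and not ComboFix/aswMBR code.  The tree
built by build_sample_tree() is constructed sample data.
"""
import re
import tempfile
from pathlib import Path

GUID_DIR = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I
)


def _under(parts: tuple, *needle: str) -> bool:
    """True if the lower-cased path components contain `needle` consecutively."""
    n = len(needle)
    return any(parts[i:i + n] == needle for i in range(len(parts) - n + 1))


def sweep(root: Path) -> list[dict]:
    """Return one finding per matching artifact below `root`."""
    findings = []
    for p in root.rglob("*"):
        rel = tuple(part.lower() for part in p.relative_to(root).parts)
        if p.is_dir() and GUID_DIR.match(p.name):
            if not (_under(rel, "windows", "installer") or _under(rel, "appdata", "local")):
                continue
            names = {c.name for c in p.iterdir()}
            # A legitimate MSI cache folder holds .msi/.ico files, never "@" plus "n".
            if {"@", "n"} <= names:
                findings.append({"kind": "zeroaccess-dir", "path": str(p),
                                 "children": sorted(names)})
        elif p.is_file() and p.name.lower() == "desktop.ini":
            # Nothing legitimate drops a Desktop.ini into the GAC root.
            if _under(rel, "windows", "assembly", "gac"):
                findings.append({"kind": "gac-desktop-ini", "path": str(p)})
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed sample mirroring the paths in the ComboFix deletions list."""
    guid = "{8a96069a-0c85-afbc-7f78-6d7f2a42cf58}"  # GUID reused from the log
    for rel in (
        f"Windows/Installer/{guid}/@",
        f"Windows/Installer/{guid}/n",
        f"Windows/Installer/{guid}/L/00000004.@",
        f"Windows/Installer/{guid}/U/80000032.@",
        f"Users/spaRKLYPIXIE/AppData/Local/{guid}/@",
        f"Users/spaRKLYPIXIE/AppData/Local/{guid}/n",
        "Windows/assembly/GAC/Desktop.ini",
        # Controls that must NOT fire: a normal MSI cache folder and a user Desktop.ini
        "Windows/Installer/{11111111-2222-3333-4444-555555555555}/setup.msi",
        "Users/spaRKLYPIXIE/Desktop/Desktop.ini",
    ):
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"sample")


def demo() -> list[dict]:
    """Build the sample tree in a temp dir and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        return sweep(Path(tmp))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real machine you would point `sweep()` at the system drive root; the `@`/`n` pairing is what separates the rootkit's folders from the many legitimate `{GUID}` directories the Windows Installer cache contains.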
     
  6. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    Hi,

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2


    **If you are using a 64bit system please use either of the following links for your download instead:
    Link 1
    Link 2

    • Right-click and Run as Administrator SystemLook.exe to run it.
    • Copy the content within the following codebox into the main textfield:
      Code:
      :filefind
      services.exe
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  7. chrispcarter

    chrispcarter Thread Starter

    Joined:
    Aug 16, 2012
    Messages:
    20
    Cheers Jeff.

    SystemLook 30.07.11 by jpshortstuff
    Log created at 18:42 on 17/08/2012 by spaRKLYPIXIE
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "services.exe"
    C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe --a---- 279552 bytes [18:14 04/08/2009] [06:27 11/04/2009] D4E6D91C1349B7BFB3599A6ADA56851B
    C:\Windows\System32\services.exe --a---- 279040 bytes [10:49 07/06/2008] [07:33 19/01/2008] 5DC3C54FC22BBB6F66C290C7C0384DF9
    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe --a---- 279552 bytes [08:35 02/11/2006] [09:45 02/11/2006] 329CF3C97CE4C19375C8ABCABAE258B0
    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe --a---- 279040 bytes [10:49 07/06/2008] [07:33 19/01/2008] 2B336AB6286D6C81FA02CBAB914E3C6C

    -= EOF =-
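The SystemLook output above is the whole diagnosis in four lines: the live `C:\Windows\System32\services.exe` is the same size (279040 bytes) and carries the same timestamps as the WinSxS copy for build 6.0.6001.18000, yet its MD5 differs, which is what an in-place patch looks like. The script below is an added example, not the thread's, SystemLook's or ComboFix's code: it parses `:filefind` output, picks the component-store copy whose version matches the installed build (6.0.6001 for Vista SP1, taken from the ComboFix header), and classifies the live file. That same WinSxS copy is the one the later CFScript run restores with FCopy. The log text is the one posted above; the build-matching rule is my assumption.

```python
"""Parse SystemLook ':filefind' output and compare the live System32 copy of a
system binary with the matching WinSxS component-store copy.

Added example; not from the thread, SystemLook or ComboFix.  The reference-copy
rule (WinSxS entry whose version starts with the installed build) is an
assumption that happens to match the copy the CFScript later restored.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Copied from the SystemLook log in the thread (raw string: the paths contain backslashes).
SYSTEMLOOK_LOG = r"""
========== filefind ==========

Searching for "services.exe"
C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe --a---- 279552 bytes [18:14 04/08/2009] [06:27 11/04/2009] D4E6D91C1349B7BFB3599A6ADA56851B
C:\Windows\System32\services.exe --a---- 279040 bytes [10:49 07/06/2008] [07:33 19/01/2008] 5DC3C54FC22BBB6F66C290C7C0384DF9
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe --a---- 279552 bytes [08:35 02/11/2006] [09:45 02/11/2006] 329CF3C97CE4C19375C8ABCABAE258B0
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe --a---- 279040 bytes [10:49 07/06/2008] [07:33 19/01/2008] 2B336AB6286D6C81FA02CBAB914E3C6C

-= EOF =-
"""

# path  attrs  size bytes [modified] [created] MD5
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<mtime>[^\]]+)\] \[(?P<ctime>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)
# Component-store folders embed the file version: ..._6.0.6001.18000_none_...
VERSION_RE = re.compile(r"_(\d+\.\d+\.\d+\.\d+)_none_")


@dataclass
class FileEntry:
    path: str
    size: int
    md5: str
    version: Optional[str]  # only known for component-store copies


def parse_filefind(text: str) -> list[FileEntry]:
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        v = VERSION_RE.search(m["path"])
        entries.append(FileEntry(m["path"], int(m["size"]), m["md5"].upper(),
                                 v.group(1) if v else None))
    return entries


def check_live_copy(entries: list[FileEntry], os_build: str = "6.0.6001") -> dict:
    """Classify the System32 copy against the WinSxS copy for the installed build."""
    live = [e for e in entries
            if "\\system32\\" in e.path.lower() and "\\winsxs\\" not in e.path.lower()]
    refs = [e for e in entries
            if "\\winsxs\\" in e.path.lower() and e.version
            and e.version.startswith(os_build + ".")]
    if not live or not refs:
        return {"verdict": "no-reference"}
    # If several revisions of the build are staged, the highest one is current.
    ref = max(refs, key=lambda e: tuple(int(x) for x in e.version.split(".")))
    cur = live[0]
    if cur.md5 == ref.md5:
        verdict = "clean"
    elif cur.size == ref.size:
        # Same length, different content: the hallmark of a binary patched in place.
        verdict = "patched-in-place"
    else:
        verdict = "replaced"
    return {"verdict": verdict, "live": cur.path, "live_md5": cur.md5,
            "same_size": cur.size == ref.size,
            "reference": ref.path, "reference_md5": ref.md5}


if __name__ == "__main__":
    for key, value in check_live_copy(parse_filefind(SYSTEMLOOK_LOG)).items():
        print(f"{key}: {value}")
```

The copy under `SoftwareDistribution\Download` is a staged 6.0.6002 (SP2) update, not an installed component, so it is deliberately not used as a reference; a size match with a hash mismatch against the installed build's own copy is the signal worth acting on.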
     
  8. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    Hi,

    • Please download the file I attached to this reply to your Desktop then follow the instructions below...
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

      [screenshot]
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    ----------
     


  9. chrispcarter

    chrispcarter Thread Starter

    Joined:
    Aug 16, 2012
    Messages:
    20
    Hi Jeff,
    here's the latest. I should note that I removed AVG using the AVG uninstaller tool before running SystemLook as the UI was crashing when I was trying to disable it - should have mentioned this earlier, sorry!

    ComboFix 12-08-17.01 - spaRKLYPIXIE 18/08/2012 20:02:36.2.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.1013.365 [GMT 1:00]
    Running from: c:\users\spaRKLYPIXIE\Desktop\ComboFix.exe
    Command switches used :: c:\users\spaRKLYPIXIE\Desktop\CFScript.txt
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    --------------- FCopy ---------------
    .
    c:\windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe --> c:\windows\System32\services.exe
    .
    ((((((((((((((((((((((((( Files Created from 2012-07-18 to 2012-08-18 )))))))))))))))))))))))))))))))
    .
    .
    2012-08-18 19:12 . 2012-08-18 19:12 -------- d-----w- c:\users\spaRKLYPIXIE\AppData\Local\temp
    2012-08-18 19:12 . 2012-08-18 19:12 -------- d-----w- c:\users\Public\AppData\Local\temp
    2012-08-18 19:12 . 2012-08-18 19:12 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-08-16 22:16 . 2012-08-16 22:16 100864 ----a-w- C:\kfkirkob.sys
    2012-08-15 16:36 . 2012-08-16 21:13 -------- d-----w- c:\users\spaRKLYPIXIE\AppData\Roaming\Rezy
    2012-08-15 16:36 . 2012-08-17 14:38 -------- d-----w- c:\users\spaRKLYPIXIE\AppData\Roaming\Ezgaokw
    2012-08-14 16:24 . 2012-06-29 08:44 6891424 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C459725F-8B73-4C18-8E8E-2C297541E95F}\mpengine.dll
    2012-07-25 17:02 . 2012-07-25 17:02 -------- d-----w- c:\program files\Microsoft Silverlight
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-05-31 11:25 . 2009-10-02 18:02 237072 ------w- c:\windows\system32\MpSigStub.exe
    2012-05-07 11:48 . 2012-02-25 14:53 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{0BC6E3FA-78EF-4886-842C-5A1258C4455A}"= "c:\program files\AGI\common\agcutils.dll" [2010-01-07 43520]
    .
    [HKEY_CLASSES_ROOT\clsid\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
    [HKEY_CLASSES_ROOT\agcutils.AGSearchHook.1]
    [HKEY_CLASSES_ROOT\TypeLib\{647B16D8-AD7B-4983-82D7-82A270FC9E6D}]
    [HKEY_CLASSES_ROOT\agcutils.AGSearchHook]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0BC6E3FA-78EF-4886-842C-5A1258C4455A}]
    2010-01-07 18:19 43520 ----a-w- c:\program files\AGI\common\agcutils.dll
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6638A9DE-0745-4292-8A2E-AE530E7B9B3F}]
    2008-12-07 17:02 277648 ----a-w- c:\program files\Kiwee Toolbar\2.8.167\KiweeIEToolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{6638A9DE-0745-4292-8A2E-AE530E7B9B3F}"= "c:\program files\Kiwee Toolbar\2.8.167\KiweeIEToolbar.dll" [2008-12-07 277648]
    .
    [HKEY_CLASSES_ROOT\clsid\{6638a9de-0745-4292-8a2e-ae530e7b9b3f}]
    [HKEY_CLASSES_ROOT\KiweeIEToolbar.KiweeToolbar.1]
    [HKEY_CLASSES_ROOT\TypeLib\{259EEB17-79AA-44DF-8410-8E55F82A902A}]
    [HKEY_CLASSES_ROOT\KiweeIEToolbar.KiweeToolbar]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{6638A9DE-0745-4292-8A2E-AE530E7B9B3F}"= "c:\program files\Kiwee Toolbar\2.8.167\KiweeIEToolbar.dll" [2008-12-07 277648]
    .
    [HKEY_CLASSES_ROOT\clsid\{6638a9de-0745-4292-8a2e-ae530e7b9b3f}]
    [HKEY_CLASSES_ROOT\KiweeIEToolbar.KiweeToolbar.1]
    [HKEY_CLASSES_ROOT\TypeLib\{259EEB17-79AA-44DF-8410-8E55F82A902A}]
    [HKEY_CLASSES_ROOT\KiweeIEToolbar.KiweeToolbar]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-27 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="RtHDVCpl.exe" [2007-03-23 4423680]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-04 138008]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-04 154392]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
    "RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
    .
    c:\users\spaRKLYPIXIE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-08-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cce3505b4437e0.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-13 19:39]
    .
    2012-08-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-13 19:39]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.searchnu.com/406
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.254
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.1.0/GarminAxControl_32.CAB
    FF - ProfilePath - c:\users\spaRKLYPIXIE\AppData\Roaming\Mozilla\Firefox\Profiles\m15qiws8.default\
    FF - prefs.js: browser.search.selectedEngine - Search Results
    FF - prefs.js: browser.startup.homepage - hxxp://www.searchnu.com/406
    FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=101&systemid=406&sr=0&q=
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: -
    FF - user.js: security.enable_tls - false
    FF - user.js: network.http.accept-encoding -
    FF - user.js: secnetwork.http.accept-encodingurity.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-08-18 20:12
    Windows 6.0.6001 Service Pack 1 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-3192540412-4096636921-3291768311-1000\¬ î**]
    @Allowed: (Read) (RestrictedCode)
    "MachineID"=hex:fe,7e,01,11,98,6b,14,00
    DUMPHIVE0.003 (REGF)
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2012-08-18 20:15:43
    ComboFix-quarantined-files.txt 2012-08-18 19:15
    ComboFix2.txt 2012-08-17 14:56
    .
    Pre-Run: 16,746,000,384 bytes free
    Post-Run: 16,659,976,192 bytes free
    .
    - - End Of File - - 8CC427E6817EC045C09699CC00554EA4
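Both ComboFix logs show the same Firefox `user.js` lines: `security.enable_tls` set to false, the mixed-content and insecure-submit warnings silenced, `network.http.accept-encoding` blanked, and `prefs.js` pointing the home page and keyword search at searchnu.com / search-results.com. Those are worth cleaning up explicitly, because `user.js` is re-applied every time Firefox starts, so flipping the values in about:config alone does not stick. The audit below is an added example, not code from the thread, ComboFix or Mozilla: it parses a `user_pref(...)` file, flags the downgrades and the hijacked URLs, and writes a cleaned file with the offending lines (and their `.show_once` companions) removed. The sample file is constructed from the pref names and values in the log; the expected secure values are the Firefox defaults of that era as I know them, and the trusted-host list is illustrative, so both are assumptions rather than anything the page states.

```python
"""Audit a Firefox user.js / prefs.js for the security downgrades seen in the
ComboFix log (TLS off, mixed-content and insecure-submit warnings silenced,
Accept-Encoding blanked) and for hijacked home/search URLs, then emit a
cleaned user.js.

Added example, not from the thread, ComboFix or Mozilla.  SECURE_EXPECTED holds
assumed era defaults and TRUSTED_HOSTS is an illustrative allow-list.
"""
import re
from urllib.parse import urlparse

# Constructed sample: what the log's "FF - user.js:" / prefs.js lines look like on disk.
SAMPLE_USER_JS = """\
// Mozilla User Preferences
user_pref("security.enable_tls", false);
user_pref("network.http.accept-encoding", "");
user_pref("security.warn_viewing_mixed", false);
user_pref("security.warn_viewing_mixed.show_once", false);
user_pref("security.warn_submit_insecure", false);
user_pref("security.warn_submit_insecure.show_once", false);
user_pref("browser.startup.homepage", "http://www.searchnu.com/406");
user_pref("keyword.URL", "http://dts.search-results.com/sr?src=ffb&appid=101&systemid=406&sr=0&q=");
user_pref("browser.tabs.warnOnClose", false);
"""

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Prefs that must not be weakened (assumed defaults for Firefox of that period).
SECURE_EXPECTED = {
    "security.enable_tls": True,
    "security.warn_viewing_mixed": True,
    "security.warn_submit_insecure": True,
    "network.http.accept-encoding": "gzip, deflate",
}
# URL-valued prefs; anything pointing outside the (illustrative) allow-list is a hijack.
URL_PREFS = ("browser.startup.homepage", "keyword.URL")
TRUSTED_HOSTS = {"www.google.com", "www.google.co.uk", "www.bing.com"}


def parse_value(raw: str):
    """Convert the JS literal in a user_pref() call to a Python value."""
    raw = raw.strip()
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    try:
        return int(raw)
    except ValueError:
        return raw


def parse_prefs(text: str) -> dict:
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs


def audit(prefs: dict) -> list[dict]:
    findings = []
    for name, expected in SECURE_EXPECTED.items():
        if name in prefs and prefs[name] != expected:
            findings.append({"pref": name, "value": prefs[name],
                             "expected": expected, "why": "security downgrade"})
    for name in URL_PREFS:
        val = prefs.get(name)
        if isinstance(val, str) and val:
            host = urlparse(val).netloc.lower()
            if host and host not in TRUSTED_HOSTS:
                findings.append({"pref": name, "value": val, "expected": None,
                                 "why": f"points at untrusted host {host}"})
    return findings


def clean_user_js(text: str, findings: list[dict]) -> str:
    """Drop offending lines and their *.show_once companions; defaults then apply."""
    bad = {f["pref"] for f in findings}
    bad |= {p + ".show_once" for p in list(bad)}
    kept = []
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1) in bad:
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    found = audit(parse_prefs(SAMPLE_USER_JS))
    for f in found:
        print(f"{f['pref']} = {f['value']!r}: {f['why']}")
    print("--- cleaned user.js ---")
    print(clean_user_js(SAMPLE_USER_JS, found), end="")
```

Run it against the real profile's `user.js` and `prefs.js` with Firefox closed; on this machine the profile path is the one ComboFix prints on the `FF - ProfilePath` line.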
     
  10. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    No worries! :)
    -------

    OTL
    • Download OTL to your desktop.
    • Right-click and Run as Administrator on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Select All Users
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Under the Custom Scan box paste this in

      netsvcs
      /md5start
      consrv.dll
      explorer.exe
      winlogon.exe
      Userinit.exe
      svchost.exe
      /md5stop
      CREATERESTOREPOINT
    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
      • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
        Note:These logs can be located in the OTL. folder on you C:\ drive if they fail to open automatically.
      • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.
    ----------
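The `/md5start` … `/md5stop` block in the custom scan above makes OTL hash a handful of binaries that malware commonly patches or replaces, which is the same kind of check that caught the patched `services.exe` in this thread. As an added illustration (this is not OTL's code and not something posted in the thread), the PowerShell below computes the same MD5s for those files plus `services.exe`, and asks Windows whether each file's Authenticode signature still verifies. It assumes the stock locations (`%SystemRoot%` for `explorer.exe`, `%SystemRoot%\System32` for the rest) and uses the .NET MD5 class rather than `Get-FileHash` so that it also runs on the PowerShell 2.0 that a Vista machine like this one ships with.

```powershell
# Added example, not OTL's code: MD5 plus Authenticode status for the binaries
# OTL's /md5start block lists, with services.exe from the thread title added.
# Assumes stock locations (%SystemRoot% for explorer.exe, System32 for the rest)
# and uses .NET MD5 rather than Get-FileHash so it runs on PowerShell 2.0 (Vista).

$targets = 'consrv.dll', 'explorer.exe', 'winlogon.exe',
           'Userinit.exe', 'svchost.exe', 'services.exe'

$md5 = [System.Security.Cryptography.MD5]::Create()

foreach ($name in $targets) {
    # explorer.exe lives in %SystemRoot%; everything else in System32
    if ($name -eq 'explorer.exe') {
        $path = Join-Path $env:SystemRoot $name
    } else {
        $path = Join-Path $env:SystemRoot ('System32\' + $name)
    }

    if (-not (Test-Path $path)) {
        # consrv.dll is not part of a clean install, so MISSING is the expected
        # result for it; MISSING for any of the others is itself a problem
        Write-Output ('{0,-13} MISSING' -f $name)
        continue
    }

    # hash the bytes on disk, which is what OTL's MD5 listing also reflects
    $stream = [System.IO.File]::OpenRead($path)
    try {
        $hash = ($md5.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
    }

    # Status is Valid, NotSigned or HashMismatch; see the catalog caveat below
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $size = (Get-Item $path).Length

    Write-Output ('{0,-13} {1,9} bytes  md5={2}  signature={3}' -f $name, $size, $hash, $sig.Status)
}
```

Run it from an elevated prompt and compare the hashes against the same files taken from a known-clean install at the same service-pack level: a Windows binary whose on-disk hash differs from the clean copy is exactly the symptom AVG flagged here. One caveat for Windows of this era: most system executables are signed through catalog files rather than with an embedded signature, and `Get-AuthenticodeSignature` only gained catalog support in PowerShell 5.1, so `NotSigned` for `svchost.exe` or `services.exe` on Vista is not by itself evidence of tampering; Sysinternals `sigcheck` does verify against catalogs and is the better signature oracle on such a machine. `consrv.dll` is not a file a clean Windows install is expected to have at all, so `MISSING` is the good result for that one and its presence would be worth a closer look.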
     
  11. chrispcarter

    chrispcarter Thread Starter

    Joined:
    Aug 16, 2012
    Messages:
    20
    Just done the above and have had returned the following dialog:

    "OTL
    Win32 Error. Code: 23.
    Data error (cyclic redundancy check)."

    At the time the status bar was showing "System Event Log record 49319"

    After OKing that it seems to have locked up. I'll try running it again tomorrow, but for now I need some sleep!

    I've attached a jpeg showing the settings I had selected.
     

  12. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    Ok....if you need to do so try to run OTL in Safe Mode.
     
  13. chrispcarter

    chrispcarter Thread Starter

    Joined:
    Aug 16, 2012
    Messages:
    20
    Same error received in same place whilst carrying out scan in safe mode!

    Going to run a disk check in case the CRC is indicative of bad sectors.
     
  14. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
  15. chrispcarter

    chrispcarter Thread Starter

    Joined:
    Aug 16, 2012
    Messages:
    20
    There were some issues on the disk, hopefully all sorted now, so I am re-running OTL.

    Checking file system on C:
    The type of the file system is NTFS.
    Volume label is Vista.
    A disk check has been scheduled.
    Windows will now check the disk.
    173760 file records processed.
    925 large file records processed.
    0 bad file records processed.
    12 EA records processed.
    60 reparse records processed.
    226924 index entries processed.
    0 unindexed files processed.
    173760 security descriptors processed.
    Cleaning up 399 unused index entries from index $SII of file 0x9.
    Cleaning up 399 unused index entries from index $SDH of file 0x9.
    Cleaning up 399 unused security descriptors.

    26583 data files processed.
    CHKDSK is verifying Usn Journal...
    37335312 USN bytes processed.
    Usn Journal verification completed.
    CHKDSK is verifying file data (stage 4 of 5)...
    173744 files processed. File data verification completed.
    CHKDSK is verifying free space (stage 5 of 5)...
    4351737 free clusters processed.
    Free space verification is complete.
    CHKDSK discovered free space marked as allocated in the master file table (MFT) bitmap.
    CHKDSK discovered free space marked as allocated in the volume bitmap.

    Windows has made corrections to the file system.
    70980607 KB total disk space.
    53193260 KB in 126598 files.
    87268 KB in 26584 indexes.
    4 KB in bad sectors.
    293123 KB in use by the system.
    65536 KB occupied by the log file.
    17406952 KB available on disk.
    4096 bytes in each allocation unit.
    17745151 total allocation units on disk.
    4351738 allocation units available on disk.
    Internal Info:
    c0 a6 02 00 6a 56 02 00 f2 1c 04 00 00 00 00 00 ....jV..........
    ae 87 00 00 3c 00 00 00 00 00 00 00 00 00 00 00 ....<...........
    42 00 00 00 5f 84 2a 77 78 85 2d 00 78 7d 2d 00 B..._.*wx.-.x}-.
    Windows has finished checking your disk.
    Please wait while your computer restarts.
     
Short URL to this thread: https://techguy.org/1065378