1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

services.exe Trojan horse Patched_c.LXT Win 7

Discussion in 'Virus & Other Malware Removal' started by Neopacket, Jul 9, 2012.

Thread Status:
Not open for further replies.
Advertisement
  1. Neopacket

    Neopacket Thread Starter

    Joined:
    Jul 9, 2012
    Messages:
    4
    I got a nasty trojan while trying to find some video editing freeware online today.

    Avg got rid of all of it except for:

    C:\Windows\System32\services.exe, Trojan horse Patched_c.LXT, Object is white-listed (critical/system file that should not be removed)"

    I've ran MBAM, AVG in safe mode and CC cleaner.

    Below is my HijackThis Log and i have the DDS logs as well.

    Thank for any help.
    -Neopacket

    HijackThis Log

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 9:58:45 PM, on 7/8/2012
    Platform: Windows 7 (WinNT 6.00.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16385)
    Boot mode: Normal

    Running processes:
    C:\Program Files (x86)\IObit\Game Booster\gbtray.exe
    C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
    C:\Program Files (x86)\Windows Sidebar\sidebar.exe
    C:\Program Files (x86)\Google\Google Talk\googletalk.exe
    C:\Program Files (x86)\Winamp\winampa.exe
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Program Files (x86)\AVG\AVG2012\avgtray.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Program Files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe
    C:\Program Files (x86)\DAEMON Tools Lite\DTShellHlp.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
    C:\Users\Neopacket\Desktop\ComboFix.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\32788R22FWJFW\pev.3XE
    C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startnow.com/?src=startp...4f79&browser=IE&os=win&os_version=6.1-x64-SP0
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F2 - REG:system.ini: UserInit=userinit.exe,
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: AVG Do Not Track - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office12\GR469A~1.DLL
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [googletalk] C:\Program Files (x86)\Google\Google Talk\googletalk.exe /autostart
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files (x86)\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [HTC Sync Loader] "C:\Program Files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe" -startup
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [cdloader] "C:\Users\Neopacket\AppData\Roaming\mjusbsp\cdloader2.exe" MAGICJACK
    O4 - HKUS\S-1-5-18\..\Run: [Welcome Center] C:\Windows\system32\rundll32.exe C:\Windows\system32\OobeFldr.dll,ShowWelcomeCenter LaunchedBy_StartMenuShortcut (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Welcome Center] C:\Windows\system32\rundll32.exe C:\Windows\system32\OobeFldr.dll,ShowWelcomeCenter LaunchedBy_StartMenuShortcut (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra button: AVG Do Not Track - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{AEABFCC4-4460-4AAD-9929-9187D54F79DE}: NameServer = 192.168.1.1
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~2\MICROS~1\Office12\GRA32A~1.DLL
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe
    O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
    O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
    O23 - Service: Internet Pass-Through Service (PassThru Service) - Unknown owner - C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
    O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

    --
    End of file - 9859 bytes
     
  2. Neopacket

    Neopacket Thread Starter

    Joined:
    Jul 9, 2012
    Messages:
    4
  3. dvk01

    dvk01 Derek Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    47,801
    Delete any existing version of ComboFix you have sitting on your desktop
    Please read and follow all these instructions very carefully
    Do not edit or remove any information or user names etc, otherwise we cannot fix the problem. If you insist on editing out anything then I will close the topic & refuse to offer any help.

    Download ComboFix from Hereto your Desktop.
    As you download it rename it to username123.exe


    **Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer**
    --------------------------------------------------------------------
    1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    • Very Important! Temporarily disable your anti-virus and anti-malware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results" or stop combofix running at all
    • Click on THIS LINK to see instructions on how to temporarily disable many security programs while running combofix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
    • Remember to re enable the protection again after combofix has finished
    --------------------------------------------------------------------
    2. Close any open browsers and any other programs you might have running
    Double click on renamed combofix.exe & follow the prompts.​
    If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?"
    Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
    When finished, it will produce a report for you.
    Please post the "C:\ComboFix.txt" for further review


    ****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read HERE why we disable autoruns

    Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

    Please tell us if it has cured the problems or if there are any outstanding issues
     
  4. Neopacket

    Neopacket Thread Starter

    Joined:
    Jul 9, 2012
    Messages:
    4
    Thanks so much for your time, I followed the directions fully and...

    Below is the combo Fix log,
    AVG Still sees the Services.exe file as being infected.
    it looked like Combo Fix tried to fix it but it went on to the next step too fast for me to see if it was successful in any way with it.

    -Neopacket


    ComboFix 12-07-10.01 - Neopacket 07/10/2012 22:25:53.1.4 - x64
    Microsoft Windows 7 GAMER™ 2010 6.1.7600.0.1252.1.1033.18.8190.6308 [GMT -7:00]
    Running from: c:\users\Neopacket\Desktop\username123.exe
    AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files (x86)\SelectRebates
    c:\program files (x86)\SelectRebates\FFToolbar\chrome.manifest
    c:\program files (x86)\SelectRebates\FFToolbar\chrome\sahtoolbar.jar
    c:\program files (x86)\SelectRebates\FFToolbar\defaults\preferences\sahtoolbar.js
    c:\program files (x86)\SelectRebates\FFToolbar\install.rdf
    c:\program files (x86)\SelectRebates\SahImages\alert.png
    c:\program files (x86)\SelectRebates\SahImages\check.png
    c:\program files (x86)\SelectRebates\SahImages\close.png
    c:\program files (x86)\SelectRebates\SelectAlerts.dat
    c:\program files (x86)\SelectRebates\SelectRebates.exe
    c:\program files (x86)\SelectRebates\SelectRebates.ini
    c:\program files (x86)\SelectRebates\SelectRebatesA.dat
    c:\program files (x86)\SelectRebates\SelectRebatesApi.exe
    c:\program files (x86)\SelectRebates\SelectRebatesB.dat
    c:\program files (x86)\SelectRebates\SelectRebatesBT.dat
    c:\program files (x86)\SelectRebates\SelectRebatesDownload.exe
    c:\program files (x86)\SelectRebates\SelectRebatesUninstall.exe
    c:\program files (x86)\SelectRebates\SRebates.dll
    c:\program files (x86)\SelectRebates\SRFF3.dll
    c:\program files (x86)\SelectRebates\Toolbar\AddtoList.bmp
    c:\program files (x86)\SelectRebates\Toolbar\basis.xml
    c:\program files (x86)\SelectRebates\Toolbar\Basis.xml.dym
    c:\program files (x86)\SelectRebates\Toolbar\Blank.bmp
    c:\program files (x86)\SelectRebates\Toolbar\CashBack.bmp
    c:\program files (x86)\SelectRebates\Toolbar\Coupons.bmp
    c:\program files (x86)\SelectRebates\Toolbar\GroceryCoupon.bmp
    c:\program files (x86)\SelectRebates\Toolbar\i_magnifying.bmp
    c:\program files (x86)\SelectRebates\Toolbar\icons.bmp
    c:\program files (x86)\SelectRebates\Toolbar\logo.bmp
    c:\program files (x86)\SelectRebates\Toolbar\logo_24.bmp
    c:\program files (x86)\SelectRebates\Toolbar\logo_HotSpots.bmp
    c:\program files (x86)\SelectRebates\Toolbar\ReviewSite.bmp
    c:\program files (x86)\SelectRebates\Toolbar\RightControls.dym
    c:\program files (x86)\SelectRebates\Toolbar\sahtb-alert.bmp
    c:\program files (x86)\SelectRebates\Toolbar\sahtb-go.bmp
    c:\program files (x86)\SelectRebates\Toolbar\sahtb-grocerycoupons.bmp
    c:\program files (x86)\SelectRebates\Toolbar\sahtb-icons.bmp
    c:\program files (x86)\SelectRebates\Toolbar\sahtb-restaurant.bmp
    c:\program files (x86)\SelectRebates\Toolbar\sahtb-wishlist.bmp
    c:\program files (x86)\SelectRebates\Toolbar\Scissors.bmp
    c:\program files (x86)\SelectRebates\Toolbar\ShopAtHomeToolbar.dll
    c:\program files (x86)\StartNow Toolbar
    c:\program files (x86)\StartNow Toolbar\Reactivate.exe
    c:\program files (x86)\StartNow Toolbar\ReactivateFF.exe
    c:\program files (x86)\StartNow Toolbar\Resources\images\btn-msn.png
    c:\program files (x86)\StartNow Toolbar\Resources\images\chevronButton.png
    c:\program files (x86)\StartNow Toolbar\Resources\images\engine_images.png
    c:\program files (x86)\StartNow Toolbar\Resources\images\engine_maps.png
    c:\program files (x86)\StartNow Toolbar\Resources\images\engine_news.png
    c:\program files (x86)\StartNow Toolbar\Resources\images\engine_videos.png
    c:\program files (x86)\StartNow Toolbar\Resources\images\engine_web.png
    c:\program files (x86)\StartNow Toolbar\Resources\images\icon_amazon.png
    c:\program files (x86)\StartNow Toolbar\Resources\images\icon_ebay.png
    c:\program files (x86)\StartNow Toolbar\Resources\images\icon_facebook.png
    c:\program files (x86)\StartNow Toolbar\Resources\images\icon_games.png
    c:\program files (x86)\StartNow Toolbar\Resources\images\icon_msn.png
    c:\program files (x86)\StartNow Toolbar\Resources\images\icon_shopping.png
    c:\program files (x86)\StartNow Toolbar\Resources\images\icon_travel.png
    c:\program files (x86)\StartNow Toolbar\Resources\images\icon_twitter.png
    c:\program files (x86)\StartNow Toolbar\Resources\images\separator.png
    c:\program files (x86)\StartNow Toolbar\Resources\images\splitter.png
    c:\program files (x86)\StartNow Toolbar\Resources\images\startnow_logo.png
    c:\program files (x86)\StartNow Toolbar\Resources\installer.xml
    c:\program files (x86)\StartNow Toolbar\Resources\skin\chevron_button.png
    c:\program files (x86)\StartNow Toolbar\Resources\skin\searchbox_button_hover.png
    c:\program files (x86)\StartNow Toolbar\Resources\skin\searchbox_button_normal.png
    c:\program files (x86)\StartNow Toolbar\Resources\skin\searchbox_dropdown_button_normal.png
    c:\program files (x86)\StartNow Toolbar\Resources\skin\searchbox_input_background.png
    c:\program files (x86)\StartNow Toolbar\Resources\skin\searchbox_input_left.png
    c:\program files (x86)\StartNow Toolbar\Resources\skin\searchbox_input_middle.png
    c:\program files (x86)\StartNow Toolbar\Resources\skin\separator.png
    c:\program files (x86)\StartNow Toolbar\Resources\skin\splitter.png
    c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ff_hover_c.png
    c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_c.png
    c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_l.png
    c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_r.png
    c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_c.png
    c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_l.png
    c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_r.png
    c:\program files (x86)\StartNow Toolbar\Resources\toolbar.xml
    c:\program files (x86)\StartNow Toolbar\Resources\update.xml
    c:\program files (x86)\StartNow Toolbar\StartNowToolbarUninstall.exe
    c:\program files (x86)\StartNow Toolbar\Toolbar32.dll
    c:\program files (x86)\StartNow Toolbar\ToolbarBroker.exe
    c:\program files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe
    c:\program files (x86)\StartNow Toolbar\uninstall.dat
    c:\program files (x86)\StartNow Toolbar\XBrowser.dll
    c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}
    c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome.manifest
    c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\bar.js
    c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\bar.xul
    c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\buttons.js
    c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\constants.js
    c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\events.js
    c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\globals.js
    c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\hosts.js
    c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\init.js
    c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\injection_button.js
    c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\popups.js
    c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\printerExternalAccessFF.js
    c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\engine_images.png
    c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\engine_maps.png
    c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\engine_news.png
    c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\engine_videos.png
    c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\engine_web.png
    c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\icon_amazon.png
    c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\icon_ebay.png
    c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\icon_facebook.png
    c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\icon_games.png
    c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\icon_msn.png
    c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\icon_shopping.png
    c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\icon_travel.png
    c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\icon_twitter.png
    c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\startnow_logo.png
    c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\installer.xml
    c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\chevron_button.png
    c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\searchbox_button_hover.png
    c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\searchbox_button_normal.png
    c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\searchbox_dropdown_button_normal.png
    c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\searchbox_input_background.png
    c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\searchbox_input_left.png
    c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\searchbox_input_middle.png
    c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\separator.png
    c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\splitter.png
    c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\toolbarbutton_ff_hover_c.png
    c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\toolbarbutton_ie_hover_c.png
    c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\toolbarbutton_ie_hover_l.png
    c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\toolbarbutton_ie_hover_r.png
    c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\toolbarbutton_ie_normal_c.png
    c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\toolbarbutton_ie_normal_l.png
    c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\toolbarbutton_ie_normal_r.png
    c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\toolbar.xml
    c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\locale\en-US\{5911488E-9D1E-40ec-8CBB-06B231CC153F}.dtd
    c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\skin\overlay.css
    c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\install.rdf
    c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\searchplugins\bing-zugo.xml
    c:\windows\assembly\GAC_32\Desktop.ini
    c:\windows\assembly\GAC_64\Desktop.ini
    c:\windows\Installer\{b9af5121-d9a5-3843-c50f-7d13d76d9a80}\@
    c:\windows\Installer\{b9af5121-d9a5-3843-c50f-7d13d76d9a80}\L\00000004.@
    c:\windows\Installer\{b9af5121-d9a5-3843-c50f-7d13d76d9a80}\L\1afb2d56
    c:\windows\Installer\{b9af5121-d9a5-3843-c50f-7d13d76d9a80}\L\201d3dde
    c:\windows\Installer\{b9af5121-d9a5-3843-c50f-7d13d76d9a80}\U\00000004.@
    c:\windows\Installer\{b9af5121-d9a5-3843-c50f-7d13d76d9a80}\U\00000008.@
    c:\windows\Installer\{b9af5121-d9a5-3843-c50f-7d13d76d9a80}\U\000000cb.@
    c:\windows\Installer\{b9af5121-d9a5-3843-c50f-7d13d76d9a80}\U\80000000.@
    c:\windows\Installer\{b9af5121-d9a5-3843-c50f-7d13d76d9a80}\U\80000032.@
    c:\windows\Installer\{b9af5121-d9a5-3843-c50f-7d13d76d9a80}\U\80000064.@
    .
    c:\windows\system32\Services.exe . . . is infected!!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_Updater Service for StartNow Toolbar
    -------\Service_Updater Service for StartNow Toolbar
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-11 to 2012-07-11 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-09 04:41 . 2012-07-09 04:41 -------- d-----w- c:\program files\CCleaner
    2012-07-09 04:39 . 2012-07-09 04:39 388096 ----a-r- c:\users\Neopacket\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2012-07-09 04:39 . 2012-07-09 04:39 -------- d-----w- c:\program files (x86)\Trend Micro
    2012-07-08 19:21 . 2012-07-08 19:21 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-07-08 19:21 . 2012-07-08 19:21 -------- d-----w- c:\windows\system32\Macromed
    2012-07-08 19:20 . 2012-07-08 19:20 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
    2012-07-08 19:15 . 2012-07-08 19:15 -------- d-----w- c:\users\Neopacket\AppData\Roaming\DVD Flick
    2012-07-08 19:14 . 2012-07-08 19:19 -------- d-----w- c:\program files (x86)\Solid Mp4 to DVD Converter and Burner
    2012-07-08 19:14 . 2004-03-09 07:00 212240 ----a-w- c:\windows\SysWow64\richtx32.ocx
    2012-07-08 19:14 . 2000-11-05 22:27 36864 ----a-w- c:\windows\SysWow64\trayicon.ocx
    2012-07-08 19:14 . 2000-05-20 00:56 81920 ----a-w- c:\windows\SysWow64\mbmouse.ocx
    2012-07-08 18:06 . 2012-07-08 18:06 -------- d-----w- c:\users\Neopacket\AppData\Local\Aimersoft
    2012-07-08 18:06 . 2012-07-08 18:06 -------- d-----w- c:\program files (x86)\Common Files\Aimersoft
    2012-07-08 18:06 . 2012-07-08 18:06 -------- d-----w- c:\program files (x86)\Aimersoft
    2012-07-07 21:39 . 2012-07-09 03:51 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
    2012-06-21 14:06 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-21 14:06 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
    2012-06-21 14:06 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-21 14:06 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-21 14:06 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
    2012-06-21 14:06 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-21 14:06 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-21 14:06 . 2012-06-02 22:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-21 14:06 . 2012-06-02 22:15 36864 ----a-w- c:\windows\system32\wuapp.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-08 19:21 . 2011-05-21 04:09 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-04-19 11:50 . 2012-04-19 11:50 28480 ----a-w- c:\windows\system32\drivers\avgidsha.sys
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [7] 2009-07-14 . 24ACB7E5BE595468E3B9AA488B9B4FCB . 328704 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
    [-] 2009-07-14 . 50BEA589F7D7958BDD2528A8F69D05CC . 329216 . . [6.1.7600.16385] .. c:\windows\system32\services.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2011-01-20 1305408]
    "Sidebar"="c:\program files (x86)\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
    "cdloader"="c:\users\Neopacket\AppData\Roaming\mjusbsp\cdloader2.exe" [2011-05-16 50592]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "googletalk"="c:\program files (x86)\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
    "WinampAgent"="c:\program files (x86)\Winamp\winampa.exe" [2010-12-09 74752]
    "GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-01-25 421160]
    "AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "HTC Sync Loader"="c:\program files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe" [2011-08-22 593920]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Welcome Center"="c:\windows\system32\rundll32.exe" [2009-07-14 44544]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1475072]
    "DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2011-01-20 1305408]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 0 (0x0)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack"= 1 (0x1)
    "NoSMBalloonTip"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
    .
    R3 HTCAND64;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [2009-11-03 33736]
    R3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\DRIVERS\htcnprot.sys [2010-06-25 36928]
    R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-08 113120]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2010-12-14 51712]
    R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [2008-05-07 14464]
    S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys [2012-04-19 28480]
    S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [2012-01-31 36944]
    S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2011-02-06 834544]
    S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [2012-02-22 289872]
    S1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [2011-12-23 47696]
    S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [2012-03-19 383808]
    S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2011-02-06 254528]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-04-04 63928]
    S2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2012\AVGIDSAgent.exe [2012-04-30 5106744]
    S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe [2012-02-14 193288]
    S2 PassThru Service;Internet Pass-Through Service;c:\program files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [2011-08-13 87040]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-01-08 378984]
    S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys [2011-12-23 124496]
    S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\avgidsfiltera.sys [2011-12-23 29776]
    S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2010-11-11 155752]
    .
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "combofix"="c:\username123\CF29290.3XE" [2009-07-14 344576]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.startnow.com/?src=startpage&provider=Bing&provider_code=Z059&partner_id=308&product_id=435&affiliate_id=&channel=rjddr&toolbar_id=200&toolbar_version=2.0&install_country=US&install_date=20110529&user_guid=5B528C7D23DA4699A4630BCF1BB83F1C&machine_id=41543faf3bc14f6b04c96dd388454f79&browser=IE&os=win&os_version=6.1-x64-SP0
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
    LSP: mswsock.dll
    TCP: Interfaces\{AEABFCC4-4460-4AAD-9929-9187D54F79DE}: NameServer = 192.168.1.1
    FF - ProfilePath - c:\users\Neopacket\AppData\Roaming\Mozilla\Firefox\Profiles\quwnsejv.default\
    FF - prefs.js: browser.startup.homepage - about:home
    FF - prefs.js: keyword.URL - hxxp://www.startnow.com/s/?src=addrbar&provider=Bing&provider_code=Z059&partner_id=308&product_id=435&affiliate_id=&channel=rjddr&toolbar_id=200&toolbar_version=2.0&install_country=US&install_date=20110529&user_guid=5B528C7D23DA4699A4630BCF1BB83F1C&machine_id=41543faf3bc14f6b04c96dd388454f79&browser=FF&os=win&os_version=6.1-x64-SP0&q=
    FF - prefs.js: network.proxy.type - 0
    .
    - - - - ORPHANS REMOVED - - - -
    .
    AddRemove-StartNow Toolbar - c:\program files (x86)\StartNow Toolbar\StartNowToolbarUninstall.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Bonjour\mDNSResponder.exe
    c:\program files (x86)\IObit\Game Booster\gbtray.exe
    .
    **************************************************************************
    .
    Completion time: 2012-07-10 22:33:46 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-07-11 05:33
    .
    Pre-Run: 564,599,422,976 bytes free
    Post-Run: 564,424,470,528 bytes free
    .
    - - End Of File - - 18C5DC3E84E20921D217313DB70EBEC5
     
  5. dvk01

    dvk01 Derek Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    47,801
    that has just showed me that you have a pirated version of windows
    Before I consider carrying on with any fixes

    Please run the MGA Diagnostic Tool and post back the report it creates:
    • Download MGADiag to your desktop.
    • Double-click on MGADiag.exe to launch the program
    • Click "Continue"
    • Ensure that the "Windows" tab is selected (it should be by default).
    • Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
    • Paste the MGA Diagnostic Report back here in your next reply.

    Please download and run WVCheck.
    • Double-click WVCheck.exe.
    • As indicated by the prompt, this program can take a while depending on your hard drive space.
    • Once the program is done, copy the contents of the Notepad file as a reply.
     
  6. Neopacket

    Neopacket Thread Starter

    Joined:
    Jul 9, 2012
    Messages:
    4
    I do not have a pirate copy of windows, I paid for windows 7 Ultimate, I have the windows sticker Sticker on my case. My friend Brian built my computer for me a couple of years ago and said he would customize the theme for me. Is there something illegal with my theme? Did that let the Trojan in?

    I ran the files you asked me to run, below is the text from the 2 of them.
    Thanks for any help.
    WVcheck

    Windows Validation Check
    Version: 1.9.12.5
    Log Created On: 1954_11-07-2012
    -----------------------

    Windows Information
    -----------------------
    Windows Version: Windows 7
    Windows Mode: Normal
    Systemroot Path: C:\Windows

    WVCheck's Auto Update Check
    -----------------------
    Auto-Update Option: Download updates automatically, but ask me when I want to install them.
    -----------------------
    Last Success Time for Update Detection: 2012-07-11 11:48:58
    Last Success Time for Update Download: 2012-01-08 18:21:21
    Last Success Time for Update Installation: 2012-02-01 08:34:47


    WVCheck's Registry Check Check
    -----------------------
    Antiwpa: Not Found
    -----------------------
    Chew7Hale: Not Found
    -----------------------


    WVCheck's File Dump
    -----------------------
    C:\Windows\System32\slwga.dll
    Size: 13824 bytes
    Creation; 13/7/2009 16:36:22
    Modification; 13/7/2009 18:16:15
    MD5; 01fe4bdd0b47a7d8bf34d78d2bc23ddb
    Matched: slwga.dll
    -----------------------
    C:\Windows\SysWOW64\slwga.dll
    Size: 13824 bytes
    Creation; 13/7/2009 16:36:22
    Modification; 13/7/2009 18:16:15
    MD5; 01fe4bdd0b47a7d8bf34d78d2bc23ddb
    Matched: slwga.dll
    -----------------------
    C:\Windows\winsxs\amd64_microsoft-windows-security-spp-wga_31bf3856ad364e35_6.1.7600.16385_none_5b467ba9bd0679bb\slwga.dll
    Size: 14848 bytes
    Creation; 13/7/2009 16:52:11
    Modification; 13/7/2009 18:41:54
    MD5; cc03cf9f24946dcbd70acb3e1b2f05bf
    Matched: slwga.dll
    -----------------------
    C:\Windows\winsxs\x86_microsoft-windows-security-spp-wga_31bf3856ad364e35_6.1.7600.16385_none_ff27e02604a90885\slwga.dll
    Size: 13824 bytes
    Creation; 13/7/2009 16:36:22
    Modification; 13/7/2009 18:16:15
    MD5; 01fe4bdd0b47a7d8bf34d78d2bc23ddb
    Matched: slwga.dll
    -----------------------


    WVCheck's Dir Dump
    -----------------------
    WVCheck found no known bad directories.


    WVCheck's Missing File Check
    -----------------------
    WVCheck found no missing Windows files.


    WVCheck's MBAM Quarantine Check
    -----------------------
    There were no bad files quarantined by MBAM.


    WVCheck's HOSTS File Check
    -----------------------
    WVCheck found no bad lines in the hosts file.


    WVCheck's MD5 Check
    EXPERIMENTAL!!
    -----------------------
    user32.dll - e8b0ffc209e504cb7e79fc24e6c085f0


    -------- End of File, program close at 1956_11-07-2012 --------


    MGADiag

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0
    Cached Online Validation Code: N/A, hr = 0xc004f012
    Windows Product Key: *****-*****-GJY49-VJBQ7-HYRR2
    Windows Product Key Hash: W5/6nm6F2UPXrCkY5xUhXb/+21g=
    Windows Product ID: 00426-OEM-8992662-00006
    Windows Product ID Type: 2
    Windows License Type: OEM SLP
    Windows OS version: 6.1.7600.2.00010100.0.0.001
    ID: {DF458637-5AB8-4411-8337-35900B4679C4}(1)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows Seven Black Edition
    Architecture: 0x00000009
    Build lab: 7600.win7_rtm.090713-1255
    TTS Error:
    Validation Diagnostic:
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 100 Genuine
    Microsoft Office Enterprise 2007 - 100 Genuine
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files (x86)\Mozilla Firefox 4.0 Beta 10\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->
    File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[Hr = 0x80070003]
    File Mismatch: C:\Windows\system32\wat\npwatweb.dll[Hr = 0x80070003]
    File Mismatch: C:\Windows\system32\wat\watux.exe[Hr = 0x80070003]
    File Mismatch: C:\Windows\system32\wat\watweb.dll[Hr = 0x80070003]
    File Mismatch: C:\Windows\system32\slui.exe[6.1.7600.16385], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7600.16385], Hr = 0x800b0100

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{DF458637-5AB8-4411-8337-35900B4679C4}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7600.2.00010100.0.0.001</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-HYRR2</PKey><PID>00426-OEM-8992662-00006</PID><PIDType>2</PIDType><SID>S-1-5-21-1368505747-1608405879-1355149246</SID><SYSTEM><Manufacturer>System manufacturer</Manufacturer><Model>System Product Name</Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies, LTD</Manufacturer><Version>ASUS M3N-HT Deluxe ACPI BIOS Revision 3202</Version><SMBIOSVersion major="2" minor="5"/><Date>20100728000000.000000+000</Date></BIOS><HWID>91BA3607018400F2</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Pacific Standard Time(GMT-08:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>ACRSYS</OEMID><OEMTableID>ACRPRDCT</OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90120000-0030-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Enterprise 2007</Name><Ver>12</Ver><Val>100D8B005DC0586</Val><Hash>63Ggc8qJqCD64MiH08mFtHMdFYw=</Hash><Pid>89388-707-1264422-65684</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="44" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/><App Id="BA" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Software licensing service version: 6.1.7600.16385

    Name: Windows(R) 7, Ultimate edition
    Description: Windows Operating System - Windows(R) 7, OEM_SLP channel
    Activation ID: 7cfd4696-69a9-4af7-af36-ff3d12b6b6c8
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 00426-00178-926-600006-02-1033-7600.0000-0372011
    Installation ID: 009965098432920871558371971736714054695184220674179911
    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
    Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
    Partial Product Key: HYRR2
    License Status: Licensed
    Remaining Windows rearm count: 1
    Trusted time: 7/11/2012 7:54:14 PM

    Windows Activation Technologies-->
    HrOffline: 0x00000000
    HrOnline: N/A
    HealthStatus: 0x0000000000000000
    Event Time Stamp: N/A
    ActiveX: Not Registered - 0x80040154
    Admin Service: Not Registered - 0x80040154
    HealthStatus Bitmask Output:


    HWID Data-->
    HWID Hash Current: OgAAAAIABgABAAEAAAADAAAAAQABAAEAln1Qp/i0dxYA14DAlpK4VFYQBp7A+4htgjKiofUU2O/Wxw==

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x20001
    OEMID and OEMTableID Consistent: yes
    BIOS Information:
    ACPI Table Name OEMID Value OEMTableID Value
    APIC Nvidia ASUSACPI
    FACP Nvidia ASUSACPI
    HPET Nvidia ASUSACPI
    MCFG Nvidia ASUSACPI
    SLIC ACRSYS ACRPRDCT
     
  7. dvk01

    dvk01 Derek Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    47,801
    sorry windows 7 black edition is not a legal windows version
    closed topic
     
  8. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/1060218