Thread: IDP.Trojan.1C8D1A13 & Crypt.AQLW

  1. #21
    Senior Member
    Join Date
    Sep 2010
    Posts
    631


    Hi jacknjaspa,



    Please read through the instructions to familiarize yourself with what to expect when the tool runs.

    It is vitally important that combofix is renamed before it is even started to download


    Please download ComboFix from Link 1 or Link 2 to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

    • If you are using Firefox, make sure that your download settings are as follows:
      -Tools->Options->Main tab
      -Set to "Always ask me where to Save the files".
    • During the download, before you save it to your desktop, rename Combofix to jgh.exe


    • It is important you rename Combofix during the download, but not after.
    • Please do not rename Combofix to other names, but only to the one indicated.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix


    -----------------------------------------------------------
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------
    • Double click on ComboFix.exe (jgh.exe in your case) & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.**


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

    Notes:

    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Please post back with
    • combofix log
    How is the computer?

    Thanks
    Member of UNITE and ASAP

  2. #22
    Member
    Join Date
    Apr 2012
    Posts
    42


    Hi there, it's taken a long time but it has finally gone through to the following:
    System file is infected!! Attempting to restore
    "C:WINDOWS\system32\drivers\cdrom.sys"
    Suceesfully restored


    It's now been hanging on this for over 15 minutes.....do I just keep waiting?

  3. #23
    Member
    Join Date
    Apr 2012
    Posts
    42


    Hope I haven't stuffed it up. I ended up closing the window as nothing happened for nearly 25 mins.

    I had to restart the PC but can't find the combofix.txt file (did a search on the C drive but nothing there). Have I done something wrong?

  4. #24
    Senior Member
    Join Date
    Sep 2010
    Posts
    631


    Hi jacknjaspa,

    Sometimes it takes quite a while for the log, especially on a heavily infected machine. Have a look in C:\Qoobox for a file named ComboFix-quarantined-files.txt

    If it's there please post it.

    Rerun combofix; it may look like it's stalled, but if there is any hint of hard drive activity it's still running. It may have fixed some things in the first run and may run quicker this time.

    Post the combofix log when you get it.
    Member of UNITE and ASAP

  5. #25
    Member
    Join Date
    Apr 2012
    Posts
    42


    Ok. Back home from work & ran it again & just left it alone for half an hour. Came back & log.txt was opened & I'm assuming this is the correct file (I hope so & sorry if it's not).


    ComboFix 12-04-26.01 - Cameron 27/04/2012 18:31:21.2.2 - x86
    Running from: c:\documents and settings\Cameron\Desktop\jgh.exe
    AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run -------
    .
    c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
    c:\documents and settings\All Users.WINDOWS\Application Data\TEMP\{324F76CC-D8DD-4D87-B77D-D4AF5E1AA7B3}\PostBuild.exe
    c:\documents and settings\All Users.WINDOWS\Application Data\TEMP\{324F76CC-D8DD-4D87-B77D-D4AF5E1AA7B3}\Setup.ilg
    c:\documents and settings\All Users.WINDOWS\Application Data\TEMP\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}\PostBuild.exe
    c:\documents and settings\All Users.WINDOWS\Application Data\TEMP\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}\Setup.exe
    c:\documents and settings\All Users.WINDOWS\Application Data\TEMP\{E8C64028-08E5-4BF0-B1C0-DBAAC6A77DF1}\PostBuild.exe
    c:\documents and settings\Cameron.old\WINDOWS
    c:\documents and settings\Cameron\My Documents\$AP318.tmp
    c:\documents and settings\Cameron\My Documents\$AP3D1.tmp
    c:\documents and settings\Cameron\My Documents\pub1DD.tmp
    C:\install.exe
    c:\program files\FunWebProducts
    c:\program files\FunWebProducts\Installr\1.bin\F3EZSETP.DLL
    c:\program files\FunWebProducts\Installr\1.bin\F3PLUGIN.DLL
    c:\program files\FunWebProducts\Installr\1.bin\NPFUNWEB.DLL
    c:\program files\Internet Explorer\SET1D2.tmp
    c:\program files\Internet Explorer\SET1FE.tmp
    c:\program files\RewardsArcade
    c:\program files\RewardsArcade\appAPIinternalWrapper.js
    c:\program files\RewardsArcade\fb.js
    c:\program files\RewardsArcade\jquery.js
    c:\program files\RewardsArcade\json.js
    c:\program files\RewardsArcade\RewardsArcade.dll
    c:\program files\RewardsArcade\RewardsArcade.exe
    c:\program files\RewardsArcade\Uninstall.exe
    c:\program files\RewardsArcade\UserConfirmation.exe
    C:\Thumbs.db
    c:\windows\system32\_000006_.tmp.dll
    c:\windows\system32\SET1C1.tmp
    c:\windows\system32\SET1C2.tmp
    c:\windows\system32\SET1C6.tmp
    c:\windows\system32\SET1C7.tmp
    c:\windows\system32\SET1C8.tmp
    c:\windows\system32\SET1CC.tmp
    c:\windows\system32\SET1CE.tmp
    c:\windows\system32\SET203.tmp
    c:\windows\system32\SET205.tmp
    c:\windows\system32\SET209.tmp
    c:\windows\system32\SET20A.tmp
    c:\windows\system32\SET20B.tmp
    c:\windows\system32\SET20F.tmp
    c:\windows\system32\SET210.tmp
    c:\windows\system32\SETBE.tmp
    c:\windows\system32\urttemp
    c:\windows\system32\urttemp\fusion.dll
    c:\windows\system32\urttemp\mscoree.dll
    c:\windows\system32\urttemp\mscoree.dll.local
    c:\windows\system32\urttemp\mscorsn.dll
    c:\windows\system32\urttemp\mscorwks.dll
    c:\windows\system32\urttemp\msvcr71.dll
    c:\windows\system32\urttemp\regtlib.exe
    G:\AUTORUN.INF
    .
    -- Previous Run --
    .
    Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
    Restored copy from - c:\system volume information\_restore{0D95BA26-366A-429A-9C57-0099E7D1AE60}\RP407\A0089135.sys
    .
    --------
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-03-27 to 2012-04-27 )))))))))))))))))))))))))))))))
    .
    .
    2012-04-26 13:57 . 2012-04-26 13:57 -------- d-----w- C:\_OTL
    2012-04-26 13:57 . 2011-07-10 17:14 295248 -c--a-w- c:\windows\system32\dllcache\avgtdix.sys
    2012-04-25 13:18 . 2012-04-25 22:49 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-04-24 05:19 . 2012-04-24 05:20 -------- d-----w- c:\documents and settings\Cameron\Local Settings\Application Data\NPE
    2012-04-24 05:19 . 2012-04-24 05:19 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Norton
    2012-04-24 05:08 . 2012-04-24 05:08 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\COMODO
    2012-04-24 05:08 . 2012-04-24 05:08 -------- d-----w- c:\documents and settings\Cameron\Application Data\Comodo
    2012-04-23 17:39 . 2012-04-23 17:39 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Apple Computer
    2012-04-23 00:07 . 2012-04-24 07:35 -------- d-----w- c:\documents and settings\Cameron\Application Data\Uqycux
    2012-04-23 00:07 . 2012-04-23 00:07 -------- d-----w- c:\documents and settings\Cameron\Application Data\Rofeen
    2012-04-22 15:48 . 2012-04-22 15:48 -------- d-----w- c:\documents and settings\Cameron\Local Settings\Application Data\Identities
    2012-04-22 15:47 . 2012-04-24 05:12 -------- d-----w- c:\documents and settings\Cameron\Application Data\Ydod
    2012-04-22 15:47 . 2012-04-23 00:28 -------- d-----w- c:\documents and settings\Cameron\Application Data\Ypaxad
    2012-04-20 00:23 . 2012-04-20 00:38 -------- d-----w- C:\sh4ldr
    2012-04-20 00:23 . 2012-04-20 00:23 -------- d-----w- c:\program files\Enigma Software Group
    2012-04-20 00:21 . 2012-04-20 00:38 -------- d-----w- c:\windows\4E0C6314A8B84026AC15084E8B63AFB5.TMP
    2012-04-20 00:21 . 2012-04-20 00:21 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2012-04-19 23:48 . 2012-04-24 07:35 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\F4D55F2C000BBBB74E027CC6D151FC4E
    2012-04-17 00:41 . 2012-04-17 00:41 -------- d--h--w- c:\documents and settings\All Users.WINDOWS\Application Data\CanonIJFAX
    2012-04-17 00:40 . 2010-09-13 06:44 106496 ----a-w- c:\windows\system32\CNC410U.dll
    2012-04-17 00:40 . 2010-09-13 06:42 1347584 ----a-w- c:\windows\system32\CNC410C.dll
    2012-04-17 00:40 . 2010-09-13 06:42 114688 ----a-w- c:\windows\system32\CNC410I.dll
    2012-04-17 00:40 . 2010-09-06 09:03 315392 ----a-w- c:\windows\system32\CNC410L.dll
    2012-04-17 00:36 . 2012-04-19 02:05 -------- d-----w- c:\documents and settings\Cameron\Application Data\Canon Easy-WebPrint EX
    2012-04-17 00:32 . 2010-10-20 21:00 257024 ----a-w- c:\windows\system32\CNCALAL.DLL
    2012-04-17 00:32 . 2012-04-17 00:32 -------- d--h--w- c:\documents and settings\All Users.WINDOWS\Application Data\CanonBJ
    2012-04-17 00:31 . 2010-09-19 21:00 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\CNMPPAL.DLL
    2012-04-17 00:31 . 2010-09-19 21:00 303104 ----a-w- c:\windows\system32\CNMLMAL.DLL
    2012-04-17 00:31 . 2010-09-19 21:00 28672 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\CNMPDAL.DLL
    2012-04-17 00:31 . 2012-04-17 00:31 -------- d--h--w- c:\windows\system32\CanonIJ Uninstaller Information
    2012-04-17 00:31 . 2010-06-03 06:11 94208 ----a-w- c:\windows\system32\CNC410O.dll
    2012-04-17 00:31 . 2010-09-07 01:58 180224 ----a-w- c:\windows\system32\CNMIUAL.DLL
    2012-04-17 00:31 . 2012-04-17 00:31 -------- d--h--w- c:\program files\CanonBJ
    2012-04-07 08:55 . 2012-04-07 08:55 -------- d-----w- C:\found.000
    2012-04-07 07:42 . 2012-04-07 07:45 -------- d-----w- C:\big w prints
    2012-04-07 07:07 . 2012-04-19 02:23 -------- d-----w- C:\Vuze
    2012-04-07 06:48 . 2012-04-07 06:57 -------- d-----w- C:\To Transfer
    2012-04-06 00:19 . 2012-04-14 15:02 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-04-01 03:09 . 2012-04-01 03:09 -------- d-----r- C:\g on Home PC (B03f21ae66bf49c)
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-04-26 14:10 . 2011-04-04 16:59 295248 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2012-04-25 13:22 . 2008-04-14 12:00 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
    2012-04-25 13:22 . 2008-04-14 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
    2012-04-14 15:02 . 2011-06-17 23:36 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-03-01 11:01 . 2008-04-14 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-03-01 11:01 . 2008-04-14 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
    2012-03-01 11:01 . 2008-04-14 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2012-02-29 14:10 . 2008-04-14 12:00 177664 ----a-w- c:\windows\system32\wintrust.dll
    2012-02-29 14:10 . 2008-04-14 12:00 148480 ------w- c:\windows\system32\imagehlp.dll
    2012-02-29 12:17 . 2008-04-14 12:00 385024 ------w- c:\windows\system32\html.iec
    2012-02-15 03:01 . 2011-12-15 14:13 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
    2012-02-15 03:01 . 2011-12-15 14:13 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    2012-02-07 03:02 . 2012-02-07 03:02 1070352 ----a-w- c:\windows\system32\MSCOMCTL.OCX
    2012-02-03 09:22 . 2008-04-14 12:00 1860096 ------w- c:\windows\system32\win32k.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-03-29 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
    "LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
    "UpdatePDRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-06 222504]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-03 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
    "RTHDCPL"="RTHDCPL.EXE" [2010-04-06 19523104]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-26 421736]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-07-25 2569616]
    "CanonSolutionMenuEx"="c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-09-14 1213848]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    c:\documents and settings\Cameron\Start Menu\Programs\Startup\
    My Program.lnk - c:\program files\FingerPrint\FingerPrint.exe [2012-2-15 924728]
    .
    c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
    NETGEAR WG311T Smart Wizard.lnk - c:\program files\NETGEAR\WG311T\wlancfg5.exe [2006-9-15 1503232]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\CinemaNow\\CinemaNow Media Manager\\CinemaNowShell.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
    "c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Vuze\\Azureus.exe"=
    "c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
    "c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
    "c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
    "c:\\Program Files\\FingerPrint\\FingerPrintService.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\Plex\\Plex Media Server\\Plex Media Server.exe"=
    "c:\\Program Files\\Plex\\Plex Media Server\\PlexScriptHost.exe"=
    "c:\\Program Files\\Plex\\Plex Media Center\\Plex.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Safari\\Safari.exe"=
    .
    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [22/02/2011 8:13 AM 23120]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [16/03/2011 4:03 PM 32592]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [7/01/2011 6:41 AM 230608]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [5/04/2011 12:59 AM 295248]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [12/10/2011 6:25 AM 4433248]
    R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [2/08/2011 6:09 AM 192776]
    R2 CinemaNow Service;CinemaNow Service;c:\program files\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe [23/06/2009 5:40 PM 127352]
    R2 FingerPrint;FingerPrint Service;c:\program files\FingerPrint\FingerPrintService.exe -start --> c:\program files\FingerPrint\FingerPrintService.exe -start [?]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [14/04/2011 9:28 PM 134608]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [10/02/2011 7:53 AM 24272]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [10/02/2011 7:53 AM 16720]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 1:16 PM 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [28/03/2012 3:24 PM 116648]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [6/04/2012 8:19 AM 253088]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [10/05/2011 7:04 AM 1691480]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [28/03/2012 3:24 PM 116648]
    S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [15/12/2011 10:13 PM 18432]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [6/05/2008 4:06 PM 11520]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 1:16 PM 753504]
    .
    NETSVCS REQUIRES REPAIRS - current entries shown
    6to4
    AppMgmt
    AudioSrv
    Browser
    CryptSvc
    DMServer
    DHCP
    ERSvc
    EventSystem
    FastUserSwitchingCompatibility
    HidServ
    Ias
    Iprip
    Irmon
    LanmanServer
    LanmanWorkstation
    Messenger
    Netman
    Nla
    Ntmssvc
    NWCWorkstation
    Nwsapagent
    Rasauto
    sqlserveragent
    AVCSTRM
    websensecamreportserver
    vsdatant
    zendcoreapache
    epson_pm_rpcv2_02
    MRESP50a64
    ami0nt
    UPATC
    proxyhostdriver
    AlKernel
    Xponaut_WBD
    beatjammusicstreamingserver
    s616mgmt
    nod32krn
    btfirst
    cpqdmi
    symantecantibotshim
    NWSNS
    cachemgr
    enodpl
    HssTrayService
    deventagent
    sbcssvc
    Sk99202k
    useraccess
    phc600
    ibmpmsvc
    FETNDIS
    rt73
    antivirservice
    stllssvr
    flashcomadmin
    papycpu2
    pilogsrv
    epsonbidirectionalagent
    ibmfilter
    lxby_device
    sit_flt
    EagleNT
    mfeapfk
    videoacceleratorengine
    rslinxng
    vmparport
    BoiHwsetup
    usbatapi2000
    igniteservice.exe
    bthidenum
    ltxred
    p2psvc
    HPFECP20
    IWCA
    UDFReadr
    wpshelper
    serialkeys
    cq_mem
    fcprintservice
    lxcj_device
    CAMFLT
    MSFWHLPR
    pcscnsrv
    uhcd
    bcm43xx
    61883
    GT680x
    oracleorahome92tnslistener
    GTF32BUS
    ibmpmdrv
    IntelC53
    FA312
    ZuneWlanCfgSvc
    spcsutilityservice
    tzontservice
    enxpsvc
    HpqKbFiltr
    3dkeybd
    pshost
    pdlnctdl
    wlluc48
    KMW_USB
    aksusb
    wlancfg
    hsf_dp
    moufiltr
    mks_scan
    dktknsrv
    aswmon2
    dot4print
    EIO_XP
    SE2Cmdm
    snapman
    Si3114r5
    hidgame
    dirms_defragmentation
    elnkservice
    DM9102
    pdlnemsg
    dnwhodisp
    NCPro
    upperdev
    npfmntor
    aslm75
    lusbaudio
    bhmonitorservice
    SiRemFil
    whoisd32
    tfsnopio
    CBN
    se44mgmt
    opcenum
    ANC
    appnnode
    dlaudfam
    AVerBDA
    bglivesvc
    ASMMAP
    clisvc
    snac
    pepifilter
    dtscsi
    sprtsvc_ddoctorv2
    NWADI
    MSCamSvc
    2wirepcp
    freepops
    USB_RNDIS
    sandboxu
    BrPar
    scarddrv
    wmccdsls
    lxdm_device
    StickyMesger
    cmigameport
    ixiaendpoint
    Machnm32
    symantecantibotdriver
    bridgemp
    driverhardwarev2
    TMHIDSRV
    dsbrokerservice
    DCamUSBMke
    ntiopnp
    NxSysMon
    pdengine
    besclient
    iaimfp2
    pmsveh
    SiSRaid2
    DritekPortIO
    sshrmd
    sonytvc
    pavdrv
    nim32
    scsiaccess
    admjoy
    ofcpfwsvc
    ntsyslog
    netdevio
    mcvsrte
    pnrouter
    SrvcEPIOMngr
    backuplauncher
    ltmodem5
    sbhooksvc
    iaimtv2
    HSFHWICH
    belgium_id_card_service
    ccalib8
    tversitymediaserver
    winachcf
    susbser
    Rasman
    Remoteaccess
    Schedule
    Seclogon
    SENS
    Sharedaccess
    SRService
    Tapisrv
    Themes
    TrkWks
    W32Time
    WZCSVC
    Wmi
    WmdmPmSp
    winmgmt
    wscsvc
    xmlprov
    napagent
    hkmsvc
    BITS
    wuauserv
    ShellHWDetection
    helpsvc
    WmdmPmSN
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-04-27 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-06 15:02]
    .
    2012-04-23 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 09:57]
    .
    2012-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-03-28 07:24]
    .
    2012-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-03-28 07:24]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com.au/
    uInternet Settings,ProxyOverride = *.local
    IE: Download with &Media Finder - c:\program files\Media Finder\hook.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 10.1.1.1
    DPF: {82E5DF24-51E8-47CD-864A-F4BD5005AA73} - hxxps://www.icloud.com/system/iCloud.cab
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-10 - (no file)
    SafeBoot-38545416.sys
    SafeBoot-51110031.sys
    AddRemove-RewardsArcade - c:\program files\RewardsArcade\Uninstall.exe
    AddRemove-Smart Fortress 2012 - c:\documents and settings\All Users.WINDOWS\Application Data\F4D55F2C000BBBB74E027CC6D151FC4E\F4D55F2C000BBBB74E027CC6D151FC4E.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-04-27 18:46
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
    "value"="?\05\03\0b\0a;9»"
    .
    Completion time: 2012-04-27 18:48:30
    ComboFix-quarantined-files.txt 2012-04-27 10:48
    .
    Pre-Run: 41,104,412,672 bytes free
    Post-Run: 41,070,153,728 bytes free
    .
    - - End Of File - - 4B6E889FFFC861BD0EBE5A8BAE0C2BC0

  6. #26
    Member
    Join Date
    Apr 2012
    Posts
    42


    I just went & checked the other folder that you told me to check & found the correct one (not sure what the last one I posted means?)

    Pretty sure this is the correct one now.



    2012-04-27 10:47:40 . 2012-04-27 10:47:40 1,306 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Smart Fortress 2012.reg.dat
    2012-04-27 10:47:40 . 2012-04-27 10:47:40 638 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-RewardsArcade.reg.dat
    2012-04-27 10:47:31 . 2012-04-27 10:47:31 558 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-51110031.sys.reg.dat
    2012-04-27 10:47:31 . 2012-04-27 10:47:31 558 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-38545416.sys.reg.dat
    2012-04-27 10:47:22 . 2012-04-27 10:47:22 78 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Toolbar-10.reg.dat
    2012-04-27 10:46:42 . 2012-04-27 10:46:42 373 ----a-w- C:\Qoobox\Quarantine\G\av1.zip
    2012-04-27 10:46:42 . 2007-10-22 19:54:10 90 ----a-w- C:\Qoobox\Quarantine\G\AUTORUN.INF.vir
    2012-04-27 01:30:58 . 2012-04-27 10:45:19 16,593 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
    2012-04-27 00:25:58 . 2012-04-27 10:30:04 255 ----a-w- C:\Qoobox\Quarantine\catchme.log
    2012-01-02 00:41:15 . 2012-01-02 00:41:15 376,264 ----a-w- C:\Qoobox\Quarantine\C\Program Files\RewardsArcade\Uninstall.exe.vir
    2011-11-03 17:39:18 . 2011-11-03 17:39:18 313,176 ----a-w- C:\Qoobox\Quarantine\C\Program Files\RewardsArcade\RewardsArcade.exe.vir
    2011-11-03 17:38:44 . 2011-11-03 17:38:44 528,216 ----a-w- C:\Qoobox\Quarantine\C\Program Files\RewardsArcade\RewardsArcade.dll.vir
    2011-09-21 00:57:34 . 2011-09-21 00:57:34 36,688 ----a-w- C:\Qoobox\Quarantine\C\Program Files\RewardsArcade\appAPIinternalWrapper.js.vir
    2011-09-21 00:57:34 . 2011-09-21 00:57:34 16,102 ----a-w- C:\Qoobox\Quarantine\C\Program Files\RewardsArcade\fb.js.vir
    2011-09-21 00:57:34 . 2011-09-21 00:57:34 172,584 ----a-w- C:\Qoobox\Quarantine\C\Program Files\RewardsArcade\jquery.js.vir
    2011-09-21 00:57:34 . 2011-09-21 00:57:34 10,795 ----a-w- C:\Qoobox\Quarantine\C\Program Files\RewardsArcade\json.js.vir
    2011-09-21 00:57:34 . 2011-09-21 00:57:34 2,512,384 ----a-w- C:\Qoobox\Quarantine\C\Program Files\RewardsArcade\UserConfirmation.exe.vir
    2011-07-30 11:32:26 . 2011-07-30 11:32:24 113,664 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users.WINDOWS\Application Data\Temp\{324F76CC-D8DD-4D87-B77D-D4AF5E1AA7B3}\Setup.ilg.vir
    2011-07-30 11:29:20 . 2010-03-24 21:12:42 42,280 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users.WINDOWS\Application Data\Temp\{E8C64028-08E5-4BF0-B1C0-DBAAC6A77DF1}\PostBuild.exe.vir
    2011-07-30 11:23:28 . 2011-07-30 11:32:02 36,864 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users.WINDOWS\Application Data\Temp\{324F76CC-D8DD-4D87-B77D-D4AF5E1AA7B3}\PostBuild.exe.vir
    2011-07-30 11:22:21 . 2009-05-22 09:15:42 316,712 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users.WINDOWS\Application Data\Temp\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}\Setup.exe.vir
    2011-07-30 11:19:54 . 2010-03-24 21:12:42 42,280 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users.WINDOWS\Application Data\Temp\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}\PostBuild.exe.vir
    2011-07-21 10:18:36 . 2011-07-21 10:18:36 30,264 ----a-w- C:\Qoobox\Quarantine\C\Program Files\FunWebProducts\Installr\1.bin\NPFUNWEB.DLL.vir
    2011-07-21 10:18:36 . 2011-07-21 10:18:36 46,632 ----a-w- C:\Qoobox\Quarantine\C\Program Files\FunWebProducts\Installr\1.bin\F3PLUGIN.DLL.vir
    2011-07-21 10:18:36 . 2011-07-21 10:18:36 218,664 ----a-w- C:\Qoobox\Quarantine\C\Program Files\FunWebProducts\Installr\1.bin\F3EZSETP.DLL.vir
    2011-06-16 19:01:01 . 2011-02-22 23:06:28 247,808 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\SET1FE.tmp.vir
    2011-06-16 19:01:00 . 2011-02-22 23:06:28 11,080,704 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET203.tmp.vir
    2011-06-16 19:01:00 . 2011-02-22 23:06:28 1,991,680 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET205.tmp.vir
    2011-06-16 19:01:00 . 2011-02-22 23:06:29 602,112 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET209.tmp.vir
    2011-06-16 19:01:00 . 2011-02-22 23:06:29 55,296 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET20A.tmp.vir
    2011-06-16 19:01:00 . 2011-02-22 23:06:29 5,962,240 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET20B.tmp.vir
    2011-06-16 19:01:00 . 2011-02-22 23:06:29 1,210,880 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET20F.tmp.vir
    2011-06-16 19:01:00 . 2011-02-22 23:06:29 916,480 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET210.tmp.vir
    2011-06-16 05:23:43 . 2011-04-25 16:11:12 602,112 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET1C8.tmp.vir
    2011-06-16 05:23:43 . 2011-04-25 16:11:12 55,296 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET1C7.tmp.vir
    2011-06-16 05:23:42 . 2011-04-25 16:11:11 247,808 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\SET1D2.tmp.vir
    2011-06-16 05:23:42 . 2011-04-25 16:11:12 916,480 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET1C1.tmp.vir
    2011-06-16 05:23:41 . 2011-04-25 16:11:11 1,991,680 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET1CC.tmp.vir
    2011-06-16 05:23:41 . 2011-04-25 16:11:12 1,211,904 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET1C2.tmp.vir
    2011-06-16 05:23:41 . 2011-05-30 22:19:48 5,964,800 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET1C6.tmp.vir
    2011-05-12 22:52:39 . 2011-05-12 22:52:39 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\URTTemp\mscoree.dll.local.vir
    2011-05-12 22:52:39 . 2003-02-20 20:42:22 348,160 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\URTTemp\msvcr71.dll.vir
    2011-05-12 22:52:39 . 2003-02-20 11:08:32 2,482,176 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\URTTemp\mscorwks.dll.vir
    2011-05-12 22:52:39 . 2003-02-20 11:09:18 77,824 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\URTTemp\mscorsn.dll.vir
    2011-05-12 22:52:39 . 2003-02-20 11:06:24 155,648 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\URTTemp\mscoree.dll.vir
    2011-05-12 22:52:39 . 2003-02-20 11:06:20 282,624 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\URTTemp\fusion.dll.vir
    2011-04-26 02:11:12 . 2011-04-26 02:11:12 11,081,728 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET1CE.tmp.vir
    2010-11-14 12:38:53 . 2010-11-14 12:38:55 3,072 ----a-w- C:\Qoobox\Quarantine\C\Thumbs.db.vir
    2009-09-04 12:37:03 . 2008-09-02 11:51:48 81,920 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Cameron\My Documents\pub1DD.tmp.vir
    2009-09-04 12:36:52 . 2007-10-15 21:25:35 0 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Cameron\My Documents\$AP318.tmp.vir
    2009-09-04 12:36:52 . 2007-10-17 21:31:19 0 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Cameron\My Documents\$AP3D1.tmp.vir
    2008-04-14 12:00:00 . 2008-04-14 12:00:00 551,936 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000006_.tmp.dll.vir
    2008-04-14 12:00:00 . 2008-04-14 12:00:00 62,976 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\cdrom.sys.vir
    2007-11-07 00:03:18 . 2007-11-07 00:03:18 562,688 ----a-w- C:\Qoobox\Quarantine\C\install.exe.vir
    2006-10-18 13:47:20 . 2006-10-18 13:47:20 8,231,936 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SETBE.tmp.vir
    2003-02-20 21:16:08 . 2003-02-20 21:16:08 49,152 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\URTTemp\regtlib.exe.vir

  7. #27
    Senior Member
    Join Date
    Sep 2010
    Posts
    631

    Default

    Hi jacknjaspa,

    You did fine. The first log you posted was the combofix log. It indicates that it was interrupted during its run. The second log is the quarantined files list. I asked for this just in case it was created and you couldn't get combofix to complete its run.

    Please follow all previous instructions regarding security programs.

    Open a new Notepad session
    • Click the Start button, click run
    • in the run box type notepad
    • click ok
    • In the notepad, click "Format" and be certain that Word Wrap is not checked.
    • Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE


    Code:
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
    "NetSvcs"=-
    "NetSvcs"=hex(7):36,74,6F,34,00,41,70,70,4D,67,6D,74,00,41,\
      75,64,69,6F,53,72,76,00,42,72,6F,77,73,65,72,00,43,72,79,70,74,53,76,\
      63,00,44,4D,53,65,72,76,65,72,00,44,48,43,50,00,45,52,53,76,63,00,45,\
      76,65,6E,74,53,79,73,74,65,6D,00,46,61,73,74,55,73,65,72,53,77,69,74,\
      63,68,69,6E,67,43,6F,6D,70,61,74,69,62,69,6C,69,74,79,00,48,69,64,53,\
      65,72,76,00,49,61,73,00,49,70,72,69,70,00,49,72,6D,6F,6E,00,4C,61,6E,\
      6D,61,6E,53,65,72,76,65,72,00,4C,61,6E,6D,61,6E,57,6F,72,6B,73,74,61,\
      74,69,6F,6E,00,4D,65,73,73,65,6E,67,65,72,00,4E,65,74,6D,61,6E,00,4E,\
      6C,61,00,4E,74,6D,73,73,76,63,00,4E,57,43,57,6F,72,6B,73,74,61,74,69,\
      6F,6E,00,4E,77,73,61,70,61,67,65,6E,74,00,52,61,73,61,75,74,6F,00,52,\
      61,73,6D,61,6E,00,52,65,6D,6F,74,65,61,63,63,65,73,73,00,53,63,68,65,\
      64,75,6C,65,00,53,65,63,6C,6F,67,6F,6E,00,53,45,4E,53,00,53,68,61,72,\
      65,64,61,63,63,65,73,73,00,53,52,53,65,72,76,69,63,65,00,54,61,70,69,\
      73,72,76,00,54,68,65,6D,65,73,00,54,72,6B,57,6B,73,00,57,33,32,54,69,\
      6D,65,00,57,5A,43,53,56,43,00,57,6D,69,00,57,6D,64,6D,50,6D,53,70,00,77,\
      69,6E,6D,67,6D,74,00,77,73,63,73,76,63,00,78,6D,6C,70,72,6F,76,00,6E,\
      61,70,61,67,65,6E,74,00,68,6B,6D,73,76,63,00,42,49,54,53,00,77,75,61,\
      75,73,65,72,76,00,53,68,65,6C,6C,48,57,44,65,74,65,63,74,69,6F,6E,00,68,\
      65,6C,70,73,76,63,00,57,6D,64,6D,50,6D,53,4E,00,00
    
    Driver::
    sqlserveragent
    AVCSTRM
    websensecamreportserver
    vsdatant
    zendcoreapache
    epson_pm_rpcv2_02
    MRESP50a64
    ami0nt
    UPATC
    proxyhostdriver
    AlKernel
    Xponaut_WBD
    beatjammusicstreamingserver
    s616mgmt
    nod32krn
    btfirst
    cpqdmi
    symantecantibotshim
    NWSNS
    cachemgr
    enodpl
    HssTrayService
    deventagent
    sbcssvc
    Sk99202k
    useraccess
    phc600
    ibmpmsvc
    FETNDIS
    rt73
    antivirservice
    stllssvr
    flashcomadmin
    papycpu2
    pilogsrv
    epsonbidirectionalagent
    ibmfilter
    lxby_device
    sit_flt
    EagleNT
    mfeapfk
    videoacceleratorengine
    rslinxng
    vmparport
    BoiHwsetup
    usbatapi2000
    igniteservice.exe
    bthidenum
    ltxred
    p2psvc
    HPFECP20
    IWCA
    UDFReadr
    wpshelper
    serialkeys
    cq_mem
    fcprintservice
    lxcj_device
    CAMFLT
    MSFWHLPR
    pcscnsrv
    uhcd
    bcm43xx
    61883
    GT680x
    oracleorahome92tnslistener
    GTF32BUS
    ibmpmdrv
    IntelC53
    FA312
    ZuneWlanCfgSvc
    spcsutilityservice
    tzontservice
    enxpsvc
    HpqKbFiltr
    3dkeybd
    pshost
    pdlnctdl
    wlluc48
    KMW_USB
    aksusb
    wlancfg
    hsf_dp
    moufiltr
    mks_scan
    dktknsrv
    aswmon2
    dot4print
    EIO_XP
    SE2Cmdm
    snapman
    Si3114r5
    hidgame
    dirms_defragmentation
    elnkservice
    DM9102
    pdlnemsg
    dnwhodisp
    NCPro
    upperdev
    npfmntor
    aslm75
    lusbaudio
    bhmonitorservice
    SiRemFil
    whoisd32
    tfsnopio
    CBN
    se44mgmt
    opcenum
    ANC
    appnnode
    dlaudfam
    AVerBDA
    bglivesvc
    ASMMAP
    clisvc
    snac
    pepifilter
    dtscsi
    sprtsvc_ddoctorv2
    NWADI
    MSCamSvc
    2wirepcp
    freepops
    USB_RNDIS
    sandboxu
    BrPar
    scarddrv
    wmccdsls
    lxdm_device
    StickyMesger
    cmigameport
    ixiaendpoint
    Machnm32
    symantecantibotdriver
    bridgemp
    driverhardwarev2
    TMHIDSRV
    dsbrokerservice
    DCamUSBMke
    ntiopnp
    NxSysMon
    pdengine
    besclient
    iaimfp2
    pmsveh
    SiSRaid2
    DritekPortIO
    sshrmd
    sonytvc
    pavdrv
    nim32
    scsiaccess
    admjoy
    ofcpfwsvc
    ntsyslog
    netdevio
    mcvsrte
    pnrouter
    SrvcEPIOMngr
    backuplauncher
    ltmodem5
    sbhooksvc
    iaimtv2
    HSFHWICH
    belgium_id_card_service
    ccalib8
    tversitymediaserver
    winachcf
    susbser

    In the notepad
    • Click File, Save as..., and set the Save in to your Desktop
    • In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
    • Click save

    Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

    This will start ComboFix again. Close all browser/windows first.

    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**



    Please post the combofix log.

    How's the computer?
    Member of UNITE and ASAP

  8. #28
    Member
    Join Date
    Apr 2012
    Posts
    42

    Default

    Ok, up & about (I'm in Western Australia) & did what you told me.

    Here's the log. You asked how's the computer & it seems OK but not sure what I'm looking for. Should I run an AVG scan? (FYI no AVG warnings have popped up... yet)


    ComboFix 12-04-26.01 - Cameron 28/04/2012 6:12.3.2 - x86
    Running from: c:\documents and settings\Cameron\Desktop\jgh.exe
    Command switches used :: c:\documents and settings\Cameron\Desktop\CFscript.txt
    AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_2WIREPCP
    -------\Legacy_3DKEYBD
    -------\Legacy_61883
    -------\Legacy_ADMJOY
    -------\Legacy_AKSUSB
    -------\Legacy_ALKERNEL
    -------\Legacy_AMI0NT
    -------\Legacy_ANC
    -------\Legacy_ANTIVIRSERVICE
    -------\Legacy_APPNNODE
    -------\Legacy_ASLM75
    -------\Legacy_ASMMAP
    -------\Legacy_ASWMON2
    -------\Legacy_AVCSTRM
    -------\Legacy_AVERBDA
    -------\Legacy_BACKUPLAUNCHER
    -------\Legacy_BCM43XX
    -------\Legacy_BEATJAMMUSICSTREAMINGSERVER
    -------\Legacy_BELGIUM_ID_CARD_SERVICE
    -------\Legacy_BESCLIENT
    -------\Legacy_BGLIVESVC
    -------\Legacy_BHMONITORSERVICE
    -------\Legacy_BOIHWSETUP
    -------\Legacy_BRIDGEMP
    -------\Legacy_BRPAR
    -------\Legacy_BTFIRST
    -------\Legacy_BTHIDENUM
    -------\Legacy_CACHEMGR
    -------\Legacy_CAMFLT
    -------\Legacy_CBN
    -------\Legacy_CCALIB8
    -------\Legacy_CLISVC
    -------\Legacy_CMIGAMEPORT
    -------\Legacy_CPQDMI
    -------\Legacy_CQ_MEM
    -------\Legacy_DCAMUSBMKE
    -------\Legacy_DEVENTAGENT
    -------\Legacy_DIRMS_DEFRAGMENTATION
    -------\Legacy_DKTKNSRV
    -------\Legacy_DLAUDFAM
    -------\Legacy_DM9102
    -------\Legacy_DNWHODISP
    -------\Legacy_DOT4PRINT
    -------\Legacy_DRITEKPORTIO
    -------\Legacy_DRIVERHARDWAREV2
    -------\Legacy_DSBROKERSERVICE
    -------\Legacy_DTSCSI
    -------\Legacy_EAGLENT
    -------\Legacy_EIO_XP
    -------\Legacy_ELNKSERVICE
    -------\Legacy_ENODPL
    -------\Legacy_ENXPSVC
    -------\Legacy_EPSONBIDIRECTIONALAGENT
    -------\Legacy_EPSON_PM_RPCV2_02
    -------\Legacy_FA312
    -------\Legacy_FCPRINTSERVICE
    -------\Legacy_FETNDIS
    -------\Legacy_FLASHCOMADMIN
    -------\Legacy_FREEPOPS
    -------\Legacy_GT680X
    -------\Legacy_GTF32BUS
    -------\Legacy_HIDGAME
    -------\Legacy_HPFECP20
    -------\Legacy_HPQKBFILTR
    -------\Legacy_HSFHWICH
    -------\Legacy_HSF_DP
    -------\Legacy_HSSTRAYSERVICE
    -------\Legacy_IAIMFP2
    -------\Legacy_IAIMTV2
    -------\Legacy_IBMFILTER
    -------\Legacy_IBMPMDRV
    -------\Legacy_IBMPMSVC
    -------\Legacy_IGNITESERVICE.EXE
    -------\Legacy_INTELC53
    -------\Legacy_IWCA
    -------\Legacy_IXIAENDPOINT
    -------\Legacy_KMW_USB
    -------\Legacy_LTMODEM5
    -------\Legacy_LTXRED
    -------\Legacy_LUSBAUDIO
    -------\Legacy_LXBY_DEVICE
    -------\Legacy_LXCJ_DEVICE
    -------\Legacy_LXDM_DEVICE
    -------\Legacy_MACHNM32
    -------\Legacy_MCVSRTE
    -------\Legacy_MFEAPFK
    -------\Legacy_MKS_SCAN
    -------\Legacy_MOUFILTR
    -------\Legacy_MRESP50A64
    -------\Legacy_MSCAMSVC
    -------\Legacy_MSFWHLPR
    -------\Legacy_NCPRO
    -------\Legacy_NETDEVIO
    -------\Legacy_NIM32
    -------\Legacy_NOD32KRN
    -------\Legacy_NPFMNTOR
    -------\Legacy_NTIOPNP
    -------\Legacy_NTSYSLOG
    -------\Legacy_NWADI
    -------\Legacy_NWSNS
    -------\Legacy_NXSYSMON
    -------\Legacy_OFCPFWSVC
    -------\Legacy_OPCENUM
    -------\Legacy_ORACLEORAHOME92TNSLISTENER
    -------\Legacy_P2PSVC
    -------\Legacy_PAPYCPU2
    -------\Legacy_PAVDRV
    -------\Legacy_PCSCNSRV
    -------\Legacy_PDENGINE
    -------\Legacy_PDLNCTDL
    -------\Legacy_PDLNEMSG
    -------\Legacy_PEPIFILTER
    -------\Legacy_PHC600
    -------\Legacy_PILOGSRV
    -------\Legacy_PMSVEH
    -------\Legacy_PNROUTER
    -------\Legacy_PROXYHOSTDRIVER
    -------\Legacy_PSHOST
    -------\Legacy_RSLINXNG
    -------\Legacy_RT73
    -------\Legacy_S616MGMT
    -------\Legacy_SANDBOXU
    -------\Legacy_SBCSSVC
    -------\Legacy_SBHOOKSVC
    -------\Legacy_SCARDDRV
    -------\Legacy_SCSIACCESS
    -------\Legacy_SE2CMDM
    -------\Legacy_SE44MGMT
    -------\Legacy_SERIALKEYS
    -------\Legacy_SI3114R5
    -------\Legacy_SIREMFIL
    -------\Legacy_SISRAID2
    -------\Legacy_SIT_FLT
    -------\Legacy_SK99202K
    -------\Legacy_SNAC
    -------\Legacy_SNAPMAN
    -------\Legacy_SONYTVC
    -------\Legacy_SPCSUTILITYSERVICE
    -------\Legacy_SPRTSVC_DDOCTORV2
    -------\Legacy_SQLSERVERAGENT
    -------\Legacy_SRVCEPIOMNGR
    -------\Legacy_SSHRMD
    -------\Legacy_STICKYMESGER
    -------\Legacy_STLLSSVR
    -------\Legacy_SUSBSER
    -------\Legacy_SYMANTECANTIBOTDRIVER
    -------\Legacy_SYMANTECANTIBOTSHIM
    -------\Legacy_TFSNOPIO
    -------\Legacy_TMHIDSRV
    -------\Legacy_TVERSITYMEDIASERVER
    -------\Legacy_TZONTSERVICE
    -------\Legacy_UDFREADR
    -------\Legacy_UHCD
    -------\Legacy_UPATC
    -------\Legacy_UPPERDEV
    -------\Legacy_USBATAPI2000
    -------\Legacy_USB_RNDIS
    -------\Legacy_USERACCESS
    -------\Legacy_VIDEOACCELERATORENGINE
    -------\Legacy_VMPARPORT
    -------\Legacy_VSDATANT
    -------\Legacy_WEBSENSECAMREPORTSERVER
    -------\Legacy_WHOISD32
    -------\Legacy_WINACHCF
    -------\Legacy_WLANCFG
    -------\Legacy_WLLUC48
    -------\Legacy_WMCCDSLS
    -------\Legacy_WPSHELPER
    -------\Legacy_XPONAUT_WBD
    -------\Legacy_ZENDCOREAPACHE
    -------\Legacy_ZUNEWLANCFGSVC
    -------\Service_2wirepcp
    -------\Service_3dkeybd
    -------\Service_61883
    -------\Service_admjoy
    -------\Service_aksusb
    -------\Service_AlKernel
    -------\Service_ami0nt
    -------\Service_ANC
    -------\Service_antivirservice
    -------\Service_appnnode
    -------\Service_aslm75
    -------\Service_ASMMAP
    -------\Service_aswmon2
    -------\Service_AVCSTRM
    -------\Service_AVerBDA
    -------\Service_backuplauncher
    -------\Service_bcm43xx
    -------\Service_beatjammusicstreamingserver
    -------\Service_belgium_id_card_service
    -------\Service_besclient
    -------\Service_bglivesvc
    -------\Service_bhmonitorservice
    -------\Service_BoiHwsetup
    -------\Service_bridgemp
    -------\Service_BrPar
    -------\Service_btfirst
    -------\Service_bthidenum
    -------\Service_cachemgr
    -------\Service_CAMFLT
    -------\Service_CBN
    -------\Service_ccalib8
    -------\Service_clisvc
    -------\Service_cmigameport
    -------\Service_cpqdmi
    -------\Service_cq_mem
    -------\Service_DCamUSBMke
    -------\Service_deventagent
    -------\Service_dirms_defragmentation
    -------\Service_dlaudfam
    -------\Service_DM9102
    -------\Service_dnwhodisp
    -------\Service_dot4print
    -------\Service_DritekPortIO
    -------\Service_driverhardwarev2
    -------\Service_dsbrokerservice
    -------\Service_dtscsi
    -------\Service_EagleNT
    -------\Service_EIO_XP
    -------\Service_elnkservice
    -------\Service_enodpl
    -------\Service_enxpsvc
    -------\Service_epson_pm_rpcv2_02
    -------\Service_epsonbidirectionalagent
    -------\Service_FA312
    -------\Service_fcprintservice
    -------\Service_FETNDIS
    -------\Service_flashcomadmin
    -------\Service_freepops
    -------\Service_GT680x
    -------\Service_GTF32BUS
    -------\Service_hidgame
    -------\Service_HPFECP20
    -------\Service_HpqKbFiltr
    -------\Service_hsf_dp
    -------\Service_HSFHWICH
    -------\Service_HssTrayService
    -------\Service_iaimfp2
    -------\Service_iaimtv2
    -------\Service_ibmfilter
    -------\Service_ibmpmdrv
    -------\Service_ibmpmsvc
    -------\Service_igniteservice.exe
    -------\Service_IntelC53
    -------\Service_IWCA
    -------\Service_ixiaendpoint
    -------\Service_KMW_USB
    -------\Service_ltmodem5
    -------\Service_ltxred
    -------\Service_lusbaudio
    -------\Service_lxby_device
    -------\Service_lxcj_device
    -------\Service_lxdm_device
    -------\Service_Machnm32
    -------\Service_mcvsrte
    -------\Service_mfeapfk
    -------\Service_mks_scan
    -------\Service_moufiltr
    -------\Service_MRESP50a64
    -------\Service_MSCamSvc
    -------\Service_MSFWHLPR
    -------\Service_NCPro
    -------\Service_netdevio
    -------\Service_nim32
    -------\Service_nod32krn
    -------\Service_npfmntor
    -------\Service_ntiopnp
    -------\Service_ntsyslog
    -------\Service_NWADI
    -------\Service_NWSNS
    -------\Service_NxSysMon
    -------\Service_ofcpfwsvc
    -------\Service_opcenum
    -------\Service_oracleorahome92tnslistener
    -------\Service_p2psvc
    -------\Service_papycpu2
    -------\Service_pavdrv
    -------\Service_pcscnsrv
    -------\Service_pdengine
    -------\Service_pdlnctdl
    -------\Service_pdlnemsg
    -------\Service_pepifilter
    -------\Service_phc600
    -------\Service_pilogsrv
    -------\Service_pmsveh
    -------\Service_pnrouter
    -------\Service_proxyhostdriver
    -------\Service_pshost
    -------\Service_rslinxng
    -------\Service_rt73
    -------\Service_s616mgmt
    -------\Service_sandboxu
    -------\Service_sbcssvc
    -------\Service_sbhooksvc
    -------\Service_scarddrv
    -------\Service_scsiaccess
    -------\Service_SE2Cmdm
    -------\Service_se44mgmt
    -------\Service_serialkeys
    -------\Service_Si3114r5
    -------\Service_SiRemFil
    -------\Service_SiSRaid2
    -------\Service_sit_flt
    -------\Service_Sk99202k
    -------\Service_snac
    -------\Service_snapman
    -------\Service_sonytvc
    -------\Service_spcsutilityservice
    -------\Service_sprtsvc_ddoctorv2
    -------\Service_sqlserveragent
    -------\Service_SrvcEPIOMngr
    -------\Service_sshrmd
    -------\Service_StickyMesger
    -------\Service_stllssvr
    -------\Service_susbser
    -------\Service_symantecantibotdriver
    -------\Service_symantecantibotshim
    -------\Service_tfsnopio
    -------\Service_TMHIDSRV
    -------\Service_tversitymediaserver
    -------\Service_tzontservice
    -------\Service_UDFReadr
    -------\Service_uhcd
    -------\Service_UPATC
    -------\Service_upperdev
    -------\Service_USB_RNDIS
    -------\Service_usbatapi2000
    -------\Service_useraccess
    -------\Service_videoacceleratorengine
    -------\Service_vmparport
    -------\Service_vsdatant
    -------\Service_websensecamreportserver
    -------\Service_whoisd32
    -------\Service_winachcf
    -------\Service_wlancfg
    -------\Service_wlluc48
    -------\Service_wmccdsls
    -------\Service_wpshelper
    -------\Service_Xponaut_WBD
    -------\Service_zendcoreapache
    -------\Service_ZuneWlanCfgSvc
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-03-27 to 2012-04-27 )))))))))))))))))))))))))))))))
    .
    .
    2012-04-26 13:57 . 2012-04-26 13:57 -------- d-----w- C:\_OTL
    2012-04-26 13:57 . 2011-07-10 17:14 295248 -c--a-w- c:\windows\system32\dllcache\avgtdix.sys
    2012-04-25 13:18 . 2012-04-25 22:49 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-04-24 05:19 . 2012-04-24 05:20 -------- d-----w- c:\documents and settings\Cameron\Local Settings\Application Data\NPE
    2012-04-24 05:19 . 2012-04-24 05:19 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Norton
    2012-04-24 05:08 . 2012-04-24 05:08 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\COMODO
    2012-04-24 05:08 . 2012-04-24 05:08 -------- d-----w- c:\documents and settings\Cameron\Application Data\Comodo
    2012-04-23 17:39 . 2012-04-23 17:39 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Apple Computer
    2012-04-23 00:07 . 2012-04-24 07:35 -------- d-----w- c:\documents and settings\Cameron\Application Data\Uqycux
    2012-04-23 00:07 . 2012-04-23 00:07 -------- d-----w- c:\documents and settings\Cameron\Application Data\Rofeen
    2012-04-22 15:48 . 2012-04-22 15:48 -------- d-----w- c:\documents and settings\Cameron\Local Settings\Application Data\Identities
    2012-04-22 15:47 . 2012-04-24 05:12 -------- d-----w- c:\documents and settings\Cameron\Application Data\Ydod
    2012-04-22 15:47 . 2012-04-23 00:28 -------- d-----w- c:\documents and settings\Cameron\Application Data\Ypaxad
    2012-04-20 00:23 . 2012-04-20 00:38 -------- d-----w- C:\sh4ldr
    2012-04-20 00:23 . 2012-04-20 00:23 -------- d-----w- c:\program files\Enigma Software Group
    2012-04-20 00:21 . 2012-04-20 00:38 -------- d-----w- c:\windows\4E0C6314A8B84026AC15084E8B63AFB5.TMP
    2012-04-20 00:21 . 2012-04-20 00:21 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2012-04-19 23:48 . 2012-04-24 07:35 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\F4D55F2C000BBBB74E027CC6D151FC4E
    2012-04-17 00:41 . 2012-04-17 00:41 -------- d--h--w- c:\documents and settings\All Users.WINDOWS\Application Data\CanonIJFAX
    2012-04-17 00:40 . 2010-09-13 06:44 106496 ----a-w- c:\windows\system32\CNC410U.dll
    2012-04-17 00:40 . 2010-09-13 06:42 1347584 ----a-w- c:\windows\system32\CNC410C.dll
    2012-04-17 00:40 . 2010-09-13 06:42 114688 ----a-w- c:\windows\system32\CNC410I.dll
    2012-04-17 00:40 . 2010-09-06 09:03 315392 ----a-w- c:\windows\system32\CNC410L.dll
    2012-04-17 00:36 . 2012-04-19 02:05 -------- d-----w- c:\documents and settings\Cameron\Application Data\Canon Easy-WebPrint EX
    2012-04-17 00:32 . 2010-10-20 21:00 257024 ----a-w- c:\windows\system32\CNCALAL.DLL
    2012-04-17 00:32 . 2012-04-17 00:32 -------- d--h--w- c:\documents and settings\All Users.WINDOWS\Application Data\CanonBJ
    2012-04-17 00:31 . 2010-09-19 21:00 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\CNMPPAL.DLL
    2012-04-17 00:31 . 2010-09-19 21:00 303104 ----a-w- c:\windows\system32\CNMLMAL.DLL
    2012-04-17 00:31 . 2010-09-19 21:00 28672 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\CNMPDAL.DLL
    2012-04-17 00:31 . 2012-04-17 00:31 -------- d--h--w- c:\windows\system32\CanonIJ Uninstaller Information
    2012-04-17 00:31 . 2010-06-03 06:11 94208 ----a-w- c:\windows\system32\CNC410O.dll
    2012-04-17 00:31 . 2010-09-07 01:58 180224 ----a-w- c:\windows\system32\CNMIUAL.DLL
    2012-04-17 00:31 . 2012-04-17 00:31 -------- d--h--w- c:\program files\CanonBJ
    2012-04-07 08:55 . 2012-04-07 08:55 -------- d-----w- C:\found.000
    2012-04-07 07:42 . 2012-04-07 07:45 -------- d-----w- C:\big w prints
    2012-04-07 07:07 . 2012-04-19 02:23 -------- d-----w- C:\Vuze
    2012-04-07 06:48 . 2012-04-07 06:57 -------- d-----w- C:\To Transfer
    2012-04-06 00:19 . 2012-04-14 15:02 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-04-01 03:09 . 2012-04-01 03:09 -------- d-----r- C:\g on Home PC (B03f21ae66bf49c)
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-04-26 14:10 . 2011-04-04 16:59 295248 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2012-04-25 13:22 . 2008-04-14 12:00 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
    2012-04-25 13:22 . 2008-04-14 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
    2012-04-14 15:02 . 2011-06-17 23:36 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-03-01 11:01 . 2008-04-14 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-03-01 11:01 . 2008-04-14 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
    2012-03-01 11:01 . 2008-04-14 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2012-02-29 14:10 . 2008-04-14 12:00 177664 ----a-w- c:\windows\system32\wintrust.dll
    2012-02-29 14:10 . 2008-04-14 12:00 148480 ------w- c:\windows\system32\imagehlp.dll
    2012-02-29 12:17 . 2008-04-14 12:00 385024 ------w- c:\windows\system32\html.iec
    2012-02-15 03:01 . 2011-12-15 14:13 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
    2012-02-15 03:01 . 2011-12-15 14:13 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    2012-02-07 03:02 . 2012-02-07 03:02 1070352 ----a-w- c:\windows\system32\MSCOMCTL.OCX
    2012-02-03 09:22 . 2008-04-14 12:00 1860096 ------w- c:\windows\system32\win32k.sys
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-04-27_10.46.45 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2012-04-27 22:30 . 2012-04-27 22:30 16384 c:\windows\Temp\Perflib_Perfdata_8f8.dat
    + 2012-04-27 22:30 . 2009-10-06 17:47 109080 c:\windows\Temp\logishrd\LVPrcInj01.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-03-29 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
    "LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
    "UpdatePDRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-06 222504]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-03 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
    "RTHDCPL"="RTHDCPL.EXE" [2010-04-06 19523104]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-26 421736]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-07-25 2569616]
    "CanonSolutionMenuEx"="c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-09-14 1213848]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    c:\documents and settings\Cameron\Start Menu\Programs\Startup\
    My Program.lnk - c:\program files\FingerPrint\FingerPrint.exe [2012-2-15 924728]
    .
    c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
    NETGEAR WG311T Smart Wizard.lnk - c:\program files\NETGEAR\WG311T\wlancfg5.exe [2006-9-15 1503232]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\CinemaNow\\CinemaNow Media Manager\\CinemaNowShell.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
    "c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Vuze\\Azureus.exe"=
    "c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
    "c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
    "c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
    "c:\\Program Files\\FingerPrint\\FingerPrintService.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\Plex\\Plex Media Server\\Plex Media Server.exe"=
    "c:\\Program Files\\Plex\\Plex Media Server\\PlexScriptHost.exe"=
    "c:\\Program Files\\Plex\\Plex Media Center\\Plex.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Safari\\Safari.exe"=
    .
    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [22/02/2011 8:13 AM 23120]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [16/03/2011 4:03 PM 32592]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [7/01/2011 6:41 AM 230608]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [5/04/2011 12:59 AM 295248]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [12/10/2011 6:25 AM 4433248]
    R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [2/08/2011 6:09 AM 192776]
    R2 CinemaNow Service;CinemaNow Service;c:\program files\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe [23/06/2009 5:40 PM 127352]
    R2 FingerPrint;FingerPrint Service;c:\program files\FingerPrint\FingerPrintService.exe -start --> c:\program files\FingerPrint\FingerPrintService.exe -start [?]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [14/04/2011 9:28 PM 134608]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [10/02/2011 7:53 AM 24272]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [10/02/2011 7:53 AM 16720]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 1:16 PM 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [28/03/2012 3:24 PM 116648]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [6/04/2012 8:19 AM 253088]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [10/05/2011 7:04 AM 1691480]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [28/03/2012 3:24 PM 116648]
    S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [15/12/2011 10:13 PM 18432]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [6/05/2008 4:06 PM 11520]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 1:16 PM 753504]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-04-27 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-06 15:02]
    .
    2012-04-23 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 09:57]
    .
    2012-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-03-28 07:24]
    .
    2012-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-03-28 07:24]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com.au/
    uInternet Settings,ProxyOverride = *.local
    IE: Download with &Media Finder - c:\program files\Media Finder\hook.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 10.1.1.1
    DPF: {82E5DF24-51E8-47CD-864A-F4BD5005AA73} - hxxps://www.icloud.com/system/iCloud.cab
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-04-28 06:31
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
    "value"="?\05\03\0b\0a;9»"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(6040)
    c:\windows\system32\WININET.dll
    c:\windows\TEMP\logishrd\LVPrcInj01.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\progra~1\AVG\AVG2012\avgrsx.exe
    c:\program files\AVG\AVG2012\avgcsrvx.exe
    c:\windows\RTHDCPL.EXE
    c:\windows\system32\igfxsrvc.exe
    c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    c:\windows\system32\acs.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\FingerPrint\FingerPrintService.exe
    c:\program files\AVG\AVG2012\avgnsx.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    c:\program files\CyberLink\Shared Files\RichVideo.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\windows\system32\dwwin.exe
    .
    **************************************************************************
    .
    Completion time: 2012-04-28 06:34:04 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-04-27 22:34
    ComboFix2.txt 2012-04-27 10:48
    .
    Pre-Run: 41,058,344,960 bytes free
    Post-Run: 40,950,337,536 bytes free
    .
    - - End Of File - - FD992461C2628152305169762D3AC99F

  9. #29
    Member
    Join Date
    Apr 2012
    Posts
    42

    Default

Spoke too soon, AVG threat detection warnings now popping up again

  10. #30
    Senior Member
    Join Date
    Sep 2010
    Posts
    631

    Default

    Hi jacknjaspa,

Please don't run AVG. Antivirus programs have a habit of detecting and removing parts of the tools we use.

    What is AVG detecting and what is the filename and path?

    Please follow all previous instructions regarding security programs.

    Open a new Notepad session
    • Click the Start button, click run
    • in the run box type notepad
    • click ok
    • In the notepad, Click "Format" and be certain that Word Wrap is not checked.
    • Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE


    Code:
    Folder::
    c:\documents and settings\Cameron\Application Data\Uqycux
    c:\documents and settings\Cameron\Application Data\Rofeen
    c:\documents and settings\Cameron\Application Data\Ydod
    c:\documents and settings\Cameron\Application Data\Ypaxad

In the notepad
    • Click File, Save as..., and set the Save in to your Desktop
    • In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
    • Click save

    Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again. Close all browser/windows first.

    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**



    Next

    Download and save to your desktop Malwarebytes Anti-Malware

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the entire report in your next reply.

    Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

    Please post back with
    • combofix log
    • MBAM log
    Member of UNITE and ASAP
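Added example, not from this thread, its helper or ComboFix itself: a small Python triage script that parses the section layout of the ComboFix log posted above and applies the two checks a practitioner wants to do before writing a CFScript like the one in the reply above. It lists DLLs and processes that run from TEMP or from a user profile's Application Data, and it lists Application Data subfolders that are not a recognised vendor folder (the four Folder:: entries in the reply are the kind of thing this surfaces). The log excerpt is re-typed from the post; the suspect-directory list, the vendor allowlist and the extra "Microsoft" folder in the sample are this example's own assumptions, not ComboFix rules.

```python
"""Triage helpers for a ComboFix log (added example, not ComboFix code)."""
import re

# A section header in a ComboFix log looks like
# "--------------------- LOCKED REGISTRY KEYS ---------------------".
SECTION_RE = re.compile(r"^-{3,}\s*(.+?)\s*-{3,}$")
# A process banner inside "DLLs Loaded Under Running Processes":
# "- - - - - - - > 'explorer.exe'(6040)"
PROCESS_RE = re.compile(r"^(?:- )+>\s*'([^']+)'\((\d+)\)$")

# Excerpt re-typed from the log posted above (constructed sample input).
SAMPLE_LOG = r"""
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(6040)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG2012\avgrsx.exe
c:\windows\system32\acs.exe
c:\program files\Bonjour\mDNSResponder.exe
.
"""

# The four folders from the CFScript in the reply above, plus one benign
# folder (constructed) so the allowlist has something to keep.
CFSCRIPT_FOLDERS = [
    r"c:\documents and settings\Cameron\Application Data\Uqycux",
    r"c:\documents and settings\Cameron\Application Data\Rofeen",
    r"c:\documents and settings\Cameron\Application Data\Ydod",
    r"c:\documents and settings\Cameron\Application Data\Ypaxad",
    r"c:\documents and settings\Cameron\Application Data\Microsoft",
]

# Locations worth a second look for a loaded DLL or running process on XP.
# This list is an assumption of the example, not a ComboFix rule.
SUSPECT_DIRS = (
    ("\\windows\\temp\\", "runs from the system TEMP directory"),
    ("\\local settings\\temp\\", "runs from a user TEMP directory"),
    ("\\application data\\", "runs from a user profile's Application Data"),
)

# Vendor folders expected under Application Data (assumed allowlist).
KNOWN_APPDATA = {"microsoft", "adobe", "mozilla", "google", "apple computer",
                 "macromedia", "identities", "sun", "avg2012"}


def parse_sections(text):
    """Split a ComboFix log into {section title: [content lines]}.
    Lines that are just "." are ComboFix spacing and are dropped."""
    sections = {"preamble": []}
    current = "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        sections[current].append(line)
    return sections


def loaded_dlls(section_lines):
    """Group DLL paths under the process banner that precedes them."""
    by_process, proc = {}, None
    for line in section_lines:
        m = PROCESS_RE.match(line)
        if m:
            proc = f"{m.group(1)}({m.group(2)})"
            by_process[proc] = []
        elif proc is not None:
            by_process[proc].append(line)
    return by_process


def flag_path(path):
    """Return a reason string if the path sits in a suspect location, else None."""
    low = path.lower()
    for needle, reason in SUSPECT_DIRS:
        if needle in low:
            return reason
    return None


def triage(text):
    """Return (context, path, reason) for every DLL or process in a suspect location."""
    sections = parse_sections(text)
    findings = []
    dll_section = sections.get("DLLs Loaded Under Running Processes", [])
    for proc, dlls in loaded_dlls(dll_section).items():
        findings += [(proc, d, flag_path(d)) for d in dlls if flag_path(d)]
    for exe in sections.get("Other Running Processes", []):
        if flag_path(exe):
            findings.append(("running process", exe, flag_path(exe)))
    return findings


def unknown_appdata_folders(folder_paths, known=KNOWN_APPDATA):
    """Application Data subfolders not on the allowlist: a review list, not a verdict."""
    marker, out = "\\application data\\", []
    for p in folder_paths:
        low = p.lower()
        idx = low.find(marker)
        if idx >= 0 and low[idx + len(marker):].split("\\")[0] not in known:
            out.append(p)
    return out


if __name__ == "__main__":
    for ctx, path, why in triage(SAMPLE_LOG):
        print(f"{ctx}: {path} ({why})")
    for folder in unknown_appdata_folders(CFSCRIPT_FOLDERS):
        print("review:", folder)
```

Both outputs are review lists rather than verdicts. The one DLL this flags in the excerpt, LVPrcInj01.dll under c:\windows\TEMP\logishrd, sits beside Logitech's LVPrcSrv.exe and COCIManager.exe in the process list, so it is most likely the webcam software's own injector rather than the infection; the point of the script is to put such items in front of a human quickly, not to decide for them.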
