
Thread: IDP.Trojan Crpt.AQLW Issues

  1. #1
    Junior Member
    Join Date
    May 2012
    Posts
    17

    IDP.Trojan Crpt.AQLW Issues

    Hello,
    I am having many of the same problems that others are having with this bugger. I got into a file earlier and started getting the Vault messages from AVG Free. Any help to remove this issue would be appreciated.

    Thanks

    dds log:
    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_31
    Run by Nathan at 23:08:14 on 2012-05-06
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3326.1521 [GMT -4:00]
    .
    AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Windows\System32\svchost.exe -k Akamai
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Windows\system32\PrintIsolationHost.exe
    C:\Program Files\Google\Update\1.3.21.111\GoogleCrashHandler.exe
    C:\Program Files\AVG\AVG2012\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\Program Files\HP\HP Software Update\hpwuschd2.exe
    C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
    C:\Program Files\epson\Creativity Suite\Event Manager\EEventManager.exe
    C:\Program Files\AVG\AVG2012\avgtray.exe
    C:\Program Files\AVG Secure Search\vprot.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Steam\Steam.exe
    C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe
    C:\Users\Nathan\AppData\Local\Akamai\netsession_win.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\svchost.exe -k hpdevmgmt
    C:\Users\Nathan\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Program Files\MagicTune Premium\GammaTray.exe
    C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
    C:\Users\Nathan\AppData\Roaming\Dropbox\bin\Dropbox.exe
    C:\Users\Nathan\AppData\Local\Akamai\netsession_win.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Program Files\Splashtop\Splashtop Remote\Server\SRService.exe
    C:\Program Files\Splashtop\Splashtop Remote\Server\SRServer.exe
    C:\Program Files\Splashtop\Splashtop Software Updater\SSUService.exe
    C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\VMLite\VMLite Workstation\VMLiteService.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\Windows\system32\svchost.exe -k HPService
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Program Files\Uniblue\RegistryBooster\registrybooster.exe
    C:\Users\Nathan\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Nathan\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Nathan\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Nathan\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Program Files\Common Files\Steam\SteamService.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
    C:\Users\Nathan\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Windows\System32\svchost.exe -k swprv
    C:\Users\Nathan\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Windows\system32\rundll32.exe
    C:\Users\Nathan\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Nathan\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = about:blank
    mStart Page = hxxp://startsear.ch/?aff=1&cf=3b7fc524-29a8-11e1-8e12-001fd08149e9
    uInternet Settings,ProxyServer = 46.23.70.176:3128
    uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;<local>
    mURLSearchHooks: H - No File
    BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
    BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: IE5BarLauncherBHO Class: {78f3a323-798e-4aea-9a57-88f4b05fd5dd} - c:\program files\vshare.tv plugin\BarLcher.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\10.2.0.3\AVG Secure Search_toolbar.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
    BHO: RebateRobot BHO: {fa3fedf6-1a34-4076-9f25-a26a2de6a401} - c:\program files\rebaterobot\RebateRobot.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\10.2.0.3\AVG Secure Search_toolbar.dll
    TB: VShareToolBar: {7ac3e13b-3bca-4158-b330-f66dbb03c1b5} - c:\program files\vshare.tv plugin\BarLcher.dll
    TB: {B771FEA3-2A05-4C21-B1E2-55551A97D520} - No File
    TB: {719D74AB-1AF9-43A1-8C62-D8750628D93E} - No File
    {e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
    EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
    uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
    uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 52\axcmd.exe" /automount
    uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
    uRun: [ISUSPM] "c:\programdata\macrovision\flexnet connect\6\ISUSPM.exe" -scheduler
    uRun: [Xvid] c:\program files\xvid\CheckUpdate.exe
    uRun: [Akamai NetSession Interface] "c:\users\nathan\appdata\local\akamai\netsession_win.exe"
    uRun: [Google Update] "c:\users\nathan\appdata\local\google\update\GoogleUpdate.exe" /c
    uRun: [CA737A4C8A218980B307F7230906C3F73A69889A._service_run] "c:\users\nathan\appdata\local\google\chrome\application\chrome.exe" --type=service
    uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe" /MINIMIZED
    uRun: [PowerSuite] "c:\program files\uniblue\powersuite\launcher.exe" delay 20000 -m
    uRun: [DriverScanner] "c:\program files\uniblue\driverscanner\launcher.exe" delay 20000
    uRun: [RegistryBooster] "c:\program files\uniblue\registrybooster\launcher.exe" delay 20000
    mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
    mRun: [<NO NAME>]
    mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
    mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 6.0\apdproxy.exe"
    mRun: [EEventManager] c:\program files\epson\creativity suite\event manager\EEventManager.exe
    mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
    mRun: [ROC_roc_dec12] "c:\program files\avg secure search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
    mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
    mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    StartupFolder: c:\users\nathan\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\nathan\appdata\roaming\dropbox\bin\Dropbox.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\gammat~1.lnk - c:\program files\magictune premium\GammaTray.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
    IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
    IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
    IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
    IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    Trusted Zone: 360-value.com
    Trusted Zone: billerweb.com
    Trusted Zone: bristolwest.com
    Trusted Zone: bwproducers.com
    Trusted Zone: cisgroup.com
    Trusted Zone: co-optimum.com
    Trusted Zone: farmers.com
    Trusted Zone: farmers.csod.com
    Trusted Zone: farmersces.com
    Trusted Zone: farmersflood.com
    Trusted Zone: farmersinsurance.com
    Trusted Zone: farmersleadcenter.com
    Trusted Zone: farmerslife.com
    Trusted Zone: farmersmarketpoint.com
    Trusted Zone: foremostfarmers.com
    Trusted Zone: foremoststar.com
    Trusted Zone: ipipeline.com
    Trusted Zone: msbexpress.net
    Trusted Zone: seccas.com
    Trusted Zone: zurich.com
    DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxps://eagent.farmersinsurance.com/PLA/eAgent/icms/commonActiveX/smsx.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
    TCP: Interfaces\{FEAEC8ED-0698-44E1-8342-E4CD3DA1D97E} : DhcpNameServer = 75.75.76.76 75.75.75.75
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
    Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\10.2.0\ViProtocol.dll
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\nathan\appdata\roaming\mozilla\firefox\profiles\jkd87gk8.default\
    FF - prefs.js: browser.search.selectedEngine - Web Search
    FF - prefs.js: browser.startup.homepage - hxxp://startsear.ch/?aff=1&cf=3b7fc524-29a8-11e1-8e12-001fd08149e9
    FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7Bbc3f9e54-7112-455e-8307-e15978e50026%7D&mid=695c58de235e47d6b412d1569665a01a-630f14d88c88f78d12f6037265eb8b1d7839be65&ds=AVG&v=10.0.0.7&lang=en&pr=fr&d=2011-10-17%2012%3A38%3A28&sap=ku&q=
    FF - prefs.js: network.proxy.type - 0
    FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
    FF - component: c:\program files\google\google gears\firefox\lib\ff36\gears.dll
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
    FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
    FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
    FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
    FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
    FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
    FF - plugin: c:\program files\microsoft\office live\npOLW.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npvsharetvplg.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - plugin: c:\users\nathan\appdata\local\google\update\1.3.21.99\npGoogleUpdate3.dll
    FF - plugin: c:\users\nathan\appdata\roaming\move networks\plugins\npqmp071701000002.dll
    FF - plugin: c:\users\nathan\appdata\roaming\move networks\plugins\npqmp071705000014.dll
    FF - plugin: c:\windows\system32\wat\npWatWeb.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 230608]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
    R1 vmlitedrv;vmlitedrv;c:\windows\system32\drivers\vmlitedrv.sys [2012-1-26 15464]
    R1 VMLiteUSBMon;VMLiteUSBMon;c:\windows\system32\drivers\vmliteusbmon.sys [2012-1-26 127080]
    R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
    R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]
    R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-7-13 20992]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
    R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-12-27 374152]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2007-9-12 12856]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-5-3 47640]
    R2 SplashtopRemoteService;Splashtop® Remote Service;c:\program files\splashtop\splashtop remote\server\SRService.exe [2012-2-9 531328]
    R2 SSUService;Splashtop Software Updater Service;c:\program files\splashtop\splashtop software updater\SSUService.exe [2012-3-15 370504]
    R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 52\starwind\StarWindServiceAE.exe [2007-5-28 275968]
    R2 VMLiteService;VMLiteService;c:\program files\vmlite\vmlite workstation\VMLiteService.exe [2010-8-21 455784]
    R2 vToolbarUpdater10.2.0;vToolbarUpdater10.2.0;c:\program files\common files\avg secure search\vtoolbarupdater\10.2.0\ToolbarUpdater.exe [2012-3-12 918880]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134736]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-10-4 16720]
    R3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [2009-6-10 657408]
    R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-3-2 139776]
    R3 vmlitestor;vmlitestor;c:\windows\system32\drivers\vmlitestor.sys [2010-8-18 140392]
    S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-26 135664]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-4 257696]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-5-27 984392]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-26 135664]
    S3 massfilter;Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2011-7-1 9216]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
    S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
    S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-10-10 52224]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-1 1343400]
    S3 ZTEusbgps;ZTE GPS Port;c:\windows\system32\drivers\ZTEusbgps.sys [2011-7-1 105856]
    S3 ZTEusbnmeaext;ZTE NMEAExt Port;c:\windows\system32\drivers\ZTEusbnmeaext.sys [2011-7-1 105856]
    .
    =============== Created Last 30 ================
    .
    2012-05-07 03:00:04 295248 ----a-w- c:\windows\system32\dllcache
    2012-05-07 03:00:04 -------- d-----w- C:\_OTL
    2012-05-07 02:11:59 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-05-07 01:16:06 -------- d-s---w- C:\ComboFix
    2012-05-06 22:12:22 98816 ----a-w- c:\windows\sed.exe
    2012-05-06 22:12:22 518144 ----a-w- c:\windows\SWREG.exe
    2012-05-06 22:12:22 256000 ----a-w- c:\windows\PEV.exe
    2012-05-06 22:12:22 208896 ----a-w- c:\windows\MBR.exe
    2012-05-06 19:58:31 -------- d-----w- C:\DashConfig
    2012-05-06 19:25:23 -------- dc-h--w- c:\programdata\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}
    2012-05-06 19:24:58 -------- d-----w- c:\users\nathan\appdata\local\PackageAware
    2012-05-06 18:58:22 -------- dc-h--w- c:\programdata\{51019853-129C-4EDE-9030-D5FD7BBD9AD0}
    2012-05-06 18:41:32 -------- dc-h--w- c:\programdata\{92E7A367-8E12-4830-AA70-29C32E331A81}
    2012-05-06 17:42:21 -------- d-----w- c:\program files\NirSoft
    2012-05-06 17:37:45 -------- d-----w- c:\programdata\Uniblue
    2012-05-06 17:37:22 -------- d-----w- c:\program files\Uniblue
    2012-04-28 00:23:59 -------- d-----w- c:\program files\Paradox Interactive
    2012-04-11 02:48:07 5120 ----a-w- c:\windows\system32\wmi.dll
    2012-04-11 02:48:07 19824 ----a-w- c:\windows\system32\drivers\fs_rec.sys
    2012-04-11 02:48:07 172544 ----a-w- c:\windows\system32\wintrust.dll
    2012-04-11 02:48:07 159232 ----a-w- c:\windows\system32\imagehlp.dll
    2012-04-11 02:46:50 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2012-04-11 02:46:49 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-04-11 02:44:43 805376 ----a-w- c:\windows\system32\FntCache.dll
    2012-04-11 02:44:43 739840 ----a-w- c:\windows\system32\d2d1.dll
    .
    ==================== Find3M ====================
    .
    2012-05-07 02:13:24 295248 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2012-05-06 20:04:15 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-05-06 20:04:14 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-03-06 13:43:26 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2012-02-28 05:38:52 981504 ----a-w- c:\windows\system32\wininet.dll
    2012-02-28 03:52:27 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2012-02-24 19:43:36 152576 ----a-w- c:\windows\system32\msclmd.dll
    2012-02-17 05:34:22 826880 ----a-w- c:\windows\system32\rdpcore.dll
    2012-02-17 04:14:08 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-02-17 04:13:22 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys
    2012-02-15 16:01:50 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
    2012-02-15 16:01:50 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    2012-02-10 05:38:43 1077248 ----a-w- c:\windows\system32\DWrite.dll
    2012-02-07 15:02:40 1070352 ----a-w- c:\windows\system32\MSCOMCTL.OCX
    2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
    2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
    2008-03-16 12:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll
    .
    ============= FINISH: 23:09:38.21 ===============

  2. #2
    Emeritus- Malware Team
    Join Date
    Aug 2011
    Posts
    148


    Hi boatnerd06,

    Firstly, welcome to the Safer-Networking Malware Removal Forum.
    My name is Scolabar, and I'll be helping you with your malware problems.
    Logs can take a while to research, so please be patient.
    If you no longer require help I would be grateful if you would let me know.

    Please note the following important guidelines before proceeding:
    1. The instructions that will be provided are for YOUR computer and system only!
      Using these instructions on a different computer can cause damage to that computer and possibly render it inoperable!
    2. If you have any questions or do not understand something, please do not hesitate to ask, don't guess or assume.
    3. Only post your problem at One help site. Applying fixes from multiple help sites can cause problems.
    4. Only reply to this thread, do not start another. Please, continue responding, until I give you the All Clean.
      Absence of symptoms does not necessarily mean that everything is clear.
    5. DO NOT run any other fix or removal tools unless instructed to do so!
    6. DO NOT install any other software (or hardware) during the cleaning process. This adds more items to be researched.
    7. Print each set of instructions, if possible. Your Internet connection will not be available during some fix processes.
    8. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    9. Note: No Reply Within 3 Days Will Result In Your Topic Being Closed!

    Please Note: If you haven't done so already, please read this topic "BEFORE You POST" (Please read this Procedure Before Requesting Assistance) where the conditions for receiving help here are explained.

    Windows 7 Advice:
    Please Note: The programs I ask you to use will need to be run in Administrator Mode.
    In order to do this Right-click on the program file and select the Run as Administrator option.
    Additionally, the built-in User Account Control (UAC) utility, if enabled, may prompt you for permission to run the program.
    If prompted, please click on the Allow button.
    Reference: User Account Control (UAC) and Running as Administrator

    Please be aware that removing Malware is a hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and the tools we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or where you would need to take your computer to a repair shop.
    In light of this, it would be advisable for you to back up any important files and folders that you don't want to lose before we start.

    If you follow these guidelines, things should proceed smoothly.
    I am currently reviewing your log and will return, as soon as possible, with additional instructions.

    Thank you for your patience.

    Scolabar
    Malware Removal University - You too could train to help others

  3. #3
    Junior Member
    Join Date
    May 2012
    Posts
    17


    Thank you Scolabar, I'm looking forward to getting this issue resolved.

  4. #4
    Emeritus- Malware Team
    Join Date
    Aug 2011
    Posts
    148


    Hi boatnerd06,

    Thank you again for your patience.

    Please read these instructions carefully before executing and perform the steps exactly in the order given.
    If you have any questions about, or problems with, executing these instructions, STOP: do not proceed; post back with the question or problem before going any further.

    Before proceeding please make sure any open programs are closed.

    Step 1:
    Company-Owned Computer?

    Entries in the log provided lead me to believe this may be a company-owned computer.
    Please confirm whether or not this computer is a company-owned computer, a computer used for business, or connected to a business network.
    If this is not the case, please proceed with Step 2 and clarify for what purposes this computer is used in your next post.

    Step 2:
    Tools Already Used

    Have you already been receiving help at another malware removal forum?

    Please Note: Using powerful tools without the guidance of a Malware Removal Expert runs the risk of turning a computer into a brick.

    I will need to see the log files for the fixes run:

    TDSSKiller - Log

    I notice that TDSSKiller has been used recently on this computer. Please follow the instructions below to retrieve the log file:

    1. Please download TDSSQlook.exe by Kaspersky and save it to your Desktop. <-- Important!!!
    2. Right-click on TDSSQlook.exe and select the Run As Administrator option to launch the program. If you receive a UAC prompt, please allow it.
      A log file will be created on the Desktop called TDSSQ.txt.
    3. Copy and Paste the entire contents of the TDSSQ.txt file into your next reply.


    ComboFix - Log

    I also notice that ComboFix has been recently installed on this computer. You need to be aware of the following:

    Do NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be used under the guidance and supervision of an expert, NOT for general public or personal use. Using this tool incorrectly could lead to serious problems with your operating system such as preventing it from ever starting again. This site, sUBs and myself will not be responsible for any damage caused to your machine by misusing or running ComboFix on your own. Please read Combofix's Disclaimer.
    Please post the entire contents of the combofix.txt log file (it is normally to be found in the C:\qoobox\ directory) into your next reply.

    OTL - Log

    If you ran an OTL fix I will need to see that log file as well. Otherwise, go to Step 3.

    The OTL log can be found in the following location:

    C:\_OTL\MovedFiles\DD/DD/DD TT/TT.txt <-- denotes date/time log created.

    Please Copy and Paste that log report into your next reply.

    Step 3:
    Include in Next Post

    1. Did you have any problems carrying out the instructions?
    2. Is this computer a company-owned computer, a computer used for business or connected to a business network?
      If not, please clarify for what purposes the computer is used.
    3. TDSSQ.txt.
    4. combofix.txt.
    5. C:\_OTL\MovedFiles\DD/DD/DD TT/TT.txt.
    6. Do you have the original Windows installation media for your PC?


    Scolabar
    --------------------------------------------------------------------------
    No Reply Within 3 Days Will Result In Your Topic Being Closed
    Malware Removal University - You too could train to help others

  5. #5
    Emeritus- Malware Team
    Join Date
    Aug 2011
    Posts
    148

    Default

    Hi boatnerd06,

    It has been over 48 hours since my last post.

    1. Do you still need help?
    2. Do you need more time?
    3. Are you having problems following my instructions?
    4. In line with Safer-Networking's Forum Guidelines, topics will be closed after 3 days without a response.
    5. If you do not reply within the next 24 hours, this topic will be closed.


    Scolabar
    --------------------------------------------------------------------------
    No Reply Within 3 Days Will Result In Your Topic Being Closed
    Malware Removal University - You too could train to help others

  6. #6
    Junior Member
    Join Date
    May 2012
    Posts
    17

    Default

    Sorry about the lack of response; I was gone for the weekend.

    2. It is my own personal computer that I also use for business. In order for our website to work on my computer, it requires that we download a packet to make everything work well.

    3. I have not been using another forum; however, I was attempting to fix it myself as it was completely unusable. I got it to a point that it's functional, but not to the point that it was before.

    6. I do not have the original installation media for this computer. It was a Vista Media Center to Windows 7 Upgrade via a downloadable file from Microsoft.

  7. #7
    Junior Member
    Join Date
    May 2012
    Posts
    17

    Default

    TDSSQ Log


    TDSSKiller Quarantine Information log
    Version 1.0.0.4
    ***** START SCAN Mon 05/21/2012 20:00:00.02 *****

    ---------- TDSSKiller logs ----------

    TDSSKiller.2.7.34.0_06.05.2012_22.08.18_log.txt

    ---------- TDSSStarter logs ----------


    ---------- DIR LIST ----------

    C:\TDSSKiller_Quarantine\06.05.2012_22.08.18
    C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\zaea0000
    C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\rtkt0000
    C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\rtkt0000\zafs0000
    C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\rtkt0000\svc0000
    C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\rtkt0000\object.ini
    C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\rtkt0000\svc0000\tsk0000.ini
    C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\rtkt0000\svc0000\tsk0001.dta
    C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\rtkt0000\svc0000\tsk0001.ini
    C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\rtkt0000\svc0000\object.ini
    C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\rtkt0000\zafs0000\tsk0011.dta
    C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\rtkt0000\zafs0000\tsk0010.ini
    C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\rtkt0000\zafs0000\tsk0011.ini
    C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\rtkt0000\zafs0000\tsk0009.ini
    C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\rtkt0000\zafs0000\tsk0009.dta
    C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\rtkt0000\zafs0000\tsk0008.ini
    C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\rtkt0000\zafs0000\tsk0007.dta
    C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\rtkt0000\zafs0000\tsk0007.ini
    C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\rtkt0000\zafs0000\tsk0006.ini
    C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\rtkt0000\zafs0000\tsk0006.dta
    C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\rtkt0000\zafs0000\tsk0005.ini
    C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\rtkt0000\zafs0000\tsk0005.dta
    C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\rtkt0000\zafs0000\tsk0004.ini
    C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\rtkt0000\zafs0000\tsk0004.dta
    C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\rtkt0000\zafs0000\tsk0003.ini
    C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\rtkt0000\zafs0000\tsk0003.dta
    C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\rtkt0000\zafs0000\tsk0002.ini
    C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\rtkt0000\zafs0000\tsk0001.dta
    C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\rtkt0000\zafs0000\tsk0000.ini
    C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\rtkt0000\zafs0000\tsk0000.dta
    C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\rtkt0000\zafs0000\tsk0001.ini
    C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\zaea0000\svc0000
    C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\zaea0000\object.ini
    C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\zaea0000\svc0000\tsk0000.ini
    C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\zaea0000\svc0000\object.ini

    ---------- INI FILES ----------

    === C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\rtkt0000\object.ini

    [InfectedObject]
    Verdict: Virus.Win32.ZAccess.aml


    === C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\rtkt0000\svc0000\object.ini

    [InfectedObject]
    Type: Service
    Name: Avgtdix
    Type: Kernel driver (0x1)
    Start: System (0x1)
    ImagePath: system32\DRIVERS\avgtdix.sys
    Suspicious states: Forged file;


    === C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\rtkt0000\svc0000\tsk0000.ini

    [InfectedFile]
    Type: Raw image
    Src: C:\Windows\system32\DRIVERS\avgtdix.sys
    md5: 9c38f5a390e2c50773603458d8f0814d


    === C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\rtkt0000\svc0000\tsk0001.ini

    [InfectedFile]
    Type: Api image
    Src: C:\Windows\system32\DRIVERS\avgtdix.sys
    md5: a6d562b612216d8d02a35ebeb92366bd


    === C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\rtkt0000\zafs0000\tsk0000.ini

    [InfectedFile]
    Name: C:\Windows\$NtUninstallKB19561$\3558119549\@
    Size: 2048


    === C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\rtkt0000\zafs0000\tsk0001.ini

    [InfectedFile]
    Name: C:\Windows\$NtUninstallKB19561$\3558119549\cfg.ini
    Size: 297


    === C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\rtkt0000\zafs0000\tsk0002.ini

    [InfectedFile]
    Name: C:\Windows\$NtUninstallKB19561$\3558119549\Desktop.ini
    Size: 4608


    === C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\rtkt0000\zafs0000\tsk0003.ini

    [InfectedFile]
    Name: C:\Windows\$NtUninstallKB19561$\3558119549\L\xadqgnnk
    Size: 295248


    === C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\rtkt0000\zafs0000\tsk0004.ini

    [InfectedFile]
    Name: C:\Windows\$NtUninstallKB19561$\3558119549\oemid
    Size: 57


    === C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\rtkt0000\zafs0000\tsk0005.ini

    [InfectedFile]
    Name: C:\Windows\$NtUninstallKB19561$\3558119549\U\00000001.@
    Size: 2048


    === C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\rtkt0000\zafs0000\tsk0006.ini

    [InfectedFile]
    Name: C:\Windows\$NtUninstallKB19561$\3558119549\U\00000002.@
    Size: 224768


    === C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\rtkt0000\zafs0000\tsk0007.ini

    [InfectedFile]
    Name: C:\Windows\$NtUninstallKB19561$\3558119549\U\00000004.@
    Size: 1024


    === C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\rtkt0000\zafs0000\tsk0008.ini

    [InfectedFile]
    Name: C:\Windows\$NtUninstallKB19561$\3558119549\U\80000000.@
    Size: 66560


    === C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\rtkt0000\zafs0000\tsk0009.ini

    [InfectedFile]
    Name: C:\Windows\$NtUninstallKB19561$\3558119549\U\80000004.@
    Size: 1024


    === C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\rtkt0000\zafs0000\tsk0010.ini

    [InfectedFile]
    Name: C:\Windows\$NtUninstallKB19561$\3558119549\U\80000032.@
    Size: 115712


    === C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\rtkt0000\zafs0000\tsk0011.ini

    [InfectedFile]
    Name: C:\Windows\$NtUninstallKB19561$\3558119549\version
    Size: 1268


    === C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\zaea0000\object.ini

    [InfectedObject]
    Verdict: Backdoor.Multi.ZAccess.gen


    === C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\zaea0000\svc0000\object.ini

    [InfectedObject]
    Type: Service
    Name: pcradminserver
    Type: n/a (0x20)
    Start: Auto (0x2)
    ImagePath: %SystemRoot%\system32\svchost.exe -k netsvcs
    Suspicious states: Locked file;


    === C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\zaea0000\svc0000\tsk0000.ini

    [InfectedFile]
    Type: Raw image
    Src: C:\Windows\system32\ultra.dll
    md5: 11028c6a84a967070cb1286550f2058f

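As an added example (not Kaspersky's code and not anything posted in this thread), here is a small Python triage script for a TDSSQ.txt log of the layout shown above: it groups the quarantined objects by verdict, service and file, and marks services that TDSSKiller flagged as forged or locked, plus services whose ImagePath is svchost.exe (their code lives in a ServiceDll rather than in the listed image). The sample log inside it is a constructed excerpt of the posted one, and the folder layout (object folder two levels under TDSSKiller_Quarantine) is an assumption taken from that log.

```python
"""Triage a TDSSKiller quarantine-information log (TDSSQ.txt) by quarantined object."""
import re
from collections import defaultdict
# Constructed sample: an excerpt with the same layout as the posted TDSSQ.txt.
SAMPLE_LOG = r"""
=== C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\rtkt0000\object.ini
[InfectedObject]
Verdict: Virus.Win32.ZAccess.aml

=== C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\rtkt0000\svc0000\object.ini
[InfectedObject]
Type: Service
Name: Avgtdix
Type: Kernel driver (0x1)
Start: System (0x1)
ImagePath: system32\DRIVERS\avgtdix.sys
Suspicious states: Forged file;

=== C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\rtkt0000\zafs0000\tsk0003.ini
[InfectedFile]
Name: C:\Windows\$NtUninstallKB19561$\3558119549\L\xadqgnnk
Size: 295248

=== C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\zaea0000\object.ini
[InfectedObject]
Verdict: Backdoor.Multi.ZAccess.gen

=== C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\zaea0000\svc0000\object.ini
[InfectedObject]
Type: Service
Name: pcradminserver
Type: n/a (0x20)
Start: Auto (0x2)
ImagePath: %SystemRoot%\system32\svchost.exe -k netsvcs
Suspicious states: Locked file;

=== C:\TDSSKiller_Quarantine\06.05.2012_22.08.18\zaea0000\svc0000\tsk0000.ini
[InfectedFile]
Type: Raw image
Src: C:\Windows\system32\ultra.dll
md5: 11028c6a84a967070cb1286550f2058f
"""
HEADER_RE = re.compile(r"^=== (.+)$")          # "=== <path to .ini>"
SECTION_RE = re.compile(r"^\[(\w+)\]$")        # [InfectedObject] / [InfectedFile]
FIELD_RE = re.compile(r"^([A-Za-z0-9 ]+): ?(.*)$")  # "Key: value"


def parse_tdssq(text):
    """One entry per '=== <ini path>' header; fields stay an ordered (key, value) list since keys repeat."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER_RE.match(line):
            current = {"path": m.group(1), "kind": None, "fields": []}
            entries.append(current)
        elif current is None or not line:
            continue
        elif m := SECTION_RE.match(line):
            current["kind"] = m.group(1)
        elif m := FIELD_RE.match(line):
            current["fields"].append((m.group(1), m.group(2).strip()))
    return entries


def first(fields, key):
    """Value of the first field named key, or None (a service section has two 'Type:' lines)."""
    return next((v for k, v in fields if k == key), None)


def object_id(path):
    """Quarantine object folder (rtkt0000, zaea0000, ...): assumed two levels below TDSSKiller_Quarantine."""
    parts = path.split("\\")
    for i, part in enumerate(parts):
        if part.lower() == "tdsskiller_quarantine" and len(parts) > i + 2:
            return parts[i + 2]
    return "unknown"


def summarize(entries):
    """Group entries by object: {id: {'verdict', 'services', 'files'}}."""
    objects = defaultdict(lambda: {"verdict": None, "services": [], "files": []})
    for e in entries:
        rec, f = objects[object_id(e["path"])], e["fields"]
        if e["kind"] == "InfectedObject" and first(f, "Verdict"):
            rec["verdict"] = first(f, "Verdict")
        elif e["kind"] == "InfectedObject" and first(f, "Name"):
            flags = (first(f, "Suspicious states") or "").split(";")
            rec["services"].append({"name": first(f, "Name"), "image": first(f, "ImagePath"),
                                    "flags": [s.strip() for s in flags if s.strip()]})
        elif e["kind"] == "InfectedFile":
            rec["files"].append({"path": first(f, "Name") or first(f, "Src"), "md5": first(f, "md5")})
    return dict(objects)


def triage(summary):
    """One line per quarantined service; svchost-hosted services are marked because their code is a ServiceDll."""
    lines = []
    for oid, rec in sorted(summary.items()):
        for svc in rec["services"]:
            flags = svc["flags"] + (["svchost-hosted"] if "svchost.exe" in (svc["image"] or "").lower() else [])
            lines.append(f"{oid} {rec['verdict']}: service {svc['name']} -> {svc['image']} "
                         f"[{', '.join(flags)}]; {len(rec['files'])} file(s)")
    return lines
```

Running `triage(summarize(parse_tdssq(SAMPLE_LOG)))` yields one line per service; the zaea0000 line is the one a responder would look at first, since a service named pcradminserver running inside svchost.exe with a locked image is the ZeroAccess pattern rather than a damaged AVG driver.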
  8. #8
    Junior Member
    Join Date
    May 2012
    Posts
    17

    Default

    Latest Combo Fix Log


    ComboFix 12-05-11.04 - Nathan 05/11/2012 22:52:54.2.2 - x86
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3326.2406 [GMT -4:00]
    Running from: c:\users\Nathan\Desktop\jgh.exe
    AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\Microsoft
    c:\users\Nathan\AppData\Roaming\Roaming
    c:\users\Nathan\AppData\Roaming\Roaming\Quest3D\ShipSimExtreme\channels.lst
    .
    ---- Previous Run -------
    .
    c:\users\Nathan\AppData\Roaming\Roaming
    c:\users\Nathan\AppData\Roaming\Roaming\Quest3D\ShipSimExtreme\channels.lst
    c:\windows\system32\explorer.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_BridgeMP
    -------\Service_Dot4Print
    -------\Service_p2psvc
    -------\Service_SiSRaid2
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-04-12 to 2012-05-12 )))))))))))))))))))))))))))))))
    .
    .
    2012-05-12 03:10 . 2012-05-12 03:10 -------- d-----w- c:\users\Mcx1-NATHAN-PC\AppData\Local\temp
    2012-05-12 03:10 . 2012-05-12 03:10 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-05-12 02:11 . 2012-05-12 02:11 -------- d--h--w- c:\windows\AxInstSV
    2012-05-12 01:44 . 2012-05-12 01:53 -------- d-----w- c:\windows\system32\catroot2
    2012-05-11 03:35 . 2012-05-11 03:35 -------- d-----w- c:\users\Nathan\AppData\Roaming\Malwarebytes
    2012-05-11 03:35 . 2012-05-11 03:35 -------- d-----w- c:\programdata\Malwarebytes
    2012-05-11 03:35 . 2012-05-11 03:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-05-11 03:35 . 2012-04-04 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-05-10 15:35 . 2012-05-11 22:35 -------- d-----w- c:\windows\system32\drivers\AVG
    2012-05-10 15:35 . 2012-05-10 15:49 -------- d-----w- c:\programdata\AVG2012
    2012-05-08 22:57 . 2012-05-09 04:08 -------- d-----w- C:\AVG2012
    2012-05-08 22:52 . 2012-05-12 01:58 -------- d-----w- C:\temp
    2012-05-08 16:10 . 2012-05-12 03:14 -------- d-----w- c:\users\Nathan\AppData\Local\temp
    2012-05-08 15:48 . 2012-05-09 04:08 -------- d-----w- C:\jgh2002j
    2012-05-07 22:07 . 2012-05-07 22:07 -------- d-----w- C:\JGH
    2012-05-07 03:00 . 2012-05-09 04:06 -------- d-----w- C:\_OTL
    2012-05-07 03:00 . 2011-07-11 05:14 295248 ----a-w- c:\windows\system32\dllcache
    2012-05-07 02:11 . 2012-05-09 04:06 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-05-06 19:58 . 2012-05-09 00:55 -------- d-----w- C:\DashConfig
    2012-05-06 19:25 . 2012-05-06 19:25 -------- dc-h--w- c:\programdata\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}
    2012-05-06 19:24 . 2012-05-06 19:24 -------- d-----w- c:\users\Nathan\AppData\Local\PackageAware
    2012-05-06 18:58 . 2012-05-09 04:06 -------- dc-h--w- c:\programdata\{51019853-129C-4EDE-9030-D5FD7BBD9AD0}
    2012-05-06 18:41 . 2012-05-06 19:16 -------- dc-h--w- c:\programdata\{92E7A367-8E12-4830-AA70-29C32E331A81}
    2012-05-06 17:42 . 2012-05-09 04:06 -------- d-----w- c:\program files\NirSoft
    2012-05-06 17:37 . 2012-05-06 17:37 -------- d-----w- c:\programdata\Uniblue
    2012-05-06 17:37 . 2012-05-09 04:06 -------- d-----w- c:\program files\Uniblue
    2012-04-28 00:23 . 2012-04-28 00:23 -------- d-----w- c:\program files\Paradox Interactive
    2012-04-19 08:50 . 2012-04-19 08:50 24896 ----a-w- c:\windows\system32\drivers\avgidshx.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-05-07 02:13 . 2011-07-11 05:14 295248 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2012-05-06 20:04 . 2012-04-04 14:11 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-05-06 20:04 . 2011-05-27 15:37 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-03-19 09:17 . 2012-03-19 09:17 301248 ----a-w- c:\windows\system32\drivers\SET7F13.tmp
    2012-03-06 13:43 . 2010-05-16 15:58 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2012-03-06 05:59 . 2012-04-11 02:46 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2012-03-06 05:59 . 2012-04-11 02:46 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-03-01 05:46 . 2012-04-11 02:48 19824 ----a-w- c:\windows\system32\drivers\fs_rec.sys
    2012-03-01 05:37 . 2012-04-11 02:48 172544 ----a-w- c:\windows\system32\wintrust.dll
    2012-03-01 05:33 . 2012-04-11 02:48 159232 ----a-w- c:\windows\system32\imagehlp.dll
    2012-03-01 05:29 . 2012-04-11 02:48 5120 ----a-w- c:\windows\system32\wmi.dll
    2012-02-24 19:43 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
    2012-02-22 09:25 . 2012-02-22 09:25 235216 ----a-w- c:\windows\system32\drivers\SET5D10.tmp
    2012-02-17 05:34 . 2012-03-15 04:55 826880 ----a-w- c:\windows\system32\rdpcore.dll
    2012-02-17 04:14 . 2012-03-15 04:55 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-02-17 04:13 . 2012-03-15 04:55 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys
    2012-02-15 16:01 . 2012-02-15 16:01 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
    2012-02-15 16:01 . 2012-02-15 16:01 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    2011-10-11 01:41 . 2011-03-22 22:58 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    2006-05-03 09:06 163328 --sh--r- c:\windows\System32\flvDX.dll
    2007-02-21 10:47 31232 --sh--r- c:\windows\System32\msfDX.dll
    2008-03-16 12:30 216064 --sh--r- c:\windows\System32\nbDX.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-05-07_21.56.12 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-11-14 06:24 . 2012-05-12 02:48 69388 c:\windows\System32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-07-14 04:55 . 2012-05-12 03:15 47126 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2009-11-14 05:04 . 2012-05-12 03:15 22760 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-541655578-1006378361-3361530724-1000_UserData.bin
    + 2010-03-19 21:17 . 2012-05-08 23:49 67584 c:\windows\System32\LogFiles\Srt\bootstat.dat
    - 2010-03-19 21:17 . 2010-03-19 23:36 67584 c:\windows\System32\LogFiles\Srt\bootstat.dat
    + 2009-07-14 04:50 . 2012-05-12 03:16 86016 c:\windows\System32\DriverStore\infpub.dat
    - 2009-07-14 04:50 . 2012-05-07 12:52 86016 c:\windows\System32\DriverStore\infpub.dat
    + 2012-01-31 08:46 . 2012-01-31 08:46 31952 c:\windows\System32\drivers\avgrkx86.sys
    + 2011-12-23 17:32 . 2011-12-23 17:32 41040 c:\windows\System32\drivers\avgmfx86.sys
    + 2011-12-23 17:32 . 2011-12-23 17:32 17232 c:\windows\System32\drivers\avgidsshimx.sys
    + 2011-12-23 17:32 . 2011-12-23 17:32 24144 c:\windows\System32\drivers\avgidsfilterx.sys
    + 2009-11-14 05:04 . 2012-05-12 03:17 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-11-14 05:04 . 2012-05-07 22:04 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-11-14 05:04 . 2012-05-12 03:17 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-11-14 05:04 . 2012-05-07 22:04 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-11-14 05:04 . 2012-05-07 22:04 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-11-14 05:04 . 2012-05-12 03:17 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-11-14 03:07 . 2012-05-07 22:01 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-11-14 03:07 . 2012-05-12 03:07 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-11-14 03:07 . 2012-05-12 03:07 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-11-14 03:07 . 2012-05-07 22:01 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2010-07-16 16:18 . 2010-07-16 16:18 10134 c:\windows\Installer\{DA97BDF9-BC72-46FD-8E76-427F2BB951EE}\ARPPRODUCTICON.exe
    + 2012-05-12 01:37 . 2012-05-12 01:37 10134 c:\windows\Installer\{DA97BDF9-BC72-46FD-8E76-427F2BB951EE}\ARPPRODUCTICON.exe
    - 2012-05-07 21:29 . 2012-05-07 21:55 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-05-12 02:45 . 2012-05-12 03:13 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2012-05-07 21:29 . 2012-05-07 21:55 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2012-05-12 02:45 . 2012-05-12 03:13 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2009-07-13 23:58 . 2010-11-20 12:18 854016 c:\windows\winsxs\x86_microsoft-windows-imageanalysis_31bf3856ad364e35_6.1.7601.17514_none_4a6381a588654ba6\dbghelp.dll
    - 2011-10-11 01:57 . 2010-11-20 12:18 854016 c:\windows\winsxs\x86_microsoft-windows-imageanalysis_31bf3856ad364e35_6.1.7601.17514_none_4a6381a588654ba6\dbghelp.dll
    - 2009-07-14 04:50 . 2012-05-07 12:52 143360 c:\windows\System32\DriverStore\infstrng.dat
    + 2009-07-14 04:50 . 2012-05-12 03:16 143360 c:\windows\System32\DriverStore\infstrng.dat
    - 2009-07-14 04:50 . 2012-05-07 12:52 143360 c:\windows\System32\DriverStore\infstor.dat
    + 2009-07-14 04:50 . 2012-05-12 03:16 143360 c:\windows\System32\DriverStore\infstor.dat
    + 2011-12-23 17:32 . 2011-12-23 17:32 139856 c:\windows\System32\drivers\avgidsdriverx.sys
    + 2009-07-14 04:34 . 2012-05-12 02:47 116104 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
    - 2009-07-14 04:47 . 2012-05-07 21:27 470464 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2009-07-14 04:47 . 2012-05-12 02:19 470464 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2007-03-23 19:51 . 2007-03-23 19:51 150368 c:\windows\Downloaded Program Files\igdtoolx.dll
    + 2010-04-03 22:27 . 2010-04-03 22:27 1515624 c:\windows\System32\nvsvcr.dll
    + 2010-04-27 06:17 . 2012-05-12 02:19 2431816 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-541655578-1006378361-3361530724-1000-8192.dat
    - 2010-04-27 06:17 . 2012-05-07 21:27 2431816 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-541655578-1006378361-3361530724-1000-8192.dat
    + 2012-05-10 15:31 . 2012-05-10 15:31 5161984 c:\windows\Installer\61b840.msi
    + 2012-05-10 15:34 . 2012-05-10 15:34 2208768 c:\windows\Installer\61b83c.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FA3FEDF6-1A34-4076-9F25-A26A2DE6A401}]
    2011-12-04 05:05 88576 ----a-w- c:\program files\RebateRobot\RebateRobot.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
    @="{95A27763-F62A-4114-9072-E81D87DE3B68}"
    [HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
    2011-03-04 00:52 762000 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
    @="{E300CD91-100F-4E67-9AF3-1384A6124015}"
    [HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
    2011-03-04 00:52 762000 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
    @="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
    [HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
    2011-03-04 00:52 762000 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\Nathan\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\Nathan\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\Nathan\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Spotify Web Helper"="c:\users\Nathan\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2012-05-09 932528]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-08-10 1313640]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 1821576]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^GammaTray.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\GammaTray.lnk
    backup=c:\windows\pss\GammaTray.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
    backup=c:\windows\pss\McAfee Security Scan Plus.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKLM\~\startupfolder\C:^Users^Nathan^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dropbox.lnk]
    path=c:\users\Nathan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
    backup=c:\windows\pss\Dropbox.lnk.Startup
    backupExtension=.Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
    2008-10-15 02:38 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    2007-09-11 04:43 67488 ----a-w- c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM for Windows]
    2012-02-11 04:57 1263448 ----a-w- c:\users\Nathan\AppData\Local\AOL\AIM\aim.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Akamai NetSession Interface]
    2012-03-13 09:37 3331872 ----a-w- c:\users\Nathan\AppData\Local\Akamai\netsession_win.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
    2009-04-24 03:05 203416 ----a-w- c:\program files\Alcohol Soft\Alcohol 52\AxCmd.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
    2012-02-21 02:28 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG_TRAY]
    2012-04-05 09:12 2587008 ----a-w- c:\program files\AVG\AVG2012\avgtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CA737A4C8A218980B307F7230906C3F73A69889A._service_run]
    2012-04-28 02:07 1224176 ----a-w- c:\users\Nathan\AppData\Local\Google\Chrome\Application\chrome.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Carbonite Backup]
    2011-03-04 00:52 948880 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
    2011-03-21 21:10 1230704 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EEventManager]
    2006-10-12 19:57 102400 ------w- c:\program files\epson\Creativity Suite\Event Manager\EEventManager.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2011-05-10 07:41 49208 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
    2008-07-22 23:33 150528 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
    2007-03-29 20:41 222128 ----a-w- c:\programdata\Macrovision\FLEXnet Connect\6\ISUSPM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
    2007-09-12 14:20 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MagicTuneLauncher]
    2010-12-21 14:39 51712 ----a-w- c:\program files\MagicTune Premium\MagicTuneLauncher.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerGuardian]
    2007-06-02 20:59 1457152 ----a-w- c:\program files\PeerGuardian2\pg2.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2011-10-24 18:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spotify]
    2012-05-09 21:36 9478320 ----a-w- c:\users\Nathan\AppData\Roaming\Spotify\spotify.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spotify Web Helper]
    2012-05-09 21:36 932528 ----a-w- c:\users\Nathan\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    2011-08-09 13:58 1242448 ----a-w- c:\program files\Steam\Steam.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2012-01-18 19:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
    2012-03-06 22:24 741240 ----a-w- c:\program files\uTorrent\uTorrent.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Xvid]
    2011-01-17 19:41 8192 ----a-w- c:\program files\Xvid\CheckUpdate.exe
    .
    R3 massfilter;Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2008-04-15 9216]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-01 1343400]
    R3 ZTEusbgps;ZTE GPS Port;c:\windows\system32\DRIVERS\ZTEusbgps.sys [2008-04-15 105856]
    R3 ZTEusbnmeaext;ZTE NMEAExt Port;c:\windows\system32\DRIVERS\ZTEusbnmeaext.sys [2008-04-15 105856]
    R4 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
    R4 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-06 257696]
    R4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-26 135664]
    R4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-26 135664]
    R4 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [2012-02-06 374152]
    R4 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
    R4 SplashtopRemoteService;Splashtop® Remote Service;c:\program files\Splashtop\Splashtop Remote\Server\SRService.exe [2012-02-09 531328]
    R4 SSUService;Splashtop Software Updater Service;c:\program files\Splashtop\Splashtop Software Updater\SSUService.exe [2012-03-15 370504]
    R4 VMLiteService;VMLiteService;c:\program files\VMLite\VMLite Workstation\VMLiteService.exe [2010-08-21 455784]
    S0 AVGIDSHX;AVGIDSHX;c:\windows\system32\DRIVERS\avgidshx.sys [2012-04-19 24896]
    S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [2012-01-31 31952]
    S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-11-14 721904]
    S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [2011-10-07 230608]
    S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [2012-05-07 295248]
    S1 VBoxDrv;VBoxDrv;c:\windows\system32\drivers\VBoxDrv.sys [2010-08-11 143848]
    S1 vmlitedrv;vmlitedrv;c:\windows\system32\drivers\vmlitedrv.sys [2010-06-29 15464]
    S1 VMLiteUSBMon;VMLiteUSBMon;c:\windows\system32\drivers\vmliteusbmon.sys [2010-08-18 127080]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
    S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 20992]
    S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\avgidsagent.exe [2012-04-30 5106744]
    S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [2012-02-14 193288]
    S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2008-08-11 12856]
    S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdriverx.sys [2011-12-23 139856]
    S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\avgidsfilterx.sys [2011-12-23 24144]
    S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\avgidsshimx.sys [2011-12-23 17232]
    S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-05-18 40320]
    S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28u.sys [2009-07-13 657408]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-03-02 139776]
    S3 VBoxNetAdp;VMLite Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [2010-08-11 100264]
    S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [2010-08-11 111208]
    S3 vmlitestor;vmlitestor;c:\windows\system32\DRIVERS\vmlitestor.sys [2010-08-18 140392]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    Akamai REG_MULTI_SZ Akamai
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    Cam5603C
    AR5523
    SE2Bbus
    dvd_2K
    LUsbKbd
    mgabg
    httpfilter
    armoucfltr
    pcradminserver
    awecho
    splitter
    mssqlserveradhelper
    dpfusmgr
    GTPTSER
    xnacc
    pdreli
    ntservice1
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-05-12 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 20:04]
    .
    2012-05-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-26 17:16]
    .
    2012-05-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-26 17:16]
    .
    2012-05-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-541655578-1006378361-3361530724-1000Core.job
    - c:\users\Nathan\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-14 02:38]
    .
    2012-05-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-541655578-1006378361-3361530724-1000UA.job
    - c:\users\Nathan\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-14 02:38]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = https://eagent.farmersinsurance.com/
    mStart Page = hxxp://www.google.com
    uInternet Settings,ProxyServer = 46.23.70.176:3128
    uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;<local>
    IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
    IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
    IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
    IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
    IE: {{68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\AVG\AVG2012\avgdtiex.dll
    Trusted Zone: 360-value.com
    Trusted Zone: billerweb.com
    Trusted Zone: bristolwest.com
    Trusted Zone: bwproducers.com
    Trusted Zone: cisgroup.com
    Trusted Zone: co-optimum.com
    Trusted Zone: farmers.com
    Trusted Zone: farmers.csod.com
    Trusted Zone: farmersces.com
    Trusted Zone: farmersflood.com
    Trusted Zone: farmersinsurance.com
    Trusted Zone: farmersleadcenter.com
    Trusted Zone: farmerslife.com
    Trusted Zone: farmersmarketpoint.com
    Trusted Zone: foremostfarmers.com
    Trusted Zone: foremoststar.com
    Trusted Zone: ipipeline.com
    Trusted Zone: msbexpress.net
    Trusted Zone: seccas.com
    Trusted Zone: zurich.com
    TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
    FF - ProfilePath - c:\users\Nathan\AppData\Roaming\Mozilla\Firefox\Profiles\jkd87gk8.default\
    FF - prefs.js: browser.search.selectedEngine - Web Search
    FF - prefs.js: browser.startup.homepage - hxxp://startsear.ch/?aff=1&cf=3b7fc524-29a8-11e1-8e12-001fd08149e9
    FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7Bbc3f9e54-7112-455e-8307-e15978e50026%7D&mid=695c58de235e47d6b412d1569665a01a-630f14d88c88f78d12f6037265eb8b1d7839be65&ds=AVG&v=10.0.0.7&lang=en&pr=fr&d=2011-10-17%2012%3A38%3A28&sap=ku&q=
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
    .
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\services\Akamai]
    "ServiceDll"="c:\program files\common files\akamai/netsession_win_6c825ce.dll"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'Explorer.exe'(2204)
    c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
    c:\users\Nathan\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\progra~1\AVG\AVG2012\avgrsx.exe
    c:\windows\system32\nvvsvc.exe
    c:\program files\AVG\AVG2012\avgcsrvx.exe
    c:\windows\system32\nvvsvc.exe
    c:\windows\system32\PrintIsolationHost.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\windows\system32\taskhost.exe
    c:\program files\Google\Update\1.3.21.111\GoogleCrashHandler.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    c:\program files\AVG\AVG2012\avgnsx.exe
    c:\program files\AVG\AVG2012\avgemcx.exe
    c:\windows\system32\WUDFHost.exe
    c:\windows\system32\conhost.exe
    c:\program files\Windows Media Player\wmpnscfg.exe
    .
    **************************************************************************
    .
    Completion time: 2012-05-11 23:23:27 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-05-12 03:23
    ComboFix2.txt 2012-05-07 22:07
    .
    Pre-Run: 21,887,176,704 bytes free
    Post-Run: 21,658,742,784 bytes free
    .
    - - End Of File - - E09FA5E9093EBB11028084417CFBF20C

  9. #9
    Junior Member
    Join Date
    May 2012
    Posts
    17

    Default

    TT Log:


    ========== REGISTRY ==========
    ========== SERVICES/DRIVERS ==========
    Error: No service named .avgtdix was found to stop!
    Service\Driver key .avgtdix not found.
    ========== FILES ==========
    < copy "C:\Program Files\AVG\AVG2012\Drivers\avgtdix.sys" "C:\WINDOWS\system32\dllcache" /c >
    1 file(s) copied.
    C:\Users\Nathan\Downloads\cmd.bat deleted successfully.
    C:\Users\Nathan\Downloads\cmd.txt deleted successfully.
    C:\WINDOWS\System32\dds_trash_log.cmd moved successfully.
    ========== COMMANDS ==========

    OTL by OldTimer - Version 3.2.42.3 log created on 05062012_230004

  10. #10
    Emeritus- Malware Team
    Join Date
    Aug 2011
    Posts
    148

    Default

    Hi boatnerd06,

    Quote Originally Posted by boatnerd06
    Sorry about the lack of response I was gone for the weekend.
    You are fortunate. I had requested this topic to be closed, but the request somehow got overlooked. Please make sure you reply in good time otherwise you will run the risk of the topic being closed.

    I'm afraid I have some bad news for you.

    Rootkit Warning

    Your logs show signs of the Zero Access Rootkit infection.
    A rootkit is a set of software tools intended for concealing running processes, files or system data from the operating system.

    You are strongly advised to do the following:
    • Disconnect the computer from the Internet and from any networked computers until it is cleaned.
    • Your company's IT department should also be informed.
    • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft
      and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
    • From a clean computer, change all your passwords.
      (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, any online activity you perform, requiring a username and password).
      Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.
    • Back up all your important data except programs. The programs can be re-installed back from the original disc or from the Net.

    Due to its rootkit functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again.
    Many experts in the security community believe that once infected with this type of malware, the best course of action would be to do a reformat and re-installation of the operating system (OS).

    This decision will have to be made by you.

    To help you understand more, please take some time to read the following articles:
    An attempt can be made to clean this machine; however, you will need to be aware that, having already attempted to deal with the malware infections present on your computer, your system may have been damaged beyond repair. In addition, there will be no guarantee, if the cleanup is successful, that the computer won't still be compromised afterwards.

    Quote Originally Posted by boatnerd06
    I do not have the original Installation media for this computer. It was a Vista Media Center to Windows 7 Upgrade via a downloadable file from Microsoft.
    This does not help your situation. I hope you have your original Vista Media Center installation media.

    Please confirm how you would like to proceed.


    Scolabar
    --------------------------------------------------------------------------
    No Reply Within 3 Days Will Result In Your Topic Being Closed
    Malware Removal University - You too could train to help others
