
Thread: Trojan Detected - Unable to Remove

    #1 - Member (Join Date: Aug 2009, Location: Canada, Posts: 52)

    Trojan Detected - Unable to Remove

    Hello,

    AVG had a popup indicating a threat which it was unable to remove, as the file was locked. The following is the information I obtained when running AVG in Safe Mode:

    AVG 2013 AntiVirus command line scanner
    Copyright (c) 1992 - 2012 AVG Technologies
    Program version 2013.0.3392, engine 2013.0.3222
    Virus Database: Version 3222/6645 2013-09-07
    C:\Windows\explorer.exe (1428) Trojan horse Generic29.AJGE
    c:\$Recycle.Bin\S-1-5-21-1206012796-1689309657-3446792677-1000\$5b4025b60727901705831f37f32c5f55\ Locked file. Not tested.
    c:\$Recycle.Bin\S-1-5-21-1206012796-1689309657-3446792677-1000\$R9APP3J\ Locked file. Not tested.

    My DDS and aswMBR files follow. Thank you for your assistance.

    DDS (Ver_2012-11-20.01) - NTFS_AMD64
    Internet Explorer: 10.0.9200.16660 BrowserJavaVersion: 10.25.2
    Run by Rick at 19:00:21 on 2013-09-07
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.2.1033.18.6071.3403 [GMT -4:00]
    .
    AV: AVG AntiVirus Free Edition 2013 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Spybot - Search and Destroy *Enabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
    SP: AVG AntiVirus Free Edition 2013 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
    .
    ============== Running Processes ===============
    .
    C:\PROGRA~2\AVG\AVG2013\avgrsa.exe
    C:\Program Files (x86)\AVG\AVG2013\avgcsrva.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\atieclxx.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe
    C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe
    C:\Program Files (x86)\Gateway\Registration\GregHSRW.exe
    C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
    C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
    C:\Program Files\Microsoft LifeCam\MSCamS64.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Program Files (x86)\Winsim\ConnectionManager\SimplyConnectionManager.exe
    C:\Program Files (x86)\Sling Media\SlingAgent\SlingAgentService.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe
    C:\OEM\USBDECTION\USBS3S4Detection.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\system32\PrintIsolationHost.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\System32\WUDFHost.exe
    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Users\Rick\AppData\Local\TheWeatherNetwork\WeatherEye\WeatherEye.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files (x86)\Samsung\Kies\Kies.exe
    C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
    C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe
    C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe
    C:\Program Files (x86)\winsim\ConnectionManager\Simply.SystemTrayIcon.exe
    C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe
    C:\Program Files (x86)\AVG\AVG2013\avgui.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
    C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
    C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Users\Rick\AppData\Roaming\mjusbsp\magicJack.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files (x86)\Nero\Update\NASvc.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Users\Rick\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Rick\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Rick\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Rick\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
    C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
    C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
    C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
    C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe
    C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe
    C:\Program Files (x86)\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files (x86)\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Windows\splwow64.exe
    C:\Program Files (x86)\Microsoft MapPoint 2010\StreetsOlkShim.exe
    C:\Program Files (x86)\AVG\AVG2013\avgcsrvx.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\System32\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    uWindow Title = Szirtes Computer Compan
    uSearch Bar = hxxp://www.google.com/ie
    uSearch Page = hxxp://www.google.com
    uDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=1009&m=dx4831&r=17360310p306p04d5v145k4491r56o
    uDefault_Search_URL = hxxp://www.google.com/ie
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
    uURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\prxtbVuze.dll
    mURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\prxtbVuze.dll
    BHO: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngine.dll
    BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -
    BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
    BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\prxtbVuze.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
    TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    TB: Vuze Remote Toolbar: {BA14329E-9550-4989-B3F2-9732E92D17CC} - C:\Program Files (x86)\Vuze_Remote\prxtbVuze.dll
    TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\prxtbVuze.dll
    TB: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngine.dll
    TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    uRun: [WeatherEye] C:\Users\Rick\AppData\Local\TheWeatherNetwork\WeatherEye\WeatherEye.exe
    uRun: [Simp] C:\Program Files (x86)\Secway\SimpLite-MSN 2.5\SimpLite-MSN.exe
    uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    uRun: [Google Update] "C:\Users\Rick\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    uRun: [cdloader] "C:\Users\Rick\AppData\Roaming\mjusbsp\cdloader2.exe" MAGICJACK
    uRun: [GarminExpressTrayApp] "C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe"
    uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe"
    uRun: [KiesPreload] C:\Program Files (x86)\Samsung\Kies\Kies.exe /preload
    uRun: [KiesAirMessage] C:\Program Files (x86)\Samsung\Kies\KiesAirMessage.exe -startup
    uRun: [] C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
    uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    uRun: [Spybot-S&D Cleaning] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe" /autoclean
    mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun: [NBAgent] "C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe" /WinStart
    mRun: [masqform.exe] C:\Program Files (x86)\PureEdge\Viewer 6.5\masqform.exe -RunOnce
    mRun: [LifeCam] "C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe"
    mRun: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
    mRun: [Google Desktop Search] "C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    mRun: [Gateway Photo Frame] C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe -A
    mRun: [ConnectionManager] C:\Program Files (x86)\Winsim\ConnectionManager\Simply.SystemTrayIcon.exe
    mRun: [BackupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe" -h -k
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    mRun: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun: [RIMBBLaunchAgent.exe] C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
    mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun: [KiesTrayAgent] C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe
    mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    mRun: [SDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
    mPolicies-Explorer: NoActiveDesktop = dword:1
    mPolicies-Explorer: NoActiveDesktopChanges = dword:1
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableUIADesktopToggle = dword:0
    mPolicies-System: PromptOnSecureDesktop = dword:0
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
    LSP: mswsock.dll
    .
    INFO: HKCU has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    .
    INFO: HKLM has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.3.0/GarminAxControl_32.CAB
    DPF: {48A5DF03-A77C-4C9F-95C9-CEDC34631004} - hxxps://www.mydlink.com/8D/activeX//DCPP.cab
    DPF: {57AF0810-BDA7-47A5-B02D-FDA1073C04B0} - hxxps://www.mydlink.com/8D/activeX//TunnelX.ocx
    DPF: {7191F0AC-D686-46A8-BFCC-EA61778C74DD} - hxxps://www.mydlink.com/8D/activeX//aplugLiteDL.cab
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com//activex/ractrl.cab?lmi=1007
    TCP: NameServer = 192.168.0.1
    TCP: Interfaces\{70441792-5F65-4699-B93D-AF1134F75691} : DHCPNameServer = 192.168.0.1
    Handler: intu-qt2009 - {03947252-2355-4e9b-B446-8CCC75C43370} - C:\Program Files (x86)\QuickTax 2009\ic2009pp.dll
    Handler: intu-tt2010 - {97A0575E-2309-4e75-8509-B1F9390C4DE7} - C:\Program Files (x86)\TurboTax 2010\ic2010pp.dll
    Handler: intu-tt2011 - {B3B5DAD9-E96D-45b4-B636-B6CF2F773DE1} - C:\Program Files (x86)\TurboTax 2011\ic2011pp.dll
    Handler: intu-tt2012 - {02F985EF-502B-4597-993F-6BF9E004C138} - C:\Program Files (x86)\TurboTax 2012\ic2012pp.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    Notify: PCANotify - PCANotify.dll
    Notify: SDWinLogon - SDWinLogon.dll
    AppInit_DLLs= C:\PROGRA~2\Google\GOOGLE~3\GO36F4~1.DLL
    SSODL: WebCheck - <orphaned>
    x64-mWindow Title = Szirtes Computer Compan
    x64-mSearch Page = hxxp://www.google.com/
    x64-mDefault_Search_URL = hxxp://www.google.com/
    x64-mSearchAssistant = hxxp://www.google.com/ie
    x64-mCustomizeSearch = hxxp://www.google.com/
    x64-BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -
    x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
    x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
    x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
    x64-Run: [LogMeIn GUI] "C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe"
    x64-Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    x64-Run: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe
    .
    INFO: x64-HKLM has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    x64-Handler: intu-qt2009 - {03947252-2355-4e9b-B446-8CCC75C43370} - <orphaned>
    x64-Handler: intu-tt2010 - {97A0575E-2309-4e75-8509-B1F9390C4DE7} - <orphaned>
    x64-Handler: intu-tt2011 - {B3B5DAD9-E96D-45b4-B636-B6CF2F773DE1} - <orphaned>
    x64-Handler: intu-tt2012 - {02F985EF-502B-4597-993F-6BF9E004C138} - <orphaned>
    x64-Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
    x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - <orphaned>
    x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
    x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
    x64-SSODL: WebCheck - <orphaned>
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\Rick\AppData\Roaming\Mozilla\Firefox\Profiles\gsuaeeby.default\
    FF - component: C:\Program Files\AVG\AVG9\Firefox\components\avgssff.dll
    FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
    FF - plugin: C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
    FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll
    FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
    FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrlui.dll
    FF - plugin: C:\Program Files (x86)\Virtual Earth 3D\npVE3D.dll
    FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
    FF - plugin: C:\Users\Rick\AppData\Local\Google\Update\1.3.21.153\npGoogleUpdate3.dll
    FF - plugin: C:\Users\Rick\AppData\Roaming\Mozilla\Firefox\Profiles\gsuaeeby.default\extensions\{83a8ce1b-683c-4784-b86d-9eb601b59f38}\plugins\np-mswmp.dll
    FF - plugin: C:\Users\Rick\AppData\Roaming\Mozilla\Firefox\Profiles\gsuaeeby.default\extensions\{83a8ce1b-683c-4784-b86d-9eb601b59f38}\plugins\npConduitFirefoxPlugin.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_8_800_94.dll
    FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
    FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
    FF - ExtSQL: 2013-07-13 09:29; {83a8ce1b-683c-4784-b86d-9eb601b59f38}; C:\Users\Rick\AppData\Roaming\Mozilla\Firefox\Profiles\gsuaeeby.default\extensions\{83a8ce1b-683c-4784-b86d-9eb601b59f38}
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSHA;AVGIDSHA;C:\Windows\System32\drivers\avgidsha.sys [2013-7-20 71480]
    R0 Avgloga;AVG Logging Driver;C:\Windows\System32\drivers\avgloga.sys [2013-7-20 311608]
    R0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\System32\drivers\avgmfx64.sys [2013-7-1 116536]
    R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\System32\drivers\avgrkx64.sys [2013-7-10 45880]
    R1 AVGIDSDriver;AVGIDSDriver;C:\Windows\System32\drivers\avgidsdrivera.sys [2013-7-20 246072]
    R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\System32\drivers\avgldx64.sys [2013-7-20 206648]
    R1 Avgtdia;AVG TDI Driver;C:\Windows\System32\drivers\avgtdia.sys [2013-3-21 240952]
    R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files (x86)\LogMeIn\x64\rainfo.sys [2008-8-11 16056]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\Windows\System32\drivers\LMIRfsDriver.sys [2010-4-3 72216]
    R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;C:\Windows\System32\drivers\e1k62x64.sys [2009-12-1 283824]
    R3 HECIx64;Intel(R) Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2009-12-1 56344]
    R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;C:\Windows\System32\drivers\nx6000.sys [2010-5-20 36720]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-6-12 59392]
    S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-12-13 54784]
    .
    =============== Created Last 30 ================
    .
    2013-09-07 21:21:26 17272 ----a-w- C:\Windows\System32\sdnclean64.exe
    2013-09-07 21:21:22 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy 2
    2013-09-07 19:22:27 -------- d-----w- C:\Program Files (x86)\ESET
    2013-08-21 23:26:35 -------- d-----w- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
    2013-08-21 23:26:35 -------- d-----w- C:\Program Files\iTunes
    2013-08-21 23:26:35 -------- d-----w- C:\Program Files\iPod
    2013-08-21 23:26:35 -------- d-----w- C:\Program Files (x86)\iTunes
    2013-08-21 16:37:08 17737608 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
    2013-08-14 11:04:21 224256 ----a-w- C:\Windows\System32\wintrust.dll
    2013-08-09 07:00:49 -------- d-----w- C:\Windows\System32\MRT
    .
    ==================== Find3M ====================
    .
    2013-08-21 16:37:14 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2013-08-21 16:37:14 692104 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
    2013-07-26 05:13:37 2241024 ----a-w- C:\Windows\System32\wininet.dll
    2013-07-26 05:12:08 3958784 ----a-w- C:\Windows\System32\jscript9.dll
    2013-07-26 05:12:04 136704 ----a-w- C:\Windows\System32\iesysprep.dll
    2013-07-26 05:12:03 67072 ----a-w- C:\Windows\System32\iesetup.dll
    2013-07-26 03:35:08 2706432 ----a-w- C:\Windows\System32\mshtml.tlb
    2013-07-26 03:13:24 1767936 ----a-w- C:\Windows\SysWow64\wininet.dll
    2013-07-26 03:12:04 2877440 ----a-w- C:\Windows\SysWow64\jscript9.dll
    2013-07-26 03:12:00 61440 ----a-w- C:\Windows\SysWow64\iesetup.dll
    2013-07-26 03:12:00 109056 ----a-w- C:\Windows\SysWow64\iesysprep.dll
    2013-07-26 02:49:14 2706432 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2013-07-26 02:39:38 89600 ----a-w- C:\Windows\System32\RegisterIEPKEYs.exe
    2013-07-26 01:59:38 71680 ----a-w- C:\Windows\SysWow64\RegisterIEPKEYs.exe
    2013-07-25 09:25:54 1888768 ----a-w- C:\Windows\System32\WMVDECOD.DLL
    2013-07-25 08:57:27 1620992 ----a-w- C:\Windows\SysWow64\WMVDECOD.DLL
    2013-07-20 05:51:00 311608 ----a-w- C:\Windows\System32\drivers\avgloga.sys
    2013-07-20 05:50:56 71480 ----a-w- C:\Windows\System32\drivers\avgidsha.sys
    2013-07-20 05:50:56 246072 ----a-w- C:\Windows\System32\drivers\avgidsdrivera.sys
    2013-07-20 05:50:50 206648 ----a-w- C:\Windows\System32\drivers\avgldx64.sys
    2013-07-19 01:58:42 2048 ----a-w- C:\Windows\System32\tzres.dll
    2013-07-19 01:41:01 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
    2013-07-13 14:11:36 0 ----a-w- C:\Windows\System32\sirenacm.dll
    2013-07-13 14:11:36 0 ----a-w- C:\Windows\System32\olepro32.dll
    2013-07-13 14:11:36 0 ----a-w- C:\Windows\System32\atiumdva.dll
    2013-07-13 14:11:36 0 ----a-w- C:\Windows\System32\atiumdag.dll
    2013-07-13 14:11:36 0 ----a-w- C:\Windows\System32\atidxx32.dll
    2013-07-10 05:32:38 45880 ----a-w- C:\Windows\System32\drivers\avgrkx64.sys
    2013-07-09 06:03:30 5550528 ----a-w- C:\Windows\System32\ntoskrnl.exe
    2013-07-09 05:54:22 1732032 ----a-w- C:\Windows\System32\ntdll.dll
    2013-07-09 05:53:12 243712 ----a-w- C:\Windows\System32\wow64.dll
    2013-07-09 05:51:16 1217024 ----a-w- C:\Windows\System32\rpcrt4.dll
    2013-07-09 05:46:20 184320 ----a-w- C:\Windows\System32\cryptsvc.dll
    2013-07-09 05:46:20 1472512 ----a-w- C:\Windows\System32\crypt32.dll
    2013-07-09 05:46:20 139776 ----a-w- C:\Windows\System32\cryptnet.dll
    2013-07-09 05:03:34 3968960 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
    2013-07-09 05:03:34 3913664 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
    2013-07-09 04:53:47 1292192 ----a-w- C:\Windows\SysWow64\ntdll.dll
    2013-07-09 04:52:33 663552 ----a-w- C:\Windows\SysWow64\rpcrt4.dll
    2013-07-09 04:52:33 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
    2013-07-09 04:52:10 175104 ----a-w- C:\Windows\SysWow64\wintrust.dll
    2013-07-09 04:46:31 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
    2013-07-09 04:46:31 1166848 ----a-w- C:\Windows\SysWow64\crypt32.dll
    2013-07-09 04:46:31 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll
    2013-07-09 04:45:07 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
    2013-07-09 02:49:42 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
    2013-07-09 02:49:41 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
    2013-07-09 02:49:39 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
    2013-07-09 02:49:38 2048 ----a-w- C:\Windows\SysWow64\user.exe
    2013-07-06 06:03:53 1910208 ----a-w- C:\Windows\System32\drivers\tcpip.sys
    2013-07-03 07:03:14 9728 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
    2013-07-01 05:45:28 116536 ----a-w- C:\Windows\System32\drivers\avgmfx64.sys
    2013-06-20 02:47:17 15359912 ----a-w- C:\SAMSUNG_USB_Driver_for_Mobile_Phones(3).exe
    2013-06-15 04:32:16 39936 ----a-w- C:\Windows\System32\drivers\tssecsrv.sys
    2013-06-13 01:48:23 867240 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
    2013-06-13 01:48:17 789416 ----a-w- C:\Windows\SysWow64\deployJava1.dll
    2013-06-13 01:47:57 96168 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
    .
    ============= FINISH: 19:01:55.24 ===============

    aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
    Run date: 2013-09-07 19:08:45
    -----------------------------
    19:08:45.143 OS Version: Windows x64 6.1.7601 Service Pack 1
    19:08:45.143 Number of processors: 4 586 0x2502
    19:08:45.144 ComputerName: RICK-PC UserName: Rick
    19:08:46.775 Initialize success
    19:11:20.576 AVAST engine defs: 13090701
    19:34:37.211 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
    19:34:37.215 Disk 0 Vendor: WDC_WD10 01.0 Size: 953869MB BusType: 3
    19:34:37.347 Disk 0 MBR read successfully
    19:34:37.351 Disk 0 MBR scan
    19:34:37.380 Disk 0 Windows 7 default MBR code
    19:34:37.385 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 17408 MB offset 2048
    19:34:37.405 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 35653632
    19:34:37.414 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 936359 MB offset 35858432
    19:34:37.447 Disk 0 scanning C:\Windows\system32\drivers
    19:34:46.187 Service scanning
    19:35:08.379 Modules scanning
    19:35:08.391 Disk 0 trace - called modules:
    19:35:08.412 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
    19:35:08.419 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80065c3060]
    19:35:08.427 3 CLASSPNP.SYS[fffff88001b2d43f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa80062bc050]
    19:35:10.367 AVAST engine scan C:\Windows
    19:35:13.766 AVAST engine scan C:\Windows\system32
    19:36:44.349 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
    19:36:46.829 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
    19:39:24.963 AVAST engine scan C:\Windows\system32\drivers
    19:39:36.452 AVAST engine scan C:\Users\Rick
    19:44:33.195 Disk 0 MBR has been saved successfully to "C:\Users\Rick\Desktop\MBR.dat"
    19:44:33.202 The log file has been saved successfully to "C:\Users\Rick\Desktop\aswMBR.txt"
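Added example, not part of the original post and not code from AVG or AVAST: a small Python triage script that parses the AVG command-line summary and the aswMBR log quoted above, pulls out each detection and each file the scanner could not open, and flags the two path patterns that appear in them. The sample lines are copied from the logs above; the Recycle Bin naming and GAC Desktop.ini heuristics are my own assumptions.

```python
"""Triage of the AVG command-line and aswMBR logs quoted in the post above.
Added example, not part of the original post and not AVG or AVAST code."""
import re
from dataclasses import dataclass
from typing import List, Optional

# AVG CLI result lines: "<path> (<pid>) Trojan horse <name>" for a running
# process, or "<path> Locked file. Not tested." for a file it could not open.
AVG_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)(?: \((?P<pid>\d+)\))? "
    r"(?:Trojan horse (?P<name>\S+)|(?P<locked>Locked file\. Not tested\.))$"
)
# aswMBR lines: "HH:MM:SS.mmm File: <path> **INFECTED** <name> [<tag>]"
ASWMBR_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3}) File: (?P<path>.+?) "
    r"\*\*INFECTED\*\* (?P<name>\S+)(?: \[(?P<tag>[^\]]+)\])?$"
)
# Heuristics (my assumptions) for the two locations seen in the logs above.
# A Windows 7 Recycle Bin entry is named $I<6 chars> or $R<6 chars>; a "$"
# followed by 32 hex digits is not one.  A Desktop.ini inside the .NET GAC
# directories has no legitimate purpose either.
ODD_RECYCLE = re.compile(
    r"\\\$Recycle\.Bin\\S-1-5-[\d-]+\\\$[0-9a-f]{32}\\?", re.I)
GAC_DESKTOP_INI = re.compile(r"\\assembly\\GAC_(?:32|64)\\Desktop\.ini$", re.I)


@dataclass
class Finding:
    source: str                  # "avg" or "aswmbr"
    path: str
    name: str                    # detection name, "" for an untested file
    severity: str                # "rootkit", "in-memory", "unscanned" or "file"
    pid: Optional[int] = None
    odd_location: bool = False   # path matches one of the heuristics above


def _odd_location(path: str) -> bool:
    return bool(ODD_RECYCLE.search(path) or GAC_DESKTOP_INI.search(path))


def parse_avg(text: str) -> List[Finding]:
    """Extract detections and untested files from AVG CLI scanner output."""
    out = []
    for line in text.splitlines():
        m = AVG_LINE.match(line.strip())
        if not m:
            continue  # banner, version and database lines carry no finding
        pid = int(m["pid"]) if m["pid"] else None
        if m["locked"]:
            severity, name = "unscanned", ""   # scanner could not open it
        elif pid is not None:
            severity, name = "in-memory", m["name"]  # hit inside a live process
        else:
            severity, name = "file", m["name"]
        out.append(Finding("avg", m["path"], name, severity, pid,
                           _odd_location(m["path"])))
    return out


def parse_aswmbr(text: str) -> List[Finding]:
    """Extract **INFECTED** entries from an aswMBR log."""
    out = []
    for line in text.splitlines():
        m = ASWMBR_LINE.match(line.strip())
        if not m:
            continue
        severity = "rootkit" if "Rtk" in (m["tag"] or "") else "file"
        out.append(Finding("aswmbr", m["path"], m["name"], severity,
                           odd_location=_odd_location(m["path"])))
    return out


def triage(avg_text: str, aswmbr_text: str) -> dict:
    """Combine both logs, count findings per severity, list odd locations."""
    findings = parse_avg(avg_text) + parse_aswmbr(aswmbr_text)
    counts: dict = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return {"findings": findings, "counts": counts,
            "rootkit_present": any(f.severity == "rootkit" for f in findings),
            "odd_locations": [f.path for f in findings if f.odd_location]}


# Sample input: result lines copied from the two logs quoted in the post above.
AVG_SAMPLE = r"""
C:\Windows\explorer.exe (1428) Trojan horse Generic29.AJGE
c:\$Recycle.Bin\S-1-5-21-1206012796-1689309657-3446792677-1000\$5b4025b60727901705831f37f32c5f55\ Locked file. Not tested.
c:\$Recycle.Bin\S-1-5-21-1206012796-1689309657-3446792677-1000\$R9APP3J\ Locked file. Not tested.
"""
ASWMBR_SAMPLE = r"""
19:36:44.349 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
19:36:46.829 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
"""

if __name__ == "__main__":
    report = triage(AVG_SAMPLE, ASWMBR_SAMPLE)
    for f in report["findings"]:
        flag = "  <-- unusual location" if f.odd_location else ""
        print(f"[{f.severity:>9}] {f.source:<6} {f.path} {f.name}{flag}")
    print("counts:", report["counts"], "rootkit present:", report["rootkit_present"])
```

Run against the logs above it reports one in-memory hit, two files AVG never scanned and two rootkit-tagged files, with three of the five paths flagged as unusual locations.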

    #2 - Dakeyras, Security Expert-Emeritus (Join Date: Sep 2008, Location: The Tundra, Posts: 1,167)


    Hi,

    I have bad news I'm afraid.

    One or more of the identified infections is a variant of the extremely severe Zero Access Rootkit, plus undoubtedly other compromising malware!

    OK, since we are dealing with the aforementioned infection(s), I would be providing your good self with a disservice if I did not make you aware of the ramifications below:

    This allows hackers to remotely control your computer, steal critical system information and Download and Execute files.

    I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

    Although an attempt could be made to clean this machine, it could never be considered to be truly clean, secure, or trustworthy. We could not say definitively that unknown and unseen malware will have been removed, nor will your system be restored to its pre-infection state. We cannot remedy unknown changes the malware may likely have made in order to allow itself access, nor can we repair the damage it may possibly have caused to vital system files. Additionally, it is quite possible that changes made to the system by the malware may impact negatively on your computer during the removal process. In short, your system may never regain its former stability or its full functionality without a reformat. Therefore, your best and safest course of action is a reformat and reinstallation of the Windows Operating System, and that is the course I strongly recommend.

    Please read these for more information:

    How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

    When Should I Format, How Should I Reinstall

    Next:

    I can attempt to clean this machine (anything I try may not be successful and the machine may lose internet connectivity), but I can't guarantee that it will be at all secure afterwards.

    Should you have any questions, please feel free to ask.

    Please let myself know what you have decided to do in your next post.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.

    #3 - Member (Join Date: Aug 2009, Location: Canada, Posts: 52)


    Thank you for your response. That is certainly not the news I was hoping for. I will go with the re-install option as I don't want to worry about any potential residual infection, however I have a few questions:

    1. I will have to archive my files, reformat and re-install and copy my files back. How can I be assured I am not going to recopy the virus on the newly cleaned computer?

    2. I believe the factory Windows is located on a Restore partition of the hard drive. Is it possible that this is infected as well?

    3. AVG free did not detect the problem. Would another product have stopped it?

    Thank you.

    #4 - Dakeyras, Security Expert-Emeritus (Join Date: Sep 2008, Location: The Tundra, Posts: 1,167)


    Hi.

    Thank you for your response.
    You're welcome!

    That is certainly not the news I was hoping for. I will go with the re-install option as I don't want to worry about any potential residual infection
    I certainly understand how you feel with regard to the news, though to be honest, if it was one of my own machines I would ultimately not hesitate to follow the same advice I provide to those I assist.

    Next:

    1. I will have to archive my files, reformat and re-install and copy my files back. How can I be assured I am not going to recopy the virus on the newly cleaned computer?
    I can advise preventive measures to ensure any backup(s) created, once re-applied, are not able to compromise your machine again. I am surmising you will be using a form of removable storage media to do so. Merely inform myself exactly what you are planning to use and I in turn will provide the aforementioned advice.

    2. I believe the factory Windows is located on a Restore partition of the hard drive. Is it possible that this is infected as well?
    Recovery Partitions are not usually infected per se but can be blocked from working correctly. If it works, all fine, and it is de facto a reformat and reinstallation of the Windows Operating System. So basically once this has been invoked the machine will be back to as it was the first time it booted up etc.

    Now in the event it does not work and if you have Recovery Media you may have created those/that could be used and or if not we may be able to rectify that problem if the need arises, so overall not to worry as they say.

    Also if you are unsure how to invoke the actual Recovery Partition, merely inform myself the exact make and model of your computer and I in turn will provide the appropriate advice.

    3. AVG free did not detect the problem. Would another product have stopped it?
    It did detect to an extent but is unable to rectify it effectively, as most Anti-Virus software are to be honest; though saying that, a more reliable freeware solution would be say Microsoft Security Essentials which I use on all of my machines. Or Avast! Free Antivirus which is another fine application I personally recommend to those I assist. End of the day any one Anti-Virus software is only as good as its detection database/active real time protection and used in conjunction with what is known as layered security and observing online safety protocols...

    I can provide my stock advice with regard to the aforementioned online safety if you would care for such, again merely let myself know.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.

  5. #5
    Member
    Join Date
    Aug 2009
    Location
    Canada
    Posts
    52


    Thank you again for your quick response. Upon reflection, as much as I'd like to say the PC is 100% clean, the thought of starting from scratch is terribly unappealing. I'd like to attempt to clean it first, and only re-install everything if that is not successful. I would like to first make a backup of my data in case I end up having to re-install the operating system. As you suspected, I would like to transfer my data onto an external hard drive. Please let me know how to ensure I am not archiving the virus as well as my files. Once I back up my stuff, I'll proceed with any instructions you provide to clean the PC. Your assistance is greatly appreciated.

  6. #6
    Security Expert-Emeritus Dakeyras's Avatar
    Join Date
    Sep 2008
    Location
    The Tundra
    Posts
    1,167


    Hi.

    Upon reflection, as much as I'd like to say the PC is 100% clean, the thought of starting from scratch is terribly unappealing. I'd like to attempt to clean it first, and only re-install everything if that is not successful.
    Fair play and I always respect the wishes of those I assist...

    However I do have one proviso if you really want my assistance with an actual malware removal process, being I would like for you to uninstall the following software:

    Vuze
    Vuze Remote Toolbar

    As per the forum guidelines outlined here.

    I will further add if you have used either recently, you can be fairly confident this is one of the principal reasons your computer became infected.

    It's really important, if you value your computer at all, to stay away from P2P file sharing programs, like utorrent, Bittorrent, Azureus, LimeWire and Vuze. Criminals have "planted" thousands upon thousands of infections in the "free" shared files. Virtually all of these recent infections will compromise your security, and some can turn your machine into a useless "doorstop".

    To be honest I have lost count of the number of machines I have dealt with over the years that became infected due to the use of P2P software...so my friendly advice is steer clear of such software in the future.

    Next:

    I would like to first make a backup of my data in case I end up having to re-install the operating system. As you suspected, I would like to transfer my data onto an external hard drive.
    OK, we will do this in several stages, as in halt any malicious running processes and secure your external hard drive against infection, and then you can transfer what you want to back up. Then when we have eradicated the vast majority of malware on your machine you can re-attach your external hard drive and scan it with some appropriate security related software to ensure the integrity of the backups.

    Next:

    Do you still want to uninstall AVG 2013 at some point during the malware removal process and replace it with one of the freeware alternatives I mentioned in my prior post? If so merely let myself know, but do however leave it installed for the time being until I advise otherwise.

    Download/run Rkill:

    Please download Rkill from one of the following links and save to your desktop:

    (If one fails to work delete it and download/try another)

    One, Two, Three, Four or Five

    Note: If your security software warns about Rkill, please ignore and allow the download to continue.

    • Double click on Rkill.
    • A command window will open then disappear upon completion, this is normal.
    • Post the log created, found on the desktop rkill.txt. in your next reply.

    Download/Install & Run Panda USB Vaccine:

    Please download the installer for Panda USB Vaccine from here to the desktop.

    • Right-click on USBVaccineSetup.exe and select Run as Administrator >> follow the prompts in the installation wizard.
    • At the configuration screen(settings)...
    • Ensure both Run Panda USB Vaccine automatically when computer boots (/resident mode) & Automatically vaccinate any newly inserted USB key are selected >> plus NTFS support
    • Now click on Next> >> ensure Launch Panda USB Vaccine is selected >> click on Finish.
    • Connect your External Hard Drive to your machine...it will be automatically vaccinated (as will any USB drives connected in the future).
    • Now transfer the files, documents etc. that you want to back up to your external hard drive.
    • Then safely remove the External Hard Drive from your machine via right-clicking on the Safely Remove Hardware and Eject Media system tray icon and then select Eject USB Mass Storage Device.
    • Once done so, do not reconnect again until I advise otherwise, as I mentioned prior.

    Note: You may uninstall Panda USB Vaccine when we have completed the Malware Removal process if you so wish. Though my advice would be to keep it installed.

    Next:

    Let myself know when completed the above, provide the answer to my AVG 2013 query and post the rkill log. We will then proceed with the actual malware removal process, thank you.
    Last edited by Dakeyras; 2013-09-10 at 12:07. Reason: Punctuation
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.

  7. #7
    Member
    Join Date
    Aug 2009
    Location
    Canada
    Posts
    52


    Hello again!
    No problem about removing Vuze, I don't use it anyhow - so that's done. I've run Panda and copied the files to the external drive. Below is the result of running Rkill. Finally, I would like to replace AVG with one of the other products you recommended, perhaps Avast. I'll await your next instructions. Regards...

    Rkill 2.6.1 by Lawrence Abrams (Grinler)
    http://www.bleepingcomputer.com/
    Copyright 2008-2013 BleepingComputer.com
    More Information about Rkill can be found at this link:
    http://www.bleepingcomputer.com/forums/topic308364.html

    Program started at: 09/10/2013 08:25:54 AM in x64 mode.
    Windows Version: Windows 7 Home Premium Service Pack 1

    Checking for Windows services to stop:

    * No malware services found to stop.

    Checking for processes to terminate:

    * No malware processes found to kill.

    Checking Registry for malware related settings:

    * Explorer Policy Removed: NoActiveDesktopChanges [HKLM]

    Backup Registry file created at:
    C:\Users\Rick\Desktop\rkill\rkill-09-10-2013-08-25-57.reg

    Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

    Performing miscellaneous checks:

    * Windows Defender Disabled

    [HKLM\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware" = dword:00000001

    * ALERT: ZEROACCESS rootkit symptoms found!

    * C:\$Recycle.Bin\S-1-5-21-1206012796-1689309657-3446792677-1000\$5b4025b60727901705831f37f32c5f55\ [ZA Dir]
    * C:\$Recycle.Bin\S-1-5-21-1206012796-1689309657-3446792677-1000\$5b4025b60727901705831f37f32c5f55\L\ [ZA Dir]
    * C:\$Recycle.Bin\S-1-5-21-1206012796-1689309657-3446792677-1000\$5b4025b60727901705831f37f32c5f55\n [ZA File]
    * C:\$Recycle.Bin\S-1-5-21-1206012796-1689309657-3446792677-1000\$5b4025b60727901705831f37f32c5f55\U\ [ZA Dir]
    * C:\Windows\assembly\GAC_32\Desktop.ini [ZA File]
    * C:\Windows\assembly\GAC_64\Desktop.ini [ZA File]

    Checking Windows Service Integrity:

    * Windows Defender (WinDefend) is not Running.
    Startup Type set to: Manual

    Searching for Missing Digital Signatures:

    * C:\Windows\System32\olepro32.dll : 0 : 07/13/2013 10:11 AM : d41d8cd98f00b204e9800998ecf8427e [NoSig]
    +-> C:\Windows\SysWOW64\olepro32.dll : 90,112 : 11/20/2010 08:20 AM : 703ffd301ab900b047337c5d40fd6f96 [Pos Repl]
    +-> C:\Windows\winsxs\x86_microsoft-windows-ole-automation-legacy_31bf3856ad364e35_6.1.7600.16385_none_39ea10b66307dbef\olepro32.dll : 90,112 : 07/13/2009 09:16 PM : c10459dbdc2099c5a8428cb7d87db85f [Pos Repl]
    +-> C:\Windows\winsxs\x86_microsoft-windows-ole-automation-legacy_31bf3856ad364e35_6.1.7601.17514_none_3c1b247e5ff65f89\olepro32.dll : 90,112 : 11/20/2010 08:20 AM : 703ffd301ab900b047337c5d40fd6f96 [Pos Repl]

    Checking HOSTS File:

    * Cannot edit the HOSTS file.
    * Permissions Fixed. Administrators can now edit the HOSTS file.

    * HOSTS file entries found:

    127.0.0.1 www.007guard.com
    127.0.0.1 007guard.com
    127.0.0.1 008i.com
    127.0.0.1 www.008k.com
    127.0.0.1 008k.com
    127.0.0.1 www.00hq.com
    127.0.0.1 00hq.com
    127.0.0.1 010402.com
    127.0.0.1 www.032439.com
    127.0.0.1 032439.com
    127.0.0.1 www.0scan.com
    127.0.0.1 0scan.com
    127.0.0.1 1000gratisproben.com
    127.0.0.1 www.1000gratisproben.com
    127.0.0.1 1001namen.com
    127.0.0.1 www.1001namen.com
    127.0.0.1 100888290cs.com
    127.0.0.1 www.100888290cs.com
    127.0.0.1 www.100sexlinks.com
    127.0.0.1 100sexlinks.com

    20 out of 15466 HOSTS entries shown.
    Please review HOSTS file for further entries.

    Program finished at: 09/10/2013 08:27:42 AM
    Execution time: 0 hours(s), 1 minute(s), and 48 seconds(s)
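    The Rkill log above carries three findings a helper reads off by hand: the ZEROACCESS alert with its flagged paths, a Windows Defender policy set to disabled, and an unsigned olepro32.dll whose size is 0 and whose MD5 (d41d8cd98f00b204e9800998ecf8427e) is the hash of empty input, i.e. the file is zero bytes, with three candidate replacement copies listed under it. The following Python is an added example, not code from this thread, from Rkill or from BleepingComputer: it parses Rkill-style lines into structured findings so the same triage can be done consistently over any such log. The sample input is constructed from lines excerpted from the log posted above; the line formats it matches (`[ZA Dir]`/`[ZA File]`, `[NoSig]`, `[Pos Repl]`) are taken from that log and nothing else is assumed about Rkill's output.

```python
import hashlib
import re

# Constructed sample input: lines excerpted from the Rkill log posted in this thread.
SAMPLE_LOG = r"""
Checking Registry for malware related settings:

 * Explorer Policy Removed: NoActiveDesktopChanges [HKLM]

Performing miscellaneous checks:

 * Windows Defender Disabled

 * ALERT: ZEROACCESS rootkit symptoms found!

 * C:\$Recycle.Bin\S-1-5-21-1206012796-1689309657-3446792677-1000\$5b4025b60727901705831f37f32c5f55\ [ZA Dir]
 * C:\$Recycle.Bin\S-1-5-21-1206012796-1689309657-3446792677-1000\$5b4025b60727901705831f37f32c5f55\L\ [ZA Dir]
 * C:\$Recycle.Bin\S-1-5-21-1206012796-1689309657-3446792677-1000\$5b4025b60727901705831f37f32c5f55\n [ZA File]
 * C:\$Recycle.Bin\S-1-5-21-1206012796-1689309657-3446792677-1000\$5b4025b60727901705831f37f32c5f55\U\ [ZA Dir]
 * C:\Windows\assembly\GAC_32\Desktop.ini [ZA File]
 * C:\Windows\assembly\GAC_64\Desktop.ini [ZA File]

Searching for Missing Digital Signatures:

 * C:\Windows\System32\olepro32.dll : 0 : 07/13/2013 10:11 AM : d41d8cd98f00b204e9800998ecf8427e [NoSig]
 +-> C:\Windows\SysWOW64\olepro32.dll : 90,112 : 11/20/2010 08:20 AM : 703ffd301ab900b047337c5d40fd6f96 [Pos Repl]
 +-> C:\Windows\winsxs\x86_microsoft-windows-ole-automation-legacy_31bf3856ad364e35_6.1.7600.16385_none_39ea10b66307dbef\olepro32.dll : 90,112 : 07/13/2009 09:16 PM : c10459dbdc2099c5a8428cb7d87db85f [Pos Repl]
 +-> C:\Windows\winsxs\x86_microsoft-windows-ole-automation-legacy_31bf3856ad364e35_6.1.7601.17514_none_3c1b247e5ff65f89\olepro32.dll : 90,112 : 11/20/2010 08:20 AM : 703ffd301ab900b047337c5d40fd6f96 [Pos Repl]
"""

# "* <path> [ZA Dir]" / "* <path> [ZA File]": paths Rkill associates with ZeroAccess.
ZA_RE = re.compile(r"^\* (?P<path>.+) \[ZA (?P<kind>Dir|File)\]$")

# "* <path> : <size> : <mtime> : <md5> [NoSig]" and the "+-> ... [Pos Repl]"
# candidate-replacement lines that follow it.
SIG_RE = re.compile(
    r"^(?P<marker>\*|\+->) (?P<path>.+?) : (?P<size>[\d,]+) : (?P<mtime>.+?) : "
    r"(?P<md5>[0-9a-f]{32}) \[(?P<tag>NoSig|Pos Repl)\]$"
)

# MD5 of zero bytes; an unsigned system DLL reporting this hash is empty, not merely unsigned.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()

POLICY_PREFIX = "* Explorer Policy Removed: "


def parse_rkill(text):
    """Turn Rkill output into a dict of findings a reviewer can act on."""
    findings = {
        "zeroaccess_alert": False,
        "zeroaccess_paths": [],   # list of {"path", "kind"}
        "defender_disabled": False,
        "policies_removed": [],
        "unsigned": [],           # list of {"path", "size", "md5", "empty", "replacements"}
    }
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("* ALERT: ZEROACCESS"):
            findings["zeroaccess_alert"] = True
        elif line == "* Windows Defender Disabled":
            findings["defender_disabled"] = True
        elif line.startswith(POLICY_PREFIX):
            findings["policies_removed"].append(line[len(POLICY_PREFIX):])
        elif (m := ZA_RE.match(line)):
            findings["zeroaccess_paths"].append({"path": m["path"], "kind": m["kind"]})
        elif (m := SIG_RE.match(line)):
            entry = {
                "path": m["path"],
                "size": int(m["size"].replace(",", "")),
                "mtime": m["mtime"],
                "md5": m["md5"],
            }
            if m["tag"] == "NoSig":
                entry["empty"] = entry["md5"] == EMPTY_MD5
                entry["replacements"] = []
                findings["unsigned"].append(entry)
            elif findings["unsigned"]:
                # A "+->" line belongs to the most recent [NoSig] entry.
                findings["unsigned"][-1]["replacements"].append(entry)
    return findings


if __name__ == "__main__":
    result = parse_rkill(SAMPLE_LOG)
    print("ZeroAccess alert:", result["zeroaccess_alert"])
    for item in result["zeroaccess_paths"]:
        print("  ZA", item["kind"], item["path"])
    for entry in result["unsigned"]:
        flag = "EMPTY FILE" if entry["empty"] else "unsigned"
        print(f"{flag}: {entry['path']} ({len(entry['replacements'])} candidate copies)")
```

    The `empty` flag is the point of the exercise: Rkill reports olepro32.dll only as unsigned, but the zero size and the empty-input MD5 together say the file has no content at all, which is a stronger signal than a missing signature and is why the log lists the SysWOW64 and winsxs copies as possible replacements.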

  8. #8
    Security Expert-Emeritus Dakeyras's Avatar
    Join Date
    Sep 2008
    Location
    The Tundra
    Posts
    1,167


    Hi.

    No problem about removing Vuze, I don't use it anyhow - so that's done. I've run Panda and copied the files to the external drive. Below is the result of running Rkill. Finally, I would like to replace AVG with one of the other products you recommended, perhaps Avast. I'll await your next instructions. Regards...
    Acknowledged, let's proceed as follows shall we...

    Scan with Farbar Recovery Scan Tool:

    Please download and save Farbar Recovery Scan Tool 64-Bit to your Desktop.

    • Right-click on FRST.exe and select Run as Administrator to start FRST >> follow the prompt/click on Yes
    • Under Optional Scan ensure both Drivers MD5 and Addition.txt are selected.
    • Now click on the Scan button/radio tab >> at the Scan completed prompt click on OK
    • At the next prompt denoting Addition.txt is saved in the same location FRST tool is run >> click on OK
    • There will now be two logs on your desktop, Addition.txt and FRST.txt. Post the contents of both in your next reply.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.

  9. #9
    Member
    Join Date
    Aug 2009
    Location
    Canada
    Posts
    52


    Here you go. The files are attached. Thank you.
    Attached Files

  10. #10
    Security Expert-Emeritus Dakeyras's Avatar
    Join Date
    Sep 2008
    Location
    The Tundra
    Posts
    1,167


    Hi.

    Here you go. The files are attached. Thank you.
    Acknowledged and you're welcome!

    Custom FRST Script:

    Please download the attached fixlist.txt (see below) and save to the desktop.

    • Now right-click on FRST.exe and select Run as Administrator to start FRST.
    • Then click on the Fix button/radio tab >> at the Fix completed prompt click on OK
    • A log will now open named Fixlog and it will also be on the desktop >> close FRST.
    • Reboot your machine (ensure you do this) and post the contents of the aforementioned Fixlog in your next reply.

    Note: If FRST advises there is a new updated version to be downloaded, do so/allow this.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.
