Looks like a Google redirect virus?


douglasvjohnson

New member
Hello and please be patient, as I am not used to this format and process.
The machine is an HP G62 laptop running IE 9 and Windows 7 Home Premium.
Searches in Google, and in other browsers, end up opening multiple unsolicited web pages. I am getting multiple AVG trojan alerts with warnings that deleting the file might crash the system.
Pasted below are the DDS log, the aswMBR log, and an AVG threat log.
Your assistance is greatly appreciated.
Thank you

DDS:

..
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by doug at 18:54:55 on 2012-07-24
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2811.1208 [GMT -5:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\PROGRA~2\AVG\AVG2012\avgrsa.exe
C:\Program Files (x86)\AVG\AVG2012\avgcsrva.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\lxducoms.exe
C:\Program Files (x86)\AVG\AVG2012\avgnsa.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\11.2.0\ToolbarUpdater.exe
C:\Program Files (x86)\AVG\AVG2012\avgemca.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Lexmark 5600-6600 Series\lxdumon.exe
C:\Program Files (x86)\Windows Live\Family Safety\fsui.exe
C:\Program Files (x86)\Lexmark 5600-6600 Series\lxduMsdMon.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\AVG\AVG2012\avgtray.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
C:\Program Files (x86)\AVG Secure Search\vprot.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe
C:\Program Files\Realtek\RtVOsd\RtVOsd.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpCaslNotification.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Users\doug\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\AVG\AVG2012\avgui.exe
"C:\Windows\SysWOW64\svchost.exe" -k LocalServiceDns
C:\Program Files (x86)\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files (x86)\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\splwow64.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://kidshealth.org/teen/sexual_health/girls/menstruation.html
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
mWinlogon: Userinit=userinit.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - C:\Program Files (x86)\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - C:\Program Files\Lexmark Printable Web\bho.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - C:\Program Files (x86)\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
uRun: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe
uRun: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
uRun: [Google Update] "C:\Users\doug\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
mRun: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
mRun: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [ROC_roc_dec12] "C:\Program Files (x86)\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
StartupFolder: C:\Users\doug\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ERUNTA~1.LNK - C:\Program Files (x86)\ERUNT\AUTOBACK.EXE
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Add to Video Converter... - C:\Program Files (x86)\Media Player Utilities 5.22\AVIConverter\grab.html
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~3\OFFICE11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{63125ED7-4121-4BD2-9811-309F5E911E4E} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{63125ED7-4121-4BD2-9811-309F5E911E4E}\2375942554432323 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{63125ED7-4121-4BD2-9811-309F5E911E4E}\342465D23547166666 : DhcpNameServer = 192.168.0.20 192.168.0.41
TCP: Interfaces\{63125ED7-4121-4BD2-9811-309F5E911E4E}\C696E6B6379737 : DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{C05AD519-926E-46DA-A286-D6B3A0E85834} : DhcpNameServer = 40.6.1.100
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\11.2.0\ViProtocol.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
BHO-X64: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll
BHO-X64: 0x1 - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
BHO-X64: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll
BHO-X64: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO-X64: Lexmark Printable Web: {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll
BHO-X64: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO-X64: Ask Toolbar BHO - No File
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB-X64: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
TB-X64: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll
TB-X64: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll
TB-X64: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
mRun-x64: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
mRun-x64: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [ROC_roc_dec12] "C:\Program Files (x86)\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\doug\AppData\Roaming\Mozilla\Firefox\Profiles\7o6nkz82.default\
FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
FF - prefs.js: browser.startup.homepage - hxxp://search.babylon.com/?affID=109936&tt=060612_8_&babsrc=HP_ss&mntrId=e24b91780000000000006e0f6e310db9
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B04ae27d3-b243-48bd-b214-db703be9693b%7D&mid=dd937770430147d6914ab57816bfae0c-41703a7d52e139f598cda7297c5bbf77f1c1caa4&ds=AVG&v=11.1.0.7&lang=en&pr=fr&d=2011-09-27%2019%3A08%3A03&sap=ku&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\11.2.0\npsitesafety.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\doug\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: C:\Users\doug\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: C:\Users\doug\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_265.dll
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=109936&tt=060612_8_
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - e24b91780000000000006e0f6e310db9
FF - user.js: extensions.BabylonToolbar_i.hardId - e24b91780000000000006e0f6e310db9
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15503
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.176:57:16
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;C:\Windows\system32\DRIVERS\AVGIDSEH.Sys --> C:\Windows\system32\DRIVERS\AVGIDSEH.Sys [?]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\system32\DRIVERS\avgrkx64.sys --> C:\Windows\system32\DRIVERS\avgrkx64.sys [?]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\system32\DRIVERS\avgldx64.sys --> C:\Windows\system32\DRIVERS\avgldx64.sys [?]
R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\system32\DRIVERS\avgmfx64.sys --> C:\Windows\system32\DRIVERS\avgmfx64.sys [?]
R1 Avgtdia;AVG TDI Driver;C:\Windows\system32\DRIVERS\avgtdia.sys --> C:\Windows\system32\DRIVERS\avgtdia.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 64952]
R2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2010-10-18 98208]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe [2011-8-2 192776]
R2 CinemaNow Service;CinemaNow Service;C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe [2010-5-21 140272]
R2 fssfltr;fssfltr;C:\Windows\system32\DRIVERS\fssfltr.sys --> C:\Windows\system32\DRIVERS\fssfltr.sys [?]
R2 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2012-3-8 1492840]
R2 HP Support Assistant Service;HP Support Assistant Service;C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe [2011-9-9 86072]
R2 HP Wireless Assistant Service;HP Wireless Assistant Service;C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-6-18 103992]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-3-28 94264]
R2 HPWMISVC;HPWMISVC;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-11-9 26680]
R2 lxdu_device;lxdu_device;C:\Windows\system32\lxducoms.exe -service --> C:\Windows\system32\lxducoms.exe -service [?]
R2 RtVOsdService;RtVOsdService Installer;C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe [2010-6-24 315392]
R2 vToolbarUpdater11.2.0;vToolbarUpdater11.2.0;C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\11.2.0\ToolbarUpdater.exe [2012-7-9 935008]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atipmdag.sys --> C:\Windows\system32\DRIVERS\atipmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 AVGIDSDriver;AVGIDSDriver;C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys --> C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys [?]
R3 AVGIDSFilter;AVGIDSFilter;C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys --> C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 usbfilter;AMD USB Filter Driver;C:\Windows\system32\DRIVERS\usbfilter.sys --> C:\Windows\system32\DRIVERS\usbfilter.sys [?]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-5-8 136176]
S2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2011-3-12 1153368]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-17 250056]
S3 CASprint;Sprint Con App Svc;"C:\Program Files (x86)\Sprint\Sprint SmartView\ConAppsSvc.exe" /n "CASprint" --> C:\Program Files (x86)\Sprint\Sprint SmartView\ConAppsSvc.exe [?]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-5-8 136176]
S3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\netw5v64.sys --> C:\Windows\system32\DRIVERS\netw5v64.sys [?]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?]
S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL6.SYS --> C:\Windows\system32\DRIVERS\VSTAZL6.SYS [?]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2012-07-24 23:04:53 -------- d-----w- C:\Users\doug\AppData\Local\{55F822EA-D35E-4E87-B15B-0193FB2A6CC0}
2012-07-24 23:04:23 -------- d-----w- C:\Users\doug\AppData\Local\{ACC1CCF6-A046-4A1B-85CF-D722D692E01D}
2012-07-23 23:00:33 -------- d-----w- C:\Users\doug\AppData\Local\{D4A858C2-51C3-4FE0-88B6-C355DB6D7E8C}
2012-07-23 23:00:08 -------- d-----w- C:\Users\doug\AppData\Local\{D4D9214B-C67A-4624-9B83-F539DDB0F396}
2012-07-23 22:59:51 -------- d-----w- C:\Users\doug\AppData\Roaming\PerformerSoft
2012-07-21 02:31:10 -------- d-----w- C:\ProgramData\IBUpdaterService
2012-07-21 02:31:01 550048 ----a-w- C:\Program Files (x86)\Uninstall Information\ib_uninst_514\uninstall.exe
2012-07-21 02:30:34 550048 ----a-w- C:\Program Files (x86)\Uninstall Information\ib_uninst_358\uninstall.exe
2012-07-21 02:30:29 -------- d-----w- C:\Program Files (x86)\Conduit
2012-07-21 02:30:27 19000 ----a-w- C:\Windows\System32\roboot64.exe
2012-07-21 02:26:42 -------- d-sh--w- C:\Windows\SysWow64\AI_RecycleBin
2012-07-21 02:26:41 -------- d-----w- C:\ProgramData\W3i
2012-07-21 02:26:41 -------- d-----w- C:\Program Files (x86)\W3i
2012-07-21 02:26:13 -------- d-----w- C:\Program Files (x86)\Yahoo!
2012-07-15 18:20:53 -------- d-----w- C:\Users\doug\AppData\Local\Macromedia
2012-07-15 17:56:42 -------- d-----w- C:\Users\doug\AppData\Local\{5B699BC4-7578-4233-85FD-1EF2C2AF6E69}
2012-07-15 17:56:26 -------- d-----w- C:\Users\doug\AppData\Local\{BFD953BA-4EE5-45CD-8006-5712BD3D1507}
2012-07-14 17:29:49 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%
2012-07-14 15:11:26 -------- d-----w- C:\Users\doug\AppData\Local\{06CEC55E-9177-437B-8FBB-E51C0DEADD93}
2012-07-13 21:27:24 -------- d-----w- C:\Users\doug\AppData\Local\{E97DF82E-E9FF-4C74-9C1D-DD1C3C665AAB}
2012-07-13 01:56:59 -------- d-----w- C:\Users\doug\AppData\Local\{E5E13261-2BE0-44A5-A47D-61ABA06EA83F}
2012-07-13 01:56:46 -------- d-----w- C:\Users\doug\AppData\Local\{D5782E74-ABEB-41C5-BDF9-040D2CB898B3}
2012-07-12 10:59:21 3148800 ----a-w- C:\Windows\System32\win32k.sys
2012-07-12 10:48:35 -------- d-----w- C:\Users\doug\AppData\Local\{CC8A390E-10EE-4BC4-854A-C685EE40DC99}
2012-07-11 21:57:07 -------- d-----w- C:\Users\doug\AppData\Local\{5B000D8A-BE94-42C2-99FD-2486B2573DA2}
2012-07-11 01:01:42 -------- d-----w- C:\Users\doug\AppData\Local\{F9778629-1A0E-448B-BC25-967C86DC4781}
2012-07-11 01:01:31 -------- d-----w- C:\Users\doug\AppData\Local\{279B1882-91A9-4F9D-895B-317A90EB5998}
2012-07-10 12:07:14 -------- d-----w- C:\Users\doug\AppData\Local\{458D767A-FAE3-4FB7-8B1D-0B54D788DA89}
2012-07-09 19:17:58 -------- d-----w- C:\Users\doug\AppData\Local\{546AEAB3-A202-404B-980F-87E39C2FE882}
2012-07-09 01:28:27 -------- d-----w- C:\Users\doug\AppData\Local\{1FBB05D5-05D7-42C0-B7CB-F44E973D0D35}
2012-07-08 13:27:39 -------- d-----w- C:\Users\doug\AppData\Local\{8C411B5B-31B0-488D-8922-E0261DE37AD7}
2012-07-08 00:42:25 -------- d-----w- C:\Users\doug\AppData\Local\{8ED515BE-FF8F-4E70-85E0-B186A11FB9B9}
2012-07-07 01:25:32 -------- d-----w- C:\Users\doug\AppData\Local\{378BB4DB-89F3-4646-916E-E674AEC5B127}
2012-07-06 11:38:46 -------- d-----w- C:\Users\doug\AppData\Local\{0223F3E8-CD14-4637-A9B9-2989652BF20B}
2012-07-05 19:52:37 -------- d-----w- C:\Users\doug\AppData\Local\{6F16E5E3-89DB-4B4E-8FC5-7D0F0BA25CAE}
2012-07-05 00:43:15 -------- d-----w- C:\Users\doug\AppData\Local\{0F7774C4-816B-4D2B-9273-FBB6BDA8BD80}
2012-07-05 00:43:04 -------- d-----w- C:\Users\doug\AppData\Local\{882C83F4-A053-4C2A-B2C2-49EAB22ADDF8}
2012-07-04 18:01:52 -------- d-----w- C:\Users\doug\AppData\Local\{16181CC8-B138-4FFC-9C34-F52C8AF08243}
2012-07-03 17:01:55 -------- d-----w- C:\Users\doug\AppData\Local\{F955B9EA-5422-41EB-8606-A991F2A98EE4}
2012-07-03 03:14:56 -------- d-----w- C:\Users\doug\AppData\Local\{56A7419B-45FD-43B5-BFDB-F96F01886E43}
2012-07-01 21:51:30 -------- d-----w- C:\Users\doug\AppData\Local\{A11D69F4-F8A7-4344-A664-920E8A809497}
2012-06-30 14:08:43 -------- d-----w- C:\Users\doug\AppData\Local\{CF5AAC20-81D4-4028-9878-3DF108C7F42B}
2012-06-29 21:34:09 -------- d-----w- C:\Users\doug\AppData\Local\{A61BA08F-415D-4372-A46C-3B016C0B21AE}
2012-06-29 00:21:59 -------- d-----w- C:\Users\doug\AppData\Local\{571471A4-40AA-423A-9AA4-BB51F2EE5B2D}
2012-06-28 10:35:09 -------- d-----w- C:\Users\doug\AppData\Local\{C5CED7BA-64F4-4171-8A1F-60BD0001AD91}
2012-06-28 10:34:58 -------- d-----w- C:\Users\doug\AppData\Local\{A0A623C1-56F8-456F-916E-B4A3FA947C3B}
2012-06-27 22:34:27 -------- d-----w- C:\Users\doug\AppData\Local\{DBF84FF5-E4AB-46E8-BCF4-DC04893706D6}
2012-06-27 22:34:17 -------- d-----w- C:\Users\doug\AppData\Local\{0CFF0F1B-40EC-451D-A64F-C6D8A747ABE8}
.
==================== Find3M ====================
.
2012-07-12 00:58:27 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-12 00:58:27 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-06-06 06:06:16 2004480 ----a-w- C:\Windows\System32\msxml6.dll
2012-06-06 06:06:16 1881600 ----a-w- C:\Windows\System32\msxml3.dll
2012-06-06 06:02:54 1133568 ----a-w- C:\Windows\System32\cdosys.dll
2012-06-06 05:05:52 1390080 ----a-w- C:\Windows\SysWow64\msxml6.dll
2012-06-06 05:05:52 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll
2012-06-06 05:03:06 805376 ----a-w- C:\Windows\SysWow64\cdosys.dll
2012-06-02 22:15:31 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-06-02 22:15:08 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-06-02 20:19:42 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-06-02 20:15:12 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-06-02 12:12:17 2311680 ----a-w- C:\Windows\System32\jscript9.dll
2012-06-02 12:05:28 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-06-02 12:04:50 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-06-02 12:01:40 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-06-02 11:57:08 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-06-02 08:33:25 1800192 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-06-02 08:25:08 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-06-02 08:25:03 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-06-02 08:20:33 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-06-02 08:16:52 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-06-02 05:50:10 458704 ----a-w- C:\Windows\System32\drivers\cng.sys
2012-06-02 05:48:16 95600 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2012-06-02 05:48:16 151920 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2012-06-02 05:45:31 340992 ----a-w- C:\Windows\System32\schannel.dll
2012-06-02 05:44:21 307200 ----a-w- C:\Windows\System32\ncrypt.dll
2012-06-02 04:40:42 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2012-06-02 04:40:39 225280 ----a-w- C:\Windows\SysWow64\schannel.dll
2012-06-02 04:39:10 219136 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2012-06-02 04:34:09 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2012-05-04 11:06:22 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-05-04 10:03:53 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-05-04 10:03:50 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-05-01 05:40:20 209920 ----a-w- C:\Windows\System32\profsvc.dll
2012-04-28 03:55:21 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-04-26 05:41:56 77312 ----a-w- C:\Windows\System32\rdpwsx.dll
2012-04-26 05:41:55 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll
2012-04-26 05:34:27 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe
.
============= FINISH: 18:56:39.27 ===============

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-07-24 18:12:31
-----------------------------
18:12:31.122 OS Version: Windows x64 6.1.7601 Service Pack 1
18:12:31.122 Number of processors: 2 586 0x603
18:12:31.123 ComputerName: DOUG-HP UserName: doug
18:12:37.902 Initialize success
18:13:30.384 AVAST engine defs: 12072401
18:13:45.204 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000005e
18:13:45.219 Disk 0 Vendor: ST932032 0005 Size: 305245MB BusType: 11
18:13:45.235 Disk 0 MBR read successfully
18:13:45.251 Disk 0 MBR scan
18:13:45.251 Disk 0 unknown MBR code
18:13:45.266 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 199 MB offset 2048
18:13:45.297 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 287180 MB offset 409600
18:13:45.329 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 17761 MB offset 588554240
18:13:45.360 Disk 0 Partition 4 00 0C FAT32 LBA MSDOS5.0 103 MB offset 624928768
18:13:45.422 Disk 0 scanning C:\Windows\system32\drivers
18:14:03.440 Service scanning
18:14:42.690 Modules scanning
18:14:42.714 Disk 0 trace - called modules:
18:14:42.758 ntoskrnl.exe CLASSPNP.SYS disk.sys amdxata.sys storport.sys hal.dll amdsata.sys
18:14:42.770 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80031de060]
18:14:42.780 3 CLASSPNP.SYS[fffff8800196b43f] -> nt!IofCallDriver -> [0xfffffa8003184040]
18:14:42.791 5 amdxata.sys[fffff880011227a8] -> nt!IofCallDriver -> \Device\0000005e[0xfffffa800317e060]
18:14:45.770 AVAST engine scan C:\Windows
18:14:49.435 AVAST engine scan C:\Windows\system32
18:19:17.563 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
18:19:25.948 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
18:22:35.555 AVAST engine scan C:\Windows\system32\drivers
18:23:02.971 AVAST engine scan C:\Users\doug
18:24:04.521 Disk 0 MBR has been saved successfully to "C:\Users\doug\Desktop\MBR.dat"
18:24:04.537 The log file has been saved successfully to "C:\Users\doug\Desktop\aswMBR.txt"

END OF FILE

=================

AVG Threat log
Resident Shield detection
Infection;"Object";"Result";"Detection time";"Object Type";"Process"
Trojan horse Dropper.Generic_c.MMI;"c:\Windows\System32\services.exe";"Object is white-listed (critical/system file that should not be removed)";"7/24/2012, 6:33:14 PM";"file";"C:\Windows\System32\svchost.exe"
Trojan horse Generic28.ANIC;"c:\Windows\assembly\GAC_64\Desktop.ini";"Infected";"7/24/2012, 6:19:25 PM";"file";"C:\Users\doug\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2XSI4IK5\aswMBR.exe"
Trojan horse BackDoor.Generic15.AXLA;"c:\Windows\assembly\GAC_32\Desktop.ini";"Infected";"7/24/2012, 6:19:17 PM";"file";"C:\Users\doug\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2XSI4IK5\aswMBR.exe"
Trojan horse Dropper.Generic_c.MMI;"c:\Windows\System32\services.exe";"Object is white-listed (critical/system file that should not be removed)";"7/24/2012, 6:17:30 PM";"file";"C:\Users\doug\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2XSI4IK5\aswMBR.exe"
Trojan horse Dropper.Generic_c.MMI;"c:\Windows\System32\services.exe";"Object is white-listed (critical/system file that should not be removed)";"7/24/2012, 6:03:06 PM";"file";"C:\Windows\System32\wininit.exe"
Trojan horse Dropper.Generic_c.MMI;"c:\Windows\System32\services.exe";"Object is white-listed (critical/system file that should not be removed)";"7/23/2012, 7:09:03 PM";"file";"C:\Windows\System32\svchost.exe"
Trojan horse Dropper.Generic_c.MMI;"c:\Windows\System32\services.exe";"Object is white-listed (critical/system file that should not be removed)";"7/23/2012, 6:55:44 PM";"file";"C:\Windows\System32\svchost.exe"
Trojan horse FakeAV_s.EP;"c:\Users\doug\AppData\Local\Temp\124kkk290347.exe";"Moved to Virus Vault";"7/23/2012, 6:42:55 PM";"file";"C:\Program Files (x86)\Java\jre6\bin\java.exe"
Trojan horse Dropper.Generic_c.MMI;"c:\Windows\System32\services.exe";"Object is white-listed (critical/system file that should not be removed)";"7/23/2012, 6:38:51 PM";"file";"C:\Windows\System32\wininit.exe"
Trojan horse Dropper.Generic_c.MMI;"c:\Windows\System32\services.exe";"Object is white-listed (critical/system file that should not be removed)";"7/23/2012, 6:27:56 PM";"file";"C:\Windows\System32\svchost.exe"
Trojan horse Dropper.Generic_c.MMI;"c:\Windows\System32\services.exe";"Object is white-listed (critical/system file that should not be removed)";"7/23/2012, 5:58:20 PM";"file";"C:\Windows\System32\wininit.exe"
Trojan horse Dropper.Generic_c.MMI;"c:\Windows\System32\services.exe";"Object is white-listed (critical/system file that should not be removed)";"7/20/2012, 9:36:43 PM";"file";"C:\Windows\System32\svchost.exe"
Trojan horse Dropper.Generic_c.MMI;"c:\Windows\System32\services.exe";"Object is white-listed (critical/system file that should not be removed)";"7/20/2012, 9:04:21 PM";"file";"C:\Windows\System32\wininit.exe"
Trojan horse Dropper.Generic_c.MMI;"c:\Windows\System32\services.exe";"Object is white-listed (critical/system file that should not be removed)";"7/19/2012, 10:26:38 PM";"file";"C:\Windows\System32\svchost.exe"
Trojan horse Dropper.Generic_c.MMI;"c:\Windows\System32\services.exe";"Object is white-listed (critical/system file that should not be removed)";"7/19/2012, 10:17:37 PM";"file";"C:\Windows\System32\taskmgr.exe"
Trojan horse Dropper.Generic_c.MMI;"c:\Windows\System32\services.exe";"Object is white-listed (critical/system file that should not be removed)";"7/17/2012, 10:33:31 PM";"file";"C:\Windows\System32\svchost.exe"
Trojan horse Dropper.Generic_c.MMI;"c:\Windows\System32\services.exe";"Object is white-listed (critical/system file that should not be removed)";"7/16/2012, 9:53:31 PM";"file";"C:\Windows\System32\svchost.exe"
Trojan horse Dropper.Generic_c.MMI;"c:\Windows\System32\services.exe";"Object is white-listed (critical/system file that should not be removed)";"7/16/2012, 9:09:37 PM";"file";"C:\Windows\System32\svchost.exe"
Trojan horse Dropper.Generic_c.MMI;"c:\Windows\System32\services.exe";"Object is white-listed (critical/system file that should not be removed)";"7/16/2012, 6:52:24 AM";"file";"C:\Windows\System32\svchost.exe"
Trojan horse Dropper.Generic_c.MMI;"c:\Windows\System32\services.exe";"Object is white-listed (critical/system file that should not be removed)";"7/15/2012, 11:05:13 PM";"file";"C:\Windows\System32\svchost.exe"
Trojan horse Dropper.Generic_c.MMI;"c:\Windows\System32\services.exe";"Object is white-listed (critical/system file that should not be removed)";"7/15/2012, 10:24:39 PM";"file";"C:\Windows\System32\svchost.exe"
Trojan horse Dropper.Generic_c.MMI;"c:\Windows\System32\services.exe";"Object is white-listed (critical/system file that should not be removed)";"7/15/2012, 6:54:05 PM";"file";"C:\Windows\System32\svchost.exe"
Trojan horse Dropper.Generic_c.MMI;"c:\Windows\System32\services.exe";"Object is white-listed (critical/system file that should not be removed)";"7/15/2012, 1:24:04 PM";"file";"C:\Windows\System32\svchost.exe"
Trojan horse Dropper.Generic_c.MMI;"c:\Windows\System32\services.exe";"Object is white-listed (critical/system file that should not be removed)";"7/14/2012, 4:03:40 PM";"file";"C:\Windows\System32\svchost.exe"
Trojan horse Dropper.Generic_c.MMI;"c:\Windows\System32\services.exe";"Object is white-listed (critical/system file that should not be removed)";"7/14/2012, 3:31:21 PM";"file";"C:\Windows\System32\svchost.exe"
Trojan horse Dropper.Generic_c.MMI;"c:\Windows\System32\services.exe";"Object is white-listed (critical/system file that should not be removed)";"7/14/2012, 3:08:50 PM";"file";"C:\Windows\System32\taskmgr.exe"
Trojan horse Dropper.Generic_c.MMI;"c:\Windows\System32\services.exe";"Object is white-listed (critical/system file that should not be removed)";"7/14/2012, 3:00:01 PM";"file";"C:\Windows\System32\wininit.exe"
Trojan horse Dropper.Generic_c.MMI;"c:\Windows\System32\services.exe";"Object is white-listed (critical/system file that should not be removed)";"7/14/2012, 1:41:27 PM";"file";"C:\Windows\System32\svchost.exe"
Trojan horse Dropper.Generic_c.MMI;"c:\Windows\System32\services.exe";"Object is white-listed (critical/system file that should not be removed)";"7/14/2012, 12:34:03 PM";"file";"C:\Windows\System32\svchost.exe"
The file is signed by an untrusted certificate, issued by: Generic.B89.;"c:\Users\doug\AppData\Local\Temp\STWSetup-IE.exe";"Potentially dangerous object";"11/16/2011, 11:01:40 PM";"file";"C:\Users\doug\Downloads\ooVooSetup.exe"
Virus identified Worm/AutoRun.BR;"f:\autorun.inf";"Infected";"6/29/2011, 10:16:59 PM";"file";"C:\Windows\System32\svchost.exe"
Virus identified Worm/AutoRun.BR;"f:\autorun.inf";"Infected";"6/29/2011, 9:53:20 PM";"file";"C:\Windows\System32\svchost.exe"
Adware Generic4.BHOW;"c:\Users\doug\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2HX28HTN\SetupPlaySushi[2].exe";"Potentially dangerous object";"4/11/2011, 10:01:20 PM";"file";"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
 
Hello douglasvjohnson and welcome

My name is JonTom

  • Malware Logs can sometimes take a lot of time to research and interpret.
  • Please be patient while I try to assist with your problem. If at any time you do not understand what is required, please ask for further explanation.
  • Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.
  • Read every reply you receive carefully and thoroughly before carrying out the instructions. You may also find it helpful to print out the instructions you receive, as in some instances you may have to disconnect your computer from the Internet.
  • PLEASE NOTE: If you do not reply after 3 days your thread will be closed.

please be patient, as I am not used to this format and process
No problem at all. We will take things step by step and if you have any questions, just ask (it's what I am here for).

I am getting AVG multiple trojan alerts with warnings that deleting the file might crash the system
One of your critical system files has been infected. DO NOT allow AVG to remove the file or your machine may well become unbootable (we will take care of the file in due course).

The infection on your machine has password stealing capabilities. If you use this machine for financial transactions, please go to an uninfected machine and change all of your passwords as soon as you can. It would also be wise to backup all of your important data before we begin any fixing.


When you ran DDS two logs would have been created. You have posted the dds.txt log, but I also need to see the attach.txt log.

Please post the attach.txt log in your next reply. If you have not saved it, just re-scan with DDS again to create a new one. There is no need to attach the log, just copy and paste it directly into your reply :)
 
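As an added example (it is not part of this thread, and neither JonTom nor douglasvjohnson ran it), the Python script below reads the two log formats posted above, the AVG Resident Shield export and the aswMBR log, and merges them per file path so the pattern JonTom is reacting to is explicit: one system file that AVG keeps flagging but will not touch, and two files that both scanners agree on. The sample rows embedded in the script are copied from the logs in the first post; the function names and the grouping rules are my own.

```python
"""Triage the AVG Resident Shield export and the aswMBR log posted above.

Added example for this thread; not a tool anyone in it ran. The sample
lines below are copied from the two logs in the first post.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed sample: six rows of the AVG "Resident Shield detection" export.
AVG_SAMPLE = r'''
Infection;"Object";"Result";"Detection time";"Object Type";"Process"
Trojan horse Dropper.Generic_c.MMI;"c:\Windows\System32\services.exe";"Object is white-listed (critical/system file that should not be removed)";"7/24/2012, 6:33:14 PM";"file";"C:\Windows\System32\svchost.exe"
Trojan horse Generic28.ANIC;"c:\Windows\assembly\GAC_64\Desktop.ini";"Infected";"7/24/2012, 6:19:25 PM";"file";"C:\Users\doug\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2XSI4IK5\aswMBR.exe"
Trojan horse BackDoor.Generic15.AXLA;"c:\Windows\assembly\GAC_32\Desktop.ini";"Infected";"7/24/2012, 6:19:17 PM";"file";"C:\Users\doug\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2XSI4IK5\aswMBR.exe"
Trojan horse Dropper.Generic_c.MMI;"c:\Windows\System32\services.exe";"Object is white-listed (critical/system file that should not be removed)";"7/24/2012, 6:03:06 PM";"file";"C:\Windows\System32\wininit.exe"
Trojan horse Dropper.Generic_c.MMI;"c:\Windows\System32\services.exe";"Object is white-listed (critical/system file that should not be removed)";"7/19/2012, 10:17:37 PM";"file";"C:\Windows\System32\taskmgr.exe"
Trojan horse FakeAV_s.EP;"c:\Users\doug\AppData\Local\Temp\124kkk290347.exe";"Moved to Virus Vault";"7/23/2012, 6:42:55 PM";"file";"C:\Program Files (x86)\Java\jre6\bin\java.exe"
'''

# Constructed sample: the relevant lines of the aswMBR log.
ASWMBR_SAMPLE = r'''
18:14:49.435 AVAST engine scan C:\Windows\system32
18:19:17.563 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
18:19:25.948 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
18:22:35.555 AVAST engine scan C:\Windows\system32\drivers
'''

ASW_INFECTED = re.compile(
    r'^\d\d:\d\d:\d\d\.\d+ File: (?P<path>.+?) \*\*INFECTED\*\* (?P<name>.+)$')


def parse_avg(text):
    """Return one dict per row of an AVG export (';'-separated, quoted fields)."""
    return list(csv.DictReader(io.StringIO(text.strip()), delimiter=';', quotechar='"'))


def parse_aswmbr(text):
    """Map each path aswMBR marked **INFECTED** to the detection name."""
    hits = {}
    for line in text.splitlines():
        m = ASW_INFECTED.match(line.strip())
        if m:
            hits[m.group('path').lower()] = m.group('name')
    return hits


def triage(avg_text, asw_text):
    """Merge both logs per file path (case-folded, since the two tools differ)."""
    summary = defaultdict(lambda: {'avg_names': set(), 'results': set(),
                                   'accessed_by': set(), 'hits': 0, 'aswmbr': None})
    for row in parse_avg(avg_text):
        entry = summary[row['Object'].lower()]
        entry['hits'] += 1
        entry['avg_names'].add(row['Infection'])
        entry['results'].add(row['Result'])
        # AVG's "Process" column is whichever process touched the file when the
        # on-access shield fired (here the aswMBR scanner itself, svchost, ...).
        entry['accessed_by'].add(row['Process'].lower())
    for path, name in parse_aswmbr(asw_text).items():
        summary[path]['aswmbr'] = name
    return dict(summary)


def needs_manual_repair(summary):
    """Files AVG keeps flagging but refuses to act on ("white-listed" system files).

    Repeated hits on one path from several unrelated accessing processes mean the
    file on disk is what is infected; it has to be replaced with a clean copy,
    not deleted, which is the caveat JonTom gives for services.exe.
    """
    return sorted(path for path, e in summary.items()
                  if e['hits'] > 1 and any('white-listed' in r for r in e['results']))


def corroborated(summary):
    """Paths flagged by both scanners, which is where to start cleaning."""
    return sorted(path for path, e in summary.items() if e['aswmbr'] and e['hits'])


if __name__ == '__main__':
    report = triage(AVG_SAMPLE, ASWMBR_SAMPLE)
    for path in corroborated(report):
        e = report[path]
        print(f'{path}: AVG {sorted(e["avg_names"])} / aswMBR {e["aswmbr"]}')
    for path in needs_manual_repair(report):
        e = report[path]
        print(f'{path}: {e["hits"]} hits, left in place; accessed by '
              f'{len(e["accessed_by"])} processes -> replace with a clean copy')
```

Run stand-alone it prints the two GAC Desktop.ini paths that both AVG and aswMBR flag, and services.exe with three hits that AVG left in place because it is white-listed, touched by three different processes (svchost, wininit, taskmgr). That last line is the shape of the problem JonTom describes: the detection is on the file itself, so letting AVG delete it would remove a boot-critical binary rather than the infection.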
Thank you, JonTom. I will advise the owner to reset any passwords she had used here.

I have attached what I believe is the correct file requested.

Thank you again.
 
Hello douglasvjohnson

Thank you for the log.

There is no need to attach any logs, just copy and paste them directly into your replies :)

Let's proceed as follows:

  1. Please disable Spybot Teatimer

    • Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
    • On the left hand side, click "Tools", then click on the "Resident" icon in the list.
    • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active" box.
    • Click the "System Startup" icon in the List.
    • Uncheck the "TeaTimer" box and "OK" any prompts.
    • If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
    • Exit Spybot S&D when done.

  2. Combofix

    • Download ComboFix from one of the following locations:

      Link 1
      Link 2
    • VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
    • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here.
    • Right click on ComboFix.exe and select "Run as Administrator" to run the program. Follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    (screenshot: RC1.png)

    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    (screenshot: RC2-1.png)

    • Click on Yes, to continue scanning for malware.
    • When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
    • Notes: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    • Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
    • Should there be issues with internet afterward:

      In IE: Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.

      In Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection and uncheck the proxy server, set it to No Proxy.

    Please post the Combofix log in your next reply.

    If you encounter any problems with the scan just let me know.
 
Hello, I opened Spybot, clicked / checked RESIDENT, opened SYSTEM STARTUP from the left column menu, but I cannot find a TeaTimer line....
Should I proceed with the next step? Thank you
 
Hello douglasvjohnson

Try opening Spybot as an Administrator (Right click on the Spybot icon and select "Run as Administrator"). If there is still no reference to Teatimer after trying this, go ahead and run Combofix :)
 
Hello. This is the result of the ComboFix scan.
Again, thank you!



ComboFix 12-07-27.03 - doug 07/28/2012 12:26:59.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2811.1549 [GMT -5:00]
Running from: c:\users\doug\Downloads\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\SPL478D.tmp
c:\programdata\SPL718C.tmp
c:\programdata\SPLF3A1.tmp
c:\users\1\Documents\~WRL1610.tmp
c:\users\doug\AppData\Roaming\Mozilla\Firefox\Profiles\7o6nkz82.default\extensions\crossriderapp2258@crossrider.com
c:\users\doug\AppData\Roaming\Mozilla\Firefox\Profiles\7o6nkz82.default\extensions\crossriderapp2258@crossrider.com\chrome.manifest
c:\users\doug\AppData\Roaming\Mozilla\Firefox\Profiles\7o6nkz82.default\extensions\crossriderapp2258@crossrider.com\chrome\content\background.html
c:\users\doug\AppData\Roaming\Mozilla\Firefox\Profiles\7o6nkz82.default\extensions\crossriderapp2258@crossrider.com\chrome\content\browser.xul
c:\users\doug\AppData\Roaming\Mozilla\Firefox\Profiles\7o6nkz82.default\extensions\crossriderapp2258@crossrider.com\chrome\content\crossrider.js
c:\users\doug\AppData\Roaming\Mozilla\Firefox\Profiles\7o6nkz82.default\extensions\crossriderapp2258@crossrider.com\chrome\content\crossriderapi.js
c:\users\doug\AppData\Roaming\Mozilla\Firefox\Profiles\7o6nkz82.default\extensions\crossriderapp2258@crossrider.com\chrome\content\dialog.js
c:\users\doug\AppData\Roaming\Mozilla\Firefox\Profiles\7o6nkz82.default\extensions\crossriderapp2258@crossrider.com\chrome\content\lib\faye-browser-min.js
c:\users\doug\AppData\Roaming\Mozilla\Firefox\Profiles\7o6nkz82.default\extensions\crossriderapp2258@crossrider.com\chrome\content\manage-apps-style.css
c:\users\doug\AppData\Roaming\Mozilla\Firefox\Profiles\7o6nkz82.default\extensions\crossriderapp2258@crossrider.com\chrome\content\manage-apps.html
c:\users\doug\AppData\Roaming\Mozilla\Firefox\Profiles\7o6nkz82.default\extensions\crossriderapp2258@crossrider.com\chrome\content\messaging.js
c:\users\doug\AppData\Roaming\Mozilla\Firefox\Profiles\7o6nkz82.default\extensions\crossriderapp2258@crossrider.com\chrome\content\options.js
c:\users\doug\AppData\Roaming\Mozilla\Firefox\Profiles\7o6nkz82.default\extensions\crossriderapp2258@crossrider.com\chrome\content\options.xul
c:\users\doug\AppData\Roaming\Mozilla\Firefox\Profiles\7o6nkz82.default\extensions\crossriderapp2258@crossrider.com\chrome\content\push.html
c:\users\doug\AppData\Roaming\Mozilla\Firefox\Profiles\7o6nkz82.default\extensions\crossriderapp2258@crossrider.com\chrome\content\search_dialog.xul
c:\users\doug\AppData\Roaming\Mozilla\Firefox\Profiles\7o6nkz82.default\extensions\crossriderapp2258@crossrider.com\chrome\content\update.html
c:\users\doug\AppData\Roaming\Mozilla\Firefox\Profiles\7o6nkz82.default\extensions\crossriderapp2258@crossrider.com\defaults\preferences\prefs.js
c:\users\doug\AppData\Roaming\Mozilla\Firefox\Profiles\7o6nkz82.default\extensions\crossriderapp2258@crossrider.com\install.rdf
c:\users\doug\AppData\Roaming\Mozilla\Firefox\Profiles\7o6nkz82.default\extensions\crossriderapp2258@crossrider.com\locale\en-US\translations.dtd
c:\users\doug\AppData\Roaming\Mozilla\Firefox\Profiles\7o6nkz82.default\extensions\crossriderapp2258@crossrider.com\skin\button1.png
c:\users\doug\AppData\Roaming\Mozilla\Firefox\Profiles\7o6nkz82.default\extensions\crossriderapp2258@crossrider.com\skin\button2.png
c:\users\doug\AppData\Roaming\Mozilla\Firefox\Profiles\7o6nkz82.default\extensions\crossriderapp2258@crossrider.com\skin\button3.png
c:\users\doug\AppData\Roaming\Mozilla\Firefox\Profiles\7o6nkz82.default\extensions\crossriderapp2258@crossrider.com\skin\button4.png
c:\users\doug\AppData\Roaming\Mozilla\Firefox\Profiles\7o6nkz82.default\extensions\crossriderapp2258@crossrider.com\skin\button5.png
c:\users\doug\AppData\Roaming\Mozilla\Firefox\Profiles\7o6nkz82.default\extensions\crossriderapp2258@crossrider.com\skin\crossrider_statusbar.png
c:\users\doug\AppData\Roaming\Mozilla\Firefox\Profiles\7o6nkz82.default\extensions\crossriderapp2258@crossrider.com\skin\icon128.png
c:\users\doug\AppData\Roaming\Mozilla\Firefox\Profiles\7o6nkz82.default\extensions\crossriderapp2258@crossrider.com\skin\icon16.png
c:\users\doug\AppData\Roaming\Mozilla\Firefox\Profiles\7o6nkz82.default\extensions\crossriderapp2258@crossrider.com\skin\icon24.png
c:\users\doug\AppData\Roaming\Mozilla\Firefox\Profiles\7o6nkz82.default\extensions\crossriderapp2258@crossrider.com\skin\icon48.png
c:\users\doug\AppData\Roaming\Mozilla\Firefox\Profiles\7o6nkz82.default\extensions\crossriderapp2258@crossrider.com\skin\panelarrow-up.png
c:\users\doug\AppData\Roaming\Mozilla\Firefox\Profiles\7o6nkz82.default\extensions\crossriderapp2258@crossrider.com\skin\popup.css
c:\users\doug\AppData\Roaming\Mozilla\Firefox\Profiles\7o6nkz82.default\extensions\crossriderapp2258@crossrider.com\skin\popup.html
c:\users\doug\AppData\Roaming\Mozilla\Firefox\Profiles\7o6nkz82.default\extensions\crossriderapp2258@crossrider.com\skin\popup_binding.xml
c:\users\doug\AppData\Roaming\Mozilla\Firefox\Profiles\7o6nkz82.default\extensions\crossriderapp2258@crossrider.com\skin\skin.css
c:\users\doug\AppData\Roaming\Mozilla\Firefox\Profiles\7o6nkz82.default\extensions\crossriderapp2258@crossrider.com\skin\update.css
c:\windows\Installer\{cd7802cc-a39a-b44f-b31f-f3425259e786}\@
c:\windows\Installer\{cd7802cc-a39a-b44f-b31f-f3425259e786}\L\00000004.@
c:\windows\Installer\{cd7802cc-a39a-b44f-b31f-f3425259e786}\L\1afb2d56
c:\windows\Installer\{cd7802cc-a39a-b44f-b31f-f3425259e786}\L\201d3dde
c:\windows\Installer\{cd7802cc-a39a-b44f-b31f-f3425259e786}\U\00000004.@
c:\windows\Installer\{cd7802cc-a39a-b44f-b31f-f3425259e786}\U\00000008.@
c:\windows\Installer\{cd7802cc-a39a-b44f-b31f-f3425259e786}\U\000000cb.@
c:\windows\Installer\{cd7802cc-a39a-b44f-b31f-f3425259e786}\U\80000000.@
c:\windows\Installer\{cd7802cc-a39a-b44f-b31f-f3425259e786}\U\80000032.@
c:\windows\Installer\{cd7802cc-a39a-b44f-b31f-f3425259e786}\U\80000064.@
.
c:\windows\system32\services.exe . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2012-06-28 to 2012-07-28 )))))))))))))))))))))))))))))))
.
.
2012-07-28 20:24 . 2012-07-28 20:24 -------- d-----w- c:\users\Elizabeth\AppData\Local\temp
2012-07-28 20:24 . 2012-07-28 20:24 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-28 20:24 . 2012-07-28 20:24 -------- d-----w- c:\users\Doug_2\AppData\Local\temp
2012-07-28 20:24 . 2012-07-28 20:24 -------- d-----w- c:\users\1\AppData\Local\temp
2012-07-23 23:45 . 2012-07-23 23:45 -------- d-----w- c:\program files (x86)\ERUNT
2012-07-23 23:42 . 2012-07-23 23:42 -------- d-----w- c:\windows\Sun
2012-07-23 23:03 . 2012-07-23 23:03 -------- d-----w- c:\users\doug\AppData\Roaming\Yahoo!
2012-07-23 22:59 . 2012-07-23 23:14 -------- d-----w- c:\users\doug\AppData\Roaming\PerformerSoft
2012-07-21 02:31 . 2012-07-21 02:31 -------- d-----w- c:\programdata\IBUpdaterService
2012-07-21 02:31 . 2012-07-21 02:29 550048 ----a-w- c:\program files (x86)\Uninstall Information\ib_uninst_514\uninstall.exe
2012-07-21 02:30 . 2012-07-21 02:29 550048 ----a-w- c:\program files (x86)\Uninstall Information\ib_uninst_358\uninstall.exe
2012-07-21 02:30 . 2012-07-23 23:14 -------- d-----w- c:\users\Doug_2\AppData\Roaming\PerformerSoft
2012-07-21 02:30 . 2012-07-21 02:30 -------- d-----w- c:\program files (x86)\Conduit
2012-07-21 02:30 . 2012-03-14 20:47 19000 ----a-w- c:\windows\system32\roboot64.exe
2012-07-21 02:30 . 2012-07-23 23:12 -------- d-----w- c:\users\Doug_2\AppData\Local\Conduit
2012-07-21 02:27 . 2012-07-21 02:27 -------- d-----w- c:\users\Doug_2\AppData\Local\visi_coupon
2012-07-21 02:26 . 2012-07-21 02:26 -------- d-sh--w- c:\windows\SysWow64\AI_RecycleBin
2012-07-21 02:26 . 2012-07-21 02:26 -------- d-----w- c:\programdata\W3i
2012-07-21 02:26 . 2012-07-21 02:26 -------- d-----w- c:\program files (x86)\W3i
2012-07-21 02:26 . 2012-07-21 02:26 -------- d-----w- c:\programdata\Yahoo!
2012-07-21 02:26 . 2012-07-21 02:26 -------- d-----w- c:\users\Doug_2\AppData\Roaming\Yahoo!
2012-07-21 02:26 . 2012-07-23 23:03 -------- d-----w- c:\programdata\Yahoo! Companion
2012-07-21 02:26 . 2012-07-21 02:26 -------- d-----w- c:\program files (x86)\Yahoo!
2012-07-21 02:07 . 2012-07-21 02:07 -------- d-----w- c:\users\Doug_2\AppData\Local\AVG Secure Search
2012-07-15 18:20 . 2012-07-15 18:20 -------- d-----w- c:\users\doug\AppData\Local\Macromedia
2012-07-14 17:29 . 2012-07-14 17:29 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2012-07-12 10:59 . 2012-06-12 03:08 3148800 ----a-w- c:\windows\system32\win32k.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-28 17:09 . 2012-04-17 23:35 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-07-28 17:09 . 2011-06-16 18:47 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-12 10:53 . 2011-08-14 16:23 59701280 ----a-w- c:\windows\system32\MRT.exe
2012-07-02 23:43 . 2011-10-09 04:11 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2012-07-02 23:43 . 2012-01-21 19:00 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
2012-07-02 23:43 . 2012-01-20 18:52 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
2012-07-02 23:43 . 2011-12-10 17:13 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2012-06-02 22:19 . 2012-06-22 01:00 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-22 01:00 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-22 01:00 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-22 01:00 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-22 01:00 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-22 01:00 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-22 01:00 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 20:19 . 2012-06-22 00:59 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 20:15 . 2012-06-22 00:59 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-05-23 01:35 . 2011-10-09 04:11 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2012-05-23 01:35 . 2011-10-09 04:10 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2012-05-04 11:06 . 2012-06-14 03:59 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 10:03 . 2012-06-14 03:59 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-05-04 10:03 . 2012-06-14 03:59 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-05-01 05:40 . 2012-06-14 03:59 209920 ----a-w- c:\windows\system32\profsvc.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-07-14 . 014A9CB92514E27C0107614DF764BC06 . 328704 . . [6.1.7600.16385] .. c:\windows\system32\services.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-07-09 19:17 2074208 ----a-w- c:\program files (x86)\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-02-02 00:17 1487240 ----a-w- c:\program files (x86)\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2011-02-02 1487240]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files (x86)\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll" [2012-07-09 2074208]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPAdvisorDock"="c:\program files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe" [2010-02-10 1712184]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-05-19 2736128]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-06-17 98304]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2010-11-09 586296]
"vProt"="c:\program files (x86)\AVG Secure Search\vprot.exe" [2012-07-09 1107552]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"ROC_roc_dec12"="c:\program files (x86)\AVG Secure Search\ROC_roc_dec12.exe" [2012-01-23 928096]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-27 421736]
.
c:\users\doug\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files (x86)\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-08 136176]
R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-09-09 86072]
R2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-06-18 103992]
R2 RtVOsdService;RtVOsdService Installer;c:\program files\Realtek\RtVOsd\RtVOsdService.exe [2010-06-24 315392]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-28 250056]
R3 CASprint;Sprint Con App Svc;c:\program files (x86)\Sprint\Sprint SmartView\ConAppsSvc.exe [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-08 136176]
R3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]
R3 PCTINDIS5X64;PCTINDIS5X64 NDIS Protocol Driver;c:\windows\system32\PCTINDIS5X64.SYS [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2010-05-07 245792]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-03-15 1255736]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-06-10 389120]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [2011-07-11 26704]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [2011-09-13 37456]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [2011-10-07 283728]
S1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [2011-08-08 46672]
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [2011-07-11 375376]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-18 98208]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-06-17 202752]
S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe [2011-08-02 192776]
S2 CinemaNow Service;CinemaNow Service;c:\program files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe [2010-05-21 140272]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-03-28 94264]
S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-11-09 26680]
S2 lxdu_device;lxdu_device;c:\windows\system32\lxducoms.exe [2009-10-16 1039360]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 vToolbarUpdater11.2.0;vToolbarUpdater11.2.0;c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\11.2.0\ToolbarUpdater.exe [2012-07-09 935008]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atipmdag.sys [2010-06-17 6403072]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-06-17 188928]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [2011-07-11 120400]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [2011-07-11 29776]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2010-03-23 347680]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [2009-12-22 38456]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-05-19 17:36 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-17 17:09]
.
2012-07-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-08 14:31]
.
2012-07-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-08 14:31]
.
2012-07-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-828031243-2963740445-2646681652-1001Core.job
- c:\users\doug\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-17 23:54]
.
2012-07-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-828031243-2963740445-2646681652-1001UA.job
- c:\users\doug\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-17 23:54]
.
2012-07-28 c:\windows\Tasks\HPCeeScheduleFordoug.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 04:15]
.
2012-07-14 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files (x86)\Spybot - Search & Destroy\SpybotSD.exe [2011-03-12 21:31]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2011-03-21 6489704]
"HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2010-06-18 8192]
"lxdumon.exe"="c:\program files (x86)\Lexmark 5600-6600 Series\lxdumon.exe" [2010-02-04 676520]
"lxduamon"="c:\program files (x86)\Lexmark 5600-6600 Series\lxduamon.exe" [2010-02-04 16040]
"fssui"="c:\program files (x86)\Windows Live\Family Safety\fsui.exe" [2012-03-08 884584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uStart Page = hxxp://kidshealth.org/teen/sexual_health/girls/menstruation.html
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Add to Video Converter... - c:\program files (x86)\Media Player Utilities 5.22\AVIConverter\grab.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
LSP: mswsock.dll
TCP: DhcpNameServer = 192.168.0.1
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\11.2.0\ViProtocol.dll
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - ProfilePath - c:\users\doug\AppData\Roaming\Mozilla\Firefox\Profiles\7o6nkz82.default\
FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
FF - prefs.js: browser.startup.homepage - hxxp://search.babylon.com/?affID=109936&tt=060612_8_&babsrc=HP_ss&mntrId=e24b91780000000000006e0f6e310db9
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B04ae27d3-b243-48bd-b214-db703be9693b%7D&mid=dd937770430147d6914ab57816bfae0c-41703a7d52e139f598cda7297c5bbf77f1c1caa4&ds=AVG&v=11.1.0.7&lang=en&pr=fr&d=2011-09-27%2019%3A08%3A03&sap=ku&q=
FF - prefs.js: network.proxy.type - 0
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=109936&tt=060612_8_
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - e24b91780000000000006e0f6e310db9
FF - user.js: extensions.BabylonToolbar_i.hardId - e24b91780000000000006e0f6e310db9
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15503
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.176:57
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-{6F44AF95-3CDE-4513-AD3F-6D45F17BF324} - c:\program files (x86)\InstallShield Installation Information\{6F44AF95-3CDE-4513-AD3F-6D45F17BF324}\setup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{8DCB7100-DF86-4384-8842-8FA844297B3F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,72,d8,
89,b4,91,ea,06,f7,54,cc,e8,41,77,3f,2b
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=hex:51,66,7a,6c,4c,1d,38,12,11,7f,11,
d0,78,5b,08,05,de,bb,01,03,dd,4c,30,54
"{95B7759C-8C7F-4BF1-B163-73684A933233}"=hex:51,66,7a,6c,4c,1d,38,12,f2,76,a4,
91,4d,c2,9f,0e,ce,75,30,28,4f,cd,76,27
"{C80BDEB2-8735-44C6-BD55-A1CCD555667A}"=hex:51,66,7a,6c,4c,1d,38,12,dc,dd,18,
cc,07,c9,a8,01,c2,43,e2,8c,d0,0b,22,6e
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{21608B66-026F-4DCB-9244-0DACA328DCED}"=hex:51,66,7a,6c,4c,1d,38,12,08,88,73,
25,5d,4c,a5,08,ed,52,4e,ec,a6,76,98,f9
"{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}"=hex:51,66,7a,6c,4c,1d,38,12,7c,f0,b1,
38,5c,21,3d,0e,d9,78,0d,25,e1,c9,8c,d4
"{53707962-6F74-2D53-2644-206D7942484F}"=hex:51,66,7a,6c,4c,1d,38,12,0c,7a,63,
57,46,21,3d,68,59,52,63,2d,7c,1c,0c,5b
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"=hex:51,66,7a,6c,4c,1d,38,12,d5,94,07,
72,c2,98,42,03,c9,fd,97,9a,f4,87,69,57
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{9FDDE16B-836F-4806-AB1F-1455CBEFF289}"=hex:51,66,7a,6c,4c,1d,38,12,05,e2,ce,
9b,5d,cd,68,0d,d4,09,57,15,ce,b1,b6,9d
"{BFE4B5CB-63F7-4A51-9266-6167655D5B4F}"=hex:51,66,7a,6c,4c,1d,38,12,a5,b6,f7,
bb,c5,2d,3f,0f,ed,70,22,27,60,03,1f,5b
"{D2C5E510-BE6D-42CC-9F61-E4F939078474}"=hex:51,66,7a,6c,4c,1d,38,12,7e,e6,d6,
d6,5f,f0,a2,07,e0,77,a7,b9,3c,59,c0,60
"{D2CE3E00-F94A-4740-988E-03DC2F38C34F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,3d,dd,
d6,78,b7,2e,02,e7,98,40,9c,2a,66,87,5b
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}"=hex:51,66,7a,6c,4c,1d,38,12,70,05,61,
f9,ec,d1,23,0d,da,9c,48,eb,44,0f,8e,cc
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_268_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_268_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\1]
@="131473"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Windows Live\Family Safety\fsssvc.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files (x86)\Lexmark 5600-6600 Series\lxduMsdMon.exe
c:\program files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
c:\program files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
c:\program files (x86)\AVG\AVG2012\avgui.exe
.
**************************************************************************
.
Completion time: 2012-07-28 15:44:20 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-28 20:44
.
Pre-Run: 206,816,018,432 bytes free
Post-Run: 208,280,887,296 bytes free
.
- - End Of File - - C5387BC0B93C71FE3814881FB16CDF1D
 
Hello douglasvjohnson

Thank you for the log.

Before we continue, we need to find a suitable replacement for the infected services.exe file on the machine.

Please work your way through the following steps:


  1. Please download SystemLook by JPShortstuff

    • Please download SystemLook by JPShortstuff by clicking here and save the file (called SystemLook_x64.exe) to your desktop.
    • Right click on SystemLook.exe and select "Run as Administrator" to run the program.
    • Copy the content of the following codebox into the main textfield:

    Code:
    :filefind
    services.ex*
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    • Note: The log can also be found on your Desktop entitled SystemLook.txt

    Please post the systemlook log in your next reply.
 
Systemlook scan result. THANKS!!

SystemLook 30.07.11 by jpshortstuff
Log created at 21:46 on 29/07/2012 by doug
Administrator - Elevation successful

========== filefind ==========

Searching for "services.ex*"
C:\Windows\System32\services.exe --a---- 328704 bytes [23:19 13/07/2009] [01:39 14/07/2009] 014A9CB92514E27C0107614DF764BC06
C:\Windows\System32\en-US\services.exe.mui --a---- 17408 bytes [05:35 14/07/2009] [02:25 14/07/2009] 6507BF0DC2D1F5F32493C288EAA59277
C:\Windows\winsxs\amd64_microsoft-windows-s..ontroller.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c5f238be3fa63468\services.exe.mui --a---- 17408 bytes [05:35 14/07/2009] [02:25 14/07/2009] 6507BF0DC2D1F5F32493C288EAA59277
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe --a---- 328704 bytes [23:19 13/07/2009] [01:39 14/07/2009] 24ACB7E5BE595468E3B9AA488B9B4FCB

-= EOF =-
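The two hashes in the SystemLook output above differ (014A9CB9... for the System32 copy, 24ACB7E5... for the WinSxS copy) even though both files have the same size and the same timestamps, which is what an in-place patch of a system binary looks like. The PowerShell script below is an added example, not part of the thread, of SystemLook or of ComboFix: it automates that comparison, hashing every services.exe under the Windows directory and checking the live System32 copy against the component-store copy of the same file version. It assumes an elevated PowerShell 2.0 or later session on the Windows 7 machine; the Get-FileHashes helper and the selection logic are this example's own.

```powershell
# Added example, not from the thread. Finds every services.exe under the Windows
# directory, hashes each copy, and compares the live System32 copy with the
# component-store (WinSxS) copy that the helper later uses as the replacement.
# Assumptions: elevated PowerShell 2.0 or later (the thread's Windows 7 box);
# the hashing helper and the selection logic are this example's own.

$Root     = $env:SystemRoot
$FileName = 'services.exe'

function Get-FileHashes {
    # MD5 is included only to compare with tools such as SystemLook that print MD5;
    # SHA-256 is what to search for on VirusTotal without uploading anything.
    param([string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $md5   = [System.Security.Cryptography.MD5]::Create()
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    New-Object PSObject -Property @{
        MD5    = ([BitConverter]::ToString($md5.ComputeHash($bytes))) -replace '-', ''
        SHA256 = ([BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''
    }
}

# -Force also lists hidden and system files, which Explorer hides by default;
# that is one reason an Explorer search can miss a file SystemLook found.
$copies = Get-ChildItem -Path $Root -Filter $FileName -Recurse -Force -ErrorAction SilentlyContinue |
          Where-Object { -not $_.PSIsContainer }

$report = foreach ($f in $copies) {
    $h   = Get-FileHashes -Path $f.FullName
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    New-Object PSObject -Property @{
        Path        = $f.FullName
        Size        = $f.Length
        FileVersion = $f.VersionInfo.FileVersion
        MD5         = $h.MD5
        SHA256      = $h.SHA256
        Signature   = $sig.Status
        InWinSxS    = ($f.FullName -like (Join-Path $Root 'winsxs\*'))
    }
}

$report | Sort-Object Path | Format-Table Path, Size, FileVersion, MD5, Signature -AutoSize

$live = $report | Where-Object { $_.Path -eq (Join-Path $Root "System32\$FileName") }
$ref  = $null
if ($live) {
    # A patched binary keeps its original version resource, so the reference copy
    # is the WinSxS copy that reports the same file version.
    $ref = $report | Where-Object { $_.InWinSxS -and $_.FileVersion -eq $live.FileVersion } |
           Select-Object -First 1
}

if (-not $live -or -not $ref) {
    Write-Warning "Could not find both the System32 copy and a matching WinSxS copy of $FileName."
} elseif ($live.SHA256 -ne $ref.SHA256) {
    $msg = ("System32\{0} differs from the WinSxS copy of the same version (same size: {1}); " +
            "treat the live copy as suspect and look up both SHA-256 values on VirusTotal.")
    Write-Warning ($msg -f $FileName, ($live.Size -eq $ref.Size))
} else {
    Write-Output "System32\$FileName is byte-identical to the WinSxS copy."
}
```

Two caveats. Windows system binaries such as services.exe are normally catalog-signed rather than carrying an embedded signature, so on older Windows a NotSigned result from Get-AuthenticodeSignature is not by itself evidence of tampering (Sysinternals sigcheck does check catalogs); the byte-for-byte hash comparison against the WinSxS copy is the decisive test here, and the ESET result later in this thread (Win64/Patched.B.Gen on services.exe) is what that mismatch turned out to be. Second, the SHA-256 printed by the script can be pasted into the VirusTotal search box to find an existing report without uploading the file at all, which sidesteps the "file could not be found" problem with the upload dialog that comes up later in the thread.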
 
Hello douglasvjohnson

Excellent. That log gives us the information we need. Let's ensure the replacement is clean before proceeding, and I would also like to take a closer look at a couple of files before we move on.

  1. Please scan the following files


    • On the page you'll find a "Choose File" button.
    • Click on the Choose File button.
    • In the File Upload window which opens, copy and paste this into the File Name box.


    C:\Windows\System32\services.exe

    • Next, click the Open button.
    • Then click the "Send File" button just below.
    • This will scan the file. Please be patient.
    • If you get a message saying File has already been analyzed: click Reanalyze file now.
    • Once scanned, copy and paste the link to the results page in your next reply.
    • Repeat for the following files:



    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe


    c:\program files (x86)\Uninstall Information\ib_uninst_514\uninstall.exe



    Please post the links to the Virus Total result pages in your next reply.
 
This is exceptionally frustrating. I opened the VirusTotal site, clicked the choose file option, pasted the location, and was told this file could not be found. I searched for the file in the proper location and it was not shown. There is a services.msc file, but no .exe. When I search for the file using windows explorer, I see the services.exe file. Any ideas? Thanks as always
 
Hello douglasvjohnson

I opened the VirusTotal site, clicked the choose file option, pasted the location, and was told this file could not be found.
That's most likely because of its location. It's nothing to worry about (I'm confident the replacement can be used).

Have you tried to scan the following file?

c:\program files (x86)\Uninstall Information\ib_uninst_514\uninstall.exe


Please let me know how it goes in your next reply :)
 
Hello again.
I really respect you for your dedication and ability to persevere.
Here is the result of file C:\Program Files (x86)\Uninstall Information\ib_uninst_514\uninstall.exe



https://www.virustotal.com/file/c0c...153ab8f591145f6f3a321de6/analysis/1343778524/


Be aware that when I tried to scan this file VirusTotal gave me a message that the file had already been scanned. I selected rescan which generated this result.
===================
Here is the result of the other requested scan from VirusTotal for file named C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe


https://www.virustotal.com/file/635...b52388d885f668cf42c5e7e2/analysis/1343779429/

This scan also indicated the file had been previously scanned, and this is the rescan result.

I sure hope one of these can help you in your quest!!

Thanks again for your attention to this matter
 
Hello douglasvjohnson

Thank you for the scan data.

Be aware that when I tried to scan this file VirusTotal gave me a message that the file had already been scanned
That's nothing to worry about. Selecting rescan was the right thing to do.


Please make sure that Combofix is placed directly on your desktop (it is presently located in your downloads folder: c:\users\doug\Downloads\ComboFix.exe).

We need to use Combofix again but this time, we will be running it in a slightly different way.


  1. Please work through the following steps

    • Hold down the Windows key (has the Windows symbol on it) and press the "R" key. A Run box will open. Type in Notepad and press Enter (or click on "OK").
    • NOTE: Do not Use Wordpad or any other text editor except Notepad or the script will fail.
    • Copy and Paste the text in the quotebox below into the open Notepad window:

      FCopy::
      C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe | C:\Windows\System32\services.exe

      Reglock::
      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]

      Firefox::
      FF - ProfilePath - c:\users\doug\AppData\Roaming\Mozilla\Firefox\Profiles\7o6nkz82.default\
      FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
      FF - prefs.js: browser.startup.homepage - hxxp://search.babylon.com/?affID=109936&tt=060612_8_&babsrc=HP_ss&mntrId=e24b91780000000000006e0f6e310db9
      FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=109936&tt=060612_8_
      FF - user.js: extensions.BabylonToolbar_i.babExt -
      FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
      FF - user.js: extensions.BabylonToolbar_i.id - e24b91780000000000006e0f6e310db9
      FF - user.js: extensions.BabylonToolbar_i.hardId - e24b91780000000000006e0f6e310db9
      FF - user.js: extensions.BabylonToolbar_i.instlDay - 15503
      FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
      FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
      FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.176:57
      FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
      FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
      FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
      FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
      FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9
      FF - user.js: extensions.BabylonToolbar_i.instlRef - sst

      File::
      c:\program files (x86)\Uninstall Information\ib_uninst_514\uninstall.exe
      c:\program files (x86)\Uninstall Information\ib_uninst_358\uninstall.exe

    • Save this as "CFScript.txt" (including the quotation marks), change the "Save as type" to "All Files" and save it to your desktop.
    • Close any open browsers.
    • Disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Referring to the picture below, drag CFScript.txt into ComboFix.exe

      [image: CFScriptB-4.gif]



    • When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
    • Once the log is produced, re-engage your resident anti virus.
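The Firefox:: section of the script above strips the Babylon and AVG Secure Search entries from the profile's prefs.js and user.js. The PowerShell script below is an added example, not part of the thread or of ComboFix: it parses the user_pref() lines of both files, flags the hijack entries, and reports user.js hits separately, because Firefox re-applies user.js on every start and a prefs.js-only cleanup is undone at the next launch. The sample text is constructed from the FF entries in the log (query strings shortened, http restored); the regex, the indicator list and the function names are this example's own.

```powershell
# Added example, not from the thread: parses Firefox user_pref() lines from prefs.js
# and user.js and reports the search-hijack entries seen in the ComboFix log above.
# The sample text is constructed from those log values; the parsing regex, the
# indicator list and the function names are this example's own.

# Keys the Babylon/AVG Secure Search hijack in the log used, plus the generic
# homepage/search keys any hijacker rewrites.
$HijackKeys = @(
    'browser.startup.homepage',
    'browser.search.selectedEngine',
    'browser.search.defaultenginename',
    'keyword.URL',
    'extensions.BabylonToolbar_i.*'
)
# Markers that make a homepage/search value suspicious (only the ones visible in the log).
$HijackMarkers = 'babylon|isearch\.avg\.com'

function ConvertFrom-FirefoxPrefs {
    # Turns user_pref("name", value); lines into objects tagged with their source file.
    param([string]$Text, [string]$Source)
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s*user_pref\("([^"]+)",\s*(.*?)\);\s*$') {
            New-Object PSObject -Property @{
                Source = $Source
                Name   = $matches[1]
                Value  = $matches[2].Trim('"')
            }
        }
    }
}

function Find-HijackedPrefs {
    param($Prefs)
    foreach ($p in $Prefs) {
        $hit = $false
        foreach ($k in $HijackKeys) {
            if ($p.Name -like $k) { $hit = $true; break }
        }
        if (-not $hit) { continue }
        # The generic keys are legitimate unless their value points at a hijack marker.
        if ($p.Name -like 'browser.*' -or $p.Name -eq 'keyword.URL') {
            if ($p.Value -notmatch $HijackMarkers) { continue }
        }
        $p
    }
}

# Constructed sample built from the FF entries in the log (URLs shortened, http restored).
$prefsJs = @'
user_pref("browser.search.selectedEngine", "Search the web (Babylon)");
user_pref("browser.startup.homepage", "http://search.babylon.com/?affID=109936&tt=060612_8_&babsrc=HP_ss");
user_pref("keyword.URL", "http://isearch.avg.com/search?cid=%7B04ae27d3-b243-48bd-b214-db703be9693b%7D&q=");
user_pref("network.proxy.type", 0);
'@
$userJs = @'
user_pref("extensions.BabylonToolbar_i.babTrack", "affID=109936&tt=060612_8_");
user_pref("extensions.BabylonToolbar_i.id", "e24b91780000000000006e0f6e310db9");
user_pref("extensions.BabylonToolbar_i.prdct", "BabylonToolbar");
'@

$prefs = @(ConvertFrom-FirefoxPrefs -Text $prefsJs -Source 'prefs.js') +
         @(ConvertFrom-FirefoxPrefs -Text $userJs  -Source 'user.js')

$hijacked = @(Find-HijackedPrefs -Prefs $prefs)
$hijacked | Format-Table Source, Name, Value -AutoSize

# user.js is re-applied on every start, so anything still in it undoes a prefs.js cleanup.
$persisting = @($hijacked | Where-Object { $_.Source -eq 'user.js' })
if ($persisting.Count -gt 0) {
    $msg = ("{0} hijack pref(s) live in user.js and will be re-applied at every start; " +
            "remove them from user.js (or delete the file), not just from prefs.js.")
    Write-Warning ($msg -f $persisting.Count)
}
```

To run it against the real profile from the log, replace the two sample strings with the contents of prefs.js and user.js read from c:\users\doug\AppData\Roaming\Mozilla\Firefox\Profiles\7o6nkz82.default\ (for example with [System.IO.File]::ReadAllText), with Firefox closed, since Firefox rewrites prefs.js on exit. The marker list is deliberately limited to what this log shows; a general-purpose version would compare the homepage and search engine against what the user actually chose rather than against a fixed list of known hijack domains.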
 
Hello and thank you again for your attention and patience in this matter.
The log for this combofix session is attached.
Further information is that the owner of this infected laptop has just advised me that she has a set of backup CDs that were created when the pc was given to her, could these be of use in this instance?
Sorry for this late news, I was just made aware of this myself....
As always, super many thanks
 
Hello douglasvjohnson

Thank you for the log.

Further information is that the owner of this infected laptop has just advised me that she has a set of backup CDs that were created when the pc was given to her, could these be of use in this instance?
Sorry for this late news, I was just made aware of this myself....
No problem. Those disks are always good to have in case a factory reset is required, but right now I don't think we will need them.

Is the machine still redirecting?


  1. Please perform the following scan:

    • Please download MalwareBytes AntiMalware by clicking here and save the file (called mbam-setup.exe) to your desktop.
    • Right click on the mbam-setup.exe icon and select "Run as Administrator" to install the program.
    • Follow the prompts during installation and have the Installation Wizard create a desktop icon.
    • Once installed, double click on the MalwareBytes AntiMalware icon to launch the program.
    • Click on the "Update" tab and then on "Check for Updates".
    • The program will now install the latest Malware definition files.
    • Once complete, click on the "Scanner" tab, select "Perform Quick Scan" and then click on "Scan".
    • Once the program has scanned your computer, a log file will be created in Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.

    • If the scan detects any Malware-related objects, make sure that everything is checked, and click "Remove Selected" <– Very Important.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to restart your computer.
    • The log is automatically saved by MBAM and can be viewed by clicking the "Logs" tab.
    • Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart your computer, please do so immediately.
    • Come back here to this thread and Paste the log in your next reply.

  2. Temporary File Cleaner

    • Download TFC to your desktop.
    • Close any open windows.
    • Right click the TFC icon and select "Run as Administrator" to run the program.
    • TFC will close all open programs itself in order to run.
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish.
    • Once complete it should automatically reboot your machine.
    • If your machine does not reboot automatically, manually reboot to ensure a complete clean.
    • Note: After running TFC your machine may take slightly longer to boot the first time. This is normal.

  3. Please run the following scan

    • Note: You will need to use Internet Explorer for this scan.
    • Note for Vista/Windows 7 Users: ESET is compatible but Internet Explorer must be run as Administrator. To do this, right-click on your Internet Explorer icon and select "Run as Administrator".
    • Please disable your real time security programs before performing the scan.

    • Scan your system with Eset Online Scanner
    • Place a check mark in the box YES, I accept the Terms Of Use.
    • Click the [image: esetOnline.png] button.
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps).
    • Click on [image: esetSmartInstall.png] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image: esetSmartInstallDesktopIcon.png] icon on your desktop.

    • Check [image: esetAcceptTerms.png]
    • Click the [image: esetStart.png] button.
    • Accept any security warnings from your browser.
    • Check [image: esetScanArchives.png]
    • Make sure that the option to "Remove Found Threats" is unchecked.
    • Push the "Start" button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push [image: esetListThreats.png]
    • Push [image: esetExport.png], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • Push the [image: esetBack.png] button.
    • Push [image: esetFinish.png]

    Please post the MBAM log and the ESET log in your next reply and let me know how the machine is running now.
 
Hello Again. I tried but may have screwed up the last step.
The 1st 2 steps went fine.
The ESET scan not so much.
I opened the site, and only options I saw were to run it online. Which I did. But I neglected to check the archive box, and never did see an option to not fix. SO... the scan ran, did not scan archives, and it deleted the 8 items it found. You asked how the machine is running. Know that I am very reluctant to do ANYTHING on this set for fear of compounding the problem.
So here is what I have:
MWB log
Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.02.09

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Doug_2 :: DOUG-HP [administrator]

Protection: Enabled

8/2/2012 6:53:19 PM
mbam-log-2012-08-02 (18-53-19).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 272236
Time elapsed: 6 minute(s), 41 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110011221158} (Adware.GamePlayLab) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Users\Doug_2\Desktop\soft_pcp_conduit.exe (PUP.BundleInstaller.IB) -> Quarantined and deleted successfully.
C:\Users\doug\Downloads\Unconfirmed 79974.crdownload (Adware.Gamevance) -> Quarantined and deleted successfully.

(end)

Here is the result of the REMOVED files from ESET:
C:\Qoobox\Quarantine\C\Windows\Installer\{cd7802cc-a39a-b44f-b31f-f3425259e786}\U\00000008.@.vir Win64/Agent.BA trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\Installer\{cd7802cc-a39a-b44f-b31f-f3425259e786}\U\000000cb.@.vir Win64/Conedex.B trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\Installer\{cd7802cc-a39a-b44f-b31f-f3425259e786}\U\80000000.@.vir Win64/Sirefef.AP trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\Installer\{cd7802cc-a39a-b44f-b31f-f3425259e786}\U\80000032.@.vir a variant of Win32/Sirefef.FD trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\System32\services.exe.vir Win64/Patched.B.Gen trojan deleted - quarantined
C:\Users\doug\Downloads\mahjongg (1).exe a variant of Win32/InstallCore.W application cleaned by deleting - quarantined
C:\Users\doug\Downloads\mahjongg.exe a variant of Win32/InstallCore.W application cleaned by deleting - quarantined
C:\Users\Doug_2\AppData\LocalLow\FCTB000060231\Toolbar\Toolbar.dll Win32/Toolbar.BHO.B application cleaned by deleting - quarantined
=======================
Thank You for all, always!
 
Hello douglasvjohnson

Thank you for the logs.

I tried but may have screwed up the last step
It looks fine to me.

Let's take care of the following leftovers:


  1. Please work through the following steps

    • Hold down the Windows key (has the Windows symbol on it) and press the "R" key. A Run box will open. Type in Notepad and press Enter (or click on "OK").
    • NOTE: Do not Use Wordpad or any other text editor except Notepad or the script will fail.
    • Copy and Paste the text in the quotebox below into the open Notepad window:

      File::
      C:\Windows\assembly\GAC_32\Desktop.ini
      C:\Windows\assembly\GAC_64\Desktop.ini

    • Save this as "CFScript.txt" (including the quotation marks), change the "Save as type" to "All Files" and save it to your desktop.
    • Close any open browsers.
    • Disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Referring to the picture below, drag CFScript.txt into ComboFix.exe

      [image: CFScriptB-4.gif]



    • When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
    • Once the log is produced, re-engage your resident anti virus.

    Please post the Combofix log along with a new aswMBR log in your next reply.

    You asked how the machine is running. Know that I am very reluctant to do ANYTHING on this set for fear of compounding the problem
    Once you have run the Combofix script and a log has been saved, post it up for me to review. After you have posted it, please run the machine normally and see if it is still redirecting, then post back here to tell me how it is running. You will not make the problem worse. There's only one way to find out if the fix has worked and that's to see how things are running :)
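The two Desktop.ini files this script deletes, the Installer\{GUID}\U payloads and the patched services.exe in the ESET log, are the file-system footprint of Sirefef (ESET's name for ZeroAccess): the "Desktop.ini" files in the GAC folders are not INI files but the bot's DLLs, loaded by the patched services.exe. The PowerShell script below is an added example, not part of the thread or of ComboFix: it sweeps those locations, reports what is still present, and checks each file for a PE header so a planted DLL is not mistaken for a harmless text file. It assumes an elevated PowerShell 2.0 or later session and the default %SystemRoot%; the "MZ" check, the folder patterns and the function names are this example's own.

```powershell
# Added example, not from the thread: sweeps the file locations where the ESET and
# ComboFix output above found Sirefef (ZeroAccess) components and reports what is
# still present. Assumptions: elevated PowerShell 2.0 or later, default %SystemRoot%;
# the "MZ" check, the folder patterns and the function names are this example's own.

$Root = $env:SystemRoot
$errs = @()

function Test-IsPEFile {
    # A genuine Desktop.ini is text; a PE image (EXE/DLL) starts with the bytes "MZ".
    param([string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $b = New-Object byte[] 2
        $n = $fs.Read($b, 0, 2)
        return ($n -eq 2 -and $b[0] -eq 0x4D -and $b[1] -eq 0x5A)
    } finally {
        $fs.Close()
    }
}

function New-Finding {
    param([string]$Indicator, [System.IO.FileInfo]$File)
    New-Object PSObject -Property @{
        Indicator = $Indicator
        Path      = $File.FullName
        Size      = $File.Length
        IsPE      = (Test-IsPEFile $File.FullName)
    }
}

$findings = @()

# 1. Payload store: %SystemRoot%\Installer\{GUID}\U\ holding files such as 00000008.@
#    Ordinary Installer\{GUID} folders cache MSI icons and scripts and have no "U" subfolder.
$guidDirs = Get-ChildItem -Path (Join-Path $Root 'Installer') -Force `
                -ErrorAction SilentlyContinue -ErrorVariable +errs |
            Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' }
foreach ($d in $guidDirs) {
    $u = Join-Path $d.FullName 'U'
    if (-not (Test-Path -LiteralPath $u)) { continue }
    $files = Get-ChildItem -LiteralPath $u -Force -ErrorAction SilentlyContinue -ErrorVariable +errs |
             Where-Object { -not $_.PSIsContainer }
    foreach ($f in $files) { $findings += New-Finding 'Installer\{GUID}\U' $f }
}

# 2. Desktop.ini in the GAC folders that is really a DLL (the CFScript above deletes these)
foreach ($sub in 'assembly\GAC_32\Desktop.ini', 'assembly\GAC_64\Desktop.ini') {
    $p = Join-Path $Root $sub
    if (Test-Path -LiteralPath $p) {
        $findings += New-Finding 'GAC Desktop.ini' (Get-Item -LiteralPath $p -Force)
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Sirefef file artifacts found in the swept locations.'
} else {
    $findings | Format-Table Indicator, Path, Size, IsPE -AutoSize
}

# Access-denied errors in an elevated session are themselves worth noting rather than
# ignoring: the infection protects its folders with restrictive permissions.
foreach ($e in $errs) { Write-Warning $e.ToString() }
```

A clean result from this sweep is only one side of the check: the Qoobox paths in the ESET log show that ComboFix had already quarantined the U\ payloads and the patched services.exe, so on this machine the sweep would confirm the removal rather than find anything new. Finding the files again after a reboot, or a GAC Desktop.ini whose IsPE column is True, means the patched services.exe (or another loader) is still restoring them and the services.exe comparison has to be repeated.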
 
Hello Again.
Once again, I have to thank you for your attention and patience.
I will hook it up and see how she works.

Here is the Combofix log as requested:
ComboFix 12-08-05.01 - Doug_2 08/04/2012 16:59:29.3.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2811.1336 [GMT -5:00]
Running from: c:\users\Doug_2\Desktop\ComboFix.exe
Command switches used :: c:\users\Doug_2\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\assembly\GAC_32\Desktop.ini"
"c:\windows\assembly\GAC_64\Desktop.ini"
.
.
((((((((((((((((((((((((( Files Created from 2012-07-04 to 2012-08-04 )))))))))))))))))))))))))))))))
.
.
2012-08-04 22:17 . 2012-08-04 22:17 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2012-08-04 22:17 . 2012-08-04 22:17 -------- d-----w- c:\users\Elizabeth\AppData\Local\temp
2012-08-04 22:17 . 2012-08-04 22:17 -------- d-----w- c:\users\doug\AppData\Local\temp
2012-08-04 22:17 . 2012-08-04 22:17 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-04 22:17 . 2012-08-04 22:17 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-08-04 22:17 . 2012-08-04 22:17 -------- d-----w- c:\users\1\AppData\Local\temp
2012-08-03 00:29 . 2012-08-03 00:29 -------- d-----w- c:\program files (x86)\ESET
2012-08-02 23:51 . 2012-08-02 23:51 -------- d-----w- c:\users\Doug_2\AppData\Roaming\Malwarebytes
2012-08-02 23:51 . 2012-08-02 23:51 -------- d-----w- c:\programdata\Malwarebytes
2012-08-02 23:51 . 2012-08-02 23:51 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-08-02 23:51 . 2012-07-03 18:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-28 20:44 . 2012-08-04 22:18 -------- d-----w- c:\users\Doug_2\AppData\Local\temp
2012-07-23 23:45 . 2012-07-23 23:45 -------- d-----w- c:\program files (x86)\ERUNT
2012-07-23 23:42 . 2012-07-23 23:42 -------- d-----w- c:\windows\Sun
2012-07-23 23:03 . 2012-07-23 23:03 -------- d-----w- c:\users\doug\AppData\Roaming\Yahoo!
2012-07-23 22:59 . 2012-07-23 23:14 -------- d-----w- c:\users\doug\AppData\Roaming\PerformerSoft
2012-07-21 02:31 . 2012-07-21 02:31 -------- d-----w- c:\programdata\IBUpdaterService
2012-07-21 02:31 . 2012-07-21 02:29 550048 ----a-w- c:\program files (x86)\Uninstall Information\ib_uninst_514\uninstall.exe
2012-07-21 02:30 . 2012-07-21 02:29 550048 ----a-w- c:\program files (x86)\Uninstall Information\ib_uninst_358\uninstall.exe
2012-07-21 02:30 . 2012-07-23 23:14 -------- d-----w- c:\users\Doug_2\AppData\Roaming\PerformerSoft
2012-07-21 02:30 . 2012-07-21 02:30 -------- d-----w- c:\program files (x86)\Conduit
2012-07-21 02:30 . 2012-03-14 20:47 19000 ----a-w- c:\windows\system32\roboot64.exe
2012-07-21 02:30 . 2012-07-23 23:12 -------- d-----w- c:\users\Doug_2\AppData\Local\Conduit
2012-07-21 02:27 . 2012-07-21 02:27 -------- d-----w- c:\users\Doug_2\AppData\Local\visi_coupon
2012-07-21 02:26 . 2012-07-21 02:26 -------- d-sh--w- c:\windows\SysWow64\AI_RecycleBin
2012-07-21 02:26 . 2012-07-21 02:26 -------- d-----w- c:\programdata\W3i
2012-07-21 02:26 . 2012-07-21 02:26 -------- d-----w- c:\program files (x86)\W3i
2012-07-21 02:26 . 2012-07-21 02:26 -------- d-----w- c:\programdata\Yahoo!
2012-07-21 02:26 . 2012-07-21 02:26 -------- d-----w- c:\users\Doug_2\AppData\Roaming\Yahoo!
2012-07-21 02:26 . 2012-07-23 23:03 -------- d-----w- c:\programdata\Yahoo! Companion
2012-07-21 02:26 . 2012-07-21 02:26 -------- d-----w- c:\program files (x86)\Yahoo!
2012-07-21 02:07 . 2012-07-21 02:07 -------- d-----w- c:\users\Doug_2\AppData\Local\AVG Secure Search
2012-07-15 18:20 . 2012-07-15 18:20 -------- d-----w- c:\users\doug\AppData\Local\Macromedia
2012-07-14 17:29 . 2012-07-14 17:29 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2012-07-12 10:59 . 2012-06-12 03:08 3148800 ----a-w- c:\windows\system32\win32k.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-03 02:09 . 2012-04-17 23:35 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-03 02:09 . 2011-06-16 18:47 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-12 10:53 . 2011-08-14 16:23 59701280 ----a-w- c:\windows\system32\MRT.exe
2012-07-02 23:43 . 2011-10-09 04:11 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2012-07-02 23:43 . 2012-01-21 19:00 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
2012-07-02 23:43 . 2012-01-20 18:52 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
2012-07-02 23:43 . 2011-12-10 17:13 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2012-06-02 22:19 . 2012-06-22 01:00 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-22 01:00 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-22 01:00 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-22 01:00 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-22 01:00 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-22 01:00 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-22 01:00 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 20:19 . 2012-06-22 00:59 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 20:15 . 2012-06-22 00:59 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-05-23 01:35 . 2011-10-09 04:11 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2012-05-23 01:35 . 2011-10-09 04:10 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-07-28_20.33.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-08-03 00:20 . 2012-08-04 21:48 32768 c:\windows\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2012-08-03 00:20 . 2012-08-04 21:48 16384 c:\windows\Temp\History\History.IE5\index.dat
+ 2012-08-03 00:20 . 2012-08-04 21:48 16384 c:\windows\Temp\Cookies\index.dat
+ 2010-07-11 03:12 . 2012-08-04 21:50 59566 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-08-04 21:49 50430 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-03-13 02:22 . 2012-07-31 23:43 18104 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-828031243-2963740445-2646681652-1001_UserData.bin
+ 2011-06-13 13:38 . 2012-08-04 21:49 7022 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-828031243-2963740445-2646681652-1004_UserData.bin
- 2012-07-28 20:26 . 2012-07-28 20:26 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-08-04 21:47 . 2012-08-04 21:47 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-08-04 21:47 . 2012-08-04 21:47 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-07-28 20:26 . 2012-07-28 20:26 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-08-03 02:09 . 2012-08-03 02:09 686792 c:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_3_300_270_Plugin.exe
+ 2012-08-03 01:09 . 2012-08-03 01:09 686792 c:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_3_300_270_ActiveX.exe
+ 2012-08-03 01:09 . 2012-08-03 01:09 466632 c:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_3_300_270_ActiveX.dll
+ 2012-04-17 23:35 . 2012-08-03 02:09 250056 c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
- 2012-04-17 23:35 . 2012-07-28 17:09 250056 c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
+ 2011-03-13 15:05 . 2012-08-04 22:15 354986 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2009-07-14 02:36 . 2012-08-04 22:17 663816 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-08-04 22:17 122838 c:\windows\system32\perfc009.dat
+ 2012-08-03 02:09 . 2012-08-03 02:09 417992 c:\windows\system32\Macromed\Flash\FlashUtil64_11_3_300_270_Plugin.exe
+ 2012-08-03 01:09 . 2012-08-03 01:09 417992 c:\windows\system32\Macromed\Flash\FlashUtil64_11_3_300_270_ActiveX.exe
+ 2012-08-03 01:09 . 2012-08-03 01:09 513224 c:\windows\system32\Macromed\Flash\FlashUtil64_11_3_300_270_ActiveX.dll
+ 2009-07-14 05:01 . 2012-08-03 02:24 258200 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-07-28 20:25 258200 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2012-07-31 23:30 . 2005-10-20 17:02 163328 c:\windows\ERDNT\AutoBackup\7-31-2012\ERDNT.EXE
+ 2012-07-31 00:51 . 2005-10-20 17:02 163328 c:\windows\ERDNT\AutoBackup\7-30-2012\ERDNT.EXE
+ 2012-07-30 02:38 . 2005-10-20 17:02 163328 c:\windows\ERDNT\AutoBackup\7-29-2012\ERDNT.EXE
+ 2012-08-03 02:09 . 2012-08-03 02:09 9465032 c:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_270.dll
+ 2012-08-03 02:09 . 2012-08-03 02:09 1536712 c:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe
+ 2010-10-18 09:29 . 2012-08-03 00:01 2117776 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2010-10-18 09:29 . 2012-07-28 20:25 2117776 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2012-07-21 02:38 . 2012-08-03 02:24 2521960 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-828031243-2963740445-2646681652-1004-12288.dat
+ 2011-03-14 04:10 . 2012-08-01 00:14 2667136 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-828031243-2963740445-2646681652-1001-12288.dat
+ 2012-07-31 23:30 . 2012-07-31 23:30 2912256 c:\windows\ERDNT\AutoBackup\7-31-2012\Users\00000002\UsrClass.dat
+ 2012-07-31 23:30 . 2012-07-31 23:30 3264512 c:\windows\ERDNT\AutoBackup\7-31-2012\Users\00000001\NTUSER.DAT
+ 2012-07-31 00:51 . 2012-07-31 00:51 2912256 c:\windows\ERDNT\AutoBackup\7-30-2012\Users\00000002\UsrClass.dat
+ 2012-07-31 00:51 . 2012-07-31 00:51 3264512 c:\windows\ERDNT\AutoBackup\7-30-2012\Users\00000001\NTUSER.DAT
+ 2012-07-30 02:38 . 2012-07-30 02:38 2912256 c:\windows\ERDNT\AutoBackup\7-29-2012\Users\00000002\UsrClass.dat
+ 2012-07-30 02:38 . 2012-07-30 02:38 3264512 c:\windows\ERDNT\AutoBackup\7-29-2012\Users\00000001\NTUSER.DAT
+ 2012-08-03 02:09 . 2012-08-03 02:09 12315336 c:\windows\system32\Macromed\Flash\NPSWF64_11_3_300_270.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll" [2012-06-11 1524056]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-07-09 19:17 2074208 ----a-w- c:\program files (x86)\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-02-02 00:17 1487240 ----a-w- c:\program files (x86)\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2011-02-02 1487240]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files (x86)\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll" [2012-07-09 2074208]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPAdvisorDock"="c:\program files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe" [2010-02-10 1712184]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-05-19 2736128]
"InstallIQUpdater"="c:\program files (x86)\W3i\InstallIQUpdater\InstallIQUpdater.exe" [2011-10-11 1179648]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-06-17 98304]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2010-11-09 586296]
"vProt"="c:\program files (x86)\AVG Secure Search\vprot.exe" [2012-07-09 1107552]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"ROC_roc_dec12"="c:\program files (x86)\AVG Secure Search\ROC_roc_dec12.exe" [2012-01-23 928096]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
.
c:\users\doug\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files (x86)\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-08 136176]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-03 250056]
R3 CASprint;Sprint Con App Svc;c:\program files (x86)\Sprint\Sprint SmartView\ConAppsSvc.exe [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-08 136176]
R3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]
R3 PCTINDIS5X64;PCTINDIS5X64 NDIS Protocol Driver;c:\windows\system32\PCTINDIS5X64.SYS [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2010-05-07 245792]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-03-15 1255736]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-06-10 389120]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [2011-07-11 26704]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [2011-09-13 37456]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [2011-10-07 283728]
S1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [2011-08-08 46672]
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [2011-07-11 375376]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-18 98208]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-06-17 202752]
S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe [2011-08-02 192776]
S2 CinemaNow Service;CinemaNow Service;c:\program files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe [2010-05-21 140272]
S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-09-09 86072]
S2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-06-18 103992]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-03-28 94264]
S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-11-09 26680]
S2 lxdu_device;lxdu_device;c:\windows\system32\lxducoms.exe [2009-10-16 1039360]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944]
S2 RtVOsdService;RtVOsdService Installer;c:\program files\Realtek\RtVOsd\RtVOsdService.exe [2010-06-24 315392]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 vToolbarUpdater11.2.0;vToolbarUpdater11.2.0;c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\11.2.0\ToolbarUpdater.exe [2012-07-09 935008]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atipmdag.sys [2010-06-17 6403072]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-06-17 188928]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [2011-07-11 120400]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [2011-07-11 29776]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2010-03-23 347680]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [2009-12-22 38456]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-05-19 17:36 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-04 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-17 02:09]
.
2012-08-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-08 14:31]
.
2012-08-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-08 14:31]
.
2012-07-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-828031243-2963740445-2646681652-1001Core.job
- c:\users\doug\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-17 23:54]
.
2012-08-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-828031243-2963740445-2646681652-1001UA.job
- c:\users\doug\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-17 23:54]
.
2012-07-28 c:\windows\Tasks\HPCeeScheduleFordoug.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 04:15]
.
2012-07-14 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files (x86)\Spybot - Search & Destroy\SpybotSD.exe [2011-03-12 21:31]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2011-03-21 6489704]
"HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2010-06-18 8192]
"lxdumon.exe"="c:\program files (x86)\Lexmark 5600-6600 Series\lxdumon.exe" [2010-02-04 676520]
"lxduamon"="c:\program files (x86)\Lexmark 5600-6600 Series\lxduamon.exe" [2010-02-04 16040]
"fssui"="c:\program files (x86)\Windows Live\Family Safety\fsui.exe" [2012-03-08 884584]
.
------- Supplementary Scan -------
.
uStart Page = https://login.yahoo.com/config/login?.src=fpctx&.intl=us&.done=http://www.yahoo.com/
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\11.2.0\ViProtocol.dll
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - ProfilePath - c:\users\doug\AppData\Roaming\Mozilla\Firefox\Profiles\7o6nkz82.default\
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B04ae27d3-b243-48bd-b214-db703be9693b%7D&mid=dd937770430147d6914ab57816bfae0c-41703a7d52e139f598cda7297c5bbf77f1c1caa4&ds=AVG&v=11.1.0.7&lang=en&pr=fr&d=2011-09-27%2019%3A08%3A03&sap=ku&q=
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
WebBrowser-{C80BDEB2-8735-44C6-BD55-A1CCD555667A} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{8DCB7100-DF86-4384-8842-8FA844297B3F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,72,d8,
89,b4,91,ea,06,f7,54,cc,e8,41,77,3f,2b
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=hex:51,66,7a,6c,4c,1d,38,12,11,7f,11,
d0,78,5b,08,05,de,bb,01,03,dd,4c,30,54
"{95B7759C-8C7F-4BF1-B163-73684A933233}"=hex:51,66,7a,6c,4c,1d,38,12,f2,76,a4,
91,4d,c2,9f,0e,ce,75,30,28,4f,cd,76,27
"{C80BDEB2-8735-44C6-BD55-A1CCD555667A}"=hex:51,66,7a,6c,4c,1d,38,12,dc,dd,18,
cc,07,c9,a8,01,c2,43,e2,8c,d0,0b,22,6e
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{21608B66-026F-4DCB-9244-0DACA328DCED}"=hex:51,66,7a,6c,4c,1d,38,12,08,88,73,
25,5d,4c,a5,08,ed,52,4e,ec,a6,76,98,f9
"{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}"=hex:51,66,7a,6c,4c,1d,38,12,7c,f0,b1,
38,5c,21,3d,0e,d9,78,0d,25,e1,c9,8c,d4
"{53707962-6F74-2D53-2644-206D7942484F}"=hex:51,66,7a,6c,4c,1d,38,12,0c,7a,63,
57,46,21,3d,68,59,52,63,2d,7c,1c,0c,5b
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"=hex:51,66,7a,6c,4c,1d,38,12,d5,94,07,
72,c2,98,42,03,c9,fd,97,9a,f4,87,69,57
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{9FDDE16B-836F-4806-AB1F-1455CBEFF289}"=hex:51,66,7a,6c,4c,1d,38,12,05,e2,ce,
9b,5d,cd,68,0d,d4,09,57,15,ce,b1,b6,9d
"{BFE4B5CB-63F7-4A51-9266-6167655D5B4F}"=hex:51,66,7a,6c,4c,1d,38,12,a5,b6,f7,
bb,c5,2d,3f,0f,ed,70,22,27,60,03,1f,5b
"{D2C5E510-BE6D-42CC-9F61-E4F939078474}"=hex:51,66,7a,6c,4c,1d,38,12,7e,e6,d6,
d6,5f,f0,a2,07,e0,77,a7,b9,3c,59,c0,60
"{D2CE3E00-F94A-4740-988E-03DC2F38C34F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,3d,dd,
d6,78,b7,2e,02,e7,98,40,9c,2a,66,87,5b
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}"=hex:51,66,7a,6c,4c,1d,38,12,70,05,61,
f9,ec,d1,23,0d,da,9c,48,eb,44,0f,8e,cc
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\1]
@="131473"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-08-04 17:26:59
ComboFix-quarantined-files.txt 2012-08-04 22:26
ComboFix2.txt 2012-08-02 01:39
ComboFix3.txt 2012-07-28 20:44
.
Pre-Run: 206,530,469,888 bytes free
Post-Run: 206,460,436,480 bytes free
.
- - End Of File - - A468FB62F2DF895D01605C3DF13F44AC
 