TechSpot

[Closed] Possible fake AVG and Security Shield virus

By dover1982
Aug 3, 2012
Topic Status:
Not open for further replies.
  1. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    • Please go to VirSCAN.org FREE on-line scan service
    • Browse for the following file path into the "Suspicious files to scan" box on the top of the page:
      • c:\windows\system32\services.exe
    • Click on the Upload button
    • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
    • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
    • Paste the contents of the Clipboard in your next reply.
     
  2. dover1982

    dover1982 TS Rookie Topic Starter Posts: 47

    I ran the VirScan for "c:\windows\system32\services.exe" but it wouldn't work. I tried it twice and once left it alone for three hours and there was no sign of progress in its status bar. I was able to click "ReScan" but that was as far as I got. However, I didn't close Kaspersky and had both running at the same time, just in case that matters. I did end up clicking "skip" on the objects that Kaspersky detected and the Kaspersky scan is now moving again and scanning files. So I guess I should just let Kaspersky finish?
     
  3. dover1982

    dover1982 TS Rookie Topic Starter Posts: 47

    Ok the Kaspersky scan is done. Before I click "Disinfect all", I noticed that it has 8 objects listed as "Vulnerability", which includes things like QuickTime Player and iTunes. I was just wondering if those programs would be safe or not after clicking "Disinfect all"?
     
  4. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

  5. dover1982

    dover1982 TS Rookie Topic Starter Posts: 47

    After clicking "Disinfect all" on the Kaspersky scan, it started disinfection and then upon completion it automatically restarted the computer, so I was unable to click "Save" for the report. I reopened Kaspersky but couldn't find any report. There were a number of alerts in the lower right-hand corner of the screen from Kaspersky while it was disinfecting and I skipped over most of them. Did I just ruin the scan and allow malicious objects to still be on my computer by "skipping" over them?

    I ran the virustotal.com scan for services.exe and it came up completely clean.
     
  6. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Cool! :) They weren't malicious. ;)

    Let me know the overall picture of what we're looking at for your computer.
     
  7. dover1982

    dover1982 TS Rookie Topic Starter Posts: 47

    - Well the most recent problem was a few resident shield detections. Though this was before the recent Kaspersky scan we ran that caught a bunch of stuff. One thing that resident shield still catches even after the Kaspersky scan is that services.exe file. I know the scan we ran for that file turned up clean but what do I do about AVG detecting it over and over again?

    ResidentShieldrepeats.JPG

    - Before we started doing the recent string of scans or at least attempts at scans, I posted a photo of a few questionable detections by resident shield including one object that read "May be infected by unknown virus Win32/DH{LgMPNg}". That just sounds odd to me and makes me wonder if it was actually cleaned or not? There was also an object in those detections that was supposedly removed successfully once but then was found again. I'll post a photo of that group of detections.

    ResidentShieldpic.JPG

    - I've had a lot of redirects while using Internet Explorer.

    - Since I restarted the computer after Kaspersky's disinfection, I have a pop up on startup that reads "Windows cannot find '3404752.exe'. Make sure you typed the name correctly, and then try again." Don't know if this is a big deal or not.

    - One of the original problems I had was a pop-up in the lower right-hand corner of the screen letting me know that User Account Control was off. I don't know how that happened, whether it was part of any original virus or not, and I honestly don't know whether it was possibly always off. And now I went to the User Account Control settings and apparently the Control Panel icons and arrangement have changed from when I originally looked for whether it was off or not. I don't know how that happened, but anyway it doesn't say whether UAC is off or on explicitly like before. I can still access it, but I just can't tell what its setting is.

    - The computer had made great progress and a lot of the original problems were gone, and then one day I had a bunch of trouble and one of those things was a malware detection by AVG. I mentioned it before, but just in case it could help I'll mention it again with a couple of pictures of the alert and the details of the initial alert.

    ThreatRemoval.JPG

    IDProDetails.JPG

    - And I figured I'd just remind you that one of the big problems from the start was a questionable alert from AVG's Identity Protection. I thought it might've been a fake, but after a few scans it seemed legit, and it was, as I moved the threat to the vault, which was listed as a certain backdoor trojan. Immediately after moving the threat to the vault, ID Pro followed up with an alert saying it caught some malware. I assume AVG has taken care of those threats, but since they seem significant I thought I'd let you know. I do have a photo of the alert, but not the details nor the malware alert that followed the trojan alert.

    AVGIDPROsnip.JPG
     
  8. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Do a full scan with AVG, then take a screenshot of results, please.
     
  9. dover1982

    dover1982 TS Rookie Topic Starter Posts: 47

    I took three pictures: one of the overview of the scan results, another of those under "infections", and a third of those under "warnings". I didn't get all the objects in "warnings" in one photo since there were like 80 of them, but all are cookies. If you'd like to see the rest of those let me know and I'll take a couple more screenshots.

    I noticed that there was one "infection" that wasn't removed or healed; I'm assuming that's the services.exe? It's confusing because there's a green check mark on that object. I left the results open since it has the option to "remove all unhealed". Should I click that or leave it alone?

    AVGscanoverview.JPG

    AVGscaninfections.JPG

    AVGscanwarnings.JPG
     
  10. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    New log from ComboFix

    We would like to see a ☆new log☆ from ComboFix. Please find the ComboFix icon on your Desktop, and double-click on it. Once it finishes running, post the new log.
     
  11. dover1982

    dover1982 TS Rookie Topic Starter Posts: 47

    I'm having trouble getting ComboFix to run. An alert comes up during the installation. I've tried ComboFix a number of times, even clicking "Ignore" on the alert, after which the installation seems to finish, but after that a blue screen pops up for a split second and then that's it.

    combofixalert.JPG
     
     
  12. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Please try again in Safe Mode with Networking (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).
     
  13. dover1982

    dover1982 TS Rookie Topic Starter Posts: 47

    ComboFix 12-09-07.03 - Mary 09/07/2012 20:29:50.8.4 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4060.2421 [GMT -4:00]
    Running from: c:\users\Mary\Desktop\ComboFix.exe
    AV: AVG Internet Security 2011 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    FW: AVG Firewall *Enabled* {621CC794-9486-F902-D092-0484E8EA828B}
    SP: AVG Internet Security 2011 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\assembly\GAC_32\Desktop.ini
    c:\windows\assembly\GAC_64\Desktop.ini
    c:\windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\@
    c:\windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\L\00000004.@
    c:\windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\L\201d3dde
    c:\windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\U\00000004.@
    c:\windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\U\00000008.@
    c:\windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\U\000000cb.@
    c:\windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\U\80000000.@
    c:\windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\U\80000032.@
    c:\windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\U\80000064.@
    .
    c:\windows\system32\Services.exe . . . is infected!!
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-08-10 to 2012-09-10 )))))))))))))))))))))))))))))))
    .
    .
    2012-09-09 04:32 . 2012-09-09 04:32 -------- d-----w- c:\users\Public\AppData\Local\temp
    2012-09-09 04:32 . 2012-09-09 04:32 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-09-09 04:32 . 2012-09-09 04:32 -------- d-----w- c:\users\AppData\AppData\Local\temp
    2012-08-20 18:21 . 2012-08-20 18:21 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
    2012-08-20 18:16 . 2012-08-21 03:17 -------- d-----w- c:\users\Mary\AppData\Roaming\xsecva
    2012-08-16 00:17 . 2012-05-11 16:34 788480 ----a-w- c:\windows\system32\localspl.dll
    2012-08-16 00:17 . 2012-05-11 15:57 623616 ----a-w- c:\windows\SysWow64\localspl.dll
    2012-08-16 00:17 . 2012-06-29 16:20 648192 ----a-w- c:\windows\system32\netapi32.dll
    2012-08-14 22:10 . 2012-08-14 22:10 -------- d-----w- c:\program files (x86)\Kaspersky Lab
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-03 17:46 . 2012-01-26 01:06 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2009-04-11 . BC81150939BD52DBC7A08C245F1FB229 . 384512 . . [6.0.6000.16386] .. c:\windows\system32\services.exe
    .
    ((((((((((((((((((((((((((((( SnapShot_2012-08-04_19.13.46 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2012-09-09 04:32 . 2012-09-08 00:17 16384 c:\windows\temp\Temporary Internet Files\Content.IE5\index.dat
    + 2012-09-09 04:32 . 2012-09-08 00:17 16384 c:\windows\temp\History\History.IE5\index.dat
    + 2012-09-09 04:32 . 2012-09-08 00:17 16384 c:\windows\temp\Cookies\index.dat
    + 2012-08-16 07:02 . 2012-06-28 00:08 73216 c:\windows\SysWOW64\mshtmled.dll
    - 2012-07-11 07:01 . 2012-06-02 08:17 73216 c:\windows\SysWOW64\mshtmled.dll
    - 2012-07-11 07:01 . 2012-06-02 08:22 66048 c:\windows\SysWOW64\migration\WininetPlugin.dll
    + 2012-08-16 07:02 . 2012-06-28 00:13 66048 c:\windows\SysWOW64\migration\WininetPlugin.dll
    + 2012-08-16 07:02 . 2012-06-28 00:13 65024 c:\windows\SysWOW64\jsproxy.dll
    - 2012-07-11 07:01 . 2012-06-02 08:21 65024 c:\windows\SysWOW64\jsproxy.dll
    + 2012-08-21 06:03 . 2012-09-05 21:58 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat
    + 2012-08-20 18:22 . 2012-08-20 18:22 49120 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT
    + 2012-08-20 18:22 . 2012-09-05 22:37 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
    + 2012-08-20 18:21 . 2012-09-05 22:37 16384 c:\windows\SysWOW64\%APPDATA%\Microsoft\Windows\IETldCache\index.dat
    + 2008-01-21 02:23 . 2012-09-08 00:19 67980 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-09-10 08:50 . 2012-09-06 22:32 10200 c:\windows\system32\WDI\ERCQueuedResolutions.dat
    + 2006-11-02 15:45 . 2012-09-08 00:19 91656 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2009-09-05 23:57 . 2012-09-08 00:19 17258 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2407127360-2681154229-4036151088-1000_UserData.bin
    - 2012-07-11 07:01 . 2012-06-02 11:57 96768 c:\windows\system32\mshtmled.dll
    + 2012-08-16 07:02 . 2012-06-28 03:13 96768 c:\windows\system32\mshtmled.dll
    + 2012-08-16 07:02 . 2012-06-28 03:18 86528 c:\windows\system32\migration\WininetPlugin.dll
    - 2012-07-11 07:01 . 2012-06-02 12:03 86528 c:\windows\system32\migration\WininetPlugin.dll
    - 2012-07-11 07:01 . 2012-06-02 12:03 85504 c:\windows\system32\jsproxy.dll
    + 2012-08-16 07:02 . 2012-06-28 03:17 85504 c:\windows\system32\jsproxy.dll
    - 2009-09-05 23:56 . 2012-08-02 15:56 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-09-05 23:56 . 2012-09-01 07:30 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-09-05 23:56 . 2012-09-01 07:30 49152 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-09-05 23:56 . 2012-09-01 07:30 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2012-08-31 07:57 . 2012-08-31 07:57 49120 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT
    - 2012-05-10 07:04 . 2012-05-10 07:04 49936 c:\windows\Installer\{95120000-00AF-0409-0000-0000000FF1CE}\ppvwicon.exe
    + 2012-08-16 07:04 . 2012-08-16 07:04 49936 c:\windows\Installer\{95120000-00AF-0409-0000-0000000FF1CE}\ppvwicon.exe
    - 2012-05-10 07:15 . 2012-05-10 07:15 35600 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
    + 2012-08-16 07:04 . 2012-08-16 07:04 35600 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
    + 2010-01-01 01:13 . 2012-08-31 23:44 1808 c:\windows\system32\WDI\{95c162b7-5b71-44f8-82e4-abfd3108f40f}.bin
    + 2010-05-17 00:43 . 2012-08-19 20:02 2408 c:\windows\system32\WDI\{88d4896f-f553-446a-9c75-9dec124ff8b7}.bin
    + 2012-09-09 04:36 . 2012-09-09 04:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2012-08-04 16:11 . 2012-08-04 16:11 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2012-08-04 16:11 . 2012-08-04 16:11 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2012-09-09 04:36 . 2012-09-09 04:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2012-07-11 07:01 . 2012-06-02 08:23 231936 c:\windows\SysWOW64\url.dll
    + 2012-08-16 07:02 . 2012-06-28 00:16 231936 c:\windows\SysWOW64\url.dll
    + 2012-08-16 00:17 . 2012-06-29 16:01 467968 c:\windows\SysWOW64\netapi32.dll
    + 2012-08-16 07:02 . 2012-06-28 00:10 717824 c:\windows\SysWOW64\jscript.dll
    - 2012-07-11 07:01 . 2012-06-02 08:20 142848 c:\windows\SysWOW64\ieUnatt.exe
    + 2012-08-16 07:02 . 2012-06-28 00:12 142848 c:\windows\SysWOW64\ieUnatt.exe
    + 2012-08-16 07:02 . 2012-06-28 00:04 176640 c:\windows\SysWOW64\ieui.dll
    - 2012-07-11 07:01 . 2012-06-02 08:14 176640 c:\windows\SysWOW64\ieui.dll
    + 2012-08-28 06:01 . 2012-09-09 04:36 147456 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-09-06 14:43 . 2012-09-10 03:50 644424 c:\windows\system32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
    + 2012-08-16 07:02 . 2012-06-28 03:19 237056 c:\windows\system32\url.dll
    - 2012-07-11 07:01 . 2012-06-02 12:04 237056 c:\windows\system32\url.dll
    + 2006-11-02 12:46 . 2012-09-09 04:43 604502 c:\windows\system32\perfh009.dat
    - 2006-11-02 12:46 . 2012-08-04 16:18 604502 c:\windows\system32\perfh009.dat
    + 2006-11-02 12:46 . 2012-09-09 04:43 104202 c:\windows\system32\perfc009.dat
    - 2006-11-02 12:46 . 2012-08-04 16:18 104202 c:\windows\system32\perfc009.dat
    + 2012-08-16 07:02 . 2012-06-28 03:16 816640 c:\windows\system32\jscript.dll
    + 2012-08-16 07:02 . 2012-06-28 03:16 173056 c:\windows\system32\ieUnatt.exe
    - 2012-07-11 07:01 . 2012-06-02 12:01 173056 c:\windows\system32\ieUnatt.exe
    - 2012-07-11 07:01 . 2012-06-02 11:54 248320 c:\windows\system32\ieui.dll
    + 2012-08-16 07:02 . 2012-06-28 03:08 248320 c:\windows\system32\ieui.dll
    - 2006-11-02 15:21 . 2012-07-11 17:11 303936 c:\windows\system32\FNTCACHE.DAT
    + 2006-11-02 15:21 . 2012-08-16 07:23 303936 c:\windows\system32\FNTCACHE.DAT
    + 2011-02-16 22:00 . 2012-09-09 04:34 287624 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    - 2011-02-16 22:00 . 2012-08-04 16:09 287624 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2012-08-16 07:02 . 2012-06-28 00:18 1129472 c:\windows\SysWOW64\wininet.dll
    - 2012-07-11 07:01 . 2012-06-02 08:25 1129472 c:\windows\SysWOW64\wininet.dll
    - 2012-07-11 07:01 . 2012-06-02 08:26 1103872 c:\windows\SysWOW64\urlmon.dll
    + 2012-08-16 07:02 . 2012-06-28 00:18 1103872 c:\windows\SysWOW64\urlmon.dll
    + 2012-08-16 07:02 . 2012-06-28 00:27 1800704 c:\windows\SysWOW64\jscript9.dll
    - 2012-07-11 07:01 . 2012-06-02 08:19 1793024 c:\windows\SysWOW64\iertutil.dll
    + 2012-08-16 07:02 . 2012-06-28 00:08 1793024 c:\windows\SysWOW64\iertutil.dll
    - 2012-07-11 07:01 . 2012-06-02 08:43 9737728 c:\windows\SysWOW64\ieframe.dll
    + 2012-08-16 07:02 . 2012-06-28 00:28 9737728 c:\windows\SysWOW64\ieframe.dll
    + 2008-01-21 03:20 . 2012-09-09 04:36 5210112 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2012-07-11 07:01 . 2012-06-02 12:05 1392128 c:\windows\system32\wininet.dll
    + 2012-08-16 07:02 . 2012-06-28 03:21 1392128 c:\windows\system32\wininet.dll
    - 2012-07-11 07:01 . 2012-06-13 13:58 2769408 c:\windows\system32\win32k.sys
    + 2012-08-16 07:02 . 2012-07-04 14:33 2769408 c:\windows\system32\win32k.sys
    + 2012-08-16 07:02 . 2012-06-28 03:22 1346048 c:\windows\system32\urlmon.dll
    - 2012-07-11 07:01 . 2012-06-02 12:05 1346048 c:\windows\system32\urlmon.dll
    + 2012-08-16 07:02 . 2012-06-28 03:28 2312704 c:\windows\system32\jscript9.dll
    - 2012-07-11 07:01 . 2012-06-02 11:59 2144768 c:\windows\system32\iertutil.dll
    + 2012-08-16 07:02 . 2012-06-28 03:14 2144768 c:\windows\system32\iertutil.dll
    + 2011-07-13 07:19 . 2012-09-06 22:32 1350296 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2407127360-2681154229-4036151088-1000-8192.dat
    - 2011-07-13 07:19 . 2012-07-28 01:02 1350296 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2407127360-2681154229-4036151088-1000-8192.dat
    + 2012-06-26 22:03 . 2012-06-26 22:03 3875840 c:\windows\Installer\dd0ee8f.msp
    + 2012-08-14 22:10 . 2012-08-14 22:10 3636224 c:\windows\Installer\6c2e056.msi
    + 2012-08-16 07:02 . 2012-06-28 00:50 12317184 c:\windows\SysWOW64\mshtml.dll
    + 2008-01-21 03:20 . 2012-09-09 04:36 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2006-11-02 12:33 . 2012-08-16 07:21 11272192 c:\windows\system32\SMI\Store\Machine\schema.dat
    - 2006-11-02 12:33 . 2012-07-11 17:09 11272192 c:\windows\system32\SMI\Store\Machine\schema.dat
    + 2012-08-16 07:02 . 2012-06-28 04:10 17809920 c:\windows\system32\mshtml.dll
    + 2012-08-16 07:02 . 2012-06-28 03:39 10925568 c:\windows\system32\ieframe.dll
    + 2011-07-13 07:19 . 2012-09-06 22:32 58378044 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2407127360-2681154229-4036151088-1000-4096.dat
    + 2012-01-28 03:02 . 2012-09-04 19:58 24881724 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2407127360-2681154229-4036151088-1000-12288.dat
    + 2012-08-20 21:46 . 2012-09-06 22:32 13128116 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-18-16384.dat
    + 2012-07-18 19:53 . 2012-07-18 19:53 10937344 c:\windows\Installer\dd0ee81.msp
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
    2012-07-11 06:07 2074208 ----a-w- c:\program files (x86)\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files (x86)\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll" [2012-07-11 2074208]
    .
    [HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
    [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
    [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-05 68856]
    "KSS"="c:\program files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe" [2012-04-25 202296]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "LedKey"="CNYHKey.exe" [2008-04-24 339968]
    "LchDrvKey"="LchDrvKey.exe" [2007-03-29 36864]
    "AVG_TRAY"="c:\program files (x86)\AVG\AVG10\avgtray.exe" [2012-01-18 2339168]
    "vProt"="c:\program files (x86)\AVG Secure Search\vprot.exe" [2012-07-11 1107552]
    "ROC_roc_dec12"="c:\program files (x86)\AVG Secure Search\ROC_roc_dec12.exe" [2012-02-27 928096]
    .
    c:\users\Mary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    _uninst_75988437.lnk - c:\users\Mary\AppData\Local\temp\_uninst_75988437.bat [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG10\avgchsva.exe /sync\0c:\progra~2\AVG\AVG10\avgrsa.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    S0 91660647;91660647;c:\windows\system32\DRIVERS\91660647.sys [2012-02-04 460888]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-04-04 63928]
    .
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    Themes
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-09-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-30 18:24]
    .
    2012-09-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-30 18:24]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-03-10 1833504]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-03-10 7212576]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]
    "IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-09-12 182808]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]
    "CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-04 2114376]
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uLocal Page = c:\windows\system32\blank.htm
    mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=1006&m=sx2800
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office10\EXCEL.EXE/3000
    LSP: mswsock.dll
    TCP: DhcpNameServer = 192.168.1.1
    Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\11.2.0\ViProtocol.dll
    DPF: {1ABA5FAC-1417-422B-BA82-45C35E2C908B} - hxxp://kitchenplanner.ikea.com/US/Core/Player/2020PlayerAX_IKEA_Win32.cab
    CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
    FF - ProfilePath - c:\users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\axfc2q7p.default\
    FF - prefs.js: browser.search.defaulturl -
    FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B666f7fc8-a785-4d1b-9863-eb4fc40822e1%7D&mid=ef9351033a2cf750a079032fbdd642b8-c98eeb274289a88edf12d9eb252238c58951ab67&ds=AVG&v=11.1.0.12&lang=us&pr=pa&d=2012-02-25%2019%3A43%3A16&sap=ku&q=
    FF - user.js: yahoo.homepage.dontask - true
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    .
    .
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
    "ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @="Shockwave Flash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @=""
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @="FlashBroker"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\AVG\AVG10\avgfws.exe
    c:\program files (x86)\AVG\AVG10\avgwdsvc.exe
    c:\program files (x86)\Bonjour\mDNSResponder.exe
    c:\program files (x86)\Flip Video\FlipShare\FlipShareService.exe
    c:\program files (x86)\Flip Video\FlipShareServer\FlipShareServer.exe
    c:\program files (x86)\AVG\AVG10\avgam.exe
    c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\11.2.0\ToolbarUpdater.exe
    c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    c:\program files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    c:\windows\MHotKey.exe
    c:\windows\CNYHKey.exe
    c:\program files (x86)\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    c:\windows\ModLedKey.exe
    c:\windows\ChiFuncExt.exe
    .
    **************************************************************************
    .
    Completion time: 2012-09-09 23:56:52 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-09-10 03:56
    ComboFix2.txt 2012-08-05 21:23
    ComboFix3.txt 2012-08-04 19:16
    ComboFix4.txt 2012-05-27 21:14
    ComboFix5.txt 2012-09-07 23:37
    .
    Pre-Run: 442,466,832,384 bytes free
    Post-Run: 441,782,059,008 bytes free
    .
    - - End Of File - - 5DE43D4B59F38B2608342FDCDE1FB7D1
     
  14. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Not sure if I asked you, do you have the Windows Vista disc?
     
  15. dover1982

    dover1982 TS Rookie Topic Starter Posts: 47

    I have a set of Windows Vista Recovery Disks
     
  16. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Okay, good. Just checking there.

    Please download the attached file (Vista.zip).

    Extract the contents of it, and transfer the file to the Desktop. You should see the file services.exe on the Desktop.

    Once that's done, run the following CFScript:

    ComboFix Script

    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Open notepad and copy/paste the text in the codebox below into it:
    • Save this as CFScript.txt, in the same location as ComboFix.exe

      (screenshot: CFScript.txt being dragged onto ComboFix.exe)
    • Referring to the picture above, drag CFScript into ComboFix.exe
    • When finished, it shall produce a log for you at C:\ComboFix.txt
    • Please post the contents of the log in your next reply.
     

    Attached Files:
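After ComboFix has copied the supplied services.exe into system32 (the FCopy line in the next log shows that step), a practitioner wants two things confirmed: that the installed file is byte-for-byte the copy that was put on the Desktop, and that it is a PE image of the right architecture for this x64 Vista install. The Python below is an added example, not code from the thread or from ComboFix; the 384512-byte size is the value the Find3M section reports for c:\windows\system32\services.exe, and the tiny PE stub used for the self-test is constructed. It checks hash, size and the COFF Machine field only; most Windows OS binaries are catalog-signed rather than carrying an embedded Authenticode block, so use Sysinternals sigcheck for the signature question rather than inferring anything from a missing certificate table.

```python
"""Integrity checks for a replaced services.exe (added example; not ComboFix or forum code)."""
import hashlib
import struct
from pathlib import Path
from typing import List

# Size of c:\windows\system32\services.exe as reported in the Find3M section of the logs.
EXPECTED_SIZE = 384512
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def pe_machine(data: bytes) -> int:
    """Return the COFF Machine field of a PE image (raises ValueError if not PE)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return struct.unpack_from("<H", data, e_lfanew + 4)[0]


def check_swap(source: bytes, target: bytes,
               expected_size: int = EXPECTED_SIZE,
               expected_machine: int = IMAGE_FILE_MACHINE_AMD64) -> List[str]:
    """Compare the Desktop copy (source) with the installed file (target).

    Returns a list of findings; an empty list means every check passed.
    """
    findings = []
    if hashlib.sha256(source).digest() != hashlib.sha256(target).digest():
        findings.append("hash mismatch: installed file is not the supplied copy")
    if len(target) != expected_size:
        findings.append(f"size {len(target)} differs from expected {expected_size}")
    try:
        machine = pe_machine(target)
        if machine != expected_machine:
            findings.append(f"machine 0x{machine:04X} is not 0x{expected_machine:04X}: wrong architecture")
    except ValueError as exc:
        findings.append(f"not a PE image: {exc}")
    return findings


def check_paths(source: Path, target: Path) -> List[str]:
    """Run check_swap on real files: the Desktop copy and the installed services.exe."""
    return check_swap(source.read_bytes(), target.read_bytes())


def fake_pe(machine: int, size: int) -> bytes:
    """Constructed stand-in: MZ stub, e_lfanew, PE signature and a Machine field, nothing else."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)   # e_lfanew -> PE header at 0x80
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x84, machine)  # COFF Machine field
    return bytes(buf)


if __name__ == "__main__":
    good = fake_pe(IMAGE_FILE_MACHINE_AMD64, EXPECTED_SIZE)
    print(check_swap(good, good))                                    # []
    print(check_swap(good, fake_pe(IMAGE_FILE_MACHINE_I386, 4096)))  # three findings
```

On the real machine, call check_paths(Path(r"c:\users\Mary\Desktop\services.exe"), Path(r"c:\windows\system32\services.exe")) after the reboot that ComboFix forces; an empty list means the swap landed as intended, and a machine-type finding means the attached file was built for the wrong architecture and the system may not boot cleanly.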

  17. dover1982

    dover1982 TS Rookie Topic Starter Posts: 47

    ComboFix 12-09-11.02 - Mary 09/11/2012 18:36:34.9.4 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4060.1866 [GMT -4:00]
    Running from: c:\users\Mary\Desktop\ComboFix.exe
    Command switches used :: c:\users\Mary\Desktop\CFScript.txt
    AV: AVG Internet Security 2011 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    FW: AVG Firewall *Enabled* {621CC794-9486-F902-D092-0484E8EA828B}
    SP: AVG Internet Security 2011 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\assembly\GAC_32\Desktop.ini
    c:\windows\assembly\GAC_64\Desktop.ini
    .
    .
    --------------- FCopy ---------------
    .
    c:\users\Mary\desktop\services.exe --> c:\windows\system32\services.exe
    .
    ((((((((((((((((((((((((( Files Created from 2012-08-11 to 2012-09-11 )))))))))))))))))))))))))))))))
    .
    .
    2012-09-11 22:49 . 2012-09-11 22:49 -------- d-----w- c:\users\Public\AppData\Local\temp
    2012-09-11 22:49 . 2012-09-11 22:49 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-09-11 22:49 . 2012-09-11 22:49 -------- d-----w- c:\users\AppData\AppData\Local\temp
    2012-08-20 18:21 . 2012-08-20 18:21 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
    2012-08-20 18:16 . 2012-08-21 03:17 -------- d-----w- c:\users\Mary\AppData\Roaming\xsecva
    2012-08-16 00:17 . 2012-05-11 16:34 788480 ----a-w- c:\windows\system32\localspl.dll
    2012-08-16 00:17 . 2012-05-11 15:57 623616 ----a-w- c:\windows\SysWow64\localspl.dll
    2012-08-16 00:17 . 2012-06-29 16:20 648192 ----a-w- c:\windows\system32\netapi32.dll
    2012-08-14 22:10 . 2012-08-14 22:10 -------- d-----w- c:\program files (x86)\Kaspersky Lab
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-09-11 22:29 . 2009-12-03 15:32 384512 ----a-w- c:\windows\system32\services.exe
    2012-07-03 17:46 . 2012-01-26 01:06 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
    .
    .
    ((((((((((((((((((((((((((((( SnapShot_2012-09-10_03.50.51 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2012-09-09 04:32 . 2012-09-08 00:17 16384 c:\windows\temp\Temporary Internet Files\Content.IE5\index.dat
    + 2012-09-11 22:49 . 2012-09-10 21:47 16384 c:\windows\temp\Temporary Internet Files\Content.IE5\index.dat
    - 2012-09-09 04:32 . 2012-09-08 00:17 16384 c:\windows\temp\History\History.IE5\index.dat
    + 2012-09-11 22:49 . 2012-09-10 21:47 16384 c:\windows\temp\History\History.IE5\index.dat
    - 2012-09-09 04:32 . 2012-09-08 00:17 16384 c:\windows\temp\Cookies\index.dat
    + 2012-09-11 22:49 . 2012-09-10 21:47 16384 c:\windows\temp\Cookies\index.dat
    + 2008-01-21 02:23 . 2012-09-10 21:50 67988 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-09-10 08:50 . 2012-09-10 09:21 12806 c:\windows\system32\WDI\ERCQueuedResolutions.dat
    + 2006-11-02 15:45 . 2012-09-10 21:50 91656 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
    - 2006-11-02 15:45 . 2012-09-08 00:19 91656 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2009-09-05 23:57 . 2012-09-10 21:50 17258 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2407127360-2681154229-4036151088-1000_UserData.bin
    - 2009-09-05 23:57 . 2012-09-08 00:19 17258 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2407127360-2681154229-4036151088-1000_UserData.bin
    + 2012-09-10 21:47 . 2012-09-10 21:47 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2012-09-09 04:36 . 2012-09-09 04:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-09-10 21:47 . 2012-09-10 21:47 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2012-09-09 04:36 . 2012-09-09 04:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2012-08-28 06:01 . 2012-09-10 21:47 147456 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2012-08-28 06:01 . 2012-09-09 04:36 147456 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-09-06 14:43 . 2012-09-10 03:50 644424 c:\windows\system32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
    + 2009-09-06 14:43 . 2012-09-11 22:27 644424 c:\windows\system32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
    - 2006-11-02 12:46 . 2012-09-09 04:43 604502 c:\windows\system32\perfh009.dat
    + 2006-11-02 12:46 . 2012-09-10 21:53 604502 c:\windows\system32\perfh009.dat
    + 2006-11-02 12:46 . 2012-09-10 21:53 104202 c:\windows\system32\perfc009.dat
    - 2006-11-02 12:46 . 2012-09-09 04:43 104202 c:\windows\system32\perfc009.dat
    + 2011-02-16 22:00 . 2012-09-10 09:21 287624 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    - 2011-02-16 22:00 . 2012-09-09 04:34 287624 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    - 2008-01-21 03:20 . 2012-09-09 04:36 5210112 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2008-01-21 03:20 . 2012-09-10 21:47 5210112 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2008-01-21 03:20 . 2012-09-10 21:47 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2008-01-21 03:20 . 2012-09-09 04:36 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2011-07-13 07:19 . 2012-09-06 22:32 58378044 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2407127360-2681154229-4036151088-1000-4096.dat
    + 2011-07-13 07:19 . 2012-09-10 09:21 58378044 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2407127360-2681154229-4036151088-1000-4096.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
    2012-07-11 06:07 2074208 ----a-w- c:\program files (x86)\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files (x86)\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll" [2012-07-11 2074208]
    .
    [HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
    [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
    [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-05 68856]
    "KSS"="c:\program files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe" [2012-04-25 202296]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "LedKey"="CNYHKey.exe" [2008-04-24 339968]
    "LchDrvKey"="LchDrvKey.exe" [2007-03-29 36864]
    "AVG_TRAY"="c:\program files (x86)\AVG\AVG10\avgtray.exe" [2012-01-18 2339168]
    "vProt"="c:\program files (x86)\AVG Secure Search\vprot.exe" [2012-07-11 1107552]
    "ROC_roc_dec12"="c:\program files (x86)\AVG Secure Search\ROC_roc_dec12.exe" [2012-02-27 928096]
    .
    c:\users\Mary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    _uninst_75988437.lnk - c:\users\Mary\AppData\Local\temp\_uninst_75988437.bat [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG10\avgchsva.exe /sync\0c:\progra~2\AVG\AVG10\avgrsa.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    S0 91660647;91660647;c:\windows\system32\DRIVERS\91660647.sys [2012-02-04 460888]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-04-04 63928]
    .
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    Themes
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-09-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-30 18:24]
    .
    2012-09-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-30 18:24]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-03-10 1833504]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-03-10 7212576]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]
    "IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-09-12 182808]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]
    "CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-04 2114376]
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uLocal Page = c:\windows\system32\blank.htm
    mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=1006&m=sx2800
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office10\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.1
    Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\11.2.0\ViProtocol.dll
    DPF: {1ABA5FAC-1417-422B-BA82-45C35E2C908B} - hxxp://kitchenplanner.ikea.com/US/Core/Player/2020PlayerAX_IKEA_Win32.cab
    CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
    FF - ProfilePath - c:\users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\axfc2q7p.default\
    FF - prefs.js: browser.search.defaulturl -
    FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B666f7fc8-a785-4d1b-9863-eb4fc40822e1%7D&mid=ef9351033a2cf750a079032fbdd642b8-c98eeb274289a88edf12d9eb252238c58951ab67&ds=AVG&v=11.1.0.12&lang=us&pr=pa&d=2012-02-25%2019%3A43%3A16&sap=ku&q=
    FF - user.js: yahoo.homepage.dontask - true
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    .
    .
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
    "ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @="Shockwave Flash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @=""
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @="FlashBroker"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    Completion time: 2012-09-11 18:52:19
    ComboFix-quarantined-files.txt 2012-09-11 22:52
    ComboFix2.txt 2012-09-10 03:56
    ComboFix3.txt 2012-08-05 21:23
    ComboFix4.txt 2012-08-04 19:16
    ComboFix5.txt 2012-09-11 22:34
    .
    Pre-Run: 442,411,524,096 bytes free
    Post-Run: 442,362,310,656 bytes free
    .
    - - End Of File - - 3D0C03148842C4C11BE44411B66925B2
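The log above lists the autorun points a helper reads by hand: Run keys, the Startup folder, services and drivers, plus directories created in the last month. The Python below is an added example, not part of the thread and not ComboFix code; it parses those ComboFix line formats and flags entries with the properties a reviewer checks first: a missing target ([N/A]), a path under a temp directory, a bare filename in a Run key (resolved through the search path at logon), a numeric-only driver name, and a hidden+system directory such as the one literally named %APPDATA%. The sample input is a constructed subset of lines copied from the log above. The flags are review prompts, not verdicts.

```python
"""Triage of ComboFix autorun and 'Files Created' lines (added example; not from the thread)."""
import re
from typing import Dict, List

# Constructed sample: a subset of lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
2012-08-20 18:21 . 2012-08-20 18:21 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2012-08-20 18:16 . 2012-08-21 03:17 -------- d-----w- c:\users\Mary\AppData\Roaming\xsecva
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-05 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"LedKey"="CNYHKey.exe" [2008-04-24 339968]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG10\avgtray.exe" [2012-01-18 2339168]
_uninst_75988437.lnk - c:\users\Mary\AppData\Local\temp\_uninst_75988437.bat [N/A]
S0 91660647;91660647;c:\windows\system32\DRIVERS\91660647.sys [2012-02-04 460888]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-04-04 63928]
"""

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"(?:\s+\[(?P<date>\S+)\s+(?P<size>\d+)\])?$')
LNK_RE = re.compile(r"^(?P<name>\S+\.lnk) - (?P<path>.+?) \[(?P<meta>[^\]]*)\]$")
SVC_RE = re.compile(r"^(?P<start>[SR]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?) \[(?P<date>\S+) (?P<size>\d+)\]$")
FILE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d \S+ (?P<attrs>\S{8}) (?P<path>.+)$")


def review_reasons(kind: str, path: str, attrs: str = "", meta: str = "") -> List[str]:
    """Heuristics that mark an entry for manual review; each string is one reason."""
    p = path.lower()
    base = p.rsplit("\\", 1)[-1]
    reasons = []
    if meta.upper() == "N/A":
        reasons.append("target file missing (N/A)")
    if "\\temp\\" in p:
        reasons.append("lives in a temp directory")
    if kind == "run" and "\\" not in p:
        reasons.append("bare filename: resolved through the search path at logon")
    if "%appdata%" in p:
        reasons.append("directory literally named %APPDATA% (unexpanded variable on disk)")
    if kind == "driver" and re.fullmatch(r"\d+\.sys", base):
        reasons.append("numeric-only driver name")
    if attrs.startswith("d") and "s" in attrs and "h" in attrs:
        reasons.append("hidden+system directory")
    return reasons


def _entry(kind: str, name: str, path: str, where: str, attrs: str = "", meta: str = "") -> Dict[str, object]:
    return {"kind": kind, "name": name, "path": path, "where": where,
            "reasons": review_reasons(kind, path, attrs, meta)}


def triage(log: str) -> List[Dict[str, object]]:
    """Parse every recognised line into an entry dict carrying its review reasons."""
    entries = []
    current_key = ""
    for raw in log.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")      # registry key for the value lines that follow
            continue
        m = RUN_RE.match(line)
        if m:
            entries.append(_entry("run", m.group("name"), m.group("path"), current_key))
            continue
        m = LNK_RE.match(line)
        if m:
            entries.append(_entry("startup", m.group("name"), m.group("path"),
                                  "Startup folder", meta=m.group("meta")))
            continue
        m = SVC_RE.match(line)
        if m:
            kind = "driver" if m.group("path").lower().endswith(".sys") else "service"
            entries.append(_entry(kind, m.group("name"), m.group("path"), "start type " + m.group("start")))
            continue
        m = FILE_RE.match(line)
        if m:
            path = m.group("path")
            entries.append(_entry("created", path.rsplit("\\", 1)[-1], path,
                                  "Files Created", attrs=m.group("attrs")))
    return entries


def flagged(log: str) -> List[Dict[str, object]]:
    """Only the entries that have at least one review reason."""
    return [e for e in triage(log) if e["reasons"]]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f'{e["kind"]:8} {e["name"]:24} {e["path"]}\n         -> {"; ".join(e["reasons"])}')
```

Two caveats when running this over a full ComboFix log: the Files Created section always contains the temp directories ComboFix itself recreates, and the bare-filename rule also hits vendor hotkey utilities installed straight into c:\windows (the earlier log lists several running from there), so each flag is a reason to resolve the path and inspect the file, not a reason to delete it.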
     
  18. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Good job...

    ComboFix Script

    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Open notepad and copy/paste the text in the codebox below into it:
    • Save this as CFScript.txt, in the same location as ComboFix.exe

      (screenshot: CFScript.txt being dragged onto ComboFix.exe)
    • Referring to the picture above, drag CFScript into ComboFix.exe
    • When finished, it shall produce a log for you at C:\ComboFix.txt
    • Please post the contents of the log in your next reply.
     
  19. dover1982

    dover1982 TS Rookie Topic Starter Posts: 47

    ComboFix 12-09-14.03 - Mary 09/14/2012 17:14:48.10.4 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4060.2221 [GMT -4:00]
    Running from: c:\users\Mary\Desktop\ComboFix.exe
    Command switches used :: c:\users\Mary\Desktop\CFScript.txt
    AV: AVG Internet Security 2011 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    FW: AVG Firewall *Enabled* {621CC794-9486-F902-D092-0484E8EA828B}
    SP: AVG Internet Security 2011 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-08-14 to 2012-09-14 )))))))))))))))))))))))))))))))
    .
    .
    2012-09-14 21:27 . 2012-09-14 21:27 -------- d-----w- c:\users\Public\AppData\Local\temp
    2012-09-14 21:27 . 2012-09-14 21:27 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-09-14 21:27 . 2012-09-14 21:27 -------- d-----w- c:\users\AppData\AppData\Local\temp
    2012-08-20 18:21 . 2012-08-20 18:21 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
    2012-08-20 18:16 . 2012-08-21 03:17 -------- d-----w- c:\users\Mary\AppData\Roaming\xsecva
    2012-08-16 00:17 . 2012-05-11 16:34 788480 ----a-w- c:\windows\system32\localspl.dll
    2012-08-16 00:17 . 2012-05-11 15:57 623616 ----a-w- c:\windows\SysWow64\localspl.dll
    2012-08-16 00:17 . 2012-06-29 16:20 648192 ----a-w- c:\windows\system32\netapi32.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-09-11 22:29 . 2009-12-03 15:32 384512 ----a-w- c:\windows\system32\services.exe
    2012-07-03 17:46 . 2012-01-26 01:06 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
    .
    .
    ((((((((((((((((((((((((((((( SnapShot_2012-09-10_03.50.51 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2012-09-09 04:32 . 2012-09-08 00:17 16384 c:\windows\temp\Temporary Internet Files\Content.IE5\index.dat
    + 2012-09-14 21:27 . 2012-09-14 20:58 16384 c:\windows\temp\Temporary Internet Files\Content.IE5\index.dat
    - 2012-09-09 04:32 . 2012-09-08 00:17 16384 c:\windows\temp\History\History.IE5\index.dat
    + 2012-09-14 21:27 . 2012-09-14 20:58 16384 c:\windows\temp\History\History.IE5\index.dat
    - 2012-09-09 04:32 . 2012-09-08 00:17 16384 c:\windows\temp\Cookies\index.dat
    + 2012-09-14 21:27 . 2012-09-14 20:58 16384 c:\windows\temp\Cookies\index.dat
    + 2008-01-21 02:23 . 2012-09-14 20:59 68004 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-09-10 08:50 . 2012-09-10 09:21 12806 c:\windows\system32\WDI\ERCQueuedResolutions.dat
    + 2006-11-02 15:45 . 2012-09-14 20:59 91656 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
    - 2006-11-02 15:45 . 2012-09-08 00:19 91656 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2009-09-05 23:57 . 2012-09-14 20:59 17258 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2407127360-2681154229-4036151088-1000_UserData.bin
    - 2009-09-05 23:57 . 2012-09-08 00:19 17258 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2407127360-2681154229-4036151088-1000_UserData.bin
    + 2012-09-14 20:57 . 2012-09-14 20:57 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2012-09-09 04:36 . 2012-09-09 04:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-09-14 20:57 . 2012-09-14 20:57 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2012-09-09 04:36 . 2012-09-09 04:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2012-08-28 06:01 . 2012-09-10 21:47 147456 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2012-08-28 06:01 . 2012-09-09 04:36 147456 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-09-06 14:43 . 2012-09-10 03:50 644424 c:\windows\system32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
    + 2009-09-06 14:43 . 2012-09-13 22:38 644424 c:\windows\system32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
    - 2006-11-02 12:46 . 2012-09-09 04:43 604502 c:\windows\system32\perfh009.dat
    + 2006-11-02 12:46 . 2012-09-14 21:03 604502 c:\windows\system32\perfh009.dat
    + 2006-11-02 12:46 . 2012-09-14 21:03 104202 c:\windows\system32\perfc009.dat
    - 2006-11-02 12:46 . 2012-09-09 04:43 104202 c:\windows\system32\perfc009.dat
    + 2011-02-16 22:00 . 2012-09-13 22:53 287624 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    - 2011-02-16 22:00 . 2012-09-09 04:34 287624 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    - 2008-01-21 03:20 . 2012-09-09 04:36 5210112 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2008-01-21 03:20 . 2012-09-10 21:47 5210112 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2008-01-21 03:20 . 2012-09-10 21:47 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2008-01-21 03:20 . 2012-09-09 04:36 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2011-07-13 07:19 . 2012-09-06 22:32 58378044 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2407127360-2681154229-4036151088-1000-4096.dat
    + 2011-07-13 07:19 . 2012-09-13 22:53 58378044 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2407127360-2681154229-4036151088-1000-4096.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
    2012-07-11 06:07 2074208 ----a-w- c:\program files (x86)\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files (x86)\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll" [2012-07-11 2074208]
    .
    [HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
    [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
    [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-05 68856]
    "KSS"="c:\program files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe" [2012-04-25 202296]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "LedKey"="CNYHKey.exe" [2008-04-24 339968]
    "LchDrvKey"="LchDrvKey.exe" [2007-03-29 36864]
    "AVG_TRAY"="c:\program files (x86)\AVG\AVG10\avgtray.exe" [2012-01-18 2339168]
    "vProt"="c:\program files (x86)\AVG Secure Search\vprot.exe" [2012-07-11 1107552]
    "ROC_roc_dec12"="c:\program files (x86)\AVG Secure Search\ROC_roc_dec12.exe" [2012-02-27 928096]
    .
    c:\users\Mary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    _uninst_75988437.lnk - c:\users\Mary\AppData\Local\temp\_uninst_75988437.bat [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG10\avgchsva.exe /sync\0c:\progra~2\AVG\AVG10\avgrsa.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    S0 91660647;91660647;c:\windows\system32\DRIVERS\91660647.sys [2012-02-04 460888]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-04-04 63928]
    .
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    Themes
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-09-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-30 18:24]
    .
    2012-09-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-30 18:24]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-03-10 1833504]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-03-10 7212576]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]
    "IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-09-12 182808]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]
    "CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-04 2114376]
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uLocal Page = c:\windows\system32\blank.htm
    mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=1006&m=sx2800
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office10\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.1
    Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\11.2.0\ViProtocol.dll
    DPF: {1ABA5FAC-1417-422B-BA82-45C35E2C908B} - hxxp://kitchenplanner.ikea.com/US/Core/Player/2020PlayerAX_IKEA_Win32.cab
    CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
    FF - ProfilePath - c:\users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\axfc2q7p.default\
    FF - prefs.js: browser.search.defaulturl -
    FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B666f7fc8-a785-4d1b-9863-eb4fc40822e1%7D&mid=ef9351033a2cf750a079032fbdd642b8-c98eeb274289a88edf12d9eb252238c58951ab67&ds=AVG&v=11.1.0.12&lang=us&pr=pa&d=2012-02-25%2019%3A43%3A16&sap=ku&q=
    FF - user.js: yahoo.homepage.dontask - true
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    .
    .
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
    "ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @="Shockwave Flash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @=""
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @="FlashBroker"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    Completion time: 2012-09-14 17:30:13
    ComboFix-quarantined-files.txt 2012-09-14 21:30
    ComboFix2.txt 2012-09-11 22:52
    ComboFix3.txt 2012-09-10 03:56
    ComboFix4.txt 2012-08-05 21:23
    ComboFix5.txt 2012-09-14 21:11
    .
    Pre-Run: 442,362,130,432 bytes free
    Post-Run: 442,268,938,240 bytes free
    .
    - - End Of File - - 69D643B96D9DAB7098CF9168A528B075
     
  20. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so and install it.
    • Click Start or wait for the scanner to load.
    • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, there are a couple of things to keep in mind:
    • 1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
    • 2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
    • Open the logfile from wherever you saved it
    • Copy and paste the contents in your next reply.
     
  21. dover1982

    dover1982 TS Rookie Topic Starter Posts: 47

    C:\Qoobox\Quarantine\C\Windows\assembly\GAC_32\Desktop.ini.vir Win32/Sirefef.EZ trojan deleted - quarantined
    C:\Qoobox\Quarantine\C\Windows\assembly\GAC_64\Desktop.ini.vir Win64/Sirefef.AD trojan deleted - quarantined
    C:\Qoobox\Quarantine\C\Windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\U\00000004.@.vir Win64/Conedex.C trojan cleaned by deleting - quarantined
    C:\Qoobox\Quarantine\C\Windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\U\00000008.@.vir Win64/Agent.BA trojan cleaned by deleting - quarantined
    C:\Qoobox\Quarantine\C\Windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\U\000000cb.@.vir Win64/Conedex.B trojan cleaned by deleting - quarantined
    C:\Qoobox\Quarantine\C\Windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\U\80000000.@.vir Win64/Sirefef.AP trojan cleaned by deleting - quarantined
    C:\Qoobox\Quarantine\C\Windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\U\80000032.@.vir Win32/Sirefef.FD trojan cleaned by deleting - quarantined
    C:\Qoobox\Quarantine\C\Windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\U\80000064.@.vir Win64/Sirefef.AN trojan cleaned by deleting - quarantined
    C:\Qoobox\Quarantine\C\Windows\System32\services.exe.vir Win64/Patched.B trojan deleted - quarantined
     
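As an added example (not part of the thread or of ESET's or ComboFix's own tooling), a small Python parser for the exported ESET lines above: it maps each hit under ComboFix's quarantine folder (the C:\Qoobox\Quarantine prefix, with its .vir suffix) back to the file's original location, counts hits per family, and flags any that originally lived in a Windows system directory. It assumes the three-field line layout shown in the post; the sample lines are a constructed copy of that post.

```python
import re
from collections import Counter

# Sample input: the nine ESET lines quoted in the post above (constructed copy, same layout).
ESET_LOG = r"""
C:\Qoobox\Quarantine\C\Windows\assembly\GAC_32\Desktop.ini.vir Win32/Sirefef.EZ trojan deleted - quarantined
C:\Qoobox\Quarantine\C\Windows\assembly\GAC_64\Desktop.ini.vir Win64/Sirefef.AD trojan deleted - quarantined
C:\Qoobox\Quarantine\C\Windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\U\00000004.@.vir Win64/Conedex.C trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\U\00000008.@.vir Win64/Agent.BA trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\U\000000cb.@.vir Win64/Conedex.B trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\U\80000000.@.vir Win64/Sirefef.AP trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\U\80000032.@.vir Win32/Sirefef.FD trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\U\80000064.@.vir Win64/Sirefef.AN trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\System32\services.exe.vir Win64/Patched.B trojan deleted - quarantined
"""

QUARANTINE_ROOT = r"C:\Qoobox\Quarantine"  # ComboFix's quarantine folder, as seen in the paths
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
# One hit per line (assumed layout): <path> Win32|Win64/<Family>.<Variant> <type> <action taken>
LINE_RE = re.compile(r"^(?P<path>.+?)\s+(?P<threat>Win(?:32|64)/\S+ \w+)\s+(?P<action>.+?)\s*$")

def original_path(path):
    r"""Undo ComboFix's quarantine layout: C:\Qoobox\Quarantine\C\<rest>.vir -> C:\<rest>."""
    if not path.lower().startswith(QUARANTINE_ROOT.lower() + "\\"):
        return path, False
    drive, _, tail = path[len(QUARANTINE_ROOT) + 1:].partition("\\")
    return f"{drive}:\\{tail[:-4] if tail.lower().endswith('.vir') else tail}", True

def parse_eset_log(text):
    records = []
    for m in filter(None, (LINE_RE.match(l.strip()) for l in text.splitlines())):
        orig, quarantined = original_path(m["path"])
        records.append({
            "original_path": orig, "was_quarantined": quarantined,
            "family": m["threat"].split("/", 1)[1].split(".", 1)[0],  # Sirefef, Conedex, ...
            "threat": m["threat"], "action": m["action"]})
    return records

def summarize(records):
    """Per-family counts, whether ComboFix had already quarantined every hit, and system-dir hits."""
    return {
        "total": len(records),
        "families": Counter(r["family"] for r in records),
        "all_already_quarantined": all(r["was_quarantined"] for r in records),
        "system_dir_hits": [r["original_path"] for r in records
                            if any(d in r["original_path"].lower() for d in SYSTEM_DIRS)]}
```

For the lines above, every hit resolves to a path ComboFix had already moved to quarantine, and the only system-directory hit is the patched C:\Windows\System32\services.exe that the helper asked about earlier in the thread.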
  22. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Any more issues?

    We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

    Many of the things to note for us would be:

    • Slow computer
    • Error messages
    • Fake antivirus alerts or the icon in the system tray
    • svchost.exe running at 100%
    • System crashes or blue screen of death
     
  23. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Please update us on the status of your PC. We'd still like to help.

    Topic marked inactive.
     
  24. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    This is the last I ask about your inactivity. Please let us know if you want to continue disinfection.
     
  25. dover1982

    dover1982 TS Rookie Topic Starter Posts: 47

    Sorry for the inactivity, got a little busy and didn't keep up with the computer.

    The computer is much better. The reoccurring detection of the "system32" file by AVG is gone. I haven't any redirects on Internet Explorer.

    I do have two questions. One, for the objects that were detected by Resident Shield multiple times, can I "remove/clean" them in Resident Shield? The reason I ask is that the system32 problem was partly due to me neutralizing that object when it was mistakenly quarantined by AVG, correct?

    CanIRemovethese.JPG

    Two, specifically the one object found by Resident Shield "May be infected by unknown virus Win32/DH{LgMPNg}", can I be sure that this was actually removed successfully? The description of that infection is odd and makes me wonder....

    QuestionableVirusRemoval.JPG
     