[Closed] Possible fake AVG and Security Shield virus

  • Please go to VirSCAN.org FREE on-line scan service
  • Browse for the following file path into the "Suspicious files to scan" box on the top of the page:
    • c:\windows\system32\services.exe
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
 
I ran the VirScan for "c:\windows\system32\services.exe" but it wouldn't work. I tried it twice and once left it alone for three hours and there was no sign of progress in its status bar. I was able to click "ReScan" but that was as far as I got. However, I didn't close Kaspersky and had both running at the same time, just in case that matters. I did end up clicking "skip" on the objects that Kaspersky detected and the Kaspersky scan is now moving again and scanning files. So I guess I should just let Kaspersky finish?
 
Ok the Kaspersky scan is done. Before I click "Disinfect all", I noticed that it has 8 objects listed as "Vulnerability", which includes things like QuickTime Player and iTunes. I was just wondering if those programs would be safe or not after clicking "Disinfect all"?
 
After clicking "Disinfect all" on the Kaspersky scan, it started disinfection and then upon completion it automatically restarted the computer, so I was unable to click "Save" for the report. I reopened Kaspersky but couldn't find any report. There were a number of alerts in the lower right-hand corner of the screen from Kaspersky while it was disinfecting and I skipped over most of them. Did I just ruin the scan and allow malicious objects to still be on my computer by "skipping" over them?

I ran the virustotal.com scan for services.exe and it came up completely clean.
 
Cool! :) They weren't malicious. ;)

Let me know the overall picture of what we're looking at for your computer.
 
- Well the most recent problem was a few resident shield detections. Though this was before the recent Kaspersky scan we ran that caught a bunch of stuff. One thing that resident shield still catches even after the Kaspersky scan is that services.exe file. I know the scan we ran for that file turned up clean but what do I do about AVG detecting it over and over again?

ResidentShieldrepeats.JPG

- Before we started doing the recent string of scans or at least attempts at scans, I posted a photo of a few questionable detections by resident shield including one object that read "May be infected by unknown virus Win32/DH{LgMPNg}". That just sounds odd to me and makes me wonder if it was actually cleaned or not? There was also an object in those detections that was supposedly removed successfully once but then was found again. I'll post a photo of that group of detections.

ResidentShieldpic.JPG

- I've had a lot of redirects while using Internet Explorer

- Since I restarted the computer after Kaspersky's disinfection, I have a pop-up on startup that reads "Windows cannot find '3404752.exe'. Make sure you typed the name correctly, and then try again." Don't know if this is a big deal or not.

- One of the original problems I had was a pop-up in the lower right-hand corner of the screen letting me know that User Account Control was off. I don't know how that happened, whether it was part of any original virus or not, and I honestly don't know whether it was possibly always off or not. And now I went to the User Account Control settings and apparently the Control Panel icons and arrangement have changed from when I originally looked for whether it was off or not. I don't know how that happened, but anyway it doesn't say whether UAC is off or on explicitly like before. I can still access it, but I just can't tell what its setting is.

- The computer had made great progress and a lot of the original problems were gone, and then one day I had a bunch of trouble and one of those things was a malware detection by AVG. I mentioned it before, but just in case it could help I'll mention it again with a couple of pictures of the alert and the details of the initial alert.

ThreatRemoval.JPG

IDProDetails.JPG

- And I figured I'd just remind you that one of the big problems from the start was a questionable alert from AVG's Identity Protection. I thought it might've been a fake but after a few scans it seemed legit, and it was, as I moved the threat to the vault, which was listed as a certain backdoor trojan. Immediately after moving the threat to the vault, ID Pro followed up with an alert saying it caught some malware. I assume AVG has taken care of those threats but since they seem significant I thought I'd let you know. I do have a photo of the alert, but not the details nor the malware alert that followed the trojan alert.

AVGIDPROsnip.JPG
 
I took three pictures: one of the overview of the scan results, another of those under "infections", and a third of those under "warnings". I didn't get all the objects in "warnings" in one photo since there were like 80 of them, but all are cookies. If you'd like to see the rest of those let me know and I'll take a couple more screenshots.

I noticed that there was one "infection" that wasn't removed or healed, I'm assuming that's the services.exe? It's confusing because there's a green check mark on that object. I left the results open since it has the option to "remove all unhealed", should I click that or leave it alone?

AVGscanoverview.JPG

AVGscaninfections.JPG

AVGscanwarnings.JPG
 
New log from ComboFix

We would like to see a new log from ComboFix. Please find the ComboFix icon on your Desktop, and double-click on it. Once it finishes running, post the new log.
 
I'm having trouble getting ComboFix to run. An alert comes up during the installation. I've tried ComboFix a number of times, even clicking "Ignore" on the alert, after which the installation seems to finish, but then a blue screen pops up for a split second and that's it.

combofixalert.JPG
 
Please try again in Safe Mode with Networking (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).
 
ComboFix 12-09-07.03 - Mary 09/07/2012 20:29:50.8.4 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4060.2421 [GMT -4:00]
Running from: c:\users\Mary\Desktop\ComboFix.exe
AV: AVG Internet Security 2011 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
FW: AVG Firewall *Enabled* {621CC794-9486-F902-D092-0484E8EA828B}
SP: AVG Internet Security 2011 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
c:\windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\@
c:\windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\L\00000004.@
c:\windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\L\201d3dde
c:\windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\U\00000004.@
c:\windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\U\00000008.@
c:\windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\U\000000cb.@
c:\windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\U\80000000.@
c:\windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\U\80000032.@
c:\windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\U\80000064.@
.
c:\windows\system32\Services.exe . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2012-08-10 to 2012-09-10 )))))))))))))))))))))))))))))))
.
.
2012-09-09 04:32 . 2012-09-09 04:32 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-09-09 04:32 . 2012-09-09 04:32 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-09-09 04:32 . 2012-09-09 04:32 -------- d-----w- c:\users\AppData\AppData\Local\temp
2012-08-20 18:21 . 2012-08-20 18:21 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2012-08-20 18:16 . 2012-08-21 03:17 -------- d-----w- c:\users\Mary\AppData\Roaming\xsecva
2012-08-16 00:17 . 2012-05-11 16:34 788480 ----a-w- c:\windows\system32\localspl.dll
2012-08-16 00:17 . 2012-05-11 15:57 623616 ----a-w- c:\windows\SysWow64\localspl.dll
2012-08-16 00:17 . 2012-06-29 16:20 648192 ----a-w- c:\windows\system32\netapi32.dll
2012-08-14 22:10 . 2012-08-14 22:10 -------- d-----w- c:\program files (x86)\Kaspersky Lab
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-03 17:46 . 2012-01-26 01:06 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-04-11 . BC81150939BD52DBC7A08C245F1FB229 . 384512 . . [6.0.6000.16386] .. c:\windows\system32\services.exe
.
((((((((((((((((((((((((((((( SnapShot_2012-08-04_19.13.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-09-09 04:32 . 2012-09-08 00:17 16384 c:\windows\temp\Temporary Internet Files\Content.IE5\index.dat
+ 2012-09-09 04:32 . 2012-09-08 00:17 16384 c:\windows\temp\History\History.IE5\index.dat
+ 2012-09-09 04:32 . 2012-09-08 00:17 16384 c:\windows\temp\Cookies\index.dat
+ 2012-08-16 07:02 . 2012-06-28 00:08 73216 c:\windows\SysWOW64\mshtmled.dll
- 2012-07-11 07:01 . 2012-06-02 08:17 73216 c:\windows\SysWOW64\mshtmled.dll
- 2012-07-11 07:01 . 2012-06-02 08:22 66048 c:\windows\SysWOW64\migration\WininetPlugin.dll
+ 2012-08-16 07:02 . 2012-06-28 00:13 66048 c:\windows\SysWOW64\migration\WininetPlugin.dll
+ 2012-08-16 07:02 . 2012-06-28 00:13 65024 c:\windows\SysWOW64\jsproxy.dll
- 2012-07-11 07:01 . 2012-06-02 08:21 65024 c:\windows\SysWOW64\jsproxy.dll
+ 2012-08-21 06:03 . 2012-09-05 21:58 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat
+ 2012-08-20 18:22 . 2012-08-20 18:22 49120 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT
+ 2012-08-20 18:22 . 2012-09-05 22:37 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
+ 2012-08-20 18:21 . 2012-09-05 22:37 16384 c:\windows\SysWOW64\%APPDATA%\Microsoft\Windows\IETldCache\index.dat
+ 2008-01-21 02:23 . 2012-09-08 00:19 67980 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-09-10 08:50 . 2012-09-06 22:32 10200 c:\windows\system32\WDI\ERCQueuedResolutions.dat
+ 2006-11-02 15:45 . 2012-09-08 00:19 91656 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-09-05 23:57 . 2012-09-08 00:19 17258 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2407127360-2681154229-4036151088-1000_UserData.bin
- 2012-07-11 07:01 . 2012-06-02 11:57 96768 c:\windows\system32\mshtmled.dll
+ 2012-08-16 07:02 . 2012-06-28 03:13 96768 c:\windows\system32\mshtmled.dll
+ 2012-08-16 07:02 . 2012-06-28 03:18 86528 c:\windows\system32\migration\WininetPlugin.dll
- 2012-07-11 07:01 . 2012-06-02 12:03 86528 c:\windows\system32\migration\WininetPlugin.dll
- 2012-07-11 07:01 . 2012-06-02 12:03 85504 c:\windows\system32\jsproxy.dll
+ 2012-08-16 07:02 . 2012-06-28 03:17 85504 c:\windows\system32\jsproxy.dll
- 2009-09-05 23:56 . 2012-08-02 15:56 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-09-05 23:56 . 2012-09-01 07:30 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-09-05 23:56 . 2012-09-01 07:30 49152 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-09-05 23:56 . 2012-09-01 07:30 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-08-31 07:57 . 2012-08-31 07:57 49120 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT
- 2012-05-10 07:04 . 2012-05-10 07:04 49936 c:\windows\Installer\{95120000-00AF-0409-0000-0000000FF1CE}\ppvwicon.exe
+ 2012-08-16 07:04 . 2012-08-16 07:04 49936 c:\windows\Installer\{95120000-00AF-0409-0000-0000000FF1CE}\ppvwicon.exe
- 2012-05-10 07:15 . 2012-05-10 07:15 35600 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2012-08-16 07:04 . 2012-08-16 07:04 35600 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2010-01-01 01:13 . 2012-08-31 23:44 1808 c:\windows\system32\WDI\{95c162b7-5b71-44f8-82e4-abfd3108f40f}.bin
+ 2010-05-17 00:43 . 2012-08-19 20:02 2408 c:\windows\system32\WDI\{88d4896f-f553-446a-9c75-9dec124ff8b7}.bin
+ 2012-09-09 04:36 . 2012-09-09 04:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-08-04 16:11 . 2012-08-04 16:11 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-08-04 16:11 . 2012-08-04 16:11 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-09-09 04:36 . 2012-09-09 04:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-07-11 07:01 . 2012-06-02 08:23 231936 c:\windows\SysWOW64\url.dll
+ 2012-08-16 07:02 . 2012-06-28 00:16 231936 c:\windows\SysWOW64\url.dll
+ 2012-08-16 00:17 . 2012-06-29 16:01 467968 c:\windows\SysWOW64\netapi32.dll
+ 2012-08-16 07:02 . 2012-06-28 00:10 717824 c:\windows\SysWOW64\jscript.dll
- 2012-07-11 07:01 . 2012-06-02 08:20 142848 c:\windows\SysWOW64\ieUnatt.exe
+ 2012-08-16 07:02 . 2012-06-28 00:12 142848 c:\windows\SysWOW64\ieUnatt.exe
+ 2012-08-16 07:02 . 2012-06-28 00:04 176640 c:\windows\SysWOW64\ieui.dll
- 2012-07-11 07:01 . 2012-06-02 08:14 176640 c:\windows\SysWOW64\ieui.dll
+ 2012-08-28 06:01 . 2012-09-09 04:36 147456 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-09-06 14:43 . 2012-09-10 03:50 644424 c:\windows\system32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2012-08-16 07:02 . 2012-06-28 03:19 237056 c:\windows\system32\url.dll
- 2012-07-11 07:01 . 2012-06-02 12:04 237056 c:\windows\system32\url.dll
+ 2006-11-02 12:46 . 2012-09-09 04:43 604502 c:\windows\system32\perfh009.dat
- 2006-11-02 12:46 . 2012-08-04 16:18 604502 c:\windows\system32\perfh009.dat
+ 2006-11-02 12:46 . 2012-09-09 04:43 104202 c:\windows\system32\perfc009.dat
- 2006-11-02 12:46 . 2012-08-04 16:18 104202 c:\windows\system32\perfc009.dat
+ 2012-08-16 07:02 . 2012-06-28 03:16 816640 c:\windows\system32\jscript.dll
+ 2012-08-16 07:02 . 2012-06-28 03:16 173056 c:\windows\system32\ieUnatt.exe
- 2012-07-11 07:01 . 2012-06-02 12:01 173056 c:\windows\system32\ieUnatt.exe
- 2012-07-11 07:01 . 2012-06-02 11:54 248320 c:\windows\system32\ieui.dll
+ 2012-08-16 07:02 . 2012-06-28 03:08 248320 c:\windows\system32\ieui.dll
- 2006-11-02 15:21 . 2012-07-11 17:11 303936 c:\windows\system32\FNTCACHE.DAT
+ 2006-11-02 15:21 . 2012-08-16 07:23 303936 c:\windows\system32\FNTCACHE.DAT
+ 2011-02-16 22:00 . 2012-09-09 04:34 287624 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2011-02-16 22:00 . 2012-08-04 16:09 287624 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2012-08-16 07:02 . 2012-06-28 00:18 1129472 c:\windows\SysWOW64\wininet.dll
- 2012-07-11 07:01 . 2012-06-02 08:25 1129472 c:\windows\SysWOW64\wininet.dll
- 2012-07-11 07:01 . 2012-06-02 08:26 1103872 c:\windows\SysWOW64\urlmon.dll
+ 2012-08-16 07:02 . 2012-06-28 00:18 1103872 c:\windows\SysWOW64\urlmon.dll
+ 2012-08-16 07:02 . 2012-06-28 00:27 1800704 c:\windows\SysWOW64\jscript9.dll
- 2012-07-11 07:01 . 2012-06-02 08:19 1793024 c:\windows\SysWOW64\iertutil.dll
+ 2012-08-16 07:02 . 2012-06-28 00:08 1793024 c:\windows\SysWOW64\iertutil.dll
- 2012-07-11 07:01 . 2012-06-02 08:43 9737728 c:\windows\SysWOW64\ieframe.dll
+ 2012-08-16 07:02 . 2012-06-28 00:28 9737728 c:\windows\SysWOW64\ieframe.dll
+ 2008-01-21 03:20 . 2012-09-09 04:36 5210112 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2012-07-11 07:01 . 2012-06-02 12:05 1392128 c:\windows\system32\wininet.dll
+ 2012-08-16 07:02 . 2012-06-28 03:21 1392128 c:\windows\system32\wininet.dll
- 2012-07-11 07:01 . 2012-06-13 13:58 2769408 c:\windows\system32\win32k.sys
+ 2012-08-16 07:02 . 2012-07-04 14:33 2769408 c:\windows\system32\win32k.sys
+ 2012-08-16 07:02 . 2012-06-28 03:22 1346048 c:\windows\system32\urlmon.dll
- 2012-07-11 07:01 . 2012-06-02 12:05 1346048 c:\windows\system32\urlmon.dll
+ 2012-08-16 07:02 . 2012-06-28 03:28 2312704 c:\windows\system32\jscript9.dll
- 2012-07-11 07:01 . 2012-06-02 11:59 2144768 c:\windows\system32\iertutil.dll
+ 2012-08-16 07:02 . 2012-06-28 03:14 2144768 c:\windows\system32\iertutil.dll
+ 2011-07-13 07:19 . 2012-09-06 22:32 1350296 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2407127360-2681154229-4036151088-1000-8192.dat
- 2011-07-13 07:19 . 2012-07-28 01:02 1350296 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2407127360-2681154229-4036151088-1000-8192.dat
+ 2012-06-26 22:03 . 2012-06-26 22:03 3875840 c:\windows\Installer\dd0ee8f.msp
+ 2012-08-14 22:10 . 2012-08-14 22:10 3636224 c:\windows\Installer\6c2e056.msi
+ 2012-08-16 07:02 . 2012-06-28 00:50 12317184 c:\windows\SysWOW64\mshtml.dll
+ 2008-01-21 03:20 . 2012-09-09 04:36 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2006-11-02 12:33 . 2012-08-16 07:21 11272192 c:\windows\system32\SMI\Store\Machine\schema.dat
- 2006-11-02 12:33 . 2012-07-11 17:09 11272192 c:\windows\system32\SMI\Store\Machine\schema.dat
+ 2012-08-16 07:02 . 2012-06-28 04:10 17809920 c:\windows\system32\mshtml.dll
+ 2012-08-16 07:02 . 2012-06-28 03:39 10925568 c:\windows\system32\ieframe.dll
+ 2011-07-13 07:19 . 2012-09-06 22:32 58378044 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2407127360-2681154229-4036151088-1000-4096.dat
+ 2012-01-28 03:02 . 2012-09-04 19:58 24881724 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2407127360-2681154229-4036151088-1000-12288.dat
+ 2012-08-20 21:46 . 2012-09-06 22:32 13128116 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-18-16384.dat
+ 2012-07-18 19:53 . 2012-07-18 19:53 10937344 c:\windows\Installer\dd0ee81.msp
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-07-11 06:07 2074208 ----a-w- c:\program files (x86)\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files (x86)\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll" [2012-07-11 2074208]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-05 68856]
"KSS"="c:\program files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe" [2012-04-25 202296]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"LedKey"="CNYHKey.exe" [2008-04-24 339968]
"LchDrvKey"="LchDrvKey.exe" [2007-03-29 36864]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG10\avgtray.exe" [2012-01-18 2339168]
"vProt"="c:\program files (x86)\AVG Secure Search\vprot.exe" [2012-07-11 1107552]
"ROC_roc_dec12"="c:\program files (x86)\AVG Secure Search\ROC_roc_dec12.exe" [2012-02-27 928096]
.
c:\users\Mary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
_uninst_75988437.lnk - c:\users\Mary\AppData\Local\temp\_uninst_75988437.bat [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG10\avgchsva.exe /sync\0c:\progra~2\AVG\AVG10\avgrsa.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
S0 91660647;91660647;c:\windows\system32\DRIVERS\91660647.sys [2012-02-04 460888]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-04-04 63928]
.
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-30 18:24]
.
2012-09-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-30 18:24]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-03-10 1833504]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-03-10 7212576]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-09-12 182808]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]
"CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-04 2114376]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=1006&m=sx2800
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office10\EXCEL.EXE/3000
LSP: mswsock.dll
TCP: DhcpNameServer = 192.168.1.1
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\11.2.0\ViProtocol.dll
DPF: {1ABA5FAC-1417-422B-BA82-45C35E2C908B} - hxxp://kitchenplanner.ikea.com/US/Core/Player/2020PlayerAX_IKEA_Win32.cab
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\axfc2q7p.default\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B666f7fc8-a785-4d1b-9863-eb4fc40822e1%7D&mid=ef9351033a2cf750a079032fbdd642b8-c98eeb274289a88edf12d9eb252238c58951ab67&ds=AVG&v=11.1.0.12&lang=us&pr=pa&d=2012-02-25%2019%3A43%3A16&sap=ku&q=
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\AVG\AVG10\avgfws.exe
c:\program files (x86)\AVG\AVG10\avgwdsvc.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files (x86)\Flip Video\FlipShare\FlipShareService.exe
c:\program files (x86)\Flip Video\FlipShareServer\FlipShareServer.exe
c:\program files (x86)\AVG\AVG10\avgam.exe
c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\11.2.0\ToolbarUpdater.exe
c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
c:\windows\MHotKey.exe
c:\windows\CNYHKey.exe
c:\program files (x86)\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
c:\windows\ModLedKey.exe
c:\windows\ChiFuncExt.exe
.
**************************************************************************
.
Completion time: 2012-09-09 23:56:52 - machine was rebooted
ComboFix-quarantined-files.txt 2012-09-10 03:56
ComboFix2.txt 2012-08-05 21:23
ComboFix3.txt 2012-08-04 19:16
ComboFix4.txt 2012-05-27 21:14
ComboFix5.txt 2012-09-07 23:37
.
Pre-Run: 442,466,832,384 bytes free
Post-Run: 441,782,059,008 bytes free
.
- - End Of File - - 5DE43D4B59F38B2608342FDCDE1FB7D1
 
Okay, good. Just checking there.

Please download the attached file (Vista.zip).

Extract the contents of it, and transfer the file to the Desktop. You should see the file services.exe on the Desktop.

Once that's done, run the following CFScript:

ComboFix Script

  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it:
    FCopy::
    c:\users\Mary\desktop\services.exe | c:\windows\system32\services.exe
  • Save this as CFScript.txt, in the same location as ComboFix.exe

    CFScriptB-4.gif

  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.
 

Attachments

  • Vista.zip
    158.8 KB
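The helper's reasoning above rests on two facts from the first ComboFix log: its Sigcheck section printed services.exe as "[-]" (the log's own note says unsigned files are not necessarily malware) together with the file's MD5, size and version, and the fix was an FCopy of a known-clean services.exe over the flagged one. The script below is an added example, not code from the thread, from ComboFix or from the helper: it parses Sigcheck lines in the format seen in the posted log into records, then hashes a file on disk and reports whether it still matches a flagged entry, which is how one would confirm after the FCopy that the copy on disk is no longer the one the log recorded. The line format, the meaning of the "-" flag, and the constructed placeholder file in `demo()` are assumptions made for the example.

```python
"""Added example: read ComboFix Sigcheck lines and check a file's MD5 against them.

Assumed line format (as it appears in the posted log, not documented by ComboFix):
    [flag] YYYY-MM-DD . MD5 . size . . [version] .. path
"""
import hashlib
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# One regex for the assumed Sigcheck layout; fields are separated by " . " tokens.
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[-+ ?])\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\.\s+(?P<path>.+?)\s*$"
)


@dataclass(frozen=True)
class SigcheckEntry:
    flag: str      # "-" on the posted line; read here as "failed signature check" (assumption)
    date: str
    md5: str       # upper-case hex, as ComboFix prints it
    size: int
    version: str
    path: str

    @property
    def unsigned(self) -> bool:
        return self.flag == "-"


def parse_sigcheck(lines):
    """Return SigcheckEntry records for every line that matches the assumed layout.

    Headers, the 'Note:' line and the '.' separators simply do not match and are skipped.
    """
    entries = []
    for line in lines:
        m = SIGCHECK_RE.match(line.strip())
        if m:
            entries.append(SigcheckEntry(
                flag=m["flag"], date=m["date"], md5=m["md5"].upper(),
                size=int(m["size"]), version=m["version"], path=m["path"]))
    return entries


def md5_of_file(path, chunk=1 << 16):
    """Stream the file through MD5 so large binaries do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


def matches_flagged_hash(path, entries):
    """Return the Sigcheck entry whose MD5 equals the file's, or None if it matches none.

    A None result after an FCopy means the file on disk is no longer the copy the log flagged;
    a match means the replacement did not take effect.
    """
    digest = md5_of_file(path)
    for e in entries:
        if e.md5 == digest:
            return e
    return None


def demo():
    """Walk-through on the posted Sigcheck line plus a constructed placeholder file."""
    posted_log_excerpt = [
        "------- Sigcheck -------",
        "Note: Unsigned files aren't necessarily malware.",
        ".",
        r"[-] 2009-04-11 . BC81150939BD52DBC7A08C245F1FB229 . 384512 . . [6.0.6000.16386] .. c:\windows\system32\services.exe",
    ]
    entries = parse_sigcheck(posted_log_excerpt)
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-in for the file under test; it is not a real binary.
        candidate = Path(d) / "services.exe"
        candidate.write_bytes(b"constructed placeholder, not a real services.exe\n")
        hit = matches_flagged_hash(candidate, entries)
    return entries, hit


if __name__ == "__main__":
    parsed, match = demo()
    for e in parsed:
        print(f"{e.path}: unsigned={e.unsigned} md5={e.md5} size={e.size} version={e.version}")
    print("still the flagged copy" if match else "does not match any flagged entry")
```

To use it on a real machine you would point `matches_flagged_hash` at the actual `c:\windows\system32\services.exe` and feed it the Sigcheck lines from the log; MD5 is used only because that is the digest ComboFix prints, not because it is a strong hash.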
ComboFix 12-09-11.02 - Mary 09/11/2012 18:36:34.9.4 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4060.1866 [GMT -4:00]
Running from: c:\users\Mary\Desktop\ComboFix.exe
Command switches used :: c:\users\Mary\Desktop\CFScript.txt
AV: AVG Internet Security 2011 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
FW: AVG Firewall *Enabled* {621CC794-9486-F902-D092-0484E8EA828B}
SP: AVG Internet Security 2011 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
.
.
--------------- FCopy ---------------
.
c:\users\Mary\desktop\services.exe --> c:\windows\system32\services.exe
.
((((((((((((((((((((((((( Files Created from 2012-08-11 to 2012-09-11 )))))))))))))))))))))))))))))))
.
.
2012-09-11 22:49 . 2012-09-11 22:49 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-09-11 22:49 . 2012-09-11 22:49 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-09-11 22:49 . 2012-09-11 22:49 -------- d-----w- c:\users\AppData\AppData\Local\temp
2012-08-20 18:21 . 2012-08-20 18:21 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2012-08-20 18:16 . 2012-08-21 03:17 -------- d-----w- c:\users\Mary\AppData\Roaming\xsecva
2012-08-16 00:17 . 2012-05-11 16:34 788480 ----a-w- c:\windows\system32\localspl.dll
2012-08-16 00:17 . 2012-05-11 15:57 623616 ----a-w- c:\windows\SysWow64\localspl.dll
2012-08-16 00:17 . 2012-06-29 16:20 648192 ----a-w- c:\windows\system32\netapi32.dll
2012-08-14 22:10 . 2012-08-14 22:10 -------- d-----w- c:\program files (x86)\Kaspersky Lab
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-11 22:29 . 2009-12-03 15:32 384512 ----a-w- c:\windows\system32\services.exe
2012-07-03 17:46 . 2012-01-26 01:06 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((( SnapShot_2012-09-10_03.50.51 )))))))))))))))))))))))))))))))))))))))))
.
- 2012-09-09 04:32 . 2012-09-08 00:17 16384 c:\windows\temp\Temporary Internet Files\Content.IE5\index.dat
+ 2012-09-11 22:49 . 2012-09-10 21:47 16384 c:\windows\temp\Temporary Internet Files\Content.IE5\index.dat
- 2012-09-09 04:32 . 2012-09-08 00:17 16384 c:\windows\temp\History\History.IE5\index.dat
+ 2012-09-11 22:49 . 2012-09-10 21:47 16384 c:\windows\temp\History\History.IE5\index.dat
- 2012-09-09 04:32 . 2012-09-08 00:17 16384 c:\windows\temp\Cookies\index.dat
+ 2012-09-11 22:49 . 2012-09-10 21:47 16384 c:\windows\temp\Cookies\index.dat
+ 2008-01-21 02:23 . 2012-09-10 21:50 67988 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-09-10 08:50 . 2012-09-10 09:21 12806 c:\windows\system32\WDI\ERCQueuedResolutions.dat
+ 2006-11-02 15:45 . 2012-09-10 21:50 91656 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2006-11-02 15:45 . 2012-09-08 00:19 91656 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-09-05 23:57 . 2012-09-10 21:50 17258 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2407127360-2681154229-4036151088-1000_UserData.bin
- 2009-09-05 23:57 . 2012-09-08 00:19 17258 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2407127360-2681154229-4036151088-1000_UserData.bin
+ 2012-09-10 21:47 . 2012-09-10 21:47 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-09-09 04:36 . 2012-09-09 04:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-09-10 21:47 . 2012-09-10 21:47 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-09-09 04:36 . 2012-09-09 04:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-08-28 06:01 . 2012-09-10 21:47 147456 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2012-08-28 06:01 . 2012-09-09 04:36 147456 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-09-06 14:43 . 2012-09-10 03:50 644424 c:\windows\system32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2009-09-06 14:43 . 2012-09-11 22:27 644424 c:\windows\system32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2006-11-02 12:46 . 2012-09-09 04:43 604502 c:\windows\system32\perfh009.dat
+ 2006-11-02 12:46 . 2012-09-10 21:53 604502 c:\windows\system32\perfh009.dat
+ 2006-11-02 12:46 . 2012-09-10 21:53 104202 c:\windows\system32\perfc009.dat
- 2006-11-02 12:46 . 2012-09-09 04:43 104202 c:\windows\system32\perfc009.dat
+ 2011-02-16 22:00 . 2012-09-10 09:21 287624 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2011-02-16 22:00 . 2012-09-09 04:34 287624 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2008-01-21 03:20 . 2012-09-09 04:36 5210112 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-21 03:20 . 2012-09-10 21:47 5210112 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-21 03:20 . 2012-09-10 21:47 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-01-21 03:20 . 2012-09-09 04:36 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-07-13 07:19 . 2012-09-06 22:32 58378044 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2407127360-2681154229-4036151088-1000-4096.dat
+ 2011-07-13 07:19 . 2012-09-10 09:21 58378044 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2407127360-2681154229-4036151088-1000-4096.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-07-11 06:07 2074208 ----a-w- c:\program files (x86)\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files (x86)\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll" [2012-07-11 2074208]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-05 68856]
"KSS"="c:\program files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe" [2012-04-25 202296]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"LedKey"="CNYHKey.exe" [2008-04-24 339968]
"LchDrvKey"="LchDrvKey.exe" [2007-03-29 36864]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG10\avgtray.exe" [2012-01-18 2339168]
"vProt"="c:\program files (x86)\AVG Secure Search\vprot.exe" [2012-07-11 1107552]
"ROC_roc_dec12"="c:\program files (x86)\AVG Secure Search\ROC_roc_dec12.exe" [2012-02-27 928096]
.
c:\users\Mary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
_uninst_75988437.lnk - c:\users\Mary\AppData\Local\temp\_uninst_75988437.bat [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG10\avgchsva.exe /sync\0c:\progra~2\AVG\AVG10\avgrsa.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
S0 91660647;91660647;c:\windows\system32\DRIVERS\91660647.sys [2012-02-04 460888]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-04-04 63928]
.
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-30 18:24]
.
2012-09-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-30 18:24]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-03-10 1833504]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-03-10 7212576]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-09-12 182808]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]
"CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-04 2114376]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=1006&m=sx2800
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\11.2.0\ViProtocol.dll
DPF: {1ABA5FAC-1417-422B-BA82-45C35E2C908B} - hxxp://kitchenplanner.ikea.com/US/Core/Player/2020PlayerAX_IKEA_Win32.cab
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\axfc2q7p.default\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B666f7fc8-a785-4d1b-9863-eb4fc40822e1%7D&mid=ef9351033a2cf750a079032fbdd642b8-c98eeb274289a88edf12d9eb252238c58951ab67&ds=AVG&v=11.1.0.12&lang=us&pr=pa&d=2012-02-25%2019%3A43%3A16&sap=ku&q=
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2012-09-11 18:52:19
ComboFix-quarantined-files.txt 2012-09-11 22:52
ComboFix2.txt 2012-09-10 03:56
ComboFix3.txt 2012-08-05 21:23
ComboFix4.txt 2012-08-04 19:16
ComboFix5.txt 2012-09-11 22:34
.
Pre-Run: 442,411,524,096 bytes free
Post-Run: 442,362,310,656 bytes free
.
- - End Of File - - 3D0C03148842C4C11BE44411B66925B2
 
Good job...

ComboFix Script

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it:
    ClearJavaCache::
  • Save this as CFScript.txt, in the same location as ComboFix.exe

    CFScriptB-4.gif
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.
 
ComboFix 12-09-14.03 - Mary 09/14/2012 17:14:48.10.4 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4060.2221 [GMT -4:00]
Running from: c:\users\Mary\Desktop\ComboFix.exe
Command switches used :: c:\users\Mary\Desktop\CFScript.txt
AV: AVG Internet Security 2011 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
FW: AVG Firewall *Enabled* {621CC794-9486-F902-D092-0484E8EA828B}
SP: AVG Internet Security 2011 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-08-14 to 2012-09-14 )))))))))))))))))))))))))))))))
.
.
2012-09-14 21:27 . 2012-09-14 21:27 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-09-14 21:27 . 2012-09-14 21:27 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-09-14 21:27 . 2012-09-14 21:27 -------- d-----w- c:\users\AppData\AppData\Local\temp
2012-08-20 18:21 . 2012-08-20 18:21 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2012-08-20 18:16 . 2012-08-21 03:17 -------- d-----w- c:\users\Mary\AppData\Roaming\xsecva
2012-08-16 00:17 . 2012-05-11 16:34 788480 ----a-w- c:\windows\system32\localspl.dll
2012-08-16 00:17 . 2012-05-11 15:57 623616 ----a-w- c:\windows\SysWow64\localspl.dll
2012-08-16 00:17 . 2012-06-29 16:20 648192 ----a-w- c:\windows\system32\netapi32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-11 22:29 . 2009-12-03 15:32 384512 ----a-w- c:\windows\system32\services.exe
2012-07-03 17:46 . 2012-01-26 01:06 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((( SnapShot_2012-09-10_03.50.51 )))))))))))))))))))))))))))))))))))))))))
.
- 2012-09-09 04:32 . 2012-09-08 00:17 16384 c:\windows\temp\Temporary Internet Files\Content.IE5\index.dat
+ 2012-09-14 21:27 . 2012-09-14 20:58 16384 c:\windows\temp\Temporary Internet Files\Content.IE5\index.dat
- 2012-09-09 04:32 . 2012-09-08 00:17 16384 c:\windows\temp\History\History.IE5\index.dat
+ 2012-09-14 21:27 . 2012-09-14 20:58 16384 c:\windows\temp\History\History.IE5\index.dat
- 2012-09-09 04:32 . 2012-09-08 00:17 16384 c:\windows\temp\Cookies\index.dat
+ 2012-09-14 21:27 . 2012-09-14 20:58 16384 c:\windows\temp\Cookies\index.dat
+ 2008-01-21 02:23 . 2012-09-14 20:59 68004 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-09-10 08:50 . 2012-09-10 09:21 12806 c:\windows\system32\WDI\ERCQueuedResolutions.dat
+ 2006-11-02 15:45 . 2012-09-14 20:59 91656 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2006-11-02 15:45 . 2012-09-08 00:19 91656 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-09-05 23:57 . 2012-09-14 20:59 17258 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2407127360-2681154229-4036151088-1000_UserData.bin
- 2009-09-05 23:57 . 2012-09-08 00:19 17258 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2407127360-2681154229-4036151088-1000_UserData.bin
+ 2012-09-14 20:57 . 2012-09-14 20:57 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-09-09 04:36 . 2012-09-09 04:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-09-14 20:57 . 2012-09-14 20:57 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-09-09 04:36 . 2012-09-09 04:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-08-28 06:01 . 2012-09-10 21:47 147456 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2012-08-28 06:01 . 2012-09-09 04:36 147456 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-09-06 14:43 . 2012-09-10 03:50 644424 c:\windows\system32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2009-09-06 14:43 . 2012-09-13 22:38 644424 c:\windows\system32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2006-11-02 12:46 . 2012-09-09 04:43 604502 c:\windows\system32\perfh009.dat
+ 2006-11-02 12:46 . 2012-09-14 21:03 604502 c:\windows\system32\perfh009.dat
+ 2006-11-02 12:46 . 2012-09-14 21:03 104202 c:\windows\system32\perfc009.dat
- 2006-11-02 12:46 . 2012-09-09 04:43 104202 c:\windows\system32\perfc009.dat
+ 2011-02-16 22:00 . 2012-09-13 22:53 287624 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2011-02-16 22:00 . 2012-09-09 04:34 287624 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2008-01-21 03:20 . 2012-09-09 04:36 5210112 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-21 03:20 . 2012-09-10 21:47 5210112 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-21 03:20 . 2012-09-10 21:47 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-01-21 03:20 . 2012-09-09 04:36 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-07-13 07:19 . 2012-09-06 22:32 58378044 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2407127360-2681154229-4036151088-1000-4096.dat
+ 2011-07-13 07:19 . 2012-09-13 22:53 58378044 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2407127360-2681154229-4036151088-1000-4096.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-07-11 06:07 2074208 ----a-w- c:\program files (x86)\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files (x86)\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll" [2012-07-11 2074208]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-05 68856]
"KSS"="c:\program files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe" [2012-04-25 202296]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"LedKey"="CNYHKey.exe" [2008-04-24 339968]
"LchDrvKey"="LchDrvKey.exe" [2007-03-29 36864]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG10\avgtray.exe" [2012-01-18 2339168]
"vProt"="c:\program files (x86)\AVG Secure Search\vprot.exe" [2012-07-11 1107552]
"ROC_roc_dec12"="c:\program files (x86)\AVG Secure Search\ROC_roc_dec12.exe" [2012-02-27 928096]
.
c:\users\Mary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
_uninst_75988437.lnk - c:\users\Mary\AppData\Local\temp\_uninst_75988437.bat [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG10\avgchsva.exe /sync\0c:\progra~2\AVG\AVG10\avgrsa.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
S0 91660647;91660647;c:\windows\system32\DRIVERS\91660647.sys [2012-02-04 460888]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-04-04 63928]
.
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-30 18:24]
.
2012-09-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-30 18:24]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-03-10 1833504]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-03-10 7212576]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-09-12 182808]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]
"CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-04 2114376]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=1006&m=sx2800
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\11.2.0\ViProtocol.dll
DPF: {1ABA5FAC-1417-422B-BA82-45C35E2C908B} - hxxp://kitchenplanner.ikea.com/US/Core/Player/2020PlayerAX_IKEA_Win32.cab
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\axfc2q7p.default\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B666f7fc8-a785-4d1b-9863-eb4fc40822e1%7D&mid=ef9351033a2cf750a079032fbdd642b8-c98eeb274289a88edf12d9eb252238c58951ab67&ds=AVG&v=11.1.0.12&lang=us&pr=pa&d=2012-02-25%2019%3A43%3A16&sap=ku&q=
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2012-09-14 17:30:13
ComboFix-quarantined-files.txt 2012-09-14 21:30
ComboFix2.txt 2012-09-11 22:52
ComboFix3.txt 2012-09-10 03:56
ComboFix4.txt 2012-08-05 21:23
ComboFix5.txt 2012-09-14 21:11
.
Pre-Run: 442,362,130,432 bytes free
Post-Run: 442,268,938,240 bytes free
.
- - End Of File - - 69D643B96D9DAB7098CF9168A528B075
 
ESET Online Scan

Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so and install it.
  • Click Start or wait for the scanner to load.
  • Make sure that the options Remove found threats and Scan unwanted applications are both checked.
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, there are a couple of things to keep in mind:
  • 1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
  • 2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
  • Open the logfile from wherever you saved it
  • Copy and paste the contents in your next reply.
 
C:\Qoobox\Quarantine\C\Windows\assembly\GAC_32\Desktop.ini.vir Win32/Sirefef.EZ trojan deleted - quarantined
C:\Qoobox\Quarantine\C\Windows\assembly\GAC_64\Desktop.ini.vir Win64/Sirefef.AD trojan deleted - quarantined
C:\Qoobox\Quarantine\C\Windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\U\00000004.@.vir Win64/Conedex.C trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\U\00000008.@.vir Win64/Agent.BA trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\U\000000cb.@.vir Win64/Conedex.B trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\U\80000000.@.vir Win64/Sirefef.AP trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\U\80000032.@.vir Win32/Sirefef.FD trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\U\80000064.@.vir Win64/Sirefef.AN trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\System32\services.exe.vir Win64/Patched.B trojan deleted - quarantined
 
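A triage script, added here as an example and not part of the thread or of any tool used in it, that covers two things the posts above do by hand: checking the state of c:\windows\system32\services.exe (the file the FCopy:: script replaced and that ESET later flagged in quarantine as Win64/Patched.B) and looking for the Sirefef/ZeroAccess drop locations the ESET log lists, namely Desktop.ini under assembly\GAC_32 and assembly\GAC_64 and a U folder under a {GUID} directory in Windows\Installer. It assumes an elevated PowerShell prompt on the affected machine; the indicator paths are taken from the log above and nothing else is taken from the thread.

```powershell
# Added triage script (example, not from the thread or from ComboFix/ESET).
# Run from an elevated PowerShell prompt on the machine being cleaned.
# The indicator paths are the ones ESET reported in the thread above.

$target = Join-Path $env:SystemRoot 'System32\services.exe'

# SHA-256 via .NET so this also runs on PowerShell 2.0 (Get-FileHash needs 4.0).
function Get-Sha256Hex([string]$Path) {
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

# 1. Signature check. services.exe is catalog-signed rather than embedded-signed,
#    so old Windows PowerShell (before 5.1) can report NotSigned for a clean
#    file; treat Valid as good news and anything else as "go compare the hash".
$sig = Get-AuthenticodeSignature -FilePath $target
"services.exe signature : $($sig.Status)"
if ($sig.SignerCertificate) {
    "  signer               : $($sig.SignerCertificate.Subject)"
}

# 2. Hash and size, for VirusTotal or for comparison with a known-clean copy
#    of the same Windows build.
"services.exe SHA-256   : $(Get-Sha256Hex $target)"
"services.exe size      : $((Get-Item -LiteralPath $target).Length) bytes"

# 3. ZeroAccess artifact locations from the ESET log in this thread.
$indicators = @(
    (Join-Path $env:SystemRoot 'assembly\GAC_32\Desktop.ini'),
    (Join-Path $env:SystemRoot 'assembly\GAC_64\Desktop.ini')
)

# Any {GUID}\U directory under Windows\Installer (the folder is hidden, hence -Force).
$installer = Join-Path $env:SystemRoot 'Installer'
foreach ($dir in (Get-ChildItem -Path $installer -Force -ErrorAction SilentlyContinue)) {
    if ($dir.PSIsContainer -and $dir.Name -match '^\{[0-9a-f-]{36}\}$') {
        $u = Join-Path $dir.FullName 'U'
        if (Test-Path -LiteralPath $u) { $indicators += $u }
    }
}

foreach ($p in $indicators) {
    if (Test-Path -LiteralPath $p) {
        "FOUND   : $p"
    } else {
        "absent  : $p"
    }
}
```

A FOUND line for any indicator path means files from the infection are still on disk even though the patched services.exe has been replaced, which is exactly the situation ESET's quarantine listing shows. The printed SHA-256 and size are what to compare against a clean copy of the same build (the log above shows the replaced file at 384512 bytes) or to submit to VirusTotal, as the poster did; on old Windows PowerShell the NotSigned result on a catalog-signed system binary is not, by itself, evidence of tampering.
 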
Any more issues?

We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

Many of the things to note for us would be:

  • Slow computer
  • Error messages
  • Fake antivirus alerts or the icon in the system tray
  • svchost.exe running at 100%
  • System crashes or blue screen of death
 
This is the last time I will ask about your inactivity. Please let us know if you want to continue disinfection.
 
Sorry for the inactivity, got a little busy and didn't keep up with the computer.

The computer is much better. The reoccurring detection of the "system32" file by AVG is gone. I haven't any redirects on Internet Explorer.

I do have two questions. One, for the objects that were detected by Resident Shield multiple times, can I "remove/clean" them in Resident Shield? The reason I ask is that the system32 problem was partly due to me neutralizing that object when it was mistakenly quarantined by AVG, correct?

CanIRemovethese.JPG

Two, specifically the one object found by Resident Shield "May be infected by unknown virus Win32/DH{LgMPNg}", can I be sure that this was actually removed successfully? The description of that infection is odd and makes me wonder....

QuestionableVirusRemoval.JPG
 