[Closed] Possible fake AVG and Security Shield virus

Discussion in 'Virus and Malware Removal' started by dover1982, Aug 3, 2012.

  1. dover1982 Newcomer, in training Posts: 47

    I'm having trouble getting ComboFix to run. An alert comes up during the installation. I've tried ComboFix a number of times, even clicking "Ignore" on the alert, after which the installation seems to finish, but then a blue screen pops up for a split second and that's it.

  2. Jay Pfoutz Malware Helper Posts: 4,286   +49

    Please try again in Safe Mode with Networking (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).
  3. dover1982 Newcomer, in training Posts: 47

    ComboFix 12-09-07.03 - Mary 09/07/2012 20:29:50.8.4 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4060.2421 [GMT -4:00]
    Running from: c:\users\Mary\Desktop\ComboFix.exe
    AV: AVG Internet Security 2011 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    FW: AVG Firewall *Enabled* {621CC794-9486-F902-D092-0484E8EA828B}
    SP: AVG Internet Security 2011 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\assembly\GAC_32\Desktop.ini
    c:\windows\assembly\GAC_64\Desktop.ini
    c:\windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\@
    c:\windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\L\00000004.@
    c:\windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\L\201d3dde
    c:\windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\U\00000004.@
    c:\windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\U\00000008.@
    c:\windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\U\000000cb.@
    c:\windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\U\80000000.@
    c:\windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\U\80000032.@
    c:\windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\U\80000064.@
    .
    c:\windows\system32\Services.exe . . . is infected!!
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-08-10 to 2012-09-10 )))))))))))))))))))))))))))))))
    .
    .
    2012-09-09 04:32 . 2012-09-09 04:32 -------- d-----w- c:\users\Public\AppData\Local\temp
    2012-09-09 04:32 . 2012-09-09 04:32 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-09-09 04:32 . 2012-09-09 04:32 -------- d-----w- c:\users\AppData\AppData\Local\temp
    2012-08-20 18:21 . 2012-08-20 18:21 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
    2012-08-20 18:16 . 2012-08-21 03:17 -------- d-----w- c:\users\Mary\AppData\Roaming\xsecva
    2012-08-16 00:17 . 2012-05-11 16:34 788480 ----a-w- c:\windows\system32\localspl.dll
    2012-08-16 00:17 . 2012-05-11 15:57 623616 ----a-w- c:\windows\SysWow64\localspl.dll
    2012-08-16 00:17 . 2012-06-29 16:20 648192 ----a-w- c:\windows\system32\netapi32.dll
    2012-08-14 22:10 . 2012-08-14 22:10 -------- d-----w- c:\program files (x86)\Kaspersky Lab
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-03 17:46 . 2012-01-26 01:06 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2009-04-11 . BC81150939BD52DBC7A08C245F1FB229 . 384512 . . [6.0.6000.16386] .. c:\windows\system32\services.exe
    .
    ((((((((((((((((((((((((((((( SnapShot_2012-08-04_19.13.46 )))))))))))))))))))))))))))))))))))))))))
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
    2012-07-11 06:07 2074208 ----a-w- c:\program files (x86)\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files (x86)\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll" [2012-07-11 2074208]
    .
    [HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
    [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
    [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-05 68856]
    "KSS"="c:\program files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe" [2012-04-25 202296]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "LedKey"="CNYHKey.exe" [2008-04-24 339968]
    "LchDrvKey"="LchDrvKey.exe" [2007-03-29 36864]
    "AVG_TRAY"="c:\program files (x86)\AVG\AVG10\avgtray.exe" [2012-01-18 2339168]
    "vProt"="c:\program files (x86)\AVG Secure Search\vprot.exe" [2012-07-11 1107552]
    "ROC_roc_dec12"="c:\program files (x86)\AVG Secure Search\ROC_roc_dec12.exe" [2012-02-27 928096]
    .
    c:\users\Mary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    _uninst_75988437.lnk - c:\users\Mary\AppData\Local\temp\_uninst_75988437.bat [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG10\avgchsva.exe /sync\0c:\progra~2\AVG\AVG10\avgrsa.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    S0 91660647;91660647;c:\windows\system32\DRIVERS\91660647.sys [2012-02-04 460888]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-04-04 63928]
    .
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    Themes
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-09-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-30 18:24]
    .
    2012-09-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-30 18:24]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-03-10 1833504]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-03-10 7212576]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]
    "IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-09-12 182808]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]
    "CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-04 2114376]
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uLocal Page = c:\windows\system32\blank.htm
    mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=1006&m=sx2800
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office10\EXCEL.EXE/3000
    LSP: mswsock.dll
    TCP: DhcpNameServer = 192.168.1.1
    Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\11.2.0\ViProtocol.dll
    DPF: {1ABA5FAC-1417-422B-BA82-45C35E2C908B} - hxxp://kitchenplanner.ikea.com/US/Core/Player/2020PlayerAX_IKEA_Win32.cab
    CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
    FF - ProfilePath - c:\users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\axfc2q7p.default\
    FF - prefs.js: browser.search.defaulturl -
    FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B666f7fc8-a785-4d1b-9863-eb4fc40822e1%7D&mid=ef9351033a2cf750a079032fbdd642b8-c98eeb274289a88edf12d9eb252238c58951ab67&ds=AVG&v=11.1.0.12&lang=us&pr=pa&d=2012-02-25%2019%3A43%3A16&sap=ku&q=
    FF - user.js: yahoo.homepage.dontask - true
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    .
    .
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
    "ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @="Shockwave Flash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @=""
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @="FlashBroker"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\AVG\AVG10\avgfws.exe
    c:\program files (x86)\AVG\AVG10\avgwdsvc.exe
    c:\program files (x86)\Bonjour\mDNSResponder.exe
    c:\program files (x86)\Flip Video\FlipShare\FlipShareService.exe
    c:\program files (x86)\Flip Video\FlipShareServer\FlipShareServer.exe
    c:\program files (x86)\AVG\AVG10\avgam.exe
    c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\11.2.0\ToolbarUpdater.exe
    c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    c:\program files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    c:\windows\MHotKey.exe
    c:\windows\CNYHKey.exe
    c:\program files (x86)\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    c:\windows\ModLedKey.exe
    c:\windows\ChiFuncExt.exe
    .
    **************************************************************************
    .
    Completion time: 2012-09-09 23:56:52 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-09-10 03:56
    ComboFix2.txt 2012-08-05 21:23
    ComboFix3.txt 2012-08-04 19:16
    ComboFix4.txt 2012-05-27 21:14
    ComboFix5.txt 2012-09-07 23:37
    .
    Pre-Run: 442,466,832,384 bytes free
    Post-Run: 441,782,059,008 bytes free
    .
    - - End Of File - - 5DE43D4B59F38B2608342FDCDE1FB7D1
  4. Jay Pfoutz Malware Helper Posts: 4,286   +49

    Not sure if I asked you: do you have the Windows Vista disc?
  5. dover1982 Newcomer, in training Posts: 47

    I have a set of Windows Vista Recovery Disks.
  6. Jay Pfoutz Malware Helper Posts: 4,286   +49

    Okay, good. Just checking there.

    Please download the attached file (Vista.zip).

    Extract the contents of it, and transfer the file to the Desktop. You should see the file services.exe on the Desktop.

    Once that's done, run the following CFScript:

    ComboFix Script

    • Close any open browsers.
    • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Open Notepad and copy/paste the text in the codebox below into it.
    • Save this as CFScript.txt, in the same location as ComboFix.exe.

      [IMG]
    • Referring to the picture above, drag CFScript into ComboFix.exe
    • When finished, it shall produce a log for you at C:\ComboFix.txt
    • Please post the contents of the log in your next reply.

  7. dover1982 Newcomer, in training Posts: 47

    ComboFix 12-09-11.02 - Mary 09/11/2012 18:36:34.9.4 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4060.1866 [GMT -4:00]
    Running from: c:\users\Mary\Desktop\ComboFix.exe
    Command switches used :: c:\users\Mary\Desktop\CFScript.txt
    AV: AVG Internet Security 2011 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    FW: AVG Firewall *Enabled* {621CC794-9486-F902-D092-0484E8EA828B}
    SP: AVG Internet Security 2011 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\assembly\GAC_32\Desktop.ini
    c:\windows\assembly\GAC_64\Desktop.ini
    .
    .
    --------------- FCopy ---------------
    .
    c:\users\Mary\desktop\services.exe --> c:\windows\system32\services.exe
    .
    ((((((((((((((((((((((((( Files Created from 2012-08-11 to 2012-09-11 )))))))))))))))))))))))))))))))
    .
    .
    2012-09-11 22:49 . 2012-09-11 22:49 -------- d-----w- c:\users\Public\AppData\Local\temp
    2012-09-11 22:49 . 2012-09-11 22:49 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-09-11 22:49 . 2012-09-11 22:49 -------- d-----w- c:\users\AppData\AppData\Local\temp
    2012-08-20 18:21 . 2012-08-20 18:21 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
    2012-08-20 18:16 . 2012-08-21 03:17 -------- d-----w- c:\users\Mary\AppData\Roaming\xsecva
    2012-08-16 00:17 . 2012-05-11 16:34 788480 ----a-w- c:\windows\system32\localspl.dll
    2012-08-16 00:17 . 2012-05-11 15:57 623616 ----a-w- c:\windows\SysWow64\localspl.dll
    2012-08-16 00:17 . 2012-06-29 16:20 648192 ----a-w- c:\windows\system32\netapi32.dll
    2012-08-14 22:10 . 2012-08-14 22:10 -------- d-----w- c:\program files (x86)\Kaspersky Lab
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-09-11 22:29 . 2009-12-03 15:32 384512 ----a-w- c:\windows\system32\services.exe
    2012-07-03 17:46 . 2012-01-26 01:06 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
    .
    .
    ((((((((((((((((((((((((((((( SnapShot_2012-09-10_03.50.51 )))))))))))))))))))))))))))))))))))))))))
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
    2012-07-11 06:07 2074208 ----a-w- c:\program files (x86)\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files (x86)\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll" [2012-07-11 2074208]
    .
    [HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
    [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
    [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-05 68856]
    "KSS"="c:\program files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe" [2012-04-25 202296]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "LedKey"="CNYHKey.exe" [2008-04-24 339968]
    "LchDrvKey"="LchDrvKey.exe" [2007-03-29 36864]
    "AVG_TRAY"="c:\program files (x86)\AVG\AVG10\avgtray.exe" [2012-01-18 2339168]
    "vProt"="c:\program files (x86)\AVG Secure Search\vprot.exe" [2012-07-11 1107552]
    "ROC_roc_dec12"="c:\program files (x86)\AVG Secure Search\ROC_roc_dec12.exe" [2012-02-27 928096]
    .
    c:\users\Mary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    _uninst_75988437.lnk - c:\users\Mary\AppData\Local\temp\_uninst_75988437.bat [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG10\avgchsva.exe /sync\0c:\progra~2\AVG\AVG10\avgrsa.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    S0 91660647;91660647;c:\windows\system32\DRIVERS\91660647.sys [2012-02-04 460888]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-04-04 63928]
    .
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    Themes
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-09-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-30 18:24]
    .
    2012-09-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-30 18:24]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-03-10 1833504]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-03-10 7212576]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]
    "IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-09-12 182808]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]
    "CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-04 2114376]
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uLocal Page = c:\windows\system32\blank.htm
    mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=1006&m=sx2800
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office10\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.1
    Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\11.2.0\ViProtocol.dll
    DPF: {1ABA5FAC-1417-422B-BA82-45C35E2C908B} - hxxp://kitchenplanner.ikea.com/US/Core/Player/2020PlayerAX_IKEA_Win32.cab
    CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
    FF - ProfilePath - c:\users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\axfc2q7p.default\
    FF - prefs.js: browser.search.defaulturl -
    FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B666f7fc8-a785-4d1b-9863-eb4fc40822e1%7D&mid=ef9351033a2cf750a079032fbdd642b8-c98eeb274289a88edf12d9eb252238c58951ab67&ds=AVG&v=11.1.0.12&lang=us&pr=pa&d=2012-02-25%2019%3A43%3A16&sap=ku&q=
    FF - user.js: yahoo.homepage.dontask - true
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    .
    .
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
    "ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @="Shockwave Flash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @=""
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @="FlashBroker"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    Completion time: 2012-09-11 18:52:19
    ComboFix-quarantined-files.txt 2012-09-11 22:52
    ComboFix2.txt 2012-09-10 03:56
    ComboFix3.txt 2012-08-05 21:23
    ComboFix4.txt 2012-08-04 19:16
    ComboFix5.txt 2012-09-11 22:34
    .
    Pre-Run: 442,411,524,096 bytes free
    Post-Run: 442,362,310,656 bytes free
    .
    - - End Of File - - 3D0C03148842C4C11BE44411B66925B2
  8. Jay Pfoutz Malware Helper Posts: 4,286   +49

    Good job...

    ComboFix Script

    • Close any open browsers.
    • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Open notepad and copy/paste the text in the codebox below into it:
    • Save this as CFScript.txt, in the same location as ComboFix.exe

    • Referring to the picture above, drag CFScript into ComboFix.exe
    • When finished, it shall produce a log for you at C:\ComboFix.txt
    • Please post the contents of the log in your next reply.
  9. dover1982 Newcomer, in training Posts: 47

    ComboFix 12-09-14.03 - Mary 09/14/2012 17:14:48.10.4 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4060.2221 [GMT -4:00]
    Running from: c:\users\Mary\Desktop\ComboFix.exe
    Command switches used :: c:\users\Mary\Desktop\CFScript.txt
    AV: AVG Internet Security 2011 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    FW: AVG Firewall *Enabled* {621CC794-9486-F902-D092-0484E8EA828B}
    SP: AVG Internet Security 2011 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-08-14 to 2012-09-14 )))))))))))))))))))))))))))))))
    .
    .
    2012-09-14 21:27 . 2012-09-14 21:27 -------- d-----w- c:\users\Public\AppData\Local\temp
    2012-09-14 21:27 . 2012-09-14 21:27 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-09-14 21:27 . 2012-09-14 21:27 -------- d-----w- c:\users\AppData\AppData\Local\temp
    2012-08-20 18:21 . 2012-08-20 18:21 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
    2012-08-20 18:16 . 2012-08-21 03:17 -------- d-----w- c:\users\Mary\AppData\Roaming\xsecva
    2012-08-16 00:17 . 2012-05-11 16:34 788480 ----a-w- c:\windows\system32\localspl.dll
    2012-08-16 00:17 . 2012-05-11 15:57 623616 ----a-w- c:\windows\SysWow64\localspl.dll
    2012-08-16 00:17 . 2012-06-29 16:20 648192 ----a-w- c:\windows\system32\netapi32.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-09-11 22:29 . 2009-12-03 15:32 384512 ----a-w- c:\windows\system32\services.exe
    2012-07-03 17:46 . 2012-01-26 01:06 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
    .
    .
    ((((((((((((((((((((((((((((( SnapShot_2012-09-10_03.50.51 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2012-09-09 04:32 . 2012-09-08 00:17 16384 c:\windows\temp\Temporary Internet Files\Content.IE5\index.dat
    + 2012-09-14 21:27 . 2012-09-14 20:58 16384 c:\windows\temp\Temporary Internet Files\Content.IE5\index.dat
    - 2012-09-09 04:32 . 2012-09-08 00:17 16384 c:\windows\temp\History\History.IE5\index.dat
    + 2012-09-14 21:27 . 2012-09-14 20:58 16384 c:\windows\temp\History\History.IE5\index.dat
    - 2012-09-09 04:32 . 2012-09-08 00:17 16384 c:\windows\temp\Cookies\index.dat
    + 2012-09-14 21:27 . 2012-09-14 20:58 16384 c:\windows\temp\Cookies\index.dat
    + 2008-01-21 02:23 . 2012-09-14 20:59 68004 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-09-10 08:50 . 2012-09-10 09:21 12806 c:\windows\system32\WDI\ERCQueuedResolutions.dat
    + 2006-11-02 15:45 . 2012-09-14 20:59 91656 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
    - 2006-11-02 15:45 . 2012-09-08 00:19 91656 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2009-09-05 23:57 . 2012-09-14 20:59 17258 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2407127360-2681154229-4036151088-1000_UserData.bin
    - 2009-09-05 23:57 . 2012-09-08 00:19 17258 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2407127360-2681154229-4036151088-1000_UserData.bin
    + 2012-09-14 20:57 . 2012-09-14 20:57 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2012-09-09 04:36 . 2012-09-09 04:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-09-14 20:57 . 2012-09-14 20:57 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2012-09-09 04:36 . 2012-09-09 04:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2012-08-28 06:01 . 2012-09-10 21:47 147456 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2012-08-28 06:01 . 2012-09-09 04:36 147456 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-09-06 14:43 . 2012-09-10 03:50 644424 c:\windows\system32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
    + 2009-09-06 14:43 . 2012-09-13 22:38 644424 c:\windows\system32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
    - 2006-11-02 12:46 . 2012-09-09 04:43 604502 c:\windows\system32\perfh009.dat
    + 2006-11-02 12:46 . 2012-09-14 21:03 604502 c:\windows\system32\perfh009.dat
    + 2006-11-02 12:46 . 2012-09-14 21:03 104202 c:\windows\system32\perfc009.dat
    - 2006-11-02 12:46 . 2012-09-09 04:43 104202 c:\windows\system32\perfc009.dat
    + 2011-02-16 22:00 . 2012-09-13 22:53 287624 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    - 2011-02-16 22:00 . 2012-09-09 04:34 287624 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    - 2008-01-21 03:20 . 2012-09-09 04:36 5210112 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2008-01-21 03:20 . 2012-09-10 21:47 5210112 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2008-01-21 03:20 . 2012-09-10 21:47 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2008-01-21 03:20 . 2012-09-09 04:36 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2011-07-13 07:19 . 2012-09-06 22:32 58378044 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2407127360-2681154229-4036151088-1000-4096.dat
    + 2011-07-13 07:19 . 2012-09-13 22:53 58378044 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2407127360-2681154229-4036151088-1000-4096.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
    2012-07-11 06:07 2074208 ----a-w- c:\program files (x86)\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files (x86)\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll" [2012-07-11 2074208]
    .
    [HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
    [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
    [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-05 68856]
    "KSS"="c:\program files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe" [2012-04-25 202296]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "LedKey"="CNYHKey.exe" [2008-04-24 339968]
    "LchDrvKey"="LchDrvKey.exe" [2007-03-29 36864]
    "AVG_TRAY"="c:\program files (x86)\AVG\AVG10\avgtray.exe" [2012-01-18 2339168]
    "vProt"="c:\program files (x86)\AVG Secure Search\vprot.exe" [2012-07-11 1107552]
    "ROC_roc_dec12"="c:\program files (x86)\AVG Secure Search\ROC_roc_dec12.exe" [2012-02-27 928096]
    .
    c:\users\Mary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    _uninst_75988437.lnk - c:\users\Mary\AppData\Local\temp\_uninst_75988437.bat [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG10\avgchsva.exe /sync\0c:\progra~2\AVG\AVG10\avgrsa.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    S0 91660647;91660647;c:\windows\system32\DRIVERS\91660647.sys [2012-02-04 460888]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-04-04 63928]
    .
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    Themes
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-09-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-30 18:24]
    .
    2012-09-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-30 18:24]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-03-10 1833504]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-03-10 7212576]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]
    "IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-09-12 182808]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]
    "CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-04 2114376]
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uLocal Page = c:\windows\system32\blank.htm
    mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=1006&m=sx2800
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office10\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.1
    Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\11.2.0\ViProtocol.dll
    DPF: {1ABA5FAC-1417-422B-BA82-45C35E2C908B} - hxxp://kitchenplanner.ikea.com/US/Core/Player/2020PlayerAX_IKEA_Win32.cab
    CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
    FF - ProfilePath - c:\users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\axfc2q7p.default\
    FF - prefs.js: browser.search.defaulturl -
    FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B666f7fc8-a785-4d1b-9863-eb4fc40822e1%7D&mid=ef9351033a2cf750a079032fbdd642b8-c98eeb274289a88edf12d9eb252238c58951ab67&ds=AVG&v=11.1.0.12&lang=us&pr=pa&d=2012-02-25%2019%3A43%3A16&sap=ku&q=
    FF - user.js: yahoo.homepage.dontask - true
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    .
    .
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
    "ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @="Shockwave Flash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @=""
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @="FlashBroker"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    Completion time: 2012-09-14 17:30:13
    ComboFix-quarantined-files.txt 2012-09-14 21:30
    ComboFix2.txt 2012-09-11 22:52
    ComboFix3.txt 2012-09-10 03:56
    ComboFix4.txt 2012-08-05 21:23
    ComboFix5.txt 2012-09-14 21:11
    .
    Pre-Run: 442,362,130,432 bytes free
    Post-Run: 442,268,938,240 bytes free
    .
    - - End Of File - - 69D643B96D9DAB7098CF9168A528B075
  10. Jay Pfoutz Malware Helper Posts: 4,286   +49

    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so and install it.
    • Click Start or wait for the scanner to load.
    • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, there are a couple of things to keep in mind:
    • 1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
    • 2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
    • Open the logfile from wherever you saved it
    • Copy and paste the contents in your next reply.
  11. dover1982 Newcomer, in training Posts: 47

    C:\Qoobox\Quarantine\C\Windows\assembly\GAC_32\Desktop.ini.vir Win32/Sirefef.EZ trojan deleted - quarantined
    C:\Qoobox\Quarantine\C\Windows\assembly\GAC_64\Desktop.ini.vir Win64/Sirefef.AD trojan deleted - quarantined
    C:\Qoobox\Quarantine\C\Windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\U\00000004.@.vir Win64/Conedex.C trojan cleaned by deleting - quarantined
    C:\Qoobox\Quarantine\C\Windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\U\00000008.@.vir Win64/Agent.BA trojan cleaned by deleting - quarantined
    C:\Qoobox\Quarantine\C\Windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\U\000000cb.@.vir Win64/Conedex.B trojan cleaned by deleting - quarantined
    C:\Qoobox\Quarantine\C\Windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\U\80000000.@.vir Win64/Sirefef.AP trojan cleaned by deleting - quarantined
    C:\Qoobox\Quarantine\C\Windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\U\80000032.@.vir Win32/Sirefef.FD trojan cleaned by deleting - quarantined
    C:\Qoobox\Quarantine\C\Windows\Installer\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\U\80000064.@.vir Win64/Sirefef.AN trojan cleaned by deleting - quarantined
    C:\Qoobox\Quarantine\C\Windows\System32\services.exe.vir Win64/Patched.B trojan deleted - quarantined
  12. Jay Pfoutz Malware Helper Posts: 4,286   +49

    Any more issues?

    We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

    Many of the things to note for us would be:

    • Slow computer
    • Error messages
    • Fake antivirus alerts or the icon in the system tray
    • svchost.exe running at 100%
    • System crashes or blue screen of death
  13. Jay Pfoutz Malware Helper Posts: 4,286   +49

    Please update us on the status of your PC. We'd still like to help.

    Topic marked inactive.
  14. Jay Pfoutz Malware Helper Posts: 4,286   +49

    This is the last time I'll ask about your inactivity. Please let us know if you want to continue disinfection.
  15. dover1982 Newcomer, in training Posts: 47

    Sorry for the inactivity, got a little busy and didn't keep up with the computer.

    The computer is much better. The recurring detection of the "system32" file by AVG is gone. I haven't had any redirects on Internet Explorer.

    I do have two questions. One, for the objects that were detected by Resident Shield multiple times, can I "remove/clean" them in Resident Shield? The reason I ask is that the system32 problem was partly due to me neutralizing that object when it was mistakenly quarantined by AVG, correct?

    CanIRemovethese.JPG

    Two, specifically the one object found by Resident Shield "May be infected by unknown virus Win32/DH{LgMPNg}", can I be sure that this was actually removed successfully? The description of that infection is odd and makes me wonder....

    QuestionableVirusRemoval.JPG
  16. Jay Pfoutz Malware Helper Posts: 4,286   +49

    We should check it out one last time...

    Please download Hitman Pro


    • After the download completes please double click the program to run it.
    • Accept the terms of the license agreement and click Next
    • Let the scan run. It will not take long
    • When the scan finishes, and all the files have been uploaded to the Scan Cloud, click Next
    • Click Next again. At the bottom left you will see Export Scan Results To XML File. Click that and save it in a convenient location
    • Upload log.xml here for review please
  17. Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello! Are you still with us? Your topic is now marked inactive, because you have not replied.

    However, we'd like to still help. Please update us on the state of your PC.
  18. dover1982 Newcomer, in training Posts: 47

    Code:
    HitmanPro 3.6.2.171
    www.hitmanpro.com
       Computer name . . . . : MARY-PC
       Windows . . . . . . . : 6.0.2.6002.X64/4
       User name . . . . . . : Mary-PC\Mary
       UAC . . . . . . . . . : Enabled
       License . . . . . . . : Trial (30 days left)
       Scan date . . . . . . : 2012-10-11 10:56:15
       Scan mode . . . . . . : Normal
       Scan duration . . . . : 4m 3s
       Disk access mode  . . : Direct disk access (SRB)
       Cloud . . . . . . . . : Internet
       Reboot  . . . . . . . : No
       Threats . . . . . . . : 3
       Traces  . . . . . . . : 18
       Objects scanned . . . : 6,881,921
       Files scanned . . . . : 47,427
       Remnants scanned  . . : 2,201,085 files / 4,633,409 keys
    Malware remnants ____________________________________________________________
       C:\Users\Mary\AppData\Local\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\@ (ZeroAccess) -> Deleted
       C:\Users\Mary\AppData\Local\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\L\ (ZeroAccess) -> Deleted
       C:\Users\Mary\AppData\Local\{8bf7e6e5-22a7-2d02-9ec4-ee60b2f264cd}\U\ (ZeroAccess) -> Deleted
    Cookies _____________________________________________________________________
       C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\axfc2q7p.default\cookies.sqlite:ad.360yield.com
       C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\axfc2q7p.default\cookies.sqlite:ads.pointroll.com
       C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\axfc2q7p.default\cookies.sqlite:ads.pubmatic.com
       C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\axfc2q7p.default\cookies.sqlite:apmebf.com
       C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\axfc2q7p.default\cookies.sqlite:ar.atwola.com
       C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\axfc2q7p.default\cookies.sqlite:at.atwola.com
       C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\axfc2q7p.default\cookies.sqlite:atwola.com
       C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\axfc2q7p.default\cookies.sqlite:collective-media.net
       C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\axfc2q7p.default\cookies.sqlite:doubleclick.net
       C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\axfc2q7p.default\cookies.sqlite:invitemedia.com
       C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\axfc2q7p.default\cookies.sqlite:kaspersky.122.2o7.net
       C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\axfc2q7p.default\cookies.sqlite:media6degrees.com
       C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\axfc2q7p.default\cookies.sqlite:tacoda.at.atwola.com
       C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\axfc2q7p.default\cookies.sqlite:track.prd1.netshelter.net
       C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\axfc2q7p.default\cookies.sqlite:xiti.com
    
    
  19. Jay Pfoutz Malware Helper Posts: 4,286   +49

    We need to find out where this thing is hiding and exterminate it for good... please do the following:

    Download Farbar Recovery Scan Tool and save it to a flash drive.


    Please make sure to get the 64-bit version

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS has loaded, begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
      • Startup Repair
      • System Restore
      • Windows Complete PC Restore
      • Windows Memory Diagnostic Tool
      • Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to the disclaimer.
    • Place a check next to List Drivers MD5 as well as the default check marks that are already there
    • Press Scan button. It will do its scan and save a log on your flash drive.
    • Close out of the message after that, then type the text services.exe into the "Search:" text box and press the Search file(s) button.
      When done searching, FRST makes a log, Search.txt, on the C:\ drive or on your flash drive.
    • Type exit in the Command Prompt window and reboot the computer normally
    • FRST will make a log (FRST.txt) on the flash drive and also the search.txt logfile, please copy and paste the logs in your reply.
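    The FRST search above is looking for the same two things the ESET and HitmanPro logs in this thread already pointed at: a patched services.exe and the hidden {GUID}\@, \L, \U directory layout that both scanners label Sirefef/ZeroAccess. The following script is an added example, not part of this thread and not code from FRST, ComboFix, ESET or HitmanPro; it re-checks those specific indicators from an elevated PowerShell prompt on the cleaned machine. The two parent folders and the file names come from the logs posted above; the "expected clean" state (no such directories, a validly signed services.exe) is an assumption of the example, not a known-good hash list.

```powershell
# Added example: post-cleanup check for the ZeroAccess/Sirefef indicators seen
# in this thread's ESET and HitmanPro logs. Run elevated. Nothing here deletes
# anything; it only reports.

$findings = @()

# 1. {GUID} directories that contain an "@" file plus U\ and L\ subfolders.
#    Both parents below appear in the logs: %LOCALAPPDATA% (HitmanPro) and
#    C:\Windows\Installer (ComboFix/ESET). Note that C:\Windows\Installer
#    legitimately holds many {GUID}-named MSI cache folders, so the "@"/U/L
#    combination is what makes a hit meaningful, not the GUID name alone.
$parents = @("$env:LOCALAPPDATA", "$env:windir\Installer")
foreach ($p in $parents) {
    Get-ChildItem -LiteralPath $p -Force -ErrorAction SilentlyContinue |
      Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9a-f-]{36}\}$' } |
      ForEach-Object {
        $d = $_.FullName
        if ((Test-Path -LiteralPath "$d\@") -and
            (Test-Path -LiteralPath "$d\U") -and
            (Test-Path -LiteralPath "$d\L")) {
            $findings += "ZeroAccess-style directory layout: $d"
        }
      }
}

# 2. Desktop.ini dropped into the GAC folders; both copies were quarantined as
#    Sirefef in the ESET log above, so neither should be present now.
foreach ($f in @("$env:windir\assembly\GAC_32\Desktop.ini",
                 "$env:windir\assembly\GAC_64\Desktop.ini")) {
    if (Test-Path -LiteralPath $f) { $findings += "Unexpected file: $f" }
}

# 3. services.exe was quarantined as Win64/Patched.B. The replacement should
#    carry a valid Microsoft signature. Caveat: on Vista/7 most system binaries
#    are catalog-signed rather than embedded-signed, so older PowerShell versions
#    can report NotSigned for a perfectly good file; treat anything other than
#    Valid as "cross-check with sfc", not as proof of tampering.
$svc = "$env:windir\System32\services.exe"
$sig = Get-AuthenticodeSignature -FilePath $svc
if ($sig.Status -ne 'Valid' -or
    ($sig.SignerCertificate -and $sig.SignerCertificate.Subject -notmatch 'Microsoft')) {
    $findings += "services.exe signature status: $($sig.Status) (verify with: sfc /verifyfile=$svc)"
}

if ($findings.Count -eq 0) { "No ZeroAccess indicators found." } else { $findings }
```

A clean result from this script is only a check of the indicators already named in this thread; it does not replace the FRST log the helper asked for, which also covers drivers and other load points the scanners above did not list.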
  20. dover1982 Newcomer, in training Posts: 47

    I have a set of Recovery Disks and on the disk it says "Warning: This process erases all data and files from the hard drive". Does this happen once I insert the disk? I haven't yet backed up my files so I was wondering if I should do that now.