TechSpot

Error code 0x80070424: Rootkit 0 access virus

By krazeefly
Aug 16, 2012
  1. Hello there, :)
    Some 6 days ago, I found that Windows Media Player was not starting at all. Tried to start it in every way, but failed... then googled about the problem and found Microsoft Fixit for WMP, and it stated that the registry entry was corrupted and fixed all the problems. After that, while I was checking my computer, I saw that the firewall was turned off, Defender was also turned off, updates were not starting and Action Center was not working at all, with the Security Center turned off. I tried to start all the functions and encountered the above-mentioned error code. I had the Avira free antivirus installed then, but it did not find any infections..... so I uninstalled it and installed AVG antivirus and MBAM.

    After updating and running both, I found my PC was infected with the above-mentioned virus. Followed all the instructions and deleted the infected files, and did some googling again to remove the virus from my PC. Came through a lot of topics with various methods, but didn't apply anything. But I did make one mistake.... I read in another forum about ComboFix and ended up running the tool on my PC. Didn't realise it was wrong to do without supervision!!!
    ComboFix ran well and generated a message about C:\windows\system32\services.exe being corrupted and attempting to patch it, and then created a log about the files being patched and new files created... but at that time there was a freak power cut in my area and the log file was erased. So I ran ComboFix one more time, and the log file is pasted here......

    After running ComboFix, my machine was working great... all services were back to normal, but this morning I again found the rootkit virus message popping up from MBAM, and all the services have stopped again. After a lot of searching I found your forum..... was really amazed to see how you people volunteer to help others. Did the 5 steps mentioned... and am pasting all the logs below, one after the other.......
    Thanks in advance for your help... :)
    ---------------------------------------------------------------------------------------------------------------------------

    ComboFix 12-08-13.01 - Desktop 14-Aug-12 17:44:03.1.4 - x64
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3893.2773 [GMT 5.5:30]
    Running from: c:\users\Desktop\Desktop\ComboFix.exe
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Desktop\AppData\Local\TempDIR
    c:\users\Desktop\AppData\Roaming\110ab52f
    c:\users\Desktop\AppData\Roaming\118494bb
    c:\users\Desktop\AppData\Roaming\1247491f
    c:\users\Desktop\AppData\Roaming\145bcc7
    c:\users\Desktop\AppData\Roaming\14b1c720
    c:\users\Desktop\AppData\Roaming\14d8b220
    c:\users\Desktop\AppData\Roaming\1506a031
    c:\users\Desktop\AppData\Roaming\15be8edf
    c:\users\Desktop\AppData\Roaming\15ecacfa
    c:\users\Desktop\AppData\Roaming\15efa89e
    c:\users\Desktop\AppData\Roaming\161af501
    c:\users\Desktop\AppData\Roaming\16c656f7
    c:\users\Desktop\AppData\Roaming\18057ff9
    c:\users\Desktop\AppData\Roaming\1816b214
    c:\users\Desktop\AppData\Roaming\1856daa
    c:\users\Desktop\AppData\Roaming\1896ebc8
    c:\users\Desktop\AppData\Roaming\191b9c54
    c:\users\Desktop\AppData\Roaming\1965f68
    c:\users\Desktop\AppData\Roaming\19ea700b
    c:\users\Desktop\AppData\Roaming\1afb2a27
    c:\users\Desktop\AppData\Roaming\1b158729
    c:\users\Desktop\AppData\Roaming\1bf5152a
    c:\users\Desktop\AppData\Roaming\1c3a3b2d
    c:\users\Desktop\AppData\Roaming\1cbbd0ee
    c:\users\Desktop\AppData\Roaming\1d6cde3e
    c:\users\Desktop\AppData\Roaming\1eae1606
    c:\users\Desktop\AppData\Roaming\1f5927d5
    c:\users\Desktop\AppData\Roaming\2478fd99
    c:\users\Desktop\AppData\Roaming\253b74
    c:\users\Desktop\AppData\Roaming\260c4d9e
    c:\users\Desktop\AppData\Roaming\270f0f9e
    c:\users\Desktop\AppData\Roaming\27f355c4
    c:\users\Desktop\AppData\Roaming\284d4587
    c:\users\Desktop\AppData\Roaming\28f69cec
    c:\users\Desktop\AppData\Roaming\298c3c6c
    c:\users\Desktop\AppData\Roaming\29a72cc8
    c:\users\Desktop\AppData\Roaming\2a6063cf
    c:\users\Desktop\AppData\Roaming\2a655a8
    c:\users\Desktop\AppData\Roaming\2a92b305
    c:\users\Desktop\AppData\Roaming\2b13b33
    c:\users\Desktop\AppData\Roaming\2c2233
    c:\users\Desktop\AppData\Roaming\2f96b0ae
    c:\users\Desktop\AppData\Roaming\2faa25c
    c:\users\Desktop\AppData\Roaming\30a36d49
    c:\users\Desktop\AppData\Roaming\325ea1bd
    c:\users\Desktop\AppData\Roaming\335d658
    c:\users\Desktop\AppData\Roaming\3458b729
    c:\users\Desktop\AppData\Roaming\3560bc01
    c:\users\Desktop\AppData\Roaming\3650d68d
    c:\users\Desktop\AppData\Roaming\37691bc9
    c:\users\Desktop\AppData\Roaming\386bbb3d
    c:\users\Desktop\AppData\Roaming\39cde08
    c:\users\Desktop\AppData\Roaming\3a597b3
    c:\users\Desktop\AppData\Roaming\3d4eee1c
    c:\users\Desktop\AppData\Roaming\3e2072a1
    c:\users\Desktop\AppData\Roaming\3eea7afb
    c:\users\Desktop\AppData\Roaming\3f37fdb1
    c:\users\Desktop\AppData\Roaming\3f3b128
    c:\users\Desktop\AppData\Roaming\411a0827
    c:\users\Desktop\AppData\Roaming\41c1789f
    c:\users\Desktop\AppData\Roaming\4232ea67
    c:\users\Desktop\AppData\Roaming\440e8180
    c:\users\Desktop\AppData\Roaming\47128dc6
    c:\users\Desktop\AppData\Roaming\471a2a79
    c:\users\Desktop\AppData\Roaming\48a4eed2
    c:\users\Desktop\AppData\Roaming\49c02ee3
    c:\users\Desktop\AppData\Roaming\4a0b6b7
    c:\users\Desktop\AppData\Roaming\4b380798
    c:\users\Desktop\AppData\Roaming\4b53d497
    c:\users\Desktop\AppData\Roaming\4b61b6d9
    c:\users\Desktop\AppData\Roaming\4b64601
    c:\users\Desktop\AppData\Roaming\4c7ab50b
    c:\users\Desktop\AppData\Roaming\4cfc1060
    c:\users\Desktop\AppData\Roaming\4e6ce37
    c:\users\Desktop\AppData\Roaming\596a25b
    c:\users\Desktop\AppData\Roaming\5e08a60
    c:\users\Desktop\AppData\Roaming\5e310e45
    c:\users\Desktop\AppData\Roaming\5f697a27
    c:\users\Desktop\AppData\Roaming\607286e0
    c:\users\Desktop\AppData\Roaming\620ef67d
    c:\users\Desktop\AppData\Roaming\62c5bb1d
    c:\users\Desktop\AppData\Roaming\6332c5b9
    c:\users\Desktop\AppData\Roaming\6c4f6882
    c:\users\Desktop\AppData\Roaming\6df71825
    c:\users\Desktop\AppData\Roaming\6e3ba91
    c:\users\Desktop\AppData\Roaming\75669402
    c:\users\Desktop\AppData\Roaming\7dec157
    c:\users\Desktop\AppData\Roaming\85e36a01
    c:\users\Desktop\AppData\Roaming\867f4207
    c:\users\Desktop\AppData\Roaming\880d790d
    c:\users\Desktop\AppData\Roaming\884bb93b
    c:\users\Desktop\AppData\Roaming\9564557d
    c:\users\Desktop\AppData\Roaming\97ce75d8
    c:\users\Desktop\AppData\Roaming\97d4f8a3
    c:\users\Desktop\AppData\Roaming\990e24e1
    c:\users\Desktop\AppData\Roaming\995ab09b
    c:\users\Desktop\AppData\Roaming\9bc577df
    c:\users\Desktop\AppData\Roaming\9e2d83e8
    c:\users\Desktop\AppData\Roaming\a12d5826
    c:\users\Desktop\AppData\Roaming\a25cdf5f
    c:\users\Desktop\AppData\Roaming\a3e19362
    c:\users\Desktop\AppData\Roaming\a5677138
    c:\users\Desktop\AppData\Roaming\af1c832
    c:\users\Desktop\AppData\Roaming\b254f00e
    c:\users\Desktop\AppData\Roaming\b2f81783
    c:\users\Desktop\AppData\Roaming\b4e61bea
    c:\users\Desktop\AppData\Roaming\b592600b
    c:\users\Desktop\AppData\Roaming\b7e81e7
    c:\users\Desktop\AppData\Roaming\b848f6d8
    c:\users\Desktop\AppData\Roaming\b8530f2d
    c:\users\Desktop\AppData\Roaming\b9b5fd42
    c:\users\Desktop\AppData\Roaming\bbddf538
    c:\users\Desktop\AppData\Roaming\bbf4c325
    c:\users\Desktop\AppData\Roaming\bd647d71
    c:\users\Desktop\AppData\Roaming\bf3c1566
    c:\users\Desktop\AppData\Roaming\c0541eb6
    c:\users\Desktop\AppData\Roaming\c24630e0
    c:\users\Desktop\AppData\Roaming\c35a034c
    c:\users\Desktop\AppData\Roaming\c46d6b13
    c:\users\Desktop\AppData\Roaming\c5640c5c
    c:\users\Desktop\AppData\Roaming\c8feae72
    c:\users\Desktop\AppData\Roaming\c92752a
    c:\users\Desktop\AppData\Roaming\c958a10
    c:\users\Desktop\AppData\Roaming\ca2d1445
    c:\users\Desktop\AppData\Roaming\ca625864
    c:\users\Desktop\AppData\Roaming\cb24aa75
    c:\users\Desktop\AppData\Roaming\cb6d7bee
    c:\users\Desktop\AppData\Roaming\cd09cb25
    c:\users\Desktop\AppData\Roaming\cd8000d0
    c:\users\Desktop\AppData\Roaming\cde151b9
    c:\users\Desktop\AppData\Roaming\ce33e2c1
    c:\users\Desktop\AppData\Roaming\cf2c3336
    c:\users\Desktop\AppData\Roaming\cf72c69c
    c:\users\Desktop\AppData\Roaming\cf7d6a37
    c:\users\Desktop\AppData\Roaming\chrtmp
    c:\users\Desktop\AppData\Roaming\d0969c44
    c:\users\Desktop\AppData\Roaming\d09f4e7f
    c:\users\Desktop\AppData\Roaming\d19030c3
    c:\users\Desktop\AppData\Roaming\d28a6067
    c:\users\Desktop\AppData\Roaming\d2c6d69a
    c:\users\Desktop\AppData\Roaming\d2eb6fb4
    c:\users\Desktop\AppData\Roaming\d3a4b93a
    c:\users\Desktop\AppData\Roaming\d4493a08
    c:\users\Desktop\AppData\Roaming\d5c47c93
    c:\users\Desktop\AppData\Roaming\d635c736
    c:\users\Desktop\AppData\Roaming\d6f27a63
    c:\users\Desktop\AppData\Roaming\d8cae6ad
    c:\users\Desktop\AppData\Roaming\daee34a7
    c:\users\Desktop\AppData\Roaming\dc359bdf
    c:\users\Desktop\AppData\Roaming\dce30b55
    c:\users\Desktop\AppData\Roaming\dd54e89b
    c:\users\Desktop\AppData\Roaming\de0b0e37
    c:\users\Desktop\AppData\Roaming\df13d14f
    c:\users\Desktop\AppData\Roaming\dfa321f7
    c:\users\Desktop\AppData\Roaming\e092892b
    c:\users\Desktop\AppData\Roaming\e0b963b3
    c:\users\Desktop\AppData\Roaming\e196ec7
    c:\users\Desktop\AppData\Roaming\e1dae2f7
    c:\users\Desktop\AppData\Roaming\e2dec85f
    c:\users\Desktop\AppData\Roaming\e66269f
    c:\users\Desktop\AppData\Roaming\e780c75a
    c:\users\Desktop\AppData\Roaming\e7d8073b
    c:\users\Desktop\AppData\Roaming\e8915c65
    c:\users\Desktop\AppData\Roaming\e8adb1c4
    c:\users\Desktop\AppData\Roaming\e8fc5c12
    c:\users\Desktop\AppData\Roaming\e928d42e
    c:\users\Desktop\AppData\Roaming\e9c6b7fc
    c:\users\Desktop\AppData\Roaming\ea3cb8a2
    c:\users\Desktop\AppData\Roaming\eab870dc
    c:\users\Desktop\AppData\Roaming\eadb7c2f
    c:\users\Desktop\AppData\Roaming\eb3d40ee
    c:\users\Desktop\AppData\Roaming\ec44c5ca
    c:\users\Desktop\AppData\Roaming\ed02fb4b
    c:\users\Desktop\AppData\Roaming\ed43c43a
    c:\users\Desktop\AppData\Roaming\ee2000cb
    c:\users\Desktop\AppData\Roaming\ee9ffdce
    c:\users\Desktop\AppData\Roaming\ef316c03
    c:\users\Desktop\AppData\Roaming\efbdf0a5
    c:\users\Desktop\AppData\Roaming\f04e30cb
    c:\users\Desktop\AppData\Roaming\f15ff377
    c:\users\Desktop\AppData\Roaming\f1adf267
    c:\users\Desktop\AppData\Roaming\f25929ab
    c:\users\Desktop\AppData\Roaming\f2d34aad
    c:\users\Desktop\AppData\Roaming\f2e2a803
    c:\users\Desktop\AppData\Roaming\f40d9b1f
    c:\users\Desktop\AppData\Roaming\f439e845
    c:\users\Desktop\AppData\Roaming\f44d901b
    c:\users\Desktop\AppData\Roaming\f568b92c
    c:\users\Desktop\AppData\Roaming\f62a3dd9
    c:\users\Desktop\AppData\Roaming\f70b7ca4
    c:\users\Desktop\AppData\Roaming\f809a603
    c:\users\Desktop\AppData\Roaming\f819a2b9
    c:\users\Desktop\AppData\Roaming\f84a50a
    c:\users\Desktop\AppData\Roaming\f921bfb0
    c:\users\Desktop\AppData\Roaming\f9632998
    c:\users\Desktop\AppData\Roaming\fa142e2f
    c:\users\Desktop\AppData\Roaming\fbb65c86
    c:\users\Desktop\AppData\Roaming\fd30b46e
    c:\users\Desktop\AppData\Roaming\fd66a206
    c:\users\Desktop\AppData\Roaming\feb5582e
    c:\users\Desktop\AppData\Roaming\fecb4a58
    c:\users\Desktop\AppData\Roaming\msthnv.dll
    c:\users\Desktop\AppData\Roaming\nhcaps.dll
    c:\users\Desktop\AppData\Roaming\qmcts.dll
    c:\windows\assembly\GAC_32\Desktop.ini
    c:\windows\assembly\GAC_64\Desktop.ini
    c:\windows\Installer\{589e96b4-2f37-e487-882e-05eb34b2f5bb}\@
    c:\windows\Installer\{589e96b4-2f37-e487-882e-05eb34b2f5bb}\L\00000004.@
    c:\windows\Installer\{589e96b4-2f37-e487-882e-05eb34b2f5bb}\U\00000004.@
    c:\windows\Installer\{589e96b4-2f37-e487-882e-05eb34b2f5bb}\U\00000008.@
    c:\windows\Installer\{589e96b4-2f37-e487-882e-05eb34b2f5bb}\U\000000cb.@
    c:\windows\Installer\{589e96b4-2f37-e487-882e-05eb34b2f5bb}\U\80000000.@
    c:\windows\Installer\{589e96b4-2f37-e487-882e-05eb34b2f5bb}\U\80000032.@
    c:\windows\Installer\{589e96b4-2f37-e487-882e-05eb34b2f5bb}\U\80000064.@
    c:\windows\SysWow64\1065\inf1065.dat
    c:\windows\SysWow64\1077
    c:\windows\SysWow64\1077\inf1077.dat
    c:\windows\SysWow64\1079\inf1079.dat
    .
    ----- File Replicators -----
    .
    c:\windows\System32\usser.exe
    c:\windows\System32\ussser.exe
    c:\windows\System32\usssser.exe
    c:\windows\System32\ussssser.exe
    c:\windows\System32\usssssser.exe
    c:\windows\System32\ussssssser.exe
    c:\windows\System32\usssssssser.exe
    c:\windows\System32\ussssssssser.exe
    c:\windows\System32\usssssssssser.exe
    c:\windows\System32\ussssssssssser.exe
    c:\windows\System32\usssssssssssser.exe
    c:\windows\System32\ussssssssssssser.exe
    c:\windows\System32\usssssssssssssser.exe
    c:\windows\System32\ussssssssssssssser.exe
    c:\windows\System32\usssssssssssssssser.exe
    c:\windows\System32\ussssssssssssssssser.exe
    c:\windows\System32\usssssssssssssssssser.exe
    c:\windows\System32\ussssssssssssssssssser.exe
    c:\windows\System32\usssssssssssssssssssser.exe
    c:\windows\System32\ussssssssssssssssssssser.exe
    c:\windows\System32\usssssssssssssssssssssser.exe
    c:\windows\System32\ussssssssssssssssssssssser.exe
    c:\windows\System32\usssssssssssssssssssssssser.exe
    c:\windows\System32\ussssssssssssssssssssssssser.exe
    c:\windows\System32\usssssssssssssssssssssssssser.exe
    c:\windows\System32\ussssssssssssssssssssssssssser.exe
    c:\windows\SysWOW64\usser.exe
    c:\windows\SysWOW64\ussser.exe
    c:\windows\SysWOW64\usssser.exe
    c:\windows\SysWOW64\ussssser.exe
    c:\windows\SysWOW64\usssssser.exe
    c:\windows\SysWOW64\ussssssser.exe
    c:\windows\SysWOW64\usssssssser.exe
    c:\windows\SysWOW64\ussssssssser.exe
    c:\windows\SysWOW64\usssssssssser.exe
    c:\windows\SysWOW64\ussssssssssser.exe
    c:\windows\SysWOW64\usssssssssssser.exe
    c:\windows\SysWOW64\ussssssssssssser.exe
    c:\windows\SysWOW64\usssssssssssssser.exe
    c:\windows\SysWOW64\ussssssssssssssser.exe
    c:\windows\SysWOW64\usssssssssssssssser.exe
    c:\windows\SysWOW64\ussssssssssssssssser.exe
    c:\windows\SysWOW64\usssssssssssssssssser.exe
    c:\windows\SysWOW64\ussssssssssssssssssser.exe
    c:\windows\SysWOW64\usssssssssssssssssssser.exe
    c:\windows\SysWOW64\ussssssssssssssssssssser.exe
    c:\windows\SysWOW64\usssssssssssssssssssssser.exe
    c:\windows\SysWOW64\ussssssssssssssssssssssser.exe
    c:\windows\SysWOW64\usssssssssssssssssssssssser.exe
    c:\windows\SysWOW64\ussssssssssssssssssssssssser.exe
    c:\windows\SysWOW64\usssssssssssssssssssssssssser.exe
    c:\windows\SysWOW64\ussssssssssssssssssssssssssser.exe
    .
    Infected copy of c:\windows\system32\services.exe was found and disinfected
    Restored copy from - c:\32788r22fwjfw\HarddiskVolumeShadowCopy2_!Windows!System32!services.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-07-14 to 2012-08-14 )))))))))))))))))))))))))))))))
    .
    .
    2012-08-14 12:18 . 2012-08-14 12:18--------d-----w-c:\users\Default\AppData\Local\temp
    2012-08-14 10:11 . 2012-08-14 10:20--------d-----w-c:\users\Desktop\AppData\Roaming\Wise Registry Cleaner
    2012-08-11 13:29 . 2012-08-11 13:29--------d-----w-c:\users\Desktop\AppData\Local\SymbolSourceSymbols
    2012-08-11 13:29 . 2012-08-11 13:29--------d-----w-c:\users\Desktop\AppData\Local\RefSrcSymbols
    2012-08-11 13:29 . 2012-08-11 13:29--------d-----w-c:\users\Desktop\AppData\Local\JetBrains
    2012-08-11 13:29 . 2012-08-11 13:29--------d-----w-c:\users\Desktop\AppData\Roaming\JetBrains
    2012-08-11 13:00 . 2012-08-11 13:00--------d-----w-c:\windows\SysWow64\1082
    2012-08-11 13:00 . 2012-08-11 13:00679936----a-w-c:\windows\system32\Rede1389.scr
    2012-08-11 13:00 . 2012-08-11 13:00679936------w-c:\windows\SysWow64\Rede1389.scr
    2012-08-11 13:00 . 2012-08-11 13:00--------d-----w-c:\programdata\Screentime
    2012-08-11 13:00 . 2012-08-11 13:00--------d-----w-c:\users\Desktop\AppData\Local\Screentime
    2012-08-11 12:57 . 2012-08-11 12:57--------d-----w-c:\windows\SysWow64\1081
    2012-08-11 12:41 . 2012-08-11 12:47--------d-----w-c:\program files (x86)\Free Registry Cleaner For Seven
    2012-08-11 09:39 . 2012-08-11 09:39--------d-----w-c:\windows\SysWow64\1080
    2012-08-11 08:46 . 2012-08-14 12:17--------d-----w-c:\windows\SysWow64\1079
    2012-08-11 08:33 . 2012-08-11 08:41--------d-----w-c:\users\Desktop\AppData\Roaming\Error Fix
    2012-08-11 08:10 . 2012-08-11 08:10--------d-----w-c:\windows\ehome
    2012-08-11 08:10 . 2012-08-11 08:10--------d-----w-c:\users\Default\AppData\Roaming\Media Center Programs
    2012-08-11 08:01 . 2012-08-11 08:01--------d-----w-c:\windows\SysWow64\1078
    2012-08-11 07:52 . 2012-08-11 07:52--------d-----w-c:\windows\SysWow64\1076
    2012-08-10 09:47 . 2012-08-10 09:47--------d-----w-c:\windows\SysWow64\1075
    2012-08-10 09:33 . 2012-08-10 09:33--------d-----w-c:\windows\SysWow64\1074
    2012-08-10 09:08 . 2012-08-10 09:08--------d-----w-c:\windows\SysWow64\1073
    2012-08-10 09:05 . 2012-08-10 09:05--------d-----w-c:\windows\SysWow64\1072
    2012-08-10 08:53 . 2012-08-10 08:53--------d-----w-c:\windows\SysWow64\1071
    2012-08-10 08:34 . 2012-08-10 08:34--------d-----w-c:\windows\SysWow64\1070
    2012-08-10 08:32 . 2012-08-10 08:32--------d-----w-c:\users\Desktop\AppData\Roaming\flashInstall
    2012-08-10 07:08 . 2012-08-10 07:09--------d-----w-c:\users\Desktop\AppData\Roaming\PE Explorer
    2012-08-10 06:38 . 2012-08-10 06:38--------d-----w-c:\windows\SysWow64\1069
    2012-08-10 06:30 . 2012-08-10 06:30--------d-----w-c:\windows\SysWow64\1068
    2012-08-10 06:19 . 2012-08-10 06:19--------d-----w-c:\windows\SysWow64\1067
    2012-08-10 06:18 . 2012-08-10 06:18--------d-----w-c:\windows\SysWow64\1066
    2012-08-10 06:15 . 2012-08-14 12:17--------d-----w-c:\windows\SysWow64\1065
    2012-08-09 11:26 . 2012-08-09 11:26--------d-----w-c:\windows\SysWow64\1064
    2012-08-09 10:24 . 2012-08-09 10:24--------d-----w-c:\windows\SysWow64\1063
    2012-08-09 10:24 . 2012-08-09 10:24--------d-----w-c:\windows\SysWow64\1062
    2012-08-09 10:10 . 2012-08-09 10:10--------d-----w-c:\windows\SysWow64\1061
    2012-08-09 10:09 . 2012-08-09 10:09--------d-----w-c:\windows\SysWow64\1060
    2012-08-09 10:01 . 2012-08-09 10:01--------d-----w-c:\windows\SysWow64\1059
    2012-08-09 10:00 . 2012-08-09 10:00--------d-----w-c:\windows\SysWow64\1058
    2012-08-09 09:59 . 2012-08-09 09:59--------d-----w-c:\windows\SysWow64\1057
    2012-08-06 10:56 . 2011-11-09 12:08189608----a-w-c:\windows\system32\IPROSetMonitor.exe
    2012-08-06 10:56 . 2012-08-06 10:56--------d-----w-c:\program files\Intel
    2012-08-06 10:54 . 2012-02-01 21:13509104----a-w-c:\windows\system32\drivers\e1k62x64.sys
    2012-08-06 10:54 . 2012-01-19 21:1199520----a-w-c:\windows\system32\NicInstK.dll
    2012-08-06 10:54 . 2012-01-18 21:0768264----a-w-c:\windows\system32\e1kmsg.dll
    2012-08-02 14:33 . 2012-06-18 08:0419032------w-c:\windows\system32\pwdrvio.sys
    2012-08-02 14:33 . 2012-06-18 08:042966720----a-w-c:\windows\system32\pwNative.exe
    2012-08-02 14:33 . 2012-06-18 08:0412384------w-c:\windows\system32\pwdspio.sys
    2012-08-01 13:20 . 2012-08-03 02:56--------d-----w-c:\users\Desktop\.android
    2012-08-01 13:12 . 2012-08-01 13:12--------d-----w-c:\program files\Oracle
    2012-08-01 13:12 . 2012-08-01 13:11268784----a-w-c:\windows\system32\javaws.exe
    2012-08-01 13:12 . 2012-08-01 13:11189424----a-w-c:\windows\system32\javaw.exe
    2012-08-01 13:12 . 2012-08-01 13:11188912----a-w-c:\windows\system32\java.exe
    2012-08-01 13:10 . 2012-08-01 13:11--------d-----w-c:\program files\Java
    2012-08-01 13:10 . 2012-08-02 14:04--------d-----w-c:\users\Desktop\jdk1.7.0_05_combo
    2012-07-27 13:39 . 2012-08-02 18:03--------d-----w-c:\programdata\LGMOBILEAX
    2012-07-26 11:49 . 2012-07-26 11:55--------d-----w-c:\program files (x86)\YourFileDownloader
    2012-07-26 11:49 . 2012-07-26 11:49--------d-----w-c:\users\Desktop\AppData\Roaming\YourFileDownloader
    2012-07-26 11:21 . 2012-07-26 11:21--------d-----w-c:\program files (x86)\uTorrent
    2012-07-25 15:15 . 2012-07-25 15:15--------d-----w-c:\program files (x86)\LG Electronics
    2012-07-25 14:31 . 2012-08-02 18:33--------d-----w-c:\users\Desktop\AppData\Roaming\LG Electronics
    2012-07-25 14:30 . 2012-07-25 14:30--------d-----w-c:\users\Desktop\AppData\Local\LG Electronics
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-08-13 10:36 . 2012-04-04 06:17426184----a-w-c:\windows\SysWow64\FlashPlayerApp.exe
    2012-08-13 10:36 . 2011-06-02 02:3970344----a-w-c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-07-09 06:36 . 2009-07-13 23:19328704----a-w-c:\windows\system32\services.exe
    2012-07-03 08:16 . 2011-06-14 07:2924904----a-w-c:\windows\system32\drivers\mbam.sys
    2012-06-06 04:06 . 2012-06-06 04:062174976----a-w-c:\program files (x86)\Common Files\atimpenc.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{0BC6E3FA-78EF-4886-842C-5A1258C4455A}"= "mscoree.dll" [2010-11-05 297808]
    .
    [HKEY_CLASSES_ROOT\clsid\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
    [HKEY_CLASSES_ROOT\agihelper.AGUtils]
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
    2010-11-05 01:58297808----a-w-c:\windows\System32\mscoree.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
    "Smart File Advisor"="c:\program files (x86)\Smart File Advisor\sfa.exe" [2011-04-04 280824]
    "RoxWatchTray"="c:\program files (x86)\Common Files\Roxio Shared\13.0\SharedCOM\RoxWatchTray13.exe" [2010-07-16 307184]
    "CPMonitor"="c:\program files (x86)\Roxio 2011\5.0\CPMonitor.exe" [2010-07-13 84464]
    "Desktop Disc Tool"="c:\program files (x86)\Roxio 2011\Roxio Burn\RoxioBurnLauncher.exe" [2010-06-30 477680]
    "Malwarebytes' Anti-Malware"="d:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
    .
    c:\users\Desktop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Webshots.lnk - c:\program files (x86)\Webshots\3.1.5.7619\Launcher.exe [2011-9-12 157088]
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 MBAMService;MBAMService;d:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944]
    R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\13.0\SharedCOM\RoxWatch13.exe [2010-07-16 354288]
    R2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2009-12-09 2320920]
    R3 andnetadb;ADB Interface DriverNet;c:\windows\system32\Drivers\lgandnetadb.sys [2012-03-06 31744]
    R3 AndNetDiag;LGE AndroidNet USB Serial Port;c:\windows\system32\DRIVERS\lgandnetdiag64.sys [2012-03-06 29184]
    R3 ANDNetModem;LGE AndroidNet USB Modem;c:\windows\system32\DRIVERS\lgandnetmodem64.sys [2012-03-06 36352]
    R3 andnetndis;LGE AndroidNet NDIS Ethernet Adapter;c:\windows\system32\DRIVERS\lgandnetndis64.sys [2012-03-06 93184]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904]
    R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-05-08 129976]
    R3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2012-06-18 19032]
    R3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2012-06-18 12384]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 20992]
    R3 RoxMediaDB13;RoxMediaDB13;c:\program files (x86)\Common Files\Roxio Shared\13.0\SharedCOM\RoxMediaDB13.exe [2010-07-16 1099248]
    R3 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
    R3 Synth3dVsc;Synth3dVsc; [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
    R3 tsusbhub;tsusbhub; [x]
    R3 VGPU;VGPU; [x]
    R3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\DRIVERS\vpcuxd.sys [2010-11-20 16384]
    R3 vvftav303;vvftav303;c:\windows\system32\drivers\vvftav303.sys [2007-03-18 301824]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-12-05 1255736]
    R3 ZSMC0303;INTEX Game Camera;c:\windows\system32\Drivers\usbVM303.sys [2007-03-25 1494656]
    R4 Ireniceaesse;Ireniceaesse; [x]
    S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2010-03-18 55856]
    S0 Sahdad64;HDD Filter Driver;c:\windows\System32\Drivers\Sahdad64.sys [2009-06-01 27120]
    S0 Saibad64;Volume Filter Driver;c:\windows\System32\Drivers\Saibad64.sys [2009-06-01 19952]
    S1 SaibVdAd64;Virtual Disk Driver;c:\windows\system32\Drivers\SaibVdAd64.sys [2009-06-01 27632]
    S2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files (x86)\Roxio\BackOnTrack\App\SaibSVC.exe [2009-06-02 457200]
    S2 AGCoreService;AG Core Services;c:\program files (x86)\AGI\core\4.2.0.10754\AGCoreService.exe [2010-06-29 20480]
    S2 BOT4Service;BOT4Service;c:\program files (x86)\Roxio\BackOnTrack\App\BService.exe [2010-07-13 32240]
    S2 Intel(R) PROSet Monitoring Service;Intel(R) PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [2011-11-09 189608]
    S3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k62x64.sys [2012-02-01 509104]
    S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]
    S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-02-03 271872]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-06-30 c:\windows\Tasks\SidebarExecute.job
    - c:\program files\Windows Sidebar\sidebar.exe [2011-04-09 13:25]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-11 162328]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-11 386584]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-11 417304]
    "RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-07-07 12558440]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.google.co.in/
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
    TCP: Interfaces\{C3D5A4FB-98D0-46EC-8865-32390EE39FB8}: NameServer = 208.67.222.222,208.67.220.220
    FF - ProfilePath - c:\users\Desktop\AppData\Roaming\Mozilla\Firefox\Profiles\zpqxsszw.default\
    FF - prefs.js: browser.startup.homepage - www.google.co.in
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Wow6432Node-HKCU-Run-whtpd - (no file)
    Wow6432Node-HKCU-Run-nhcaps - (no file)
    Wow6432Node-HKCU-Run-qmcts - (no file)
    Wow6432Node-HKCU-Run-msthnv - (no file)
    Wow6432Node-HKCU-Run-wladmg - (no file)
    WebBrowser-{7B13EC3E-999A-4B70-B9CB-2617B8323822} - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    HKLM-Run-msthnv - (no file)
    HKLM-Run-wladmg - (no file)
    AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_268_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_268_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\McAfee]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
    .
    [HKEY_LOCAL_MACHINE\software\Network Associates]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    .
    **************************************************************************
    .
    Completion time: 2012-08-14 17:52:30 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-08-14 12:22
    .
    Pre-Run: 64,696,188,928 bytes free
    Post-Run: 64,522,870,784 bytes free
    .
    - - End Of File - - DBDDD338056EA51EA6BCCAF12E7952E9
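The ComboFix section above ends with a list of registry keys carrying explicit `@Denied` entries, and the DDS event log posted next shows the Base Filtering Engine, Windows Firewall and IPsec services failing with "Access is denied" and "The specified service does not exist as an installed service". Both are permission and service-registration problems that can be checked directly rather than inferred from the tool output. The following PowerShell is an added example for this thread, not code from ComboFix, DDS or the poster. It assumes Windows 7 x64 or later, an elevated PowerShell prompt, and the key and service names were copied by hand from the logs (the script does not parse the logs itself).

```powershell
# Added example for this thread (not from ComboFix, DDS or the poster).
# Assumptions: Windows 7 x64 or later, run from an elevated PowerShell; the key and
# service names below were copied from the posted logs by hand, not parsed from them.

# --- 1. Decode the codes DDS prints as signed decimals, e.g. %%-2147024891 ---
function Convert-DdsErrorCode {
    param([Parameter(Mandatory)][long]$Code)
    $hr = [uint32]($Code -band 4294967295)          # reinterpret as an unsigned 32-bit HRESULT
    $text = '0x{0:X8}' -f $hr
    if (($hr -shr 16) -eq 0x8007) {                 # FACILITY_WIN32: low 16 bits hold the Win32 error
        $win32 = [int]($hr -band 0xFFFF)
        $msg = (New-Object System.ComponentModel.Win32Exception($win32)).Message
        $text += ' = Win32 {0}: {1}' -f $win32, $msg
    }
    return $text
}
Convert-DdsErrorCode -2147024891    # the %%-2147024891 value in the event log: E_ACCESSDENIED (Win32 5)
Convert-DdsErrorCode 0x80070424     # the code this thread is about: ERROR_SERVICE_DOES_NOT_EXIST (Win32 1060)

# --- 2. Registry keys ComboFix listed with "@Denied" entries: list their Deny ACEs ---
$lockedKeys = @(
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}'
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}'
    'HKLM:\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}'
    'HKLM:\SYSTEM\ControlSet001\Control\PCW\Security'
)
foreach ($key in $lockedKeys) {
    try {
        $acl = Get-Acl -LiteralPath $key -ErrorAction Stop
    } catch {
        # A Deny ACE that also covers READ_CONTROL stops even an admin reading the DACL;
        # that failure is itself the finding (take ownership first if you need the detail).
        Write-Warning ('{0}: cannot read ACL ({1})' -f $key, $_.Exception.Message)
        continue
    }
    foreach ($ace in ($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })) {
        '{0}  DENY {1} to {2}' -f $key, $ace.RegistryRights, $ace.IdentityReference
    }
}

# --- 3. Service DACLs for the services the event log shows failing ---
# Short names: Base Filtering Engine = BFE, Windows Firewall = MpsSvc, Windows Defender = WinDefend,
# IPsec Policy Agent = PolicyAgent, IKE and AuthIP IPsec Keying Modules = IKEEXT.
$services = 'BFE', 'MpsSvc', 'WinDefend', 'PolicyAgent', 'IKEEXT'
foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        # A missing registration is exactly what the SCM reports as 1060 / 0x80070424.
        '{0,-12} NOT INSTALLED (SCM error 1060 = 0x80070424)' -f $name
        continue
    }
    # sc.exe (the executable, not the Set-Content alias) prints the service DACL as SDDL;
    # any "(D;...)" ACE in it is an explicit deny.
    $sddl = (& sc.exe sdshow $name | Where-Object { $_ -match '^D:' }) -join ''
    $denies = [regex]::Matches($sddl, '\(D;[^)]*\)') | ForEach-Object { $_.Value }
    '{0,-12} {1,-8} deny ACEs: {2}' -f $name, $svc.Status, $(if ($denies) { $denies -join ' ' } else { 'none' })
}
```

The script only reads; it changes no permissions. Deny-to-Everyone entries on the Flash CLSID and Interface keys are set by the Flash installer to keep those registrations from being overwritten, and the PCW\Security key is restricted by Windows itself, so those lines are usually not the problem. The entries worth acting on are a Deny ACE in a service's SDDL, or a service that Get-Service cannot find at all, because either one produces the "Access is denied" and 0x80070424 failures seen in the event log.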
     
  2. krazeefly (TS Member, Topic Starter)

    This is the GMER log file.

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-08-16 13:05:52
    Windows 6.1.7601 Service Pack 1
    Running: jd5fjk2p.exe


    ---- Registry - GMER 1.0.15 ----

    Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@E:\Games\Redemption Cemetery Grave Testimony Collector’s Edition Setup.exe 1
    Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@E:\Games\Redemption Cemetery Grave Testimony Collector’s Edition Setup\RedemptionCemetery3_GraveTestimonyCE.exe 8
    Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@E:\Games\Redemption Cemetery Grave Testimony Collector’s Edition Setup\flashInstall.exe 1
    Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\Desktop\Desktop\Redemption Cemetery Grave Testimony Collector’s Edition Setup\RedemptionCemetery3_GraveTestimonyCE.exe 8

    ---- EOF - GMER 1.0.15 ----

    The DDS log file, with both DDS and Attach.

    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.5.1
    Run by Desktop at 13:06:51 on 2012-08-16
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3893.2363 [GMT 5.5:30]
    .
    AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Program Files (x86)\Roxio\BackOnTrack\App\SaibSVC.exe
    C:\Program Files (x86)\AGI\core\4.2.0.10754\AGCoreService.exe
    D:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
    C:\Program Files (x86)\Roxio\BackOnTrack\App\BService.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\IProsetMonitor.exe
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\PROGRA~2\Webshots\315~1.761\webshots.scr
    C:\Program Files (x86)\Roxio 2011\5.0\CPMonitor.exe
    C:\Program Files (x86)\Roxio 2011\Roxio Burn\RoxioBurnLauncher.exe
    D:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
    D:\Program Files (x86)\AVG\AVG2012\avgtray.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Users\Desktop\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Desktop\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Desktop\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Desktop\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Desktop\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Desktop\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Desktop\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Desktop\AppData\Local\Google\Chrome\Application\chrome.exe
    D:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
    C:\Users\Desktop\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Desktop\AppData\Local\Google\Chrome\Application\chrome.exe
    D:\Program Files (x86)\AVG\AVG2012\avgcfgex.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\cscript.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.co.in/
    uURLSearchHooks: agihelper.AGUtils: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll
    BHO: agihelper.AGUtils: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: AVG Do Not Track: {31332eef-cb9f-458f-afeb-d30e9a66b6ba} - D:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
    BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
    BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
    BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
    TB: {7B13EC3E-999A-4B70-B9CB-2617B8323822} - No File
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
    mRun: [Smart File Advisor] "C:\Program Files (x86)\Smart File Advisor\sfa.exe" /checkassoc
    mRun: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\13.0\SharedCOM\RoxWatchTray13.exe"
    mRun: [CPMonitor] "C:\Program Files (x86)\Roxio 2011\5.0\CPMonitor.exe"
    mRun: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio 2011\Roxio Burn\RoxioBurnLauncher.exe"
    mRun: [Malwarebytes' Anti-Malware] "D:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    mRun: [AVG_TRAY] "D:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
    StartupFolder: C:\Users\Desktop\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Webshots.lnk - C:\Program Files (x86)\Webshots\3.1.5.7619\Launcher.exe
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
    IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - D:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
    LSP: mswsock.dll
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} - hxxp://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
    DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.5.5.0.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
    TCP: Interfaces\{C3D5A4FB-98D0-46EC-8865-32390EE39FB8} : NameServer = 208.67.222.222,208.67.220.220
    TCP: Interfaces\{C3D5A4FB-98D0-46EC-8865-32390EE39FB8} : DhcpNameServer = 192.168.1.1 192.168.1.1
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files (x86)\AVG\AVG2012\avgpp.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
    BHO-X64: agihelper.AGUtils: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll
    BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO-X64: AcroIEHelperStub - No File
    BHO-X64: AVG Do Not Track: {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - D:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
    BHO-X64: AVG Do Not Track - No File
    BHO-X64: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
    BHO-X64: Increase performance and video formats for your HTML5 <video> - No File
    BHO-X64: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
    BHO-X64: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
    TB-X64: {7B13EC3E-999A-4B70-B9CB-2617B8323822} - No File
    TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    mRun-x64: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
    mRun-x64: [Smart File Advisor] "C:\Program Files (x86)\Smart File Advisor\sfa.exe" /checkassoc
    mRun-x64: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\13.0\SharedCOM\RoxWatchTray13.exe"
    mRun-x64: [CPMonitor] "C:\Program Files (x86)\Roxio 2011\5.0\CPMonitor.exe"
    mRun-x64: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio 2011\Roxio Burn\RoxioBurnLauncher.exe"
    mRun-x64: [Malwarebytes' Anti-Malware] "D:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    mRun-x64: [AVG_TRAY] "D:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSHA;AVGIDSHA;C:\Windows\system32\DRIVERS\avgidsha.sys --> C:\Windows\system32\DRIVERS\avgidsha.sys [?]
    R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\system32\DRIVERS\avgrkx64.sys --> C:\Windows\system32\DRIVERS\avgrkx64.sys [?]
    R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
    R0 Sahdad64;HDD Filter Driver;C:\Windows\system32\Drivers\Sahdad64.sys --> C:\Windows\system32\Drivers\Sahdad64.sys [?]
    R0 Saibad64;Volume Filter Driver;C:\Windows\system32\Drivers\Saibad64.sys --> C:\Windows\system32\Drivers\Saibad64.sys [?]
    R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\system32\DRIVERS\avgldx64.sys --> C:\Windows\system32\DRIVERS\avgldx64.sys [?]
    R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\system32\DRIVERS\avgmfx64.sys --> C:\Windows\system32\DRIVERS\avgmfx64.sys [?]
    R1 Avgtdia;AVG TDI Driver;C:\Windows\system32\DRIVERS\avgtdia.sys --> C:\Windows\system32\DRIVERS\avgtdia.sys [?]
    R1 SaibVdAd64;Virtual Disk Driver;C:\Windows\system32\Drivers\SaibVdAd64.sys --> C:\Windows\system32\Drivers\SaibVdAd64.sys [?]
    R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;C:\Program Files (x86)\Roxio\BackOnTrack\App\SaibSVC.exe [2009-6-2 457200]
    R2 AGCoreService;AG Core Services;C:\Program Files (x86)\AGI\core\4.2.0.10754\AGCoreService.exe [2011-9-12 20480]
    R2 avgwd;AVG WatchDog;D:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe [2012-2-14 193288]
    R2 BOT4Service;BOT4Service;C:\Program Files (x86)\Roxio\BackOnTrack\App\BService.exe [2010-7-14 32240]
    R2 Intel(R) PROSet Monitoring Service;Intel(R) PROSet Monitoring Service;C:\Windows\system32\IProsetMonitor.exe --> C:\Windows\system32\IProsetMonitor.exe [?]
    R2 MBAMService;MBAMService;D:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-7-12 655944]
    R2 UNS;Intel(R) Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2011-2-21 2320920]
    R3 AVGIDSDriver;AVGIDSDriver;C:\Windows\system32\DRIVERS\avgidsdrivera.sys --> C:\Windows\system32\DRIVERS\avgidsdrivera.sys [?]
    R3 AVGIDSFilter;AVGIDSFilter;C:\Windows\system32\DRIVERS\avgidsfiltera.sys --> C:\Windows\system32\DRIVERS\avgidsfiltera.sys [?]
    R3 HECIx64;Intel(R) Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
    R3 IntcDAud;Intel(R) Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]
    R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
    S2 AVGIDSAgent;AVGIDSAgent;D:\Program Files (x86)\AVG\AVG2012\avgidsagent.exe [2012-7-4 5160568]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S2 RoxWatch12;Roxio Hard Drive Watcher 12;C:\Program Files (x86)\Common Files\Roxio Shared\13.0\SharedCOM\RoxWatch13.exe [2010-7-16 354288]
    S3 andnetadb;ADB Interface DriverNet;C:\Windows\system32\Drivers\lgandnetadb.sys --> C:\Windows\system32\Drivers\lgandnetadb.sys [?]
    S3 AndNetDiag;LGE AndroidNet USB Serial Port;C:\Windows\system32\DRIVERS\lgandnetdiag64.sys --> C:\Windows\system32\DRIVERS\lgandnetdiag64.sys [?]
    S3 ANDNetModem;LGE AndroidNet USB Modem;C:\Windows\system32\DRIVERS\lgandnetmodem64.sys --> C:\Windows\system32\DRIVERS\lgandnetmodem64.sys [?]
    S3 andnetndis;LGE AndroidNet NDIS Ethernet Adapter;C:\Windows\system32\DRIVERS\lgandnetndis64.sys --> C:\Windows\system32\DRIVERS\lgandnetndis64.sys [?]
    S3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;C:\Windows\system32\DRIVERS\e1k62x64.sys --> C:\Windows\system32\DRIVERS\e1k62x64.sys [?]
    S3 pwdrvio;pwdrvio;\??\C:\Windows\system32\pwdrvio.sys --> C:\Windows\system32\pwdrvio.sys [?]
    S3 pwdspio;pwdspio;\??\C:\Windows\system32\pwdspio.sys --> C:\Windows\system32\pwdspio.sys [?]
    S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
    S3 RoxMediaDB13;RoxMediaDB13;C:\Program Files (x86)\Common Files\Roxio Shared\13.0\SharedCOM\RoxMediaDB13.exe [2010-7-16 1099248]
    S3 SwitchBoard;SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
    S3 vpcuxd;USB Virtualization Stub Service;C:\Windows\system32\DRIVERS\vpcuxd.sys --> C:\Windows\system32\DRIVERS\vpcuxd.sys [?]
    S3 vvftav303;vvftav303;C:\Windows\system32\drivers\vvftav303.sys --> C:\Windows\system32\drivers\vvftav303.sys [?]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
    S3 ZSMC0303;INTEX Game Camera;C:\Windows\system32\Drivers\usbVM303.sys --> C:\Windows\system32\Drivers\usbVM303.sys [?]
    .
    =============== Created Last 30 ================
    .
    2012-08-15 08:11:52 -------- d-----w- C:\Users\Desktop\AppData\Roaming\AVG2012
    2012-08-15 08:10:48 -------- d-----w- C:\Windows\SysWow64\drivers\AVG
    2012-08-15 08:10:16 -------- d--h--w- C:\$AVG
    2012-08-15 08:10:16 -------- d-----w- C:\Windows\System32\drivers\AVG
    2012-08-15 08:10:16 -------- d-----w- C:\ProgramData\AVG2012
    2012-08-15 08:07:36 -------- d--h--w- C:\ProgramData\Common Files
    2012-08-15 08:07:35 -------- d-----w- C:\ProgramData\MFAData
    2012-08-15 06:21:14 9133488 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{31259DA6-BF84-4755-8713-068D445F5CAA}\mpengine.dll
    2012-08-15 05:49:22 2622464 ----a-w- C:\Windows\System32\wucltux.dll
    2012-08-15 05:49:11 99840 ----a-w- C:\Windows\System32\wudriver.dll
    2012-08-15 05:49:01 36864 ----a-w- C:\Windows\System32\wuapp.exe
    2012-08-15 05:49:01 186752 ----a-w- C:\Windows\System32\wuwebv.dll
    2012-08-14 15:56:08 -------- d-sh--w- C:\$RECYCLE.BIN
    2012-08-14 12:12:57 98816 ----a-w- C:\Windows\sed.exe
    2012-08-14 12:12:57 518144 ----a-w- C:\Windows\SWREG.exe
    2012-08-14 12:12:57 256000 ----a-w- C:\Windows\PEV.exe
    2012-08-14 12:12:57 208896 ----a-w- C:\Windows\MBR.exe
    2012-08-11 13:29:50 -------- d-----w- C:\Users\Desktop\AppData\Local\SymbolSourceSymbols
    2012-08-11 13:29:50 -------- d-----w- C:\Users\Desktop\AppData\Local\RefSrcSymbols
    2012-08-11 13:29:49 -------- d-----w- C:\Users\Desktop\AppData\Local\JetBrains
    2012-08-11 13:29:48 -------- d-----w- C:\Users\Desktop\AppData\Roaming\JetBrains
    2012-08-11 13:00:53 -------- d-----w- C:\Windows\SysWow64\1082
    2012-08-11 13:00:23 679936 ----a-w- C:\Windows\System32\Rede1389.scr
    2012-08-11 13:00:22 679936 ------w- C:\Windows\SysWow64\Rede1389.scr
    2012-08-11 13:00:22 -------- d-----w- C:\ProgramData\Screentime
    2012-08-11 13:00:19 -------- d-----w- C:\Users\Desktop\AppData\Local\Screentime
    2012-08-11 12:57:45 -------- d-----w- C:\Windows\SysWow64\1081
    2012-08-11 09:39:35 -------- d-----w- C:\Windows\SysWow64\1080
    2012-08-11 08:46:39 -------- d-----w- C:\Windows\SysWow64\1079
    2012-08-11 08:10:06 -------- d-----w- C:\Windows\ehome
    2012-08-11 08:01:14 -------- d-----w- C:\Windows\SysWow64\1078
    2012-08-11 07:52:55 -------- d-----w- C:\Windows\SysWow64\1076
    2012-08-10 09:47:56 -------- d-----w- C:\Windows\SysWow64\1075
    2012-08-10 09:33:56 -------- d-----w- C:\Windows\SysWow64\1074
    2012-08-10 09:08:18 -------- d-----w- C:\Windows\SysWow64\1073
    2012-08-10 09:05:34 -------- d-----w- C:\Windows\SysWow64\1072
    2012-08-10 08:53:07 -------- d-----w- C:\Windows\SysWow64\1071
    2012-08-10 08:34:01 -------- d-----w- C:\Windows\SysWow64\1070
    2012-08-10 08:32:15 -------- d-----w- C:\Users\Desktop\AppData\Roaming\flashInstall
    2012-08-10 07:08:40 -------- d-----w- C:\Users\Desktop\AppData\Roaming\PE Explorer
    2012-08-10 06:38:06 -------- d-----w- C:\Windows\SysWow64\1069
    2012-08-10 06:30:09 -------- d-----w- C:\Windows\SysWow64\1068
    2012-08-10 06:19:07 -------- d-----w- C:\Windows\SysWow64\1067
    2012-08-10 06:18:24 -------- d-----w- C:\Windows\SysWow64\1066
    2012-08-10 06:15:11 -------- d-----w- C:\Windows\SysWow64\1065
    2012-08-09 11:26:40 -------- d-----w- C:\Windows\SysWow64\1064
    2012-08-09 10:24:54 -------- d-----w- C:\Windows\SysWow64\1063
    2012-08-09 10:24:37 -------- d-----w- C:\Windows\SysWow64\1062
    2012-08-09 10:10:43 -------- d-----w- C:\Windows\SysWow64\1061
    2012-08-09 10:09:34 -------- d-----w- C:\Windows\SysWow64\1060
    2012-08-09 10:01:14 -------- d-----w- C:\Windows\SysWow64\1059
    2012-08-09 10:00:14 -------- d-----w- C:\Windows\SysWow64\1058
    2012-08-09 09:59:49 -------- d-----w- C:\Windows\SysWow64\1057
    2012-08-06 10:56:41 189608 ----a-w- C:\Windows\System32\IPROSetMonitor.exe
    2012-08-06 10:54:03 99520 ----a-w- C:\Windows\System32\NicInstK.dll
    2012-08-06 10:54:03 68264 ----a-w- C:\Windows\System32\e1kmsg.dll
    2012-08-06 10:54:03 509104 ----a-w- C:\Windows\System32\drivers\e1k62x64.sys
    2012-08-02 14:33:55 2966720 ----a-w- C:\Windows\System32\pwNative.exe
    2012-08-02 14:33:55 19032 ------w- C:\Windows\System32\pwdrvio.sys
    2012-08-02 14:33:54 12384 ------w- C:\Windows\System32\pwdspio.sys
    2012-08-01 13:20:43 -------- d-----w- C:\Users\Desktop\.android
    2012-08-01 13:12:43 -------- d-----w- C:\Program Files\Oracle
    2012-08-01 13:10:34 -------- d-----w- C:\Users\Desktop\jdk1.7.0_05_combo
    2012-07-27 13:39:10 -------- d-----w- C:\ProgramData\LGMOBILEAX
    2012-07-26 11:49:06 -------- d-----w- C:\Users\Desktop\AppData\Roaming\YourFileDownloader
    2012-07-26 11:49:06 -------- d-----w- C:\Program Files (x86)\YourFileDownloader
    2012-07-25 15:15:28 -------- d-----w- C:\Program Files (x86)\LG Electronics
    2012-07-25 14:31:06 -------- d-----w- C:\Users\Desktop\AppData\Roaming\LG Electronics
    2012-07-25 14:30:49 -------- d-----w- C:\Users\Desktop\AppData\Local\LG Electronics
    .
    ==================== Find3M ====================
    .
    2012-08-16 04:37:39 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-08-16 04:37:39 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
    2012-07-09 06:36:12 329216 ----a-w- C:\Windows\System32\services.exe
    2012-07-03 08:16:44 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2012-06-06 04:06:50 2174976 ----a-w- C:\Program Files (x86)\Common Files\atimpenc.dll
    2012-05-31 06:55:12 279656 ------w- C:\Windows\System32\MpSigStub.exe
    .
    ============= FINISH: 13:07:14.69 ===============

    The Attach log file.

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Ultimate
    Boot Device: \Device\HarddiskVolume1
    Install Date: 21-Feb-11 6:24:04 PM
    System Uptime: 16-Aug-12 12:46:38 PM (1 hours ago)
    .
    Motherboard: Intel Corporation | | DH55TC
    Processor: Intel(R) Core(TM) i3 CPU 540 @ 3.07GHz | XU1 | 3059/533mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 116 GiB total, 61.883 GiB free.
    D: is FIXED (NTFS) - 116 GiB total, 106.564 GiB free.
    E: is FIXED (NTFS) - 233 GiB total, 206.682 GiB free.
    F: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Intel(R) 82578DC Gigabit Network Connection
    Device ID: PCI\VEN_8086&DEV_10F0&SUBSYS_00368086&REV_06\3&11583659&0&C8
    Manufacturer: Intel
    Name: Intel(R) 82578DC Gigabit Network Connection
    PNP Device ID: PCI\VEN_8086&DEV_10F0&SUBSYS_00368086&REV_06\3&11583659&0&C8
    Service: e1kexpress
    .
    ==== System Restore Points ===================
    .
    RP258: 15-Aug-12 1:39:19 PM - Installed AVG 2012
    RP259: 15-Aug-12 1:39:54 PM - Installed AVG 2012
    .
    ==== Installed Programs ======================
    .
    Update for Microsoft Office 2007 (KB2508958)
    4Media Ringtone Maker
    7-Zip 9.22beta
    Adobe AIR
    Adobe Community Help
    Adobe Connect Add-in
    Adobe Digital Editions
    Adobe Flash Player 11 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Media Player
    Adobe PageMaker 7.0
    Adobe Photoshop CS5
    Adobe Reader 9.4.3
    Adobe Shockwave Player 11.5
    Advanced Video Compressor 2012
    Avro Keyboard 5.1.0
    BanglaWord v1.9.0
    DivX Setup
    DjVu Viewer version 1.0
    File Splitter and Joiner (FFSJ v3.3)
    FlyteDownloadManager version 1.1.0.0
    Golden Trails 3 The Guardians Creed 1.00
    Google Chrome
    Google Talk Plugin
    Google Update Helper
    ImagXpress
    Intel(R) Desktop Utilities
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) Integrator Assistant
    Intel(R) IPP Run-Time Installer 5.2 for Windows* on IA-32
    Intel(R) Management Engine Components
    INTEX Game Camera
    LG PC Suite
    LG United Mobile Drivers
    Malwarebytes Anti-Malware version 1.62.0.1300
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Reader
    Microsoft Report Viewer Redistributable 2005
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    Microsoft_VC100_CRT_SP1_x86
    Microsoft_VC80_ATL_x86
    Microsoft_VC80_CRT_x86
    Microsoft_VC80_MFC_x86
    Microsoft_VC80_MFCLOC_x86
    Microsoft_VC90_ATL_x86
    Microsoft_VC90_CRT_x86
    Microsoft_VC90_MFC_x86
    Mozilla Firefox 12.0 (x86 en-US)
    Mozilla Maintenance Service
    MSVC80_x86_v2
    MSVC90_x86
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    MSXML 4.0 SP3 Parser
    neroxml
    PDF Settings CS5
    PL-2303 USB-to-Serial
    PowerDVD
    Real Alternative 2.0.2
    Realtek High Definition Audio Driver
    Redemption Cemetery Grave Testimony - Menu Screen Saver
    Roxio BackOnTrack
    Roxio BackOnTrackPE
    Roxio Burn - Secure
    Roxio CinePlayer
    Roxio CinePlayer Decoder Pack
    Roxio Creator 2011 Pro
    Roxio PhotoShow
    Roxio Video Capture USB
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Skype™ 5.1
    Smart File Advisor 1.1.1
    SmartSound Common Data
    SmartSound Quicktracks 5
    System Requirements Lab for Intel
    Update for 2007 Microsoft Office System (KB967642)
    Update for Outlook 2007 Junk Email Filter (KB2522999)
    USB Disk Win98 Driver
    VC80CRTRedist - 8.0.50727.4053
    Visual Studio 2008 x64 Redistributables
    VLC media player 2.0.1
    Webshots Desktop
    Winamp
    Winamp Detector Plug-in
    Windows Media Player Firefox Plugin
    WinRAR archiver
    WinZip 12.0
    Xilisoft AVI MPEG Joiner 2
    Xilisoft Video Cutter
    Yahoo! Messenger
    .
    ==== Event Viewer Messages From Past Week ========
    .
    16-Aug-12 12:49:07 PM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147024891
    16-Aug-12 12:49:07 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: %%-2147024891
    16-Aug-12 12:47:44 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Roxio Hard Drive Watcher 12 service to connect.
    16-Aug-12 12:47:14 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
    16-Aug-12 12:47:12 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
    16-Aug-12 12:47:11 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
    16-Aug-12 10:09:12 AM, Error: Microsoft-Windows-DistributedCOM [10000] - Unable to start a DCOM Server: {46986115-84D6-459C-8F95-52DD653E532E}. The error: "740" Happened while starting this command: "C:\Program Files (x86)\Winamp\winamp.exe" -Embedding
    15-Aug-12 3:21:19 PM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
    15-Aug-12 3:21:19 PM, Error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error %%-1073473535.
    15-Aug-12 12:12:47 AM, Error: Service Control Manager [7034] - The Roxio SAIB Service service terminated unexpectedly. It has done this 1 time(s).
    14-Aug-12 9:21:36 PM, Error: Service Control Manager [7023] - The Windows Defender service terminated with the following error: The specified module could not be found.
    14-Aug-12 9:20:15 PM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    14-Aug-12 9:19:53 PM, Error: Application Popup [1060] - \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
    14-Aug-12 8:47:05 PM, Error: Service Control Manager [7031] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
    14-Aug-12 8:47:03 PM, Error: Microsoft Antimalware [5008] -
    14-Aug-12 5:39:13 PM, Error: Service Control Manager [7024] - The Windows Firewall service terminated with service-specific error Access is denied..
    14-Aug-12 5:07:10 PM, Error: Service Control Manager [7023] - The Base Filtering Engine service terminated with the following error: Access is denied.
    14-Aug-12 5:07:10 PM, Error: Service Control Manager [7001] - The Windows Firewall service depends on the Base Filtering Engine service which failed to start because of the following error: Access is denied.
    14-Aug-12 5:06:07 PM, Error: Service Control Manager [7001] - The IPsec Policy Agent service depends on the Base Filtering Engine service which failed to start because of the following error: Access is denied.
    14-Aug-12 5:06:07 PM, Error: Service Control Manager [7001] - The IKE and AuthIP IPsec Keying Modules service depends on the Base Filtering Engine service which failed to start because of the following error: Access is denied.
    14-Aug-12 3:49:30 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Microsoft .NET Framework NGEN v4.0.30319_X86 service to connect.
    11-Aug-12 1:37:36 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service VSS with arguments "" in order to run the server: {0B5A2C52-3EB9-470A-96E2-6C6D4570E40F}
    11-Aug-12 1:28:03 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
    11-Aug-12 1:24:12 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
    11-Aug-12 1:22:26 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    11-Aug-12 1:22:26 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    11-Aug-12 1:22:25 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    11-Aug-12 1:22:19 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: avipbb avkmgr discache SaibVdAd64 spldr vpcvmm Wanarpv6
    11-Aug-12 1:22:19 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    11-Aug-12 1:22:14 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
    .
    ==== End Of File ===========================
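As an added illustration that is not part of the thread, the following Python script parses Service Control Manager lines in the format pasted above (its sample is constructed from those lines) and flags the pattern this thread is dealing with: security services such as BFE, Windows Firewall and Windows Defender failing with "Access is denied", "does not exist as an installed service" or "module could not be found", which point at tampered permissions, registrations or binaries rather than at an ordinary crash. The list of security services and the reason map are assumptions of this example, not part of the original post.

```python
import re

# Constructed sample, shaped like the Service Control Manager lines pasted above.
SAMPLE_LOG = """
16-Aug-12 12:47:12 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
16-Aug-12 12:47:11 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
14-Aug-12 9:21:36 PM, Error: Service Control Manager [7023] - The Windows Defender service terminated with the following error: The specified module could not be found.
14-Aug-12 5:39:13 PM, Error: Service Control Manager [7024] - The Windows Firewall service terminated with service-specific error Access is denied..
14-Aug-12 5:07:10 PM, Error: Service Control Manager [7023] - The Base Filtering Engine service terminated with the following error: Access is denied.
14-Aug-12 5:07:10 PM, Error: Service Control Manager [7001] - The Windows Firewall service depends on the Base Filtering Engine service which failed to start because of the following error: Access is denied.
14-Aug-12 3:49:30 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Microsoft .NET Framework NGEN v4.0.30319_X86 service to connect.
"""

# One pasted line: "<date> <time> AM/PM, <level>: <source> [<event id>] - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{2} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<event_id>\d+)\] - (?P<msg>.*)$"
)

# How the SCM names the failing service in the message text, per event ID.
SERVICE_RE = {
    "7001": re.compile(r"^The (?P<svc>.+?) service depends on "),
    "7003": re.compile(r"^The (?P<svc>.+?) service depends "),
    "7009": re.compile(r"waiting for the (?P<svc>.+?) service to connect"),
    "7023": re.compile(r"^The (?P<svc>.+?) service terminated "),
    "7024": re.compile(r"^The (?P<svc>.+?) service terminated "),
    "7031": re.compile(r"^The (?P<svc>.+?) service terminated "),
    "7034": re.compile(r"^The (?P<svc>.+?) service terminated "),
}

# Assumed list: services whose failure concerns the security stack.
SECURITY_SERVICES = {
    "Base Filtering Engine",
    "Windows Firewall",
    "Windows Defender",
    "IPsec Policy Agent",
    "IKE and AuthIP IPsec Keying Modules",
    "Microsoft Antimalware Service",
    "Windows Update",
    "Security Center",
}

# Assumed map: error texts that indicate tampering (permissions, registration,
# binary) rather than a crash or a slow start.
TAMPER_REASONS = [
    ("Access is denied", "access denied: service or registry-key ACL was changed"),
    ("does not exist as an installed service", "service registration is missing"),
    ("module could not be found", "service binary or ServiceDll is missing"),
    ("might not be installed", "dependency service is not registered"),
]


def parse_event(line):
    """Return a dict for one pasted event line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def failing_service(event):
    """Name of the service the SCM says failed, or None for other events."""
    pattern = SERVICE_RE.get(event["event_id"])
    if pattern is None:
        return None
    m = pattern.search(event["msg"])
    return m.group("svc") if m else None


def tamper_reason(msg):
    """Map the error text to a tamper category, or None for benign failures."""
    for needle, label in TAMPER_REASONS:
        if needle in msg:
            return label
    return None


def triage(text):
    """Parse pasted event lines and flag security services failing in a
    tamper-like way. Returns {"events": <SCM line count>, "findings": [...]}."""
    events, findings = 0, []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["source"] != "Service Control Manager":
            continue
        events += 1
        svc = failing_service(ev)
        reason = tamper_reason(ev["msg"])
        if svc in SECURITY_SERVICES and reason is not None:
            findings.append({"timestamp": ev["ts"], "event_id": ev["event_id"],
                             "service": svc, "reason": reason})
    return {"events": events, "findings": findings}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{result['events']} SCM events, {len(result['findings'])} tamper findings")
    for f in result["findings"]:
        print(f"  {f['timestamp']}  [{f['event_id']}]  {f['service']}: {f['reason']}")
```

On the sample, the Computer Browser and .NET NGEN failures are left alone while the five firewall, BFE, Defender and IPsec failures are reported, which matches the symptoms described at the start of the thread.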
     
  3. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Hello!

    Please download and run TDSSKiller to your desktop as outlined below:

    Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

    For Windows XP, double-click to start.
    For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.



    -------------------------

    Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.


    ------------------------

    Click the Start Scan button.


    -----------------------

    If a suspicious object is detected, the default action will be Skip; click on Continue.
    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.



    ----------------------

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.




    --------------------

    A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents in your next reply.
    Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

    -------------------

    Here's a summary of what to do if you would like to print it out:

    If a suspicious object is detected, the default action will be Skip; click on Continue.
    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
     
  4. krazeefly

    krazeefly TS Member Topic Starter

    Thanks for your quick reply..... :)
    Tried copying the log file, but it was a large one......so as per your instruction, I am attaching it with this reply.
     

  5. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Please download aswMBR from here

    • Save aswMBR.exe to your Desktop
    • Double click aswMBR.exe to run it
    • Click the Scan button to start the scan as illustrated below


    Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives.

    • Once the scan finishes click Save log to save the log to your Desktop
    • Copy and paste the contents of aswMBR.txt back here for review
     
  6. krazeefly

    krazeefly TS Member Topic Starter

    Here is the AswMBR log file.........

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-08-17 12:26:19
    -----------------------------
    12:26:19.263 OS Version: Windows x64 6.1.7601 Service Pack 1
    12:26:19.263 Number of processors: 4 586 0x2505
    12:26:19.263 ComputerName: DESKTOP-PC UserName: Desktop
    12:26:21.229 Initialize success
    13:01:35.637 AVAST engine defs: 12081601
    13:13:07.903 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2
    13:13:07.919 Disk 0 Vendor: ST3500418AS CC46 Size: 476940MB BusType: 3
    13:13:07.919 Disk 0 MBR read successfully
    13:13:07.935 Disk 0 MBR scan
    13:13:07.966 Disk 0 Windows 7 default MBR code
    13:13:07.981 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
    13:13:07.997 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 119134 MB offset 206848
    13:13:08.013 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 119235 MB offset 244193280
    13:13:08.028 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 238469 MB offset 488386560
    13:13:08.059 Disk 0 scanning C:\Windows\system32\drivers
    13:13:17.981 Service scanning
    13:13:33.550 Modules scanning
    13:13:33.550 Disk 0 trace - called modules:
    13:13:34.049 ntoskrnl.exe CLASSPNP.SYS disk.sys Sahdad64.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
    13:13:34.049 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80048b7060]
    13:13:34.049 3 CLASSPNP.SYS[fffff8800161743f] -> nt!IofCallDriver -> [0xfffffa800474ba20]
    13:13:34.065 5 Sahdad64.sys[fffff8800199be25] -> nt!IofCallDriver -> [0xfffffa800463f520]
    13:13:34.065 7 ACPI.sys[fffff88000d897a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0xfffffa8004640680]
    13:13:39.135 AVAST engine scan C:\Windows
    13:13:41.334 AVAST engine scan C:\Windows\system32
    13:15:16.884 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
    13:15:18.647 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
    13:16:05.557 AVAST engine scan C:\Windows\system32\drivers
    13:16:20.158 AVAST engine scan C:\Users\Desktop
    13:18:24.459 AVAST engine scan C:\ProgramData
    13:19:21.805 Scan finished successfully
    13:19:33.240 Disk 0 MBR has been saved successfully to "C:\Users\Desktop\Desktop\MBR.dat"
    13:19:33.240 The log file has been saved successfully to "C:\Users\Desktop\Desktop\aswMBR.txt"
     
  7. krazeefly

    krazeefly TS Member Topic Starter

    Thought about mentioning one point, since yesterday my AVG free antivirus has also started popping up messages about c:\Windows\System32\services.exe being corrupted, I don't know if they are True or False Positives.........So thought of adding the detection file.................

    Resident Shield detection
    "Trojan horse Patched_c.LXT""c:\Windows\System32\services.exe""Object is white-listed (critical/system file that should not be removed)""17-Aug-12, 1:58:58 PM""file""C:\Windows\System32\svchost.exe"
    "Trojan horse Patched_c.LXT""c:\Windows\System32\services.exe""Object is white-listed (critical/system file that should not be removed)""17-Aug-12, 1:26:16 PM""file""C:\Windows\System32\svchost.exe"
     
  8. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    New log from ComboFix

    We would like to see a ☆new log☆ from ComboFix. Please find the ComboFix icon on your Desktop, and double-click on it. Once it finishes running, post the new log.
     
  9. krazeefly

    krazeefly TS Member Topic Starter

    Below is the new Combofix log,which I ran today morning........

    ComboFix 12-08-17.03 - Desktop 18-Aug-12 10:06:26.3.4 - x64
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3893.2585 [GMT 5.5:30]
    Running from: c:\users\Desktop\Desktop\ComboFix.exe
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\assembly\GAC_32\Desktop.ini
    c:\windows\assembly\GAC_64\Desktop.ini
    c:\windows\Installer\{589e96b4-2f37-e487-882e-05eb34b2f5bb}\@
    c:\windows\Installer\{589e96b4-2f37-e487-882e-05eb34b2f5bb}\L\00000004.@
    c:\windows\Installer\{589e96b4-2f37-e487-882e-05eb34b2f5bb}\U\00000004.@
    c:\windows\Installer\{589e96b4-2f37-e487-882e-05eb34b2f5bb}\U\00000008.@
    c:\windows\Installer\{589e96b4-2f37-e487-882e-05eb34b2f5bb}\U\000000cb.@
    c:\windows\Installer\{589e96b4-2f37-e487-882e-05eb34b2f5bb}\U\80000000.@
    c:\windows\Installer\{589e96b4-2f37-e487-882e-05eb34b2f5bb}\U\80000032.@
    c:\windows\Installer\{589e96b4-2f37-e487-882e-05eb34b2f5bb}\U\80000064.@
    .
    Infected copy of c:\windows\system32\services.exe was found and disinfected
    Restored copy from - c:\windows\erdnt\cache64\services.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-07-18 to 2012-08-18 )))))))))))))))))))))))))))))))
    .
    .
    2012-08-18 04:40 . 2012-08-18 04:40  --------  d-----w-  c:\users\Guest\AppData\Local\temp
    2012-08-18 04:40 . 2012-08-18 04:40  --------  d-----w-  c:\users\Default\AppData\Local\temp
    2012-08-18 04:40 . 2012-08-18 04:40  --------  d-----w-  c:\users\Administrator\AppData\Local\temp
    2012-08-17 08:35 . 2012-08-17 08:35  --------  d-----w-  c:\program files (x86)\Common Files\Java
    2012-08-17 08:35 . 2012-08-17 08:34  821736  ----a-w-  c:\windows\SysWow64\npDeployJava1.dll
    2012-08-17 08:35 . 2012-08-17 08:34  95208  ----a-w-  c:\windows\SysWow64\WindowsAccessBridge-32.dll
    2012-08-17 08:34 . 2012-08-17 08:34  --------  d-----w-  c:\program files (x86)\Java
    2012-08-16 05:17 . 2012-08-16 08:41  --------  d-----w-  c:\program files\Recuva
    2012-08-15 08:11 . 2012-08-15 08:11  --------  d-----w-  c:\users\Desktop\AppData\Roaming\AVG2012
    2012-08-15 08:10 . 2012-08-18 04:27  --------  d-----w-  c:\programdata\AVG2012
    2012-08-15 08:10 . 2012-08-18 04:25  --------  d-----w-  C:\$AVG
    2012-08-15 08:07 . 2012-08-15 08:07  --------  d--h--w-  c:\programdata\Common Files
    2012-08-15 08:07 . 2012-08-18 04:25  --------  d-----w-  c:\programdata\MFAData
    2012-08-15 06:21 . 2012-07-15 21:10  9133488  ----a-w-  c:\programdata\Microsoft\Windows Defender\Definition Updates\{31259DA6-BF84-4755-8713-068D445F5CAA}\mpengine.dll
    2012-08-15 05:49 . 2012-06-02 22:19  2428952  ----a-w-  c:\windows\system32\wuaueng.dll
    2012-08-15 05:49 . 2012-06-02 22:19  57880  ----a-w-  c:\windows\system32\wuauclt.exe
    2012-08-15 05:49 . 2012-06-02 22:19  44056  ----a-w-  c:\windows\system32\wups2.dll
    2012-08-15 05:49 . 2012-06-02 22:15  2622464  ----a-w-  c:\windows\system32\wucltux.dll
    2012-08-15 05:49 . 2012-06-02 22:19  38424  ----a-w-  c:\windows\system32\wups.dll
    2012-08-15 05:49 . 2012-06-02 22:19  701976  ----a-w-  c:\windows\system32\wuapi.dll
    2012-08-15 05:49 . 2012-06-02 22:15  99840  ----a-w-  c:\windows\system32\wudriver.dll
    2012-08-15 05:49 . 2012-06-02 09:49  186752  ----a-w-  c:\windows\system32\wuwebv.dll
    2012-08-15 05:49 . 2012-06-02 09:45  36864  ----a-w-  c:\windows\system32\wuapp.exe
    2012-08-11 13:29 . 2012-08-11 13:29  --------  d-----w-  c:\users\Desktop\AppData\Local\SymbolSourceSymbols
    2012-08-11 13:29 . 2012-08-11 13:29  --------  d-----w-  c:\users\Desktop\AppData\Local\RefSrcSymbols
    2012-08-11 13:29 . 2012-08-11 13:29  --------  d-----w-  c:\users\Desktop\AppData\Local\JetBrains
    2012-08-11 13:29 . 2012-08-11 13:29  --------  d-----w-  c:\users\Desktop\AppData\Roaming\JetBrains
    2012-08-11 13:00 . 2012-08-11 13:00  --------  d-----w-  c:\windows\SysWow64\1082
    2012-08-11 13:00 . 2012-08-11 13:00  679936  ----a-w-  c:\windows\system32\Rede1389.scr
    2012-08-11 13:00 . 2012-08-11 13:00  679936  ------w-  c:\windows\SysWow64\Rede1389.scr
    2012-08-11 13:00 . 2012-08-11 13:00  --------  d-----w-  c:\programdata\Screentime
    2012-08-11 13:00 . 2012-08-11 13:00  --------  d-----w-  c:\users\Desktop\AppData\Local\Screentime
    2012-08-11 12:57 . 2012-08-11 12:57  --------  d-----w-  c:\windows\SysWow64\1081
    2012-08-11 09:39 . 2012-08-11 09:39  --------  d-----w-  c:\windows\SysWow64\1080
    2012-08-11 08:46 . 2012-08-14 12:17  --------  d-----w-  c:\windows\SysWow64\1079
    2012-08-11 08:10 . 2012-08-11 08:10  --------  d-----w-  c:\windows\ehome
    2012-08-11 08:10 . 2012-08-11 08:10  --------  d-----w-  c:\users\Default\AppData\Roaming\Media Center Programs
    2012-08-11 08:01 . 2012-08-11 08:01  --------  d-----w-  c:\windows\SysWow64\1078
    2012-08-11 07:52 . 2012-08-11 07:52  --------  d-----w-  c:\windows\SysWow64\1076
    2012-08-10 09:47 . 2012-08-10 09:47  --------  d-----w-  c:\windows\SysWow64\1075
    2012-08-10 09:33 . 2012-08-10 09:33  --------  d-----w-  c:\windows\SysWow64\1074
    2012-08-10 09:08 . 2012-08-10 09:08  --------  d-----w-  c:\windows\SysWow64\1073
    2012-08-10 09:05 . 2012-08-10 09:05  --------  d-----w-  c:\windows\SysWow64\1072
    2012-08-10 08:53 . 2012-08-10 08:53  --------  d-----w-  c:\windows\SysWow64\1071
    2012-08-10 08:34 . 2012-08-10 08:34  --------  d-----w-  c:\windows\SysWow64\1070
    2012-08-10 08:32 . 2012-08-10 08:32  --------  d-----w-  c:\users\Desktop\AppData\Roaming\flashInstall
    2012-08-10 07:08 . 2012-08-10 07:09  --------  d-----w-  c:\users\Desktop\AppData\Roaming\PE Explorer
    2012-08-10 06:38 . 2012-08-10 06:38  --------  d-----w-  c:\windows\SysWow64\1069
    2012-08-10 06:30 . 2012-08-10 06:30  --------  d-----w-  c:\windows\SysWow64\1068
    2012-08-10 06:19 . 2012-08-10 06:19  --------  d-----w-  c:\windows\SysWow64\1067
    2012-08-10 06:18 . 2012-08-10 06:18  --------  d-----w-  c:\windows\SysWow64\1066
    2012-08-10 06:15 . 2012-08-14 12:17  --------  d-----w-  c:\windows\SysWow64\1065
    2012-08-09 11:26 . 2012-08-09 11:26  --------  d-----w-  c:\windows\SysWow64\1064
    2012-08-09 10:24 . 2012-08-09 10:24  --------  d-----w-  c:\windows\SysWow64\1063
    2012-08-09 10:24 . 2012-08-09 10:24  --------  d-----w-  c:\windows\SysWow64\1062
    2012-08-09 10:10 . 2012-08-09 10:10  --------  d-----w-  c:\windows\SysWow64\1061
    2012-08-09 10:09 . 2012-08-09 10:09  --------  d-----w-  c:\windows\SysWow64\1060
    2012-08-09 10:01 . 2012-08-09 10:01  --------  d-----w-  c:\windows\SysWow64\1059
    2012-08-09 10:00 . 2012-08-09 10:00  --------  d-----w-  c:\windows\SysWow64\1058
    2012-08-09 09:59 . 2012-08-09 09:59  --------  d-----w-  c:\windows\SysWow64\1057
    2012-08-06 10:56 . 2011-11-09 12:08  189608  ----a-w-  c:\windows\system32\IPROSetMonitor.exe
    2012-08-06 10:56 . 2012-08-06 10:56  --------  d-----w-  c:\program files\Intel
    2012-08-06 10:54 . 2012-02-01 21:13  509104  ----a-w-  c:\windows\system32\drivers\e1k62x64.sys
    2012-08-06 10:54 . 2012-01-19 21:11  99520  ----a-w-  c:\windows\system32\NicInstK.dll
    2012-08-06 10:54 . 2012-01-18 21:07  68264  ----a-w-  c:\windows\system32\e1kmsg.dll
    2012-08-02 14:33 . 2012-06-18 08:04  19032  ------w-  c:\windows\system32\pwdrvio.sys
    2012-08-02 14:33 . 2012-06-18 08:04  2966720  ----a-w-  c:\windows\system32\pwNative.exe
    2012-08-02 14:33 . 2012-06-18 08:04  12384  ------w-  c:\windows\system32\pwdspio.sys
    2012-08-01 13:20 . 2012-08-03 02:56  --------  d-----w-  c:\users\Desktop\.android
    2012-08-01 13:12 . 2012-08-01 13:12  --------  d-----w-  c:\program files\Oracle
    2012-08-01 13:12 . 2012-08-01 13:11  268784  ----a-w-  c:\windows\system32\javaws.exe
    2012-08-01 13:12 . 2012-08-01 13:11  189424  ----a-w-  c:\windows\system32\javaw.exe
    2012-08-01 13:12 . 2012-08-01 13:11  188912  ----a-w-  c:\windows\system32\java.exe
    2012-08-01 13:10 . 2012-08-01 13:11  --------  d-----w-  c:\program files\Java
    2012-08-01 13:10 . 2012-08-02 14:04  --------  d-----w-  c:\users\Desktop\jdk1.7.0_05_combo
    2012-07-27 13:39 . 2012-08-02 18:03  --------  d-----w-  c:\programdata\LGMOBILEAX
    2012-07-26 11:49 . 2012-07-26 11:55  --------  d-----w-  c:\program files (x86)\YourFileDownloader
    2012-07-26 11:49 . 2012-07-26 11:49  --------  d-----w-  c:\users\Desktop\AppData\Roaming\YourFileDownloader
    2012-07-25 15:15 . 2012-07-25 15:15  --------  d-----w-  c:\program files (x86)\LG Electronics
    2012-07-25 14:31 . 2012-08-02 18:33  --------  d-----w-  c:\users\Desktop\AppData\Roaming\LG Electronics
    2012-07-25 14:30 . 2012-07-25 14:30  --------  d-----w-  c:\users\Desktop\AppData\Local\LG Electronics
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-08-17 08:34 . 2011-02-22 05:31  746984  ----a-w-  c:\windows\SysWow64\deployJava1.dll
    2012-08-16 04:37 . 2012-04-04 06:17  426184  ----a-w-  c:\windows\SysWow64\FlashPlayerApp.exe
    2012-08-16 04:37 . 2011-06-02 02:39  70344  ----a-w-  c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-07-09 06:36 . 2009-07-13 23:19  328704  ----a-w-  c:\windows\system32\services.exe
    2012-07-03 08:16 . 2011-06-14 07:29  24904  ----a-w-  c:\windows\system32\drivers\mbam.sys
    2012-06-06 04:06 . 2012-06-06 04:06  2174976  ----a-w-  c:\program files (x86)\Common Files\atimpenc.dll
    2012-05-31 06:55 . 2011-02-21 14:37  279656  ------w-  c:\windows\system32\MpSigStub.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{0BC6E3FA-78EF-4886-842C-5A1258C4455A}"= "mscoree.dll" [2010-11-05 297808]
    .
    [HKEY_CLASSES_ROOT\clsid\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
    [HKEY_CLASSES_ROOT\agihelper.AGUtils]
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
    2010-11-05 01:58  297808  ----a-w-  c:\windows\System32\mscoree.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
    "Smart File Advisor"="c:\program files (x86)\Smart File Advisor\sfa.exe" [2011-04-04 280824]
    "RoxWatchTray"="c:\program files (x86)\Common Files\Roxio Shared\13.0\SharedCOM\RoxWatchTray13.exe" [2010-07-16 307184]
    "CPMonitor"="c:\program files (x86)\Roxio 2011\5.0\CPMonitor.exe" [2010-07-13 84464]
    "Desktop Disc Tool"="c:\program files (x86)\Roxio 2011\Roxio Burn\RoxioBurnLauncher.exe" [2010-06-30 477680]
    "Malwarebytes' Anti-Malware"="d:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
    .
    c:\users\Desktop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Webshots.lnk - c:\program files (x86)\Webshots\3.1.5.7619\Launcher.exe [2011-9-12 157088]
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 MBAMService;MBAMService;d:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944]
    R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\13.0\SharedCOM\RoxWatch13.exe [2010-07-16 354288]
    R2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2009-12-09 2320920]
    R3 andnetadb;ADB Interface DriverNet;c:\windows\system32\Drivers\lgandnetadb.sys [2012-03-06 31744]
    R3 AndNetDiag;LGE AndroidNet USB Serial Port;c:\windows\system32\DRIVERS\lgandnetdiag64.sys [2012-03-06 29184]
    R3 ANDNetModem;LGE AndroidNet USB Modem;c:\windows\system32\DRIVERS\lgandnetmodem64.sys [2012-03-06 36352]
    R3 andnetndis;LGE AndroidNet NDIS Ethernet Adapter;c:\windows\system32\DRIVERS\lgandnetndis64.sys [2012-03-06 93184]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904]
    R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-14 113120]
    R3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2012-06-18 19032]
    R3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2012-06-18 12384]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 20992]
    R3 RoxMediaDB13;RoxMediaDB13;c:\program files (x86)\Common Files\Roxio Shared\13.0\SharedCOM\RoxMediaDB13.exe [2010-07-16 1099248]
    R3 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
    R3 Synth3dVsc;Synth3dVsc; [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
    R3 tsusbhub;tsusbhub; [x]
    R3 VGPU;VGPU; [x]
    R3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\DRIVERS\vpcuxd.sys [2010-11-20 16384]
    R3 vvftav303;vvftav303;c:\windows\system32\drivers\vvftav303.sys [2007-03-18 301824]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-12-05 1255736]
    R3 ZSMC0303;INTEX Game Camera;c:\windows\system32\Drivers\usbVM303.sys [2007-03-25 1494656]
    R4 Ireniceaesse;Ireniceaesse; [x]
    S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2010-03-18 55856]
    S0 Sahdad64;HDD Filter Driver;c:\windows\System32\Drivers\Sahdad64.sys [2009-06-01 27120]
    S0 Saibad64;Volume Filter Driver;c:\windows\System32\Drivers\Saibad64.sys [2009-06-01 19952]
    S1 SaibVdAd64;Virtual Disk Driver;c:\windows\system32\Drivers\SaibVdAd64.sys [2009-06-01 27632]
    S2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files (x86)\Roxio\BackOnTrack\App\SaibSVC.exe [2009-06-02 457200]
    S2 AGCoreService;AG Core Services;c:\program files (x86)\AGI\core\4.2.0.10754\AGCoreService.exe [2010-06-29 20480]
    S2 BOT4Service;BOT4Service;c:\program files (x86)\Roxio\BackOnTrack\App\BService.exe [2010-07-13 32240]
    S2 Intel(R) PROSet Monitoring Service;Intel(R) PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [2011-11-09 189608]
    S3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k62x64.sys [2012-02-01 509104]
    S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]
    S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-02-03 271872]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-06-30 c:\windows\Tasks\SidebarExecute.job
    - c:\program files\Windows Sidebar\sidebar.exe [2011-04-09 13:25]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-11 162328]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-11 386584]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-11 417304]
    "RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-07-07 12558440]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.google.co.in/
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
    TCP: Interfaces\{C3D5A4FB-98D0-46EC-8865-32390EE39FB8}: NameServer = 208.67.222.222,208.67.220.220
    FF - ProfilePath - c:\users\Desktop\AppData\Roaming\Mozilla\Firefox\Profiles\zpqxsszw.default\
    FF - prefs.js: browser.startup.homepage - www.google.co.in
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{7B13EC3E-999A-4B70-B9CB-2617B8323822} - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    HKLM-Run-msthnv - (no file)
    HKLM-Run-wladmg - (no file)
    AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
    AddRemove-Adobe Connect Add-in - c:\users\Desktop\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\connectaddin\connectaddin.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\McAfee]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
    .
    [HKEY_LOCAL_MACHINE\software\Network Associates]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    .
    **************************************************************************
    .
    Completion time: 2012-08-18 10:14:22 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-08-18 04:44
    ComboFix2.txt 2012-08-14 15:54
    .
    Pre-Run: 64,101,474,304 bytes free
    Post-Run: 64,003,125,248 bytes free
    .
    - - End Of File - - 98FA337365362CC746FE14B943863608
     
  10. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    There are other potentially serious infections on your computer. Time to bring out a power tool... *nerd*

    Kaspersky Virus Removal Tool

    The Kaspersky Virus Removal Tool is a scan-and-remove solution from Kaspersky that searches out the most common malware and attempts to remove it from your computer.

    Please download the Kaspersky Virus Removal Tool from Kaspersky's Official Link and save it to your Desktop.

    • Double-click the Setup file to install it on your computer.
    • Once it has installed, review and accept the agreement and press the Start button.
    • You will be presented with the main interface, but don't scan yet; click the options tab (gear icon).
    • On the Scan Scope tab, make sure to checkmark all the options, except for the CD/DVD drive:
    • On the Security Level tab, make sure to move the slider up denoting "Current Security Level: High":
    • Now, go back to the Automatic Scan tab, and choose "Start Scanning". It may take several hours to complete. Please allow it to do so.
    • Once done scanning, choose the Report tab (page icon), select Detected Threats tab on left, and choose Disinfect All:
    • Then, choose Save. Also, in the Automatic Report tab, select Save:
    • Please post the reports in your next reply.
    • Once you exit, the tool should uninstall automatically.
     
  11. krazeefly

    krazeefly TS Member Topic Starter

    Am having some problem with Bband connection.......will post the report in a day or two !!! :)
     
  12. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    OKie dokie. See you then.
     
  13. krazeefly

    krazeefly TS Member Topic Starter

    Solved Bband problem & ran the tool............:) (took more than 2 hrs.)
    This is the detected threats report......
    Status: Disinfected (events: 1)
    20-Aug-12 2:36:37 PM | Disinfected | virus Virus.Win64.ZAccess.a | C:\Qoobox\Quarantine\C\Windows\System32\services.exe.vir | High
    Status: Deleted (events: 5)
    20-Aug-12 2:36:16 PM | Deleted | Trojan program Trojan.Win32.Miner.dw | C:\Qoobox\Quarantine\C\Windows\Installer\{589e96b4-2f37-e487-882e-05eb34b2f5bb}\U\00000008.@.vir | High
    20-Aug-12 2:36:16 PM | Deleted | Trojan program Trojan.Win32.Miner.dw | C:\Qoobox\Quarantine\C\Windows\Installer\{589e96b4-2f37-e487-882e-05eb34b2f5bb}\U\00000008.@.vir//data0000.res | High
    20-Aug-12 2:36:03 PM | Deleted | Trojan program Backdoor.Win32.ZAccess.mbs | C:\Qoobox\Quarantine\C\Windows\Installer\{589e96b4-2f37-e487-882e-05eb34b2f5bb}\U\000000cb.@.vir | High
    20-Aug-12 2:36:16 PM | Deleted | Trojan program Backdoor.Win32.ZAccess.xul | C:\Qoobox\Quarantine\C\Windows\Installer\{589e96b4-2f37-e487-882e-05eb34b2f5bb}\U\80000032.@.vir | High
    20-Aug-12 2:36:16 PM | Deleted | Trojan program Backdoor.Win32.ZAccess.xuk | C:\Qoobox\Quarantine\C\Windows\Installer\{589e96b4-2f37-e487-882e-05eb34b2f5bb}\U\80000064.@.vir | High
    Status: Quarantined (events: 1)
    20-Aug-12 2:35:56 PM | Quarantined | Trojan program HEUR:Backdoor.Win64.Generic | C:\Qoobox\Quarantine\C\Windows\Installer\{589e96b4-2f37-e487-882e-05eb34b2f5bb}\U\80000000.@.vir | High
    Status: Vulnerability (events: 12)
    20-Aug-12 2:06:51 PM | Vulnerability | vulnerability http://www.securelist.com/en/advisories/48457 | C:\Program Files\Adobe\Adobe Photoshop CS5 (64 Bit)\Photoshop.exe | Low
    20-Aug-12 2:09:51 PM | Vulnerability | vulnerability http://www.securelist.com/en/advisories/48457 | C:\Program Files (x86)\Adobe\Adobe Photoshop CS5\Photoshop.exe | Low
    20-Aug-12 2:10:33 PM | Vulnerability | vulnerability http://www.securelist.com/en/advisories/47133 | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | Low
    20-Aug-12 2:15:09 PM | Vulnerability | vulnerability http://www.securelist.com/en/advisories/49835 | C:\Program Files (x86)\VideoLAN\VLC\vlc-cache-gen.exe | Low
    20-Aug-12 2:15:09 PM | Vulnerability | vulnerability http://www.securelist.com/en/advisories/49835 | C:\Program Files (x86)\VideoLAN\VLC\vlc.exe | Low
    20-Aug-12 2:15:22 PM | Vulnerability | vulnerability http://www.securelist.com/en/advisories/46624 | C:\Program Files (x86)\Winamp\winamp.exe | Low
    20-Aug-12 2:48:12 PM | Vulnerability | vulnerability http://www.securelist.com/en/advisories/50283 | C:\Windows\SysWOW64\Adobe\Shockwave 11\SwInit.exe | Low
    20-Aug-12 3:15:55 PM | Vulnerability | vulnerability http://www.securelist.com/en/advisories/47133 | c:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | Low
    20-Aug-12 3:16:13 PM | Vulnerability | vulnerability http://www.securelist.com/en/advisories/48457 | c:\Program Files\Adobe\Adobe Photoshop CS5 (64 Bit)\Photoshop.exe | Low
    20-Aug-12 3:16:21 PM | Vulnerability | vulnerability http://www.securelist.com/en/advisories/46624 | c:\Program Files (x86)\Winamp\winamp.exe | Low
    20-Aug-12 3:16:56 PM | Vulnerability | vulnerability http://www.securelist.com/en/advisories/49835 | c:\Program Files (x86)\VideoLAN\VLC\vlc.exe | Low
    20-Aug-12 3:20:26 PM | Vulnerability | vulnerability http://www.securelist.com/en/advisories/48457 | c:\program files\Adobe\adobe photoshop cs5 (64 bit)\photoshop.exe | Low
     
  14. krazeefly

    krazeefly TS Member Topic Starter

    It is mentioned in the rules not to attach or zip any report, but the Kaspersky Virus Removal Tool ran for more than 2 hours and the report generated was a whopping 108 MB in Notepad. I tried to split the report and then to copy it, but my browser froze every time I tried to do that, so I tried zipping it, but the forum won't let me upload it, saying it is a very large zip file.....:(

    Please let me know, how can I post the Scan report in the forum ???:confused:
     
  15. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    That's okay. It looked like most of it found quarantined files anyway.

    Any more issues?

    We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

    Many of the things to note for us would be:

    • Slow computer
    • Error messages
    • Fake antivirus alerts or the icon in the system tray
    • svchost.exe running at 100%
    • System crashes or blue screen of death
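    The detected-threats report krazeefly posted runs its time, status, detection name, object path and severity fields together when pasted as plain text, and Jay's point that most hits were already quarantined files is the triage question that matters: ComboFix parks what it removes under C:\Qoobox\Quarantine, so a later scanner flagging files there is seeing neutralised copies. This added Python script (not part of the thread or of any tool mentioned in it) splits such lines and sorts hits into already-quarantined, live, and outdated-software buckets; its sample report is constructed from three of the thread's lines plus one made-up live hit.

```python
import re

# Constructed sample in the form the Kaspersky Virus Removal Tool report takes when
# pasted as plain text: time, status, type + detection name, path and severity are
# run together. First three detections are the thread's; the last is constructed.
SAMPLE_REPORT = r"""
Status: Disinfected (events: 1)
20-Aug-12 2:36:37 PMDisinfectedvirus Virus.Win64.ZAccess.aC:\Qoobox\Quarantine\C\Windows\System32\services.exe.virHigh
Status: Deleted (events: 2)
20-Aug-12 2:36:16 PMDeletedTrojan program Trojan.Win32.Miner.dwC:\Qoobox\Quarantine\C\Windows\Installer\{589e96b4-2f37-e487-882e-05eb34b2f5bb}\U\00000008.@.virHigh
20-Aug-12 2:40:00 PMDeletedTrojan program Trojan.Win32.GenericC:\Users\Public\sample.exeHigh
Status: Vulnerability (events: 1)
20-Aug-12 2:10:33 PMVulnerabilityvulnerability http://www.securelist.com/en/advisories/47133C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exeLow
"""

# One detection line: fixed status vocabulary, path starts at the first "<drive>:\",
# severity word anchored at end of line so the non-greedy groups split correctly.
LINE_RE = re.compile(
    r"^(?P<time>\d{1,2}-[A-Za-z]{3}-\d{2} \d{1,2}:\d{2}:\d{2} [AP]M)"
    r"(?P<status>Disinfected|Deleted|Quarantined|Vulnerability)"
    r"(?P<detection>.*?)(?P<path>[A-Za-z]:\\.*?)(?P<severity>High|Medium|Low)$"
)
# ComboFix moves what it removes into C:\Qoobox\Quarantine, so a later scanner that
# flags files under it is seeing already-neutralised copies, not live infections.
COMBOFIX_QUARANTINE = r"c:\qoobox\quarantine"

def parse_report(text):
    """One dict per detection line; 'Status:' group headers and blanks are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def already_quarantined(path):
    """True when the flagged object sits inside ComboFix's quarantine folder."""
    return path.lower().startswith(COMBOFIX_QUARANTINE)

def triage(text):
    """Bucket events into what still needs attention and what does not."""
    result = {"quarantined": [], "live": [], "vulnerable_software": []}
    for ev in parse_report(text):
        if ev["status"] == "Vulnerability":   # outdated program, not malware
            result["vulnerable_software"].append(ev["path"])
        elif already_quarantined(ev["path"]):
            result["quarantined"].append(ev["detection"])
        else:
            result["live"].append((ev["detection"], ev["path"], ev["severity"]))
    return result
```

Anything in the "live" bucket is a file outside any quarantine folder and is what a helper would actually ask about next; the "vulnerable_software" bucket is the outdated-program list that the later Adobe Reader update step addresses.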
     
  16. krazeefly

    krazeefly TS Member Topic Starter

    No, Thank You......No more issues at present !!!! :)

    After running ComboFix for the second time, and applying all the tools you recommended, my PC is back to normal. Firewall, Defender and Action Center are back to normal & Windows has again started updating itself........ Thanks once again !!! :D
     
  17. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Let's finish up now... so you can prevent malware.

    Clean up System Restore

    Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

    To manually create a new Restore Point
    • Go to Control Panel and select System and Maintenance
    • Select System
    • On the left select Advanced System Settings and accept the warning if you get one
    • Select System Protection Tab
    • Select Create at the bottom
    • Type in a name, i.e. Clean
    • Select Create
    Now we can purge the infected ones
    • Go back to the System and Maintenance page
    • Select Performance Information and Tools
    • On the left select Open Disk Cleanup
    • Select Files from all users and accept the warning if you get one
    • In the drop-down box select your main drive, i.e. C
    • For a few moments the system will make some calculations:
    • Select the More Options tab
    • In the System Restore and Shadow Backups select Clean up
    • Select Delete on the pop up
    • Select OK
    • Select Delete

    Run OTC to remove our tools

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTC.exe by OldTimer:
    • Save it to your Desktop.
    • Double click OTC.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    Purge old temporary files

    Download CCleaner Slim and save it to your Desktop - Alternate download link

    When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
    Follow the prompts to install the program.

    * Double-click the CCleaner shortcut on the desktop to start the program.
    * Click on the Options block on the left, then choose Cookies.
    * Under Cookies to Delete, highlight any cookies you would like to retain permanently
    * Click the right arrow > to move them to the Cookies to Keep window.
    * Go into Options > Advanced & uncheck Only delete files in Windows Temp folders older than 48 hours
    * Click Cleaner on the left then Run Cleaner on the right to run the program.
    * Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

    Caution: Only use the Registry feature if you are very familiar with the registry.
    Always back up your registry before making any changes. Exit CCleaner after it has completed its process.

    Security Check

    Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    Tell me in your next reply, if you have completed these tasks:
    • Cleaned System Restore
    • Ran OTC
    • Ran CCleaner
    • Ran Security Check
    Also, let me know how your computer is running, and don't forget to post the contents of the Security Check log.
     
  18. krazeefly

    krazeefly TS Member Topic Starter

    I have performed all the tasks you have mentioned..........
    • Cleaned System Restore
    • Ran OTC
    • Ran CCleaner
    • Ran Security Check
    Below is the checkup log..... But I would like to mention one thing: my Security Center service is up and working. I have checked in the Services menu, it is shown to be working, and also my Adobe Reader is up to date. Donno why it is mentioned as outdated !!! :confused:

    Results of screen317's Security Check version 0.99.46
    Windows 7 Service Pack 1 x64 (UAC is enabled)
    Internet Explorer 9
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Security Center service is not running! This report may not be accurate!
    Windows Firewall Enabled!
    AVG Anti-Virus Free Edition 2012
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    Secunia PSI (3.0.0.3001)
    Malwarebytes Anti-Malware version 1.62.0.1300
    Java 7 Update 6
    Adobe Reader 9 Adobe Reader out of Date!
    Mozilla Firefox (14.0.1)
    Google Chrome 21.0.1180.60
    Google Chrome 21.0.1180.79
    ````````Process Check: objlist.exe by Laurent````````
    Malwarebytes Anti-Malware mbamgui.exe
    AVG avgwdsvc.exe
    AVG avgtray.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 1%
    ````````````````````End of Log``````````````````````
     
  19. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    It's not outdated. It should be fine.

    Adobe Reader Update!

    Please download the newest version of Adobe Acrobat Reader from Adobe.com

    Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
    Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
    Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

    Once old versions are gone, please install the newest version.

    Personal Tips on Preventing Malware

    See this page for more info about malware and prevention.

    Read more about "FAQ: How did Sirefef or ZeroAccess Infect You?"

    Any other questions before I mark this topic solved?
     
  20. krazeefly

    krazeefly TS Member Topic Starter

    Thanks for all your help and tips.... Presently my PC is working like before. (y) The start-up speed has also improved....... Don't have words to thank you !!!! May GOD BLESS you all for all the efforts you people take to help others.:D

    Did what you said.... installed the new Adobe Reader, also removed the older version of Chrome; below is the latest Security Check log !!

    Results of screen317's Security Check version 0.99.46
    Windows 7 Service Pack 1 x64 (UAC is enabled)
    Internet Explorer 9
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    AVG Anti-Virus Free Edition 2012
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    Secunia PSI (3.0.0.3001)
    Malwarebytes Anti-Malware version 1.62.0.1300
    Java 7 Update 6
    Adobe Reader X (10.1.4)
    Mozilla Firefox (14.0.1)
    Google Chrome 21.0.1180.83
    ````````Process Check: objlist.exe by Laurent````````
    Malwarebytes Anti-Malware mbamservice.exe
    Malwarebytes Anti-Malware mbamgui.exe
    AVG avgwdsvc.exe
    AVG avgtray.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 0%
    ````````````````````End of Log``````````````````````
     
  21. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    You're welcome and thank you! Marked as solved. √
     
