TechSpot

Malware infection

By BlueDragon
Nov 17, 2011
  1. My problems sound strikingly similar to those posted by jhoward318. My son came home yesterday to find all kinds of warning messages had popped up about the harddrive having slowed 20% and other critical errors. On another PC I visited your website and tried following the 5-step removal process. I'm challenged when it comese to these things. AVG and Malwarebytes detected problems which were isolated or removed. The virus/malware (or whatever it is) appears to have partitiioned (just guessing) my harddrive. None of the programs or files appear when I pull up the programs from the menu bar. I finally managed to find a way to the control panel and it shows that there are still lots of things on the drive. Anyway, the only programs that now appear on the menu of programs are those that I added while trying to remove the malware. I saved logs from DDS and gmer. What should I do next?

    Thanks for any help or advice.

    (By the way, I thought this PC had Kaspersky Internet Security 2012 installed on it but I can't confirm that because I can't see what's on the harddrive.)
     
  2. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Welcome aboard [​IMG]

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ================================================================

    Let's see, if we can recover your missing features.
    Download and run UnHide
    Let me know, if it worked.

    In addition, post all logs you have.
     
  3. BlueDragon

    BlueDragon TS Rookie Topic Starter Posts: 18

    Broni ... I ran unhide and that seems to have brought my files back. Thanks!

    Here are are the logs:
    DDS TXT LOG

    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 8/16/2011 5:07:22 PM
    System Uptime: 11/16/2011 8:20:43 PM (0 hours ago)
    .
    Motherboard: First International Computer, Inc. | | KTBC51G
    Processor: AMD Athlon(tm) 64 Processor 4000+ | Socket 939 | 2400/237mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 186 GiB total, 88.739 GiB free.
    D: is CDROM ()
    E: is Removable
    F: is Removable
    G: is Removable
    H: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP17: 1/8/2005 1:51:27 AM - Windows Modules Installer
    RP2: 8/16/2011 5:29:16 PM - Installed NVIDIA 3D Vision Controller Driver
    RP3: 8/16/2011 5:43:38 PM - Windows Update
    RP4: 8/16/2011 5:46:22 PM - Installed DirectX
    RP5: 8/16/2011 5:46:55 PM - Installed DirectX
    RP6: 8/16/2011 5:48:43 PM - Installed DirectX
    RP7: 8/16/2011 5:54:05 PM - Installed DirectX
    RP8: 8/18/2011 5:24:54 PM - Windows Update
    RP9: 8/18/2011 5:34:15 PM - Installed Realtek High Definition Audio Driver
    RP10: 8/18/2011 5:59:26 PM - Windows Update
    RP11: 9/30/2011 9:08:10 PM - Installed DirectX
    RP12: 10/1/2011 9:09:52 PM - Installed League of Legends
    RP13: 10/14/2011 7:05:16 AM - Restore Operation
    RP14: 10/15/2011 9:38:43 AM - Installed DirectX
    RP15: 10/16/2011 6:04:00 PM - Installed Java(TM) 6 Update 27
    RP16: 10/16/2011 6:04:43 PM - Installed Java Runtime Environment
    RP18: 11/13/2011 7:05:58 AM - Installed DirectX
    RP19: 11/16/2011 7:00:56 PM - Installed AVG 2012
    RP20: 11/16/2011 7:01:29 PM - Installed AVG 2012
    .
    ==== Installed Programs ======================
    .
    Adobe Flash Player 10 ActiveX
    Borderlands
    Call of Duty: Modern Warfare 3
    Call of Duty: Modern Warfare 3 - Multiplayer
    Game Master 2.1 Toolbar
    Java Auto Updater
    Java(TM) 6 Update 27
    Killing Floor
    Malwarebytes' Anti-Malware version 1.51.2.1300
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    NVIDIA 3D Vision Controller Driver
    NVIDIA PhysX
    NVIDIA Stereoscopic 3D Driver
    ShopAtHome.com Toolbar
    Steam
    Team Fortress 2
    Trine
    Visual Studio 2008 x64 Redistributables
    .
    ==== Event Viewer Messages From Past Week ========
    .
    11/16/2011 8:23:02 PM, Error: Service Control Manager [7023] - The Peer Name Resolution Protocol service terminated with the following error: Access is denied.
    11/16/2011 8:23:02 PM, Error: Service Control Manager [7001] - The Peer Networking Grouping service depends on the Peer Name Resolution Protocol service which failed to start because of the following error: Access is denied.
    11/16/2011 8:23:02 PM, Error: Microsoft-Windows-PNRPSvc [102] - The Peer Name Resolution Protocol cloud did not start because the creation of the default identity failed with error code: 0x80070005.
    11/16/2011 8:22:42 PM, Error: Microsoft-Windows-WMPNSS-Service [14346] - A new media server was not initialized because RegisterRunningDevice() encountered error '0x80070005'. Restart your computer, and then restart the WMPNetworkSvc service.
    11/16/2011 8:21:18 PM, Error: Service Control Manager [7000] - The FLEXnet Licensing Manager for Adobe Products service failed to start due to the following error: The system cannot find the path specified.
    11/16/2011 7:19:39 AM, Error: bowser [8003] - The master browser has received a server announcement from the computer NELLIE that believes that it is the master browser for the domain on transport NetBT_Tcpip_{CCCDBC8F-E023-4BB9-A73D-830BADC07EFC}. The master browser is stopping or an election is being forced.
    11/16/2011 6:36:21 PM, Error: Microsoft-Windows-WMPNSS-Service [14332] - Service 'WMPNetworkSvc' did not start correctly because CoCreateInstance(CLSID_UPnPDeviceFinder) encountered error '0x80004005'. Verify that the UPnPHost service is running and that the UPnPHost component of Windows is installed properly.
    11/16/2011 6:35:57 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the FLEXnet Licensing Manager for Adobe Products service to connect.
    11/16/2011 6:35:57 PM, Error: Service Control Manager [7000] - The FLEXnet Licensing Manager for Adobe Products service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    11/13/2011 7:04:50 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Steam Client Service service to connect.
    11/13/2011 7:04:50 AM, Error: Service Control Manager [7000] - The Steam Client Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    11/12/2011 7:23:10 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.
    11/12/2011 11:36:56 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
    .
    ==== End Of File ===========================


    DDS LOG

    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 8.0.7600.16385
    Run by TMan at 20:37:34 on 2011-11-16
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1534.495 [GMT -6:00]
    .
    AV: AVG Anti-Virus 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\PROGRA~2\AVG\AVG2012\avgrsa.exe
    C:\Program Files (x86)\AVG\AVG2012\avgcsrva.exe
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\LSI SoftModem\agr64svc.exe
    C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\8.0.1\ToolbarUpdater.exe
    C:\Program Files (x86)\AVG\AVG2012\avgnsa.exe
    C:\Program Files (x86)\AVG\AVG2012\avgemca.exe
    C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Program Files (x86)\AVG\AVG2012\avgcsrva.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files (x86)\Steam\Steam.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\SysWOW64\CtHelper.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Program Files (x86)\AVG\AVG2012\avgtray.exe
    C:\Program Files (x86)\AVG Secure Search\vprot.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Program Files (x86)\Common Files\Steam\SteamService.exe
    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\cscript.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.yahoo.com/
    uURLSearchHooks: Game Master 2.1 Toolbar: {22dfbf5b-a7cd-4b25-9471-3dc68c71855f} - C:\Program Files (x86)\Game_Master_2.1\prxtbGame.dll
    mURLSearchHooks: Game Master 2.1 Toolbar: {22dfbf5b-a7cd-4b25-9471-3dc68c71855f} - C:\Program Files (x86)\Game_Master_2.1\prxtbGame.dll
    mWinlogon: Userinit=userinit.exe,
    BHO: Game Master 2.1 Toolbar: {22dfbf5b-a7cd-4b25-9471-3dc68c71855f} - C:\Program Files (x86)\Game_Master_2.1\prxtbGame.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
    BHO: ShopAtHome.com Toolbar: {66516a07-f617-488a-90cf-4e690cfb3c5f} - C:\Program Files (x86)\ShopAtHome\tbcore3U.dll
    BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - C:\Program Files (x86)\AVG Secure Search\8.0.0.40\AVG Secure Search_toolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    TB: Game Master 2.1 Toolbar: {22dfbf5b-a7cd-4b25-9471-3dc68c71855f} - C:\Program Files (x86)\Game_Master_2.1\prxtbGame.dll
    TB: ShopAtHome.com Toolbar: {311b58dc-a4dc-4b04-b1b5-60299ad3d803} - C:\Program Files (x86)\ShopAtHome\tbcore3U.dll
    TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - C:\Program Files (x86)\AVG Secure Search\8.0.0.40\AVG Secure Search_toolbar.dll
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    {e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
    uRun: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
    uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    mRun: [AsioThk32Reg] REGSVR32.EXE /S CTASIO.DLL
    mRun: [CTHelper] CTHELPER.EXE
    mRun: [CTxfiHlp] CTXFIHLP.EXE
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
    mRun: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe"
    dRun: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    dPolicies-system: DisableTaskMgr = 1 (0x1)
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    TCP: DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{CCCDBC8F-E023-4BB9-A73D-830BADC07EFC} : DhcpNameServer = 192.168.0.1
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll
    Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\8.0.1\ViProtocol.dll
    BHO-X64: Game Master 2.1 Toolbar: {22dfbf5b-a7cd-4b25-9471-3dc68c71855f} - C:\Program Files (x86)\Game_Master_2.1\prxtbGame.dll
    BHO-X64: Game Master 2.1 - No File
    BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
    BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
    BHO-X64: ShopAtHome.com Toolbar: {66516A07-F617-488A-90CF-4E690CFB3C5F} - C:\Program Files (x86)\ShopAtHome\tbcore3U.dll
    BHO-X64: ShopAtHome.com Toolbar - No File
    BHO-X64: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\8.0.0.40\AVG Secure Search_toolbar.dll
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    TB-X64: Game Master 2.1 Toolbar: {22dfbf5b-a7cd-4b25-9471-3dc68c71855f} - C:\Program Files (x86)\Game_Master_2.1\prxtbGame.dll
    TB-X64: ShopAtHome.com Toolbar: {311B58DC-A4DC-4B04-B1B5-60299AD3D803} - C:\Program Files (x86)\ShopAtHome\tbcore3U.dll
    TB-X64: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\8.0.0.40\AVG Secure Search_toolbar.dll
    TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    mRun-x64: [AsioThk32Reg] REGSVR32.EXE /S CTASIO.DLL
    mRun-x64: [CTHelper] CTHELPER.EXE
    mRun-x64: [CTxfiHlp] CTXFIHLP.EXE
    mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun-x64: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
    mRun-x64: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe"
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSEH;AVGIDSEH;C:\Windows\system32\DRIVERS\AVGIDSEH.Sys --> C:\Windows\system32\DRIVERS\AVGIDSEH.Sys [?]
    R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\system32\DRIVERS\avgrkx64.sys --> C:\Windows\system32\DRIVERS\avgrkx64.sys [?]
    R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\system32\DRIVERS\avgldx64.sys --> C:\Windows\system32\DRIVERS\avgldx64.sys [?]
    R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\system32\DRIVERS\avgmfx64.sys --> C:\Windows\system32\DRIVERS\avgmfx64.sys [?]
    R1 Avgtdia;AVG TDI Driver;C:\Windows\system32\DRIVERS\avgtdia.sys --> C:\Windows\system32\DRIVERS\avgtdia.sys [?]
    R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe [2011-10-12 4433248]
    R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe [2011-8-2 192776]
    R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-8-16 2255464]
    R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-8-3 379496]
    R2 vToolbarUpdater;vToolbarUpdater;C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\8.0.1\ToolbarUpdater.exe [2011-11-16 246624]
    R3 AVGIDSDriver;AVGIDSDriver;C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys --> C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys [?]
    R3 AVGIDSFilter;AVGIDSFilter;C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys --> C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys [?]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
    S2 FLEXnet Licensing Manager;FLEXnet Licensing Manager for Adobe Products; [x]
    .
    =============== Created Last 30 ================
    .
    2011-11-17 02:06:15 -------- d-----w- C:\Users\TMan\AppData\Roaming\Malwarebytes
    2011-11-17 02:05:57 -------- d-----w- C:\ProgramData\Malwarebytes
    2011-11-17 02:05:52 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2011-11-17 01:27:45 18 ----a-w- C:\Windows\system\msg.bat
    2011-11-17 01:27:45 1646 ----a-w- C:\Windows\system\msg.reg
    2011-11-17 01:25:24 -------- d--h--w- C:\$AVG
    2011-11-17 01:07:31 -------- d-----w- C:\Users\TMan\AppData\Roaming\AVG2012
    2011-11-17 01:02:54 -------- d-----w- C:\Program Files (x86)\Common Files\AVG Secure Search
    2011-11-17 01:02:54 -------- d-----w- C:\Program Files (x86)\AVG Secure Search
    2011-11-17 01:02:51 -------- d--h--w- C:\ProgramData\Common Files
    2011-11-17 01:02:45 -------- d-----w- C:\Windows\SysWow64\drivers\AVG
    2011-11-17 01:02:04 -------- d-----w- C:\Windows\System32\drivers\AVG
    2011-11-17 01:02:04 -------- d-----w- C:\ProgramData\AVG2012
    2011-11-17 01:01:21 -------- d-----w- C:\Program Files (x86)\AVG
    2011-11-17 00:56:08 -------- d-----w- C:\ProgramData\MFAData
    2011-11-13 13:07:59 5631312 ----a-w- C:\Windows\System32\D3DX9_40.dll
    2011-11-13 13:06:59 3767504 ----a-w- C:\Windows\System32\d3dx9_26.dll
    2011-11-13 13:06:59 2297552 ---ha-w- C:\Windows\SysWow64\d3dx9_26.dll
    .
    ==================== Find3M ====================
    .
    2011-11-13 03:55:08 414368 ---ha-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-10-16 23:04:32 472808 ---ha-w- C:\Windows\SysWow64\deployJava1.dll
    2011-10-07 12:23:46 283728 ----a-w- C:\Windows\System32\drivers\avgldx64.sys
    2011-09-13 12:30:08 37456 ----a-w- C:\Windows\System32\drivers\avgrkx64.sys
    .
    ============= FINISH: 20:46:13.58 ==============
     
  4. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Can you run GMER?

    Can you update and run MBAM?
     
  5. BlueDragon

    BlueDragon TS Rookie Topic Starter Posts: 18

    Okay, I think I have it.


    GMER LOG:
    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-11-18 20:22:09
    Windows 6.1.7600
    Running: q96qpm33.exe


    ---- Files - GMER 1.0.15 ----

    File C:\Users\TMan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4YOZ8YZB\fw-nonplayer-bannerCA144COP.htm 388 bytes
    File C:\Users\TMan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4YOZ8YZB\fw-nonplayer-bannerCAUEK3FJ.htm 386 bytes
    File C:\Users\TMan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4YOZ8YZB\fw-nonplayer-bannerCAVX6G0B.htm 386 bytes
    File C:\Users\TMan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5OJU3D3Q\beacon[2].txt 69 bytes
    File C:\Users\TMan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5OJU3D3Q\fw-nonplayer-banner[9].htm 0 bytes
    File C:\Users\TMan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5OJU3D3Q\common-from-happy-feet-two[1].txt 0 bytes
    File C:\Users\TMan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5OJU3D3Q\fw-nonplayer-banner[10].htm 0 bytes
    File C:\Users\TMan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5OJU3D3Q\fw-nonplayer-banner[11].htm 0 bytes
    File C:\Users\TMan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5OJU3D3Q\login_status[3].php 0 bytes
    File C:\Users\TMan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5OJU3D3Q\1974021685[1].htm 0 bytes
    File C:\Users\TMan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SVCOZXED\imp[1].txt 0 bytes
    File C:\Users\TMan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SVCOZXED\crossdomain[7].xml 0 bytes
    File C:\Users\TMan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SVCOZXED\meviomusicvideos_mevio_com[1].txt 0 bytes
    File C:\Users\TMan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SVCOZXED\if[2].txt 0 bytes
    File C:\Users\TMan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SVCOZXED\if[3].txt 0 bytes
    File C:\Users\TMan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SVCOZXED\397399976[1].htm 0 bytes
    File C:\Users\TMan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SVCOZXED\musicscenetv-277681-04-24-2011[1].mp4 707884 bytes
    File C:\Users\TMan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SVCOZXED\musicscenetv_mevio_com[1].txt 752971 bytes
    File C:\Users\TMan\AppData\Local\Temp\fla74BD.tmp 0 bytes
    File C:\Users\TMan\AppData\Roaming\Microsoft\Windows\Cookies\tman@meebo[3].txt 0 bytes
    File C:\Users\TMan\AppData\Roaming\Microsoft\Windows\Cookies\tman@rubiconproject[3].txt 0 bytes
    File C:\Users\TMan\AppData\Roaming\Microsoft\Windows\Cookies\tman@network.realmedia[3].txt 0 bytes
    File C:\Users\TMan\AppData\Roaming\Microsoft\Windows\Cookies\tman@advertising[3].txt 1469 bytes
    File C:\Users\TMan\AppData\Roaming\Microsoft\Windows\Cookies\tman@mevio[2].txt 0 bytes
    File C:\Users\TMan\AppData\Roaming\Microsoft\Windows\Cookies\tman@mmismm[2].txt 0 bytes
    File C:\Users\TMan\AppData\Roaming\Microsoft\Windows\Cookies\tman@fastclick[3].txt 0 bytes
    File C:\Users\TMan\AppData\Roaming\Microsoft\Windows\Cookies\tman@voicefive[3].txt 0 bytes
    File C:\Users\TMan\AppData\Roaming\Microsoft\Windows\Cookies\tman@www.mevio[2].txt 341 bytes
    File C:\Windows\Temp\avg-3ee23e25-bae2-4432-99a8-7e351874c20b.tmp 0 bytes
    File C:\Windows\Temp\avg-44f33b44-03ad-4327-adc0-5c60af05de7a.tmp 0 bytes
    File C:\Windows\Temp\avg-4a0f490a-51e5-467e-8eaf-560db76cee09.tmp 0 bytes
    File C:\Windows\Temp\avg-4eba0510-3c46-483e-ab76-e4297a3d4157.tmp 0 bytes
    File C:\Windows\Temp\avg-5599330e-5490-4544-86b2-4d086fb8b60b.tmp 0 bytes
    File C:\Windows\Temp\avg-5a5a9347-3369-4634-b0ef-8545f526e940.tmp 0 bytes
    File C:\Windows\Temp\avg-5acce72a-8089-4e24-8805-b2736433eb77.tmp 0 bytes
    File C:\Windows\Temp\avg-5bfba42c-7d70-4231-ae43-9178f0e5934f.tmp 0 bytes
    File C:\Windows\Temp\avg-5dd8f92f-42a6-451e-b4e6-254d5558652a.tmp 0 bytes
    File C:\Windows\Temp\avg-c6ce4b13-2985-4a33-987c-837fea15a667.tmp 0 bytes
    File C:\Windows\Temp\avg-92b9da68-ae6b-4253-a242-9642fe266370.tmp 0 bytes
    File C:\Windows\Temp\avg-9853a345-1848-4c3f-8f1e-795cdbe62b0e.tmp 0 bytes
    File C:\Windows\Temp\avg-9a6b9308-5c83-430f-b377-2f2efba10f6d.tmp 0 bytes
    File C:\Windows\Temp\avg-a15a5472-7498-4658-b4fb-4253b68c8628.tmp 0 bytes
    File C:\Windows\Temp\avg-a355f069-1123-4751-9f66-9429b4489460.tmp 0 bytes
    File C:\Windows\Temp\avg-aa2e3a6a-3e7d-4433-a714-9b44c7af536b.tmp 0 bytes
    File C:\Windows\Temp\avg-aa553d58-450a-4b1f-96cc-880911e56c2e.tmp 0 bytes
    File C:\Windows\Temp\avg-d512897e-8d0a-402f-aaec-b45c3f744d20.tmp 0 bytes
    File C:\Windows\Temp\avg-e115915b-03b4-4365-a3bb-3050df367150.tmp 0 bytes
    File C:\Windows\Temp\avg-e3e08279-6a79-4614-a9db-0c3897fa927e.tmp 0 bytes
    File C:\Windows\Temp\avg-ea5f6e62-b103-4a08-84ea-3a59d93c887a.tmp 0 bytes
    File C:\Windows\Temp\avg-ec5d7535-e16a-4e5c-af1d-da4214f02b5a.tmp 0 bytes
    File C:\Windows\Temp\avg-0248682e-76a1-4c52-8498-211f16671c30.tmp 0 bytes
    File C:\Windows\Temp\avg-0840b03f-d0a5-4455-8482-c40c1a5af477.tmp 0 bytes
    File C:\Windows\Temp\avg-088f9e5c-1d7e-426a-9d2b-fd261456541e.tmp 0 bytes
    File C:\Windows\Temp\avg-26b2d25e-a0f8-4d3a-84b0-8f7616265f54.tmp 0 bytes
    File C:\Windows\Temp\avg-33f9a855-3c36-417e-a784-5b3b32ee6613.tmp 0 bytes
    File C:\Windows\Temp\avg-f5d2bd15-ce82-440c-b224-fd66500b9178.tmp 0 bytes
    File C:\Windows\Temp\avg-fc57974e-fa74-4872-8dce-0650e856ca1b.tmp 0 bytes
    File C:\Windows\Temp\avg-18825172-c8ea-4452-bdb6-0307b79ce633.tmp 0 bytes
    File C:\Windows\Temp\avg-1c7f2525-7443-4625-a3b1-3e52d070df1f.tmp 0 bytes
    File C:\Windows\Temp\avg-1dcdf52b-3a2b-4916-a4fd-566cae277f31.tmp 0 bytes

    ---- EOF - GMER 1.0.15 ----



    MBAM:

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8191

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    11/18/2011 8:32:28 PM
    mbam-log-2011-11-18 (20-32-28).txt

    Scan type: Quick scan
    Objects scanned: 182590
    Time elapsed: 4 minute(s), 0 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)



    Broni,

    I had exited out of the internet while running these and all of the sudden the internet launched and opened on site http://www.mevio.com/login/#loginOverlay
    In fact, the PC is launching the internet irregularly.

    Thanks for your help.
     
  6. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan:
    [​IMG]

    On completion of the scan click "Save log", save it to your desktop and post in your next reply:
    [​IMG]

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ===========================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode (How to...)

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  7. BlueDragon

    BlueDragon TS Rookie Topic Starter Posts: 18

    Broni,

    I have run the MBR scan and now have an MBR.dat file on my desktop. Do you need that file? I tried to open it but I got the "windows cannot open file" message because it did not recognize the file type.

    As for ComboFix, I have downloaded it but am not sure about how to turn off AVG and anything else that is running in the background (see, I am a noobie!).

    Thank you for your efforts.
     
  8. BlueDragon

    BlueDragon TS Rookie Topic Starter Posts: 18

    Broni,

    I think I managed to disable everything. Here is the ComboFix log:

    ComboFix 11-11-19.03 - TMan 11/19/2011 8:58.1.1 - x64
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1534.831 [GMT -6:00]
    Running from: c:\users\TMan\Desktop\ComboFix.exe
    AV: AVG Anti-Virus 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\TMan\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\System Fix.lnk
    c:\users\TMan\Desktop\System Fix.lnk
    c:\windows\TEMP\~21FC.tmp
    c:\windows\TEMP\~E082.tmp
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-10-19 to 2011-11-19 )))))))))))))))))))))))))))))))
    .
    .
    2011-11-19 15:36 . 2011-11-19 15:36 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
    2011-11-19 15:36 . 2011-11-19 15:36 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-11-17 22:54 . 2011-11-17 22:54 -------- d-----w- c:\users\TMan\AppData\Local\ElevatedDiagnostics
    2011-11-17 02:06 . 2011-11-17 02:06 -------- d-----w- c:\users\TMan\AppData\Roaming\Malwarebytes
    2011-11-17 02:05 . 2011-11-17 02:05 -------- d-----w- c:\programdata\Malwarebytes
    2011-11-17 02:05 . 2011-11-19 02:27 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2011-11-17 01:27 . 2011-11-17 01:27 18 ----a-w- c:\windows\system\msg.bat
    2011-11-17 01:27 . 2011-11-17 01:27 1646 ----a-w- c:\windows\system\msg.reg
    2011-11-17 01:25 . 2011-11-17 01:25 -------- d-----w- C:\$AVG
    2011-11-17 01:07 . 2011-11-17 01:07 -------- d-----w- c:\users\TMan\AppData\Roaming\AVG2012
    2011-11-17 01:02 . 2011-11-17 01:03 -------- d-----w- c:\program files (x86)\AVG Secure Search
    2011-11-17 01:02 . 2011-11-17 01:02 -------- d-----w- c:\program files (x86)\Common Files\AVG Secure Search
    2011-11-17 01:02 . 2011-11-17 01:02 -------- d-----w- c:\programdata\Common Files
    2011-11-17 01:02 . 2011-11-17 01:02 -------- d-----w- c:\windows\SysWow64\drivers\AVG
    2011-11-17 01:02 . 2011-11-19 13:20 -------- d-----w- c:\windows\system32\drivers\AVG
    2011-11-17 01:02 . 2011-11-17 01:29 -------- d-----w- c:\programdata\AVG2012
    2011-11-17 01:01 . 2011-11-17 01:01 -------- d-----w- c:\program files (x86)\AVG
    2011-11-17 00:56 . 2011-11-19 13:20 -------- d-----w- c:\programdata\MFAData
    2011-11-16 22:58 . 2011-11-16 22:58 -------- d-----w- c:\windows\Sun
    2011-11-13 13:07 . 2008-10-15 12:22 5631312 ----a-w- c:\windows\system32\D3DX9_40.dll
    2011-11-13 13:06 . 2005-05-26 21:34 3767504 ----a-w- c:\windows\system32\d3dx9_26.dll
    2011-11-13 13:06 . 2005-05-26 21:34 2297552 ----a-w- c:\windows\SysWow64\d3dx9_26.dll
    2011-11-13 03:55 . 2011-11-13 03:55 -------- d-----w- c:\windows\system32\Macromed
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-11-13 03:55 . 2011-08-18 22:27 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-10-16 23:04 . 2011-10-16 23:04 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2011-10-07 12:23 . 2011-10-07 12:23 283728 ----a-w- c:\windows\system32\drivers\avgldx64.sys
    2011-09-13 12:30 . 2011-09-13 12:30 37456 ----a-w- c:\windows\system32\drivers\avgrkx64.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{22dfbf5b-a7cd-4b25-9471-3dc68c71855f}"= "c:\program files (x86)\Game_Master_2.1\prxtbGame.dll" [2011-05-09 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{22dfbf5b-a7cd-4b25-9471-3dc68c71855f}]
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{22dfbf5b-a7cd-4b25-9471-3dc68c71855f}]
    2011-05-09 09:49 176936 ----a-w- c:\program files (x86)\Game_Master_2.1\prxtbGame.dll
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{66516A07-F617-488A-90CF-4E690CFB3C5F}]
    2011-10-26 16:27 3974040 ----a-w- c:\program files (x86)\ShopAtHome\tbcore3U.dll
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
    2011-11-17 01:02 1451336 ----a-w- c:\program files (x86)\AVG Secure Search\8.0.0.40\AVG Secure Search_toolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{22dfbf5b-a7cd-4b25-9471-3dc68c71855f}"= "c:\program files (x86)\Game_Master_2.1\prxtbGame.dll" [2011-05-09 176936]
    "{311B58DC-A4DC-4B04-B1B5-60299AD3D803}"= "c:\program files (x86)\ShopAtHome\tbcore3U.dll" [2011-10-26 3974040]
    "{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files (x86)\AVG Secure Search\8.0.0.40\AVG Secure Search_toolbar.dll" [2011-11-17 1451336]
    .
    [HKEY_CLASSES_ROOT\clsid\{22dfbf5b-a7cd-4b25-9471-3dc68c71855f}]
    .
    [HKEY_CLASSES_ROOT\clsid\{311b58dc-a4dc-4b04-b1b5-60299ad3d803}]
    [HKEY_CLASSES_ROOT\ShopAtHome.ShopAtHome.3]
    [HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
    [HKEY_CLASSES_ROOT\ShopAtHome.ShopAtHome]
    .
    [HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
    [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
    [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Steam"="c:\program files (x86)\Steam\steam.exe" [2011-10-14 1242448]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "AsioThk32Reg"="CTASIO.DLL" [2007-04-09 80896]
    "CTHelper"="CTHELPER.EXE" [2007-04-09 19456]
    "CTxfiHlp"="CTXFIHLP.EXE" [2007-04-09 19968]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2011-10-25 2415456]
    "vProt"="c:\program files (x86)\AVG Secure Search\vprot.exe" [2011-11-17 218464]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DevconDefaultDB"="c:\windows\system32\READREG" [X]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
    .
    R2 FLEXnet Licensing Manager;FLEXnet Licensing Manager for Adobe Products; [x]
    R3 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2012\AVGIDSAgent.exe [2011-10-12 4433248]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [x]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [x]
    S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [x]
    S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [x]
    S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [x]
    S1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [x]
    S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [x]
    S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe [2011-08-02 192776]
    S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-08-03 2255464]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-08-03 379496]
    S2 vToolbarUpdater;vToolbarUpdater;c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\8.0.1\ToolbarUpdater.exe [2011-11-17 246624]
    S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
    .
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.yahoo.com/
    mLocal Page = c:\windows\SysWOW64\blank.htm
    TCP: DhcpNameServer = 192.168.0.1
    Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\8.0.1\ViProtocol.dll
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{22DFBF5B-A7CD-4B25-9471-3DC68C71855F} - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    WebBrowser-{311B58DC-A4DC-4B04-B1B5-60299AD3D803} - (no file)
    WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
    HKLM-Run-AsioReg - CTASIO.DLL
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10v_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10v_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Internet Explorer\iexplore.exe
    c:\program files (x86)\Common Files\Steam\SteamService.exe
    .
    **************************************************************************
    .
    Completion time: 2011-11-19 10:07:33 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-11-19 16:07
    .
    Pre-Run: 94,187,659,264 bytes free
    Post-Run: 95,028,547,584 bytes free
    .
    - - End Of File - - FFDF41E924F7BCB63B580144DD5F5D67
     
  9. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    I still need aswMBR log.
     
  10. BlueDragon

    BlueDragon TS Rookie Topic Starter Posts: 18

    Broni:

    The latest is the picture on the monitor is sort of blue/green. More fun.

    Hope this is the file you need:

    aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
    Run date: 2011-11-19 08:03:29
    -----------------------------
    08:03:29.126 OS Version: Windows x64 6.1.7600
    08:03:29.126 Number of processors: 1 586 0x3702
    08:03:29.127 ComputerName: TMAN-PC UserName: TMan
    08:03:34.271 Initialize success
    08:05:03.166 AVAST engine defs: 11111900
    08:05:18.975 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
    08:05:18.980 Disk 0 Vendor: ST3200827A 3.AAE Size: 190782MB BusType: 3
    08:05:21.028 Disk 0 MBR read successfully
    08:05:21.034 Disk 0 MBR scan
    08:05:21.044 Disk 0 Windows 7 default MBR code
    08:05:21.049 Disk 0 MBR hidden
    08:05:21.053 Service scanning
    08:05:30.676 Modules scanning
    08:05:30.682 Disk 0 trace - called modules:
    08:05:30.706 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa800224b334]<<
    08:05:30.710 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800222e060]
    08:05:30.714 3 CLASSPNP.SYS[fffff8800195b43f] -> nt!IofCallDriver -> [0xfffffa8001e51520]
    08:05:30.720 5 ACPI.sys[fffff88000ef0781] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8001e57060]
    08:05:31.084 \Driver\atapi[0xfffffa8001e4ae70] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0xfffffa800224b334
    08:05:33.007 AVAST engine scan C:\Windows
    08:05:35.189 AVAST engine scan C:\Windows\system32
    08:08:36.004 AVAST engine scan C:\Windows\system32\drivers
    08:08:48.787 AVAST engine scan C:\Users\TMan
    08:12:52.168 Disk 0 MBR has been saved successfully to "C:\Users\TMan\Desktop\MBR.dat"
    08:12:52.177 The log file has been saved successfully to "C:\Users\TMan\Desktop\aswMBR.txt"
     
  11. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Both logs look good.

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  12. BlueDragon

    BlueDragon TS Rookie Topic Starter Posts: 18

    Broni,

    AS soon as OTL started to install, AVG popped up "Threat Detected" and identified it as "Trojan horse Agent3.AXVV". So, do I continue by selecting "Ignore the Threat" or is this something different?

    Color problem on monitor ended up being a loose cable.
     
  13. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Good :)

    Yes, ignore AVG warnings.
     
  14. BlueDragon

    BlueDragon TS Rookie Topic Starter Posts: 18

    Broni,

    I have double clicked on the icon and told AVG to ignore the threat, but I can't tell than anything is happening. Waited several minutes without seeing any activity or receiving any messages. Opened Task Manager and it reflects minimal CPU usage 3-5% and I see nothing that would be make me think OTL is running. I guess I'll leave it till morning and see if anything happened. Thanks.
     
  15. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Possibly AVG removed something.

    Delete your OTL file, disable AVG, download fresh copy and try again.
     
  16. BlueDragon

    BlueDragon TS Rookie Topic Starter Posts: 18

    Broni:

    Here is the OTL scan:

    OTL logfile created on: 11/20/2011 8:39:30 AM - Run 1
    OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\TMan\Desktop
    64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.7600.16385)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1.50 Gb Total Physical Memory | 0.58 Gb Available Physical Memory | 38.70% Memory free
    3.00 Gb Paging File | 1.46 Gb Available in Paging File | 48.81% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 186.21 Gb Total Space | 89.21 Gb Free Space | 47.91% Space Free | Partition Type: NTFS

    Computer Name: TMAN-PC | User Name: TMan | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2011/11/20 08:35:51 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\TMan\Desktop\OTL.exe
    PRC - [2011/11/16 19:02:58 | 000,246,624 | ---- | M] () -- C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\8.0.1\ToolbarUpdater.exe
    PRC - [2011/11/16 19:02:54 | 000,218,464 | ---- | M] () -- C:\Program Files (x86)\AVG Secure Search\vprot.exe
    PRC - [2011/11/13 07:04:35 | 000,419,624 | ---- | M] (Valve Corporation) -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe
    PRC - [2011/10/24 20:29:16 | 002,415,456 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG2012\avgtray.exe
    PRC - [2011/10/14 16:16:50 | 001,242,448 | ---- | M] (Valve Corporation) -- C:\Program Files (x86)\Steam\Steam.exe
    PRC - [2011/10/12 06:25:22 | 004,433,248 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe
    PRC - [2011/08/03 05:50:00 | 002,255,464 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
    PRC - [2011/08/03 02:31:42 | 000,379,496 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    PRC - [2011/08/02 06:09:08 | 000,192,776 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
    PRC - [2007/04/09 11:32:32 | 000,019,456 | ---- | M] (Creative Technology Ltd) -- C:\Windows\SysWOW64\CtHelper.exe


    ========== Modules (No Company Name) ==========

    MOD - [2011/11/16 19:02:54 | 001,451,336 | ---- | M] () -- C:\Program Files (x86)\AVG Secure Search\8.0.0.40\AVG Secure Search_toolbar.dll
    MOD - [2011/11/16 19:02:54 | 000,218,464 | ---- | M] () -- C:\Program Files (x86)\AVG Secure Search\vprot.exe
    MOD - [2011/11/13 07:04:35 | 014,410,024 | ---- | M] () -- C:\Program Files (x86)\Steam\bin\libcef.dll
    MOD - [2011/11/13 07:04:33 | 000,914,216 | ---- | M] () -- C:\Program Files (x86)\Steam\bin\avcodec-52.dll
    MOD - [2011/11/13 07:04:33 | 000,194,344 | ---- | M] () -- C:\Program Files (x86)\Steam\bin\chromehtml.dll
    MOD - [2011/11/13 07:04:33 | 000,155,432 | ---- | M] () -- C:\Program Files (x86)\Steam\bin\avformat-52.dll
    MOD - [2011/11/13 07:04:33 | 000,091,432 | ---- | M] () -- C:\Program Files (x86)\Steam\bin\avutil-50.dll
    MOD - [2011/10/26 10:27:04 | 000,307,096 | ---- | M] () -- C:\Program Files (x86)\ShopAtHome\tbhelper.dll
    MOD - [2011/10/26 10:27:02 | 000,238,488 | ---- | M] () -- C:\Program Files (x86)\ShopAtHome\HttpHandle302.dll


    ========== Win32 Services (SafeList) ==========

    SRV:64bit: - [2009/07/13 19:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV:64bit: - [2009/03/27 21:10:16 | 000,016,896 | ---- | M] (LSI Corporation) [Auto | Running] -- C:\Program Files\LSI SoftModem\agr64svc.exe -- (AgereModemAudio)
    SRV - [2011/11/16 19:02:58 | 000,246,624 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\8.0.1\ToolbarUpdater.exe -- (vToolbarUpdater)
    SRV - [2011/11/13 07:04:35 | 000,419,624 | ---- | M] (Valve Corporation) [On_Demand | Running] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
    SRV - [2011/10/12 06:25:22 | 004,433,248 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe -- (AVGIDSAgent)
    SRV - [2011/08/03 05:50:00 | 002,255,464 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe -- (nvUpdatusService)
    SRV - [2011/08/03 02:31:42 | 000,379,496 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
    SRV - [2011/08/02 06:09:08 | 000,192,776 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe -- (avgwd)
    SRV - [2009/06/10 15:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)


    ========== Driver Services (SafeList) ==========

    DRV:64bit: - [2011/10/07 06:23:46 | 000,283,728 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avgldx64.sys -- (Avgldx64)
    DRV:64bit: - [2011/09/13 06:30:08 | 000,037,456 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\avgrkx64.sys -- (Avgrkx64)
    DRV:64bit: - [2011/08/08 06:08:58 | 000,046,672 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\Windows\SysNative\drivers\avgmfx64.sys -- (Avgmfx64)
    DRV:64bit: - [2011/07/11 01:14:36 | 000,375,376 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avgtdia.sys -- (Avgtdia)
    DRV:64bit: - [2011/07/11 01:14:08 | 000,029,776 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AVGIDSFilter.sys -- (AVGIDSFilter)
    DRV:64bit: - [2011/07/11 01:14:06 | 000,120,400 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AVGIDSDriver.sys -- (AVGIDSDriver)
    DRV:64bit: - [2011/07/11 01:14:06 | 000,026,704 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\AVGIDSEH.sys -- (AVGIDSEH)
    DRV:64bit: - [2011/05/10 03:41:27 | 000,174,184 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nvhda64v.sys -- (NVHDA)
    DRV:64bit: - [2009/08/13 14:20:46 | 001,209,856 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\agrsm64.sys -- (AgereSoftModem)
    DRV:64bit: - [2009/07/13 19:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
    DRV:64bit: - [2009/07/13 19:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
    DRV:64bit: - [2009/07/13 19:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
    DRV:64bit: - [2009/07/13 19:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
    DRV:64bit: - [2009/07/13 19:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
    DRV:64bit: - [2009/07/13 19:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
    DRV:64bit: - [2009/06/10 14:35:35 | 000,408,960 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nvm62x64.sys -- (NVENETFD)
    DRV:64bit: - [2009/06/10 14:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
    DRV:64bit: - [2009/06/10 14:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
    DRV:64bit: - [2009/06/10 14:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
    DRV:64bit: - [2009/06/10 14:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
    DRV:64bit: - [2007/04/12 07:10:28 | 000,151,296 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\COMMONFX.DLL -- (COMMONFX.DLL)
    DRV:64bit: - [2007/04/10 05:07:54 | 000,580,904 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ctac32k.sys -- (ctac32k)
    DRV:64bit: - [2007/04/10 03:41:54 | 000,295,208 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\haP17v2k.sys -- (hap17v2k)
    DRV:64bit: - [2007/04/10 03:41:20 | 000,259,880 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\haP16v2k.sys -- (hap16v2k)
    DRV:64bit: - [2007/04/10 03:40:24 | 001,359,144 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ha10kx2k.sys -- (ha10kx2k)
    DRV:64bit: - [2007/04/10 03:39:48 | 000,147,752 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\emupia2k.sys -- (emupia)
    DRV:64bit: - [2007/04/10 03:38:40 | 000,290,600 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ctsfm2k.sys -- (ctsfm2k)
    DRV:64bit: - [2007/04/10 03:38:10 | 000,017,192 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ctprxy2k.sys -- (ctprxy2k)
    DRV:64bit: - [2007/04/10 03:37:36 | 000,218,408 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ctoss2k.sys -- (ossrv)
    DRV:64bit: - [2007/04/10 03:35:28 | 000,863,016 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM)
    DRV:64bit: - [2007/04/10 03:17:22 | 000,123,688 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\CTHWIUT.DLL -- (CTHWIUT.DLL)
    DRV:64bit: - [2007/04/10 03:17:00 | 000,252,712 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\CT20XUT.DLL -- (CT20XUT.DLL)
    DRV:64bit: - [2007/04/10 03:16:20 | 001,571,112 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\CTEXFIFX.DLL -- (CTEXFIFX.DLL)
    DRV:64bit: - [2007/04/10 03:15:44 | 000,363,304 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\CTEDSPSY.DLL -- (CTEDSPSY.DLL)
    DRV:64bit: - [2007/04/10 03:15:10 | 000,190,248 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\CTEDSPIO.DLL -- (CTEDSPIO.DLL)
    DRV:64bit: - [2007/04/10 03:14:28 | 000,142,120 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\CTERFXFX.DLL -- (CTERFXFX.DLL)
    DRV:64bit: - [2007/04/10 03:13:38 | 000,321,832 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\CTEDSPFX.DLL -- (CTEDSPFX.DLL)
    DRV:64bit: - [2007/04/10 03:13:08 | 000,219,432 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\CTEAPSFX.DLL -- (CTEAPSFX.DLL)
    DRV:64bit: - [2007/04/10 03:12:22 | 000,681,256 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\CTSBLFX.DLL -- (CTSBLFX.DLL)
    DRV:64bit: - [2007/04/10 03:11:46 | 000,700,200 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\CTAUDFX.DLL -- (CTAUDFX.DLL)
    DRV - [2009/07/13 19:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    IE - HKLM\..\URLSearchHook: {22dfbf5b-a7cd-4b25-9471-3dc68c71855f} - C:\Program Files (x86)\Game_Master_2.1\prxtbGame.dll (Conduit Ltd.)


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-3987978806-1211868978-1138045319-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    IE - HKU\S-1-5-21-3987978806-1211868978-1138045319-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
    IE - HKU\S-1-5-21-3987978806-1211868978-1138045319-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = B6 7F 3A 19 59 75 CC 01 [binary data]
    IE - HKU\S-1-5-21-3987978806-1211868978-1138045319-1000\..\URLSearchHook: {22dfbf5b-a7cd-4b25-9471-3dc68c71855f} - C:\Program Files (x86)\Game_Master_2.1\prxtbGame.dll (Conduit Ltd.)
    IE - HKU\S-1-5-21-3987978806-1211868978-1138045319-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


    FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_1_102.dll File not found
    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
    FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files (x86)\AVG\AVG2012\Firefox4\ [2011/11/16 19:03:21 | 000,000,000 | ---D | M]


    O1 HOSTS File: ([2011/11/19 09:45:51 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2:64bit: - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssiea.dll (AVG Technologies CZ, s.r.o.)
    O2 - BHO: (Game Master 2.1 Toolbar) - {22dfbf5b-a7cd-4b25-9471-3dc68c71855f} - C:\Program Files (x86)\Game_Master_2.1\prxtbGame.dll (Conduit Ltd.)
    O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.)
    O2 - BHO: (ShopAtHome.com Toolbar) - {66516A07-F617-488A-90CF-4E690CFB3C5F} - C:\Program Files (x86)\ShopAtHome\tbcore3U.dll (ShopAtHome.com)
    O2 - BHO: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\8.0.0.40\AVG Secure Search_toolbar.dll ()
    O3 - HKLM\..\Toolbar: (Game Master 2.1 Toolbar) - {22dfbf5b-a7cd-4b25-9471-3dc68c71855f} - C:\Program Files (x86)\Game_Master_2.1\prxtbGame.dll (Conduit Ltd.)
    O3 - HKLM\..\Toolbar: (ShopAtHome.com Toolbar) - {311B58DC-A4DC-4B04-B1B5-60299AD3D803} - C:\Program Files (x86)\ShopAtHome\tbcore3U.dll (ShopAtHome.com)
    O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\8.0.0.40\AVG Secure Search_toolbar.dll ()
    O3 - HKU\S-1-5-21-3987978806-1211868978-1138045319-1000\..\Toolbar\WebBrowser: (Game Master 2.1 Toolbar) - {22DFBF5B-A7CD-4B25-9471-3DC68C71855F} - C:\Program Files (x86)\Game_Master_2.1\prxtbGame.dll (Conduit Ltd.)
    O3 - HKU\S-1-5-21-3987978806-1211868978-1138045319-1000\..\Toolbar\WebBrowser: (ShopAtHome.com Toolbar) - {311B58DC-A4DC-4B04-B1B5-60299AD3D803} - C:\Program Files (x86)\ShopAtHome\tbcore3U.dll (ShopAtHome.com)
    O4:64bit: - HKLM..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL File not found
    O4 - HKLM..\Run: [AsioThk32Reg] C:\Windows\SysWow64\ctasio.dll (Creative Technology Ltd)
    O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
    O4 - HKLM..\Run: [CTHelper] C:\Windows\SysWow64\CtHelper.exe (Creative Technology Ltd)
    O4 - HKLM..\Run: [CTxfiHlp] C:\Windows\SysWow64\Ctxfihlp.exe (Creative Technology Ltd)
    O4 - HKLM..\Run: [vProt] C:\Program Files (x86)\AVG Secure Search\vprot.exe ()
    O4 - HKU\.DEFAULT..\Run: [DevconDefaultDB] C:\Windows\SysWow64\READREG.exe (Creative Technology Limited)
    O4 - HKU\S-1-5-18..\Run: [DevconDefaultDB] C:\Windows\SysWow64\READREG.exe (Creative Technology Limited)
    O4 - HKU\S-1-5-21-3987978806-1211868978-1138045319-1000..\Run: [Steam] C:\Program Files (x86)\Steam\steam.exe (Valve Corporation)
    O4 - HKU\S-1-5-21-3987978806-1211868978-1138045319-1001..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
    O4 - HKU\S-1-5-21-3987978806-1211868978-1138045319-1001..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-3987978806-1211868978-1138045319-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-3987978806-1211868978-1138045319-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\S-1-5-21-3987978806-1211868978-1138045319-1001\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
    O16 - DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{CCCDBC8F-E023-4BB9-A73D-830BADC07EFC}: DhcpNameServer = 192.168.0.1
    O18:64bit: - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgppa.dll (AVG Technologies CZ, s.r.o.)
    O18:64bit: - Protocol\Handler\viprotocol - No CLSID value found
    O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
    O18 - Protocol\Handler\viprotocol {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\8.0.1\ViProtocol.dll ()
    O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O32 - HKLM CDRom: AutoRun - 1
    O34 - HKLM BootExecute: (autocheck autochk *)
    O34 - HKLM BootExecute: (C:\PROGRA~2\AVG\AVG2012\avgrsa.exe /sync /restart)
    O35:64bit: - HKLM\..comfile [open] -- "%1" %*
    O35:64bit: - HKLM\..exefile [open] -- "%1" %*
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
    O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*


    Drivers32:64bit: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.l3acm - C:\Windows\SysWOW64\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: vidc.cvid - C:\Windows\SysWow64\iccvid.dll (Radius Inc.)

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point

    ========== Files/Folders - Created Within 30 Days ==========

    [2011/11/20 05:30:20 | 000,000,000 | -H-D | C] -- C:\Windows\AxInstSV
    [2011/11/19 20:17:55 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Users\TMan\Desktop\OTL.exe
    [2011/11/19 10:08:20 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2011/11/19 09:46:07 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN
    [2011/11/19 08:50:12 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2011/11/19 08:50:12 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2011/11/19 08:50:12 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2011/11/19 08:49:07 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
    [2011/11/19 08:49:01 | 000,000,000 | ---D | C] -- C:\ComboFix
    [2011/11/19 08:47:59 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2011/11/19 08:15:41 | 004,301,841 | R--- | C] (Swearware) -- C:\Users\TMan\Desktop\ComboFix.exe
    [2011/11/19 08:02:50 | 001,916,416 | ---- | C] (AVAST Software) -- C:\Users\TMan\Desktop\aswMBR.exe
    [2011/11/17 16:54:26 | 000,000,000 | ---D | C] -- C:\Users\TMan\AppData\Local\ElevatedDiagnostics
    [2011/11/16 20:37:02 | 000,607,260 | R--- | C] (Swearware) -- C:\Users\TMan\Desktop\dds.scr
    [2011/11/16 20:06:15 | 000,000,000 | ---D | C] -- C:\Users\TMan\AppData\Roaming\Malwarebytes
    [2011/11/16 20:05:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2011/11/16 20:05:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2011/11/16 20:05:52 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    [2011/11/16 20:00:00 | 009,852,544 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\TMan\Desktop\mbam-setup-1.51.2.1300.exe
    [2011/11/16 19:25:24 | 000,000,000 | ---D | C] -- C:\$AVG
    [2011/11/16 19:07:31 | 000,000,000 | ---D | C] -- C:\Users\TMan\AppData\Roaming\AVG2012
    [2011/11/16 19:03:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG 2012
    [2011/11/16 19:02:54 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\AVG Secure Search
    [2011/11/16 19:02:54 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AVG Secure Search
    [2011/11/16 19:02:51 | 000,000,000 | ---D | C] -- C:\ProgramData\Common Files
    [2011/11/16 19:02:45 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\drivers\AVG
    [2011/11/16 19:02:04 | 000,000,000 | ---D | C] -- C:\ProgramData\AVG2012
    [2011/11/16 19:02:04 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\drivers\AVG
    [2011/11/16 19:01:21 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AVG
    [2011/11/16 18:56:08 | 000,000,000 | ---D | C] -- C:\ProgramData\MFAData
    [2011/11/16 17:57:02 | 000,000,000 | ---D | C] -- C:\Users\TMan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Fix
    [2011/11/16 16:58:50 | 000,000,000 | ---D | C] -- C:\Windows\Sun
    [2011/11/15 06:35:07 | 000,000,000 | ---D | C] -- C:\Users\TMan\Desktop\Pics 11-16-11
    [2011/11/13 10:28:52 | 000,000,000 | ---D | C] -- C:\Users\TMan\Desktop\Pics 11-13-11
    [2011/11/12 21:55:06 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\Macromed
    [2007/04/09 11:32:58 | 000,034,816 | ---- | C] ( ) -- C:\Windows\SysWow64\a3d.dll
    [2007/04/09 11:19:16 | 000,010,240 | ---- | C] ( ) -- C:\Windows\SysWow64\killapps.exe

    ========== Files - Modified Within 30 Days ==========

    [2011/11/20 08:35:51 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\TMan\Desktop\OTL.exe
    [2011/11/20 07:37:48 | 110,299,221 | ---- | M] () -- C:\Windows\SysNative\drivers\AVG\incavi.avm
    [2011/11/20 06:55:43 | 000,014,016 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    [2011/11/20 06:55:43 | 000,014,016 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    [2011/11/20 06:50:22 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2011/11/20 06:50:12 | 1206,771,712 | -HS- | M] () -- C:\hiberfil.sys
    [2011/11/19 23:12:25 | 000,032,744 | ---- | M] () -- C:\Windows\SysNative\drivers\AVG\iavichjg.avm
    [2011/11/19 10:16:26 | 000,034,240 | ---- | M] () -- C:\Windows\SysNative\BMXStateBkp-{00000003-00000000-00000007-00001102-00000004-20041102}.rfx
    [2011/11/19 10:16:26 | 000,034,240 | ---- | M] () -- C:\Windows\SysNative\BMXState-{00000003-00000000-00000007-00001102-00000004-20041102}.rfx
    [2011/11/19 10:16:26 | 000,030,528 | ---- | M] () -- C:\Windows\SysNative\BMXCtrlState-{00000003-00000000-00000007-00001102-00000004-20041102}.rfx
    [2011/11/19 10:16:26 | 000,030,528 | ---- | M] () -- C:\Windows\SysNative\BMXBkpCtrlState-{00000003-00000000-00000007-00001102-00000004-20041102}.rfx
    [2011/11/19 10:16:26 | 000,011,564 | ---- | M] () -- C:\Windows\SysNative\DVCState-{00000003-00000000-00000007-00001102-00000004-20041102}.rfx
    [2011/11/19 09:45:51 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
    [2011/11/19 08:15:48 | 004,301,841 | R--- | M] (Swearware) -- C:\Users\TMan\Desktop\ComboFix.exe
    [2011/11/19 08:12:52 | 000,000,512 | ---- | M] () -- C:\Users\TMan\Desktop\MBR.dat
    [2011/11/19 08:03:21 | 001,916,416 | ---- | M] (AVAST Software) -- C:\Users\TMan\Desktop\aswMBR.exe
    [2011/11/18 20:27:30 | 000,001,137 | ---- | M] () -- C:\Users\TMan\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
    [2011/11/18 20:27:30 | 000,001,113 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
    [2011/11/18 20:25:05 | 009,852,544 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\TMan\Desktop\mbam-setup-1.51.2.1300.exe
    [2011/11/18 20:06:47 | 000,302,592 | ---- | M] () -- C:\Users\TMan\Desktop\q96qpm33.exe
    [2011/11/18 07:02:44 | 000,684,297 | ---- | M] () -- C:\Users\TMan\Desktop\unhide.exe
    [2011/11/16 20:37:02 | 000,607,260 | R--- | M] (Swearware) -- C:\Users\TMan\Desktop\dds.scr
    [2011/11/16 20:32:11 | 000,302,592 | ---- | M] () -- C:\Users\TMan\Desktop\qbliknbe.exe
    [2011/11/16 20:29:12 | 000,000,208 | ---- | M] () -- C:\Users\TMan\Desktop\Yahoo!.url
    [2011/11/16 19:27:45 | 000,001,646 | ---- | M] () -- C:\Windows\System\msg.reg
    [2011/11/16 19:27:45 | 000,000,018 | ---- | M] () -- C:\Windows\System\msg.bat
    [2011/11/16 19:03:21 | 000,000,965 | ---- | M] () -- C:\Users\Public\Desktop\AVG 2012.lnk
    [2011/11/16 19:02:45 | 000,000,000 | ---- | M] () -- C:\Windows\SysWow64\drivers\AVG\incavi.avm
    [2011/11/16 19:02:45 | 000,000,000 | ---- | M] () -- C:\Windows\SysWow64\drivers\AVG\iavichjw.avm
    [2011/11/16 19:00:15 | 000,713,888 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
    [2011/11/16 19:00:15 | 000,615,122 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
    [2011/11/16 19:00:15 | 000,103,496 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
    [2011/11/16 17:57:03 | 000,000,296 | ---- | M] () -- C:\ProgramData\~sqebj8ZSQWmRki
    [2011/11/16 17:57:03 | 000,000,216 | ---- | M] () -- C:\ProgramData\~sqebj8ZSQWmRkir
    [2011/11/16 17:56:59 | 000,000,336 | ---- | M] () -- C:\ProgramData\sqebj8ZSQWmRki
    [2011/11/14 07:58:18 | 000,000,178 | ---- | M] () -- C:\Users\TMan\Desktop\Tman.url
    [2011/11/12 23:37:21 | 000,000,334 | ---- | M] () -- C:\Users\TMan\Desktop\server.properties
    [2011/11/12 20:33:39 | 000,299,099 | ---- | M] () -- C:\Windows\System\tubelist.dat
    [2011/11/12 20:33:38 | 000,000,124 | ---- | M] () -- C:\Windows\System\update.dat
    [2011/11/12 17:41:52 | 000,000,221 | ---- | M] () -- C:\Users\TMan\Desktop\Call of Duty Modern Warfare 3.url
    [2011/11/12 17:41:52 | 000,000,221 | ---- | M] () -- C:\Users\TMan\Desktop\Call of Duty Modern Warfare 3 - Multiplayer.url

    ========== Files Created - No Company Name ==========

    [2011/11/20 07:37:48 | 110,299,221 | ---- | C] () -- C:\Windows\SysNative\drivers\AVG\incavi.avm
    [2011/11/19 23:12:25 | 000,032,744 | ---- | C] () -- C:\Windows\SysNative\drivers\AVG\iavichjg.avm
    [2011/11/19 08:50:12 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
    [2011/11/19 08:50:12 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
    [2011/11/19 08:50:12 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2011/11/19 08:50:12 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2011/11/19 08:50:12 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2011/11/19 08:12:52 | 000,000,512 | ---- | C] () -- C:\Users\TMan\Desktop\MBR.dat
    [2011/11/18 20:27:30 | 000,001,137 | ---- | C] () -- C:\Users\TMan\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
    [2011/11/18 20:06:10 | 000,302,592 | ---- | C] () -- C:\Users\TMan\Desktop\q96qpm33.exe
    [2011/11/18 07:18:30 | 000,684,297 | ---- | C] () -- C:\Users\TMan\Desktop\unhide.exe
    [2011/11/16 20:31:20 | 000,302,592 | ---- | C] () -- C:\Users\TMan\Desktop\qbliknbe.exe
    [2011/11/16 20:29:11 | 000,000,208 | ---- | C] () -- C:\Users\TMan\Desktop\Yahoo!.url
    [2011/11/16 20:06:00 | 000,001,113 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
    [2011/11/16 19:27:45 | 000,001,646 | ---- | C] () -- C:\Windows\System\msg.reg
    [2011/11/16 19:27:45 | 000,000,018 | ---- | C] () -- C:\Windows\System\msg.bat
    [2011/11/16 19:03:21 | 000,000,965 | ---- | C] () -- C:\Users\Public\Desktop\AVG 2012.lnk
    [2011/11/16 19:02:45 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\drivers\AVG\incavi.avm
    [2011/11/16 19:02:45 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\drivers\AVG\iavichjw.avm
    [2011/11/16 17:57:03 | 000,000,216 | ---- | C] () -- C:\ProgramData\~sqebj8ZSQWmRkir
    [2011/11/16 17:57:02 | 000,000,296 | ---- | C] () -- C:\ProgramData\~sqebj8ZSQWmRki
    [2011/11/16 17:56:59 | 000,000,336 | ---- | C] () -- C:\ProgramData\sqebj8ZSQWmRki
    [2011/11/12 23:37:12 | 000,000,334 | ---- | C] () -- C:\Users\TMan\Desktop\server.properties
    [2011/11/12 20:33:38 | 000,000,124 | ---- | C] () -- C:\Windows\System\update.dat
    [2011/11/12 17:41:52 | 000,000,221 | ---- | C] () -- C:\Users\TMan\Desktop\Call of Duty Modern Warfare 3.url
    [2011/11/12 17:41:52 | 000,000,221 | ---- | C] () -- C:\Users\TMan\Desktop\Call of Duty Modern Warfare 3 - Multiplayer.url
    [2011/10/15 11:01:21 | 000,003,584 | ---- | C] () -- C:\Users\TMan\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2011/08/18 16:25:50 | 000,000,051 | ---- | C] () -- C:\Windows\SysWow64\everest_cpl.ini
    [2011/08/03 02:31:54 | 000,311,912 | ---- | C] () -- C:\Windows\SysWow64\nvStreaming.exe
    [2009/07/13 23:38:36 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
    [2009/07/13 20:35:51 | 000,000,741 | ---- | C] () -- C:\Windows\SysWow64\NOISE.DAT
    [2009/07/13 20:34:42 | 000,215,943 | ---- | C] () -- C:\Windows\SysWow64\dssec.dat
    [2009/07/13 18:10:29 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
    [2009/07/13 17:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
    [2009/07/13 15:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
    [2009/06/10 15:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat
    [2007/04/12 07:10:28 | 000,105,728 | ---- | C] () -- C:\Windows\SysWow64\APOMgrH.dll
    [2007/04/09 11:55:14 | 000,097,785 | ---- | C] () -- C:\Windows\SysWow64\instwdm.ini
    [2007/04/09 11:55:14 | 000,000,054 | ---- | C] () -- C:\Windows\SysWow64\ctzapxx.ini
    [2007/04/09 11:33:50 | 000,043,520 | ---- | C] () -- C:\Windows\SysWow64\CTBurst.dll
    [2007/04/09 11:32:32 | 000,037,888 | ---- | C] () -- C:\Windows\SysWow64\psconv.exe
    [2007/04/09 11:24:30 | 000,325,821 | ---- | C] () -- C:\Windows\SysWow64\ctdlang.dat
    [2007/04/09 11:24:30 | 000,046,273 | ---- | C] () -- C:\Windows\SysWow64\ctdnlstr.dat
    [2007/04/09 11:19:20 | 000,313,207 | ---- | C] () -- C:\Windows\SysWow64\ctstatic.dat
    [2007/04/09 11:19:20 | 000,053,932 | ---- | C] () -- C:\Windows\SysWow64\ctdaught.dat
    [2007/04/09 11:19:18 | 000,005,120 | ---- | C] () -- C:\Windows\SysWow64\enlocstr.exe
    [2006/10/02 08:25:18 | 000,000,307 | ---- | C] () -- C:\Windows\SysWow64\kill.ini
    [2005/06/16 09:17:16 | 000,071,680 | ---- | C] () -- C:\Windows\SysWow64\ctmmactl.dll

    ========== LOP Check ==========

    [2011/10/16 17:07:31 | 000,000,000 | ---D | M] -- C:\Users\TMan\AppData\Roaming\.minecraft
    [2011/11/16 19:07:31 | 000,000,000 | ---D | M] -- C:\Users\TMan\AppData\Roaming\AVG2012
    [2011/10/02 05:59:08 | 000,000,000 | ---D | M] -- C:\Users\TMan\AppData\Roaming\LolClient
    [2009/07/13 23:08:49 | 000,016,442 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2011/08/16 16:12:58 | 000,000,003 | ---- | M] () -- C:\7Loader.TAG
    [2011/11/19 10:07:51 | 000,013,182 | ---- | M] () -- C:\ComboFix.txt
    [2011/11/20 06:50:12 | 1206,771,712 | -HS- | M] () -- C:\hiberfil.sys
    [2011/11/20 06:50:15 | 1609,031,680 | -HS- | M] () -- C:\pagefile.sys

    < %systemroot%\Fonts\*.com >
    [2009/07/13 23:32:31 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
    [2009/07/13 23:32:31 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
    [2009/07/13 23:32:31 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
    [2009/07/13 23:32:31 | 000,043,318 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2009/06/10 14:49:50 | 000,000,065 | ---- | M] () -- C:\Windows\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >
    [2009/07/13 22:54:24 | 000,000,174 | -HS- | M] () -- C:\Program Files (x86)\desktop.ini

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2011/08/16 16:15:18 | 000,000,221 | -HS- | M] () -- C:\Users\TMan\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini

    < %USERPROFILE%\Desktop\*.exe >
    [2011/11/19 08:03:21 | 001,916,416 | ---- | M] (AVAST Software) -- C:\Users\TMan\Desktop\aswMBR.exe
    [2011/11/19 08:15:48 | 004,301,841 | R--- | M] (Swearware) -- C:\Users\TMan\Desktop\ComboFix.exe
    [2011/11/18 20:25:05 | 009,852,544 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\TMan\Desktop\mbam-setup-1.51.2.1300.exe
    [2011/11/20 08:35:51 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\TMan\Desktop\OTL.exe
    [2011/11/18 20:06:47 | 000,302,592 | ---- | M] () -- C:\Users\TMan\Desktop\q96qpm33.exe
    [2011/11/16 20:32:11 | 000,302,592 | ---- | M] () -- C:\Users\TMan\Desktop\qbliknbe.exe
    [2011/11/18 07:02:44 | 000,684,297 | ---- | M] () -- C:\Users\TMan\Desktop\unhide.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >
    [2009/06/10 15:20:04 | 000,000,802 | ---- | M] () -- C:\Windows\ADDINS\FXSEXT.ecf

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >
    [2011/08/16 16:28:42 | 000,008,192 | ---- | M] () -- C:\Windows\SECURITY\Database\edb.chk
    [2011/08/16 16:28:42 | 001,048,576 | ---- | M] () -- C:\Windows\SECURITY\Database\edb.log
    [2011/08/16 16:28:42 | 001,048,576 | ---- | M] () -- C:\Windows\SECURITY\Database\edbres00001.jrs
    [2011/08/16 16:28:42 | 001,048,576 | ---- | M] () -- C:\Windows\SECURITY\Database\edbres00002.jrs
    [2011/08/16 16:28:42 | 000,786,432 | ---- | M] () -- C:\Windows\SECURITY\Database\edbtmp.log
    [2011/08/16 16:28:42 | 001,056,768 | ---- | M] () -- C:\Windows\SECURITY\Database\tmp.edb

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2011/08/16 16:08:07 | 000,000,402 | -HS- | M] () -- C:\Users\TMan\Favorites\desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >
    [2011/11/16 17:56:59 | 000,000,336 | ---- | M] () -- C:\ProgramData\sqebj8ZSQWmRki
    [2011/11/16 17:57:03 | 000,000,296 | ---- | M] () -- C:\ProgramData\~sqebj8ZSQWmRki
    [2011/11/16 17:57:03 | 000,000,216 | ---- | M] () -- C:\ProgramData\~sqebj8ZSQWmRkir

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


    < End of report >



    Thanks for your patience.
     
  17. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      [2011/11/16 17:57:03 | 000,000,216 | ---- | C] () -- C:\ProgramData\~sqebj8ZSQWmRkir
      [2011/11/16 17:57:02 | 000,000,296 | ---- | C] () -- C:\ProgramData\~sqebj8ZSQWmRki
      [2011/11/16 17:56:59 | 000,000,336 | ---- | C] () -- C:\ProgramData\sqebj8ZSQWmRki
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ============================================================

    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now, we need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.

    =============================================================

    Last scans....

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If Eset won't find any threats, it won't produce any log.
     
  18. BlueDragon

    BlueDragon TS Rookie Topic Starter Posts: 18

    Broni,

    Here is the result from the latest OTL scan:

    All processes killed
    ========== OTL ==========
    C:\ProgramData\~sqebj8ZSQWmRkir moved successfully.
    C:\ProgramData\~sqebj8ZSQWmRki moved successfully.
    C:\ProgramData\sqebj8ZSQWmRki moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: TMan
    ->Temp folder emptied: 2086551 bytes
    ->Temporary Internet Files folder emptied: 97995528 bytes
    ->Java cache emptied: 1273498 bytes
    ->Flash cache emptied: 32382 bytes

    User: UpdatusUser
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 67907 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 97.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default

    User: Default User

    User: Public

    User: TMan
    ->Flash cache emptied: 0 bytes

    User: UpdatusUser

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.31.0 log created on 11202011_173534

    Files\Folders moved on Reboot...
    C:\Users\TMan\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
    File\Folder C:\Users\TMan\AppData\Local\Temp\~DF22D6F46C2A313B51.TMP not found!
    File\Folder C:\Users\TMan\AppData\Local\Temp\~DF3B2A1020D9E1BD61.TMP not found!
    File\Folder C:\Users\TMan\AppData\Local\Temp\~DF44B424955E6F1037.TMP not found!
    C:\Users\TMan\AppData\Local\Temp\~DF829DD3C7C29A26B2.TMP moved successfully.
    File\Folder C:\Users\TMan\AppData\Local\Temp\~DFD16B239D02606F21.TMP not found!
    File\Folder C:\Users\TMan\AppData\Local\Temp\~DFF27AC6D128632D79.TMP not found!
    File\Folder C:\Users\TMan\AppData\Local\Temp\~DFFA4FC043206C1CE7.TMP not found!
    C:\Users\TMan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XFFTJ0HC\index[1].htm moved successfully.
    C:\Users\TMan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XFFTJ0HC\like[1].php moved successfully.
    C:\Users\TMan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XFFTJ0HC\oneliner2[1].txt moved successfully.
    C:\Users\TMan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G9DFXO59\component[1].html moved successfully.
    C:\Users\TMan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G9DFXO59\oneliner2[1].txt moved successfully.
    C:\Users\TMan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F196I0MF\like[1].php moved successfully.
    C:\Users\TMan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F196I0MF\oneliner2[1].txt moved successfully.
    C:\Users\TMan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7NTV66FJ\like[1].php moved successfully.

    Registry entries deleted on Reboot...


    Thanks!
     
  19. BlueDragon

    BlueDragon TS Rookie Topic Starter Posts: 18

    Broni,

    Here are the results from the Security Check scan :

    Results of screen317's Security Check version 0.99.24
    Windows 7 x64 (UAC is enabled)
    Internet Explorer 8 Out of date!
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    Java(TM) 6 Update 29
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    AVG avgwdsvc.exe
    AVG avgtray.exe
    ``````````End of Log````````````
     
  20. BlueDragon

    BlueDragon TS Rookie Topic Starter Posts: 18

    Broni,

    The ESET Online Scanner is running and a message popped up asking me if I was sure I wanted to navigate away. I closed the pop-up and the scanning seems to have resumed though it has been 18 minutes plus and it says it has completed 3 out of 4 steps and has been at 99% complete for five minutes. It appears to still be actively scanning are reports "no threats found" so far.

    BD
     
  21. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Be patient....
     
  22. BlueDragon

    BlueDragon TS Rookie Topic Starter Posts: 18

    Will do. Thanks.
     
  23. BlueDragon

    BlueDragon TS Rookie Topic Starter Posts: 18

    Bad news. ESET completed the scan, found two infected files ("Threats found and cleaned!"), then a message popped up said memory was low. I went to click on the button to show the list of infected files and the system froze. Should I reboot and rerun?
     
  24. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    No. Those items were most likely non active leftovers and they were removed, so....

    Your computer is clean [​IMG]

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now, we'll remove all tools, we used during our cleaning process

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure, Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. (Windows XP only) Run defrag at your convenience.

    11. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

    12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    13. Please, let me know, how your computer is doing.
     
  25. BlueDragon

    BlueDragon TS Rookie Topic Starter Posts: 18

    Latest OTL scan:

    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: TMan
    ->Temp folder emptied: 1744274 bytes
    ->Temporary Internet Files folder emptied: 9584522 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 1196 bytes

    User: UpdatusUser
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 11817 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 32902 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 11.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default

    User: Default User

    User: Public

    User: TMan
    ->Flash cache emptied: 0 bytes

    User: UpdatusUser

    Total Flash Files Cleaned = 0.00 mb

    Restore point Set: OTL Restore Point

    OTL by OldTimer - Version 3.2.31.0 log created on 11202011_194819

    Files\Folders moved on Reboot...
    C:\Users\TMan\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
    C:\Users\TMan\AppData\Local\Temp\~DF2DC1F51042DB21DC.TMP moved successfully.
    File\Folder C:\Users\TMan\AppData\Local\Temp\~DF37109BA7BFCB392E.TMP not found!
    File\Folder C:\Users\TMan\AppData\Local\Temp\~DF610F13074F3E3841.TMP not found!
    File\Folder C:\Users\TMan\AppData\Local\Temp\~DF6527FC0D9C622663.TMP not found!
    File\Folder C:\Users\TMan\AppData\Local\Temp\~DF66A53E01C77500C0.TMP not found!
    File\Folder C:\Users\TMan\AppData\Local\Temp\~DFB5088AA734B3936F.TMP not found!
    File\Folder C:\Users\TMan\AppData\Local\Temp\~DFBD7892CD742B9A17.TMP not found!
    File\Folder C:\Users\TMan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZLWIA1S7\like[1].php not found!
    C:\Users\TMan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZLWIA1S7\like[2].php moved successfully.
    C:\Users\TMan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SV8TRCO8\component[1].html moved successfully.
    C:\Users\TMan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SV8TRCO8\index[1].htm moved successfully.
    C:\Users\TMan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SV8TRCO8\oneliner2[1].txt moved successfully.
    C:\Users\TMan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1Z604RGJ\like[1].php moved successfully.
    File\Folder C:\Users\TMan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1Z604RGJ\oneliner2[1].txt not found!
    C:\Users\TMan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1Z604RGJ\oneliner2[2].txt moved successfully.

    Registry entries deleted on Reboot...
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...