TechSpot

Persistent Win32/Zbot.G virus problem

By SadPanda
Aug 2, 2011
  1. It would appear that I am suffering from the somewhat common problem of finding multiple instances of the Win32/Zbot.G virus using AVG. I cannot open certain programs such as Skype, although I can use my anti-virus software and my internet browser. I have followed the 7-step removal thread and have the following logs:

    Malwarebytes' Anti-Malware 1.51.1.1800
    www.malwarebytes.org

    Database version: 7356

    Windows 6.1.7601 Service Pack 1
    Internet Explorer 8.0.7601.17514

    02/08/2011 16:23:58
    mbam-log-2011-08-02 (16-23-58).txt

    Scan type: Quick scan
    Objects scanned: 159620
    Time elapsed: 14 minute(s), 6 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\Users\Clive\AppData\Local\Temp\0.38175907091109873.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.


    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2011-08-02 16:39:32
    Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD50 rev.01.0
    Running: shxkx4gq.exe; Driver: C:\Users\Clive\AppData\Local\Temp\pxldrpog.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \Driver\tdx \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Livekbc.SYS (Windows NT Caps-lock Ctrl Swapper/Systems Internals)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Livekbc.SYS (Windows NT Caps-lock Ctrl Swapper/Systems Internals)

    ---- EOF - GMER 1.0.15 ----
     
  2. SadPanda

    More Logs

    .
    DDS (Ver_2011-06-23.01) - NTFSx86
    Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_22
    Run by Clive at 16:40:46 on 2011-08-02
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.3071.1572 [GMT 1:00]
    .
    AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\atieclxx.exe
    C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
    C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
    C:\Program Files\CyberLink\YouCam\YouCamTray.exe
    C:\Program Files\Real\RealPlayer\Update\realsched.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Program Files\Steam\steam.exe
    C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
    C:\Windows\System32\StikyNot.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\The TechGuys\Launch\Launch.exe
    C:\Program Files\OEM\LIVE! OSD 1.14(AD)\osd.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\servicing\TrustedInstaller.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Common Files\Steam\SteamService.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    C:\Windows\System32\svchost.exe -k swprv
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    C:\Program Files\AVG\AVG10\avgemcx.exe
    C:\Windows\system32\conhost.exe
    C:\Program Files\AVG\AVG10\avgnsx.exe
    C:\Program Files\AVG\AVG10\avgchsvx.exe
    C:\Program Files\AVG\AVG10\avgrsx.exe
    C:\Program Files\AVG\AVG10\avgcsrvx.exe
    C:\Windows\system32\RunDll32.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=DSGJ&bmod=DSGJ
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
    uRun: [Reminder] c:\program files\ttg\reminder\Reminder.exe
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
    uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"
    uRun: [RESTART_STICKY_NOTES] c:\windows\system32\StikyNot.exe
    uRun: [IcnKvtqn] c:\users\clive\appdata\local\avvxlqhw\icnkvtqn.exe
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
    mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
    mRun: [MDS_Menu] "c:\program files\cyberlink\mediashowespresso\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\mediashowespresso" updatewithcreateonce "software\cyberlink\mediashow espresso\5.0"
    mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe"
    mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
    mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" updatewithcreateonce "software\cyberlink\youcam\3.0"
    mRun: [YouCam Mirror Tray icon] "c:\program files\cyberlink\youcam\YouCamTray.exe" /s
    mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [LogMeIn Hamachi Ui] "c:\program files\logmein hamachi\hamachi-2-ui.exe" --auto-start
    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
    mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    StartupFolder: c:\users\clive\appdata\roaming\microsoft\windows\start menu\programs\startup\icnkvtqn.exe
    StartupFolder: c:\users\clive\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\launch.lnk - c:\windows\installer\{4a65dad2-e914-4923-9c2a-81b968a68ce2}\_A685CC3126A7CC37D335DE.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\osd.lnk - c:\windows\installer\{73289228-1853-4623-982a-eb17ff0270ca}\_CCB0CAEC2D875359E0C287.exe
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
    DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {C345E174-3E87-4F41-A01C-B066A90A49B4} - hxxp://trial.trymicrosoftoffice.com/trialoaa/buymsoffice_assets/framework//microsoft/wrc32.ocx
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{8C6DEF76-4C69-4F57-BD98-18A56E217A73} : DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{8C6DEF76-4C69-4F57-BD98-18A56E217A73}\244584F6D65684572623D2B4452574 : DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{8C6DEF76-4C69-4F57-BD98-18A56E217A73}\65F69646 : DhcpNameServer = 192.168.0.1 192.168.1.254
    TCP: Interfaces\{8C6DEF76-4C69-4F57-BD98-18A56E217A73}\65F69646F5D656469616 : DhcpNameServer = 192.168.0.1 192.168.1.254
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Notify: igfxcui - igfxdev.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\clive\appdata\roaming\mozilla\firefox\profiles\7gpzvs2f.default\
    FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll
    FF - component: c:\program files\avg\avg10\firefox4\components\avgssff5.dll
    FF - component: c:\program files\mozilla firefox\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll
    FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
    FF - component: c:\users\clive\appdata\roaming\mozilla\firefox\profiles\7gpzvs2f.default\extensions\{cd90bf73-20f6-44ef-993d-bb920303bd2e}\components\RadioWMPCoreGecko19.dll
    FF - component: c:\users\clive\appdata\roaming\mozilla\firefox\profiles\7gpzvs2f.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
    FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
    FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft\office live\npOLW.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Click to call with Skype: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\mozilla firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\real\realplayer\browserrecordplugin\firefox\Ext
    FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\avg\avg10\Firefox4
    FF - Ext: Veoh Web Player Community Toolbar: {cd90bf73-20f6-44ef-993d-bb920303bd2e} - %profile%\extensions\{cd90bf73-20f6-44ef-993d-bb920303bd2e}
    FF - Ext: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - %profile%\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
    FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]
    R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2005-11-14 34176]
    R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2011-6-22 53816]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-4-5 297168]
    R1 RapportCerberus_28711;RapportCerberus_28711;c:\programdata\trusteer\rapport\store\exts\rapportcerberus\28711\RapportCerberus32_28711.sys [2011-7-17 216752]
    R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2011-6-22 66360]
    R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2011-6-22 158904]
    R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
    R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-7-8 176128]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
    R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2011-5-25 1336712]
    R2 LiveGpdKBFilter;LiveGpdKBFilter;c:\windows\system32\drivers\LiveGpdKBFilter.sys [2009-9-1 4096]
    R2 LiveIO;LiveIO;c:\windows\system32\drivers\LiveIO.sys [2009-9-1 15312]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-8-2 366640]
    R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2011-6-22 870200]
    R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2009-12-17 497856]
    R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2011-7-8 8312832]
    R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2011-7-8 244736]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-4-14 134480]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 21968]
    R3 Livekbc;Livekbc;c:\windows\system32\drivers\Livekbc.sys [2009-9-1 4096]
    R3 Livemouclass;Livemouclass;c:\windows\system32\drivers\Livemouclass.sys [2009-9-1 3968]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-8-2 22712]
    R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
    R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-9-1 167936]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-9-15 136176]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2010-9-15 54632]
    S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-9-15 136176]
    S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-9-1 122368]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-8-2 41272]
    S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-9-1 166912]
    S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-6-23 52224]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-9-17 1343400]
    .
    =============== Created Last 30 ================
    .
    2011-08-02 15:06:15 -------- d-----w- c:\users\clive\appdata\roaming\Malwarebytes
    2011-08-02 15:06:07 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-08-02 15:06:07 -------- d-----w- c:\programdata\Malwarebytes
    2011-08-02 15:06:04 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-08-02 15:06:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-08-02 14:08:10 -------- d-----w- c:\users\clive\appdata\local\ATI
    2011-08-02 14:08:04 -------- d-----w- c:\program files\AMD APP
    2011-08-02 14:08:02 -------- d-----w- c:\program files\common files\ATI Technologies
    2011-08-02 14:04:35 -------- d-----w- C:\AMD
    2011-08-02 13:47:56 -------- d-----w- c:\windows\system32\SPReview
    2011-08-02 13:46:43 -------- d-----w- c:\windows\system32\EventProviders
    2011-08-02 12:06:01 -------- d--h--w- C:\$AVG
    2011-08-02 11:54:43 -------- d-----w- c:\users\clive\appdata\roaming\AVG10
    2011-08-02 11:52:07 -------- d-----w- c:\windows\system32\drivers\AVG
    2011-08-02 11:52:07 -------- d-----w- c:\programdata\AVG10
    2011-08-02 11:50:26 -------- d-----w- c:\program files\AVG
    2011-08-02 11:45:19 -------- d--h--w- c:\programdata\Common Files
    2011-08-02 11:33:59 -------- d-----w- c:\programdata\MFAData
    2011-08-02 11:30:58 6881616 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{c5fd329f-35ad-40d0-b63c-ba99ef6c1bc7}\mpengine.dll
    2011-08-02 01:14:31 -------- d-----w- c:\users\clive\appdata\local\avvxlqhw
    2011-07-27 19:36:53 -------- d-----w- c:\users\clive\appdata\local\Zachtronics Industries
    2011-07-20 02:03:14 -------- d-----w- c:\users\clive\appdata\local\Cisco
    2011-07-20 01:40:06 -------- d-----w- c:\program files\Cisco
    2011-07-20 01:39:22 -------- d-----w- c:\programdata\Cisco
    2011-07-12 23:30:52 271872 ----a-w- c:\windows\system32\conhost.exe
    2011-07-12 23:30:51 169984 ----a-w- c:\windows\system32\winsrv.dll
    2011-07-12 23:30:34 2334208 ----a-w- c:\windows\system32\win32k.sys
    2011-07-11 10:13:20 3727360 ----a-w- c:\program files\mozilla firefox\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll
    2011-07-10 17:26:13 -------- d-----w- C:\Temp
    2011-07-10 17:21:09 -------- d-----w- c:\users\clive\appdata\roaming\Wizards of the Coast
    2011-07-08 04:14:40 8312832 ----a-w- c:\windows\system32\drivers\atikmdag.sys
    2011-07-08 03:33:28 17940992 ----a-w- c:\windows\system32\atioglxx.dll
    2011-07-08 03:29:54 151552 ----a-w- c:\windows\system32\atiapfxx.exe
    2011-07-08 03:29:44 689152 ----a-w- c:\windows\system32\aticfx32.dll
    2011-07-08 03:25:48 462848 ----a-w- c:\windows\system32\ATIDEMGX.dll
    2011-07-08 03:25:20 401408 ----a-w- c:\windows\system32\atieclxx.exe
    2011-07-08 03:24:52 176128 ----a-w- c:\windows\system32\atiesrxx.exe
    2011-07-08 03:23:40 159744 ----a-w- c:\windows\system32\atitmmxx.dll
    2011-07-08 03:23:26 356352 ----a-w- c:\windows\system32\atipdlxx.dll
    2011-07-08 03:23:14 278528 ----a-w- c:\windows\system32\Oemdspif.dll
    2011-07-08 03:23:06 15872 ----a-w- c:\windows\system32\atimuixx.dll
    2011-07-08 03:22:58 43520 ----a-w- c:\windows\system32\ati2edxx.dll
    2011-07-08 03:05:46 1828864 ----a-w- c:\windows\system32\atiumdmv.dll
    2011-07-08 03:02:06 46080 ----a-w- c:\windows\system32\aticalrt.dll
    2011-07-08 03:01:58 44032 ----a-w- c:\windows\system32\aticalcl.dll
    2011-07-08 02:58:52 6740480 ----a-w- c:\windows\system32\aticaldd.dll
    2011-07-08 02:54:28 52736 ----a-w- c:\windows\system32\coinst.dll
    2011-07-08 02:47:34 266240 ----a-w- c:\windows\system32\atiadlxx.dll
    2011-07-08 02:47:20 13312 ----a-w- c:\windows\system32\atiglpxx.dll
    2011-07-08 02:47:10 32768 ----a-w- c:\windows\system32\atigktxx.dll
    2011-07-08 02:46:42 244736 ----a-w- c:\windows\system32\drivers\atikmpag.sys
    2011-07-08 02:46:14 31744 ----a-w- c:\windows\system32\atiuxpag.dll
    2011-07-08 02:45:58 29184 ----a-w- c:\windows\system32\atiu9pag.dll
    2011-07-08 02:45:10 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
    2011-07-08 02:40:48 52736 ----a-w- c:\windows\system32\atimpc32.dll
    2011-07-08 02:40:48 52736 ----a-w- c:\windows\system32\amdpcom32.dll
    2011-07-07 22:37:28 53760 ----a-w- c:\windows\system32\OVDecode.dll
    2011-07-07 22:37:06 43520 ----a-w- c:\windows\system32\OpenCL.dll
    2011-07-07 22:36:46 13904896 ----a-w- c:\windows\system32\amdocl.dll
    .
    ==================== Find3M ====================
    .
    2011-08-02 13:56:20 152576 ----a-w- c:\windows\system32\msclmd.dll
    2011-07-19 15:07:43 444952 ----a-w- c:\windows\system32\wrap_oal.dll
    2011-07-19 15:07:43 109080 ----a-w- c:\windows\system32\OpenAL32.dll
    2011-07-08 03:19:50 4275712 ----a-w- c:\windows\system32\atidxx32.dll
    2011-07-08 03:00:34 4367360 ----a-w- c:\windows\system32\atiumdag.dll
    2011-07-08 02:55:56 4039680 ----a-w- c:\windows\system32\atiumdva.dll
    2011-06-22 17:01:26 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
    2011-06-16 02:34:06 79872 ----a-w- c:\windows\system32\SlotMaximizerAg.dll
    2011-06-16 02:34:06 2117632 ----a-w- c:\windows\system32\SlotMaximizerBe.dll
    2011-06-03 05:59:23 290816 ----a-w- c:\windows\system32\KernelBase.dll
    2011-06-03 03:48:32 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
    2011-06-03 03:48:31 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
    2011-06-03 03:48:31 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
    2011-06-03 03:48:31 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
    2011-05-28 02:53:58 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2011-05-25 13:13:44 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-05-24 18:14:10 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-05-24 10:44:59 293376 ----a-w- c:\windows\system32\umpnpmgr.dll
    .
    ============= FINISH: 16:42:05.47 ===============


    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-06-23.01)
    .
    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 15/09/2010 15:52:55
    System Uptime: 02/08/2011 16:26:45 (0 hours ago)
    .
    Motherboard: MSI | | MS-1722
    Processor: Intel(R) Core(TM)2 Quad CPU Q9000 @ 2.00GHz | CPU 1 | 2001/267mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 456 GiB total, 322.778 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows
    Device ID: ROOT\NET\0001
    Manufacturer: Cisco Systems
    Name: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows
    PNP Device ID: ROOT\NET\0001
    Service: vpnva
    .
    Class GUID:
    Description:
    Device ID: ACPI\ENE0100\4&FE887C4&0
    Manufacturer:
    Name:
    PNP Device ID: ACPI\ENE0100\4&FE887C4&0
    Service:
    .
    ==== System Restore Points ===================
    .
    RP231: 02/08/2011 14:47:47 - Windows 7 Service Pack 1
    .
    ==== Installed Programs ======================
    .
    Update for Microsoft Office 2007 (KB2508958)
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.1
    Adventure Tools
    AMD APP SDK Runtime
    AMD Media Foundation Decoders
    Armada 2526
    ATI Catalyst Install Manager
    AVG 2011
    Catalyst Control Center - Branding
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center InstallProxy
    Catalyst Control Center Localization All
    Catalyst Pro Control Center
    ccc-utility
    CCC Help English
    Cisco AnyConnect VPN Client
    Click to Call with Skype
    Clones
    Commander: Conquest of the Americas
    Compatibility Pack for the 2007 Office system
    Critical Mass
    CyberLink MediaShow Espresso
    CyberLink Power2Go
    CyberLink YouCam
    Darkest Hour: A Hearts of Iron Game
    Democracy 2
    DiceMage
    DivX Setup
    Dragon Age II
    Dwarfs!?
    Europa Universalis III
    Fallout: New Vegas
    Fate of the World
    Google Chrome
    Google Update Helper
    Graph 4.3
    Greed Corp
    Heroes of Newerth
    Intel(R) TV Wizard
    Intel® Matrix Storage Manager
    Java Auto Updater
    Java(TM) 6 Update 20
    Java(TM) 6 Update 22
    Junk Mail filter update
    Lands To Conquer Gold
    Launch
    LIVE! Control Center 1.05
    LIVE! OSD 1.14(AD)
    LogMeIn Hamachi
    Magic Online
    Malwarebytes' Anti-Malware version 1.51.1.1800
    Medieval II Total War
    Medieval II Total War : Kingdoms : Britannia
    Medieval II Total War : Kingdoms : Crusades
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Extended
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office File Validation Add-In
    Microsoft Office Home and Student 2007
    Microsoft Office Live Add-in 1.3
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Suite Activation Assistant
    Microsoft Office Word MUI (English) 2007
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Sync Framework Runtime Native v1.0 (x86)
    Microsoft Sync Framework Services Native v1.0 (x86)
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    Microsoft Visual J# .NET Redistributable Package 1.1
    Microsoft Works
    Microsoft XNA Framework Redistributable 3.1
    Microsoft XNA Framework Redistributable 4.0
    Mount&Blade Warband
    Mozilla Firefox (3.6.18)
    MSVCRT
    OpenAL
    OpenOffice.org 3.3
    PlayReady PC Runtime x86
    Pride of Nations
    Rapport
    RealNetworks - Microsoft Visual C++ 2008 Runtime
    RealPlayer
    Realtek 8136 8168 8169 Ethernet Driver
    Realtek High Definition Audio Driver
    Realtek USB 2.0 Card Reader
    REALTEK Wireless LAN Driver
    RealUpgrade 1.1
    RollerCoaster Tycoon 2
    RUSH
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB2509488)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
    Security Update for Microsoft Office 2007 System (KB2541012)
    Security Update for Microsoft Office Excel 2007 (KB2541007)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
    Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Sid Meier's Civilization V
    Silent Hunter: Wolves of the Pacific
    Skype™ 5.5
    SpaceChem
    Spotify
    StarCraft II
    Steam
    Supreme Ruler Cold War
    Synaptics Pointing Device Driver
    Terraria
    The Lord of the Rings FREE Trial
    The Tiny Bang Story
    Third Age - Total War 2.0 (Part1of2)
    Third Age - Total War 2.0 (Part2of2)
    Tidalis
    Total War: SHOGUN 2
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office 2007 System (KB2539530)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 (KB974631)
    Update for Microsoft Office Word 2007 Help (KB963665)
    VC80CRTRedist - 8.0.50727.4053
    Ventrilo Client
    Veoh Web Player
    Victoria 2
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Family Safety
    Windows Live Mail
    Windows Live Messenger
    Windows Live Movie Maker
    Windows Live Photo Gallery
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Toolbar
    Windows Live Upload Tool
    Windows Live Writer
    WinRAR archiver
    World of Goo
    .
    ==== Event Viewer Messages From Past Week ========
    .
    31/07/2011 01:06:21, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR1.
    28/07/2011 21:30:13, Error: Microsoft-Windows-DistributedCOM [10000] - Unable to start a DCOM Server: {C2BFE331-6739-4270-86C9-493D9A04CD38}. The error: "2" Happened while starting this command: C:\windows\system32\igfxsrvc.exe -Embedding
    02/08/2011 16:36:48, Error: Microsoft-Windows-DistributedCOM [10000] - Unable to start a DCOM Server: {078AEF33-C48A-49F7-AFF3-A0EE810BFE7C}. The error: "2" Happened while starting this command: C:\windows\system32\igfxsrvc.exe -Embedding
    02/08/2011 16:33:43, Error: Service Control Manager [7006] - The ScRegSetValueExW call failed for Start with the following error: Access is denied.
    02/08/2011 16:33:43, Error: Service Control Manager [7006] - The ScRegSetValueExW call failed for DeleteFlag with the following error: Access is denied.
    02/08/2011 15:34:25, Error: Microsoft-Windows-WMPNSS-Service [14353] - A media delivery engine with ID '0' was not initialized due to error '0x80070005' when adding the URL 'http://+:10243/WMPNSSv4/2944732723/'. Restart your computer, and then restart the WMPNetworkSvc service. If the problem persists, reinstall Windows Media Player if possible.
    02/08/2011 15:34:25, Error: Microsoft-Windows-WMPNSS-Service [14349] - A new media server was not initialized because the Windows Media Delivery Engine did not initialize due to error '0x80070005'. Restart your computer, and then restart the WMPNetworkSvc service. If the problem persists, reinstall Windows Media Player if possible.
    02/08/2011 15:06:30, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Windows Internet Explorer 9 for Windows 7.
    02/08/2011 13:03:54, Error: atikmdag [52236] - CPLIB :: General - Invalid Parameter
    02/08/2011 13:03:54, Error: atikmdag [43029] - Display is not active
    02/08/2011 13:02:21, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Appinfo service.
    02/08/2011 12:28:45, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Steam Client Service service to connect.
    02/08/2011 12:28:45, Error: Service Control Manager [7000] - The Steam Client Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    02/08/2011 02:16:53, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x000000d1 (0x00000001, 0x00000002, 0x00000008, 0x00000001). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 080211-22386-01.
    .
    ==== End Of File ===========================


    Any help on getting rid of this virus would be greatly appreciated. Thanks. :)
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! The count so far is 3 members posting today with AVG and Zbot. The last time this happened, it was AVG and Win32/Heur, a False Positive caused by a bad update.

    So I'd like to run the following online scan and reserve further action until I see that:
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on the link to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the installer icon on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ============================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.
    If I have not replied for 2 days, you can send me a PM reminder. Include the URL of your thread. Please do not send me a PM to tell me your logs are up.
    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
     
  4. SadPanda

    SadPanda TS Rookie Topic Starter

    More Logs

    Here is this the log for the latest scan you asked me to carry out:

    C:\Users\Clive\AppData\Local\Temp\jar_cache4793716119360110880.tmp multiple threats
    C:\Users\Clive\AppData\Local\Temp\jar_cache7695801933898728842.tmp a variant of Java/Mugademel.B trojan
    C:\Users\Clive\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\2e283dd7-3c520749 multiple threats
    C:\Users\Clive\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\40\67b08a68-22999940 Java/TrojanDownloader.Agent.JX trojan
    C:\Users\Clive\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\6d16b872-3eecdc3c probably a variant of Win32/Agent.RPSVWU trojan
    C:\Users\Clive\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\4b361974-7de5040c multiple threats
    C:\Users\Clive\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54\edb02f6-424c22c8 a variant of Java/Agent.BR trojan
    C:\Users\Clive\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\30ee3746-79de2858 probably a variant of Java/Agent.BR trojan
    C:\Users\Clive\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\74906648-4e26eb29 multiple threats


    It doesn't look like it picked up the Win32/Zbot.G files. My AVG Resident Shield kept informing me that it was finding more files as they were scanned by the ESET scan. In any case, it looks like I have multiple trojan viruses and I would of course appreciate any help with removing them. :)
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You have 2 outdated versions of Java: Java v6u20 & Java v6u22. These are vulnerabilities on the system. All the Eset entries for malware are in the Java cache.
    Please update Java: Java Updates. Then uninstall any earlier versions in Add/Remove Programs.

    Note: Uncheck 'Install Yahoo Toolbar' on the download screen before you do the update.
    -------------------------
    After the update, empty the Java cache:
    1. Click Start > Control Panel.
    2. Double-click the Java icon in the Control Panel.
    3. Click Settings under Temporary Internet Files.
       http://www.java.com/en/img/download/5000020303.jpg
       There are three options on this window to clear the cache (version dependent):
       [o] Delete Files
       [o] View Applications
       [o] View Applets
    4. Click OK on the Delete Temporary Files window.
       Note: This deletes all the downloaded Applications and Applets from the cache.
    5. Click OK on the Temporary Files Settings window.
    ============================================
    You need to run Combofix and it won't run with AVG. So you will have to temporarily uninstall it as follows:
    Download AppRemover (http://www.appremover.com/get/appremover.exe) and save to the desktop
    1. Double click the setup on the desktop > click Next
    2. Select "Remove Security Application"
    3. Let scan finish to determine security apps
    4. A screen like below will appear:
       http://www.appremover.com/about/chooseuninstall.gif/image_preview
    5. Click on Next after choice has been made
    6. Check the AVG program you want to uninstall
    7. After uninstall shows complete, follow online prompts to Exit the program.

    Temporary AV: Use one
    Avira-AntiVir-Personal-Free-Antivirus
    Avast Free Version
    =============================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message asking whether to continue.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated and it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    ====================================
    Please leave Combofix log in next reply.
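    The first two steps in the post above (find the installed Java versions so the stale ones can be removed, then empty the Java deployment cache that every ESET hit lives in) can be done from a PowerShell prompt instead of the Control Panel. The script below is an added example and is not part of this thread, of ComboFix, or of any tool the helper links to. It assumes PowerShell 2.0 or later (what Windows 7 ships with), that it is run as the affected user, that the cache sits under %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\cache (the path ESET reported), and that Java runtimes register themselves under the Uninstall key with a DisplayName of the form "Java(TM) 6 Update 22". The function names, the hypothetical file name java-cache.ps1 and the -Remove switch are the example's own.

```powershell
# Added example (not from the thread): inventory installed Java runtimes and
# empty the Java deployment cache, recording a SHA-256 of each cached file
# before it is deleted so the samples ESET flagged are not lost without trace.
# Without -Remove the script only reports; with -Remove it deletes.
param([switch]$Remove)

function Get-InstalledJava {
    # Both keys are read so the same script works on 32- and 64-bit Windows;
    # the missing one is simply skipped. PSChildName is the MSI product code,
    # which is what "msiexec /x {code}" needs to remove an old copy.
    $keys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
              'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*')
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^Java(\(TM\))?\s+(SE Development Kit\s+)?\d+\s+Update\s+\d+' } |
        Select-Object DisplayName, DisplayVersion, PSChildName |
        Sort-Object DisplayVersion
}

function Get-JavaCacheFiles {
    # Java Web Start / applet cache (assumed path, matches the ESET log) plus
    # the jar_cache*.tmp files the same log showed in %TEMP%.
    $cache = Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\cache'
    $files = @()
    if (Test-Path $cache) {
        $files += @(Get-ChildItem -Path $cache -Recurse -Force | Where-Object { -not $_.PSIsContainer })
    }
    $files += @(Get-ChildItem -Path $env:TEMP -Filter 'jar_cache*.tmp' -Force -ErrorAction SilentlyContinue)
    return ,$files
}

function Get-Sha256Hex([string]$Path) {
    # .NET is used directly because PowerShell 2.0 has no Get-FileHash.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
    }
}

Write-Host '== Installed Java runtimes (after updating, uninstall every copy but the newest) =='
Get-InstalledJava | Format-Table -AutoSize

Write-Host '== Java cache contents (SHA-256, size, path) =='
$cached = @(Get-JavaCacheFiles)
foreach ($f in $cached) {
    # A file locked by a running Java process is reported rather than aborting the run.
    try { $hash = Get-Sha256Hex $f.FullName } catch { $hash = 'unreadable' }
    '{0}  {1,10} bytes  {2}' -f $hash, $f.Length, $f.FullName
}

if ($Remove) {
    foreach ($f in $cached) {
        Remove-Item -LiteralPath $f.FullName -Force -ErrorAction SilentlyContinue
    }
    Write-Host ("Removed {0} cached file(s)." -f $cached.Count)
} else {
    Write-Host 'Dry run: re-run with -Remove to delete the files listed above.'
}
```

    Save the output of the dry run before deleting anything: the hash list is the only record of the cached samples once the cache is emptied. On a default Windows 7 install script execution is disabled, so run it as `powershell -ExecutionPolicy Bypass -File .\java-cache.ps1` (and add `-Remove` for the real pass); close every browser first so the cache files are not locked.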
     
  6. SadPanda

    SadPanda TS Rookie Topic Starter

    ComboFix Log

    Here is the ComboFix log that you asked for:

    ComboFix 11-08-03.03 - Clive 04/08/2011 2:52.1.4 - x86
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.3071.1837 [GMT 1:00]
    Running from: c:\users\Clive\Desktop\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
    SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\Install.exe
    c:\program files\Steam\steam.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-04 to 2011-08-04 )))))))))))))))))))))))))))))))
    .
    .
    2011-08-04 01:42 . 2011-06-17 11:37 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-08-04 01:42 . 2011-06-17 11:37 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-08-04 01:42 . 2011-08-04 01:42 -------- d-----w- c:\programdata\Avira
    2011-08-04 01:42 . 2011-08-04 01:42 -------- d-----w- c:\program files\Avira
    2011-08-04 01:18 . 2011-08-04 01:18 -------- d-----w- c:\program files\Common Files\Java
    2011-08-03 12:37 . 2011-08-03 20:48 -------- d-----w- c:\users\Clive\AppData\Roaming\Skype
    2011-08-02 19:30 . 2011-08-02 19:30 -------- d-----w- c:\program files\ESET
    2011-08-02 15:06 . 2011-08-02 15:06 -------- d-----w- c:\users\Clive\AppData\Roaming\Malwarebytes
    2011-08-02 15:06 . 2011-08-02 15:06 -------- d-----w- c:\programdata\Malwarebytes
    2011-08-02 15:06 . 2011-07-06 18:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-08-02 15:06 . 2011-08-02 15:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-08-02 15:06 . 2011-07-06 18:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-08-02 14:08 . 2011-08-02 14:08 -------- d-----w- c:\users\Clive\AppData\Roaming\ATI
    2011-08-02 14:08 . 2011-08-02 14:08 -------- d-----w- c:\users\Clive\AppData\Local\ATI
    2011-08-02 14:08 . 2011-08-02 14:08 -------- d-----w- c:\programdata\ATI
    2011-08-02 14:08 . 2011-08-02 14:08 -------- d-----w- c:\program files\AMD APP
    2011-08-02 14:08 . 2011-08-02 14:08 -------- d-----w- c:\program files\Common Files\ATI Technologies
    2011-08-02 14:04 . 2011-08-02 14:04 -------- d-----w- C:\AMD
    2011-08-02 13:47 . 2011-08-02 13:47 -------- d-----w- c:\windows\system32\SPReview
    2011-08-02 13:46 . 2011-08-02 13:46 -------- d-----w- c:\windows\system32\EventProviders
    2011-08-02 12:06 . 2011-08-02 12:06 -------- d-----w- C:\$AVG
    2011-08-02 11:52 . 2011-08-04 01:28 -------- d-----w- c:\windows\system32\drivers\AVG
    2011-08-02 11:50 . 2011-08-02 11:50 -------- d-----w- c:\program files\AVG
    2011-08-02 11:45 . 2011-08-02 11:45 -------- d--h--w- c:\programdata\Common Files
    2011-08-02 11:30 . 2011-07-13 03:39 6881616 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C5FD329F-35AD-40D0-B63C-BA99EF6C1BC7}\mpengine.dll
    2011-08-02 01:14 . 2011-08-03 20:48 -------- d-----w- c:\users\Clive\AppData\Local\avvxlqhw
    2011-07-27 19:36 . 2011-07-27 19:36 -------- d-----w- c:\users\Clive\AppData\Local\Zachtronics Industries
    2011-07-20 02:03 . 2011-07-20 02:03 -------- d-----w- c:\users\Clive\AppData\Local\Cisco
    2011-07-20 01:40 . 2011-07-20 01:40 -------- d-----w- c:\program files\Cisco
    2011-07-20 01:39 . 2011-07-20 01:39 -------- d-----w- c:\programdata\Cisco
    2011-07-12 23:30 . 2011-06-03 05:56 271872 ----a-w- c:\windows\system32\conhost.exe
    2011-07-12 23:30 . 2011-06-03 06:01 169984 ----a-w- c:\windows\system32\winsrv.dll
    2011-07-12 23:30 . 2011-06-11 02:29 2334208 ----a-w- c:\windows\system32\win32k.sys
    2011-07-11 10:13 . 2011-07-11 10:13 3727360 ----a-w- c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
    2011-07-10 17:26 . 2011-07-10 17:26 -------- d-----w- C:\Temp
    2011-07-10 17:21 . 2011-07-10 17:26 -------- d-----w- c:\users\Clive\AppData\Roaming\Wizards of the Coast
    2011-07-08 04:14 . 2011-07-08 04:14 8312832 ----a-w- c:\windows\system32\drivers\atikmdag.sys
    2011-07-08 03:33 . 2011-07-08 03:33 17940992 ----a-w- c:\windows\system32\atioglxx.dll
    2011-07-08 03:29 . 2011-07-08 03:29 151552 ----a-w- c:\windows\system32\atiapfxx.exe
    2011-07-08 03:29 . 2011-07-08 03:29 689152 ----a-w- c:\windows\system32\aticfx32.dll
    2011-07-08 03:25 . 2011-07-08 03:25 462848 ----a-w- c:\windows\system32\ATIDEMGX.dll
    2011-07-08 03:25 . 2011-07-08 03:25 401408 ----a-w- c:\windows\system32\atieclxx.exe
    2011-07-08 03:24 . 2011-07-08 03:24 176128 ----a-w- c:\windows\system32\atiesrxx.exe
    2011-07-08 03:23 . 2011-07-08 03:23 159744 ----a-w- c:\windows\system32\atitmmxx.dll
    2011-07-08 03:23 . 2011-07-08 03:23 356352 ----a-w- c:\windows\system32\atipdlxx.dll
    2011-07-08 03:23 . 2011-07-08 03:23 278528 ----a-w- c:\windows\system32\Oemdspif.dll
    2011-07-08 03:23 . 2011-07-08 03:23 15872 ----a-w- c:\windows\system32\atimuixx.dll
    2011-07-08 03:22 . 2011-07-08 03:22 43520 ----a-w- c:\windows\system32\ati2edxx.dll
    2011-07-08 03:05 . 2011-07-08 03:05 1828864 ----a-w- c:\windows\system32\atiumdmv.dll
    2011-07-08 03:02 . 2011-07-08 03:02 46080 ----a-w- c:\windows\system32\aticalrt.dll
    2011-07-08 03:01 . 2011-07-08 03:01 44032 ----a-w- c:\windows\system32\aticalcl.dll
    2011-07-08 02:58 . 2011-07-08 02:58 6740480 ----a-w- c:\windows\system32\aticaldd.dll
    2011-07-08 02:54 . 2011-07-08 02:54 52736 ----a-w- c:\windows\system32\coinst.dll
    2011-07-08 02:47 . 2011-07-08 02:47 266240 ----a-w- c:\windows\system32\atiadlxx.dll
    2011-07-08 02:47 . 2011-07-08 02:47 13312 ----a-w- c:\windows\system32\atiglpxx.dll
    2011-07-08 02:47 . 2011-07-08 02:47 32768 ----a-w- c:\windows\system32\atigktxx.dll
    2011-07-08 02:46 . 2011-07-08 02:46 244736 ----a-w- c:\windows\system32\drivers\atikmpag.sys
    2011-07-08 02:46 . 2011-07-08 02:46 31744 ----a-w- c:\windows\system32\atiuxpag.dll
    2011-07-08 02:45 . 2011-07-08 02:45 29184 ----a-w- c:\windows\system32\atiu9pag.dll
    2011-07-08 02:45 . 2011-07-08 02:45 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
    2011-07-08 02:40 . 2011-07-08 02:40 52736 ----a-w- c:\windows\system32\atimpc32.dll
    2011-07-08 02:40 . 2011-07-08 02:40 52736 ----a-w- c:\windows\system32\amdpcom32.dll
    2011-07-07 22:37 . 2011-07-07 22:37 53760 ----a-w- c:\windows\system32\OVDecode.dll
    2011-07-07 22:37 . 2011-07-07 22:37 43520 ----a-w- c:\windows\system32\OpenCL.dll
    2011-07-07 22:36 . 2011-07-07 22:36 13904896 ----a-w- c:\windows\system32\amdocl.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-08-02 13:56 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
    2011-07-19 15:07 . 2010-11-19 15:53 444952 ----a-w- c:\windows\system32\wrap_oal.dll
    2011-07-19 15:07 . 2010-11-19 15:53 109080 ----a-w- c:\windows\system32\OpenAL32.dll
    2011-07-08 03:19 . 2009-07-13 22:09 4275712 ----a-w- c:\windows\system32\atidxx32.dll
    2011-07-08 03:00 . 2009-06-10 21:19 4367360 ----a-w- c:\windows\system32\atiumdag.dll
    2011-07-08 02:55 . 2009-07-13 22:09 4039680 ----a-w- c:\windows\system32\atiumdva.dll
    2011-06-22 17:01 . 2011-06-22 17:01 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
    2011-06-16 02:34 . 2011-06-16 02:34 79872 ----a-w- c:\windows\system32\SlotMaximizerAg.dll
    2011-06-16 02:34 . 2011-06-16 02:34 2117632 ----a-w- c:\windows\system32\SlotMaximizerBe.dll
    2011-05-28 02:53 . 2011-06-16 08:06 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2011-05-24 18:14 . 2010-09-15 15:58 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-05-24 10:44 . 2011-06-29 06:49 293376 ----a-w- c:\windows\system32\umpnpmgr.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Reminder"="c:\program files\TTG\Reminder\Reminder.exe" [2009-08-26 3599360]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
    "VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2010-07-06 2634048]
    "RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [2009-07-14 354304]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-07-29 17361032]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-04 186904]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-06-25 1537320]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-08-26 7723552]
    "MDS_Menu"="c:\program files\CyberLink\MediaShowEspresso\MUITransfer\MUIStartMenu.exe" [2009-02-25 218408]
    "CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2009-06-03 103720]
    "UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-19 222504]
    "UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-05-19 222504]
    "YouCam Mirror Tray icon"="c:\program files\CyberLink\YouCam\YouCamTray.exe" [2009-07-31 162912]
    "TkBellExe"="c:\program files\Real\RealPlayer\Update\realsched.exe" [2010-11-21 274608]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-02-15 1230704]
    "LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2011-05-25 1951112]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-07-07 336384]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
    "Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-07-06 1047656]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
    .
    c:\users\Clive\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Launch.lnk - c:\windows\Installer\{4A65DAD2-E914-4923-9C2A-81B968A68CE2}\_A685CC3126A7CC37D335DE.exe [2009-9-3 17542]
    OSD.lnk - c:\windows\Installer\{73289228-1853-4623-982A-EB17FF0270CA}\_CCB0CAEC2D875359E0C287.exe [2009-9-1 3262]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-09-15 136176]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-09-15 136176]
    R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-05-26 122368]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-07-06 41272]
    R3 Micorsoft Windows Service;Micorsoft Windows Service;c:\users\Clive\AppData\Local\Temp\pqoryqma.sys [x]
    R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\System32\Drivers\RtsUStor.sys [2009-06-04 166912]
    R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-09-17 1343400]
    S0 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2005-11-14 34176]
    S0 RapportKELL;RapportKELL;c:\windows\System32\Drivers\RapportKELL.sys [2011-06-22 53816]
    S1 RapportCerberus_29574;RapportCerberus_29574;c:\programdata\Trusteer\Rapport\store\exts\RapportCerberus\29574\RapportCerberus32_29574.sys [2011-08-03 216912]
    S1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [2011-06-22 66360]
    S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2011-06-22 158904]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-07-08 176128]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-04-21 136360]
    S2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [2011-05-25 1336712]
    S2 LiveGpdKBFilter;LiveGpdKBFilter; [x]
    S2 LiveIO;LiveIO; [x]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-06 366640]
    S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2011-06-22 870200]
    S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2009-12-17 497856]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-07-08 8312832]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-07-08 244736]
    S3 Livekbc;Livekbc; [x]
    S3 Livemouclass;Livemouclass; [x]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-07-06 22712]
    S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-05-22 167936]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - AVGNTFLT
    *NewlyCreated* - AVIPBB
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-08-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-09-15 16:28]
    .
    2011-08-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-09-15 16:28]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.254
    DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
    FF - ProfilePath - c:\users\Clive\AppData\Roaming\Mozilla\Firefox\Profiles\7gpzvs2f.default\
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Click to call with Skype: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
    FF - Ext: Veoh Web Player Community Toolbar: {cd90bf73-20f6-44ef-993d-bb920303bd2e} - %profile%\extensions\{cd90bf73-20f6-44ef-993d-bb920303bd2e}
    FF - Ext: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - %profile%\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
    FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    HKCU-Run-Steam - c:\program files\Steam\Steam.exe
    AddRemove-Steam App 105300 - c:\program files\Steam\steam.exe
    AddRemove-Steam App 105600 - c:\program files\Steam\steam.exe
    AddRemove-Steam App 15200 - c:\program files\Steam\steam.exe
    AddRemove-Steam App 22000 - c:\program files\Steam\steam.exe
    AddRemove-Steam App 22380 - c:\program files\Steam\steam.exe
    AddRemove-Steam App 25800 - c:\program files\Steam\steam.exe
    AddRemove-Steam App 34330 - c:\program files\Steam\steam.exe
    AddRemove-Steam App 35480 - c:\program files\Steam\steam.exe
    AddRemove-Steam App 38720 - c:\program files\Steam\steam.exe
    AddRemove-Steam App 40420 - c:\program files\Steam\steam.exe
    AddRemove-Steam App 46790 - c:\program files\Steam\steam.exe
    AddRemove-Steam App 48950 - c:\program files\Steam\steam.exe
    AddRemove-Steam App 49300 - c:\program files\Steam\steam.exe
    AddRemove-Steam App 72400 - c:\program files\Steam\steam.exe
    AddRemove-Steam App 73170 - c:\program files\Steam\steam.exe
    AddRemove-Steam App 73190 - c:\program files\Steam\steam.exe
    AddRemove-Steam App 73220 - c:\program files\Steam\steam.exe
    AddRemove-Steam App 80200 - c:\program files\Steam\steam.exe
    AddRemove-Steam App 8930 - c:\program files\Steam\steam.exe
    AddRemove-Steam App 92800 - c:\program files\Steam\steam.exe
    AddRemove-Steam App 96000 - c:\program files\Steam\steam.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-2693697804-2782872241-537400155-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    @Allowed: (Read) (RestrictedCode)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2011-08-04 03:07:01
    ComboFix-quarantined-files.txt 2011-08-04 02:07
    .
    Pre-Run: 344,178,872,320 bytes free
    Post-Run: 344,942,112,768 bytes free
    .
    - - End Of File - - FE615FB551B2F483F658A6EEFA6095EF


    Thanks for the help so far. :)
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome!

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    c:\users\Clive\AppData\Local\Temp\pqoryqma.sys
    c:\windows\system32\DRIVERS\Rts516xIR.sys
    Folder::
    c:\users\Clive\AppData\Local\avvxlqhw
    C:\Temp
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Malwarebytes' Anti-Malware (reboot)"=-
    RegNull::
    [HKEY_USERS\S-1-5-21-2693697804-2782872241-537400155-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    Driver::
    Micorsoft Windows Service
    LiveIO
    Livekb
    Livemouclass
    RtsUIR
    FCopy::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    Please remove the following in Firefox: (Tools> Add-ons)
    Java v6u22
    Java v6u26
    Conduit Engine.
    Note: You do not have to add a separate extension for Java to Firefox when you update.
     
  8. SadPanda

    SadPanda TS Rookie Topic Starter

    ComboFix Log

    Here is the ComboFix log:

    ComboFix 11-08-05.01 - Clive 05/08/2011 17:34:39.2.4 - x86
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.3071.1995 [GMT 1:00]
    Running from: c:\users\Clive\Desktop\ComboFix.exe
    Command switches used :: c:\users\Clive\Desktop\CFScript.txt
    AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
    SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    FILE ::
    "c:\users\Clive\AppData\Local\Temp\pqoryqma.sys"
    "c:\windows\system32\DRIVERS\Rts516xIR.sys"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\Temp
    c:\users\Clive\AppData\Local\avvxlqhw
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_LIVEIO
    -------\Legacy_MICORSOFT_WINDOWS_SERVICE
    -------\Service_LiveIO
    -------\Service_Livemouclass
    -------\Service_Micorsoft Windows Service
    -------\Service_RtsUIR
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-05 to 2011-08-05 )))))))))))))))))))))))))))))))
    .
    .
    2011-08-05 16:46 . 2011-08-05 16:46 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-08-04 02:09 . 2011-08-04 02:09 -------- d-----w- c:\users\Clive\AppData\Roaming\Avira
    2011-08-04 02:07 . 2011-08-05 16:49 -------- d-----w- c:\users\Clive\AppData\Local\temp
    2011-08-04 01:42 . 2011-08-05 13:11 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-08-04 01:42 . 2011-08-05 13:11 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-08-04 01:42 . 2011-08-04 01:42 -------- d-----w- c:\programdata\Avira
    2011-08-04 01:42 . 2011-08-04 01:42 -------- d-----w- c:\program files\Avira
    2011-08-04 01:18 . 2011-08-04 01:18 -------- d-----w- c:\program files\Common Files\Java
    2011-08-03 12:37 . 2011-08-03 20:48 -------- d-----w- c:\users\Clive\AppData\Roaming\Skype
    2011-08-02 19:30 . 2011-08-02 19:30 -------- d-----w- c:\program files\ESET
    2011-08-02 15:06 . 2011-08-02 15:06 -------- d-----w- c:\users\Clive\AppData\Roaming\Malwarebytes
    2011-08-02 15:06 . 2011-08-02 15:06 -------- d-----w- c:\programdata\Malwarebytes
    2011-08-02 15:06 . 2011-07-06 18:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-08-02 15:06 . 2011-08-02 15:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-08-02 15:06 . 2011-07-06 18:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-08-02 14:08 . 2011-08-02 14:08 -------- d-----w- c:\users\Clive\AppData\Roaming\ATI
    2011-08-02 14:08 . 2011-08-02 14:08 -------- d-----w- c:\users\Clive\AppData\Local\ATI
    2011-08-02 14:08 . 2011-08-02 14:08 -------- d-----w- c:\programdata\ATI
    2011-08-02 14:08 . 2011-08-02 14:08 -------- d-----w- c:\program files\AMD APP
    2011-08-02 14:08 . 2011-08-02 14:08 -------- d-----w- c:\program files\Common Files\ATI Technologies
    2011-08-02 14:04 . 2011-08-02 14:04 -------- d-----w- C:\AMD
    2011-08-02 13:47 . 2011-08-02 13:47 -------- d-----w- c:\windows\system32\SPReview
    2011-08-02 13:46 . 2011-08-02 13:46 -------- d-----w- c:\windows\system32\EventProviders
    2011-08-02 12:06 . 2011-08-02 12:06 -------- d-----w- C:\$AVG
    2011-08-02 11:52 . 2011-08-04 01:28 -------- d-----w- c:\windows\system32\drivers\AVG
    2011-08-02 11:50 . 2011-08-02 11:50 -------- d-----w- c:\program files\AVG
    2011-08-02 11:45 . 2011-08-02 11:45 -------- d--h--w- c:\programdata\Common Files
    2011-08-02 11:30 . 2011-07-13 03:39 6881616 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C5FD329F-35AD-40D0-B63C-BA99EF6C1BC7}\mpengine.dll
    2011-07-27 19:36 . 2011-07-27 19:36 -------- d-----w- c:\users\Clive\AppData\Local\Zachtronics Industries
    2011-07-20 02:03 . 2011-07-20 02:03 -------- d-----w- c:\users\Clive\AppData\Local\Cisco
    2011-07-20 01:40 . 2011-07-20 01:40 -------- d-----w- c:\program files\Cisco
    2011-07-20 01:39 . 2011-07-20 01:39 -------- d-----w- c:\programdata\Cisco
    2011-07-12 23:30 . 2011-06-03 05:56 271872 ----a-w- c:\windows\system32\conhost.exe
    2011-07-12 23:30 . 2011-06-03 06:01 169984 ----a-w- c:\windows\system32\winsrv.dll
    2011-07-12 23:30 . 2011-06-11 02:29 2334208 ----a-w- c:\windows\system32\win32k.sys
    2011-07-11 10:13 . 2011-07-11 10:13 3727360 ----a-w- c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
    2011-07-10 17:21 . 2011-07-10 17:26 -------- d-----w- c:\users\Clive\AppData\Roaming\Wizards of the Coast
    2011-07-08 04:14 . 2011-07-08 04:14 8312832 ----a-w- c:\windows\system32\drivers\atikmdag.sys
    2011-07-08 03:33 . 2011-07-08 03:33 17940992 ----a-w- c:\windows\system32\atioglxx.dll
    2011-07-08 03:29 . 2011-07-08 03:29 151552 ----a-w- c:\windows\system32\atiapfxx.exe
    2011-07-08 03:29 . 2011-07-08 03:29 689152 ----a-w- c:\windows\system32\aticfx32.dll
    2011-07-08 03:25 . 2011-07-08 03:25 462848 ----a-w- c:\windows\system32\ATIDEMGX.dll
    2011-07-08 03:25 . 2011-07-08 03:25 401408 ----a-w- c:\windows\system32\atieclxx.exe
    2011-07-08 03:24 . 2011-07-08 03:24 176128 ----a-w- c:\windows\system32\atiesrxx.exe
    2011-07-08 03:23 . 2011-07-08 03:23 159744 ----a-w- c:\windows\system32\atitmmxx.dll
    2011-07-08 03:23 . 2011-07-08 03:23 356352 ----a-w- c:\windows\system32\atipdlxx.dll
    2011-07-08 03:23 . 2011-07-08 03:23 278528 ----a-w- c:\windows\system32\Oemdspif.dll
    2011-07-08 03:23 . 2011-07-08 03:23 15872 ----a-w- c:\windows\system32\atimuixx.dll
    2011-07-08 03:22 . 2011-07-08 03:22 43520 ----a-w- c:\windows\system32\ati2edxx.dll
    2011-07-08 03:05 . 2011-07-08 03:05 1828864 ----a-w- c:\windows\system32\atiumdmv.dll
    2011-07-08 03:02 . 2011-07-08 03:02 46080 ----a-w- c:\windows\system32\aticalrt.dll
    2011-07-08 03:01 . 2011-07-08 03:01 44032 ----a-w- c:\windows\system32\aticalcl.dll
    2011-07-08 02:58 . 2011-07-08 02:58 6740480 ----a-w- c:\windows\system32\aticaldd.dll
    2011-07-08 02:54 . 2011-07-08 02:54 52736 ----a-w- c:\windows\system32\coinst.dll
    2011-07-08 02:47 . 2011-07-08 02:47 266240 ----a-w- c:\windows\system32\atiadlxx.dll
    2011-07-08 02:47 . 2011-07-08 02:47 13312 ----a-w- c:\windows\system32\atiglpxx.dll
    2011-07-08 02:47 . 2011-07-08 02:47 32768 ----a-w- c:\windows\system32\atigktxx.dll
    2011-07-08 02:46 . 2011-07-08 02:46 244736 ----a-w- c:\windows\system32\drivers\atikmpag.sys
    2011-07-08 02:46 . 2011-07-08 02:46 31744 ----a-w- c:\windows\system32\atiuxpag.dll
    2011-07-08 02:45 . 2011-07-08 02:45 29184 ----a-w- c:\windows\system32\atiu9pag.dll
    2011-07-08 02:45 . 2011-07-08 02:45 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
    2011-07-08 02:40 . 2011-07-08 02:40 52736 ----a-w- c:\windows\system32\atimpc32.dll
    2011-07-08 02:40 . 2011-07-08 02:40 52736 ----a-w- c:\windows\system32\amdpcom32.dll
    2011-07-07 22:37 . 2011-07-07 22:37 53760 ----a-w- c:\windows\system32\OVDecode.dll
    2011-07-07 22:37 . 2011-07-07 22:37 43520 ----a-w- c:\windows\system32\OpenCL.dll
    2011-07-07 22:36 . 2011-07-07 22:36 13904896 ----a-w- c:\windows\system32\amdocl.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-08-02 13:56 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
    2011-07-19 15:07 . 2010-11-19 15:53 444952 ----a-w- c:\windows\system32\wrap_oal.dll
    2011-07-19 15:07 . 2010-11-19 15:53 109080 ----a-w- c:\windows\system32\OpenAL32.dll
    2011-07-08 03:19 . 2009-07-13 22:09 4275712 ----a-w- c:\windows\system32\atidxx32.dll
    2011-07-08 03:00 . 2009-06-10 21:19 4367360 ----a-w- c:\windows\system32\atiumdag.dll
    2011-07-08 02:55 . 2009-07-13 22:09 4039680 ----a-w- c:\windows\system32\atiumdva.dll
    2011-06-22 17:01 . 2011-06-22 17:01 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
    2011-06-16 02:34 . 2011-06-16 02:34 79872 ----a-w- c:\windows\system32\SlotMaximizerAg.dll
    2011-06-16 02:34 . 2011-06-16 02:34 2117632 ----a-w- c:\windows\system32\SlotMaximizerBe.dll
    2011-05-28 02:53 . 2011-06-16 08:06 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2011-05-24 18:14 . 2010-09-15 15:58 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-05-24 10:44 . 2011-06-29 06:49 293376 ----a-w- c:\windows\system32\umpnpmgr.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Reminder"="c:\program files\TTG\Reminder\Reminder.exe" [2009-08-26 3599360]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
    "VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2010-07-06 2634048]
    "RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [2009-07-14 354304]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-07-29 17361032]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-04 186904]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-06-25 1537320]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-08-26 7723552]
    "MDS_Menu"="c:\program files\CyberLink\MediaShowEspresso\MUITransfer\MUIStartMenu.exe" [2009-02-25 218408]
    "CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2009-06-03 103720]
    "UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-19 222504]
    "UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-05-19 222504]
    "YouCam Mirror Tray icon"="c:\program files\CyberLink\YouCam\YouCamTray.exe" [2009-07-31 162912]
    "TkBellExe"="c:\program files\Real\RealPlayer\Update\realsched.exe" [2010-11-21 274608]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-02-15 1230704]
    "LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2011-05-25 1951112]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-07-07 336384]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
    .
    c:\users\Clive\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Launch.lnk - c:\windows\Installer\{4A65DAD2-E914-4923-9C2A-81B968A68CE2}\_A685CC3126A7CC37D335DE.exe [2009-9-3 17542]
    OSD.lnk - c:\windows\Installer\{73289228-1853-4623-982A-EB17FF0270CA}\_CCB0CAEC2D875359E0C287.exe [2009-9-1 3262]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-09-15 136176]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-09-15 136176]
    R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-05-26 122368]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-07-06 41272]
    R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\System32\Drivers\RtsUStor.sys [2009-06-04 166912]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-09-17 1343400]
    S0 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2005-11-14 34176]
    S0 RapportKELL;RapportKELL;c:\windows\System32\Drivers\RapportKELL.sys [2011-06-22 53816]
    S1 RapportCerberus_29574;RapportCerberus_29574;c:\programdata\Trusteer\Rapport\store\exts\RapportCerberus\29574\RapportCerberus32_29574.sys [2011-08-03 216912]
    S1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [2011-06-22 66360]
    S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2011-06-22 158904]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-07-08 176128]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-04-21 136360]
    S2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [2011-05-25 1336712]
    S2 LiveGpdKBFilter;LiveGpdKBFilter; [x]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-06 366640]
    S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2011-06-22 870200]
    S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2009-12-17 497856]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-07-08 8312832]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-07-08 244736]
    S3 Livekbc;Livekbc; [x]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-07-06 22712]
    S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-05-22 167936]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-08-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-09-15 16:28]
    .
    2011-08-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-09-15 16:28]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
    DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
    FF - ProfilePath - c:\users\Clive\AppData\Roaming\Mozilla\Firefox\Profiles\7gpzvs2f.default\
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Click to call with Skype: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
    FF - Ext: Veoh Web Player Community Toolbar: {cd90bf73-20f6-44ef-993d-bb920303bd2e} - %profile%\extensions\{cd90bf73-20f6-44ef-993d-bb920303bd2e}
    FF - Ext: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - %profile%\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
    FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\atieclxx.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\CyberLink\Shared files\RichVideo.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\windows\system32\conhost.exe
    c:\windows\system32\taskhost.exe
    c:\windows\system32\conhost.exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    c:\program files\The TechGuys\Launch\Launch.exe
    c:\program files\OEM\LIVE! OSD 1.14(AD)\osd.exe
    c:\program files\OpenOffice.org 3\program\soffice.exe
    c:\program files\OpenOffice.org 3\program\soffice.bin
    c:\windows\system32\sppsvc.exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    .
    **************************************************************************
    .
    Completion time: 2011-08-05 17:54:57 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-08-05 16:54
    ComboFix2.txt 2011-08-04 02:07
    .
    Pre-Run: 344,797,675,520 bytes free
    Post-Run: 344,615,546,880 bytes free
    .
    - - End Of File - - B41CFBE50721DA65337EE9896C704521


    I was able to remove Conduit Engine from Firefox but was only able to disable the two Java extensions. Also, since running the last ComboFix scan, my mouse has stopped working (my laptop's touch pad doesn't work either). The first ComboFix scan removed a number of files associated with Steam and I was just curious if this was intentional or not. :)
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You have to log on as Administrator to get full use for removing Firefox add-ons.

    I notice the Steam deletes. ComboFix would not have removed the entries unless they were flawed somehow. They appear to be different apps downloaded from Steam. My guess is that there was malware with the downloads. I don't use Steam, but I know that it can be gotten through a torrent download and it's necessary to authenticate every Steam game online, whether purchased via Steam itself or installed via a retail disc, the first time it is played. Is it possible that the apps were a torrent download? Steam is basically digital rights management.

    As for the mouse, nothing we've done would have affected it. Please go to the Control Panel> Mouse> check settings for the touchpad and/or external mouse if using one. You can also access the Device Manager: Control Panel> System> Hardware tab> Device Manager> check the pointing device entries for error icons.

    Did you empty the Java cache as instructed? That's where the malware entries were located.
     
  10. SadPanda

    SadPanda TS Rookie Topic Starter

    Okay, I have now uninstalled the two Java extensions. I emptied the Java cache when you asked me to.

    Steam had been downloaded from its own website and none of the apps are torrent downloads. All were installed from disc or downloaded through Steam itself.

    As for the mouse issue, I went to the Device Manager and both the mouse and the touch pad have the little error icons. I troubleshot both devices and they appear to be missing drivers. For the touch pad, I'm being directed to download these drivers online, whereas I think I have a disc for the mouse. I haven't downloaded or installed these drivers yet, just in case. Should I? :)
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Yes, okay to go ahead and download the mouse drivers. But go to the manufacturer's site to get the download.
     
  12. SadPanda

    SadPanda TS Rookie Topic Starter

    Unfortunately, downloading and installing the mouse drivers does not appear to be the problem. Windows says that the hardware devices can't be used because a registry file was damaged or removed. Are you sure that the second ComboFix scan didn't change any registry files that the mouse might use?
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I removed this driver> RtsUIR
    And the file with it> c:\windows\system32\DRIVERS\Rts516xIR.sys

    The entry showed as> R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]

    The [x] indicates it's no longer used. I could not identify the driver on the Realtek site.

    It appears that I made a mistake as this must be the infrared mouse driver. Please download the driver back from here and see if it restores your blind mouse:
    If this was the cause, I apologize for the inconvenience. It was a human mistake.

    I did not remove any registry entries. You have 4 Realtek programs running:
    Realtek 8136 8168 8169 Ethernet Driver
    Realtek High Definition Audio Driver
    Realtek USB 2.0 Card Reader
    REALTEK Wireless LAN Driver
     
  14. SadPanda

    SadPanda TS Rookie Topic Starter

    I'm afraid that there is nowhere to download the driver on the link you posted. Would it not be easier to do a system restore to a time just before the ComboFix scan and proceed to run the scan without deleting the mouse drivers? Alternatively, I could try and find somewhere else to download the driver? :)
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry- I thought it had a download. But this brings us back to why I removed the driver in the first place. It is not listed on the Realtek site and the [x] indicates it is no longer being used. I don't think this is what stopped the mouse, but let's check the Device Manager again.

    Consider that the laptop touchpad and an external mouse don't have the same driver. If you click on the plus sign to the left of "Mouse and other pointing devices" what do you see? For instance, I use the touchpad on my laptop and the device shows Alps Touchpad. This has got to be on the Startup Menu to work.

    Check for name of touchpad device. If I do a right click> Properties on the Alps Touchpad> Choose Drivers tab> Click on Driver details> I see the entries for the 3 driver file names.

    On my Startup Menu, the touchpad entry is Appoint. I see some logs with that entry for Synaptics instead. Same function, different manufacturers.

    So please look for the information above in the Device Manager. It will give us something more specific to go on.

    BTW, the 'can't start due to missing Registry' is a generic message most of the time.

    Let me know:
    1. If you have the touchpad checked on the Startup Menu.
    2. Manufacturer's name.
    3. Whether you're using the touchpad or an external mouse.
     
  16. SadPanda

    SadPanda TS Rookie Topic Starter

    Okay, I have some information. Going into the Device Manager, under "Mouse and other pointing devices" there are 4 entries. The first three have the same name: HID-compliant mouse. They all claim to have the same manufacturer (Microsoft), whereas they have separate locations. The first is located on Razer Abyssus and I think this is my external mouse (given that the device disappears if I unplug it and that the external mouse happens to be a Razer Abyssus mouse). The second is located on Microsoft eHome Infrared Transceiver and the third is located on Virtual HID Minidriver. They all use the same drivers:

    C:\Windows\system32\drivers\Livemouclass.sys
    C:\Windows\system32\DRIVERS\mouclass.sys
    C:\Windows\system32\DRIVERS\mouhid.sys

    The last device is called Microsoft PS/2 Mouse. Its manufacturer is apparently also Microsoft. Its location is simply: plugged into PS/2 mouse port. It uses slightly different drivers:

    C:\Windows\system32\DRIVERS\i8042prt.sys
    C:\Windows\system32\drivers\Livemouclass.sys
    C:\Windows\system32\DRIVERS\mouclass.sys

    In the Startup Menu, everything is checked but I can see no mention of the four devices in the device manager. The only thing which remotely resembles anything mouse-related is something called razerhid Application with an unknown manufacturer.

    You asked if I were using the touchpad or an external mouse. Since the second ComboFix scan, neither the touchpad nor the external mouse have been working. I have been navigating Windows with the keyboard, which is quite challenging. I hope this information helps. :)
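    The CFScript earlier in the thread removes driver services by name (the Driver:: section: LiveIO, Livekb, Livemouclass, RtsUIR), and the Device Manager details in this post show Livemouclass.sys still listed in the driver stack of every pointing device. The thread does not establish that the two are connected, but the Windows message SadPanda quotes (the device cannot be used because its registry configuration is damaged or missing) is the classic result of a class filter entry that still names a driver service which no longer exists. The PowerShell script below is an added example, not part of the thread and not a ComboFix feature: it lists the UpperFilters/LowerFilters registered for the mouse and keyboard device classes, checks each name against HKLM\SYSTEM\CurrentControlSet\Services and the driver file on disk, and only with the -Remove switch (an assumption of this example) rewrites the list without the orphans after exporting the class key. The class GUIDs are the standard Windows ones; the switch name, output fields and backup location are assumptions.

```powershell
# Added example, not from the TechSpot thread or from ComboFix. Run from an
# elevated PowerShell. Reports the class filter drivers registered for the mouse
# and keyboard device classes and flags any whose service key or driver file is
# gone. -Remove (an assumed switch for this example) rewrites the list without
# the orphans; combine it with -WhatIf to see the change before it is made.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remove)

# Standard Windows setup-class GUIDs for pointing devices and keyboards.
$classes = @{
    Mouse    = '{4D36E96F-E325-11CE-BFC1-08002BE10318}'
    Keyboard = '{4D36E96B-E325-11CE-BFC1-08002BE10318}'
}
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Resolve a driver service's ImagePath to a file on disk and say why it is unusable.
function Get-FilterState {
    param([string]$Name)
    $svcKey = Join-Path $svcRoot $Name
    if (-not (Test-Path $svcKey)) { return 'no service key (removed?)' }
    $img = (Get-ItemProperty -Path $svcKey).ImagePath
    if (-not $img) { return 'service has no ImagePath' }
    # ImagePath forms seen in practice: system32\DRIVERS\x.sys, \SystemRoot\..., \??\C:\...
    $path = $img -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', ''
    if (-not [System.IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
    if (-not (Test-Path -LiteralPath $path)) { return "driver file missing: $path" }
    return 'ok'
}

foreach ($class in $classes.GetEnumerator()) {
    $classKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Class\$($class.Value)"
    foreach ($valueName in 'UpperFilters', 'LowerFilters') {
        # REG_MULTI_SZ list of service names; missing value or empty strings are skipped.
        $filters = @((Get-ItemProperty -Path $classKey -Name $valueName -ErrorAction SilentlyContinue).$valueName |
                     Where-Object { $_ })
        if ($filters.Count -eq 0) { continue }

        $keep = @()
        foreach ($filter in $filters) {
            $state = Get-FilterState -Name $filter
            New-Object PSObject -Property @{ Class = $class.Key; Value = $valueName; Filter = $filter; State = $state }
            if ($state -eq 'ok') { $keep += $filter }
        }

        if ($Remove -and $keep.Count -lt $filters.Count) {
            $target = "$classKey\$valueName"
            if ($PSCmdlet.ShouldProcess($target, "keep only: $($keep -join ', ')")) {
                # Back up the whole class key first so the edit can be undone with reg import.
                $backup = Join-Path $env:TEMP ("class-{0}-{1:yyyyMMdd-HHmmss}.reg" -f $class.Key, (Get-Date))
                reg.exe export "HKLM\SYSTEM\CurrentControlSet\Control\Class\$($class.Value)" $backup /y | Out-Null
                if ($keep.Count -gt 0) {
                    Set-ItemProperty -Path $classKey -Name $valueName -Value ([string[]]$keep) -Type MultiString
                } else {
                    Remove-ItemProperty -Path $classKey -Name $valueName
                }
                Write-Verbose "Rewrote $target; backup at $backup. Reboot for the change to take effect."
            }
        }
    }
}
```

    Run it once before putting a driver name into a CFScript Driver:: section, to see whether that name is also registered as a class filter, and again afterwards with -Remove -WhatIf and then -Remove if the report shows an orphan. A reboot is required after a filter list changes. The script deliberately drops only names whose service is gone: deleting the whole UpperFilters value would also remove mouclass and leave the machine with no working pointing device. If the class lists come back clean, the same filter names can also be set per device instance (Device Manager> device> Details> "Upper filters"), which this class-level check does not cover.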
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please press Fn/F7> make sure this feature is off.

    I do not think Combofix had anything to do with this. It is more likely that the malware could have corrupted a driver.

    I do find complaints of touchpad/PS/2 mouse stopping working. But they are brand specific. Please let me know the manufacturer of the computer and what model you have.

    You are not going to see those device entries running on Startup. You should see this one:
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
    Synaptics TouchPad Enhancements Software Used for Secondary and Auxiliary Function of Synaptics TouchPads
    Please see this for a description of the entries for Synaptic you may see on the Startup menu:
    http://www.sysinfo.org/startuplist.php?filter=syntpenh
    .
    To check the Startup menu using the msconfig utility:
    • Click on the Windows 7 start icon in the bottom left corner of your screen.
    • Type MSCONFIG in the search box> press enter or double-click on the MSCONFIG program that appears in the search results.
    • Click on Selective Startup
    • Click on the Startup tab. You will now see the System Msconfig Utility

      In Windows 7, almost all of Windows' essential programs are loaded through Windows Services. So most of the startup items you see here are optional and can be turned off.
      Important! When in doubt, leave it on-or- use a Startup database to identify a process you are not sure of.
    • Uncheck any process you don't want to start on boot.
    • When finished> click on OK
      Reboot the computer.
    • When you see this message come up: Check 'don't show this message again'> then Restart.
    Images courtesy NetSquirrel

    The only processes that need to start on boot are the antivirus program, third party firewall if you have one, touchpad if on laptop and network processes if using third party software for network. Any other entries in this section can be Unchecked.

    This does not remove a process or program- it can still be accessed when needed through All Programs. And you can go back at a later time and reset the default programs if needed.
    =========================================
    I did notice the following device in the DDS log:
    I can't identify the entry but as you can see, information is missing.
    =======================================
    And I'd like you to describe what you mean by "stopped working."
    Is the cursor frozen on the screen?
    When you reboot, does it come up and then disappear?
    Do you have Control Panel> Mouse set for the touchpad or the mouse?
     
  18. SadPanda

    SadPanda TS Rookie Topic Starter

    On the laptop I'm using, Fn/F7 just turns the sound down (I think). What am I trying to turn off?

    My laptop's manufacturer is Advent. The model is 8555GX.

    Going back into Startup, there don't appear to be any entries associated with Synaptics. I found the folder in Program Files and apart from an empty folder named SynTP, there are no files to be found.

    By "stopped working", I meant that the cursor is not responsive. It won't move or click on anything. It is, as you put it: "frozen on the screen". When I reboot, it appears in the middle of the screen and just sits there. Looking under "Mouse" in the Control Panel, I don't see anything related to the touchpad or mouse apart from the four devices I mentioned in my last post under the "Hardware" tab.
     
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36
