TechSpot

Svchost.exe Trojan Agent causing blue screens crashes

Solved
By Fadil Khan
Nov 9, 2012
  1. I need help with removing this Trojan and making sure that my computer is threat free. I cannot seem to fix it on my own. Malwarebytes detects it each scan and "removes" it, but it does not. Please help... I cannot replace this laptop. It is my lifeline.... Thanks a lot!
     
  2. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello, and welcome to TechSpot.


    Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic where you were helped.
    • We try our best to reply quickly, but if for any reason we do not reply in two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.
    Please review the 5-Step removal instructions and post the logs back here for my review.

    Also, include this scan:

    Download AdwCleaner by Xplode onto your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Delete.
    • A logfile will automatically open after the scan has finished.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.
     
  3. Fadil Khan

    Fadil Khan TS Rookie Topic Starter

    HIJACKTHIS LOG FILE

    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 6:43:16 AM, on 11/9/2012
    Platform: Unknown Windows (WinNT 6.01.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16385)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskhost.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Avast\AvastUI.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskhost.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Windows\System32\control.exe
    C:\Windows\system32\rundll32.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://isearch.avg.com/?cid={8E9EE8F6-5D45-401A-9192-CEA92801ABC3}&mid=51d8fbda1c1447d08b47d15a927e952e-ad1491be2ce6c122f6b66faa90e70c2decf7d34c&lang=en&ds=is015&pr=sa&d=2012-11-08 21:10:49&v=11.0.0.9&sap=hp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GR469A~1.DLL
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\11.0.0.9\AVG Secure Search_toolbar.dll
    O3 - Toolbar: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\11.0.0.9\AVG Secure Search_toolbar.dll
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [avast] "C:\Program Files\Avast\avastUI.exe" /nogui
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKLM\..\Run: [vProt] "C:\Program Files\AVG Secure Search\vprot.exe"
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKCU\..\Run: [6C3AAF785BFCE2EA504830082CE1FE1093961000._service_run] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=service
    O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
    O4 - HKCU\..\Run: [DriverMax_RESTART] "C:\Program Files\DriverMax\drivermax.exe" -RESTART
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
    O4 - Startup: CleanTemp.bat
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
    O13 - Gopher Prefix:
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GRA32A~1.DLL
    O18 - Protocol: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\11.0.2\ViProtocol.dll
    O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
    O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Avast\AvastSvc.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: LMIGuardianSvc - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: vToolbarUpdater11.0.2 - Unknown owner - C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\11.0.2\ToolbarUpdater.exe

    --
    End of file - 6277 bytes
     
  4. Fadil Khan

    Fadil Khan TS Rookie Topic Starter

    ATTACH LOG FILE IS ATTACHED....



    DDS LOG FILE


    DDS (Ver_2012-11-07.01) - NTFS_x86
    Internet Explorer: 8.0.7600.16385
    Run by silentarts at 6:14:12 on 2012-11-09
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.1015.238 [GMT -4.5:30]
    .
    AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ================
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Program Files\Avast\AvastSvc.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\CISVC.EXE
    C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Avast\AvastUI.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\servicing\TrustedInstaller.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k apphost
    C:\Windows\system32\svchost.exe -k iissvcs
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\System32\svchost.exe -k secsvcs
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://isearch.avg.com/?cid={8E9EE8F6-5D45-401A-9192-CEA92801ABC3}&mid=51d8fbda1c1447d08b47d15a927e952e-ad1491be2ce6c122f6b66faa90e70c2decf7d34c&lang=en&ds=is015&pr=sa&d=2012-11-08 21:10:49&v=11.0.0.9&sap=hp
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\avg secure search\11.0.0.9\AVG Secure Search_toolbar.dll
    TB: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\avg secure search\11.0.0.9\AVG Secure Search_toolbar.dll
    uRun: [6C3AAF785BFCE2EA504830082CE1FE1093961000._service_run] "c:\program files\google\chrome\application\chrome.exe" --type=service
    uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
    uRun: [DriverMax_RESTART] "c:\program files\drivermax\drivermax.exe" -RESTART
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [avast] "c:\program files\avast\avastUI.exe" /nogui
    mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
    mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
    StartupFolder: c:\users\silentarts\appdata\roaming\microsoft\windows\start menu\programs\startup\CleanTemp.bat
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableLUA = dword:0
    mPolicies-System: EnableUIADesktopToggle = dword:0
    mPolicies-System: PromptOnSecureDesktop = dword:0
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
    TCP: NameServer = 192.168.1.1
    TCP: Interfaces\{01BDEBE6-6ADA-4388-8946-8C629255A3D0} : DHCPNameServer = 192.168.1.1
    TCP: Interfaces\{51132BB7-1E3C-4E2A-A31A-D5913FDF449E} : DHCPNameServer = 192.168.1.1
    TCP: Interfaces\{A0D72338-71F0-4196-965C-82982C94B637} : DHCPNameServer = 192.168.1.1
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\11.0.2\ViProtocol.dll
    SSODL: WebCheck - <orphaned>
    SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-11-8 721000]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-11-8 353688]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-11-8 21256]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-11-8 57656]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\avast\AvastSvc.exe [2012-11-8 44808]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2012-6-8 12856]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2012-11-8 47640]
    R3 analog;analog;c:\windows\system32\drivers\analog.sys [2012-11-8 11264]
    R3 iegdmini;iegdmini;c:\windows\system32\drivers\iegdmini.sys [2012-11-8 1677440]
    R3 lvds;lvds;c:\windows\system32\drivers\lvds.sys [2012-11-8 10496]
    R3 sdvo;sdvo;c:\windows\system32\drivers\sdvo.sys [2012-11-8 38784]
    R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
    R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
    R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
    R3 tv;tv;c:\windows\system32\drivers\tv.sys [2012-11-8 36864]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    .
    =============== Created Last 30 ================
    .
    2012-11-09 15:32:35 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2012-11-09 15:32:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2012-11-09 08:53:05 -------- d-----w- C:\c164e047adc2ebfd466b
    2012-11-09 03:32:29 -------- d-----w- C:\8274542b4bdfad142084d6
    2012-11-09 02:47:48 -------- d-----w- C:\3dbed645ae825410e7b6e08a9367
    2012-11-09 02:45:37 -------- d-----w- C:\bd43dce6287d498487db4e6d0ad7
    2012-11-09 02:17:15 36864 ----a-w- c:\windows\system32\drivers\tv.sys
    2012-11-09 02:17:13 38784 ----a-w- c:\windows\system32\drivers\sdvo.sys
    2012-11-09 02:17:13 10496 ----a-w- c:\windows\system32\drivers\lvds.sys
    2012-11-09 02:17:09 1677440 ----a-w- c:\windows\system32\drivers\iegdmini.sys
    2012-11-09 02:17:06 403328 ----a-w- c:\windows\system32\iegddis.dll
    2012-11-09 02:16:59 401792 ----a-w- c:\windows\system32\iegd3dg3.dll
    2012-11-09 02:16:57 11264 ----a-w- c:\windows\system32\drivers\analog.sys
    2012-11-09 02:14:58 -------- d-----w- C:\6c5648bb766312e7cfb5e23427
    2012-11-09 02:14:13 196608 ----a-w- c:\windows\system32\mfreadwrite.dll
    2012-11-09 02:14:12 3181568 ----a-w- c:\windows\system32\mf.dll
    2012-11-09 02:14:10 1619456 ----a-w- c:\windows\system32\WMVDECOD.DLL
    2012-11-09 01:59:53 40960 ----a-w- c:\windows\system32\F5D9050.dll
    2012-11-09 01:59:49 -------- d-----w- c:\program files\Belkin
    2012-11-09 01:59:29 225280 ----a-w- c:\program files\common files\installshield\iscript\iscript.dll
    2012-11-09 01:59:29 176128 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\iuser.dll
    2012-11-09 01:59:28 77824 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\ctor.dll
    2012-11-09 01:59:28 32768 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\objectps.dll
    2012-11-09 01:59:12 614532 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\IKernel.exe
    2012-11-09 01:58:42 -------- d-----w- C:\Belkin
    2012-11-09 01:43:14 -------- d-----w- c:\users\silentarts\appdata\local\Innovative Solutions
    2012-11-09 01:42:52 -------- d-----w- c:\program files\DriverMax
    2012-11-09 01:42:25 -------- d-----w- c:\users\silentarts\appdata\local\AVG Secure Search
    2012-11-09 01:40:27 -------- d-----w- c:\program files\common files\AVG Secure Search
    2012-11-09 01:40:11 -------- d-----w- c:\program files\AVG Secure Search
    2012-11-09 01:37:41 -------- d-----w- c:\programdata\AVG Secure Search
    2012-11-09 01:37:25 -------- d--h--w- c:\programdata\Common Files
    2012-11-09 01:37:12 -------- d-----w- c:\users\silentarts\appdata\roaming\mIRC
    2012-11-09 01:37:11 -------- d-----w- c:\program files\mIRC
    2012-11-09 01:06:52 -------- d-----w- c:\windows\Panther
    2012-11-09 00:59:37 -------- d-----w- c:\program files\RocketDock
    2012-11-08 22:35:47 6918632 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{4bfdeddf-ddb2-47d5-a791-34054722a925}\mpengine.dll
    2012-11-08 22:35:44 237072 ------w- c:\windows\system32\MpSigStub.exe
    2012-11-08 21:50:00 -------- d-----w- c:\users\silentarts\appdata\local\LogMeIn
    2012-11-08 21:49:51 52128 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
    2012-11-08 21:49:51 30624 ----a-w- c:\windows\system32\LMIport.dll
    2012-11-08 21:49:50 83392 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
    2012-11-08 21:49:50 47640 ----a-w- c:\windows\system32\drivers\LMIRfsDriver.sys
    2012-11-08 21:49:46 87456 ----a-w- c:\windows\system32\LMIinit.dll
    2012-11-08 21:49:37 -------- d-----w- c:\programdata\LogMeIn
    2012-11-08 21:49:05 -------- d-----w- c:\program files\LogMeIn
    2012-11-08 21:44:40 -------- d-----w- c:\windows\system32\Adobe
    2012-11-08 21:43:37 -------- d-----w- c:\users\silentarts\appdata\local\Adobe
    2012-11-08 21:36:30 -------- d-----w- C:\Torrents
    2012-11-08 21:31:04 -------- d-----w- c:\program files\uTorrent
    2012-11-08 21:28:58 -------- d-----w- c:\users\silentarts\appdata\roaming\uTorrent
    2012-11-08 21:26:50 1096 ----a-w- c:\users\silentarts\appdata\roaming\microsoft\windows\start menu\programs\startup\CleanTemp.bat
    2012-11-08 20:39:57 -------- d-----w- c:\windows\system32\BestPractices
    2012-11-08 20:39:56 -------- d-----w- C:\inetpub
    2012-11-08 20:23:39 -------- d-----w- c:\program files\CCleaner
    2012-11-08 20:20:34 44784 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
    2012-11-08 20:20:28 721000 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-11-08 20:20:20 57656 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2012-11-08 20:19:18 41224 ----a-w- c:\windows\avastSS.scr
    2012-11-08 20:18:50 -------- d-----w- c:\programdata\AVAST Software
    2012-11-08 20:18:49 -------- d-----w- c:\program files\Avast
    2012-11-08 20:16:22 -------- d-----w- c:\program files\VirtualDJ
    2012-11-08 20:11:42 889416 -c--a-w- c:\program files\common files\windows live\.cache\4389400c1cdbded03\dotNetFx40_Full_setup.exe
    2012-11-08 20:09:21 -------- d-----w- c:\users\silentarts\appdata\local\Windows Live
    2012-11-08 20:08:46 -------- d-----w- c:\program files\common files\Windows Live
    2012-11-08 19:58:58 -------- d-----w- c:\users\silentarts\appdata\roaming\QuickLaunch
    2012-11-08 19:38:30 53248 ----a-w- c:\windows\system32\CSVer.dll
    2012-11-08 19:38:06 -------- d-----w- C:\Intel
    2012-11-08 19:33:10 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
    2012-11-08 19:32:31 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
    2012-11-08 19:31:51 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
    2012-11-08 19:30:25 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
    2012-11-08 19:29:30 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
    2012-11-08 19:28:32 90112 ----a-w- c:\windows\system32\snymsico.dll
    2012-11-08 19:28:31 44544 ----a-w- c:\windows\system32\drivers\rimsptsk.sys
    2012-11-08 19:28:05 -------- d-----w- c:\users\silentarts\appdata\roaming\WinBatch
    2012-11-08 19:04:17 33104 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\msonpppr.dll
    2012-11-08 19:04:17 32592 ----a-w- c:\windows\system32\msonpmon.dll
    2012-11-08 18:58:38 -------- d-----w- c:\windows\PCHEALTH
    2012-11-08 18:55:51 -------- d-----w- c:\program files\Microsoft Visual Studio 8
    2012-11-08 18:54:24 -------- d-----w- c:\users\silentarts\appdata\local\Microsoft Help
    2012-11-08 18:42:07 -------- d-----w- c:\users\silentarts\appdata\roaming\Blitware
    2012-11-08 18:42:05 -------- d-----w- c:\program files\Driver Robot
    2012-11-08 18:32:01 -------- d-sh--w- c:\windows\Installer
    2012-11-08 18:28:14 -------- d-----w- c:\users\silentarts\appdata\local\ElevatedDiagnostics
    2012-11-08 18:27:30 -------- d-----w- c:\users\silentarts\appdata\local\Google
    2012-11-08 18:24:58 -------- d-----w- c:\users\silentarts\appdata\local\Apps
    2012-11-08 18:24:57 -------- d-----w- c:\users\silentarts\appdata\local\Deployment
    2012-11-08 17:50:27 -------- d-----w- c:\windows\system32\wbem\Performance
    2012-11-08 17:47:26 -------- d-sh--w- C:\Recovery
    .
    ==================== Find3M ====================
    .
    2012-09-12 20:37:44 58368 ----a-w- c:\windows\system32\sirenacm.dll
    .
    ============= FINISH: 6:16:58.68 ===============
     

    Attached Files:
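The DDS log above contains a short "mPolicies-System" section that is easy to skim past, yet it is the most security-relevant part of the whole log: EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop are all set to 0, which means UAC is switched off and any process running as the user can elevate silently. The following is an added example, not part of this thread or of DDS itself, that parses those lines and reports every value that differs from the Windows 7 default. The sample lines are copied from the log above; the default values are stated from general knowledge of Windows 7 and are assumptions for the purpose of the example.

```python
import re

# Constructed sample input: the mPolicies-System lines exactly as they
# appear in the DDS log posted above.
SAMPLE_DDS_LINES = """\
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
"""

# Assumed Windows 7 defaults for the UAC values that live under
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
# Anything that deviates from these weakens or disables UAC.
UAC_DEFAULTS = {
    "EnableLUA": 1,                   # 0 = UAC entirely off
    "ConsentPromptBehaviorAdmin": 5,  # 0 = admins elevate silently, no prompt
    "ConsentPromptBehaviorUser": 3,   # 3 = standard users are prompted for credentials
    "PromptOnSecureDesktop": 1,       # 0 = prompts appear on the normal, spoofable desktop
    "EnableUIADesktopToggle": 0,      # 0 is the default
}

# DDS prints values in .reg style, where "dword:" is followed by hex digits.
POLICY_RE = re.compile(r"^mPolicies-System:\s*(\w+)\s*=\s*dword:([0-9a-fA-F]+)\s*$")


def parse_policies(text):
    """Return {value_name: int} for every mPolicies-System line in DDS output."""
    policies = {}
    for line in text.splitlines():
        match = POLICY_RE.match(line.strip())
        if match:
            policies[match.group(1)] = int(match.group(2), 16)
    return policies


def uac_findings(policies):
    """List (name, observed, default) for UAC values that differ from the default.

    Values the log does not mention are skipped rather than assumed.
    """
    return [
        (name, policies[name], default)
        for name, default in UAC_DEFAULTS.items()
        if name in policies and policies[name] != default
    ]


def main():
    policies = parse_policies(SAMPLE_DDS_LINES)
    findings = uac_findings(policies)
    if not findings:
        print("UAC policy values match the Windows 7 defaults.")
    for name, observed, default in findings:
        print(f"{name}: observed {observed}, default {default} (UAC weakened)")


if __name__ == "__main__":
    main()
```

Run against the sample it reports EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop as non-default; the same parser can be pointed at any DDS log's "Pseudo HJT Report" section to triage that block before reading the rest.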

  5. Fadil Khan

    Fadil Khan TS Rookie Topic Starter

    COMBOFIX LOGFILE


    ComboFix 12-11-09.02 - silentarts 11/09/2012 6:54.1.1 - x86
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.1015.448 [GMT -4.5:30]
    Running from: c:\users\silentarts\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\install.exe
    c:\users\silentarts\AppData\Roaming\mIRC\logs\status.log
    c:\windows\system32\F5D9050.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-10-09 to 2012-11-09 )))))))))))))))))))))))))))))))
    .
    .
    2012-11-09 15:32 . 2012-11-09 15:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2012-11-09 15:32 . 2012-11-09 05:02 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2012-11-09 11:33 . 2012-11-09 11:33 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-11-09 11:08 . 2012-11-09 11:08 -------- d-----w- c:\program files\TrendMicro
    2012-11-09 11:06 . 2012-11-09 11:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-11-09 10:53 . 2012-11-09 10:53 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-11-09 09:24 . 2012-11-09 09:30 -------- d-----w- c:\program files\Windows Live
    2012-11-09 08:53 . 2012-11-09 08:53 -------- d-----w- C:\c164e047adc2ebfd466b
    2012-11-09 03:32 . 2012-11-09 03:36 -------- d-----w- C:\8274542b4bdfad142084d6
    2012-11-09 02:47 . 2012-11-09 02:47 -------- d-----w- C:\3dbed645ae825410e7b6e08a9367
    2012-11-09 02:45 . 2012-11-09 02:45 -------- d-----w- C:\bd43dce6287d498487db4e6d0ad7
    2012-11-09 02:17 . 2011-02-01 20:39 36864 ----a-w- c:\windows\system32\drivers\tv.sys
    2012-11-09 02:17 . 2011-02-01 20:39 38784 ----a-w- c:\windows\system32\drivers\sdvo.sys
    2012-11-09 02:17 . 2011-02-01 20:39 10496 ----a-w- c:\windows\system32\drivers\lvds.sys
    2012-11-09 02:17 . 2011-02-01 20:39 1677440 ----a-w- c:\windows\system32\drivers\iegdmini.sys
    2012-11-09 02:17 . 2011-02-01 20:39 403328 ----a-w- c:\windows\system32\iegddis.dll
    2012-11-09 02:16 . 2011-02-01 20:39 401792 ----a-w- c:\windows\system32\iegd3dg3.dll
    2012-11-09 02:16 . 2011-02-01 20:39 11264 ----a-w- c:\windows\system32\drivers\analog.sys
    2012-11-09 02:14 . 2012-11-09 02:15 -------- d-----w- C:\6c5648bb766312e7cfb5e23427
    2012-11-09 02:14 . 2010-05-23 10:11 196608 ----a-w- c:\windows\system32\mfreadwrite.dll
    2012-11-09 02:14 . 2010-05-23 10:11 3181568 ----a-w- c:\windows\system32\mf.dll
    2012-11-09 02:14 . 2010-05-23 10:15 1619456 ----a-w- c:\windows\system32\WMVDECOD.DLL
    2012-11-09 01:59 . 2012-11-09 01:59 -------- d-----w- c:\program files\Belkin
    2012-11-09 01:59 . 2012-11-09 01:59 -------- d-----w- c:\program files\Common Files\InstallShield
    2012-11-09 01:58 . 2012-11-09 01:58 -------- d-----w- C:\Belkin
    2012-11-09 01:46 . 2012-11-09 01:47 -------- d-----w- c:\programdata\WinZip
    2012-11-09 01:42 . 2012-11-09 02:09 -------- d-----w- c:\program files\DriverMax
    2012-11-09 01:40 . 2012-11-09 01:40 -------- d-----w- c:\program files\Common Files\AVG Secure Search
    2012-11-09 01:40 . 2012-11-09 01:42 -------- d-----w- c:\program files\AVG Secure Search
    2012-11-09 01:37 . 2012-11-09 01:42 -------- d-----w- c:\programdata\AVG Secure Search
    2012-11-09 01:37 . 2012-11-09 01:37 -------- d--h--w- c:\programdata\Common Files
    2012-11-09 01:37 . 2012-11-09 01:43 -------- d-----w- c:\program files\mIRC
    2012-11-09 01:06 . 2012-11-08 21:34 -------- d-----w- c:\windows\Panther
    2012-11-09 00:59 . 2012-11-09 00:59 -------- d-----w- c:\program files\RocketDock
    2012-11-08 22:35 . 2012-10-17 06:02 6918632 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4BFDEDDF-DDB2-47D5-A791-34054722A925}\mpengine.dll
    2012-11-08 22:35 . 2012-05-31 15:55 237072 ------w- c:\windows\system32\MpSigStub.exe
    2012-11-08 21:49 . 2012-07-05 22:39 52128 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
    2012-11-08 21:49 . 2012-07-05 22:39 30624 ----a-w- c:\windows\system32\LMIport.dll
    2012-11-08 21:49 . 2012-07-05 22:40 83392 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
    2012-11-08 21:49 . 2012-06-08 16:36 47640 ----a-w- c:\windows\system32\drivers\LMIRfsDriver.sys
    2012-11-08 21:49 . 2012-07-05 22:39 87456 ----a-w- c:\windows\system32\LMIinit.dll
    2012-11-08 21:49 . 2012-11-09 10:10 -------- d-----w- c:\programdata\LogMeIn
    2012-11-08 21:49 . 2012-11-09 02:40 -------- d-----w- c:\program files\LogMeIn
    2012-11-08 21:44 . 2012-11-08 21:44 -------- d-----w- c:\windows\system32\Adobe
    2012-11-08 21:36 . 2012-11-08 21:36 -------- d-----w- C:\Torrents
    2012-11-08 21:31 . 2012-11-08 21:31 -------- d-----w- c:\program files\uTorrent
    2012-11-08 20:39 . 2012-11-08 20:39 -------- d-----w- c:\windows\system32\BestPractices
    2012-11-08 20:39 . 2012-11-08 20:39 -------- d-----w- C:\inetpub
    2012-11-08 20:23 . 2012-11-08 20:24 -------- d-----w- c:\program files\CCleaner
    2012-11-08 20:20 . 2012-07-03 16:21 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2012-11-08 20:20 . 2012-07-03 16:21 353688 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2012-11-08 20:20 . 2012-07-03 16:21 44784 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
    2012-11-08 20:20 . 2012-07-03 16:21 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2012-11-08 20:20 . 2012-07-03 16:21 721000 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-11-08 20:20 . 2012-07-03 16:21 57656 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2012-11-08 20:19 . 2012-07-03 16:21 41224 ----a-w- c:\windows\avastSS.scr
    2012-11-08 20:19 . 2012-07-03 16:21 227648 ----a-w- c:\windows\system32\aswBoot.exe
    2012-11-08 20:18 . 2012-11-08 20:18 -------- d-----w- c:\programdata\AVAST Software
    2012-11-08 20:18 . 2012-11-08 20:19 -------- d-----w- c:\program files\Avast
    2012-11-08 20:18 . 2012-11-09 16:17 -------- d-----w- c:\program files\Common Files\Adobe
    2012-11-08 20:16 . 2012-11-08 20:18 -------- d-----w- c:\program files\VirtualDJ
    2012-11-08 20:08 . 2012-11-08 20:08 -------- d-----w- c:\program files\Common Files\Windows Live
    2012-11-08 19:38 . 2012-11-08 19:38 -------- d-----w- c:\program files\Intel
    2012-11-08 19:38 . 2012-11-08 19:37 53248 ----a-w- c:\windows\system32\CSVer.dll
    2012-11-08 19:38 . 2012-11-08 19:38 -------- d-----w- C:\Intel
    2012-11-08 19:33 . 2010-05-26 16:11 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
    2012-11-08 19:32 . 2010-05-26 16:11 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
    2012-11-08 19:31 . 2010-05-26 16:11 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
    2012-11-08 19:30 . 2010-05-26 16:11 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
    2012-11-08 19:29 . 2010-05-26 16:11 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
    2012-11-08 19:28 . 2004-09-04 07:30 90112 ----a-w- c:\windows\system32\snymsico.dll
    2012-11-08 19:28 . 2012-11-08 19:28 -------- d--h--w- c:\program files\InstallShield Installation Information
    2012-11-08 19:28 . 2009-06-25 20:40 44544 ----a-w- c:\windows\system32\drivers\rimsptsk.sys
    2012-11-08 19:04 . 2006-10-27 00:26 33104 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll
    2012-11-08 19:04 . 2006-10-27 00:26 32592 ----a-w- c:\windows\system32\msonpmon.dll
    2012-11-08 19:01 . 2012-11-08 19:01 -------- d-----w- c:\program files\Microsoft Works
    2012-11-08 18:58 . 2012-11-09 09:14 -------- d-----w- c:\program files\Microsoft.NET
    2012-11-08 18:58 . 2012-11-08 18:58 -------- d-----w- c:\windows\PCHEALTH
    2012-11-08 18:55 . 2012-11-08 18:55 -------- d-----w- c:\program files\Microsoft Visual Studio 8
    2012-11-08 18:54 . 2012-11-08 19:05 -------- d-----w- c:\programdata\Microsoft Help
    2012-11-08 18:51 . 2012-11-08 18:51 -------- d-----r- C:\MSOCache
    2012-11-08 18:42 . 2012-11-08 18:42 -------- d-----w- c:\program files\Driver Robot
    2012-11-08 18:32 . 2012-11-09 11:08 -------- d-sh--w- c:\windows\Installer
    2012-11-08 18:27 . 2012-11-08 19:47 -------- d-----w- c:\program files\Google
    2012-11-08 17:53 . 2012-11-09 03:09 -------- d-----w- c:\users\silentarts
    2012-11-08 17:50 . 2012-11-08 21:58 -------- d-----w- c:\windows\system32\wbem\Performance
    2012-11-08 17:47 . 2012-11-08 17:47 -------- d-----w- C:\Recovery
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-09-12 20:37 . 2012-09-12 20:37  58368  ----a-w-  c:\windows\system32\sirenacm.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
    2012-11-09 01:40  2067328  ----a-w-  c:\program files\AVG Secure Search\11.0.0.9\AVG Secure Search_toolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\11.0.0.9\AVG Secure Search_toolbar.dll" [2012-11-09 2067328]
    .
    [HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
    [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
    [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2012-07-03 16:21  121528  ----a-w-  c:\program files\Avast\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "6C3AAF785BFCE2EA504830082CE1FE1093961000._service_run"="c:\program files\Google\Chrome\Application\chrome.exe" [2012-10-31 1242136]
    "RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
    "DriverMax_RESTART"="c:\program files\DriverMax\drivermax.exe" [2012-10-19 11325376]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
    "avast"="c:\program files\Avast\avastUI.exe" [2012-07-03 4273976]
    "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2012-06-08 63048]
    "vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-11-09 1116544]
    .
    c:\users\silentarts\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    CleanTemp.bat [2012-11-8 1096]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    R2 vToolbarUpdater11.0.2;vToolbarUpdater11.0.2;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\11.0.2\ToolbarUpdater.exe [x]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
    S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [x]
    S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [x]
    S3 analog;analog;c:\windows\system32\DRIVERS\analog.sys [x]
    S3 iegdmini;iegdmini;c:\windows\system32\DRIVERS\iegdmini.sys [x]
    S3 lvds;lvds;c:\windows\system32\DRIVERS\lvds.sys [x]
    S3 sdvo;sdvo;c:\windows\system32\DRIVERS\sdvo.sys [x]
    S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [x]
    S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [x]
    S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [x]
    S3 tv;tv;c:\windows\system32\DRIVERS\tv.sys [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - 63271854
    *Deregistered* - 63271854
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    iissvcs  REG_MULTI_SZ  w3svc was
    apphost  REG_MULTI_SZ  apphostsvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-11-08 c:\windows\Tasks\Driver Robot.job
    - c:\program files\Driver Robot\1.2.0.5\DriverRobot.exe [2012-11-08 21:59]
    .
    2012-11-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-11-08 18:27]
    .
    2012-11-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-11-08 18:27]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.tt/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.1
    Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\11.0.2\ViProtocol.dll
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2012-11-09 07:06:58
    ComboFix-quarantined-files.txt 2012-11-09 11:36
    .
    Pre-Run: 12,485,107,712 bytes free
    Post-Run: 12,409,049,088 bytes free
    .
    - - End Of File - - C52651716C3CE8523318C510F7663549
     
  6. Fadil Khan

    Fadil Khan TS Rookie Topic Starter

    I ALSO DOWNLOADED Malwarebytes' Anti-Malware and here is the log file for it...
    Malwarebytes' Anti-Malware 1.41
    Database version: 2775
    Windows 6.1.7600
    11/9/2012 10:21:37 AM
    mbam-log-2012-11-09 (10-21-37).txt
    Scan type: Full Scan (C:\|)
    Objects scanned: 163112
    Time elapsed: 1 hour(s), 27 minute(s), 57 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    (No malicious items detected)
    Registry Values Infected:
    (No malicious items detected)
    Registry Data Items Infected:
    (No malicious items detected)
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    (No malicious items detected)
     
  7. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    TDSSKiller Scan

    Please download and run TDSSKiller to your desktop as outlined below:

    Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

    For Windows XP, double-click to start.
    For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.


    -------------------------

    Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.


    ------------------------

    Click the Start Scan button.


    -----------------------

    If a suspicious object is detected, the default action will be Skip; click on Continue.
    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.



    ----------------------

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.




    --------------------

    A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.
    Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

    -------------------

    Here's a summary of what to do if you would like to print it out:

    If a suspicious object is detected, the default action will be Skip; click on Continue.
    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.


    avast! aswMBR

    Please download aswMBR from here
    • Save aswMBR.exe to your Desktop
    • Double click aswMBR.exe to run it
    • Uncheck "Trace disk IO calls".
    • Click the Scan button to start the scan as illustrated below
    Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives.
    • Once the scan finishes click Save log to save the log to your Desktop
    • Copy and paste the contents of aswMBR.txt back here for review
    • Please also find MBR.dat on your Desktop, and rename it to MBRscan.txt. Upload that as well. Do not copy and paste MBR.dat/txt, it needs to be uploaded.
     
  8. Fadil Khan

    Fadil Khan TS Rookie Topic Starter

    The TDSS Log File is too large so I Attached it...

    Also, I am currently running the aswMBR Scan...
     

    Attached Files:

  9. Fadil Khan

    Fadil Khan TS Rookie Topic Starter

    Hey...I have one question...Which Antivirus Software Should I Use?
     
  10. Fadil Khan

    Fadil Khan TS Rookie Topic Starter

    aswMBR Log File


    aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
    Run date: 2012-11-10 01:23:19
    -----------------------------
    01:23:19.458 OS Version: Windows 6.1.7600
    01:23:19.458 Number of processors: 1 586 0xD06
    01:23:19.461 ComputerName: SILENTARTS_PC UserName: silentarts
    01:23:22.937 Initialize success
    01:23:26.189 AVAST engine defs: 12111001
    01:23:48.645 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
    01:23:48.645 Disk 0 Vendor: TOSHIBA_MK3029GACE RB102A Size: 28615MB BusType: 3
    01:23:48.661 Disk 0 MBR read successfully
    01:23:48.661 Disk 0 MBR scan
    01:23:48.661 Disk 0 Windows 7 default MBR code
    01:23:48.676 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
    01:23:48.692 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 28513 MB offset 206848
    01:23:48.692 Disk 0 scanning sectors +58601472
    01:23:48.786 Disk 0 scanning C:\Windows\system32\drivers
    01:24:07.727 Service scanning
    01:24:41.827 Modules scanning
    01:25:02.952 AVAST engine scan C:\
    02:01:03.097 Scan finished successfully
    02:04:00.894 Disk 0 MBR has been saved successfully to "C:\Users\silentarts\Desktop\Logs\MBR.dat"
    02:04:00.899 The log file has been saved successfully to "C:\Users\silentarts\Desktop\Logs\aswMBR.txt"
     
  11. Fadil Khan

    Fadil Khan TS Rookie Topic Starter

    MBRscan Log File

     
     
  12. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    We'll take care of that later.

    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so and install it.
    • Click Start or wait for the scanner to load.
    • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, there are a couple of things to keep in mind:
    • 1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
    • 2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
    • Open the logfile from wherever you saved it
    • Copy and paste the contents in your next reply.
     
  13. Fadil Khan

    Fadil Khan TS Rookie Topic Starter

    Did everything you said. Found only one virus...

    C:\Users\silentarts\Downloads\Unlocker1.9.1.exe    Win32/Adware.ADON application    cleaned by deleting - quarantined
     
  14. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Any more issues?

    We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

    Many of the things to note for us would be:

    • Slow computer
    • Error messages
    • Fake antivirus alerts or the icon in the system tray
    • svchost.exe running at 100%
    • System crashes or blue screen of death
     
  15. Fadil Khan

    Fadil Khan TS Rookie Topic Starter

    That seems to be all.. Just one question...Is it normal to have this many svchost.exe files running at once? Check Attachment for an Idea of what I am talking about...
     

    Attached Files:

  16. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Yes, it is very normal. Svchost.exe has multiple instances in the processes, because it has so many different purposes in the file system.

    Clean up System Restore

    Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

    To manually create a new Restore Point
    • Go to Control Panel and select System and Maintenance
    • Select System
    • On the left select Advanced System Settings and accept the warning if you get one
    • Select System Protection Tab
    • Select Create at the bottom
    • Type in a name, i.e. Clean
    • Select Create
    Now we can purge the infected ones
    • Go back to the System and Maintenance page
    • Select Performance Information and Tools
    • On the left select Open Disk Cleanup
    • Select Files from all users and accept the warning if you get one
    • In the drop down box select your main drive, i.e. C
    • For a few moments the system will make some calculations:
    • Select the More Options tab
    • In the System Restore and Shadow Backups select Clean up
    • Select Delete on the pop up
    • Select OK
    • Select Delete
    Run OTC to remove our tools

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTC.exe by OldTimer:
    • Save it to your Desktop.
    • Double click OTC.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    Purge old temporary files

    NOTE: If you already have this installed, you don't have to reinstall it.

    Please download CCleaner Slim and save it to your Desktop - Alternate download link

    When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
    Follow the prompts to install the program.

    • Double-click the CCleaner shortcut on the desktop to start the program.
    • A prompt will ask you if you want CCleaner to do a check to see what cookies it needs to keep. Allow that operation.
    • On the Cleaner tab, click on Run Cleaner on the bottom-right to run the program.
    • Important: Make sure that ALL browser windows are closed before selecting Run Cleaner, or it will ask if you want the program to close them for you (when you do this, all unsaved data may be lost in the browser).

      Caution: Only use the Registry feature if you are very familiar with the registry.
      Always back up your registry before making any changes. Exit CCleaner after it has completed its process.

      Security Check

      Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
      • Save it to your Desktop.
      • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
      • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
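To check whether the many svchost.exe instances the topic starter asked about are the normal ones, here is an added PowerShell script (not from this thread or any of the tools used in it) that lists each svchost.exe process with the service group from its `-k` argument and the services it hosts, and flags instances that do not look like the real Service Host: wrong image path, a group missing from the registry key ComboFix listed under "Reg Loading Points", no hosted service, or a parent other than services.exe. It assumes PowerShell 3.0 or later and an elevated prompt.

```powershell
# Added example, not part of the TechSpot thread: audit running svchost.exe
# instances. Run from an elevated PowerShell (3.0+) prompt.

$expectedPath = Join-Path $env:SystemRoot 'System32\svchost.exe'

# The same key ComboFix printed as "[HKEY_LOCAL_MACHINE\...\svchost]":
# each value is a service group name whose REG_MULTI_SZ data lists members.
$groupKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$groupNames = (Get-ItemProperty -Path $groupKey).PSObject.Properties.Name |
    Where-Object { $_ -notlike 'PS*' }

# Running services, keyed later by the PID that hosts them
$running = Get-CimInstance Win32_Service | Where-Object { $_.State -eq 'Running' }

$procs  = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'"
$report = foreach ($p in $procs) {
    $hosted = $running | Where-Object { $_.ProcessId -eq $p.ProcessId } |
        Select-Object -ExpandProperty Name

    # Legitimate instances are started as "svchost.exe -k <group>"
    $group = if ($p.CommandLine -match '-k\s+(\S+)') { $Matches[1] } else { '<none>' }

    $flags = @()
    # Comparison is case-insensitive, so system32 vs System32 does not matter
    if ($p.ExecutablePath -and $p.ExecutablePath -ne $expectedPath) {
        $flags += 'path-not-system32'
    }
    if ($group -eq '<none>') {
        $flags += 'no-k-argument'
    } elseif ($groupNames -notcontains $group) {
        $flags += 'unknown-group'
    }
    if (-not $hosted) { $flags += 'hosts-no-service' }

    # The real Service Host is always launched by services.exe
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    if ($parent -and $parent.Name -ne 'services.exe') {
        $flags += "parent-is-$($parent.Name)"
    }

    [pscustomobject]@{
        PID      = $p.ProcessId
        Group    = $group
        Services = ($hosted -join ', ')
        Path     = $p.ExecutablePath
        Flags    = ($flags -join ' ')
    }
}

$report | Sort-Object PID | Format-Table -AutoSize -Wrap
```

An empty Flags column for every row is the expected result on a healthy Windows 7 machine; a dozen or more rows is normal and by itself says nothing about infection.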
     
  17. Fadil Khan

    Fadil Khan TS Rookie Topic Starter

    OTC is currently running...I did all the steps above so far...just one question...

    After OTC Runs....You said download and install CCleaner Slim...I have the normal CCleaner version...is that the same, because I use that for everyday cleaning...

    PS: How long does OTC take to run?
     
  18. Fadil Khan

    Fadil Khan TS Rookie Topic Starter

    OTC Done, CCleaner Done...with all browsers closed....

    Security Check Scan Log...

    Results of screen317's Security Check version 0.99.54
    Windows 7 x86 (UAC is disabled!)
    Out of date service pack!!
    Internet Explorer 8 Out of date!
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Disabled!
    avast! Antivirus
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    Spybot - Search & Destroy
    Malwarebytes Anti-Malware version 1.65.1.1000
    CCleaner
    Adobe Reader X (10.1.4)
    Google Chrome 23.0.1271.64
    ````````Process Check: objlist.exe by Laurent````````
    Avast AvastSvc.exe
    Avast AvastUI.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 10%
    ````````````````````End of Log``````````````````````
     
  19. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

  20. Fadil Khan

    Fadil Khan TS Rookie Topic Starter

    Thanks a lot! No more questions...All issues solved...Will try my best to keep it that way...

    Now...about my question....What antivirus software should I be using?
     
  21. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Read carefully:
    You'll find info there. :)

    Topic marked.
     