TechSpot

Win32 Heur / AVG

Solved
By banana1
Mar 9, 2011
  1. Hello everyone, now I noticed I'm not the only one getting this alert from AVG last night, about my Supreme Commander Forged Alliance .exe and Star Wars Forces of Corruption .exe.

    I ran the six-step guide on this forum and so far they say I am not infected; I have the two files in my AVG quarantine.

    Just as a side note, I do not go on pornographic sites; the only downloads I do are Steam, iTunes and gaming mods, and I have done none of the latter for weeks. I also scan on a daily basis with my AVG and it did not detect anything the previous day, until this update kicked in late last night. I have also sent the file to AVG so they can see if it is a false positive (which I really hope it is), but you guys/gals are more knowledgeable than me on this, so I come to you :)
    My computer is not showing any kind of malfunctions or symptoms of an infection either; my CPU usage isn't spazzing out and neither is my memory. My only indicator that there's a problem was the pop-up from AVG.

    So far all these have come up empty. Oh, and my GMER log didn't seem to save correctly, so I will run that again and post it when I have it. Thank you. Sorry to be a bother.


    Malwarebytes log.

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5993

    Windows 6.0.6001 Service Pack 1
    Internet Explorer 7.0.6001.18000

    08/03/2011 23:43:45
    mbam-log-2011-03-08 (23-43-45).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 664147
    Time elapsed: 2 hour(s), 27 minute(s), 51 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    DDS LOG
    .
    DDS (Ver_11-03-05.01) - NTFS_AMD64
    Run by Christopher at 18:27:52.78 on 09/03/2011
    Internet Explorer: 7.0.6001.18000
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.4094.2155 [GMT 0:00]
    .
    AV: Norton 360 *Disabled/Outdated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
    AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Norton 360 *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
    FW: Norton 360 *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
    .
    ============== Running Processes ===============
    .
    C:\PROGRA~2\AVG\AVG10\avgchsva.exe
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k apphost
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe
    C:\Program Files (x86)\Bonjour\mDNSResponder.exe
    C:\Program Files\Packard Bell\Packard Bell Recovery Management\Service\ETService.exe
    C:\Windows\system32\HidService.exe
    C:\Program Files\Microsoft LifeCam\MSCamS64.exe
    C:\Program Files (x86)\Norton 360\Engine\4.1.0.32\ccSvcHst.exe
    C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe
    C:\Program Files (x86)\AVG\AVG10\avgnsa.exe
    C:\Program Files (x86)\AVG\AVG10\avgemca.exe
    C:\Windows\SysWOW64\PnkBstrA.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files (x86)\Packard Bell\SrvCDEject.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files (x86)\Norton 360\Engine\4.1.0.32\ccSvcHst.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    C:\Windows\System32\nvraidservice.exe
    C:\Windows\RAVCpl64.exe
    C:\ACER\Preload\Autorun\DRV\Fiji Keyboard\ABoard.exe
    C:\Program Files\PACKARD BELL\SetUpMyPC\SmpSys.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files (x86)\Steam\Steam.exe
    C:\ACER\Preload\Autorun\DRV\Fiji Keyboard\AOSD.exe
    C:\Program Files (x86)\Skype\Phone\Skype.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files (x86)\AVG\AVG10\avgtray.exe
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Program Files (x86)\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\system32\svchost.exe -k iissvcs
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files (x86)\Skype\Plugin Manager\skypePM.exe
    C:\Windows\servicing\TrustedInstaller.exe
    C:\Windows\system32\wuauclt.exe
    C:\PROGRA~2\AVG\AVG10\avgrsa.exe
    C:\Program Files (x86)\AVG\AVG10\avgcsrva.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Users\Christopher\Desktop\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://bridgecommander.filefront.com/
    uInternet Settings,ProxyOverride = *.local
    mWinlogon: Userinit=userinit.exe,
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
    BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton 360\Engine\4.1.0.32\coIEPlg.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton 360\Engine\4.1.0.32\IPSBHO.DLL
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton 360\Engine\4.1.0.32\coIEPlg.dll
    uRun: [SmpcSys] C:\Program Files\PACKARD BELL\SetUpMyPC\SmpSys.exe
    uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
    uRun: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
    uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
    uRun: [Google Update] "C:\Users\Christopher\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    mRun: [SmpcSys] C:\Program Files\Packard Bell\SetupMyPC\SmpSys.exe
    mRun: [eRecoveryService]
    mRun: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    mRun: [AdobeCS4ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
    mRun: [LifeCam] "C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe"
    mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe
    mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
    IE: Free YouTube Download - C:\Users\Christopher\AppData\Roaming\DVDVideoSoftIEHelpers\youtubedownload.htm
    IE: Free YouTube to Mp3 Converter - C:\Users\Christopher\AppData\Roaming\DVDVideoSoftIEHelpers\youtubetomp3.htm
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
    LSP: %SYSTEMROOT%\system32\nvLsp.dll
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG10\avgpp.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
    BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG10\avgssiea.dll
    BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
    BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    TB-X64: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
    mRun-x64: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun-x64: [NVRaidService] C:\Windows\system32\nvraidservice.exe
    mRun-x64: [RtHDVCpl] RAVCpl64.exe
    mRun-x64: [Skytel] Skytel.exe
    mRun-x64: [FijiKeyboard] c:\Acer\Preload\Autorun\DRV\FIJI Keyboard\ABoard.exe
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSEH;AVGIDSEH;C:\Windows\System32\drivers\AVGIDSEH.sys [2010-9-13 27216]
    R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\System32\drivers\avgrkx64.sys [2010-9-7 30288]
    R0 nvamacpi;Nvidia Away Mode System;C:\Windows\System32\drivers\nvamacpi.sys [2009-1-11 28192]
    R0 SymDS;Symantec Data Store;C:\Windows\System32\drivers\N360x64\0401000.020\SymDS64.sys [2010-4-30 433200]
    R0 SymEFA;Symantec Extended File Attributes;C:\Windows\System32\drivers\N360x64\0401000.020\SymEFA64.sys [2010-4-30 221232]
    R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\System32\drivers\avgldx64.sys [2010-12-8 308304]
    R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\System32\drivers\avgmfx64.sys [2010-9-7 41040]
    R1 Avgtdia;AVG TDI Driver;C:\Windows\System32\drivers\avgtdia.sys [2010-11-12 382032]
    R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\BASHDefs\20100324.001\BHDrvx64.sys [2010-3-24 678960]
    R1 ccHP;Symantec Hash Provider;C:\Windows\System32\drivers\N360x64\0401000.020\cchpx64.sys [2010-4-30 615040]
    R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\IPSDefs\20100422.002\IDSviA64.sys [2010-5-1 466992]
    R1 SymIRON;Symantec Iron Driver;C:\Windows\System32\drivers\N360x64\0401000.020\Ironx64.sys [2010-4-30 149552]
    R1 SYMTDIv;Symantec Vista Network Dispatch Driver;C:\Windows\System32\drivers\N360x64\0401000.020\symtdiv.sys [2010-4-30 451120]
    R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2011-1-6 6128720]
    R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe [2010-10-22 265400]
    R2 ETService;Empowering Technology Service;C:\Program Files\PACKARD BELL\Packard Bell Recovery Management\Service\ETService.exe [2009-3-28 24576]
    R2 N360;Norton 360;C:\Program Files (x86)\Norton 360\Engine\4.1.0.32\ccSvcHst.exe [2010-4-30 126392]
    R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-4-6 1153368]
    R2 SrvCDEject;SrvCDEject;C:\Program Files (x86)\Packard Bell\SrvCDEject.exe [2009-3-28 600576]
    R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-7-9 248936]
    R3 AVGIDSDriver;AVGIDSDriver;C:\Windows\System32\drivers\AVGIDSDriver.sys [2010-8-19 133712]
    R3 AVGIDSFilter;AVGIDSFilter;C:\Windows\System32\drivers\AVGIDSFilter.sys [2010-8-19 35920]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-5-1 132656]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S2 gupdate1c9d4b82f48e567;Google Update Service (gupdate1c9d4b82f48e567);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2009-5-14 133104]
    S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;C:\Program Files (x86)\Dragon Age\bin_ship\daupdatersvc.service.exe [2009-12-15 25832]
    S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2009-8-18 1038088]
    S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;C:\Windows\System32\drivers\nx6000.sys [2010-3-12 36720]
    S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-21 19968]
    S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2011-2-18 51712]
    S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\System32\drivers\wdcsam64.sys [2008-5-6 14464]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
    S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-3-28 93184]
    .
    =============== Created Last 30 ================
    .
    2073-04-13 17:17:26 203576 ------w- C:\Program Files (x86)\Microsoft Games\Age of Empires III\autopatcher2.exe
    2011-03-09 17:21:11 2424320 ----a-w- C:\Windows\System32\mstscax.dll
    2011-03-09 17:21:10 730624 ----a-w- C:\Windows\System32\mstsc.exe
    2011-03-09 17:21:10 677888 ----a-w- C:\Windows\SysWow64\mstsc.exe
    2011-03-09 17:21:10 2067456 ----a-w- C:\Windows\SysWow64\mstscax.dll
    2011-03-09 17:21:09 560128 ----a-w- C:\Windows\System32\EncDec.dll
    2011-03-09 17:21:09 429056 ----a-w- C:\Windows\SysWow64\EncDec.dll
    2011-03-09 17:21:09 416768 ----a-w- C:\Windows\System32\sbe.dll
    2011-03-09 17:21:09 323072 ----a-w- C:\Windows\SysWow64\sbe.dll
    2011-03-09 17:21:09 226816 ----a-w- C:\Windows\System32\mpg2splt.ax
    2011-03-09 17:21:09 210944 ----a-w- C:\Windows\System32\sbeio.dll
    2011-03-09 17:21:09 177664 ----a-w- C:\Windows\SysWow64\mpg2splt.ax
    2011-03-09 17:21:09 153088 ----a-w- C:\Windows\SysWow64\sbeio.dll
    2011-03-08 21:06:28 -------- d-----w- C:\Users\CHRIST~1\AppData\Roaming\Malwarebytes
    2011-03-08 21:06:20 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
    2011-03-08 21:06:19 -------- d-----w- C:\PROGRA~3\Malwarebytes
    2011-03-08 21:06:16 -------- d-----w- C:\Program Files (x86)\MALWAREBYTES ANTI-MALWARE
    2011-03-08 21:06:15 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2011-03-08 21:06:15 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2011-03-04 20:44:54 -------- d-----w- C:\Program Files\iPod
    2011-03-04 20:44:42 -------- d-----w- C:\Program Files\iTunes
    2011-03-04 20:44:42 -------- d-----w- C:\Program Files (x86)\iTunes
    2011-03-04 20:39:50 -------- d-----w- C:\Program Files\Bonjour
    2011-03-04 20:39:50 -------- d-----w- C:\Program Files (x86)\Bonjour
    2011-02-26 01:19:32 41872 ----a-w- C:\Windows\SysWow64\xfcodec.dll
    2011-02-26 01:19:32 27536 ----a-w- C:\Windows\System32\xfcodec64.dll
    2011-02-23 18:22:57 -------- d-----w- C:\Users\CHRIST~1\AppData\Local\Chromium
    2011-02-23 17:12:52 2048 ----a-w- C:\Windows\SysWow64\winrsmgr.dll
    2011-02-23 17:12:52 2048 ----a-w- C:\Windows\System32\winrsmgr.dll
    2011-02-23 17:12:50 13312 ----a-w- C:\Windows\System32\wsmplpxy.dll
    2011-02-23 17:12:50 13312 ----a-w- C:\Windows\System32\winrssrv.dll
    2011-02-23 17:12:31 10240 ----a-w- C:\Windows\SysWow64\wsmplpxy.dll
    2011-02-23 17:12:31 10240 ----a-w- C:\Windows\SysWow64\winrssrv.dll
    2011-02-22 21:08:03 -------- d-----w- C:\Users\CHRIST~1\AppData\Local\Amazon
    2011-02-22 21:07:44 -------- d-----w- C:\Program Files (x86)\Amazon
    2011-02-18 16:36:58 51712 ----a-w- C:\Windows\System32\drivers\usbaapl64.sys
    2011-02-18 16:36:58 4184352 ----a-w- C:\Windows\System32\usbaaplrc.dll
    2011-02-12 20:20:28 -------- d-----w- C:\Program Files (x86)\Raven
    2011-02-09 18:17:49 4692368 ----a-w- C:\Windows\System32\ntoskrnl.exe
    2011-02-09 18:17:48 1560960 ----a-w- C:\Windows\System32\ntdll.dll
    2011-02-09 18:17:48 1167488 ----a-w- C:\Windows\SysWow64\ntdll.dll
    .
    ==================== Find3M ====================
    .
    2011-02-16 19:07:10 270904 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
    2011-02-16 19:07:10 270904 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
    2011-02-16 19:05:54 215128 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
    2011-01-08 09:31:03 48128 ----a-w- C:\Windows\System32\atmlib.dll
    2011-01-08 07:50:00 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
    2011-01-08 06:17:24 367104 ----a-w- C:\Windows\System32\atmfd.dll
    2011-01-08 05:57:10 292352 ----a-w- C:\Windows\SysWow64\atmfd.dll
    2010-12-31 13:46:25 2755584 ----a-w- C:\Windows\System32\win32k.sys
    2010-12-28 15:26:13 462848 ----a-w- C:\Windows\System32\odbc32.dll
    2010-12-28 14:57:35 409600 ----a-w- C:\Windows\SysWow64\odbc32.dll
    2010-12-23 17:10:15 43520 ----a-w- C:\Windows\SysWow64\CmdLineExt03.dll
    2010-12-20 16:08:20 1032704 ----a-w- C:\Windows\System32\wininet.dll
    2010-12-20 16:04:07 86528 ----a-w- C:\Windows\System32\ieencode.dll
    2010-12-20 15:40:24 833024 ----a-w- C:\Windows\SysWow64\wininet.dll
    2010-12-20 15:37:57 78336 ----a-w- C:\Windows\SysWow64\ieencode.dll
    2010-12-20 14:37:07 485376 ----a-w- C:\Windows\System32\html.iec
    2010-12-20 14:12:59 389632 ----a-w- C:\Windows\SysWow64\html.iec
    2010-12-20 14:12:01 1383424 ----a-w- C:\Windows\System32\mshtml.tlb
    2010-12-20 13:51:45 1383424 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2010-12-14 16:20:18 1251840 ----a-w- C:\Windows\System32\sdclt.exe
    .
    ============= FINISH: 18:28:45.36 ===============

    DDS Attach log

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-03-05.01)
    .
    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume2
    Install Date: 28/03/2009 12:39:21
    System Uptime: 09/03/2011 18:14:16 (0 hours ago)
    .
    Motherboard: Packard Bell | | FMCP7AM
    Processor: Intel(R) Core(TM)2 Quad CPU Q8200 @ 2.33GHz | CPU 1 | 2336/333mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 582 GiB total, 27.684 GiB free.
    D: is CDROM ()
    E: is Removable
    F: is Removable
    G: is Removable
    H: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    .
    ==== Installed Programs ======================
    .
    Adobe Reader 9.4.2
    Amazon Kindle For PC
    Apple Application Support
    Crysis 2 Demo
    Crysis(R)
    Dead Rising 2
    Dream Experimental v0.5
    Elite Force RPG-X v2.0
    Email Scrabble .Net
    Far Cry Demo
    Google Chrome
    Hitman: Blood Money
    Just Cause 2
    Lara Croft and the Guardian of Light
    Malwarebytes' Anti-Malware
    Mass Effect 2
    Medieval II: Total War
    Medieval II: Total War Kingdoms
    Metro 2033
    Microsoft Chart Controls for Microsoft .NET Framework 3.5
    Microsoft Office Home and Student 2007
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Works
    Microsoft XNA Framework Redistributable 3.1
    Need for Speed(TM) Hot Pursuit
    NVIDIA PhysX
    Oblivion mod manager 1.1.12
    OpenAL
    Pando Media Booster
    QuickTime
    RIFT
    Safari
    Skype™ 5.1
    Star Trek Legacy
    Star Trek Voyager Elite Force
    Titan Quest
    Titan Quest: Immortal Throne
    Tom Clancy's Splinter Cell Conviction
    Total War: SHOGUN 2 Demo
    Ubisoft Game Launcher
    Unity Web Player
    Warhammer 40,000: Dawn of War Gold Edition
    Warhammer 40,000: Dawn of War – Dark Crusade
    Warhammer 40,000: Dawn of War – Winter Assault
    Warhammer® 40,000®: Dawn of War® II – Retribution™
    Warhammer® 40,000™: Dawn of War® II
    Warhammer® 40,000™: Dawn of War® II – Chaos Rising™
    .
    ==== End Of File ===========================
     
  2. Broni

    Broni Malware Annihilator Posts: 47,066   +257

    Welcome aboard

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =======================================================================

    Make sure your AVG is up to date, since there were some false positives reported lately.

    Now...you're running two AV programs, AVG and Norton.
    One of them has to go.
    If AVG, use this uninstaller: http://www.avg.com/us-en/download-tools
    If Norton, use this one: http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=20080710133834EN

    When done....

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.

    ====================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.



    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  3. banana1

    banana1 TS Rookie Topic Starter Posts: 36

    Thanks Broni, I will do that when I get back from work tonight. I want to get rid of Norton, so I shall remove that. But it looks like I will have to remove AVG temporarily anyway too, to run ComboFix.

    AVG still hasn't gotten back to me on the file I sent for testing, so they are still in the quarantine. Before I uninstall AVG for ComboFix, do I use AVG to empty and remove the quarantined items?

    Thank you for your help, I know nothing about this kind of thing.
     
  4. Broni

    Broni Malware Annihilator Posts: 47,066   +257

    Leave quarantined files alone for now.
    They're safe there.
    I just want to make sure, nothing important has been removed as false positive.
     
  5. banana1

    banana1 TS Rookie Topic Starter Posts: 36

    But if I uninstall AVG to run the ComboFix file, won't that, like, unquarantine things? I don't want to make things worse, because right now I have no symptoms of infection.
     
  6. Broni

    Broni Malware Annihilator Posts: 47,066   +257

    No, uninstalling will either get rid of the quarantine folder, or it'll give you an option to leave the folder alone.
    If the latter option is possible, I'd prefer that, so nothing important is removed by mistake.
    If you want to, we can take a look, if you can post the content of the quarantine folder.
     
  7. banana1

    banana1 TS Rookie Topic Starter Posts: 36

    There are two items:

    c:\Program Files (x86)\THQ\Gas Powered Games\Supreme Commander - Forged Alliance\bin\ForgedAlliance.exe

    c:\Program Files (x86)\LucasArts\Star Wars Empire at War Forces of Corruption\swfoc.exe

    Both say severity is infection.

    That's all that's in there. I can't see how those files were infected with anything; I haven't played either of those games in months and months, and I update and run AVG and Spybot Search & Destroy every day.

    What would you like me to do now? I appreciate your help, thank you Broni.
     
  8. Broni

    Broni Malware Annihilator Posts: 47,066   +257

    Upload both files to http://www.virustotal.com/ for security check.

    IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
    Post scan results.
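The hash lookup behind the "already analyzed" case above, as an added example (not code from the thread, from AVG or from VirusTotal): hash the quarantined executable with SHA-256, ask VirusTotal whether it already has a report for that hash (no upload needed), and summarize the engine consensus into a triage verdict. It assumes the current VirusTotal API v3 endpoint `GET /api/v3/files/{sha256}` and an API key in the `VT_API_KEY` environment variable; `SAMPLE_REPORT` is a constructed response for illustration, not a real record for the two game executables, and the "likely false positive" rule of thumb (one or two engines, heuristic or generic names only, many engines silent) is this example's own, not a vendor definition.

```python
"""Triage an AV heuristic alert (such as AVG's Win32/Heur on a game .exe) by
hashing the file and checking the hash against VirusTotal.

Added example for this thread, not code from TechSpot, AVG or VirusTotal.
Assumptions: VirusTotal API v3 (GET /api/v3/files/{sha256}), an API key in
the VT_API_KEY environment variable, and SAMPLE_REPORT being a constructed
response rather than a real VirusTotal record.
"""
import hashlib
import json
import os
import sys
import urllib.request

VT_FILE_API = "https://www.virustotal.com/api/v3/files/{sha256}"
VT_FILE_GUI = "https://www.virustotal.com/gui/file/{sha256}"

# Name fragments that usually mark a heuristic or generic verdict rather than a
# signature match on a known sample (rule of thumb for this example only).
HEURISTIC_MARKERS = ("heur", "generic", "suspicious", "gen:", "unsafe", "ml.")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash in chunks so a large game executable is not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_vt_request(sha256: str, api_key: str) -> urllib.request.Request:
    """Hash lookup: asks whether VT already knows the file, without uploading it."""
    return urllib.request.Request(
        VT_FILE_API.format(sha256=sha256),
        headers={"x-apikey": api_key, "accept": "application/json"},
    )


def fetch_vt_report(sha256: str, api_key: str) -> dict:
    with urllib.request.urlopen(build_vt_request(sha256, api_key), timeout=30) as resp:
        return json.load(resp)


def summarize_report(report: dict) -> dict:
    """Reduce a v3 file object to engine consensus plus a triage verdict."""
    attrs = report["data"]["attributes"]
    results = attrs.get("last_analysis_results", {})
    # Engines that called the sample malicious or suspicious, with their names.
    flagged = {
        engine: (r.get("result") or "")
        for engine, r in results.items()
        if r.get("category") in ("malicious", "suspicious")
    }
    heuristic_only = bool(flagged) and all(
        any(m in name.lower() for m in HEURISTIC_MARKERS) for name in flagged.values()
    )
    sig = attrs.get("signature_info", {})  # present for Authenticode-signed PE files
    if not results:
        verdict = "unknown: VirusTotal has no report for this hash, upload the file"
    elif not flagged:
        verdict = "clean: no engine flags this hash"
    elif len(flagged) <= 2 and heuristic_only and len(results) >= 10:
        verdict = "likely false positive: heuristic/generic names from a small minority"
    else:
        verdict = "treat as malicious until proven otherwise"
    return {
        "engines": len(results),
        "flagged": flagged,
        "signed_by": sig.get("signers"),
        "verdict": verdict,
    }


# Constructed sample: 12 engines, only AVG flags the file, with a heuristic name.
SAMPLE_REPORT = {
    "data": {"attributes": {
        "last_analysis_results": {
            "AVG": {"category": "malicious", "result": "Win32/Heur"},
            **{name: {"category": "undetected", "result": None}
               for name in ("Avast", "BitDefender", "DrWeb", "ESET-NOD32",
                            "F-Secure", "Kaspersky", "McAfee", "Microsoft",
                            "Sophos", "Symantec", "TrendMicro")},
        },
        "signature_info": {"signers": "Example Game Studio"},  # hypothetical signer
    }}
}


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} <file>", file=sys.stderr)
        return 2
    digest = sha256_file(argv[1])
    print("sha256:", digest)
    api_key = os.environ.get("VT_API_KEY")
    if not api_key:
        # No key: print the page to check by hand in the browser.
        print("manual lookup:", VT_FILE_GUI.format(sha256=digest))
        return 0
    print(json.dumps(summarize_report(fetch_vt_report(digest, api_key)), indent=2))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python vt_triage.py "C:\...\ForgedAlliance.exe"`; without an API key it prints the hash and the VirusTotal page to check manually. A hash lookup returns the last stored analysis, which may predate the definition update that raised the alert, so when the report is old re-analyse it as the post says before trusting the verdict either way. A valid Authenticode signature from the publisher (`signed_by`) is further evidence for a false positive, but an unsigned file proves nothing either way since many older game executables were never signed.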
     
  9. banana1

    banana1 TS Rookie Topic Starter Posts: 36

    Where do I find the files? I'm not sure where AVG's quarantine folder is, I'll then upload them to the virustotal site you mentioned.
     
  10. Broni

    Broni Malware Annihilator Posts: 47,066   +257

    I'm not sure either, but try to look around in C:\Program Files\AVG
     
  11. banana1

    banana1 TS Rookie Topic Starter Posts: 36

    I can't find the quarantine folder, and isn't it not a good idea to go opening that anyway? Can't we get rid of the files with AVG, then just proceed with the ComboFix checks and stuff after the files are removed and AVG is uninstalled? I mean, they are only game exe's; they can be replaced from the game disks, which are obviously clean.
     
     
  12. Broni

    Broni Malware Annihilator Posts: 47,066   +257

    If you don't worry about those files, go ahead and empty the quarantine folder.
     
  13. banana1

    banana1 TS Rookie Topic Starter Posts: 36

    Hi, sorry for the late reply, just got back from work. Here is the MBR check you told me to run. I uninstalled Norton too, just have AVG on right now. Still I have no symptoms, but I noticed when I ran the MBR check it said "MBR code Faked"; what does that mean? I'll wait until I get a reply to continue with the other things you said.

    Edit: I know that Bobbeye just said that AVG's update was the cause of the false positive for the heur virus, and to update AVG (which I have always been doing anyway) and to recheck if it still registers the virus, but I deleted them from the quarantine earlier so I can't rescan them as they are gone from the PC. I would like to continue with your help though, if that's OK, since I would prefer to be on the safe side anyway if it's not too much trouble. I'm a little worried about the MBR thing too; it doesn't sound good saying something's fake.


    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows Vista Home Premium Edition
    Windows Information: Service Pack 1 (build 6001), 64-bit
    Base Board Manufacturer: Packard Bell
    BIOS Manufacturer: American Megatrends Inc.
    System Manufacturer: Packard Bell
    System Product Name: IXTREME X6617 UK
    Logical Drives Mask: 0x000000fc

    Kernel Drivers (total 145):
    0x02264000 \SystemRoot\system32\ntoskrnl.exe
    0x0221E000 \SystemRoot\system32\hal.dll
    0x00609000 \SystemRoot\system32\kdcom.dll
    0x00613000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
    0x00640000 \SystemRoot\system32\PSHED.dll
    0x00654000 \SystemRoot\system32\CLFS.SYS
    0x006B1000 \SystemRoot\system32\CI.dll
    0x00809000 \SystemRoot\system32\drivers\Wdf01000.sys
    0x008E3000 \SystemRoot\system32\drivers\WDFLDR.SYS
    0x008F1000 \SystemRoot\system32\drivers\acpi.sys
    0x00947000 \SystemRoot\system32\drivers\WMILIB.SYS
    0x00950000 \SystemRoot\system32\drivers\msisadrv.sys
    0x0095A000 \SystemRoot\system32\drivers\pci.sys
    0x0098A000 \SystemRoot\System32\drivers\partmgr.sys
    0x0099F000 \SystemRoot\system32\drivers\volmgr.sys
    0x00763000 \SystemRoot\System32\drivers\volmgrx.sys
    0x009B3000 \SystemRoot\system32\drivers\nvrd64.sys
    0x007C9000 \SystemRoot\system32\drivers\CLASSPNP.SYS
    0x009DF000 \SystemRoot\System32\drivers\mountmgr.sys
    0x00A02000 \SystemRoot\system32\drivers\nvraid.sys
    0x00A25000 \SystemRoot\system32\drivers\nvstor64.sys
    0x00A51000 \SystemRoot\system32\drivers\storport.sys
    0x00AAE000 \SystemRoot\system32\drivers\fltmgr.sys
    0x00AF4000 \SystemRoot\system32\drivers\fileinfo.sys
    0x00B08000 \SystemRoot\System32\Drivers\ksecdd.sys
    0x00C02000 \SystemRoot\system32\drivers\ndis.sys
    0x00B8F000 \SystemRoot\system32\drivers\msrpc.sys
    0x00E09000 \SystemRoot\system32\drivers\NETIO.SYS
    0x00E61000 \SystemRoot\System32\drivers\tcpip.sys
    0x00DC5000 \SystemRoot\System32\drivers\fwpkclnt.sys
    0x01008000 \SystemRoot\System32\Drivers\Ntfs.sys
    0x0118C000 \SystemRoot\system32\drivers\wd.sys
    0x01194000 \SystemRoot\system32\drivers\volsnap.sys
    0x011D8000 \SystemRoot\System32\Drivers\spldr.sys
    0x011E0000 \SystemRoot\system32\DRIVERS\NVAMACPI.sys
    0x011EA000 \SystemRoot\System32\Drivers\mup.sys
    0x01201000 \SystemRoot\System32\drivers\ecache.sys
    0x0122D000 \SystemRoot\system32\drivers\disk.sys
    0x01241000 \SystemRoot\system32\drivers\crcdisk.sys
    0x0124B000 \SystemRoot\system32\DRIVERS\avgrkx64.sys
    0x01255000 \SystemRoot\system32\DRIVERS\AVGIDSEH.Sys
    0x012A3000 \SystemRoot\system32\DRIVERS\tunnel.sys
    0x012B0000 \SystemRoot\system32\DRIVERS\tunmp.sys
    0x012B9000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0x012CC000 \SystemRoot\system32\DRIVERS\serial.sys
    0x012E9000 \SystemRoot\system32\DRIVERS\serenum.sys
    0x012F5000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0x0130B000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0x01319000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0x01325000 \SystemRoot\system32\DRIVERS\nvsmu.sys
    0x01330000 \SystemRoot\system32\DRIVERS\usbohci.sys
    0x0133B000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0x01381000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0x01392000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0x03203000 \SystemRoot\system32\DRIVERS\nvmfdx64.sys
    0x0336F000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0x0338B000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
    0x03401000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
    0x04093000 \SystemRoot\system32\DRIVERS\nvBridge.kmd
    0x04095000 \SystemRoot\System32\drivers\dxgkrnl.sys
    0x04174000 \SystemRoot\System32\drivers\watchdog.sys
    0x04183000 \SystemRoot\system32\DRIVERS\ohci1394.sys
    0x04195000 \SystemRoot\system32\DRIVERS\1394BUS.SYS
    0x041A5000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
    0x041AE000 \SystemRoot\system32\DRIVERS\msiscsi.sys
    0x041E6000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0x03398000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0x041F3000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0x033BB000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0x033EC000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0x013A5000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0x013C3000 \SystemRoot\system32\DRIVERS\rassstp.sys
    0x013DB000 \SystemRoot\system32\DRIVERS\termdd.sys
    0x033FC000 \SystemRoot\system32\DRIVERS\swenum.sys
    0x04202000 \SystemRoot\system32\DRIVERS\ks.sys
    0x04236000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0x04241000 \SystemRoot\system32\DRIVERS\umbus.sys
    0x04251000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0x04298000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0x04A09000 \SystemRoot\system32\drivers\RTKVHD64.sys
    0x04B76000 \SystemRoot\system32\drivers\portcls.sys
    0x04BB1000 \SystemRoot\system32\drivers\drmk.sys
    0x04BD4000 \SystemRoot\system32\drivers\ksthunk.sys
    0x04BDA000 \SystemRoot\system32\DRIVERS\avgmfx64.sys
    0x04BE9000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0x04BF3000 \SystemRoot\System32\Drivers\Null.SYS
    0x042AC000 \SystemRoot\System32\drivers\vga.sys
    0x042BA000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
    0x042DF000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    0x04BFC000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0x04A00000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0x042F4000 \SystemRoot\system32\drivers\rdpencdd.sys
    0x042FD000 \SystemRoot\System32\Drivers\Msfs.SYS
    0x04308000 \SystemRoot\System32\Drivers\Npfs.SYS
    0x04319000 \SystemRoot\System32\DRIVERS\rasacd.sys
    0x04322000 \SystemRoot\system32\DRIVERS\tdx.sys
    0x0433F000 \SystemRoot\system32\DRIVERS\smb.sys
    0x0435A000 \SystemRoot\system32\DRIVERS\avgtdia.sys
    0x043BB000 \SystemRoot\System32\DRIVERS\netbt.sys
    0x013ED000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0x00FD5000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0x013F6000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0x04C02000 \SystemRoot\system32\drivers\afd.sys
    0x04C6F000 \SystemRoot\system32\drivers\ws2ifsl.sys
    0x04C7A000 \SystemRoot\system32\DRIVERS\pacer.sys
    0x04C98000 \SystemRoot\system32\DRIVERS\netbios.sys
    0x04CA7000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0x04CC2000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0x04D10000 \SystemRoot\system32\drivers\nsiproxy.sys
    0x04D1C000 \SystemRoot\System32\Drivers\dfsc.sys
    0x04D39000 \SystemRoot\system32\DRIVERS\avgldx64.sys
    0x04D89000 \SystemRoot\system32\DRIVERS\udfs.sys
    0x04DD7000 \SystemRoot\System32\Drivers\crashdmp.sys
    0x04DE5000 \SystemRoot\System32\Drivers\dump_diskdump.sys
    0x0125F000 \SystemRoot\System32\Drivers\dump_nvstor64.sys
    0x00020000 \SystemRoot\System32\win32k.sys
    0x04DEF000 \SystemRoot\System32\drivers\Dxapi.sys
    0x0128B000 \SystemRoot\system32\DRIVERS\monitor.sys
    0x00480000 \SystemRoot\System32\TSDDD.dll
    0x00620000 \SystemRoot\System32\cdd.dll
    0x008B0000 \SystemRoot\System32\ATMFD.DLL
    0x08405000 \SystemRoot\system32\drivers\luafv.sys
    0x08427000 \SystemRoot\system32\drivers\spsys.sys
    0x084C1000 \SystemRoot\system32\DRIVERS\lltdio.sys
    0x084D5000 \SystemRoot\system32\DRIVERS\rspndr.sys
    0x084ED000 \SystemRoot\system32\drivers\HTTP.sys
    0x0858C000 \SystemRoot\System32\DRIVERS\srvnet.sys
    0x085B5000 \SystemRoot\system32\DRIVERS\bowser.sys
    0x085D3000 \SystemRoot\System32\drivers\mpsdrv.sys
    0x08E0A000 \SystemRoot\system32\drivers\mrxdav.sys
    0x08E31000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0x08E5A000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    0x08EA3000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    0x08EC2000 \SystemRoot\System32\DRIVERS\srv2.sys
    0x08EF4000 \SystemRoot\System32\DRIVERS\srv.sys
    0x08F8A000 \SystemRoot\System32\Drivers\adfs.SYS
    0x08FA2000 \SystemRoot\system32\DRIVERS\atksgt.sys
    0x08FF0000 \SystemRoot\system32\DRIVERS\AVGIDSFilter.Sys
    0x00FE7000 \??\C:\Windows\SysWOW64\drivers\int15_64.sys
    0x085ED000 \SystemRoot\system32\DRIVERS\lirsgt.sys
    0x0960C000 \SystemRoot\system32\drivers\peauth.sys
    0x096C2000 \SystemRoot\System32\Drivers\secdrv.SYS
    0x096CD000 \SystemRoot\System32\drivers\tcpipreg.sys
    0x096DC000 \SystemRoot\system32\DRIVERS\AVGIDSDriver.Sys
    0x77110000 \Windows\System32\ntdll.dll

    Processes (total 79):
    0 System Idle Process
    4 System
    452 C:\Windows\System32\smss.exe
    484 C:\PROGRA~2\AVG\AVG10\avgchsva.exe
    540 C:\PROGRA~2\AVG\AVG10\avgrsa.exe
    732 csrss.exe
    800 C:\Windows\System32\wininit.exe
    812 csrss.exe
    848 C:\Windows\System32\services.exe
    860 C:\Windows\System32\lsass.exe
    872 C:\Windows\System32\lsm.exe
    916 C:\Windows\System32\winlogon.exe
    328 C:\Windows\System32\svchost.exe
    460 C:\Windows\System32\nvvsvc.exe
    668 C:\Windows\System32\svchost.exe
    1000 C:\Windows\System32\svchost.exe
    720 C:\Windows\System32\svchost.exe
    1036 C:\Windows\System32\svchost.exe
    1132 C:\Windows\System32\audiodg.exe
    1156 C:\Windows\System32\svchost.exe
    1172 C:\Windows\System32\SLsvc.exe
    1220 C:\Windows\System32\svchost.exe
    1344 C:\Windows\System32\nvvsvc.exe
    1444 C:\Windows\System32\svchost.exe
    1656 C:\Windows\System32\spoolsv.exe
    1680 C:\Windows\System32\svchost.exe
    1440 C:\Windows\System32\dwm.exe
    1476 C:\Windows\System32\taskeng.exe
    308 C:\Windows\System32\taskeng.exe
    1500 C:\Windows\explorer.exe
    2068 C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    2144 C:\Windows\System32\nvraidservice.exe
    2172 C:\Windows\RAVCpl64.exe
    2344 C:\ACER\Preload\Autorun\DRV\Fiji Keyboard\ABoard.exe
    2360 C:\Program Files\PACKARD BELL\SetUpMyPC\SmpSys.exe
    2368 C:\Windows\ehome\ehtray.exe
    2400 C:\Windows\ehome\ehmsas.exe
    2408 C:\ACER\Preload\Autorun\DRV\Fiji Keyboard\AOSD.exe
    2456 C:\Windows\System32\svchost.exe
    2496 C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    2508 C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
    2720 C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe
    2764 C:\Program Files (x86)\Bonjour\mDNSResponder.exe
    2788 C:\Program Files\PACKARD BELL\Packard Bell Recovery Management\Service\ETService.exe
    3024 C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe
    3056 C:\Program Files (x86)\AVG\AVG10\avgtray.exe
    1296 C:\Program Files (x86)\iTunes\iTunesHelper.exe
    1392 C:\Windows\System32\HidService.exe
    2336 C:\Program Files\Microsoft LifeCam\MSCamS64.exe
    2320 C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe
    2128 C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe
    3104 C:\Program Files (x86)\AVG\AVG10\avgnsa.exe
    3112 C:\Windows\SysWOW64\PnkBstrA.exe
    3144 C:\Windows\System32\svchost.exe
    3176 C:\Program Files (x86)\Packard Bell\SrvCDEject.exe
    3340 C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    3360 C:\Windows\System32\svchost.exe
    3408 C:\Windows\System32\svchost.exe
    3436 C:\Windows\System32\svchost.exe
    3476 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    3548 C:\Windows\System32\SearchIndexer.exe
    3628 C:\Program Files (x86)\AVG\AVG10\avgemca.exe
    3852 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
    3960 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
    3132 C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
    3164 C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    2104 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
    4344 C:\Program Files\iPod\bin\iPodService.exe
    4596 WmiPrvSE.exe
    4880 C:\Windows\System32\wbem\unsecapp.exe
    4808 C:\Users\Christopher\AppData\Local\Google\Chrome\Application\chrome.exe
    1304 C:\Windows\System32\SearchProtocolHost.exe
    3952 C:\Users\Christopher\AppData\Local\Google\Chrome\Application\chrome.exe
    3536 C:\Users\Christopher\AppData\Local\Google\Chrome\Application\chrome.exe
    1076 WmiPrvSE.exe
    4692 C:\Windows\System32\wuauclt.exe
    1956 C:\Windows\System32\SearchFilterHost.exe
    4212 C:\Windows\servicing\TrustedInstaller.exe
    228 C:\Users\Christopher\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000003`a9900000 (NTFS)

    PhysicalDrive0 Model Number: WDC WD6400AAKS-00A7B, Rev: 01.0

    Size Device Name MBR Status
    --------------------------------------------
    596 GB \\.\PhysicalDrive0 MBR Code Faked!
    SHA1: B5C35EFE944C59530229019F26C1A75A6658D723


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    Done!
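
    The "MBR Code Faked!" line in the MBRCheck output above is the tool's way of saying that the boot sector does not match what it expects, and the SHA1 it prints is what you would compare against a hash taken from a known-good copy of the same disk. As an added example (not MBRCheck's code, and not posted by anyone in this thread), here is a small Python script that reads a 512-byte MBR image, validates the 55AA boot signature, decodes the four partition-table entries and hashes the 440-byte boot-code region with SHA1 so it can be checked against an allowlist. The sample sector, the `KNOWN_GOOD` hash set and all function names are constructed for this example; how MBRCheck itself derives its verdict is not documented on this page.

```python
"""Parse a classic 512-byte MBR and compare its boot code against known-good hashes.

Added example for this thread; the sample sector below is constructed, not a real disk image.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0..439 hold the boot code on a classic MBR
DISK_SIG_OFF = 440            # 4-byte disk signature, then 2 reserved bytes
PARTITION_TABLE_OFF = 446     # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code, partitions, disk_sig=b"\x00" * 4):
    """Assemble a constructed MBR sector for testing (hypothetical helper, not a disk tool)."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long for a classic MBR")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    sector[DISK_SIG_OFF:DISK_SIG_OFF + 4] = disk_sig
    for i, (bootable, ptype, lba_start, sectors) in enumerate(partitions[:4]):
        off = PARTITION_TABLE_OFF + 16 * i
        status = 0x80 if bootable else 0x00
        # CHS fields stay zero; anything modern reads the LBA fields instead
        sector[off:off + 16] = struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_mbr(sector):
    """Return signature validity, SHA1 of the whole sector and of the boot code, and the partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly %d bytes" % SECTOR_SIZE)
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + 16 * i
        status, _, ptype, _, lba_start, sectors = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0 and sectors == 0:
            continue  # empty slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "sector_sha1": hashlib.sha1(sector).hexdigest().upper(),
        "boot_code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper(),
        "partitions": partitions,
    }


def classify_mbr(sector, known_good_boot_code_hashes):
    """Triage verdict: invalid signature, known boot code, or unknown (needs comparison)."""
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        return "INVALID: missing 55AA boot signature"
    if info["boot_code_sha1"] in known_good_boot_code_hashes:
        return "OK: boot code matches a known-good hash"
    return "UNKNOWN: non-standard boot code, compare against a known-good image of this disk"


# Constructed sample: arbitrary boot-code bytes plus a 100 MB boot partition and a large NTFS one.
SAMPLE_BOOT_CODE = b"\x90" * 16 + b"constructed-sample-boot-code"
SAMPLE_MBR = build_sample_mbr(
    SAMPLE_BOOT_CODE,
    [(True, 0x07, 2048, 204800), (False, 0x07, 206848, 1250000000)],
    disk_sig=b"\x12\x34\x56\x78",
)
# In practice the allowlist is taken from a disk in a known-good state; here it is derived from the sample.
KNOWN_GOOD = {parse_mbr(SAMPLE_MBR)["boot_code_sha1"]}

# Two constructed variants for comparison: one byte of boot code flipped, and the signature removed.
TAMPERED_MBR = bytes([SAMPLE_MBR[0] ^ 0xFF]) + SAMPLE_MBR[1:]
NOSIG_MBR = SAMPLE_MBR[:511] + b"\x00"

if __name__ == "__main__":
    for name, sector in (("sample", SAMPLE_MBR), ("tampered", TAMPERED_MBR), ("no-signature", NOSIG_MBR)):
        info = parse_mbr(sector)
        print(name, info["sector_sha1"], classify_mbr(sector, KNOWN_GOOD))
        for p in info["partitions"]:
            print("  partition", p["index"], "type 0x%02X" % p["type"], "LBA", p["lba_start"], "sectors", p["sectors"])
```

    To use it on a real machine you would read the first 512 bytes of the physical drive with the platform's raw-disk access and feed them to `parse_mbr`; the SHA1 it prints for the whole sector is the same kind of value MBRCheck shows. Treat "UNKNOWN" as a flag to investigate, not as proof of infection: OEM recovery tools and boot managers (the log above shows Packard Bell Recovery Management installed) can legitimately put non-standard code in the MBR, so the useful comparison is against a hash taken from the same machine when it was known to be clean.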
     
  14. Broni

    Broni Malware Annihilator Posts: 47,066   +257

    I still need Combofix log.
     
  15. banana1

    banana1 TS Rookie Topic Starter Posts: 36

    I tried uninstalling AVG, and while it's not here anymore, ComboFix doesn't want to run as it's still saying it's installed. I tried app remover to see if it's still listed, but it's not coming up on that either. What do I do?
     
  16. Broni

    Broni Malware Annihilator Posts: 47,066   +257

  17. banana1

    banana1 TS Rookie Topic Starter Posts: 36

    AVG remover is what I tried first; it pulled up a mini black box and then restarted the PC afterwards, and AVG isn't in the task bar or processes list anymore, but Combo says it's still installed and it's dangerous to try using Combo when it's installed.
     
  18. banana1

    banana1 TS Rookie Topic Starter Posts: 36

    Wait, Combo is working now; it's scanning. I'll post the results when they are done, soon hopefully.
     
  19. banana1

    banana1 TS Rookie Topic Starter Posts: 36

    Hi, sorry for the hiccup.

    Here's the ComboFix log for you. Can I reinstall AVG now? Feeling a little naked, so to speak, lol.


    ComboFix 11-03-10.04 - Christopher 12/03/2011 18:30:01.1.4 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.4094.2869 [GMT 0:00]
    Running from: c:\users\Christopher\Desktop\ComboFix.exe
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files (x86)\INSTALL.LOG
    c:\users\Christopher\AppData\Roaming\mwll_torrent.dll
    c:\windows\system32\Install.cmd
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-12 to 2011-03-12 )))))))))))))))))))))))))))))))
    .
    .
    2073-04-13 17:17 . 2006-11-21 20:48 203576 ------w- c:\program files (x86)\Microsoft Games\Age of Empires III\autopatcher2.exe
    2011-03-12 18:38 . 2011-03-12 18:38 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-03-12 18:38 . 2011-03-12 18:38 -------- d-----w- c:\users\Christopher\AppData\Local\temp
    2011-03-12 18:28 . 2011-03-12 18:28 -------- d-----w- C:\32788R22FWJFW
    2011-03-09 17:21 . 2010-12-17 17:12 2424320 ----a-w- c:\windows\system32\mstscax.dll
    2011-03-09 17:21 . 2010-12-17 16:43 2067456 ----a-w- c:\windows\SysWow64\mstscax.dll
    2011-03-09 17:21 . 2010-12-17 15:35 730624 ----a-w- c:\windows\system32\mstsc.exe
    2011-03-09 17:21 . 2010-12-17 15:06 677888 ----a-w- c:\windows\SysWow64\mstsc.exe
    2011-03-09 17:21 . 2010-12-29 17:53 416768 ----a-w- c:\windows\system32\sbe.dll
    2011-03-09 17:21 . 2010-12-29 17:53 210944 ----a-w- c:\windows\system32\sbeio.dll
    2011-03-09 17:21 . 2010-12-29 17:53 560128 ----a-w- c:\windows\system32\EncDec.dll
    2011-03-09 17:21 . 2010-12-29 17:51 226816 ----a-w- c:\windows\system32\mpg2splt.ax
    2011-03-09 17:21 . 2010-12-29 17:41 323072 ----a-w- c:\windows\SysWow64\sbe.dll
    2011-03-09 17:21 . 2010-12-29 17:41 153088 ----a-w- c:\windows\SysWow64\sbeio.dll
    2011-03-09 17:21 . 2010-12-29 17:41 429056 ----a-w- c:\windows\SysWow64\EncDec.dll
    2011-03-09 17:21 . 2010-12-29 17:39 177664 ----a-w- c:\windows\SysWow64\mpg2splt.ax
    2011-03-08 21:06 . 2011-03-08 21:06 -------- d-----w- c:\users\Christopher\AppData\Roaming\Malwarebytes
    2011-03-08 21:06 . 2010-12-20 18:09 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
    2011-03-08 21:06 . 2011-03-08 21:06 -------- d-----w- c:\programdata\Malwarebytes
    2011-03-08 21:06 . 2011-03-08 21:13 -------- d-----w- c:\program files (x86)\MALWAREBYTES ANTI-MALWARE
    2011-03-08 21:06 . 2011-03-08 21:06 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2011-03-08 21:06 . 2010-12-20 18:08 24152 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-03-04 20:44 . 2011-03-04 20:44 -------- d-----w- c:\program files\iPod
    2011-03-04 20:44 . 2011-03-04 20:45 -------- d-----w- c:\program files\iTunes
    2011-03-04 20:44 . 2011-03-04 20:45 -------- d-----w- c:\program files (x86)\iTunes
    2011-03-04 20:39 . 2011-03-04 20:39 -------- d-----w- c:\program files\Bonjour
    2011-03-04 20:39 . 2011-03-04 20:39 -------- d-----w- c:\program files (x86)\Bonjour
    2011-02-26 01:19 . 2011-02-26 01:19 41872 ----a-w- c:\windows\SysWow64\xfcodec.dll
    2011-02-26 01:19 . 2011-02-26 01:19 27536 ----a-w- c:\windows\system32\xfcodec64.dll
    2011-02-23 18:22 . 2011-02-23 18:22 -------- d-----w- c:\users\Christopher\AppData\Local\Chromium
    2011-02-23 17:12 . 2009-10-09 21:56 2048 ----a-w- c:\windows\SysWow64\winrsmgr.dll
    2011-02-23 17:12 . 2009-10-09 21:35 2048 ----a-w- c:\windows\system32\winrsmgr.dll
    2011-02-23 17:12 . 2009-10-09 21:35 13312 ----a-w- c:\windows\system32\wsmplpxy.dll
    2011-02-23 17:12 . 2009-10-09 21:34 13312 ----a-w- c:\windows\system32\winrssrv.dll
    2011-02-23 17:12 . 2009-10-09 21:56 10240 ----a-w- c:\windows\SysWow64\wsmplpxy.dll
    2011-02-23 17:12 . 2009-10-09 21:56 10240 ----a-w- c:\windows\SysWow64\winrssrv.dll
    2011-02-22 21:08 . 2011-02-22 21:08 -------- d-----w- c:\users\Christopher\AppData\Roaming\Amazon
    2011-02-22 21:08 . 2011-02-22 21:08 -------- d-----w- c:\users\Christopher\AppData\Local\Amazon
    2011-02-22 21:07 . 2011-02-22 21:07 -------- d-----w- c:\program files (x86)\Amazon
    2011-02-21 17:28 . 2011-02-21 17:28 -------- d-----w- c:\program files (x86)\Common Files\Skype
    2011-02-18 16:36 . 2011-02-18 16:36 51712 ----a-w- c:\windows\system32\drivers\usbaapl64.sys
    2011-02-18 16:36 . 2011-02-18 16:36 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
    2011-02-12 20:20 . 2011-02-12 20:20 -------- d-----w- c:\program files (x86)\Raven
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-16 19:07 . 2009-05-24 13:33 270904 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
    2011-02-16 19:07 . 2009-04-02 20:45 270904 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
    2011-02-16 19:05 . 2009-04-02 20:45 215128 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
    2011-01-08 09:31 . 2011-02-09 18:20 48128 ----a-w- c:\windows\system32\atmlib.dll
    2011-01-08 07:50 . 2011-02-09 18:20 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
    2011-01-08 06:17 . 2011-02-09 18:20 367104 ----a-w- c:\windows\system32\atmfd.dll
    2011-01-08 05:57 . 2011-02-09 18:20 292352 ----a-w- c:\windows\SysWow64\atmfd.dll
    2010-12-31 13:46 . 2011-02-09 18:20 2755584 ----a-w- c:\windows\system32\win32k.sys
    2010-12-28 15:26 . 2011-01-12 10:59 462848 ----a-w- c:\windows\system32\odbc32.dll
    2010-12-28 14:57 . 2011-01-12 10:59 409600 ----a-w- c:\windows\SysWow64\odbc32.dll
    2010-12-23 17:10 . 2010-09-24 16:48 43520 ----a-w- c:\windows\SysWow64\CmdLineExt03.dll
    2010-12-20 16:08 . 2011-02-09 18:20 1032704 ----a-w- c:\windows\system32\wininet.dll
    2010-12-20 16:04 . 2011-02-09 18:20 86528 ----a-w- c:\windows\system32\ieencode.dll
    2010-12-20 15:40 . 2011-02-09 18:20 833024 ----a-w- c:\windows\SysWow64\wininet.dll
    2010-12-20 15:37 . 2011-02-09 18:20 78336 ----a-w- c:\windows\SysWow64\ieencode.dll
    2010-12-20 14:37 . 2011-02-09 18:20 485376 ----a-w- c:\windows\system32\html.iec
    2010-12-20 14:12 . 2011-02-09 18:20 389632 ----a-w- c:\windows\SysWow64\html.iec
    2010-12-20 14:12 . 2011-02-09 18:20 1383424 ----a-w- c:\windows\system32\mshtml.tlb
    2010-12-20 13:51 . 2011-02-09 18:20 1383424 ----a-w- c:\windows\SysWow64\mshtml.tlb
    2010-12-14 16:20 . 2011-01-12 10:59 1251840 ----a-w- c:\windows\system32\sdclt.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SmpcSys"="c:\program files\PACKARD BELL\SetUpMyPC\SmpSys.exe" [2008-07-07 1038136]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
    "Google Update"="c:\users\Christopher\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-10-21 136176]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "SmpcSys"="c:\program files\Packard Bell\SetupMyPC\SmpSys.exe" [2008-07-07 1038136]
    "AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-21 47904]
    "AdobeCS4ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
    "LifeCam"="c:\program files (x86)\Microsoft LifeCam\LifeExp.exe" [2010-03-12 119152]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-03-01 421160]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
    @=""
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 gupdate1c9d4b82f48e567;Google Update Service (gupdate1c9d4b82f48e567);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-05-14 133104]
    R2 SrvCDEject;SrvCDEject;c:\program files (x86)\Packard Bell\SrvCDEject.exe [2008-02-26 600576]
    R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files (x86)\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-12-15 25832]
    R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2009-08-18 1038088]
    R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\Drivers\nx6000.sys [x]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
    R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [x]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
    S0 nvamacpi;Nvidia Away Mode System;c:\windows\system32\DRIVERS\NVAMACPI.sys [x]
    S2 ETService;Empowering Technology Service;c:\program files\Packard Bell\Packard Bell Recovery Management\Service\ETService.exe [2008-07-16 24576]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-07-09 248936]
    .
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
    iissvcs REG_MULTI_SZ w3svc was
    apphost REG_MULTI_SZ apphostsvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-05-14 17:19]
    .
    2011-03-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-05-14 17:19]
    .
    2011-03-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1744426918-3034555884-2614701510-1000Core.job
    - c:\users\Christopher\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-01 20:45]
    .
    2011-03-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1744426918-3034555884-2614701510-1000UA.job
    - c:\users\Christopher\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-01 20:45]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseAdded]
    @="{C5994566-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
    2008-11-02 08:26 91648 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseConflict]
    @="{C5994562-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
    2008-11-02 08:26 91648 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseDeleted]
    @="{C5994565-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
    2008-11-02 08:26 91648 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseIgnored]
    @="{C5994567-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
    2008-11-02 08:26 91648 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseLocked]
    @="{C5994563-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
    2008-11-02 08:26 91648 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseModified]
    @="{C5994561-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
    2008-11-02 08:26 91648 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseNormal]
    @="{C5994560-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
    2008-11-02 08:26 91648 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseReadOnly]
    @="{C5994564-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
    2008-11-02 08:26 91648 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseUnversioned]
    @="{C5994568-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
    2008-11-02 08:26 91648 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="%ProgramFiles%\Windows Defender\MSASCui.exe -hide" [X]
    "NVRaidService"="c:\windows\system32\nvraidservice.exe" [2008-08-18 333344]
    "RtHDVCpl"="RAVCpl64.exe" [2008-09-18 6495264]
    "Skytel"="Skytel.exe" [2008-09-18 1833504]
    "FijiKeyboard"="c:\acer\Preload\Autorun\DRV\FIJI Keyboard\ABoard.exe" [2008-09-18 79416]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://bridgecommander.filefront.com/
    mLocal Page = %SystemRoot%\system32\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
    IE: Free YouTube Download - c:\users\Christopher\AppData\Roaming\DVDVideoSoftIEHelpers\youtubedownload.htm
    IE: Free YouTube to Mp3 Converter - c:\users\Christopher\AppData\Roaming\DVDVideoSoftIEHelpers\youtubetomp3.htm
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Wow6432Node-HKLM-Run-eRecoveryService - (no file)
    AddRemove-{75D84EF7-0D8C-4e70-B3FA-7B42A5D4E0EB} - c:\program files (x86)\Common Files\BioWare\Uninstall Mass Effect 2.exe
    AddRemove-{980A182F-E0A2-4A40-94C1-AE0C1235902E} - c:\program files (x86)\Pando Networks\Media Booster\uninst.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1744426918-3034555884-2614701510-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:a8,cf,2f,42,e0,e6,08,a2,a7,d1,c2,99,ba,1f,77,5e,51,35,98,a5,54,bc,9b,
    cf,ce,d3,ee,c4,d9,5f,01,97,c8,02,3e,96,73,fc,43,cc,38,15,f4,0f,f5,52,56,3a,\
    "??"=hex:65,34,23,f1,ac,3e,ae,99,14,20,f8,2a,53,ca,02,2f
    .
    [HKEY_USERS\S-1-5-21-1744426918-3034555884-2614701510-1000\Software\SecuROM\License information*]
    "datasecu"=hex:1e,09,a2,8b,79,5e,20,c3,aa,18,a6,97,99,94,cd,95,45,26,e1,de,f5,
    8a,9f,3f,bd,59,ae,2d,e7,c3,24,77,00,a2,0f,25,cf,bf,cb,0b,17,2b,3b,e7,c3,55,\
    "rkeysecu"=hex:fc,c0,7e,17,05,7d,fc,b5,1a,af,54,29,89,3b,60,32
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @="Shockwave Flash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @=""
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @="FlashBroker"
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    Completion time: 2011-03-12 18:40:24
    ComboFix-quarantined-files.txt 2011-03-12 18:40
    .
    Pre-Run: 41,009,016,832 bytes free
    Post-Run: 42,246,656,000 bytes free
    .
    - - End Of File - - 8BDF0718DADF7B04DAB0662346D1C75D
     
  20. Broni

    Broni Malware Annihilator Posts: 47,066   +257

    Looks clean.
    As I said, most likely, false positive.

    You can reinstall AVG now.

    Last scans....

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • IMPORTANT! UN-check Remove found threats
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If Eset won't find any threats, it won't produce any log.
     
  21. banana1

    banana1 TS Rookie Topic Starter Posts: 36

    OK, I'll run the new scans now, and I'll post them asap. I'm reinstalling AVG atm; once that's updated and the scans are all done, I'll post the logs, assuming they are still clear. In a day or two I'll reinstall Supreme Commander Forged Alliance and see if it still detects it as a threat, though I don't know why it would on a fresh new install.
     
  22. Broni

    Broni Malware Annihilator Posts: 47,066   +257

    OK................
     
  23. banana1

    banana1 TS Rookie Topic Starter Posts: 36

    Hi, here's the Security Check log; doing the TFC and then the ESET thing next.


    Results of screen317's Security Check version 0.99.7
    Windows Vista (UAC is disabled!)
    Out of date service pack!!
    Internet Explorer 7 Out of date!
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Disabled!
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    MVPS Hosts File
    Malwarebytes' Anti-Malware
    Adobe Reader 9.4.2
    Out of date Adobe Reader installed!
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    AVG avgwdsvc.exe
    AVG avgtray.exe
    ``````````End of Log````````````
     
  24. Broni

    Broni Malware Annihilator Posts: 47,066   +257

    Update Adobe Reader

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
    Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

    Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader (3.5 MB) from HERE.
    It's a much smaller file to download and uses a lot less resources than Adobe Reader.
    Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or other garbage.

    =======================================================================

    When Eset comes up clean, we'll have to install Service Pack 2 and upgrade IE to version 8.
     
  25. banana1

    banana1 TS Rookie Topic Starter Posts: 36

    It's doing the ESET scan now; currently no threats and it's 63% done. Do I have to update IE if I am using Chrome? As I use that, not Internet Explorer, anymore.
     