Win64/Patched.A infected services.exe file

Solved
By costin
Nov 16, 2012
  1. Hi,
    I'm new here and I hope I can get some help...
    I've been infected with the Win64/Patched.A virus in the services.exe file. AVG cannot remove the file because it's critical to Windows. Also, I ran some scans with AVG and it detects a lot of other viruses, but they can be removed. After I do another scan they appear again...

    Can you please help me remove the virus manually?

    Thanks in advance!
    Costin.
  2. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello, and welcome to TechSpot.


    Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic you were helped.
    • We try our best to reply quickly, but if for any reason we do not reply within two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.


    Farbar Recovery Scan Tool x64

    Download Farbar Recovery Scan Tool and save it to a flash drive.


    Please make sure to get the 64-bit version

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded, begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
      • Startup Repair
      • System Restore
      • Windows Complete PC Restore
      • Windows Memory Diagnostic Tool
      • Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • Notepad opens. Under the File menu select Open.
    • Select "Computer", find your flash drive letter, and close Notepad.
    • In the command window type e:\frst.exe and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to the disclaimer.
    • Place a check next to List Drivers MD5 as well as the default check marks that are already there
    • Press Scan button. It will do its scan and save a log on your flash drive.
    • Close out of the message after that, then type services.exe into the "Search:" text box and press the Search file(s) button.
      When done searching, FRST makes a log, Search.txt, on the C:\ drive or on your flash drive.
    • Type exit in the Command Prompt window and reboot the computer normally
    • FRST will make a log (FRST.txt) on the flash drive, alongside the Search.txt log file; please copy and paste both logs in your reply.
  3. costin

    costin Newcomer, in training Topic Starter

    FRST.txt log file:

    Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 12-11-2012
    Ran by SYSTEM at 16-11-2012 13:48:13
    Running from H:\
    Windows 7 Ultimate (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ==================== Registry (Whitelisted) ===================

    HKLM-x32\...\Run: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY [3143800 2012-11-06] (AVG Technologies CZ, s.r.o.)
    HKLM-x32\...\Run: [] [x]
    HKU\Constantin\...\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun [3671872 2012-04-17] (DT Soft Ltd)
    HKU\Constantin\...\Run: [AdobeBridge] [x]
    Tcpip\Parameters: [DhcpNameServer] 62.215.6.51 62.215.6.4

    ==================== Services (Whitelisted) ===================

    2 Autodesk Content Service; "C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe" [19232 2012-01-30] (Autodesk, Inc.)
    2 AVGIDSAgent; "C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe" [5814392 2012-11-06] (AVG Technologies CZ, s.r.o.)
    2 avgwd; "C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe" [196664 2012-10-22] (AVG Technologies CZ, s.r.o.)
    2 KMService; C:\Windows\SysWow64\srvany.exe [8192 2012-08-23] ()
    2 MBAMScheduler; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe" [399432 2012-09-29] (Malwarebytes Corporation)
    2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [676936 2012-09-29] (Malwarebytes Corporation)
    2 mi-raysat_3dsmax2013_64; "C:\Program Files\Autodesk\3ds Max Design 2013\NVIDIA\raysat_3dsmax2013_64server.exe" [86016 2011-09-14] ()

    ==================== Drivers (Whitelisted) =====================

    1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [154464 2012-10-22] (AVG Technologies CZ, s.r.o. )
    0 AVGIDSHA; C:\Windows\System32\Drivers\AVGIDSHA.sys [63328 2012-10-14] (AVG Technologies CZ, s.r.o. )
    1 Avgldx64; C:\Windows\System32\Drivers\Avgldx64.sys [185696 2012-10-01] (AVG Technologies CZ, s.r.o.)
    0 Avgloga; C:\Windows\System32\Drivers\Avgloga.sys [225120 2012-09-20] (AVG Technologies CZ, s.r.o.)
    0 Avgmfx64; C:\Windows\System32\Drivers\Avgmfx64.sys [111456 2012-10-04] (AVG Technologies CZ, s.r.o.)
    0 Avgrkx64; C:\Windows\System32\Drivers\Avgrkx64.sys [40800 2012-09-13] (AVG Technologies CZ, s.r.o.)
    1 Avgtdia; C:\Windows\System32\Drivers\Avgtdia.sys [200032 2012-09-20] (AVG Technologies CZ, s.r.o.)
    3 bcm44amd64; C:\Windows\System32\DRIVERS\b44amd64.sys [87552 2009-06-10] (Broadcom Corporation)
    3 cpudrv64; \??\C:\Program Files (x86)\SystemRequirementsLab\cpudrv64.sys [17864 2011-06-02] ()
    1 dtsoftbus01; C:\Windows\System32\Drivers\dtsoftbus01.sys [283200 2012-08-23] (DT Soft Ltd)
    3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [25928 2012-09-29] (Malwarebytes Corporation)
    3 OEM02Dev; C:\Windows\System32\Drivers\OEM02Dev.sys [266624 2007-10-10] (Creative Technology Ltd.)
    3 OEM02Vfx; C:\Windows\System32\Drivers\OEM02Vfx.sys [12288 2007-03-04] (EyePower Games Pte. Ltd.)
    3 catchme; \??\C:\ComboFix\catchme.sys [x]
    3 Synth3dVsc; C:\Windows\System32\drivers\synth3dvsc.sys [x]
    3 tsusbhub; C:\Windows\System32\drivers\tsusbhub.sys [x]
    3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]

    ==================== NetSvcs (Whitelisted) ====================


    ==================== One Month Created Files and Folders ========

    2012-11-16 13:48 - 2012-11-16 13:48 - 00000000 ____D C:\FRST
    2012-11-16 00:58 - 2012-11-16 00:58 - 00001115 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-11-16 00:58 - 2012-11-16 00:58 - 00000000 ____D C:\Users\Constantin\AppData\Roaming\Malwarebytes
    2012-11-16 00:58 - 2012-11-16 00:58 - 00000000 ____D C:\Users\All Users\Malwarebytes
    2012-11-16 00:58 - 2012-11-16 00:58 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-11-16 00:58 - 2012-09-29 08:54 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-11-16 00:50 - 2012-11-16 00:51 - 00000000 ____D C:\Users\Constantin\Desktop\jarallah
    2012-11-16 00:39 - 2012-11-16 00:54 - 10669952 ____A (Malwarebytes Corporation ) C:\Users\Constantin\Desktop\mbam-setup-1.65.1.1000.exe
    2012-11-15 11:47 - 2012-11-15 11:47 - 00000000 ____D C:\Program Files (x86)\Mega Codec Pack
    2012-11-14 09:32 - 2012-09-25 14:47 - 00078336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\synceng.dll
    2012-11-14 09:32 - 2012-09-25 14:46 - 00095744 ____A (Microsoft Corporation) C:\Windows\System32\synceng.dll
    2012-11-13 21:33 - 2012-11-13 21:33 - 00000059 ____A C:\Users\Constantin\Downloads\listen (1).pls
    2012-11-12 21:32 - 2012-11-12 21:32 - 00000067 ____A C:\Users\Constantin\Downloads\listen.pls
    2012-11-12 21:29 - 2012-11-14 23:16 - 00000000 ____D C:\Users\Constantin\AppData\Roaming\Winamp
    2012-11-12 21:29 - 2012-11-12 21:30 - 00000000 ____D C:\Program Files (x86)\Winamp
    2012-11-12 21:29 - 2012-11-12 21:29 - 00000985 ____A C:\Users\Public\Desktop\Winamp.lnk
    2012-11-12 21:29 - 2012-11-12 21:29 - 00000000 ____D C:\Program Files (x86)\Winamp Detect
    2012-11-12 21:27 - 2012-11-12 21:27 - 17335648 ____A (Nullsoft, Inc.) C:\Users\Constantin\Downloads\winamp563_full_emusic-7plus_all.exe
    2012-11-12 12:32 - 2012-03-12 02:06 - 00000000 ____D C:\Users\Constantin\Desktop\Ex_Files_Revit_House
    2012-11-03 01:53 - 2012-11-03 02:52 - 00000000 ____D C:\Users\Constantin\Downloads\Evermotion_Archmodels_72_BtTrove
    2012-11-03 01:52 - 2012-11-03 01:52 - 00021263 ____A C:\Users\Constantin\Downloads\[isoHunt] Evermotion_Archmodels_72_BtTrove.torrent
    2012-11-03 01:48 - 2012-11-03 01:48 - 00000000 ____D C:\Users\Constantin\Downloads\nature-backgrounds-vector
    2012-11-03 01:01 - 2012-11-03 01:01 - 00000000 ____D C:\Users\Constantin\Downloads\spring-trees-backgrounds-vector
    2012-11-03 01:01 - 2012-11-03 01:01 - 00000000 ____D C:\Users\Constantin\Downloads\abstract-trees-vector
    2012-11-03 01:00 - 2012-11-03 01:01 - 04050921 ____A C:\Users\Constantin\Downloads\nature-backgrounds-vector.zip
    2012-11-03 01:00 - 2012-11-03 01:00 - 03304569 ____A C:\Users\Constantin\Downloads\spring-trees-backgrounds-vector.zip
    2012-11-03 00:58 - 2012-11-03 00:59 - 07564516 ____A C:\Users\Constantin\Downloads\abstract-trees-vector.zip
    2012-11-03 00:49 - 2012-11-03 00:49 - 00000000 ____D C:\Users\Constantin\Downloads\watercolor-postcards-vector
    2012-11-03 00:47 - 2012-11-03 00:48 - 07391864 ____A C:\Users\Constantin\Downloads\watercolor-postcards-vector.zip
    2012-10-29 19:07 - 2012-10-29 19:07 - 00000000 ____D C:\Users\Constantin\Downloads\19
    2012-10-29 18:53 - 2012-10-29 18:53 - 00409752 ____A C:\Users\Constantin\Downloads\bench_08.3ds
    2012-10-29 13:11 - 2012-10-29 13:11 - 00057125 ____A C:\Users\Constantin\Downloads\19.rar
    2012-10-29 13:10 - 2012-10-29 13:10 - 00000000 ____D C:\Users\Constantin\Downloads\30
    2012-10-29 13:09 - 2012-10-29 13:09 - 00171534 ____A C:\Users\Constantin\Downloads\30.rar
    2012-10-22 20:59 - 2012-10-22 20:59 - 00000132 ____A C:\Users\Constantin\AppData\Roaming\Adobe PNG Format CS6 Prefs
    2012-10-22 20:23 - 2012-10-22 20:23 - 00093969 ____A C:\Users\Constantin\Downloads\All sizes Nutella Flickr - Photo Sharing!.htm
    2012-10-22 20:23 - 2012-10-22 20:23 - 00000000 ____D C:\Users\Constantin\Downloads\All sizes Nutella Flickr - Photo Sharing!_files
    2012-10-22 11:32 - 2012-10-25 03:52 - 00001556 ____A C:\Users\Constantin\Desktop\Adobe Illustrator CS6 (64 Bit).lnk
    2012-10-22 11:32 - 2012-10-22 11:32 - 00001240 ____A C:\Users\Constantin\Desktop\Adobe Photoshop CS6 (64 Bit).lnk
    2012-10-22 11:31 - 2012-10-22 11:31 - 53863379 ____A C:\Users\Constantin\AppData\Local\AdobeSetupUtility.zip.aamdownload
    2012-10-22 11:31 - 2012-10-22 11:31 - 00000809 ____A C:\Users\Constantin\AppData\Local\AdobeSetupUtility.zip.aamdownload.aamd
    2012-10-22 11:19 - 2012-10-22 11:19 - 00000000 ____D C:\Users\All Users\ALM
    2012-10-22 11:04 - 2012-10-22 11:21 - 00000000 ____D C:\Program Files\Adobe
    2012-10-22 02:02 - 2012-10-22 02:02 - 00154464 ____A (AVG Technologies CZ, s.r.o. ) C:\Windows\System32\Drivers\avgidsdrivera.sys
    2012-10-20 03:50 - 2012-10-20 03:50 - 00000000 ____D C:\Users\Constantin\Downloads\Trei Parale - BAZAR I
    2012-10-19 00:01 - 2012-10-19 00:01 - 00001168 ____A C:\Users\Public\Desktop\TeamViewer 7.lnk
    2012-10-17 12:41 - 2012-10-17 12:41 - 00000000 ____D C:\Users\Constantin\Documents\Random_Select
    2012-10-17 12:40 - 2012-10-17 12:40 - 00009908 ____A C:\Users\Constantin\Documents\Random_Select.zip

    ==================== One Month Modified Files and Folders =======

    2012-11-16 02:40 - 2009-07-13 21:13 - 00778834 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-11-16 02:33 - 2012-08-23 23:12 - 00000000 ____D C:\Users\Constantin\AppData\Roaming\vlc
    2012-11-16 02:30 - 2012-10-03 12:34 - 00000000 ____D C:\Users\All Users\AVG2013
    2012-11-16 02:30 - 2012-08-23 23:18 - 00000000 ____D C:\Users\Constantin\AppData\Roaming\uTorrent
    2012-11-16 02:29 - 2012-08-19 04:33 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-11-16 01:48 - 2012-08-21 22:27 - 00000906 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-11-16 01:24 - 2009-07-13 20:45 - 00014224 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-11-16 01:24 - 2009-07-13 20:45 - 00014224 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-11-16 01:18 - 2012-08-22 00:07 - 00000000 ____D C:\Users\Constantin\AppData\Roaming\DAEMON Tools Lite
    2012-11-16 01:17 - 2012-08-21 22:26 - 00000902 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-11-16 01:16 - 2012-08-30 21:23 - 00012245 ____A C:\Windows\setupact.log
    2012-11-16 01:16 - 2012-08-21 23:20 - 00000000 ____D C:\Users\All Users\NVIDIA
    2012-11-16 01:16 - 2012-08-19 02:33 - 00026368 ____A C:\Windows\PFRO.log
    2012-11-16 01:16 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-11-16 00:58 - 2012-11-16 00:58 - 00001115 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-11-16 00:58 - 2012-11-16 00:58 - 00000000 ____D C:\Users\Constantin\AppData\Roaming\Malwarebytes
    2012-11-16 00:58 - 2012-11-16 00:58 - 00000000 ____D C:\Users\All Users\Malwarebytes
    2012-11-16 00:58 - 2012-11-16 00:58 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-11-16 00:54 - 2012-11-16 00:39 - 10669952 ____A (Malwarebytes Corporation ) C:\Users\Constantin\Desktop\mbam-setup-1.65.1.1000.exe
    2012-11-16 00:51 - 2012-11-16 00:50 - 00000000 ____D C:\Users\Constantin\Desktop\jarallah
    2012-11-15 22:02 - 2012-08-21 23:50 - 00000000 ____D C:\Users\All Users\MFAData
    2012-11-15 15:00 - 2012-08-21 22:33 - 00000000 ____D C:\Users\Constantin\AppData\Local\Adobe
    2012-11-15 12:14 - 2012-09-19 08:32 - 00000000 ____D C:\Users\Constantin\AppData\Roaming\Skype
    2012-11-15 11:47 - 2012-11-15 11:47 - 00000000 ____D C:\Program Files (x86)\Mega Codec Pack
    2012-11-15 11:47 - 2012-08-19 12:21 - 01818552 ____A C:\Windows\WindowsUpdate.log
    2012-11-14 23:16 - 2012-11-12 21:29 - 00000000 ____D C:\Users\Constantin\AppData\Roaming\Winamp
    2012-11-13 21:33 - 2012-11-13 21:33 - 00000059 ____A C:\Users\Constantin\Downloads\listen (1).pls
    2012-11-13 11:09 - 2012-08-19 04:33 - 00000000 ____D C:\Users\Constantin\AppData\Roaming\Adobe
    2012-11-12 21:32 - 2012-11-12 21:32 - 00000067 ____A C:\Users\Constantin\Downloads\listen.pls
    2012-11-12 21:30 - 2012-11-12 21:29 - 00000000 ____D C:\Program Files (x86)\Winamp
    2012-11-12 21:29 - 2012-11-12 21:29 - 00000985 ____A C:\Users\Public\Desktop\Winamp.lnk
    2012-11-12 21:29 - 2012-11-12 21:29 - 00000000 ____D C:\Program Files (x86)\Winamp Detect
    2012-11-12 21:27 - 2012-11-12 21:27 - 17335648 ____A (Nullsoft, Inc.) C:\Users\Constantin\Downloads\winamp563_full_emusic-7plus_all.exe
    2012-11-09 20:59 - 2009-07-13 21:08 - 00032630 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-11-08 20:53 - 2012-08-21 22:28 - 00002374 ____A C:\Users\Public\Desktop\Google Chrome.lnk
    2012-11-07 10:47 - 2012-08-22 23:59 - 00000000 ____D C:\Users\Constantin\AppData\Local\Autodesk
    2012-11-07 10:47 - 2012-08-22 12:45 - 00000000 ____D C:\Users\Constantin\AppData\Roaming\Autodesk
    2012-11-07 10:47 - 2012-08-22 12:45 - 00000000 ____D C:\Users\All Users\Autodesk
    2012-11-07 09:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
    2012-11-05 12:36 - 2012-09-19 08:32 - 00000000 ____D C:\Users\All Users\Skype
    2012-11-03 02:52 - 2012-11-03 01:53 - 00000000 ____D C:\Users\Constantin\Downloads\Evermotion_Archmodels_72_BtTrove
    2012-11-03 01:52 - 2012-11-03 01:52 - 00021263 ____A C:\Users\Constantin\Downloads\[isoHunt] Evermotion_Archmodels_72_BtTrove.torrent
    2012-11-03 01:48 - 2012-11-03 01:48 - 00000000 ____D C:\Users\Constantin\Downloads\nature-backgrounds-vector
    2012-11-03 01:01 - 2012-11-03 01:01 - 00000000 ____D C:\Users\Constantin\Downloads\spring-trees-backgrounds-vector
    2012-11-03 01:01 - 2012-11-03 01:01 - 00000000 ____D C:\Users\Constantin\Downloads\abstract-trees-vector
    2012-11-03 01:01 - 2012-11-03 01:00 - 04050921 ____A C:\Users\Constantin\Downloads\nature-backgrounds-vector.zip
    2012-11-03 01:00 - 2012-11-03 01:00 - 03304569 ____A C:\Users\Constantin\Downloads\spring-trees-backgrounds-vector.zip
    2012-11-03 00:59 - 2012-11-03 00:58 - 07564516 ____A C:\Users\Constantin\Downloads\abstract-trees-vector.zip
    2012-11-03 00:49 - 2012-11-03 00:49 - 00000000 ____D C:\Users\Constantin\Downloads\watercolor-postcards-vector
    2012-11-03 00:48 - 2012-11-03 00:47 - 07391864 ____A C:\Users\Constantin\Downloads\watercolor-postcards-vector.zip
    2012-10-29 22:30 - 2012-08-23 22:42 - 00000000 ____D C:\Users\Constantin\AppData\Local\cache
    2012-10-29 19:07 - 2012-10-29 19:07 - 00000000 ____D C:\Users\Constantin\Downloads\19
    2012-10-29 18:53 - 2012-10-29 18:53 - 00409752 ____A C:\Users\Constantin\Downloads\bench_08.3ds
    2012-10-29 13:11 - 2012-10-29 13:11 - 00057125 ____A C:\Users\Constantin\Downloads\19.rar
    2012-10-29 13:10 - 2012-10-29 13:10 - 00000000 ____D C:\Users\Constantin\Downloads\30
    2012-10-29 13:09 - 2012-10-29 13:09 - 00171534 ____A C:\Users\Constantin\Downloads\30.rar
    2012-10-25 14:17 - 2012-08-30 06:03 - 00000000 ____D C:\Users\Constantin\Downloads\@Torrents
    2012-10-25 03:52 - 2012-10-22 11:32 - 00001556 ____A C:\Users\Constantin\Desktop\Adobe Illustrator CS6 (64 Bit).lnk
    2012-10-23 10:21 - 2009-07-13 20:45 - 05065576 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-10-22 20:59 - 2012-10-22 20:59 - 00000132 ____A C:\Users\Constantin\AppData\Roaming\Adobe PNG Format CS6 Prefs
    2012-10-22 20:23 - 2012-10-22 20:23 - 00093969 ____A C:\Users\Constantin\Downloads\All sizes Nutella Flickr - Photo Sharing!.htm
    2012-10-22 20:23 - 2012-10-22 20:23 - 00000000 ____D C:\Users\Constantin\Downloads\All sizes Nutella Flickr - Photo Sharing!_files
    2012-10-22 11:32 - 2012-10-22 11:32 - 00001240 ____A C:\Users\Constantin\Desktop\Adobe Photoshop CS6 (64 Bit).lnk
    2012-10-22 11:31 - 2012-10-22 11:31 - 53863379 ____A C:\Users\Constantin\AppData\Local\AdobeSetupUtility.zip.aamdownload
    2012-10-22 11:31 - 2012-10-22 11:31 - 00000809 ____A C:\Users\Constantin\AppData\Local\AdobeSetupUtility.zip.aamdownload.aamd
    2012-10-22 11:27 - 2012-08-23 22:07 - 00000000 ____D C:\Users\All Users\regid.1986-12.com.adobe
    2012-10-22 11:27 - 2012-08-19 02:37 - 00122544 ____A C:\Users\Constantin\AppData\Local\GDIPFONTCACHEV1.DAT
    2012-10-22 11:23 - 2012-08-21 22:20 - 00000000 ____D C:\Users\All Users\Adobe
    2012-10-22 11:21 - 2012-10-22 11:04 - 00000000 ____D C:\Program Files\Adobe
    2012-10-22 11:21 - 2012-08-23 21:49 - 00000000 ____D C:\Program Files\Common Files\Adobe
    2012-10-22 11:19 - 2012-10-22 11:19 - 00000000 ____D C:\Users\All Users\ALM
    2012-10-22 11:12 - 2012-08-21 22:20 - 00000000 ____D C:\Program Files (x86)\Adobe
    2012-10-22 02:02 - 2012-10-22 02:02 - 00154464 ____A (AVG Technologies CZ, s.r.o. ) C:\Windows\System32\Drivers\avgidsdrivera.sys
    2012-10-20 03:50 - 2012-10-20 03:50 - 00000000 ____D C:\Users\Constantin\Downloads\Trei Parale - BAZAR I
    2012-10-19 07:51 - 2012-10-01 07:22 - 00000000 ____D C:\Users\Constantin\AppData\Roaming\TeamViewer
    2012-10-19 00:01 - 2012-10-19 00:01 - 00001168 ____A C:\Users\Public\Desktop\TeamViewer 7.lnk
    2012-10-17 12:41 - 2012-10-17 12:41 - 00000000 ____D C:\Users\Constantin\Documents\Random_Select
    2012-10-17 12:40 - 2012-10-17 12:40 - 00009908 ____A C:\Users\Constantin\Documents\Random_Select.zip


    ZeroAccess:
    C:\Windows\Installer\{6eca4627-24d8-deae-7b1d-c3c79bfe2fc3}
    C:\Windows\Installer\{6eca4627-24d8-deae-7b1d-c3c79bfe2fc3}\@
    C:\Windows\Installer\{6eca4627-24d8-deae-7b1d-c3c79bfe2fc3}\L
    C:\Windows\Installer\{6eca4627-24d8-deae-7b1d-c3c79bfe2fc3}\U
    C:\Windows\Installer\{6eca4627-24d8-deae-7b1d-c3c79bfe2fc3}\U\00000004.@
    C:\Windows\Installer\{6eca4627-24d8-deae-7b1d-c3c79bfe2fc3}\U\00000008.@
    C:\Windows\Installer\{6eca4627-24d8-deae-7b1d-c3c79bfe2fc3}\U\000000cb.@
    C:\Windows\Installer\{6eca4627-24d8-deae-7b1d-c3c79bfe2fc3}\U\80000032.@

    ZeroAccess:
    C:\Windows\assembly\GAC_32\Desktop.ini

    ZeroAccess:
    C:\Windows\assembly\GAC_64\Desktop.ini

    ==================== Known DLLs (Whitelisted) =================


    ==================== Bamital & volsnap Check =================

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe 50BEA589F7D7958BDD2528A8F69D05CC ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ==================== Restore Points =========================

    Restore point made on: 2012-11-15 17:41:02

    ==================== Memory info ===========================

    Percentage of memory in use: 19%
    Total physical RAM: 3070.04 MB
    Available physical RAM: 2477.04 MB
    Total Pagefile: 3068.19 MB
    Available Pagefile: 2463.75 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.9 MB

    ==================== Partitions =============================

    1 Drive c: (SYSTEM) (Fixed) (Total:68.36 GB) (Free:4.09 GB) NTFS
    2 Drive e: (WORK) (Fixed) (Total:98.41 GB) (Free:48.87 GB) NTFS
    3 Drive f: (TEMP) (Fixed) (Total:19.43 GB) (Free:14.85 GB) NTFS
    5 Drive h: (A-DATA UFD) (Removable) (Total:7.5 GB) (Free:6.9 GB) FAT32
    6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    7 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]

    Disk ###  Status  Size     Free   Dyn  Gpt
    --------  ------  -------  -----  ---  ---
    Disk 0    Online  186 GB   9 MB
    Disk 1    Online  7701 MB  0 B

    Partitions of Disk 0:
    ===============

    Partition ###  Type      Size    Offset
    -------------  --------  ------  -------
    Partition 1    Primary   100 MB  1024 KB
    Partition 2    Primary   19 GB   101 MB
    Partition 0    Extended  166 GB  19 GB
    Partition 3    Logical   68 GB   19 GB
    Partition 4    Logical   98 GB   87 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ###  Ltr  Label        Fs     Type       Size     Status   Info
    ----------  ---  -----------  -----  ---------  -------  -------  ----
    * Volume 1  Y    System Rese  NTFS   Partition  100 MB   Healthy

    =========================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ###  Ltr  Label        Fs     Type       Size     Status   Info
    ----------  ---  -----------  -----  ---------  -------  -------  ----
    * Volume 2  F    TEMP         NTFS   Partition  19 GB    Healthy

    =========================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No

    Volume ###  Ltr  Label        Fs     Type       Size     Status   Info
    ----------  ---  -----------  -----  ---------  -------  -------  ----
    * Volume 3  C    SYSTEM       NTFS   Partition  68 GB    Healthy

    =========================================================

    Disk: 0
    Partition 4
    Type : 07
    Hidden: No
    Active: No

    Volume ###  Ltr  Label        Fs     Type       Size     Status   Info
    ----------  ---  -----------  -----  ---------  -------  -------  ----
    * Volume 4  E    WORK         NTFS   Partition  98 GB    Healthy

    =========================================================

    Partitions of Disk 1:
    ===============

    Partition ###  Type     Size     Offset
    -------------  -------  -------  ------
    Partition 1    Primary  7695 MB  31 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 0B
    Hidden: No
    Active: Yes

    Volume ###  Ltr  Label        Fs     Type       Size     Status   Info
    ----------  ---  -----------  -----  ---------  -------  -------  ----
    * Volume 5  H    A-DATA UFD   FAT32  Removable  7695 MB  Healthy

    =========================================================

    Last Boot: 2012-11-14 13:26

    ==================== End Of Log =============================
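The FRST log above reports the ZeroAccess artifacts by path: a {GUID} folder under C:\Windows\Installer holding a bare "@" file plus "L" and "U" folders, "U" containing payloads named "<8 hex digits>.@", and a Desktop.ini placed in the GAC_32 and GAC_64 roots. As an added example (not part of this thread and not FRST's own code), the following Python script looks for those two artifact families on a mounted Windows volume. It builds a throw-away directory tree that reproduces the paths from the log so it runs offline; the benign MSI-cache folder in that tree, its GUID, and the function names are constructed for the demo. Point scan_volume() at a real volume root (for example a drive mounted from the recovery environment) for actual triage.

```python
"""Scan a Windows volume root for the ZeroAccess file-system artifacts that the
FRST log reports. Example code written for this page; it is not FRST's detection logic."""
import os
import re
import tempfile
from pathlib import Path

# {8-4-4-4-12 hex} folder name, as used by the Installer folder in the log
GUID_DIR = re.compile(r"^\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}$", re.I)
# payload names inside the "U" folder: 00000004.@, 80000032.@, ...
PAYLOAD_NAME = re.compile(r"^[0-9a-f]{8}\.@$", re.I)


def scan_installer(windows: Path) -> list:
    """Return a finding for every {GUID} folder under Windows\\Installer that
    carries a bare '@' file or a 'U' folder of *.@ payloads. A normal MSI cache
    folder holds .msi/.msp files and is not reported."""
    findings = []
    installer = windows / "Installer"
    if not installer.is_dir():
        return findings
    for entry in installer.iterdir():
        if not (entry.is_dir() and GUID_DIR.match(entry.name)):
            continue
        members = {m.name for m in entry.iterdir()}
        payloads = []
        if (entry / "U").is_dir():
            payloads = sorted(p.name for p in (entry / "U").iterdir()
                              if PAYLOAD_NAME.match(p.name))
        if "@" in members or payloads:
            findings.append({"path": str(entry), "members": sorted(members),
                             "payloads": payloads})
    return findings


def scan_gac(windows: Path) -> list:
    """Desktop.ini in the GAC_32/GAC_64 roots is the other marker FRST lists;
    report each one that exists so it can be hashed and examined."""
    candidates = (windows / "assembly" / "GAC_32" / "Desktop.ini",
                  windows / "assembly" / "GAC_64" / "Desktop.ini")
    return [str(p) for p in candidates if p.is_file()]


def scan_volume(root) -> dict:
    """Run both checks against <root>\\Windows and return the findings."""
    windows = Path(root) / "Windows"
    return {"installer": scan_installer(windows), "gac_desktop_ini": scan_gac(windows)}


def build_sample_volume() -> str:
    """Constructed tree reproducing the artifact paths from the FRST log,
    plus one benign MSI-cache folder (made-up GUID) that must not be flagged."""
    root = Path(tempfile.mkdtemp(prefix="za_"))
    inst = root / "Windows" / "Installer"
    bad = inst / "{6eca4627-24d8-deae-7b1d-c3c79bfe2fc3}"
    (bad / "U").mkdir(parents=True)
    (bad / "L").mkdir()
    (bad / "@").write_bytes(b"\x00" * 16)
    for name in ("00000004.@", "00000008.@", "000000cb.@", "80000032.@"):
        (bad / "U" / name).write_bytes(b"MZ" + b"\x00" * 14)
    good = inst / "{12345678-1234-1234-1234-123456789abc}"   # constructed, benign
    good.mkdir()
    (good / "product.msi").write_bytes(b"\xd0\xcf\x11\xe0")
    for gac in ("GAC_32", "GAC_64"):
        d = root / "Windows" / "assembly" / gac
        d.mkdir(parents=True)
        (d / "Desktop.ini").write_bytes(b"[.ShellClassInfo]\r\n")
    return str(root)


if __name__ == "__main__":
    import json
    print(json.dumps(scan_volume(build_sample_volume()), indent=2))
```

Run it from a clean environment against the suspect volume rather than from the infected OS: ZeroAccess hides its Installer folder from the running system, which is why the helper has the scan done from System Recovery Options.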
  4. costin

    costin Newcomer, in training Topic Starter

    Search.txt file log:

    Farbar Recovery Scan Tool (x64) Version: 12-11-2012
    Ran by SYSTEM at 2012-11-16 13:49:48
    Running from H:\

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
    [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

    C:\Windows\System32\services.exe
    [2009-07-13 15:19] - [2009-07-13 17:39] - 0329216 ____A (Microsoft Corporation) 50BEA589F7D7958BDD2528A8F69D05CC

    C:\Windows\erdnt\cache64\services.exe
    [2012-10-03 10:25] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

    ====== End Of Search ======
  5. Jay Pfoutz

    Jay Pfoutz Malware Helper

    Good job!

    Next step...

    FRST Fixlist

    Please download attached fixlist.txt below, and save it to your flash drive in the same location as FRST.exe. Make sure it maintains the same name, otherwise the fix will fail.

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

    Now restart, let it boot normally and tell me how it went.

  6. costin

    costin Newcomer, in training Topic Starter

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 12-11-2012
    Ran by SYSTEM at 2012-11-16 22:14:22 Run:1
    Running from H:\

    ==============================================

    C:\Windows\Installer\{6eca4627-24d8-deae-7b1d-c3c79bfe2fc3} moved successfully.
    C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.
    C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.
    c:\Windows\System32\services.exe moved successfully.
    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to c:\Windows\System32\services.exe

    ==== End of Fixlog ====
  7. costin

    costin Newcomer, in training Topic Starter

    Thank you very much!
    I scanned the computer with AVG and it seems OK, I will do another scan with Malwarebytes Anti-Malware and tell you what happened...
    Thanks again, I wish you all the best!
    Costin.
  8. Jay Pfoutz

    Jay Pfoutz Malware Helper

    ComboFix scan

    Please download ComboFix by sUBs
    From BleepingComputer.com

    Please save the file to your Desktop.

    Important information about ComboFix


    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on ComboFix.exe & follow the prompts.
    • When ComboFix finishes, it will produce a report for you.
    • Please post the report, which will launch automatically or can be found at "C:\Combo-Fix.txt", in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear; select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method as above, but download it again and rename ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

    NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
  9. costin

    costin Newcomer, in training Topic Starter

    Hi!
    I scanned many times with AVG and Malwarebytes Anti-Malware and it seems everything is OK.
    Do I need to do something more?

  10. Jay Pfoutz

    Jay Pfoutz Malware Helper

    Please do ComboFix and trust my lead. Let's make sure all malware is gone, so you don't run your computer at further risk.
  11. costin

    costin Newcomer, in training Topic Starter

    Hi again, sorry for the misunderstanding. I did ComboFix, here is the log:


    ComboFix 12-11-16.02 - Constantin 11/19/2012 22:13:03.2.2 - x64
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3070.1939 [GMT 3:00]
    Running from: c:\users\Constantin\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free Edition 2013 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
    FW: AVG Internet Security 2013 *Disabled* {36AFA1E1-4CDC-7EF8-11EE-C77C3581ABA2}
    SP: AVG Anti-Virus Free Edition 2013 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-10-19 to 2012-11-19 )))))))))))))))))))))))))))))))
    .
    .
    2012-11-19 19:20 . 2012-11-19 19:20  --------  d-----w-  c:\users\UpdatusUser\AppData\Local\temp
    2012-11-19 19:20 . 2012-11-19 19:20  --------  d-----w-  c:\users\Public\AppData\Local\temp
    2012-11-19 19:20 . 2012-11-19 19:20  --------  d-----w-  c:\users\Default\AppData\Local\temp
    2012-11-19 05:54 . 2012-07-26 04:47  2560  ----a-w-  c:\windows\system32\drivers\en-US\wdf01000.sys.mui
    2012-11-19 05:54 . 2012-07-26 04:55  785512  ----a-w-  c:\windows\system32\drivers\Wdf01000.sys
    2012-11-19 05:54 . 2012-07-26 04:55  54376  ----a-w-  c:\windows\system32\drivers\WdfLdr.sys
    2012-11-19 05:54 . 2012-07-26 02:36  9728  ----a-w-  c:\windows\system32\Wdfres.dll
    2012-11-19 05:47 . 2012-07-26 03:08  84992  ----a-w-  c:\windows\system32\WUDFSvc.dll
    2012-11-19 05:47 . 2012-07-26 03:08  194048  ----a-w-  c:\windows\system32\WUDFPlatform.dll
    2012-11-19 05:47 . 2012-07-26 02:26  87040  ----a-w-  c:\windows\system32\drivers\WUDFPf.sys
    2012-11-19 05:47 . 2012-07-26 02:26  198656  ----a-w-  c:\windows\system32\drivers\WUDFRd.sys
    2012-11-19 05:47 . 2012-07-26 03:08  229888  ----a-w-  c:\windows\system32\WUDFHost.exe
    2012-11-19 05:47 . 2012-07-26 03:08  744448  ----a-w-  c:\windows\system32\WUDFx.dll
    2012-11-19 05:47 . 2012-07-26 03:08  45056  ----a-w-  c:\windows\system32\WUDFCoinstaller.dll
    2012-11-19 04:50 . 2012-10-18 18:25  3149824  ----a-w-  c:\windows\system32\win32k.sys
    2012-11-16 21:48 . 2012-11-16 21:48  --------  d-----w-  C:\FRST
    2012-11-16 08:58 . 2012-11-16 08:58  --------  d-----w-  c:\users\Constantin\AppData\Roaming\Malwarebytes
    2012-11-16 08:58 . 2012-11-16 08:58  --------  d-----w-  c:\programdata\Malwarebytes
    2012-11-16 08:58 . 2012-11-16 08:58  --------  d-----w-  c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-11-16 08:58 . 2012-09-29 16:54  25928  ----a-w-  c:\windows\system32\drivers\mbam.sys
    2012-11-15 19:48 . 2012-11-15 19:48  220160  ----a-w-  c:\programdata\Microsoft\Media Tools\MediaIconsOverlays.dll
    2012-11-15 19:47 . 2012-11-15 19:47  --------  d-----w-  c:\program files (x86)\Mega Codec Pack
    2012-11-14 17:32 . 2012-09-25 22:47  78336  ----a-w-  c:\windows\SysWow64\synceng.dll
    2012-11-14 17:32 . 2012-09-25 22:46  95744  ----a-w-  c:\windows\system32\synceng.dll
    2012-11-13 05:29 . 2012-11-13 05:29  --------  d-----w-  c:\program files (x86)\Winamp Detect
    2012-11-13 05:29 . 2012-11-13 05:29  --------  d-----w-  c:\program files (x86)\Common Files\PX Storage Engine
    2012-11-13 05:29 . 2012-11-15 07:16  --------  d-----w-  c:\users\Constantin\AppData\Roaming\Winamp
    2012-11-13 05:29 . 2012-11-13 05:30  --------  d-----w-  c:\program files (x86)\Winamp
    2012-10-22 19:19 . 2012-10-22 19:19  --------  d-----w-  c:\programdata\ALM
    2012-10-22 19:04 . 2012-10-22 19:21  --------  d-----w-  c:\program files\Adobe
    2012-10-22 10:02 . 2012-10-22 10:02  154464  ----a-w-  c:\windows\system32\drivers\avgidsdrivera.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-11-19 05:47 . 2012-08-23 10:10  66395536  ----a-w-  c:\windows\system32\MRT.exe
    2012-10-15 00:48 . 2012-10-15 00:48  63328  ----a-w-  c:\windows\system32\drivers\avgidsha.sys
    2012-10-10 02:30 . 2012-08-19 12:33  73656  ----a-w-  c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-10-10 02:30 . 2012-08-19 12:33  696760  ----a-w-  c:\windows\SysWow64\FlashPlayerApp.exe
    2012-10-05 00:32 . 2012-10-05 00:32  111456  ----a-w-  c:\windows\system32\drivers\avgmfx64.sys
    2012-10-02 00:30 . 2012-10-02 00:30  185696  ----a-w-  c:\windows\system32\drivers\avgldx64.sys
    2012-09-21 00:46 . 2012-09-21 00:46  200032  ----a-w-  c:\windows\system32\drivers\avgtdia.sys
    2012-09-21 00:46 . 2012-09-21 00:46  225120  ----a-w-  c:\windows\system32\drivers\avgloga.sys
    2012-09-14 19:19 . 2012-10-10 01:49  2048  ----a-w-  c:\windows\system32\tzres.dll
    2012-09-14 18:28 . 2012-10-10 01:49  2048  ----a-w-  c:\windows\SysWow64\tzres.dll
    2012-09-14 00:05 . 2012-09-14 00:05  40800  ----a-w-  c:\windows\system32\drivers\avgrkx64.sys
    2012-08-31 18:19 . 2012-10-10 01:51  1659760  ----a-w-  c:\windows\system32\drivers\ntfs.sys
    2012-08-30 18:03 . 2012-10-10 01:50  5559664  ----a-w-  c:\windows\system32\ntoskrnl.exe
    2012-08-30 17:12 . 2012-10-10 01:50  3968880  ----a-w-  c:\windows\SysWow64\ntkrnlpa.exe
    2012-08-30 17:12 . 2012-10-10 01:50  3914096  ----a-w-  c:\windows\SysWow64\ntoskrnl.exe
    2012-08-24 18:05 . 2012-10-10 01:50  220160  ----a-w-  c:\windows\system32\wintrust.dll
    2012-08-24 16:57 . 2012-10-10 01:50  172544  ----a-w-  c:\windows\SysWow64\wintrust.dll
    2012-08-24 07:56 . 2012-08-24 07:56  8192  ----a-w-  c:\windows\SysWow64\srvany.exe
    2012-08-23 16:27 . 2012-08-23 16:27  283200  ----a-w-  c:\windows\system32\drivers\dtsoftbus01.sys
    2012-08-23 16:13 . 2009-07-14 02:36  175616  ----a-w-  c:\windows\system32\msclmd.dll
    2012-08-23 16:13 . 2009-07-14 02:36  152576  ----a-w-  c:\windows\SysWow64\msclmd.dll
    2012-08-22 18:12 . 2012-09-14 09:41  950128  ----a-w-  c:\windows\system32\drivers\ndis.sys
    2012-08-22 18:12 . 2012-09-14 09:40  376688  ----a-w-  c:\windows\system32\drivers\netio.sys
    2012-08-22 18:12 . 2012-09-14 09:40  288624  ----a-w-  c:\windows\system32\drivers\FWPKCLNT.SYS
    2012-08-22 07:09 . 2012-08-22 07:09  21712  ----a-w-  c:\windows\SysWow64\drivers\DrvAgent64.SYS
    2012-08-22 06:39 . 2012-08-22 06:39  95208  ----a-w-  c:\windows\SysWow64\WindowsAccessBridge-32.dll
    2012-08-22 06:39 . 2012-08-22 06:40  746984  ----a-w-  c:\windows\SysWow64\deployJava1.dll
    2012-08-22 06:39 . 2012-08-22 06:40  821736  ----a-w-  c:\windows\SysWow64\npDeployJava1.dll
    2012-08-21 21:01 . 2012-09-27 17:41  245760  ----a-w-  c:\windows\system32\OxpsConverter.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\0MediaIconsOerlay]
    @="{1EC23CFF-4C58-458f-924C-8519AEF61B32}"
    [HKEY_CLASSES_ROOT\CLSID\{1EC23CFF-4C58-458f-924C-8519AEF61B32}]
    2012-11-06 17:32  220160  ----a-w-  c:\program files (x86)\Mega Codec Pack\Filters\Haali\mmdinfo.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2012-04-17 3671872]
    "AdobeBridge"="" [BU]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "AVG_UI"="c:\program files (x86)\AVG\AVG2013\avgui.exe" [2012-11-06 3143800]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    R2 KMService;KMService;c:\windows\system32\srvany.exe [x]
    R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-09-29 676936]
    R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-13 160944]
    R3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\Drivers\ssadadb.sys [2011-05-13 36328]
    R3 cpudrv64;cpudrv64;c:\program files (x86)\SystemRequirementsLab\cpudrv64.sys [2011-06-02 17864]
    R3 DrvAgent64;DrvAgent64;c:\windows\SysWOW64\Drivers\DrvAgent64.SYS [2012-08-22 21712]
    R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2012-08-23 1432400]
    R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-01-09 174440]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 20992]
    R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
    R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
    R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
    R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\ssadbus.sys [2011-05-13 157672]
    R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\DRIVERS\ssadmdfl.sys [2011-05-13 16872]
    R3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\DRIVERS\ssadmdm.sys [2011-05-13 177640]
    R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
    R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
    R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-08-20 1255736]
    R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [2008-05-06 14464]
    S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys [2012-10-15 63328]
    S0 Avgloga;AVG Logging Driver;c:\windows\system32\DRIVERS\avgloga.sys [2012-09-21 225120]
    S0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [2012-10-05 111456]
    S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [2012-09-14 40800]
    S1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys [2012-10-22 154464]
    S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [2012-10-02 185696]
    S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [2012-09-21 200032]
    S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2012-08-23 283200]
    S2 Autodesk Content Service;Autodesk Content Service;c:\program files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe [2012-01-31 19232]
    S2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2013\avgidsagent.exe [2012-11-06 5814392]
    S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2013\avgwdsvc.exe [2012-10-22 196664]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 27136]
    S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-09-29 399432]
    S2 mi-raysat_3dsmax2013_64;mental ray 3.10 Satellite for Autodesk 3ds Max 2013 64-bit;c:\program files\Autodesk\3ds Max Design 2013\NVIDIA\raysat_3dsmax2013_64server.exe [2011-09-14 86016]
    S2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-10-02 3064000]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-05-14 382272]
    S2 TeamViewer7;TeamViewer 7;c:\program files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [2012-08-31 2754984]
    S3 bcm44amd64;Broadcom 440x 10/100 Integrated Controller XP Driver;c:\windows\system32\DRIVERS\b44amd64.sys [2009-06-10 87552]
    S3 CAXHWAZL;CAXHWAZL;c:\windows\system32\DRIVERS\CAXHWAZL.sys [1999-12-31 292864]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-09-29 25928]
    S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\DRIVERS\teamviewervpn.sys [2012-08-07 35112]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-11-19 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-19 02:30]
    .
    2012-11-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-08-22 06:26]
    .
    2012-11-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-08-22 06:26]
    .
    .
    --------- X64 Entries -----------
    .
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = https://isearch.avg.com/?cid={A264A...7db239a45&lang=en&ds=is015&pr=sa&d=2012-08-22 10:25&v=12.2.0.5&sap=hp
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
    TCP: DhcpNameServer = 62.215.6.51 62.215.6.4
    TCP: Interfaces\{443C9D70-F490-428B-B6D6-B640627BD433}: DhcpNameServer = 62.215.6.51 62.215.6.4
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Wow6432Node-HKLM-Run-<NO NAME> - (no file)
    AddRemove-WinRAR - c:\windows\WinRAR\uninstall.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
    @="?????????????????? v1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
    @="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
    @="?????????????????? v2"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
    @="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
    .
    **************************************************************************
    .
    Completion time: 2012-11-19 22:28:12 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-11-19 19:28
    .
    Pre-Run: 4,806,926,336 bytes free
    Post-Run: 4,743,483,392 bytes free
    .
    - - End Of File - - 55BAA57CC0547A880658C95571B40BFF
  12. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so and install it.
    • Click Start or wait for the scanner to load.
    • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, there are a couple of things to keep in mind:
    • 1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
    • 2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
    • Open the logfile from wherever you saved it
    • Copy and paste the contents in your next reply.
  13. costin

    costin Newcomer, in training Topic Starter

    I did the ESET Scan, no threats were found. What next?
    Costin.
     
  14. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Sorry for delay. I just came back from my short vacation. :)


    Any more issues?

    We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

    Many of the things to note for us would be:

    • Slow computer
    • Error messages
    • Fake antivirus alerts or the icon in the system tray
    • svchost.exe running at 100%
    • System crashes or blue screen of death
  15. costin

    costin Newcomer, in training Topic Starter

    No problem..

    I believe everything is fine...I don't have any other issues...
    Can you recommend an antivirus/firewall/antimalware/etc. I am using AVG free antivirus, and for another few days Malwarebytes-Anti-malware. Is it enough? Should I change anything?
    Sometimes I use TeamViewer, and I know it's not very secure. Is it that bad?

    Thanks for the help!!
    Costin.
  16. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hi there. Let's finish up, and we'll see with the Security Check tool...

    Clean up System Restore

    Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

    To manually create a new Restore Point
    • Go to Control Panel and select System and Maintenance
    • Select System
    • On the left select Advanced System Settings and accept the warning if you get one
    • Select System Protection Tab
    • Select Create at the bottom
    • Type in a name, i.e. Clean
    • Select Create
    Now we can purge the infected ones
    • Go back to the System and Maintenance page
    • Select Performance Information and Tools
    • On the left select Open Disk Cleanup
    • Select Files from all users and accept the warning if you get one
    • In the drop down box select your main drive, i.e. C
    • For a few moments the system will make some calculations:
    • Select the More Options tab
    • In the System Restore and Shadow Backups select Clean up
    • Select Delete on the pop up
    • Select OK
    • Select Delete
    Run OTC to remove our tools

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTC.exe by OldTimer:
    • Save it to your Desktop.
    • Double click OTC.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the programs we have used) hasn't been deleted, please delete it manually.

    Purge old temporary files

    NOTE: If you already have this installed, you don't have to reinstall it.

    Please download CCleaner Slim and save it to your Desktop - Alternate download link

    When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
    Follow the prompts to install the program.

    • Double-click the CCleaner shortcut on the desktop to start the program.
    • A prompt will ask you if you want CCleaner to do a check to see what cookies it needs to keep. Allow that operation.
    • On the Cleaner tab, click on Run Cleaner on the bottom-right to run the program.
    • Important: Make sure that ALL browser windows are closed before selecting Run Cleaner, or it will ask if you want the program to close them for you (when you do this, all unsaved data may be lost in the browser).

    Caution: Only use the Registry feature if you are very familiar with the registry.
    Always back up your registry before making any changes. Exit CCleaner after it has completed its process.

    Security Check

    Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
  17. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Topic solved.