Solved Error code 0x80070424:Rootkit 0 access virus

krazeefly

Posts: 12   +0
Hello there,:)
Some 6 days ago, I found that Windows Media Player was not starting at all. I tried to start it in every way but failed, then googled the problem and found Microsoft Fix It for WMP, which stated that the registry entry was corrupted and fixed all the problems. After that, while I was checking my computer, I saw that the firewall was turned off, Defender was also turned off, updates were not starting and Action Center was not working at all, with the Security Center turned off. I tried to start all the functions and encountered the above-mentioned error code. I had Avira Free Antivirus installed then, but it did not find any infections, so I uninstalled it and installed AVG antivirus and MBAM.

After updating and running both, I found my PC was infected with the above-mentioned virus. I followed all the instructions and deleted the infected files, then did some googling again to remove the virus from my PC. I came across a lot of topics with various methods but didn't apply anything. But I did make one mistake: I read in another forum about ComboFix and ended up running the tool on my PC. I didn't realise it was wrong to do so without supervision! :confused:
ComboFix ran well and generated a message about C:\windows\system32\services.exe being corrupted and attempting to patch it, and then created a log about the files being patched and new files created. But at that time there was a freak power cut in my area and the log file was erased. So I ran ComboFix one more time, and the log file is pasted here.

After running ComboFix, my machine was working great and all services were back to normal, but this morning I again found the rootkit virus message popping up from MBAM and all the services have stopped again. After a lot of searching I found your forum and was really amazed to see how you people volunteer to help others. I did the 5 steps mentioned and am pasting all the logs below, one after the other.
Thanks in advance for your help. :)
---------------------------------------------------------------------------------------------------------------------------

ComboFix 12-08-13.01 - Desktop 14-Aug-12 17:44:03.1.4 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3893.2773 [GMT 5.5:30]
Running from: c:\users\Desktop\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Desktop\AppData\Local\TempDIR
c:\users\Desktop\AppData\Roaming\msthnv.dll
c:\users\Desktop\AppData\Roaming\nhcaps.dll
c:\users\Desktop\AppData\Roaming\qmcts.dll
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
c:\windows\Installer\{589e96b4-2f37-e487-882e-05eb34b2f5bb}\@
c:\windows\Installer\{589e96b4-2f37-e487-882e-05eb34b2f5bb}\L\00000004.@
c:\windows\Installer\{589e96b4-2f37-e487-882e-05eb34b2f5bb}\U\00000004.@
c:\windows\Installer\{589e96b4-2f37-e487-882e-05eb34b2f5bb}\U\00000008.@
c:\windows\Installer\{589e96b4-2f37-e487-882e-05eb34b2f5bb}\U\000000cb.@
c:\windows\Installer\{589e96b4-2f37-e487-882e-05eb34b2f5bb}\U\80000000.@
c:\windows\Installer\{589e96b4-2f37-e487-882e-05eb34b2f5bb}\U\80000032.@
c:\windows\Installer\{589e96b4-2f37-e487-882e-05eb34b2f5bb}\U\80000064.@
c:\windows\SysWow64\1065\inf1065.dat
c:\windows\SysWow64\1077
c:\windows\SysWow64\1077\inf1077.dat
c:\windows\SysWow64\1079\inf1079.dat
.
----- File Replicators -----
.
c:\windows\System32\usser.exe
c:\windows\System32\ussser.exe
c:\windows\System32\usssser.exe
c:\windows\System32\ussssser.exe
c:\windows\System32\usssssser.exe
c:\windows\System32\ussssssser.exe
c:\windows\System32\usssssssser.exe
c:\windows\System32\ussssssssser.exe
c:\windows\System32\usssssssssser.exe
c:\windows\System32\ussssssssssser.exe
c:\windows\System32\usssssssssssser.exe
c:\windows\System32\ussssssssssssser.exe
c:\windows\System32\usssssssssssssser.exe
c:\windows\System32\ussssssssssssssser.exe
c:\windows\System32\usssssssssssssssser.exe
c:\windows\System32\ussssssssssssssssser.exe
c:\windows\System32\usssssssssssssssssser.exe
c:\windows\System32\ussssssssssssssssssser.exe
c:\windows\System32\usssssssssssssssssssser.exe
c:\windows\System32\ussssssssssssssssssssser.exe
c:\windows\System32\usssssssssssssssssssssser.exe
c:\windows\System32\ussssssssssssssssssssssser.exe
c:\windows\System32\usssssssssssssssssssssssser.exe
c:\windows\System32\ussssssssssssssssssssssssser.exe
c:\windows\System32\usssssssssssssssssssssssssser.exe
c:\windows\System32\ussssssssssssssssssssssssssser.exe
c:\windows\SysWOW64\usser.exe
c:\windows\SysWOW64\ussser.exe
c:\windows\SysWOW64\usssser.exe
c:\windows\SysWOW64\ussssser.exe
c:\windows\SysWOW64\usssssser.exe
c:\windows\SysWOW64\ussssssser.exe
c:\windows\SysWOW64\usssssssser.exe
c:\windows\SysWOW64\ussssssssser.exe
c:\windows\SysWOW64\usssssssssser.exe
c:\windows\SysWOW64\ussssssssssser.exe
c:\windows\SysWOW64\usssssssssssser.exe
c:\windows\SysWOW64\ussssssssssssser.exe
c:\windows\SysWOW64\usssssssssssssser.exe
c:\windows\SysWOW64\ussssssssssssssser.exe
c:\windows\SysWOW64\usssssssssssssssser.exe
c:\windows\SysWOW64\ussssssssssssssssser.exe
c:\windows\SysWOW64\usssssssssssssssssser.exe
c:\windows\SysWOW64\ussssssssssssssssssser.exe
c:\windows\SysWOW64\usssssssssssssssssssser.exe
c:\windows\SysWOW64\ussssssssssssssssssssser.exe
c:\windows\SysWOW64\usssssssssssssssssssssser.exe
c:\windows\SysWOW64\ussssssssssssssssssssssser.exe
c:\windows\SysWOW64\usssssssssssssssssssssssser.exe
c:\windows\SysWOW64\ussssssssssssssssssssssssser.exe
c:\windows\SysWOW64\usssssssssssssssssssssssssser.exe
c:\windows\SysWOW64\ussssssssssssssssssssssssssser.exe
.
Infected copy of c:\windows\system32\services.exe was found and disinfected
Restored copy from - c:\32788r22fwjfw\HarddiskVolumeShadowCopy2_!Windows!System32!services.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-07-14 to 2012-08-14 )))))))))))))))))))))))))))))))
.
.
2012-08-14 12:18 . 2012-08-14 12:18--------d-----w-c:\users\Default\AppData\Local\temp
2012-08-14 10:11 . 2012-08-14 10:20--------d-----w-c:\users\Desktop\AppData\Roaming\Wise Registry Cleaner
2012-08-11 13:29 . 2012-08-11 13:29--------d-----w-c:\users\Desktop\AppData\Local\SymbolSourceSymbols
2012-08-11 13:29 . 2012-08-11 13:29--------d-----w-c:\users\Desktop\AppData\Local\RefSrcSymbols
2012-08-11 13:29 . 2012-08-11 13:29--------d-----w-c:\users\Desktop\AppData\Local\JetBrains
2012-08-11 13:29 . 2012-08-11 13:29--------d-----w-c:\users\Desktop\AppData\Roaming\JetBrains
2012-08-11 13:00 . 2012-08-11 13:00--------d-----w-c:\windows\SysWow64\1082
2012-08-11 13:00 . 2012-08-11 13:00679936----a-w-c:\windows\system32\Rede1389.scr
2012-08-11 13:00 . 2012-08-11 13:00679936------w-c:\windows\SysWow64\Rede1389.scr
2012-08-11 13:00 . 2012-08-11 13:00--------d-----w-c:\programdata\Screentime
2012-08-11 13:00 . 2012-08-11 13:00--------d-----w-c:\users\Desktop\AppData\Local\Screentime
2012-08-11 12:57 . 2012-08-11 12:57--------d-----w-c:\windows\SysWow64\1081
2012-08-11 12:41 . 2012-08-11 12:47--------d-----w-c:\program files (x86)\Free Registry Cleaner For Seven
2012-08-11 09:39 . 2012-08-11 09:39--------d-----w-c:\windows\SysWow64\1080
2012-08-11 08:46 . 2012-08-14 12:17--------d-----w-c:\windows\SysWow64\1079
2012-08-11 08:33 . 2012-08-11 08:41--------d-----w-c:\users\Desktop\AppData\Roaming\Error Fix
2012-08-11 08:10 . 2012-08-11 08:10--------d-----w-c:\windows\ehome
2012-08-11 08:10 . 2012-08-11 08:10--------d-----w-c:\users\Default\AppData\Roaming\Media Center Programs
2012-08-11 08:01 . 2012-08-11 08:01--------d-----w-c:\windows\SysWow64\1078
2012-08-11 07:52 . 2012-08-11 07:52--------d-----w-c:\windows\SysWow64\1076
2012-08-10 09:47 . 2012-08-10 09:47--------d-----w-c:\windows\SysWow64\1075
2012-08-10 09:33 . 2012-08-10 09:33--------d-----w-c:\windows\SysWow64\1074
2012-08-10 09:08 . 2012-08-10 09:08--------d-----w-c:\windows\SysWow64\1073
2012-08-10 09:05 . 2012-08-10 09:05--------d-----w-c:\windows\SysWow64\1072
2012-08-10 08:53 . 2012-08-10 08:53--------d-----w-c:\windows\SysWow64\1071
2012-08-10 08:34 . 2012-08-10 08:34--------d-----w-c:\windows\SysWow64\1070
2012-08-10 08:32 . 2012-08-10 08:32--------d-----w-c:\users\Desktop\AppData\Roaming\flashInstall
2012-08-10 07:08 . 2012-08-10 07:09--------d-----w-c:\users\Desktop\AppData\Roaming\PE Explorer
2012-08-10 06:38 . 2012-08-10 06:38--------d-----w-c:\windows\SysWow64\1069
2012-08-10 06:30 . 2012-08-10 06:30--------d-----w-c:\windows\SysWow64\1068
2012-08-10 06:19 . 2012-08-10 06:19--------d-----w-c:\windows\SysWow64\1067
2012-08-10 06:18 . 2012-08-10 06:18--------d-----w-c:\windows\SysWow64\1066
2012-08-10 06:15 . 2012-08-14 12:17--------d-----w-c:\windows\SysWow64\1065
2012-08-09 11:26 . 2012-08-09 11:26--------d-----w-c:\windows\SysWow64\1064
2012-08-09 10:24 . 2012-08-09 10:24--------d-----w-c:\windows\SysWow64\1063
2012-08-09 10:24 . 2012-08-09 10:24--------d-----w-c:\windows\SysWow64\1062
2012-08-09 10:10 . 2012-08-09 10:10--------d-----w-c:\windows\SysWow64\1061
2012-08-09 10:09 . 2012-08-09 10:09--------d-----w-c:\windows\SysWow64\1060
2012-08-09 10:01 . 2012-08-09 10:01--------d-----w-c:\windows\SysWow64\1059
2012-08-09 10:00 . 2012-08-09 10:00--------d-----w-c:\windows\SysWow64\1058
2012-08-09 09:59 . 2012-08-09 09:59--------d-----w-c:\windows\SysWow64\1057
2012-08-06 10:56 . 2011-11-09 12:08189608----a-w-c:\windows\system32\IPROSetMonitor.exe
2012-08-06 10:56 . 2012-08-06 10:56--------d-----w-c:\program files\Intel
2012-08-06 10:54 . 2012-02-01 21:13509104----a-w-c:\windows\system32\drivers\e1k62x64.sys
2012-08-06 10:54 . 2012-01-19 21:1199520----a-w-c:\windows\system32\NicInstK.dll
2012-08-06 10:54 . 2012-01-18 21:0768264----a-w-c:\windows\system32\e1kmsg.dll
2012-08-02 14:33 . 2012-06-18 08:0419032------w-c:\windows\system32\pwdrvio.sys
2012-08-02 14:33 . 2012-06-18 08:042966720----a-w-c:\windows\system32\pwNative.exe
2012-08-02 14:33 . 2012-06-18 08:0412384------w-c:\windows\system32\pwdspio.sys
2012-08-01 13:20 . 2012-08-03 02:56--------d-----w-c:\users\Desktop\.android
2012-08-01 13:12 . 2012-08-01 13:12--------d-----w-c:\program files\Oracle
2012-08-01 13:12 . 2012-08-01 13:11268784----a-w-c:\windows\system32\javaws.exe
2012-08-01 13:12 . 2012-08-01 13:11189424----a-w-c:\windows\system32\javaw.exe
2012-08-01 13:12 . 2012-08-01 13:11188912----a-w-c:\windows\system32\java.exe
2012-08-01 13:10 . 2012-08-01 13:11--------d-----w-c:\program files\Java
2012-08-01 13:10 . 2012-08-02 14:04--------d-----w-c:\users\Desktop\jdk1.7.0_05_combo
2012-07-27 13:39 . 2012-08-02 18:03--------d-----w-c:\programdata\LGMOBILEAX
2012-07-26 11:49 . 2012-07-26 11:55--------d-----w-c:\program files (x86)\YourFileDownloader
2012-07-26 11:49 . 2012-07-26 11:49--------d-----w-c:\users\Desktop\AppData\Roaming\YourFileDownloader
2012-07-26 11:21 . 2012-07-26 11:21--------d-----w-c:\program files (x86)\uTorrent
2012-07-25 15:15 . 2012-07-25 15:15--------d-----w-c:\program files (x86)\LG Electronics
2012-07-25 14:31 . 2012-08-02 18:33--------d-----w-c:\users\Desktop\AppData\Roaming\LG Electronics
2012-07-25 14:30 . 2012-07-25 14:30--------d-----w-c:\users\Desktop\AppData\Local\LG Electronics
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-13 10:36 . 2012-04-04 06:17426184----a-w-c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-13 10:36 . 2011-06-02 02:3970344----a-w-c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-09 06:36 . 2009-07-13 23:19328704----a-w-c:\windows\system32\services.exe
2012-07-03 08:16 . 2011-06-14 07:2924904----a-w-c:\windows\system32\drivers\mbam.sys
2012-06-06 04:06 . 2012-06-06 04:062174976----a-w-c:\program files (x86)\Common Files\atimpenc.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0BC6E3FA-78EF-4886-842C-5A1258C4455A}"= "mscoree.dll" [2010-11-05 297808]
.
[HKEY_CLASSES_ROOT\clsid\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
[HKEY_CLASSES_ROOT\agihelper.AGUtils]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
2010-11-05 01:58297808----a-w-c:\windows\System32\mscoree.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"Smart File Advisor"="c:\program files (x86)\Smart File Advisor\sfa.exe" [2011-04-04 280824]
"RoxWatchTray"="c:\program files (x86)\Common Files\Roxio Shared\13.0\SharedCOM\RoxWatchTray13.exe" [2010-07-16 307184]
"CPMonitor"="c:\program files (x86)\Roxio 2011\5.0\CPMonitor.exe" [2010-07-13 84464]
"Desktop Disc Tool"="c:\program files (x86)\Roxio 2011\Roxio Burn\RoxioBurnLauncher.exe" [2010-06-30 477680]
"Malwarebytes' Anti-Malware"="d:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
.
c:\users\Desktop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Webshots.lnk - c:\program files (x86)\Webshots\3.1.5.7619\Launcher.exe [2011-9-12 157088]
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 MBAMService;MBAMService;d:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944]
R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\13.0\SharedCOM\RoxWatch13.exe [2010-07-16 354288]
R2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2009-12-09 2320920]
R3 andnetadb;ADB Interface DriverNet;c:\windows\system32\Drivers\lgandnetadb.sys [2012-03-06 31744]
R3 AndNetDiag;LGE AndroidNet USB Serial Port;c:\windows\system32\DRIVERS\lgandnetdiag64.sys [2012-03-06 29184]
R3 ANDNetModem;LGE AndroidNet USB Modem;c:\windows\system32\DRIVERS\lgandnetmodem64.sys [2012-03-06 36352]
R3 andnetndis;LGE AndroidNet NDIS Ethernet Adapter;c:\windows\system32\DRIVERS\lgandnetndis64.sys [2012-03-06 93184]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-05-08 129976]
R3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2012-06-18 19032]
R3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2012-06-18 12384]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 20992]
R3 RoxMediaDB13;RoxMediaDB13;c:\program files (x86)\Common Files\Roxio Shared\13.0\SharedCOM\RoxMediaDB13.exe [2010-07-16 1099248]
R3 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 Synth3dVsc;Synth3dVsc; [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 tsusbhub;tsusbhub; [x]
R3 VGPU;VGPU; [x]
R3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\DRIVERS\vpcuxd.sys [2010-11-20 16384]
R3 vvftav303;vvftav303;c:\windows\system32\drivers\vvftav303.sys [2007-03-18 301824]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-12-05 1255736]
R3 ZSMC0303;INTEX Game Camera;c:\windows\system32\Drivers\usbVM303.sys [2007-03-25 1494656]
R4 Ireniceaesse;Ireniceaesse; [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2010-03-18 55856]
S0 Sahdad64;HDD Filter Driver;c:\windows\System32\Drivers\Sahdad64.sys [2009-06-01 27120]
S0 Saibad64;Volume Filter Driver;c:\windows\System32\Drivers\Saibad64.sys [2009-06-01 19952]
S1 SaibVdAd64;Virtual Disk Driver;c:\windows\system32\Drivers\SaibVdAd64.sys [2009-06-01 27632]
S2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files (x86)\Roxio\BackOnTrack\App\SaibSVC.exe [2009-06-02 457200]
S2 AGCoreService;AG Core Services;c:\program files (x86)\AGI\core\4.2.0.10754\AGCoreService.exe [2010-06-29 20480]
S2 BOT4Service;BOT4Service;c:\program files (x86)\Roxio\BackOnTrack\App\BService.exe [2010-07-13 32240]
S2 Intel(R) PROSet Monitoring Service;Intel(R) PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [2011-11-09 189608]
S3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k62x64.sys [2012-02-01 509104]
S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-02-03 271872]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-30 c:\windows\Tasks\SidebarExecute.job
- c:\program files\Windows Sidebar\sidebar.exe [2011-04-09 13:25]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-11 162328]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-11 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-11 417304]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-07-07 12558440]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.co.in/
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{C3D5A4FB-98D0-46EC-8865-32390EE39FB8}: NameServer = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\users\Desktop\AppData\Roaming\Mozilla\Firefox\Profiles\zpqxsszw.default\
FF - prefs.js: browser.startup.homepage - www.google.co.in
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-whtpd - (no file)
Wow6432Node-HKCU-Run-nhcaps - (no file)
Wow6432Node-HKCU-Run-qmcts - (no file)
Wow6432Node-HKCU-Run-msthnv - (no file)
Wow6432Node-HKCU-Run-wladmg - (no file)
WebBrowser-{7B13EC3E-999A-4B70-B9CB-2617B8323822} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-msthnv - (no file)
HKLM-Run-wladmg - (no file)
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_268_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_268_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\software\Network Associates]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
.
**************************************************************************
.
Completion time: 2012-08-14 17:52:30 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-14 12:22
.
Pre-Run: 64,696,188,928 bytes free
Post-Run: 64,522,870,784 bytes free
.
- - End Of File - - DBDDD338056EA51EA6BCCAF12E7952E9
 
This is the GMER log file.....................

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-08-16 13:05:52
Windows 6.1.7601 Service Pack 1
Running: jd5fjk2p.exe


---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@E:\Games\Redemption Cemetery Grave Testimony Collector’s Edition Setup.exe 1
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@E:\Games\Redemption Cemetery Grave Testimony Collector’s Edition Setup\RedemptionCemetery3_GraveTestimonyCE.exe 8
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@E:\Games\Redemption Cemetery Grave Testimony Collector’s Edition Setup\flashInstall.exe 1
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\Desktop\Desktop\Redemption Cemetery Grave Testimony Collector’s Edition Setup\RedemptionCemetery3_GraveTestimonyCE.exe 8

---- EOF - GMER 1.0.15 ----

The DDS Logfile with both DDS and Attach.........

DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.5.1
Run by Desktop at 13:06:51 on 2012-08-16
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3893.2363 [GMT 5.5:30]
.
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Roxio\BackOnTrack\App\SaibSVC.exe
C:\Program Files (x86)\AGI\core\4.2.0.10754\AGCoreService.exe
D:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
C:\Program Files (x86)\Roxio\BackOnTrack\App\BService.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\IProsetMonitor.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\PROGRA~2\Webshots\315~1.761\webshots.scr
C:\Program Files (x86)\Roxio 2011\5.0\CPMonitor.exe
C:\Program Files (x86)\Roxio 2011\Roxio Burn\RoxioBurnLauncher.exe
D:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
D:\Program Files (x86)\AVG\AVG2012\avgtray.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Users\Desktop\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Desktop\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Desktop\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Desktop\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Desktop\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Desktop\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Desktop\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Desktop\AppData\Local\Google\Chrome\Application\chrome.exe
D:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Users\Desktop\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Desktop\AppData\Local\Google\Chrome\Application\chrome.exe
D:\Program Files (x86)\AVG\AVG2012\avgcfgex.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.in/
uURLSearchHooks: agihelper.AGUtils: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll
BHO: agihelper.AGUtils: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: AVG Do Not Track: {31332eef-cb9f-458f-afeb-d30e9a66b6ba} - D:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
TB: {7B13EC3E-999A-4B70-B9CB-2617B8323822} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun: [Smart File Advisor] "C:\Program Files (x86)\Smart File Advisor\sfa.exe" /checkassoc
mRun: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\13.0\SharedCOM\RoxWatchTray13.exe"
mRun: [CPMonitor] "C:\Program Files (x86)\Roxio 2011\5.0\CPMonitor.exe"
mRun: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio 2011\Roxio Burn\RoxioBurnLauncher.exe"
mRun: [Malwarebytes' Anti-Malware] "D:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun: [AVG_TRAY] "D:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
StartupFolder: C:\Users\Desktop\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Webshots.lnk - C:\Program Files (x86)\Webshots\3.1.5.7619\Launcher.exe
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - D:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} - hxxp://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.5.5.0.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{C3D5A4FB-98D0-46EC-8865-32390EE39FB8} : NameServer = 208.67.222.222,208.67.220.220
TCP: Interfaces\{C3D5A4FB-98D0-46EC-8865-32390EE39FB8} : DhcpNameServer = 192.168.1.1 192.168.1.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files (x86)\AVG\AVG2012\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
BHO-X64: agihelper.AGUtils: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: AVG Do Not Track: {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - D:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
BHO-X64: AVG Do Not Track - No File
BHO-X64: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
BHO-X64: Increase performance and video formats for your HTML5 <video> - No File
BHO-X64: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO-X64: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
TB-X64: {7B13EC3E-999A-4B70-B9CB-2617B8323822} - No File
TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun-x64: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun-x64: [Smart File Advisor] "C:\Program Files (x86)\Smart File Advisor\sfa.exe" /checkassoc
mRun-x64: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\13.0\SharedCOM\RoxWatchTray13.exe"
mRun-x64: [CPMonitor] "C:\Program Files (x86)\Roxio 2011\5.0\CPMonitor.exe"
mRun-x64: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio 2011\Roxio Burn\RoxioBurnLauncher.exe"
mRun-x64: [Malwarebytes' Anti-Malware] "D:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun-x64: [AVG_TRAY] "D:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHA;AVGIDSHA;C:\Windows\system32\DRIVERS\avgidsha.sys --> C:\Windows\system32\DRIVERS\avgidsha.sys [?]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\system32\DRIVERS\avgrkx64.sys --> C:\Windows\system32\DRIVERS\avgrkx64.sys [?]
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R0 Sahdad64;HDD Filter Driver;C:\Windows\system32\Drivers\Sahdad64.sys --> C:\Windows\system32\Drivers\Sahdad64.sys [?]
R0 Saibad64;Volume Filter Driver;C:\Windows\system32\Drivers\Saibad64.sys --> C:\Windows\system32\Drivers\Saibad64.sys [?]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\system32\DRIVERS\avgldx64.sys --> C:\Windows\system32\DRIVERS\avgldx64.sys [?]
R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\system32\DRIVERS\avgmfx64.sys --> C:\Windows\system32\DRIVERS\avgmfx64.sys [?]
R1 Avgtdia;AVG TDI Driver;C:\Windows\system32\DRIVERS\avgtdia.sys --> C:\Windows\system32\DRIVERS\avgtdia.sys [?]
R1 SaibVdAd64;Virtual Disk Driver;C:\Windows\system32\Drivers\SaibVdAd64.sys --> C:\Windows\system32\Drivers\SaibVdAd64.sys [?]
R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;C:\Program Files (x86)\Roxio\BackOnTrack\App\SaibSVC.exe [2009-6-2 457200]
R2 AGCoreService;AG Core Services;C:\Program Files (x86)\AGI\core\4.2.0.10754\AGCoreService.exe [2011-9-12 20480]
R2 avgwd;AVG WatchDog;D:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe [2012-2-14 193288]
R2 BOT4Service;BOT4Service;C:\Program Files (x86)\Roxio\BackOnTrack\App\BService.exe [2010-7-14 32240]
R2 Intel(R) PROSet Monitoring Service;Intel(R) PROSet Monitoring Service;C:\Windows\system32\IProsetMonitor.exe --> C:\Windows\system32\IProsetMonitor.exe [?]
R2 MBAMService;MBAMService;D:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-7-12 655944]
R2 UNS;Intel(R) Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2011-2-21 2320920]
R3 AVGIDSDriver;AVGIDSDriver;C:\Windows\system32\DRIVERS\avgidsdrivera.sys --> C:\Windows\system32\DRIVERS\avgidsdrivera.sys [?]
R3 AVGIDSFilter;AVGIDSFilter;C:\Windows\system32\DRIVERS\avgidsfiltera.sys --> C:\Windows\system32\DRIVERS\avgidsfiltera.sys [?]
R3 HECIx64;Intel(R) Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 IntcDAud;Intel(R) Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
S2 AVGIDSAgent;AVGIDSAgent;D:\Program Files (x86)\AVG\AVG2012\avgidsagent.exe [2012-7-4 5160568]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;C:\Program Files (x86)\Common Files\Roxio Shared\13.0\SharedCOM\RoxWatch13.exe [2010-7-16 354288]
S3 andnetadb;ADB Interface DriverNet;C:\Windows\system32\Drivers\lgandnetadb.sys --> C:\Windows\system32\Drivers\lgandnetadb.sys [?]
S3 AndNetDiag;LGE AndroidNet USB Serial Port;C:\Windows\system32\DRIVERS\lgandnetdiag64.sys --> C:\Windows\system32\DRIVERS\lgandnetdiag64.sys [?]
S3 ANDNetModem;LGE AndroidNet USB Modem;C:\Windows\system32\DRIVERS\lgandnetmodem64.sys --> C:\Windows\system32\DRIVERS\lgandnetmodem64.sys [?]
S3 andnetndis;LGE AndroidNet NDIS Ethernet Adapter;C:\Windows\system32\DRIVERS\lgandnetndis64.sys --> C:\Windows\system32\DRIVERS\lgandnetndis64.sys [?]
S3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;C:\Windows\system32\DRIVERS\e1k62x64.sys --> C:\Windows\system32\DRIVERS\e1k62x64.sys [?]
S3 pwdrvio;pwdrvio;\??\C:\Windows\system32\pwdrvio.sys --> C:\Windows\system32\pwdrvio.sys [?]
S3 pwdspio;pwdspio;\??\C:\Windows\system32\pwdspio.sys --> C:\Windows\system32\pwdspio.sys [?]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
S3 RoxMediaDB13;RoxMediaDB13;C:\Program Files (x86)\Common Files\Roxio Shared\13.0\SharedCOM\RoxMediaDB13.exe [2010-7-16 1099248]
S3 SwitchBoard;SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 vpcuxd;USB Virtualization Stub Service;C:\Windows\system32\DRIVERS\vpcuxd.sys --> C:\Windows\system32\DRIVERS\vpcuxd.sys [?]
S3 vvftav303;vvftav303;C:\Windows\system32\drivers\vvftav303.sys --> C:\Windows\system32\drivers\vvftav303.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S3 ZSMC0303;INTEX Game Camera;C:\Windows\system32\Drivers\usbVM303.sys --> C:\Windows\system32\Drivers\usbVM303.sys [?]
.
=============== Created Last 30 ================
.
2012-08-15 08:11:52 -------- d-----w- C:\Users\Desktop\AppData\Roaming\AVG2012
2012-08-15 08:10:48 -------- d-----w- C:\Windows\SysWow64\drivers\AVG
2012-08-15 08:10:16 -------- d--h--w- C:\$AVG
2012-08-15 08:10:16 -------- d-----w- C:\Windows\System32\drivers\AVG
2012-08-15 08:10:16 -------- d-----w- C:\ProgramData\AVG2012
2012-08-15 08:07:36 -------- d--h--w- C:\ProgramData\Common Files
2012-08-15 08:07:35 -------- d-----w- C:\ProgramData\MFAData
2012-08-15 06:21:14 9133488 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{31259DA6-BF84-4755-8713-068D445F5CAA}\mpengine.dll
2012-08-15 05:49:22 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-08-15 05:49:11 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-08-15 05:49:01 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-08-15 05:49:01 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-08-14 15:56:08 -------- d-sh--w- C:\$RECYCLE.BIN
2012-08-14 12:12:57 98816 ----a-w- C:\Windows\sed.exe
2012-08-14 12:12:57 518144 ----a-w- C:\Windows\SWREG.exe
2012-08-14 12:12:57 256000 ----a-w- C:\Windows\PEV.exe
2012-08-14 12:12:57 208896 ----a-w- C:\Windows\MBR.exe
2012-08-11 13:29:50 -------- d-----w- C:\Users\Desktop\AppData\Local\SymbolSourceSymbols
2012-08-11 13:29:50 -------- d-----w- C:\Users\Desktop\AppData\Local\RefSrcSymbols
2012-08-11 13:29:49 -------- d-----w- C:\Users\Desktop\AppData\Local\JetBrains
2012-08-11 13:29:48 -------- d-----w- C:\Users\Desktop\AppData\Roaming\JetBrains
2012-08-11 13:00:53 -------- d-----w- C:\Windows\SysWow64\1082
2012-08-11 13:00:23 679936 ----a-w- C:\Windows\System32\Rede1389.scr
2012-08-11 13:00:22 679936 ------w- C:\Windows\SysWow64\Rede1389.scr
2012-08-11 13:00:22 -------- d-----w- C:\ProgramData\Screentime
2012-08-11 13:00:19 -------- d-----w- C:\Users\Desktop\AppData\Local\Screentime
2012-08-11 12:57:45 -------- d-----w- C:\Windows\SysWow64\1081
2012-08-11 09:39:35 -------- d-----w- C:\Windows\SysWow64\1080
2012-08-11 08:46:39 -------- d-----w- C:\Windows\SysWow64\1079
2012-08-11 08:10:06 -------- d-----w- C:\Windows\ehome
2012-08-11 08:01:14 -------- d-----w- C:\Windows\SysWow64\1078
2012-08-11 07:52:55 -------- d-----w- C:\Windows\SysWow64\1076
2012-08-10 09:47:56 -------- d-----w- C:\Windows\SysWow64\1075
2012-08-10 09:33:56 -------- d-----w- C:\Windows\SysWow64\1074
2012-08-10 09:08:18 -------- d-----w- C:\Windows\SysWow64\1073
2012-08-10 09:05:34 -------- d-----w- C:\Windows\SysWow64\1072
2012-08-10 08:53:07 -------- d-----w- C:\Windows\SysWow64\1071
2012-08-10 08:34:01 -------- d-----w- C:\Windows\SysWow64\1070
2012-08-10 08:32:15 -------- d-----w- C:\Users\Desktop\AppData\Roaming\flashInstall
2012-08-10 07:08:40 -------- d-----w- C:\Users\Desktop\AppData\Roaming\PE Explorer
2012-08-10 06:38:06 -------- d-----w- C:\Windows\SysWow64\1069
2012-08-10 06:30:09 -------- d-----w- C:\Windows\SysWow64\1068
2012-08-10 06:19:07 -------- d-----w- C:\Windows\SysWow64\1067
2012-08-10 06:18:24 -------- d-----w- C:\Windows\SysWow64\1066
2012-08-10 06:15:11 -------- d-----w- C:\Windows\SysWow64\1065
2012-08-09 11:26:40 -------- d-----w- C:\Windows\SysWow64\1064
2012-08-09 10:24:54 -------- d-----w- C:\Windows\SysWow64\1063
2012-08-09 10:24:37 -------- d-----w- C:\Windows\SysWow64\1062
2012-08-09 10:10:43 -------- d-----w- C:\Windows\SysWow64\1061
2012-08-09 10:09:34 -------- d-----w- C:\Windows\SysWow64\1060
2012-08-09 10:01:14 -------- d-----w- C:\Windows\SysWow64\1059
2012-08-09 10:00:14 -------- d-----w- C:\Windows\SysWow64\1058
2012-08-09 09:59:49 -------- d-----w- C:\Windows\SysWow64\1057
2012-08-06 10:56:41 189608 ----a-w- C:\Windows\System32\IPROSetMonitor.exe
2012-08-06 10:54:03 99520 ----a-w- C:\Windows\System32\NicInstK.dll
2012-08-06 10:54:03 68264 ----a-w- C:\Windows\System32\e1kmsg.dll
2012-08-06 10:54:03 509104 ----a-w- C:\Windows\System32\drivers\e1k62x64.sys
2012-08-02 14:33:55 2966720 ----a-w- C:\Windows\System32\pwNative.exe
2012-08-02 14:33:55 19032 ------w- C:\Windows\System32\pwdrvio.sys
2012-08-02 14:33:54 12384 ------w- C:\Windows\System32\pwdspio.sys
2012-08-01 13:20:43 -------- d-----w- C:\Users\Desktop\.android
2012-08-01 13:12:43 -------- d-----w- C:\Program Files\Oracle
2012-08-01 13:10:34 -------- d-----w- C:\Users\Desktop\jdk1.7.0_05_combo
2012-07-27 13:39:10 -------- d-----w- C:\ProgramData\LGMOBILEAX
2012-07-26 11:49:06 -------- d-----w- C:\Users\Desktop\AppData\Roaming\YourFileDownloader
2012-07-26 11:49:06 -------- d-----w- C:\Program Files (x86)\YourFileDownloader
2012-07-25 15:15:28 -------- d-----w- C:\Program Files (x86)\LG Electronics
2012-07-25 14:31:06 -------- d-----w- C:\Users\Desktop\AppData\Roaming\LG Electronics
2012-07-25 14:30:49 -------- d-----w- C:\Users\Desktop\AppData\Local\LG Electronics
.
==================== Find3M ====================
.
2012-08-16 04:37:39 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-16 04:37:39 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-07-09 06:36:12 329216 ----a-w- C:\Windows\System32\services.exe
2012-07-03 08:16:44 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-06-06 04:06:50 2174976 ----a-w- C:\Program Files (x86)\Common Files\atimpenc.dll
2012-05-31 06:55:12 279656 ------w- C:\Windows\System32\MpSigStub.exe
.
============= FINISH: 13:07:14.69 ===============

The Attach log file........

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Ultimate
Boot Device: \Device\HarddiskVolume1
Install Date: 21-Feb-11 6:24:04 PM
System Uptime: 16-Aug-12 12:46:38 PM (1 hours ago)
.
Motherboard: Intel Corporation | | DH55TC
Processor: Intel(R) Core(TM) i3 CPU 540 @ 3.07GHz | XU1 | 3059/533mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 116 GiB total, 61.883 GiB free.
D: is FIXED (NTFS) - 116 GiB total, 106.564 GiB free.
E: is FIXED (NTFS) - 233 GiB total, 206.682 GiB free.
F: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Intel(R) 82578DC Gigabit Network Connection
Device ID: PCI\VEN_8086&DEV_10F0&SUBSYS_00368086&REV_06\3&11583659&0&C8
Manufacturer: Intel
Name: Intel(R) 82578DC Gigabit Network Connection
PNP Device ID: PCI\VEN_8086&DEV_10F0&SUBSYS_00368086&REV_06\3&11583659&0&C8
Service: e1kexpress
.
==== System Restore Points ===================
.
RP258: 15-Aug-12 1:39:19 PM - Installed AVG 2012
RP259: 15-Aug-12 1:39:54 PM - Installed AVG 2012
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
4Media Ringtone Maker
7-Zip 9.22beta
Adobe AIR
Adobe Community Help
Adobe Connect Add-in
Adobe Digital Editions
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Media Player
Adobe PageMaker 7.0
Adobe Photoshop CS5
Adobe Reader 9.4.3
Adobe Shockwave Player 11.5
Advanced Video Compressor 2012
Avro Keyboard 5.1.0
BanglaWord v1.9.0
DivX Setup
DjVu Viewer version 1.0
File Splitter and Joiner (FFSJ v3.3)
FlyteDownloadManager version 1.1.0.0
Golden Trails 3 The Guardians Creed 1.00
Google Chrome
Google Talk Plugin
Google Update Helper
ImagXpress
Intel(R) Desktop Utilities
Intel(R) Graphics Media Accelerator Driver
Intel(R) Integrator Assistant
Intel(R) IPP Run-Time Installer 5.2 for Windows* on IA-32
Intel(R) Management Engine Components
INTEX Game Camera
LG PC Suite
LG United Mobile Drivers
Malwarebytes Anti-Malware version 1.62.0.1300
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Reader
Microsoft Report Viewer Redistributable 2005
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft_VC100_CRT_SP1_x86
Microsoft_VC80_ATL_x86
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
Mozilla Firefox 12.0 (x86 en-US)
Mozilla Maintenance Service
MSVC80_x86_v2
MSVC90_x86
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 4.0 SP3 Parser
neroxml
PDF Settings CS5
PL-2303 USB-to-Serial
PowerDVD
Real Alternative 2.0.2
Realtek High Definition Audio Driver
Redemption Cemetery Grave Testimony - Menu Screen Saver
Roxio BackOnTrack
Roxio BackOnTrackPE
Roxio Burn - Secure
Roxio CinePlayer
Roxio CinePlayer Decoder Pack
Roxio Creator 2011 Pro
Roxio PhotoShow
Roxio Video Capture USB
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Skype™ 5.1
Smart File Advisor 1.1.1
SmartSound Common Data
SmartSound Quicktracks 5
System Requirements Lab for Intel
Update for 2007 Microsoft Office System (KB967642)
Update for Outlook 2007 Junk Email Filter (KB2522999)
USB Disk Win98 Driver
VC80CRTRedist - 8.0.50727.4053
Visual Studio 2008 x64 Redistributables
VLC media player 2.0.1
Webshots Desktop
Winamp
Winamp Detector Plug-in
Windows Media Player Firefox Plugin
WinRAR archiver
WinZip 12.0
Xilisoft AVI MPEG Joiner 2
Xilisoft Video Cutter
Yahoo! Messenger
.
==== Event Viewer Messages From Past Week ========
.
16-Aug-12 12:49:07 PM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147024891
16-Aug-12 12:49:07 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: %%-2147024891
16-Aug-12 12:47:44 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Roxio Hard Drive Watcher 12 service to connect.
16-Aug-12 12:47:14 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
16-Aug-12 12:47:12 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
16-Aug-12 12:47:11 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
16-Aug-12 10:09:12 AM, Error: Microsoft-Windows-DistributedCOM [10000] - Unable to start a DCOM Server: {46986115-84D6-459C-8F95-52DD653E532E}. The error: "740" Happened while starting this command: "C:\Program Files (x86)\Winamp\winamp.exe" -Embedding
15-Aug-12 3:21:19 PM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
15-Aug-12 3:21:19 PM, Error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error %%-1073473535.
15-Aug-12 12:12:47 AM, Error: Service Control Manager [7034] - The Roxio SAIB Service service terminated unexpectedly. It has done this 1 time(s).
14-Aug-12 9:21:36 PM, Error: Service Control Manager [7023] - The Windows Defender service terminated with the following error: The specified module could not be found.
14-Aug-12 9:20:15 PM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
14-Aug-12 9:19:53 PM, Error: Application Popup [1060] - \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
14-Aug-12 8:47:05 PM, Error: Service Control Manager [7031] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
14-Aug-12 8:47:03 PM, Error: Microsoft Antimalware [5008] -
14-Aug-12 5:39:13 PM, Error: Service Control Manager [7024] - The Windows Firewall service terminated with service-specific error Access is denied..
14-Aug-12 5:07:10 PM, Error: Service Control Manager [7023] - The Base Filtering Engine service terminated with the following error: Access is denied.
14-Aug-12 5:07:10 PM, Error: Service Control Manager [7001] - The Windows Firewall service depends on the Base Filtering Engine service which failed to start because of the following error: Access is denied.
14-Aug-12 5:06:07 PM, Error: Service Control Manager [7001] - The IPsec Policy Agent service depends on the Base Filtering Engine service which failed to start because of the following error: Access is denied.
14-Aug-12 5:06:07 PM, Error: Service Control Manager [7001] - The IKE and AuthIP IPsec Keying Modules service depends on the Base Filtering Engine service which failed to start because of the following error: Access is denied.
14-Aug-12 3:49:30 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Microsoft .NET Framework NGEN v4.0.30319_X86 service to connect.
11-Aug-12 1:37:36 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service VSS with arguments "" in order to run the server: {0B5A2C52-3EB9-470A-96E2-6C6D4570E40F}
11-Aug-12 1:28:03 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
11-Aug-12 1:24:12 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
11-Aug-12 1:22:26 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
11-Aug-12 1:22:26 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
11-Aug-12 1:22:25 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
11-Aug-12 1:22:19 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: avipbb avkmgr discache SaibVdAd64 spldr vpcvmm Wanarpv6
11-Aug-12 1:22:19 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
11-Aug-12 1:22:14 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
.
==== End Of File ===========================
 
Hello!

Please download and run TDSSKiller to your desktop as outlined below:

Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.


tdss_1.jpg


-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

tdss_2.jpg


------------------------

Click the Start Scan button.

tdss_3.jpg


-----------------------

If a suspicious object is detected, the default action will be Skip; click on Continue.
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.


tdss_4.jpg


----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.


--------------------

A report will be created in your root directory (usually the C:\ folder) in the form "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents in your next reply.
Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

-------------------

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip; click on Continue.
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
 
Thanks for your quick reply. :)
I tried copying the log file, but it was a large one, so as per your instruction I am attaching it to this reply.
 

Attachments
  • TDSSKiller.2.8.6.0_16.08.2012_17.24.24_log.txt (132.1 KB)
 
Please download aswMBR from here

  • Save aswMBR.exe to your Desktop
  • Double click aswMBR.exe to run it
  • Click the Scan button to start the scan as illustrated below

Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives.

  • Once the scan finishes click Save log to save the log to your Desktop

  • Copy and paste the contents of aswMBR.txt back here for review
 
Here is the aswMBR log file.

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-08-17 12:26:19
-----------------------------
12:26:19.263 OS Version: Windows x64 6.1.7601 Service Pack 1
12:26:19.263 Number of processors: 4 586 0x2505
12:26:19.263 ComputerName: DESKTOP-PC UserName: Desktop
12:26:21.229 Initialize success
13:01:35.637 AVAST engine defs: 12081601
13:13:07.903 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2
13:13:07.919 Disk 0 Vendor: ST3500418AS CC46 Size: 476940MB BusType: 3
13:13:07.919 Disk 0 MBR read successfully
13:13:07.935 Disk 0 MBR scan
13:13:07.966 Disk 0 Windows 7 default MBR code
13:13:07.981 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
13:13:07.997 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 119134 MB offset 206848
13:13:08.013 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 119235 MB offset 244193280
13:13:08.028 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 238469 MB offset 488386560
13:13:08.059 Disk 0 scanning C:\Windows\system32\drivers
13:13:17.981 Service scanning
13:13:33.550 Modules scanning
13:13:33.550 Disk 0 trace - called modules:
13:13:34.049 ntoskrnl.exe CLASSPNP.SYS disk.sys Sahdad64.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
13:13:34.049 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80048b7060]
13:13:34.049 3 CLASSPNP.SYS[fffff8800161743f] -> nt!IofCallDriver -> [0xfffffa800474ba20]
13:13:34.065 5 Sahdad64.sys[fffff8800199be25] -> nt!IofCallDriver -> [0xfffffa800463f520]
13:13:34.065 7 ACPI.sys[fffff88000d897a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0xfffffa8004640680]
13:13:39.135 AVAST engine scan C:\Windows
13:13:41.334 AVAST engine scan C:\Windows\system32
13:15:16.884 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
13:15:18.647 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
13:16:05.557 AVAST engine scan C:\Windows\system32\drivers
13:16:20.158 AVAST engine scan C:\Users\Desktop
13:18:24.459 AVAST engine scan C:\ProgramData
13:19:21.805 Scan finished successfully
13:19:33.240 Disk 0 MBR has been saved successfully to "C:\Users\Desktop\Desktop\MBR.dat"
13:19:33.240 The log file has been saved successfully to "C:\Users\Desktop\Desktop\aswMBR.txt"
 
Thought about mentioning one point: since yesterday my AVG free antivirus has also started popping up messages about c:\Windows\System32\services.exe being corrupted. I don't know if they are true or false positives, so I thought of adding the detection file.

Resident Shield detection
"Trojan horse Patched_c.LXT""c:\Windows\System32\services.exe""Object is white-listed (critical/system file that should not be removed)""17-Aug-12, 1:58:58 PM""file""C:\Windows\System32\svchost.exe"
"Trojan horse Patched_c.LXT""c:\Windows\System32\services.exe""Object is white-listed (critical/system file that should not be removed)""17-Aug-12, 1:26:16 PM""file""C:\Windows\System32\svchost.exe"
 
New log from ComboFix

We would like to see a ☆new log☆ from ComboFix. Please find the ComboFix icon on your Desktop, and double-click on it. Once it finishes running, post the new log.
 
Below is the new ComboFix log, which I ran this morning.

ComboFix 12-08-17.03 - Desktop 18-Aug-12 10:06:26.3.4 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3893.2585 [GMT 5.5:30]
Running from: c:\users\Desktop\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
c:\windows\Installer\{589e96b4-2f37-e487-882e-05eb34b2f5bb}\@
c:\windows\Installer\{589e96b4-2f37-e487-882e-05eb34b2f5bb}\L\00000004.@
c:\windows\Installer\{589e96b4-2f37-e487-882e-05eb34b2f5bb}\U\00000004.@
c:\windows\Installer\{589e96b4-2f37-e487-882e-05eb34b2f5bb}\U\00000008.@
c:\windows\Installer\{589e96b4-2f37-e487-882e-05eb34b2f5bb}\U\000000cb.@
c:\windows\Installer\{589e96b4-2f37-e487-882e-05eb34b2f5bb}\U\80000000.@
c:\windows\Installer\{589e96b4-2f37-e487-882e-05eb34b2f5bb}\U\80000032.@
c:\windows\Installer\{589e96b4-2f37-e487-882e-05eb34b2f5bb}\U\80000064.@
.
Infected copy of c:\windows\system32\services.exe was found and disinfected
Restored copy from - c:\windows\erdnt\cache64\services.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-07-18 to 2012-08-18 )))))))))))))))))))))))))))))))
.
.
2012-08-18 04:40 . 2012-08-18 04:40--------d-----w-c:\users\Guest\AppData\Local\temp
2012-08-18 04:40 . 2012-08-18 04:40--------d-----w-c:\users\Default\AppData\Local\temp
2012-08-18 04:40 . 2012-08-18 04:40--------d-----w-c:\users\Administrator\AppData\Local\temp
2012-08-17 08:35 . 2012-08-17 08:35--------d-----w-c:\program files (x86)\Common Files\Java
2012-08-17 08:35 . 2012-08-17 08:34821736----a-w-c:\windows\SysWow64\npDeployJava1.dll
2012-08-17 08:35 . 2012-08-17 08:3495208----a-w-c:\windows\SysWow64\WindowsAccessBridge-32.dll
2012-08-17 08:34 . 2012-08-17 08:34--------d-----w-c:\program files (x86)\Java
2012-08-16 05:17 . 2012-08-16 08:41--------d-----w-c:\program files\Recuva
2012-08-15 08:11 . 2012-08-15 08:11--------d-----w-c:\users\Desktop\AppData\Roaming\AVG2012
2012-08-15 08:10 . 2012-08-18 04:27--------d-----w-c:\programdata\AVG2012
2012-08-15 08:10 . 2012-08-18 04:25--------d-----w-C:\$AVG
2012-08-15 08:07 . 2012-08-15 08:07--------d--h--w-c:\programdata\Common Files
2012-08-15 08:07 . 2012-08-18 04:25--------d-----w-c:\programdata\MFAData
2012-08-15 06:21 . 2012-07-15 21:109133488----a-w-c:\programdata\Microsoft\Windows Defender\Definition Updates\{31259DA6-BF84-4755-8713-068D445F5CAA}\mpengine.dll
2012-08-15 05:49 . 2012-06-02 22:192428952----a-w-c:\windows\system32\wuaueng.dll
2012-08-15 05:49 . 2012-06-02 22:1957880----a-w-c:\windows\system32\wuauclt.exe
2012-08-15 05:49 . 2012-06-02 22:1944056----a-w-c:\windows\system32\wups2.dll
2012-08-15 05:49 . 2012-06-02 22:152622464----a-w-c:\windows\system32\wucltux.dll
2012-08-15 05:49 . 2012-06-02 22:1938424----a-w-c:\windows\system32\wups.dll
2012-08-15 05:49 . 2012-06-02 22:19701976----a-w-c:\windows\system32\wuapi.dll
2012-08-15 05:49 . 2012-06-02 22:1599840----a-w-c:\windows\system32\wudriver.dll
2012-08-15 05:49 . 2012-06-02 09:49186752----a-w-c:\windows\system32\wuwebv.dll
2012-08-15 05:49 . 2012-06-02 09:4536864----a-w-c:\windows\system32\wuapp.exe
2012-08-11 13:29 . 2012-08-11 13:29--------d-----w-c:\users\Desktop\AppData\Local\SymbolSourceSymbols
2012-08-11 13:29 . 2012-08-11 13:29--------d-----w-c:\users\Desktop\AppData\Local\RefSrcSymbols
2012-08-11 13:29 . 2012-08-11 13:29--------d-----w-c:\users\Desktop\AppData\Local\JetBrains
2012-08-11 13:29 . 2012-08-11 13:29--------d-----w-c:\users\Desktop\AppData\Roaming\JetBrains
2012-08-11 13:00 . 2012-08-11 13:00--------d-----w-c:\windows\SysWow64\1082
2012-08-11 13:00 . 2012-08-11 13:00679936----a-w-c:\windows\system32\Rede1389.scr
2012-08-11 13:00 . 2012-08-11 13:00679936------w-c:\windows\SysWow64\Rede1389.scr
2012-08-11 13:00 . 2012-08-11 13:00--------d-----w-c:\programdata\Screentime
2012-08-11 13:00 . 2012-08-11 13:00--------d-----w-c:\users\Desktop\AppData\Local\Screentime
2012-08-11 12:57 . 2012-08-11 12:57--------d-----w-c:\windows\SysWow64\1081
2012-08-11 09:39 . 2012-08-11 09:39--------d-----w-c:\windows\SysWow64\1080
2012-08-11 08:46 . 2012-08-14 12:17--------d-----w-c:\windows\SysWow64\1079
2012-08-11 08:10 . 2012-08-11 08:10--------d-----w-c:\windows\ehome
2012-08-11 08:10 . 2012-08-11 08:10--------d-----w-c:\users\Default\AppData\Roaming\Media Center Programs
2012-08-11 08:01 . 2012-08-11 08:01--------d-----w-c:\windows\SysWow64\1078
2012-08-11 07:52 . 2012-08-11 07:52--------d-----w-c:\windows\SysWow64\1076
2012-08-10 09:47 . 2012-08-10 09:47--------d-----w-c:\windows\SysWow64\1075
2012-08-10 09:33 . 2012-08-10 09:33--------d-----w-c:\windows\SysWow64\1074
2012-08-10 09:08 . 2012-08-10 09:08--------d-----w-c:\windows\SysWow64\1073
2012-08-10 09:05 . 2012-08-10 09:05--------d-----w-c:\windows\SysWow64\1072
2012-08-10 08:53 . 2012-08-10 08:53--------d-----w-c:\windows\SysWow64\1071
2012-08-10 08:34 . 2012-08-10 08:34--------d-----w-c:\windows\SysWow64\1070
2012-08-10 08:32 . 2012-08-10 08:32--------d-----w-c:\users\Desktop\AppData\Roaming\flashInstall
2012-08-10 07:08 . 2012-08-10 07:09--------d-----w-c:\users\Desktop\AppData\Roaming\PE Explorer
2012-08-10 06:38 . 2012-08-10 06:38--------d-----w-c:\windows\SysWow64\1069
2012-08-10 06:30 . 2012-08-10 06:30--------d-----w-c:\windows\SysWow64\1068
2012-08-10 06:19 . 2012-08-10 06:19--------d-----w-c:\windows\SysWow64\1067
2012-08-10 06:18 . 2012-08-10 06:18--------d-----w-c:\windows\SysWow64\1066
2012-08-10 06:15 . 2012-08-14 12:17--------d-----w-c:\windows\SysWow64\1065
2012-08-09 11:26 . 2012-08-09 11:26--------d-----w-c:\windows\SysWow64\1064
2012-08-09 10:24 . 2012-08-09 10:24--------d-----w-c:\windows\SysWow64\1063
2012-08-09 10:24 . 2012-08-09 10:24--------d-----w-c:\windows\SysWow64\1062
2012-08-09 10:10 . 2012-08-09 10:10--------d-----w-c:\windows\SysWow64\1061
2012-08-09 10:09 . 2012-08-09 10:09--------d-----w-c:\windows\SysWow64\1060
2012-08-09 10:01 . 2012-08-09 10:01--------d-----w-c:\windows\SysWow64\1059
2012-08-09 10:00 . 2012-08-09 10:00--------d-----w-c:\windows\SysWow64\1058
2012-08-09 09:59 . 2012-08-09 09:59--------d-----w-c:\windows\SysWow64\1057
2012-08-06 10:56 . 2011-11-09 12:08189608----a-w-c:\windows\system32\IPROSetMonitor.exe
2012-08-06 10:56 . 2012-08-06 10:56--------d-----w-c:\program files\Intel
2012-08-06 10:54 . 2012-02-01 21:13509104----a-w-c:\windows\system32\drivers\e1k62x64.sys
2012-08-06 10:54 . 2012-01-19 21:1199520----a-w-c:\windows\system32\NicInstK.dll
2012-08-06 10:54 . 2012-01-18 21:0768264----a-w-c:\windows\system32\e1kmsg.dll
2012-08-02 14:33 . 2012-06-18 08:0419032------w-c:\windows\system32\pwdrvio.sys
2012-08-02 14:33 . 2012-06-18 08:042966720----a-w-c:\windows\system32\pwNative.exe
2012-08-02 14:33 . 2012-06-18 08:0412384------w-c:\windows\system32\pwdspio.sys
2012-08-01 13:20 . 2012-08-03 02:56--------d-----w-c:\users\Desktop\.android
2012-08-01 13:12 . 2012-08-01 13:12--------d-----w-c:\program files\Oracle
2012-08-01 13:12 . 2012-08-01 13:11268784----a-w-c:\windows\system32\javaws.exe
2012-08-01 13:12 . 2012-08-01 13:11189424----a-w-c:\windows\system32\javaw.exe
2012-08-01 13:12 . 2012-08-01 13:11188912----a-w-c:\windows\system32\java.exe
2012-08-01 13:10 . 2012-08-01 13:11--------d-----w-c:\program files\Java
2012-08-01 13:10 . 2012-08-02 14:04--------d-----w-c:\users\Desktop\jdk1.7.0_05_combo
2012-07-27 13:39 . 2012-08-02 18:03--------d-----w-c:\programdata\LGMOBILEAX
2012-07-26 11:49 . 2012-07-26 11:55--------d-----w-c:\program files (x86)\YourFileDownloader
2012-07-26 11:49 . 2012-07-26 11:49--------d-----w-c:\users\Desktop\AppData\Roaming\YourFileDownloader
2012-07-25 15:15 . 2012-07-25 15:15--------d-----w-c:\program files (x86)\LG Electronics
2012-07-25 14:31 . 2012-08-02 18:33--------d-----w-c:\users\Desktop\AppData\Roaming\LG Electronics
2012-07-25 14:30 . 2012-07-25 14:30--------d-----w-c:\users\Desktop\AppData\Local\LG Electronics
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-17 08:34 . 2011-02-22 05:31746984----a-w-c:\windows\SysWow64\deployJava1.dll
2012-08-16 04:37 . 2012-04-04 06:17426184----a-w-c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-16 04:37 . 2011-06-02 02:3970344----a-w-c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-09 06:36 . 2009-07-13 23:19328704----a-w-c:\windows\system32\services.exe
2012-07-03 08:16 . 2011-06-14 07:2924904----a-w-c:\windows\system32\drivers\mbam.sys
2012-06-06 04:06 . 2012-06-06 04:062174976----a-w-c:\program files (x86)\Common Files\atimpenc.dll
2012-05-31 06:55 . 2011-02-21 14:37279656------w-c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0BC6E3FA-78EF-4886-842C-5A1258C4455A}"= "mscoree.dll" [2010-11-05 297808]
.
[HKEY_CLASSES_ROOT\clsid\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
[HKEY_CLASSES_ROOT\agihelper.AGUtils]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
2010-11-05 01:58297808----a-w-c:\windows\System32\mscoree.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"Smart File Advisor"="c:\program files (x86)\Smart File Advisor\sfa.exe" [2011-04-04 280824]
"RoxWatchTray"="c:\program files (x86)\Common Files\Roxio Shared\13.0\SharedCOM\RoxWatchTray13.exe" [2010-07-16 307184]
"CPMonitor"="c:\program files (x86)\Roxio 2011\5.0\CPMonitor.exe" [2010-07-13 84464]
"Desktop Disc Tool"="c:\program files (x86)\Roxio 2011\Roxio Burn\RoxioBurnLauncher.exe" [2010-06-30 477680]
"Malwarebytes' Anti-Malware"="d:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
c:\users\Desktop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Webshots.lnk - c:\program files (x86)\Webshots\3.1.5.7619\Launcher.exe [2011-9-12 157088]
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 MBAMService;MBAMService;d:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944]
R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\13.0\SharedCOM\RoxWatch13.exe [2010-07-16 354288]
R2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2009-12-09 2320920]
R3 andnetadb;ADB Interface DriverNet;c:\windows\system32\Drivers\lgandnetadb.sys [2012-03-06 31744]
R3 AndNetDiag;LGE AndroidNet USB Serial Port;c:\windows\system32\DRIVERS\lgandnetdiag64.sys [2012-03-06 29184]
R3 ANDNetModem;LGE AndroidNet USB Modem;c:\windows\system32\DRIVERS\lgandnetmodem64.sys [2012-03-06 36352]
R3 andnetndis;LGE AndroidNet NDIS Ethernet Adapter;c:\windows\system32\DRIVERS\lgandnetndis64.sys [2012-03-06 93184]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-14 113120]
R3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2012-06-18 19032]
R3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2012-06-18 12384]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 20992]
R3 RoxMediaDB13;RoxMediaDB13;c:\program files (x86)\Common Files\Roxio Shared\13.0\SharedCOM\RoxMediaDB13.exe [2010-07-16 1099248]
R3 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 Synth3dVsc;Synth3dVsc; [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 tsusbhub;tsusbhub; [x]
R3 VGPU;VGPU; [x]
R3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\DRIVERS\vpcuxd.sys [2010-11-20 16384]
R3 vvftav303;vvftav303;c:\windows\system32\drivers\vvftav303.sys [2007-03-18 301824]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-12-05 1255736]
R3 ZSMC0303;INTEX Game Camera;c:\windows\system32\Drivers\usbVM303.sys [2007-03-25 1494656]
R4 Ireniceaesse;Ireniceaesse; [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2010-03-18 55856]
S0 Sahdad64;HDD Filter Driver;c:\windows\System32\Drivers\Sahdad64.sys [2009-06-01 27120]
S0 Saibad64;Volume Filter Driver;c:\windows\System32\Drivers\Saibad64.sys [2009-06-01 19952]
S1 SaibVdAd64;Virtual Disk Driver;c:\windows\system32\Drivers\SaibVdAd64.sys [2009-06-01 27632]
S2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files (x86)\Roxio\BackOnTrack\App\SaibSVC.exe [2009-06-02 457200]
S2 AGCoreService;AG Core Services;c:\program files (x86)\AGI\core\4.2.0.10754\AGCoreService.exe [2010-06-29 20480]
S2 BOT4Service;BOT4Service;c:\program files (x86)\Roxio\BackOnTrack\App\BService.exe [2010-07-13 32240]
S2 Intel(R) PROSet Monitoring Service;Intel(R) PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [2011-11-09 189608]
S3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k62x64.sys [2012-02-01 509104]
S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-02-03 271872]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-30 c:\windows\Tasks\SidebarExecute.job
- c:\program files\Windows Sidebar\sidebar.exe [2011-04-09 13:25]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-11 162328]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-11 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-11 417304]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-07-07 12558440]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.co.in/
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{C3D5A4FB-98D0-46EC-8865-32390EE39FB8}: NameServer = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\users\Desktop\AppData\Roaming\Mozilla\Firefox\Profiles\zpqxsszw.default\
FF - prefs.js: browser.startup.homepage - www.google.co.in
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{7B13EC3E-999A-4B70-B9CB-2617B8323822} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-msthnv - (no file)
HKLM-Run-wladmg - (no file)
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-Adobe Connect Add-in - c:\users\Desktop\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\connectaddin\connectaddin.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\software\Network Associates]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
.
**************************************************************************
.
Completion time: 2012-08-18 10:14:22 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-18 04:44
ComboFix2.txt 2012-08-14 15:54
.
Pre-Run: 64,101,474,304 bytes free
Post-Run: 64,003,125,248 bytes free
.
- - End Of File - - 98FA337365362CC746FE14B943863608
 
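The aswMBR and ComboFix logs above point at the same ZeroAccess/Sirefef artefacts: the fake Desktop.ini files in the GAC folders, the Installer\{GUID} store of "@" files, and the patched services.exe. As an added example that is not part of the thread and not code from aswMBR, ComboFix or any other tool used here, the Python script below parses aswMBR's log format and classifies ComboFix deletion paths against those indicator families; the sample input is constructed from the formats seen in the thread, and the family labels (gac_desktop_ini and so on) are my own.

```python
"""Triage helper for the aswMBR and ComboFix output posted in this thread.
Added example, not part of the thread or of aswMBR, ComboFix or any other tool used
here: it parses aswMBR's timestamped log format and classifies file paths (ComboFix's
"Other Deletions" list) against the ZeroAccess/Sirefef artefact families both logs
show. All sample input below is constructed from the formats seen in the thread."""
import re
from dataclasses import dataclass, field

# aswMBR lines look like "HH:MM:SS.mmm message"; header lines carry no timestamp.
ASWMBR_LINE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3}) (.*)$")
ASWMBR_INFECTED = re.compile(r"^File: (?P<path>.+?) \*\*INFECTED\*\* (?P<name>\S+)(?: \[\w+\])?$")
ASWMBR_PARTITION = re.compile(
    r"^Disk (?P<disk>\d+) Partition (?P<num>\d+) (?P<boot>[0-9A-F]{2}) "
    r"(?:\(A\) )?(?P<type>[0-9A-F]{2}) (?P<fs>.+?) (?P<size>\d+) MB offset (?P<offset>\d+)$")

# Artefacts the thread's ComboFix and Kaspersky output tie to ZeroAccess: the fake
# Desktop.ini in the .NET GAC folders, the Installer\{GUID} "@" store, patched services.exe.
ZEROACCESS_INDICATORS = [
    ("gac_desktop_ini", re.compile(r"\\windows\\assembly\\GAC_(?:32|64)\\Desktop\.ini$", re.I)),
    ("installer_guid_store", re.compile(
        r"\\windows\\Installer\\\{[0-9a-f-]{36}\}\\(?:@|[LU]\\[0-9a-f]{8}\.@)$", re.I)),
    ("services_exe", re.compile(r"\\windows\\system32\\services\.exe$", re.I)),
]

@dataclass
class AswMbrReport:
    os_version: str = ""
    mbr_code: str = ""
    partitions: list = field(default_factory=list)
    infected: list = field(default_factory=list)       # (path, detection name)
    trace_modules: list = field(default_factory=list)  # driver stack below the boot disk

def parse_aswmbr_log(text):
    report, expect_modules = AswMbrReport(), False
    for raw in text.splitlines():
        m = ASWMBR_LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group(2)
        if expect_modules:
            # The line after "Disk N trace - called modules:" lists the storage stack.
            # An unexpected filter driver here is what an MBR rootkit scanner looks for,
            # but legitimate filters appear too, hence the helper's "review first" note.
            report.trace_modules, expect_modules = msg.split(), False
        elif msg.startswith("OS Version: "):
            report.os_version = msg[len("OS Version: "):]
        elif re.match(r"^Disk \d+ .*MBR code$", msg):
            report.mbr_code = msg.split(" ", 2)[2]
        elif (p := ASWMBR_PARTITION.match(msg)):
            report.partitions.append({
                "disk": int(p["disk"]), "num": int(p["num"]), "bootable": p["boot"] == "80",
                "type": p["type"], "size_mb": int(p["size"]), "offset": int(p["offset"])})
        elif (inf := ASWMBR_INFECTED.match(msg)):
            report.infected.append((inf["path"], inf["name"]))
        elif msg.endswith("trace - called modules:"):
            expect_modules = True
    return report

def classify_path(path):
    """Return the ZeroAccess indicator family a path matches, or None."""
    return next((name for name, rx in ZEROACCESS_INDICATORS if rx.search(path)), None)

def zeroaccess_assessment(report, deleted_paths):
    """Combine aswMBR detections with a ComboFix deletion list into one verdict."""
    families = set()
    for path, name in report.infected:
        if name.lower().startswith("win32:sirefef"):  # Avast's family name for ZeroAccess
            families.add("av_sirefef_detection")
        if (fam := classify_path(path)):
            families.add(fam)
    for path in deleted_paths:
        if (fam := classify_path(path)):
            families.add(fam)
    # Corroborating artefact families beat a single AV hit, which alone may be a false positive.
    return {"families": sorted(families), "consistent_with_zeroaccess": len(families) >= 2}

# Constructed sample in aswMBR's format, shortened from the log in the thread.
SAMPLE_ASWMBR = (
    "aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software\n"
    "12:26:19.263 OS Version: Windows x64 6.1.7601 Service Pack 1\n"
    "13:13:07.966 Disk 0 Windows 7 default MBR code\n"
    "13:13:07.981 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048\n"
    "13:13:07.997 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 119134 MB offset 206848\n"
    "13:13:33.550 Disk 0 trace - called modules:\n"
    "13:13:34.049 ntoskrnl.exe CLASSPNP.SYS disk.sys Sahdad64.sys ACPI.sys ataport.SYS\n"
    "13:15:16.884 File: C:\\Windows\\assembly\\GAC_32\\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]\n"
    "13:15:18.647 File: C:\\Windows\\assembly\\GAC_64\\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]\n"
    "13:19:21.805 Scan finished successfully\n"
)

# Constructed sample of ComboFix "Other Deletions" paths from the thread, plus one
# benign path from the same log (npDeployJava1.dll) for contrast.
SAMPLE_COMBOFIX_DELETIONS = [
    r"c:\windows\assembly\GAC_32\Desktop.ini",
    r"c:\windows\Installer\{589e96b4-2f37-e487-882e-05eb34b2f5bb}\@",
    r"c:\windows\Installer\{589e96b4-2f37-e487-882e-05eb34b2f5bb}\L\00000004.@",
    r"c:\windows\Installer\{589e96b4-2f37-e487-882e-05eb34b2f5bb}\U\80000032.@",
    r"c:\windows\system32\services.exe",
    r"c:\windows\SysWow64\npDeployJava1.dll",
]
```

Run `zeroaccess_assessment(parse_aswmbr_log(SAMPLE_ASWMBR), SAMPLE_COMBOFIX_DELETIONS)` to get the verdict for the constructed sample; feeding it the full logs from the thread works the same way.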
There are other potentially serious infections on your computer. Time to bring out a power tool... *nerd*

Kaspersky Virus Removal Tool

The Kaspersky Virus Removal Tool is a scan-and-remove solution from Kaspersky that searches out the most common malware and attempts to remove it from your computer.

Please download the Kaspersky Virus Removal Tool from Kaspersky's Official Link and save it to your Desktop.

  • Double-click the Setup file to install it on your computer.
  • Once it has installed, review and accept the agreement and press the Start button.
  • You will be presented with the main interface, but don't scan yet; click the options tab (gear icon).
  • On the Scan Scope tab, make sure to checkmark all the options, except for the CD/DVD drive.
  • On the Security Level tab, make sure to move the slider up, denoting "Current Security Level: High".
  • Now, go back to the Automatic Scan tab, and choose "Start Scanning". It may take several hours to complete. Please allow it to do so.
  • Once done scanning, choose the Report tab (page icon), select the Detected Threats tab on the left, and choose Disinfect All.
  • Then, choose Save. Also, in the Automatic Report tab, select Save.
  • Please post the reports in your next reply.
  • Once you exit, the tool should uninstall automatically.
 
Solved the Bband problem & ran the tool. :) (It took more than 2 hrs.)
This is the detected threats report:
Time | Status | Type | Name | Object | Severity
Status: Disinfected (events: 1)
20-Aug-12 2:36:37 PM | Disinfected | virus | Virus.Win64.ZAccess.a | C:\Qoobox\Quarantine\C\Windows\System32\services.exe.vir | High
Status: Deleted (events: 5)
20-Aug-12 2:36:16 PM | Deleted | Trojan program | Trojan.Win32.Miner.dw | C:\Qoobox\Quarantine\C\Windows\Installer\{589e96b4-2f37-e487-882e-05eb34b2f5bb}\U\00000008.@.vir | High
20-Aug-12 2:36:16 PM | Deleted | Trojan program | Trojan.Win32.Miner.dw | C:\Qoobox\Quarantine\C\Windows\Installer\{589e96b4-2f37-e487-882e-05eb34b2f5bb}\U\00000008.@.vir//data0000.res | High
20-Aug-12 2:36:03 PM | Deleted | Trojan program | Backdoor.Win32.ZAccess.mbs | C:\Qoobox\Quarantine\C\Windows\Installer\{589e96b4-2f37-e487-882e-05eb34b2f5bb}\U\000000cb.@.vir | High
20-Aug-12 2:36:16 PM | Deleted | Trojan program | Backdoor.Win32.ZAccess.xul | C:\Qoobox\Quarantine\C\Windows\Installer\{589e96b4-2f37-e487-882e-05eb34b2f5bb}\U\80000032.@.vir | High
20-Aug-12 2:36:16 PM | Deleted | Trojan program | Backdoor.Win32.ZAccess.xuk | C:\Qoobox\Quarantine\C\Windows\Installer\{589e96b4-2f37-e487-882e-05eb34b2f5bb}\U\80000064.@.vir | High
Status: Quarantined (events: 1)
20-Aug-12 2:35:56 PM | Quarantined | Trojan program | HEUR:Backdoor.Win64.Generic | C:\Qoobox\Quarantine\C\Windows\Installer\{589e96b4-2f37-e487-882e-05eb34b2f5bb}\U\80000000.@.vir | High
Status: Vulnerability (events: 12)
20-Aug-12 2:06:51 PM | Vulnerability | vulnerability | http://www.securelist.com/en/advisories/48457 | C:\Program Files\Adobe\Adobe Photoshop CS5 (64 Bit)\Photoshop.exe | Low
20-Aug-12 2:09:51 PM | Vulnerability | vulnerability | http://www.securelist.com/en/advisories/48457 | C:\Program Files (x86)\Adobe\Adobe Photoshop CS5\Photoshop.exe | Low
20-Aug-12 2:10:33 PM | Vulnerability | vulnerability | http://www.securelist.com/en/advisories/47133 | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | Low
20-Aug-12 2:15:09 PM | Vulnerability | vulnerability | http://www.securelist.com/en/advisories/49835 | C:\Program Files (x86)\VideoLAN\VLC\vlc-cache-gen.exe | Low
20-Aug-12 2:15:09 PM | Vulnerability | vulnerability | http://www.securelist.com/en/advisories/49835 | C:\Program Files (x86)\VideoLAN\VLC\vlc.exe | Low
20-Aug-12 2:15:22 PM | Vulnerability | vulnerability | http://www.securelist.com/en/advisories/46624 | C:\Program Files (x86)\Winamp\winamp.exe | Low
20-Aug-12 2:48:12 PM | Vulnerability | vulnerability | http://www.securelist.com/en/advisories/50283 | C:\Windows\SysWOW64\Adobe\Shockwave 11\SwInit.exe | Low
20-Aug-12 3:15:55 PM | Vulnerability | vulnerability | http://www.securelist.com/en/advisories/47133 | c:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | Low
20-Aug-12 3:16:13 PM | Vulnerability | vulnerability | http://www.securelist.com/en/advisories/48457 | c:\Program Files\Adobe\Adobe Photoshop CS5 (64 Bit)\Photoshop.exe | Low
20-Aug-12 3:16:21 PM | Vulnerability | vulnerability | http://www.securelist.com/en/advisories/46624 | c:\Program Files (x86)\Winamp\winamp.exe | Low
20-Aug-12 3:16:56 PM | Vulnerability | vulnerability | http://www.securelist.com/en/advisories/49835 | c:\Program Files (x86)\VideoLAN\VLC\vlc.exe | Low
20-Aug-12 3:20:26 PM | Vulnerability | vulnerability | http://www.securelist.com/en/advisories/48457 | c:\program files\Adobe\adobe photoshop cs5 (64 bit)\photoshop.exe | Low
 
It is mentioned in the rules not to attach or zip any report, but the Kaspersky Virus Removal Tool ran for more than 2 hours and the report generated was a whopping 108 MB in Notepad. I tried to split the report and then copy it, but my browser froze every time I tried to do that, so I tried zipping it, but the forum won't let me upload it, saying it is a very large zip file. :(

Please let me know how I can post the scan report in the forum. :confused:
 
That's okay. It looked like most of it found quarantined files anyway.

Any more issues?

We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

Many of the things to note for us would be:

  • Slow computer
  • Error messages
  • Fake antivirus alerts or the icon in the system tray
  • svchost.exe running at 100%
  • System crashes or blue screen of death
 
No, Thank You......No more issues at present !!!! :)

After running ComboFix for the second time and applying all the tools you recommended, my PC is back to normal. Firewall, Defender and Action Center are back to normal, and Windows has again started updating itself. Thanks once again!!! :D
 
Let's finish up now... so you can prevent malware.

Clean up System Restore

Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

To manually create a new Restore Point
  • Go to Control Panel and select System and Maintenance
  • Select System
  • On the left select Advanced System Settings and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name, e.g. Clean
  • Select Create
Now we can purge the infected ones
  • Go back to the System and Maintenance page
  • Select Performance Information and Tools
  • On the left select Open Disk Cleanup
  • Select Files from all users and accept the warning if you get one
  • In the drop-down box select your main drive, e.g. C:
  • For a few moments the system will make some calculations.
  • Select the More Options tab
  • In the System Restore and Shadow Backups select Clean up
  • Select Delete on the pop up
  • Select OK
  • Select Delete

Run OTC to remove our tools

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Purge old temporary files

Download CCleaner Slim and save it to your Desktop - Alternate download link

When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
Follow the prompts to install the program.

  • Double-click the CCleaner shortcut on the desktop to start the program.
  • Click on the Options block on the left, then choose Cookies.
  • Under Cookies to Delete, highlight any cookies you would like to retain permanently.
  • Click the right arrow > to move them to the Cookies to Keep window.
  • Go into Options > Advanced and uncheck "Only delete files in Windows Temp folders older than 48 hours".
  • Click Cleaner on the left, then Run Cleaner on the right to run the program.
  • Important: Make sure that ALL browser windows are closed before selecting Run Cleaner.

Caution: Only use the Registry feature if you are very familiar with the registry.
Always back up your registry before making any changes. Exit CCleaner after it has completed its process.

Security Check

Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Tell me in your next reply, if you have completed these tasks:
  • Cleaned System Restore
  • Ran OTC
  • Ran CCleaner
  • Ran Security Check
Also, let me know how your computer is running, and don't forget to post the contents of the Security Check log.
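The restore-point cleanup above, as a script for anyone who would rather run it from an elevated PowerShell prompt than click through Disk Cleanup. This is an added example, not part of the original thread and not code from any of the tools it mentions. It assumes the system drive is C: and names the new point "Clean", as the manual steps do; both values are mine. It creates the point, checks that it really is the newest one on record, and then deletes every other shadow copy on that volume, which is what Disk Cleanup's "System Restore and Shadow Copies" button does.

```powershell
# Added example (not from the thread): script equivalent of the
# "Clean up System Restore" steps. Run from an elevated PowerShell prompt.
# Assumptions, mine not the thread's: system drive C:, new point named "Clean".
$Drive = 'C:'
$Name  = 'Clean'

# WMI reports times as DMTF strings (yyyymmddHHMMSS.ffffff+zzz); convert for display/sorting.
function ConvertFrom-WmiDate([string]$dmtf) {
    [Management.ManagementDateTimeConverter]::ToDateTime($dmtf)
}

# 1. Create the new restore point. MODIFY_SETTINGS is one of the documented
#    RestorePointType values; any of them is fine for a manual checkpoint.
Checkpoint-Computer -Description $Name -RestorePointType 'MODIFY_SETTINGS'

# Refuse to delete anything unless the new point is really the newest on record.
$newest = Get-ComputerRestorePoint | Sort-Object SequenceNumber | Select-Object -Last 1
if (-not $newest -or $newest.Description -ne $Name) {
    throw "Restore point '$Name' was not created (is System Protection enabled on $Drive?)"
}
"Created restore point #{0} '{1}' at {2}" -f $newest.SequenceNumber, $newest.Description,
    (ConvertFrom-WmiDate $newest.CreationTime)

# 2. Restore points are stored in Volume Shadow Copies. Map the drive letter to its
#    volume GUID path, then list that volume's shadow copies oldest-first.
#    @() forces an array even when only one copy exists (PowerShell 2.0 on Windows 7).
$volume  = Get-WmiObject Win32_Volume -Filter "DriveLetter = '$Drive'"
$shadows = @(Get-WmiObject Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volume.DeviceID } |
    Sort-Object { ConvertFrom-WmiDate $_.InstallDate })

if ($shadows.Count -lt 2) {
    "Only {0} shadow copy on {1}; nothing older to purge." -f $shadows.Count, $Drive
    return
}

# 3. Keep the newest copy (it holds the 'Clean' point) and delete all the others.
$keep  = $shadows[-1]
$purge = $shadows[0..($shadows.Count - 2)]
foreach ($s in $purge) {
    "Deleting shadow copy {0} created {1}" -f $s.ID, (ConvertFrom-WmiDate $s.InstallDate)
    $s.Delete()   # removes the shadow copy, and with it the restore point it backs
}
"Kept shadow copy {0} created {1}" -f $keep.ID, (ConvertFrom-WmiDate $keep.InstallDate)
```

Two caveats worth knowing before running it: Win32_ShadowCopy lists every shadow copy on the volume, not only the ones System Restore made, so any "Previous Versions" file history on the drive goes with them, exactly as it does with the Disk Cleanup button. And the script deliberately aborts if the new point cannot be confirmed, so that a machine with System Protection switched off (a common side effect of the kind of infection discussed in this thread) is never left with no restore point at all.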
 
I have performed all the tasks you mentioned:
  • Cleaned System Restore
  • Ran OTC
  • Ran CCleaner
  • Ran Security Check
Below is the checkup log. But I would like to mention one thing: my Security Center service is up and working. I have checked in the Services menu, and it is shown to be working, and also my Adobe Reader is up to date. Don't know why it is mentioned as outdated! :confused:

Results of screen317's Security Check version 0.99.46
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
AVG Anti-Virus Free Edition 2012
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Secunia PSI (3.0.0.3001)
Malwarebytes Anti-Malware version 1.62.0.1300
Java 7 Update 6
Adobe Reader 9 Adobe Reader out of Date!
Mozilla Firefox (14.0.1)
Google Chrome 21.0.1180.60
Google Chrome 21.0.1180.79
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamgui.exe
AVG avgwdsvc.exe
AVG avgtray.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````
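An added example (not from the thread) that cross-checks three things the Security Check log above reports: whether the Security Center service and the other services this kind of infection disables actually exist and are running, what Security Center itself records for the installed antivirus, and which Adobe Reader and Google Chrome versions are really present in the Uninstall registry keys. The service list, the registry paths and the productState bit-field decoding are my choices, based on how those interfaces are commonly documented, not on anything the thread states. Run it from an elevated PowerShell prompt on Windows 7 x64, the OS in the log.

```powershell
# Added example (not from the thread): cross-check what Security Check reported.
# Run from an elevated PowerShell prompt on Windows 7 x64. The service list,
# registry paths and productState decoding below are my assumptions, not the thread's.

# 1. Services a ZeroAccess-class infection typically stops or deletes.
#    0x80070424 is ERROR_SERVICE_DOES_NOT_EXIST: the service is gone, not just stopped,
#    so "MISSING" below is the state that error code corresponds to.
$services = @{
    'wscsvc'    = 'Security Center'
    'MpsSvc'    = 'Windows Firewall'
    'BFE'       = 'Base Filtering Engine (firewall dependency)'
    'WinDefend' = 'Windows Defender'
    'wuauserv'  = 'Windows Update'
}
foreach ($name in $services.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        "{0,-10} MISSING              ({1})" -f $name, $services[$name]
        continue
    }
    $mode = (Get-WmiObject Win32_Service -Filter "Name = '$name'").StartMode
    "{0,-10} {1,-8} start={2,-9} ({3})" -f $name, $svc.Status, $mode, $services[$name]
}

# 2. What Security Center itself records for antivirus products. productState is a
#    bit field (commonly documented, not from the thread): byte 1 = 0x10 means
#    real-time protection on; byte 0 = 0x00 means definitions current, 0x10 means stale.
#    No shift operators are used so this also runs on PowerShell 2.0.
Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue |
    ForEach-Object {
        $state   = [int]$_.productState
        $enabled = (($state -band 0xFF00) -eq 0x1000)
        $current = (($state -band 0x00FF) -eq 0x0000)
        "{0}: productState=0x{1:X6} enabled={2} definitions-current={3}" -f `
            $_.displayName, $state, $enabled, $current
    }

# 3. Every installed Adobe Reader and Google Chrome entry, from the 64-bit, 32-bit and
#    per-user Uninstall views. Leftover old versions (the log's Reader 9 beside a newer
#    Reader, or two Chrome builds) show up here together with the command that removes them.
$uninstall = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match '^(Adobe Reader|Google Chrome)' } |
    Sort-Object DisplayName, DisplayVersion |
    Format-Table DisplayName, DisplayVersion, UninstallString -AutoSize
```

The point of the first section is that "not running" and "does not exist" are different failure modes: a stopped service can be started from the Services console, while a deleted one produces 0x80070424 and has to be recreated or repaired, which is why the tools in this thread had to patch services.exe rather than just flip a switch. The third section explains a log like the one above without guesswork: if two Reader or two Chrome entries are listed, the older one was never uninstalled, whatever the newer one's About box says.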
 
It's not outdated. It should be fine.

Adobe Reader Update!

Please download the newest version of Adobe Acrobat Reader from Adobe.com

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.

Personal Tips on Preventing Malware

See this page for more info about malware and prevention.

Read more about "FAQ: How did Sirefef or ZeroAccess Infect You?"

Any other questions before I mark this topic solved?
 
Thanks for all your help and tips. Presently my PC is working like before. (y) The start-up speed has also improved. Don't have words to thank you! May GOD BLESS you all for all the efforts you people take to help others. :D

Did what you said: installed the new Adobe Reader, also removed the older version of Chrome. Below is the latest Security Check log!

Results of screen317's Security Check version 0.99.46
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
AVG Anti-Virus Free Edition 2012
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Secunia PSI (3.0.0.3001)
Malwarebytes Anti-Malware version 1.62.0.1300
Java 7 Update 6
Adobe Reader X (10.1.4)
Mozilla Firefox (14.0.1)
Google Chrome 21.0.1180.83
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
AVG avgwdsvc.exe
AVG avgtray.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````
 