Solved Svchost.exe Trojan Agent causing blue screens crashes


Fadil Khan

I need help with removing this Trojan and making sure that my computer is Threat Free. I cannot seem to fix it on my own. Malwarebytes detects it each scan and "removes" it but it does not. Please help... I cannot replace this laptop. It is my Lifeline....Thanks a Lot!
 
Hello, and welcome to TechSpot.


Please see here for the board rules and other FAQ.

Please feel free to introduce yourself, after you follow the steps below to get started.

Information
  • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic where you were helped.
  • We try our best to reply quickly, but if for any reason we do not reply within two days, please reply to this topic with the word BUMP!
  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.
Please review the 5-Step removal instructions and post the logs back here for my review.

Also, include this scan:

Download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.
 
HIJACKTHIS LOG FILE

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 6:43:16 AM, on 11/9/2012
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Avast\AvastUI.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\System32\control.exe
C:\Windows\system32\rundll32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://isearch.avg.com/?cid={8E9EE8F6-5D45-401A-9192-CEA92801ABC3}&mid=51d8fbda1c1447d08b47d15a927e952e-ad1491be2ce6c122f6b66faa90e70c2decf7d34c&lang=en&ds=is015&pr=sa&d=2012-11-08 21:10:49&v=11.0.0.9&sap=hp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GR469A~1.DLL
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\11.0.0.9\AVG Secure Search_toolbar.dll
O3 - Toolbar: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\11.0.0.9\AVG Secure Search_toolbar.dll
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [avast] "C:\Program Files\Avast\avastUI.exe" /nogui
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [vProt] "C:\Program Files\AVG Secure Search\vprot.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [6C3AAF785BFCE2EA504830082CE1FE1093961000._service_run] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=service
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [DriverMax_RESTART] "C:\Program Files\DriverMax\drivermax.exe" -RESTART
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: CleanTemp.bat
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GRA32A~1.DLL
O18 - Protocol: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\11.0.2\ViProtocol.dll
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Avast\AvastSvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: LMIGuardianSvc - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: vToolbarUpdater11.0.2 - Unknown owner - C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\11.0.2\ToolbarUpdater.exe

--
End of file - 6277 bytes
 
ATTACH LOG FILE IS ATTACHED....

DDS LOG FILE

DDS (Ver_2012-11-07.01) - NTFS_x86
Internet Explorer: 8.0.7600.16385
Run by silentarts at 6:14:12 on 2012-11-09
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.1015.238 [GMT -4.5:30]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\CISVC.EXE
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Avast\AvastUI.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k apphost
C:\Windows\system32\svchost.exe -k iissvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k secsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://isearch.avg.com/?cid={8E9EE8F6-5D45-401A-9192-CEA92801ABC3}&mid=51d8fbda1c1447d08b47d15a927e952e-ad1491be2ce6c122f6b66faa90e70c2decf7d34c&lang=en&ds=is015&pr=sa&d=2012-11-08 21:10:49&v=11.0.0.9&sap=hp
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\avg secure search\11.0.0.9\AVG Secure Search_toolbar.dll
TB: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\avg secure search\11.0.0.9\AVG Secure Search_toolbar.dll
uRun: [6C3AAF785BFCE2EA504830082CE1FE1093961000._service_run] "c:\program files\google\chrome\application\chrome.exe" --type=service
uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
uRun: [DriverMax_RESTART] "c:\program files\drivermax\drivermax.exe" -RESTART
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avast] "c:\program files\avast\avastUI.exe" /nogui
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
StartupFolder: c:\users\silentarts\appdata\roaming\microsoft\windows\start menu\programs\startup\CleanTemp.bat
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{01BDEBE6-6ADA-4388-8946-8C629255A3D0} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{51132BB7-1E3C-4E2A-A31A-D5913FDF449E} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{A0D72338-71F0-4196-965C-82982C94B637} : DHCPNameServer = 192.168.1.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\11.0.2\ViProtocol.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-11-8 721000]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-11-8 353688]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-11-8 21256]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-11-8 57656]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast\AvastSvc.exe [2012-11-8 44808]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2012-6-8 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2012-11-8 47640]
R3 analog;analog;c:\windows\system32\drivers\analog.sys [2012-11-8 11264]
R3 iegdmini;iegdmini;c:\windows\system32\drivers\iegdmini.sys [2012-11-8 1677440]
R3 lvds;lvds;c:\windows\system32\drivers\lvds.sys [2012-11-8 10496]
R3 sdvo;sdvo;c:\windows\system32\drivers\sdvo.sys [2012-11-8 38784]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
R3 tv;tv;c:\windows\system32\drivers\tv.sys [2012-11-8 36864]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
.
=============== Created Last 30 ================
.
2012-11-09 15:32:35  --------  d-----w-  c:\programdata\Spybot - Search & Destroy
2012-11-09 15:32:35  --------  d-----w-  c:\program files\Spybot - Search & Destroy
2012-11-09 08:53:05  --------  d-----w-  C:\c164e047adc2ebfd466b
2012-11-09 03:32:29  --------  d-----w-  C:\8274542b4bdfad142084d6
2012-11-09 02:47:48  --------  d-----w-  C:\3dbed645ae825410e7b6e08a9367
2012-11-09 02:45:37  --------  d-----w-  C:\bd43dce6287d498487db4e6d0ad7
2012-11-09 02:17:15  36864  ----a-w-  c:\windows\system32\drivers\tv.sys
2012-11-09 02:17:13  38784  ----a-w-  c:\windows\system32\drivers\sdvo.sys
2012-11-09 02:17:13  10496  ----a-w-  c:\windows\system32\drivers\lvds.sys
2012-11-09 02:17:09  1677440  ----a-w-  c:\windows\system32\drivers\iegdmini.sys
2012-11-09 02:17:06  403328  ----a-w-  c:\windows\system32\iegddis.dll
2012-11-09 02:16:59  401792  ----a-w-  c:\windows\system32\iegd3dg3.dll
2012-11-09 02:16:57  11264  ----a-w-  c:\windows\system32\drivers\analog.sys
2012-11-09 02:14:58  --------  d-----w-  C:\6c5648bb766312e7cfb5e23427
2012-11-09 02:14:13  196608  ----a-w-  c:\windows\system32\mfreadwrite.dll
2012-11-09 02:14:12  3181568  ----a-w-  c:\windows\system32\mf.dll
2012-11-09 02:14:10  1619456  ----a-w-  c:\windows\system32\WMVDECOD.DLL
2012-11-09 01:59:53  40960  ----a-w-  c:\windows\system32\F5D9050.dll
2012-11-09 01:59:49  --------  d-----w-  c:\program files\Belkin
2012-11-09 01:59:29  225280  ----a-w-  c:\program files\common files\installshield\iscript\iscript.dll
2012-11-09 01:59:29  176128  ----a-w-  c:\program files\common files\installshield\engine\6\intel 32\iuser.dll
2012-11-09 01:59:28  77824  ----a-w-  c:\program files\common files\installshield\engine\6\intel 32\ctor.dll
2012-11-09 01:59:28  32768  ----a-w-  c:\program files\common files\installshield\engine\6\intel 32\objectps.dll
2012-11-09 01:59:12  614532  ----a-w-  c:\program files\common files\installshield\engine\6\intel 32\IKernel.exe
2012-11-09 01:58:42  --------  d-----w-  C:\Belkin
2012-11-09 01:43:14  --------  d-----w-  c:\users\silentarts\appdata\local\Innovative Solutions
2012-11-09 01:42:52  --------  d-----w-  c:\program files\DriverMax
2012-11-09 01:42:25  --------  d-----w-  c:\users\silentarts\appdata\local\AVG Secure Search
2012-11-09 01:40:27  --------  d-----w-  c:\program files\common files\AVG Secure Search
2012-11-09 01:40:11  --------  d-----w-  c:\program files\AVG Secure Search
2012-11-09 01:37:41  --------  d-----w-  c:\programdata\AVG Secure Search
2012-11-09 01:37:25  --------  d--h--w-  c:\programdata\Common Files
2012-11-09 01:37:12  --------  d-----w-  c:\users\silentarts\appdata\roaming\mIRC
2012-11-09 01:37:11  --------  d-----w-  c:\program files\mIRC
2012-11-09 01:06:52  --------  d-----w-  c:\windows\Panther
2012-11-09 00:59:37  --------  d-----w-  c:\program files\RocketDock
2012-11-08 22:35:47  6918632  ----a-w-  c:\programdata\microsoft\windows defender\definition updates\{4bfdeddf-ddb2-47d5-a791-34054722a925}\mpengine.dll
2012-11-08 22:35:44  237072  ------w-  c:\windows\system32\MpSigStub.exe
2012-11-08 21:50:00  --------  d-----w-  c:\users\silentarts\appdata\local\LogMeIn
2012-11-08 21:49:51  52128  ----a-w-  c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2012-11-08 21:49:51  30624  ----a-w-  c:\windows\system32\LMIport.dll
2012-11-08 21:49:50  83392  ----a-w-  c:\windows\system32\LMIRfsClientNP.dll
2012-11-08 21:49:50  47640  ----a-w-  c:\windows\system32\drivers\LMIRfsDriver.sys
2012-11-08 21:49:46  87456  ----a-w-  c:\windows\system32\LMIinit.dll
2012-11-08 21:49:37  --------  d-----w-  c:\programdata\LogMeIn
2012-11-08 21:49:05  --------  d-----w-  c:\program files\LogMeIn
2012-11-08 21:44:40  --------  d-----w-  c:\windows\system32\Adobe
2012-11-08 21:43:37  --------  d-----w-  c:\users\silentarts\appdata\local\Adobe
2012-11-08 21:36:30  --------  d-----w-  C:\Torrents
2012-11-08 21:31:04  --------  d-----w-  c:\program files\uTorrent
2012-11-08 21:28:58  --------  d-----w-  c:\users\silentarts\appdata\roaming\uTorrent
2012-11-08 21:26:50  1096  ----a-w-  c:\users\silentarts\appdata\roaming\microsoft\windows\start menu\programs\startup\CleanTemp.bat
2012-11-08 20:39:57  --------  d-----w-  c:\windows\system32\BestPractices
2012-11-08 20:39:56  --------  d-----w-  C:\inetpub
2012-11-08 20:23:39  --------  d-----w-  c:\program files\CCleaner
2012-11-08 20:20:34  44784  ----a-w-  c:\windows\system32\drivers\aswRdr2.sys
2012-11-08 20:20:28  721000  ----a-w-  c:\windows\system32\drivers\aswSnx.sys
2012-11-08 20:20:20  57656  ----a-w-  c:\windows\system32\drivers\aswMonFlt.sys
2012-11-08 20:19:18  41224  ----a-w-  c:\windows\avastSS.scr
2012-11-08 20:18:50  --------  d-----w-  c:\programdata\AVAST Software
2012-11-08 20:18:49  --------  d-----w-  c:\program files\Avast
2012-11-08 20:16:22  --------  d-----w-  c:\program files\VirtualDJ
2012-11-08 20:11:42  889416  -c--a-w-  c:\program files\common files\windows live\.cache\4389400c1cdbded03\dotNetFx40_Full_setup.exe
2012-11-08 20:09:21  --------  d-----w-  c:\users\silentarts\appdata\local\Windows Live
2012-11-08 20:08:46  --------  d-----w-  c:\program files\common files\Windows Live
2012-11-08 19:58:58  --------  d-----w-  c:\users\silentarts\appdata\roaming\QuickLaunch
2012-11-08 19:38:30  53248  ----a-w-  c:\windows\system32\CSVer.dll
2012-11-08 19:38:06  --------  d-----w-  C:\Intel
2012-11-08 19:33:10  248672  ----a-w-  c:\windows\system32\d3dx11_43.dll
2012-11-08 19:32:31  470880  ----a-w-  c:\windows\system32\d3dx10_43.dll
2012-11-08 19:31:51  1998168  ----a-w-  c:\windows\system32\D3DX9_43.dll
2012-11-08 19:30:25  1868128  ----a-w-  c:\windows\system32\d3dcsx_43.dll
2012-11-08 19:29:30  2106216  ----a-w-  c:\windows\system32\D3DCompiler_43.dll
2012-11-08 19:28:32  90112  ----a-w-  c:\windows\system32\snymsico.dll
2012-11-08 19:28:31  44544  ----a-w-  c:\windows\system32\drivers\rimsptsk.sys
2012-11-08 19:28:05  --------  d-----w-  c:\users\silentarts\appdata\roaming\WinBatch
2012-11-08 19:04:17  33104  ----a-w-  c:\windows\system32\spool\prtprocs\w32x86\msonpppr.dll
2012-11-08 19:04:17  32592  ----a-w-  c:\windows\system32\msonpmon.dll
2012-11-08 18:58:38  --------  d-----w-  c:\windows\PCHEALTH
2012-11-08 18:55:51  --------  d-----w-  c:\program files\Microsoft Visual Studio 8
2012-11-08 18:54:24  --------  d-----w-  c:\users\silentarts\appdata\local\Microsoft Help
2012-11-08 18:42:07  --------  d-----w-  c:\users\silentarts\appdata\roaming\Blitware
2012-11-08 18:42:05  --------  d-----w-  c:\program files\Driver Robot
2012-11-08 18:32:01  --------  d-sh--w-  c:\windows\Installer
2012-11-08 18:28:14  --------  d-----w-  c:\users\silentarts\appdata\local\ElevatedDiagnostics
2012-11-08 18:27:30  --------  d-----w-  c:\users\silentarts\appdata\local\Google
2012-11-08 18:24:58  --------  d-----w-  c:\users\silentarts\appdata\local\Apps
2012-11-08 18:24:57  --------  d-----w-  c:\users\silentarts\appdata\local\Deployment
2012-11-08 17:50:27  --------  d-----w-  c:\windows\system32\wbem\Performance
2012-11-08 17:47:26  --------  d-sh--w-  C:\Recovery
.
==================== Find3M ====================
.
2012-09-12 20:37:44  58368  ----a-w-  c:\windows\system32\sirenacm.dll
.
============= FINISH: 6:16:58.68 ===============
 

Attachments: attach.txt (14.2 KB)
COMBOFIX LOGFILE


ComboFix 12-11-09.02 - silentarts 11/09/2012 6:54.1.1 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.1015.448 [GMT -4.5:30]
Running from: c:\users\silentarts\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\users\silentarts\AppData\Roaming\mIRC\logs\status.log
c:\windows\system32\F5D9050.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-10-09 to 2012-11-09 )))))))))))))))))))))))))))))))
.
.
2012-11-09 15:32 . 2012-11-09 15:42  --------  d-----w-  c:\program files\Spybot - Search & Destroy
2012-11-09 15:32 . 2012-11-09 05:02  --------  d-----w-  c:\programdata\Spybot - Search & Destroy
2012-11-09 11:33 . 2012-11-09 11:33  --------  d-----w-  c:\users\Default\AppData\Local\temp
2012-11-09 11:08 . 2012-11-09 11:08  --------  d-----w-  c:\program files\TrendMicro
2012-11-09 11:06 . 2012-11-09 11:18  --------  d-----w-  c:\program files\Malwarebytes' Anti-Malware
2012-11-09 10:53 . 2012-11-09 10:53  --------  d-----w-  C:\TDSSKiller_Quarantine
2012-11-09 09:24 . 2012-11-09 09:30  --------  d-----w-  c:\program files\Windows Live
2012-11-09 08:53 . 2012-11-09 08:53  --------  d-----w-  C:\c164e047adc2ebfd466b
2012-11-09 03:32 . 2012-11-09 03:36  --------  d-----w-  C:\8274542b4bdfad142084d6
2012-11-09 02:47 . 2012-11-09 02:47  --------  d-----w-  C:\3dbed645ae825410e7b6e08a9367
2012-11-09 02:45 . 2012-11-09 02:45  --------  d-----w-  C:\bd43dce6287d498487db4e6d0ad7
2012-11-09 02:17 . 2011-02-01 20:39  36864  ----a-w-  c:\windows\system32\drivers\tv.sys
2012-11-09 02:17 . 2011-02-01 20:39  38784  ----a-w-  c:\windows\system32\drivers\sdvo.sys
2012-11-09 02:17 . 2011-02-01 20:39  10496  ----a-w-  c:\windows\system32\drivers\lvds.sys
2012-11-09 02:17 . 2011-02-01 20:39  1677440  ----a-w-  c:\windows\system32\drivers\iegdmini.sys
2012-11-09 02:17 . 2011-02-01 20:39  403328  ----a-w-  c:\windows\system32\iegddis.dll
2012-11-09 02:16 . 2011-02-01 20:39  401792  ----a-w-  c:\windows\system32\iegd3dg3.dll
2012-11-09 02:16 . 2011-02-01 20:39  11264  ----a-w-  c:\windows\system32\drivers\analog.sys
2012-11-09 02:14 . 2012-11-09 02:15  --------  d-----w-  C:\6c5648bb766312e7cfb5e23427
2012-11-09 02:14 . 2010-05-23 10:11  196608  ----a-w-  c:\windows\system32\mfreadwrite.dll
2012-11-09 02:14 . 2010-05-23 10:11  3181568  ----a-w-  c:\windows\system32\mf.dll
2012-11-09 02:14 . 2010-05-23 10:15  1619456  ----a-w-  c:\windows\system32\WMVDECOD.DLL
2012-11-09 01:59 . 2012-11-09 01:59  --------  d-----w-  c:\program files\Belkin
2012-11-09 01:59 . 2012-11-09 01:59  --------  d-----w-  c:\program files\Common Files\InstallShield
2012-11-09 01:58 . 2012-11-09 01:58  --------  d-----w-  C:\Belkin
2012-11-09 01:46 . 2012-11-09 01:47  --------  d-----w-  c:\programdata\WinZip
2012-11-09 01:42 . 2012-11-09 02:09  --------  d-----w-  c:\program files\DriverMax
2012-11-09 01:40 . 2012-11-09 01:40  --------  d-----w-  c:\program files\Common Files\AVG Secure Search
2012-11-09 01:40 . 2012-11-09 01:42  --------  d-----w-  c:\program files\AVG Secure Search
2012-11-09 01:37 . 2012-11-09 01:42  --------  d-----w-  c:\programdata\AVG Secure Search
2012-11-09 01:37 . 2012-11-09 01:37  --------  d--h--w-  c:\programdata\Common Files
2012-11-09 01:37 . 2012-11-09 01:43  --------  d-----w-  c:\program files\mIRC
2012-11-09 01:06 . 2012-11-08 21:34  --------  d-----w-  c:\windows\Panther
2012-11-09 00:59 . 2012-11-09 00:59  --------  d-----w-  c:\program files\RocketDock
2012-11-08 22:35 . 2012-10-17 06:02  6918632  ----a-w-  c:\programdata\Microsoft\Windows Defender\Definition Updates\{4BFDEDDF-DDB2-47D5-A791-34054722A925}\mpengine.dll
2012-11-08 22:35 . 2012-05-31 15:55  237072  ------w-  c:\windows\system32\MpSigStub.exe
2012-11-08 21:49 . 2012-07-05 22:39  52128  ----a-w-  c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2012-11-08 21:49 . 2012-07-05 22:39  30624  ----a-w-  c:\windows\system32\LMIport.dll
2012-11-08 21:49 . 2012-07-05 22:40  83392  ----a-w-  c:\windows\system32\LMIRfsClientNP.dll
2012-11-08 21:49 . 2012-06-08 16:36  47640  ----a-w-  c:\windows\system32\drivers\LMIRfsDriver.sys
2012-11-08 21:49 . 2012-07-05 22:39  87456  ----a-w-  c:\windows\system32\LMIinit.dll
2012-11-08 21:49 . 2012-11-09 10:10  --------  d-----w-  c:\programdata\LogMeIn
2012-11-08 21:49 . 2012-11-09 02:40  --------  d-----w-  c:\program files\LogMeIn
2012-11-08 21:44 . 2012-11-08 21:44  --------  d-----w-  c:\windows\system32\Adobe
2012-11-08 21:36 . 2012-11-08 21:36  --------  d-----w-  C:\Torrents
2012-11-08 21:31 . 2012-11-08 21:31  --------  d-----w-  c:\program files\uTorrent
2012-11-08 20:39 . 2012-11-08 20:39  --------  d-----w-  c:\windows\system32\BestPractices
2012-11-08 20:39 . 2012-11-08 20:39  --------  d-----w-  C:\inetpub
2012-11-08 20:23 . 2012-11-08 20:24  --------  d-----w-  c:\program files\CCleaner
2012-11-08 20:20 . 2012-07-03 16:21  21256  ----a-w-  c:\windows\system32\drivers\aswFsBlk.sys
2012-11-08 20:20 . 2012-07-03 16:21  353688  ----a-w-  c:\windows\system32\drivers\aswSP.sys
2012-11-08 20:20 . 2012-07-03 16:21  44784  ----a-w-  c:\windows\system32\drivers\aswRdr2.sys
2012-11-08 20:20 . 2012-07-03 16:21  54232  ----a-w-  c:\windows\system32\drivers\aswTdi.sys
2012-11-08 20:20 . 2012-07-03 16:21  721000  ----a-w-  c:\windows\system32\drivers\aswSnx.sys
2012-11-08 20:20 . 2012-07-03 16:21  57656  ----a-w-  c:\windows\system32\drivers\aswMonFlt.sys
2012-11-08 20:19 . 2012-07-03 16:21  41224  ----a-w-  c:\windows\avastSS.scr
2012-11-08 20:19 . 2012-07-03 16:21  227648  ----a-w-  c:\windows\system32\aswBoot.exe
2012-11-08 20:18 . 2012-11-08 20:18  --------  d-----w-  c:\programdata\AVAST Software
2012-11-08 20:18 . 2012-11-08 20:19  --------  d-----w-  c:\program files\Avast
2012-11-08 20:18 . 2012-11-09 16:17  --------  d-----w-  c:\program files\Common Files\Adobe
2012-11-08 20:16 . 2012-11-08 20:18  --------  d-----w-  c:\program files\VirtualDJ
2012-11-08 20:08 . 2012-11-08 20:08  --------  d-----w-  c:\program files\Common Files\Windows Live
2012-11-08 19:38 . 2012-11-08 19:38  --------  d-----w-  c:\program files\Intel
2012-11-08 19:38 . 2012-11-08 19:37  53248  ----a-w-  c:\windows\system32\CSVer.dll
2012-11-08 19:38 . 2012-11-08 19:38  --------  d-----w-  C:\Intel
2012-11-08 19:33 . 2010-05-26 16:11  248672  ----a-w-  c:\windows\system32\d3dx11_43.dll
2012-11-08 19:32 . 2010-05-26 16:11  470880  ----a-w-  c:\windows\system32\d3dx10_43.dll
2012-11-08 19:31 . 2010-05-26 16:11  1998168  ----a-w-  c:\windows\system32\D3DX9_43.dll
2012-11-08 19:30 . 2010-05-26 16:11  1868128  ----a-w-  c:\windows\system32\d3dcsx_43.dll
2012-11-08 19:29 . 2010-05-26 16:11  2106216  ----a-w-  c:\windows\system32\D3DCompiler_43.dll
2012-11-08 19:28 . 2004-09-04 07:30  90112  ----a-w-  c:\windows\system32\snymsico.dll
2012-11-08 19:28 . 2012-11-08 19:28  --------  d--h--w-  c:\program files\InstallShield Installation Information
2012-11-08 19:28 . 2009-06-25 20:40  44544  ----a-w-  c:\windows\system32\drivers\rimsptsk.sys
2012-11-08 19:04 . 2006-10-27 00:26  33104  ----a-w-  c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll
2012-11-08 19:04 . 2006-10-27 00:26  32592  ----a-w-  c:\windows\system32\msonpmon.dll
2012-11-08 19:01 . 2012-11-08 19:01  --------  d-----w-  c:\program files\Microsoft Works
2012-11-08 18:58 . 2012-11-09 09:14  --------  d-----w-  c:\program files\Microsoft.NET
2012-11-08 18:58 . 2012-11-08 18:58  --------  d-----w-  c:\windows\PCHEALTH
2012-11-08 18:55 . 2012-11-08 18:55  --------  d-----w-  c:\program files\Microsoft Visual Studio 8
2012-11-08 18:54 . 2012-11-08 19:05  --------  d-----w-  c:\programdata\Microsoft Help
2012-11-08 18:51 . 2012-11-08 18:51  --------  d-----r-  C:\MSOCache
2012-11-08 18:42 . 2012-11-08 18:42  --------  d-----w-  c:\program files\Driver Robot
2012-11-08 18:32 . 2012-11-09 11:08  --------  d-sh--w-  c:\windows\Installer
2012-11-08 18:27 . 2012-11-08 19:47  --------  d-----w-  c:\program files\Google
2012-11-08 17:53 . 2012-11-09 03:09  --------  d-----w-  c:\users\silentarts
2012-11-08 17:50 . 2012-11-08 21:58  --------  d-----w-  c:\windows\system32\wbem\Performance
2012-11-08 17:47 . 2012-11-08 17:47  --------  d-----w-  C:\Recovery
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-12 20:37 . 2012-09-12 20:37  58368  ----a-w-  c:\windows\system32\sirenacm.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
[FONT=Helvetica Neue]2012-11-09 01:402067328----a-w-c:\program files\AVG Secure Search\11.0.0.9\AVG Secure Search_toolbar.dll[/FONT]
[FONT=Helvetica Neue].[/FONT]
[FONT=Helvetica Neue][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar][/FONT]
[FONT=Helvetica Neue]"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\11.0.0.9\AVG Secure Search_toolbar.dll" [2012-11-09 2067328][/FONT]
[FONT=Helvetica Neue].[/FONT]
[FONT=Helvetica Neue][HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}][/FONT]
[FONT=Helvetica Neue][HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1][/FONT]
[FONT=Helvetica Neue][HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj][/FONT]
[FONT=Helvetica Neue].[/FONT]
[FONT=Helvetica Neue][HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast][/FONT]
[FONT=Helvetica Neue]@="{472083B0-C522-11CF-8763-00608CC02F24}"[/FONT]
[FONT=Helvetica Neue][HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}][/FONT]
[FONT=Helvetica Neue]2012-07-03 16:21121528----a-w-c:\program files\Avast\ashShell.dll[/FONT]
[FONT=Helvetica Neue].[/FONT]
[FONT=Helvetica Neue][HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run][/FONT]
[FONT=Helvetica Neue]"6C3AAF785BFCE2EA504830082CE1FE1093961000._service_run"="c:\program files\Google\Chrome\Application\chrome.exe" [2012-10-31 1242136][/FONT]
[FONT=Helvetica Neue]"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616][/FONT]
[FONT=Helvetica Neue]"DriverMax_RESTART"="c:\program files\DriverMax\drivermax.exe" [2012-10-19 11325376][/FONT]
[FONT=Helvetica Neue].[/FONT]
[FONT=Helvetica Neue][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run][/FONT]
[FONT=Helvetica Neue]"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016][/FONT]
[FONT=Helvetica Neue]"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008][/FONT]
[FONT=Helvetica Neue]"avast"="c:\program files\Avast\avastUI.exe" [2012-07-03 4273976][/FONT]
[FONT=Helvetica Neue]"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2012-06-08 63048][/FONT]
[FONT=Helvetica Neue]"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-11-09 1116544][/FONT]
[FONT=Helvetica Neue].[/FONT]
[FONT=Helvetica Neue]c:\users\silentarts\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\[/FONT]
[FONT=Helvetica Neue]CleanTemp.bat [2012-11-8 1096][/FONT]
[FONT=Helvetica Neue].[/FONT]
[FONT=Helvetica Neue][HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system][/FONT]
[FONT=Helvetica Neue]"ConsentPromptBehaviorAdmin"= 0 (0x0)[/FONT]
[FONT=Helvetica Neue]"ConsentPromptBehaviorUser"= 3 (0x3)[/FONT]
[FONT=Helvetica Neue]"EnableLUA"= 0 (0x0)[/FONT]
[FONT=Helvetica Neue]"EnableUIADesktopToggle"= 0 (0x0)[/FONT]
[FONT=Helvetica Neue]"PromptOnSecureDesktop"= 0 (0x0)[/FONT]
[FONT=Helvetica Neue].[/FONT]
[FONT=Helvetica Neue][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32][/FONT]
[FONT=Helvetica Neue]"aux"=wdmaud.drv[/FONT]
[FONT=Helvetica Neue].[/FONT]
[FONT=Helvetica Neue]R2 vToolbarUpdater11.0.2;vToolbarUpdater11.0.2;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\11.0.2\ToolbarUpdater.exe [x][/FONT]
[FONT=Helvetica Neue]S1 aswSnx;aswSnx; [x][/FONT]
[FONT=Helvetica Neue]S1 aswSP;aswSP; [x][/FONT]
[FONT=Helvetica Neue]S2 aswFsBlk;aswFsBlk; [x][/FONT]
[FONT=Helvetica Neue]S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x][/FONT]
[FONT=Helvetica Neue]S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [x][/FONT]
[FONT=Helvetica Neue]S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [x][/FONT]
[FONT=Helvetica Neue]S3 analog;analog;c:\windows\system32\DRIVERS\analog.sys [x][/FONT]
[FONT=Helvetica Neue]S3 iegdmini;iegdmini;c:\windows\system32\DRIVERS\iegdmini.sys [x][/FONT]
[FONT=Helvetica Neue]S3 lvds;lvds;c:\windows\system32\DRIVERS\lvds.sys [x][/FONT]
[FONT=Helvetica Neue]S3 sdvo;sdvo;c:\windows\system32\DRIVERS\sdvo.sys [x][/FONT]
[FONT=Helvetica Neue]S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [x][/FONT]
[FONT=Helvetica Neue]S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [x][/FONT]
[FONT=Helvetica Neue]S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [x][/FONT]
[FONT=Helvetica Neue]S3 tv;tv;c:\windows\system32\DRIVERS\tv.sys [x][/FONT]
[FONT=Helvetica Neue].[/FONT]
[FONT=Helvetica Neue].[/FONT]
[FONT=Helvetica Neue]--- Other Services/Drivers In Memory ---[/FONT]
[FONT=Helvetica Neue].[/FONT]
[FONT=Helvetica Neue]*NewlyCreated* - 63271854[/FONT]
[FONT=Helvetica Neue]*Deregistered* - 63271854[/FONT]
[FONT=Helvetica Neue].[/FONT]
[FONT=Helvetica Neue][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost][/FONT]
[FONT=Helvetica Neue]iissvcsREG_MULTI_SZ w3svc was[/FONT]
[FONT=Helvetica Neue]apphostREG_MULTI_SZ apphostsvc[/FONT]
[FONT=Helvetica Neue].[/FONT]
[FONT=Helvetica Neue]Contents of the 'Scheduled Tasks' folder[/FONT]
[FONT=Helvetica Neue].[/FONT]
[FONT=Helvetica Neue]2012-11-08 c:\windows\Tasks\Driver Robot.job[/FONT]
[FONT=Helvetica Neue]- c:\program files\Driver Robot\1.2.0.5\DriverRobot.exe [2012-11-08 21:59][/FONT]
[FONT=Helvetica Neue].[/FONT]
[FONT=Helvetica Neue]2012-11-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job[/FONT]
[FONT=Helvetica Neue]- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-08 18:27][/FONT]
[FONT=Helvetica Neue].[/FONT]
[FONT=Helvetica Neue]2012-11-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job[/FONT]
[FONT=Helvetica Neue]- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-08 18:27][/FONT]
[FONT=Helvetica Neue].[/FONT]
[FONT=Helvetica Neue].[/FONT]
[FONT=Helvetica Neue]------- Supplementary Scan -------[/FONT]
[FONT=Helvetica Neue].[/FONT]
[FONT=Helvetica Neue]uStart Page = hxxp://www.google.tt/[/FONT]
[FONT=Helvetica Neue]IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000[/FONT]
[FONT=Helvetica Neue]TCP: DhcpNameServer = 192.168.1.1[/FONT]
[FONT=Helvetica Neue]Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\11.0.2\ViProtocol.dll[/FONT]
[FONT=Helvetica Neue].[/FONT]
[FONT=Helvetica Neue].[/FONT]
[FONT=Helvetica Neue]--------------------- LOCKED REGISTRY KEYS ---------------------[/FONT]
[FONT=Helvetica Neue].[/FONT]
[FONT=Helvetica Neue][HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings][/FONT]
[FONT=Helvetica Neue]@Denied: (A) (Users)[/FONT]
[FONT=Helvetica Neue]@Denied: (A) (Everyone)[/FONT]
[FONT=Helvetica Neue]@Allowed: (B 1 2 3 4 5) (S-1-5-20)[/FONT]
[FONT=Helvetica Neue]"BlindDial"=dword:00000000[/FONT]
[FONT=Helvetica Neue].[/FONT]
[FONT=Helvetica Neue][HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security][/FONT]
[FONT=Helvetica Neue]@Denied: (Full) (Everyone)[/FONT]
[FONT=Helvetica Neue].[/FONT]
[FONT=Helvetica Neue]Completion time: 2012-11-09 07:06:58[/FONT]
[FONT=Helvetica Neue]ComboFix-quarantined-files.txt 2012-11-09 11:36[/FONT]
[FONT=Helvetica Neue].[/FONT]
[FONT=Helvetica Neue]Pre-Run: 12,485,107,712 bytes free[/FONT]
[FONT=Helvetica Neue]Post-Run: 12,409,049,088 bytes free[/FONT]
[FONT=Helvetica Neue].[/FONT]
[FONT=Helvetica Neue]- - End Of File - - C52651716C3CE8523318C510F7663549[/FONT]
 
I ALSO DOWNLOADED Malwarebytes' Anti-Malware and here is the log file for it...

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 6.1.7600

11/9/2012 10:21:37 AM
mbam-log-2012-11-09 (10-21-37).txt

Scan type: Full Scan (C:\|)
Objects scanned: 163112
Time elapsed: 1 hour(s), 27 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
TDSSKiller Scan

Please download and run TDSSKiller to your desktop as outlined below:

Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.
For Vista or Windows 7, right-click the program, select Run as Administrator to start, and when prompted, Allow it to run.

tdss_1.jpg


-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

tdss_2.jpg


------------------------

Click the Start Scan button.

tdss_3.jpg


-----------------------

If a suspicious object is detected, the default action will be Skip; click on Continue.
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.


tdss_4.jpg


----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.


tdss_5.jpg



--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.
Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

-------------------

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip; click on Continue.
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.


avast! aswMBR

Please download aswMBR from here
  • Save aswMBR.exe to your Desktop
  • Double click aswMBR.exe to run it
  • Uncheck "Trace disk IO calls".
  • Click the Scan button to start the scan as illustrated below
aswMBR_Scan.jpg

Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives.
  • Once the scan finishes click Save log to save the log to your Desktop
    aswMBR_SaveLog.png
  • Copy and paste the contents of aswMBR.txt back here for review
  • Please also find MBR.dat on your Desktop, and rename it to MBRscan.txt. Upload that as well. Do not copy and paste MBR.dat/txt, it needs to be uploaded.
 
The TDSS Log File is too large so I Attached it...

Also, I am currently running the aswMBR Scan...
 

Attachment: TDSSKiller.txt

aswMBR Log File


aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2012-11-10 01:23:19
-----------------------------
01:23:19.458 OS Version: Windows 6.1.7600
01:23:19.458 Number of processors: 1 586 0xD06
01:23:19.461 ComputerName: SILENTARTS_PC UserName: silentarts
01:23:22.937 Initialize success
01:23:26.189 AVAST engine defs: 12111001
01:23:48.645 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
01:23:48.645 Disk 0 Vendor: TOSHIBA_MK3029GACE RB102A Size: 28615MB BusType: 3
01:23:48.661 Disk 0 MBR read successfully
01:23:48.661 Disk 0 MBR scan
01:23:48.661 Disk 0 Windows 7 default MBR code
01:23:48.676 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
01:23:48.692 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 28513 MB offset 206848
01:23:48.692 Disk 0 scanning sectors +58601472
01:23:48.786 Disk 0 scanning C:\Windows\system32\drivers
01:24:07.727 Service scanning
01:24:41.827 Modules scanning
01:25:02.952 AVAST engine scan C:\
02:01:03.097 Scan finished successfully
02:04:00.894 Disk 0 MBR has been saved successfully to "C:\Users\silentarts\Desktop\Logs\MBR.dat"
02:04:00.899 The log file has been saved successfully to "C:\Users\silentarts\Desktop\Logs\aswMBR.txt"
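The two "Disk 0 Partition" lines in the aswMBR log above are just a decoded partition table, and the "scanning sectors +58601472" line is the first sector after the last partition. The following is an added example, not aswMBR's own code, that decodes a 512-byte MBR (for instance the MBR.dat the helper asked for) the same way and runs the simple sanity checks a reviewer applies: the 55 AA signature, the partition entries, overlap between partitions, and the presence of the three message strings a stock Windows MBR carries. It does not reproduce aswMBR's "Windows 7 default MBR code" verdict, which needs a known-good reference image. The sample MBR is constructed from the layout in the log (100 MB NTFS at LBA 2048, 28513 MB NTFS at LBA 206848) with a zero-filled boot-code area, so it is not an image of a real disk.

```python
"""Decode a 512-byte MBR the way aswMBR's "Disk 0 Partition" lines summarise it.

Added example; not aswMBR's code. The sample sector is constructed from the
partition layout reported in the log above and is not a real disk image.
"""
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries, then the 55 AA signature
SIGNATURE_OFFSET = 510
BOOT_MESSAGES = (b"Invalid partition table",
                 b"Error loading operating system",
                 b"Missing operating system")
TYPE_NAMES = {0x00: "empty", 0x07: "HPFS/NTFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
              0x0F: "Extended LBA", 0x83: "Linux"}


def read_mbr(path):
    """Read the first sector of a raw dump such as aswMBR's MBR.dat."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def build_sample_mbr():
    """Constructed MBR matching the two partitions in the log above."""
    mbr = bytearray(SECTOR_SIZE)
    # Boot code is zero-filled apart from the standard message strings; the
    # placement just before the table is an assumption, not the real layout.
    msgs = b"\x00".join(BOOT_MESSAGES) + b"\x00"
    mbr[PARTITION_TABLE_OFFSET - len(msgs):PARTITION_TABLE_OFFSET] = msgs
    # (status, type, lba_start, sector_count); the CHS fields are left zero here.
    entries = [(0x80, 0x07, 2048, 100 * 2048), (0x00, 0x07, 206848, 28513 * 2048)]
    for i, (status, ptype, start, count) in enumerate(entries):
        off = PARTITION_TABLE_OFFSET + 16 * i
        mbr[off:off + 16] = struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", start, count)
    mbr[SIGNATURE_OFFSET:] = b"\x55\xaa"
    return bytes(mbr)


def parse_mbr(mbr):
    """Return signature status, the used partition entries and sanity checks."""
    if len(mbr) < SECTOR_SIZE:
        raise ValueError("need at least one 512-byte sector")
    parts = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _, ptype, _, start, count = struct.unpack("<B3sB3sII", mbr[off:off + 16])
        if ptype == 0x00 and count == 0:
            continue                                   # unused slot
        parts.append({"index": i + 1, "bootable": status == 0x80, "type": ptype,
                      "type_name": TYPE_NAMES.get(ptype, "unknown"),
                      "lba_start": start, "sectors": count,
                      "size_mb": count * SECTOR_SIZE // (1024 * 1024)})
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in parts)
    overlaps = any(spans[k][1] > spans[k + 1][0] for k in range(len(spans) - 1))
    boot_code = mbr[:PARTITION_TABLE_OFFSET]
    return {
        "signature_ok": mbr[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] == b"\x55\xaa",
        "partitions": parts,
        "overlaps": overlaps,
        "bootable_count": sum(p["bootable"] for p in parts),
        # Sectors past the last partition are the region aswMBR reports as "scanning sectors +N".
        "end_of_last_partition": max((end for _, end in spans), default=0),
        "boot_strings": [m.decode() for m in BOOT_MESSAGES if m in boot_code],
    }


if __name__ == "__main__":
    import sys
    data = read_mbr(sys.argv[1]) if len(sys.argv) > 1 else build_sample_mbr()
    info = parse_mbr(data)
    print("signature 55AA:", "ok" if info["signature_ok"] else "MISSING")
    for p in info["partitions"]:
        flag = "80 (A)" if p["bootable"] else "00"
        print(f"Partition {p['index']} {flag} {p['type']:02X} {p['type_name']} "
              f"{p['size_mb']} MB offset {p['lba_start']}")
    print("sectors after last partition start at", info["end_of_last_partition"])
    print("boot-code messages present:", info["boot_strings"] or "none")
```

Run it as `python mbr_check.py MBR.dat` to decode a saved dump, or with no argument to decode the constructed sample, which prints the same partition lines as the log and reports 58601472 as the first sector after the last partition. The pasted MBRscan text further down shows the same things in raw form: the three message strings are readable in it and it ends with "Uª", which is how the 55 AA signature bytes render as text. A missing signature, a third partition nobody created, overlapping entries, or a large gap after the last partition are the findings worth taking to a helper; a boot-code byte-for-byte comparison, not string matching, is what decides whether the code itself is stock.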
 
MBRscan Log File

3ÀŽÐ¼ |ŽÀŽØ¾ |¿ ¹ üó¤PhËû¹ ½¾€~ | …ƒÅâñ͈V UÆFÆF ´A»ªUÍ]rûUªu÷Á tþFf`€~ t&fh fÿvh h |h h ´BŠV ‹ôÍŸƒÄžë¸» |ŠV ŠvŠNŠnÍfasþNu €~ €„Š ²€ë„U2äŠV Í]랁>þ}Uªunÿv è uú°Ñædèƒ °ßæ`è| °ÿædèu û¸ »Íf#Àu;fûTCPAu2ùr,fh» fh  fh fSfSfUfh fh | fah ÍZ2öê | Í ·ë ¶ë µ2ä ‹ð¬< t» ´Íëòôëý+Éädë $àø$ÃInvalid partition table Error loading operating system Missing operating system c{šøT € ! ß   ß þÿÿ ( { Uª
 
We'll take care of that later.

ESET Online Scan

Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so and install it.
  • Click Start or wait for the scanner to load.
  • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, there are a couple of things to keep in mind:
    1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
    2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
  • Open the logfile from wherever you saved it
  • Copy and paste the contents in your next reply.
 
Did everything you said. Found only one virus...

C:\Users\silentarts\Downloads\Unlocker1.9.1.exe	Win32/Adware.ADON application	cleaned by deleting - quarantined
 
Any more issues?

We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

Many of the things to note for us would be:

  • Slow computer
  • Error messages
  • Fake antivirus alerts or the icon in the system tray
  • svchost.exe running at 100%
  • System crashes or blue screen of death
 
That seems to be all.. Just one question...Is it normal to have this many svchost.exe files running at once? Check Attachment for an Idea of what I am talking about...
 

Attachment: svchost image.jpg

Yes, it is very normal. Svchost.exe has multiple instances in the processes, because it has so many different purposes in the file system.

Clean up System Restore

Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

To manually create a new Restore Point
  • Go to Control Panel and select System and Maintenance
  • Select System
  • On the left select Advanced System Settings and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name, e.g. Clean
  • Select Create
Now we can purge the infected ones
  • Go back to the System and Maintenance page
  • Select Performance Information and Tools
  • On the left select Open Disk Cleanup
  • Select Files from all users and accept the warning if you get one
  • In the drop down box select your main drive, e.g. C
  • For a few moments the system will make some calculations:
    diskcleanup1.png
  • Select the More Options tab
    moreoptions.png
  • In the System Restore and Shadow Backups select Clean up
    moreoptions2.png
  • Select Delete on the pop up
  • Select OK
  • Select Delete
Run OTC to remove our tools

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Purge old temporary files

NOTE: If you already have this installed, you don't have to reinstall it.

Please download CCleaner Slim and save it to your Desktop - Alternate download link

When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
Follow the prompts to install the program.

  • Double-click the CCleaner shortcut on the desktop to start the program.
  • A prompt will ask you if you want CCleaner to do a check to see what cookies it needs to keep. Allow that operation.
  • On the Cleaner tab, click on Run Cleaner on the bottom-right to run the program.
  • Important: Make sure that ALL browser windows are closed before selecting Run Cleaner, or it will ask if you want the program to close them for you (when you do this, all unsaved data may be lost in the browser).

Caution: Only use the Registry feature if you are very familiar with the registry.
Always back up your registry before making any changes. Exit CCleaner after it has completed its process.

Security Check

Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
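On the question earlier in the thread about how many svchost.exe processes are normal: several instances are expected because Windows groups services into separate svchost.exe hosts, and the way to tell them apart is to list which services each one hosts. The following is an added example, not a tool the helper asked for, that parses the output of `tasklist /svc /fo csv` (built into Windows XP and later), prints the service groups per instance, and flags the two things that do deserve a second look: an svchost.exe that hosts no services at all, and a process whose name merely resembles svchost.exe. The sample CSV is constructed, not taken from the thread; on a Windows machine the script runs tasklist itself.

```python
"""Triage the svchost.exe instances a Windows machine is running.

Added example; parses `tasklist /svc /fo csv` output. The sample below is
constructed and is not the output of the poster's computer.
"""
import csv
import io
import subprocess
import sys

# Constructed sample of `tasklist /svc /fo csv` output.
SAMPLE_TASKLIST_CSV = '''"Image Name","PID","Services"
"System Idle Process","0","N/A"
"System","4","N/A"
"svchost.exe","556","DcomLaunch,PlugPlay,Power"
"svchost.exe","640","RpcEptMapper,RpcSs"
"svchost.exe","732","Audiosrv,Dhcp,eventlog,lmhosts,wscsvc"
"svchost.exe","804","AudioEndpointBuilder,Netman,PcaSvc,SysMain,TrkWks,UxSms,Wlansvc"
"svchost.exe","1260","N/A"
"scvhost.exe","1384","N/A"
"svchost.exe","1500","CryptSvc,Dnscache,LanmanWorkstation,NlaSvc"
"explorer.exe","1700","N/A"
'''

REAL_NAME = "svchost.exe"


def parse_tasklist(csv_text):
    """Return a list of (image_name, pid, [service names]) tuples."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        services = [] if row["Services"] == "N/A" else row["Services"].split(",")
        rows.append((row["Image Name"], int(row["PID"]), services))
    return rows


def edit_distance(a, b):
    """Levenshtein distance; used to spot typo-squatted process names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(rows):
    """Summarise the svchost instances and list the ones worth a closer look."""
    genuine, suspicious = [], []
    for name, pid, services in rows:
        lname = name.lower()
        if lname == REAL_NAME:
            genuine.append((pid, services))
            if not services:
                # A real svchost.exe normally hosts at least one service; an empty
                # one is not proof of malware, but it is the instance to inspect.
                suspicious.append((name, pid, "hosts no services"))
        elif edit_distance(lname, REAL_NAME) <= 2:
            suspicious.append((name, pid, "lookalike process name"))
    return {"svchost_count": len(genuine), "instances": genuine, "suspicious": suspicious}


def triage_live():
    """Run tasklist on this machine (Windows only) and triage the result."""
    if sys.platform != "win32":
        raise RuntimeError("tasklist is only available on Windows")
    out = subprocess.run(["tasklist", "/svc", "/fo", "csv"],
                         capture_output=True, text=True, check=True).stdout
    return triage(parse_tasklist(out))


if __name__ == "__main__":
    report = triage_live() if sys.platform == "win32" else triage(parse_tasklist(SAMPLE_TASKLIST_CSV))
    print(f"{report['svchost_count']} svchost.exe instance(s)")
    for pid, services in report["instances"]:
        print(f"  PID {pid}: {', '.join(services) or '(none)'}")
    for name, pid, reason in report["suspicious"]:
        print(f"CHECK {name} PID {pid}: {reason}")
```

Name checks only go so far: a file called svchost.exe that runs from somewhere other than C:\Windows\System32 passes this script's name test, so the complementary check on Windows 7 is the image path, for example `wmic process where name="svchost.exe" get ProcessId,ExecutablePath`, which should show only the System32 copy. The Security Check log further down, not this script, is what shows that UAC and the Windows Firewall were disabled on the machine.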
 
OTC is currently running...I did all the steps above so far...just one question...

After OTC Runs....You said download and install CCleaner Slim...I have the normal CCleaner version...is that the same, because I use that for everyday cleaning...

PS: How long does OTC take to run?
 
OTC Done, CCleaner Done...with all browsers closed....

Security Check Scan Log...

Results of screen317's Security Check version 0.99.54
Windows 7 x86 (UAC is disabled!)
Out of date service pack!!
Internet Explorer 8 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Disabled!
avast! Antivirus
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Spybot - Search & Destroy
Malwarebytes Anti-Malware version 1.65.1.1000
CCleaner
Adobe Reader X (10.1.4)
Google Chrome 23.0.1271.64
````````Process Check: objlist.exe by Laurent````````
Avast AvastSvc.exe
Avast AvastUI.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 10%
````````````````````End of Log``````````````````````
 
Thanks a lot! No more questions...All issues solved...Will try my best to keep it that way...

Now...about my question....What antivirus software should I be using?
 