Solved Win64/Patched.A infected services.exe file


costin

Hi,
I'm new here and I hope I can get some help...
I've been infected with the Win64/Patched.A virus in the services.exe file. AVG cannot remove the file because it's critical to Windows. Also, I ran some scans with AVG and it detects a lot of other viruses, but they can be removed. After I do another scan they appear again...

Can you please help me remove the virus manually?

Thanks in advance!
Costin.
 
Hello, and welcome to TechSpot.


Please see here for the board rules and other FAQ.

Please feel free to introduce yourself, after you follow the steps below to get started.

Information
  • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic you were helped.
  • We try our best to reply quickly, but if for any reason we do not reply in two days, please reply to this topic with the word BUMP!
  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.


Farbar Recovery Scan Tool x64

Download Farbar Recovery Scan Tool and save it to a flash drive.


Please make sure to get the 64-bit version

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there
  • Press Scan button. It will do its scan and save a log on your flash drive.
  • Close out of the message after that, then type the text services.exe into the "Search:" text box. Then, press the Search file(s) button.

    When done searching, FRST makes a log, Search.txt, on the C:\ drive or on your flash drive.
  • Type exit in the Command Prompt window and reboot the computer normally
  • FRST will make a log (FRST.txt) on the flash drive and also the search.txt logfile, please copy and paste the logs in your reply.
 
FRST.txt log file:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 12-11-2012
Ran by SYSTEM at 16-11-2012 13:48:13
Running from H:\
Windows 7 Ultimate (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM-x32\...\Run: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY [3143800 2012-11-06] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [] [x]
HKU\Constantin\...\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun [3671872 2012-04-17] (DT Soft Ltd)
HKU\Constantin\...\Run: [AdobeBridge] [x]
Tcpip\Parameters: [DhcpNameServer] 62.215.6.51 62.215.6.4

==================== Services (Whitelisted) ===================

2 Autodesk Content Service; "C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe" [19232 2012-01-30] (Autodesk, Inc.)
2 AVGIDSAgent; "C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe" [5814392 2012-11-06] (AVG Technologies CZ, s.r.o.)
2 avgwd; "C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe" [196664 2012-10-22] (AVG Technologies CZ, s.r.o.)
2 KMService; C:\Windows\SysWow64\srvany.exe [8192 2012-08-23] ()
2 MBAMScheduler; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe" [399432 2012-09-29] (Malwarebytes Corporation)
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [676936 2012-09-29] (Malwarebytes Corporation)
2 mi-raysat_3dsmax2013_64; "C:\Program Files\Autodesk\3ds Max Design 2013\NVIDIA\raysat_3dsmax2013_64server.exe" [86016 2011-09-14] ()

==================== Drivers (Whitelisted) =====================

1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [154464 2012-10-22] (AVG Technologies CZ, s.r.o. )
0 AVGIDSHA; C:\Windows\System32\Drivers\AVGIDSHA.sys [63328 2012-10-14] (AVG Technologies CZ, s.r.o. )
1 Avgldx64; C:\Windows\System32\Drivers\Avgldx64.sys [185696 2012-10-01] (AVG Technologies CZ, s.r.o.)
0 Avgloga; C:\Windows\System32\Drivers\Avgloga.sys [225120 2012-09-20] (AVG Technologies CZ, s.r.o.)
0 Avgmfx64; C:\Windows\System32\Drivers\Avgmfx64.sys [111456 2012-10-04] (AVG Technologies CZ, s.r.o.)
0 Avgrkx64; C:\Windows\System32\Drivers\Avgrkx64.sys [40800 2012-09-13] (AVG Technologies CZ, s.r.o.)
1 Avgtdia; C:\Windows\System32\Drivers\Avgtdia.sys [200032 2012-09-20] (AVG Technologies CZ, s.r.o.)
3 bcm44amd64; C:\Windows\System32\DRIVERS\b44amd64.sys [87552 2009-06-10] (Broadcom Corporation)
3 cpudrv64; \??\C:\Program Files (x86)\SystemRequirementsLab\cpudrv64.sys [17864 2011-06-02] ()
1 dtsoftbus01; C:\Windows\System32\Drivers\dtsoftbus01.sys [283200 2012-08-23] (DT Soft Ltd)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [25928 2012-09-29] (Malwarebytes Corporation)
3 OEM02Dev; C:\Windows\System32\Drivers\OEM02Dev.sys [266624 2007-10-10] (Creative Technology Ltd.)
3 OEM02Vfx; C:\Windows\System32\Drivers\OEM02Vfx.sys [12288 2007-03-04] (EyePower Games Pte. Ltd.)
3 catchme; \??\C:\ComboFix\catchme.sys [x]
3 Synth3dVsc; C:\Windows\System32\drivers\synth3dvsc.sys [x]
3 tsusbhub; C:\Windows\System32\drivers\tsusbhub.sys [x]
3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2012-11-16 13:48 - 2012-11-16 13:48 - 00000000 ____D C:\FRST
2012-11-16 00:58 - 2012-11-16 00:58 - 00001115 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-11-16 00:58 - 2012-11-16 00:58 - 00000000 ____D C:\Users\Constantin\AppData\Roaming\Malwarebytes
2012-11-16 00:58 - 2012-11-16 00:58 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-11-16 00:58 - 2012-11-16 00:58 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-11-16 00:58 - 2012-09-29 08:54 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-11-16 00:50 - 2012-11-16 00:51 - 00000000 ____D C:\Users\Constantin\Desktop\jarallah
2012-11-16 00:39 - 2012-11-16 00:54 - 10669952 ____A (Malwarebytes Corporation ) C:\Users\Constantin\Desktop\mbam-setup-1.65.1.1000.exe
2012-11-15 11:47 - 2012-11-15 11:47 - 00000000 ____D C:\Program Files (x86)\Mega Codec Pack
2012-11-14 09:32 - 2012-09-25 14:47 - 00078336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\synceng.dll
2012-11-14 09:32 - 2012-09-25 14:46 - 00095744 ____A (Microsoft Corporation) C:\Windows\System32\synceng.dll
2012-11-13 21:33 - 2012-11-13 21:33 - 00000059 ____A C:\Users\Constantin\Downloads\listen (1).pls
2012-11-12 21:32 - 2012-11-12 21:32 - 00000067 ____A C:\Users\Constantin\Downloads\listen.pls
2012-11-12 21:29 - 2012-11-14 23:16 - 00000000 ____D C:\Users\Constantin\AppData\Roaming\Winamp
2012-11-12 21:29 - 2012-11-12 21:30 - 00000000 ____D C:\Program Files (x86)\Winamp
2012-11-12 21:29 - 2012-11-12 21:29 - 00000985 ____A C:\Users\Public\Desktop\Winamp.lnk
2012-11-12 21:29 - 2012-11-12 21:29 - 00000000 ____D C:\Program Files (x86)\Winamp Detect
2012-11-12 21:27 - 2012-11-12 21:27 - 17335648 ____A (Nullsoft, Inc.) C:\Users\Constantin\Downloads\winamp563_full_emusic-7plus_all.exe
2012-11-12 12:32 - 2012-03-12 02:06 - 00000000 ____D C:\Users\Constantin\Desktop\Ex_Files_Revit_House
2012-11-03 01:53 - 2012-11-03 02:52 - 00000000 ____D C:\Users\Constantin\Downloads\Evermotion_Archmodels_72_BtTrove
2012-11-03 01:52 - 2012-11-03 01:52 - 00021263 ____A C:\Users\Constantin\Downloads\[isoHunt] Evermotion_Archmodels_72_BtTrove.torrent
2012-11-03 01:48 - 2012-11-03 01:48 - 00000000 ____D C:\Users\Constantin\Downloads\nature-backgrounds-vector
2012-11-03 01:01 - 2012-11-03 01:01 - 00000000 ____D C:\Users\Constantin\Downloads\spring-trees-backgrounds-vector
2012-11-03 01:01 - 2012-11-03 01:01 - 00000000 ____D C:\Users\Constantin\Downloads\abstract-trees-vector
2012-11-03 01:00 - 2012-11-03 01:01 - 04050921 ____A C:\Users\Constantin\Downloads\nature-backgrounds-vector.zip
2012-11-03 01:00 - 2012-11-03 01:00 - 03304569 ____A C:\Users\Constantin\Downloads\spring-trees-backgrounds-vector.zip
2012-11-03 00:58 - 2012-11-03 00:59 - 07564516 ____A C:\Users\Constantin\Downloads\abstract-trees-vector.zip
2012-11-03 00:49 - 2012-11-03 00:49 - 00000000 ____D C:\Users\Constantin\Downloads\watercolor-postcards-vector
2012-11-03 00:47 - 2012-11-03 00:48 - 07391864 ____A C:\Users\Constantin\Downloads\watercolor-postcards-vector.zip
2012-10-29 19:07 - 2012-10-29 19:07 - 00000000 ____D C:\Users\Constantin\Downloads\19
2012-10-29 18:53 - 2012-10-29 18:53 - 00409752 ____A C:\Users\Constantin\Downloads\bench_08.3ds
2012-10-29 13:11 - 2012-10-29 13:11 - 00057125 ____A C:\Users\Constantin\Downloads\19.rar
2012-10-29 13:10 - 2012-10-29 13:10 - 00000000 ____D C:\Users\Constantin\Downloads\30
2012-10-29 13:09 - 2012-10-29 13:09 - 00171534 ____A C:\Users\Constantin\Downloads\30.rar
2012-10-22 20:59 - 2012-10-22 20:59 - 00000132 ____A C:\Users\Constantin\AppData\Roaming\Adobe PNG Format CS6 Prefs
2012-10-22 20:23 - 2012-10-22 20:23 - 00093969 ____A C:\Users\Constantin\Downloads\All sizes Nutella Flickr - Photo Sharing!.htm
2012-10-22 20:23 - 2012-10-22 20:23 - 00000000 ____D C:\Users\Constantin\Downloads\All sizes Nutella Flickr - Photo Sharing!_files
2012-10-22 11:32 - 2012-10-25 03:52 - 00001556 ____A C:\Users\Constantin\Desktop\Adobe Illustrator CS6 (64 Bit).lnk
2012-10-22 11:32 - 2012-10-22 11:32 - 00001240 ____A C:\Users\Constantin\Desktop\Adobe Photoshop CS6 (64 Bit).lnk
2012-10-22 11:31 - 2012-10-22 11:31 - 53863379 ____A C:\Users\Constantin\AppData\Local\AdobeSetupUtility.zip.aamdownload
2012-10-22 11:31 - 2012-10-22 11:31 - 00000809 ____A C:\Users\Constantin\AppData\Local\AdobeSetupUtility.zip.aamdownload.aamd
2012-10-22 11:19 - 2012-10-22 11:19 - 00000000 ____D C:\Users\All Users\ALM
2012-10-22 11:04 - 2012-10-22 11:21 - 00000000 ____D C:\Program Files\Adobe
2012-10-22 02:02 - 2012-10-22 02:02 - 00154464 ____A (AVG Technologies CZ, s.r.o. ) C:\Windows\System32\Drivers\avgidsdrivera.sys
2012-10-20 03:50 - 2012-10-20 03:50 - 00000000 ____D C:\Users\Constantin\Downloads\Trei Parale - BAZAR I
2012-10-19 00:01 - 2012-10-19 00:01 - 00001168 ____A C:\Users\Public\Desktop\TeamViewer 7.lnk
2012-10-17 12:41 - 2012-10-17 12:41 - 00000000 ____D C:\Users\Constantin\Documents\Random_Select
2012-10-17 12:40 - 2012-10-17 12:40 - 00009908 ____A C:\Users\Constantin\Documents\Random_Select.zip

==================== One Month Modified Files and Folders =======

2012-11-16 02:40 - 2009-07-13 21:13 - 00778834 ____A C:\Windows\System32\PerfStringBackup.INI
2012-11-16 02:33 - 2012-08-23 23:12 - 00000000 ____D C:\Users\Constantin\AppData\Roaming\vlc
2012-11-16 02:30 - 2012-10-03 12:34 - 00000000 ____D C:\Users\All Users\AVG2013
2012-11-16 02:30 - 2012-08-23 23:18 - 00000000 ____D C:\Users\Constantin\AppData\Roaming\uTorrent
2012-11-16 02:29 - 2012-08-19 04:33 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-11-16 01:48 - 2012-08-21 22:27 - 00000906 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-11-16 01:24 - 2009-07-13 20:45 - 00014224 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-11-16 01:24 - 2009-07-13 20:45 - 00014224 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-11-16 01:18 - 2012-08-22 00:07 - 00000000 ____D C:\Users\Constantin\AppData\Roaming\DAEMON Tools Lite
2012-11-16 01:17 - 2012-08-21 22:26 - 00000902 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-11-16 01:16 - 2012-08-30 21:23 - 00012245 ____A C:\Windows\setupact.log
2012-11-16 01:16 - 2012-08-21 23:20 - 00000000 ____D C:\Users\All Users\NVIDIA
2012-11-16 01:16 - 2012-08-19 02:33 - 00026368 ____A C:\Windows\PFRO.log
2012-11-16 01:16 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-11-16 00:58 - 2012-11-16 00:58 - 00001115 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-11-16 00:58 - 2012-11-16 00:58 - 00000000 ____D C:\Users\Constantin\AppData\Roaming\Malwarebytes
2012-11-16 00:58 - 2012-11-16 00:58 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-11-16 00:58 - 2012-11-16 00:58 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-11-16 00:54 - 2012-11-16 00:39 - 10669952 ____A (Malwarebytes Corporation ) C:\Users\Constantin\Desktop\mbam-setup-1.65.1.1000.exe
2012-11-16 00:51 - 2012-11-16 00:50 - 00000000 ____D C:\Users\Constantin\Desktop\jarallah
2012-11-15 22:02 - 2012-08-21 23:50 - 00000000 ____D C:\Users\All Users\MFAData
2012-11-15 15:00 - 2012-08-21 22:33 - 00000000 ____D C:\Users\Constantin\AppData\Local\Adobe
2012-11-15 12:14 - 2012-09-19 08:32 - 00000000 ____D C:\Users\Constantin\AppData\Roaming\Skype
2012-11-15 11:47 - 2012-11-15 11:47 - 00000000 ____D C:\Program Files (x86)\Mega Codec Pack
2012-11-15 11:47 - 2012-08-19 12:21 - 01818552 ____A C:\Windows\WindowsUpdate.log
2012-11-14 23:16 - 2012-11-12 21:29 - 00000000 ____D C:\Users\Constantin\AppData\Roaming\Winamp
2012-11-13 21:33 - 2012-11-13 21:33 - 00000059 ____A C:\Users\Constantin\Downloads\listen (1).pls
2012-11-13 11:09 - 2012-08-19 04:33 - 00000000 ____D C:\Users\Constantin\AppData\Roaming\Adobe
2012-11-12 21:32 - 2012-11-12 21:32 - 00000067 ____A C:\Users\Constantin\Downloads\listen.pls
2012-11-12 21:30 - 2012-11-12 21:29 - 00000000 ____D C:\Program Files (x86)\Winamp
2012-11-12 21:29 - 2012-11-12 21:29 - 00000985 ____A C:\Users\Public\Desktop\Winamp.lnk
2012-11-12 21:29 - 2012-11-12 21:29 - 00000000 ____D C:\Program Files (x86)\Winamp Detect
2012-11-12 21:27 - 2012-11-12 21:27 - 17335648 ____A (Nullsoft, Inc.) C:\Users\Constantin\Downloads\winamp563_full_emusic-7plus_all.exe
2012-11-09 20:59 - 2009-07-13 21:08 - 00032630 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-11-08 20:53 - 2012-08-21 22:28 - 00002374 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2012-11-07 10:47 - 2012-08-22 23:59 - 00000000 ____D C:\Users\Constantin\AppData\Local\Autodesk
2012-11-07 10:47 - 2012-08-22 12:45 - 00000000 ____D C:\Users\Constantin\AppData\Roaming\Autodesk
2012-11-07 10:47 - 2012-08-22 12:45 - 00000000 ____D C:\Users\All Users\Autodesk
2012-11-07 09:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
2012-11-05 12:36 - 2012-09-19 08:32 - 00000000 ____D C:\Users\All Users\Skype
2012-11-03 02:52 - 2012-11-03 01:53 - 00000000 ____D C:\Users\Constantin\Downloads\Evermotion_Archmodels_72_BtTrove
2012-11-03 01:52 - 2012-11-03 01:52 - 00021263 ____A C:\Users\Constantin\Downloads\[isoHunt] Evermotion_Archmodels_72_BtTrove.torrent
2012-11-03 01:48 - 2012-11-03 01:48 - 00000000 ____D C:\Users\Constantin\Downloads\nature-backgrounds-vector
2012-11-03 01:01 - 2012-11-03 01:01 - 00000000 ____D C:\Users\Constantin\Downloads\spring-trees-backgrounds-vector
2012-11-03 01:01 - 2012-11-03 01:01 - 00000000 ____D C:\Users\Constantin\Downloads\abstract-trees-vector
2012-11-03 01:01 - 2012-11-03 01:00 - 04050921 ____A C:\Users\Constantin\Downloads\nature-backgrounds-vector.zip
2012-11-03 01:00 - 2012-11-03 01:00 - 03304569 ____A C:\Users\Constantin\Downloads\spring-trees-backgrounds-vector.zip
2012-11-03 00:59 - 2012-11-03 00:58 - 07564516 ____A C:\Users\Constantin\Downloads\abstract-trees-vector.zip
2012-11-03 00:49 - 2012-11-03 00:49 - 00000000 ____D C:\Users\Constantin\Downloads\watercolor-postcards-vector
2012-11-03 00:48 - 2012-11-03 00:47 - 07391864 ____A C:\Users\Constantin\Downloads\watercolor-postcards-vector.zip
2012-10-29 22:30 - 2012-08-23 22:42 - 00000000 ____D C:\Users\Constantin\AppData\Local\cache
2012-10-29 19:07 - 2012-10-29 19:07 - 00000000 ____D C:\Users\Constantin\Downloads\19
2012-10-29 18:53 - 2012-10-29 18:53 - 00409752 ____A C:\Users\Constantin\Downloads\bench_08.3ds
2012-10-29 13:11 - 2012-10-29 13:11 - 00057125 ____A C:\Users\Constantin\Downloads\19.rar
2012-10-29 13:10 - 2012-10-29 13:10 - 00000000 ____D C:\Users\Constantin\Downloads\30
2012-10-29 13:09 - 2012-10-29 13:09 - 00171534 ____A C:\Users\Constantin\Downloads\30.rar
2012-10-25 14:17 - 2012-08-30 06:03 - 00000000 ____D C:\Users\Constantin\Downloads\@Torrents
2012-10-25 03:52 - 2012-10-22 11:32 - 00001556 ____A C:\Users\Constantin\Desktop\Adobe Illustrator CS6 (64 Bit).lnk
2012-10-23 10:21 - 2009-07-13 20:45 - 05065576 ____A C:\Windows\System32\FNTCACHE.DAT
2012-10-22 20:59 - 2012-10-22 20:59 - 00000132 ____A C:\Users\Constantin\AppData\Roaming\Adobe PNG Format CS6 Prefs
2012-10-22 20:23 - 2012-10-22 20:23 - 00093969 ____A C:\Users\Constantin\Downloads\All sizes Nutella Flickr - Photo Sharing!.htm
2012-10-22 20:23 - 2012-10-22 20:23 - 00000000 ____D C:\Users\Constantin\Downloads\All sizes Nutella Flickr - Photo Sharing!_files
2012-10-22 11:32 - 2012-10-22 11:32 - 00001240 ____A C:\Users\Constantin\Desktop\Adobe Photoshop CS6 (64 Bit).lnk
2012-10-22 11:31 - 2012-10-22 11:31 - 53863379 ____A C:\Users\Constantin\AppData\Local\AdobeSetupUtility.zip.aamdownload
2012-10-22 11:31 - 2012-10-22 11:31 - 00000809 ____A C:\Users\Constantin\AppData\Local\AdobeSetupUtility.zip.aamdownload.aamd
2012-10-22 11:27 - 2012-08-23 22:07 - 00000000 ____D C:\Users\All Users\regid.1986-12.com.adobe
2012-10-22 11:27 - 2012-08-19 02:37 - 00122544 ____A C:\Users\Constantin\AppData\Local\GDIPFONTCACHEV1.DAT
2012-10-22 11:23 - 2012-08-21 22:20 - 00000000 ____D C:\Users\All Users\Adobe
2012-10-22 11:21 - 2012-10-22 11:04 - 00000000 ____D C:\Program Files\Adobe
2012-10-22 11:21 - 2012-08-23 21:49 - 00000000 ____D C:\Program Files\Common Files\Adobe
2012-10-22 11:19 - 2012-10-22 11:19 - 00000000 ____D C:\Users\All Users\ALM
2012-10-22 11:12 - 2012-08-21 22:20 - 00000000 ____D C:\Program Files (x86)\Adobe
2012-10-22 02:02 - 2012-10-22 02:02 - 00154464 ____A (AVG Technologies CZ, s.r.o. ) C:\Windows\System32\Drivers\avgidsdrivera.sys
2012-10-20 03:50 - 2012-10-20 03:50 - 00000000 ____D C:\Users\Constantin\Downloads\Trei Parale - BAZAR I
2012-10-19 07:51 - 2012-10-01 07:22 - 00000000 ____D C:\Users\Constantin\AppData\Roaming\TeamViewer
2012-10-19 00:01 - 2012-10-19 00:01 - 00001168 ____A C:\Users\Public\Desktop\TeamViewer 7.lnk
2012-10-17 12:41 - 2012-10-17 12:41 - 00000000 ____D C:\Users\Constantin\Documents\Random_Select
2012-10-17 12:40 - 2012-10-17 12:40 - 00009908 ____A C:\Users\Constantin\Documents\Random_Select.zip


ZeroAccess:
C:\Windows\Installer\{6eca4627-24d8-deae-7b1d-c3c79bfe2fc3}
C:\Windows\Installer\{6eca4627-24d8-deae-7b1d-c3c79bfe2fc3}\@
C:\Windows\Installer\{6eca4627-24d8-deae-7b1d-c3c79bfe2fc3}\L
C:\Windows\Installer\{6eca4627-24d8-deae-7b1d-c3c79bfe2fc3}\U
C:\Windows\Installer\{6eca4627-24d8-deae-7b1d-c3c79bfe2fc3}\U\00000004.@
C:\Windows\Installer\{6eca4627-24d8-deae-7b1d-c3c79bfe2fc3}\U\00000008.@
C:\Windows\Installer\{6eca4627-24d8-deae-7b1d-c3c79bfe2fc3}\U\000000cb.@
C:\Windows\Installer\{6eca4627-24d8-deae-7b1d-c3c79bfe2fc3}\U\80000032.@

ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 50BEA589F7D7958BDD2528A8F69D05CC ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-11-15 17:41:02

==================== Memory info ===========================

Percentage of memory in use: 19%
Total physical RAM: 3070.04 MB
Available physical RAM: 2477.04 MB
Total Pagefile: 3068.19 MB
Available Pagefile: 2463.75 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: (SYSTEM) (Fixed) (Total:68.36 GB) (Free:4.09 GB) NTFS
2 Drive e: (WORK) (Fixed) (Total:98.41 GB) (Free:48.87 GB) NTFS
3 Drive f: (TEMP) (Fixed) (Total:19.43 GB) (Free:14.85 GB) NTFS
5 Drive h: (A-DATA UFD) (Removable) (Total:7.5 GB) (Free:6.9 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
7 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 186 GB 9 MB
Disk 1 Online 7701 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 19 GB 101 MB
Partition 0 Extended 166 GB 19 GB
Partition 3 Logical 68 GB 19 GB
Partition 4 Logical 98 GB 87 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y System Rese NTFS Partition 100 MB Healthy

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 F TEMP NTFS Partition 19 GB Healthy

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 C SYSTEM NTFS Partition 68 GB Healthy

=========================================================

Disk: 0
Partition 4
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 E WORK NTFS Partition 98 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7695 MB 31 KB

==================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 H A-DATA UFD FAT32 Removable 7695 MB Healthy

=========================================================

Last Boot: 2012-11-14 13:26

==================== End Of Log =============================
 
Search.txt file log:

Farbar Recovery Scan Tool (x64) Version: 12-11-2012
Ran by SYSTEM at 2012-11-16 13:49:48
Running from H:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0329216 ____A (Microsoft Corporation) 50BEA589F7D7958BDD2528A8F69D05CC

C:\Windows\erdnt\cache64\services.exe
[2012-10-03 10:25] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======
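The Search.txt above is what the helper read to spot the patched copy: the System32 services.exe has a different MD5 and is 512 bytes larger than the WinSxS component-store copy, while its timestamps are unchanged. The following is an added example (not part of the thread, FRST or the fixlist) that parses Search.txt in the format posted and flags any live copy of a file that matches none of its WinSxS copies; the sample input is constructed from the three entries above.

```python
"""Cross-check copies of a system binary listed in an FRST Search.txt
against the copy kept in the WinSxS component store.

Added example for this thread; not part of FRST or the fixlist."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input, re-typed from the thread's Search.txt.
SAMPLE_SEARCH_TXT = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0329216 ____A (Microsoft Corporation) 50BEA589F7D7958BDD2528A8F69D05CC

C:\Windows\erdnt\cache64\services.exe
[2012-10-03 10:25] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======
"""

# Each hit is a path line followed by one detail line:
# [created] - [modified] - size attrs (company) MD5
PATH_RE = re.compile(r"^[A-Za-z]:\\")
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) (?:\((?P<company>[^)]*)\) )?"
    r"(?P<md5>[0-9A-Fa-f]{32})\s*$"
)


@dataclass
class FileEntry:
    path: str
    modified: str
    size: int
    company: str
    md5: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def in_winsxs(self) -> bool:
        return "\\winsxs\\" in self.path.lower()


@dataclass
class Finding:
    entry: FileEntry
    reference: FileEntry
    reasons: List[str]


def parse_search_txt(text: str) -> List[FileEntry]:
    """Return one FileEntry per path/detail pair found in Search.txt."""
    lines = text.splitlines()
    entries = []
    for path_line, detail_line in zip(lines, lines[1:]):
        m = DETAIL_RE.match(detail_line)
        if not PATH_RE.match(path_line) or not m:
            continue
        entries.append(FileEntry(path=path_line.strip(), modified=m["modified"],
                                 size=int(m["size"]), company=m["company"] or "",
                                 md5=m["md5"].upper()))
    return entries


def check_against_winsxs(entries: List[FileEntry]) -> List[Finding]:
    """Flag live copies that match none of the WinSxS copies of the same name.

    A legitimately updated binary can differ from an older component-store
    version, so a copy is flagged only when no WinSxS copy matches it."""
    by_name: Dict[str, List[FileEntry]] = defaultdict(list)
    for e in entries:
        by_name[e.name].append(e)
    findings = []
    for group in by_name.values():
        refs = [e for e in group if e.in_winsxs]
        if not refs:
            continue  # nothing to compare against
        for e in group:
            if e.in_winsxs or any(r.md5 == e.md5 and r.size == e.size for r in refs):
                continue
            ref = refs[0]
            reasons = []
            if e.md5 != ref.md5:
                reasons.append("MD5 differs from every WinSxS copy")
            if e.size != ref.size:
                reasons.append("size differs by %+d bytes" % (e.size - ref.size))
            if e.modified == ref.modified:
                reasons.append("content changed but modified time equals the original")
            findings.append(Finding(entry=e, reference=ref, reasons=reasons))
    return findings


def report(findings: List[Finding]) -> List[str]:
    return ["%s: %s" % (f.entry.path, "; ".join(f.reasons)) for f in findings]


if __name__ == "__main__":
    for line in report(check_against_winsxs(parse_search_txt(SAMPLE_SEARCH_TXT))):
        print(line)
```

Run against the sample, only C:\Windows\System32\services.exe is reported; the erdnt cache copy is skipped because it matches the WinSxS copy byte for byte.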
 
Good job!

Next step...

FRST Fixlist

Please download attached fixlist.txt below, and save it to your flash drive in the same location as FRST.exe. Make sure it maintains the same name, otherwise the fix will fail.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now, please enter System Recovery Options then select Command Prompt.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Now restart, let it boot normally and tell me how it went.
 

Attachments

  • fixlist.txt
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 12-11-2012
Ran by SYSTEM at 2012-11-16 22:14:22 Run:1
Running from H:\

==============================================

C:\Windows\Installer\{6eca4627-24d8-deae-7b1d-c3c79bfe2fc3} moved successfully.
C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.
C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.
c:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to c:\Windows\System32\services.exe

==== End of Fixlog ====
 
Thank you very much!
I scanned the computer with AVG and it seems OK, I will do another scan with Malwarebytes Anti-Malware and tell you what happened...
Thanks again, I wish you all the best!
Costin.
 
ComboFix scan

Please download ComboFix
by sUBs
From BleepingComputer.com

Please save the file to your Desktop.

Important information about ComboFix


After the download:
  • Close any open browsers.
  • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
Running ComboFix:
  • Double click on ComboFix.exe & follow the prompts.
  • When ComboFix finishes, it will produce a report for you.
  • Please post the report, which will launch or be found at "C:\Combo-Fix.txt" in your next reply.
Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method (above method), but try to download it again, except name ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
 
Hi!
I scanned many times with AVG and Malwarebytes Anti-Malware and it seems everything is OK.
Do I need to do something more?

 
Please do ComboFix and trust my lead. Let's make sure all malware is gone, so you don't run your computer at further risk.
 
Hi again, sorry for the misunderstanding. I did ComboFix, here is the log:


ComboFix 12-11-16.02 - Constantin 11/19/2012 22:13:03.2.2 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3070.1939 [GMT 3:00]
Running from: c:\users\Constantin\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2013 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
FW: AVG Internet Security 2013 *Disabled* {36AFA1E1-4CDC-7EF8-11EE-C77C3581ABA2}
SP: AVG Anti-Virus Free Edition 2013 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-10-19 to 2012-11-19 )))))))))))))))))))))))))))))))
.
.
2012-11-19 19:20 . 2012-11-19 19:20  --------  d-----w-  c:\users\UpdatusUser\AppData\Local\temp
2012-11-19 19:20 . 2012-11-19 19:20  --------  d-----w-  c:\users\Public\AppData\Local\temp
2012-11-19 19:20 . 2012-11-19 19:20  --------  d-----w-  c:\users\Default\AppData\Local\temp
2012-11-19 05:54 . 2012-07-26 04:47  2560  ----a-w-  c:\windows\system32\drivers\en-US\wdf01000.sys.mui
2012-11-19 05:54 . 2012-07-26 04:55  785512  ----a-w-  c:\windows\system32\drivers\Wdf01000.sys
2012-11-19 05:54 . 2012-07-26 04:55  54376  ----a-w-  c:\windows\system32\drivers\WdfLdr.sys
2012-11-19 05:54 . 2012-07-26 02:36  9728  ----a-w-  c:\windows\system32\Wdfres.dll
2012-11-19 05:47 . 2012-07-26 03:08  84992  ----a-w-  c:\windows\system32\WUDFSvc.dll
2012-11-19 05:47 . 2012-07-26 03:08  194048  ----a-w-  c:\windows\system32\WUDFPlatform.dll
2012-11-19 05:47 . 2012-07-26 02:26  87040  ----a-w-  c:\windows\system32\drivers\WUDFPf.sys
2012-11-19 05:47 . 2012-07-26 02:26  198656  ----a-w-  c:\windows\system32\drivers\WUDFRd.sys
2012-11-19 05:47 . 2012-07-26 03:08  229888  ----a-w-  c:\windows\system32\WUDFHost.exe
2012-11-19 05:47 . 2012-07-26 03:08  744448  ----a-w-  c:\windows\system32\WUDFx.dll
2012-11-19 05:47 . 2012-07-26 03:08  45056  ----a-w-  c:\windows\system32\WUDFCoinstaller.dll
2012-11-19 04:50 . 2012-10-18 18:25  3149824  ----a-w-  c:\windows\system32\win32k.sys
2012-11-16 21:48 . 2012-11-16 21:48  --------  d-----w-  C:\FRST
2012-11-16 08:58 . 2012-11-16 08:58  --------  d-----w-  c:\users\Constantin\AppData\Roaming\Malwarebytes
2012-11-16 08:58 . 2012-11-16 08:58  --------  d-----w-  c:\programdata\Malwarebytes
2012-11-16 08:58 . 2012-11-16 08:58  --------  d-----w-  c:\program files (x86)\Malwarebytes' Anti-Malware
2012-11-16 08:58 . 2012-09-29 16:54  25928  ----a-w-  c:\windows\system32\drivers\mbam.sys
2012-11-15 19:48 . 2012-11-15 19:48  220160  ----a-w-  c:\programdata\Microsoft\Media Tools\MediaIconsOverlays.dll
2012-11-15 19:47 . 2012-11-15 19:47  --------  d-----w-  c:\program files (x86)\Mega Codec Pack
2012-11-14 17:32 . 2012-09-25 22:47  78336  ----a-w-  c:\windows\SysWow64\synceng.dll
2012-11-14 17:32 . 2012-09-25 22:46  95744  ----a-w-  c:\windows\system32\synceng.dll
2012-11-13 05:29 . 2012-11-13 05:29  --------  d-----w-  c:\program files (x86)\Winamp Detect
2012-11-13 05:29 . 2012-11-13 05:29  --------  d-----w-  c:\program files (x86)\Common Files\PX Storage Engine
2012-11-13 05:29 . 2012-11-15 07:16  --------  d-----w-  c:\users\Constantin\AppData\Roaming\Winamp
2012-11-13 05:29 . 2012-11-13 05:30  --------  d-----w-  c:\program files (x86)\Winamp
2012-10-22 19:19 . 2012-10-22 19:19  --------  d-----w-  c:\programdata\ALM
2012-10-22 19:04 . 2012-10-22 19:21  --------  d-----w-  c:\program files\Adobe
2012-10-22 10:02 . 2012-10-22 10:02  154464  ----a-w-  c:\windows\system32\drivers\avgidsdrivera.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-19 05:47 . 2012-08-23 10:10  66395536  ----a-w-  c:\windows\system32\MRT.exe
2012-10-15 00:48 . 2012-10-15 00:48  63328  ----a-w-  c:\windows\system32\drivers\avgidsha.sys
2012-10-10 02:30 . 2012-08-19 12:33  73656  ----a-w-  c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-10-10 02:30 . 2012-08-19 12:33  696760  ----a-w-  c:\windows\SysWow64\FlashPlayerApp.exe
2012-10-05 00:32 . 2012-10-05 00:32  111456  ----a-w-  c:\windows\system32\drivers\avgmfx64.sys
2012-10-02 00:30 . 2012-10-02 00:30  185696  ----a-w-  c:\windows\system32\drivers\avgldx64.sys
2012-09-21 00:46 . 2012-09-21 00:46  200032  ----a-w-  c:\windows\system32\drivers\avgtdia.sys
2012-09-21 00:46 . 2012-09-21 00:46  225120  ----a-w-  c:\windows\system32\drivers\avgloga.sys
2012-09-14 19:19 . 2012-10-10 01:49  2048  ----a-w-  c:\windows\system32\tzres.dll
2012-09-14 18:28 . 2012-10-10 01:49  2048  ----a-w-  c:\windows\SysWow64\tzres.dll
2012-09-14 00:05 . 2012-09-14 00:05  40800  ----a-w-  c:\windows\system32\drivers\avgrkx64.sys
2012-08-31 18:19 . 2012-10-10 01:51  1659760  ----a-w-  c:\windows\system32\drivers\ntfs.sys
2012-08-30 18:03 . 2012-10-10 01:50  5559664  ----a-w-  c:\windows\system32\ntoskrnl.exe
2012-08-30 17:12 . 2012-10-10 01:50  3968880  ----a-w-  c:\windows\SysWow64\ntkrnlpa.exe
2012-08-30 17:12 . 2012-10-10 01:50  3914096  ----a-w-  c:\windows\SysWow64\ntoskrnl.exe
2012-08-24 18:05 . 2012-10-10 01:50  220160  ----a-w-  c:\windows\system32\wintrust.dll
2012-08-24 16:57 . 2012-10-10 01:50  172544  ----a-w-  c:\windows\SysWow64\wintrust.dll
2012-08-24 07:56 . 2012-08-24 07:56  8192  ----a-w-  c:\windows\SysWow64\srvany.exe
2012-08-23 16:27 . 2012-08-23 16:27  283200  ----a-w-  c:\windows\system32\drivers\dtsoftbus01.sys
2012-08-23 16:13 . 2009-07-14 02:36  175616  ----a-w-  c:\windows\system32\msclmd.dll
2012-08-23 16:13 . 2009-07-14 02:36  152576  ----a-w-  c:\windows\SysWow64\msclmd.dll
2012-08-22 18:12 . 2012-09-14 09:41  950128  ----a-w-  c:\windows\system32\drivers\ndis.sys
2012-08-22 18:12 . 2012-09-14 09:40  376688  ----a-w-  c:\windows\system32\drivers\netio.sys
2012-08-22 18:12 . 2012-09-14 09:40  288624  ----a-w-  c:\windows\system32\drivers\FWPKCLNT.SYS
2012-08-22 07:09 . 2012-08-22 07:09  21712  ----a-w-  c:\windows\SysWow64\drivers\DrvAgent64.SYS
2012-08-22 06:39 . 2012-08-22 06:39  95208  ----a-w-  c:\windows\SysWow64\WindowsAccessBridge-32.dll
2012-08-22 06:39 . 2012-08-22 06:40  746984  ----a-w-  c:\windows\SysWow64\deployJava1.dll
2012-08-22 06:39 . 2012-08-22 06:40  821736  ----a-w-  c:\windows\SysWow64\npDeployJava1.dll
2012-08-21 21:01 . 2012-09-27 17:41  245760  ----a-w-  c:\windows\system32\OxpsConverter.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\0MediaIconsOerlay]
@="{1EC23CFF-4C58-458f-924C-8519AEF61B32}"
[HKEY_CLASSES_ROOT\CLSID\{1EC23CFF-4C58-458f-924C-8519AEF61B32}]
2012-11-06 17:32  220160  ----a-w-  c:\program files (x86)\Mega Codec Pack\Filters\Haali\mmdinfo.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2012-04-17 3671872]
"AdobeBridge"="" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AVG_UI"="c:\program files (x86)\AVG\AVG2013\avgui.exe" [2012-11-06 3143800]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
R2 KMService;KMService;c:\windows\system32\srvany.exe [x]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-09-29 676936]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-13 160944]
R3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\Drivers\ssadadb.sys [2011-05-13 36328]
R3 cpudrv64;cpudrv64;c:\program files (x86)\SystemRequirementsLab\cpudrv64.sys [2011-06-02 17864]
R3 DrvAgent64;DrvAgent64;c:\windows\SysWOW64\Drivers\DrvAgent64.SYS [2012-08-22 21712]
R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2012-08-23 1432400]
R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-01-09 174440]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 20992]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\ssadbus.sys [2011-05-13 157672]
R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\DRIVERS\ssadmdfl.sys [2011-05-13 16872]
R3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\DRIVERS\ssadmdm.sys [2011-05-13 177640]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-08-20 1255736]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [2008-05-06 14464]
S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys [2012-10-15 63328]
S0 Avgloga;AVG Logging Driver;c:\windows\system32\DRIVERS\avgloga.sys [2012-09-21 225120]
S0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [2012-10-05 111456]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [2012-09-14 40800]
S1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys [2012-10-22 154464]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [2012-10-02 185696]
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [2012-09-21 200032]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2012-08-23 283200]
S2 Autodesk Content Service;Autodesk Content Service;c:\program files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe [2012-01-31 19232]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2013\avgidsagent.exe [2012-11-06 5814392]
S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2013\avgwdsvc.exe [2012-10-22 196664]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 27136]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-09-29 399432]
S2 mi-raysat_3dsmax2013_64;mental ray 3.10 Satellite for Autodesk 3ds Max 2013 64-bit;c:\program files\Autodesk\3ds Max Design 2013\NVIDIA\raysat_3dsmax2013_64server.exe [2011-09-14 86016]
S2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-10-02 3064000]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-05-14 382272]
S2 TeamViewer7;TeamViewer 7;c:\program files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [2012-08-31 2754984]
S3 bcm44amd64;Broadcom 440x 10/100 Integrated Controller XP Driver;c:\windows\system32\DRIVERS\b44amd64.sys [2009-06-10 87552]
S3 CAXHWAZL;CAXHWAZL;c:\windows\system32\DRIVERS\CAXHWAZL.sys [1999-12-31 292864]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-09-29 25928]
S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\DRIVERS\teamviewervpn.sys [2012-08-07 35112]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-19 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-19 02:30]
.
2012-11-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-08-22 06:26]
.
2012-11-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-08-22 06:26]
.
.
--------- X64 Entries -----------
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = https://isearch.avg.com/?cid={A264A...7db239a45&lang=en&ds=is015&pr=sa&d=2012-08-22 10:25&v=12.2.0.5&sap=hp
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
TCP: DhcpNameServer = 62.215.6.51 62.215.6.4
TCP: Interfaces\{443C9D70-F490-428B-B6D6-B640627BD433}: DhcpNameServer = 62.215.6.51 62.215.6.4
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
AddRemove-WinRAR - c:\windows\WinRAR\uninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
.
**************************************************************************
.
Completion time: 2012-11-19 22:28:12 - machine was rebooted
ComboFix-quarantined-files.txt 2012-11-19 19:28
.
Pre-Run: 4,806,926,336 bytes free
Post-Run: 4,743,483,392 bytes free
.
- - End Of File - - 55BAA57CC0547A880658C95571B40BFF
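
The UAC policy values in the ComboFix log above (EnableLUA = 0, ConsentPromptBehaviorAdmin = 0, PromptOnSecureDesktop = 0) mean User Account Control was switched off on this machine, so nothing prompted when software elevated. As an added check that is not part of this thread or of ComboFix, the PowerShell below parses those log lines and compares them with the Windows 7 defaults (an assumed baseline), and can run the same comparison against the live registry.

```powershell
# Added example (not from the thread): audit the UAC policy values that ComboFix
# lists under HKLM\...\Policies\System against the Windows 7 defaults.

# Assumed baseline: Windows 7 defaults. Adjust for hardened builds.
$UacDefaults = @{
    EnableLUA                  = 1   # 0 = UAC off; no elevation prompts at all
    ConsentPromptBehaviorAdmin = 5   # prompt admins for consent on non-Windows binaries
    ConsentPromptBehaviorUser  = 3   # prompt standard users for credentials
    PromptOnSecureDesktop      = 1   # show prompts on the secure desktop
    EnableUIADesktopToggle     = 0   # UIAccess apps cannot leave the secure desktop
}

# Parse ComboFix-style lines such as:  "EnableLUA"= 0 (0x0)
function ConvertFrom-ComboFixPolicy {
    param([string[]]$Lines)
    $values = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*"(?<name>\w+)"\s*=\s*(?<val>\d+)') {
            $values[$Matches.name] = [int]$Matches.val
        }
    }
    return $values
}

# Compare observed values with the defaults. A value that is absent from the
# registry means Windows applies its default, so it is not flagged.
function Compare-UacPolicy {
    param([hashtable]$Observed)
    foreach ($name in ($UacDefaults.Keys | Sort-Object)) {
        $actual = if ($Observed.ContainsKey($name)) { $Observed[$name] } else { $UacDefaults[$name] }
        [pscustomobject]@{
            Setting  = $name
            Observed = $actual
            Default  = $UacDefaults[$name]
            Weakened = ($actual -ne $UacDefaults[$name])
        }
    }
}

# Read the same values from the live registry of the machine being checked.
function Get-LiveUacPolicy {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $props = Get-ItemProperty -Path $key
    $observed = @{}
    foreach ($name in $UacDefaults.Keys) {
        if ($null -ne $props.$name) { $observed[$name] = [int]$props.$name }
    }
    return $observed
}

# 1) The values exactly as they appear in the ComboFix log in this thread.
$logLines = @(
    '"ConsentPromptBehaviorAdmin"= 0 (0x0)',
    '"ConsentPromptBehaviorUser"= 3 (0x3)',
    '"EnableLUA"= 0 (0x0)',
    '"EnableUIADesktopToggle"= 0 (0x0)',
    '"PromptOnSecureDesktop"= 0 (0x0)'
)
Compare-UacPolicy -Observed (ConvertFrom-ComboFixPolicy $logLines) | Format-Table -AutoSize

# 2) The same check against the current machine (run from an elevated prompt).
Compare-UacPolicy -Observed (Get-LiveUacPolicy) | Format-Table -AutoSize
```

For the log in this thread the table flags EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop as weakened; the other two already match the defaults.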
 
ESET Online Scan

Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so and install it.
  • Click Start or wait for the scanner to load.
  • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, there are a couple of things to keep in mind:
  • 1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
  • 2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
  • Open the logfile from wherever you saved it
  • Copy and paste the contents in your next reply.
 
Sorry for delay. I just came back from my short vacation. :)


Any more issues?

We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

Many of the things to note for us would be:

  • Slow computer
  • Error messages
  • Fake antivirus alerts or the icon in the system tray
  • svchost.exe running at 100%
  • System crashes or blue screen of death
 
No problem..

I believe everything is fine...I don't have any other issues...
Can you recommend an antivirus/firewall/antimalware/etc. I am using AVG free antivirus, and for another few days Malwarebytes-Anti-malware. Is it enough? Should I change anything?
Sometimes I use Teamviewer, and I know it's not very secured. Is it that bad?

Thanks for the help!!
Costin.
 
Hi there. Let's finish up and we'll see with Security Check tool...

Clean up System Restore

Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

To manually create a new Restore Point
  • Go to Control Panel and select System and Maintenance
  • Select System
  • On the left select Advanced System Settings and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name, i.e. Clean
  • Select Create
Now we can purge the infected ones
  • Go back to the System and Maintenance page
  • Select Performance Information and Tools
  • On the left select Open Disk Cleanup
  • Select Files from all users and accept the warning if you get one
  • In the drop down box select your main drive, i.e. C
  • For a few moments the system will make some calculations:
    diskcleanup1.png
  • Select the More Options tab
    moreoptions.png
  • In the System Restore and Shadow Backups select Clean up
    moreoptions2.png
  • Select Delete on the pop up
  • Select OK
  • Select Delete
Run OTC to remove our tools

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Purge old temporary files

NOTE: If you already have this installed, you don't have to reinstall it.

Please download CCleaner Slim and save it to your Desktop - Alternate download link

When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
Follow the prompts to install the program.

  • Double-click the CCleaner shortcut on the desktop to start the program.
  • A prompt will ask you if you want CCleaner to do a check to see what cookies it needs to keep. Allow that operation.
  • On the Cleaner tab, click on Run Cleaner on the bottom-right to run the program.
  • Important: Make sure that ALL browser windows are closed before selecting Run Cleaner, or it will ask if you want the program to close them for you (when you do this, all unsaved data may be lost in the browser).

Caution: Only use the Registry feature if you are very familiar with the registry.
Always back up your registry before making any changes. Exit CCleaner after it has completed its process.

Security Check

Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
 