
infected with svchost.exe via apparent rootkit


This topic is locked. 46 replies to this topic.

#31 kjax82 (Topic Starter)

Posted 23 January 2012 - 11:48 AM

Excellent! It seems that everything is running smoothly again. Thank you very much. My security is beefed up (too secure, but I can tweak that over time) and no notifications on security breaches are happening. Since I now have MBAM, would you recommend removing AVG?



#32 kjax82 (Topic Starter)

Posted 23 January 2012 - 11:51 AM

Also, the sound doesn't seem to work now, but I can look at some troubleshooters to try to fix that. Any chance we deleted a DLL in the process or something?

#33 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 23 January 2012 - 04:33 PM

Hello

When did the sound go out?

Try going to the computer's web site and redownloading the drivers.




gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#34 kjax82 (Topic Starter)

Posted 23 January 2012 - 09:29 PM

Well, first and foremost, can I use MBAM instead of AVG, or should I use both? I think you overlooked the post three posts back. But I'm not sure when the audio problem happened. I am sure it was sometime during the fix though. I hover over the speaker icon in the bottom right that has a red X on it and it says "the audio device is not running". I click the button and it says "resolving problems", then it says "one or more audio device isn't running." I open "control panel > manage audio devices" and a pop-up says

"Audio service not running
This computer cannot play audio because the windows audio service is not enabled. Would you like to enable the windows audio service?"

I click yes, and it brings up a "sound" window with playback, recording, sounds, and communications tabs. In the box it says "no audio devices are installed." Here is the device driver page http://support.gateway.com/us/en/product/default.aspx?tab=1&modelId=2302 and it doesn't look like any of those are for sound.

Anyway, the computer looks clear of all virus-related problems and thank you VERY much for that. If you can offer help on the sound (maybe something we disabled?), that would be great, but the main problem is gone. But whether or not to somehow uninstall the unresponsive AVG is still a question. Thanks.

#35 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 23 January 2012 - 09:38 PM

Hello

I would uninstall AVG and, if you like it, reinstall it and see if it works again.

There are a few that are better and lower on resources if you would like to try them out.

As far as the sound, I rechecked the thread and didn't see anything that would cause it, but that does not mean we did not break it. There are a few things I would try first:

One: go to the computer's web site, download the sound drivers and reinstall them.

Two: uninstall the sound devices in the Device Manager, restart the computer and let them get reinstalled.

And last: go to Windows Update and do any updates that it asks to do.

Let me know if anything works.


gringo

#36 kjax82 (Topic Starter)

Posted 24 January 2012 - 11:28 AM

I tried uninstalling the drivers so Windows could reinstall them after a reboot. The drivers reappeared, but still the same no-sound problem. I downloaded all the model-specific drivers from Gateway and reinstalled them. Nothing changed. I tried to install all Windows updates waiting to be installed (a big number), but after shutting the computer down and waiting for the updates, it seemed to start to install the updates. I let the computer install updates overnight, but in the morning, the computer was still saying "shutting down". I rebooted into Windows, but Windows was acting very slow (when I clicked Windows Update, it took 30 seconds to open long after Windows had loaded). Once that had opened, I saw that 5 updates had failed.

#37 kjax82 (Topic Starter)

Posted 24 January 2012 - 11:50 AM

Update: After trying to install the updates again, installing the updates was a success. The sound still does not work though. The computer is still slower, but not quite as slow.

AVG finally seems to be removed.

After the virus removal, I also noticed that my gadgets no longer loaded when Windows loaded. EDIT: It looks like they DO load, but it takes about 5 minutes after Windows opens.

Edited by kjax82, 24 January 2012 - 11:50 AM.


#38 kjax82 (Topic Starter)

Posted 26 January 2012 - 12:50 PM

bump

#39 kjax82 (Topic Starter)

Posted 29 January 2012 - 10:02 PM

bump

#40 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 29 January 2012 - 10:23 PM

Hello

I would like you to download an updated version of ComboFix.

Update ComboFix

Delete the version of ComboFix you have now on your desktop and download a new one from here:

Link 1
Link 2
Link 3
**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

In your next post I need the following:
  • Log from ComboFix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo

#41 kjax82 (Topic Starter)

Posted 30 January 2012 - 02:30 AM

ComboFix 12-01-29.02 - Kris 01/30/2012 1:07.7.8 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8183.5535 [GMT -6:00]
Running from: c:\users\Kris\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\security\Database\tmp.edb
.
.
((((((((((((((((((((((((( Files Created from 2011-12-28 to 2012-01-30 )))))))))))))))))))))))))))))))
.
.
2012-01-24 17:25 . 2012-01-24 17:25 -------- d-----w- c:\windows\system32\SPReview
2012-01-24 17:25 . 2012-01-24 17:25 -------- d-----w- c:\windows\system32\EventProviders
2012-01-24 17:25 . 2012-01-24 17:35 -------- d-----w- C:\346773eb3cff1fe85b5c08dfcd
2012-01-24 17:20 . 2010-11-20 12:17 327168 ----a-w- c:\windows\SysWow64\RMActivate_isv.exe
2012-01-24 17:19 . 2010-11-20 13:26 281600 ----a-w- c:\windows\system32\DShowRdpFilter.dll
2012-01-24 17:18 . 2010-11-20 13:27 605696 ----a-w- c:\windows\system32\wmpeffects.dll
2012-01-24 17:18 . 2010-11-20 13:27 2072576 ----a-w- c:\windows\system32\WMPEncEn.dll
2012-01-24 17:18 . 2010-11-20 13:26 257024 ----a-w- c:\windows\system32\mfreadwrite.dll
2012-01-24 17:15 . 2010-11-20 13:27 236032 ----a-w- c:\windows\system32\srvsvc.dll
2012-01-24 17:13 . 2010-11-20 12:51 424448 ----a-w- c:\windows\system32\aeinv.dll
2012-01-24 17:10 . 2010-11-20 13:27 406016 ----a-w- c:\windows\system32\scesrv.dll
2012-01-24 17:09 . 2010-11-20 13:25 3745792 ----a-w- c:\windows\system32\accessibilitycpl.dll
2012-01-24 17:08 . 2010-11-20 12:57 3072 ----a-w- c:\windows\system32\drivers\en-US\tsusbflt.sys.mui
2012-01-24 17:08 . 2010-11-20 13:01 2560 ----a-w- c:\windows\system32\drivers\en-US\rdpwd.sys.mui
2012-01-24 17:08 . 2010-11-20 13:10 4608 ----a-w- c:\windows\system32\drivers\en-US\kbdclass.sys.mui
2012-01-24 17:08 . 2010-11-20 13:11 6144 ----a-w- c:\windows\system32\drivers\en-US\IPMIDrv.sys.mui
2012-01-24 17:08 . 2010-11-20 12:21 189952 ----a-w- c:\windows\SysWow64\wdscore.dll
2012-01-24 17:08 . 2010-11-20 12:21 189952 ----a-w- c:\windows\SysWow64\sqmapi.dll
2012-01-24 17:08 . 2010-11-20 12:17 209920 ----a-w- c:\windows\SysWow64\PkgMgr.exe
2012-01-24 17:08 . 2010-11-20 12:18 323072 ----a-w- c:\windows\SysWow64\drvstore.dll
2012-01-24 17:08 . 2010-11-20 12:18 257024 ----a-w- c:\windows\SysWow64\dpx.dll
2012-01-24 17:08 . 2010-11-20 12:21 363008 ----a-w- c:\windows\SysWow64\wbemcomn.dll
2012-01-24 17:08 . 2010-11-20 12:21 189952 ----a-w- c:\program files (x86)\Windows Portable Devices\sqmapi.dll
2012-01-24 17:08 . 2010-11-20 12:19 606208 ----a-w- c:\windows\SysWow64\wbem\fastprox.dll
2012-01-24 17:07 . 2010-11-20 13:27 524288 ----a-w- c:\windows\system32\wmicmiplugin.dll
2012-01-24 17:07 . 2010-11-20 13:27 529408 ----a-w- c:\windows\system32\wbemcomn.dll
2012-01-24 17:07 . 2010-11-20 13:27 1225216 ----a-w- c:\windows\system32\wbem\wbemcore.dll
2012-01-24 17:07 . 2010-11-20 13:27 244736 ----a-w- c:\program files\Windows Portable Devices\sqmapi.dll
2012-01-24 17:07 . 2010-11-20 13:27 244736 ----a-w- c:\windows\system32\sqmapi.dll
2012-01-24 17:07 . 2010-11-20 13:27 933376 ----a-w- c:\windows\system32\SmiEngine.dll
2012-01-24 17:07 . 2010-11-20 13:25 199168 ----a-w- c:\windows\system32\PkgMgr.exe
2012-01-24 17:07 . 2010-11-20 13:26 422912 ----a-w- c:\windows\system32\drvstore.dll
2012-01-24 17:07 . 2010-11-20 13:26 399872 ----a-w- c:\windows\system32\dpx.dll
2012-01-24 16:10 . 2012-01-24 16:10 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-01-24 01:27 . 2012-01-24 01:27 -------- d-----w- c:\program files\iTunes
2012-01-24 01:27 . 2012-01-24 01:27 -------- d-----w- c:\program files\iPod
2012-01-23 16:57 . 2011-03-03 06:24 183296 ----a-w- c:\windows\system32\dnsrslvr.dll
2012-01-23 16:56 . 2011-08-17 05:26 613888 ----a-w- c:\windows\system32\psisdecd.dll
2012-01-23 16:56 . 2011-08-17 05:25 108032 ----a-w- c:\windows\system32\psisrndr.ax
2012-01-23 16:56 . 2011-08-17 04:24 465408 ----a-w- c:\windows\SysWow64\psisdecd.dll
2012-01-23 16:56 . 2011-08-17 04:19 75776 ----a-w- c:\windows\SysWow64\psisrndr.ax
2012-01-23 16:56 . 2010-11-20 13:24 288256 ----a-w- c:\windows\system32\MSNP.ax
2012-01-23 16:56 . 2010-11-20 13:24 75776 ----a-w- c:\windows\system32\MSDvbNP.ax
2012-01-23 16:56 . 2010-11-20 13:24 104960 ----a-w- c:\windows\system32\Mpeg2Data.ax
2012-01-23 16:56 . 2010-11-20 12:16 72704 ----a-w- c:\windows\SysWow64\Mpeg2Data.ax
2012-01-23 16:56 . 2010-11-20 12:16 59904 ----a-w- c:\windows\SysWow64\MSDvbNP.ax
2012-01-23 16:56 . 2010-11-20 12:16 204288 ----a-w- c:\windows\SysWow64\MSNP.ax
2012-01-23 16:54 . 2011-03-12 12:08 1465344 ----a-w- c:\windows\system32\XpsPrint.dll
2012-01-23 16:54 . 2011-03-12 11:23 870912 ----a-w- c:\windows\SysWow64\XpsPrint.dll
2012-01-23 16:53 . 2011-03-11 06:34 1359872 ----a-w- c:\windows\system32\mfc42u.dll
2012-01-23 16:53 . 2011-03-11 06:34 1395712 ----a-w- c:\windows\system32\mfc42.dll
2012-01-23 16:53 . 2011-03-11 05:33 1164288 ----a-w- c:\windows\SysWow64\mfc42u.dll
2012-01-23 16:53 . 2011-03-11 05:33 1137664 ----a-w- c:\windows\SysWow64\mfc42.dll
2012-01-23 16:47 . 2011-07-16 05:37 421888 ----a-w- c:\windows\system32\KernelBase.dll
2012-01-23 16:46 . 2011-05-03 05:29 976896 ----a-w- c:\windows\system32\inetcomm.dll
2012-01-23 16:41 . 2011-11-19 14:58 77312 ----a-w- c:\windows\system32\packager.dll
2012-01-23 16:41 . 2011-11-19 14:01 67072 ----a-w- c:\windows\SysWow64\packager.dll
2012-01-23 16:38 . 2012-01-23 16:38 -------- d-----w- c:\program files (x86)\SpywareBlaster
2012-01-23 16:37 . 2012-01-23 16:37 -------- d-----w- c:\users\Kris\AppData\Roaming\WinPatrol
2012-01-23 16:37 . 2012-01-23 16:37 -------- d-----w- c:\programdata\InstallMate
2012-01-23 16:37 . 2012-01-23 16:37 -------- d-----w- c:\program files (x86)\BillP Studios
2012-01-23 06:18 . 2012-01-23 06:18 -------- d-----w- c:\program files (x86)\ESET
2012-01-23 05:32 . 2012-01-23 05:32 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-01-23 03:14 . 2012-01-23 03:14 -------- d-----w- c:\users\Kris\AppData\Roaming\FixTDSS
2012-01-23 03:14 . 2012-01-23 03:14 27256 ----a-w- c:\windows\system32\drivers\FixTDSS.sys
2012-01-19 18:13 . 2011-12-10 21:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-19 17:30 . 2012-01-19 17:30 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2012-01-19 06:41 . 2012-01-19 06:41 -------- d-----w- c:\users\Administrator\AppData\Roaming\DivX
2012-01-11 04:16 . 2012-01-11 04:16 -------- d-----w- c:\users\Kris\AppData\Roaming\bizarre creations
2012-01-06 20:58 . 2012-01-06 20:58 -------- d-----w- c:\users\Kris\AppData\Roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
2012-01-06 20:58 . 2012-01-06 20:58 -------- d-----w- c:\users\Kris\AppData\Roaming\Adobe Mini Bridge CS5
2012-01-03 13:10 . 2012-01-03 13:10 182672 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\nppdf32.dll
2012-01-03 13:10 . 2012-01-03 13:10 182672 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-24 18:26 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2012-01-24 18:26 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2012-01-23 05:31 . 2011-02-07 03:30 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-01-16 05:03 . 2011-09-30 01:02 281880 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
2012-01-16 05:03 . 2011-09-29 13:19 281880 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2012-01-16 05:03 . 2011-09-29 13:19 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2012-01-10 00:24 . 2011-09-29 13:19 76888 ----a-w- c:\windows\SysWow64\PnkBstrA.exe
2011-12-28 21:42 . 2010-08-03 04:07 2829 ----a-w- c:\windows\War3Unin.pif
2011-12-28 21:42 . 2010-08-03 04:07 139264 ----a-w- c:\windows\War3Unin.exe
2011-12-20 02:41 . 2010-12-01 06:47 87456 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-12-20 02:41 . 2010-12-01 06:47 34688 ----a-w- c:\windows\system32\LMIport.dll
2011-12-20 02:41 . 2010-12-01 06:47 80768 ----a-w- c:\windows\system32\LMIinit.dll
2011-12-19 02:13 . 2011-12-19 02:13 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-11-10 04:39 . 2011-11-10 04:39 69632 ----a-w- c:\windows\system32\OpenVideo64.dll
2011-11-10 04:39 . 2011-11-10 04:39 59904 ----a-w- c:\windows\SysWow64\OpenVideo.dll
2011-11-10 04:39 . 2011-11-10 04:39 61952 ----a-w- c:\windows\system32\OVDecode64.dll
2011-11-10 04:39 . 2011-11-10 04:39 54784 ----a-w- c:\windows\SysWow64\OVDecode.dll
2011-11-10 04:39 . 2011-11-10 04:39 17442304 ----a-w- c:\windows\system32\amdocl64.dll
2011-11-10 04:38 . 2011-11-10 04:38 14375936 ----a-w- c:\windows\SysWow64\amdocl.dll
2011-11-10 03:45 . 2011-11-10 03:45 10567680 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2011-11-10 03:20 . 2011-11-10 03:20 25218048 ----a-w- c:\windows\system32\atio6axx.dll
2011-11-10 03:17 . 2011-11-10 03:17 159744 ----a-w- c:\windows\system32\atiapfxx.exe
2011-11-10 03:16 . 2011-09-24 02:03 774656 ----a-w- c:\windows\SysWow64\aticfx32.dll
2011-11-10 03:15 . 2011-09-24 02:01 927232 ----a-w- c:\windows\system32\aticfx64.dll
2011-11-10 03:12 . 2011-11-10 03:12 466944 ----a-w- c:\windows\system32\ATIDEMGX.dll
2011-11-10 03:12 . 2011-11-10 03:12 516608 ----a-w- c:\windows\system32\atieclxx.exe
2011-11-10 03:11 . 2011-11-10 03:11 204288 ----a-w- c:\windows\system32\atiesrxx.exe
2011-11-10 03:10 . 2011-11-10 03:10 120320 ----a-w- c:\windows\system32\atitmm64.dll
2011-11-10 03:09 . 2011-11-10 03:09 423424 ----a-w- c:\windows\system32\atipdl64.dll
2011-11-10 03:09 . 2011-11-10 03:09 360448 ----a-w- c:\windows\SysWow64\atipdlxx.dll
2011-11-10 03:09 . 2011-11-10 03:09 278528 ----a-w- c:\windows\SysWow64\Oemdspif.dll
2011-11-10 03:09 . 2011-11-10 03:09 21504 ----a-w- c:\windows\system32\atimuixx.dll
2011-11-10 03:09 . 2011-11-10 03:09 59392 ----a-w- c:\windows\system32\atiedu64.dll
2011-11-10 03:09 . 2011-11-10 03:09 43520 ----a-w- c:\windows\SysWow64\ati2edxx.dll
2011-11-10 03:06 . 2011-09-24 01:53 6077952 ----a-w- c:\windows\SysWow64\atidxx32.dll
2011-11-10 02:58 . 2011-11-10 02:58 18996224 ----a-w- c:\windows\SysWow64\atioglxx.dll
2011-11-10 02:51 . 2011-09-24 01:43 7405056 ----a-w- c:\windows\system32\atidxx64.dll
2011-11-10 02:40 . 2011-11-10 02:40 1113088 ----a-w- c:\windows\system32\atiumd6v.dll
2011-11-10 02:40 . 2011-11-10 02:40 1828864 ----a-w- c:\windows\SysWow64\atiumdmv.dll
2011-11-10 02:40 . 2011-09-24 01:42 4061696 ----a-w- c:\windows\system32\atiumd6a.dll
2011-11-10 02:34 . 2011-11-10 02:34 51200 ----a-w- c:\windows\system32\aticalrt64.dll
2011-11-10 02:34 . 2011-11-10 02:34 46080 ----a-w- c:\windows\SysWow64\aticalrt.dll
2011-11-10 02:34 . 2011-11-10 02:34 44544 ----a-w- c:\windows\system32\aticalcl64.dll
2011-11-10 02:34 . 2011-11-10 02:34 44032 ----a-w- c:\windows\SysWow64\aticalcl.dll
2011-11-10 02:34 . 2011-11-10 02:34 13552640 ----a-w- c:\windows\system32\aticaldd64.dll
2011-11-10 02:33 . 2011-09-24 01:32 5852672 ----a-w- c:\windows\SysWow64\atiumdag.dll
2011-11-10 02:29 . 2011-11-10 02:29 11300864 ----a-w- c:\windows\SysWow64\aticaldd.dll
2011-11-10 02:29 . 2011-09-24 01:32 4200960 ----a-w- c:\windows\SysWow64\atiumdva.dll
2011-11-10 02:24 . 2011-09-24 01:26 7439360 ----a-w- c:\windows\system32\atiumd64.dll
2011-11-10 02:18 . 2010-04-21 08:10 58880 ----a-w- c:\windows\system32\coinst.dll
2011-11-10 02:13 . 2010-04-21 08:10 494592 ----a-w- c:\windows\system32\atiadlxx.dll
2011-11-10 02:13 . 2011-11-10 02:13 348160 ----a-w- c:\windows\SysWow64\atiadlxy.dll
2011-11-10 02:13 . 2011-11-10 02:13 17408 ----a-w- c:\windows\system32\atig6pxx.dll
2011-11-10 02:13 . 2011-11-10 02:13 14336 ----a-w- c:\windows\SysWow64\atiglpxx.dll
2011-11-10 02:13 . 2011-11-10 02:13 14336 ----a-w- c:\windows\system32\atiglpxx.dll
2011-11-10 02:13 . 2011-11-10 02:13 39936 ----a-w- c:\windows\system32\atig6txx.dll
2011-11-10 02:12 . 2011-11-10 02:12 32768 ----a-w- c:\windows\SysWow64\atigktxx.dll
2011-11-10 02:12 . 2011-11-10 02:12 325632 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2011-11-10 02:11 . 2011-09-24 01:18 41984 ----a-w- c:\windows\system32\atiuxp64.dll
2011-11-10 02:11 . 2011-09-24 01:18 32256 ----a-w- c:\windows\SysWow64\atiuxpag.dll
2011-11-10 02:11 . 2011-09-24 01:18 39424 ----a-w- c:\windows\system32\atiu9p64.dll
2011-11-10 02:11 . 2011-11-10 02:11 54784 ----a-w- c:\windows\system32\atimpc64.dll
2011-11-10 02:11 . 2011-11-10 02:11 54784 ----a-w- c:\windows\system32\amdpcom64.dll
2011-11-10 02:11 . 2011-09-24 01:18 29184 ----a-w- c:\windows\SysWow64\atiu9pag.dll
2011-11-10 02:11 . 2011-11-10 02:11 53760 ----a-w- c:\windows\SysWow64\atimpc32.dll
2011-11-10 02:11 . 2011-11-10 02:11 53760 ----a-w- c:\windows\SysWow64\amdpcom32.dll
2011-11-10 02:10 . 2011-11-10 02:10 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"BackupManagerTray"="c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe" [2009-11-17 244480]
"THX Audio Control Panel"="c:\program files (x86)\Creative\THX TruStudio PC\THXAudioCP\THXAudio.exe" [2010-01-22 1016320]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
"WinPatrol"="c:\program files (x86)\BillP Studios\WinPatrol\winpatrol.exe" [2012-01-02 325728]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-01-16 421736]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-15 136176]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [x]
R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2010-06-01 79360]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2010-06-01 79360]
R3 DisplayLinkUsbPort;DisplayLink USB Device;c:\windows\system32\DRIVERS\DisplayLinkUsbPort_5.6.31854.0.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-15 136176]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 dlkmdldr;dlkmdldr;c:\windows\system32\drivers\dlkmdldr.sys [x]
S0 FixTDSS;TDSS Fixtool driver;c:\windows\system32\drivers\FixTDSS.sys [x]
S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 DisplayLinkService;DisplayLinkManager;c:\program files\DisplayLink Core Software\DisplayLinkManager.exe [2011-04-10 9663848]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [2011-12-20 375176]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files (x86)\LogMeIn\x64\RaInfo.sys [2010-05-31 15928]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-24 652872]
S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [2009-11-17 255744]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 Updater Service;Updater Service;c:\program files\Gateway\Gateway Updater\UpdaterService.exe [2010-01-28 243232]
S2 USBS3S4Detection;USBS3S4Detection;c:\oem\USBDECTION\USBS3S4Detection.exe [2009-12-09 76320]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
S3 dlkmd;dlkmd;c:\windows\system32\drivers\dlkmd.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 MBfilt;MBfilt;c:\windows\system32\drivers\MBfilt64.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-15 05:37]
.
2012-01-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-15 05:37]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-10-13 186904]
"RunDLLEntry_THXCfg"="c:\windows\system32\RunDLL32.exe" [2009-07-14 45568]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 660360]
"LogMeIn GUI"="c:\program files (x86)\LogMeIn\x64\LogMeInSystray.exe" [2010-05-31 57928]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-02-09 10060320]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=fx6840&r=17360710z316p04d5v185k4611r431
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\users\Kris\AppData\Roaming\Mozilla\Firefox\Profiles\jnyif2h7.default\
FF - prefs.js: browser.startup.homepage - chrome://speeddial/content/speeddial.xul
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
AddRemove-Battlelog Web Plugins - c:\program files (x86)\Battlelog Web Plugins\uninstall.exe
AddRemove-Steam App 102700 - c:\program files (x86)\Steam\steam.exe
AddRemove-Steam App 105600 - c:\program files (x86)\Steam\steam.exe
AddRemove-Steam App 107900 - c:\program files (x86)\Steam\steam.exe
AddRemove-Steam App 12360 - c:\program files (x86)\Steam\steam.exe
AddRemove-Steam App 1250 - c:\program files (x86)\Steam\steam.exe
AddRemove-Steam App 211 - c:\program files (x86)\Steam\steam.exe
AddRemove-Steam App 215 - c:\program files (x86)\Steam\steam.exe
AddRemove-Steam App 220 - c:\program files (x86)\Steam\steam.exe
AddRemove-Steam App 22350 - c:\program files (x86)\Steam\steam.exe
AddRemove-Steam App 22610 - c:\program files (x86)\Steam\steam.exe
AddRemove-Steam App 26800 - c:\program files (x86)\Steam\steam.exe
AddRemove-Steam App 39800 - c:\program files (x86)\Steam\steam.exe
AddRemove-Steam App 400 - c:\program files (x86)\Steam\steam.exe
AddRemove-Steam App 4000 - c:\program files (x86)\Steam\steam.exe
AddRemove-Steam App 42640 - c:\program files (x86)\Steam\steam.exe
AddRemove-Steam App 550 - c:\program files (x86)\Steam\steam.exe
AddRemove-Steam App 563 - c:\program files (x86)\Steam\steam.exe
AddRemove-Steam App 564 - c:\program files (x86)\Steam\steam.exe
AddRemove-Steam App 629 - c:\program files (x86)\Steam\steam.exe
AddRemove-Steam App 630 - c:\program files (x86)\Steam\steam.exe
AddRemove-Steam App 63200 - c:\program files (x86)\Steam\steam.exe
AddRemove-Steam App 91310 - c:\program files (x86)\Steam\steam.exe
AddRemove-Steam App 99300 - c:\program files (x86)\Steam\steam.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Windows CE Services]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-01-30 01:15:14
ComboFix-quarantined-files.txt 2012-01-30 07:15
.
Pre-Run: 591,551,176,704 bytes free
Post-Run: 591,375,732,736 bytes free
.
- - End Of File - - 9034D4FCA3D031D1FA0A83B51EE970C4


When first running the new version of ComboFix, I still got the message box saying

"Combofix has detected the following real time scanners to be active:
antivirus: AVG Anti-Virus Free Edition 2012
antispyware: AVG Anti-Virus Free Edition 2012
..."

This is odd because I uninstalled this before. I looked in the control panel and I have no more AVG.

The computer didn't show any out of the ordinary signs during the scan.
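A check worth running at this point, as an added example that is not part of the thread and not ComboFix's own code: when a product has been removed through Control Panel but a cleanup tool still reports it as an active real-time scanner, the usual cause is residue the uninstaller left behind. The assumption behind this script is that the "real time scanners" warning is driven by the Windows Security Center registrations (WMI namespace root\SecurityCenter2 on Vista/7, which matches the SysWOW64 paths in the log above), so an orphaned registration keeps the product "active" even with no files on disk. The AVG name match, the folder list and the registry paths are ordinary locations, not anything the thread states; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread, ComboFix or AVG). Enumerates what
# Security Center still believes is installed and what AVG residue remains.
# ASSUMPTION: the tool's "real time scanners" check reads root\SecurityCenter2.

$ns = 'root\SecurityCenter2'   # Vista/7/8; XP used root\SecurityCenter with different properties

Write-Host "== Security Center registrations in $ns =="
foreach ($class in 'AntiVirusProduct', 'AntiSpywareProduct') {
    Get-WmiObject -Namespace $ns -Class $class -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Class'; e = { $class } }, displayName, pathToSignedProductExe, productState |
        Format-Table -AutoSize
}

# A registration whose pathToSignedProductExe no longer exists on disk is orphaned.
Write-Host "`n== Registrations pointing at a missing executable =="
Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ErrorAction SilentlyContinue |
    Where-Object { $_.pathToSignedProductExe -and -not (Test-Path $_.pathToSignedProductExe) } |
    Select-Object displayName, pathToSignedProductExe

Write-Host "`n== Services and kernel drivers whose name or binary mentions AVG =="
Get-WmiObject Win32_Service |
    Where-Object { $_.Name -match 'avg' -or $_.PathName -match 'avg' } |
    Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize
Get-WmiObject Win32_SystemDriver |
    Where-Object { $_.Name -match 'avg' -or $_.PathName -match 'avg' } |
    Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize

Write-Host "`n== Leftover AVG directories =="
$dirs = @("$env:ProgramFiles\AVG", "${env:ProgramFiles(x86)}\AVG", "$env:ProgramData\AVG")
foreach ($d in $dirs) { if (Test-Path $d) { $d } }

Write-Host "`n== Uninstall entries still mentioning AVG (64-bit and 32-bit views) =="
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'AVG' } |
    Select-Object DisplayName, DisplayVersion, UninstallString | Format-Table -AutoSize
```

If the first two sections list the product while the later ones find no service, driver or folder, the registration is the only thing left. The supported fix is the vendor's dedicated removal tool; deleting the WMI instance by hand (piping the AntiVirusProduct object into Remove-WmiObject) also clears the warning but should be a last resort, since a stale entry is usually a sign that other pieces are still installed and a second look at the services and drivers sections is warranted.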

#42 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:30 AM

Posted 30 January 2012 - 02:58 AM

Are you still having the same problems?

gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here --> [donate button] <-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#43 kjax82

kjax82
  • Topic Starter

  • Members
  • 26 posts
  • Local time:02:30 AM

Posted 30 January 2012 - 11:53 AM

OK. The computer seems to be at a normal speed now. Normal Windows load time, normal program response time. It seems that everything is acting correctly except for the sound.

#44 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:30 AM

Posted 30 January 2012 - 12:53 PM

Hello


I would check in the Windows forum for the sound problem. I don't even know where to start looking for that type of problem and would only be giving lame guesses, and that is how to turn computers into doorstops.


Make sure to do the cleanup in post 30.


gringo

#45 kjax82

kjax82
  • Topic Starter

  • Members
  • 26 posts
  • Local time:02:30 AM

Posted 30 January 2012 - 01:07 PM

Alright. This thread can be closed then. Thanks so much again for help with the malware removal!

-Kris



