Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan horse Patched_c.LXT


  • This topic is locked This topic is locked
7 replies to this topic

#1 RohanShah

RohanShah

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:08:50 PM

Posted 13 August 2012 - 10:34 AM

EDIT: Please read second post it's by me too before replying. Thanks for the help again. I found out some answers by doing some research.

Hello I have recently been infected with this virus and AVG was able to pick up on it but it can only white-list the services since it is a key component
Here are the log files:
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 10.5.1
Run by Hampton Bay Plaza at 11:28:49 on 2012-08-13
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.1975.480 [GMT -4:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files (x86)\AVG\AVG2012\avgfws.exe
C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Broadcom\BPowMon\BPowMon.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\Program Files (x86)\AVG\AVG2012\avgnsa.exe
C:\Program Files (x86)\AVG\AVG2012\avgemca.exe
C:\Program Files (x86)\AVG\AVG2012\avgcsrva.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\12.2.0\ToolbarUpdater.exe
C:\Windows\system32\svchost.exe -k iissvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Windows\System32\spool\drivers\x64\3\WrtMon.exe
C:\Windows\System32\spool\drivers\x64\3\WrtProc.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe
c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\AVG\AVG2012\avgtray.exe
C:\Program Files (x86)\AVG Secure Search\vprot.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\AVG\AVG2012\avgrsa.exe
C:\Program Files (x86)\AVG\AVG2012\avgcsrva.exe
C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files (x86)\AVG\AVG2012\avgui.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\AVG\AVG2012\avgidsagent.exe
C:\Program Files (x86)\AVG\AVG PC Tuneup\BoostSpeed.exe
C:\Users\Hampton Bay Plaza\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Hampton Bay Plaza\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Hampton Bay Plaza\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Hampton Bay Plaza\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Hampton Bay Plaza\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Hampton Bay Plaza\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Hampton Bay Plaza\AppData\Local\Google\Chrome\Application\chrome.exe
"C:\Windows\SysWOW64\svchost.exe" -k LocalServiceDns
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.aol.com/?mtmhp=hyplogusaolp00000005
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: AVG Do Not Track: {31332eef-cb9f-458f-afeb-d30e9a66b6ba} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - C:\Program Files (x86)\AVG Secure Search\12.2.0.5\AVG Secure Search_toolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - C:\Program Files (x86)\AVG Secure Search\12.2.0.5\AVG Secure Search_toolbar.dll
uRun: [Google Update] "C:\Users\Hampton Bay Plaza\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [AntiLogger] "C:\Program Files (x86)\AntiLogger\AntiLogger.exe" /minimized
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
mRun: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe"
mRun: [ROC_roc_ssl_v12] "C:\Program Files (x86)\AVG Secure Search\ROC_roc_ssl_v12.exe" / /PROMPT /CMPID=roc_ssl_v12
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 68.105.28.12 68.105.29.11
TCP: Interfaces\{A1D0521D-6EDF-47AC-A3A1-417AC99D7D69} : DhcpNameServer = 68.105.28.12 68.105.29.11
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\12.2.0\ViProtocol.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: AVG Do Not Track: {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
BHO-X64: AVG Do Not Track - No File
BHO-X64: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO-X64: Search Helper - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\12.2.0.5\AVG Secure Search_toolbar.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
TB-X64: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\12.2.0.5\AVG Secure Search_toolbar.dll
mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [AntiLogger] "C:\Program Files (x86)\AntiLogger\AntiLogger.exe" /minimized
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
mRun-x64: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe"
mRun-x64: [ROC_roc_ssl_v12] "C:\Program Files (x86)\AVG Secure Search\ROC_roc_ssl_v12.exe" / /PROMPT /CMPID=roc_ssl_v12
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
Hosts: 69.25.20.193 secure.logmein.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Hampton Bay Plaza\AppData\Roaming\Mozilla\Firefox\Profiles\xq8i5ghi.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\12.2.0\npsitesafety.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\dtplugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll
FF - plugin: c:\program files (x86)\real\realplayer\Netscape6\nprpplugin.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Hampton Bay Plaza\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_270.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHA;AVGIDSHA;C:\Windows\system32\DRIVERS\avgidsha.sys --> C:\Windows\system32\DRIVERS\avgidsha.sys [?]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\system32\DRIVERS\avgrkx64.sys --> C:\Windows\system32\DRIVERS\avgrkx64.sys [?]
R1 AntiLog32;AntiLog32;C:\Program Files (x86)\AntiLogger\AntiLog64.sys [2012-2-2 35096]
R1 Avgfwfd;AVG network filter service;C:\Windows\system32\DRIVERS\avgfwd6a.sys --> C:\Windows\system32\DRIVERS\avgfwd6a.sys [?]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\system32\DRIVERS\avgldx64.sys --> C:\Windows\system32\DRIVERS\avgldx64.sys [?]
R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\system32\DRIVERS\avgmfx64.sys --> C:\Windows\system32\DRIVERS\avgmfx64.sys [?]
R1 Avgtdia;AVG TDI Driver;C:\Windows\system32\DRIVERS\avgtdia.sys --> C:\Windows\system32\DRIVERS\avgtdia.sys [?]
R1 avgtp;avgtp;\??\C:\Windows\system32\drivers\avgtpx64.sys --> C:\Windows\system32\drivers\avgtpx64.sys [?]
R2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2010-7-30 92160]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 avgfws;AVG Firewall;C:\Program Files (x86)\AVG\AVG2012\avgfws.exe [2012-6-13 2321560]
R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2012\avgidsagent.exe [2012-7-4 5160568]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe [2012-2-14 193288]
R2 BPowMon;Broadcom Power monitoring service;C:\Program Files\Broadcom\BPowMon\BPowMon.exe [2009-8-17 117568]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-8-2 13336]
R2 MSSQL$YELLOWSTONEHS;SQL Server (YELLOWSTONEHS);C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2010-12-10 29293408]
R3 AVGIDSDriver;AVGIDSDriver;C:\Windows\system32\DRIVERS\avgidsdrivera.sys --> C:\Windows\system32\DRIVERS\avgidsdrivera.sys [?]
R3 AVGIDSFilter;AVGIDSFilter;C:\Windows\system32\DRIVERS\avgidsfiltera.sys --> C:\Windows\system32\DRIVERS\avgidsfiltera.sys [?]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 LMIGuardianSvc;LMIGuardianSvc;C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [2010-12-15 373640]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-5-2 250056]
S3 Impcd;Impcd;C:\Windows\system32\DRIVERS\Impcd.sys --> C:\Windows\system32\DRIVERS\Impcd.sys [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-7-24 113120]
S3 Samsung UPD Service;Samsung UPD Service;"C:\Windows\System32\SUPDSvc.exe" --> C:\Windows\System32\SUPDSvc.exe [?]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
.
=============== File Associations ===============
.
.reg=Regedit.Document
.
=============== Created Last 30 ================
.
2012-08-13 14:58:22 -------- d-----w- C:\Users\Hampton Bay Plaza\AppData\Roaming\AVG
2012-08-13 14:34:34 -------- d-----w- C:\Users\Hampton Bay Plaza\AppData\Roaming\AVG2012
2012-08-13 14:34:16 -------- d-----w- C:\Users\Hampton Bay Plaza\AppData\Local\AVG Secure Search
2012-08-13 14:34:14 -------- d-----w- C:\ProgramData\AVG Secure Search
2012-08-13 14:34:10 31080 ----a-w- C:\Windows\System32\drivers\avgtpx64.sys
2012-08-13 14:34:08 -------- d-----w- C:\Program Files (x86)\Common Files\AVG Secure Search
2012-08-13 14:34:07 -------- d-----w- C:\Program Files (x86)\AVG Secure Search
2012-08-13 14:33:32 -------- d-----w- C:\Windows\SysWow64\drivers\AVG
2012-08-13 14:33:04 -------- d--h--w- C:\$AVG
2012-08-13 14:33:04 -------- d-----w- C:\Windows\System32\drivers\AVG
2012-08-13 14:33:04 -------- d-----w- C:\ProgramData\AVG2012
2012-08-13 14:32:32 -------- d-----w- C:\Program Files (x86)\AVG
2012-08-13 14:30:08 -------- d--h--w- C:\ProgramData\Common Files
2012-08-13 14:30:07 -------- d-----w- C:\ProgramData\MFAData
2012-08-13 14:18:53 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%
2012-08-03 18:43:39 -------- d-----w- C:\Users\Hampton Bay Plaza\AppData\Local\{9451F423-7B6A-4835-96CF-468906707209}
2012-07-24 02:04:17 -------- d-----w- C:\Program Files (x86)\Oracle
2012-07-24 02:03:57 772544 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
.
==================== Find3M ====================
.
2012-08-02 18:02:08 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-02 18:02:08 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-07-06 02:06:20 687544 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-06-12 03:02:52 3147264 ----a-w- C:\Windows\System32\win32k.sys
2012-06-06 05:50:50 2003968 ----a-w- C:\Windows\System32\msxml6.dll
2012-06-06 05:50:50 1880064 ----a-w- C:\Windows\System32\msxml3.dll
2012-06-06 05:09:46 1389568 ----a-w- C:\Windows\SysWow64\msxml6.dll
2012-06-06 05:09:46 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll
2012-06-02 22:15:31 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-06-02 22:15:08 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-06-02 19:19:42 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-06-02 19:15:12 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-06-02 05:38:26 95088 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2012-06-02 05:38:24 152432 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2012-06-02 05:37:45 459216 ----a-w- C:\Windows\System32\drivers\cng.sys
2012-06-02 05:27:02 340992 ----a-w- C:\Windows\System32\schannel.dll
2012-06-02 05:27:00 307200 ----a-w- C:\Windows\System32\ncrypt.dll
2012-06-02 04:48:39 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2012-06-02 04:48:35 225280 ----a-w- C:\Windows\SysWow64\schannel.dll
2012-06-02 04:47:31 219136 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2012-06-02 04:42:51 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2012-05-21 20:28:13 499712 ----a-w- C:\Windows\SysWow64\msvcp71.dll
2012-05-21 20:28:13 348160 ----a-w- C:\Windows\SysWow64\msvcr71.dll
.
============= FINISH: 11:29:48.91 ===============

Attached Files


Edited by RohanShah, 13 August 2012 - 02:19 PM.


BC AdBot (Login to Remove)

 


#2 RohanShah

RohanShah
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:08:50 PM

Posted 13 August 2012 - 02:12 PM

Well after doing some research I saw similar problems with other people.
So first I ran frst64, after that I used search to find the different services.exe.
Here are the two logs:
FRST:

Scan result of Farbar Recovery Scan Tool Version: 09-08-2012
Ran by SYSTEM at 13-08-2012 14:16:32
Running from F:\
Windows 7 Professional (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [8067616 2009-08-18] (Realtek Semiconductor)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [166424 2010-04-07] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [391192 2010-04-07] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [413720 2010-04-07] (Intel Corporation)
HKLM\...\Run: [WrtMon.exe] C:\Windows\system32\spool\drivers\x64\3\WrtMon.exe [20480 2006-09-20] ()
HKLM-x32\...\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)
HKLM-x32\...\Run: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [98304 2009-07-10] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [140520 2009-06-24] (CyberLink Corp.)
HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2012-03-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AntiLogger] "C:\Program Files (x86)\AntiLogger\AntiLogger.exe" /minimized [2975688 2012-02-02] (Zemana Ltd.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252296 2012-01-17] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe" [2587008 2012-04-05] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe" [1162848 2012-08-13] ()
HKLM-x32\...\Run: [ROC_roc_ssl_v12] "C:\Program Files (x86)\AVG Secure Search\ROC_roc_ssl_v12.exe" / /PROMPT /CMPID=roc_ssl_v12 [1020512 2012-08-13] ()
HKU\Hampton Bay Plaza\...\Run: [Google Update] "C:\Users\Hampton Bay Plaza\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2010-12-08] (Google Inc.)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Winlogon\Notify\PFW:
Tcpip\Parameters: [DhcpNameServer] 68.105.28.12 68.105.29.11

==================== Services (Whitelisted) ======

2 avgfws; "C:\Program Files (x86)\AVG\AVG2012\avgfws.exe" [2321560 2012-06-12] (AVG Technologies CZ, s.r.o.)
2 AVGIDSAgent; "C:\Program Files (x86)\AVG\AVG2012\avgidsagent.exe" [5160568 2012-07-04] (AVG Technologies CZ, s.r.o.)
2 avgwd; "C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe" [193288 2012-02-14] (AVG Technologies CZ, s.r.o.)
2 LMIGuardianSvc; "C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe" [373640 2011-02-17] (LogMeIn, Inc.)
2 MSSQL$YELLOWSTONEHS; "C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sYELLOWSTONEHS [29293408 2010-12-10] (Microsoft Corporation)
2 NetPipeActivator; "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe" [116560 2009-06-10] (Microsoft Corporation)
2 NetTcpActivator; "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe" [116560 2009-06-10] (Microsoft Corporation)
2 vToolbarUpdater12.2.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\12.2.0\ToolbarUpdater.exe [927840 2012-08-13] ()
2 W3SVC; C:\Windows\system32\inetsrv\iisw3adm.dll [451072 2009-07-13] (Microsoft Corporation)
2 W3SVC; C:\Windows\SysWow64\inetsrv\iisw3adm.dll [396288 2009-07-13] (Microsoft Corporation)

========================== Drivers (Whitelisted) =============

1 AntiLog32; \??\C:\Program Files (x86)\AntiLogger\AntiLog64.sys [35096 2012-02-02] (Zemana Ltd.)
1 Avgfwfd; C:\Windows\System32\DRIVERS\avgfwd6a.sys [48992 2011-05-22] (AVG Technologies CZ, s.r.o.)
3 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [124496 2011-12-23] (AVG Technologies CZ, s.r.o. )
3 AVGIDSFilter; C:\Windows\System32\DRIVERS\avgidsfiltera.sys [29776 2011-12-23] (AVG Technologies CZ, s.r.o. )
0 AVGIDSHA; C:\Windows\System32\Drivers\AVGIDSHA.sys [28480 2012-04-19] (AVG Technologies CZ, s.r.o. )
1 Avgldx64; C:\Windows\System32\Drivers\Avgldx64.sys [289872 2012-02-22] (AVG Technologies CZ, s.r.o.)
1 Avgmfx64; C:\Windows\System32\Drivers\Avgmfx64.sys [47696 2011-12-23] (AVG Technologies CZ, s.r.o.)
0 Avgrkx64; C:\Windows\System32\Drivers\Avgrkx64.sys [36944 2012-01-31] (AVG Technologies CZ, s.r.o.)
1 Avgtdia; C:\Windows\System32\Drivers\Avgtdia.sys [383808 2012-03-19] (AVG Technologies CZ, s.r.o.)
1 avgtp; \??\C:\Windows\system32\drivers\avgtpx64.sys [31080 2012-08-13] (AVG Technologies)
3 lmimirr; C:\Windows\System32\DRIVERS\lmimirr.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-08-13 14:16 - 2012-08-13 14:16 - 00000000 ____D C:\FRST
2012-08-13 10:03 - 2012-08-13 10:03 - 00002980 ____A C:\Users\Hampton Bay Plaza\Downloads\Attach.zip
2012-08-13 09:46 - 2012-08-13 09:46 - 00000616 ____A C:\Users\Hampton Bay Plaza\Downloads\FixList.txt
2012-08-13 07:33 - 2012-08-13 07:33 - 00019466 ____A C:\Users\Hampton Bay Plaza\Desktop\DDS.txt
2012-08-13 07:33 - 2012-08-13 07:33 - 00010010 ____A C:\Users\Hampton Bay Plaza\Desktop\Attach.txt
2012-08-13 07:33 - 2012-08-13 07:33 - 00002980 ____A C:\Users\Hampton Bay Plaza\Desktop\Attach.zip
2012-08-13 07:28 - 2012-08-13 07:28 - 00607260 ____R (Swearware) C:\Users\Hampton Bay Plaza\Downloads\dds.com
2012-08-13 06:58 - 2012-08-13 06:58 - 00000000 ____D C:\Users\Hampton Bay Plaza\AppData\Roaming\AVG
2012-08-13 06:49 - 2012-08-13 06:49 - 08351064 ____A (AVG ) C:\Users\Hampton Bay Plaza\Downloads\avg_pct_stf_all_10_27_c6.exe
2012-08-13 06:34 - 2012-08-13 06:34 - 00031080 ____A (AVG Technologies) C:\Windows\System32\Drivers\avgtpx64.sys
2012-08-13 06:34 - 2012-08-13 06:34 - 00000927 ____A C:\Users\Public\Desktop\AVG 2012.lnk
2012-08-13 06:34 - 2012-08-13 06:34 - 00000000 ____D C:\Users\Hampton Bay Plaza\AppData\Roaming\AVG2012
2012-08-13 06:34 - 2012-08-13 06:34 - 00000000 ____D C:\Users\Hampton Bay Plaza\AppData\Local\AVG Secure Search
2012-08-13 06:34 - 2012-08-13 06:34 - 00000000 ____D C:\Users\All Users\AVG Secure Search
2012-08-13 06:34 - 2012-08-13 06:34 - 00000000 ____D C:\Program Files (x86)\AVG Secure Search
2012-08-13 06:33 - 2012-08-13 06:47 - 00000000 ____D C:\Users\All Users\AVG2012
2012-08-13 06:33 - 2012-08-13 06:39 - 00000000 ____D C:\Windows\System32\Drivers\AVG
2012-08-13 06:33 - 2012-08-13 06:33 - 00000000 ___HD C:\$AVG
2012-08-13 06:33 - 2012-08-13 06:33 - 00000000 ____D C:\Windows\SysWOW64\Drivers\AVG
2012-08-13 06:32 - 2012-08-13 06:56 - 00000000 ____D C:\Program Files (x86)\AVG
2012-08-13 06:30 - 2012-08-13 06:39 - 00000000 ____D C:\Users\All Users\MFAData
2012-08-13 06:29 - 2012-08-13 06:29 - 03879808 ____A (AVG Technologies) C:\Users\Hampton Bay Plaza\Downloads\avg_isct_stb_all_2012_2197.exe
2012-08-13 06:18 - 2012-08-13 06:18 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2012-08-09 09:18 - 2012-08-09 09:18 - 04070912 ____A C:\Users\Hampton Bay Plaza\Downloads\SHRINATHJI_DARSHAN.pps
2012-08-09 09:10 - 2012-08-09 09:11 - 14675606 ____A C:\Users\Hampton Bay Plaza\Downloads\aesha.zip
2012-08-08 11:11 - 2012-08-13 06:37 - 00000168 ____A C:\Windows\setupact.log
2012-08-08 11:11 - 2012-08-08 11:11 - 00001716 ____A C:\Windows\PFRO.log
2012-08-08 11:11 - 2012-08-08 11:11 - 00000000 ____A C:\Windows\setuperr.log
2012-08-03 10:43 - 2012-08-03 10:43 - 00000000 ____D C:\Users\Hampton Bay Plaza\AppData\Local\{9451F423-7B6A-4835-96CF-468906707209}
2012-08-03 09:47 - 2012-08-09 06:01 - 00000024 ____A C:\Users\Hampton Bay Plaza\random.dat
2012-08-03 09:47 - 2012-08-03 09:47 - 00000061 ____A C:\Users\Hampton Bay Plaza\jagex_cl_runescape_LIVE_BETA.dat
2012-08-02 11:03 - 2012-08-02 11:03 - 00684356 ____A C:\Users\Hampton Bay Plaza\Downloads\fwdbshmerchantoffer.zip
2012-07-30 09:28 - 2012-07-05 18:06 - 00227760 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2012-07-30 03:39 - 2012-07-30 03:39 - 00072746 ____A C:\Users\Hampton Bay Plaza\Downloads\DONT DRINK AND DRIVE.pptx
2012-07-24 05:35 - 2012-07-24 05:35 - 00001136 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2012-07-24 05:35 - 2012-07-24 05:35 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2012-07-24 05:29 - 2012-07-24 05:29 - 00020283 ____A C:\Users\Hampton Bay Plaza\Downloads\Attachments_2012_07_24.zip
2012-07-23 18:04 - 2012-07-23 18:04 - 00000000 ____D C:\Program Files (x86)\Oracle
2012-07-23 18:03 - 2012-07-05 18:06 - 00772544 ____A (Oracle Corporation) C:\Windows\SysWOW64\npDeployJava1.dll
2012-07-23 18:02 - 2012-07-23 18:02 - 00000000 ____D C:\Users\All Users\McAfee

============ 3 Months Modified Files ========================

2012-08-13 10:12 - 2009-07-13 21:13 - 00915136 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-13 10:03 - 2012-08-13 10:03 - 00002980 ____A C:\Users\Hampton Bay Plaza\Downloads\Attach.zip
2012-08-13 10:02 - 2012-05-02 07:17 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-08-13 09:59 - 2010-12-08 17:14 - 00000956 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2109344474-1062627693-2962381851-1007UA.job
2012-08-13 09:46 - 2012-08-13 09:46 - 00000616 ____A C:\Users\Hampton Bay Plaza\Downloads\FixList.txt
2012-08-13 07:39 - 2009-07-13 20:45 - 00014256 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-13 07:39 - 2009-07-13 20:45 - 00014256 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-13 07:33 - 2012-08-13 07:33 - 00019466 ____A C:\Users\Hampton Bay Plaza\Desktop\DDS.txt
2012-08-13 07:33 - 2012-08-13 07:33 - 00010010 ____A C:\Users\Hampton Bay Plaza\Desktop\Attach.txt
2012-08-13 07:33 - 2012-08-13 07:33 - 00002980 ____A C:\Users\Hampton Bay Plaza\Desktop\Attach.zip
2012-08-13 07:28 - 2012-08-13 07:28 - 00607260 ____R (Swearware) C:\Users\Hampton Bay Plaza\Downloads\dds.com
2012-08-13 06:49 - 2012-08-13 06:49 - 08351064 ____A (AVG ) C:\Users\Hampton Bay Plaza\Downloads\avg_pct_stf_all_10_27_c6.exe
2012-08-13 06:37 - 2012-08-08 11:11 - 00000168 ____A C:\Windows\setupact.log
2012-08-13 06:37 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-13 06:34 - 2012-08-13 06:34 - 00031080 ____A (AVG Technologies) C:\Windows\System32\Drivers\avgtpx64.sys
2012-08-13 06:34 - 2012-08-13 06:34 - 00000927 ____A C:\Users\Public\Desktop\AVG 2012.lnk
2012-08-13 06:29 - 2012-08-13 06:29 - 03879808 ____A (AVG Technologies) C:\Users\Hampton Bay Plaza\Downloads\avg_isct_stb_all_2012_2197.exe
2012-08-13 06:13 - 2009-07-13 21:10 - 01544002 ____A C:\Windows\WindowsUpdate.log
2012-08-12 13:59 - 2010-12-08 17:14 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2109344474-1062627693-2962381851-1007Core.job
2012-08-12 08:30 - 2011-07-27 12:14 - 00000472 ___AH C:\Windows\Tasks\Norton Security Scan for Hampton Bay Plaza.job
2012-08-09 13:00 - 2010-12-08 17:16 - 00002477 ____A C:\Users\Hampton Bay Plaza\Desktop\Google Chrome.lnk
2012-08-09 09:18 - 2012-08-09 09:18 - 04070912 ____A C:\Users\Hampton Bay Plaza\Downloads\SHRINATHJI_DARSHAN.pps
2012-08-09 09:11 - 2012-08-09 09:10 - 14675606 ____A C:\Users\Hampton Bay Plaza\Downloads\aesha.zip
2012-08-09 06:01 - 2012-08-03 09:47 - 00000024 ____A C:\Users\Hampton Bay Plaza\random.dat
2012-08-09 05:53 - 2011-10-25 05:50 - 00000032 ____A C:\Users\Hampton Bay Plaza\jagex_cl_runescape_LIVE.dat
2012-08-08 18:23 - 2011-11-19 19:01 - 00024576 ____A C:\Users\Hampton Bay Plaza\Desktop\HOUSEKEEPING SHEET.xls
2012-08-08 11:11 - 2012-08-08 11:11 - 00001716 ____A C:\Windows\PFRO.log
2012-08-08 11:11 - 2012-08-08 11:11 - 00000000 ____A C:\Windows\setuperr.log
2012-08-05 20:04 - 2010-11-26 18:40 - 00012067 ____A C:\Users\Hampton Bay Plaza\Desktop\bill.xlsx
2012-08-03 09:48 - 2011-02-04 20:03 - 00000129 ____A C:\Users\Hampton Bay Plaza\jagex_runescape_preferences2.dat
2012-08-03 09:47 - 2012-08-03 09:47 - 00000061 ____A C:\Users\Hampton Bay Plaza\jagex_cl_runescape_LIVE_BETA.dat
2012-08-03 09:47 - 2011-02-04 20:02 - 00000035 ____A C:\Users\Hampton Bay Plaza\jagex_runescape_preferences.dat
2012-08-02 11:03 - 2012-08-02 11:03 - 00684356 ____A C:\Users\Hampton Bay Plaza\Downloads\fwdbshmerchantoffer.zip
2012-08-02 10:02 - 2012-05-02 07:17 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-08-02 10:02 - 2011-06-21 12:48 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-07-30 11:07 - 2011-10-26 03:42 - 00000057 ____A C:\Users\Hampton Bay Plaza\jagex_cl_runescape_LIVE1.dat
2012-07-30 09:28 - 2012-04-03 08:29 - 00174064 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2012-07-30 09:28 - 2012-04-03 08:29 - 00174064 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2012-07-30 03:39 - 2012-07-30 03:39 - 00072746 ____A C:\Users\Hampton Bay Plaza\Downloads\DONT DRINK AND DRIVE.pptx
2012-07-24 05:35 - 2012-07-24 05:35 - 00001136 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2012-07-24 05:29 - 2012-07-24 05:29 - 00020283 ____A C:\Users\Hampton Bay Plaza\Downloads\Attachments_2012_07_24.zip
2012-07-11 23:22 - 2009-07-13 20:45 - 00438072 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-11 23:04 - 2009-07-13 18:34 - 00000478 ____A C:\Windows\win.ini
2012-07-11 23:01 - 2010-11-13 05:09 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-07-05 18:06 - 2012-07-30 09:28 - 00227760 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2012-07-05 18:06 - 2012-07-23 18:03 - 00772544 ____A (Oracle Corporation) C:\Windows\SysWOW64\npDeployJava1.dll
2012-07-05 18:06 - 2010-08-02 14:54 - 00687544 ____A (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll
2012-06-11 19:02 - 2012-07-11 23:04 - 03147264 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-08 21:30 - 2012-07-11 05:41 - 14165504 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-08 20:46 - 2012-07-11 05:41 - 12868608 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-06-05 21:50 - 2012-07-11 05:41 - 02003968 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 21:50 - 2012-07-11 05:41 - 01880064 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 21:09 - 2012-07-11 05:41 - 01389568 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-06-05 21:09 - 2012-07-11 05:41 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-06-02 14:19 - 2012-06-20 17:39 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-20 17:39 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-20 17:39 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-20 17:39 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-20 17:39 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:15 - 2012-06-20 17:39 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-20 17:39 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 11:19 - 2012-06-20 17:38 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 11:15 - 2012-06-20 17:38 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-01 21:38 - 2012-07-11 05:41 - 00152432 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-06-01 21:38 - 2012-07-11 05:41 - 00095088 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-01 21:37 - 2012-07-11 05:41 - 00459216 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-06-01 21:27 - 2012-07-11 05:41 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 21:27 - 2012-07-11 05:41 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-06-01 20:48 - 2012-07-11 05:41 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-06-01 20:48 - 2012-07-11 05:41 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-06-01 20:47 - 2012-07-11 05:41 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-06-01 20:42 - 2012-07-11 05:41 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2012-06-01 09:16 - 2012-06-01 09:13 - 00000309 ____A C:\Windows\SoftWriting.ini
2012-06-01 09:13 - 2012-06-01 09:13 - 00001041 ____A C:\Users\harry\Desktop\SimpleOCR.lnk
2012-05-31 12:35 - 2012-05-31 12:35 - 00009216 ____A C:\Users\Hampton Bay Plaza\Downloads\Jollif_Road_Eviction_Notice.wps
2012-05-21 12:28 - 2011-07-27 11:54 - 00499712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcp71.dll
2012-05-21 12:28 - 2011-07-27 11:54 - 00348160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcr71.dll
2012-05-21 12:28 - 2011-07-27 11:54 - 00272896 ____A (Progressive Networks) C:\Windows\SysWOW64\pncrt.dll
2012-05-21 12:28 - 2011-07-27 11:54 - 00006656 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5016.dll
2012-05-21 12:28 - 2011-07-27 11:54 - 00005632 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5032.dll
2012-05-21 12:28 - 2011-07-27 10:16 - 00198832 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\rmoc3260.dll
2012-05-17 08:37 - 2012-01-26 11:36 - 00002016 ____A C:\Users\Public\Desktop\Adobe Reader 9.lnk


ZeroAccess:
C:\Windows\Installer\{7bbce600-9582-5c95-649f-59a8d2f5f813}
C:\Windows\Installer\{7bbce600-9582-5c95-649f-59a8d2f5f813}\@
C:\Windows\Installer\{7bbce600-9582-5c95-649f-59a8d2f5f813}\L
C:\Windows\Installer\{7bbce600-9582-5c95-649f-59a8d2f5f813}\U
C:\Windows\Installer\{7bbce600-9582-5c95-649f-59a8d2f5f813}\L\00000004.@
C:\Windows\Installer\{7bbce600-9582-5c95-649f-59a8d2f5f813}\L\201d3dde
C:\Windows\Installer\{7bbce600-9582-5c95-649f-59a8d2f5f813}\U\00000004.@
C:\Windows\Installer\{7bbce600-9582-5c95-649f-59a8d2f5f813}\U\00000008.@
C:\Windows\Installer\{7bbce600-9582-5c95-649f-59a8d2f5f813}\U\000000cb.@
C:\Windows\Installer\{7bbce600-9582-5c95-649f-59a8d2f5f813}\U\80000000.@
C:\Windows\Installer\{7bbce600-9582-5c95-649f-59a8d2f5f813}\U\80000032.@
C:\Windows\Installer\{7bbce600-9582-5c95-649f-59a8d2f5f813}\U\80000064.@

ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 50BEA589F7D7958BDD2528A8F69D05CC ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 27%
Total physical RAM: 1975.11 MB
Available physical RAM: 1440.15 MB
Total Pagefile: 1975.11 MB
Available Pagefile: 1417.54 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:232.05 GB) (Free:186.38 GB) NTFS
3 Drive f: (ROHAN SHAH) (Removable) (Total:3.73 GB) (Free:0.76 GB) FAT32
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
5 Drive y: (RECOVERY) (Fixed) (Total:0.73 GB) (Free:0.5 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 232 GB 0 B
Disk 1 Online 3835 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 47 MB 31 KB
Partition 2 Primary 750 MB 48 MB
Partition 3 Primary 232 GB 798 MB

==================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 FAT Partition 47 MB Healthy Hidden

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y RECOVERY NTFS Partition 750 MB Healthy

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 232 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3823 MB 16 KB

==================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F ROHAN SHAH FAT32 Removable 3823 MB Healthy

==================================================================================

Last Boot: 2012-08-06 20:51

======================= End Of Log ==========================

SEARCH:
Farbar Recovery Scan Tool Version: 09-08-2012
Ran by SYSTEM at 2012-08-13 14:17:38
Running from F:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0329216 ____A (Microsoft Corporation) 50BEA589F7D7958BDD2528A8F69D05CC

====== End Of Search ======


I was able to figure out what fix I had to make so I created this FixList file and ran the FRST64 tool again and fixed:
The FixList I created:

start
C:\Windows\Installer\{7bbce600-9582-5c95-649f-59a8d2f5f813}
C:\Users\user\AppData\Local\{8bc0fc71-2340-ce23-215e-fdddd2d438ac}
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
replace:C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe C:\Windows\System32\services.exe
end

FIXLOG:
Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 09-08-2012
Ran by SYSTEM at 2012-08-13 14:30:46 Run:1
Running from F:\

==============================================

C:\Windows\Installer\{7bbce600-9582-5c95-649f-59a8d2f5f813} moved successfully.
C:\Users\user\AppData\Local\{8bc0fc71-2340-ce23-215e-fdddd2d438ac} not found.
C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.
C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.
C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====

After that I ran ComboFix and I have received this log:
ComboFix log:

ComboFix 12-08-13.01 - Hampton Bay Plaza 08/13/2012 14:50:15.1.4 - x64
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.1975.1059 [GMT -4:00]
Running from: c:\users\Hampton Bay Plaza\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\StartNow Toolbar
c:\program files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-07-13 to 2012-08-13 )))))))))))))))))))))))))))))))
.
.
2012-08-13 22:16 . 2012-08-13 22:16 -------- d-----w- C:\FRST
2012-08-13 14:58 . 2012-08-13 14:58 -------- d-----w- c:\users\Hampton Bay Plaza\AppData\Roaming\AVG
2012-08-13 14:34 . 2012-08-13 14:34 -------- d-----w- c:\users\Hampton Bay Plaza\AppData\Local\AVG Secure Search
2012-08-13 14:34 . 2012-08-13 14:34 -------- d-----w- c:\programdata\AVG Secure Search
2012-08-13 14:34 . 2012-08-13 14:34 31080 ----a-w- c:\windows\system32\drivers\avgtpx64.sys
2012-08-13 14:34 . 2012-08-13 14:34 -------- d-----w- c:\program files (x86)\Common Files\AVG Secure Search
2012-08-13 14:34 . 2012-08-13 14:34 -------- d-----w- c:\program files (x86)\AVG Secure Search
2012-08-13 14:33 . 2012-08-13 14:33 -------- d-----w- c:\windows\SysWow64\drivers\AVG
2012-08-13 14:33 . 2012-08-13 14:47 -------- d-----w- c:\programdata\AVG2012
2012-08-13 14:33 . 2012-08-13 14:39 -------- d-----w- c:\windows\system32\drivers\AVG
2012-08-13 14:33 . 2012-08-13 14:33 -------- d-----w- C:\$AVG
2012-08-13 14:32 . 2012-08-13 14:56 -------- d-----w- c:\program files (x86)\AVG
2012-08-13 14:30 . 2012-08-13 14:30 -------- d--h--w- c:\programdata\Common Files
2012-08-13 14:30 . 2012-08-13 14:39 -------- d-----w- c:\programdata\MFAData
2012-08-13 14:18 . 2012-08-13 14:18 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2012-07-24 02:04 . 2012-07-24 02:04 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-07-24 02:04 . 2012-07-24 02:04 -------- d-----w- c:\program files (x86)\Oracle
2012-07-24 02:03 . 2012-07-06 02:06 772544 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2012-07-24 02:02 . 2012-07-24 02:02 -------- d-----w- c:\programdata\McAfee
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-02 18:02 . 2012-05-02 15:17 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-02 18:02 . 2011-06-21 20:48 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-12 07:01 . 2010-11-13 13:09 59701280 ----a-w- c:\windows\system32\MRT.exe
2012-07-06 02:06 . 2010-08-02 22:54 687544 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-06-12 03:02 . 2012-07-12 07:04 3147264 ----a-w- c:\windows\system32\win32k.sys
2012-06-09 05:30 . 2012-07-11 13:41 14165504 ----a-w- c:\windows\system32\shell32.dll
2012-06-06 05:50 . 2012-07-11 13:41 2003968 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 05:50 . 2012-07-11 13:41 1880064 ----a-w- c:\windows\system32\msxml3.dll
2012-06-06 05:09 . 2012-07-11 13:41 1389568 ----a-w- c:\windows\SysWow64\msxml6.dll
2012-06-06 05:09 . 2012-07-11 13:41 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll
2012-06-02 22:19 . 2012-06-21 01:39 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-21 01:39 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-21 01:39 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-21 01:39 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-21 01:39 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-21 01:39 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-21 01:39 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 19:19 . 2012-06-21 01:38 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:15 . 2012-06-21 01:38 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 05:38 . 2012-07-11 13:41 95088 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 05:38 . 2012-07-11 13:41 152432 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 05:37 . 2012-07-11 13:41 459216 ----a-w- c:\windows\system32\drivers\cng.sys
2012-06-02 05:27 . 2012-07-11 13:41 340992 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 05:27 . 2012-07-11 13:41 307200 ----a-w- c:\windows\system32\ncrypt.dll
2012-06-02 04:48 . 2012-07-11 13:41 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2012-06-02 04:48 . 2012-07-11 13:41 225280 ----a-w- c:\windows\SysWow64\schannel.dll
2012-06-02 04:47 . 2012-07-11 13:41 219136 ----a-w- c:\windows\SysWow64\ncrypt.dll
2012-06-02 04:42 . 2012-07-11 13:41 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
2012-05-21 20:28 . 2011-07-27 19:54 499712 ----a-w- c:\windows\SysWow64\msvcp71.dll
2012-05-21 20:28 . 2011-07-27 19:54 348160 ----a-w- c:\windows\SysWow64\msvcr71.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-08-13 14:34 2045024 ----a-w- c:\program files (x86)\AVG Secure Search\12.2.0.5\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files (x86)\AVG Secure Search\12.2.0.5\AVG Secure Search_toolbar.dll" [2012-08-13 2045024]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1475072]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-10 98304]
"PDVDDXSrv"="c:\program files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-06-25 140520]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"AntiLogger"="c:\program files (x86)\AntiLogger\AntiLogger.exe" [2012-02-02 2975688]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
"vProt"="c:\program files (x86)\AVG Secure Search\vprot.exe" [2012-08-13 1162848]
"ROC_roc_ssl_v12"="c:\program files (x86)\AVG Secure Search\ROC_roc_ssl_v12.exe" [2012-08-13 1020512]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2012\avgidsagent.exe [2012-07-04 5160568]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [2011-02-17 373640]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-02 250056]
R3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-27 158976]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-14 113120]
R3 Samsung UPD Service;Samsung UPD Service;c:\windows\System32\SUPDSvc.exe [2010-03-16 167280]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-08-04 1255736]
S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys [2012-04-19 28480]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [2012-01-31 36944]
S1 AntiLog32;AntiLog32;c:\program files (x86)\AntiLogger\AntiLog64.sys [2012-02-02 35096]
S1 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwd6a.sys [2011-05-23 48992]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [2012-02-22 289872]
S1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [2011-12-23 47696]
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [2012-03-19 383808]
S1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx64.sys [2012-08-13 31080]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-03-31 92160]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-08-18 203264]
S2 avgfws;AVG Firewall;c:\program files (x86)\AVG\AVG2012\avgfws.exe [2012-06-13 2321560]
S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe [2012-02-14 193288]
S2 BPowMon;Broadcom Power monitoring service;c:\program files\Broadcom\BPowMon\BPowMon.exe [2009-08-17 117568]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-03-04 13336]
S2 MSSQL$YELLOWSTONEHS;SQL Server (YELLOWSTONEHS);c:\program files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2010-12-10 29293408]
S2 vToolbarUpdater12.2.0;vToolbarUpdater12.2.0;c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\12.2.0\ToolbarUpdater.exe [2012-08-13 927840]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys [2011-12-23 124496]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\avgidsfiltera.sys [2011-12-23 29776]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]
S3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [2009-08-21 320040]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-13 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-02 18:02]
.
2012-08-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2109344474-1062627693-2962381851-1007Core.job
- c:\users\Hampton Bay Plaza\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-09 01:14]
.
2012-08-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2109344474-1062627693-2962381851-1007UA.job
- c:\users\Hampton Bay Plaza\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-09 01:14]
.
2012-08-12 c:\windows\Tasks\Norton Security Scan for Hampton Bay Plaza.job
- c:\progra~2\NORTON~2\Engine\351~1.6\Nss.exe [2011-07-27 06:45]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-08-19 8067616]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-04-07 166424]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-04-07 391192]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-04-07 413720]
"WrtMon.exe"="c:\windows\system32\spool\drivers\x64\3\WrtMon.exe" [2006-09-20 20480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.aol.com/?mtmhp=hyplogusaolp00000005
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 68.105.28.12 68.105.29.11
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\12.2.0\ViProtocol.dll
FF - ProfilePath - c:\users\Hampton Bay Plaza\AppData\Roaming\Mozilla\Firefox\Profiles\xq8i5ghi.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
.
.
------- File Associations -------
.
.reg=Regedit.Document
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2109344474-1062627693-2962381851-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-2109344474-1062627693-2962381851-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\windows\System32\spool\drivers\x64\3\WrtProc.exe
c:\program files (x86)\AVG\AVG2012\avgcfgex.exe
.
**************************************************************************
.
Completion time: 2012-08-13 15:00:06 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-13 19:00
.
Pre-Run: 200,041,984,000 bytes free
Post-Run: 199,726,985,216 bytes free
.
- - End Of File - - ADF0429B497A736C8D5AF874084B58A9


Now I just need guidance what to do:
Thanks,
Rohan

Edited by RohanShah, 13 August 2012 - 02:14 PM.


#3 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:50 PM

Posted 14 August 2012 - 11:50 AM

good job! I understand why you went ahead on your own and you obviously found a thread to follow with the exact same problem,I know it's frustrating having to wait for an answer while the computer is infected but I don't advocate users do this on their own as there is too much that could go wrong, so for any users reading this thread, while this user was successful in running a FRST fix on his own, please wait for a helper to guide you through, (I have dealt with too many unbootable computers.)



we just need to run a couple more scans to make sure there are no leftovers or broken services

please run the following:

Please download Malwarebytes' Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish


NEXT

Please download Farbar Service Scanner to your desktop and run it.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#4 RohanShah

RohanShah
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:08:50 PM

Posted 14 August 2012 - 12:12 PM

MBAM:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.14.03

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
Hampton Bay Plaza :: HARRY-PC [administrator]

8/14/2012 10:00:35 AM
mbam-log-2012-08-14 (10-00-35).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 228568
Time elapsed: 3 minute(s), 1 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

ESET:

C:\FRST\Quarantine\{7bbce600-9582-5c95-649f-59a8d2f5f813}\U\00000008.@ Win64/Agent.BA trojan cleaned by deleting - quarantined
C:\FRST\Quarantine\{7bbce600-9582-5c95-649f-59a8d2f5f813}\U\000000cb.@ Win64/Conedex.B trojan cleaned by deleting - quarantined
C:\FRST\Quarantine\{7bbce600-9582-5c95-649f-59a8d2f5f813}\U\80000000.@ Win64/Sirefef.AP trojan cleaned by deleting - quarantined
C:\FRST\Quarantine\{7bbce600-9582-5c95-649f-59a8d2f5f813}\U\80000032.@ a variant of Win32/Sirefef.FD trojan cleaned by deleting - quarantined
C:\Program Files (x86)\Cheat Engine 6.1\cheatengine-i386.exe a variant of Win32/HackTool.CheatEngine.AB application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe.vir a variant of Win32/Toolbar.Zugo application cleaned by deleting - quarantined

FARBAR:

Farbar Service Scanner Version: 06-08-2012
Ran by Hampton Bay Plaza (administrator) on 14-08-2012 at 13:10:24
Running from "C:\Users\Hampton Bay Plaza\Downloads"
Microsoft Windows 7 Professional (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============
BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of BITS. The value does not exist.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys
[2012-02-14 19:24] - [2011-12-27 23:59] - 0499200 ____A (Microsoft Corporation) DB9D6C6B2CD95A9CA414D045B627422E

C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2012-05-10 03:37] - [2012-03-30 07:09] - 1895280 ____A (Microsoft Corporation) 624C5B3AA4C99B3184BB922D9ECE3FF0

C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll
[2009-07-13 20:09] - [2009-07-13 21:41] - 0824832 ____A (Microsoft Corporation) AECAB449567D1846DAD63ECE49E893E3

C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll
[2009-07-13 19:36] - [2009-07-13 21:41] - 0170496 ____A (Microsoft Corporation) 765A27C3279CE11D14CB9E4F5869FCA5

C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll
[2012-06-12 17:50] - [2012-04-24 01:59] - 0182272 ____A (Microsoft Corporation) F02786B66375292E58C8777082D4396D

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

#5 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:50 PM

Posted 14 August 2012 - 12:29 PM

your BITS registry key is missing, please download the attached reg fix and save it to your desktop, right click it and choose to merge it into your registry (then delete the file as you wont need it again





NEXT


The detections by ESET are either OK or already in quarantine


NEXT

Visit ADOBE and download the latest version of Acrobat Reader (version X)
Having the latest updates ensures there are no security vulnerabilities in your system.


NEXT

Your Java is out of date, so go to Start > Control Panel > Programs and Features > scroll down to the Java installation and Remove it, now download the latest Java version 7 update 5 and install it: http://java.com/en/download/index.jsp


NEXT


Make sure your windows updates are working, then please advise how the computer is running now and if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#6 RohanShah

RohanShah
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:08:50 PM

Posted 16 August 2012 - 09:11 PM

Hello,
Sorry for the late reply and I have followed the instruction and the computer seems to be running fine. I run the ESET online scanner again and uninstalled the software after all the scan was clean.
Thanks,
Rohan Shah

#7 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:50 PM

Posted 16 August 2012 - 09:15 PM

We just have some housekeeping to do now,

Please do the following:


You can delete the DDS and all the Farbar logs and programs from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Press the WinKey +R to open a run box
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.

Posted Image


If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer has always the latest security updates available installed on your computer.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish it's job
    • Once its finished it should automatically reboot your machine,
    • if it doesn't, manually reboot to ensure a complete clean
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
    PC Safety and Security--What Do I Need?.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:50 PM

Posted 25 August 2012 - 05:03 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users