
virus is stopping new antivirus programs from running


  • This topic is locked
20 replies to this topic

#1 bhiller

  • Members
  • 11 posts

Posted 28 October 2012 - 12:02 PM

Good day, this is my first post as I am stuck. I apparently have an unknown virus, as I have gotten e-mail rejected lately and Google has responded twice that I am sending outbound messages. I have been running AVG Free 2012 and all my Microsoft patches are done automatically. I have tried to download and run AVG Free 2013 and AVG 2013 Internet Security; both extract and stop. I have run Trend Micro HouseCall 7.2 and after a 12 hour scan it detected a problem and closed. Per the guide in BleepingComputer I am enclosing the DDS & GMER logs in hopes someone can find the problem.

Thank you for your help.



DDS (Ver_2012-10-19.01) - NTFS_x86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by Bill Hiller at 20:07:59 on 2012-10-27
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3062.1386 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\ACT\Act for Windows\Act.Server.Host.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\CMS Products\BounceBack Ultimate\BBWatcherService.exe
C:\Program Files\Microsoft SQL Server\MSSQL10_50.ACT7\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\NLSSRV32.EXE
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\ACT\Act for Windows\Sage.ACT.Integration.exe
C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\CMS Products\BounceBack Ultimate\BBLauncher.exe
C:\Program Files\Research In Motion\BlackBerry Desktop\Rim.Desktop.AutoUpdate.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\dinotify.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe
C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe
C:\Windows\system32\taskhost.exe
C:\Windows\explorer.exe
C:\Program Files\AVG\AVG2012\avgidsagent.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVG\AVG2012\avgui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Do Not Track: {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - c:\program files\avg\avg2012\avgdtiex.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile: {D5233FCD-D258-4903-89B8-FB1568E7413D} -
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [Act.Outlook.Service] "c:\program files\act\act for windows\Act.Outlook.Service.exe"
mRun: [Act! Preloader] "c:\program files\act\act for windows\ActSage.exe" -preload
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [Trend Micro RUBotted V2.0 Beta] c:\program files\trend micro\rubotted\RUBottedGUI.exe
StartupFolder: c:\users\billhi~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\bill hiller\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\users\billhi~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office14\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\bounce~1.lnk - c:\program files\cms products\bounceback ultimate\BBStartup.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\sageac~1.lnk - c:\program files\act\act for windows\Sage.ACT.Integration.exe
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\avg\avg2012\avgdtiex.dll
IE: {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} -
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://cooperindustries.webex.com/client/WBXclient-T27L10NSP28-11263/webex/ieatgpc1.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{7F43E33D-E3A3-4B6B-A9E2-4D291F7D7CDC} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{7F43E33D-E3A3-4B6B-A9E2-4D291F7D7CDC}\162727F677D27657563747 : DHCPNameServer = 208.67.222.222 208.67.220.220
TCP: Interfaces\{7F43E33D-E3A3-4B6B-A9E2-4D291F7D7CDC}\4444745756374775966696 : DHCPNameServer = 10.240.156.1
TCP: Interfaces\{7F43E33D-E3A3-4B6B-A9E2-4D291F7D7CDC}\745554354535 : DHCPNameServer = 172.16.111.161 172.16.111.162 172.16.111.3
TCP: Interfaces\{7F43E33D-E3A3-4B6B-A9E2-4D291F7D7CDC}\845696C696E646 : DHCPNameServer = 206.165.152.3
TCP: Interfaces\{7F43E33D-E3A3-4B6B-A9E2-4D291F7D7CDC}\C45485D275942554C4543535D2841513 : DHCPNameServer = 192.168.9.8
TCP: Interfaces\{7F43E33D-E3A3-4B6B-A9E2-4D291F7D7CDC}\D6563686 : DHCPNameServer = 68.87.71.226 68.87.73.242
TCP: Interfaces\{7F43E33D-E3A3-4B6B-A9E2-4D291F7D7CDC}\E4544574541425 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{B5BB3F19-8D99-4CE0-B322-D1B2409947C2} : DHCPNameServer = 10.210.17.2 10.201.12.32
TCP: Interfaces\{FD1B138C-E5E4-4BB3-84B3-EEDAA6D1BB07} : DHCPNameServer = 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Notify: igfxcui - igfxdev.dll
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-4-19 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2012-1-31 31952]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2012-7-26 237408]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-12-23 41040]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2012-8-24 301920]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 ActService;ACT! Service Host;c:\program files\act\act for windows\Act.Server.Host.exe [2012-6-15 26624]
R2 ActSmartTaskService;ACT! Smart Task Service Host;c:\program files\act\act for windows\Act.Server.Host.exe [2012-6-15 26624]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\avgidsagent.exe [2012-8-13 5167736]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2012-2-14 193288]
R2 BBWatcherService;BBWatcherService;c:\program files\cms products\bounceback ultimate\BBWatcherService.exe [2011-9-17 65536]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\microsoft sql server\mssql10_50.act7\mssql\binn\sqlservr.exe [2010-5-5 42884448]
R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [2011-9-24 68928]
R2 RUBotSrv;Trend Micro RUBotted Service;c:\program files\trend micro\rubotted\RUBotSrv.exe [2012-10-26 439632]
R2 tmrkb;tmrkb;c:\windows\system32\drivers\tmrkb.sys [2012-10-26 65808]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2011-12-23 139856]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [2011-12-23 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2011-12-23 17232]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-3-1 139776]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 Sage ACT! Scheduler;Sage ACT! Scheduler;c:\program files\act\act for windows\Act.Scheduler.exe [2012-6-15 81920]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-3-29 250808]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-10-18 40776]
S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [2009-6-10 657408]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2009-6-3 174720]
S3 swg3kser00;Sierra Wireless QMI USB Device for Legacy Serial Communication;c:\windows\system32\drivers\swg3kser00.sys [2012-1-28 215552]
S3 swiwdmbx;Sierra Wireless USB Bus Service;c:\windows\system32\drivers\swiwdmbx.sys [2012-1-28 83968]
S3 SWNC8UA3;Sierra Wireless MUX NDIS Driver (UMTSA3);c:\windows\system32\drivers\swnc8ua3.sys [2012-1-28 208128]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-6-22 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-6-21 1343400]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2010-4-3 44896]
S4 RsFx0150;RsFx0150 Driver;c:\windows\system32\drivers\RsFx0150.sys [2010-4-3 240608]
S4 SQLAgent$ACT7;SQL Server Agent (ACT7);c:\program files\microsoft sql server\mssql10_50.act7\mssql\binn\SQLAGENT.EXE [2010-5-5 367456]
.
=============== Created Last 30 ================
.
2012-10-27 23:40:41 -------- d-sh--w- C:\$RECYCLE.BIN
2012-10-27 23:30:33 98816 ----a-w- c:\windows\sed.exe
2012-10-27 23:30:33 256000 ----a-w- c:\windows\PEV.exe
2012-10-27 23:30:33 208896 ----a-w- c:\windows\MBR.exe
2012-10-27 21:42:37 -------- d-----w- c:\programdata\Trend Micro
2012-10-27 12:38:19 388096 ------r- c:\users\bill hiller\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-10-26 21:33:55 65808 ------w- c:\windows\system32\drivers\tmrkb.sys
2012-10-26 21:32:25 -------- d-----w- c:\program files\WinPcap
2012-10-26 21:32:15 -------- d-----w- c:\program files\Trend Micro
2012-10-23 15:46:45 53248 ------r- c:\users\bill hiller\appdata\roaming\microsoft\installer\{38676c9c-270f-43d1-926a-e45de8820a6b}\ARPPRODUCTICON.exe
2012-10-18 17:42:37 40776 ------w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-10-10 05:03:54 1211760 ------w- c:\windows\system32\drivers\ntfs.sys
2012-10-10 05:03:53 542208 ------w- c:\windows\system32\kerberos.dll
2012-10-10 05:03:50 3968880 ------w- c:\windows\system32\ntkrnlpa.exe
2012-10-10 05:03:50 3914096 ------w- c:\windows\system32\ntoskrnl.exe
2012-10-09 12:28:46 -------- d-----w- c:\users\bill hiller\appdata\roaming\AVG
2012-10-09 12:28:12 -------- d-----w- c:\programdata\AVG
2012-10-09 12:28:06 -------- d-sh--w- c:\programdata\{D1D4879F-2279-49C9-AEBF-3B95C84EAA8F}
2012-09-29 22:45:27 -------- d-----w- c:\users\bill hiller\appdata\local\MFAData
2012-09-29 22:45:27 -------- d-----w- c:\users\bill hiller\appdata\local\Avg2013
.
==================== Find3M ====================
.
2012-10-09 01:09:28 73656 ------w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-09 01:09:28 696760 ------w- c:\windows\system32\FlashPlayerApp.exe
2012-09-14 18:28:53 2048 ------w- c:\windows\system32\tzres.dll
2012-08-24 19:43:18 301920 ------w- c:\windows\system32\drivers\avgtdix.sys
2012-08-24 16:57:48 172544 ------w- c:\windows\system32\wintrust.dll
2012-08-24 06:59:17 1800704 ------w- c:\windows\system32\jscript9.dll
2012-08-24 06:51:27 1129472 ------w- c:\windows\system32\wininet.dll
2012-08-24 06:51:02 1427968 ------w- c:\windows\system32\inetcpl.cpl
2012-08-24 06:47:26 142848 ------w- c:\windows\system32\ieUnatt.exe
2012-08-24 06:47:12 420864 ------w- c:\windows\system32\vbscript.dll
2012-08-24 06:43:58 2382848 ------w- c:\windows\system32\mshtml.tlb
2012-08-22 17:16:54 1292144 ------w- c:\windows\system32\drivers\tcpip.sys
2012-08-22 17:16:46 712048 ------w- c:\windows\system32\drivers\ndis.sys
2012-08-22 17:16:46 240496 ------w- c:\windows\system32\drivers\netio.sys
2012-08-22 17:16:36 187760 ------w- c:\windows\system32\drivers\FWPKCLNT.SYS
2012-08-21 20:12:27 245760 ------w- c:\windows\system32\OxpsConverter.exe
2012-08-20 17:40:31 169984 ------w- c:\windows\system32\winsrv.dll
2012-08-20 17:40:01 293376 ------w- c:\windows\system32\KernelBase.dll
2012-08-20 17:37:58 271360 ------w- c:\windows\system32\conhost.exe
2012-08-20 15:33:28 6144 ---h--w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2012-08-20 15:33:28 4608 ---h--w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2012-08-20 15:33:28 3584 ---h--w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2012-08-20 15:33:28 3072 ---h--w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2012-08-02 16:57:20 490496 ------w- c:\windows\system32\d3d10level9.dll
.
============= FINISH: 20:08:19.56 ===============
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-10-28 13:01:18
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 ST9320423AS rev.0002SDM1
Running: 1kdf33cn.exe; Driver: C:\Users\BILLHI~1\AppData\Local\Temp\axliyuog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwNotifyChangeKey [0x9A568004]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwNotifyChangeMultipleKeys [0x9A5680D4]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0x9A567D76]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0x9A567E1E]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0x9A567EBA]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0x9A567F56]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 82C75A49 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82CAF4D2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 1357 82CB678C 8 Bytes [04, 80, 56, 9A, D4, 80, 56, ...]
.text ntkrnlpa.exe!KeRemoveQueueEx + 139F 82CB67D4 4 Bytes [76, 7D, 56, 9A]
.text ntkrnlpa.exe!KeRemoveQueueEx + 166F 82CB6AA4 8 Bytes [1E, 7E, 56, 9A, BA, 7E, 56, ...]
.text ntkrnlpa.exe!KeRemoveQueueEx + 16E3 82CB6B18 4 Bytes [56, 7F, 56, 9A]
? system32\DRIVERS\tmcomm.sys The system cannot find the path specified. !
? C:\Windows\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !
? C:\Users\BILLHI~1\AppData\Local\Temp\catchme.sys The system cannot find the file specified. !
? C:\Users\BILLHI~1\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE[3320] kernel32.dll!SetUnhandledExceptionFilter 76CDF4FB 5 Bytes JMP 51B87DFE C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll (Microsoft Office 2010 component/Microsoft Corporation)
.text C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE[3320] ole32.dll!OleLoadFromStream 765A6143 5 Bytes JMP 52057978 C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll (Microsoft Office 2010 component/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6156] kernel32.dll!CreateThread 76CDDCC2 5 Bytes JMP 673775E3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6156] USER32.dll!EnableWindow 76148D02 5 Bytes JMP 673B9EBC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6156] USER32.dll!CallNextHookEx 7614ABE1 5 Bytes JMP 673D7FDF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6156] USER32.dll!UnhookWindowsHookEx 7614ADF9 5 Bytes JMP 673FED00 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6156] USER32.dll!DefWindowProcA 7614BB1C 7 Bytes JMP 6737980D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6156] USER32.dll!CreateWindowExA 7614BF40 5 Bytes JMP 67383643 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6156] USER32.dll!SetWindowsHookExW 7614E30C 5 Bytes JMP 673B25B4 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6156] USER32.dll!CreateWindowExW 7614EC7C 5 Bytes JMP 673E03CF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6156] USER32.dll!DefWindowProcW 7615507D 7 Bytes JMP 673D8042 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6156] USER32.dll!DialogBoxParamW 76163B9B 5 Bytes JMP 67311893 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6156] USER32.dll!DialogBoxIndirectParamW 76173B7F 5 Bytes JMP 6750902E C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6156] USER32.dll!DialogBoxParamA 7618CF42 5 Bytes JMP 67508FC9 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6156] USER32.dll!DialogBoxIndirectParamA 7618D274 5 Bytes JMP 67509093 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6156] USER32.dll!MessageBoxIndirectA 7619E869 5 Bytes JMP 67508F50 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6156] USER32.dll!MessageBoxIndirectW 7619E963 5 Bytes JMP 67508ED7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6156] USER32.dll!MessageBoxExA 7619E9C9 5 Bytes JMP 67508E73 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6156] USER32.dll!MessageBoxExW 7619E9ED 5 Bytes JMP 67508E0F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6156] ole32.dll!OleLoadFromStream 765A6143 5 Bytes JMP 675097FC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7636] USER32.dll!EnableWindow 76148D02 5 Bytes JMP 673B9EBC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7636] USER32.dll!DialogBoxParamW 76163B9B 5 Bytes JMP 67311893 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7636] USER32.dll!DialogBoxIndirectParamW 76173B7F 5 Bytes JMP 6750902E C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7636] USER32.dll!DialogBoxParamA 7618CF42 5 Bytes JMP 67508FC9 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7636] USER32.dll!DialogBoxIndirectParamA 7618D274 5 Bytes JMP 67509093 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7636] USER32.dll!MessageBoxIndirectA 7619E869 5 Bytes JMP 67508F50 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7636] USER32.dll!MessageBoxIndirectW 7619E963 5 Bytes JMP 67508ED7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7636] USER32.dll!MessageBoxExA 7619E9C9 5 Bytes JMP 67508E73 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7636] USER32.dll!MessageBoxExW 7619E9ED 5 Bytes JMP 67508E0F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004d halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat avgidsfilterx.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

---- EOF - GMER 1.0.15 ----


#2 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 28 October 2012 - 05:07 PM

Please do the following:

Download the appropriate version of the Farbar Recovery Scan Tool for your system and save it to a flash drive. (Choose the correct version depending on which architecture operating system you are using, 32-bit (x86) or 64-bit (x64).)

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
Then:
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
  Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there
  • Press Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:
  services.exe
  • now press the search button
  • when the search is complete, search.txt will also be written to your USB
  • type exit and reboot the computer normally
  • please copy and paste both logs in your reply. (FRST.txt and Search.txt)

Edited by CatByte, 28 October 2012 - 05:10 PM.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 bhiller

  • Topic Starter
  • Members
  • 11 posts

Posted 28 October 2012 - 06:31 PM

Thank you for your help. I have cut and pasted the requested files. I am hopeful you will find what I am infected with.

Thank you again for taking the time to help.

Best Regards,

Farbar Recovery Scan Tool (x86) Version: 26-10-2012
Ran by SYSTEM at 2012-10-28 19:14:13
Running from E:\

================== Search: "services.exe" ===================

C:\Windows.old\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-05-27 06:53] - [2009-04-10 22:27] - 0279552 ____N (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows.old\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-04-23 17:53] - [2008-01-18 23:33] - 0279040 ____N (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows.old\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe
[2006-11-02 00:35] - [2006-11-02 01:45] - 0279552 ____N (Microsoft Corporation) 329CF3C97CE4C19375C8ABCABAE258B0

C:\Windows.old\Windows\System32\services.exe
[2009-05-27 06:53] - [2009-04-10 22:27] - 0279552 ____N (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____N (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____N (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\erdnt\cache\services.exe
[2012-10-27 15:39] - [2009-07-13 17:14] - 0259072 ____N (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

=== End Of Search ===


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 26-10-2012
Ran by SYSTEM at 28-10-2012 19:12:15
Running from E:\
Windows 7 Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [x]
HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]
HKLM\...\Run: [RIMBBLaunchAgent.exe] C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe [90448 2011-11-01] (Research In Motion Limited)
HKLM\...\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe [1458176 2009-10-26] (Motorola Inc.)
HKLM\...\Run: [Act.Outlook.Service] "C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe" [18432 2012-06-15] (Sage Software, Inc.)
HKLM\...\Run: [Act! Preloader] "C:\Program Files\ACT\Act for Windows\ActSage.exe" -preload [337256 2012-06-15] (Sage Software, Inc.)
HKLM\...\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe" [2596984 2012-07-30] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [Trend Micro RUBotted V2.0 Beta] C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe [1103184 2010-12-17] (Trend Micro Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Startup: C:\Users\All Users\Start Menu\Programs\Startup\BounceBack Launcher.lnk
ShortcutTarget: BounceBack Launcher.lnk -> C:\Program Files\CMS Products\BounceBack Ultimate\BBStartup.exe ()
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Sage ACT! Integration.lnk
ShortcutTarget: Sage ACT! Integration.lnk -> C:\Program Files\ACT\Act for Windows\Sage.ACT.Integration.exe (Sage Software, Inc)
Startup: C:\Users\Bill Hiller\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)
Startup: C:\Users\Bill Hiller\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)

==================== Services (Whitelisted) ===================

2 ActService; "C:\Program Files\ACT\Act for Windows\Act.Server.Host.exe" [26624 2012-06-15] (Microsoft)
2 ActSmartTaskService; "C:\Program Files\ACT\Act for Windows\Act.Server.Host.exe" [26624 2012-06-15] (Microsoft)
2 AVGIDSAgent; "C:\Program Files\AVG\AVG2012\avgidsagent.exe" [5167736 2012-08-12] (AVG Technologies CZ, s.r.o.)
2 avgwd; "C:\Program Files\AVG\AVG2012\avgwdsvc.exe" [193288 2012-02-14] (AVG Technologies CZ, s.r.o.)
2 BBWatcherService; "C:\Program Files\CMS Products\BounceBack Ultimate\BBWatcherService.exe" [65536 2010-06-14] (CMS Products, Inc.)
2 MSSQL$ACT7; "C:\Program Files\Microsoft SQL Server\MSSQL10_50.ACT7\MSSQL\Binn\sqlservr.exe" -sACT7 [42884448 2010-05-05] (Microsoft Corporation)
4 MSSQLServerADHelper100; "C:\Program Files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE" [44896 2010-04-03] (Microsoft Corporation)
2 PSI_SVC_2; "C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe" [251832 2010-12-02] (arvato digital services llc)
2 RUBotSrv; C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe [439632 2010-12-17] (Trend Micro Inc.)
2 Sage ACT! Scheduler; "C:\Program Files\ACT\Act for Windows\Act.Scheduler.exe" [81920 2012-06-15] (Sage Software, Inc.)
4 SQLAgent$ACT7; "C:\Program Files\Microsoft SQL Server\MSSQL10_50.ACT7\MSSQL\Binn\SQLAGENT.EXE" -i ACT7 [367456 2010-05-05] (Microsoft Corporation)
3 rpcapd; "C:\Program Files\WinPcap\rpcapd.exe" -d -f "C:\Program Files\WinPcap\rpcapd.ini" [x]

==================== Drivers (Whitelisted) ====================

3 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [139856 2011-12-23] (AVG Technologies CZ, s.r.o. )
3 AVGIDSFilter; C:\Windows\System32\DRIVERS\avgidsfilterx.sys [24144 2011-12-23] (AVG Technologies CZ, s.r.o. )
0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [24896 2012-04-19] (AVG Technologies CZ, s.r.o. )
3 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [17232 2011-12-23] (AVG Technologies CZ, s.r.o. )
1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [237408 2012-07-25] (AVG Technologies CZ, s.r.o.)
1 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [41040 2011-12-23] (AVG Technologies CZ, s.r.o.)
0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [31952 2012-01-31] (AVG Technologies CZ, s.r.o.)
1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [301920 2012-08-24] (AVG Technologies CZ, s.r.o.)
3 HpqRemHid; C:\Windows\System32\DRIVERS\HpqRemHid.sys [7168 2007-07-10] (Hewlett-Packard Development Company, L.P.)
3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\mbamswissarmy.sys [40776 2012-10-18] (Malwarebytes Corporation)
3 netr28u; C:\Windows\System32\DRIVERS\netr28u.sys [657408 2009-07-13] (Ralink Technology Corp.)
2 NPF; C:\Windows\System32\drivers\npf.sys [50704 2009-10-20] (CACE Technologies, Inc.)
3 NWUSBPort2; C:\Windows\System32\DRIVERS\nwusbser2.sys [174720 2009-06-03] (Novatel Wireless Inc.)
4 RsFx0150; C:\Windows\System32\DRIVERS\RsFx0150.sys [240608 2010-04-03] (Microsoft Corporation)
3 swg3kser00; C:\Windows\System32\DRIVERS\swg3kser00.sys [215552 2011-05-13] (Sierra Wireless Incorporated)
3 swiwdmbx; C:\Windows\System32\DRIVERS\swiwdmbx.sys [83968 2011-05-16] (Sierra Wireless Inc.)
3 SWNC8UA3; C:\Windows\System32\DRIVERS\swnc8ua3.sys [208128 2011-03-03] (Sierra Wireless Inc.)
3 catchme; \??\C:\Users\BILLHI~1\AppData\Local\Temp\catchme.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2012-10-28 19:11 - 2012-10-28 19:11 - 00000000 ____D C:\FRST
2012-10-27 16:08 - 2012-10-27 16:08 - 00017322 ____N C:\Users\Bill Hiller\Desktop\dds.txt
2012-10-27 16:08 - 2012-10-27 16:08 - 00009046 ____N C:\Users\Bill Hiller\Desktop\attach.txt
2012-10-27 15:40 - 2012-10-27 15:40 - 00013725 ____N C:\ComboFix.txt
2012-10-27 15:30 - 2011-06-25 22:45 - 00256000 ____N C:\Windows\PEV.exe
2012-10-27 15:30 - 2010-11-07 09:20 - 00208896 ____N C:\Windows\MBR.exe
2012-10-27 15:30 - 2009-04-19 20:56 - 00060416 ____N (NirSoft) C:\Windows\NIRCMD.exe
2012-10-27 15:30 - 2000-08-30 16:00 - 00518144 ____N (SteelWerX) C:\Windows\SWREG.exe
2012-10-27 15:30 - 2000-08-30 16:00 - 00406528 ____N (SteelWerX) C:\Windows\SWSC.exe
2012-10-27 15:30 - 2000-08-30 16:00 - 00098816 ____N C:\Windows\sed.exe
2012-10-27 15:30 - 2000-08-30 16:00 - 00080412 ____N C:\Windows\grep.exe
2012-10-27 15:30 - 2000-08-30 16:00 - 00068096 ____N C:\Windows\zip.exe
2012-10-27 15:28 - 2012-10-27 15:40 - 00000000 ___AD C:\Qoobox
2012-10-27 15:28 - 2012-10-27 15:39 - 00000000 ____D C:\Windows\erdnt
2012-10-27 15:27 - 2012-10-27 15:27 - 04989309 ____R (Swearware) C:\Users\Bill Hiller\Downloads\ComboFix.exe
2012-10-27 15:17 - 2012-10-27 15:17 - 04418880 ____N (AVG Technologies) C:\Users\Bill Hiller\Downloads\avg_isct_stb_all_2013_2742.exe
2012-10-27 13:42 - 2012-10-27 13:42 - 00000000 ____D C:\Users\All Users\Trend Micro
2012-10-27 13:42 - 2012-10-27 13:42 - 00000000 ____D C:\Users\All Users\Application Data\Trend Micro
2012-10-27 05:46 - 2012-10-27 05:46 - 01678240 ____N (Bleeping Computer, LLC) C:\Users\Bill Hiller\Downloads\rkill.exe
2012-10-27 04:45 - 2012-10-27 04:45 - 02002944 ____N (Trend Micro Inc.) C:\Users\Bill Hiller\Downloads\HousecallLauncher.exe
2012-10-27 04:38 - 2012-10-27 04:38 - 00002991 ____N C:\Users\Bill Hiller\Desktop\HiJackThis.lnk
2012-10-26 13:39 - 2012-10-26 13:39 - 01402880 ____N C:\Users\Bill Hiller\Downloads\HiJackThis.msi
2012-10-26 13:33 - 2012-10-26 13:34 - 00065808 ____N (trend_company_name) C:\Windows\System32\Drivers\tmrkb.sys
2012-10-26 13:32 - 2012-10-27 04:38 - 00000000 ____D C:\Program Files\Trend Micro
2012-10-26 13:32 - 2012-10-26 13:32 - 00000000 ____D C:\Program Files\WinPcap
2012-10-23 07:58 - 2012-10-23 07:58 - 00000000 ____H C:\Windows\System32\Drivers\Msft_Kernel_RimUsb_01007.Wdf
2012-10-18 09:42 - 2012-10-18 09:42 - 00040776 ____N (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys
2012-10-18 09:18 - 2012-10-18 09:20 - 120489664 ____N (AVG Technologies) C:\Users\Bill Hiller\Downloads\avg_free_x86_all_2013_2741a5824.exe
2012-10-09 21:04 - 2012-09-14 10:28 - 00002048 ____N (Microsoft Corporation) C:\Windows\System32\tzres.dll
2012-10-09 21:04 - 2012-08-24 08:57 - 00172544 ____N (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2012-10-09 21:04 - 2012-08-20 09:40 - 00868352 ____N (Microsoft Corporation) C:\Windows\System32\kernel32.dll
2012-10-09 21:04 - 2012-08-20 09:40 - 00293376 ____N (Microsoft Corporation) C:\Windows\System32\KernelBase.dll
2012-10-09 21:04 - 2012-08-20 09:40 - 00169984 ____N (Microsoft Corporation) C:\Windows\System32\winsrv.dll
2012-10-09 21:04 - 2012-08-20 09:37 - 00271360 ____N (Microsoft Corporation) C:\Windows\System32\conhost.exe
2012-10-09 21:04 - 2012-08-20 09:32 - 00005120 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll
2012-10-09 21:04 - 2012-08-20 09:32 - 00004608 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll
2012-10-09 21:04 - 2012-08-20 09:32 - 00004096 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll
2012-10-09 21:04 - 2012-08-20 09:32 - 00004096 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll
2012-10-09 21:04 - 2012-08-20 09:32 - 00004096 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll
2012-10-09 21:04 - 2012-08-20 09:32 - 00004096 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll
2012-10-09 21:04 - 2012-08-20 09:32 - 00004096 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll
2012-10-09 21:04 - 2012-08-20 09:32 - 00003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll
2012-10-09 21:04 - 2012-08-20 09:32 - 00003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll
2012-10-09 21:04 - 2012-08-20 09:32 - 00003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll
2012-10-09 21:04 - 2012-08-20 09:32 - 00003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll
2012-10-09 21:04 - 2012-08-20 09:32 - 00003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll
2012-10-09 21:04 - 2012-08-20 09:32 - 00003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll
2012-10-09 21:04 - 2012-08-20 09:32 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll
2012-10-09 21:04 - 2012-08-20 09:32 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll
2012-10-09 21:04 - 2012-08-20 09:32 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll
2012-10-09 21:04 - 2012-08-20 09:32 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll
2012-10-09 21:04 - 2012-08-20 09:32 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll
2012-10-09 21:04 - 2012-08-20 09:32 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll
2012-10-09 21:04 - 2012-08-20 09:32 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll
2012-10-09 21:04 - 2012-08-20 09:32 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll
2012-10-09 21:04 - 2012-08-20 09:32 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll
2012-10-09 21:04 - 2012-08-20 09:32 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll
2012-10-09 21:04 - 2012-08-20 09:32 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll
2012-10-09 21:04 - 2012-08-20 07:33 - 00006144 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll
2012-10-09 21:04 - 2012-08-20 07:33 - 00004608 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll
2012-10-09 21:04 - 2012-08-20 07:33 - 00003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll
2012-10-09 21:04 - 2012-08-20 07:33 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll
2012-10-09 21:04 - 2012-06-01 20:36 - 01159680 ____N (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-10-09 21:04 - 2012-06-01 20:36 - 00140288 ____N (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-10-09 21:04 - 2012-06-01 20:36 - 00103936 ____N (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-10-09 21:03 - 2012-08-31 09:18 - 01211760 ____N (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys
2012-10-09 21:03 - 2012-08-30 09:12 - 03968880 ____N (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2012-10-09 21:03 - 2012-08-30 09:12 - 03914096 ____N (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-10-09 21:03 - 2012-08-10 15:56 - 00542208 ____N (Microsoft Corporation) C:\Windows\System32\kerberos.dll
2012-10-09 04:28 - 2012-10-09 04:29 - 00000000 ____D C:\Users\All Users\AVG
2012-10-09 04:28 - 2012-10-09 04:29 - 00000000 ____D C:\Users\All Users\Application Data\AVG
2012-10-09 04:28 - 2012-10-09 04:28 - 00000000 __SHD C:\Users\All Users\Application Data\{D1D4879F-2279-49C9-AEBF-3B95C84EAA8F}
2012-10-09 04:28 - 2012-10-09 04:28 - 00000000 __SHD C:\Users\All Users\{D1D4879F-2279-49C9-AEBF-3B95C84EAA8F}
2012-10-09 04:28 - 2012-10-09 04:28 - 00000000 ____D C:\Users\Bill Hiller\AppData\Roaming\AVG
2012-09-29 14:45 - 2012-09-29 14:45 - 00000000 ____D C:\Users\Bill Hiller\AppData\Local\MFAData
2012-09-29 14:45 - 2012-09-29 14:45 - 00000000 ____D C:\Users\Bill Hiller\AppData\Local\Avg2013

==================== 3 Months Modified Files ==================

2012-10-28 15:09 - 2012-08-20 09:17 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-10-28 15:09 - 2012-08-08 08:16 - 00265805 ____A C:\Windows\WindowsUpdate.log
2012-10-28 15:09 - 2009-07-13 20:34 - 00013440 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-10-28 15:09 - 2009-07-13 20:34 - 00013440 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-10-28 15:02 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-10-27 16:08 - 2012-10-27 16:08 - 00017322 ____N C:\Users\Bill Hiller\Desktop\dds.txt
2012-10-27 16:08 - 2012-10-27 16:08 - 00009046 ____N C:\Users\Bill Hiller\Desktop\attach.txt
2012-10-27 15:40 - 2012-10-27 15:40 - 00013725 ____N C:\ComboFix.txt
2012-10-27 15:39 - 2009-07-13 18:04 - 00000215 ____N C:\Windows\system.ini
2012-10-27 15:27 - 2012-10-27 15:27 - 04989309 ____R (Swearware) C:\Users\Bill Hiller\Downloads\ComboFix.exe
2012-10-27 15:17 - 2012-10-27 15:17 - 04418880 ____N (AVG Technologies) C:\Users\Bill Hiller\Downloads\avg_isct_stb_all_2013_2742.exe
2012-10-27 15:11 - 2012-04-29 07:59 - 00358295 _____ C:\Users\Bill Hiller\AppData\Local\census.cache
2012-10-27 15:11 - 2012-04-29 07:58 - 00112698 _____ C:\Users\Bill Hiller\AppData\Local\ars.cache
2012-10-27 05:46 - 2012-10-27 05:46 - 01678240 ____N (Bleeping Computer, LLC) C:\Users\Bill Hiller\Downloads\rkill.exe
2012-10-27 04:45 - 2012-10-27 04:45 - 02002944 ____N (Trend Micro Inc.) C:\Users\Bill Hiller\Downloads\HousecallLauncher.exe
2012-10-27 04:38 - 2012-10-27 04:38 - 00002991 ____N C:\Users\Bill Hiller\Desktop\HiJackThis.lnk
2012-10-26 13:39 - 2012-10-26 13:39 - 01402880 ____N C:\Users\Bill Hiller\Downloads\HiJackThis.msi
2012-10-26 13:34 - 2012-10-26 13:33 - 00065808 ____N (trend_company_name) C:\Windows\System32\Drivers\tmrkb.sys
2012-10-26 13:28 - 2011-06-20 08:28 - 00876378 ____N C:\Windows\System32\PerfStringBackup.INI
2012-10-26 08:30 - 2011-09-17 04:58 - 00000474 ____N C:\Windows\Tasks\CMS Application Updater.job
2012-10-23 08:25 - 2011-09-10 15:07 - 00004236 _____ C:\Users\Bill Hiller\AppData\Roaming\Rim.Desktop.Exception.log
2012-10-23 08:25 - 2011-09-10 15:07 - 00003311 _____ C:\Users\Bill Hiller\AppData\Roaming\Rim.DesktopHelper.Exception.log
2012-10-23 07:58 - 2012-10-23 07:58 - 00000000 ____H C:\Windows\System32\Drivers\Msft_Kernel_RimUsb_01007.Wdf
2012-10-18 09:42 - 2012-10-18 09:42 - 00040776 ____N (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys
2012-10-18 09:20 - 2012-10-18 09:18 - 120489664 ____N (AVG Technologies) C:\Users\Bill Hiller\Downloads\avg_free_x86_all_2013_2741a5824.exe
2012-10-15 08:14 - 2011-06-22 10:35 - 00000969 ____N C:\Users\Public\Desktop\CCleaner.lnk
2012-10-15 08:14 - 2011-06-22 10:35 - 00000969 ____N C:\Users\All Users\Desktop\CCleaner.lnk
2012-10-09 23:03 - 2011-06-21 14:32 - 62968832 ____N (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-10-08 17:09 - 2012-03-29 07:30 - 00696760 ____N (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-10-08 17:09 - 2011-06-20 08:47 - 00073656 ____N (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-09-14 10:28 - 2012-10-09 21:04 - 00002048 ____N (Microsoft Corporation) C:\Windows\System32\tzres.dll
2012-09-11 09:40 - 2012-06-15 11:00 - 00000935 ____N C:\Users\Public\Desktop\AVG 2012.lnk
2012-09-11 09:40 - 2012-06-15 11:00 - 00000935 ____N C:\Users\All Users\Desktop\AVG 2012.lnk
2012-09-06 08:49 - 2009-07-13 20:53 - 00032640 ____N C:\Windows\Tasks\SCHEDLGU.TXT
2012-08-31 09:18 - 2012-10-09 21:03 - 01211760 ____N (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys
2012-08-30 09:12 - 2012-10-09 21:03 - 03968880 ____N (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2012-08-30 09:12 - 2012-10-09 21:03 - 03914096 ____N (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-08-24 11:43 - 2012-08-24 11:43 - 00301920 ____N (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgtdix.sys
2012-08-24 08:57 - 2012-10-09 21:04 - 00172544 ____N (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2012-08-23 23:27 - 2012-09-21 23:00 - 12319744 ____N (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-08-23 23:03 - 2012-09-21 23:00 - 09738240 ____N (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-08-23 22:59 - 2012-09-21 23:00 - 01800704 ____N (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-08-23 22:51 - 2012-09-21 23:00 - 01427968 ____N (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-08-23 22:51 - 2012-09-21 23:00 - 01129472 ____N (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-08-23 22:51 - 2012-09-21 23:00 - 01103872 ____N (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-08-23 22:49 - 2012-09-21 23:00 - 00231936 ____N (Microsoft Corporation) C:\Windows\System32\url.dll
2012-08-23 22:48 - 2012-09-21 23:00 - 00065024 ____N (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-08-23 22:47 - 2012-09-21 23:00 - 00717824 ____N (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-08-23 22:47 - 2012-09-21 23:00 - 00420864 ____N (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-08-23 22:47 - 2012-09-21 23:00 - 00142848 ____N (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-08-23 22:45 - 2012-09-21 23:00 - 00607744 ____N (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-08-23 22:44 - 2012-09-21 23:00 - 01793024 ____N (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-08-23 22:44 - 2012-09-21 23:00 - 00073216 ____N (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-08-23 22:43 - 2012-09-21 23:00 - 02382848 ____N (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-08-23 22:40 - 2012-09-21 23:00 - 00176640 ____N (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-08-22 09:16 - 2012-09-12 00:35 - 01292144 ____N (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-08-22 09:16 - 2012-09-12 00:35 - 00712048 ____N (Microsoft Corporation) C:\Windows\System32\Drivers\ndis.sys
2012-08-22 09:16 - 2012-09-12 00:35 - 00240496 ____N (Microsoft Corporation) C:\Windows\System32\Drivers\netio.sys
2012-08-22 09:16 - 2012-09-12 00:35 - 00187760 ____N (Microsoft Corporation) C:\Windows\System32\Drivers\FWPKCLNT.SYS
2012-08-21 12:12 - 2012-09-25 20:14 - 00245760 ____N (Microsoft Corporation) C:\Windows\System32\OxpsConverter.exe
2012-08-20 09:40 - 2012-10-09 21:04 - 00868352 ____N (Microsoft Corporation) C:\Windows\System32\kernel32.dll
2012-08-20 09:40 - 2012-10-09 21:04 - 00293376 ____N (Microsoft Corporation) C:\Windows\System32\KernelBase.dll
2012-08-20 09:40 - 2012-10-09 21:04 - 00169984 ____N (Microsoft Corporation) C:\Windows\System32\winsrv.dll
2012-08-20 09:37 - 2012-10-09 21:04 - 00271360 ____N (Microsoft Corporation) C:\Windows\System32\conhost.exe
2012-08-20 09:32 - 2012-10-09 21:04 - 00005120 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll
2012-08-20 09:32 - 2012-10-09 21:04 - 00004608 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll
2012-08-20 09:32 - 2012-10-09 21:04 - 00004096 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll
2012-08-20 09:32 - 2012-10-09 21:04 - 00004096 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll
2012-08-20 09:32 - 2012-10-09 21:04 - 00004096 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll
2012-08-20 09:32 - 2012-10-09 21:04 - 00004096 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll
2012-08-20 09:32 - 2012-10-09 21:04 - 00004096 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll
2012-08-20 09:32 - 2012-10-09 21:04 - 00003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll
2012-08-20 09:32 - 2012-10-09 21:04 - 00003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll
2012-08-20 09:32 - 2012-10-09 21:04 - 00003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll
2012-08-20 09:32 - 2012-10-09 21:04 - 00003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll
2012-08-20 09:32 - 2012-10-09 21:04 - 00003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll
2012-08-20 09:32 - 2012-10-09 21:04 - 00003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll
2012-08-20 09:32 - 2012-10-09 21:04 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll
2012-08-20 09:32 - 2012-10-09 21:04 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll
2012-08-20 09:32 - 2012-10-09 21:04 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll
2012-08-20 09:32 - 2012-10-09 21:04 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll
2012-08-20 09:32 - 2012-10-09 21:04 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll
2012-08-20 09:32 - 2012-10-09 21:04 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll
2012-08-20 09:32 - 2012-10-09 21:04 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll
2012-08-20 09:32 - 2012-10-09 21:04 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll
2012-08-20 09:32 - 2012-10-09 21:04 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll
2012-08-20 09:32 - 2012-10-09 21:04 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll
2012-08-20 09:32 - 2012-10-09 21:04 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll
2012-08-20 07:33 - 2012-10-09 21:04 - 00006144 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll
2012-08-20 07:33 - 2012-10-09 21:04 - 00004608 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll
2012-08-20 07:33 - 2012-10-09 21:04 - 00003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll
2012-08-20 07:33 - 2012-10-09 21:04 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll
2012-08-15 12:42 - 2009-07-13 20:33 - 00406272 ____N C:\Windows\System32\FNTCACHE.DAT
2012-08-15 04:59 - 2012-08-15 04:59 - 00002453 ____N C:\Users\Bill Hiller\Desktop\GoToMeeting Quick Connect.lnk
2012-08-10 15:56 - 2012-10-09 21:03 - 00542208 ____N (Microsoft Corporation) C:\Windows\System32\kerberos.dll
2012-08-10 10:49 - 2012-08-10 10:49 - 00001975 ____N C:\Users\Public\Desktop\CompanionLink.lnk
2012-08-10 10:49 - 2012-08-10 10:49 - 00001975 ____N C:\Users\All Users\Desktop\CompanionLink.lnk
2012-08-10 10:42 - 2012-08-10 10:41 - 22496720 ____N (CompanionLink Software, Inc. ) C:\Users\Bill Hiller\Downloads\CompanionLink50_beta (1).exe
2012-08-02 08:57 - 2012-09-12 00:35 - 00490496 ____N (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll


==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-10-10 23:00:29
Restore point made on: 2012-10-11 08:57:30
Restore point made on: 2012-10-14 04:15:29
Restore point made on: 2012-10-14 04:16:17
Restore point made on: 2012-10-14 04:18:27
Restore point made on: 2012-10-15 08:58:57
Restore point made on: 2012-10-16 08:30:23
Restore point made on: 2012-10-21 06:48:13
Restore point made on: 2012-10-21 08:26:34
Restore point made on: 2012-10-23 07:43:26
Restore point made on: 2012-10-23 08:56:07
Restore point made on: 2012-10-26 13:39:32
Restore point made on: 2012-10-27 04:38:12
Restore point made on: 2012-10-27 08:07:28
Restore point made on: 2012-10-28 08:43:30

==================== Memory info ===========================

Percentage of memory in use: 11%
Total physical RAM: 4086.43 MB
Available physical RAM: 3613.43 MB
Total Pagefile: 4084.71 MB
Available Pagefile: 3615.98 MB
Total Virtual: 2047.88 MB
Available Virtual: 1960.48 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:298.09 GB) (Free:200.62 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
3 Drive e: (USB MEMORY) (Removable) (Total:0.11 GB) (Free:0.1 GB) FAT
4 Drive f: (BB) (Fixed) (Total:149.04 GB) (Free:43.13 GB) NTFS ==>[System with boot components (obtained from reading drive)]
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 1024 KB
Disk 1 Online 117 MB 0 B
Disk 2 Online 149 GB 8 MB

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 298 GB 31 KB

=========================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 298 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 117 MB 1024 B

=========================================================

Disk: 1
Partition 1
Type : 06
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 E USB MEMORY FAT Removable 117 MB Healthy

=========================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 149 GB 31 KB

=========================================================

Disk: 2
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F BB NTFS Partition 149 GB Healthy

=========================================================

Last Boot: 2012-10-25 20:44

==================== End Of Log ============================
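
The services.exe search requested in the instructions above and the Search.txt that came back are the pieces of this thread a log reader actually cross-checks: in 2012 helpers asked for this search because the ZeroAccess/Sirefef rootkit family patched services.exe in place, and the test is whether the live C:\Windows\System32\services.exe has the same hash as a version-matched copy in the WinSxS component store. Here that holds (5F1B6A9C... for 6.1.7600.16385, and D4E6D91C... for the Vista copy under Windows.old). The script below is an added example, not code from the thread, from BleepingComputer or from FRST; it parses FRST's two-line search format and automates that comparison. The sample input is a verbatim subset of the posted entries; the "tampered" variant, its all-zero hash and its modified time are made up to show the failing case.

```python
"""Added example: check an FRST Search.txt listing of services.exe against WinSxS."""
import re
from collections import defaultdict

# Constructed sample: a subset of the Search.txt entries posted above, copied verbatim.
SAMPLE_SEARCH_TXT = r"""
================== Search: "services.exe" ===================

C:\Windows.old\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-05-27 06:53] - [2009-04-10 22:27] - 0279552 ____N (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows.old\Windows\System32\services.exe
[2009-05-27 06:53] - [2009-04-10 22:27] - 0279552 ____N (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____N (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____N (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\erdnt\cache\services.exe
[2012-10-27 15:39] - [2009-07-13 17:14] - 0259072 ____N (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

=== End Of Search ===
"""

# Constructed negative case: the live copy gets a made-up all-zero "hash" (not a real
# hash of anything) and a recent modified time, which is how a patched services.exe
# looks next to its untouched WinSxS reference copy.
_LIVE_ENTRY = ("C:\\Windows\\System32\\services.exe\n"
               "[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____N "
               "(Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6")
TAMPERED_SEARCH_TXT = SAMPLE_SEARCH_TXT.replace(
    _LIVE_ENTRY,
    "C:\\Windows\\System32\\services.exe\n"
    "[2009-07-13 15:11] - [2012-10-20 03:02] - 0259072 ____N "
    "(Microsoft Corporation) 00000000000000000000000000000000")

# One FRST search hit is two lines: the path, then
# [created] - [modified] - size attrs (Company) MD5   (the company part is optional)
PATH_RE = re.compile(r"^[A-Za-z]:\\")
ENTRY_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) (?:\((?P<company>[^)]*)\) )?(?P<md5>[0-9A-Fa-f]{32})$")


def parse_frst_search(text):
    """Return one dict per hit: path, created, modified, size (int), attrs, company, md5."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    entries = []
    for path, detail in zip(lines, lines[1:]):
        m = ENTRY_RE.match(detail) if PATH_RE.match(path) else None
        if m:  # a path line without a parsable detail line is skipped
            e = m.groupdict()
            e.update(path=path, size=int(e["size"]), md5=e["md5"].upper())
            entries.append(e)
    return entries


def _windows_root(path):
    """'C:\\Windows.old\\Windows\\System32\\services.exe' -> 'c:\\windows.old\\windows\\'."""
    low = path.lower()
    hits = [low.find(m) for m in ("\\system32\\", "\\winsxs\\", "\\erdnt\\") if m in low]
    return low[: min(hits) + 1] if hits else None


def check_services_exe(entries):
    """Map each live System32\\services.exe to a verdict.

    OK      -> its MD5 equals a WinSxS component-store copy under the same Windows root
    SUSPECT -> WinSxS copies exist under that root but none has this MD5, or the
               version-info company string is not Microsoft Corporation
    UNKNOWN -> nothing under that root to compare against
    """
    by_root = defaultdict(lambda: {"live": [], "winsxs": []})
    for e in entries:
        root, low = _windows_root(e["path"]), e["path"].lower()
        if root and "\\winsxs\\" in low:
            by_root[root]["winsxs"].append(e)
        elif root and "\\system32\\" in low:
            by_root[root]["live"].append(e)
    verdicts = {}
    for root, groups in by_root.items():
        refs = {w["md5"] for w in groups["winsxs"]}
        for live in groups["live"]:
            if live["company"] != "Microsoft Corporation":
                verdicts[live["path"]] = "SUSPECT: company is %r, not Microsoft Corporation" % live["company"]
            elif not refs:
                verdicts[live["path"]] = "UNKNOWN: no WinSxS copy under " + root
            elif live["md5"] in refs:
                verdicts[live["path"]] = "OK: MD5 matches a WinSxS copy under " + root
            else:
                verdicts[live["path"]] = "SUSPECT: MD5 matches no WinSxS copy under " + root
    return verdicts


if __name__ == "__main__":
    for label, text in (("posted log", SAMPLE_SEARCH_TXT), ("tampered", TAMPERED_SEARCH_TXT)):
        print("==", label)
        for path, verdict in check_services_exe(parse_frst_search(text)).items():
            print("  %s -> %s" % (path, verdict))
```

Two caveats worth keeping in mind when reading a verdict like this. The MD5 is used only as an equality check against an on-disk reference copy, not as proof of authenticity; a mismatch is strong evidence of tampering because every servicing update leaves its own copy in WinSxS, but a match only says the live file equals whatever is in the store. On a machine that still boots, the stronger native checks are `sfc /verifyonly` and PowerShell's `Get-AuthenticodeSignature` on the live binary, which verify Microsoft's signature rather than a hash the same attacker could in principle have planted in both places.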

#4 CatByte


    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 28 October 2012 - 07:11 PM

Please delete the copy of ComboFix that you have on your desktop and download a fresh copy from the link below; disable your security programs, run it, and post the resulting log.

Link



#5 bhiller

  • Topic Starter

  • Members
  • 11 posts

Posted 28 October 2012 - 07:38 PM

Thank you again for the help. Below please find the log. An interesting thing happened when I downloaded ComboFix: it knocked out my IE9 and I had to restart the computer to get it back. I am still missing my icon and have to go into my programs to launch it. In any case, the log is below, and I truly appreciate the help.


ComboFix 12-10-26.05 - Bill Hiller 10/28/2012 20:19:26.2.2 - x86
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3062.1814 [GMT -4:00]
Running from: c:\users\Bill Hiller\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-09-28 to 2012-10-29 )))))))))))))))))))))))))))))))
.
.
2012-10-29 03:11 . 2012-10-29 03:11 -------- d-----w- C:\FRST
2012-10-29 00:26 . 2012-10-29 00:26 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-10-27 21:42 . 2012-10-27 21:42 -------- d-----w- c:\programdata\Trend Micro
2012-10-27 12:38 . 2012-10-27 12:38 388096 ------r- c:\users\Bill Hiller\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-10-26 21:33 . 2012-10-26 21:34 65808 ------w- c:\windows\system32\drivers\tmrkb.sys
2012-10-26 21:32 . 2012-10-26 21:32 -------- d-----w- c:\program files\WinPcap
2012-10-26 21:32 . 2012-10-27 12:38 -------- d-----w- c:\program files\Trend Micro
2012-10-23 15:46 . 2012-10-23 15:46 53248 ------r- c:\users\Bill Hiller\AppData\Roaming\Microsoft\Installer\{38676C9C-270F-43D1-926A-E45DE8820A6B}\ARPPRODUCTICON.exe
2012-10-18 17:42 . 2012-10-18 17:42 40776 ------w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-10-10 05:03 . 2012-08-31 17:18 1211760 ------w- c:\windows\system32\drivers\ntfs.sys
2012-10-10 05:03 . 2012-08-10 23:56 542208 ------w- c:\windows\system32\kerberos.dll
2012-10-10 05:03 . 2012-08-30 17:12 3968880 ------w- c:\windows\system32\ntkrnlpa.exe
2012-10-10 05:03 . 2012-08-30 17:12 3914096 ------w- c:\windows\system32\ntoskrnl.exe
2012-10-09 12:28 . 2012-10-09 12:28 -------- d-----w- c:\users\Bill Hiller\AppData\Roaming\AVG
2012-10-09 12:28 . 2012-10-09 12:29 -------- d-----w- c:\programdata\AVG
2012-10-09 12:28 . 2012-10-09 12:28 -------- d-sh--w- c:\programdata\{D1D4879F-2279-49C9-AEBF-3B95C84EAA8F}
2012-09-29 22:45 . 2012-09-29 22:45 -------- d-----w- c:\users\Bill Hiller\AppData\Local\MFAData
2012-09-29 22:45 . 2012-09-29 22:45 -------- d-----w- c:\users\Bill Hiller\AppData\Local\Avg2013
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-09 01:09 . 2012-03-29 15:30 696760 ------w- c:\windows\system32\FlashPlayerApp.exe
2012-10-09 01:09 . 2011-06-20 16:47 73656 ------w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-24 19:43 . 2012-08-24 19:43 301920 ------w- c:\windows\system32\drivers\avgtdix.sys
2012-08-24 06:59 . 2012-09-22 07:00 1800704 ------w- c:\windows\system32\jscript9.dll
2012-08-24 06:51 . 2012-09-22 07:00 1129472 ------w- c:\windows\system32\wininet.dll
2012-08-24 06:51 . 2012-09-22 07:00 1427968 ------w- c:\windows\system32\inetcpl.cpl
2012-08-24 06:47 . 2012-09-22 07:00 142848 ------w- c:\windows\system32\ieUnatt.exe
2012-08-24 06:47 . 2012-09-22 07:00 420864 ------w- c:\windows\system32\vbscript.dll
2012-08-24 06:43 . 2012-09-22 07:00 2382848 ------w- c:\windows\system32\mshtml.tlb
2012-08-22 17:16 . 2012-09-12 08:35 1292144 ------w- c:\windows\system32\drivers\tcpip.sys
2012-08-22 17:16 . 2012-09-12 08:35 712048 ------w- c:\windows\system32\drivers\ndis.sys
2012-08-22 17:16 . 2012-09-12 08:35 240496 ------w- c:\windows\system32\drivers\netio.sys
2012-08-22 17:16 . 2012-09-12 08:35 187760 ------w- c:\windows\system32\drivers\FWPKCLNT.SYS
2012-08-21 20:12 . 2012-09-26 04:14 245760 ------w- c:\windows\system32\OxpsConverter.exe
2012-08-02 16:57 . 2012-09-12 08:35 490496 ------w- c:\windows\system32\d3d10level9.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ------w- c:\users\Bill Hiller\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ------w- c:\users\Bill Hiller\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ------w- c:\users\Bill Hiller\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-05-28 1721640]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-11-02 90448]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 173592]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 150552]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2009-10-26 1458176]
"Act.Outlook.Service"="c:\program files\ACT\Act for Windows\Act.Outlook.Service.exe" [2012-06-15 18432]
"Act! Preloader"="c:\program files\ACT\Act for Windows\ActSage.exe" [2012-06-15 337256]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-07-31 2596984]
"Trend Micro RUBotted V2.0 Beta"="c:\program files\Trend Micro\RUBotted\RUBottedGUI.exe" [2010-12-17 1103184]
.
c:\users\Bill Hiller\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Bill Hiller\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2010-12-21 227712]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
BounceBack Launcher.lnk - c:\program files\CMS Products\BounceBack Ultimate\BBStartup.exe [2011-9-17 46464]
Sage ACT! Integration.lnk - c:\program files\ACT\Act for Windows\Sage.ACT.Integration.exe [2012-6-15 99840]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\avgidsagent.exe [x]
R2 Sage ACT! Scheduler;Sage ACT! Scheduler;c:\program files\ACT\Act for Windows\Act.Scheduler.exe [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
R3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28u.sys [x]
R3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\DRIVERS\nwusbser2.sys [x]
R3 swg3kser00;Sierra Wireless QMI USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\swg3kser00.sys [x]
R3 swiwdmbx;Sierra Wireless USB Bus Service;c:\windows\system32\DRIVERS\swiwdmbx.sys [x]
R3 SWNC8UA3;Sierra Wireless MUX NDIS Driver (UMTSA3);c:\windows\system32\DRIVERS\swnc8ua3.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [x]
R4 RsFx0150;RsFx0150 Driver;c:\windows\system32\DRIVERS\RsFx0150.sys [x]
R4 SQLAgent$ACT7;SQL Server Agent (ACT7);c:\program files\Microsoft SQL Server\MSSQL10_50.ACT7\MSSQL\Binn\SQLAGENT.EXE [x]
S0 AVGIDSHX;AVGIDSHX;c:\windows\system32\DRIVERS\avgidshx.sys [x]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [x]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [x]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 ActService;ACT! Service Host;c:\program files\ACT\Act for Windows\Act.Server.Host.exe [x]
S2 ActSmartTaskService;ACT! Smart Task Service Host;c:\program files\ACT\Act for Windows\Act.Server.Host.exe [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [x]
S2 BBWatcherService;BBWatcherService;c:\program files\CMS Products\BounceBack Ultimate\BBWatcherService.exe [x]
S2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\Microsoft SQL Server\MSSQL10_50.ACT7\MSSQL\Binn\sqlservr.exe [x]
S2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [x]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [x]
S2 RUBotSrv;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\RUBotSrv.exe [x]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdriverx.sys [x]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\avgidsfilterx.sys [x]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\avgidsshimx.sys [x]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-29 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-29 01:09]
.
2012-10-26 c:\windows\Tasks\CMS Application Updater.job
- c:\program files\CMS Products\Updater\CmsUpdater.exe [2011-09-17 17:28]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(848)
c:\windows\system32\pstorsvc.dll
c:\windows\system32\psbase.dll
.
- - - - - - - > 'Explorer.exe'(1872)
c:\users\Bill Hiller\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
Completion time: 2012-10-28 20:28:24
ComboFix-quarantined-files.txt 2012-10-29 00:28
ComboFix2.txt 2012-10-27 23:40
.
Pre-Run: 215,901,446,144 bytes free
Post-Run: 215,890,558,976 bytes free
.
- - End Of File - - 9E314116CF55ADDAAAD00359766C61AC
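
A small triage pass over this log format, added here as an example and not part of ComboFix or of anyone's post in this thread: it parses the "Files Created" entries, the Run key and the policies\system values in the style shown above and flags items worth a second look. Two of the flags are worth explaining. A bare file name in a Run value (like "RtHDVCpl.exe" above) is resolved through the search path rather than an absolute location, and the policies\system values ConsentPromptBehaviorAdmin=0 and PromptOnSecureDesktop=0 recorded above mean administrators elevate without any UAC prompt and any prompt that does appear is drawn on the normal, spoofable desktop. The excerpt inside the script is constructed, modelled on entries from the log above plus one made-up Run entry (the "Updater" value) so that the user-writable-path check has a hit; a hit is a review prompt, not a verdict (HiJackThis.exe sitting in the Installer cache is benign here).

```python
"""Triage helpers for a ComboFix-style log (added example, not ComboFix code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the log format in this thread; the "Updater"
# Run value is made up so that the user-writable-path check has something to flag.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2012-09-28 to 2012-10-29 )))))))))))))))))))))))))))))))
.
2012-10-27 12:38 . 2012-10-27 12:38 388096 ------r- c:\users\Bill Hiller\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-10-18 17:42 . 2012-10-18 17:42 40776 ------w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-10-09 12:28 . 2012-10-09 12:28 -------- d-sh--w- c:\programdata\{D1D4879F-2279-49C9-AEBF-3B95C84EAA8F}
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"Updater"="c:\users\Bill Hiller\AppData\Roaming\updater.exe" [2012-10-20 51200]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
"""

SECTION_RE = re.compile(r"^\(+ (.+?) \)+$")              # ((((( Section name )))))
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")                # [HKEY_...] registry key line
FILE_RE = re.compile(                                      # created . modified size attrs path
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} (\S+) (\S{8}) (.+)$")
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)" \[\d{4}-\d{2}-\d{2} \d+\]$')
POLICY_RE = re.compile(r'^"([A-Za-z]+)"= (\d+) \(0x[0-9a-fA-F]+\)$')

EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")


@dataclass
class LogFacts:
    files: List[Tuple[str, str, str]] = field(default_factory=list)   # (created, attrs, path)
    run_entries: List[Tuple[str, str]] = field(default_factory=list)  # (value name, command)
    policies: Dict[str, int] = field(default_factory=dict)            # policies\system values


def parse_log(text: str) -> LogFacts:
    """Walk the log once, tracking the current section header and registry key."""
    facts = LogFacts()
    section, key = "", ""
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group(1), ""
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        if section.startswith("Files Created"):
            m = FILE_RE.match(line)
            if m:
                facts.files.append((m.group(1), m.group(3), m.group(4)))
        elif key.endswith(r"\currentversion\run"):
            m = RUN_RE.match(line)
            if m:
                facts.run_entries.append((m.group(1), m.group(2)))
        elif key.endswith(r"\policies\system"):
            m = POLICY_RE.match(line)
            if m:
                facts.policies[m.group(1)] = int(m.group(2))
    return facts


def is_user_writable(path: str) -> bool:
    return any(tok in path.lower() for tok in USER_WRITABLE)


def triage(text: str) -> List[Tuple[str, str]]:
    """Return (kind, detail) findings; each is a prompt for review, not a verdict."""
    facts = parse_log(text)
    findings = []
    for created, attrs, path in facts.files:
        if attrs.startswith("d"):                      # directory entry
            if "s" in attrs and "h" in attrs:          # system + hidden directory
                findings.append(("hidden-system-dir", f"{created} {path}"))
        elif path.lower().endswith(EXEC_EXT) and is_user_writable(path):
            findings.append(("exec-in-user-writable", f"{created} {path}"))
    for name, command in facts.run_entries:
        if "\\" not in command:                        # bare name, resolved via search path
            findings.append(("run-unqualified-path", f"{name} -> {command}"))
        elif is_user_writable(command):
            findings.append(("run-from-user-writable", f"{name} -> {command}"))
    if facts.policies.get("ConsentPromptBehaviorAdmin") == 0:
        findings.append(("uac-admin-no-prompt",
                         "ConsentPromptBehaviorAdmin=0: administrators elevate without a prompt"))
    if facts.policies.get("PromptOnSecureDesktop") == 0:
        findings.append(("uac-no-secure-desktop",
                         "PromptOnSecureDesktop=0: elevation prompts shown on the normal desktop"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:24s} {detail}")
```

Feed it a full log by reading the ComboFix.txt text into `triage()`; the path and attribute heuristics are deliberately broad, so expect legitimate installer caches and vendor directories to show up alongside anything genuinely suspicious.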

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 28 October 2012 - 07:43 PM

I am still missing my icon


What exactly are you missing?

Please run the following:

Please download Unhide.exe to your desktop:
  • Double-click on the Unhide.exe icon on your desktop and allow the program to run.
  • This program will remove the hidden attributes from all the files on your system.
  • Note: If you had purposely hidden any files, then you will need to hide them again after this tool has run.



#7 bhiller

bhiller
  • Topic Starter

  • Members
  • 11 posts

Posted 28 October 2012 - 08:19 PM

I was missing my IE icon. It gave me an access denied error after running ComboFix and became unpinned from the task bar. When I tried to start it from All Programs it denied me again. I restarted the computer and was able to launch it from All Programs and repinned it to the task bar, so we should be good to go with IE. Unhide has finished processing the C: drive and is now running on my backup.

#8 bhiller

bhiller
  • Topic Starter

  • Members
  • 11 posts

Posted 28 October 2012 - 08:51 PM

Enclosed please find the log from Unhide.

Thank you again for the continued assistance.

Unhide by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Unhide.exe can be found at this link:
http://www.bleepingcomputer.com/forums/topic405109.html

Program started at: 10/28/2012 08:50:03 PM
Windows Version: Windows 7

Please be patient while your files are made visible again.

Processing the C:\ drive
Finished processing the C:\ drive. 1106599 files processed.

Processing the J:\ drive
Finished processing the J:\ drive. 1298397 files processed.

The C:\Users\BILLHI~1\AppData\Local\Temp\smtmp\ folder does not exist!!
Unhide cannot restore your missing shortcuts!!
Please see this topic in order to learn how to restore default
Start Menu shortcuts: http://www.bleepingcomputer.com/forums/topic405109.html

Searching for Windows Registry changes made by FakeHDD rogues.
- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
No registry changes detected.

Restarting Explorer.exe in order to apply changes.

Program finished at: 10/28/2012 09:49:29 PM
Execution time: 0 hours(s), 59 minute(s), and 26 seconds(s)

#9 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 28 October 2012 - 09:40 PM

Please run the following:

Download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply


NEXT


  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish



#10 bhiller

bhiller
  • Topic Starter

  • Members
  • 11 posts

Posted 30 October 2012 - 07:45 AM

Good morning. It looks like we have found the virus: Win32/Toolbar.Babylon application. I have enclosed all of the files below. ESET was the only one that found anything. I hope the weather up your way is better than it is here, and thank you for your continued assistance.

C:\Program Files\AIViewer\MyBabylonTB.exe Win32/Toolbar.Babylon application
J:\Program Files\AIViewer\MyBabylonTB.exe Win32/Toolbar.Babylon application

# AdwCleaner v2.005 - Logfile created 10/29/2012 at 06:22:42
# Updated 14/10/2012 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (32 bits)
# User : Bill Hiller - BILLHILLER-PC
# Boot Mode : Normal
# Running from : C:\Users\Bill Hiller\Desktop\AdwCleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Mozilla Firefox v [Unable to get version]

Profile name : default
File : C:\Users\Bill Hiller\AppData\Roaming\Mozilla\Firefox\Profiles\4ceytd5o.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1307 octets] - [29/10/2012 06:17:08]
AdwCleaner[S1].txt - [1220 octets] - [29/10/2012 06:18:29]
AdwCleaner[S2].txt - [974 octets] - [29/10/2012 06:20:12]
AdwCleaner[S3].txt - [906 octets] - [29/10/2012 06:22:42]

########## EOF - C:\AdwCleaner[S3].txt - [965 octets] ##########

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.10.29.04

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Bill Hiller :: BILLHILLER-PC [administrator]

10/29/2012 7:17:51 AM
mbam-log-2012-10-29 (07-17-51).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 194074
Time elapsed: 4 minute(s), 30 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#11 bhiller

bhiller
  • Topic Starter

  • Members
  • 11 posts

Posted 30 October 2012 - 12:50 PM

Good day. I am not sure whether you are thinking I have removed this or not. As you have gotten me this far, I wanted to wait for your instructions. I have seen some removal tools out there but am not sure which are the best. Again, I very much appreciate your help and was hoping you would take me the rest of the way. Please don't think I am pushing; I am just not sure if you are busy (if so, I am happy to wait) or whether you thought I had done the removal.

Again thank you very much for the help.
Best Regards,

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 30 October 2012 - 05:22 PM

Sorry, I have just got home from work.

Please run the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Press the WinKey + R to open a run box, type Notepad > click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
C:\Program Files\AIViewer\MyBabylonTB.exe 
J:\Program Files\AIViewer\MyBabylonTB.exe 

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[Screenshot: dragging CFScript.txt onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


Please advise how the computer is running now and if there are any outstanding issues



#13 bhiller

bhiller
  • Topic Starter

  • Members
  • 11 posts

Posted 30 October 2012 - 07:37 PM

Good evening. Again, thank you; please find the log below. So far things seem to be running fine, but they were not running badly before. I still cannot get AVG Internet Security 2013 to run, but AVG Free 2012 updated and seems to be running well. I am not sure if I am cured or if there is still something there. I have read some about the Babylon virus and it seems to be deep rooted. Would running one of the online tools perhaps be a good double check to make sure it is all gone? I have also removed the AI program it was in and deleted the program folder, as it was a program I no longer needed anyway. In any case, thanks again, and here is the log.

ComboFix 12-10-30.03 - Bill Hiller 10/30/2012 19:37:07.3.2 - x86
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3062.1932 [GMT -4:00]
Running from: c:\users\Bill Hiller\Downloads\ComboFix.exe
Command switches used :: c:\users\Bill Hiller\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
FILE ::
"c:\program files\AIViewer\MyBabylonTB.exe"
"j:\program files\AIViewer\MyBabylonTB.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\AIViewer\MyBabylonTB.exe
j:\program files\AIViewer\MyBabylonTB.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-09-28 to 2012-10-30 )))))))))))))))))))))))))))))))
.
.
2012-10-30 23:44 . 2012-10-30 23:44 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-10-29 22:06 . 2012-10-29 22:06 -------- d-----w- c:\program files\ESET
2012-10-29 11:17 . 2012-10-29 11:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-10-29 11:17 . 2012-09-29 23:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-10-29 03:11 . 2012-10-29 03:11 -------- d-----w- C:\FRST
2012-10-27 12:38 . 2012-10-27 12:38 388096 ------r- c:\users\Bill Hiller\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-10-26 21:33 . 2012-10-26 21:34 65808 ------w- c:\windows\system32\drivers\tmrkb.sys
2012-10-26 21:32 . 2012-10-26 21:32 -------- d-----w- c:\program files\WinPcap
2012-10-26 21:32 . 2012-10-30 23:29 -------- d-----w- c:\program files\Trend Micro
2012-10-23 15:46 . 2012-10-23 15:46 53248 ------r- c:\users\Bill Hiller\AppData\Roaming\Microsoft\Installer\{38676C9C-270F-43D1-926A-E45DE8820A6B}\ARPPRODUCTICON.exe
2012-10-10 05:03 . 2012-08-31 17:18 1211760 ------w- c:\windows\system32\drivers\ntfs.sys
2012-10-10 05:03 . 2012-08-10 23:56 542208 ------w- c:\windows\system32\kerberos.dll
2012-10-10 05:03 . 2012-08-30 17:12 3968880 ------w- c:\windows\system32\ntkrnlpa.exe
2012-10-10 05:03 . 2012-08-30 17:12 3914096 ------w- c:\windows\system32\ntoskrnl.exe
2012-10-09 12:28 . 2012-10-09 12:28 -------- d-----w- c:\users\Bill Hiller\AppData\Roaming\AVG
2012-10-09 12:28 . 2012-10-09 12:29 -------- d-----w- c:\programdata\AVG
2012-10-09 12:28 . 2012-10-09 12:28 -------- d-sh--w- c:\programdata\{D1D4879F-2279-49C9-AEBF-3B95C84EAA8F}
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-09 01:09 . 2012-03-29 15:30 696760 ------w- c:\windows\system32\FlashPlayerApp.exe
2012-10-09 01:09 . 2011-06-20 16:47 73656 ------w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-24 19:43 . 2012-08-24 19:43 301920 ------w- c:\windows\system32\drivers\avgtdix.sys
2012-08-24 06:59 . 2012-09-22 07:00 1800704 ------w- c:\windows\system32\jscript9.dll
2012-08-24 06:51 . 2012-09-22 07:00 1129472 ------w- c:\windows\system32\wininet.dll
2012-08-24 06:51 . 2012-09-22 07:00 1427968 ------w- c:\windows\system32\inetcpl.cpl
2012-08-24 06:47 . 2012-09-22 07:00 142848 ------w- c:\windows\system32\ieUnatt.exe
2012-08-24 06:47 . 2012-09-22 07:00 420864 ------w- c:\windows\system32\vbscript.dll
2012-08-24 06:43 . 2012-09-22 07:00 2382848 ------w- c:\windows\system32\mshtml.tlb
2012-08-22 17:16 . 2012-09-12 08:35 1292144 ------w- c:\windows\system32\drivers\tcpip.sys
2012-08-22 17:16 . 2012-09-12 08:35 712048 ------w- c:\windows\system32\drivers\ndis.sys
2012-08-22 17:16 . 2012-09-12 08:35 240496 ------w- c:\windows\system32\drivers\netio.sys
2012-08-22 17:16 . 2012-09-12 08:35 187760 ------w- c:\windows\system32\drivers\FWPKCLNT.SYS
2012-08-21 20:12 . 2012-09-26 04:14 245760 ------w- c:\windows\system32\OxpsConverter.exe
2012-08-02 16:57 . 2012-09-12 08:35 490496 ------w- c:\windows\system32\d3d10level9.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ------w- c:\users\Bill Hiller\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ------w- c:\users\Bill Hiller\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ------w- c:\users\Bill Hiller\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-05-28 1721640]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-11-02 90448]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 173592]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 150552]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2009-10-26 1458176]
"Act.Outlook.Service"="c:\program files\ACT\Act for Windows\Act.Outlook.Service.exe" [2012-06-15 18432]
"Act! Preloader"="c:\program files\ACT\Act for Windows\ActSage.exe" [2012-06-15 337256]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-07-31 2596984]
.
c:\users\Bill Hiller\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Bill Hiller\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2010-12-21 227712]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
BounceBack Launcher.lnk - c:\program files\CMS Products\BounceBack Ultimate\BBStartup.exe [2011-9-17 46464]
Sage ACT! Integration.lnk - c:\program files\ACT\Act for Windows\Sage.ACT.Integration.exe [2012-6-15 99840]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\avgidsagent.exe [x]
R2 Sage ACT! Scheduler;Sage ACT! Scheduler;c:\program files\ACT\Act for Windows\Act.Scheduler.exe [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28u.sys [x]
R3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\DRIVERS\nwusbser2.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [x]
R3 swg3kser00;Sierra Wireless QMI USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\swg3kser00.sys [x]
R3 swiwdmbx;Sierra Wireless USB Bus Service;c:\windows\system32\DRIVERS\swiwdmbx.sys [x]
R3 SWNC8UA3;Sierra Wireless MUX NDIS Driver (UMTSA3);c:\windows\system32\DRIVERS\swnc8ua3.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [x]
R4 RsFx0150;RsFx0150 Driver;c:\windows\system32\DRIVERS\RsFx0150.sys [x]
R4 SQLAgent$ACT7;SQL Server Agent (ACT7);c:\program files\Microsoft SQL Server\MSSQL10_50.ACT7\MSSQL\Binn\SQLAGENT.EXE [x]
S0 AVGIDSHX;AVGIDSHX;c:\windows\system32\DRIVERS\avgidshx.sys [x]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [x]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [x]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 ActService;ACT! Service Host;c:\program files\ACT\Act for Windows\Act.Server.Host.exe [x]
S2 ActSmartTaskService;ACT! Smart Task Service Host;c:\program files\ACT\Act for Windows\Act.Server.Host.exe [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [x]
S2 BBWatcherService;BBWatcherService;c:\program files\CMS Products\BounceBack Ultimate\BBWatcherService.exe [x]
S2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\Microsoft SQL Server\MSSQL10_50.ACT7\MSSQL\Binn\sqlservr.exe [x]
S2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [x]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [x]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdriverx.sys [x]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\avgidsfilterx.sys [x]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\avgidsshimx.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-30 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-29 01:09]
.
2012-10-26 c:\windows\Tasks\CMS Application Updater.job
- c:\program files\CMS Products\Updater\CmsUpdater.exe [2011-09-17 17:28]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-10-30 19:46:14
ComboFix-quarantined-files.txt 2012-10-30 23:46
ComboFix2.txt 2012-10-27 23:40
ComboFix3.txt 2012-10-27 23:40
.
Pre-Run: 215,038,242,816 bytes free
Post-Run: 216,630,345,728 bytes free
.
- - End Of File - - 38B88B1EA73AE9917B875A2CB41E8707

#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 30 October 2012 - 07:51 PM

I still cannot get AVG Internet Security 2013 to run but AVG Free 2012 updated and seems to be running well.


What happens when you try to install AVG Internet Security 2013? You might have to completely uninstall AVG Free 2012 first, using their removal tool, before it will install.

I don't believe that is related to malware; it's just an AVG thing.

There are other free antivirus programs that are excellent and free - I use Microsoft Security Essentials.

ESET is an online scanner which located those remnants of Babylon.

I believe we have found it all, but we can take another look with a different diagnostic tool.

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    services.exe
    /md5stop
    %systemroot%\*. /rp /s
    %systemdrive%\$Recycle.Bin|@;true;true;true /fp
    DRIVES
    CREATERESTOREPOINT
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
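Reading the OTL output requested above is a manual job: the responder scans the PRC/SRV/DRV lines for files that are missing, binaries with no company name, and anything loaded from a user-writable path. As an added example (not part of the thread and not OldTimer's own code), the Python below parses that entry format and applies those three checks; the sample log is constructed to mirror the format, with made-up vendor names and paths.

```python
"""Triage helper for the OTL (OldTimer's List-It) log format posted in this thread.

Added example: not part of the thread and not OldTimer's own code. It parses the
PRC/MOD/SRV/DRV entry lines OTL prints and flags what a malware responder reads
first: entries whose file is missing, binaries with no company name in their
version info, and anything loaded from a user-writable path. SAMPLE_LOG below is
constructed to mirror that format; vendor names and paths are made up.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Entry with a file stamp:
#   KIND - [date time | size | attrs | M] (Company) [flags] -- path -- (Name)
# "[flags]" and "-- (Name)" appear on SRV/DRV lines only.
STAMPED = re.compile(
    r"^(?P<kind>PRC|MOD|SRV|DRV) - \[[^|\]]+\|\s*[\d,]+\s*\|[^\]]*\]"
    r"\s*\((?P<company>[^)]*)\)"
    r"(?:\s*\[(?P<flags>[^\]]*)\])?"
    r"\s*--\s*(?P<path>.+?)"
    r"(?:\s*--\s*\((?P<name>[^)]*)\))?\s*$"
)
# Same shape when OTL could not find the file on disk: no stamp and no company.
MISSING = re.compile(
    r"^(?P<kind>PRC|MOD|SRV|DRV) - File not found"
    r"(?:\s*\[(?P<flags>[^\]]*)\])?"
    r"\s*--\s*(?P<path>.+?)"
    r"(?:\s*--\s*\((?P<name>[^)]*)\))?\s*$"
)
# Path fragments meaning an ordinary user account could have written the file.
USER_WRITABLE = ("\\users\\", "\\windows\\temp\\", "\\programdata\\")


@dataclass
class Entry:
    kind: str          # PRC (process), MOD (module), SRV (service) or DRV (driver)
    path: str
    present: bool      # False when OTL reported "File not found"
    company: str = ""  # version-info company name; "" when absent or file missing
    flags: str = ""    # e.g. "Kernel | On_Demand | Stopped"; empty for PRC/MOD
    name: str = ""     # service/driver name; empty for PRC/MOD


@dataclass
class Finding:
    entry: Entry
    reasons: List[str]


def parse_line(line: str) -> Optional[Entry]:
    """Parse one OTL entry line; None for section headers, blanks and other text."""
    m = STAMPED.match(line)
    if m:
        return Entry(kind=m["kind"], path=m["path"].strip(), present=True,
                     company=m["company"].strip(), flags=(m["flags"] or "").strip(),
                     name=(m["name"] or "").strip())
    m = MISSING.match(line)
    if m:
        return Entry(kind=m["kind"], path=m["path"].strip(), present=False,
                     flags=(m["flags"] or "").strip(), name=(m["name"] or "").strip())
    return None


def parse_log(text: str) -> List[Entry]:
    entries = (parse_line(line) for line in text.splitlines())
    return [e for e in entries if e is not None]


def reasons_for(entry: Entry) -> List[str]:
    """Why a responder would look at this entry first; empty means nothing stands out."""
    reasons = []
    if not entry.present:
        # A service/driver key pointing at a file that is gone: a leftover from a
        # removed tool, or the remains of something already cleaned up.
        reasons.append("file not found")
    elif entry.company == "":
        # OTL prints () when the binary carries no company name in its version info.
        reasons.append("no company name")
    if any(marker in entry.path.lower() for marker in USER_WRITABLE):
        reasons.append("user-writable location")
    return reasons


def triage(text: str) -> List[Finding]:
    """Entries worth a second look, in log order."""
    findings = []
    for entry in parse_log(text):
        reasons = reasons_for(entry)
        if reasons:
            findings.append(Finding(entry, reasons))
    return findings


# Constructed sample in OTL's format (made-up vendors and paths).
SAMPLE_LOG = r"""
========== Processes (SafeList) ==========

PRC - [2012/10/31 17:18:21 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Example\Downloads\OTL.exe
PRC - [2010/06/14 05:16:50 | 000,112,000 | ---- | M] () -- C:\Program Files\ExampleBackup\Launcher.exe
PRC - [2012/05/24 14:39:22 | 027,112,840 | ---- | M] (Example Sync, Inc.) -- C:\Users\Example\AppData\Roaming\ExampleSync\bin\sync.exe

========== Services (SafeList) ==========

SRV - [2012/02/14 04:53:38 | 000,193,288 | ---- | M] (Example AV Ltd.) [Auto | Running] -- C:\Program Files\ExampleAV\watchdog.exe -- (exavwd)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\EXAMPL~1\AppData\Local\Temp\catchme.sys -- (catchme)
DRV - [2012/08/24 15:43:18 | 000,301,920 | ---- | M] (Example AV Ltd. ) [Kernel | System | Running] -- C:\Windows\System32\drivers\exavtdi.sys -- (exavtdi)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        label = f.entry.name or f.entry.path.rsplit("\\", 1)[-1]
        print(f"{f.entry.kind} {label:<14} {', '.join(f.reasons):<38} {f.entry.path}")
```

A flag is a prompt to look closer, not a verdict: a sync client in AppData and a leftover driver key from a cleanup tool are both expected here, which is why the responder still reads each flagged line.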


#15 bhiller

bhiller
  • Topic Starter

  • Members
  • 11 posts

Posted 31 October 2012 - 04:52 PM

Good evening. The log is listed below. I have no idea if this is good or bad. Hopefully we are all done, and I truly appreciate you taking your time to help me.

OTL logfile created on: 10/31/2012 5:21:25 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Bill Hiller\Downloads
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.99 Gb Total Physical Memory | 1.53 Gb Available Physical Memory | 51.23% Memory free
5.98 Gb Paging File | 4.32 Gb Available in Paging File | 72.19% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 298.09 Gb Total Space | 199.44 Gb Free Space | 66.91% Space Free | Partition Type: NTFS
Drive J: | 149.04 Gb Total Space | 42.63 Gb Free Space | 28.60% Space Free | Partition Type: NTFS

Computer Name: BILLHILLER-PC | User Name: Bill Hiller | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/10/31 17:18:21 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Bill Hiller\Downloads\OTL.exe
PRC - [2012/08/13 03:24:48 | 005,167,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgidsagent.exe
PRC - [2012/07/31 03:37:02 | 002,596,984 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgtray.exe
PRC - [2012/07/26 03:23:08 | 000,758,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgrsx.exe
PRC - [2012/06/15 14:31:22 | 000,099,840 | ---- | M] (Sage Software, Inc) -- C:\Program Files\ACT\Act for Windows\Sage.ACT.Integration.exe
PRC - [2012/06/15 14:30:54 | 000,018,432 | ---- | M] (Sage Software, Inc.) -- C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe
PRC - [2012/06/15 14:28:22 | 000,026,624 | ---- | M] (Microsoft) -- C:\Program Files\ACT\Act for Windows\Act.Server.Host.exe
PRC - [2012/06/13 03:48:50 | 002,321,560 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgfws.exe
PRC - [2012/06/13 03:48:24 | 001,255,544 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgnsx.exe
PRC - [2012/05/24 14:39:22 | 027,112,840 | ---- | M] (Dropbox, Inc.) -- C:\Users\Bill Hiller\AppData\Roaming\Dropbox\bin\Dropbox.exe
PRC - [2012/03/19 05:18:12 | 000,979,840 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgemcx.exe
PRC - [2012/03/15 18:07:54 | 020,774,680 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
PRC - [2012/02/14 04:53:38 | 000,193,288 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe
PRC - [2012/02/14 04:52:38 | 000,338,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgcsrvx.exe
PRC - [2012/01/03 09:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2011/11/02 02:00:44 | 000,090,448 | ---- | M] (Research In Motion Limited) -- C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
PRC - [2011/09/24 15:03:42 | 000,068,928 | ---- | M] (Nalpeiron Ltd.) -- C:\Windows\System32\NLSSRV32.EXE
PRC - [2011/02/25 01:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2010/12/21 01:07:48 | 000,227,712 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
PRC - [2010/12/02 19:03:02 | 000,251,832 | ---- | M] (arvato digital services llc) -- C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
PRC - [2010/11/20 08:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2010/06/14 05:16:50 | 000,112,000 | ---- | M] () -- C:\Program Files\CMS Products\BounceBack Ultimate\BBLauncher.exe
PRC - [2010/06/14 05:16:48 | 000,394,624 | ---- | M] () -- C:\Program Files\CMS Products\BounceBack Ultimate\BBBackup.exe
PRC - [2010/06/14 05:09:18 | 000,065,536 | ---- | M] (CMS Products, Inc.) -- C:\Program Files\CMS Products\BounceBack Ultimate\BBWatcherService.exe
PRC - [2009/10/26 14:46:54 | 001,458,176 | ---- | M] (Motorola Inc.) -- C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
PRC - [2008/01/15 03:26:18 | 004,874,240 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe


========== Modules (No Company Name) ==========

MOD - [2012/07/09 13:47:42 | 001,072,640 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.IdentityModel\bd28f26b18b8ffeee1a0fbaa98f5810e\System.IdentityModel.ni.dll
MOD - [2012/07/09 13:47:39 | 018,058,752 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.ServiceModel\cfece6f67593b4d8bb58d23b7fdcc470\System.ServiceModel.ni.dll
MOD - [2012/07/09 13:46:48 | 012,079,616 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Web\fdb5565e4c807a8cd79de9f40c0cd644\System.Web.ni.dll
MOD - [2012/07/09 13:46:36 | 000,771,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runtime.Remo#\94b346f2ab12d38efb1331ded5783396\System.Runtime.Remoting.ni.dll
MOD - [2012/07/09 13:46:35 | 000,787,456 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.EnterpriseSe#\bb40644f323a93fa9bc09be350918ef3\System.EnterpriseServices.ni.dll
MOD - [2012/07/09 13:46:34 | 000,649,728 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Transactions\67a386434938003bceb0752e979dabb3\System.Transactions.ni.dll
MOD - [2012/07/09 13:46:34 | 000,236,032 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.EnterpriseSe#\bb40644f323a93fa9bc09be350918ef3\System.EnterpriseServices.Wrapper.dll
MOD - [2012/07/09 13:46:33 | 001,021,952 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runtime.Dura#\79ac99fe5274fb82ffcff2c15f71854c\System.Runtime.DurableInstancing.ni.dll
MOD - [2012/07/09 13:46:32 | 000,143,360 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\SMDiagnostics\bb97517e4ca64e02282fca24612ce8ad\SMDiagnostics.ni.dll
MOD - [2012/07/09 13:46:31 | 002,647,040 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runtime.Seri#\8a9fac9cb825b5d2db0bdb867fff940e\System.Runtime.Serialization.ni.dll
MOD - [2012/07/09 13:46:15 | 001,838,080 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.VisualBas#\09c2f8f606e09d85cfe6e0ad89fbe729\Microsoft.VisualBasic.ni.dll
MOD - [2012/07/09 13:45:52 | 000,194,048 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\CustomMarshalers\f11d5fea7ded12068e8cdb8b2f1bdbd9\CustomMarshalers.ni.dll
MOD - [2012/07/09 13:39:22 | 001,051,136 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\9b2f17fb61b7197f2a04108f5d1a1cc6\System.Management.ni.dll
MOD - [2012/07/09 13:33:07 | 000,212,992 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\69ca4a43ba14b66689715ad62aed70e6\System.ServiceProcess.ni.dll
MOD - [2012/07/09 13:33:00 | 012,436,480 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\7b7fbe651c6e72f12099a298654c9594\System.Windows.Forms.ni.dll
MOD - [2012/07/09 13:32:21 | 001,591,808 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6bb439b3f87736d3248ae27d43e2c0d6\System.Drawing.ni.dll
MOD - [2012/07/09 13:31:34 | 005,452,800 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\ba3d70b651454c7d49b407b93663bfed\System.Xml.ni.dll
MOD - [2012/07/09 13:31:27 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\cfa9c506bfb9254c89dace7b83bc9f9d\System.Configuration.ni.dll
MOD - [2012/07/09 13:31:23 | 007,967,232 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\ce9ff6baf9053ed2ed673d948179195c\System.ni.dll
MOD - [2012/07/09 13:31:13 | 011,492,864 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\acfc1391e45fedd2a359778ea57d914c\mscorlib.ni.dll
MOD - [2012/07/09 13:17:54 | 013,198,336 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\3971e166cf827b6726e142f344061dc9\System.Windows.Forms.ni.dll
MOD - [2012/07/09 13:17:43 | 006,815,232 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\99d0f7ba920eea1117e45dcd9fec0eb5\System.Data.ni.dll
MOD - [2012/07/09 13:17:40 | 001,666,048 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\8c40f40ef36622109793788049fbe9ab\System.Drawing.ni.dll
MOD - [2012/07/09 13:16:48 | 000,145,408 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics\7b7719d46a4da2e91e8c501347e48ab9\System.Numerics.ni.dll
MOD - [2012/07/09 13:16:47 | 000,736,768 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Security\5a3beae8b211b91bfc620c029cf4c2d4\System.Security.ni.dll
MOD - [2012/07/09 13:16:44 | 005,617,664 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\d1f299160424bad90fe9f658661389e2\System.Xml.ni.dll
MOD - [2012/07/09 13:16:39 | 000,982,528 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\623d2a0f11dd82bb9bc13d1cb981b239\System.Configuration.ni.dll
MOD - [2012/07/09 13:16:35 | 007,069,184 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\ed91b57205429a23bb91f4499059a459\System.Core.ni.dll
MOD - [2012/07/09 13:16:23 | 009,091,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System\6f9f0467e8b2dd3f69b015c8e30ac945\System.ni.dll
MOD - [2012/07/09 13:16:11 | 014,412,800 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\3953b1d8b9b57e4957bff8f58145384e\mscorlib.ni.dll
MOD - [2012/06/15 14:01:12 | 000,550,328 | ---- | M] () -- C:\Program Files\ACT\Act for Windows\PSIClient.dll
MOD - [2011/03/17 00:11:16 | 004,297,568 | ---- | M] () -- C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
MOD - [2010/06/14 05:16:50 | 000,112,000 | ---- | M] () -- C:\Program Files\CMS Products\BounceBack Ultimate\BBLauncher.exe
MOD - [2010/06/14 05:16:48 | 000,394,624 | ---- | M] () -- C:\Program Files\CMS Products\BounceBack Ultimate\BBBackup.exe
MOD - [2010/06/14 05:16:42 | 000,126,976 | ---- | M] () -- C:\Program Files\CMS Products\BounceBack Ultimate\DMO.dll


========== Services (SafeList) ==========

SRV - [2012/10/08 21:09:29 | 000,250,808 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/08/13 03:24:48 | 005,167,736 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\avgidsagent.exe -- (AVGIDSAgent)
SRV - [2012/06/15 14:35:44 | 000,081,920 | ---- | M] (Sage Software, Inc.) [Auto | Stopped] -- C:\Program Files\ACT\Act for Windows\Act.Scheduler.exe -- (Sage ACT! Scheduler)
SRV - [2012/06/15 14:28:22 | 000,026,624 | ---- | M] (Microsoft) [Auto | Running] -- C:\Program Files\ACT\Act for Windows\Act.Server.Host.exe -- (ActSmartTaskService)
SRV - [2012/06/15 14:28:22 | 000,026,624 | ---- | M] (Microsoft) [Auto | Running] -- C:\Program Files\ACT\Act for Windows\Act.Server.Host.exe -- (ActService)
SRV - [2012/06/13 03:48:50 | 002,321,560 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\avgfws.exe -- (avgfws)
SRV - [2012/02/14 04:53:38 | 000,193,288 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe -- (avgwd)
SRV - [2012/01/03 09:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2011/09/24 15:03:42 | 000,068,928 | ---- | M] (Nalpeiron Ltd.) [Auto | Running] -- C:\Windows\System32\NLSSRV32.EXE -- (nlsX86cc)
SRV - [2011/06/21 09:00:34 | 001,343,400 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2010/12/02 19:03:02 | 000,251,832 | ---- | M] (arvato digital services llc) [Auto | Running] -- C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe -- (PSI_SVC_2)
SRV - [2010/06/14 05:09:18 | 000,065,536 | ---- | M] (CMS Products, Inc.) [Auto | Running] -- C:\Program Files\CMS Products\BounceBack Ultimate\BBWatcherService.exe -- (BBWatcherService)
SRV - [2009/07/13 21:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 21:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\BILLHI~1\AppData\Local\Temp\catchme.sys -- (catchme)
DRV - [2012/08/24 15:43:18 | 000,301,920 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgtdix.sys -- (Avgtdix)
DRV - [2012/07/26 03:21:30 | 000,237,408 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2012/04/19 04:50:26 | 000,024,896 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\avgidshx.sys -- (AVGIDSHX)
DRV - [2012/01/31 04:46:50 | 000,031,952 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\System32\drivers\avgrkx86.sys -- (Avgrkx86)
DRV - [2011/12/23 13:32:14 | 000,041,040 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\Windows\System32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2011/12/23 13:32:08 | 000,017,232 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\avgidsshimx.sys -- (AVGIDSShim)
DRV - [2011/12/23 13:32:06 | 000,024,144 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\avgidsfilterx.sys -- (AVGIDSFilter)
DRV - [2011/12/23 13:32:00 | 000,139,856 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\avgidsdriverx.sys -- (AVGIDSDriver)
DRV - [2011/05/23 01:03:28 | 000,047,968 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgfwd6x.sys -- (Avgfwfd)
DRV - [2011/05/16 12:44:17 | 000,083,968 | ---- | M] (Sierra Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\swiwdmbx.sys -- (swiwdmbx)
DRV - [2011/05/13 14:53:00 | 000,215,552 | ---- | M] (Sierra Wireless Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\swg3kser00.sys -- (swg3kser00)
DRV - [2011/03/03 15:40:22 | 000,208,128 | ---- | M] (Sierra Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\swnc8ua3.sys -- (SWNC8UA3)
DRV - [2010/11/20 06:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/11/20 05:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2010/04/03 12:02:54 | 000,240,608 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Stopped] -- C:\Windows\System32\drivers\RsFx0150.sys -- (RsFx0150)
DRV - [2009/10/26 15:09:06 | 001,095,936 | ---- | M] (Motorola Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\smserial.sys -- (smserial)
DRV - [2009/07/13 19:52:10 | 000,014,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vwifimp.sys -- (vwifimp)
DRV - [2009/07/13 18:02:53 | 000,657,408 | ---- | M] (Ralink Technology Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\netr28u.sys -- (netr28u)
DRV - [2009/06/25 16:58:10 | 000,048,128 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2009/06/25 16:25:58 | 000,038,400 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2009/06/25 16:10:48 | 000,044,544 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2009/06/03 10:01:28 | 000,230,400 | ---- | M] (Novatel Wireless Inc) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NWADIenum.sys -- (NWADI)
DRV - [2009/06/03 10:01:26 | 000,174,720 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nwusbser2.sys -- (NWUSBPort2)
DRV - [2009/06/03 10:01:26 | 000,174,720 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nwusbser.sys -- (NWUSBPort)
DRV - [2009/06/03 10:01:26 | 000,174,720 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nwusbmdm.sys -- (NWUSBModem)
DRV - [2007/07/11 02:30:22 | 000,007,168 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HpqRemHid.sys -- (HpqRemHid)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope =

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 1A B8 77 FA 67 2F CC 01 [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {4A702CBB-CDD0-46E0-ABAF-529CF3E1320B}
IE - HKCU\..\SearchScopes\{4A702CBB-CDD0-46E0-ABAF-529CF3E1320B}: "URL" = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"
FF - prefs.js..extensions.enabledAddons: {1E73965B-8B48-48be-9C8D-68B920ABC1C4}:10.0.0.1423
FF - prefs.js..network.proxy.type: 0
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_4_402_287.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@RIM.com/WebSLLauncher,version=1.0: C:\Program Files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll ()
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{F53C93F1-07D5-430c-86D4-C9531B27DFAF}: C:\Program Files\AVG\AVG2012\Firefox\DoNotTrack\ [2012/07/02 09:21:11 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG2012\Firefox4\ [2012/09/11 13:40:47 | 000,000,000 | ---D | M]

[2011/11/07 08:38:56 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Bill Hiller\AppData\Roaming\Mozilla\Extensions
File not found (No name found) -- C:\PROGRAM FILES\AVG\AVG10\FIREFOX4

O1 HOSTS File: ([2012/10/30 19:44:45 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AVG Do Not Track) - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files\AVG\AVG2012\avgdtiex.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O4 - HKLM..\Run: [Act! Preloader] C:\Program Files\ACT\Act for Windows\ActSage.exe (Sage Software, Inc.)
O4 - HKLM..\Run: [Act.Outlook.Service] C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe (Sage Software, Inc.)
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [RIMBBLaunchAgent.exe] C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe (Research In Motion Limited)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe (Motorola Inc.)
O4 - Startup: C:\Users\Bill Hiller\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Bill Hiller\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O4 - Startup: C:\Users\Bill Hiller\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: AVG Do Not Track - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files\AVG\AVG2012\avgdtiex.dll (AVG Technologies CZ, s.r.o.)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab (GMNRev Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://cooperindustries.webex.com/client/WBXclient-T27L10NSP28-11263/webex/ieatgpc1.cab (GpcContainer Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7F43E33D-E3A3-4B6B-A9E2-4D291F7D7CDC}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{FD1B138C-E5E4-4BB3-84B3-EEDAA6D1BB07}: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | ---- | M] () - J:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012/10/30 19:46:17 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/10/30 19:46:16 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/10/30 19:46:16 | 000,000,000 | ---D | C] -- C:\Users\Bill Hiller\AppData\Local\temp
[2012/10/30 19:35:46 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/10/29 18:06:42 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2012/10/28 23:11:41 | 000,000,000 | ---D | C] -- C:\FRST
[2012/10/27 19:30:33 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/10/27 19:30:33 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/10/27 19:28:34 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/10/27 19:28:09 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2012/10/26 17:33:55 | 000,065,808 | ---- | C] (trend_company_name) -- C:\Windows\System32\drivers\tmrkb.sys
[2012/10/09 08:28:46 | 000,000,000 | ---D | C] -- C:\Users\Bill Hiller\AppData\Roaming\AVG
[2012/10/09 08:28:12 | 000,000,000 | ---D | C] -- C:\ProgramData\AVG
[2012/10/09 08:28:06 | 000,000,000 | -HSD | C] -- C:\ProgramData\{D1D4879F-2279-49C9-AEBF-3B95C84EAA8F}
[2011/09/10 18:42:57 | 011,104,216 | ---- | C] (Sage Software ) -- C:\Users\Bill Hiller\AppData\Roaming\ACT2012HotFix_SS.exe
[2011/06/28 14:48:14 | 021,046,160 | ---- | C] (Sage Software ) -- C:\Users\Bill Hiller\AppData\Roaming\ACT1200HotFix_SS.exe

========== Files - Modified Within 30 Days ==========

[2012/10/31 17:09:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012/10/31 16:18:48 | 000,013,440 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/10/31 16:18:48 | 000,013,440 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/10/31 16:11:27 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/10/31 16:11:19 | 2408,390,656 | -HS- | M] () -- C:\hiberfil.sys
[2012/10/31 08:24:27 | 099,046,039 | ---- | M] () -- C:\Windows\System32\drivers\AVG\incavi.avm
[2012/10/30 20:14:30 | 000,629,010 | ---- | M] () -- C:\Windows\System32\drivers\AVG\iavifw.avm
[2012/10/30 19:44:45 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2012/10/30 19:33:23 | 000,001,181 | ---- | M] () -- C:\Users\Bill Hiller\Desktop\ComboFix - Shortcut.lnk
[2012/10/27 19:11:46 | 000,358,295 | ---- | M] () -- C:\Users\Bill Hiller\AppData\Local\census.cache
[2012/10/27 19:11:45 | 000,112,698 | ---- | M] () -- C:\Users\Bill Hiller\AppData\Local\ars.cache
[2012/10/26 17:34:29 | 000,065,808 | ---- | M] (trend_company_name) -- C:\Windows\System32\drivers\tmrkb.sys
[2012/10/26 17:28:12 | 000,729,622 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/10/26 17:28:12 | 000,147,068 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/10/26 12:30:00 | 000,000,474 | ---- | M] () -- C:\Windows\tasks\CMS Application Updater.job
[2012/10/23 18:08:49 | 000,859,539 | ---- | M] () -- C:\Windows\System32\drivers\AVG\iavichjg.avm
[2012/10/23 11:58:51 | 000,000,000 | ---- | M] () -- C:\Windows\System32\drivers\Msft_Kernel_RimUsb_01007.Wdf
[2012/10/15 12:14:29 | 000,000,969 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk

========== Files Created - No Company Name ==========

[2012/10/30 19:33:23 | 000,001,181 | ---- | C] () -- C:\Users\Bill Hiller\Desktop\ComboFix - Shortcut.lnk
[2012/10/27 19:30:33 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/10/27 19:30:33 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/10/27 19:30:33 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/10/27 19:30:33 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/10/27 19:30:33 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/10/23 11:58:51 | 000,000,000 | ---- | C] () -- C:\Windows\System32\drivers\Msft_Kernel_RimUsb_01007.Wdf
[2012/06/16 23:13:40 | 000,007,601 | ---- | C] () -- C:\Users\Bill Hiller\AppData\Local\Resmon.ResmonCfg
[2012/06/15 14:02:20 | 000,266,327 | ---- | C] () -- C:\Windows\System32\ADErrorHandling.dll
[2012/04/29 11:59:15 | 000,358,295 | ---- | C] () -- C:\Users\Bill Hiller\AppData\Local\census.cache
[2012/04/29 11:58:30 | 000,112,698 | ---- | C] () -- C:\Users\Bill Hiller\AppData\Local\ars.cache
[2012/04/29 11:42:24 | 000,000,036 | ---- | C] () -- C:\Users\Bill Hiller\AppData\Local\housecall.guid.cache
[2011/06/28 15:00:52 | 000,000,952 | -HS- | C] () -- C:\ProgramData\KGyGaAvL.sys
[2011/06/20 17:43:00 | 000,000,120 | ---- | C] () -- C:\Windows\QUICKEN.INI
[2011/06/20 12:21:55 | 000,140,288 | ---- | C] () -- C:\Windows\System32\igfxtvcx.dll

========== ZeroAccess Check ==========

[2009/07/14 00:42:31 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/09 00:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 08:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/07/13 21:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
