Access Denied Message after FBI Malware


This topic is locked
16 replies to this topic

#1 metrotheme


  • Members
  • 10 posts

Posted 17 November 2012 - 06:59 PM

I was infected with the FBI Malware yesterday. I ran Avira and it quarantined a bunch of files, but when I went to update Avira, it wouldn't let me update. I uninstalled and installed the program (Avira) several times and then deleted it, as I kept getting access denied messages. Somewhat stupidly, I ran ComboFix after reading through a bunch of posts that looked similar to my symptoms. I downloaded Avast and I cannot run the graphical interface of the program.

Here is my DDS log. I will post my other logs in adjacent posts. Any help would be appreciated.


DDS (Ver_2012-11-07.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16455 BrowserJavaVersion: 10.7.2
Run by Nick at 18:53:03 on 2012-11-17
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4032.2769 [GMT -5:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\real\realplayer\Update\realsched.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\SysWOW64\DeltaIITray.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BBSvc.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\explorer.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_110.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_110.exe
C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\SeaPort.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
uProxyServer = hxxp=127.0.0.1:6092
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - <orphaned>
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BingExt.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: DownloadHelper Class: {FF2573AE-E1ED-40e1-83BA-F544CB2EE135} - C:\Program Files (x86)\Common Files\Download Helper\DownloadHelper.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} -
TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [TkBellExe] "C:\Program Files (x86)\real\realplayer\update\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [M-Audio Taskbar Icon] C:\Windows\System32\DeltaIITray.exe
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\DEVICE~1.LNK - C:\Program Files (x86)\Olympus\DeviceDetector\DevDtct2.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: HideSCAHealth = dword:1
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~3\Office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - <orphaned>
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 207.69.188.185 207.69.188.186 207.69.188.187
TCP: Interfaces\{72523E2C-63D2-4ACF-8F50-8B58F6B38C99} : DHCPNameServer = 207.69.188.185 207.69.188.186 207.69.188.187
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: KuGoo - <Clsid value has no data>
Handler: KuGoo3 - <Clsid value has no data>
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
mASetup: {A8D647C8-65AC-409F-B7B2-3C0FEE1A32F2} - C:\Program Files (x86)\PixiePack Codec Pack\InstallerHelper.exe
x64-BHO: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: DownloadHelper Class: {FF2573AE-E1ED-40e1-83BA-F544CB2EE135} - C:\Program Files\Common Files\Download Helper\DownloadHelperx64.dll
x64-TB: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-Run: [CanonSolutionMenu] C:\Program Files (x86)\Canon\SolutionMenu\CNSLMAIN.exe /logon
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
x64-Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - <orphaned>
x64-Handler: KuGoo - <Clsid value has no data>
x64-Handler: KuGoo3 - <Clsid value has no data>
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\w9w57ogt.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=DCF1DF&PC=DCF1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=DCF1DF&PC=DCF1&q=
FF - prefs.js: network.proxy.type - 4
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\NPcol400.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdnu.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\nprpplugin.dll
FF - plugin: c:\program files (x86)\real\realplayer\Netscape6\nprpplugin.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: C:\Users\Nick\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_110.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
FF - ExtSQL: 2012-11-17 16:18; wrc@avast.com; C:\Program Files\AVAST Software\Avast\WebRep\FF
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2012-11-17 984144]
R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2012-11-17 370288]
R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2012-11-17 25232]
R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2012-11-17 71600]
R2 BBSvc;BingBar Service;C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BBSvc.EXE [2012-2-10 193816]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
R3 BBUpdate;BBUpdate;C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\SeaPort.EXE [2012-2-10 240408]
R3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);C:\Windows\System32\drivers\WsAudio_DeviceS(1).sys [2010-10-28 29288]
R3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);C:\Windows\System32\drivers\WsAudio_DeviceS(2).sys [2010-10-28 29288]
R3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);C:\Windows\System32\drivers\WsAudio_DeviceS(3).sys [2010-10-28 29288]
R3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);C:\Windows\System32\drivers\WsAudio_DeviceS(4).sys [2010-10-28 29288]
R3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);C:\Windows\System32\drivers\WsAudio_DeviceS(5).sys [2010-10-28 29288]
S2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2012-11-17 44808]
S2 KMWDSERVICE;Keyboard And Mouse Communication Service;C:\Program Files (x86)\iHome Mouse Driver\KMWDSrv.exe [2009-8-31 1821184]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-7-13 160944]
S3 DELTAII;Service for M-Audio Delta Driver (WDM);C:\Windows\System32\drivers\MAudioDelta.sys [2009-7-27 392712]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-4-30 59392]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2010-4-19 50688]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-2-27 1255736]
.
=============== Created Last 30 ================
.
2012-11-17 23:40:45 -------- d-----w- C:\Windows\ERUNT
2012-11-17 23:40:37 -------- d-----w- C:\JRT
2012-11-17 23:40:33 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{360C22D5-3E2F-4E66-84D1-54DDB2624FC1}\offreg.dll
2012-11-17 23:30:26 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-11-17 23:30:25 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-11-17 22:06:37 2560 ----a-w- C:\Windows\System32\drivers\en-US\wdf01000.sys.mui
2012-11-17 22:06:36 9728 ----a-w- C:\Windows\System32\Wdfres.dll
2012-11-17 22:06:36 785512 ----a-w- C:\Windows\System32\drivers\Wdf01000.sys
2012-11-17 22:06:36 54376 ----a-w- C:\Windows\System32\drivers\WdfLdr.sys
2012-11-17 21:26:58 -------- d-sh--w- C:\$RECYCLE.BIN
2012-11-17 21:24:02 4096000 ----a-w- C:\Program Files (x86)\GUT6FD3.tmp
2012-11-17 21:24:02 -------- d-----w- C:\Program Files (x86)\GUM6FD2.tmp
2012-11-17 21:19:35 -------- d-----w- C:\Users\Nick\AppData\Local\Google
2012-11-17 21:19:28 54072 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys
2012-11-17 21:19:25 984144 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
2012-11-17 21:19:20 71600 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2012-11-17 21:18:44 41224 ----a-w- C:\Windows\avastSS.scr
2012-11-17 21:18:30 -------- d-----w- C:\ProgramData\AVAST Software
2012-11-17 21:18:30 -------- d-----w- C:\Program Files\AVAST Software
2012-11-17 21:11:02 3149824 ----a-w- C:\Windows\System32\win32k.sys
2012-11-17 21:08:32 95744 ----a-w- C:\Windows\System32\synceng.dll
2012-11-17 21:08:32 78336 ----a-w- C:\Windows\SysWow64\synceng.dll
2012-11-17 21:08:31 503808 ----a-w- C:\Windows\System32\srcore.dll
2012-11-17 21:08:31 43008 ----a-w- C:\Windows\SysWow64\srclient.dll
2012-11-17 21:08:30 59392 ----a-w- C:\Windows\System32\browcli.dll
2012-11-17 21:08:30 41984 ----a-w- C:\Windows\SysWow64\browcli.dll
2012-11-17 21:08:30 136704 ----a-w- C:\Windows\System32\browser.dll
2012-11-17 21:07:32 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2012-11-17 21:07:32 2048 ----a-w- C:\Windows\System32\tzres.dll
2012-11-17 21:06:43 220160 ----a-w- C:\Windows\System32\wintrust.dll
2012-11-17 21:06:43 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll
2012-11-17 21:06:40 245760 ----a-w- C:\Windows\System32\OxpsConverter.exe
2012-11-17 21:02:14 956928 ----a-w- C:\Windows\System32\localspl.dll
2012-11-17 21:02:12 751104 ----a-w- C:\Windows\System32\win32spl.dll
2012-11-17 21:02:12 559104 ----a-w- C:\Windows\System32\spoolsv.exe
2012-11-17 21:02:11 87040 ----a-w- C:\Windows\System32\drivers\WUDFPf.sys
2012-11-17 21:02:11 84992 ----a-w- C:\Windows\System32\WUDFSvc.dll
2012-11-17 21:02:11 67072 ----a-w- C:\Windows\splwow64.exe
2012-11-17 21:02:11 492032 ----a-w- C:\Windows\SysWow64\win32spl.dll
2012-11-17 21:02:11 198656 ----a-w- C:\Windows\System32\drivers\WUDFRd.sys
2012-11-17 21:02:11 194048 ----a-w- C:\Windows\System32\WUDFPlatform.dll
2012-11-17 21:02:10 744448 ----a-w- C:\Windows\System32\WUDFx.dll
2012-11-17 21:02:10 45056 ----a-w- C:\Windows\System32\WUDFCoinstaller.dll
2012-11-17 21:02:10 229888 ----a-w- C:\Windows\System32\WUDFHost.exe
2012-11-17 21:00:07 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
2012-11-17 21:00:07 1159680 ----a-w- C:\Windows\SysWow64\crypt32.dll
2012-11-17 21:00:07 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll
2012-11-17 20:59:46 184320 ----a-w- C:\Windows\System32\cryptsvc.dll
2012-11-17 20:59:46 1464320 ----a-w- C:\Windows\System32\crypt32.dll
2012-11-17 20:59:46 140288 ----a-w- C:\Windows\System32\cryptnet.dll
2012-11-17 20:38:07 98816 ----a-w- C:\Windows\sed.exe
2012-11-17 20:38:07 256000 ----a-w- C:\Windows\PEV.exe
2012-11-17 20:38:07 208896 ----a-w- C:\Windows\MBR.exe
2012-11-17 20:09:53 -------- d-----w- C:\Users\Nick\AppData\Local\fontconfig
2012-11-17 20:09:48 -------- d-----w- C:\Users\Nick\AppData\Local\gegl-0.2
2012-11-17 20:09:48 -------- d-----w- C:\Users\Nick\.gimp-2.8
2012-11-17 19:56:57 2292176 ----a-w- C:\shlext64.dll
2012-11-17 19:47:12 -------- d-----w- C:\Program Files\GIMP 2
2012-11-17 19:42:56 -------- d-----w- C:\Program Files\M-Audio
2012-11-17 19:42:32 -------- d-----w- C:\ProgramData\AVID
2012-11-17 18:50:47 -------- d-----w- C:\Program Files\CCleaner
2012-11-17 18:26:27 -------- d-----w- C:\Program Files (x86)\VS Revo Group
2012-11-17 15:04:20 -------- d-----w- C:\Users\Nick\AppData\Local\Canon Easy-PhotoPrint EX
2012-10-29 18:55:48 -------- d-----w- C:\Interviews
2012-10-29 12:14:29 11264 ----a-r- C:\Users\Nick\AppData\Roaming\Microsoft\Installer\{98613C99-1399-416C-A07C-1EE1C585D872}\Icon98613C992.exe
2012-10-29 12:14:29 -------- d-----w- C:\Program Files (x86)\Seagate
2012-10-29 12:09:52 -------- d-----w- C:\Program Files (x86)\Common Files\Wise Installation Wizard
.
==================== Find3M ====================
.
2012-11-17 17:48:07 73656 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-11-17 17:48:07 697272 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-10-09 18:17:13 55296 ----a-w- C:\Windows\System32\dhcpcsvc6.dll
2012-10-09 18:17:13 226816 ----a-w- C:\Windows\System32\dhcpcore6.dll
2012-10-09 17:40:31 44032 ----a-w- C:\Windows\SysWow64\dhcpcsvc6.dll
2012-10-09 17:40:31 193536 ----a-w- C:\Windows\SysWow64\dhcpcore6.dll
2012-10-08 11:31:03 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2012-10-08 11:23:52 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-10-08 11:22:55 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-10-08 11:18:22 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-10-08 11:17:35 599040 ----a-w- C:\Windows\System32\vbscript.dll
2012-10-08 11:13:33 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-10-08 07:56:24 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-10-08 07:48:03 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-10-08 07:47:44 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-10-08 07:44:05 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-10-08 07:43:21 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
2012-10-08 07:40:56 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-09-22 13:01:15 95208 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2012-09-22 13:01:14 821736 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
2012-09-22 13:01:14 746984 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-08-31 18:19:35 1659760 ----a-w- C:\Windows\System32\drivers\ntfs.sys
2012-08-30 18:03:45 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-08-30 17:12:02 3968880 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-08-30 17:12:02 3914096 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-08-30 16:18:05 891240 ----a-w- C:\Windows\System32\nvvsvc.exe
2012-08-30 16:18:05 63336 ----a-w- C:\Windows\System32\nvshext.dll
2012-08-30 16:18:05 118120 ----a-w- C:\Windows\System32\nvmctray.dll
2012-08-30 16:18:01 3266920 ----a-w- C:\Windows\System32\nvsvc64.dll
2012-08-30 16:17:59 6198120 ----a-w- C:\Windows\System32\nvcpl.dll
2012-08-20 18:48:44 362496 ----a-w- C:\Windows\System32\wow64win.dll
2012-08-20 18:48:44 243200 ----a-w- C:\Windows\System32\wow64.dll
2012-08-20 18:48:44 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2012-08-20 18:48:43 215040 ----a-w- C:\Windows\System32\winsrv.dll
2012-08-20 18:48:37 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2012-08-20 18:48:35 424448 ----a-w- C:\Windows\System32\KernelBase.dll
2012-08-20 18:46:22 338432 ----a-w- C:\Windows\System32\conhost.exe
2012-08-20 17:40:21 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2012-08-20 17:38:44 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
2012-08-20 17:38:26 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2012-08-20 17:37:19 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2012-08-20 17:37:18 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2012-08-20 15:38:21 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2012-08-20 15:38:20 2048 ----a-w- C:\Windows\SysWow64\user.exe
2012-08-20 15:33:28 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2012-08-20 15:33:28 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2012-08-20 15:33:28 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2012-08-20 15:33:28 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
.
============= FINISH: 18:53:23.85 ===============

JRT Log -

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 3.1.9 (11.17.2012)
OS: Windows 7 Home Premium x64
Ran by Nick on Sat 11/17/2012 at 18:40:47.84
Blog: http://thisisudax.blogspot.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\toolbar\webbrowser\\{1392b8d2-5c05-419f-a8f6-b9f15a596612}
Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\toolbar\\{1392b8d2-5c05-419f-a8f6-b9f15a596612}
Successfully repaired: [Registry Value] hkey_current_user\software\microsoft\internet explorer\main\\Start Page
Successfully repaired: [Registry Value] hkey_users\.default\software\microsoft\internet explorer\main\\Start Page
Successfully repaired: [Registry Value] hkey_users\s-1-5-18\software\microsoft\internet explorer\main\\Start Page
Successfully repaired: [Registry Value] hkey_users\s-1-5-19\software\microsoft\internet explorer\main\\Start Page
Successfully repaired: [Registry Value] hkey_users\s-1-5-20\software\microsoft\internet explorer\main\\Start Page
Successfully repaired: [Registry Value] hkey_users\S-1-5-21-1130089019-1024638917-4293211654-1001\software\microsoft\internet explorer\main\\Start Page
Successfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\toolbar\webbrowser\\{d4027c7f-154a-4066-a1ad-4243d8127440}



~~~ Registry Keys

Successfully deleted: [Registry Key] "hkey_current_user\software\conduit"
Successfully deleted: [Registry Key] "hkey_local_machine\software\conduit"
Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}
Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{171debeb-c3d4-40b7-ac73-056a5eba4a7e}
Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\Users\Nick\appdata\local\freecorder"
Successfully deleted: [Folder] "C:\Program Files (x86)\coupons"
Successfully deleted: [Folder] "C:\Program Files (x86)\freecorder"



~~~ FireFox

Successfully deleted: [File] C:\Users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\w9w57ogt.default\user.js
Successfully deleted: [Folder] C:\Users\Nick\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
Successfully deleted: [File] C:\Users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\w9w57ogt.default\searchplugins\askcom.xml
Successfully deleted: [npCouponPrinter.dll] from [FF plugins]
Successfully deleted: [npMozCouponPrinter.dll] from [FF plugins]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 11/17/2012 at 18:45:53.61
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


#2 nasdaq


  • Malware Response Team
  • 38,779 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 18 November 2012 - 10:40 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Remove this proxy setting UNLESS YOU HAVE SET AND NEED IT.

In Internet Explorer go to Tools - Internet Options - Connections Tab - LAN Settings and remove the reference to 127.0.0.1:6092 if found, then uncheck "Use a proxy server" and check "Automatically detect settings".
===

If you use Firefox, go to Tools Menu > Options... > Advanced Tab > Network Tab > Connection > Settings. Select the "Auto-detect proxy settings for this network" option, or "No proxy" if you do not need it.

Search for adware and PUPs (Potentially Unwanted Programs) installed on your computer.
===

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Run ComboFix again and post a fresh Log.
You may be asked to update the tool. Please do.

Please post the logs and let me know what problems you are having with this computer.

Edited by nasdaq, 18 November 2012 - 10:40 AM.


#3 metrotheme

  • Topic Starter

  • Members
  • 10 posts

Posted 18 November 2012 - 11:16 AM

Right now, Avast will not run the graphic interface when I click on it. It runs in the Task Manager, but if I try to end the program, I get an access denied message. I got the same access denied message when I tried to update Avira (which I have removed).

Security Check Log -

Results of screen317's Security Check version 0.99.54
Windows 7 Service Pack 1 x64 (UAC is disabled!)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.65.1.1000
JavaFX 2.1.1
Java 7 Update 9
Adobe Flash Player 11.5.502.110
Mozilla Firefox 14.0.1 Firefox out of Date!
````````Process Check: objlist.exe by Laurent````````
AVAST Software Avast AvastUI.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````

#4 nasdaq

  • Malware Response Team
  • 38,779 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 18 November 2012 - 11:22 AM

Did you remove the Proxy or is it something you need?

===


Run the AVAST Uninstall Utility

http://www.avast.com/uninstall-utility
===

Try to reinstall the application afterwards.

#5 metrotheme

  • Topic Starter
  • Members
  • 10 posts

Posted 18 November 2012 - 11:37 AM

Neither Firefox nor IE was set to proxy. Both were set to Auto-Detect when I checked.

Here is my ComboFix log:

ComboFix 12-11-16.02 - Nick 11/18/2012 11:19:38.2.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4032.2607 [GMT -5:00]
Running from: c:\users\Nick\Downloads\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-10-18 to 2012-11-18 )))))))))))))))))))))))))))))))
.
.
2012-11-18 16:26 . 2012-11-18 16:26 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-11-18 16:26 . 2012-11-18 16:26 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-11-18 16:26 . 2012-11-18 16:26 -------- d-----w- c:\users\Admin\AppData\Local\temp
2012-11-18 16:21 . 2012-11-18 16:21 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8B9B735C-D60C-4B9A-9E0D-AAC7B580FB78}\offreg.dll
2012-11-18 15:32 . 2012-10-17 06:31 9291768 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8B9B735C-D60C-4B9A-9E0D-AAC7B580FB78}\mpengine.dll
2012-11-18 13:39 . 2012-11-18 13:39 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-11-18 13:39 . 2012-11-18 13:38 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2012-11-18 13:38 . 2012-11-18 13:38 -------- d-----w- c:\program files (x86)\Java
2012-11-18 13:36 . 2012-11-18 13:36 916456 ----a-w- c:\windows\system32\deployJava1.dll
2012-11-18 13:36 . 2012-11-18 13:36 289768 ----a-w- c:\windows\system32\javaws.exe
2012-11-18 13:36 . 2012-11-18 13:36 1034216 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-11-18 13:36 . 2012-11-18 13:36 189416 ----a-w- c:\windows\system32\javaw.exe
2012-11-18 13:36 . 2012-11-18 13:36 188904 ----a-w- c:\windows\system32\java.exe
2012-11-18 13:36 . 2012-11-18 13:36 108008 ----a-w- c:\windows\system32\WindowsAccessBridge-64.dll
2012-11-18 13:36 . 2012-11-18 13:36 -------- d-----w- c:\program files\Java
2012-11-17 23:40 . 2012-11-17 23:40 -------- d-----w- c:\windows\ERUNT
2012-11-17 23:40 . 2012-11-17 23:40 -------- d-----w- C:\JRT
2012-11-17 23:30 . 2012-09-30 00:54 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-17 23:30 . 2012-11-17 23:30 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-11-17 23:21 . 2012-11-17 23:21 -------- d-----w- c:\users\Admin\AppData\Local\Mozilla
2012-11-17 22:06 . 2012-07-26 04:47 2560 ----a-w- c:\windows\system32\drivers\en-US\wdf01000.sys.mui
2012-11-17 22:06 . 2012-07-26 04:55 785512 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2012-11-17 22:06 . 2012-07-26 04:55 54376 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2012-11-17 22:06 . 2012-07-26 02:36 9728 ----a-w- c:\windows\system32\Wdfres.dll
2012-11-17 21:24 . 2012-11-17 21:24 4096000 ----a-w- c:\program files (x86)\GUT6FD3.tmp
2012-11-17 21:24 . 2012-11-17 21:24 -------- d-----w- c:\program files (x86)\GUM6FD2.tmp
2012-11-17 21:19 . 2012-11-17 21:22 -------- d-----w- c:\users\Nick\AppData\Local\Google
2012-11-17 21:19 . 2012-11-17 23:24 -------- d-----w- c:\program files (x86)\Google
2012-11-17 21:19 . 2012-10-30 23:51 25232 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-11-17 21:19 . 2012-10-30 23:51 370288 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-11-17 21:19 . 2012-10-15 16:59 54072 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2012-11-17 21:19 . 2012-10-30 23:51 59728 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-11-17 21:19 . 2012-10-30 23:51 984144 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-11-17 21:19 . 2012-10-30 23:51 71600 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-11-17 21:19 . 2012-10-30 23:50 285328 ----a-w- c:\windows\system32\aswBoot.exe
2012-11-17 21:18 . 2012-10-30 23:51 41224 ----a-w- c:\windows\avastSS.scr
2012-11-17 21:18 . 2012-10-30 23:50 227648 ----a-w- c:\windows\SysWow64\aswBoot.exe
2012-11-17 21:18 . 2012-11-17 23:23 -------- d-----w- c:\programdata\AVAST Software
2012-11-17 21:18 . 2012-11-17 21:18 -------- d-----w- c:\program files\AVAST Software
2012-11-17 21:11 . 2012-10-18 18:25 3149824 ----a-w- c:\windows\system32\win32k.sys
2012-11-17 21:08 . 2012-09-25 22:47 78336 ----a-w- c:\windows\SysWow64\synceng.dll
2012-11-17 21:08 . 2012-09-25 22:46 95744 ----a-w- c:\windows\system32\synceng.dll
2012-11-17 21:08 . 2012-05-05 08:36 503808 ----a-w- c:\windows\system32\srcore.dll
2012-11-17 21:08 . 2012-05-05 07:46 43008 ----a-w- c:\windows\SysWow64\srclient.dll
2012-11-17 21:08 . 2012-07-04 22:16 73216 ----a-w- c:\windows\system32\netapi32.dll
2012-11-17 21:08 . 2012-07-04 22:13 59392 ----a-w- c:\windows\system32\browcli.dll
2012-11-17 21:08 . 2012-07-04 22:13 136704 ----a-w- c:\windows\system32\browser.dll
2012-11-17 21:08 . 2012-07-04 21:14 41984 ----a-w- c:\windows\SysWow64\browcli.dll
2012-11-17 21:07 . 2012-09-14 19:19 2048 ----a-w- c:\windows\system32\tzres.dll
2012-11-17 21:07 . 2012-09-14 18:28 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2012-11-17 21:06 . 2012-08-24 18:05 220160 ----a-w- c:\windows\system32\wintrust.dll
2012-11-17 21:06 . 2012-08-24 16:57 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-11-17 21:06 . 2012-08-21 21:01 245760 ----a-w- c:\windows\system32\OxpsConverter.exe
2012-11-17 21:02 . 2012-05-14 05:26 956928 ----a-w- c:\windows\system32\localspl.dll
2012-11-17 21:02 . 2012-02-11 06:43 751104 ----a-w- c:\windows\system32\win32spl.dll
2012-11-17 21:02 . 2012-02-11 06:36 559104 ----a-w- c:\windows\system32\spoolsv.exe
2012-11-17 21:02 . 2012-07-26 03:08 84992 ----a-w- c:\windows\system32\WUDFSvc.dll
2012-11-17 21:02 . 2012-07-26 03:08 194048 ----a-w- c:\windows\system32\WUDFPlatform.dll
2012-11-17 21:02 . 2012-07-26 02:26 87040 ----a-w- c:\windows\system32\drivers\WUDFPf.sys
2012-11-17 21:02 . 2012-07-26 02:26 198656 ----a-w- c:\windows\system32\drivers\WUDFRd.sys
2012-11-17 21:02 . 2012-02-11 06:36 67072 ----a-w- c:\windows\splwow64.exe
2012-11-17 21:02 . 2012-02-11 05:43 492032 ----a-w- c:\windows\SysWow64\win32spl.dll
2012-11-17 21:02 . 2012-07-26 03:08 229888 ----a-w- c:\windows\system32\WUDFHost.exe
2012-11-17 21:02 . 2012-07-26 03:08 744448 ----a-w- c:\windows\system32\WUDFx.dll
2012-11-17 21:02 . 2012-07-26 03:08 45056 ----a-w- c:\windows\system32\WUDFCoinstaller.dll
2012-11-17 21:00 . 2012-06-02 04:36 140288 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2012-11-17 21:00 . 2012-06-02 04:36 1159680 ----a-w- c:\windows\SysWow64\crypt32.dll
2012-11-17 21:00 . 2012-06-02 04:36 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
2012-11-17 20:59 . 2012-06-02 05:41 184320 ----a-w- c:\windows\system32\cryptsvc.dll
2012-11-17 20:59 . 2012-06-02 05:41 140288 ----a-w- c:\windows\system32\cryptnet.dll
2012-11-17 20:59 . 2012-06-02 05:41 1464320 ----a-w- c:\windows\system32\crypt32.dll
2012-11-17 20:09 . 2012-11-17 20:09 -------- d-----w- c:\users\Nick\AppData\Local\fontconfig
2012-11-17 20:09 . 2012-11-18 15:51 -------- d-----w- c:\users\Nick\.gimp-2.8
2012-11-17 20:09 . 2012-11-17 20:09 -------- d-----w- c:\users\Nick\AppData\Local\gegl-0.2
2012-11-17 19:56 . 2012-10-10 18:40 2292176 ----a-w- C:\shlext64.dll
2012-11-17 19:47 . 2012-11-17 19:47 -------- d-----w- c:\program files\GIMP 2
2012-11-17 19:42 . 2012-11-17 19:42 -------- d-----w- c:\program files\M-Audio
2012-11-17 19:42 . 2012-11-17 19:42 -------- d-----w- c:\programdata\AVID
2012-11-17 18:50 . 2012-11-17 18:50 -------- d-----w- c:\program files\CCleaner
2012-11-17 18:26 . 2012-11-17 18:26 -------- d-----w- c:\program files (x86)\VS Revo Group
2012-11-17 18:08 . 2012-11-17 18:08 -------- d-----w- c:\program files (x86)\Common Files\Adobe
2012-11-17 15:04 . 2012-11-17 15:05 -------- d-----w- c:\users\Nick\AppData\Local\Canon Easy-PhotoPrint EX
2012-11-17 15:02 . 2012-11-17 17:44 -------- d-----w- c:\users\Nick\AppData\Roaming\Audacity
2012-11-01 19:22 . 2012-11-01 19:22 -------- d-----w- c:\users\Admin\AppData\Local\Apple
2012-10-29 18:55 . 2012-10-31 14:43 -------- d-----w- C:\Interviews
2012-10-29 12:14 . 2012-10-29 12:14 11264 ----a-r- c:\users\Nick\AppData\Roaming\Microsoft\Installer\{98613C99-1399-416C-A07C-1EE1C585D872}\Icon98613C992.exe
2012-10-29 12:14 . 2012-10-29 12:14 -------- d-----w- c:\program files (x86)\Seagate
2012-10-29 12:09 . 2012-10-29 12:09 -------- d-----w- c:\program files (x86)\Common Files\Wise Installation Wizard
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-18 13:38 . 2010-10-06 01:05 746984 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-11-17 17:48 . 2012-09-22 12:50 697272 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-11-17 17:48 . 2012-08-06 23:26 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-10-30 02:04 . 2009-11-11 21:11 66395536 ----a-w- c:\windows\system32\MRT.exe
2012-09-22 13:01 . 2012-08-01 01:31 821736 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2012-08-30 19:14 . 2012-09-22 18:40 7397736 ----a-w- c:\windows\system32\nvopencl.dll
2012-08-30 19:14 . 2012-09-22 18:40 6109032 ----a-w- c:\windows\SysWow64\nvopencl.dll
2012-08-30 19:14 . 2012-09-22 18:40 26228072 ----a-w- c:\windows\system32\nvoglv64.dll
2012-08-30 19:14 . 2012-09-22 18:40 19828584 ----a-w- c:\windows\SysWow64\nvoglv32.dll
2012-08-30 19:14 . 2012-09-22 18:40 1482600 ----a-w- c:\windows\system32\nvdispgenco64.dll
2012-08-30 19:14 . 2012-09-22 18:40 13391720 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2012-08-30 19:14 . 2012-09-22 18:40 9066344 ----a-w- c:\windows\system32\nvcuda.dll
2012-08-30 19:14 . 2012-09-22 18:40 7626088 ----a-w- c:\windows\SysWow64\nvcuda.dll
2012-08-30 19:14 . 2012-09-22 18:40 2745192 ----a-w- c:\windows\system32\nvcuvid.dll
2012-08-30 19:14 . 2012-09-22 18:40 2573672 ----a-w- c:\windows\SysWow64\nvcuvid.dll
2012-08-30 19:14 . 2012-09-22 18:40 25256296 ----a-w- c:\windows\system32\nvcompiler.dll
2012-08-30 19:14 . 2012-09-22 18:40 2422120 ----a-w- c:\windows\SysWow64\nvapi.dll
2012-08-30 19:14 . 2012-09-22 18:40 2216808 ----a-w- c:\windows\system32\nvcuvenc.dll
2012-08-30 19:14 . 2012-09-22 18:40 1866088 ----a-w- c:\windows\SysWow64\nvcuvenc.dll
2012-08-30 19:14 . 2012-09-22 18:40 17559912 ----a-w- c:\windows\SysWow64\nvcompiler.dll
2012-08-30 19:14 . 2012-02-25 16:09 18229096 ----a-w- c:\windows\system32\nvd3dumx.dll
2012-08-30 19:14 . 2012-02-25 16:09 1760104 ----a-w- c:\windows\system32\nvdispco64.dll
2012-08-30 19:14 . 2012-02-25 16:09 15291752 ----a-w- c:\windows\SysWow64\nvd3dum.dll
2012-08-30 19:14 . 2012-02-25 16:09 2725224 ----a-w- c:\windows\system32\nvapi64.dll
2012-08-30 16:18 . 2012-02-25 16:11 891240 ----a-w- c:\windows\system32\nvvsvc.exe
2012-08-30 16:18 . 2012-02-25 16:11 63336 ----a-w- c:\windows\system32\nvshext.dll
2012-08-30 16:18 . 2012-02-25 16:11 118120 ----a-w- c:\windows\system32\nvmctray.dll
2012-08-30 16:18 . 2012-02-25 16:11 3266920 ----a-w- c:\windows\system32\nvsvc64.dll
2012-08-30 16:17 . 2012-02-25 16:11 6198120 ----a-w- c:\windows\system32\nvcpl.dll
2012-08-20 17:38 . 2012-11-17 21:10 44032 ----a-w- c:\windows\apppatch\acwow64.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"TkBellExe"="c:\program files (x86)\real\realplayer\update\realsched.exe" [2012-05-19 296056]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-09-24 926896]
"M-Audio Taskbar Icon"="c:\windows\system32\DeltaIITray.exe" [2012-01-25 237872]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Device Detector 3.lnk - c:\program files (x86)\Olympus\DeviceDetector\DevDtct2.exe [2009-12-26 118784]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
R2 BBSvc;BingBar Service;c:\program files (x86)\Microsoft\BingBar\7.1.361.0\BBSvc.exe [2012-02-10 193816]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 KMWDSERVICE;Keyboard And Mouse Communication Service;c:\program files (x86)\iHome Mouse Driver\KMWDSrv.exe [2009-09-01 1821184]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-13 160944]
R3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\System32\DRIVERS\ASPI32.sys [x]
R3 DELTAII;Service for M-Audio Delta Driver (WDM);c:\windows\system32\DRIVERS\MAudioDelta.sys [2009-07-27 392712]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 40464]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2010-04-20 50688]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-02-27 1255736]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-10-30 71600]
S3 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\7.1.361.0\SeaPort.exe [2012-02-10 240408]
S3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2010-09-14 29288]
S3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [2010-09-14 29288]
S3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [2010-09-14 29288]
S3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [2010-09-14 29288]
S3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [2010-09-14 29288]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{A8D647C8-65AC-409F-B7B2-3C0FEE1A32F2}]
2010-02-16 23:02 114688 ----a-w- c:\program files (x86)\PixiePack Codec Pack\InstallerHelper.exe
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-10-30 23:50 133400 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2008-12-12 722256]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-11-03 11545192]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-07-26 2782096]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uInternet Settings,ProxyOverride = *.local;<local>
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 207.69.188.185 207.69.188.186 207.69.188.187
FF - ProfilePath - c:\users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\w9w57ogt.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=DCF1DF&PC=DCF1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=DCF1DF&PC=DCF1&q=
FF - prefs.js: network.proxy.type - 4
FF - ExtSQL: 2012-11-17 16:18; wrc@avast.com; c:\program files\AVAST Software\Avast\WebRep\FF
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Coupon Printer for Windows5.0.0.0 - c:\program files (x86)\Coupons\uninstall.exe
AddRemove-Freecorder Toolbar - c:\progra~2\FREECO~2\UNWISE.EXE
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"=hex:51,66,7a,6c,4c,1d,38,12,bc,bb,81,
17,37,12,f1,04,d7,e0,fa,b1,5f,07,22,06
"{8DCB7100-DF86-4384-8842-8FA844297B3F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,72,d8,
89,b4,91,ea,06,f7,54,cc,e8,41,77,3f,2b
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{3049C3E9-B461-4BC5-8870-4C09146192CA}"=hex:51,66,7a,6c,4c,1d,38,12,87,c0,5a,
34,53,fa,ab,0e,f7,66,0f,49,11,3f,d6,de
"{53707962-6F74-2D53-2644-206D7942484F}"=hex:51,66,7a,6c,4c,1d,38,12,0c,7a,63,
57,46,21,3d,68,59,52,63,2d,7c,1c,0c,5b
"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}"=hex:51,66,7a,6c,4c,1d,38,12,0f,32,96,
76,f7,7e,4c,08,c8,ef,48,fc,18,66,e7,6a
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"=hex:51,66,7a,6c,4c,1d,38,12,d5,94,07,
72,c2,98,42,03,c9,fd,97,9a,f4,87,69,57
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{D2CE3E00-F94A-4740-988E-03DC2F38C34F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,3d,dd,
d6,78,b7,2e,02,e7,98,40,9c,2a,66,87,5b
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}"=hex:51,66,7a,6c,4c,1d,38,12,8f,19,47,
2e,c4,15,0b,03,d7,b5,8c,e9,62,70,06,85
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:d0,fb,69,0a,c2,6a,cd,01
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,85,71,ae,68,c2,19,82,49,97,d0,64,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,85,71,ae,68,c2,19,82,49,97,d0,64,\
.
[HKEY_USERS\S-1-5-21-1130089019-1024638917-4293211654-1001\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{74EBAC6D-418F-DC9A-6102-FB8C2FAA8C30}*]
"maopjgpnnnhlcdaombgnddlpai"=hex:6b,61,6e,6c,66,61,6d,62,61,6a,68,67,6b,69,6a,
6c,68,62,68,6f,6a,6b,00,00
"naibhenbcjhgjmdcaicbaokmcmmf"=hex:6b,61,6e,6c,66,61,6d,62,61,6a,68,67,6b,69,
6a,6c,68,62,68,6f,6a,6b,00,00
"fbpjddhknnbdcidbledfbfideiokmpfpmlfcfahmnejh"=hex:65,61,6a,6d,6d,64,65,62,6c,
6e,00,00
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{74EBAC6D-418F-DC9A-6102-FB8C2FAA8C30}\InProcServer32*]
"gakaadgbcpcoja"=hex:65,61,6a,6d,6d,64,65,62,6c,6e,00,00
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-11-18 11:33:59
ComboFix-quarantined-files.txt 2012-11-18 16:33
ComboFix2.txt 2012-11-17 21:01
.
Pre-Run: 238,467,076,096 bytes free
Post-Run: 238,415,020,032 bytes free
.
- - End Of File - - AF5B8246C9AB8E726245FC23D209641C
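The checks nasdaq asks for in post #2 (the loopback proxy on 127.0.0.1:6092) and the policy values visible in the ComboFix log above can be pulled out of the log mechanically. The script below is an added example, not part of the thread, ComboFix or DDS; SAMPLE_LOG is constructed from lines of the posted log, and the flagged meanings are the documented ones for each registry value and Firefox pref.

```python
# Added example, not part of the thread, ComboFix or DDS: triage a ComboFix log for the
# proxy and policy settings discussed above. SAMPLE_LOG is constructed from the posted log.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    key: str    # registry value or pref name as ComboFix prints it
    value: str  # value as it appears in the log
    why: str    # what that value means for the machine's defences


# Policy values worth flagging, with the documented meaning of the flagged value.
# The flagged values are exactly the ones the posted log shows.
POLICY_CHECKS = {
    "EnableLUA": ("0", "UAC is disabled (Security Check reported 'UAC is disabled!')"),
    "ConsentPromptBehaviorAdmin": ("0", "administrators elevate without any prompt"),
    "PromptOnSecureDesktop": ("0", "elevation prompts are not isolated on the secure desktop"),
    "AntiVirusOverride": ("1", "Security Center ignores antivirus status"),
    "FirewallOverride": ("1", "Security Center ignores firewall status"),
    "HideSCAHealth": ("1", "Action Center security warnings are hidden"),
}
# Firefox network.proxy.type values (Mozilla's documented pref meanings).
FF_PROXY_TYPES = {0: "no proxy", 1: "manual proxy", 2: "PAC script",
                  4: "auto-detect (WPAD)", 5: "use system proxy settings"}

# Matches both '"EnableLUA"= 0 (0x0)' and '"AntiVirusOverride"=dword:00000001'.
POLICY_RE = re.compile(
    r'^"(?P<name>[^"]+)"\s*=\s*(?:dword:(?P<hex>[0-9a-f]+)|(?P<dec>\d+)\s*\(0x[0-9a-f]+\))$',
    re.I)
PROXY_RE = re.compile(r'^uInternet Settings,ProxyServer\s*=\s*(?P<val>\S+)$')
FF_PROXY_RE = re.compile(r'^FF - prefs\.js: network\.proxy\.type - (?P<type>\d+)$')
# Loopback target after either the real 'http=' or ComboFix's defanged 'hxxp=' prefix.
LOOPBACK_RE = re.compile(r'(?:^|=)(?:127(?:\.\d{1,3}){3}|localhost):(?P<port>\d+)', re.I)


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious setting, in the order they appear in the log."""
    findings: list[Finding] = []
    wininet_loopback = False
    ff_type = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := PROXY_RE.match(line):
            val = m.group("val")
            if lb := LOOPBACK_RE.search(val):
                wininet_loopback = True
                findings.append(Finding("ProxyServer", val,
                    f"WinINet proxy points at this machine on port {lb.group('port')}; "
                    "Internet Explorer and anything using system settings goes through a local listener"))
            else:
                findings.append(Finding("ProxyServer", val, "explicit WinINet proxy configured"))
        elif m := FF_PROXY_RE.match(line):
            ff_type = int(m.group("type"))
        elif m := POLICY_RE.match(line):
            name = m.group("name")
            if name in POLICY_CHECKS:
                flagged, why = POLICY_CHECKS[name]
                value = m.group("dec") if m.group("dec") is not None else str(int(m.group("hex"), 16))
                if value == flagged:
                    findings.append(Finding(name, value, why))
    # Firefox inherits the WinINet proxy only in 'system settings' mode (5); a manual
    # proxy (1) needs its own look at network.proxy.http. Auto-detect (4), as in the
    # posted log, does not use the WinINet ProxyServer value.
    if ff_type is not None:
        desc = FF_PROXY_TYPES.get(ff_type, f"unknown value {ff_type}")
        if ff_type == 1 or (ff_type == 5 and wininet_loopback):
            findings.append(Finding("network.proxy.type", str(ff_type),
                                    f"Firefox proxy mode is '{desc}'; check its proxy target too"))
    return findings


def report(findings: list[Finding]) -> str:
    """Render findings one per line, or a clean-bill line when there are none."""
    if not findings:
        return "no suspicious proxy or policy settings found"
    return "\n".join(f"{f.key} = {f.value}: {f.why}" for f in findings)


# Constructed from lines in the ComboFix log posted above (not the whole log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
------- Supplementary Scan -------
uInternet Settings,ProxyServer = http=127.0.0.1:6092
FF - prefs.js: network.proxy.type - 4
"""

if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```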

#6 metrotheme

  • Topic Starter
  • Members
  • 10 posts

Posted 18 November 2012 - 11:57 AM

I did the clean uninstall of Avast after running ComboFix, and I still do not get the GUI of Avast when I click on the program.

#7 nasdaq

  • Malware Response Team
  • 38,779 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 18 November 2012 - 01:55 PM

Once you have removed Avast with the removal tool, execute this and post the log. I will then suggest a fix to remove any remnant items left over from Avast.


Open notepad and copy/paste the text in the quote box below into it:


DDS::
uProxyServer = hxxp=127.0.0.1:6092



Save this as CFScript.txt on your desktop.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log.

#8 metrotheme

  • Topic Starter
  • Members
  • 10 posts

Posted 18 November 2012 - 03:02 PM

ComboFix 12-11-16.02 - Nick 11/18/2012 14:47:14.4.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4032.2708 [GMT -5:00]
Running from: c:\users\Nick\Desktop\ComboFix.exe
Command switches used :: c:\users\Nick\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-10-18 to 2012-11-18 )))))))))))))))))))))))))))))))
.
.
2012-11-18 19:54 . 2012-11-18 19:54 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-11-18 19:54 . 2012-11-18 19:54 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-11-18 19:54 . 2012-11-18 19:54 -------- d-----w- c:\users\Admin\AppData\Local\temp
2012-11-18 19:43 . 2012-11-18 19:43 73696 ----a-w- c:\program files (x86)\Mozilla Firefox\breakpadinjector.dll
2012-11-18 19:43 . 2012-11-18 19:43 96224 ----a-w- c:\program files (x86)\Mozilla Firefox\webapprt-stub.exe
2012-11-18 19:43 . 2012-11-18 19:43 157272 ----a-w- c:\program files (x86)\Mozilla Firefox\webapp-uninstaller.exe
2012-11-18 18:16 . 2012-11-18 18:16 -------- d-----w- c:\program files\GIMP 2
2012-11-18 15:32 . 2012-08-11 00:56 715776 ----a-w- c:\windows\system32\kerberos.dll
2012-11-18 15:32 . 2012-08-10 23:56 542208 ----a-w- c:\windows\SysWow64\kerberos.dll
2012-11-18 15:32 . 2012-10-17 06:31 9291768 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8B9B735C-D60C-4B9A-9E0D-AAC7B580FB78}\mpengine.dll
2012-11-18 13:39 . 2012-11-18 13:39 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-11-18 13:39 . 2012-11-18 13:38 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2012-11-18 13:38 . 2012-11-18 13:38 -------- d-----w- c:\program files (x86)\Java
2012-11-18 13:36 . 2012-11-18 13:36 916456 ----a-w- c:\windows\system32\deployJava1.dll
2012-11-18 13:36 . 2012-11-18 13:36 289768 ----a-w- c:\windows\system32\javaws.exe
2012-11-18 13:36 . 2012-11-18 13:36 1034216 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-11-18 13:36 . 2012-11-18 13:36 189416 ----a-w- c:\windows\system32\javaw.exe
2012-11-18 13:36 . 2012-11-18 13:36 188904 ----a-w- c:\windows\system32\java.exe
2012-11-18 13:36 . 2012-11-18 13:36 108008 ----a-w- c:\windows\system32\WindowsAccessBridge-64.dll
2012-11-18 13:36 . 2012-11-18 13:36 -------- d-----w- c:\program files\Java
2012-11-17 23:40 . 2012-11-17 23:40 -------- d-----w- c:\windows\ERUNT
2012-11-17 23:40 . 2012-11-17 23:40 -------- d-----w- C:\JRT
2012-11-17 23:30 . 2012-09-30 00:54 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-17 23:30 . 2012-11-17 23:30 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-11-17 23:21 . 2012-11-17 23:21 -------- d-----w- c:\users\Admin\AppData\Local\Mozilla
2012-11-17 22:06 . 2012-07-26 04:47 2560 ----a-w- c:\windows\system32\drivers\en-US\wdf01000.sys.mui
2012-11-17 22:06 . 2012-07-26 04:55 785512 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2012-11-17 22:06 . 2012-07-26 04:55 54376 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2012-11-17 22:06 . 2012-07-26 02:36 9728 ----a-w- c:\windows\system32\Wdfres.dll
2012-11-17 21:24 . 2012-11-17 21:24 4096000 ----a-w- c:\program files (x86)\GUT6FD3.tmp
2012-11-17 21:24 . 2012-11-17 21:24 -------- d-----w- c:\program files (x86)\GUM6FD2.tmp
2012-11-17 21:19 . 2012-11-17 21:22 -------- d-----w- c:\users\Nick\AppData\Local\Google
2012-11-17 21:19 . 2012-11-17 23:24 -------- d-----w- c:\program files (x86)\Google
2012-11-17 21:18 . 2012-07-03 17:21 41224 ----a-w- c:\windows\avastSS.scr
2012-11-17 21:18 . 2012-07-03 17:21 227648 ----a-w- c:\windows\SysWow64\aswBoot.exe
2012-11-17 21:18 . 2012-11-18 19:16 -------- d-----w- c:\programdata\AVAST Software
2012-11-17 21:18 . 2012-11-18 19:16 -------- d-----w- c:\program files\AVAST Software
2012-11-17 21:11 . 2012-10-18 18:25 3149824 ----a-w- c:\windows\system32\win32k.sys
2012-11-17 21:08 . 2012-09-25 22:47 78336 ----a-w- c:\windows\SysWow64\synceng.dll
2012-11-17 21:08 . 2012-09-25 22:46 95744 ----a-w- c:\windows\system32\synceng.dll
2012-11-17 21:08 . 2012-05-05 08:36 503808 ----a-w- c:\windows\system32\srcore.dll
2012-11-17 21:08 . 2012-05-05 07:46 43008 ----a-w- c:\windows\SysWow64\srclient.dll
2012-11-17 21:08 . 2012-07-04 22:16 73216 ----a-w- c:\windows\system32\netapi32.dll
2012-11-17 21:08 . 2012-07-04 22:13 59392 ----a-w- c:\windows\system32\browcli.dll
2012-11-17 21:08 . 2012-07-04 22:13 136704 ----a-w- c:\windows\system32\browser.dll
2012-11-17 21:08 . 2012-07-04 21:14 41984 ----a-w- c:\windows\SysWow64\browcli.dll
2012-11-17 21:07 . 2012-09-14 19:19 2048 ----a-w- c:\windows\system32\tzres.dll
2012-11-17 21:07 . 2012-09-14 18:28 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2012-11-17 21:06 . 2012-08-24 18:05 220160 ----a-w- c:\windows\system32\wintrust.dll
2012-11-17 21:06 . 2012-08-24 16:57 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-11-17 21:06 . 2012-08-21 21:01 245760 ----a-w- c:\windows\system32\OxpsConverter.exe
2012-11-17 21:02 . 2012-05-14 05:26 956928 ----a-w- c:\windows\system32\localspl.dll
2012-11-17 21:02 . 2012-02-11 06:43 751104 ----a-w- c:\windows\system32\win32spl.dll
2012-11-17 21:02 . 2012-02-11 06:36 559104 ----a-w- c:\windows\system32\spoolsv.exe
2012-11-17 21:02 . 2012-07-26 03:08 84992 ----a-w- c:\windows\system32\WUDFSvc.dll
2012-11-17 21:02 . 2012-07-26 03:08 194048 ----a-w- c:\windows\system32\WUDFPlatform.dll
2012-11-17 21:02 . 2012-07-26 02:26 87040 ----a-w- c:\windows\system32\drivers\WUDFPf.sys
2012-11-17 21:02 . 2012-07-26 02:26 198656 ----a-w- c:\windows\system32\drivers\WUDFRd.sys
2012-11-17 21:02 . 2012-02-11 06:36 67072 ----a-w- c:\windows\splwow64.exe
2012-11-17 21:02 . 2012-02-11 05:43 492032 ----a-w- c:\windows\SysWow64\win32spl.dll
2012-11-17 21:02 . 2012-07-26 03:08 229888 ----a-w- c:\windows\system32\WUDFHost.exe
2012-11-17 21:02 . 2012-07-26 03:08 744448 ----a-w- c:\windows\system32\WUDFx.dll
2012-11-17 21:02 . 2012-07-26 03:08 45056 ----a-w- c:\windows\system32\WUDFCoinstaller.dll
2012-11-17 21:00 . 2012-06-02 04:36 140288 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2012-11-17 21:00 . 2012-06-02 04:36 1159680 ----a-w- c:\windows\SysWow64\crypt32.dll
2012-11-17 21:00 . 2012-06-02 04:36 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
2012-11-17 20:59 . 2012-06-02 05:41 184320 ----a-w- c:\windows\system32\cryptsvc.dll
2012-11-17 20:59 . 2012-06-02 05:41 140288 ----a-w- c:\windows\system32\cryptnet.dll
2012-11-17 20:59 . 2012-06-02 05:41 1464320 ----a-w- c:\windows\system32\crypt32.dll
2012-11-17 20:09 . 2012-11-17 20:09 -------- d-----w- c:\users\Nick\AppData\Local\fontconfig
2012-11-17 20:09 . 2012-11-18 18:12 -------- d-----w- c:\users\Nick\.gimp-2.8
2012-11-17 20:09 . 2012-11-17 20:09 -------- d-----w- c:\users\Nick\AppData\Local\gegl-0.2
2012-11-17 19:56 . 2012-10-10 18:40 2292176 ----a-w- C:\shlext64.dll
2012-11-17 19:42 . 2012-11-17 19:42 -------- d-----w- c:\program files\M-Audio
2012-11-17 19:42 . 2012-11-17 19:42 -------- d-----w- c:\programdata\AVID
2012-11-17 18:50 . 2012-11-17 18:50 -------- d-----w- c:\program files\CCleaner
2012-11-17 18:26 . 2012-11-17 18:26 -------- d-----w- c:\program files (x86)\VS Revo Group
2012-11-17 18:08 . 2012-11-17 18:08 -------- d-----w- c:\program files (x86)\Common Files\Adobe
2012-11-17 15:04 . 2012-11-17 15:05 -------- d-----w- c:\users\Nick\AppData\Local\Canon Easy-PhotoPrint EX
2012-11-17 15:02 . 2012-11-17 17:44 -------- d-----w- c:\users\Nick\AppData\Roaming\Audacity
2012-11-01 19:22 . 2012-11-01 19:22 -------- d-----w- c:\users\Admin\AppData\Local\Apple
2012-10-29 18:55 . 2012-10-31 14:43 -------- d-----w- C:\Interviews
2012-10-29 12:14 . 2012-10-29 12:14 11264 ----a-r- c:\users\Nick\AppData\Roaming\Microsoft\Installer\{98613C99-1399-416C-A07C-1EE1C585D872}\Icon98613C992.exe
2012-10-29 12:14 . 2012-10-29 12:14 -------- d-----w- c:\program files (x86)\Seagate
2012-10-29 12:09 . 2012-10-29 12:09 -------- d-----w- c:\program files (x86)\Common Files\Wise Installation Wizard
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-18 13:38 . 2010-10-06 01:05 746984 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-11-17 17:48 . 2012-09-22 12:50 697272 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-11-17 17:48 . 2012-08-06 23:26 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-10-30 02:04 . 2009-11-11 21:11 66395536 ----a-w- c:\windows\system32\MRT.exe
2012-09-22 13:01 . 2012-08-01 01:31 821736 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2012-08-30 19:14 . 2012-09-22 18:40 7397736 ----a-w- c:\windows\system32\nvopencl.dll
2012-08-30 19:14 . 2012-09-22 18:40 6109032 ----a-w- c:\windows\SysWow64\nvopencl.dll
2012-08-30 19:14 . 2012-09-22 18:40 26228072 ----a-w- c:\windows\system32\nvoglv64.dll
2012-08-30 19:14 . 2012-09-22 18:40 19828584 ----a-w- c:\windows\SysWow64\nvoglv32.dll
2012-08-30 19:14 . 2012-09-22 18:40 1482600 ----a-w- c:\windows\system32\nvdispgenco64.dll
2012-08-30 19:14 . 2012-09-22 18:40 13391720 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2012-08-30 19:14 . 2012-09-22 18:40 9066344 ----a-w- c:\windows\system32\nvcuda.dll
2012-08-30 19:14 . 2012-09-22 18:40 7626088 ----a-w- c:\windows\SysWow64\nvcuda.dll
2012-08-30 19:14 . 2012-09-22 18:40 2745192 ----a-w- c:\windows\system32\nvcuvid.dll
2012-08-30 19:14 . 2012-09-22 18:40 2573672 ----a-w- c:\windows\SysWow64\nvcuvid.dll
2012-08-30 19:14 . 2012-09-22 18:40 25256296 ----a-w- c:\windows\system32\nvcompiler.dll
2012-08-30 19:14 . 2012-09-22 18:40 2422120 ----a-w- c:\windows\SysWow64\nvapi.dll
2012-08-30 19:14 . 2012-09-22 18:40 2216808 ----a-w- c:\windows\system32\nvcuvenc.dll
2012-08-30 19:14 . 2012-09-22 18:40 1866088 ----a-w- c:\windows\SysWow64\nvcuvenc.dll
2012-08-30 19:14 . 2012-09-22 18:40 17559912 ----a-w- c:\windows\SysWow64\nvcompiler.dll
2012-08-30 19:14 . 2012-02-25 16:09 18229096 ----a-w- c:\windows\system32\nvd3dumx.dll
2012-08-30 19:14 . 2012-02-25 16:09 1760104 ----a-w- c:\windows\system32\nvdispco64.dll
2012-08-30 19:14 . 2012-02-25 16:09 15291752 ----a-w- c:\windows\SysWow64\nvd3dum.dll
2012-08-30 19:14 . 2012-02-25 16:09 2725224 ----a-w- c:\windows\system32\nvapi64.dll
2012-08-30 16:18 . 2012-02-25 16:11 891240 ----a-w- c:\windows\system32\nvvsvc.exe
2012-08-30 16:18 . 2012-02-25 16:11 63336 ----a-w- c:\windows\system32\nvshext.dll
2012-08-30 16:18 . 2012-02-25 16:11 118120 ----a-w- c:\windows\system32\nvmctray.dll
2012-08-30 16:18 . 2012-02-25 16:11 3266920 ----a-w- c:\windows\system32\nvsvc64.dll
2012-08-30 16:17 . 2012-02-25 16:11 6198120 ----a-w- c:\windows\system32\nvcpl.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"TkBellExe"="c:\program files (x86)\real\realplayer\update\realsched.exe" [2012-05-19 296056]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-09-24 926896]
"M-Audio Taskbar Icon"="c:\windows\system32\DeltaIITray.exe" [2012-01-25 237872]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Device Detector 3.lnk - c:\program files (x86)\Olympus\DeviceDetector\DevDtct2.exe [2009-12-26 118784]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 KMWDSERVICE;Keyboard And Mouse Communication Service;c:\program files (x86)\iHome Mouse Driver\KMWDSrv.exe [2009-09-01 1821184]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-13 160944]
R3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\System32\DRIVERS\ASPI32.sys [x]
R3 DELTAII;Service for M-Audio Delta Driver (WDM);c:\windows\system32\DRIVERS\MAudioDelta.sys [2009-07-27 392712]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 40464]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2010-04-20 50688]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-02-27 1255736]
S2 BBSvc;BingBar Service;c:\program files (x86)\Microsoft\BingBar\7.1.361.0\BBSvc.exe [2012-02-10 193816]
S3 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\7.1.361.0\SeaPort.exe [2012-02-10 240408]
S3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2010-09-14 29288]
S3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [2010-09-14 29288]
S3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [2010-09-14 29288]
S3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [2010-09-14 29288]
S3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [2010-09-14 29288]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{A8D647C8-65AC-409F-B7B2-3C0FEE1A32F2}]
2010-02-16 23:02 114688 ----a-w- c:\program files (x86)\PixiePack Codec Pack\InstallerHelper.exe
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2008-12-12 722256]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-11-03 11545192]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-07-26 2782096]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uInternet Settings,ProxyOverride = *.local;<local>
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 207.69.188.185 207.69.188.186 207.69.188.187
FF - ProfilePath - c:\users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\w9w57ogt.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=DCF1DF&PC=DCF1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=DCF1DF&PC=DCF1&q=
FF - prefs.js: network.proxy.type - 4
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24} - (no file)
AddRemove-Coupon Printer for Windows5.0.0.0 - c:\program files (x86)\Coupons\uninstall.exe
AddRemove-Freecorder Toolbar - c:\progra~2\FREECO~2\UNWISE.EXE
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"=hex:51,66,7a,6c,4c,1d,38,12,bc,bb,81,
17,37,12,f1,04,d7,e0,fa,b1,5f,07,22,06
"{8DCB7100-DF86-4384-8842-8FA844297B3F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,72,d8,
89,b4,91,ea,06,f7,54,cc,e8,41,77,3f,2b
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{3049C3E9-B461-4BC5-8870-4C09146192CA}"=hex:51,66,7a,6c,4c,1d,38,12,87,c0,5a,
34,53,fa,ab,0e,f7,66,0f,49,11,3f,d6,de
"{53707962-6F74-2D53-2644-206D7942484F}"=hex:51,66,7a,6c,4c,1d,38,12,0c,7a,63,
57,46,21,3d,68,59,52,63,2d,7c,1c,0c,5b
"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}"=hex:51,66,7a,6c,4c,1d,38,12,0f,32,96,
76,f7,7e,4c,08,c8,ef,48,fc,18,66,e7,6a
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"=hex:51,66,7a,6c,4c,1d,38,12,d5,94,07,
72,c2,98,42,03,c9,fd,97,9a,f4,87,69,57
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{D2CE3E00-F94A-4740-988E-03DC2F38C34F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,3d,dd,
d6,78,b7,2e,02,e7,98,40,9c,2a,66,87,5b
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}"=hex:51,66,7a,6c,4c,1d,38,12,8f,19,47,
2e,c4,15,0b,03,d7,b5,8c,e9,62,70,06,85
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:d0,fb,69,0a,c2,6a,cd,01
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,85,71,ae,68,c2,19,82,49,97,d0,64,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,85,71,ae,68,c2,19,82,49,97,d0,64,\
.
[HKEY_USERS\S-1-5-21-1130089019-1024638917-4293211654-1001\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{74EBAC6D-418F-DC9A-6102-FB8C2FAA8C30}*]
"maopjgpnnnhlcdaombgnddlpai"=hex:6b,61,6e,6c,66,61,6d,62,61,6a,68,67,6b,69,6a,
6c,68,62,68,6f,6a,6b,00,00
"naibhenbcjhgjmdcaicbaokmcmmf"=hex:6b,61,6e,6c,66,61,6d,62,61,6a,68,67,6b,69,
6a,6c,68,62,68,6f,6a,6b,00,00
"fbpjddhknnbdcidbledfbfideiokmpfpmlfcfahmnejh"=hex:65,61,6a,6d,6d,64,65,62,6c,
6e,00,00
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{74EBAC6D-418F-DC9A-6102-FB8C2FAA8C30}\InProcServer32*]
"gakaadgbcpcoja"=hex:65,61,6a,6d,6d,64,65,62,6c,6e,00,00
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-11-18 15:01:03
ComboFix-quarantined-files.txt 2012-11-18 20:01
ComboFix2.txt 2012-11-18 19:32
ComboFix3.txt 2012-11-18 16:33
ComboFix4.txt 2012-11-17 21:01
.
Pre-Run: 239,605,583,872 bytes free
Post-Run: 239,291,662,336 bytes free
.
- - End Of File - - 60D3EB812155413E8187C7CE10471547
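
The report above shows, in one place, the settings an analyst would want to review during cleanup of a box like this: the UAC policy values under policies\system all zeroed (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop), Security Center told to stop alerting on antivirus and firewall state (AntiVirusOverride, FirewallOverride), the Action Center icon hidden (HideSCAHealth), WinINet sending HTTP through a proxy on 127.0.0.1:6092, Firefox set to proxy auto-detect, and REG_BINARY values with random-looking names under two keys that ComboFix prints with a trailing `*`. The script below is an added example, not ComboFix's or the poster's code: it parses those report lines (copied from the log above into SAMPLE_LOG) and lists what to look at. It assumes a stock Windows 7 baseline for the UAC values and reads the trailing `*` as ComboFix's marker for a key name it could not render literally; the hex values are decoded only to show they are plain ASCII strings, not to identify the malware.

```python
"""Triage a ComboFix report for the defence-evasion settings visible in the
log above. Added example (not ComboFix's or the poster's code).
Assumptions: UAC baseline is a stock Windows 7 install; a trailing '*' on a
key name is ComboFix's marker for a name it could not display literally
(embedded NUL characters are the usual cause)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Stock Windows 7 values; anything else in the report deserves a look.
UAC_BASELINE = {
    "EnableLUA": 1,                   # 0 = UAC switched off entirely
    "ConsentPromptBehaviorAdmin": 5,  # 0 = admins elevate silently, no prompt
    "PromptOnSecureDesktop": 1,       # 0 = prompts drawn on the user desktop
}
SECURITY_CENTER_OVERRIDES = {"AntiVirusOverride", "FirewallOverride"}

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
PLAIN_RE = re.compile(r'^"(\w+)"=\s*(\d+)\s*\(0x[0-9a-fA-F]+\)$')
DWORD_RE = re.compile(r'^"(\w+)"=dword:([0-9a-fA-F]{8})$')
HEX_RE = re.compile(r'^"([^"]+)"=hex:(.*)$')
HEX_CONT_RE = re.compile(r"^(?:[0-9a-fA-F]{2},?)+\\?$")   # wrapped byte list
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(.+)$")
FF_PROXY_RE = re.compile(r"^FF - prefs\.js: network\.proxy\.type - (\d)$")

# Lines copied from the ComboFix report above (constructed excerpt, not a full log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uInternet Settings,ProxyOverride = *.local;<local>
FF - prefs.js: network.proxy.type - 4
.
[HKEY_USERS\S-1-5-21-1130089019-1024638917-4293211654-1001\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{74EBAC6D-418F-DC9A-6102-FB8C2FAA8C30}*]
"maopjgpnnnhlcdaombgnddlpai"=hex:6b,61,6e,6c,66,61,6d,62,61,6a,68,67,6b,69,6a,
6c,68,62,68,6f,6a,6b,00,00
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{74EBAC6D-418F-DC9A-6102-FB8C2FAA8C30}\InProcServer32*]
"gakaadgbcpcoja"=hex:65,61,6a,6d,6d,64,65,62,6c,6e,00,00
"""


@dataclass(frozen=True)
class Finding:
    category: str
    key: str
    detail: str


def decode_hex_value(hexdump: str) -> str:
    """Turn ComboFix's 'aa,bb,cc' byte list into text up to the first NUL;
    non-printable bytes are escaped rather than dropped."""
    raw = bytes(int(b, 16) for b in hexdump.replace("\\", "").split(",") if b.strip())
    raw = raw.split(b"\x00", 1)[0]
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}" for b in raw)


def _is_loopback(host: str) -> bool:
    return host.lower() == "localhost" or host.startswith("127.")


def _check_policy(findings: list[Finding], key: str, name: str, value: int) -> None:
    k = key.lower()
    if k.endswith("\\policies\\system") and name in UAC_BASELINE and value != UAC_BASELINE[name]:
        findings.append(Finding("uac", name, f"{value} (stock value {UAC_BASELINE[name]})"))
    elif k.endswith("\\policies\\explorer") and name == "HideSCAHealth" and value == 1:
        findings.append(Finding("ui", name, "1: Action Center health icon hidden from the tray"))
    elif k.endswith("\\security center") and name in SECURITY_CENTER_OVERRIDES and value == 1:
        findings.append(Finding("security-center", name, "1: Security Center stops alerting on this component"))


def triage(log_text: str) -> list[Finding]:
    """Walk the report once and collect the settings an analyst should review."""
    findings: list[Finding] = []
    lines = [ln.strip() for ln in log_text.splitlines()]
    current_key = ""
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if m := KEY_RE.match(line):
            current_key = m.group(1)
            if current_key.endswith("*"):
                findings.append(Finding("locked-key", current_key,
                                        "name ComboFix could not render (embedded NULs are the usual cause)"))
        elif m := PLAIN_RE.match(line):
            _check_policy(findings, current_key, m.group(1), int(m.group(2)))
        elif m := DWORD_RE.match(line):
            _check_policy(findings, current_key, m.group(1), int(m.group(2), 16))
        elif m := HEX_RE.match(line):
            parts = [m.group(2)]
            while i < len(lines) and HEX_CONT_RE.match(lines[i]):  # value wrapped over several lines
                parts.append(lines[i])
                i += 1
            decoded = decode_hex_value(",".join(parts))
            findings.append(Finding("binary-value", f"{current_key}\\{m.group(1)}", f"decodes to {decoded!r}"))
        elif m := PROXY_RE.match(line):
            for entry in m.group(1).split(";"):
                scheme, hostport = entry.split("=", 1) if "=" in entry else ("all", entry)
                if _is_loopback(hostport.rsplit(":", 1)[0]):
                    findings.append(Finding("proxy", "WinINet ProxyServer",
                                            f"{scheme} traffic sent to local proxy {hostport}; identify what listens there"))
        elif (m := FF_PROXY_RE.match(line)) and m.group(1) != "5":
            findings.append(Finding("proxy", "Firefox network.proxy.type",
                                    f"{m.group(1)} (5 = use system settings is the default; 4 = auto-detect via WPAD)"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.category:15}] {f.key}: {f.detail}")
```

Feed a complete ComboFix report to triage() the same way. A loopback ProxyServer means some process on the machine is sitting between the browser and the network, so find the listener on that port (netstat -ano) before simply deleting the setting, and treat any readable string decoded from a `*`-marked key as a lead to follow, not as an identification.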

#9 nasdaq (Malware Response Team, Montreal, QC, Canada)

Posted 19 November 2012 - 07:49 AM

Are you still having difficulties with Avast?

#10 metrotheme (Topic Starter)

Posted 19 November 2012 - 09:05 PM

Yes, I did a clean uninstall of the program, reinstalled it, repaired it and still cannot get the program to load.

#11 nasdaq (Malware Response Team)

Posted 20 November 2012 - 11:06 AM

Start a new topic in Avast's forum. They should be able to assist you in that matter.

http://forum.avast.com/
===

You may want to try this free program from AVG.

#12 metrotheme (Topic Starter)

Posted 21 November 2012 - 08:34 PM

No luck with AVG either. Do you think it has anything to do with the malware potentially altering permissions or corrupting some other files? I tried reinstalling Avira, but it freezes if I try to turn on real-time protection or do an update. I also cannot end Avira from the Task Manager.

Edited by metrotheme, 21 November 2012 - 08:48 PM.


#13 nasdaq (Malware Response Team)

Posted 22 November 2012 - 08:43 AM

Please run this cleaner from Avira.

Avira RegistryCleaner
http://www.avira.com/en/download-start/product/avira-registrycleaner?x-origin=web

Keep me posted.

#14 metrotheme (Topic Starter)

Posted 22 November 2012 - 09:48 AM

Still no help with installing any of the AV programs.

#15 metrotheme (Topic Starter)

Posted 22 November 2012 - 10:44 AM

I used TDSSKiller; it found a rootkit. When it removed the rootkit and I rebooted, the AV program loaded.



