
Avast constant detection message - Malware Blocked


  • This topic is locked
18 replies to this topic

#1 pistolpete29

pistolpete29

  • Members
  • 9 posts
  • OFFLINE
  • Local time:03:44 AM

Posted 27 March 2013 - 04:08 PM

Avast constantly shows the following pop up detection messages

 

Malware blocked

 

infection : win32:malware-gen

 

and

 

infection : win32:trojan-gen

 

Threat was detected and blocked when file was created or modified

 

Have run full system and boot time scan: infections were found and removed but message continues to pop up

 

Please help.

 

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16421  BrowserJavaVersion: 10.17.2
Run by owner at 20:41:56 on 2013-03-27
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.44.1033.18.3999.2394 [GMT 0:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\STacSV64.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\AESTSr64.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\SysWOW64\svchost.exe -k netsvcs
C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Hp\QuickPlay\QPService.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files (x86)\Ask.com\Updater\Updater.exe
C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpCaslNotification.exe
C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
C:\Program Files (x86)\Internet Explorer\IELowutil.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_GB&c=94&bd=Pavilion&pf=cnnb
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_GB&c=94&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_GB&c=94&bd=Pavilion&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_GB&c=94&bd=Pavilion&pf=cnnb
uURLSearchHooks: UrlSearchHook Class: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
mWinlogon: Userinit = userinit.exe,
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: AOL Toolbar BHO: {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files (x86)\AOL\AOL Toolbar 5.0\aoltb.dll
BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: AOL Toolbar: {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files (x86)\AOL\AOL Toolbar 5.0\aoltb.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
TB: AOL Toolbar: {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files (x86)\AOL\AOL Toolbar 5.0\aoltb.dll
TB: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe view=DOCKVIEW
uRun: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
uRun: [Facebook Update] "C:\Users\owner\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
mRun: [QPService] "C:\Program Files (x86)\HP\QuickPlay\QPService.exe"
mRun: [UCam_Menu] "C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
mRun: [QlbCtrl.exe] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED
mRun: [UpdatePRCShortCut] "C:\Program Files (x86)\Hewlett-Packard\Recovery\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Recovery" UpdateWithCreateOnce "Software\CyberLink\PowerRecover"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Easybits Recovery] C:\Program Files (x86)\EasyBits For Kids\ezRecover.exe
mRun: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe"
mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [avast] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
uPolicies-Explorer: HideSCAHealth = dword:1
uPolicies-System: WallpaperStyle = 2
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: WallpaperStyle = 2
IE: &AOL Toolbar Search - C:\ProgramData\AOL\ieToolbar\resources\en-GB\local\search.html
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~4\Office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {0972B098-DEE9-4279-AC7E-4BAAA029102D} - hxxp://assets.photobox.com/assets/v/ra3RgI_VSoCPalw7aL2ig_0fSS8.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{304A834F-809C-4FDF-A34F-10ECCE648731} : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{304A834F-809C-4FDF-A34F-10ECCE648731}\1333730216378626970227F61646 : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{304A834F-809C-4FDF-A34F-10ECCE648731}\1333930216378626970227F6574756270213 : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{304A834F-809C-4FDF-A34F-10ECCE648731}\34F6E6E6563647966697D2F416B60235C65747A723 : DHCPNameServer = 192.168.96.1
TCP: Interfaces\{304A834F-809C-4FDF-A34F-10ECCE648731}\3756475707D277966696 : DHCPNameServer = 158.125.1.100 131.231.16.7 131.231.16.16
TCP: Interfaces\{304A834F-809C-4FDF-A34F-10ECCE648731}\96D61676F6 : DHCPNameServer = 194.168.4.123 194.168.8.123
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
SEH: EasyBits ShellExecute Hook - {E54729E8-BB3D-4270-9D49-7389EA579090} - C:\Windows\SysWOW64\ezUPBHook.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\25.0.1364.172\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_GB&c=94&bd=Pavilion&pf=cnnb
x64-mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_GB&c=94&bd=Pavilion&pf=cnnb
x64-BHO: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE64.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
x64-TB: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE64.dll
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe
x64-Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
x64-DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - <orphaned>
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;aswRvrt;C:\Windows\System32\drivers\aswRvrt.sys [2013-3-1 65336]
R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2011-5-24 1025808]
R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2010-8-8 377920]
R2 AESTFilters;Andrea ST Filters Service;C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\AESTSr64.exe [2010-8-4 89600]
R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2010-8-8 33400]
R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2010-8-8 80816]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2013-3-10 45248]
R2 ezSharedSvc;Easybits Shared Services for Windows;C:\Windows\System32\svchost.exe -k netsvcs [2009-7-13 27136]
R2 HP Support Assistant Service;HP Support Assistant Service;C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe [2011-9-9 86072]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-3-28 94264]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-10-13 398184]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-7-29 682344]
R3 Com4QLBEx;Com4QLBEx;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-8-25 228408]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;C:\Windows\System32\drivers\IntcHdmi.sys [2009-5-26 138752]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2012-7-29 24176]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2010-8-4 215040]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-1-8 161536]
S3 aswVmm;aswVmm;C:\Windows\System32\drivers\aswVmm.sys [2013-3-1 178624]
S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\netw5v64.sys [2009-6-10 5434368]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUStor.sys [2010-8-4 216576]
S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\System32\drivers\VSTAZL6.SYS [2009-7-13 292864]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-13 1485312]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-13 740864]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-2-15 52736]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-8-9 1255736]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk62x64.sys [2009-6-10 389120]
.
=============== Created Last 30 ================
.
2013-03-27 20:07:28 -------- d-----w- C:\Users\owner\AppData\Local\{C5DE56EB-FB2A-4232-A58F-D13BFD5716A4}
2013-03-26 19:04:58 -------- d-----w- C:\Users\owner\AppData\Local\{38DBAC7D-ECD4-4F66-8F42-9D0D05B77434}
2013-03-25 19:01:56 -------- d-----w- C:\Users\owner\AppData\Local\{8F303B46-869E-48B6-A757-6EC44E4FD1F3}
2013-03-23 16:34:08 -------- d-----w- C:\Users\owner\AppData\Local\{A35BFFF2-818C-4FF4-B3C9-B40D292128A9}
2013-03-19 09:59:15 -------- d-----w- C:\Users\owner\AppData\Local\{AB4473F9-6003-4C00-A6A8-A8BED8A2629F}
2013-03-18 21:17:46 -------- d-----w- C:\Users\owner\AppData\Local\{CB4EAED6-A30D-4EE0-892D-511F7AF2F280}
2013-03-17 20:17:22 -------- d-----w- C:\Users\owner\AppData\Local\{58B50E99-5B21-48B4-B6D4-F39DA6488017}
2013-03-16 08:30:37 -------- d-----w- C:\Users\owner\AppData\Local\{7DA5FD38-A266-41F3-AD4B-8B541BA02F4E}
2013-03-15 10:51:22 -------- d-----w- C:\Users\owner\AppData\Local\{F20E0FBC-FA53-41BF-BD9D-677A982327CF}
2013-03-14 10:50:58 -------- d-----w- C:\Users\owner\AppData\Local\{842FABB3-7A8C-4A52-BE96-A21C3528659B}
2013-03-13 12:22:50 -------- d-----w- C:\Users\owner\AppData\Local\{5F90FDD6-4BF8-4369-A714-CF7D77B6FC51}
2013-03-12 12:21:29 -------- d-----w- C:\Users\owner\AppData\Local\{8218FA97-4478-439C-A9FC-B78EE841FCA5}
2013-03-11 12:21:07 -------- d-----w- C:\Users\owner\AppData\Local\{AEFF6938-0FAB-4842-8E9B-7AE7B594B2BF}
2013-03-10 15:47:02 -------- d-----w- C:\Users\owner\AppData\Local\{9C848640-588B-48F5-9C75-57687D3B4F88}
2013-03-09 12:07:15 -------- d-----w- C:\Users\owner\AppData\Local\{5159A5C8-676F-4B4A-918F-67850AF30136}
2013-03-08 14:40:03 95648 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-03-08 14:15:04 -------- d-----w- C:\Users\owner\AppData\Local\{FEAC95DE-5D16-4343-BB01-80C0B42278F3}
2013-03-07 13:08:01 -------- d-----w- C:\Users\owner\AppData\Local\{3A39028E-7CF7-41F5-AB5B-9577761A64A9}
2013-03-06 11:43:59 -------- d-----w- C:\Users\owner\AppData\Local\{0A7B4DCE-335C-4156-A00A-026894890965}
2013-03-05 15:17:57 -------- d-----w- C:\Users\owner\AppData\Local\{54E11B7B-4FEF-4C92-A858-4DDCA9EE3BAF}
2013-03-04 12:52:33 -------- d-----w- C:\Users\owner\AppData\Local\{B2CB67C9-6EB0-435C-B754-7CEF31992FAE}
2013-03-03 12:52:15 -------- d-----w- C:\Users\owner\AppData\Local\{53787CCF-123E-4EB9-998D-38EA941E666E}
2013-03-02 12:51:57 -------- d-----w- C:\Users\owner\AppData\Local\{E5ECDC5A-0261-4734-88C3-3D84E8EF8D5C}
2013-03-01 19:07:04 178624 ----a-w- C:\Windows\System32\drivers\aswVmm.sys
2013-03-01 19:06:58 65336 ----a-w- C:\Windows\System32\drivers\aswRvrt.sys
2013-03-01 12:00:29 -------- d-----w- C:\Users\owner\AppData\Local\{AC4ADF6A-7C79-497D-8B58-0BB97FAD6559}
2013-02-28 11:16:24 -------- d-----w- C:\Users\owner\AppData\Local\{FC46F565-CF37-4C24-A79E-5D9609B8F0B3}
2013-02-27 11:16:05 -------- d-----w- C:\Users\owner\AppData\Local\{FE4F5D1D-8DB0-4BEA-8DCE-6E871E55EFF1}
2013-02-26 10:42:53 -------- d-----w- C:\Users\owner\AppData\Local\{3F6D1BCD-00F4-4F32-AA5D-B2A2AF575242}
.
==================== Find3M  ====================
.
2013-03-12 21:14:27 73432 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-03-12 21:14:27 693976 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-03-08 14:39:46 861088 ----a-w- C:\Windows\SysWow64\npdeployJava1.dll
2013-03-08 14:39:46 782240 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2013-03-06 23:33:21 70992 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys
2013-03-06 23:33:21 1025808 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
2013-03-06 23:33:20 80816 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2013-03-06 23:32:51 41664 ----a-w- C:\Windows\avastSS.scr
.
============= FINISH: 20:42:21.15 ===============
 



#2 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:10:44 PM

Posted 27 March 2013 - 07:36 PM

Hi and Welcome!!

My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • If you happen to have a flash drive/thumb drive please have that ready in the event that we need to use it.
  • Please be sure to subscribe to this topic so that you can see when there are new responses.
  • IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.
    DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your operating system and losing all your programs and data.


    Having said that.... Let's get going!!



  • Please download aswMBR to your desktop.
  • Double click the aswMBR icon to run it.
  • Click the Scan button to start scan.
  • If you are asked to update the Avast Virus database please allow it to do so.
  • When it finishes, press the save log button, save the logfile to your desktop and attach its contents in your next reply.



#3 pistolpete29

pistolpete29
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:03:44 AM

Posted 28 March 2013 - 12:43 PM

Hi Jeff 

 

Thanks for taking time to help me with this problem. Results from log file below

 

Pete

 

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-10-08 16:51:52
-----------------------------
16:51:52.300    OS Version: Windows x64 6.1.7600
16:51:52.300    Number of processors: 2 586 0x170A
16:51:52.302    ComputerName: HALLNET-OWNER-P  UserName: owner
16:51:53.281    Initialize success
16:51:56.153    AVAST engine defs: 12100800
16:52:02.341    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
16:52:02.345    Disk 0 Vendor: WDC_WD3200BEVT-60A23T0 01.01A01 Size: 305245MB BusType: 11
16:52:02.364    Disk 0 MBR read successfully
16:52:02.369    Disk 0 MBR scan
16:52:02.375    Disk 0 unknown MBR code
16:52:02.380    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          199 MB offset 2048
16:52:02.397    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       292147 MB offset 409600
16:52:02.427    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS        12897 MB offset 598726656
16:52:02.466    Disk 0 scanning C:\Windows\system32\drivers
16:52:15.512    Service scanning
16:52:43.158    Modules scanning
16:52:43.173    Disk 0 trace - called modules:
16:52:43.194    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
16:52:43.201    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004c86630]
16:52:43.208    3 CLASSPNP.SYS[fffff880010ea43f] -> nt!IofCallDriver -> [0xfffffa8004790520]
16:52:43.213    5 ACPI.sys[fffff88000fae781] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa800478b1f0]
16:52:43.792    AVAST engine scan C:\Windows
16:52:45.715    AVAST engine scan C:\Windows\system32
16:54:06.334    File: C:\Windows\system32\services.exe  **INFECTED** Win32:Patched-AKC [Trj]
16:56:04.305    AVAST engine scan C:\Windows\system32\drivers
16:56:54.161    AVAST engine scan C:\Users\owner
17:05:26.757    Disk 0 MBR has been saved successfully to "C:\Users\owner\Desktop\MBR.dat"
17:05:26.759    The log file has been saved successfully to "C:\Users\owner\Desktop\aswMBR.txt"


aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-03-28 17:35:16
-----------------------------
17:35:16.769    OS Version: Windows x64 6.1.7600
17:35:16.769    Number of processors: 2 586 0x170A
17:35:16.770    ComputerName: HALLNET-OWNER-P  UserName: owner
17:35:17.725    Initialize success
17:35:20.620    AVAST engine defs: 13032800
17:35:36.942    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
17:35:36.946    Disk 0 Vendor: WDC_WD3200BEVT-60A23T0 01.01A01 Size: 305245MB BusType: 11
17:35:37.074    Disk 0 MBR read successfully
17:35:37.078    Disk 0 MBR scan
17:35:37.084    Disk 0 unknown MBR code
17:35:37.090    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          199 MB offset 2048
17:35:37.106    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       292147 MB offset 409600
17:35:37.137    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS        12897 MB offset 598726656
17:35:37.176    Disk 0 scanning C:\Windows\system32\drivers
17:35:45.447    Service scanning
17:36:09.592    Modules scanning
17:36:09.606    Disk 0 trace - called modules:
17:36:09.636    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
17:36:09.984    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80048e6060]
17:36:09.993    3 CLASSPNP.SYS[fffff8800115843f] -> nt!IofCallDriver -> [0xfffffa800473d520]
17:36:10.003    5 ACPI.sys[fffff88000ebe781] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004739680]
17:36:10.990    AVAST engine scan C:\Windows
17:36:12.857    AVAST engine scan C:\Windows\system32
17:37:03.403    File: C:\Windows\system32\services.exe  **INFECTED** Win32:Patched-AKC [Trj]
17:37:54.023    AVAST engine scan C:\Windows\system32\drivers
17:38:04.465    AVAST engine scan C:\Users\owner
17:38:29.310    Disk 0 MBR has been saved successfully to "C:\Users\owner\Desktop\MBR.dat"
17:38:29.347    The log file has been saved successfully to "C:\Users\owner\Desktop\aswMBR.txt"


 

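As an added example, not code from the thread or from the aswMBR tool: a short Python parser for the aswMBR log format Pete posted, which pulls out the run date, the definitions version, the "unknown MBR code" note and each **INFECTED** line, and flags detections that sit under C:\Windows, because a patched core system file such as services.exe has to be repaired rather than simply deleted. The sample lines are excerpted from the second log above; the function and class names are this example's own.

```python
"""Parse aswMBR scan output into a structured report.

Added example: a small defender-side parser for the aswMBR log format shown
in the thread. Function and class names are this example's own; the sample
lines are excerpted from the log posted above.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines excerpted from the aswMBR log posted in the thread.
SAMPLE_LOG = "\n".join([
    r"aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software",
    r"Run date: 2013-03-28 17:35:16",
    r"-----------------------------",
    r"17:35:16.769    OS Version: Windows x64 6.1.7600",
    r"17:35:20.620    AVAST engine defs: 13032800",
    r"17:35:37.074    Disk 0 MBR read successfully",
    r"17:35:37.078    Disk 0 MBR scan",
    r"17:35:37.084    Disk 0 unknown MBR code",
    r"17:35:37.090    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          199 MB offset 2048",
    r"17:36:12.857    AVAST engine scan C:\Windows\system32",
    r"17:37:03.403    File: C:\Windows\system32\services.exe  **INFECTED** Win32:Patched-AKC [Trj]",
    r'17:38:29.347    The log file has been saved successfully to "C:\Users\owner\Desktop\aswMBR.txt"',
])

# Every scan line starts with HH:MM:SS.mmm; banner lines do not.
TS_LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<msg>.*)$")
RUN_DATE_RE = re.compile(r"^Run date:\s+(?P<date>\S+ \S+)$")
DEFS_RE = re.compile(r"^AVAST engine defs:\s+(?P<defs>\d+)$")
SCAN_DIR_RE = re.compile(r"^AVAST engine scan\s+(?P<dir>.+)$")
INFECTED_RE = re.compile(r"^File:\s+(?P<path>.+?)\s+\*\*INFECTED\*\*\s+(?P<det>.+)$")


@dataclass
class Finding:
    timestamp: str
    path: str
    detection: str
    in_windows_dir: bool  # a detection on a core OS file needs repair, not deletion


@dataclass
class ScanReport:
    run_date: Optional[str] = None
    engine_defs: Optional[str] = None
    unknown_mbr_code: bool = False
    scanned_dirs: List[str] = field(default_factory=list)
    findings: List[Finding] = field(default_factory=list)


def parse_aswmbr_log(text: str) -> ScanReport:
    """Walk the log line by line and collect the fields a helper reviews."""
    report = ScanReport()
    for raw in text.splitlines():
        line = raw.strip()
        run = RUN_DATE_RE.match(line)
        if run:
            report.run_date = run.group("date")
            continue
        stamped = TS_LINE_RE.match(line)
        if not stamped:
            continue  # version banner, separator or blank line
        ts, msg = stamped.group("ts"), stamped.group("msg").strip()
        if msg.startswith("Disk ") and msg.endswith("unknown MBR code"):
            # aswMBR reports boot code it does not recognise; the log does not
            # mark it as a detection, so it is surfaced separately for review.
            report.unknown_mbr_code = True
            continue
        defs = DEFS_RE.match(msg)
        if defs:
            report.engine_defs = defs.group("defs")
            continue
        scan = SCAN_DIR_RE.match(msg)
        if scan:
            report.scanned_dirs.append(scan.group("dir"))
            continue
        hit = INFECTED_RE.match(msg)
        if hit:
            path = hit.group("path")
            report.findings.append(Finding(
                timestamp=ts,
                path=path,
                detection=hit.group("det"),
                in_windows_dir=path.lower().startswith("c:\\windows\\"),
            ))
    return report


def triage_lines(report: ScanReport) -> List[str]:
    """Reduce the report to the points a helper would act on."""
    out: List[str] = []
    if report.unknown_mbr_code:
        out.append("MBR: unknown boot code reported; review the saved MBR.dat")
    for f in report.findings:
        kind = "core OS file (repair from a clean copy, do not delete)" if f.in_windows_dir else "file"
        out.append(f"{f.timestamp} {f.detection} in {kind}: {f.path}")
    if not out:
        out.append("no detections recorded")
    return out


if __name__ == "__main__":
    for line in triage_lines(parse_aswmbr_log(SAMPLE_LOG)):
        print(line)
```

Run as-is against the constructed sample it prints two triage lines: the unknown-MBR note and the services.exe detection marked as a core OS file. Point `parse_aswmbr_log` at the contents of a saved aswMBR.txt to get the same summary for a real log.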


#4 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:10:44 PM

Posted 28 March 2013 - 12:54 PM

ComboFix

Download Combofix from either of the links below, and save it to your desktop.
Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**
If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.



--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

--------------------------------------------------------------------

Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.



#5 pistolpete29

pistolpete29
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:03:44 AM

Posted 29 March 2013 - 12:26 PM

Ran combofix, during initial load the following messages occurred

 

error opening file for writing

c:\32788R22FWJFW\pev.3XE

 

pressed ignore to skip

 

 

also

 

Combofix detected Avast is not disabled, which when checked was incorrect.

 

Logs below

 

ComboFix 13-03-28.01 - owner 29/03/2013  14:57:35.1.2 - x64
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.44.1033.18.3999.2434 [GMT 0:00]
Running from: c:\users\owner\Desktop\ComboFix.exe
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\ldsw_0paos.pad
c:\users\owner\AppData\Roaming\Gago
c:\users\owner\AppData\Roaming\Gago\mekob.diu
c:\users\owner\AppData\Roaming\Usah
c:\users\owner\AppData\Roaming\Usah\oxex.bop
c:\users\owner\Documents\~WRL1577.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\@
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\00000001.@
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trz1121.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trz1894.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trz1C40.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trz1D17.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trz1DD6.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trz2321.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trz253E.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trz279D.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trz280B.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trz2B79.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trz33B2.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trz344F.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trz37B0.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trz49.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trz589F.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trz58A0.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trz624D.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trz63A5.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trz68DD.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trz6F50.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trz7173.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trz7887.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trz7C31.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trz7C51.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trz7C86.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trz7D13.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trz8149.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trz86A.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trz87E3.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trz88ED.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trz93B1.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trz93B3.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trz9460.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trz955.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trz9B81.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trz9BC0.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trz9BF0.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trz9E54.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trz9EE1.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trzA573.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trzA6DC.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trzA71B.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trzA8CC.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trzA8DC.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trzAA38.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trzAAEF.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trzAD4E.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trzB33A.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trzB347.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trzB3C5.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trzB81C.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trzBA87.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trzBB43.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trzBB57.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trzBC7C.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trzBC8B.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trzBCD9.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trzC35D.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trzCC59.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trzCFAD.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trzD24C.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trzD3BF.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trzD7.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trzD9C2.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trzDA7E.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trzDC12.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trzDD99.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trzDFE3.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trzEBBD.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trzEC62.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trzEC98.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trzF5C.tmp
c:\windows\Installer\{e0ea017d-a32b-38dc-b6fa-687f94e085fa}\U\trzFB85.tmp
.
c:\windows\system32\Services.exe . . . is infected!!
.
.
(((((((((((((((((((((((((   Files Created from 2013-02-28 to 2013-03-29  )))))))))))))))))))))))))))))))
.
.
2013-03-29 15:26 . 2013-03-29 15:26 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-03-08 14:40 . 2013-03-08 14:40 -------- d-----w- c:\program files (x86)\Common Files\Java
2013-03-08 14:40 . 2013-03-08 14:39 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-03-01 19:07 . 2013-03-06 23:33 178624 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-03-01 19:06 . 2013-03-06 23:33 65336 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-12 21:14 . 2012-06-22 21:23 693976 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-03-12 21:14 . 2011-10-20 10:21 73432 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-03-08 14:39 . 2012-11-26 13:17 861088 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2013-03-08 14:39 . 2010-08-09 17:57 782240 ----a-w- c:\windows\SysWow64\deployJava1.dll
2013-03-06 23:33 . 2012-02-24 12:03 70992 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2013-03-06 23:33 . 2011-05-24 15:18 1025808 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-03-06 23:33 . 2010-08-08 14:15 377920 ----a-w- c:\windows\system32\drivers\aswSP.sys
2013-03-06 23:33 . 2010-08-08 14:15 68920 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2013-03-06 23:33 . 2010-08-08 14:15 33400 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2013-03-06 23:33 . 2010-08-08 14:15 80816 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-03-06 23:32 . 2010-08-08 14:14 41664 ----a-w- c:\windows\avastSS.scr
2013-03-06 23:32 . 2011-01-14 21:08 287840 ----a-w- c:\windows\system32\aswBoot.exe
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2009-07-14 . 7F0C323FE3DA28AA4AA1BDA3F575707F . 848384 . . [7.5.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-bits-client_31bf3856ad364e35_6.1.7600.16385_none_7f85b69413231233\qmgr.dll
.
[7] 2009-07-14 . 24ACB7E5BE595468E3B9AA488B9B4FCB . 328704 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[-] 2009-07-14 . 014A9CB92514E27C0107614DF764BC06 . 328704 . . [6.1.7600.16385] .. c:\windows\system32\services.exe
.
c:\windows\system32\qmgr.dll ... is missing !!
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2011-08-23 1515688]
.
[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-08-23 20:20 1515688 ----a-w- c:\program files (x86)\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2011-08-23 1515688]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPADVISOR"="c:\program files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-07-16 1668664]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-06-17 2363392]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1475072]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-08-09 39408]
"Facebook Update"="c:\users\owner\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-11-22 138096]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2013-01-08 18705664]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"QPService"="c:\program files (x86)\HP\QuickPlay\QPService.exe" [2009-06-24 468264]
"UCam_Menu"="c:\program files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-02-18 218408]
"QlbCtrl.exe"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-06-24 320056]
"NortonOnlineBackupReminder"="c:\program files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" [2009-05-13 581480]
"UpdatePRCShortCut"="c:\program files (x86)\Hewlett-Packard\Recovery\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Easybits Recovery"="c:\program files (x86)\EasyBits For Kids\ezRecover.exe" [2009-06-22 60464]
"WirelessAssistant"="c:\program files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2009-07-23 498744]
"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-09-27 59240]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"ApnUpdater"="c:\program files (x86)\Ask.com\Updater\Updater.exe" [2011-08-23 887976]
"HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-09 49208]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"avast"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2013-03-06 4767304]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-02-20 152392]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"WallpaperStyle"= 2
.
[hkey_local_machine\software\Wow6432Node\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-09-09 86072]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2013-01-08 161536]
R3 aswVmm;aswVmm; [x]
R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-06-24 216576]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-08-09 1255736]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-06-10 389120]
S0 aswRvrt;aswRvrt; [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\AESTSr64.exe [2009-03-02 89600]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-03-06 80816]
S2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe [2009-07-14 27136]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-03-28 94264]
S3 Com4QLBEx;Com4QLBEx;c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-05-05 228408]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-05-26 138752]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-05-22 215040]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
ezSharedSvc
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-06-17 19:11 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-03-14 11:41 1629648 ----a-w- c:\program files (x86)\Google\Chrome\Application\25.0.1364.172\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-03-29 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-22 21:14]
.
2013-03-29 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-853189987-2326764177-4195925431-1000Core.job
- c:\users\owner\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-11-22 15:02]
.
2013-03-29 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-853189987-2326764177-4195925431-1000UA.job
- c:\users\owner\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-11-22 15:02]
.
2013-03-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-09 17:59]
.
2013-03-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-09 17:59]
.
2013-03-28 c:\windows\Tasks\HPCeeScheduleForowner.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-13 22:15]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-03-06 23:32 133840 ----a-w- c:\program files\Alwil Software\Avast5\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-07-30 165912]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-07-30 385560]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-07-30 365080]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2009-07-22 450048]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-25 171520]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_GB&c=94&bd=Pavilion&pf=cnnb
uLocal Page = c:\windows\system32\blank.htm
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_GB&c=94&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_GB&c=94&bd=Pavilion&pf=cnnb
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search - c:\programdata\AOL\ieToolbar\resources\en-GB\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
DPF: {0972B098-DEE9-4279-AC7E-4BAAA029102D} - hxxp://assets.photobox.com/assets/v/ra3RgI_VSoCPalw7aL2ig_0fSS8.cab
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-MobileDocuments - c:\program files (x86)\Common Files\Apple\Internet Services\ubd.exe
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-EasyBits Magic Desktop - c:\windows\system32\ezMDUninstall.exe
AddRemove-Free Window Registry Repair - c:\progra~2\FREEWI~1\UNWISE.EXE
AddRemove-{6F44AF95-3CDE-4513-AD3F-6D45F17BF324} - c:\program files (x86)\InstallShield Installation Information\{6F44AF95-3CDE-4513-AD3F-6D45F17BF324}\setup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ChromeHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ChromeHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ChromeHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ChromeHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ChromeHTML"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\CyberLink\Shared files\RichVideo.exe
c:\program files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
.
**************************************************************************
.
Completion time: 2013-03-29  15:37:36 - machine was rebooted
ComboFix-quarantined-files.txt  2013-03-29 15:37
.
Pre-Run: 222,525,169,664 bytes free
Post-Run: 227,190,677,504 bytes free
.
- - End Of File - - 983976B537C1C15A257CED65E987B191
 



#6 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:10:44 PM

Posted 29 March 2013 - 01:40 PM

Hi,
 
Looks like we have had some problems on your system...
 
 
**WARNING** Unfortunately one or more of the infections I have identified are Backdoor Trojans, IRCBots or other Malware capable of stealing very important information. You need to stop using all Internet Banking sites, change passwords to all sites with sensitive information from a clean computer and phone your bank to inform them that you may be a victim of identity theft. More often than not, we advise users that a full reinstallation of their Operating System is the only way to ensure that their computer will ever be 100% clean again.
 
Unfortunately I have found what is known as the ZeroAccess rootkit on your system. It is an especially nasty infection that can take quite some time to clean and may have damaged your system files themselves. As a warning, during the cleaning (if you choose to do so) you may lose internet access with this computer, and in the end we may need to reinstall the operating system anyway, depending on the extent of the infection.
 
If you would like to continue with the cleaning, please continue with the following instructions and I will be more than happy to help.   :)
----------
 

Please download SystemLook from one of the links below and save it to your Desktop.
Link 1
Link 2

  • Right-click and Run as Administrator SystemLook.exe to run it.
  • Copy the content within the following box into the main textfield:

:filefind
*Services.exe
*qmgr.dll

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


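The Sigcheck section of the ComboFix log above compares the MD5 of c:\windows\system32\services.exe with the copy held in WinSxS and reports qmgr.dll missing from system32, and the SystemLook :filefind step in this post collects the same two files. As an added example that is not part of the thread and is not code from ComboFix or SystemLook, this Python script performs that comparison over a constructed directory tree (a Windows-like system32/winsxs layout built in a temporary folder); the component folder names and file contents are made up.

```python
"""Hash-compare live system binaries against their WinSxS component-store copies.

Added example: mirrors the Sigcheck logic visible in the ComboFix log in this
thread, where system32\\services.exe has a different MD5 from the WinSxS copy
(flagged as modified) and system32\\qmgr.dll is absent (flagged as missing).
It runs over a constructed directory tree, so it works offline on any OS.
"""
import hashlib
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# The two files the thread's log and the SystemLook :filefind step look at.
WATCHED: Tuple[str, ...] = ("services.exe", "qmgr.dll")


@dataclass
class Finding:
    name: str
    status: str                       # "ok" | "modified" | "missing" | "no_reference"
    live_md5: Optional[str]
    reference_md5: Optional[str]
    reference_path: Optional[str]


def md5_of(path: Path) -> str:
    """Upper-case MD5 hex digest, the format ComboFix prints in its Sigcheck section."""
    h = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def winsxs_copies(winsxs: Path, name: str) -> List[Path]:
    """All component-store copies of `name` (NTFS is case-insensitive, so compare lowered)."""
    return sorted(p for p in winsxs.rglob("*") if p.is_file() and p.name.lower() == name.lower())


def check_file(system32: Path, winsxs: Path, name: str) -> Finding:
    live = system32 / name
    refs = {md5_of(p): p for p in winsxs_copies(winsxs, name)}
    if not refs:
        # Nothing to compare against; report the live hash if the file exists.
        return Finding(name, "no_reference", md5_of(live) if live.is_file() else None, None, None)
    any_md5, any_path = next(iter(refs.items()))
    if not live.is_file():
        return Finding(name, "missing", None, any_md5, str(any_path))
    live_md5 = md5_of(live)
    if live_md5 in refs:
        # Several servicing versions may sit in WinSxS; matching any one of them is fine.
        return Finding(name, "ok", live_md5, live_md5, str(refs[live_md5]))
    return Finding(name, "modified", live_md5, any_md5, str(any_path))


def audit(windows_root: Path, names: Tuple[str, ...] = WATCHED) -> Dict[str, Finding]:
    return {n: check_file(windows_root / "system32", windows_root / "winsxs", n) for n in names}


def build_constructed_tree(root: Path) -> None:
    """Constructed fixture reproducing the thread's symptoms (not real Windows files)."""
    sys32 = root / "system32"
    svc_component = root / "winsxs" / "amd64_servicecontroller_CONSTRUCTED"
    bits_component = root / "winsxs" / "amd64_bits-client_CONSTRUCTED"
    for d in (sys32, svc_component, bits_component):
        d.mkdir(parents=True, exist_ok=True)
    pristine = b"MZ" + b"\x00" * 62 + b"CONSTRUCTED services.exe body"
    (svc_component / "services.exe").write_bytes(pristine)
    # Live copy with its tail overwritten: the MD5 no longer matches any WinSxS copy.
    (sys32 / "services.exe").write_bytes(pristine[:-4] + b"PTCH")
    # qmgr.dll survives only in the component store; the live copy was deleted.
    (bits_component / "qmgr.dll").write_bytes(b"MZ" + b"CONSTRUCTED qmgr.dll body")
    # Control file that is intact in both places.
    (svc_component / "lsm.exe").write_bytes(b"MZ" + b"CONSTRUCTED lsm.exe body")
    (sys32 / "lsm.exe").write_bytes(b"MZ" + b"CONSTRUCTED lsm.exe body")


def demo() -> Dict[str, str]:
    """Run the audit on the constructed tree and return name -> status."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Windows"
        build_constructed_tree(root)
        return {n: f.status for n, f in audit(root, WATCHED + ("lsm.exe",)).items()}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Windows"
        build_constructed_tree(root)
        for name, f in audit(root, WATCHED + ("lsm.exe",)).items():
            print(f"{name:14s} {f.status:12s} live={f.live_md5} ref={f.reference_md5}")
```

On a real machine the same audit would be pointed at C:\Windows, where a "modified" verdict for a signed OS binary warrants the kind of follow-up the helper requests in this thread.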
 


#7 pistolpete29

pistolpete29
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:03:44 AM

Posted 29 March 2013 - 06:49 PM

Jeff

Apologies for my ignorance but .........

Is it easier to re-install the operating system rather than try and clean?

Will you be able to tell whether it is 100% clean without a re-install?

How does the re-install clean the drives?

Is a re-install the only way to be 100% sure?

Would this have affected any portable drive I have used to back up?

Thanks again for your help with this.



#8 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:10:44 PM

Posted 30 March 2013 - 11:09 AM

Sorry for any delay...

Is it easier to re-install the operating system rather than try and clean?

Could very well be, but I really can't say.  Every system is different and the infection affects each computer differently.

Will you be able to tell whether it is 100% clean without a re-install?

How does the re-install clean the drives?

Is a re-install the only way to be 100% sure?

No...I would not be able to tell you that it's 100% clean due to the backdoor capabilities that the infection has.  With a reinstall of the operating system, the entire hard drive is deleted and new software is installed.  The good part about this infection is that you are able to go ahead and save all of your photos, music, personal files or videos for later without worry of reinfection.

Would this have affected any portable drive I have used to back up?

It depends on what you were backing up...if it was a system image then yes, the infection could be there.  If you were however only backing up photos, music, personal files or videos then you should be just fine.  This infection has not been seen to jump systems.


 


#9 pistolpete29

pistolpete29
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:03:44 AM

Posted 31 March 2013 - 01:13 PM

Sounds like a system restore is the answer.

A question on doing this:

The infected computer is my daughter's, who is overseas for the next week or so, and I'm not sure if there are recovery discs, but it does appear to have a recovery partition. How will I know this is so? If it is, will it be free from infection?

How will the process work? Does it clean the hard drive as part of the operation or is this done separately beforehand?

Sorry for all the questions!

Thanks



#10 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:10:44 PM

Posted 31 March 2013 - 07:16 PM

No worries about questions.  :)

What type of a computer is this...Dell, HP....?

If she is going to be gone for only a week or so and you don't know if there are recovery disks you might be best served by waiting until her return to find out for sure.

 


#11 pistolpete29

pistolpete29
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:03:44 AM

Posted 01 April 2013 - 02:30 PM

Hi

It's an HP laptop, Windows 7.

Checked on the HP website; it appears that it should have a recovery partition. I presume if no disks are available it's too late to create them now, or does it create them from the recovery partition? Would this recovery partition be free from infection?



#12 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:10:44 PM

Posted 02 April 2013 - 06:56 AM

Yeah if there are no recovery disks it is too late...BUT...you can certainly copy all of your personal files, music, photos and videos to disk or USB drive without worry.  Once you get the system reinstalled you can download them back to the system.  The recovery partition....if it's there, should be just fine.


 


#13 pistolpete29

pistolpete29
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:03:44 AM

Posted 02 April 2013 - 03:06 PM

Thanks....

Ok, the plan.... is to wait for my daughter to return to back up all of her files. Then try to do the recovery using the partition.

Questions...

Will the re-install put the partition back in, and should I then create recovery discs?

After the re-install is there an easy way to get back all the Windows/Microsoft updates?

#14 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:10:44 PM

Posted 03 April 2013 - 06:52 AM

Sounds like a good plan...I agree with it whole-heartedly.  :)

 

After you have reinstalled using the partition and then after getting all the updates for Windows that you can and reinstalling your files and such, I would make the recovery disk at that point.  That way your starting point if you ever had problems again should be the way the system is at that point instead of having to do all of that work again.  :)  


 


#15 pistolpete29

pistolpete29
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:03:44 AM

Posted 03 April 2013 - 04:23 PM

Apologies for repeating myself...is there an easy way to make sure I get all the updates? The machine is at least 3 years old. How will I know which ones I should get? Will it automatically pull the old ones in on auto-update?

Thanks again



