
TCPIP.Sys Found in Anti Rootkit Scan by AVG


  • This topic is locked
51 replies to this topic

#1 Jove

Posted 27 April 2013 - 07:01 AM

As per instruction: Preparation Guide and Member advice;

http://www.bleepingcomputer.com/forums/t/492820/avg-free-version-2013-dial-up-problem-with-update/?view=getnewpost

Attached Files

When you don't have to worry about your computer anymore, you can start
living again !

Success is a result, not a goal. . . . Flaubert




#2 jeffce (Malware Response Team)

Posted 27 April 2013 - 09:41 AM

Hi and Welcome!!
 
My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • If you happen to have a flash drive/thumb drive please have that ready in the event that we need to use it.
  • Please be sure to subscribe to this topic so that you can see when there are new responses.
  • IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your operating system and losing all your programs and data.
 
Having said that.... Let's get going!!
----------
 
 

Please download aswMBR to your desktop.

  • Double click the aswMBR icon to run it.
  • Click the Scan button to start scan.
  • If you are asked to update the Avast Virus database please allow it to do so.
  • When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.

----------


 


#3 Jove (Topic Starter)

Posted 27 April 2013 - 03:41 PM

I am downloading the Avast virus definitions database; it seems to be loading a lot faster than the AVG, since it has been loading since 12:45 . . . 157 MB . . . at this time 4:45.
Why that is so much faster than AVG is unknown to me.

Edited by Jove, 27 April 2013 - 03:42 PM.



#4 Jove (Topic Starter)

Posted 27 April 2013 - 05:19 PM

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-04-27 12:44:17
-----------------------------
12:44:17.984    OS Version: Windows 5.1.2600 Service Pack 3
12:44:17.984    Number of processors: 1 586 0xB01
12:44:18.000    ComputerName: CPQ80632953046  UserName: Jp
12:44:20.781    Initialize success
18:02:56.609    AVAST engine defs: 13042700
18:19:33.437    The log file has been saved successfully to "C:\Documents and Settings\Jp\Desktop\aswMBR.txt"



#5 Jove (Topic Starter)

Posted 27 April 2013 - 05:56 PM

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-04-27 12:44:17
-----------------------------
12:44:17.984    OS Version: Windows 5.1.2600 Service Pack 3
12:44:17.984    Number of processors: 1 586 0xB01
12:44:18.000    ComputerName: CPQ80632953046  UserName: Jp
12:44:20.781    Initialize success
18:02:56.609    AVAST engine defs: 13042700
18:19:33.437    The log file has been saved successfully to "C:\Documents and Settings\Jp\Desktop\aswMBR.txt"
18:21:18.437    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
18:21:18.437    Disk 0 Vendor: MAXTOR_STM3160815A 3.AAD Size: 152627MB BusType: 3
18:21:18.703    Disk 0 MBR read successfully
18:21:18.703    Disk 0 MBR scan
18:21:19.828    Disk 0 unknown MBR code
18:21:19.843    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       152624 MB offset 63
18:21:21.046    Disk 0 scanning sectors +312575760
18:21:21.718    Disk 0 scanning C:\WINDOWS\system32\drivers
18:22:12.468    Service scanning
18:23:17.093    Modules scanning
18:23:37.218    Disk 0 trace - called modules:
18:23:37.234    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys PCIIDEX.SYS 
18:23:37.671    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82fa7ab8]
18:23:37.671    3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\0000006c[0x82fe32a0]
18:23:37.687    5 ACPI.sys[ba05f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x82f35940]
18:23:39.718    AVAST engine scan C:\WINDOWS
18:24:25.500    AVAST engine scan C:\WINDOWS\system32
18:32:35.875    AVAST engine scan C:\WINDOWS\system32\drivers
18:33:20.468    AVAST engine scan C:\Documents and Settings\Jp
18:48:13.968    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Jp\Desktop\MBR.dat"
18:48:13.984    The log file has been saved successfully to "C:\Documents and Settings\Jp\Desktop\aswMBR.txt"

 

For some reason it seems when the scan finished a Firefox page was saved to my desktop; it contains an MBR.dat: "Open with Firefox" / "Run file"?

I am not sure if this is directly related to the Avast scan . . . however the FF browser contains another BC forum topic I opened last month;

http://www.bleepingcomputer.com/forums/t/488316/problem-loading-page/

In case that information is relative.


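The aswMBR log in the post above reads the MBR, reports "unknown MBR code" and one active type-07 partition at offset 63 (152624 MB), and then saves the sector to MBR.dat on the desktop. What a responder does with that file is check it rather than guess. The following Python script is an added example (it is not aswMBR's code and not something from this thread): it validates the 0x55AA signature, decodes the four partition entries, hashes the 440-byte boot-code area so it can be compared with a copy from a known-clean disk, and confirms the table matches the offset/size line the log printed. The sample image it builds is constructed to match that line; its boot-code bytes and disk signature are placeholders, not the poster's real data.

```python
"""Inspect a 512-byte MBR image such as the MBR.dat that aswMBR wrote to the desktop,
and cross-check it against what the scan log printed. Added example, not aswMBR code."""
import hashlib
import struct
import sys

SECTOR = 512
BOOT_CODE_LEN = 440            # bytes 0-439 boot code, 440-443 disk signature
PART_TABLE_OFF = 446           # four 16-byte partition entries, then 0x55AA
MBR_SIG = b"\x55\xaa"
# Partition type IDs of interest here; 0x07 is what the log above reported.
PART_TYPES = {0x00: "empty", 0x05: "extended", 0x07: "HPFS/NTFS/exFAT", 0x0B: "FAT32",
              0x0C: "FAT32 (LBA)", 0x0F: "extended (LBA)", 0x82: "Linux swap", 0x83: "Linux"}


def parse_mbr(data: bytes, disk_sectors=None) -> dict:
    """Return the boot-code hash, disk signature, partition entries and sanity findings."""
    if len(data) != SECTOR:
        raise ValueError(f"MBR image must be {SECTOR} bytes, got {len(data)}")
    findings = []
    signature_ok = data[510:512] == MBR_SIG
    if not signature_ok:
        findings.append("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        f = struct.unpack_from("<8B2I", data, PART_TABLE_OFF + 16 * i)
        boot, ptype, lba_start, lba_count = f[0], f[4], f[8], f[9]
        if ptype == 0 and lba_count == 0:
            continue                       # unused slot
        if boot not in (0x00, 0x80):
            findings.append(f"partition {i + 1}: invalid boot flag 0x{boot:02x}")
        parts.append({
            "index": i + 1,
            "active": boot == 0x80,
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, f"unknown 0x{ptype:02x}"),
            "lba_start": lba_start,
            "sectors": lba_count,
            "size_mb": lba_count * SECTOR // (1024 * 1024),
        })
    active = [p for p in parts if p["active"]]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    ordered = sorted(parts, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if b["lba_start"] < a["lba_start"] + a["sectors"]:
            findings.append(f"partitions {a['index']} and {b['index']} overlap")
    if disk_sectors is not None:
        for p in parts:
            if p["lba_start"] + p["sectors"] > disk_sectors:
                findings.append(f"partition {p['index']} extends past the end of the disk")
    return {
        "signature_ok": signature_ok,
        # Hash the boot code alone so a backup and the live disk (or two machines from
        # the same OEM image) can be compared without the partition table in the way.
        "boot_code_sha256": hashlib.sha256(data[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", data, BOOT_CODE_LEN)[0],
        "partitions": parts,
        "findings": findings,
    }


def matches_log(parsed: dict, offset: int, size_mb: int) -> bool:
    """True if a partition matches the 'offset N ... MB' line the aswMBR log printed."""
    return any(p["lba_start"] == offset and p["size_mb"] == size_mb
               for p in parsed["partitions"])


def build_sample_mbr() -> bytes:
    """Constructed sample (not the poster's MBR.dat): one active type-07 partition at
    offset 63 sized 152624 MB, the layout the log above reported. Boot code is a placeholder."""
    img = bytearray(SECTOR)
    img[:16] = b"SAMPLE-BOOT-CODE"                          # placeholder, constructed
    struct.pack_into("<I", img, BOOT_CODE_LEN, 0x1234ABCD)  # made-up disk signature
    sectors = 152624 * 1024 * 1024 // SECTOR                # 312573952
    struct.pack_into("<8B2I", img, PART_TABLE_OFF,
                     0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF, 63, sectors)
    img[510:512] = MBR_SIG
    return bytes(img)


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read(SECTOR) if len(sys.argv) > 1 else build_sample_mbr()
    result = parse_mbr(raw, disk_sectors=152627 * 2048)   # 152627 MB disk, as in the log
    print(f"signature ok: {result['signature_ok']}  boot code sha256: {result['boot_code_sha256']}")
    for p in result["partitions"]:
        print(f"  #{p['index']} {'*' if p['active'] else ' '} type {p['type']:02x} {p['type_name']}"
              f" offset {p['lba_start']} size {p['size_mb']} MB")
    print("matches log:", matches_log(result, 63, 152624))
    for f in result["findings"]:
        print("  !", f)
```

Run it as `python mbr_check.py MBR.dat` against the real file. "Unknown MBR code" in aswMBR only means the boot code did not match its list of recognised loaders; it is not a verdict. The boot-code hash is what to compare against a known-good image (one from the same OEM build, or the MBR the Recovery Console's fixmbr writes), and the partition table should line up with what the log and the running system report.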


#6 jeffce (Malware Response Team)

Posted 27 April 2013 - 09:58 PM

Hi,

Good job!  I don't need the MBR.dat but don't get rid of it until we finish up.  :)

Please read through these instructions to familiarize yourself with what to expect when this tool runs.

Download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.  Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: How to Disable your Security Programs
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. CF disconnects your machine from the internet.  The connection is automatically restored before CF completes its run.  If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
4. If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.
----------

     


#7 Jove (Topic Starter)

Posted 27 April 2013 - 11:20 PM

I wasn't watching . . . all I can tell you is that the computer restarted ? ?

When it restarted there was a message: computer recovered from serious error.

COMODO is turned off and AVG is disabled.

Please advise.


Edited by Jove, 27 April 2013 - 11:25 PM.



#8 jeffce (Malware Response Team)

Posted 27 April 2013 - 11:24 PM

Take a look in your C:\ folder and see if you can find ComboFix.txt.  If not, please boot to Safe Mode and then run ComboFix again.  Post the log if one is created.


     


#9 Jove (Topic Starter)

Posted 28 April 2013 - 12:39 AM

The scan completed in Safe Mode, but . . . when it rebooted my AVG became enabled and I clicked to allow the ComboFix that was started and message to wait . . . AVG did not allow it . . . ComboFix went away.

So if I do it again I guess you won't see anything in the txt file report??????

Sorry about this!!!!!!!!

Please advise


Edited by Jove, 28 April 2013 - 05:56 AM.



#10 Jove (Topic Starter)

Posted 28 April 2013 - 06:39 AM

    ComboFix 13-04-27.04 - Jp 04/28/2013   7:18.6.1 - x86

    Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.510.36 [GMT -4:00]
    Running from: c:\documents and settings\Jp\My Documents\Downloads\ComboFix.exe
    AV: AVG AntiVirus Free Edition 2013 *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    FW: COMODO Firewall Pro *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
    .
    .
    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run -------
    .
    C:\Documents
    C:\Logo.sys
    c:\windows\system32\Cache\1c7ce9dcae9ca2c8.fb
    c:\windows\system32\Cache\272512937d9e61a4.fb
    c:\windows\system32\Cache\287204568329e189.fb
    c:\windows\system32\Cache\28bc8f716fd76a47.fb
    c:\windows\system32\Cache\2c53092c95605355.fb
    c:\windows\system32\Cache\31a0997e9a5b5eb3.fb
    c:\windows\system32\Cache\32c84fe32bb74d60.fb
    c:\windows\system32\Cache\3917078cb68ec657.fb
    c:\windows\system32\Cache\48fa8a300a590822.fb
    c:\windows\system32\Cache\590ba23ce359fd0c.fb
    c:\windows\system32\Cache\610289e025a3ee9a.fb
    c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
    c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
    c:\windows\system32\Cache\6d03dad1035885d3.fb
    c:\windows\system32\Cache\7a34b3c332e0295e.fb
    c:\windows\system32\Cache\a101f59c58bd4b46.fb
    c:\windows\system32\Cache\a8556537add6dfc5.fb
    c:\windows\system32\Cache\ad10a52aff5e038d.fb
    c:\windows\system32\Cache\c1fa887b03019701.fb
    c:\windows\system32\Cache\c4d28dca2e7648be.fb
    c:\windows\system32\Cache\d201ef9910cd39de.fb
    c:\windows\system32\Cache\d2e94710a5708128.fb
    c:\windows\system32\Cache\d478d933a8788eac.fb
    c:\windows\system32\Cache\d79b9dfe81484ec4.fb
    c:\windows\system32\Cache\e0de16f883bea794.fb
    c:\windows\system32\Cache\f998975c9cc711ee.fb
    c:\windows\system32\msssc.dll
    c:\windows\wininit.ini
    .
    .
    (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_Skype_C2C_Service
    -------\Service_Skype C2C Service
    .
    .
    (((((((((((((((((((((((((   Files Created from 2013-03-28 to 2013-04-28  )))))))))))))))))))))))))))))))
    .
    .
    2013-04-28 05:27 . 2008-04-13 23:11 21504 ----a-w- c:\windows\system32\hidserv.dll
    2013-04-28 05:27 . 2008-04-13 23:11 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
    2013-04-26 10:48 . 2013-04-26 10:48 -------- d-----w- c:\documents and settings\Jp\Application Data\AVG8
    2013-04-20 23:02 . 2013-04-20 23:02 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
    2013-04-20 23:02 . 2013-04-26 01:53 -------- d-----w- c:\program files\McAfee Security Scan
    2013-04-20 22:57 . 2013-04-20 22:57 -------- d-----w- c:\program files\Common Files\Java
    2013-04-20 22:56 . 2013-04-04 09:35 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
    2013-04-18 12:50 . 2013-04-18 12:50 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2013-04-18 08:12 . 2013-03-02 02:06 522240 ------w- c:\windows\system32\dllcache\jsdbgui.dll
    2013-04-18 08:08 . 2013-03-02 02:06 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
    2013-04-18 07:45 . 2013-04-18 07:49 -------- dc-h--w- c:\windows\ie8
    2013-04-17 12:59 . 2013-04-17 12:59 -------- d-----w- c:\documents and settings\Jp\Local Settings\Application Data\AVG SafeGuard toolbar
    2013-04-17 11:41 . 2013-04-17 11:41 -------- d-----w- c:\documents and settings\Jp\Application Data\AVG2013
    2013-04-17 11:39 . 2013-04-17 11:39 -------- d-----w- c:\documents and settings\Jp\Local Settings\Application Data\Sun
    2013-04-17 11:38 . 2013-04-17 11:38 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\AVG2013
    2013-04-17 11:38 . 2013-04-17 11:38 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Avg2013
    2013-04-17 11:37 . 2013-04-17 11:37 -------- d-----w- c:\documents and settings\Jp\Application Data\TuneUp Software
    2013-04-17 11:37 . 2013-04-17 11:37 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG SafeGuard toolbar
    2013-04-17 11:37 . 2013-04-17 11:37 -------- d-----w- c:\documents and settings\Jp\Application Data\AVG SafeGuard toolbar
    2013-04-17 11:37 . 2013-04-17 11:37 31576 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
    2013-04-17 11:37 . 2013-04-17 11:37 -------- d-----w- c:\program files\Common Files\AVG Secure Search
    2013-04-17 11:37 . 2013-04-17 11:37 -------- d-----w- c:\program files\AVG SafeGuard toolbar
    2013-04-17 11:35 . 2013-04-17 11:39 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2013
    2013-04-16 22:26 . 2013-04-18 21:18 -------- d-----w- c:\documents and settings\Jp\Local Settings\Application Data\Avg2013
    2013-04-16 22:26 . 2013-04-16 22:26 -------- d-----w- c:\documents and settings\Jp\Local Settings\Application Data\MFAData
    2013-04-06 13:22 . 2013-04-06 13:22 -------- d-----w- c:\windows\system32\wbem\Repository
    2013-04-01 20:09 . 2013-04-01 20:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Driver Whiz
    2013-04-01 19:35 . 2013-04-01 19:35 -------- d-----w- c:\program files\Driver Whiz
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-04-16 11:16 . 2012-05-19 11:16 861088 ----a-w- c:\windows\system32\npdeployJava1.dll
    2013-04-16 11:16 . 2010-07-14 15:17 782240 ----a-w- c:\windows\system32\deployJava1.dll
    2013-03-08 08:36 . 2001-08-18 03:36 293376 ----a-w- c:\windows\system32\winsrv.dll
    2013-03-07 01:28 . 2011-02-10 03:01 2193408 ----a-w- c:\windows\system32\ntoskrnl.exe
    2013-03-07 00:50 . 2011-02-10 03:01 2070016 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2013-03-02 02:06 . 2001-08-18 03:36 916480 ----a-w- c:\windows\system32\wininet.dll
    2013-03-02 02:06 . 2001-08-18 03:37 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2013-03-02 02:06 . 2001-08-18 03:36 43520 ------w- c:\windows\system32\licmgr10.dll
    2013-03-02 01:25 . 2009-06-17 12:14 1867264 ----a-w- c:\windows\system32\win32k.sys
    2013-03-02 01:08 . 2008-10-27 13:36 385024 ------w- c:\windows\system32\html.iec
    2013-03-01 14:32 . 2013-03-01 14:32 22328 ----a-w- c:\windows\system32\drivers\avgidsshimx.sys
    2013-02-27 07:56 . 2001-08-18 03:36 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2013-02-27 03:40 . 2013-02-27 03:40 208184 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys
    2013-02-14 07:52 . 2013-02-14 07:52 182072 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2013-02-12 00:32 . 2008-10-27 13:36 12928 ----a-w- c:\windows\system32\drivers\usb8023x.sys
    2013-02-12 00:32 . 2001-08-17 18:54 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys
    2013-02-08 08:37 . 2013-02-08 08:37 96568 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2013-02-08 08:37 . 2013-02-08 08:37 245048 ----a-w- c:\windows\system32\drivers\avglogx.sys
    2013-02-08 08:37 . 2013-02-08 08:37 60216 ----a-w- c:\windows\system32\drivers\avgidshx.sys
    2013-02-08 08:37 . 2013-02-08 08:37 170808 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2013-02-08 08:37 . 2013-02-08 08:37 39224 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
    2012-12-02 04:31 . 2012-12-02 04:30 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown 
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "COMODO Firewall Pro"="c:\program files\Comodo\Firewall\CPF.exe" [2008-10-30 1115728]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-22 1191936]
    "AVG_UI"="c:\program files\AVG\AVG2013\avgui.exe" [2013-03-13 4394032]
    "vProt"="c:\program files\AVG SafeGuard toolbar\vprot.exe" [2013-04-17 1101488]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.0.287\SSScheduler.exe [2012-9-11 271808]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ   autocheck autochk *\0lsdelete\0c:\progra~1\AVG\AVG2013\avgrsx.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Jp^Start Menu^Programs^Startup^Secunia PSI.lnk]
    path=c:\documents and settings\Jp\Start Menu\Programs\Startup\Secunia PSI.lnk
    backup=c:\windows\pss\Secunia PSI.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    c:\windows\system32\dumprep 0 -k [X]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2012-12-03 07:35 946352 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2009-10-03 09:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    2008-06-19 21:20 57344 -c--a-w- c:\windows\ALCMTR.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
    2010-10-27 23:17 207424 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CARPService]
    2002-01-03 00:06 4608 ----a-w- c:\windows\system32\carpserv.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
    2001-08-18 19:00 44032 -c--a-w- c:\windows\ime\imkr6_1\imekrmig.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
    2004-08-04 03:32 208952 -c--a-w- c:\windows\ime\imjp8_1\imjpmig.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
    2004-08-04 03:31 59392 -c--a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
    2004-08-04 03:32 455168 -c--a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
    2004-08-04 03:32 455168 -c--a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2011-07-05 22:36 421888 -c--a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    2008-12-30 19:58 18082304 -c--a-w- c:\windows\RTHDCPL.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
    2007-11-20 23:15 1826816 -c--a-w- c:\windows\SkyTel.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2013-03-12 11:32 253816 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
    2009-07-21 03:57 1830128 -c--a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2009-04-22 21:13 198160 -c--a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WCOLOREAL]
    2002-02-20 17:40 143360 ----a-w- c:\program files\COMPAQ\Coloreal\COLOREAL.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "SharedAccess"=2 (0x2)
    "wscsvc"=2 (0x2)
    "aawservice"=2 (0x2)
    "Pctspk"=2 (0x2)
    "CmdAgent"=2 (0x2)
    "BITS"=2 (0x2)
    "wuauserv"=2 (0x2)
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
    "OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" -NoStart
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "CPQEASYACC"=c:\program files\COMPAQ\Easy Access Button Support\StartEAK.exe
    "IMEKRMIG6.1"=c:\windows\ime\imkr6_1\IMEKRMIG.EXE
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    "MSPY2002"=c:\windows\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    "PHIME2002A"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    "PHIME2002ASync"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    "TkBellExe"=c:\program files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "8080:TCP"= 8080:TCP:PORT1
    "1013:TCP"= 1013:TCP:BS
    "8081:TCP"= 8081:TCP:PORT2
    "1839:TCP"= 1839:TCP:FD
    "2873:TCP"= 2873:TCP:FD
    .
    R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2/8/2013 4:37 AM 60216]
    R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2/8/2013 4:37 AM 245048]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2/8/2013 4:37 AM 39224]
    R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2/26/2013 11:40 PM 208184]
    R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [3/1/2013 10:32 AM 22328]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2/8/2013 4:37 AM 170808]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2/14/2013 3:52 AM 182072]
    R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [4/17/2013 7:37 AM 31576]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/15/2009 5:17 PM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/15/2009 5:17 PM 55024]
    R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2013\avgwdsvc.exe [2/19/2013 4:02 AM 282624]
    R2 vToolbarUpdater14.0.1;vToolbarUpdater14.0.1;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\14.0.1\ToolbarUpdater.exe [4/17/2013 7:37 AM 945328]
    R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [9/28/2006 11:20 AM 21920]
    R3 SMC1211;SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver;c:\windows\system32\drivers\SMC1211.sys [7/11/2001 12:06 PM 23153]
    S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2013\avgidsagent.exe [2/27/2013 11:42 PM 4937264]
    S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2/1/2010 7:31 AM 13192]
    S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2/1/2010 7:31 AM 8456]
    S3 FBIKB_NT;FBIKB_NT;\??\c:\windows\System32\Drivers\FBIKB_NT.Sys --> c:\windows\System32\Drivers\FBIKB_NT.Sys [?]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\3.0.287\McCHSvc.exe [9/11/2012 12:12 PM 234776]
    S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [12/10/2008 10:17 AM 7808]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/15/2009 5:17 PM 7408]
    S4 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [1/8/2013 1:55 PM 161536]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
    2013-04-11 13:01 1642448 ----a-w- c:\program files\Google\Chrome\Application\26.0.1410.64\Installer\chrmstp.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-04-16 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
    .
    2013-04-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2013-01-05 04:09]
    .
    2013-04-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2013-01-05 04:09]
    .
    2008-11-01 c:\windows\Tasks\Registration reminder 1.job
    - c:\windows\System32\OOBE\oobebaln.exe [2001-08-18 00:12]
    .
    2008-11-06 c:\windows\Tasks\Registration reminder 2.job
    - c:\windows\System32\OOBE\oobebaln.exe [2001-08-18 00:12]
    .
    2008-11-11 c:\windows\Tasks\Registration reminder 3.job
    - c:\windows\System32\OOBE\oobebaln.exe [2001-08-18 00:12]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/webhp?hl=en&tab=iw&q=Internet%20Explorer
    TCP: Interfaces\{4C70B91E-BAE1-437E-B0D2-66871D3730F1}: NameServer = 216.178.92.98 216.178.92.114
    Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\14.0.1\ViProtocol.dll
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\Jp\Application Data\Mozilla\Firefox\Profiles\163mqv8x.default-1351646108031\
    .
    - - - - ORPHANS REMOVED - - - -
    .
    BHO-{95B7759C-8C7F-4BF1-B163-73684A933233} - (no file)
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    Toolbar-{95B7759C-8C7F-4BF1-B163-73684A933233} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    MSConfigStartUp-Babylon Client - c:\program files\Babylon\Babylon-Pro\Babylon.exe
    MSConfigStartUp-Facebook Update - c:\documents and settings\Jp\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe
    MSConfigStartUp-HF_G_Jul - c:\program files\AVG Secure Search\HF_G_Jul.exe
    MSConfigStartUp-ROC_roc_dec12 - c:\program files\AVG Secure Search\ROC_roc_dec12.exe
    MSConfigStartUp-vProt - c:\program files\AVG Secure Search\vprot.exe
    AddRemove-KB923789 - c:\windows\system32\MacroMed\Flash\genuinst.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2013-04-28 07:33
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...  
    .
    scanning hidden autostart entries ... 
    .
    scanning hidden files ...  
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-2564294346-4179051517-1260927497-1005\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(392)
    c:\windows\system32\WININET.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    Completion time: 2013-04-28  07:37:58
    ComboFix-quarantined-files.txt  2013-04-28 11:37
    ComboFix2.txt  2008-11-30 18:35
    ComboFix3.txt  2008-11-30 00:42
    .
    Pre-Run: 137,898,201,088 bytes free
    Post-Run: 137,852,411,904 bytes free
    .
    - - End Of File - - D01FDDBFEE18F72748D704033C4D1D1F



    #11 jeffce
    Malware Response Team

    Posted 28 April 2013 - 12:40 PM

    Hi,

    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

      ClearJavaCache::
       
      Registry::
      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
      "8080:TCP"=-
      "1013:TCP"=-
      "8081:TCP"=-
      "1839:TCP"=-
      "2873:TCP"=-

    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
       
    [screenshot: CFScriptB-4.gif]
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix may request an update; please allow it.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    ----------

     

    Post the new ComboFix log and let me know how your system is running now.  :)


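The CFScript above deletes GloballyOpenPorts values with the `"name"=-` form, and the ComboFix logs in this thread carry the firewall policy, service/driver and ORPHANS REMOVED sections a responder reads first. The following triage helper is an added example, not ComboFix's own code or anything posted in the thread: it parses a constructed excerpt modelled on this thread's log lines (the GloballyOpenPorts data strings are made up, since the thread only shows the value names), flags a disabled firewall, globally opened ports, drivers whose file was not found (`[?]`) and orphans pointing at a missing file, and builds the matching Registry:: deletion block.

```python
"""Triage helper for ComboFix-style log excerpts (added example, not ComboFix code)."""
import re

# Constructed sample modelled on the log lines in this thread; the GloballyOpenPorts
# data strings are made up, since the thread only shows the value names.
SAMPLE_LOG = """\
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\GloballyOpenPorts\\List]
"8080:TCP"=8080:TCP:*:Enabled:constructed-entry
"1013:TCP"=1013:TCP:*:Enabled:constructed-entry
.
R1 avgtp;avgtp;c:\\windows\\system32\\drivers\\avgtpx86.sys [4/17/2013 7:37 AM 31576]
S3 FBIKB_NT;FBIKB_NT;\\??\\c:\\windows\\System32\\Drivers\\FBIKB_NT.Sys --> c:\\windows\\System32\\Drivers\\FBIKB_NT.Sys [?]
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{95B7759C-8C7F-4BF1-B163-73684A933233} - (no file)
MSConfigStartUp-vProt - c:\\program files\\AVG Secure Search\\vprot.exe
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
# Service lines: start type (R0..S4), short name, display name, path plus [details]
SERVICE_RE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*)$')
PORTS_KEY = ('HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy'
             '\\standardprofile\\GloballyOpenPorts\\List')

def parse_registry_blocks(text: str) -> dict:
    """Group "name"=data lines under the [key] line that precedes them."""
    blocks: dict = {}
    current = None
    for line in text.splitlines():
        key = KEY_RE.match(line)
        if key:
            current = key.group('key')
            blocks.setdefault(current, {})
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            blocks[current][value.group('name')] = value.group('data').strip()
    return blocks

def firewall_findings(blocks: dict) -> list:
    """Flag a disabled standard-profile firewall and any globally opened ports."""
    findings = []
    for key, values in blocks.items():
        lower = key.lower()
        if lower.endswith('firewallpolicy\\standardprofile'):
            if values.get('EnableFirewall', '').startswith('0'):
                findings.append('standard profile firewall is disabled (EnableFirewall=0)')
        elif lower.endswith('globallyopenports\\list'):
            findings.extend(f'globally open port {name}' for name in values)
    return findings

def services_missing_file(text: str) -> list:
    """Names of R*/S* service entries whose backing file ComboFix marked [?] (not found)."""
    matches = (SERVICE_RE.match(line) for line in text.splitlines())
    return [m.group('name') for m in matches if m and m.group('path').rstrip().endswith('[?]')]

def orphans_without_file(text: str) -> list:
    """ORPHANS REMOVED entries that still pointed at a file which no longer exists."""
    names, in_orphans = [], False
    for line in text.splitlines():
        if 'ORPHANS REMOVED' in line:
            in_orphans = True
        elif in_orphans and line.endswith('(no file)'):
            names.append(line.split(' - ')[0])
    return names

def cfscript_delete_ports(ports: list) -> str:
    """Build the Registry:: block that deletes the given GloballyOpenPorts values,
    using the "name"=- deletion form the CFScript in this thread uses."""
    lines = ['Registry::', f'[{PORTS_KEY}]'] + [f'"{port}"=-' for port in ports]
    return '\n'.join(lines) + '\n'

if __name__ == '__main__':
    blocks = parse_registry_blocks(SAMPLE_LOG)
    print(firewall_findings(blocks), services_missing_file(SAMPLE_LOG), orphans_without_file(SAMPLE_LOG))
    print(cfscript_delete_ports(list(blocks.get(PORTS_KEY, {}))))
```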


    #12 Jove
    Topic Starter, Members

    Posted 28 April 2013 - 04:25 PM

    ComboFix 13-04-28.01 - Jp 04/28/2013  17:04:27.7.1 - x86
    Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.510.284 [GMT -4:00]
    Running from: c:\documents and settings\Jp\My Documents\Downloads\ComboFix.exe
    Command switches used :: c:\documents and settings\Jp\Desktop\CFScript.txt
    AV: AVG AntiVirus Free Edition 2013 *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    FW: COMODO Firewall Pro *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
    .
    .
    (((((((((((((((((((((((((   Files Created from 2013-03-28 to 2013-04-28  )))))))))))))))))))))))))))))))
    .
    .
    2013-04-28 05:27 . 2008-04-13 23:11 21504 ----a-w- c:\windows\system32\hidserv.dll
    2013-04-28 05:27 . 2008-04-13 23:11 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
    2013-04-26 10:48 . 2013-04-26 10:48 -------- d-----w- c:\documents and settings\Jp\Application Data\AVG8
    2013-04-20 23:02 . 2013-04-20 23:02 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
    2013-04-20 23:02 . 2013-04-26 01:53 -------- d-----w- c:\program files\McAfee Security Scan
    2013-04-20 22:57 . 2013-04-20 22:57 -------- d-----w- c:\program files\Common Files\Java
    2013-04-20 22:56 . 2013-04-04 09:35 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
    2013-04-18 12:50 . 2013-04-18 12:50 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2013-04-18 08:12 . 2013-03-02 02:06 522240 ------w- c:\windows\system32\dllcache\jsdbgui.dll
    2013-04-18 08:08 . 2013-03-02 02:06 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
    2013-04-18 07:45 . 2013-04-18 07:49 -------- dc-h--w- c:\windows\ie8
    2013-04-17 12:59 . 2013-04-17 12:59 -------- d-----w- c:\documents and settings\Jp\Local Settings\Application Data\AVG SafeGuard toolbar
    2013-04-17 11:41 . 2013-04-17 11:41 -------- d-----w- c:\documents and settings\Jp\Application Data\AVG2013
    2013-04-17 11:39 . 2013-04-17 11:39 -------- d-----w- c:\documents and settings\Jp\Local Settings\Application Data\Sun
    2013-04-17 11:38 . 2013-04-17 11:38 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\AVG2013
    2013-04-17 11:38 . 2013-04-17 11:38 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Avg2013
    2013-04-17 11:37 . 2013-04-17 11:37 -------- d-----w- c:\documents and settings\Jp\Application Data\TuneUp Software
    2013-04-17 11:37 . 2013-04-17 11:37 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG SafeGuard toolbar
    2013-04-17 11:37 . 2013-04-17 11:37 -------- d-----w- c:\documents and settings\Jp\Application Data\AVG SafeGuard toolbar
    2013-04-17 11:37 . 2013-04-17 11:37 31576 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
    2013-04-17 11:37 . 2013-04-17 11:37 -------- d-----w- c:\program files\Common Files\AVG Secure Search
    2013-04-17 11:37 . 2013-04-17 11:37 -------- d-----w- c:\program files\AVG SafeGuard toolbar
    2013-04-17 11:35 . 2013-04-17 11:39 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2013
    2013-04-16 22:26 . 2013-04-18 21:18 -------- d-----w- c:\documents and settings\Jp\Local Settings\Application Data\Avg2013
    2013-04-16 22:26 . 2013-04-16 22:26 -------- d-----w- c:\documents and settings\Jp\Local Settings\Application Data\MFAData
    2013-04-06 13:22 . 2013-04-06 13:22 -------- d-----w- c:\windows\system32\wbem\Repository
    2013-04-01 20:09 . 2013-04-01 20:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Driver Whiz
    2013-04-01 19:35 . 2013-04-01 19:35 -------- d-----w- c:\program files\Driver Whiz
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-04-16 11:16 . 2012-05-19 11:16 861088 ----a-w- c:\windows\system32\npdeployJava1.dll
    2013-04-16 11:16 . 2010-07-14 15:17 782240 ----a-w- c:\windows\system32\deployJava1.dll
    2013-03-08 08:36 . 2001-08-18 03:36 293376 ----a-w- c:\windows\system32\winsrv.dll
    2013-03-07 01:28 . 2011-02-10 03:01 2193408 ----a-w- c:\windows\system32\ntoskrnl.exe
    2013-03-07 00:50 . 2011-02-10 03:01 2070016 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2013-03-02 02:06 . 2001-08-18 03:36 916480 ----a-w- c:\windows\system32\wininet.dll
    2013-03-02 02:06 . 2001-08-18 03:37 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2013-03-02 02:06 . 2001-08-18 03:36 43520 ------w- c:\windows\system32\licmgr10.dll
    2013-03-02 01:25 . 2009-06-17 12:14 1867264 ----a-w- c:\windows\system32\win32k.sys
    2013-03-02 01:08 . 2008-10-27 13:36 385024 ------w- c:\windows\system32\html.iec
    2013-03-01 14:32 . 2013-03-01 14:32 22328 ----a-w- c:\windows\system32\drivers\avgidsshimx.sys
    2013-02-27 07:56 . 2001-08-18 03:36 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2013-02-27 03:40 . 2013-02-27 03:40 208184 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys
    2013-02-14 07:52 . 2013-02-14 07:52 182072 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2013-02-12 00:32 . 2008-10-27 13:36 12928 ----a-w- c:\windows\system32\drivers\usb8023x.sys
    2013-02-12 00:32 . 2001-08-17 18:54 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys
    2013-02-08 08:37 . 2013-02-08 08:37 96568 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2013-02-08 08:37 . 2013-02-08 08:37 245048 ----a-w- c:\windows\system32\drivers\avglogx.sys
    2013-02-08 08:37 . 2013-02-08 08:37 60216 ----a-w- c:\windows\system32\drivers\avgidshx.sys
    2013-02-08 08:37 . 2013-02-08 08:37 170808 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2013-02-08 08:37 . 2013-02-08 08:37 39224 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
    2012-12-02 04:31 . 2012-12-02 04:30 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown 
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "COMODO Firewall Pro"="c:\program files\Comodo\Firewall\CPF.exe" [2008-10-30 1115728]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-22 1191936]
    "AVG_UI"="c:\program files\AVG\AVG2013\avgui.exe" [2013-03-13 4394032]
    "vProt"="c:\program files\AVG SafeGuard toolbar\vprot.exe" [2013-04-17 1101488]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ   autocheck autochk *\0lsdelete\0c:\progra~1\AVG\AVG2013\avgrsx.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
    backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Jp^Start Menu^Programs^Startup^Secunia PSI.lnk]
    path=c:\documents and settings\Jp\Start Menu\Programs\Startup\Secunia PSI.lnk
    backup=c:\windows\pss\Secunia PSI.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    c:\windows\system32\dumprep 0 -k [X]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2012-12-03 07:35 946352 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2009-10-03 09:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    2008-06-19 21:20 57344 -c--a-w- c:\windows\ALCMTR.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
    2010-10-27 23:17 207424 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CARPService]
    2002-01-03 00:06 4608 ----a-w- c:\windows\system32\carpserv.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
    2001-08-18 19:00 44032 -c--a-w- c:\windows\ime\imkr6_1\imekrmig.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
    2004-08-04 03:32 208952 -c--a-w- c:\windows\ime\imjp8_1\imjpmig.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
    2004-08-04 03:31 59392 -c--a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
    2004-08-04 03:32 455168 -c--a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
    2004-08-04 03:32 455168 -c--a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2011-07-05 22:36 421888 -c--a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    2008-12-30 19:58 18082304 -c--a-w- c:\windows\RTHDCPL.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
    2007-11-20 23:15 1826816 -c--a-w- c:\windows\SkyTel.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2013-03-12 11:32 253816 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
    2009-07-21 03:57 1830128 -c--a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2009-04-22 21:13 198160 -c--a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WCOLOREAL]
    2002-02-20 17:40 143360 ----a-w- c:\program files\COMPAQ\Coloreal\COLOREAL.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "SharedAccess"=2 (0x2)
    "wscsvc"=2 (0x2)
    "aawservice"=2 (0x2)
    "Pctspk"=2 (0x2)
    "CmdAgent"=2 (0x2)
    "BITS"=3 (0x3)
    "wuauserv"=2 (0x2)
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
    "OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" -NoStart
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "CPQEASYACC"=c:\program files\COMPAQ\Easy Access Button Support\StartEAK.exe
    "IMEKRMIG6.1"=c:\windows\ime\imkr6_1\IMEKRMIG.EXE
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    "MSPY2002"=c:\windows\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    "PHIME2002A"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    "PHIME2002ASync"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    "TkBellExe"=c:\program files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    .
    R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2/8/2013 4:37 AM 60216]
    R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2/8/2013 4:37 AM 245048]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2/8/2013 4:37 AM 39224]
    R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2/26/2013 11:40 PM 208184]
    R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [3/1/2013 10:32 AM 22328]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2/8/2013 4:37 AM 170808]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2/14/2013 3:52 AM 182072]
    R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [4/17/2013 7:37 AM 31576]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/15/2009 5:17 PM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/15/2009 5:17 PM 55024]
    R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2013\avgwdsvc.exe [2/19/2013 4:02 AM 282624]
    R2 vToolbarUpdater14.0.1;vToolbarUpdater14.0.1;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\14.0.1\ToolbarUpdater.exe [4/17/2013 7:37 AM 945328]
    R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [9/28/2006 11:20 AM 21920]
    R3 SMC1211;SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver;c:\windows\system32\drivers\SMC1211.sys [7/11/2001 12:06 PM 23153]
    S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2013\avgidsagent.exe [2/27/2013 11:42 PM 4937264]
    S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2/1/2010 7:31 AM 13192]
    S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2/1/2010 7:31 AM 8456]
    S3 FBIKB_NT;FBIKB_NT;\??\c:\windows\System32\Drivers\FBIKB_NT.Sys --> c:\windows\System32\Drivers\FBIKB_NT.Sys [?]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\3.0.287\McCHSvc.exe [9/11/2012 12:12 PM 234776]
    S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [12/10/2008 10:17 AM 7808]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/15/2009 5:17 PM 7408]
    S4 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [1/8/2013 1:55 PM 161536]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
    2013-04-11 13:01 1642448 ----a-w- c:\program files\Google\Chrome\Application\26.0.1410.64\Installer\chrmstp.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-04-16 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
    .
    2013-04-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2013-01-05 04:09]
    .
    2013-04-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2013-01-05 04:09]
    .
    2008-11-01 c:\windows\Tasks\Registration reminder 1.job
    - c:\windows\System32\OOBE\oobebaln.exe [2001-08-18 00:12]
    .
    2008-11-06 c:\windows\Tasks\Registration reminder 2.job
    - c:\windows\System32\OOBE\oobebaln.exe [2001-08-18 00:12]
    .
    2008-11-11 c:\windows\Tasks\Registration reminder 3.job
    - c:\windows\System32\OOBE\oobebaln.exe [2001-08-18 00:12]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/webhp?hl=en&tab=iw&q=Internet%20Explorer
    TCP: Interfaces\{4C70B91E-BAE1-437E-B0D2-66871D3730F1}: NameServer = 216.178.92.98 216.178.92.114
    Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\14.0.1\ViProtocol.dll
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\Jp\Application Data\Mozilla\Firefox\Profiles\163mqv8x.default-1351646108031\
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2013-04-28 17:19
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...  
    .
    scanning hidden autostart entries ... 
    .
    scanning hidden files ...  
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-2564294346-4179051517-1260927497-1005\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(1896)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\webcheck.dll
    .
    Completion time: 2013-04-28  17:23:40
    ComboFix-quarantined-files.txt  2013-04-28 21:23
    ComboFix2.txt  2013-04-28 11:38
    ComboFix3.txt  2008-11-30 18:35
    ComboFix4.txt  2008-11-30 00:42
    .
    Pre-Run: 137,844,547,584 bytes free
    Post-Run: 137,834,311,680 bytes free
    .
    - - End Of File - - 6B2576485A428B6DECDA153D6B319F01



    #13 jeffce
    Malware Response Team

    Posted 28 April 2013 - 07:29 PM

    How is your system running now?  :)




    #14 Jove
    Topic Starter, Members

    Posted 29 April 2013 - 05:28 AM

    Seems good; I haven't had much of a chance yet to find out. What do you think? Was there a spyware infection? Did I have a malicious intruder performing various shenanigans?

    I am still in the process of updating and will attempt to update AVG next to see if it goes any better.

    I'll let you know what transpires.

    Thanks for your kind and generous efforts.




    #15 jeffce
    Malware Response Team

    Posted 29 April 2013 - 06:49 AM

    Hi,

     

    Glad to hear that it seems better.  There were some shenanigans going on inside your system.   :)

     

     

    Adobe Reader

    You have an older version of Adobe Reader. You can download the current version HERE.

    You may want to consider Foxit Reader instead. It may be a bit lighter on resources.

    Visit their support forum.

    In either case you should uninstall Adobe Reader 9.2 first. Be sure to move any PDF documents to another folder first though.
    ----------

     

     

    Java

    Please go to Start > Control Panel > Programs and Features and uninstall all the Java programs you see. Then download the latest Java from the following link and install it:

    ----------

    See this page for instructions on how to clear Java's cache.

    Go into the Control Panel and double-click the Java icon (it looks like a coffee cup).
    • Under Temporary Internet Files, click the Delete Files button.
    • There are three options in the window to clear the cache. Leave ALL 3 checked:
      • Downloaded Applets
      • Downloaded Applications
      • Installed Applications and Applets
    • Click OK on the Delete Temporary Files window.

    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Java Control Panel.

    ----------

     

     

    Malwarebytes
     
    Please open Malwarebytes, update it and then run a Quick Scan.  Save the log that is created for your next reply.
    ----------

     

     

    ESET Online Scanner

    Go here to run an online scanner from ESET. Windows Vista/Windows 7 users will need to right-click on their Internet Explorer shortcut and select Run as Administrator.
    • Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double-click on it to install and a new window will open. Follow the prompts.
    • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start.
    • When asked, allow the ActiveX control to install.
    • Click Start.
    • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
    • Click on Advanced Settings and ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
    • Click Scan.
    • Wait for the scan to finish.
    • When the scan is done, if it shows a screen that says "Threats found!", click "List of found threats", and then click "Export to text file...".
    • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
    • Close the ESET online scan, and let me know how things are now.


    ----------

     






