Infected with Trojan horse Generic29.AJGE



#1 sedg

  • Members
  • 6 posts
  • Gender:Male
  • Location:Pensacola, FL

Posted 01 May 2013 - 01:48 AM

Hello All,  I read the post between fastwithclass and Just Curious regarding Generic29.AJGE.  I have accomplished all the downloading but need a fixlist.txt file tailored to my computer before I can run the Farbar Recovery Scan Tool.  I am hoping Just Curious will read this and help me out. The DDS file is pasted below and attached.  This is an Asus G51J laptop, first gen i7, running 64 bit Windows 7.  I think this Trojan horse came aboard with a stubborn appearance of Adobe Flash Player in April.  Not sure, but the request for a Flash Player download would not go away when clicking cancel multiple times.  The Trojan horse was detected by AVG Free but would not allow itself to be removed by AVG. CCleaner and Malwarebytes are up to date.   Thanks!

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16476
Run by Tom at 1:04:12 on 2013-05-01
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.8125.6320 [GMT -5:00]
.
AV: AVG AntiVirus Free Edition 2013 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AVG AntiVirus Free Edition 2013 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
.
============== Running Processes ===============
.
C:\PROGRA~2\AVG\AVG2013\avgrsa.exe
C:\Program Files (x86)\AVG\AVG2013\avgcsrva.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\FBAgent.exe
C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe
C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe
C:\Program Files\ATKGFNEX\GFNEXSrv.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinService.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe
C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe
C:\Program Files\Belkin\Belkin USB Print and Storage Center\BkBackupScheduler.exe
C:\Program Files\Belkin\Belkin USB Print and Storage Center\Bkapcs.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Program Files (x86)\SearchProtect\bin\CltMngSvc.exe
C:\PROGRA~2\CONSER~2\bar\1.bin\4nbarsvc.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\HP\HP LaserJet M1210 MFP Series\ReceiveFaxUtility.exe
C:\Windows\system32\HPSIsvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.0.0\ToolbarUpdater.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\P4G\BatteryLife.exe
C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe
C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe
C:\Program Files (x86)\AVG Secure Search\vprot.exe
C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe
C:\Program Files (x86)\AVG\AVG2013\avgui.exe
C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Belkin\Belkin USB Print and Storage Center\connect.exe
C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinSetup.exe
C:\Program Files (x86)\Belkin\Router Setup and Monitor\dlnaPlugin.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe
C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe
C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil64_11_6_602_180_ActiveX.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://asus.msn.com
uURLSearchHooks: <No Name>: {752929fc-c897-4620-9fa8-0303247277e2} - C:\Program Files (x86)\ConservativeTalkNow_4n\bar\1.bin\4nSrcAs.dll
uURLSearchHooks: MixiDJ V4 Toolbar: {c846d9b8-4cc6-491e-893f-7ee1d979afa3} - C:\Program Files (x86)\MixiDJ_V4\prxtbMixi.dll
mURLSearchHooks: MixiDJ V4 Toolbar: {c846d9b8-4cc6-491e-893f-7ee1d979afa3} - C:\Program Files (x86)\MixiDJ_V4\prxtbMixi.dll
dURLSearchHooks: <No Name>: {752929fc-c897-4620-9fa8-0303247277e2} - C:\Program Files (x86)\ConservativeTalkNow_4n\bar\1.bin\4nSrcAs.dll
mWinlogon: Userinit = userinit.exe
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - <orphaned>
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Funmoods Helper Object: {75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} - C:\Program Files (x86)\Funmoods\funmoods\1.5.12.2\bh\funmoods.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\15.0.0.2\AVG Secure Search_toolbar.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB: <No Name>: {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - LocalServer32 - <no file>
TB: ConservativeTalkNow: {533329C9-CA91-42A2-8792-7F91C7B4172A} - C:\Program Files (x86)\ConservativeTalkNow_4n\bar\1.bin\4nbar.dll
TB: MixiDJ V4 Toolbar: {C846D9B8-4CC6-491E-893F-7EE1D979AFA3} - C:\Program Files (x86)\MixiDJ_V4\prxtbMixi.dll
TB: &Windows Live Toolbar: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB: Funmoods Toolbar: {A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} - C:\Program Files (x86)\Funmoods\funmoods\1.5.12.2\funmoodsTlbr.dll
TB: ConservativeTalkNow: {533329c9-ca91-42a2-8792-7f91c7b4172a} - C:\Program Files (x86)\ConservativeTalkNow_4n\bar\1.bin\4nbar.dll
TB: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\15.0.0.2\AVG Secure Search_toolbar.dll
TB: MixiDJ V4 Toolbar: {c846d9b8-4cc6-491e-893f-7ee1d979afa3} - C:\Program Files (x86)\MixiDJ_V4\prxtbMixi.dll
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
mRun: [InstaLAN] "C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" startup
mRun: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe"
mRun: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY
uPolicies-Explorer: NoDriveAutoRun = dword:0
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
TCP: NameServer = 192.168.2.1
TCP: Interfaces\{D6B9435C-8B6C-469D-8F8E-763776F82D4D} : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{D6B9435C-8B6C-469D-8F8E-763776F82D4D}\2456C6B696E643935343 : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{D6B9435C-8B6C-469D-8F8E-763776F82D4D}\64F687F575962756C6563737 : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{D6B9435C-8B6C-469D-8F8E-763776F82D4D}\7516E646562796E6760275966496D223 : DHCPNameServer = 10.0.0.1
TCP: Interfaces\{D6B9435C-8B6C-469D-8F8E-763776F82D4D}\944577962756C6563737 : DHCPNameServer = 172.16.0.50 172.16.0.51
TCP: Interfaces\{D6B9435C-8B6C-469D-8F8E-763776F82D4D}\94E6475627E6564743 : DHCPNameServer = 97.64.209.36 97.64.168.13
TCP: Interfaces\{D96860AA-C4EE-424F-A30B-46CFBA8383BF} : DHCPNameServer = 208.201.224.11 208.201.224.33
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files (x86)\Belarc\Advisor\System\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - <orphaned>
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\15.0.0\ViProtocol.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\25.0.1364.172\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -
x64-BHO: Windows Live Family Safety Browser Helper Class: {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
x64-BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - <orphaned>
x64-Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - <orphaned>
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHA;AVGIDSHA;C:\Windows\System32\drivers\avgidsha.sys [2013-2-8 71480]
R0 Avgloga;AVG Logging Driver;C:\Windows\System32\drivers\avgloga.sys [2013-2-8 311096]
R0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\System32\drivers\avgmfx64.sys [2013-2-8 116536]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\System32\drivers\avgrkx64.sys [2013-2-8 45880]
R1 AVGIDSDriver;AVGIDSDriver;C:\Windows\System32\drivers\avgidsdrivera.sys [2013-2-26 246072]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\System32\drivers\avgldx64.sys [2013-2-8 206136]
R1 Avgtdia;AVG TDI Driver;C:\Windows\System32\drivers\avgtdia.sys [2013-2-14 239416]
R1 avgtp;avgtp;C:\Windows\System32\drivers\avgtpx64.sys [2012-9-5 39768]
R2 AFBAgent;AFBAgent;C:\Windows\System32\FBAgent.exe [2010-6-18 359552]
R2 ASMMAP64;ASMMAP64;C:\Program Files\ATKGFNEX\ASMMAP64.sys [2010-6-18 14904]
R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe [2013-2-27 4937264]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe [2013-2-19 282624]
R2 Belkin Local Backup Service;Belkin Local Backup Service;C:\Program Files\Belkin\Belkin USB Print and Storage Center\BkBackupScheduler.exe [2011-9-30 181760]
R2 Belkin Network USB Helper;Belkin Network USB Helper;C:\Program Files\Belkin\Belkin USB Print and Storage Center\Bkapcs.exe [2011-9-30 55296]
R2 CltMngSvc;Search Protect by Conduit Updater;C:\Program Files (x86)\SearchProtect\bin\CltMngSvc.exe [2013-3-6 93984]
R2 ConservativeTalkNow_4nService;ConservativeTalkNowService;C:\PROGRA~2\CONSER~2\bar\1.bin\4nbarsvc.exe [2012-5-30 42504]
R2 HPM1210RcvFaxSrvc;HP LaserJet Professional M1210 MFP Series Receive Fax Service;C:\Program Files\HP\HP LaserJet M1210 MFP Series\ReceiveFaxUtility.exe [2010-5-11 362296]
R2 HPSIService;HP SI Service;C:\Windows\System32\HPSIsvc.exe [2011-11-2 127800]
R2 rimspci;rimspci;C:\Windows\System32\drivers\rimspe64.sys [2012-7-6 73216]
R2 risdpcie;risdpcie;C:\Windows\System32\drivers\risdpe64.sys [2010-11-28 80384]
R2 rixdpcie;rixdpcie;C:\Windows\System32\drivers\rixdpe64.sys [2012-7-6 53760]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-12-29 383416]
R2 sxuptp;SXUPTP Driver;C:\Windows\System32\drivers\sxuptp.sys [2011-9-30 291352]
R2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-6-18 2314240]
R2 vToolbarUpdater15.0.0;vToolbarUpdater15.0.0;C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.0.0\ToolbarUpdater.exe [2013-3-25 990896]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2010-6-18 56344]
R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);C:\Windows\System32\drivers\L1C62x64.sys [2010-11-28 58880]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2012-7-6 13592]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-7-13 160944]
S3 btwampfl;Bluetooth AMP USB Filter;C:\Windows\System32\drivers\btwampfl.sys [2012-7-6 341032]
S3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\System32\drivers\btwl2cap.sys [2012-7-6 39464]
S3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;C:\Windows\System32\drivers\BVRPMPR5a64.SYS [2011-5-1 35840]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2010-6-18 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2010-6-18 79360]
S3 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2010-8-17 61792]
S3 fsssvc;Windows Live Family Safety;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2008-12-8 533344]
S3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;C:\Windows\System32\drivers\SiSG664.sys [2009-6-10 56832]
S3 SWDUMon;SWDUMon;C:\Windows\System32\drivers\SWDUMon.sys [2010-11-28 15712]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-6-23 59392]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-9-28 53760]
S3 WatAdminSvc;WatAdminSvc;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-9-11 1255736]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\System32\drivers\wdcsam64.sys [2008-5-6 14464]
.
=============== Created Last 30 ================
.
2013-04-23 22:20:01 1656680 ----a-w- C:\Windows\System32\drivers\ntfs.sys
2013-04-20 16:57:37 -------- d-----w- C:\ProgramData\CheckPoint
2013-04-09 23:13:04 3717632 ----a-w- C:\Windows\System32\mstscax.dll
2013-04-09 23:13:03 3217408 ----a-w- C:\Windows\SysWow64\mstscax.dll
2013-04-09 23:13:02 44032 ----a-w- C:\Windows\System32\tsgqec.dll
2013-04-09 23:13:02 36864 ----a-w- C:\Windows\SysWow64\tsgqec.dll
2013-04-09 23:13:02 158720 ----a-w- C:\Windows\System32\aaclient.dll
2013-04-09 23:13:02 131584 ----a-w- C:\Windows\SysWow64\aaclient.dll
2013-04-09 23:12:56 3153408 ----a-w- C:\Windows\System32\win32k.sys
2013-04-09 23:12:55 223752 ----a-w- C:\Windows\System32\drivers\fvevol.sys
2013-04-09 23:12:53 5550424 ----a-w- C:\Windows\System32\ntoskrnl.exe
2013-04-09 23:12:52 3968856 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2013-04-09 23:12:52 3913560 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2013-04-09 23:12:51 6656 ----a-w- C:\Windows\SysWow64\apisetschema.dll
2013-04-09 23:12:51 43520 ----a-w- C:\Windows\System32\csrsrv.dll
2013-04-09 23:12:51 112640 ----a-w- C:\Windows\System32\smss.exe
.
==================== Find3M  ====================
.
2013-03-26 04:28:49 15712 ----a-w- C:\Windows\System32\drivers\SWDUMon.sys
2013-03-26 03:31:57 419840 ----a-w- C:\Windows\System32\systemcpl.dll
2013-03-26 03:31:57 14848 ----a-w- C:\Windows\System32\slwga.dll
2013-03-26 03:31:57 13824 ----a-w- C:\Windows\SysWow64\slwga.dll
2013-03-26 03:31:55 833024 ----a-w- C:\Windows\SysWow64\user32.dll
2013-03-26 03:31:55 1008640 ----a-w- C:\Windows\System32\user32.dll
2013-03-25 23:59:42 39768 ----a-w- C:\Windows\System32\drivers\avgtpx64.sys
2013-03-15 00:48:13 73432 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-03-15 00:48:13 693976 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-02-28 04:55:42 45056 ----a-w- C:\Windows\System32\acovcnt.exe
2013-02-27 04:40:46 246072 ----a-w- C:\Windows\System32\drivers\avgidsdrivera.sys
2013-02-22 06:27:49 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2013-02-22 06:20:51 1392128 ----a-w- C:\Windows\System32\wininet.dll
2013-02-22 06:19:37 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2013-02-22 06:15:48 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2013-02-22 06:15:23 599040 ----a-w- C:\Windows\System32\vbscript.dll
2013-02-22 06:12:41 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2013-02-22 03:46:00 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-02-22 03:38:00 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-02-22 03:37:50 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2013-02-22 03:34:17 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2013-02-22 03:34:03 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
2013-02-22 03:31:46 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2013-02-14 08:52:46 239416 ----a-w- C:\Windows\System32\drivers\avgtdia.sys
2013-02-12 05:45:24 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
2013-02-12 05:45:22 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll
2013-02-12 05:45:22 308736 ----a-w- C:\Windows\apppatch\AppPatch64\AcGenral.dll
2013-02-12 05:45:22 111104 ----a-w- C:\Windows\apppatch\AppPatch64\acspecfc.dll
2013-02-12 04:48:31 474112 ----a-w- C:\Windows\apppatch\AcSpecfc.dll
2013-02-12 04:48:26 2176512 ----a-w- C:\Windows\apppatch\AcGenral.dll
2013-02-12 04:12:05 19968 ----a-w- C:\Windows\System32\drivers\usb8023.sys
2013-02-08 09:37:56 116536 ----a-w- C:\Windows\System32\drivers\avgmfx64.sys
2013-02-08 09:37:54 311096 ----a-w- C:\Windows\System32\drivers\avgloga.sys
2013-02-08 09:37:50 71480 ----a-w- C:\Windows\System32\drivers\avgidsha.sys
2013-02-08 09:37:42 206136 ----a-w- C:\Windows\System32\drivers\avgldx64.sys
2013-02-08 09:37:40 45880 ----a-w- C:\Windows\System32\drivers\avgrkx64.sys
.
============= FINISH:  1:04:49.62 ===============

#2 Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands

Posted 01 May 2013 - 08:17 AM

Hi sedg,

Welcome to the forum.

My name is Farbar and I accidentally saw the topic. :)

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.


#3 sedg

  • Topic Starter

  • Members
  • 6 posts
  • Gender:Male
  • Location:Pensacola, FL

Posted 01 May 2013 - 12:22 PM

Farbar,  Sorry I got your name wrong!  I looked at the wrong line at first.  Below is the paste and file.  Thanks!

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 30-04-2013 01
Ran by Tom (administrator) on 01-05-2013 12:12:43
Running from C:\Users\Tom\Desktop
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal
==================== Processes (Whitelisted) =================

(AVG Technologies CZ, s.r.o.) C:\PROGRA~2\AVG\AVG2013\avgrsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2013\avgcsrva.exe
(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(ASUSTeK Computer Inc.) C:\Windows\system32\FBAgent.exe
(ASUS) C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe
() C:\Program Files\ATKGFNEX\GFNEXSrv.exe
(Affinegy, Inc.) C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinService.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe
() C:\Program Files\Belkin\Belkin USB Print and Storage Center\BkBackupScheduler.exe
() C:\Program Files\Belkin\Belkin USB Print and Storage Center\Bkapcs.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
(Conduit) C:\Program Files (x86)\SearchProtect\bin\CltMngSvc.exe
(COMPANYVERS_NAME) C:\PROGRA~2\CONSER~2\bar\1.bin\4nbarsvc.exe
(HP) C:\Program Files\HP\HP LaserJet M1210 MFP Series\ReceiveFaxUtility.exe
(HP) C:\Windows\system32\HPSIsvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
() C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.0.0\ToolbarUpdater.exe
(ATK) C:\Program Files\P4G\BatteryLife.exe
() C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe
(ASUS) C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(ASUS) C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe
(Affinegy, Inc.) C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe
() C:\Program Files (x86)\AVG Secure Search\vprot.exe
(ASUS) C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2013\avgui.exe
(ASUS) C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe
(Belkin International, Inc.) C:\Program Files\Belkin\Belkin USB Print and Storage Center\connect.exe
(Affinegy, Inc.) C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinSetup.exe
(Affinegy, Inc.) C:\Program Files (x86)\Belkin\Router Setup and Monitor\dlnaPlugin.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe
(CyberLink) C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\system32\Macromed\Flash\FlashUtil64_11_6_602_180_ActiveX.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
(Microsoft Corporation) C:\Windows\system32\AUDIODG.EXE
(Farbar) C:\Users\Tom\Desktop\FRST64.exe

==================== Registry (Whitelisted) ==================

HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent [532040 2013-04-04] (Malwarebytes Corporation)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$6baa8318ed940bfbf294bdae71898e87\n. ATTENTION! ====> ZeroAccess
HKCU\...\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun [1475584 2010-11-20] (Microsoft Corporation)
HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent [532040 2013-04-04] (Malwarebytes Corporation)
HKLM-x32\...\Run: [InstaLAN] "C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" startup [1770400 2011-04-29] (Affinegy, Inc.)
HKLM-x32\...\Run: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe" [1219248 2013-03-25] ()
HKLM-x32\...\Run: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY [4394032 2013-03-13] (AVG Technologies CZ, s.r.o.)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://asus.msn.com
URLSearchHook: (No Name) - {752929fc-c897-4620-9fa8-0303247277e2} -  No File
URLSearchHook: (No Name) - {c846d9b8-4cc6-491e-893f-7ee1d979afa3} -  No File
HKLM-x32 SearchScopes: DefaultScope {A4FA3DC2-9874-4726-872A-9AA13D8EA459} URL =
SearchScopes: HKLM-x32 - {461fc775-35b6-4d0b-9ff3-af280bfaba83} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=YTxdm003YYus&ptnrS=YTxdm003YYus&si=CNCN_9G-qbACFaVdTAodqGIRTw&ptb=9F77B30E-9299-42A5-A195-A570687CF194&ind=2012120914&n=77ee8752&psa=&st=sb&searchfor={searchTerms}
SearchScopes: HKLM-x32 - {a5b9c0f5-5616-47cd-a95f-e43b488faccf} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?p2=^XP^xdm044^S00828^us&si=CIe779i_pq8CFWvktgodiTC9Yg&ptb=F42CDDC2-F1B8-47BB-9423-83AD44CC374F&psa=&ind=2012040820&st=sb&n=77ed4e74&searchfor={searchTerms}
HKCU SearchScopes: DefaultScope {A4FA3DC2-9874-4726-872A-9AA13D8EA459} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3287768&CUI=UN51504790917729431&UM=2
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL =
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKCU - {95B7759C-8C7F-4BF1-B163-73684A933233} URL = http://isearch.avg.com/search?cid={8C129195-29F8-4FEA-81E5-F4F714D62F29}&mid=b39159572ca647d69557d16c9557403c-b982afc7779a6d35a437dac341f39a7eaa4e0ec8&lang=en&ds=AVG&pr=fr&d=2013-03-25 18:59:56&v=15.0.0.2&pid=avg&sg=&sap=dsp&q={searchTerms}
SearchScopes: HKCU - {A4FA3DC2-9874-4726-872A-9AA13D8EA459} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3287768&CUI=UN51504790917729431&UM=2
SearchScopes: HKCU - {a5b9c0f5-5616-47cd-a95f-e43b488faccf} URL =
BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssiea.dll No File
BHO: Windows Live Family Safety Browser Helper Class - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
BHO-x32: No Name - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -  No File
BHO-x32: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} -  No File
BHO-x32: Funmoods Helper Object - {75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} - C:\Program Files (x86)\Funmoods\funmoods\1.5.12.2\bh\funmoods.dll (Funmoods BHO)
BHO-x32: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO-x32: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO-x32: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\15.0.0.2\AVG Secure Search_toolbar.dll ()
BHO-x32: Skype Browser Helper - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO-x32: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
Toolbar: HKLM-x32 - &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
Toolbar: HKLM-x32 - Funmoods Toolbar - {A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} - C:\Program Files (x86)\Funmoods\funmoods\1.5.12.2\funmoodsTlbr.dll (Funmoods)
Toolbar: HKLM-x32 - ConservativeTalkNow - {533329c9-ca91-42a2-8792-7f91c7b4172a} - C:\Program Files (x86)\ConservativeTalkNow_4n\bar\1.bin\4nbar.dll (MindSpark)
Toolbar: HKLM-x32 - AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\15.0.0.2\AVG Secure Search_toolbar.dll ()
Toolbar: HKLM-x32 - MixiDJ V4 Toolbar - {c846d9b8-4cc6-491e-893f-7ee1d979afa3} - C:\Program Files (x86)\MixiDJ_V4\prxtbMixi.dll (Conduit Ltd.)
Toolbar: HKCU - No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
Toolbar: HKCU - No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} -  No File
Toolbar: HKCU - No Name - {533329C9-CA91-42A2-8792-7F91C7B4172A} -  No File
Toolbar: HKCU - No Name - {C846D9B8-4CC6-491E-893F-7EE1D979AFA3} -  No File
PDF: HKLM-x32 {1E54D648-B804-468d-BC78-4AFFED8E262F} http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
PDF: HKLM-x32 {BEA7310D-06C4-4339-A784-DC3804819809} http://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} -  No File
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgppa.dll No File
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} -  No File
Handler-x32: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files (x86)\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
Handler-x32: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -  No File
Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~2\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL (Microsoft Corporation)
Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~2\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL (Microsoft Corporation)
Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
Handler-x32: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\15.0.0\ViProtocol.dll ()
Handler-x32: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files (x86)\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
Winsock: Catalog5 08 C:\Program Files (x86)\Bonjour\mdnsNSP.dll [20992] (Microsoft Corporation)
Winsock: Catalog5-x64 08 C:\Program Files\Bonjour\mdnsNSP.dll [132968] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1

Chrome:
=======
CHR HomePage: hxxp://search.conduit.com/?ctid=CT3287768&SearchSource=48&CUI=UN12215735652646320&UM=2
CHR RestoreOnStartup: "hxxp://search.conduit.com/?ctid=CT3287768&SearchSource=48&CUI=UN12215735652646320&UM=2"]},"spdy":{"servers":["checkout.google.com:443","ssl.gstatic.com:443","plusone.google.com:443","googleads.g.doubleclick.net:443","ssl.google-analytics.com:443","clients2.google.com:443","plus.google.com:443","apis.google.com:443","ajax.googleapis.com:443","jqueryjs.googlecode.com:443"]},"sync":{"suppress_start":true},"tabs":{"use_compact_navigation_bar":false,"use_vertical_tabs"
CHR Extension: (Funmoods) - C:\Users\Tom\AppData\Local\Google\Chrome\User Data\Default\Extensions\fdloijijlkoblmigdofommgnheckmaki\1.5.1_0
CHR Extension: (RealPlayer HTML5Video Downloader Extension) - C:\Users\Tom\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk\1.5_0
CHR Extension: (AVG Safe Search) - C:\Users\Tom\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\12.0.0.2191_0
CHR Extension: (Click to call with Skype) - C:\Users\Tom\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\5.6.0.8153_0
CHR Extension: (AVG Do Not Track) - C:\Users\Tom\AppData\Local\Google\Chrome\User Data\Default\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof\12.0.0.2166_0

==================== Services (Whitelisted) =================

R2 AffinegyService; C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinService.exe [566688 2011-04-29] (Affinegy, Inc.)
R2 ATKGFNEXSrv; C:\Program Files\ATKGFNEX\GFNEXSrv.exe [94208 2007-08-08] ()
R2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe [4937264 2013-02-27] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe [282624 2013-02-19] (AVG Technologies CZ, s.r.o.)
R2 Belkin Local Backup Service; C:\Program Files\Belkin\Belkin USB Print and Storage Center\BkBackupScheduler.exe [181760 2010-02-17] ()
R2 Belkin Network USB Helper; C:\Program Files\Belkin\Belkin USB Print and Storage Center\Bkapcs.exe [55296 2010-02-09] ()
R2 CltMngSvc; C:\Program Files (x86)\SearchProtect\bin\CltMngSvc.exe [93984 2013-03-06] (Conduit)
R2 ConservativeTalkNow_4nService; C:\PROGRA~2\CONSER~2\bar\1.bin\4nbarsvc.exe [42504 2012-05-30] (COMPANYVERS_NAME)
R2 HPM1210RcvFaxSrvc; C:\Program Files\HP\HP LaserJet M1210 MFP Series\ReceiveFaxUtility.exe [362296 2010-05-11] (HP)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 vToolbarUpdater15.0.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.0.0\ToolbarUpdater.exe [990896 2013-03-25] ()
S3 WatAdminSvc; C:\Windows\system32\Wat\WatAdminSvc.exe [1255736 2010-09-11] ()

==================== Drivers (Whitelisted) ====================

R2 ASMMAP64; C:\Program Files\ATKGFNEX\ASMMAP64.sys [14904 2007-07-24] ()
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [246072 2013-02-26] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [71480 2013-02-08] (AVG Technologies CZ, s.r.o.)
R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [206136 2013-02-08] (AVG Technologies CZ, s.r.o.)
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [311096 2013-02-08] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [116536 2013-02-08] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [45880 2013-02-08] (AVG Technologies CZ, s.r.o.)
R1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [239416 2013-02-14] (AVG Technologies CZ, s.r.o.)
R1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [39768 2013-03-25] (AVG Technologies)
R3 kbfiltr; C:\Windows\System32\DRIVERS\kbfiltr.sys [15416 2009-07-20] ( )
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
R3 SNP2UVC; C:\Windows\System32\DRIVERS\snp2uvc.sys [1806400 2009-06-05] ()
S3 SWDUMon; C:\Windows\System32\DRIVERS\SWDUMon.sys [15712 2013-03-25] ()
R2 sxuptp; C:\Windows\System32\DRIVERS\sxuptp.sys [291352 2009-06-22] (silex technology, Inc.)
S3 IntcAzAudAddService; system32\drivers\RTKVHD64.sys [x]
U3 tmlwf;
U3 tmwfp;

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-05-01 12:11 - 2013-05-01 12:11 - 01711910 ____A (Farbar) C:\Users\Tom\Desktop\FRST64.exe
2013-05-01 01:43 - 2013-05-01 01:43 - 10285040 ____A (Malwarebytes Corporation                                    ) C:\Users\Tom\Downloads\mbam-setup-1.75.0.1300.exe
2013-05-01 01:43 - 2013-05-01 01:43 - 00001111 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-05-01 01:43 - 2013-05-01 01:43 - 00000000 ____D C:\Users\Tom\AppData\Roaming\Malwarebytes
2013-05-01 01:43 - 2013-05-01 01:43 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-05-01 01:43 - 2013-04-04 14:50 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2013-05-01 01:14 - 2013-05-01 01:14 - 00000550 ____A C:\Users\Tom\Desktop\fixlist.txt
2013-05-01 01:08 - 2013-05-01 01:08 - 00000000 ____D C:\FRST
2013-05-01 01:04 - 2013-05-01 01:04 - 00022123 ____A C:\Users\Tom\Desktop\dds.txt
2013-05-01 01:04 - 2013-05-01 01:04 - 00009623 ____A C:\Users\Tom\Desktop\attach.txt
2013-05-01 01:01 - 2013-05-01 01:01 - 00688992 ____R (Swearware) C:\Users\Tom\Desktop\dds.com
2013-04-30 23:41 - 2013-04-30 23:41 - 00354299 ____A (Farbar) C:\Users\Tom\Desktop\FSS.exe
2013-04-30 21:04 - 2013-04-30 21:04 - 02496204 ____A C:\Users\Tom\Desktop\AutoRuns.arn
2013-04-30 20:35 - 2013-04-30 20:35 - 02026144 ____A ( ) C:\Users\Tom\Desktop\AVG_Autoruns_en.exe
2013-04-30 19:51 - 2013-04-30 19:51 - 00005828 ____A C:\Users\Tom\Desktop\test result.csv
2013-04-23 17:20 - 2013-04-12 09:45 - 01656680 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys
2013-04-10 21:35 - 2013-02-22 01:57 - 17817088 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-04-10 21:35 - 2013-02-22 01:29 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-04-10 21:35 - 2013-02-22 01:27 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-04-10 21:35 - 2013-02-22 01:21 - 01346560 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-04-10 21:35 - 2013-02-22 01:20 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-04-10 21:35 - 2013-02-22 01:19 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-04-10 21:35 - 2013-02-22 01:18 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-04-10 21:35 - 2013-02-22 01:17 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-04-10 21:35 - 2013-02-22 01:15 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-04-10 21:35 - 2013-02-22 01:15 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-04-10 21:35 - 2013-02-22 01:15 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-04-10 21:35 - 2013-02-22 01:14 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-04-10 21:35 - 2013-02-22 01:13 - 02147840 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-04-10 21:35 - 2013-02-22 01:13 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-04-10 21:35 - 2013-02-22 01:12 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-04-10 21:35 - 2013-02-22 01:09 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-04-10 21:35 - 2013-02-21 23:05 - 12324352 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-04-10 21:35 - 2013-02-21 22:47 - 09738752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-04-10 21:35 - 2013-02-21 22:46 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-04-10 21:35 - 2013-02-21 22:38 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-04-10 21:35 - 2013-02-21 22:38 - 01104384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-04-10 21:35 - 2013-02-21 22:37 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2013-04-10 21:35 - 2013-02-21 22:36 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2013-04-10 21:35 - 2013-02-21 22:35 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-04-10 21:35 - 2013-02-21 22:34 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-04-10 21:35 - 2013-02-21 22:34 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2013-04-10 21:35 - 2013-02-21 22:34 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2013-04-10 21:35 - 2013-02-21 22:33 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-04-10 21:35 - 2013-02-21 22:32 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-04-10 21:35 - 2013-02-21 22:31 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-04-10 21:35 - 2013-02-21 22:31 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2013-04-10 21:35 - 2013-02-21 22:28 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-04-09 18:13 - 2013-02-15 01:08 - 00044032 ____A (Microsoft Corporation) C:\Windows\System32\tsgqec.dll
2013-04-09 18:13 - 2013-02-15 01:06 - 03717632 ____A (Microsoft Corporation) C:\Windows\System32\mstscax.dll
2013-04-09 18:13 - 2013-02-15 01:02 - 00158720 ____A (Microsoft Corporation) C:\Windows\System32\aaclient.dll
2013-04-09 18:13 - 2013-02-14 23:37 - 03217408 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mstscax.dll
2013-04-09 18:13 - 2013-02-14 23:34 - 00131584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\aaclient.dll
2013-04-09 18:13 - 2013-02-14 22:25 - 00036864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tsgqec.dll
2013-04-09 18:12 - 2013-03-19 01:04 - 05550424 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-04-09 18:12 - 2013-03-19 00:46 - 00043520 ____A (Microsoft Corporation) C:\Windows\System32\csrsrv.dll
2013-04-09 18:12 - 2013-03-19 00:04 - 03968856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2013-04-09 18:12 - 2013-03-19 00:04 - 03913560 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2013-04-09 18:12 - 2013-03-18 23:47 - 00006656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\apisetschema.dll
2013-04-09 18:12 - 2013-03-18 22:06 - 00112640 ____A (Microsoft Corporation) C:\Windows\System32\smss.exe
2013-04-09 18:12 - 2013-02-28 22:36 - 03153408 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-04-09 18:12 - 2013-01-24 01:01 - 00223752 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fvevol.sys

==================== One Month Modified Files and Folders =======

2013-05-01 12:11 - 2013-05-01 12:11 - 01711910 ____A (Farbar) C:\Users\Tom\Desktop\FRST64.exe
2013-05-01 11:22 - 2009-07-14 00:13 - 00783310 ____A C:\Windows\System32\PerfStringBackup.INI
2013-05-01 01:52 - 2013-03-25 23:46 - 00000824 ____A C:\Users\Public\Desktop\CCleaner.lnk
2013-05-01 01:52 - 2013-03-25 23:46 - 00000000 ____D C:\Program Files\CCleaner
2013-05-01 01:43 - 2013-05-01 01:43 - 10285040 ____A (Malwarebytes Corporation                                    ) C:\Users\Tom\Downloads\mbam-setup-1.75.0.1300.exe
2013-05-01 01:43 - 2013-05-01 01:43 - 00001111 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-05-01 01:43 - 2013-05-01 01:43 - 00000000 ____D C:\Users\Tom\AppData\Roaming\Malwarebytes
2013-05-01 01:43 - 2013-05-01 01:43 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-05-01 01:14 - 2013-05-01 01:14 - 00000550 ____A C:\Users\Tom\Desktop\fixlist.txt
2013-05-01 01:08 - 2013-05-01 01:08 - 00000000 ____D C:\FRST
2013-05-01 01:04 - 2013-05-01 01:04 - 00022123 ____A C:\Users\Tom\Desktop\dds.txt
2013-05-01 01:04 - 2013-05-01 01:04 - 00009623 ____A C:\Users\Tom\Desktop\attach.txt
2013-05-01 01:01 - 2013-05-01 01:01 - 00688992 ____R (Swearware) C:\Users\Tom\Desktop\dds.com
2013-05-01 00:51 - 2010-06-18 18:40 - 01391500 ____A C:\Windows\WindowsUpdate.log
2013-05-01 00:45 - 2009-07-14 00:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-05-01 00:40 - 2013-03-26 00:00 - 00000448 ____A C:\Windows\setupact.log
2013-04-30 23:41 - 2013-04-30 23:41 - 00354299 ____A (Farbar) C:\Users\Tom\Desktop\FSS.exe
2013-04-30 21:04 - 2013-04-30 21:04 - 02496204 ____A C:\Users\Tom\Desktop\AutoRuns.arn
2013-04-30 20:35 - 2013-04-30 20:35 - 02026144 ____A ( ) C:\Users\Tom\Desktop\AVG_Autoruns_en.exe
2013-04-30 20:16 - 2010-06-18 18:59 - 00000000 ____D C:\Program Files (x86)\ASUS
2013-04-30 19:51 - 2013-04-30 19:51 - 00005828 ____A C:\Users\Tom\Desktop\test result.csv
2013-04-30 18:36 - 2009-07-13 23:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-04-30 18:36 - 2009-07-13 23:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-04-12 09:45 - 2013-04-23 17:20 - 01656680 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys
2013-04-10 22:05 - 2009-07-13 23:45 - 00416688 ____A C:\Windows\System32\FNTCACHE.DAT
2013-04-10 21:57 - 2013-03-26 00:00 - 00003954 ____A C:\Windows\PFRO.log
2013-04-10 21:37 - 2010-10-23 18:31 - 72702784 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-04-05 11:29 - 2012-12-11 15:09 - 00000967 ____A C:\Users\Public\Desktop\AVG 2013.lnk
2013-04-04 14:50 - 2013-05-01 01:43 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$6baa8318ed940bfbf294bdae71898e87

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-242417448-847075929-2495561732-1000\$6baa8318ed940bfbf294bdae71898e87

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$6baa8318ed940bfbf294bdae71898e87

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

Last Boot: 2013-05-01 00:09

==================== End Of Log ============================

Edited by sedg, 01 May 2013 - 12:25 PM.


#4 Farbar (Just Curious) - Security Developer, The Netherlands

Posted 01 May 2013 - 01:11 PM

  • Please go to start => Control Panel => Programs and Features and uninstall the following adware programs:
    ConservativeTalkNow Toolbar
    Funmoods on IE and Chrome
    MixiDJ V4 Toolbar
  • Download the attached fixlist.txt file and save it to the Desktop.
    NOTE. It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.
    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

#5 sedg (Topic Starter) - Pensacola, FL

Posted 01 May 2013 - 04:16 PM

Farbar, removed the 3 requested programs. Ran FRST, fixlog.txt posted below, performed a reboot:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 30-04-2013 01
Ran by Tom at 2013-05-01 16:13:12 Run:2
Running from C:\Users\Tom\Desktop
Boot Mode: Normal
==============================================

HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => Value was restored successfully.
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\\\{752929fc-c897-4620-9fa8-0303247277e2} => Value not found.
HKCR\CLSID\{752929fc-c897-4620-9fa8-0303247277e2} => Not found.
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\\\{c846d9b8-4cc6-491e-893f-7ee1d979afa3} => Value not found.
HKCR\CLSID\{c846d9b8-4cc6-491e-893f-7ee1d979afa3} => Not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\\DefaultScope => Value was restored successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{461fc775-35b6-4d0b-9ff3-af280bfaba83} => Deleted successfully.
HKCR\Wow6432Node\CLSID\{461fc775-35b6-4d0b-9ff3-af280bfaba83} => Not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{a5b9c0f5-5616-47cd-a95f-e43b488faccf} => Deleted successfully.
HKCR\Wow6432Node\CLSID\{a5b9c0f5-5616-47cd-a95f-e43b488faccf} => Not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\\DefaultScope => Value was restored successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Deleted successfully.
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64} => Deleted successfully.
HKCR\CLSID\{67A2568C-7A0A-4EED-AECC-B5405DE63B64} => Not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} => Deleted successfully.
HKCR\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} => Not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A4FA3DC2-9874-4726-872A-9AA13D8EA459} => Deleted successfully.
HKCR\CLSID\{A4FA3DC2-9874-4726-872A-9AA13D8EA459} => Not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{a5b9c0f5-5616-47cd-a95f-e43b488faccf} => Deleted successfully.
HKCR\CLSID\{a5b9c0f5-5616-47cd-a95f-e43b488faccf} => Not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} => Not found.
HKCR\Wow6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} => Not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} => Value not found.
HKCR\Wow6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} => Not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{533329c9-ca91-42a2-8792-7f91c7b4172a} => Value not found.
HKCR\Wow6432Node\CLSID\{533329c9-ca91-42a2-8792-7f91c7b4172a} => Not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{c846d9b8-4cc6-491e-893f-7ee1d979afa3} => Value not found.
HKCR\Wow6432Node\CLSID\{c846d9b8-4cc6-491e-893f-7ee1d979afa3} => Not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} => Value deleted successfully.
HKCR\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} => Not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{533329C9-CA91-42A2-8792-7F91C7B4172A} => Value not found.
HKCR\CLSID\{533329C9-CA91-42A2-8792-7F91C7B4172A} => Not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{C846D9B8-4CC6-491E-893F-7EE1D979AFA3} => Value not found.
HKCR\CLSID\{C846D9B8-4CC6-491E-893F-7EE1D979AFA3} => Not found.
C:\Users\Tom\AppData\Local\Google\Chrome\User Data\Default\Extensions\fdloijijlkoblmigdofommgnheckmaki => Moved successfully.
CltMngSvc => Service deleted successfully.
ConservativeTalkNow_4nService => Service not found.
C:\$Recycle.Bin\S-1-5-18\$6baa8318ed940bfbf294bdae71898e87 => Moved successfully.
C:\$Recycle.Bin\S-1-5-21-242417448-847075929-2495561732-1000\$6baa8318ed940bfbf294bdae71898e87 => Moved successfully.
C:\$Recycle.Bin\S-1-5-21-242417448-847075929-2495561732-1000 => Moved successfully.
C:\Program Files (x86)\Funmoods => File not found.
C:\Program Files (x86)\ConservativeTalkNow_4n => File not found.
C:\Program Files (x86)\MixiDJ_V4 => File not found.

The system needs a manual reboot.

==== End of Fixlog ====



#6 Farbar (Just Curious) - Security Developer, The Netherlands

Posted 01 May 2013 - 04:55 PM

Well done.
  • Restart the computer once if you have not already restarted it after the fix.
  • Download the attached fixlist.txt file and save it to the Desktop.
    NOTE. It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.
  • Please download AdwCleaner and save it to your desktop.
    • Close all open programs.
    • Double click on AdwCleaner.exe to run it.
    • Click on Delete and confirm the prompt.
    • After it is finished the computer will be restarted. A text file will open after the restart.
    • Please post the content of that log to your reply.
    • A copy of the log will be saved at C:\AdwCleaner[S1].txt.

#7 sedg (Topic Starter) - Pensacola, FL

Posted 01 May 2013 - 08:52 PM

Farbar, when I ran AdwCleaner, AVG Free popped up and wanted to delete it. I ignored AVG Free and ran AdwCleaner anyway. Below are the files with the results. Sending this to you even though it is early in the morning for you. At least AVG is not popping up with a Trojan warning message when rebooting, so you must be getting closer to resolution. Got to like that!

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 30-04-2013 01
Ran by Tom at 2013-05-01 19:31:57 Run:3
Running from C:\Users\Tom\Desktop
Boot Mode: Normal
==============================================

C:\Program Files (x86)\SearchProtect\bin\CltMngSvc.exe => Moved successfully.

=========  rd /q/s c:\frst\quarantine =========

c:\frst\quarantine\$6BAA8~1 - The directory is not empty.

========= End of CMD: =========

========================= Folder: c:\frst\quarantine ========================

====== End of Folder: ======

==== End of Fixlog ====

# AdwCleaner v2.300 - Logfile created 05/01/2013 at 19:35:57
# Updated 28/04/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Tom - SPRINT
# Boot Mode : Normal
# Running from : C:\Users\Tom\Desktop\adwcleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

Deleted on reboot : C:\Program Files (x86)\Common Files\AVG Secure Search
File Deleted : C:\END
File Deleted : C:\user.js
Folder Deleted : C:\Program Files (x86)\AVG Secure Search
Folder Deleted : C:\Program Files (x86)\Conduit
Folder Deleted : C:\Program Files (x86)\SearchProtect
Folder Deleted : C:\Program Files\DomaIQ Uninstaller
Folder Deleted : C:\ProgramData\AVG Secure Search
Folder Deleted : C:\ProgramData\Partner
Folder Deleted : C:\Users\Tom\AppData\Local\AVG Secure Search
Folder Deleted : C:\Users\Tom\AppData\Local\Conduit
Folder Deleted : C:\Users\Tom\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla
Folder Deleted : C:\Users\Tom\AppData\LocalLow\AVG Secure Search
Folder Deleted : C:\Users\Tom\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Tom\AppData\LocalLow\Funmoods
Folder Deleted : C:\Users\Tom\AppData\Roaming\SearchProtect

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\AppDataLow\Software\Crossrider
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKCU\Software\AVG Secure Search
Key Deleted : HKCU\Software\IGearSettings
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{04D2B915-19FF-41E9-994D-95DC898BEA43}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\SearchProtect
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\Software\AVG Secure Search
Key Deleted : HKLM\Software\AVG Security Toolbar
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI.1
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj.1
Key Deleted : HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\viprotocol
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3287768
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\I Want This_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\I Want This_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
Key Deleted : HKLM\Software\SearchProtect
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\fdloijijlkoblmigdofommgnheckmaki
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{65BCD620-07DD-012F-819F-073CF1B8F7C6}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DomaIQ Uninstaller
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{23119123-0854-469D-807A-171568457991}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F25AF245-4A81-40DC-92F9-E9021F207706}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\New Windows\Allow [*.crossrider.com]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow [*.crossrider.com]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]
Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [Avg@toolbar]
Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{95B7759C-8C7F-4BF1-B163-73684A933233}]

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16476

[OK] Registry is clean.

-\\ Google Chrome v25.0.1364.172

File : C:\Users\Tom\AppData\Local\Google\Chrome\User Data\Default\Preferences

Deleted [l.1] : icon_url ={"apps_promo_counter":11,"autofill":{"enabled":false},"bookmark_bar":{"show_on_all_tabs":true},"brow[...]

*************************

AdwCleaner[S1].txt - [7378 octets] - [01/05/2013 19:35:57]

########## EOF - C:\AdwCleaner[S1].txt - [7438 octets] ##########



#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:32 PM

Posted 02 May 2013 - 04:55 AM

The infection is taken care of. We are doing some additional cleaning and checking.
  • Please download the attached file fixlist.txt (121 bytes).

    Run FRST and press the Fix button just once and wait.
    The tool will make a log (Fixlog.txt); please post it in your reply.
  • Run CCleaner (make sure that under the Windows tab all the boxes for Internet Explorer and Windows Explorer are checked except for saved passwords. Under System, check Empty Recycle Bin and Temporary Files.
    Under the Applications tab all the boxes should be checked except any option to remove saved passwords.)
  • Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Full Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.


#9 sedg

sedg
  • Topic Starter

  • Members
  • 6 posts
  • Gender:Male
  • Location:Pensacola, FL
  • Local time:03:32 PM

Posted 02 May 2013 - 10:14 AM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 30-04-2013 01
Ran by Tom at 2013-05-02 09:03:38 Run:4
Running from C:\Users\Tom\Desktop
Boot Mode: Normal
==============================================

========================= Folder: c:\frst\quarantine ========================

====== End of Folder: ======

=========  dir /a/s c:\frst\quarantine =========

 Volume in drive C is OS
 Volume Serial Number is 5EB0-2B91

 Directory of c:\frst\quarantine

05/01/2013  07:31 PM    <DIR>          .
05/01/2013  07:31 PM    <DIR>          ..
05/01/2013  04:13 PM    <DIR>          $6baa8318ed940bfbf294bdae71898e87
               0 File(s)              0 bytes

     Total Files Listed:
               0 File(s)              0 bytes
               3 Dir(s)  25,017,757,696 bytes free

========= End of CMD: =========

=========  rd /q/s c:\frst\quarantine =========

c:\frst\quarantine\$6BAA8~1 - The directory is not empty.

========= End of CMD: =========

========================= Folder: c:\frst\quarantine ========================

====== End of Folder: ======

==== End of Fixlog ====

Results of CCleaner

CLEANING COMPLETE - (56.975 secs)
------------------------------------------------------------------------------------------
790 MB removed.
------------------------------------------------------------------------------------------

NOTE: While running Malwarebytes, AVG popped up and detected two Trojan Horses under C:\FRST. I assume this is to be expected, so I just closed AVG without isolating the threat.

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.05.02.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Tom :: SPRINT [administrator]

Protection: Enabled

5/2/2013 9:14:47 AM
mbam-log-2013-05-02 (09-14-47).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 355073
Time elapsed: 48 minute(s), 46 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011221158} (Adware.GamePlayLab) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 2
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Funmoods (PUP.FunMoods) -> Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Funmoods\Funmoods (PUP.FunMoods) -> Quarantined and deleted successfully.

Files Detected: 0
(No malicious items detected)

(end)



#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:32 PM

Posted 02 May 2013 - 12:04 PM

Thanks for the detailed feedback. I'm not sure if AVG prevented the fix by blocking the malware folder that we moved to the Quarantine folder. Let's try this once more.

Please download the attached file fixlist.txt (149 bytes).

Run the fix with FRST once more and post the log.


#11 sedg

sedg
  • Topic Starter

  • Members
  • 6 posts
  • Gender:Male
  • Location:Pensacola, FL
  • Local time:03:32 PM

Posted 02 May 2013 - 05:27 PM

Farbar, a conflicting action was seen on the desktop while running FRST. I tried to attach an MS Word screenshot file of what I saw while running the FRST program, but the upload was denied. The log says the C:\FRST\quarantine directory was removed. Upon checking C:\FRST I find that the quarantine directory has been removed. The log file pasted below seems to prove removal has been accomplished.

I am going to close AVG with no action taken. We are close to being done. I want to thank you again for your attention to this matter. It seems you are a great help to many on bleepingcomputer.com. Thanks for all that you do!

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 30-04-2013 01
Ran by Tom at 2013-05-02 17:13:10 Run:5
Running from C:\Users\Tom\Desktop
Boot Mode: Normal
==============================================

permissions for c:\frst\quarantine\$6baa8318ed940bfbf294bdae71898e87 restored successfully

========================= Folder: c:\frst\quarantine ========================

2013-04-21 00:20 - 2013-04-21 00:20 - 0002048 __ASH () c:\frst\quarantine\$6baa8318ed940bfbf294bdae71898e87\@
2013-04-21 00:20 - 2013-04-21 00:20 - 0042496 __ASH () c:\frst\quarantine\$6baa8318ed940bfbf294bdae71898e87\n
2013-04-20 11:25 - 2013-04-20 11:25 - 0002048 __ASH () c:\frst\quarantine\$6baa8318ed940bfbf294bdae71898e87\$6baa8318ed940bfbf294bdae71898e87\@
2013-04-20 11:25 - 2013-04-20 11:25 - 0042496 __ASH () c:\frst\quarantine\$6baa8318ed940bfbf294bdae71898e87\$6baa8318ed940bfbf294bdae71898e87\n

====== End of Folder: ======

=========  rd /q/s c:\frst\quarantine =========

========= End of CMD: =========

========================= Folder: c:\frst\quarantine ========================

Directory Not Found

====== End of Folder: ======

==== End of Fixlog ====


#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:32 PM

Posted 03 May 2013 - 02:06 AM

Thanks for the feedback and your kind words.

Indeed the malware folder was locked and we removed it by unlocking it. From now on let AVG do its thing, as we are done.
  • Please delete the FRST tool as we don't need it any more. Also go to C:\FRST and delete the entire FRST folder.
  • You may delete any tool or log we used from your computer.
  • Remove the old restore points and create a new restore point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Setting a new restore point AFTER cleaning your system will enable your computer to "roll back" to a clean working state if needed.
    • Go to Start => Right-click "Computer" and select "Properties".
    • In the left pane select "System Protection".
    • Press "Configure".
    • Select "Delete", then press "Continue", "Close" and "OK".
    • Select your drive (drive C) and press "Create".
      Fill in a name for the restore point and press "Create".
      After it has finished press "Close".
Take care sedg. :)
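
Added example (not part of the thread, and not Farbar's or FRST's code): the closing procedure from the post above as one Windows PowerShell script. It assumes Windows 7 x64, an elevated Windows PowerShell prompt, and that the leftover tool folder is C:\FRST as in the logs; $Target, the function names and the restore-point description are the example's own choices. Remove-LockedFolder does by hand what the Run:5 Fixlog shows FRST doing: the Run:4 "rd /q/s" failed with "The directory is not empty" on a subfolder of hidden/system (__ASH) files whose permissions had been altered, and the second fix logged "permissions ... restored successfully" before the rd succeeded. It uses only the built-in takeown, icacls and attrib tools. Reset-RestorePoints covers the System Protection steps (delete old restore points, create a fresh one).

```powershell
# Added example, not from the thread or from FRST. Assumes Windows 7 x64, an
# elevated Windows PowerShell prompt, and the tool folder C:\FRST from the logs.
$Target = 'C:\FRST'

function Show-LockedEntries {
    # Same view as "dir /a/s": every entry including hidden/system ones, so the
    # files that make a plain "rd /q/s" fail are visible before anything is touched.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    Get-ChildItem -LiteralPath $Path -Recurse -Force |
        Select-Object FullName, Attributes, Length
}

function Remove-LockedFolder {
    # 1. take ownership, 2. reset the ACLs, 3. clear the System/Hidden/ReadOnly
    # flags, and only then remove the tree. Returns $true when the folder is gone.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $true }

    # 1. Ownership. "/D Y" answers the prompt takeown raises for folders the
    #    current user cannot even list (the answer letter is locale dependent).
    & takeown.exe /F $Path /R /D Y | Out-Null

    # 2. Replace any hand-crafted DACL with the default inherited one,
    #    continuing past entries that still error (/C) and staying quiet (/Q).
    & icacls.exe $Path /reset /T /C /Q | Out-Null

    # 3. Clear ReadOnly/System/Hidden on the folder and everything below it.
    & attrib.exe -r -s -h "$Path\*" /S /D
    & attrib.exe -r -s -h $Path

    try {
        Remove-Item -LiteralPath $Path -Recurse -Force -ErrorAction Stop
    } catch {
        Write-Warning "Remove-Item failed: $($_.Exception.Message)"
    }
    return -not (Test-Path -LiteralPath $Path)
}

function Reset-RestorePoints {
    # Equivalent of the System Protection steps: drop every old restore point
    # (they may hold copies of the removed files), then create a fresh one.
    # Note: this deletes all shadow copies on the drive, including the
    # "Previous Versions" of ordinary files.
    param([string]$Drive = 'C:')
    & vssadmin.exe delete shadows "/for=$Drive" /all /quiet | Out-Null
    Enable-ComputerRestore -Drive "$Drive\"
    Checkpoint-Computer -Description 'Clean baseline after malware removal' `
                        -RestorePointType MODIFY_SETTINGS
    Get-ComputerRestorePoint | Select-Object SequenceNumber, Description, CreationTime
}

Show-LockedEntries -Path $Target
if (Remove-LockedFolder -Path $Target) {
    Write-Host "$Target removed."
    Reset-RestorePoints -Drive 'C:'
} else {
    Write-Warning "$Target still present; re-run elevated, or from Safe Mode."
}
```

Run it only once the helper has declared the machine clean, as the post above does. If real-time AV (AVG in this thread) seizes files in the folder mid-removal, Remove-Item can fail and the folder survives; let the AV finish, then re-run, or run from Safe Mode. On Windows 8 and later, Checkpoint-Computer refuses to create more than one restore point per 24 hours; that limit does not apply to the Windows 7 machine here.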

#13 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:32 PM

Posted 06 May 2013 - 05:07 AM

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a Private Message and I will reopen it for you.

If you should have a new issue, please start a new topic.

Everyone else should start a new topic.