
AVG detected 2x Trojan Horse Generic29.AJGE


This topic is locked
9 replies to this topic

#1 Jalexander

Posted 06 May 2013 - 07:39 AM

Last night my AVG Free piped up claiming that 2 Trojan Horse Generic29.AJGE viruses had been detected and could not be removed by the software. Since then I have tried many different solutions that people have posted on the internet, but to no avail: this thing will just not go away!

 

EDIT: This is what AVG is saying about them:

 

Detection name: Trojan horse Generic29.AJGE

Description: c:\$Recycle.Bin\S-1-5-18\$35d59ab0ddcae84948f3b4dc0bfd8615\n

Severity: High

State: Infected

Source: Resident Shield

Date: 06/05/2013, 13:46:30

 

Extended element information:

Process name: C\Program Files (x86)\Malwarebytes' Anti-MAlware/mbam.exe

Process ID: 4292

Created: 06/05/2013, 13:46:30

Username:

Session ID: 4292

 

I downloaded Malwarebytes (I was surprised that I didn't have it installed already, but hey ho) and performed a quick scan. It did find something, but it clearly wasn't anything to do with the trojans, as they are still here!

 

I can see that there are other threads concerning this same problem, but thought it would be wise to begin my own concerning my problem specifically, as it seems possible to me that I might not be having the EXACT same problem as somebody else and my problem will be resolved more efficiently if I can get some one-on-one advice concerning my specific issues. 

 

Since the Trojans appeared, my genuine version of Windows 7 is now claiming that it is not genuine after a restart. Great... 

 

I have read the "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help" thread and have begun a backup of my most important directories (music, pictures, video, emails, important word docs) over the network onto our Home Theatre PC in the other room (I don't own an external HDD or a CD with enough space) using Cobian Backup 11 (Gravity). I will be buying a sufficient external HDD after this episode, however...

 

When I go to check out my firewall it is telling me that "Windows firewall is not using the recommended settings to protect your computer", but when I click to "use recommended settings" I get the error message "Windows firewall can't change some of your settings. Error code 0x80070424". I can only assume the trojan is causing this (I have never seen this happen before).

 

 

DDS.txt log:

 

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16537 BrowserJavaVersion: 1.6.0_31
Run by James at 13:22:50 on 2013-05-06
Microsoft Windows 7 Professional 6.1.7601.1.1252.44.1033.18.8169.5003 [GMT 1:00]
.
AV: AVG AntiVirus Free Edition 2013 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AVG AntiVirus Free Edition 2013 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
.
============== Running Processes ===============
.
C:\PROGRA~2\AVG\AVG2013\avgrsa.exe
C:\Program Files (x86)\AVG\AVG2013\avgcsrva.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\ASUS\AXSP\1.00.13\atkexComSvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\ASUS\AI Suite II\AsRoutineController.exe
C:\Program Files (x86)\ASUS\AI Suite II\DIGI+ VRM\VRMHelp.exe
c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
C:\Program Files (x86)\ASUS\AAHM\1.00.14\aaHMSvc.exe
C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe
C:\Program Files (x86)\Bluetooth Suite\adminservice.exe
C:\Program Files (x86)\ASUS\AI Suite II\ASUS Mobilink\iPhone Simulator\pnSvc.exe
C:\Program Files (x86)\ASUS\AI Suite II\ASUS Mobilink\Simulator\EC Simulator.exe
C:\Program Files (x86)\ASUS\AI Suite II\TurboV EVO\TurboVHelp.exe
C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe
C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\IProsetMonitor.exe
C:\Program Files (x86)\Kodak\AiO\Center\EKAiOHostService.exe
C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKPrinterSDK.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Microsoft LifeCam\MSCamS64.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe
C:\Program Files (x86)\AVG\AVG2013\avgemca.exe
C:\Program Files (x86)\ASUS\AI Suite II\EPU\EPUHelp.exe
C:\Program Files (x86)\ASUS\AI Suite II\AI Suite II.exe
C:\Program Files (x86)\ASUS\AI Suite II\Sensor\AlertHelper\AlertHelper.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe
C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe
C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKStatusMonitor.exe
C:\Program Files (x86)\AVG\AVG2013\avgui.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Opera\opera.exe
C:\Windows\SysWOW64\notepad.exe
C:\Program Files (x86)\AVG\AVG2013\avgcsrva.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files (x86)\Cobian Backup 11\cbVSCService11.exe
C:\Program Files (x86)\Cobian Backup 11\Cobian.exe
C:\Program Files (x86)\Cobian Backup 11\cbInterface.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&CUI=UN40548647925103805&ctid=CT3272810
mWinlogon: Userinit = userinit.exe,
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: CIESpeechBHO Class: {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} - C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\14.2.0.1\AVG Secure Search_toolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: <No Name>: {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - LocalServer32 - <no file>
TB: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\14.2.0.1\AVG Secure Search_toolbar.dll
uRun: [HydraVisionDesktopManager] "C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe"
mRun: [Conime] C:\Windows\System32\conime.exe
mRun: [EKStatusMonitor] C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKStatusMonitor.exe
mRun: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY
dRunOnce: [KodakHomeCenter] "C:\Program Files (x86)\Kodak\AiO\Center\AiOHomeCenter.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
IE: {7815BE26-237D-41A8-A98F-F7BD75F71086} - {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} - C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{4642D0FF-A2FF-41BB-B24E-A800E17CD033} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{53F8B202-347C-49BE-B6D9-A067D8DFEB55} : DHCPNameServer = 192.168.42.129
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\14.2.0\ViProtocol.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
x64-BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - <orphaned>
x64-Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 AiChargerPlus;ASUS Charger Plus Driver;C:\Windows\System32\drivers\AiChargerPlus.sys [2011-10-28 14464]
R0 AVGIDSHA;AVGIDSHA;C:\Windows\System32\drivers\avgidsha.sys [2013-2-8 71480]
R0 Avgloga;AVG Logging Driver;C:\Windows\System32\drivers\avgloga.sys [2013-2-8 311096]
R0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\System32\drivers\avgmfx64.sys [2013-2-8 116536]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\System32\drivers\avgrkx64.sys [2013-2-8 45880]
R0 DSFKSVCS;Kernel Services for DSF;C:\Windows\System32\drivers\dsfksvcs.sys [2010-2-8 676232]
R0 dsfroot;root enumerated bus driver;C:\Windows\System32\drivers\dsfroot.sys [2010-2-8 35832]
R1 AVGIDSDriver;AVGIDSDriver;C:\Windows\System32\drivers\avgidsdrivera.sys [2013-2-26 246072]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\System32\drivers\avgldx64.sys [2013-2-8 206136]
R1 Avgtdia;AVG TDI Driver;C:\Windows\System32\drivers\avgtdia.sys [2013-2-14 239416]
R1 avgtp;avgtp;C:\Windows\System32\drivers\avgtpx64.sys [2013-1-20 39768]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2012-12-19 240640]
R2 asComSvc;ASUS Com Service;C:\Program Files (x86)\ASUS\AXSP\1.00.13\atkexComSvc.exe [2010-11-3 918144]
R2 asHmComSvc;ASUS HM Com Service;C:\Program Files (x86)\ASUS\AAHM\1.00.14\aaHMSvc.exe [2010-12-2 915584]
R2 AsSysCtrlService;ASUS System Control Service;C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe [2011-10-28 586880]
R2 AtherosSvc;AtherosSvc;C:\Program Files (x86)\Bluetooth Suite\AdminService.exe [2010-10-27 52896]
R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe [2013-2-27 4937264]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe [2013-2-19 282624]
R2 cbVSCService11;Cobian Backup 11 Volume Shadow Copy Requester;C:\Program Files (x86)\Cobian Backup 11\cbVSCService11.exe [2013-5-6 67584]
R2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;C:\Windows\System32\IPROSetMonitor.exe [2011-10-27 133800]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;C:\Program Files (x86)\Kodak\AiO\Center\EKAiOHostService.exe [2012-10-19 395200]
R2 Kodak AiO Status Monitor Service;Kodak AiO Status Monitor Service;C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKPrinterSDK.exe [2012-10-15 779200]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-5-6 418376]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-5-6 701512]
R2 vToolbarUpdater14.2.0;vToolbarUpdater14.2.0;C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe [2013-2-18 968880]
R3 asmthub3;ASMedia USB3 Hub Service;C:\Windows\System32\drivers\asmthub3.sys [2012-2-21 130536]
R3 asmtxhci;ASMEDIA XHCI Service;C:\Windows\System32\drivers\asmtxhci.sys [2012-2-21 396776]
R3 AthBTPort;Atheros Virtual Bluetooth Class;C:\Windows\System32\drivers\btath_flt.sys [2010-10-27 38248]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2012-11-6 96256]
R3 BTATH_A2DP;Bluetooth A2DP Audio Driver;C:\Windows\System32\drivers\btath_a2dp.sys [2010-10-27 301680]
R3 BTATH_BUS;Atheros Bluetooth Bus;C:\Windows\System32\drivers\btath_bus.sys [2010-10-27 31080]
R3 BTATH_HCRP;Bluetooth HCRP Server driver;C:\Windows\System32\drivers\btath_hcrp.sys [2010-10-27 203624]
R3 BTATH_LWFLT;Bluetooth LWFLT Device;C:\Windows\System32\drivers\btath_lwflt.sys [2010-10-27 58992]
R3 BTATH_RCP;Bluetooth AVRCP Device;C:\Windows\System32\drivers\btath_rcp.sys [2010-10-27 156520]
R3 BtFilter;BtFilter;C:\Windows\System32\drivers\btfilter.sys [2010-10-27 279152]
R3 HRMCFGSPC;DSF General Configuration Space Redirection Module;C:\Windows\System32\drivers\hrmcfgspc.sys [2010-2-8 133512]
R3 ICCWDT;Intel® Watchdog Timer Driver (Intel® WDT);C:\Windows\System32\drivers\ICCWDT.sys [2010-8-17 26136]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2013-5-6 25928]
R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;C:\Windows\System32\drivers\nx6000.sys [2010-12-13 36720]
R3 softehci;Microsoft USB 2.0 Enhanced Host Controller Interface (EHCI) Simulator Driver";C:\Windows\System32\drivers\softehci.sys [2010-2-8 366592]
R3 usbehci_dsf;Microsoft DSF-enabled USB 2.0 Enhanced Host Controller Interface (EHCI) Miniport Driver;C:\Windows\System32\drivers\usbehci_dsf.sys [2010-2-8 52736]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-1-8 161536]
S3 ATHDFU;Atheros Valkyrie USB BootROM;C:\Windows\System32\drivers\AthDfu.sys [2010-10-27 55336]
S3 ggflt;SEMC USB Flash Driver Filter;C:\Windows\System32\drivers\ggflt.sys [2012-4-4 13352]
S3 HRMINTS;DSF Interrupt Redirection Module;C:\Windows\System32\drivers\hrmints.sys [2010-2-8 128504]
S3 HRMPORTS;DSF IO Port Redirection Module;C:\Windows\System32\drivers\hrmports.sys [2010-2-8 148360]
S3 SOFTHIDUSBK;USB HID Layer;C:\Windows\System32\drivers\softhidusbk.sys [2010-2-8 206848]
S3 SOFTUSBK;Generic USB device;C:\Windows\System32\drivers\softusbk.sys [2010-2-8 675328]
S3 Sony PC Companion;Sony PC Companion;C:\Program Files (x86)\Sony\Sony PC Companion\PCCService.exe [2012-4-4 155320]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 27136]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-10-29 59392]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\WAT\WatAdminSvc.exe [2011-10-29 1255736]
.
=============== Created Last 30 ================
.
2013-05-06 11:36:18 -------- d-----w- C:\Program Files (x86)\Cobian Backup 11
2013-05-06 10:38:42 -------- d-----w- C:\Users\James\AppData\Roaming\Malwarebytes
2013-05-06 10:38:35 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2013-05-06 10:38:35 -------- d-----w- C:\ProgramData\Malwarebytes
2013-05-06 10:38:35 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-05-06 10:38:26 -------- d-----w- C:\Users\James\AppData\Local\Programs
2013-04-29 17:02:22 -------- d-----w- C:\Automation
2013-04-26 15:59:58 163504 ----a-w- C:\ProgramData\Microsoft\Windows\Sqm\Manifest\Sqm10144.bin
2013-04-24 16:17:50 1656680 ----a-w- C:\Windows\System32\drivers\ntfs.sys
2013-04-11 16:08:18 44032 ----a-w- C:\Windows\System32\tsgqec.dll
2013-04-11 16:08:18 3717632 ----a-w- C:\Windows\System32\mstscax.dll
2013-04-11 16:08:18 36864 ----a-w- C:\Windows\SysWow64\tsgqec.dll
2013-04-11 16:08:18 3217408 ----a-w- C:\Windows\SysWow64\mstscax.dll
2013-04-11 16:08:18 158720 ----a-w- C:\Windows\System32\aaclient.dll
2013-04-11 16:08:18 131584 ----a-w- C:\Windows\SysWow64\aaclient.dll
2013-04-11 16:08:14 3153408 ----a-w- C:\Windows\System32\win32k.sys
2013-04-11 16:07:40 223752 ----a-w- C:\Windows\System32\drivers\fvevol.sys
2013-04-11 16:07:37 5550424 ----a-w- C:\Windows\System32\ntoskrnl.exe
2013-04-11 16:07:37 3913560 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2013-04-11 16:07:36 6656 ----a-w- C:\Windows\SysWow64\apisetschema.dll
2013-04-11 16:07:36 43520 ----a-w- C:\Windows\System32\csrsrv.dll
2013-04-11 16:07:36 3968856 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2013-04-11 16:07:36 112640 ----a-w- C:\Windows\System32\smss.exe
.
==================== Find3M ====================
.
2013-04-22 18:11:50 282296 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
2013-04-22 18:11:50 282296 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2013-04-22 18:10:20 215128 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
2013-04-06 10:21:49 76888 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe
2013-04-06 09:32:07 2434856 ----a-w- C:\Windows\SysWow64\pbsvc_bc2.exe
2013-03-06 20:42:54 49152 ----a-r- C:\Windows\SysWow64\inetwh32.dll
2013-03-06 20:42:54 1044480 ----a-r- C:\Windows\SysWow64\roboex32.dll
2013-02-26 22:40:46 246072 ----a-w- C:\Windows\System32\drivers\avgidsdrivera.sys
2013-02-21 10:30:16 1766912 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-02-21 10:29:39 2877440 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-02-21 10:29:37 61440 ----a-w- C:\Windows\SysWow64\iesetup.dll
2013-02-21 10:29:37 109056 ----a-w- C:\Windows\SysWow64\iesysprep.dll
2013-02-21 10:15:07 2240512 ----a-w- C:\Windows\System32\wininet.dll
2013-02-21 10:14:09 3958784 ----a-w- C:\Windows\System32\jscript9.dll
2013-02-21 10:14:05 67072 ----a-w- C:\Windows\System32\iesetup.dll
2013-02-21 10:14:05 136704 ----a-w- C:\Windows\System32\iesysprep.dll
2013-02-19 18:22:12 71024 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-02-19 18:22:12 691568 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-02-19 12:01:03 2706432 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2013-02-19 11:42:14 2706432 ----a-w- C:\Windows\System32\mshtml.tlb
2013-02-19 11:10:53 71680 ----a-w- C:\Windows\SysWow64\RegisterIEPKEYs.exe
2013-02-19 10:51:18 89600 ----a-w- C:\Windows\System32\RegisterIEPKEYs.exe
2013-02-18 19:17:31 39768 ----a-w- C:\Windows\System32\drivers\avgtpx64.sys
2013-02-14 02:52:46 239416 ----a-w- C:\Windows\System32\drivers\avgtdia.sys
2013-02-12 05:45:24 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
2013-02-12 05:45:22 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll
2013-02-12 05:45:22 308736 ----a-w- C:\Windows\apppatch\AppPatch64\AcGenral.dll
2013-02-12 05:45:22 111104 ----a-w- C:\Windows\apppatch\AppPatch64\acspecfc.dll
2013-02-12 04:48:31 474112 ----a-w- C:\Windows\apppatch\AcSpecfc.dll
2013-02-12 04:48:26 2176512 ----a-w- C:\Windows\apppatch\AcGenral.dll
2013-02-12 04:12:06 19968 ----a-w- C:\Windows\System32\drivers\usb8023x.sys
2013-02-12 04:12:05 19968 ----a-w- C:\Windows\System32\drivers\usb8023.sys
2013-02-08 03:37:56 116536 ----a-w- C:\Windows\System32\drivers\avgmfx64.sys
2013-02-08 03:37:54 311096 ----a-w- C:\Windows\System32\drivers\avgloga.sys
2013-02-08 03:37:50 71480 ----a-w- C:\Windows\System32\drivers\avgidsha.sys
2013-02-08 03:37:42 206136 ----a-w- C:\Windows\System32\drivers\avgldx64.sys
2013-02-08 03:37:40 45880 ----a-w- C:\Windows\System32\drivers\avgrkx64.sys
.
============= FINISH: 13:23:24.63 ===============

 

 

 

I hope that I have given you enough information here to make this as easy as possible to solve, and I honestly can't thank whoever takes this on enough, as I am close to just reformatting/cleaning everything and (hopefully) being done with it! However, for now I shall request the help of those who know much more about these things than I do!

 

Many thanks in advance,

 

James



Edited by Jalexander, 06 May 2013 - 07:56 AM.
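As an added triage example (not code from this thread, from AVG, or from Farbar's tools), here is a small Python script that scans DDS/FRST-style log lines for three things that are visible in the logs posted in this thread: a file or COM server loaded from under $Recycle.Bin, UAC policy values set to 0, and a security provider reported as disabled. The check list, the regexes and the sample lines are my own assumptions, modelled on the output pasted above.

```python
import re

# UAC policy values as DDS prints them ("mPolicies-System: <name> = dword:<decimal>").
# Each entry: value name -> (setting that weakens UAC, what that setting means).
# This check list is an assumption of this example, not something DDS or FRST flags itself.
UAC_WEAK_VALUES = {
    "EnableLUA": (0, "UAC switched off completely"),
    "ConsentPromptBehaviorAdmin": (0, "administrators elevate with no prompt at all"),
    "PromptOnSecureDesktop": (0, "elevation prompts no longer use the secure desktop"),
}

POLICY_RE = re.compile(r"^[mu]Policies-System:\s*(?P<name>\w+)\s*=\s*dword:(?P<value>\d+)")
# A Windows path into $Recycle.Bin\<SID>\...: drive letter, the $Recycle.Bin folder, a SID
# directory, then the rest of the path. Matches the path in the AVG alert and the
# InprocServer32 lines that FRST marks as ZeroAccess later in this thread.
RECYCLE_PATH_RE = re.compile(r'[A-Za-z]:\\\$Recycle\.Bin\\S-1-5-[\d-]+\\[^\s"]+', re.IGNORECASE)
# DDS header lines: "AV:", "SP:" or "FW:", the product name, then its state between asterisks.
PROVIDER_RE = re.compile(r"^(?P<kind>AV|SP|FW):\s*(?P<name>.+?)\s*\*(?P<state>[^*]+)\*")

# Constructed sample, modelled on the DDS and FRST lines in this thread (not a real log).
SAMPLE_LOG = r"""AV: AVG AntiVirus Free Edition 2013 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
Description: c:\$Recycle.Bin\S-1-5-18\$35d59ab0ddcae84948f3b4dc0bfd8615\n
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
mRun: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$35d59ab0ddcae84948f3b4dc0bfd8615\n. ATTENTION! ====> ZeroAccess
"""


def triage(log_text):
    """Return one finding dict {line, kind, detail} per suspicious log line."""
    findings = []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            name, value = m.group("name"), int(m.group("value"))
            if name in UAC_WEAK_VALUES and value == UAC_WEAK_VALUES[name][0]:
                findings.append({"line": lineno, "kind": "uac",
                                 "detail": f"{name}={value}: {UAC_WEAK_VALUES[name][1]}"})
            continue
        m = RECYCLE_PATH_RE.search(line)
        if m:
            # No normal install registers a COM server or keeps executable code under
            # $Recycle.Bin\<SID>. The trailing "." on FRST lines is punctuation, not path.
            findings.append({"line": lineno, "kind": "recycle-bin-load",
                             "detail": m.group(0).rstrip(".")})
            continue
        m = PROVIDER_RE.match(line)
        if m and m.group("state").split("/")[0].strip().lower() == "disabled":
            findings.append({"line": lineno, "kind": "provider-disabled",
                             "detail": f"{m.group('kind')} {m.group('name')} is {m.group('state')}"})
    return findings


def needs_specialist(findings):
    """A load point under $Recycle.Bin points at a rootkit-class infection: the sensible
    response is to hand the logs to a helper rather than keep running random cleaners."""
    return any(f["kind"] == "recycle-bin-load" for f in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"line {f['line']:>3}  {f['kind']:<18} {f['detail']}")
    print("escalate:", needs_specialist(results))
```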



 


#2 Farbar


Posted 07 May 2013 - 05:15 AM

Hi James,

 

Welcome to the forum.

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

 



#3 Jalexander


Posted 07 May 2013 - 12:31 PM

Many thanks!

 

Just to note: I have just got back from work and the computer has been left backing up my important directories, and I haven't had another warning from AVG about the trojans. I don't know if this suggests anything, but knowing these things they are probably still lurking around somewhere.

 

 

FRST.txt:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 06-05-2013

Ran by James (administrator) on 07-05-2013 18:28:48
Running from C:\Users\James\Desktop
Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal
==================== Processes (Whitelisted) =================

(AVG Technologies CZ, s.r.o.) C:\PROGRA~2\AVG\AVG2013\avgrsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2013\avgcsrva.exe
(AMD) C:\Windows\system32\atiesrxx.exe
(AMD) C:\Windows\system32\atieclxx.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
() C:\Program Files (x86)\ASUS\AXSP\1.00.13\atkexComSvc.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AI Suite II\AsRoutineController.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AI Suite II\DIGI+ VRM\VRMHelp.exe
(Microsoft Corporation) c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
(Microsoft Corporation) c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
() C:\Program Files (x86)\ASUS\AAHM\1.00.14\aaHMSvc.exe
() C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe
(Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\adminservice.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AI Suite II\ASUS Mobilink\iPhone Simulator\pnSvc.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AI Suite II\ASUS Mobilink\Simulator\EC Simulator.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AI Suite II\TurboV EVO\TurboVHelp.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Intel Corporation) C:\Windows\system32\IProsetMonitor.exe
(Eastman Kodak Company) C:\Program Files (x86)\Kodak\AiO\Center\EKAiOHostService.exe
(Eastman Kodak Company) C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKPrinterSDK.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
(Microsoft Corporation) C:\Program Files\Microsoft LifeCam\MSCamS64.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
() C:\Windows\SysWOW64\PnkBstrA.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2013\avgemca.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AI Suite II\EPU\EPUHelp.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AI Suite II\AI Suite II.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AI Suite II\Sensor\AlertHelper\AlertHelper.exe
() C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
(AMD) C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe
(AMD) C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe
(Eastman Kodak Company) C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKStatusMonitor.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2013\avgui.exe
(Microsoft Corporation) C:\Windows\SysWOW64\notepad.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2013\avgcsrva.exe
(CobianSoft, Luis Cobian) C:\Program Files (x86)\Cobian Backup 11\cbVSCService11.exe
(Luis Cobian, CobianSoft) C:\Program Files (x86)\Cobian Backup 11\Cobian.exe
(Luis Cobian, CobianSoft) C:\Program Files (x86)\Cobian Backup 11\cbInterface.exe
(Opera Software) C:\Program Files (x86)\Opera\opera.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE
(Farbar) C:\Users\James\Downloads\FRST64.exe
(Farbar) C:\Users\James\Desktop\FRST64.exe

==================== Registry (Whitelisted) ==================

HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript [1127496 2013-04-04] (Malwarebytes Corporation)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$35d59ab0ddcae84948f3b4dc0bfd8615\n. ATTENTION! ====> ZeroAccess
HKCU\...\Run: [HydraVisionDesktopManager] "C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe" [393216 2011-01-26] (AMD)
HKCU\...\RunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_146_Plugin.exe -update plugin [699400 2013-02-14] (Adobe Systems Incorporated)
HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript [1127496 2013-04-04] (Malwarebytes Corporation)
HKCR\...409d6c4515e9\InprocServer32: [Default-shell32] C:\$Recycle.Bin\S-1-5-21-1531145322-4030894322-884009875-1000\$35d59ab0ddcae84948f3b4dc0bfd8615\n. ATTENTION! ====> ZeroAccess
MountPoints2: {b0fc65c0-5b3d-11e2-a44a-806e6f6e6963} - E:\Launch.exe
HKLM-x32\...\Run: [Conime] %windir%\system32\conime.exe [x]
HKLM-x32\...\Run: [EKStatusMonitor] C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKStatusMonitor.exe [2844608 2012-10-15] (Eastman Kodak Company)
HKLM-x32\...\Run: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY [4394032 2013-03-13] (AVG Technologies CZ, s.r.o.)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&CUI=UN40548647925103805&ctid=CT3272810
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
HKLM-x32 SearchScopes: DefaultScope {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3272810&CUI=UN40548647925103805
SearchScopes: HKLM-x32 - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3272810&CUI=UN40548647925103805
HKCU SearchScopes: DefaultScope {95B7759C-8C7F-4BF1-B163-73684A933233} URL = http://isearch.avg.com/search?cid={59E8968D-527C-4E19-973E-76ACE2BFB05D}&mid=a199eb2e370647d183aad16fc5c9e262-4083eb0d7c7b2c28e25054fc2ebc8ff03ab6d7b8&lang=en&ds=AVG&pr=fr&d=2013-01-20 18:23:11&v=14.2.0.1&pid=avg&sg=&sap=dsp&q={searchTerms}
SearchScopes: HKCU - {95B7759C-8C7F-4BF1-B163-73684A933233} URL = http://isearch.avg.com/search?cid={59E8968D-527C-4E19-973E-76ACE2BFB05D}&mid=a199eb2e370647d183aad16fc5c9e262-4083eb0d7c7b2c28e25054fc2ebc8ff03ab6d7b8&lang=en&ds=AVG&pr=fr&d=2013-01-20 18:23:11&v=14.2.0.1&pid=avg&sg=&sap=dsp&q={searchTerms}
SearchScopes: HKCU - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3272810&CUI=UN40548647925103805
BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssiea.dll No File
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll No File
BHO-x32: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO-x32: CIESpeechBHO Class - {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} - C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll (Atheros Commnucations)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO-x32: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\14.2.0.1\AVG Secure Search_toolbar.dll ()
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
Toolbar: HKLM-x32 - AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\14.2.0.1\AVG Secure Search_toolbar.dll ()
Toolbar: HKCU - No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgppa.dll No File
Handler-x32: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll No File
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
Handler-x32: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\14.2.0\ViProtocol.dll ()
Winsock: Catalog5 10 C:\Program Files (x86)\Bonjour\mdnsNSP.dll [20992] (Microsoft Corporation)
Winsock: Catalog5-x64 10 C:\Program Files\Bonjour\mdnsNSP.dll [132968] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

==================== Services (Whitelisted) =================

R2 asComSvc; C:\Program Files (x86)\ASUS\AXSP\1.00.13\atkexComSvc.exe [918144 2010-11-03] ()
R2 asHmComSvc; C:\Program Files (x86)\ASUS\AAHM\1.00.14\aaHMSvc.exe [915584 2010-12-02] ()
R2 AsSysCtrlService; C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe [586880 2010-10-21] ()
R2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe [4937264 2013-02-27] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe [282624 2013-02-19] (AVG Technologies CZ, s.r.o.)
R2 cbVSCService11; C:\Program Files (x86)\Cobian Backup 11\cbVSCService11.exe [67584 2013-03-07] (CobianSoft, Luis Cobian)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 PnkBstrA; C:\Windows\SysWow64\PnkBstrA.exe [76888 2013-04-06] ()
R2 vToolbarUpdater14.2.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe [968880 2013-02-18] ()

==================== Drivers (Whitelisted) ====================

R0 AiChargerPlus; C:\Windows\System32\DRIVERS\AiChargerPlus.sys [14464 2010-11-08] (ASUSTek Computer Inc.)
R1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [13440 2010-08-24] ()
R1 AsUpIO; C:\Windows\SysWow64\drivers\AsUpIO.sys [14464 2010-08-03] ()
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [246072 2013-02-26] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [71480 2013-02-08] (AVG Technologies CZ, s.r.o.)
R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [206136 2013-02-08] (AVG Technologies CZ, s.r.o.)
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [311096 2013-02-08] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [116536 2013-02-08] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [45880 2013-02-08] (AVG Technologies CZ, s.r.o.)
R1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [239416 2013-02-14] (AVG Technologies CZ, s.r.o.)
R1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [39768 2013-02-18] (AVG Technologies)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
S4 sptd; C:\Windows\System32\Drivers\sptd.sys [564824 2013-01-10] (Duplex Secure Ltd.)
S3 FLASHSYS; \??\C:\Program Files (x86)\MSI\Live Update 4\LU4\FLASHSYS64.sys [x]
S3 HRMACPI; SYSTEM32\DRIVERS\HRMACPI.SYS [x]
S3 MSICDSetup; \??\D:\CDriver64.sys [x]
S3 NTIOLib_1_0_4; \??\C:\Program Files (x86)\MSI\Live Update 4\LU4\NTIOLib_X64.sys [x]
S3 papycpu; No ImagePath
S0x01000000 papycpu2; \SystemRoot\system32\drivers\papycpu2.sys [x]
S3 SOFTUSBTESTHUB; SYSTEM32\DRIVERS\SOFTUSBTESTHUB.SYS [x]
S3 SOFTWADP; SYSTEM32\DRIVERS\SOFTWADP.SYS [x]
S3 WSOFTUSBK; SYSTEM32\DRIVERS\WSOFTUSBK.SYS [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-05-07 18:28 - 2013-05-07 18:28 - 01874784 ____A (Farbar) C:\Users\James\Desktop\FRST64.exe
2013-05-07 18:27 - 2013-05-07 18:27 - 00018174 ____A C:\Users\James\Desktop\Addition.txt
2013-05-07 18:25 - 2013-05-07 18:27 - 00028322 ____A C:\Users\James\Downloads\FRST.txt
2013-05-07 18:25 - 2013-05-07 18:25 - 00018174 ____A C:\Users\James\Downloads\Addition.txt
2013-05-07 18:24 - 2013-05-07 18:24 - 00000000 ____D C:\FRST
2013-05-07 18:23 - 2013-05-07 18:23 - 01874784 ____A (Farbar) C:\Users\James\Downloads\FRST64.exe
2013-05-06 22:36 - 2013-05-06 22:36 - 00006183 ____A C:\Users\James\Desktop\College Email.adr
2013-05-06 18:34 - 2013-05-06 18:42 - 25539335 ____A C:\Users\James\Downloads\Star Wars Episode I - Racer.zip
2013-05-06 18:31 - 2013-05-06 18:46 - 00000000 ____D C:\Program Files (x86)\Project64 1.6
2013-05-06 18:30 - 2013-05-06 18:31 - 02080797 ____A (Project64 ) C:\Users\James\Downloads\project64_1.6.exe
2013-05-06 13:23 - 2013-05-06 13:25 - 00014826 ____A C:\Users\James\Desktop\attach.txt
2013-05-06 13:23 - 2013-05-06 13:24 - 00019586 ____A C:\Users\James\Desktop\dds.txt
2013-05-06 13:21 - 2013-05-06 13:21 - 00688992 ____R (Swearware) C:\Users\James\Desktop\dds.com
2013-05-06 12:48 - 2013-05-06 12:52 - 00000000 ____D C:\Users\James\Documents\Important Docs
2013-05-06 12:36 - 2013-05-06 12:36 - 00000000 ____D C:\Program Files (x86)\Cobian Backup 11
2013-05-06 12:32 - 2013-05-06 12:34 - 19709440 ____A (Luis Cobian, CobianSoft) C:\Users\James\Downloads\cbSetup.exe
2013-05-06 12:16 - 2013-05-06 12:16 - 00890825 ____A C:\Users\James\Desktop\SecurityCheck.exe
2013-05-06 12:15 - 2013-05-06 12:15 - 00890825 ____A C:\Users\James\Downloads\SecurityCheck.exe
2013-05-06 12:11 - 2013-05-06 12:11 - 00050477 ____A C:\Users\James\Downloads\Defogger.exe
2013-05-06 12:11 - 2013-05-06 12:11 - 00000020 ____A C:\Users\James\defogger_reenable
2013-05-06 12:05 - 2013-05-07 18:14 - 00001392 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-05-06 12:05 - 2013-05-07 18:14 - 00001392 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-05-06 12:05 - 2013-05-06 12:05 - 00000552 ____A C:\Windows\System32\spsys.log
2013-05-06 11:38 - 2013-05-06 11:38 - 00001109 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-05-06 11:38 - 2013-05-06 11:38 - 00000000 ____D C:\Users\James\AppData\Roaming\Malwarebytes
2013-05-06 11:38 - 2013-05-06 11:38 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-05-06 11:38 - 2013-05-06 11:38 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-05-06 11:38 - 2013-04-04 14:50 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2013-05-06 11:36 - 2013-05-06 11:37 - 10285040 ____A (Malwarebytes Corporation ) C:\Users\James\Downloads\mbam-setup-1.75.0.1300.exe
2013-05-06 00:47 - 2013-05-06 00:47 - 00000012 ____A C:\Windows\sruna.log
2013-04-29 18:02 - 2013-04-30 17:46 - 00000000 ____D C:\Users\James\Documents\Automation
2013-04-29 18:02 - 2013-04-29 18:59 - 00000000 ____D C:\Automation
2013-04-29 18:02 - 2013-04-29 18:02 - 00000675 ____A C:\Users\Public\Desktop\Automation.lnk
2013-04-29 18:01 - 2013-04-29 18:01 - 03981807 ____A () C:\Users\James\Downloads\Launcher_Setup.exe
2013-04-26 16:47 - 2013-04-26 21:27 - 00000000 ____D C:\Users\James\Downloads\Cloud Atlas (2012) [1080p]
2013-04-24 17:17 - 2013-04-12 15:45 - 01656680 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys
2013-04-15 19:45 - 2013-04-15 19:45 - 00006648 ____A C:\Users\James\Documents\Fixit50388.reg
2013-04-15 19:44 - 2013-04-15 19:44 - 00694272 ____A C:\Users\James\Downloads\MicrosoftFixit50388.msi
2013-04-11 20:30 - 2013-02-21 11:30 - 01766912 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-04-11 20:30 - 2013-02-21 11:30 - 01129984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-04-11 20:30 - 2013-02-21 11:29 - 14323200 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-04-11 20:30 - 2013-02-21 11:29 - 13761024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-04-11 20:30 - 2013-02-21 11:29 - 02877440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-04-11 20:30 - 2013-02-21 11:29 - 02046464 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-04-11 20:30 - 2013-02-21 11:29 - 00690688 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-04-11 20:30 - 2013-02-21 11:29 - 00493056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-04-11 20:30 - 2013-02-21 11:29 - 00391168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-04-11 20:30 - 2013-02-21 11:29 - 00109056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-04-11 20:30 - 2013-02-21 11:29 - 00061440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-04-11 20:30 - 2013-02-21 11:29 - 00039424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-04-11 20:30 - 2013-02-21 11:29 - 00033280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-04-11 20:30 - 2013-02-21 11:15 - 02240512 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-04-11 20:30 - 2013-02-21 11:15 - 00051712 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-04-11 20:30 - 2013-02-21 11:14 - 19230208 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-04-11 20:30 - 2013-02-21 11:14 - 15404544 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-04-11 20:30 - 2013-02-21 11:14 - 03958784 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-04-11 20:30 - 2013-02-21 11:14 - 02647040 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-04-11 20:30 - 2013-02-21 11:14 - 01365504 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-04-11 20:30 - 2013-02-21 11:14 - 00855552 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-04-11 20:30 - 2013-02-21 11:14 - 00603136 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-04-11 20:30 - 2013-02-21 11:14 - 00526336 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-04-11 20:30 - 2013-02-21 11:14 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-04-11 20:30 - 2013-02-21 11:14 - 00067072 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-04-11 20:30 - 2013-02-21 11:14 - 00053248 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-04-11 20:30 - 2013-02-21 11:14 - 00039936 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-04-11 20:30 - 2013-02-19 13:01 - 02706432 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-04-11 20:30 - 2013-02-19 12:42 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-04-11 20:30 - 2013-02-19 12:10 - 00071680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-04-11 20:30 - 2013-02-19 11:51 - 00089600 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-04-11 17:08 - 2013-03-01 04:36 - 03153408 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-04-11 17:08 - 2013-02-15 07:08 - 00044032 ____A (Microsoft Corporation) C:\Windows\System32\tsgqec.dll
2013-04-11 17:08 - 2013-02-15 07:06 - 03717632 ____A (Microsoft Corporation) C:\Windows\System32\mstscax.dll
2013-04-11 17:08 - 2013-02-15 07:02 - 00158720 ____A (Microsoft Corporation) C:\Windows\System32\aaclient.dll
2013-04-11 17:08 - 2013-02-15 05:37 - 03217408 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mstscax.dll
2013-04-11 17:08 - 2013-02-15 05:34 - 00131584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\aaclient.dll
2013-04-11 17:08 - 2013-02-15 04:25 - 00036864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tsgqec.dll
2013-04-11 17:07 - 2013-03-19 07:04 - 05550424 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-04-11 17:07 - 2013-03-19 06:46 - 00043520 ____A (Microsoft Corporation) C:\Windows\System32\csrsrv.dll
2013-04-11 17:07 - 2013-03-19 06:04 - 03968856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2013-04-11 17:07 - 2013-03-19 06:04 - 03913560 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2013-04-11 17:07 - 2013-03-19 05:47 - 00006656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\apisetschema.dll
2013-04-11 17:07 - 2013-03-19 04:06 - 00112640 ____A (Microsoft Corporation) C:\Windows\System32\smss.exe
2013-04-11 17:07 - 2013-01-24 07:01 - 00223752 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fvevol.sys

==================== One Month Modified Files and Folders =======

2013-05-07 18:28 - 2013-05-07 18:28 - 01874784 ____A (Farbar) C:\Users\James\Desktop\FRST64.exe
2013-05-07 18:27 - 2013-05-07 18:27 - 00018174 ____A C:\Users\James\Desktop\Addition.txt
2013-05-07 18:27 - 2013-05-07 18:25 - 00028322 ____A C:\Users\James\Downloads\FRST.txt
2013-05-07 18:25 - 2013-05-07 18:25 - 00018174 ____A C:\Users\James\Downloads\Addition.txt
2013-05-07 18:24 - 2013-05-07 18:24 - 00000000 ____D C:\FRST
2013-05-07 18:23 - 2013-05-07 18:23 - 01874784 ____A (Farbar) C:\Users\James\Downloads\FRST64.exe
2013-05-07 18:14 - 2013-05-06 12:05 - 00001392 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-05-07 18:14 - 2013-05-06 12:05 - 00001392 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-05-07 08:33 - 2011-10-27 23:47 - 01483153 ____A C:\Windows\WindowsUpdate.log
2013-05-07 08:04 - 2011-10-28 01:05 - 00000000 ____D C:\ProgramData\MFAData
2013-05-06 22:49 - 2011-12-17 14:26 - 00000000 ____D C:\ProgramData\Kodak
2013-05-06 22:36 - 2013-05-06 22:36 - 00006183 ____A C:\Users\James\Desktop\College Email.adr
2013-05-06 19:52 - 2011-10-28 18:20 - 00000000 ____D C:\Program Files (x86)\Steam
2013-05-06 18:46 - 2013-05-06 18:31 - 00000000 ____D C:\Program Files (x86)\Project64 1.6
2013-05-06 18:42 - 2013-05-06 18:34 - 25539335 ____A C:\Users\James\Downloads\Star Wars Episode I - Racer.zip
2013-05-06 18:31 - 2013-05-06 18:30 - 02080797 ____A (Project64 ) C:\Users\James\Downloads\project64_1.6.exe
2013-05-06 13:25 - 2013-05-06 13:23 - 00014826 ____A C:\Users\James\Desktop\attach.txt
2013-05-06 13:24 - 2013-05-06 13:23 - 00019586 ____A C:\Users\James\Desktop\dds.txt
2013-05-06 13:21 - 2013-05-06 13:21 - 00688992 ____R (Swearware) C:\Users\James\Desktop\dds.com
2013-05-06 12:52 - 2013-05-06 12:48 - 00000000 ____D C:\Users\James\Documents\Important Docs
2013-05-06 12:36 - 2013-05-06 12:36 - 00000000 ____D C:\Program Files (x86)\Cobian Backup 11
2013-05-06 12:34 - 2013-05-06 12:32 - 19709440 ____A (Luis Cobian, CobianSoft) C:\Users\James\Downloads\cbSetup.exe
2013-05-06 12:20 - 2009-07-14 06:13 - 00796206 ____A C:\Windows\System32\PerfStringBackup.INI
2013-05-06 12:16 - 2013-05-06 12:16 - 00890825 ____A C:\Users\James\Desktop\SecurityCheck.exe
2013-05-06 12:15 - 2013-05-06 12:15 - 00890825 ____A C:\Users\James\Downloads\SecurityCheck.exe
2013-05-06 12:13 - 2009-07-14 06:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-05-06 12:13 - 2009-07-14 05:51 - 00070350 ____A C:\Windows\setupact.log
2013-05-06 12:11 - 2013-05-06 12:11 - 00050477 ____A C:\Users\James\Downloads\Defogger.exe
2013-05-06 12:11 - 2013-05-06 12:11 - 00000020 ____A C:\Users\James\defogger_reenable
2013-05-06 12:11 - 2011-11-09 19:48 - 00000000 ____D C:\Program Files (x86)\Opera
2013-05-06 12:11 - 2011-10-27 23:47 - 00000000 ____D C:\users\James
2013-05-06 12:05 - 2013-05-06 12:05 - 00000552 ____A C:\Windows\System32\spsys.log
2013-05-06 11:46 - 2011-10-31 18:12 - 00039978 ____A C:\Windows\PFRO.log
2013-05-06 11:38 - 2013-05-06 11:38 - 00001109 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-05-06 11:38 - 2013-05-06 11:38 - 00000000 ____D C:\Users\James\AppData\Roaming\Malwarebytes
2013-05-06 11:38 - 2013-05-06 11:38 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-05-06 11:38 - 2013-05-06 11:38 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-05-06 11:37 - 2013-05-06 11:36 - 10285040 ____A (Malwarebytes Corporation ) C:\Users\James\Downloads\mbam-setup-1.75.0.1300.exe
2013-05-06 00:47 - 2013-05-06 00:47 - 00000012 ____A C:\Windows\sruna.log
2013-05-05 22:03 - 2011-10-28 16:59 - 00000000 ____D C:\Users\James\Documents\My Games
2013-05-05 21:18 - 2011-10-28 01:37 - 00384155 ____A C:\Windows\DirectX.log
2013-05-05 21:15 - 2012-05-26 14:55 - 00000000 ____D C:\Program Files (x86)\Ubisoft
2013-05-05 21:15 - 2011-10-27 23:52 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2013-04-30 17:46 - 2013-04-29 18:02 - 00000000 ____D C:\Users\James\Documents\Automation
2013-04-29 18:59 - 2013-04-29 18:02 - 00000000 ____D C:\Automation
2013-04-29 18:02 - 2013-04-29 18:02 - 00000675 ____A C:\Users\Public\Desktop\Automation.lnk
2013-04-29 18:02 - 2011-10-28 01:07 - 00000000 ___HD C:\Windows\msdownld.tmp
2013-04-29 18:02 - 2011-10-28 01:07 - 00000000 ____D C:\Windows\SysWOW64\directx
2013-04-29 18:01 - 2013-04-29 18:01 - 03981807 ____A () C:\Users\James\Downloads\Launcher_Setup.exe
2013-04-27 00:24 - 2012-06-18 17:26 - 00000000 ____D C:\Users\James\AppData\Roaming\vlc
2013-04-27 00:24 - 2012-06-17 19:31 - 00000000 ____D C:\Users\James\AppData\Roaming\Azureus
2013-04-27 00:24 - 2012-06-17 19:29 - 00000000 ____D C:\Program Files (x86)\Vuze
2013-04-26 21:27 - 2013-04-26 16:47 - 00000000 ____D C:\Users\James\Downloads\Cloud Atlas (2012) [1080p]
2013-04-26 21:21 - 2011-11-10 21:23 - 00000000 ____D C:\Users\James\AppData\Roaming\Skype
2013-04-22 19:11 - 2011-12-10 22:46 - 00282296 ____A C:\Windows\SysWOW64\PnkBstrB.xtr
2013-04-22 19:11 - 2011-10-28 16:56 - 00282296 ____A C:\Windows\SysWOW64\PnkBstrB.exe
2013-04-22 19:10 - 2011-10-28 16:56 - 00215128 ____A C:\Windows\SysWOW64\PnkBstrB.ex0
2013-04-15 19:45 - 2013-04-15 19:45 - 00006648 ____A C:\Users\James\Documents\Fixit50388.reg
2013-04-15 19:44 - 2013-04-15 19:44 - 00694272 ____A C:\Users\James\Downloads\MicrosoftFixit50388.msi
2013-04-12 15:45 - 2013-04-24 17:17 - 01656680 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys
2013-04-12 14:31 - 2009-07-14 05:45 - 00422352 ____A C:\Windows\System32\FNTCACHE.DAT
2013-04-11 20:31 - 2011-11-04 19:31 - 72702784 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-04-11 20:30 - 2011-10-30 17:59 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-04-11 18:51 - 2013-04-06 10:32 - 00000000 ____D C:\Users\James\Documents\BFBC2
2013-04-10 10:47 - 2013-02-03 14:11 - 00000000 ___RD C:\Users\James\Dropbox
2013-04-10 10:47 - 2013-02-03 14:05 - 00000000 ____D C:\Users\James\AppData\Roaming\Dropbox

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$35d59ab0ddcae84948f3b4dc0bfd8615

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-1531145322-4030894322-884009875-1000\$35d59ab0ddcae84948f3b4dc0bfd8615

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$35d59ab0ddcae84948f3b4dc0bfd8615

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


Last Boot: 2013-05-06 23:06

==================== End Of Log ============================

 

Attached Files



#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,706 posts
  • Gender:Male
  • Location:The Netherlands

Posted 07 May 2013 - 12:57 PM

The ZeroAccess rootkit infection is still there.

 

Download attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

Attached Files
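As an added example (not from the thread, and not FRST's own code), a small Python parser that pulls out of FRST log lines the indicators acted on above: the "ZeroAccess:" blocks with their $Recycle.Bin\<SID>\$<hash> directories, BHO/toolbar entries whose registered DLL is gone ("No File"), and drivers with no image on disk ("[x]" / "No ImagePath"). The sample lines are copied from the log posted above; the regular expressions and category names are my own assumptions about the log format, not FRST's specification.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the FRST log in this thread,
# including the duplicated S-1-5-18 ZeroAccess entry that FRST listed twice.
SAMPLE_LOG = r"""
BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssiea.dll No File
BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
Toolbar: HKCU - No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
S3 HRMACPI; SYSTEM32\DRIVERS\HRMACPI.SYS [x]
S3 papycpu; No ImagePath

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$35d59ab0ddcae84948f3b4dc0bfd8615

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-1531145322-4030894322-884009875-1000\$35d59ab0ddcae84948f3b4dc0bfd8615

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$35d59ab0ddcae84948f3b4dc0bfd8615

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
"""

# $Recycle.Bin\<SID>\$<32 hex chars>: the hidden directory layout FRST reported under "ZeroAccess:"
RECYCLE_RE = re.compile(r"^[A-Za-z]:\\\$Recycle\.Bin\\(S-1-5-[\d-]+)\\\$[0-9a-fA-F]{32}$")
# Browser startup entries (BHO, Toolbar, Handler) whose registered DLL no longer exists on disk
ORPHAN_RE = re.compile(r"^(BHO|Toolbar|Handler)(?:-x32)?: (.+) No File$")
# Driver/service lines: "<state> <name>; <image> [size date] (<company>)", "[x]" or "No ImagePath"
DRIVER_RE = re.compile(r"^[RS]\d\S* (\S+); (.+)$")
# Lines from the "Bamital & volsnap Check" section
MD5_RE = re.compile(r"^(.+) => MD5 is legit$")


@dataclass(frozen=True)
class Finding:
    category: str  # "zeroaccess", "orphan_entry" or "missing_image" (assumed names)
    detail: str


def sid_owner(sid: str) -> str:
    """Classify the SID owning a $Recycle.Bin subfolder; only well-known shapes are recognised."""
    if sid == "S-1-5-18":
        return "LocalSystem"  # the SYSTEM account does not delete files into a recycle bin itself
    if sid.startswith("S-1-5-21-"):
        return "user account"
    return "other"


def analyze_frst(log_text: str) -> list[Finding]:
    """Walk the log once and collect the three indicator types, de-duplicating ZeroAccess paths."""
    findings: list[Finding] = []
    seen_paths: set[str] = set()
    lines = [ln.rstrip() for ln in log_text.splitlines()]
    for i, line in enumerate(lines):
        if line == "ZeroAccess:" and i + 1 < len(lines):
            path = lines[i + 1]
            if path in seen_paths:  # FRST listed the S-1-5-18 directory twice; report it once
                continue
            seen_paths.add(path)
            m = RECYCLE_RE.match(path)
            owner = sid_owner(m.group(1)) if m else "unrecognised layout"
            findings.append(Finding("zeroaccess", f"{path} (owner: {owner})"))
            continue
        m = ORPHAN_RE.match(line)
        if m:  # a CLSID still registered for IE but pointing at a DLL that is gone
            findings.append(Finding("orphan_entry", f"{m.group(1)}: {m.group(2)}"))
            continue
        m = DRIVER_RE.match(line)
        if m and (m.group(2).endswith("[x]") or m.group(2) == "No ImagePath"):
            findings.append(Finding("missing_image", m.group(1)))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category."""
    return dict(Counter(f.category for f in findings))


def verified_system_files(log_text: str) -> list[str]:
    """Paths whose MD5 FRST reported as matching a known-good Microsoft binary."""
    return [m.group(1) for m in map(MD5_RE.match, log_text.splitlines()) if m]


if __name__ == "__main__":
    results = analyze_frst(SAMPLE_LOG)
    for f in results:
        print(f"[{f.category}] {f.detail}")
    print(summarize(results))
    print("verified:", verified_system_files(SAMPLE_LOG))
```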



#5 Jalexander

Jalexander
  • Topic Starter

  • Members
  • 5 posts

Posted 07 May 2013 - 02:07 PM

Fixlog:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 06-05-2013
Ran by James at 2013-05-07 20:06:20 Run:1
Running from C:\Users\James\Desktop
Boot Mode: Normal
==============================================

HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => Value was restored successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\\Malwarebytes Anti-Malware (cleanup) => Value deleted successfully.
HKCR\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\\Default => Value was restored successfully.
HKCU\Software\Microsoft\Internet Explorer\Main\\Start Page => Value deleted successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\\DefaultScope => Value was restored successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{afdbddaa-5d3f-42ee-b79c-185a7020515b} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b} => Key deleted successfully.
HKCR\CLSID\{afdbddaa-5d3f-42ee-b79c-185a7020515b} => Key not found.
C:\$Recycle.Bin\S-1-5-18\$35d59ab0ddcae84948f3b4dc0bfd8615 => Moved successfully.
C:\$Recycle.Bin\S-1-5-21-1531145322-4030894322-884009875-1000\$35d59ab0ddcae84948f3b4dc0bfd8615 => Moved successfully.

==== End of Fixlog ====



#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,706 posts
  • Gender:Male
  • Location:The Netherlands

Posted 07 May 2013 - 02:17 PM

The main infection is taken care of. :thumbup2:
  • Download attached fixlist.txt file and save it to the Desktop.
    NOTE. It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.
  • Please download AdwCleaner and save it to your desktop.
    • Close all open programs.
    • Double click on AdwCleaner.exe to run it.
    • Click on Delete and confirm the prompt.
    • After it is finished the computer will be restarted. A text file will open after the restart.
    • Please post the content of that log to your reply.
    • A copy of the log will be saved at C:\AdwCleaner[S1].txt.

Attached Files



#7 Jalexander

Jalexander
  • Topic Starter

  • Members
  • 5 posts

Posted 07 May 2013 - 02:39 PM

This is starting to sound promising!

 

Fixlog:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 06-05-2013
Ran by James at 2013-05-07 20:29:25 Run:2
Running from C:\Users\James\Desktop
Boot Mode: Normal
==============================================

C:\FRST\Quarantine => Deleted successfully.
==== End of Fixlog ====

AdwCleaner log:

# AdwCleaner v2.300 - Logfile created 05/07/2013 at 20:32:37
# Updated 28/04/2013 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (64 bits)
# User : James - JAMES-PC
# Boot Mode : Normal
# Running from : C:\Users\James\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\END
Folder Deleted : C:\Program Files (x86)\AVG Secure Search
Folder Deleted : C:\Program Files (x86)\Common Files\AVG Secure Search
Folder Deleted : C:\Program Files (x86)\Conduit
Folder Deleted : C:\Program Files (x86)\Optimizer Pro
Folder Deleted : C:\ProgramData\AVG Secure Search
Folder Deleted : C:\ProgramData\AVG Security Toolbar
Folder Deleted : C:\ProgramData\Browse2save
Folder Deleted : C:\ProgramData\InstallMate
Folder Deleted : C:\ProgramData\Premium
Folder Deleted : C:\Users\James\AppData\Local\AVG Secure Search
Folder Deleted : C:\Users\James\AppData\Local\Conduit
Folder Deleted : C:\Users\James\AppData\Local\SwvUpdater
Folder Deleted : C:\Users\James\AppData\LocalLow\AVG Secure Search
Folder Deleted : C:\Users\James\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\James\AppData\LocalLow\PriceGong

***** [Registry] *****

Key Deleted : HKCU\Software\1ClickDownload
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\AppDataLow\Software\PriceGong
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKCU\Software\AppDataLow\SProtector
Key Deleted : HKCU\Software\AVG Secure Search
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Google\Chrome\Extensions\ojpijjmpahflnipadmlpgbjmagmjchkk
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\Software\AVG Secure Search
Key Deleted : HKLM\Software\AVG Security Toolbar
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{5B1881D1-D9C7-46DF-B041-1E593282C7D0}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI.1
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj.1
Key Deleted : HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\viprotocol
Key Deleted : HKLM\SOFTWARE\Classes\S
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2504091
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3272810
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\Iminent
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ConduitInstaller_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ConduitInstaller_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
Key Deleted : HKLM\Software\SP Global
Key Deleted : HKLM\Software\SProtector
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\jplinpmadfkdgipabgcdchbdikologlh
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\ojpijjmpahflnipadmlpgbjmagmjchkk
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9EDC0C90-2B5B-4512-953E-35767BAD5C67}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]
Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [Avg@toolbar]
Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{95B7759C-8C7F-4BF1-B163-73684A933233}]

***** [Internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16537

[OK] Registry is clean.

-\\ Opera v12.15.1748.0

File : C:\Users\James\AppData\Roaming\Opera\Opera\operaprefs.ini

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [361 octets] - [07/05/2013 20:31:56]
AdwCleaner[S2].txt - [7230 octets] - [07/05/2013 20:32:37]

########## EOF - C:\AdwCleaner[S2].txt - [7290 octets] ##########



#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,706 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:52 AM

Posted 07 May 2013 - 02:47 PM

It looks good. :thumbup2:
  • This is a small application you may want to keep and use to keep the computer clean.
    • Download CCleaner from here: http://www.ccleaner.com/
    • Run the installer to install the application.
    • When it gives you the option to install the Yahoo toolbar or any other program, uncheck the box next to it.
    • Run CCleaner. Under the Application tab, all the boxes should be checked except any option to remove saved passwords.
    • Click Run Cleaner.
    • Close CCleaner.
  • Please delete the FRST tool as we don't need it any more. Also go to C:\FRST and delete the entire FRST folder.
  • You may delete any tool or log we used from your computer.
  • Remove the old restore points and create a new restore point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Setting a new restore point AFTER cleaning your system will enable your computer to "roll back" to a clean working state if needed.
    • Go to Start => Right-click "Computer" and select "Properties".
    • In the left pane select "System Protection".
    • Press "Configure".
    • Select "Delete". Then press "Continue", close, and "OK".
    • Select your drive (drive C) and press "Create".
      Fill in a name for the restore point and press "Create".
      When finished, press "Close".
Take care. :)
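The restore-point step above, done from the command line instead of the System Protection dialog. This is an added example written for this page, not Farbar's instructions; it assumes an elevated Windows PowerShell (Checkpoint-Computer and Get-ComputerRestorePoint exist in Windows PowerShell 2.0 through 5.1 and are not in PowerShell 6 and later) and that C: is the drive System Protection covers.

```powershell
# Added example (not from the thread). Delete every old restore point, then
# create a fresh post-cleanup baseline. Run from an elevated Windows PowerShell.
# Assumes C: is the protected system drive.

# 1. System Protection must be enabled for the drive or Checkpoint-Computer fails.
Enable-ComputerRestore -Drive 'C:\'

# 2. Record what exists before the cleanup so the result can be compared.
$before = Get-ComputerRestorePoint | Select-Object SequenceNumber, CreationTime, Description
$before

# 3. Restore points are stored in volume shadow copies, so this does what the
#    dialog's "Delete" button does. It also discards the "Previous Versions"
#    of files on the volume, so only run it once the machine is known clean.
vssadmin delete shadows /all /quiet

# 4. Create the new baseline. MODIFY_SETTINGS is the generic restore point type.
Checkpoint-Computer -Description 'Clean baseline after malware removal' -RestorePointType MODIFY_SETTINGS

# 5. Confirm that only the new point remains.
$after = Get-ComputerRestorePoint | Select-Object SequenceNumber, CreationTime, Description
$after
```

One caveat for anyone following this on Windows 8 or later: Checkpoint-Computer refuses to create a second restore point within 24 hours of the previous one unless the SystemRestorePointCreationFrequency DWORD under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore is set to 0. On Windows 7, which the Wow6432Node and IE10 entries in the log suggest here, there is no such limit.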

#9 Jalexander (Topic Starter)

Posted 07 May 2013 - 03:36 PM

All done! Wow, is that everything done then? Am I Trojan-free? :D

I honestly can't even thank you enough for taking the time out of your day to assist me in getting around this; I would never have got anywhere on my own and probably would have given up in the end. The fact that you have volunteered to help me fix this whilst also helping others with different problems is amazing, you have restored my faith in the human race for the day. Thank you :)

Carry on being awesome, Farbar.

James


Edited by Jalexander, 07 May 2013 - 03:37 PM.


#10 Farbar (Security Developer, The Netherlands)

Posted 08 May 2013 - 03:11 PM

You are most welcome and thanks for your kind words James. :)

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a Private Message and I will reopen it for you.

If you should have a new issue, please start a new topic.

Everyone else should start a new topic.





