50 AVG anti-rootkit threats detected (including multiple IRP Hooks)


  • This topic is locked
24 replies to this topic

#1 Cannendrum


Posted 17 September 2013 - 12:39 AM

Hello.

 

Last month, I posted a topic here about AVG detecting two medium severity infections. Unfortunately, the problem seems to have increased as now AVG has detected 50 of them, and they all seem to be related to anti-rootkit. Please help :)

 

Here is the link to my earlier topic if interested:

 

http://www.bleepingcomputer.com/forums/t/505611/atapisys-and-i8042prtsys-detected-by-avg-and-return-after-reboot/

 

==

 

And this is the AVG Scan result:

 

"";"atapi.sys, hooked import HAL.dll READ_PORT_UCHAR -> spzu.sys +0x2042, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
"";"atapi.sys, hooked import HAL.dll READ_PORT_BUFFER_USHORT -> spzu.sys +0x213E, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
"";"i8042prt.sys, hooked import HAL.dll READ_PORT_UCHAR -> spzu.sys +0x11B90, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
"";"IRP hook, \FileSystem\Fastfat IRP_MJ_CREATE -> spzu.sys +0x11D40, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
"";"IRP hook, \FileSystem\Fastfat IRP_MJ_CLOSE -> spzu.sys +0x11D40, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
"";"IRP hook, \FileSystem\Fastfat IRP_MJ_READ -> spzu.sys +0x11D40, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
"";"IRP hook, \FileSystem\Fastfat IRP_MJ_WRITE -> spzu.sys +0x11D40, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
"";"IRP hook, \FileSystem\Fastfat IRP_MJ_QUERY_INFORMATION -> spzu.sys +0x11D40, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
"";"IRP hook, \FileSystem\Fastfat IRP_MJ_SET_INFORMATION -> spzu.sys +0x11D40, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
"";"IRP hook, \FileSystem\Fastfat IRP_MJ_QUERY_EA -> spzu.sys +0x11D40, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
"";"IRP hook, \FileSystem\Fastfat IRP_MJ_SET_EA -> spzu.sys +0x11D40, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
"";"IRP hook, \FileSystem\Fastfat IRP_MJ_FLUSH_BUFFERS -> spzu.sys +0x11D40, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
"";"IRP hook, \FileSystem\Fastfat IRP_MJ_QUERY_VOLUME_INFORMATION -> spzu.sys +0x11D40, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
"";"IRP hook, \FileSystem\Fastfat IRP_MJ_SET_VOLUME_INFORMATION -> spzu.sys +0x11D40, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
"";"IRP hook, \FileSystem\Fastfat IRP_MJ_DIRECTORY_CONTROL -> spzu.sys +0x11D40, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
"";"IRP hook, \FileSystem\Fastfat IRP_MJ_FILE_SYSTEM_CONTROL -> spzu.sys +0x11D40, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
"";"IRP hook, \FileSystem\Fastfat IRP_MJ_DEVICE_CONTROL -> spzu.sys +0x11D40, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
"";"IRP hook, \FileSystem\Fastfat IRP_MJ_SHUTDOWN -> spzu.sys +0x11D40, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
"";"IRP hook, \FileSystem\Fastfat IRP_MJ_LOCK_CONTROL -> spzu.sys +0x11D40, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
"";"IRP hook, \FileSystem\Fastfat IRP_MJ_CLEANUP -> spzu.sys +0x11D40, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
"";"IRP hook, \FileSystem\Fastfat IRP_MJ_PNP -> spzu.sys +0x11D40, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
"";"IRP hook, \FileSystem\Ntfs IRP_MJ_CREATE -> spzu.sys +0x11D40, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
"";"IRP hook, \FileSystem\Ntfs IRP_MJ_CLOSE -> spzu.sys +0x11D40, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
"";"IRP hook, \FileSystem\Ntfs IRP_MJ_READ -> spzu.sys +0x11D40, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
"";"IRP hook, \FileSystem\Ntfs IRP_MJ_WRITE -> spzu.sys +0x11D40, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
"";"IRP hook, \FileSystem\Ntfs IRP_MJ_QUERY_INFORMATION -> spzu.sys +0x11D40, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
"";"IRP hook, \FileSystem\Ntfs IRP_MJ_SET_INFORMATION -> spzu.sys +0x11D40, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
"";"IRP hook, \FileSystem\Ntfs IRP_MJ_QUERY_EA -> spzu.sys +0x11D40, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
"";"IRP hook, \FileSystem\Ntfs IRP_MJ_SET_EA -> spzu.sys +0x11D40, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
"";"IRP hook, \FileSystem\Ntfs IRP_MJ_FLUSH_BUFFERS -> spzu.sys +0x11D40, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
"";"IRP hook, \FileSystem\Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION -> spzu.sys +0x11D40, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
"";"IRP hook, \FileSystem\Ntfs IRP_MJ_SET_VOLUME_INFORMATION -> spzu.sys +0x11D40, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
"";"IRP hook, \FileSystem\Ntfs IRP_MJ_DIRECTORY_CONTROL -> spzu.sys +0x11D40, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
"";"IRP hook, \FileSystem\Ntfs IRP_MJ_FILE_SYSTEM_CONTROL -> spzu.sys +0x11D40, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
"";"IRP hook, \FileSystem\Ntfs IRP_MJ_DEVICE_CONTROL -> spzu.sys +0x11D40, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
"";"IRP hook, \FileSystem\Ntfs IRP_MJ_SHUTDOWN -> spzu.sys +0x11D40, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
"";"IRP hook, \FileSystem\Ntfs IRP_MJ_LOCK_CONTROL -> spzu.sys +0x11D40, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
"";"IRP hook, \FileSystem\Ntfs IRP_MJ_CLEANUP -> spzu.sys +0x11D40, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
"";"IRP hook, \FileSystem\Ntfs IRP_MJ_QUERY_SECURITY -> spzu.sys +0x11D40, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
"";"IRP hook, \FileSystem\Ntfs IRP_MJ_SET_SECURITY -> spzu.sys +0x11D40, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
"";"IRP hook, \FileSystem\Ntfs IRP_MJ_QUERY_QUOTA -> spzu.sys +0x11D40, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
"";"IRP hook, \FileSystem\Ntfs IRP_MJ_SET_QUOTA -> spzu.sys +0x11D40, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
"";"IRP hook, \FileSystem\Ntfs IRP_MJ_PNP -> spzu.sys +0x11D40, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
"";"Service function NtCreateKey hook -> spzu.sys +0x10E0, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
"";"Service function NtEnumerateKey hook -> spzu.sys +0x19DA4, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
"";"Service function NtEnumerateValueKey hook -> spzu.sys +0x1A132, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
"";"Service function NtOpenKey hook -> spzu.sys +0x10C0, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
"";"Service function NtQueryKey hook -> spzu.sys +0x1A20A, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
"";"Service function NtQueryValueKey hook -> spzu.sys +0x1A08A, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
"";"Service function NtSetValueKey hook -> spzu.sys +0x1A29C, C:\WINDOWS\system32\drivers\spzu.sys";"Infected"
 

==

 

The DDS text log:

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.25.2
Run by Acer at 8:18:13 on 2013-09-17
Microsoft Windows XP Professional  5.1.2600.3.1256.1.1033.18.1014.184 [GMT 3:00]
.
AV: AVG AntiVirus Free Edition 2013 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Acer\OrbiCam10\OrbiCam.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\DOCUME~1\Acer\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uProxyServer = 127.0.0.1:9666
uProxyOverride = 127.0.0.1;*.local
dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
BHO: FGCatchUrl: {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - c:\program files\flashget\jccatch.dll
BHO: {3049C3E9-B461-4BC5-8870-4C09146192CA} - <orphaned>
BHO: Conduit Engine : {30F9B915-B755-4826-820B-08FBA6BD249D} - c:\program files\conduitengine\prxConduitEngine.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuz0.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: IplexToALLPlayer: {DF925EF3-7A87-44E4-9CAF-8D7B280BF616} - c:\program files\opensubtitlesplayer\iplex\IplexToALLPlayer.dll
BHO: FlashGet GetFlash Class: {F156768E-81EF-470C-9057-481BA8380DBA} - c:\program files\flashget\getflash.dll
TB: Vuze Remote Toolbar: {BA14329E-9550-4989-B3F2-9732E92D17CC} - c:\program files\vuze_remote\prxtbVuz0.dll
TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuz0.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [AVG-Secure-Search-Update_0913a] c:\documents and settings\acer\application data\avg 0913a campaign\AVG-Secure-Search-Update-0913a.exe /PROMPT --mid 69076905662363f81558dcfa8070ce7f-0f31de5384fed4e9220d18670d00ffdbf080532c --CMPID 0913a
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logitech\lcommgr\Communications_Helper.exe"
mRun: [AcerOrbicamRibbon] "c:\program files\acer\orbicam10\OrbiCam.exe" /hide
mRun: [LVCOMSX] "c:\program files\common files\logitech\lcommgr\LVComSX.exe"
mRun: [AVG_UI] "c:\program files\avg\avg2013\avgui.exe" /TRAYONLY
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{47BD1830-F211-499A-A0DC-800695E1249E} : DHCPNameServer = 192.168.1.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: igfxcui - igfxdev.dll
Hosts: 127.0.0.1    www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\acer\application data\mozilla\firefox\profiles\poigmfio.default-1378220192328\
FF - plugin: c:\documents and settings\acer\local settings\application data\google\update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: c:\documents and settings\acer\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1203133.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_8_800_168.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\Npindeo.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - ExtSQL: 2013-09-03 18:03; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\documents and settings\acer\application data\mozilla\firefox\profiles\poigmfio.default-1378220192328\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2013-09-03 18:08; {bee6eb20-01e0-ebd1-da83-080329fb9a3a}; c:\documents and settings\acer\application data\mozilla\firefox\profiles\poigmfio.default-1378220192328\extensions\{bee6eb20-01e0-ebd1-da83-080329fb9a3a}
FF - ExtSQL: 2013-09-03 18:08; donottrackplus@abine.com; c:\documents and settings\acer\application data\mozilla\firefox\profiles\poigmfio.default-1378220192328\extensions\donottrackplus@abine.com
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-4-19 60216]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2012-9-21 246072]
R0 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 96568]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 39224]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2011-12-23 208184]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2011-12-23 22328]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 171320]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-9 182072]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2013\avgidsagent.exe [2013-7-4 4939312]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2013\avgwdsvc.exe [2013-7-23 283136]
R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2013-4-25 33792]
R3 lv321av;Logitech USB PC Camera (VC0321);c:\windows\system32\drivers\lv321av.sys [2012-10-20 847392]
R3 NETwLx32;    Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [2013-2-17 6609920]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-8-1 1684736]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2011-6-2 11336]
S3 Neo_First;VPN Client Device Driver - First;c:\windows\system32\drivers\Neo_0031.sys [2011-12-22 22000]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
.
=============== Created Last 30 ================
.
2013-09-14 05:48:49    4751752    ----a-w-    c:\windows\system32\FlashPlayerInstaller.exe
2013-09-02 19:54:56    --------    d-----w-    c:\windows\DESKTOP
2013-09-02 19:54:56    --------    d-----w-    C:\TLCWIN
2013-08-30 14:28:51    --------    d-----w-    c:\program files\DoISO
2013-08-25 14:12:43    --------    d-sha-r-    C:\cmdcons
2013-08-25 14:10:27    98816    ----a-w-    c:\windows\sed.exe
2013-08-25 14:10:27    256000    ----a-w-    c:\windows\PEV.exe
2013-08-25 14:10:27    208896    ----a-w-    c:\windows\MBR.exe
2013-08-24 06:58:09    --------    d-----w-    c:\documents and settings\acer\application data\Malwarebytes
2013-08-24 06:57:37    --------    d-----w-    c:\documents and settings\all users\application data\Malwarebytes
2013-08-22 22:16:19    --------    d-----w-    c:\windows\system32\MRT
.
==================== Find3M  ====================
.
2013-09-14 05:49:14    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-09-14 05:49:12    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-09 22:34:48    22328    ----a-w-    c:\windows\system32\drivers\avgidsshimx.sys
2013-09-04 22:43:42    39224    ----a-w-    c:\windows\system32\drivers\avgrkx86.sys
2013-08-09 01:56:45    386560    ----a-w-    c:\windows\system32\themeui.dll
2013-08-08 01:27:48    1877760    ----a-w-    c:\windows\system32\win32k.sys
2013-08-05 13:30:32    1289728    ----a-w-    c:\windows\system32\ole32.dll
2013-07-31 19:52:44    901808    ----a-w-    c:\windows\system32\wmvdmod.dll
2013-07-26 02:47:17    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-07-26 02:47:13    43520    ------w-    c:\windows\system32\licmgr10.dll
2013-07-26 02:47:12    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2013-07-25 15:52:59    385024    ------w-    c:\windows\system32\html.iec
2013-07-19 22:51:00    246072    ----a-w-    c:\windows\system32\drivers\avglogx.sys
2013-07-19 22:50:56    60216    ----a-w-    c:\windows\system32\drivers\avgidshx.sys
2013-07-19 22:50:56    208184    ----a-w-    c:\windows\system32\drivers\avgidsdriverx.sys
2013-07-19 22:50:50    171320    ----a-w-    c:\windows\system32\drivers\avgldx86.sys
2013-07-10 10:37:53    406016    ----a-w-    c:\windows\system32\usp10.dll
2013-07-04 03:03:25    2149888    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-07-04 02:08:30    2028544    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-06-23 23:11:16    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-06-23 23:11:12    144896    ----a-w-    c:\windows\system32\javacpl.cpl
2013-06-23 23:11:11    867240    ----a-w-    c:\windows\system32\npdeployJava1.dll
2013-06-23 23:11:11    789416    ----a-w-    c:\windows\system32\deployJava1.dll
.
============= FINISH:  8:19:29.03 ===============
 

 


#2 TB-Psychotic

  • Malware Response Team

Posted 17 September 2013 - 01:47 AM

Hi there,
my name is Marius and I will assist you with your malware-related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

 

Combofix

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications.


====================================================


Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


RC_update.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


cfRC_screen_2.png


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.


Proud Member of UNITE & TB
 

#3 Cannendrum

Cannendrum
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:10:40 AM

Posted 17 September 2013 - 09:11 AM

Thank you for helping me. I have followed your instructions and here is Combofix's log:

 

 

ComboFix 13-09-17.01 - Acer 09/17/2013  16:49:44.2.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1256.1.1033.18.1014.506 [GMT 3:00]
Running from: c:\documents and settings\Acer\Desktop\ComboFix.exe
AV: AVG AntiVirus Free Edition 2013 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\desktop
c:\windows\desktop\Instal~1.lnk
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-17 to 2013-09-17  )))))))))))))))))))))))))))))))
.
.
2013-09-14 05:48 . 2013-09-14 05:48    4751752    ----a-w-    c:\windows\system32\FlashPlayerInstaller.exe
2013-09-02 19:54 . 2013-09-02 19:54    --------    d-----w-    C:\TLCWIN
2013-08-30 14:28 . 2013-08-30 15:06    --------    d-----w-    c:\program files\DoISO
2013-08-25 17:42 . 2013-08-25 17:43    --------    d-----w-    c:\program files\Common Files\Adobe
2013-08-24 06:58 . 2013-08-24 06:58    --------    d-----w-    c:\documents and settings\Acer\Application Data\Malwarebytes
2013-08-24 06:57 . 2013-08-24 06:57    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes
2013-08-22 22:16 . 2013-09-14 09:46    --------    d-----w-    c:\windows\system32\MRT
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-09-14 05:49 . 2012-04-02 10:53    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-09-14 05:49 . 2011-05-15 20:28    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-09 22:34 . 2011-12-23 10:32    22328    ----a-w-    c:\windows\system32\drivers\avgidsshimx.sys
2013-09-04 22:43 . 2010-09-07 00:48    39224    ----a-w-    c:\windows\system32\drivers\avgrkx86.sys
2013-08-09 01:56 . 2004-08-04 04:56    386560    ----a-w-    c:\windows\system32\themeui.dll
2013-08-08 01:27 . 2004-08-04 03:17    1877760    ----a-w-    c:\windows\system32\win32k.sys
2013-08-05 13:30 . 2004-08-04 04:56    1289728    ----a-w-    c:\windows\system32\ole32.dll
2013-07-31 19:52 . 2004-08-04 04:56    901808    ----a-w-    c:\windows\system32\wmvdmod.dll
2013-07-26 02:47 . 2004-08-04 04:56    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-07-26 02:47 . 2004-08-04 04:56    43520    ------w-    c:\windows\system32\licmgr10.dll
2013-07-26 02:47 . 2004-08-04 04:56    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2013-07-25 15:52 . 2004-08-04 02:59    385024    ------w-    c:\windows\system32\html.iec
2013-07-19 22:51 . 2012-09-21 00:46    246072    ----a-w-    c:\windows\system32\drivers\avglogx.sys
2013-07-19 22:50 . 2012-04-19 01:50    60216    ----a-w-    c:\windows\system32\drivers\avgidshx.sys
2013-07-19 22:50 . 2011-12-23 10:32    208184    ----a-w-    c:\windows\system32\drivers\avgidsdriverx.sys
2013-07-19 22:50 . 2010-09-07 00:48    171320    ----a-w-    c:\windows\system32\drivers\avgldx86.sys
2013-07-10 10:37 . 2004-08-04 04:56    406016    ----a-w-    c:\windows\system32\usp10.dll
2013-07-04 03:03 . 2004-08-04 03:18    2149888    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-07-04 02:08 . 2004-08-03 22:59    2028544    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-06-30 22:45 . 2010-09-07 00:48    96568    ----a-w-    c:\windows\system32\drivers\avgmfx86.sys
2013-06-23 23:11 . 2013-06-23 23:11    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-06-23 23:11 . 2013-06-23 23:12    144896    ----a-w-    c:\windows\system32\javacpl.cpl
2013-06-23 23:11 . 2012-05-09 07:46    867240    ----a-w-    c:\windows\system32\npdeployJava1.dll
2013-06-23 23:11 . 2010-05-23 01:42    789416    ----a-w-    c:\windows\system32\deployJava1.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-17 14:54    175912    ----a-w-    c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
2011-01-17 14:54    175912    ----a-w-    c:\program files\Vuze_Remote\prxtbVuz0.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\prxtbVuz0.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{BA14329E-9550-4989-B3F2-9732E92D17CC}"= "c:\program files\Vuze_Remote\prxtbVuz0.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 07:20    64792    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 07:20    64792    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 07:20    64792    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 07:20    64792    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 07:20    64792    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 07:20    64792    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 07:20    64792    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 07:20    64792    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 07:20    64792    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32    129272    ----a-w-    c:\documents and settings\Acer\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32    129272    ----a-w-    c:\documents and settings\Acer\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32    129272    ----a-w-    c:\documents and settings\Acer\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32    129272    ----a-w-    c:\documents and settings\Acer\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-13 88204]
"RTHDCPL"="RTHDCPL.EXE" [2009-07-20 18670592]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2010-04-12 180224]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-21 59720]
"LogitechCommunicationsManager"="c:\program files\Common Files\Logitech\LComMgr\Communications_Helper.exe" [2006-10-30 304664]
"AcerOrbicamRibbon"="c:\program files\Acer\OrbiCam10\OrbiCam.exe" [2006-11-28 754712]
"LVCOMSX"="c:\program files\Common Files\Logitech\LComMgr\LVComSX.exe" [2006-11-28 244512]
"AVG_UI"="c:\program files\AVG\AVG2013\avgui.exe" [2013-08-15 4411440]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-05-31 152392]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-05-11 958576]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-1-17 618557]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk *\0c:\progra~1\AVG\AVG2013\avgrsx.exe /sync /restart
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"d:\\Vampire\\Well Of Souls\\Souls.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"d:\\Vampire\\Well Of Souls\\MIX\\Mix.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Acer\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\FlashGet\\FlashGet.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgmfapx.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgdiagex.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8000:UDP"= 8000:UDP:WoS 8000 UDP
"8000:TCP"= 8000:TCP:WoS 8000 TCP
"8001:UDP"= 8001:UDP:WoS 8001 UDP
"8001:TCP"= 8001:TCP:WoS 8001 TCP
"8888:UDP"= 8888:UDP:MIX 8888 UDP
"8888:TCP"= 8888:TCP:MIX 8888 TCP
"56880:TCP"= 56880:TCP:Pando Media Booster
"56880:UDP"= 56880:UDP:Pando Media Booster
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [4/19/2012 4:50 AM 60216]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [9/21/2012 3:46 AM 246072]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/7/2010 3:48 AM 39224]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [12/23/2011 1:32 PM 208184]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [12/23/2011 1:32 PM 22328]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [9/7/2010 3:48 AM 171320]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [11/9/2010 10:20 PM 182072]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2013\avgwdsvc.exe [7/23/2013 7:09 PM 283136]
R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [4/25/2013 4:49 PM 33792]
R3 lv321av;Logitech USB PC Camera (VC0321);c:\windows\system32\drivers\lv321av.sys [10/20/2012 12:16 AM 847392]
R3 NETwLx32;    Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [2/17/2013 12:10 PM 6609920]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2013\avgidsagent.exe [7/4/2013 3:53 PM 4939312]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [7/13/2012 1:28 PM 160944]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/1/2009 6:03 AM 1684736]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [6/2/2011 10:08 AM 11336]
S3 Neo_First;VPN Client Device Driver - First;c:\windows\system32\drivers\Neo_0031.sys [12/22/2011 1:46 AM 22000]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/14/2010 1:43 AM 691696]
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 05:49]
.
2013-09-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-362288127-682003330-1003Core.job
- c:\documents and settings\Acer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-10-23 14:06]
.
2013-09-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-362288127-682003330-1003UA.job
- c:\documents and settings\Acer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-10-23 14:06]
.
2013-09-17 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2012-09-10 19:18]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = 127.0.0.1:9666
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: DhcpNameServer = 192.168.1.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Acer\Application Data\Mozilla\Firefox\Profiles\poigmfio.default-1378220192328\
FF - ExtSQL: 2013-09-03 18:03; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\documents and settings\Acer\Application Data\Mozilla\Firefox\Profiles\poigmfio.default-1378220192328\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2013-09-03 18:08; {bee6eb20-01e0-ebd1-da83-080329fb9a3a}; c:\documents and settings\Acer\Application Data\Mozilla\Firefox\Profiles\poigmfio.default-1378220192328\extensions\{bee6eb20-01e0-ebd1-da83-080329fb9a3a}
FF - ExtSQL: 2013-09-03 18:08; donottrackplus@abine.com; c:\documents and settings\Acer\Application Data\Mozilla\Firefox\Profiles\poigmfio.default-1378220192328\extensions\donottrackplus@abine.com
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-AVG-Secure-Search-Update_0913a - c:\documents and settings\Acer\Application Data\AVG 0913a Campaign\AVG-Secure-Search-Update-0913a.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-09-17 16:59
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1715567821-362288127-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{58B395D3-2146-02F7-7D8F-1508C5DBC64A}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"ialebcegicaffemjkh"=hex:69,61,63,62,69,70,63,68,66,63,61,6a,67,70,65,65,6f,65,
   00,00
"haffpdkfonchnnpe"=hex:69,61,63,62,69,70,63,68,66,63,61,6a,67,70,65,65,6f,65,
   00,00
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_174_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_174_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
Completion time: 2013-09-17  17:03:21
ComboFix-quarantined-files.txt  2013-09-17 14:03
.
Pre-Run: 1,705,246,720 bytes free
Post-Run: 1,732,366,336 bytes free
.
- - End Of File - - 8C976648747CCCF2B49BF2421F640BA4
99852D5C3A78447C3D6D82B6155FE848
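The driver/service block of the ComboFix log above (the `R0`/`R1`/`S3`/`S4` lines) is the part a responder reads first, so here is an added example of parsing and triaging it. This is the editor's own code, not ComboFix's, AVG's, or anything posted in the thread. It assumes the line format `R0 Name;Description;path [date size]`, that `R`/`S` mean running/stopped, that the digit is the Windows service start type (0 boot, 1 system, 2 auto, 3 demand, 4 disabled), and that a trailing `[?]` means ComboFix could not find the image on disk; the triage rules are the editor's heuristics. The sample lines are copied from the log on this page.

```python
"""Parse the R?/S? driver and service lines of a ComboFix log and triage them.

Added example by the editor: not ComboFix's own code and not code posted in
the thread. Assumed format (not stated on the page):
    R0 Name;Description;c:\\path\\image.sys [m/d/yyyy h:mm AM size]
    R2 Name;Description;reported\\path --> resolved\\path [?]
where R/S = running/stopped, the digit is the service start type
(0 boot, 1 system, 2 auto, 3 demand, 4 disabled) and "[?]" is read as
"ComboFix could not find the image on disk".
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}
DRIVERS_DIR = "\\system32\\drivers\\"

LINE_RE = re.compile(r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<rest>.+)$")
TAIL_RE = re.compile(r"^(?P<image>.*?)\s*\[(?P<info>[^\]]*)\]\s*$")


@dataclass
class ServiceEntry:
    name: str
    description: str
    running: bool
    start_type: str
    image: str            # path as ComboFix resolved it (may carry arguments, e.g. "-service")
    found_on_disk: bool   # False when the bracket holds "?"
    size: Optional[int]   # file size from the bracket, None when not found


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Return a ServiceEntry for one R?/S? line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    if "-->" in rest:                      # keep the path ComboFix actually looked for
        rest = rest.split("-->", 1)[1].strip()
    t = TAIL_RE.match(rest)
    if not t:
        return None
    info = t.group("info").strip()
    found = info != "?"
    return ServiceEntry(
        name=m.group("name").strip(),
        description=m.group("desc").strip(),
        running=m.group("state") == "R",
        start_type=START_TYPES[int(m.group("start"))],
        image=t.group("image").strip(),
        found_on_disk=found,
        size=int(info.split()[-1]) if found else None,
    )


def parse_services(log_text: str) -> List[ServiceEntry]:
    """Collect every service line from a whole log; non-matching lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        e = parse_service_line(line)
        if e is not None:
            entries.append(e)
    return entries


def triage(entries: List[ServiceEntry]) -> Dict[str, List[str]]:
    """Heuristic triage (editor's own rules, not AVG's or ComboFix's):
    - unresolved: image ComboFix could not find on disk
    - early_start: boot- or system-start drivers, loaded before most defences
    - sys_outside_drivers_dir: a .sys image not under \\system32\\drivers\\
    """
    report = {"unresolved": [], "early_start": [], "sys_outside_drivers_dir": []}
    for e in entries:
        image = e.image.lower()
        if not e.found_on_disk:
            report["unresolved"].append(e.name)
        if e.start_type in ("boot", "system"):
            report["early_start"].append(e.name)
        if image.endswith(".sys") and DRIVERS_DIR not in image:
            report["sys_outside_drivers_dir"].append(e.name)
    return report


# Lines copied from the ComboFix log above, plus two non-service lines to show they are skipped.
SAMPLE_LOG = r"""
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [4/19/2012 4:50 AM 60216]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/7/2010 3:48 AM 39224]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [11/9/2010 10:20 PM 182072]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2013\avgwdsvc.exe [7/23/2013 7:09 PM 283136]
R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [4/25/2013 4:49 PM 33792]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [6/2/2011 10:08 AM 11336]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/14/2010 1:43 AM 691696]
Contents of the 'Scheduled Tasks' folder
"""

if __name__ == "__main__":
    for key, names in triage(parse_services(SAMPLE_LOG)).items():
        print(f"{key}: {', '.join(names) or '-'}")
```

Run against the sample, the two unresolved images (libusbd, npggsvc) and the one .sys file living under Program Files (cpudrv) are the entries a responder would verify by hand before touching anything; the boot-start list is where a kernel-level hook would have to live, which is why that block is worth reading alongside any anti-rootkit output.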
#4 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 17 September 2013 - 09:57 AM

Combofix scripting

1. Close any open browsers.

2. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is.

[image: CFScriptB-4.gif, showing CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.

Full System Scan with Malwarebytes Antimalware

  • If not existing, please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.


If the program is already installed:
  • Run Malwarebytes Antimalware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, place a checkmark on all hard drives, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.


Proud Member of UNITE & TB

#5 Cannendrum

  • Topic Starter
  • Members
  • 20 posts

Posted 17 September 2013 - 01:20 PM

Here is the Combofix log:

ComboFix 13-09-17.01 - Acer 09/17/2013  18:45:38.3.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1256.1.1033.18.1014.474 [GMT 3:00]
Running from: c:\documents and settings\Acer\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Acer\Desktop\CFScript.txt
AV: AVG AntiVirus Free Edition 2013 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\ConduitEngine
c:\program files\ConduitEngine\appContextMenu.xml
c:\program files\ConduitEngine\ConduitEngine.dll
c:\program files\ConduitEngine\ConduitEngineHelper.exe
c:\program files\ConduitEngine\engineContextMenu.xml
c:\program files\ConduitEngine\EngineSettings.json
c:\program files\ConduitEngine\prxConduitEngine.dll
c:\program files\ConduitEngine\toolbar.cfg
c:\program files\Vuze_Remote
c:\program files\Vuze_Remote\INSTALL.LOG
c:\program files\Vuze_Remote\prxtbVuz0.dll
c:\program files\Vuze_Remote\tbVuz0.dll
c:\program files\Vuze_Remote\tbVuz1.dll
c:\program files\Vuze_Remote\tbVuze.dll
c:\program files\Vuze_Remote\toolbar.cfg
c:\program files\Vuze_Remote\uninstall.exe
c:\program files\Vuze_Remote\UNWISE.EXE
c:\program files\Vuze_Remote\Vuze_RemoteToolbarHelper.exe
c:\program files\Vuze_Remote\Vuze_RemoteToolbarHelper1.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-17 to 2013-09-17  )))))))))))))))))))))))))))))))
.
.
2013-09-14 05:48 . 2013-09-14 05:48    4751752    ----a-w-    c:\windows\system32\FlashPlayerInstaller.exe
2013-09-02 19:54 . 2013-09-02 19:54    --------    d-----w-    C:\TLCWIN
2013-08-30 14:28 . 2013-08-30 15:06    --------    d-----w-    c:\program files\DoISO
2013-08-25 17:42 . 2013-08-25 17:43    --------    d-----w-    c:\program files\Common Files\Adobe
2013-08-24 06:58 . 2013-08-24 06:58    --------    d-----w-    c:\documents and settings\Acer\Application Data\Malwarebytes
2013-08-24 06:57 . 2013-08-24 06:57    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes
2013-08-22 22:16 . 2013-09-14 09:46    --------    d-----w-    c:\windows\system32\MRT
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-09-14 05:49 . 2012-04-02 10:53    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-09-14 05:49 . 2011-05-15 20:28    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-09 22:34 . 2011-12-23 10:32    22328    ----a-w-    c:\windows\system32\drivers\avgidsshimx.sys
2013-09-04 22:43 . 2010-09-07 00:48    39224    ----a-w-    c:\windows\system32\drivers\avgrkx86.sys
2013-08-09 01:56 . 2004-08-04 04:56    386560    ----a-w-    c:\windows\system32\themeui.dll
2013-08-08 01:27 . 2004-08-04 03:17    1877760    ----a-w-    c:\windows\system32\win32k.sys
2013-08-05 13:30 . 2004-08-04 04:56    1289728    ----a-w-    c:\windows\system32\ole32.dll
2013-07-31 19:52 . 2004-08-04 04:56    901808    ----a-w-    c:\windows\system32\wmvdmod.dll
2013-07-26 02:47 . 2004-08-04 04:56    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-07-26 02:47 . 2004-08-04 04:56    43520    ------w-    c:\windows\system32\licmgr10.dll
2013-07-26 02:47 . 2004-08-04 04:56    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2013-07-25 15:52 . 2004-08-04 02:59    385024    ------w-    c:\windows\system32\html.iec
2013-07-19 22:51 . 2012-09-21 00:46    246072    ----a-w-    c:\windows\system32\drivers\avglogx.sys
2013-07-19 22:50 . 2012-04-19 01:50    60216    ----a-w-    c:\windows\system32\drivers\avgidshx.sys
2013-07-19 22:50 . 2011-12-23 10:32    208184    ----a-w-    c:\windows\system32\drivers\avgidsdriverx.sys
2013-07-19 22:50 . 2010-09-07 00:48    171320    ----a-w-    c:\windows\system32\drivers\avgldx86.sys
2013-07-10 10:37 . 2004-08-04 04:56    406016    ----a-w-    c:\windows\system32\usp10.dll
2013-07-04 03:03 . 2004-08-04 03:18    2149888    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-07-04 02:08 . 2004-08-03 22:59    2028544    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-06-30 22:45 . 2010-09-07 00:48    96568    ----a-w-    c:\windows\system32\drivers\avgmfx86.sys
2013-06-23 23:11 . 2013-06-23 23:11    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-06-23 23:11 . 2013-06-23 23:12    144896    ----a-w-    c:\windows\system32\javacpl.cpl
2013-06-23 23:11 . 2012-05-09 07:46    867240    ----a-w-    c:\windows\system32\npdeployJava1.dll
2013-06-23 23:11 . 2010-05-23 01:42    789416    ----a-w-    c:\windows\system32\deployJava1.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 07:20    64792    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 07:20    64792    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 07:20    64792    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 07:20    64792    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 07:20    64792    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 07:20    64792    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 07:20    64792    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 07:20    64792    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 07:20    64792    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32    129272    ----a-w-    c:\documents and settings\Acer\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32    129272    ----a-w-    c:\documents and settings\Acer\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32    129272    ----a-w-    c:\documents and settings\Acer\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32    129272    ----a-w-    c:\documents and settings\Acer\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-13 88204]
"RTHDCPL"="RTHDCPL.EXE" [2009-07-20 18670592]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2010-04-12 180224]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-21 59720]
"LogitechCommunicationsManager"="c:\program files\Common Files\Logitech\LComMgr\Communications_Helper.exe" [2006-10-30 304664]
"AcerOrbicamRibbon"="c:\program files\Acer\OrbiCam10\OrbiCam.exe" [2006-11-28 754712]
"LVCOMSX"="c:\program files\Common Files\Logitech\LComMgr\LVComSX.exe" [2006-11-28 244512]
"AVG_UI"="c:\program files\AVG\AVG2013\avgui.exe" [2013-08-15 4411440]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-05-31 152392]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-05-11 958576]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-1-17 618557]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk *\0c:\progra~1\AVG\AVG2013\avgrsx.exe /sync /restart
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"d:\\Vampire\\Well Of Souls\\Souls.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"d:\\Vampire\\Well Of Souls\\MIX\\Mix.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Acer\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\FlashGet\\FlashGet.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgmfapx.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgdiagex.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8000:UDP"= 8000:UDP:WoS 8000 UDP
"8000:TCP"= 8000:TCP:WoS 8000 TCP
"8001:UDP"= 8001:UDP:WoS 8001 UDP
"8001:TCP"= 8001:TCP:WoS 8001 TCP
"8888:UDP"= 8888:UDP:MIX 8888 UDP
"8888:TCP"= 8888:TCP:MIX 8888 TCP
"56880:TCP"= 56880:TCP:Pando Media Booster
"56880:UDP"= 56880:UDP:Pando Media Booster
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [4/19/2012 4:50 AM 60216]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [9/21/2012 3:46 AM 246072]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/7/2010 3:48 AM 39224]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [12/23/2011 1:32 PM 208184]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [12/23/2011 1:32 PM 22328]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [9/7/2010 3:48 AM 171320]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [11/9/2010 10:20 PM 182072]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2013\avgwdsvc.exe [7/23/2013 7:09 PM 283136]
R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [4/25/2013 4:49 PM 33792]
R3 lv321av;Logitech USB PC Camera (VC0321);c:\windows\system32\drivers\lv321av.sys [10/20/2012 12:16 AM 847392]
R3 NETwLx32;    Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [2/17/2013 12:10 PM 6609920]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2013\avgidsagent.exe [7/4/2013 3:53 PM 4939312]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [7/13/2012 1:28 PM 160944]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/1/2009 6:03 AM 1684736]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [6/2/2011 10:08 AM 11336]
S3 Neo_First;VPN Client Device Driver - First;c:\windows\system32\drivers\Neo_0031.sys [12/22/2011 1:46 AM 22000]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/14/2010 1:43 AM 691696]
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 05:49]
.
2013-09-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-362288127-682003330-1003Core.job
- c:\documents and settings\Acer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-10-23 14:06]
.
2013-09-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-362288127-682003330-1003UA.job
- c:\documents and settings\Acer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-10-23 14:06]
.
2013-09-17 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2012-09-10 19:18]
.
.
------- Supplementary Scan -------
.
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: DhcpNameServer = 192.168.1.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Acer\Application Data\Mozilla\Firefox\Profiles\poigmfio.default-1378220192328\
FF - ExtSQL: 2013-09-03 18:03; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\documents and settings\Acer\Application Data\Mozilla\Firefox\Profiles\poigmfio.default-1378220192328\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2013-09-03 18:08; {bee6eb20-01e0-ebd1-da83-080329fb9a3a}; c:\documents and settings\Acer\Application Data\Mozilla\Firefox\Profiles\poigmfio.default-1378220192328\extensions\{bee6eb20-01e0-ebd1-da83-080329fb9a3a}
FF - ExtSQL: 2013-09-03 18:08; donottrackplus@abine.com; c:\documents and settings\Acer\Application Data\Mozilla\Firefox\Profiles\poigmfio.default-1378220192328\extensions\donottrackplus@abine.com
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Vuze_Remote Toolbar - c:\program files\Vuze_Remote\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-09-17 18:56
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1715567821-362288127-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{58B395D3-2146-02F7-7D8F-1508C5DBC64A}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"ialebcegicaffemjkh"=hex:69,61,63,62,69,70,63,68,66,63,61,6a,67,70,65,65,6f,65,
   00,00
"haffpdkfonchnnpe"=hex:69,61,63,62,69,70,63,68,66,63,61,6a,67,70,65,65,6f,65,
   00,00
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_174_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_174_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
Completion time: 2013-09-17  19:00:08
ComboFix-quarantined-files.txt  2013-09-17 16:00
ComboFix2.txt  2013-09-17 14:03
.
Pre-Run: 1,740,431,360 bytes free
Post-Run: 1,758,576,640 bytes free
.
- - End Of File - - EC5D44B14D97A7BDFBBD14BF266C57B0
99852D5C3A78447C3D6D82B6155FE848
 

===

 

Malwarebytes did not detect anything, though. Here is its log:

 

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.09.17.08

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Acer :: ACER-E0DEB58D0C [administrator]

9/17/2013 7:11:05 PM
mbam-log-2013-09-17 (19-11-05).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 357378
Time elapsed: 1 hour(s), 22 minute(s), 55 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 



#6 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 18 September 2013 - 12:29 AM

Scan with ESET Online Scan

Please go here to run the online scanner from ESET.

  • Turn off the real-time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file...
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#7 Cannendrum

  • Topic Starter
  • Members
  • 20 posts

Posted 18 September 2013 - 08:40 AM

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondesdn.zip    Win32/Bagle.gen.zip worm
C:\Program Files\Cheat Engine 6.2\cheatengine-i386.exe    a variant of Win32/HackTool.CheatEngine.AB application
C:\Program Files\Cheat Engine 6.2\standalonephase1.dat    a variant of Win32/HackTool.CheatEngine.AF application
C:\Program Files\Vuze\.install4j\i4j_extf_27_5p83tu.dll    a variant of Win32/Bunndle application
C:\Program Files\Vuze\.install4j\i4j_extf_32_5p83tu.dll    a variant of Win32/Bunndle application
 



#8 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 19 September 2013 - 02:46 AM

C:\Program Files\Vuze\.install4j\i4j_extf_27_5p83tu.dll    a variant of Win32/Bunndle application
C:\Program Files\Vuze\.install4j\i4j_extf_32_5p83tu.dll    a variant of Win32/Bunndle application

These files aren't malware but contain security risks. I would delete them immediately - your choice!

Then we can do the cleanup - if you are facing any issues, report that immediately.

Delete junk with adwCleaner

Please download AdwCleaner to your desktop.

  • Run adwcleaner.exe
  • Hit Scan and wait for the scan to finish.
  • Confirm the message but don't uncheck anything.
  • Hit Delete
  • When the run is finished, it will open up a text file
  • Please post its contents within your next reply
  • You'll find the log file at C:\AdwCleaner[S1].txt also

SecurityCheck

Please download SecurityCheck: LINK1 LINK2

  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan has finished, checkup.txt will open. Copy its contents to your thread.



#9 Cannendrum

  • Topic Starter
  • Members
  • 20 posts

Posted 19 September 2013 - 09:53 AM

 

C:\Program Files\Vuze\.install4j\i4j_extf_27_5p83tu.dll    a variant of Win32/Bunndle application
C:\Program Files\Vuze\.install4j\i4j_extf_32_5p83tu.dll    a variant of Win32/Bunndle application

These files aren't malware but contain security risks. I would delete them immediately - your choice!

I would love to remove them and have my laptop as clean as possible. How do I delete them?

And as for the second point in your reply, on using adwCleaner, I have downloaded it and scanned, but there is no button that says "Delete". Did you mean "Clean"?

 




#10 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 19 September 2013 - 09:58 AM

OK, the software has been changed. Yes, I mean clean!

 

 

Download the attached CFScript.txt and drag it into Combofix (as you did before) - it contains commands that allow Combofix to remove the two files.

 

Post up the log Combofix creates.

 

 




#11 Cannendrum

  • Topic Starter
  • Members
  • 20 posts

Posted 19 September 2013 - 10:11 AM

Alright, I just want to be sure of what order to do these in. First, I use Combofix with your recently attached CFScript, then AdwCleaner and finally I use SecurityCheck?



#12 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 20 September 2013 - 12:08 AM

Yes, that's right.



#13 Cannendrum

  • Topic Starter
  • Members
  • 20 posts

Posted 20 September 2013 - 05:58 AM

ComboFix 13-09-17.01 - Acer 09/20/2013  13:20:06.4.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1256.1.1033.18.1014.609 [GMT 3:00]
Running from: c:\documents and settings\Acer\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Acer\Desktop\CFScript.txt
AV: AVG AntiVirus Free Edition 2013 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
 * Created a new restore point
.
FILE ::
"c:\program files\Vuze\.install4j\i4j_extf_27_5p83tu.dll"
"c:\program files\Vuze\.install4j\i4j_extf_32_5p83tu.dll"
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-20 to 2013-09-20  )))))))))))))))))))))))))))))))
.
.
2013-09-19 14:37 . 2013-09-19 14:47    --------    d-----w-    C:\AdwCleaner
2013-09-18 12:14 . 2013-09-18 12:14    --------    d-----w-    c:\program files\ESET
2013-09-17 16:06 . 2013-09-17 16:06    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2013-09-17 16:06 . 2013-04-04 11:50    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-09-14 05:48 . 2013-09-14 05:48    4751752    ----a-w-    c:\windows\system32\FlashPlayerInstaller.exe
2013-09-02 19:54 . 2013-09-02 19:54    --------    d-----w-    C:\TLCWIN
2013-08-30 14:28 . 2013-08-30 15:06    --------    d-----w-    c:\program files\DoISO
2013-08-25 17:42 . 2013-08-25 17:43    --------    d-----w-    c:\program files\Common Files\Adobe
2013-08-24 06:58 . 2013-08-24 06:58    --------    d-----w-    c:\documents and settings\Acer\Application Data\Malwarebytes
2013-08-24 06:57 . 2013-08-24 06:57    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes
2013-08-22 22:16 . 2013-09-14 09:46    --------    d-----w-    c:\windows\system32\MRT
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-09-14 05:49 . 2012-04-02 10:53    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-09-14 05:49 . 2011-05-15 20:28    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-09 22:34 . 2011-12-23 10:32    22328    ----a-w-    c:\windows\system32\drivers\avgidsshimx.sys
2013-09-04 22:43 . 2010-09-07 00:48    39224    ----a-w-    c:\windows\system32\drivers\avgrkx86.sys
2013-08-09 01:56 . 2004-08-04 04:56    386560    ----a-w-    c:\windows\system32\themeui.dll
2013-08-08 01:27 . 2004-08-04 03:17    1877760    ----a-w-    c:\windows\system32\win32k.sys
2013-08-05 13:30 . 2004-08-04 04:56    1289728    ----a-w-    c:\windows\system32\ole32.dll
2013-07-31 19:52 . 2004-08-04 04:56    901808    ----a-w-    c:\windows\system32\wmvdmod.dll
2013-07-26 02:47 . 2004-08-04 04:56    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-07-26 02:47 . 2004-08-04 04:56    43520    ------w-    c:\windows\system32\licmgr10.dll
2013-07-26 02:47 . 2004-08-04 04:56    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2013-07-25 15:52 . 2004-08-04 02:59    385024    ------w-    c:\windows\system32\html.iec
2013-07-19 22:51 . 2012-09-21 00:46    246072    ----a-w-    c:\windows\system32\drivers\avglogx.sys
2013-07-19 22:50 . 2012-04-19 01:50    60216    ----a-w-    c:\windows\system32\drivers\avgidshx.sys
2013-07-19 22:50 . 2011-12-23 10:32    208184    ----a-w-    c:\windows\system32\drivers\avgidsdriverx.sys
2013-07-19 22:50 . 2010-09-07 00:48    171320    ----a-w-    c:\windows\system32\drivers\avgldx86.sys
2013-07-10 10:37 . 2004-08-04 04:56    406016    ----a-w-    c:\windows\system32\usp10.dll
2013-07-04 03:03 . 2004-08-04 03:18    2149888    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-07-04 02:08 . 2004-08-03 22:59    2028544    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-06-30 22:45 . 2010-09-07 00:48    96568    ----a-w-    c:\windows\system32\drivers\avgmfx86.sys
2013-06-23 23:11 . 2013-06-23 23:11    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-06-23 23:11 . 2013-06-23 23:12    144896    ----a-w-    c:\windows\system32\javacpl.cpl
2013-06-23 23:11 . 2012-05-09 07:46    867240    ----a-w-    c:\windows\system32\npdeployJava1.dll
2013-06-23 23:11 . 2010-05-23 01:42    789416    ----a-w-    c:\windows\system32\deployJava1.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 07:20    64792    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 07:20    64792    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 07:20    64792    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 07:20    64792    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 07:20    64792    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 07:20    64792    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 07:20    64792    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 07:20    64792    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 07:20    64792    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32    129272    ----a-w-    c:\documents and settings\Acer\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32    129272    ----a-w-    c:\documents and settings\Acer\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32    129272    ----a-w-    c:\documents and settings\Acer\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32    129272    ----a-w-    c:\documents and settings\Acer\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-13 88204]
"RTHDCPL"="RTHDCPL.EXE" [2009-07-20 18670592]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2010-04-12 180224]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-21 59720]
"LogitechCommunicationsManager"="c:\program files\Common Files\Logitech\LComMgr\Communications_Helper.exe" [2006-10-30 304664]
"AcerOrbicamRibbon"="c:\program files\Acer\OrbiCam10\OrbiCam.exe" [2006-11-28 754712]
"LVCOMSX"="c:\program files\Common Files\Logitech\LComMgr\LVComSX.exe" [2006-11-28 244512]
"AVG_UI"="c:\program files\AVG\AVG2013\avgui.exe" [2013-08-15 4411440]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-05-31 152392]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-05-11 958576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2013-04-04 532040]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-1-17 618557]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk *\0c:\progra~1\AVG\AVG2013\avgrsx.exe /sync /restart
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"d:\\Vampire\\Well Of Souls\\Souls.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"d:\\Vampire\\Well Of Souls\\MIX\\Mix.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Acer\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\FlashGet\\FlashGet.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgmfapx.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgdiagex.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8000:UDP"= 8000:UDP:WoS 8000 UDP
"8000:TCP"= 8000:TCP:WoS 8000 TCP
"8001:UDP"= 8001:UDP:WoS 8001 UDP
"8001:TCP"= 8001:TCP:WoS 8001 TCP
"8888:UDP"= 8888:UDP:MIX 8888 UDP
"8888:TCP"= 8888:TCP:MIX 8888 TCP
"56880:TCP"= 56880:TCP:Pando Media Booster
"56880:UDP"= 56880:UDP:Pando Media Booster
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [4/19/2012 4:50 AM 60216]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [9/21/2012 3:46 AM 246072]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/7/2010 3:48 AM 39224]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [12/23/2011 1:32 PM 208184]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [12/23/2011 1:32 PM 22328]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [9/7/2010 3:48 AM 171320]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [11/9/2010 10:20 PM 182072]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2013\avgwdsvc.exe [7/23/2013 7:09 PM 283136]
R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [4/25/2013 4:49 PM 33792]
R3 lv321av;Logitech USB PC Camera (VC0321);c:\windows\system32\drivers\lv321av.sys [10/20/2012 12:16 AM 847392]
R3 NETwLx32;    Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [2/17/2013 12:10 PM 6609920]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2013\avgidsagent.exe [7/4/2013 3:53 PM 4939312]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [7/13/2012 1:28 PM 160944]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/1/2009 6:03 AM 1684736]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [6/2/2011 10:08 AM 11336]
S3 Neo_First;VPN Client Device Driver - First;c:\windows\system32\drivers\Neo_0031.sys [12/22/2011 1:46 AM 22000]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/14/2010 1:43 AM 691696]
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-20 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 05:49]
.
2013-09-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-362288127-682003330-1003Core.job
- c:\documents and settings\Acer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-10-23 14:06]
.
2013-09-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-362288127-682003330-1003UA.job
- c:\documents and settings\Acer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-10-23 14:06]
.
2013-09-17 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2012-09-10 19:18]
.
.
------- Supplementary Scan -------
.
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: DhcpNameServer = 192.168.1.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Acer\Application Data\Mozilla\Firefox\Profiles\poigmfio.default-1378220192328\
FF - ExtSQL: 2013-09-03 18:03; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\documents and settings\Acer\Application Data\Mozilla\Firefox\Profiles\poigmfio.default-1378220192328\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2013-09-03 18:08; {bee6eb20-01e0-ebd1-da83-080329fb9a3a}; c:\documents and settings\Acer\Application Data\Mozilla\Firefox\Profiles\poigmfio.default-1378220192328\extensions\{bee6eb20-01e0-ebd1-da83-080329fb9a3a}
FF - ExtSQL: 2013-09-03 18:08; donottrackplus@abine.com; c:\documents and settings\Acer\Application Data\Mozilla\Firefox\Profiles\poigmfio.default-1378220192328\extensions\donottrackplus@abine.com
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
BHO-{ba14329e-9550-4989-b3f2-9732e92d17cc} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-09-20 13:30
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1715567821-362288127-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{58B395D3-2146-02F7-7D8F-1508C5DBC64A}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"ialebcegicaffemjkh"=hex:69,61,63,62,69,70,63,68,66,63,61,6a,67,70,65,65,6f,65,
   00,00
"haffpdkfonchnnpe"=hex:69,61,63,62,69,70,63,68,66,63,61,6a,67,70,65,65,6f,65,
   00,00
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_174_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_174_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2120)
c:\windows\system32\WININET.dll
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub32.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN32.dll
c:\program files\TortoiseSVN\bin\libsvn_tsvn32.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn32.dll
c:\program files\TortoiseSVN\bin\libsasl32.dll
c:\documents and settings\Acer\Application Data\Dropbox\bin\DropboxExt.17.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\xpsp3res.dll
.
Completion time: 2013-09-20  13:34:36
ComboFix-quarantined-files.txt  2013-09-20 10:34
ComboFix2.txt  2013-09-17 16:00
ComboFix3.txt  2013-09-17 14:03
.
Pre-Run: 2,019,045,376 bytes free
Post-Run: 2,009,223,168 bytes free
.
- - End Of File - - DD6D9B3E3104D6655D6672C511D44B35
99852D5C3A78447C3D6D82B6155FE848


===========


# AdwCleaner v3.004 - Report created 20/09/2013 at 13:38:46
# Updated 15/09/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Acer - ACER-E0DEB58D0C
# Running from : C:\Documents and Settings\Acer\Desktop\adwcleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Documents and Settings\All Users\Application Data\Trymedia
Folder Deleted : C:\Documents and Settings\All Users\Application Data\AlawarWrapper
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Documents and Settings\Acer\Local Settings\Application Data\ConduitEngine
Folder Deleted : C:\Documents and Settings\Acer\Local Settings\Application Data\Vuze_Remote
File Deleted : C:\WINDOWS\system32\conduitEngine.tmp

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com
Key Deleted : HKCU\Toolbar
Key Deleted : HKLM\SOFTWARE\Classes\Conduit.Engine
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2504091
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B18A9D54-1D88-4EDD-9DA0-8F522484C0D2}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FD31F969-67B2-4FC5-B18E-42F152BCA1D6}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A6B05B88-63D1-4624-846F-FE71B5D40C81}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{A6B05B88-63D1-4624-846F-FE71B5D40C81}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AF63101D-227A-4471-9E67-C5114D7C0B6F}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{0CC2019E-610E-43E5-A0F7-E7AE99A233B6}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{75AEE842-9DA3-4C70-8AB4-B95DA1BD9BE2}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{C99FDC39-A1AE-4B24-8D71-E5274F8D7C54}
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\conduitEngine
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\Vuze_Remote
Key Deleted : HKLM\Software\AVG Secure Search
Key Deleted : HKLM\Software\AVG Security Toolbar
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\conduitEngine
Key Deleted : HKLM\Software\TENCENT
Key Deleted : HKLM\Software\Vuze_Remote
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Conduit Engine
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Vuze_Remote Toolbar

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Mozilla Firefox v24.0 (en-US)

[ File : C:\Documents and Settings\Acer\Application Data\Mozilla\Firefox\Profiles\poigmfio.default-1378220192328\prefs.js ]


-\\ Google Chrome v

[ File : C:\Documents and Settings\Acer\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [4860 octets] - [19/09/2013 17:37:56]
AdwCleaner[R1].txt - [4920 octets] - [19/09/2013 17:46:48]
AdwCleaner[R2].txt - [4020 octets] - [20/09/2013 13:36:44]
AdwCleaner[S0].txt - [3854 octets] - [20/09/2013 13:38:46]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [3914 octets] ##########
 

 

===========

 

 Results of screen317's Security Check version 0.99.73  
 Windows XP Service Pack 3 x86   
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
AVG AntiVirus Free Edition 2013   
 Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
 MVPS Hosts File  
 Spybot - Search & Destroy
 Malwarebytes Anti-Malware version 1.75.0.1300  
 Java 7 Update 25  
 Adobe Flash Player     11.8.800.168  
 Adobe Reader XI  
 Mozilla Firefox (24.0)
````````Process Check: objlist.exe by Laurent````````  
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbamgui.exe  
 AVG avgwdsvc.exe
 Malwarebytes' Anti-Malware mbamscheduler.exe   
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 34% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
#14 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:40 AM

Posted 20 September 2013 - 06:02 AM

Your system is clean now! :)

Uninstall our tools using delfix

Please follow these steps in order:

  • In case we used Defogger to turn off your CD emulation software, you can start it again and use the Enable button.
  • In case we used Combofix, deactivate your antivirus software once more, then rename combofix.exe to uninstall.exe and run it one last time. You will be notified that Combofix has been removed.
  • In any case please download delfix to your desktop.
    • Close all other programs and start delfix.
    • Please check all the boxes and run the tool.
    • delfix will now delete all found traces of our removal process
  • If there is still something left please delete it manually.

How to protect yourself

  • System Updates
    Being up to date is very important. Please be sure to activate automatic updates in your control panel.
    Windows XP | Windows Vista |
    Windows 7 | Windows 8
  • Protection
    What you need is one (not more) good virus scanner with background protection. Additionally I recommend a special malware scanner that you run from time to time.
    Personally I am using the avast! Antivirus Free Edition and Malwarebytes Anti-Malware. They offer you good protection for free use. But please remember: you only get the full protection if you use the paid versions of your security software.
  • Up to date Software
    Stay up to date with all the programs you use. Some of those you really have to keep an eye on are: your browser(s) including add-ons and plug-ins, Java, Flash Player, your virus scanner, and basically every software you use often. These links may help you to check:
  • Backups
    There is a chance of an emergency every day, so be prepared. Back up your data on a regular basis. Whether you burn it to DVDs from time to time, use a cloud drive or a professional network backup system is your choice.
  • Brains
    It's no joke! You really need one of those things. :) It is very important not to just click anywhere it is colored or flashing while you are surfing the web. Do not click an OK button on any pop-up window without reading what it says. While installing software always choose the custom mode, read what those windows say and uncheck adware that would be installed along with the software you want.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#15 Cannendrum

Cannendrum
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:10:40 AM

Posted 20 September 2013 - 12:20 PM

I'm grateful for your help and advice, but I scanned with AVG and it says there are 48 detections, so only 2 were healed/removed. Should I be worried about them? Will they keep increasing?

 

Also, now when I try to empty my Recycle Bin a message pops up and says, "Are you sure you want to delete "WINDOWS"?" even though the image of the Recycle Bin appears to be empty. I sent an empty text file to the Bin and when I tried to empty it, it said that there were 2 items but I could only see the text file. Is this a result of the infections?

 

Sorry if I'm giving you a hard time. I'm just worried.

 

This is what AVG found:

 

"";"atapi.sys, hooked import HAL.dll READ_PORT_UCHAR -> spzq.sys +0x2042, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"atapi.sys, hooked import HAL.dll READ_PORT_USHORT -> spzq.sys +0x20C0, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"i8042prt.sys, hooked import HAL.dll READ_PORT_UCHAR -> spzq.sys +0x11B90, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"IRP hook, \FileSystem\Fastfat IRP_MJ_CREATE -> spzq.sys +0x11D40, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"IRP hook, \FileSystem\Fastfat IRP_MJ_CLOSE -> spzq.sys +0x11D40, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"IRP hook, \FileSystem\Fastfat IRP_MJ_READ -> spzq.sys +0x11D40, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"IRP hook, \FileSystem\Fastfat IRP_MJ_WRITE -> spzq.sys +0x11D40, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"IRP hook, \FileSystem\Fastfat IRP_MJ_QUERY_INFORMATION -> spzq.sys +0x11D40, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"IRP hook, \FileSystem\Fastfat IRP_MJ_SET_INFORMATION -> spzq.sys +0x11D40, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"IRP hook, \FileSystem\Fastfat IRP_MJ_QUERY_EA -> spzq.sys +0x11D40, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"IRP hook, \FileSystem\Fastfat IRP_MJ_SET_EA -> spzq.sys +0x11D40, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"IRP hook, \FileSystem\Fastfat IRP_MJ_FLUSH_BUFFERS -> spzq.sys +0x11D40, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"IRP hook, \FileSystem\Fastfat IRP_MJ_QUERY_VOLUME_INFORMATION -> spzq.sys +0x11D40, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"IRP hook, \FileSystem\Fastfat IRP_MJ_SET_VOLUME_INFORMATION -> spzq.sys +0x11D40, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"IRP hook, \FileSystem\Fastfat IRP_MJ_DIRECTORY_CONTROL -> spzq.sys +0x11D40, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"IRP hook, \FileSystem\Fastfat IRP_MJ_FILE_SYSTEM_CONTROL -> spzq.sys +0x11D40, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"IRP hook, \FileSystem\Fastfat IRP_MJ_DEVICE_CONTROL -> spzq.sys +0x11D40, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"IRP hook, \FileSystem\Fastfat IRP_MJ_SHUTDOWN -> spzq.sys +0x11D40, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"IRP hook, \FileSystem\Fastfat IRP_MJ_LOCK_CONTROL -> spzq.sys +0x11D40, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"IRP hook, \FileSystem\Fastfat IRP_MJ_CLEANUP -> spzq.sys +0x11D40, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"IRP hook, \FileSystem\Ntfs IRP_MJ_CREATE -> spzq.sys +0x11D40, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"IRP hook, \FileSystem\Ntfs IRP_MJ_CLOSE -> spzq.sys +0x11D40, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"IRP hook, \FileSystem\Ntfs IRP_MJ_READ -> spzq.sys +0x11D40, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"IRP hook, \FileSystem\Ntfs IRP_MJ_WRITE -> spzq.sys +0x11D40, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"IRP hook, \FileSystem\Ntfs IRP_MJ_QUERY_INFORMATION -> spzq.sys +0x11D40, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"IRP hook, \FileSystem\Ntfs IRP_MJ_SET_INFORMATION -> spzq.sys +0x11D40, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"IRP hook, \FileSystem\Ntfs IRP_MJ_SET_EA -> spzq.sys +0x11D40, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"IRP hook, \FileSystem\Ntfs IRP_MJ_FLUSH_BUFFERS -> spzq.sys +0x11D40, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"IRP hook, \FileSystem\Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION -> spzq.sys +0x11D40, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"IRP hook, \FileSystem\Ntfs IRP_MJ_SET_VOLUME_INFORMATION -> spzq.sys +0x11D40, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"IRP hook, \FileSystem\Ntfs IRP_MJ_DIRECTORY_CONTROL -> spzq.sys +0x11D40, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"IRP hook, \FileSystem\Ntfs IRP_MJ_FILE_SYSTEM_CONTROL -> spzq.sys +0x11D40, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"IRP hook, \FileSystem\Ntfs IRP_MJ_DEVICE_CONTROL -> spzq.sys +0x11D40, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"IRP hook, \FileSystem\Ntfs IRP_MJ_SHUTDOWN -> spzq.sys +0x11D40, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"IRP hook, \FileSystem\Ntfs IRP_MJ_LOCK_CONTROL -> spzq.sys +0x11D40, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"IRP hook, \FileSystem\Ntfs IRP_MJ_CLEANUP -> spzq.sys +0x11D40, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"IRP hook, \FileSystem\Ntfs IRP_MJ_QUERY_SECURITY -> spzq.sys +0x11D40, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"IRP hook, \FileSystem\Ntfs IRP_MJ_SET_SECURITY -> spzq.sys +0x11D40, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"IRP hook, \FileSystem\Ntfs IRP_MJ_QUERY_QUOTA -> spzq.sys +0x11D40, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"IRP hook, \FileSystem\Ntfs IRP_MJ_SET_QUOTA -> spzq.sys +0x11D40, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"IRP hook, \FileSystem\Ntfs IRP_MJ_PNP -> spzq.sys +0x11D40, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"Service function NtCreateKey hook -> spzq.sys +0x10E0, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"Service function NtEnumerateKey hook -> spzq.sys +0x19DA4, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"Service function NtEnumerateValueKey hook -> spzq.sys +0x1A132, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"Service function NtOpenKey hook -> spzq.sys +0x10C0, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"Service function NtQueryKey hook -> spzq.sys +0x1A20A, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"Service function NtQueryValueKey hook -> spzq.sys +0x1A08A, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"Service function NtSetValueKey hook -> spzq.sys +0x1A29C, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
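To see what a report like the one above actually boils down to, here is an added Python triage helper (not AVG's code and not from this thread) that parses AVG's semicolon-separated report format and groups the entries by hook kind, by the driver file each hook points into, and by hook offset; the SAMPLE lines are a constructed four-line subset of the report quoted above.

```python
# Added triage helper (not AVG's or the forum's code): parse AVG anti-rootkit
# report lines of the form  "";"<description>";"Infected"  and group them.
import csv
import io
import re
from collections import Counter, defaultdict

# Tail of every description: "-> <driver> +0x<offset>, <full path>"
TARGET_RE = re.compile(r"-> (?P<driver>\S+) \+0x(?P<offset>[0-9A-Fa-f]+), (?P<path>.+)$")


def parse_avg_lines(text):
    """Yield one record per 'Infected' line: kind, subject, driver, offset, path."""
    for row in csv.reader(io.StringIO(text), delimiter=";", quotechar='"'):
        if len(row) < 3 or row[2] != "Infected":
            continue  # blank line or a non-detection row
        desc = row[1]
        m = TARGET_RE.search(desc)
        if not m:
            continue  # description without a hook target; ignore
        head = desc[: m.start()].rstrip()
        if head.startswith("IRP hook, "):
            kind, subject = "irp_hook", head[len("IRP hook, "):]
        elif head.startswith("Service function "):
            kind, subject = "ssdt_hook", head[len("Service function "):].replace(" hook", "")
        elif ", hooked import " in head:
            kind, subject = "import_hook", head
        else:
            kind, subject = "other", head
        yield {"kind": kind, "subject": subject, "driver": m.group("driver"),
               "offset": int(m.group("offset"), 16), "path": m.group("path")}


def summarize(text):
    """Count hooks per kind and collect the distinct drivers and offsets per kind."""
    kinds, drivers, offsets = Counter(), set(), defaultdict(set)
    for rec in parse_avg_lines(text):
        kinds[rec["kind"]] += 1
        drivers.add(rec["driver"])
        offsets[rec["kind"]].add(rec["offset"])
    return {"kinds": dict(kinds), "drivers": drivers, "offsets": dict(offsets)}


# Constructed sample: four lines in the format of the report quoted above.
SAMPLE = r'''"";"atapi.sys, hooked import HAL.dll READ_PORT_UCHAR -> spzq.sys +0x2042, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"IRP hook, \FileSystem\Fastfat IRP_MJ_CREATE -> spzq.sys +0x11D40, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"IRP hook, \FileSystem\Ntfs IRP_MJ_READ -> spzq.sys +0x11D40, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
"";"Service function NtOpenKey hook -> spzq.sys +0x10C0, C:\WINDOWS\system32\drivers\spzq.sys";"Infected"
'''

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Run on the full report, the summary shows a single driver file behind every entry and one offset shared by all IRP hooks, which is the picture of one hooking component rather than dozens of separate infections; whether that component is malicious is then a question about that one file.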
0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users