Infected with Trojan horse Hider.mpr [Solved]


  • This topic is locked
42 replies to this topic

#1 kingofsnake

  • Authentic Member
  • 21 posts

Posted 03 March 2012 - 10:54 AM

Hi. My virus scanner AVG recently detected 25 infections of win32/Heur and removed them to the vault. It is now also detecting Trojan horse Hider.mpr but cannot remove this, as it reports the location is not available. Using Firefox, access to many anti-virus sites is being denied; Chrome will not open at all. Using Google I found your site and am now seeking your help.

Here is my HijackThis Log.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 16:39:35, on 03/03/2012
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.19088)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\VyprVPN\VPNClient.exe
C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files (x86)\RocketDock\RocketDock.exe
C:\Program Files (x86)\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\monitor.exe
C:\Program Files (x86)\AVG\AVG2012\avgtray.exe
C:\Program Files (x86)\AVG Secure Search\vprot.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe
C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe
C:\Windows\SysWOW64\svchost.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\SysWOW64\svchost.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Users\Brian\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.mywebsea...KKpFxqSWWcqVePA
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
O2 - BHO: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\10.0.0.7\AVG Secure Search_toolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\10.0.0.7\AVG Secure Search_toolbar.dll
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files (x86)\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
O4 - HKLM\..\Run: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [ROC_roc_dec12] "C:\Program Files (x86)\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
O4 - HKLM\..\Run: [HTC Sync Loader] "C:\Program Files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe" -startup
O4 - HKLM\..\Run: [EEventManager] "C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe"
O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start [url="http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg"&"inst=NzctNjkxMDMwODAwLUJBKzEtS1YzKzctVDQtRlA5Mis2LUJBUjlHKzEtVEI5KzItRkwrOS1GMTBNKzUtUUlYMSs0LVgyMDEwKzItVklQMTArMS1GMTBNMTBDKzItRjEwTTEwRCsxLUxJQys3Ny1TUDErMS1GTDEwKzEtVFVHKzMtU1AxUzIrMS1TVUQrMS1TMUkrMS1TVTMrMS1ERFQrMC1MU0QrMi1GT0krMQ"&"prod=90"&"ver=10.0.1411"]http://www.avg.com/ww.special-uninstallati...t;ver=10.0.1411[/url]
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [EPSON Stylus Photo R285 Series] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATICKE.EXE /FU "C:\Users\Brian\AppData\Local\Temp\E_S6D39.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [Google Update] "C:\Users\Brian\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [NokiaOviSuite2] C:\Program Files (x86)\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe -tray
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [AE43EAC771ADEE2FEEB86AD6759833F2448FAA11._service_run] "C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe" --type=service
O4 - HKCU\..\Run: [EPSON SX440 Series] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIHBE.EXE /FU "C:\Users\Brian\AppData\Local\Temp\E_S6DC5.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [Epson Stylus SX440(Network)] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIHBE.EXE /FU "C:\Users\Brian\AppData\Local\Temp\E_S6CCC.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [GrdTbynj] C:\Users\Brian\AppData\Local\xolhqyev\grdtbynj.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-833728864-3627221017-1489760476-1002\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'UpdatusUser')
O4 - Startup: grdtbynj.exe
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: RocketDock.lnk = C:\Program Files\RocketDock\RocketDock.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O16 - DPF: {FD0EBBED-0C42-4D0F-82DA-44399B5C420A} - http://downloads.vir...tainstaller.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll
O18 - Protocol: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\10.0.6\ViProtocol.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: ABBYY FineReader 9.0 Sprint Licensing Service (ABBYY.Licensing.FineReader.Sprint.9.0) - ABBYY - C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: SAMSUNG AllShare Service (AllShare) - Unknown owner - C:\Program Files (x86)\Samsung\SAMSUNG PC Share Manager\WiselinkPro.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files (x86)\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files (x86)\OpenVPN\bin\openvpnserv.exe
O23 - Service: Internet Pass-Through Service (PassThru Service) - Unknown owner - C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\SysWOW64\IoctlSvc.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: vToolbarUpdater - Unknown owner - C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\10.0.6\ToolbarUpdater.exe
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 11752 bytes

Thank You
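A helper reads a log like the one above by hand. As an added example (not part of the original post and not HijackThis code), the Python script below applies a few defender's triage heuristics to the O4, R3, O3 and O1 line formats that appear in this log: autoruns launched from user-writable profile paths, random-looking file or folder names, orphaned component references, and hosts-file overrides of the kind that would explain blocked anti-virus sites. The rules, severities and the one hosts line marked as constructed are my own assumptions; the other sample lines are copied from the log.

```python
"""Triage heuristics for HijackThis v2.x log lines.

Added example for this thread; it is not part of the original post and not
HijackThis code. The rules and severities are assumptions meant to surface
entries for a human to review, not to classify anything as malware.
"""
import re
from dataclasses import dataclass

# O4 - HKCU\..\Run: [GrdTbynj] C:\Users\Brian\AppData\Local\xolhqyev\grdtbynj.exe
RUN_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O4 - Startup: grdtbynj.exe   /   O4 - Global Startup: RocketDock.lnk = C:\...\RocketDock.exe
STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (?P<item>.*)$")
# R3 / O2 / O3 entries whose referenced file no longer exists
ORPHAN_RE = re.compile(r"^(?:R3|O2|O3) - .*\(no file\)$")
# O1 - Hosts: ::1 localhost
HOSTS_RE = re.compile(r"^O1 - Hosts: (?P<addr>\S+)\s+(?P<host>\S+)")
# Assumption: autoruns living in these user-writable trees deserve a second look.
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\(?:Local|Roaming)\\|\\Temp\\", re.IGNORECASE)
# A quoted program path, or an unquoted one ending in a common executable extension.
EXE_PATH_RE = re.compile(r'^(?:"(?P<quoted>[^"]+)"|(?P<bare>.*?\.(?:exe|scr|dll|bat|cmd)))', re.IGNORECASE)


@dataclass
class Finding:
    severity: str  # "high", "review" or "low"
    reason: str
    line: str


def parse_exe_path(cmd: str) -> str:
    """Return the program path from an O4 command, with or without quotes."""
    m = EXE_PATH_RE.match(cmd.strip())
    if not m:
        return cmd.strip()
    return m.group("quoted") or m.group("bare")


def looks_random(token: str) -> bool:
    """Heuristic (assumption): a lowercase-letter token of 6+ characters with
    under 20% vowels, or a run of five or more consonants, reads as generated."""
    t = token.lower()
    if not re.fullmatch(r"[a-z]{6,}", t):
        return False
    vowel_ratio = sum(c in "aeiou" for c in t) / len(t)
    return vowel_ratio < 0.2 or re.search(r"[^aeiou]{5}", t) is not None


def random_named(path: str) -> bool:
    """True if the file stem or its parent directory name looks random."""
    parts = path.replace("/", "\\").split("\\")
    stem = re.sub(r"\.[^.]+$", "", parts[-1])
    parent = parts[-2] if len(parts) > 1 else ""
    return looks_random(stem) or looks_random(parent)


def triage(lines):
    """Run every rule over the log lines and return the findings in log order."""
    findings = []
    for line in lines:
        line = line.rstrip()
        if m := RUN_RE.match(line):
            path = parse_exe_path(m.group("cmd"))
            if USER_WRITABLE_RE.search(path):
                sev = "high" if random_named(path) else "review"
                findings.append(Finding(sev, f"{m.group('key')} autorun from user-writable path: {path}", line))
        elif m := STARTUP_RE.match(line):
            item = m.group("item")
            # Shortcuts are listed as "name.lnk = target"; bare items are the file itself.
            target = item.split(" = ", 1)[1] if " = " in item else item
            if random_named(target):
                findings.append(Finding("high", f"Startup-folder item with random-looking name: {target}", line))
        elif ORPHAN_RE.match(line):
            findings.append(Finding("low", "orphaned entry: registered component file is missing", line))
        elif m := HOSTS_RE.match(line):
            if m.group("host").lower() != "localhost":
                findings.append(Finding("review", f"hosts entry maps {m.group('host')} to {m.group('addr')}", line))
    return findings


# Sample input: lines copied from the HijackThis log posted above, plus one
# constructed hosts line (marked) so the hosts rule has something to match.
SAMPLE_LINES = [
    r"R3 - URLSearchHook: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)",
    r"O1 - Hosts: ::1 localhost",
    r"O1 - Hosts: 127.0.0.1 security-vendor.example",  # constructed, not from the log
    r"O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)",
    r"O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun",
    r'O4 - HKCU\..\Run: [EPSON SX440 Series] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIHBE.EXE /FU "C:\Users\Brian\AppData\Local\Temp\E_S6DC5.tmp" /EF "HKCU"',
    r'O4 - HKCU\..\Run: [Google Update] "C:\Users\Brian\AppData\Local\Google\Update\GoogleUpdate.exe" /c',
    r"O4 - HKCU\..\Run: [GrdTbynj] C:\Users\Brian\AppData\Local\xolhqyev\grdtbynj.exe",
    r"O4 - Startup: grdtbynj.exe",
    r"O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.severity:6}] {f.reason}")
```

Note that the EPSON line is not flagged even though its arguments reference a Temp file: only the launched program's path is judged, which is the point of parsing the command rather than grepping it.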



#2 jeffce

  • Malware Guy
  • Authentic Member
  • 8,693 posts

Posted 03 March 2012 - 08:36 PM

Hi and Welcome!! :) My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • Please subscribe to this topic, if you haven't already.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

IMPORTANT NOTE : Please do not delete anything unless instructed to.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.
Doing so could make your system inoperable and could require a full reinstall of your OS, losing all your programs and data.


Vista and Windows 7 users:
These tools MUST be run from the executable (.exe) every time you run them
with Admin Rights (Right click, choose "Run as Administrator")


Stay with this topic until I give you the all clean post.

First we need to make all files and folders VISIBLE:

  • Go to start>control panel>folder options>view
  • Choose to "show hidden files and folders,"
  • Uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.
  • Close the window with OK

Download CKScanner by askey127 from Here & save it to your Desktop.
  • Right-click and Run as Administrator CKScanner.exe, then click Search For Files
  • When the cursor hourglass disappears, click Save List To File
  • A message box will verify the file saved
  • Double-click the CKFiles.txt icon on your desktop then copy/paste the contents in your next reply
----------

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.
  • Disable any script blocking protection
  • Right-click and Run as Administrator dds to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt

Attach.txt
----------

Please download aswMBR to your desktop.

  • Right-click and Run as Administrator the aswMBR icon to run it.
  • Click the Scan button to start scan.
  • When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.

----------

In your next reply please post the logs made by ckscanner, DDS and aswMBR. :)

#3 kingofsnake

  • Authentic Member
  • 21 posts

Posted 04 March 2012 - 06:34 AM

Thank you for your prompt reply to my post; here are the log files you requested.

CKScanner Log

CKScanner - Additional Security Risks - These are not necessarily bad
c:\program files (x86)\ambient design\artrage studio pro\resources\stickers\brush heads\crackle & swirl.stk
c:\users\brian\desktop\kris2far new downloads\rhys\pivot\objetos para pivot\new pack\stick figures\wu folder\crackling wu.stk
c:\users\brian\desktop\kris2far new downloads\rhys\pivot\objetos para pivot\new pack\stick figures 2\background accessories\crack2_piv2.stk
c:\users\brian\desktop\kris2far new downloads\rhys\pivot\objetos para pivot\new pack\stick figures 2\background accessories\crack_sidewaysbox.stk
c:\users\brian\desktop\kris2far new downloads\rhys\pivot\objetos para pivot\new pack\stick figures 2\background accessories\buildings\crack.stk
c:\users\brian\documents\covers\dvd covers\inthecrack.com - e471 - betty saint.nzb
c:\users\brian\documents\covers\dvd covers\safecracker (2008).nzb
c:\users\brian\documents\google earth\crack.exe
c:\users\brian\documents\wii label design\safecracker.ec3
scanner sequence 3.ED.11.NONAIC
----- EOF -----

DDS text

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.6001.19088 BrowserJavaVersion: 1.6.0_29
Run by Brian at 12:25:40 on 2012-03-04
Rockers International Team® Windows Vista Eternity™ 2009 x64 6.0.6001.1.1252.44.1033.18.3069.1396 [GMT 0:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files (x86)\VyprVPN\VPNClient.exe
C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe
C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
C:\Windows\SysWOW64\IoctlSvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\10.0.6\ToolbarUpdater.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\RAVCpl64.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\spool\drivers\x64\3\E_IATICKE.EXE
C:\Windows\ehome\ehtray.exe
C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\spool\drivers\x64\3\E_IATIHBE.EXE
C:\Windows\System32\spool\drivers\x64\3\E_IATIHBE.EXE
C:\Program Files (x86)\RocketDock\RocketDock.exe
C:\Program Files (x86)\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\monitor.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\AVG\AVG2012\avgtray.exe
C:\Program Files (x86)\AVG Secure Search\vprot.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe
C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files (x86)\AVG\AVG2012\avgnsa.exe
C:\Program Files (x86)\AVG\AVG2012\avgrsa.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files (x86)\AVG\AVG2012\avgcsrva.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://home.mywebsearch.com/index.jhtml?n=77DE8857&ptnrS=GRxdm407AXGB&ptb=2LKNkvFKKpFxqSWWcqVePA
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: H - No File
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - C:\Program Files (x86)\AVG Secure Search\10.0.0.7\AVG Secure Search_toolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - C:\Program Files (x86)\AVG Secure Search\10.0.0.7\AVG Secure Search_toolbar.dll
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [EPSON Stylus Photo R285 Series] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATICKE.EXE /FU "C:\Users\Brian\AppData\Local\Temp\E_S6D39.tmp" /EF "HKCU"
uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [Google Update] "C:\Users\Brian\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [NokiaOviSuite2] C:\Program Files (x86)\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe -tray
uRun: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
uRun: [AE43EAC771ADEE2FEEB86AD6759833F2448FAA11._service_run] "C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe" --type=service
uRun: [EPSON SX440 Series] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIHBE.EXE /FU "C:\Users\Brian\AppData\Local\Temp\E_S6DC5.tmp" /EF "HKCU"
uRun: [Epson Stylus SX440(Network)] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIHBE.EXE /FU "C:\Users\Brian\AppData\Local\Temp\E_S6CCC.tmp" /EF "HKCU"
uRun: [GrdTbynj] C:\Users\Brian\AppData\Local\xolhqyev\grdtbynj.exe
mRun: [NBKeyScan] "C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Ulead AutoDetector] C:\Program Files (x86)\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
mRun: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
mRun: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [ROC_roc_dec12] "C:\Program Files (x86)\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
mRun: [HTC Sync Loader] "C:\Program Files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe" -startup
mRun: [EEventManager] "C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe"
mRunOnce: [AvgUninstallURL] cmd.exe /c start [url="http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg"&"inst=NzctNjkxMDMwODAwLUJBKzEtS1YzKzctVDQtRlA5Mis2LUJBUjlHKzEtVEI5KzItRkwrOS1GMTBNKzUtUUlYMSs0LVgyMDEwKzItVklQMTArMS1GMTBNMTBDKzItRjEwTTEwRCsxLUxJQys3Ny1TUDErMS1GTDEwKzEtVFVHKzMtU1AxUzIrMS1TVUQrMS1TMUkrMS1TVTMrMS1ERFQrMC1MU0QrMi1GT0krMQ"&"prod=90"&"ver=10.0.1411"]http://www.avg.com/ww.special-uninstallati...t;ver=10.0.1411[/url]
StartupFolder: C:\Users\Brian\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\ROCKET~1.LNK - C:\Program Files (x86)\RocketDock\RocketDock.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorUser = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - C:\Windows\system32\GPhotos.scr/200
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {FD0EBBED-0C42-4D0F-82DA-44399B5C420A} - hxxp://downloads.virginmedia.com/CST/ver1/vistainstaller.cab
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
TCP: Interfaces\{21A89A18-502F-4B15-9993-B4F8C68F6695} : DhcpNameServer = 194.168.4.100 194.168.8.100
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\10.0.6\ViProtocol.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
BHO-X64: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\10.0.0.7\AVG Secure Search_toolbar.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB-X64: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\10.0.0.7\AVG Secure Search_toolbar.dll
TB-X64: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
mRun-x64: [NBKeyScan] "C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Ulead AutoDetector] C:\Program Files (x86)\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
mRun-x64: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
mRun-x64: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [ROC_roc_dec12] "C:\Program Files (x86)\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
mRun-x64: [HTC Sync Loader] "C:\Program Files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe" -startup
mRun-x64: [EEventManager] "C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe"
mRunOnce-x64: [AvgUninstallURL] cmd.exe /c start [url="http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg"&"inst=NzctNjkxMDMwODAwLUJBKzEtS1YzKzctVDQtRlA5Mis2LUJBUjlHKzEtVEI5KzItRkwrOS1GMTBNKzUtUUlYMSs0LVgyMDEwKzItVklQMTArMS1GMTBNMTBDKzItRjEwTTEwRCsxLUxJQys3Ny1TUDErMS1GTDEwKzEtVFVHKzMtU1AxUzIrMS1TVUQrMS1TMUkrMS1TVTMrMS1ERFQrMC1MU0QrMi1GT0krMQ"&"prod=90"&"ver=10.0.1411"]http://www.avg.com/ww.special-uninstallati...t;ver=10.0.1411[/url]
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Brian\AppData\Roaming\Mozilla\Firefox\Profiles\jf5b4onz.default\
FF - prefs.js: browser.search.selectedEngine - My Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=GRxdm407AXGB&ptnrS=GRxdm407AXGB&ptb=2LKNkvFKKpFxqSWWcqVePA&ind=2012020315&n=77ecfe5b&psa=&st=kwd&searchfor=
FF - component: C:\Program Files (x86)\AVG\AVG10\Firefox\components\avgssff.dll
FF - component: C:\Program Files (x86)\AVG\AVG10\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: C:\Program Files (x86)\AVG\AVG10\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: C:\Program Files (x86)\AVG\AVG10\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: C:\Program Files (x86)\AVG\AVG10\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: C:\Users\Brian\AppData\Roaming\Mozilla\Firefox\Profiles\jf5b4onz.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - component: C:\Users\Brian\AppData\Roaming\Mozilla\Firefox\Profiles\jf5b4onz.default\extensions\firefox@kidzui.com\platform\WINNT_x86-msvc\components\WinKiosk.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.71\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.0.50524.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: C:\Users\Brian\AppData\Local\Google\Update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: C:\Users\Brian\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: C:\Users\Brian\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;C:\Windows\system32\DRIVERS\AVGIDSEH.Sys --> C:\Windows\system32\DRIVERS\AVGIDSEH.Sys [?]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\system32\DRIVERS\avgrkx64.sys --> C:\Windows\system32\DRIVERS\avgrkx64.sys [?]
R0 PCTCore;PCTools KDS;C:\Windows\system32\drivers\PCTCore64.sys --> C:\Windows\system32\drivers\PCTCore64.sys [?]
R0 pctDS;PC Tools Data Store;C:\Windows\system32\drivers\pctDS64.sys --> C:\Windows\system32\drivers\pctDS64.sys [?]
R0 pctEFA;PC Tools Extended File Attributes;C:\Windows\system32\drivers\pctEFA64.sys --> C:\Windows\system32\drivers\pctEFA64.sys [?]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\system32\DRIVERS\avgldx64.sys --> C:\Windows\system32\DRIVERS\avgldx64.sys [?]
R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\system32\DRIVERS\avgmfx64.sys --> C:\Windows\system32\DRIVERS\avgmfx64.sys [?]
R1 Avgtdia;AVG TDI Driver;C:\Windows\system32\DRIVERS\avgtdia.sys --> C:\Windows\system32\DRIVERS\avgtdia.sys [?]
R1 PCTSD;PC Tools Spyware Doctor Driver;C:\Windows\system32\Drivers\PCTSD64.sys --> C:\Windows\system32\Drivers\PCTSD64.sys [?]
R2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [2009-5-14 759048]
R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe [2011-8-2 192776]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-9-2 2255464]
R2 PassThru Service;Internet Pass-Through Service;C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [2011-9-15 88576]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-8-3 379496]
R2 vToolbarUpdater;vToolbarUpdater;C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\10.0.6\ToolbarUpdater.exe [2012-1-15 909152]
R3 AVGIDSDriver;AVGIDSDriver;C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys --> C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys [?]
R3 AVGIDSFilter;AVGIDSFilter;C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys --> C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-5-12 136176]
S3 AllShare;SAMSUNG AllShare Service;C:\Program Files (x86)\Samsung\SAMSUNG PC Share Manager\WiselinkPro.exe [2010-7-16 6638080]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-5-12 136176]
S3 HTCAND64;HTC Device Driver;C:\Windows\system32\Drivers\ANDROIDUSB.sys --> C:\Windows\system32\Drivers\ANDROIDUSB.sys [?]
S3 htcnprot;HTC NDIS Protocol Driver;C:\Windows\system32\DRIVERS\htcnprot.sys --> C:\Windows\system32\DRIVERS\htcnprot.sys [?]
S3 nmwcdcx64;Nokia USB Generic;C:\Windows\system32\drivers\ccdcmbox64.sys --> C:\Windows\system32\drivers\ccdcmbox64.sys [?]
S3 nmwcdx64;Nokia USB Phone Parent;C:\Windows\system32\drivers\ccdcmbx64.sys --> C:\Windows\system32\drivers\ccdcmbx64.sys [?]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-10-24 19968]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-4-15 93184]
.
=============== File Associations ===============
.
JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2012-03-03 15:25:15 -------- d-----w- C:\Program Files (x86)\PC Tools Registry Tool
2012-03-03 15:23:02 -------- d-----w- C:\Program Files (x86)\PC Tools
2012-03-03 15:21:12 453896 ----a-w- C:\Windows\System32\drivers\pctDS64.sys
2012-03-03 15:21:12 1096688 ----a-w- C:\Windows\System32\drivers\pctEFA64.sys
2012-03-03 15:21:07 367912 ----a-w- C:\Windows\System32\drivers\PCTCore64.sys
2012-03-03 15:21:04 230952 ----a-w- C:\Windows\System32\drivers\PCTSD64.sys
2012-03-03 15:21:04 -------- d-----w- C:\Program Files (x86)\Common Files\PC Tools
2012-03-03 15:20:34 -------- d-----w- C:\Users\Brian\AppData\Roaming\TestApp
2012-03-03 15:20:34 -------- d-----w- C:\ProgramData\PC Tools
2012-03-02 20:35:43 -------- d-----w- C:\Users\Brian\AppData\Local\xolhqyev
2012-02-22 17:14:51 77824 ----a-w- C:\Windows\SysWow64\EBAPI.dll
2012-02-22 17:14:51 65536 ----a-w- C:\Windows\SysWow64\EEBUtil.dll
2012-02-22 17:14:51 55808 ----a-w- C:\Windows\SysWow64\EEBSDKIF.dll
2012-02-22 17:14:51 135168 ----a-w- C:\Windows\SysWow64\EEBAPI.dll
2012-02-22 17:14:51 110592 ----a-w- C:\Windows\SysWow64\EEBDSCVR.dll
2012-02-22 17:12:16 -------- d-----w- C:\Program Files\Common Files\EPSON
2012-02-22 17:01:07 -------- d-----w- C:\Users\Brian\AppData\Local\ABBYY
2012-02-22 16:55:11 -------- d-----w- C:\Program Files (x86)\ABBYY FineReader 9.0 Sprint
2012-02-22 16:55:10 -------- d-----w- C:\ProgramData\ABBYY
2012-02-22 16:55:10 -------- d-----w- C:\Program Files (x86)\Common Files\ABBYY
2012-02-22 16:49:35 558592 ----a-w- C:\Windows\System32\ensppmon.dll
2012-02-22 16:49:35 558592 ----a-w- C:\Windows\System32\enppmon.dll
2012-02-22 16:49:35 538112 ----a-w- C:\Windows\System32\ensppui.dll
2012-02-22 16:49:35 538112 ----a-w- C:\Windows\System32\enppui.dll
2012-02-22 16:49:35 250880 ----a-w- C:\Windows\System32\enspres.dll
2012-02-22 16:49:35 250880 ----a-w- C:\Windows\System32\enpres.dll
2012-02-22 16:49:35 -------- d-----w- C:\Program Files\EpsonNet
2012-02-22 16:49:12 -------- d-----w- C:\Program Files (x86)\Common Files\EPSON
2012-02-22 16:49:03 -------- d-----w- C:\Program Files (x86)\EPSON Software
2012-02-22 16:47:48 10752 ----a-w- C:\Windows\System32\E_GCINST.DLL
2012-02-22 16:47:46 88064 ----a-w- C:\Windows\System32\E_IBCBHBE.DLL
2012-02-22 16:47:46 118784 ----a-w- C:\Windows\System32\E_ILMHBE.DLL
2012-02-22 16:47:00 464384 ----a-w- C:\Windows\System32\esxw2ud.dll
2012-02-22 16:47:00 13824 ----a-w- C:\Windows\System32\esxcdev.dll
2012-02-22 16:47:00 132560 ----a-w- C:\Windows\System32\esdevapp.exe
2012-02-16 14:05:01 -------- d-----w- C:\Users\Brian\AppData\Roaming\NVIDIA
2012-02-16 14:04:36 -------- d-----w- C:\Users\Brian\AppData\Roaming\.minecraft
2012-02-09 12:38:47 -------- d-----w- C:\Users\Brian\AppData\Local\MediaShow
2012-02-06 20:43:56 -------- d-----w- C:\Users\Brian\AppData\Local\MediaServer
2012-02-06 20:43:50 -------- d-----w- C:\ProgramData\PDVD
2012-02-06 20:42:51 -------- d-----w- C:\Users\Brian\AppData\Local\CyberLink
2012-02-06 20:39:41 -------- d-----w- C:\ProgramData\install_clap
2012-02-03 21:50:35 -------- d-----w- C:\Program Files (x86)\Common Files\Symantec Shared
2012-02-03 21:44:21 -------- d-----w- C:\ProgramData\Symantec
2012-02-03 21:43:09 -------- d-----w- C:\ProgramData\Norton
2012-02-03 21:43:06 -------- d-----w- C:\ProgramData\NortonInstaller
2012-02-03 20:42:49 -------- d-----w- C:\Program Files (x86)\MyWebSearch
.
==================== Find3M ====================
.
2012-02-26 10:41:54 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
.
============= FINISH: 12:26:08.51 ===============


Attach text

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Rockers International Team® Windows Vista Eternity™ 2009 x64
Boot Device: \Device\HarddiskVolume1
Install Date: 15/04/2009 18:44:18
System Uptime: 04/03/2012 11:50:38 (1 hours ago)
.
Motherboard: DIXONSXP | | G33M05
Processor: Intel® Core™2 Quad CPU Q6600 @ 2.40GHz | Socket 775 | 2400/266mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 226 GiB total, 16.967 GiB free.
D: is FIXED (NTFS) - 5 GiB total, 1.091 GiB free.
E: is FIXED (NTFS) - 1 GiB total, 1.378 GiB free.
F: is CDROM ()
G: is Removable
H: is Removable
I: is Removable
J: is Removable
K: is FIXED (NTFS) - 373 GiB total, 18.904 GiB free.
L: is FIXED (NTFS) - 932 GiB total, 83.218 GiB free.
O: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description: SM Bus Controller
Device ID: PCI\VEN_8086&DEV_2930&SUBSYS_0CEC105B&REV_02\3&2411E6FE&0&FB
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_8086&DEV_2930&SUBSYS_0CEC105B&REV_02\3&2411E6FE&0&FB
Service:
.
==== System Restore Points ===================
.
RP1298: 24/02/2012 12:32:04 - Scheduled Checkpoint
RP1299: 26/02/2012 00:00:01 - Scheduled Checkpoint
RP1300: 27/02/2012 00:00:01 - Scheduled Checkpoint
RP1301: 27/02/2012 13:31:59 - Scheduled Checkpoint
RP1302: 28/02/2012 12:24:45 - Scheduled Checkpoint
RP1303: 29/02/2012 12:02:21 - Scheduled Checkpoint
RP1304: 01/03/2012 12:51:26 - Scheduled Checkpoint
RP1305: 02/03/2012 11:37:54 - Scheduled Checkpoint
.
==== Installed Programs ======================
.
ABBYY FineReader 9.0 Sprint
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9.1
Adobe Shockwave Player 11.5
AppInventor Setup
ArtRage Studio Pro
AviSynth 2.5
Basic Operation Guide EPSON SX440 Series
CertificateInstaller
Client Settings Tool
ConvertXtoDVD 4.0.12.327
coverXP (remove only)
DAEMON Tools Toolbar
Digital Camera Driver
Download Navigator
DVD Shrink 3.2
DVDFab 8.0.5.0 (18/11/2010)
Epson Connect Printer Setup
EPSON Easy Photo Print
Epson Easy Photo Print 2
Epson Easy Photo Print Plug-in for PMB(Picture Motion Browser)
Epson Event Manager
EPSON Print CD
EPSON Scan
EPSON Stylus Photo R285_290 Manual
EpsonNet Print
Google Chrome
Google Earth
Google Earth Pro
Google Talk Plugin
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HTC BMP USB Driver
HTC Driver Installer
HTC Sync
ImgBurn
Java Auto Updater
Java™ 6 Update 29
Java™ 6 Update 7
K-Lite Mega Codec Pack 8.0.0
LightScribe System Software 1.12.33.2
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
MKVtoolnix 4.3.0
Mozilla Firefox 10.0.2 (x86 en-US)
Mozilla Thunderbird 10.0.2 (x86 en-GB)
MSVC80_x86_v2
MSVC90_x86
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP3 Parser
MSXML 4.0 SP3 Parser (KB973685)
Nero 8 Essentials
neroxml
Network Guide EPSON SX440 Series
NewsLeecher v5.0 Beta 5
Newzbin2 Newzbin2 Client 1.0.0.200
NINTENDO DS GAME BROWSER
Nokia Connectivity Cable Driver
Notepad App
NVIDIA 3D Vision Controller Driver
NVIDIA PhysX
NVIDIA Stereoscopic 3D Driver
OpenOffice.org 3.0
OpenVPN 2.2.1
PC Tools Registry Tool
Picasa 3
QuickPar 0.9
Realtek High Definition Audio Driver
SAMSUNG PC Share Manager
SD Formatter
SDFormatter
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
SSC Service Utility v4.30
System Requirements Lab
Ubuntu
Ulead Photo Explorer 8.0 SE Basic
UltraISO Premium V9.35
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
User's Guide EPSON SX440 Series
VCRedistSetup
Visual C++ 8.0 Runtime Setup Package (x64)
Visual Studio 2008 x64 Redistributables
VLC media player 1.1.0
VyprVPN for Giganews
WBFS Manager 3.0
.
==== Event Viewer Messages From Past Week ========
.
27/02/2012 23:06:23, Error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{AC45B538-231A-4D91-8C25-532B21FDC829} because another computer on the network has the same name. The server could not start.
02/03/2012 20:47:23, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
01/03/2012 10:50:45, Error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{97F6CCFF-FEA0-41B1-9CCC-375ECD826EFB} because another computer on the network has the same name. The server could not start.
.
==== End Of File ===========================

aswMBR text

aswMBR version 0.9.9.1649 Copyright© 2011 AVAST Software
Run date: 2012-03-04 12:16:31
-----------------------------
12:16:31.809 OS Version: Windows x64 6.0.6001 Service Pack 1
12:16:31.809 Number of processors: 4 586 0xF0B
12:16:31.810 ComputerName: BRIAN-PC UserName: Brian
12:16:33.130 Initialize success
12:17:05.108 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-7
12:17:05.109 Disk 0 Vendor: Hitachi_HDT725025VLA380 V5DOA7EA Size: 238475MB BusType: 3
12:17:05.140 Disk 0 MBR read successfully
12:17:05.141 Disk 0 MBR scan
12:17:05.142 Disk 0 Windows VISTA default MBR code
12:17:05.146 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 5500 MB offset 2048
12:17:05.157 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 1500 MB offset 11266048
12:17:05.166 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 231473 MB offset 14338048
12:17:05.182 Disk 0 scanning C:\Windows\system32\drivers
12:17:10.021 Service scanning
12:17:22.201 Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
12:17:26.910 Modules scanning
12:17:26.916 Disk 0 trace - called modules:
12:17:26.926 ntoskrnl.exe CLASSPNP.SYS disk.sys PCTCore64.sys acpi.sys >>UNKNOWN [0xfffffa80032f62c0]<<sptd.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
12:17:26.930 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004ae2060]
12:17:26.935 3 CLASSPNP.SYS[fffffa6000f34b3a] -> nt!IofCallDriver -> [0xfffffa80036f0b00]
12:17:26.940 5 PCTCore64.sys[fffffa6000c8bf38] -> nt!IofCallDriver -> [0xfffffa8003459720]
12:17:26.946 7 acpi.sys[fffffa60008f8ff6] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T1L0-7[0xfffffa800344a810]
12:17:26.951 \Driver\atapi[0xfffffa80028d2490] -> IRP_MJ_CREATE -> 0xfffffa80032f62c0
12:17:26.956 Scan finished successfully
12:21:12.370 Disk 0 MBR has been saved successfully to "C:\Users\Brian\Desktop\MBR.dat"
12:21:12.375 The log file has been saved successfully to "C:\Users\Brian\Desktop\aswMBR.txt"

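A triage pass a helper would run over logs like the ones above, as an added example (this is not part of the original thread and not a feature of DDS, aswMBR or ComboFix): it pulls the Windows path out of each log line and flags the three patterns this thread's logs show. First, a random-looking eight-letter name directly under AppData\Local or AppData\Roaming (the xolhqyev directory listed under "Created Last 30", and the eight-letter .log files and grdtbynj.exe that ComboFix removes later in the thread). Second, a loader-type file sitting in a drive root (C:\sooi832.bin, L:\Autorun.inf and L:\setup.exe in the ComboFix deletions). Third, a Winlogon Userinit value that does not run userinit.exe first (the ComboFix "Reg Loading Points" section later shows it set to explorer.exe, and ComboFix reports the SysWow64 userinit.exe as infected). The sample lines are constructed from entries on this page; the eight-lowercase-letter rule is an assumption tuned to this infection, so hits are leads for a helper to review, not verdicts.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample (copied from entries on this page, not a real log file):
# DDS "Created Last 30" lines, ComboFix "Other Deletions" paths, the Winlogon
# Userinit value and one ORPHANS REMOVED line, plus two clean lines for contrast.
SAMPLE_LOG = r'''
2012-03-03 15:25:15 -------- d-----w- C:\Program Files (x86)\PC Tools Registry Tool
2012-03-02 20:35:43 -------- d-----w- C:\Users\Brian\AppData\Local\xolhqyev
2012-02-22 17:14:51 77824 ----a-w- C:\Windows\SysWow64\EBAPI.dll
C:\sooi832.bin
c:\users\Brian\AppData\Local\asnckyfa.log
L:\Autorun.inf
L:\setup.exe
"Userinit"="c:\windows\explorer.exe,"
Wow6432Node-HKCU-Run-GrdTbynj - c:\users\Brian\AppData\Local\xolhqyev\grdtbynj.exe
'''

# A drive-letter path runs to the end of the line, a quote or a comma; that
# covers DDS file lines, ComboFix deletion lines, registry values and orphans.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n,]*')
USERINIT_RE = re.compile(r'"userinit"\s*=\s*"([^"]*)"', re.IGNORECASE)
ROOT_FILE_EXT = ('.exe', '.bin', '.dll', '.sys', '.dat', '.inf', '.com', '.scr')


def looks_random(component: str) -> bool:
    """Assumed heuristic tuned to this infection: every dropped name in the
    thread is exactly eight lowercase ASCII letters (xolhqyev, grdtbynj,
    asnckyfa, ...), unlike vendor folders such as Google or CyberLink."""
    stem = component.rsplit('.', 1)[0]          # drop one extension (.log, .exe)
    return len(stem) == 8 and stem.isascii() and stem.isalpha() and stem.islower()


def check_path(path: str) -> List[str]:
    """Flag a random-looking child of AppData\\Local or AppData\\Roaming and
    any loader-type file sitting directly in a drive root."""
    parts = path.rstrip().split('\\')
    low = [p.lower() for p in parts]
    findings = []
    for i in range(1, len(parts) - 1):
        if (low[i] in ('local', 'roaming') and low[i - 1] == 'appdata'
                and looks_random(parts[i + 1])):
            findings.append(f"random-looking name '{parts[i + 1]}' directly "
                            f"under {parts[i - 1]}\\{parts[i]}")
    if len(parts) == 2 and low[1].endswith(ROOT_FILE_EXT):
        findings.append(f"'{parts[1]}' dropped in the root of drive {parts[0]}")
    return findings


def check_userinit(line: str) -> Optional[str]:
    """Winlogon Userinit must run userinit.exe first; anything else (here
    explorer.exe) means the logon chain has been redirected."""
    m = USERINIT_RE.search(line)
    if not m:
        return None
    first = m.group(1).split(',')[0].strip().lower()
    if first.endswith('\\userinit.exe'):
        return None
    return f"Winlogon Userinit runs '{first}' instead of system32\\userinit.exe"


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (evidence, reason) pairs for every suspicious line in the log."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        reason = check_userinit(line)
        if reason:
            hits.append((line, reason))
        for m in PATH_RE.finditer(line):
            for reason in check_path(m.group(0)):
                hits.append((m.group(0).rstrip(), reason))
    return hits


if __name__ == '__main__':
    for evidence, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {evidence}")
```

Run it against a saved DDS.txt or ComboFix.txt by passing the file contents to triage(); the two clean lines in the sample (the PC Tools folder and the Epson DLL) produce no hits, while the seven dropped items and the redirected Userinit value do. An expanded vendor allowlist for the eight-letter rule is the first thing to add before using it on other machines.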
#4 jeffce

    Malware Guy

  • Authentic Member
  • 8,693 posts

Posted 04 March 2012 - 10:19 AM

Hi,

Download Combofix from either of the links below, and save it to your desktop.
Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

--------------------------------------------------------------------

Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.


#5 kingofsnake

    Authentic Member

  • Authentic Member
  • 21 posts

Posted 04 March 2012 - 11:11 AM

OK, I disabled AVG and ran ComboFix; however, the version of AVG I have only lets me disable it for 15 mins, and it came back on before ComboFix had finished. I hope this did not cause a problem.

Here is the log file.

ComboFix 12-03-04.01 - Brian 04/03/2012 16:26:23.1.4 - x64
Rockers International Team® Windows Vista Eternity™ 2009 x64 6.0.6001.1.1252.44.1033.18.3069.1580 [GMT 0:00]
Running from: c:\users\Brian\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\FunWebProducts
c:\program files (x86)\MyWebSearch
c:\program files (x86)\MyWebSearch\bar\gen1\COMMON.F3S
c:\program files (x86)\MyWebSearch\bar\Settings\s_pid.dat
c:\program files (x86)\MyWebSearch\bar\wbnotify\COMMON.F3S
C:\sooi832.bin
c:\users\Brian\AppData\Local\asnckyfa.log
c:\users\Brian\AppData\Local\hvdocbsi.log
c:\users\Brian\AppData\Local\imkcuxai.log
c:\users\Brian\AppData\Local\jjarsfdy.log
c:\users\Brian\AppData\Local\mcxjetjd.log
c:\users\Brian\AppData\Local\tlepvqev.log
c:\users\Brian\AppData\Local\veumipic.log
c:\users\Brian\AppData\Local\xolhqyev\grdtbynj.exe
c:\users\Brian\AppData\Roaming\inst.exe
c:\users\Brian\AppData\Roaming\vso_ts_preview.xml
L:\Autorun.inf
L:\setup.exe
.
c:\windows\SysWow64\userinit.exe . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2012-02-04 to 2012-03-04 )))))))))))))))))))))))))))))))
.
.
2012-03-04 16:45 . 2012-03-04 16:45 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-03-04 16:45 . 2012-03-04 16:45 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-03 15:25 . 2012-03-03 15:25 -------- d-----w- c:\program files (x86)\PC Tools Registry Tool
2012-03-03 15:23 . 2012-03-03 15:23 -------- d-----w- c:\program files (x86)\PC Tools
2012-03-03 15:21 . 2011-12-01 16:07 1096688 ----a-w- c:\windows\system32\drivers\pctEFA64.sys
2012-03-03 15:21 . 2011-12-01 16:07 453896 ----a-w- c:\windows\system32\drivers\pctDS64.sys
2012-03-03 15:21 . 2011-11-14 15:12 367912 ----a-w- c:\windows\system32\drivers\PCTCore64.sys
2012-03-03 15:21 . 2012-03-03 15:23 -------- d-----w- c:\program files (x86)\Common Files\PC Tools
2012-03-03 15:21 . 2012-01-11 16:19 230952 ----a-w- c:\windows\system32\drivers\PCTSD64.sys
2012-03-03 15:20 . 2012-03-03 15:23 -------- d-----w- c:\programdata\PC Tools
2012-03-03 15:20 . 2012-03-03 15:20 -------- d-----w- c:\users\Brian\AppData\Roaming\TestApp
2012-03-02 20:35 . 2012-03-04 16:44 -------- d-----w- c:\users\Brian\AppData\Local\xolhqyev
2012-02-23 16:44 . 2012-03-04 15:39 -------- d-----w- c:\users\Brian\AppData\Roaming\EPSON
2012-02-22 17:14 . 2007-09-07 17:33 135168 ----a-w- c:\windows\SysWow64\EEBAPI.dll
2012-02-22 17:14 . 2007-03-28 18:26 65536 ----a-w- c:\windows\SysWow64\EEBUtil.dll
2012-02-22 17:14 . 2006-12-19 18:31 110592 ----a-w- c:\windows\SysWow64\EEBDSCVR.dll
2012-02-22 17:14 . 2006-12-19 18:20 77824 ----a-w- c:\windows\SysWow64\EBAPI.dll
2012-02-22 17:14 . 2003-12-17 01:01 55808 ----a-w- c:\windows\SysWow64\EEBSDKIF.dll
2012-02-22 17:12 . 2012-02-22 17:12 -------- d-----w- c:\program files\Common Files\EPSON
2012-02-22 17:01 . 2012-02-22 17:01 -------- d-----w- c:\users\Brian\AppData\Local\ABBYY
2012-02-22 16:55 . 2012-02-22 17:01 -------- d-----w- c:\program files (x86)\ABBYY FineReader 9.0 Sprint
2012-02-22 16:55 . 2012-02-22 16:55 -------- d-----w- c:\programdata\ABBYY
2012-02-22 16:55 . 2012-02-22 16:55 -------- d-----w- c:\program files (x86)\Common Files\ABBYY
2012-02-22 16:49 . 2012-02-22 16:49 -------- d-----w- c:\program files\EpsonNet
2012-02-22 16:49 . 2010-09-13 15:01 538112 ----a-w- c:\windows\system32\ensppui.dll
2012-02-22 16:49 . 2010-09-13 15:01 538112 ----a-w- c:\windows\system32\enppui.dll
2012-02-22 16:49 . 2010-09-13 15:00 558592 ----a-w- c:\windows\system32\ensppmon.dll
2012-02-22 16:49 . 2010-09-13 15:00 558592 ----a-w- c:\windows\system32\enppmon.dll
2012-02-22 16:49 . 2008-06-18 11:49 250880 ----a-w- c:\windows\system32\enspres.dll
2012-02-22 16:49 . 2008-06-18 11:49 250880 ----a-w- c:\windows\system32\enpres.dll
2012-02-22 16:49 . 2012-02-22 17:14 -------- d-----w- c:\program files (x86)\Common Files\EPSON
2012-02-22 16:49 . 2012-02-22 17:29 -------- d-----w- c:\program files (x86)\EPSON Software
2012-02-22 16:47 . 2012-02-22 16:46 10752 ----a-w- c:\windows\system32\E_GCINST.DLL
2012-02-22 16:47 . 2012-02-22 16:46 88064 ----a-w- c:\windows\system32\E_IBCBHBE.DLL
2012-02-22 16:47 . 2012-02-22 16:46 118784 ----a-w- c:\windows\system32\E_ILMHBE.DLL
2012-02-22 16:47 . 2011-08-10 00:00 464384 ----a-w- c:\windows\system32\esxw2ud.dll
2012-02-22 16:47 . 2009-10-16 00:00 13824 ----a-w- c:\windows\system32\esxcdev.dll
2012-02-22 16:47 . 2009-10-16 00:00 132560 ----a-w- c:\windows\system32\esdevapp.exe
2012-02-16 14:05 . 2012-02-16 14:05 -------- d-----w- c:\users\Brian\AppData\Roaming\NVIDIA
2012-02-16 14:04 . 2012-02-16 14:05 -------- d-----w- c:\users\Brian\AppData\Roaming\.minecraft
2012-02-09 12:38 . 2012-02-09 12:38 -------- d-----w- c:\users\Brian\AppData\Local\MediaShow
2012-02-06 20:43 . 2012-02-06 20:43 -------- d-----w- c:\users\Brian\AppData\Local\MediaServer
2012-02-06 20:43 . 2012-02-06 20:43 -------- d-----w- c:\programdata\PDVD
2012-02-06 20:43 . 2012-02-07 14:59 -------- d-----w- c:\users\Brian\AppData\Roaming\CyberLink
2012-02-06 20:42 . 2012-02-11 17:14 -------- d-----w- c:\programdata\CyberLink
2012-02-06 20:42 . 2012-02-07 14:58 -------- d-----w- c:\users\Public\CyberLink
2012-02-06 20:42 . 2012-02-11 17:14 -------- d-----w- c:\users\Brian\AppData\Local\CyberLink
2012-02-06 20:39 . 2012-02-06 20:39 -------- d-----w- c:\programdata\install_clap
2012-02-03 21:50 . 2012-02-03 21:50 -------- d-----w- c:\program files (x86)\Common Files\Symantec Shared
2012-02-03 21:44 . 2012-02-04 12:23 -------- d-----w- c:\programdata\Symantec
2012-02-03 21:43 . 2012-02-04 12:23 -------- d-----w- c:\programdata\Norton
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-26 10:41 . 2011-05-14 12:53 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-12-14 21:24 . 2011-12-14 21:24 784144 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-01-15 12:16 1811296 ----a-w- c:\program files (x86)\AVG Secure Search\10.0.0.7\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files (x86)\AVG Secure Search\10.0.0.7\AVG Secure Search_toolbar.dll" [2012-01-15 1811296]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-10-24 1555968]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-10-24 138240]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2009-03-25 1840424]
"AE43EAC771ADEE2FEEB86AD6759833F2448FAA11._service_run"="c:\users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe" [2012-02-15 1049072]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"NBKeyScan"="c:\program files (x86)\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-12-02 2221352]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Ulead AutoDetector"="c:\program files (x86)\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe" [2003-11-18 45056]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
"vProt"="c:\program files (x86)\AVG Secure Search\vprot.exe" [2012-01-15 939872]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"ROC_roc_dec12"="c:\program files (x86)\AVG Secure Search\ROC_roc_dec12.exe" [2012-01-15 928096]
"HTC Sync Loader"="c:\program files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe" [2011-12-20 634880]
"EEventManager"="c:\program files (x86)\Epson Software\Event Manager\EEventManager.exe" [2010-10-12 979328]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg&inst=NzctNjkxMDMwODAwLUJBKzEtS1YzKzctVDQtRlA5Mis2LUJBUjlHKzEtVEI5KzItRkwrOS1GMTBNKzUtUUlYMSs0LVgyMDEwKzItVklQMTArMS1GMTBNMTBDKzItRjEwTTEwRCsxLUxJQys3Ny1TUDErMS1GTDEwKzEtVFVHKzMtU1AxUzIrMS1TVUQrMS1TMUkrMS1TVTMrMS1ERFQrMC1MU0QrMi1GT0krMQ&prod=90&ver=10.0.1411" [?]
.
c:\users\Brian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
RocketDock.lnk - c:\program files (x86)\RocketDock\RocketDock.exe [2008-10-24 495616]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
.
S2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;c:\program files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [2009-05-14 759048]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-02-26 13:06 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-12 12:29]
.
2012-03-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-12 12:29]
.
2012-03-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-833728864-3627221017-1489760476-1000Core.job
- c:\users\Brian\AppData\Local\Google\Update\GoogleUpdate.exe [2009-11-10 23:19]
.
2012-03-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-833728864-3627221017-1489760476-1000UA.job
- c:\users\Brian\AppData\Local\Google\Update\GoogleUpdate.exe [2009-11-10 23:19]
.
2012-03-04 c:\windows\Tasks\User_Feed_Synchronization-{174F0C7C-14AA-4B36-8AFD-11ADD84E9578}.job
- c:\windows\system32\msfeedssync.exe [2011-06-16 04:32]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RAVCpl64.exe" [2007-09-19 5426688]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://home.mywebsearch.com/index.jhtml?n=77DE8857&ptnrS=GRxdm407AXGB&ptb=2LKNkvFKKpFxqSWWcqVePA
uDefault_Search_URL = hxxp://www.google.com/ie
mLocal Page = c:\windows\SysWOW64\blank.htm
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\10.0.6\ViProtocol.dll
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Brian\AppData\Roaming\Mozilla\Firefox\Profiles\jf5b4onz.default\
FF - prefs.js: browser.search.selectedEngine - My Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=GRxdm407AXGB&ptnrS=GRxdm407AXGB&ptb=2LKNkvFKKpFxqSWWcqVePA&ind=2012020315&n=77ecfe5b&psa=&st=kwd&searchfor=
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Wow6432Node-HKCU-Run-NokiaOviSuite2 - c:\program files (x86)\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe
Wow6432Node-HKCU-Run-WMPNSCFG - c:\program files (x86)\Windows Media Player\WMPNSCFG.exe
Wow6432Node-HKCU-Run-GrdTbynj - c:\users\Brian\AppData\Local\xolhqyev\grdtbynj.exe
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
HKLM-Run-Windows Defender - c:\program files (x86)\Windows Defender\MSASCui.exe
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-DAEMON Tools Toolbar - c:\program files (x86)\DAEMON Tools Toolbar\uninst.exe
AddRemove-Notepad App - c:\windows\system32\javaws.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10a.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10a.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
@Denied: (A 2) (Everyone)
@="IFlashBroker2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
c:\program files (x86)\VyprVPN\VPNClient.exe
c:\program files (x86)\Common Files\EPSON\EBAPI\eEBSVC.exe
c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
c:\windows\SysWOW64\IoctlSvc.exe
c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\10.0.6\ToolbarUpdater.exe
c:\program files (x86)\AVG\AVG2012\AVGIDSAgent.exe
c:\program files (x86)\OpenOffice.org 3\program\soffice.exe
c:\program files (x86)\OpenOffice.org 3\program\soffice.bin
c:\program files (x86)\Common Files\Nero\Lib\NMIndexingService.exe
c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
.
**************************************************************************
.
Completion time: 2012-03-04 16:56:56 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-04 16:56
.
Pre-Run: 21,406,552,064 bytes free
Post-Run: 24,878,804,992 bytes free
.
- - End Of File - - 9160C8D75D33CEF34272A6449679AECA

#6 jeffce (Malware Guy, Authentic Member, 8,693 posts)

Posted 04 March 2012 - 01:37 PM

Hi,

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror
  • Right-click and Run as Administrator SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    *userinit.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


#7 kingofsnake (Authentic Member, 21 posts)

Posted 04 March 2012 - 07:45 PM

Sorry for the delay, had to go to work. Here is the log from SystemLook. Some extra info: after a restart AVG has disappeared, Firefox starts but hangs after start, and Chrome is working again, which I am using to write this.

SystemLook 27.08.10 by jpshortstuff
Log created at 01:37 on 05/03/2012 by Brian
Administrator - Elevation successful

========== filefind ==========

Searching for "*userinit.exe"
C:\Windows\ERDNT\cache64\userinit.exe --a---- 28160 bytes [16:55 04/03/2012] [06:45 24/10/2008] A0AB2BB9A92293D9CE66E252719AB5FE
C:\Windows\ERDNT\cache86\userinit.exe --a---- 25088 bytes [16:55 04/03/2012] [06:48 24/10/2008] 0E135526E9785D085BCD9AEDE6FBCBF9
C:\Windows\System32\userinit.exe --a---- 28160 bytes [06:45 24/10/2008] [06:45 24/10/2008] A0AB2BB9A92293D9CE66E252719AB5FE
C:\Windows\SysWOW64\userinit.exe --a---- 25088 bytes [06:48 24/10/2008] [06:48 24/10/2008] 0E135526E9785D085BCD9AEDE6FBCBF9
C:\Windows\winsxs\amd64_microsoft-windows-userinit_31bf3856ad364e35_6.0.6000.16386_none_3610939d8d22586d\userinit.exe --a---- 28160 bytes [09:25 02/11/2006] [11:16 02/11/2006] 46D5B6B80E4A5997F508F938F96B7628
C:\Windows\winsxs\amd64_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_384755998a0d6941\userinit.exe --a---- 28160 bytes [06:45 24/10/2008] [06:45 24/10/2008] A0AB2BB9A92293D9CE66E252719AB5FE
C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6000.16386_none_d9f1f819d4c4e737\userinit.exe --a---- 24576 bytes [12:24 02/11/2006] [09:45 02/11/2006] 22027835939F86C3E47AD8E3FBDE3D11
C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe --a---- 25088 bytes [06:48 24/10/2008] [06:48 24/10/2008] 0E135526E9785D085BCD9AEDE6FBCBF9

-= EOF =-
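The point of the filefind run above is to compare the live userinit.exe copies in System32 and SysWOW64 against the copies Windows keeps in the WinSxS component store: a live copy whose MD5 matches no component-store copy of the right architecture is the thing a helper would want to see. The script below is an added example, not part of the thread or of SystemLook itself; it parses SystemLook :filefind output into records and applies exactly that check. The five lines in SAMPLE_LOG are copied from the log posted above (with the tab separators SystemLook writes); TAMPERED_LOG is a constructed variant in which the System32 copy carries a placeholder hash, so the check has something to flag. The parser, the function names and the rule that System32 holds the native (amd64) binary on an x64 install are this example's own assumptions.

```python
import re
from collections import defaultdict

# One SystemLook :filefind result line looks like
#   <path><ws><attrs> <size> bytes<ws>[created]<ws>[modified] <md5>
# SystemLook separates the fields with tabs; the pattern also accepts runs of
# spaces, which is how the log looks once pasted into a forum post.
ENTRY_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<attrs>[-\w]{7})\s+"
    r"(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+"
    r"\[(?P<modified>[^\]]+)\]\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

# Sample log: header plus five result lines copied from the posted SystemLook output.
SAMPLE_LOG = """SystemLook 27.08.10 by jpshortstuff
Log created at 01:37 on 05/03/2012 by Brian
Administrator - Elevation successful

========== filefind ==========

Searching for "*userinit.exe"
C:\\Windows\\ERDNT\\cache64\\userinit.exe\t--a---- 28160 bytes\t[16:55 04/03/2012]\t[06:45 24/10/2008] A0AB2BB9A92293D9CE66E252719AB5FE
C:\\Windows\\System32\\userinit.exe\t--a---- 28160 bytes\t[06:45 24/10/2008]\t[06:45 24/10/2008] A0AB2BB9A92293D9CE66E252719AB5FE
C:\\Windows\\SysWOW64\\userinit.exe\t--a---- 25088 bytes\t[06:48 24/10/2008]\t[06:48 24/10/2008] 0E135526E9785D085BCD9AEDE6FBCBF9
C:\\Windows\\winsxs\\amd64_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_384755998a0d6941\\userinit.exe\t--a---- 28160 bytes\t[06:45 24/10/2008]\t[06:45 24/10/2008] A0AB2BB9A92293D9CE66E252719AB5FE
C:\\Windows\\winsxs\\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\\userinit.exe\t--a---- 25088 bytes\t[06:48 24/10/2008]\t[06:48 24/10/2008] 0E135526E9785D085BCD9AEDE6FBCBF9

-= EOF =-
"""

# Constructed variant (not from the thread): the System32 copy has been given a
# placeholder hash and size that match nothing in the component store.
TAMPERED_LOG = SAMPLE_LOG.replace(
    "C:\\Windows\\System32\\userinit.exe\t--a---- 28160 bytes\t[06:45 24/10/2008]\t[06:45 24/10/2008] A0AB2BB9A92293D9CE66E252719AB5FE",
    "C:\\Windows\\System32\\userinit.exe\t--a---- 31744 bytes\t[20:35 02/03/2012]\t[20:35 02/03/2012] FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
)


def parse_filefind(log_text):
    """Return a list of dicts (path, attrs, size, created, modified, md5) for each result line."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["size"] = int(rec["size"])
            rec["md5"] = rec["md5"].upper()
            entries.append(rec)
    return entries


def classify(path, native_arch="amd64"):
    """Label a path as a component-store reference copy, a live copy, or something else.

    Returns (kind, arch). For WinSxS paths the arch is read from the component
    folder name (amd64_... or x86_...). On an x64 install System32 holds the
    native binary and SysWOW64 the 32-bit one (assumption of this example).
    """
    p = path.lower()
    if "\\winsxs\\" in p:
        component = p.split("\\winsxs\\", 1)[1].split("\\", 1)[0]
        return "reference", component.split("_", 1)[0]
    if "\\system32\\" in p:
        return "live", native_arch
    if "\\syswow64\\" in p:
        return "live", "x86"
    return "other", None


def check_live_copies(entries, native_arch="amd64"):
    """Map each live copy's path to 'ok', 'wrong-arch' or 'no-match'.

    'ok'         : MD5 matches a component-store copy of the same architecture.
    'wrong-arch' : MD5 matches a component-store copy, but of the other architecture.
    'no-match'   : MD5 matches no component-store copy at all (worth a closer look).
    """
    reference = defaultdict(set)  # arch -> set of MD5s seen in WinSxS
    for e in entries:
        kind, arch = classify(e["path"], native_arch)
        if kind == "reference":
            reference[arch].add(e["md5"])

    verdicts = {}
    for e in entries:
        kind, arch = classify(e["path"], native_arch)
        if kind != "live":
            continue
        if e["md5"] in reference.get(arch, set()):
            verdicts[e["path"]] = "ok"
        elif any(e["md5"] in hashes for hashes in reference.values()):
            verdicts[e["path"]] = "wrong-arch"
        else:
            verdicts[e["path"]] = "no-match"
    return verdicts


if __name__ == "__main__":
    for label, log in (("posted log", SAMPLE_LOG), ("constructed tampered log", TAMPERED_LOG)):
        print(label)
        for path, verdict in check_live_copies(parse_filefind(log)).items():
            print(f"  {verdict:10s} {path}")
```

Run against the posted log both live copies come back "ok", which is consistent with the helper's later decision to treat the user's problem as something other than a replaced userinit.exe. A "no-match" verdict is not proof of tampering (a hotfix can ship a binary whose WinSxS copy SystemLook was not asked to list), but it is the case that deserves a hash lookup before anything is copied over the live file.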

#8 jeffce (Malware Guy, Authentic Member, 8,693 posts)

Posted 05 March 2012 - 06:56 AM

Hi kingofsnake,
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
    ClearJavaCache::
    
    FCopy::
    C:\Windows\winsxs\amd64_microsoft-windows-userinit_31bf3856ad364e35_6.0.6000.16386_none_3610939d8d22586d\userinit.exe | c:\windows\SysWow64\userinit.exe
    
    DDS::
    uStart Page = hxxp://home.mywebsearch.com/index.jhtml?n=77DE8857&ptnrS=GRxdm407AXGB&ptb=2LKNkvFKKpFxqSWWcqVePA
    uURLSearchHooks: H - No File
    uRun: [GrdTbynj] C:\Users\Brian\AppData\Local\xolhqyev\grdtbynj.exe
    
    Firefox::
    FF - ProfilePath - c:\users\Brian\AppData\Roaming\Mozilla\Firefox\Profiles\jf5b4onz.default\
    FF - prefs.js: browser.search.selectedEngine - My Web Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
    FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=GRxdm407AXGB&ptnrS=GRxdm407AXGB&ptb=2LKNkvFKKpFxqSWWcqVePA&ind=2012020315&n=77ecfe5b&psa=&st=kwd&searchfor=
    FF - user.js: yahoo.homepage.dontask - true
    
    Folder::
    c:\users\Brian\AppData\Local\xolhqyev
    
    RegLock::
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Posted Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

#9 kingofsnake (Authentic Member, 21 posts)

Posted 05 March 2012 - 07:32 AM

Ok I started the scan, everything was running, I went out of the room and when I came back it looked like the computer had restarted but no log file was open like the last time I ran it. I can't find a text file in the root c:\ComboFix.txt like you said in a previous post, any idea where the log file will be? There is a file in C:\ComboFix\ComboFix.txt but this only contains the header:

ComboFix 12-03-04.01 - Brian 05/03/2012 13:08:05.2.4 - x64
Rockers International TeamŽ Windows Vista Eternity™ 2009 x64 6.0.6001.1.1252.44.1033.18.3069.1621 [GMT 0:00]
Running from: C:\Users\Brian\Desktop\ComboFix.exe
Command switches used :: C:\Users\Brian\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

Edited by kingofsnake, 05 March 2012 - 07:37 AM.


#10 jeffce (Malware Guy, Authentic Member, 8,693 posts)

Posted 05 March 2012 - 07:58 AM

Hi, Looks like ComboFix only partially ran. Try to run it again using the same instructions that I provided earlier. Post the log when it is created. :)

#11 kingofsnake (Authentic Member, 21 posts)

Posted 05 March 2012 - 09:11 AM

Tried 3 times now to run ComboFix using the above fix, including after completely removing AVG; each time the PC restarts without creating a log file.

#12 jeffce (Malware Guy, Authentic Member, 8,693 posts)

Posted 05 March 2012 - 11:16 AM

Hi,

Sorry you are having problems running ComboFix. Please try to use the following fix with ComboFix and see if that helps...

DDS::
uStart Page = hxxp://home.mywebsearch.com/index.jhtml?n=77DE8857&ptnrS=GRxdm407AXGB&ptb=2LKNkvFKKpFxqSWWcqVePA
uURLSearchHooks: H - No File
uRun: [GrdTbynj] C:\Users\Brian\AppData\Local\xolhqyev\grdtbynj.exe

Firefox::
FF - ProfilePath - c:\users\Brian\AppData\Roaming\Mozilla\Firefox\Profiles\jf5b4onz.default\
FF - prefs.js: browser.search.selectedEngine - My Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=GRxdm407AXGB&ptnrS=GRxdm407AXGB&ptb=2LKNkvFKKpFxqSWWcqVePA&ind=2012020315&n=77ecfe5b&psa=&st=kwd&searchfor=
FF - user.js: yahoo.homepage.dontask - true

Folder::
c:\users\Brian\AppData\Local\xolhqyev

RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]


#13 kingofsnake (Authentic Member, 21 posts)

Posted 05 March 2012 - 11:54 AM

OK I ran ComboFix with the new script above with much the same result: it ran until it completed Stage50, stopped, then rebooted without creating a log txt. I've got to go to work soon and will try any further advice you can give me when I get home later.

#14 jeffce (Malware Guy, Authentic Member, 8,693 posts)

Posted 05 March 2012 - 12:01 PM

Hi,

Ok, let's make sure that the log is not accidentally being deleted.

Go to C:\Qoobox\ComboFix-quarantined-files.txt and check to see if they are in there. :)
Open the ComboFix-quarantined-files.txt file and then copy/paste what is inside of it into your next reply.

#15 kingofsnake (Authentic Member, 21 posts)

Posted 05 March 2012 - 07:49 PM

Here are the contents of the text file you requested.

2012-03-04 16:55:53 . 2012-03-04 16:55:53 1,372 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Notepad App.reg.dat
2012-03-04 16:55:53 . 2012-03-04 16:55:53 862 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-DAEMON Tools Toolbar.reg.dat
2012-03-04 16:55:53 . 2012-03-04 16:55:53 1,380 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Adobe Shockwave Player.reg.dat
2012-03-04 16:55:41 . 2012-03-04 16:55:41 80 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-Windows Defender.reg.dat
2012-03-04 16:55:41 . 2012-03-04 16:55:41 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}.reg.dat
2012-03-04 16:55:41 . 2012-03-04 16:55:41 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829}.reg.dat
2012-03-04 16:55:17 . 2012-03-04 16:55:17 150 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-HKCU-Run-GrdTbynj.reg.dat
2012-03-04 16:55:16 . 2012-03-04 16:55:16 153 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-HKCU-Run-WMPNSCFG.reg.dat
2012-03-04 16:55:16 . 2012-03-04 16:55:16 172 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-HKCU-Run-NokiaOviSuite2.reg.dat
2012-03-04 16:55:15 . 2012-03-04 16:55:16 144 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829}.reg.dat
2012-03-04 16:55:14 . 2012-03-04 16:55:14 118 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C}.reg.dat
2012-03-04 16:49:13 . 2008-04-01 15:05:20 417,792 ----a-w- C:\Qoobox\Quarantine\L\setup.exe.vir
2012-03-04 16:49:13 . 2008-04-01 13:53:24 71 ----a-w- C:\Qoobox\Quarantine\L\Autorun.inf.vir
2012-03-04 16:31:42 . 2012-03-04 16:31:42 10,440 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2012-03-04 16:22:52 . 2012-03-04 16:23:57 102 ----a-w- C:\Qoobox\Quarantine\catchme.log
2012-03-02 20:47:36 . 2012-03-04 16:22:23 1,081,081 ----a-w- C:\Qoobox\Quarantine\C\Users\Brian\AppData\Local\jjarsfdy.log.vir
2012-03-02 20:45:14 . 2012-03-02 20:45:14 1,572 ----a-w- C:\Qoobox\Quarantine\C\Users\Brian\AppData\Local\tlepvqev.log.vir
2012-03-02 20:45:14 . 2012-03-02 20:45:14 112,483 ----a-w- C:\Qoobox\Quarantine\C\Users\Brian\AppData\Local\veumipic.log.vir
2012-03-02 20:45:12 . 2012-03-02 20:45:12 3,265 ----a-w- C:\Qoobox\Quarantine\C\Users\Brian\AppData\Local\asnckyfa.log.vir
2012-03-02 20:35:48 . 2012-03-02 20:35:48 4,011 ----a-w- C:\Qoobox\Quarantine\C\Users\Brian\AppData\Local\mcxjetjd.log.vir
2012-03-02 20:35:43 . 2012-03-02 20:35:42 97,018 ----a-w- C:\Qoobox\Quarantine\C\Users\Brian\AppData\Local\xolhqyev\grdtbynj.exe.vir
2012-03-02 20:35:43 . 2012-03-04 16:22:20 24 ----a-w- C:\Qoobox\Quarantine\C\Users\Brian\AppData\Local\hvdocbsi.log.vir
2012-03-02 20:35:43 . 2012-03-02 20:35:52 428,736 ----a-w- C:\Qoobox\Quarantine\C\Users\Brian\AppData\Local\imkcuxai.log.vir
2012-02-03 20:42:56 . 2012-02-03 20:42:56 24 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\MyWebSearch\bar\Settings\s_pid.dat.vir
2012-02-03 20:42:56 . 2012-02-03 20:42:56 27,352 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\MyWebSearch\bar\wbnotify\COMMON.F3S.vir
2012-02-03 20:42:56 . 2012-02-03 20:42:56 1,547 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\MyWebSearch\bar\gen1\COMMON.F3S.vir
2009-04-23 19:15:49 . 2012-02-22 01:16:46 1,057 ----a-w- C:\Qoobox\Quarantine\C\Users\Brian\AppData\Roaming\vso_ts_preview.xml.vir
2009-04-23 19:14:37 . 2010-11-23 19:32:28 99,384 ----a-w- C:\Qoobox\Quarantine\C\Users\Brian\AppData\Roaming\inst.exe.vir
