Win 7 Antivirus 2012 Remnants


Win 7 Antivirus 2012 Remnants

Post by roadran322 on Thu Dec 22, 2011 3:57 pm

I have tried to remove this virus, but I haven't been able to. I had to do a system restore twice, and I had an MBR error.

Log files too big to post; also, ASWMBR froze, but I took a screenshot of it.



AHHHHH MY HEAD!!!!!!!!!!!!!!

"Education is what remains after one has forgotten everything he learned in school."
Albert Einstein

roadran322
Senior

Posts : 231
Joined : 2010-08-05
Gender : Male
OS : Windows 7

Re: Win 7 Antivirus 2012 Remnants

Post by roadran322 on Thu Dec 22, 2011 3:59 pm

Here are the log attachments


Re: Win 7 Antivirus 2012 Remnants

Post by Belahzur on Fri Dec 23, 2011 12:16 am

Hello.

Please download ComboFix from [You must be registered and logged in to see this link.]

Rename ComboFix.exe to commy.exe before you save it to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found [You must be registered and logged in to see this link.]
  • Click Start then copy paste the following command into the search box & hit enter: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. This will not install in Vista. Just continue scanning, and skip the console install.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

Re: Win 7 Antivirus 2012 Remnants

Post by roadran322 on Fri Dec 23, 2011 12:52 am

Thanks Belahzur, I couldn't get onto the internet in any of the browsers for some odd reason, though I could connect from my laptop over TeamViewer...


Also, after ComboFix I can't open any .exe files? It says "Illegal operation attempted on a registry key that has been marked for deletion."

Here is the log:

ComboFix 11-12-22.04 - Kenny Diep 12/22/2011 19:23:55.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3831.1849 [GMT -5]
Running from: c:\users\Kenny Diep\Desktop\commy.exe
Command switches used :: /stepdel
AV: avast! Internet Security *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
FW: avast! Internet Security *Disabled* {131692B0-0864-D491-4E21-3A3A1D8BBB47}
SP: avast! Internet Security *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
ADS - Windows: deleted 192 bytes in 1 streams.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\CFLog
c:\program files (x86)\Security Defender
c:\programdata\Microsoft\Windows\Start Menu\Programs\Security Defender
c:\users\Kenny Diep\AppData\Roaming\Bitcoin
c:\users\Kenny Diep\AppData\Roaming\GmailHackerPro_Installer
c:\users\Kenny Diep\AppData\Roaming\Local
c:\windows\system32\consrv.dll
c:\windows\System64
c:\cflog\CrashLog_20110402.txt
c:\cflog\CrashLog_20110712.txt
c:\cflog\CrashLog_20110910.txt
c:\cflog\CrashLog_20110916.txt
c:\cflog\CrashLog_20111004.txt
c:\cflog\CrashLog_20111016.txt
c:\cflog\CrashLog_20111026.txt
c:\cflog\CrashLog_20111029.txt
c:\cflog\CrashLog_20111207.txt
c:\program files (x86)\Security Defender\Security Defender.ico
c:\programdata\68C99590-AF86-B6DD-DB7A-D874F37B2C09.ico
c:\programdata\Microsoft\Windows\Start Menu\Programs\Security Defender\Security Defender.lnk
c:\users\Kenny Diep\AppData\Roaming\Bitcoin\.lock
c:\users\Kenny Diep\AppData\Roaming\Bitcoin\__db.001
c:\users\Kenny Diep\AppData\Roaming\Bitcoin\__db.002
c:\users\Kenny Diep\AppData\Roaming\Bitcoin\__db.003
c:\users\Kenny Diep\AppData\Roaming\Bitcoin\__db.004
c:\users\Kenny Diep\AppData\Roaming\Bitcoin\__db.005
c:\users\Kenny Diep\AppData\Roaming\Bitcoin\__db.006
c:\users\Kenny Diep\AppData\Roaming\Bitcoin\addr.dat
c:\users\Kenny Diep\AppData\Roaming\Bitcoin\blk0001.dat
c:\users\Kenny Diep\AppData\Roaming\Bitcoin\blkindex.dat
c:\users\Kenny Diep\AppData\Roaming\Bitcoin\database\log.0000000042
c:\users\Kenny Diep\AppData\Roaming\Bitcoin\database\log.0000000043
c:\users\Kenny Diep\AppData\Roaming\Bitcoin\database\log.0000000044
c:\users\Kenny Diep\AppData\Roaming\Bitcoin\database\log.0000000045
c:\users\Kenny Diep\AppData\Roaming\Bitcoin\database\log.0000000046
c:\users\Kenny Diep\AppData\Roaming\Bitcoin\database\log.0000000047
c:\users\Kenny Diep\AppData\Roaming\Bitcoin\database\log.0000000048
c:\users\Kenny Diep\AppData\Roaming\Bitcoin\database\log.0000000049
c:\users\Kenny Diep\AppData\Roaming\Bitcoin\database\log.0000000050
c:\users\Kenny Diep\AppData\Roaming\Bitcoin\database\log.0000000051
c:\users\Kenny Diep\AppData\Roaming\Bitcoin\database\log.0000000052
c:\users\Kenny Diep\AppData\Roaming\Bitcoin\database\log.0000000053
c:\users\Kenny Diep\AppData\Roaming\Bitcoin\database\log.0000000054
c:\users\Kenny Diep\AppData\Roaming\Bitcoin\database\log.0000000055
c:\users\Kenny Diep\AppData\Roaming\Bitcoin\database\log.0000000056
c:\users\Kenny Diep\AppData\Roaming\Bitcoin\database\log.0000000057
c:\users\Kenny Diep\AppData\Roaming\Bitcoin\database\log.0000000058
c:\users\Kenny Diep\AppData\Roaming\Bitcoin\database\log.0000000059
c:\users\Kenny Diep\AppData\Roaming\Bitcoin\database\log.0000000060
c:\users\Kenny Diep\AppData\Roaming\Bitcoin\database\log.0000000061
c:\users\Kenny Diep\AppData\Roaming\Bitcoin\database\log.0000000062
c:\users\Kenny Diep\AppData\Roaming\Bitcoin\database\log.0000000063
c:\users\Kenny Diep\AppData\Roaming\Bitcoin\database\log.0000000064
c:\users\Kenny Diep\AppData\Roaming\Bitcoin\database\log.0000000065
c:\users\Kenny Diep\AppData\Roaming\Bitcoin\database\log.0000000066
c:\users\Kenny Diep\AppData\Roaming\Bitcoin\database\log.0000000067
c:\users\Kenny Diep\AppData\Roaming\Bitcoin\database\log.0000000068
c:\users\Kenny Diep\AppData\Roaming\Bitcoin\database\log.0000000069
c:\users\Kenny Diep\AppData\Roaming\Bitcoin\database\log.0000000070
c:\users\Kenny Diep\AppData\Roaming\Bitcoin\database\log.0000000071
c:\users\Kenny Diep\AppData\Roaming\Bitcoin\database\log.0000000072
c:\users\Kenny Diep\AppData\Roaming\Bitcoin\database\log.0000000073
c:\users\Kenny Diep\AppData\Roaming\Bitcoin\db.log
c:\users\Kenny Diep\AppData\Roaming\Bitcoin\debug.log
c:\users\Kenny Diep\AppData\Roaming\Bitcoin\wallet.dat
c:\users\Kenny Diep\AppData\Roaming\chrtmp
c:\users\Kenny Diep\AppData\Roaming\GmailHackerPro_Installer\Gmail Hacker Pro Installer\1.0.0.0\Update-152599.exe
c:\users\Kenny Diep\AppData\Roaming\GmailHackerPro_Installer\Gmail Hacker Pro Installer\1.0.0.0\Update-442516.exe
c:\users\Kenny Diep\AppData\Roaming\Local\Temp\DDM\Settings\0.ddi
c:\users\Kenny Diep\AppData\Roaming\Local\Temp\DDM\Settings\1.ddi
c:\users\Kenny Diep\AppData\Roaming\Local\Temp\DDM\Settings\bsigjc5ky29n1.avi(2).ddr
c:\users\Kenny Diep\AppData\Roaming\Local\Temp\DDM\Settings\bsigjc5ky29n1.avi.ddr
c:\users\Kenny Diep\AppData\Roaming\Local\Temp\DDM\Settings\settings.ddi
c:\users\Kenny Diep\AppData\Roaming\Local\Temp\DDM\Settings\Temporary Downloaded Files\bsigjc5ky29n1.avi(2).ddp
c:\users\Kenny Diep\AppData\Roaming\Local\Temp\DDM\Settings\Temporary Downloaded Files\bsigjc5ky29n1.avi.ddp
c:\windows\jestertb.dll
c:\windows\system\actualspy.lnk
c:\windows\System32\config\systemprofile\AppData\Local\App\lrsykvie.dll
c:\windows\system32\fxsst.dll . . . . Failed to delete
c:\windows\system32\java.exe
c:\windows\system32\slwga.dll . . . . Failed to delete
c:\windows\system32\srrstr.dll . . . . Failed to delete
c:\windows\system32\systemcpl.dll . . . . Failed to delete
c:\windows\system32\termsrv.dll
c:\windows\SysWow64\68C99590-AF86-B6DD-DB7A-D874F37B2C09.avi
F:\install.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-11-23 to 2011-12-23 )))))))))))))))))))))))))))))))
.
.
2011-12-23 00:31 . 2011-12-23 00:31 -------- d-----w- c:\users\f\AppData\Local\temp
2011-12-23 00:31 . 2011-12-23 00:31 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-21 17:38 . 2011-12-21 17:38 -------- d-----w- c:\program files (x86)\ESET
2011-12-21 16:30 . 2011-12-21 16:30 -------- d-----w- c:\windows\system32\MpEngineStore
2011-12-20 22:50 . 2011-12-20 22:50 -------- d-----w- C:\Cache
2011-12-20 19:03 . 2011-12-20 19:03 -------- d-----w- C:\Temp
2011-12-19 02:57 . 2011-12-19 23:15 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2011-12-19 02:57 . 2011-12-19 23:15 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-12-16 14:06 . 2011-12-16 14:06 36352 ----a-w- c:\windows\SysWow64\JgAbkOoX.com
2011-12-13 22:38 . 2011-10-26 05:21 43520 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-13 22:38 . 2011-11-24 04:52 3145216 ----a-w- c:\windows\system32\win32k.sys
2011-12-13 22:38 . 2011-10-15 06:31 723456 ----a-w- c:\windows\system32\EncDec.dll
2011-12-13 22:38 . 2011-10-15 05:38 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
2011-12-13 22:38 . 2011-11-05 05:32 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-13 22:38 . 2011-11-05 04:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2011-12-11 00:02 . 2011-12-11 00:02 -------- d-----w- c:\windows\system32\Macromed
2011-12-10 21:04 . 2011-12-20 18:24 -------- d-----w- c:\users\Kenny Diep\AppData\Roaming\SUPERAntiSpyware.com
2011-12-07 19:48 . 2011-12-07 19:48 -------- d-----w- c:\program files (x86)\WhiteSmoke_Bar
2011-12-07 19:48 . 2011-12-20 18:45 -------- d-----w- c:\users\Kenny Diep\AppData\Local\RavenBleuSA
2011-12-07 12:16 . 2011-12-07 12:16 -------- d-----w- c:\windows\SysWow64\config\systemprofile\Tracing
2011-12-04 14:00 . 2011-12-04 14:00 -------- d-----w- c:\programdata\Media Center Programs
2011-12-04 13:51 . 2011-12-04 13:51 -------- d-----w- c:\program files (x86)\UBISOFT
2011-12-02 13:30 . 2011-11-21 11:40 8822856 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8FA25C06-85AF-46A0-8767-2DF90ADC8015}\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-11 00:02 . 2011-03-03 12:14 525544 ----a-w- c:\windows\system32\deployJava1.dll
2011-12-11 00:02 . 2011-05-19 10:38 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-09-29 16:29 . 2011-11-09 13:10 1923952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-03-01 13:12 . 2011-03-01 13:09 12067528 ----a-w- c:\program files (x86)\Common Files\lpuninstall.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Update"="c:\users\Kenny Diep\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2011-08-16 137536]
"RavenBleuSA"="c:\users\Kenny Diep\AppData\Local\RavenBleuSA\bin\1.0.11.0\RavenBleuSA.exe" [2011-11-28 782848]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-12-19 5486464]
"uTorrent"="c:\users\Kenny Diep\Downloads\utorrent.exe" [2011-08-09 639864]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-10-09 421736]
"68C99590-AF86-B6DD-DB7A-D874F37B2C09"="c:\windows\system32\rundll32.exe" [2009-07-14 44544]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files (x86)\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"lrsykvie"="c:\windows\System32\config\systemprofile\AppData\Local\App\lrsykvie.dll" [2011-12-14 60416]
"68C99590-AF86-B6DD-DB7A-D874F37B2C09"="c:\windows\system32\rundll32.exe" [2009-07-14 44544]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\SysWOW64\Macromed\Flash\FlashUtil10r_ActiveX.exe" [2011-06-02 240288]
.
c:\users\f\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Install LastPass FF RunOnce.lnk - c:\program files (x86)\Common Files\lpuninstall.exe [2011-3-1 12067528]
.
c:\users\Kenny Diep\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
UniKeyNT - Shortcut.lnk - c:\users\Kenny Diep\Downloads\UniKeyNT.exe [2009-11-2 316928]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
68C99590-AF86-B6DD-DB7A-D874F37B2C09.lnk - c:\windows\System32\rundll32.exe [2009-7-13 45568]
Virtual Router Manager.lnk - c:\windows\Installer\{8DB05F7E-1F7A-4CC0-882F-375B97F04CD4}\_E6D9769DD20AF384865041.exe [2011-7-18 22486]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SolutoService]
@="Service"
.
R1 nxupirpo;nxupirpo;c:\windows\system32\drivers\nxupirpo.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
R3 Andbus;LGE Android Platform Composite USB Device;c:\windows\system32\DRIVERS\lgandbus64.sys [x]
R3 AndDiag;LGE Android Platform USB Serial Port;c:\windows\system32\DRIVERS\lganddiag64.sys [x]
R3 AndGps;LGE Android Platform USB GPS NMEA Port;c:\windows\system32\DRIVERS\lgandgps64.sys [x]
R3 ANDModem;LGE Android Platform USB Modem;c:\windows\system32\DRIVERS\lgandmodem64.sys [x]
R3 androidusb;ADB Interface Driver;c:\windows\system32\Drivers\lgandadb.sys [x]
R3 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 clwvd;HP Webcam Splitter;c:\windows\system32\DRIVERS\clwvd.sys [x]
R3 connctfy;Connectify Service;c:\windows\system32\DRIVERS\connctfy.sys [x]
R3 connctfyMP;connctfyMP;c:\windows\system32\DRIVERS\connctfy.sys [x]
R3 dump_wmimmc;dump_wmimmc;c:\ijji\ENGLISH\AVA\Binaries\GameGuard\dump_wmimmc.sys [x]
R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]
R3 GenericMount;Generic Mount Driver;c:\windows\system32\DRIVERS\GenericMount.sys [x]
R3 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-26 136176]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-26 136176]
R3 libusb0;LibUsb-Win32 - Kernel Driver 03/20/2007, 0.1.12.1;c:\windows\system32\DRIVERS\libusb0.sys [2009-03-19 32808]
R3 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\Common Files\Nitro PDF\Professional\6.0\NitroPDFDriverServicex64.exe [2011-01-31 341312]
R3 pnetmdm;PdaNet Modem;c:\windows\system32\DRIVERS\pnetmdm64.sys [x]
R3 PSVolAcc;PSVolAcc; [x]
R3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\DRIVERS\teamviewervpn.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2009-10-01 2320920]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [x]
R3 X6va005;X6va005;c:\users\KENNYD~1\AppData\Local\Temp\0057263.tmp [x]
R4 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.EXE [2009-11-17 98208]
R4 CinemaNow Service;CinemaNow Service;c:\program files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe [2010-06-13 400368]
R4 nlsX86cc;NLS Service;c:\windows\SysWOW64\NLSSRV32.EXE [2011-01-31 68928]
R4 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe [2009-10-24 360224]
R4 TeamViewer6;TeamViewer 6;c:\program files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2010-12-07 2228008]
S0 Soluto;Soluto;c:\windows\system32\DRIVERS\Soluto.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S2 SolutoService;Soluto PCGenome Core Service;c:\program files\Soluto\SolutoService.exe [2011-07-07 376352]
S2 Virtual Router;VirtualRouterService;c:\program files (x86)\Virtual Router\VirtualRouterService.exe [2009-11-18 12288]
S2 WinAgentsTftpService4;WinAgents TFTP Service 4;c:\program files (x86)\Common Files\WinAgents\TftpService.exe [2011-04-02 111376]
S3 ACPIService;Buttons and OSDs ACPI driver gen2;c:\windows\system32\DRIVERS\OSDACPI.SYS [x]
S3 AVerAVF2;AVerAVF2;c:\windows\system32\DRIVERS\AVerAVF2.sys [x]
S3 FintekCIR;Fintek eHome Transceiver;c:\windows\system32\DRIVERS\FintekCIR.sys [x]
S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 hidkmdf;Microsoft HID Class Shim for KMDF;c:\windows\system32\DRIVERS\hidkmdf.sys [x]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
S3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys [x]
S3 NW1950;NextWindow 1950 Touch Screen;c:\windows\system32\DRIVERS\NW1950.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-22 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2503263900-158799546-2591639019-1000Core.job
- c:\users\Kenny Diep\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-16 02:10]
.
2011-12-23 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2503263900-158799546-2591639019-1000UA.job
- c:\users\Kenny Diep\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-16 02:10]
.
2011-10-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-26 01:08]
.
2011-12-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-26 01:08]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-10-16 415256]
"combofix"="c:\commy\CF12974.3XE" [2010-11-20 345088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyServer = 127.0.0.1:8118
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath -
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-SmartMusic 2011a - c:\programdata\MakeMusic\UninstallSmartMusic 2011.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\X6va005]
"ImagePath"="\??\c:\users\KENNYD~1\AppData\Local\Temp\0057263.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"=hex:51,66,7a,6c,4c,1d,38,12,5c,be,8a,
eb,c9,8f,bc,54,f6,39,43,d0,22,43,0b,9c
"{8E5E2654-AD2D-48BF-AC2D-D17F00898D06}"=hex:51,66,7a,6c,4c,1d,38,12,3a,25,4d,
8a,1f,e3,d1,0d,d3,3b,92,3f,05,d7,c9,12
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=hex:51,66,7a,6c,4c,1d,38,12,11,7f,11,
d0,78,5b,08,05,de,bb,01,03,dd,4c,30,54
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"=hex:51,66,7a,6c,4c,1d,38,12,df,c1,0b,
27,57,07,ba,54,e4,0e,43,d0,22,fb,89,5b
"{02478D38-C3F9-4EFB-9B51-7695ECA05670}"=hex:51,66,7a,6c,4c,1d,38,12,56,8e,54,
06,cb,8d,95,0b,e4,47,35,d5,e9,fe,12,64
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{AA58ED58-01DD-4D91-8333-CF10577473F7}"=hex:51,66,7a,6c,4c,1d,38,12,36,ee,4b,
ae,ef,4f,ff,08,fc,25,8c,50,52,2a,37,e3
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}"=hex:51,66,7a,6c,4c,1d,38,12,70,05,61,
f9,ec,d1,23,0d,da,9c,48,eb,44,0f,8e,cc
"{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}"=hex:51,66,7a,6c,4c,1d,38,12,cf,4e,be,
f9,90,2f,b6,0a,e3,01,c5,b7,a9,7a,14,95
"{FF2573AE-E1ED-40E1-83BA-F544CB2EE135}"=hex:51,66,7a,6c,4c,1d,38,12,c0,70,36,
fb,df,af,8f,05,fc,ac,b6,04,ce,70,a5,21
"{167D9323-F7CC-48F5-948A-6F012831A69F}"=hex:51,66,7a,6c,4c,1d,38,12,4d,90,6e,
12,fe,b9,9b,0d,eb,9c,2c,41,2d,6f,e2,8b
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:d0,a2,34,31,0f,bc,cc,01
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d7,a2,6e,12,56,62,af,41,94,d5,0c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d7,a2,6e,12,56,62,af,41,94,d5,0c,\
.
[HKEY_USERS\S-1-5-21-2503263900-158799546-2591639019-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{AD6A3628-D3C3-DF2B-60B4-30788E7CE3FD}*]
"makjhmocnempbododhjoojkfap"=hex:6f,61,6c,70,69,65,6a,6f,64,64,6e,62,6a,70,65,
63,68,6c,63,6e,61,64,64,66,63,6e,6e,66,64,69,00,62
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10r_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10r_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10r.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10r.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10r.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10r.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="REMOVED"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
.
**************************************************************************
.
Completion time: 2011-12-22 19:49:43 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-23 00:49
.
Pre-Run: 761,791,774,720 bytes free
Post-Run: 761,672,978,432 bytes free
.
- - End Of File - - 55F6BD5D7FFFC4379E39AC986EB1E5B0

Last edited by roadran322 on Fri Dec 23, 2011 2:33 am; edited 1 time in total


Re: Win 7 Antivirus 2012 Remnants

Post by roadran322 on Fri Dec 23, 2011 1:10 am

I should also say that the computer froze up; I waited 10-15 minutes and had to do a forced shutdown and restart.

Edit: Now files can open; I had to restart the computer. Internet also works now. I don't know if there are still remnants of this nasty virus.


Re: Win 7 Antivirus 2012 Remnants

Post by roadran322 on Sat Dec 24, 2011 12:41 pm

Bump?


Re: Win 7 Antivirus 2012 Remnants

Post by Belahzur on Sat Dec 24, 2011 4:25 pm

Hello.

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    File::
    c:\windows\SysWow64\JgAbkOoX.com
    c:\windows\System32\config\systemprofile\AppData\Local\App\lrsykvie.dll

    Registry::
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "lrsykvie"=-
    "68C99590-AF86-B6DD-DB7A-D874F37B2C09"=-

    Driver::
    nxupirpo

    DDS::
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyServer = 127.0.0.1:8118

    RegNull::
    [HKEY_USERS\S-1-5-21-2503263900-158799546-2591639019-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{AD6A3628-D3C3-DF2B-60B4-30788E7CE3FD}*]

  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

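The CFScript above is a hand-picked selection of artefacts from the first log: an autorun value named after a GUID that only launches rundll32.exe, a DLL started from the system profile's AppData, a driver with no file behind it, and a browser proxy pointing at the local host. The Python below is an added example (not part of the thread, and not a ComboFix feature) that applies those same checks to a constructed sample of log lines modelled on that log; the category names and the "random-looking lowercase name" heuristic are this example's own, and each hit is a review item for an analyst, not a verdict.

```python
import re

# Constructed sample: a handful of lines in the shape of the first ComboFix log
# posted in the thread (Run keys, driver/service lines, supplementary scan).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-12-19 5486464]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files (x86)\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"lrsykvie"="c:\windows\System32\config\systemprofile\AppData\Local\App\lrsykvie.dll" [2011-12-14 60416]
"68C99590-AF86-B6DD-DB7A-D874F37B2C09"="c:\windows\system32\rundll32.exe" [2009-07-14 44544]
.
R1 nxupirpo;nxupirpo;c:\windows\system32\drivers\nxupirpo.sys [x]
R3 connctfyMP;connctfyMP;c:\windows\system32\DRIVERS\connctfy.sys [x]
R3 X6va005;X6va005;c:\users\KENNYD~1\AppData\Local\Temp\0057263.tmp [x]
S3 hidkmdf;Microsoft HID Class Shim for KMDF;c:\windows\system32\DRIVERS\hidkmdf.sys [x]
.
uInternet Settings,ProxyServer = 127.0.0.1:8118
TCP: DhcpNameServer = 192.168.1.1
"""

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)"(?:\s+\[[^\]]*\])?$')
SVC_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]$')
PROXY_RE = re.compile(r'^uInternet Settings,ProxyServer\s*=\s*(\S+)$')
GUID_RE = re.compile(r'^\{?[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$')

# Autorun targets under these folders are unusual for properly installed software.
SUSPECT_PATH_FRAGMENTS = ('\\config\\systemprofile\\appdata\\', '\\appdata\\local\\temp\\')
LOOPBACK_HOSTS = ('127.0.0.1', 'localhost', '::1')


def check_run_entry(key, name, target):
    """Flags for one "name"="target" value under a ...\\CurrentVersion\\Run key."""
    out = []
    lowered = target.lower()
    image = lowered.rsplit('\\', 1)[-1]
    # A value named after a bare GUID that only launches rundll32.exe carries its
    # real payload elsewhere (the DLL argument is not shown in this log format).
    if GUID_RE.match(name) and image == 'rundll32.exe':
        out.append(('guid-named-rundll32', f'{key}: {name} -> {target}'))
    if any(frag in lowered for frag in SUSPECT_PATH_FRAGMENTS):
        out.append(('autorun-from-suspect-path', f'{key}: {name} -> {target}'))
    return out


def check_service(start, name, display, path, size):
    """Flags for one 'R1 name;display;path [size]' driver/service line."""
    out = []
    lowered = path.lower()
    if '\\temp\\' in lowered or lowered.endswith('.tmp'):
        out.append(('service-from-temp', f'{start} {name} -> {path}'))
    # Weak heuristic: ComboFix prints [x] for many legitimate 64-bit drivers, so a
    # missing file only matters together with a display name that merely repeats
    # an all-lowercase, random-looking service name.
    if size == 'x' and name == display and re.fullmatch(r'[a-z]{6,}', name):
        out.append(('unnamed-missing-driver', f'{start} {name} -> {path}'))
    return out


def triage(log_text):
    """Return (category, detail) findings for the recognised line types."""
    findings = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == '.':
            continue
        key = KEY_RE.match(line)
        if key:
            current_key = key.group(1)
            continue
        if current_key and current_key.lower().endswith('\\currentversion\\run'):
            run = RUN_RE.match(line)
            if run:
                findings.extend(check_run_entry(current_key, *run.groups()))
                continue
        svc = SVC_RE.match(line)
        if svc:
            findings.extend(check_service(*svc.groups()))
            continue
        proxy = PROXY_RE.match(line)
        if proxy and proxy.group(1).rsplit(':', 1)[0] in LOOPBACK_HOSTS:
            # A loopback proxy can be a legitimate local filter; check what listens there.
            findings.append(('local-proxy', proxy.group(1)))
    return findings


if __name__ == '__main__':
    for category, detail in triage(SAMPLE_LOG):
        print(f'{category:28} {detail}')
```

On the sample this reports exactly the five artefacts the CFScript removes or resets, and nothing for the legitimate SUPERAntiSpyware, Messenger, Connectify and HID entries sitting beside them.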

Re: Win 7 Antivirus 2012 Remnants

Post by roadran322 on Sat Dec 24, 2011 5:15 pm

OK, here is the log:

ComboFix 11-12-24.03 - Kenny Diep 12/24/2011 11:55:51.2.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3831.2327 [GMT -5:00]
Running from: c:\users\Kenny Diep\Desktop\Commy.exe
Command switches used :: c:\users\Kenny Diep\Desktop\CFScript.txt
AV: avast! Internet Security *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
FW: avast! Internet Security *Disabled* {131692B0-0864-D491-4E21-3A3A1D8BBB47}
SP: avast! Internet Security *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
FILE ::
"c:\windows\System32\config\systemprofile\AppData\Local\App\lrsykvie.dll"
"c:\windows\SysWow64\JgAbkOoX.com"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\CFLog
c:\windows\SysWow64\JgAbkOoX.com
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_nxupirpo
.
.
((((((((((((((((((((((((( Files Created from 2011-11-24 to 2011-12-24 )))))))))))))))))))))))))))))))
.
.
2011-12-24 17:05 . 2011-12-24 17:05 -------- d-----w- c:\users\f\AppData\Local\temp
2011-12-21 17:38 . 2011-12-21 17:38 -------- d-----w- c:\program files (x86)\ESET
2011-12-21 16:30 . 2011-12-21 16:30 -------- d-----w- c:\windows\system32\MpEngineStore
2011-12-20 22:50 . 2011-12-20 22:50 -------- d-----w- C:\Cache
2011-12-20 19:03 . 2011-12-20 19:03 -------- d-----w- C:\Temp
2011-12-19 02:57 . 2011-12-19 23:15 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2011-12-19 02:57 . 2011-12-19 23:15 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-12-13 22:38 . 2011-10-26 05:21 43520 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-13 22:38 . 2011-11-24 04:52 3145216 ----a-w- c:\windows\system32\win32k.sys
2011-12-13 22:38 . 2011-10-15 06:31 723456 ----a-w- c:\windows\system32\EncDec.dll
2011-12-13 22:38 . 2011-10-15 05:38 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
2011-12-13 22:38 . 2011-11-05 05:32 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-13 22:38 . 2011-11-05 04:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2011-12-11 00:02 . 2011-12-11 00:02 -------- d-----w- c:\windows\system32\Macromed
2011-12-10 21:04 . 2011-12-20 18:24 -------- d-----w- c:\users\Kenny Diep\AppData\Roaming\SUPERAntiSpyware.com
2011-12-07 19:48 . 2011-12-07 19:48 -------- d-----w- c:\program files (x86)\WhiteSmoke_Bar
2011-12-07 19:48 . 2011-12-20 18:45 -------- d-----w- c:\users\Kenny Diep\AppData\Local\RavenBleuSA
2011-12-07 12:16 . 2011-12-07 12:16 -------- d-----w- c:\windows\SysWow64\config\systemprofile\Tracing
2011-12-04 14:00 . 2011-12-04 14:00 -------- d-----w- c:\programdata\Media Center Programs
2011-12-04 14:00 . 2011-12-02 22:29 116224 ----a-w- c:\windows\SysWow64\JgAbkOoX.com_
2011-12-04 13:51 . 2011-12-04 13:51 -------- d-----w- c:\program files (x86)\UBISOFT
2011-12-02 13:30 . 2011-11-21 11:40 8822856 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8FA25C06-85AF-46A0-8767-2DF90ADC8015}\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-11 00:02 . 2011-03-03 12:14 525544 ----a-w- c:\windows\system32\deployJava1.dll
2011-12-11 00:02 . 2011-05-19 10:38 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-09-29 16:29 . 2011-11-09 13:10 1923952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-03-01 13:12 . 2011-03-01 13:09 12067528 ----a-w- c:\program files (x86)\Common Files\lpuninstall.exe
.
.
((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-12-24 17:07 . 2011-12-24 17:07 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-12-21 14:00 . 2011-12-23 00:41 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-12-24 17:07 . 2011-12-24 17:07 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-12-21 14:00 . 2011-12-23 00:41 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 05:01 . 2011-12-21 13:59 337792 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2011-12-24 17:06 337792 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-07-22 03:31 . 2011-12-24 17:06 3729608 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2011-07-22 03:31 . 2011-12-21 13:59 3729608 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2011-04-03 13:39 . 2011-12-24 17:06 3652156 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2503263900-158799546-2591639019-1000-12288.dat
- 2011-04-03 13:39 . 2011-12-21 13:59 3652156 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2503263900-158799546-2591639019-1000-12288.dat
+ 2010-11-26 21:57 . 2011-12-24 17:06 29041572 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2503263900-158799546-2591639019-1000-8192.dat
+ 2011-04-02 19:16 . 2011-12-24 17:06 57188676 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2503263900-158799546-2591639019-1000-4096.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Update"="c:\users\Kenny Diep\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2011-08-16 137536]
"RavenBleuSA"="c:\users\Kenny Diep\AppData\Local\RavenBleuSA\bin\1.0.11.0\RavenBleuSA.exe" [2011-11-28 782848]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-12-19 5486464]
"uTorrent"="c:\users\Kenny Diep\Downloads\utorrent.exe" [2011-08-09 639864]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-10-09 421736]
"68C99590-AF86-B6DD-DB7A-D874F37B2C09"="c:\windows\system32\rundll32.exe" [2009-07-14 44544]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files (x86)\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\SysWOW64\Macromed\Flash\FlashUtil10r_ActiveX.exe" [2011-06-02 240288]
.
c:\users\f\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Install LastPass FF RunOnce.lnk - c:\program files (x86)\Common Files\lpuninstall.exe [2011-3-1 12067528]
.
c:\users\Kenny Diep\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
UniKeyNT - Shortcut.lnk - c:\users\Kenny Diep\Downloads\UniKeyNT.exe [2009-11-2 316928]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
68C99590-AF86-B6DD-DB7A-D874F37B2C09.lnk - c:\windows\System32\rundll32.exe [2009-7-13 45568]
Virtual Router Manager.lnk - c:\windows\Installer\{8DB05F7E-1F7A-4CC0-882F-375B97F04CD4}\_E6D9769DD20AF384865041.exe [2011-7-18 22486]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SolutoService]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
R3 Andbus;LGE Android Platform Composite USB Device;c:\windows\system32\DRIVERS\lgandbus64.sys [x]
R3 AndDiag;LGE Android Platform USB Serial Port;c:\windows\system32\DRIVERS\lganddiag64.sys [x]
R3 AndGps;LGE Android Platform USB GPS NMEA Port;c:\windows\system32\DRIVERS\lgandgps64.sys [x]
R3 ANDModem;LGE Android Platform USB Modem;c:\windows\system32\DRIVERS\lgandmodem64.sys [x]
R3 androidusb;ADB Interface Driver;c:\windows\system32\Drivers\lgandadb.sys [x]
R3 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 clwvd;HP Webcam Splitter;c:\windows\system32\DRIVERS\clwvd.sys [x]
R3 connctfy;Connectify Service;c:\windows\system32\DRIVERS\connctfy.sys [x]
R3 connctfyMP;connctfyMP;c:\windows\system32\DRIVERS\connctfy.sys [x]
R3 dump_wmimmc;dump_wmimmc;c:\ijji\ENGLISH\AVA\Binaries\GameGuard\dump_wmimmc.sys [x]
R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]
R3 GenericMount;Generic Mount Driver;c:\windows\system32\DRIVERS\GenericMount.sys [x]
R3 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-26 136176]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-26 136176]
R3 hidkmdf;Microsoft HID Class Shim for KMDF;c:\windows\system32\DRIVERS\hidkmdf.sys [x]
R3 libusb0;LibUsb-Win32 - Kernel Driver 03/20/2007, 0.1.12.1;c:\windows\system32\DRIVERS\libusb0.sys [2009-03-19 32808]
R3 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\Common Files\Nitro PDF\Professional\6.0\NitroPDFDriverServicex64.exe [2011-01-31 341312]
R3 NW1950;NextWindow 1950 Touch Screen;c:\windows\system32\DRIVERS\NW1950.sys [x]
R3 pnetmdm;PdaNet Modem;c:\windows\system32\DRIVERS\pnetmdm64.sys [x]
R3 PSVolAcc;PSVolAcc; [x]
R3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\DRIVERS\teamviewervpn.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2009-10-01 2320920]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [x]
R3 X6va005;X6va005;c:\users\KENNYD~1\AppData\Local\Temp\0059F13.tmp [x]
R4 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.EXE [2009-11-17 98208]
R4 CinemaNow Service;CinemaNow Service;c:\program files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe [2010-06-13 400368]
R4 nlsX86cc;NLS Service;c:\windows\SysWOW64\NLSSRV32.EXE [2011-01-31 68928]
R4 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe [2009-10-24 360224]
R4 TeamViewer6;TeamViewer 6;c:\program files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2010-12-07 2228008]
S0 Soluto;Soluto;c:\windows\system32\DRIVERS\Soluto.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S2 SolutoService;Soluto PCGenome Core Service;c:\program files\Soluto\SolutoService.exe [2011-07-07 376352]
S2 Virtual Router;VirtualRouterService;c:\program files (x86)\Virtual Router\VirtualRouterService.exe [2009-11-18 12288]
S2 WinAgentsTftpService4;WinAgents TFTP Service 4;c:\program files (x86)\Common Files\WinAgents\TftpService.exe [2011-04-02 111376]
S3 ACPIService;Buttons and OSDs ACPI driver gen2;c:\windows\system32\DRIVERS\OSDACPI.SYS [x]
S3 AVerAVF2;AVerAVF2;c:\windows\system32\DRIVERS\AVerAVF2.sys [x]
S3 FintekCIR;Fintek eHome Transceiver;c:\windows\system32\DRIVERS\FintekCIR.sys [x]
S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
S3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-24 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2503263900-158799546-2591639019-1000Core.job
- c:\users\Kenny Diep\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-16 02:10]
.
2011-12-24 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2503263900-158799546-2591639019-1000UA.job
- c:\users\Kenny Diep\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-16 02:10]
.
2011-10-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-26 01:08]
.
2011-12-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-26 01:08]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-10-16 415256]
"combofix"="c:\commy20685c\CF30572.3XE" [2010-11-20 345088]
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uLocal Page = %SystemRoot%\system32\blank.htm
mLocal Page = %SystemRoot%\system32\blank.htm
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath -
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-RESTART_STICKY_NOTES - c:\windows\system32\StikyNot.exe
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\X6va005]
"ImagePath"="\??\c:\users\KENNYD~1\AppData\Local\Temp\0059F13.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:d0,a2,34,31,0f,bc,cc,01
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10r_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10r_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10r.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10r.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10r.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10r.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="REMOVED"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
.
**************************************************************************
.
Completion time: 2011-12-24 12:13:32 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-24 17:13
ComboFix2.txt 2011-12-23 00:49
.
Pre-Run: 765,187,895,296 bytes free
Post-Run: 764,746,407,936 bytes free
.
- - End Of File - - CABC4655022A9BCA42496735D4BC26D3



Re: Win 7 Antivirus 2012 Remnants

Post by roadran322 on Thu Dec 29, 2011 1:17 pm

Bump?



Re: Win 7 Antivirus 2012 Remnants

Post by Belahzur on Fri Dec 30, 2011 1:33 am

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.



Re: Win 7 Antivirus 2012 Remnants

Post by roadran322 on Fri Dec 30, 2011 1:50 pm

Malwarebytes Anti-Malware 1.60.0.1800
[You must be registered and logged in to see this link.]

Database version: v2011.12.30.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Kenny Diep :: TOUCHSMART [administrator]

12/29/2011 8:47:17 PM
mbam-log-2011-12-30 (08-47-06).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 564021
Time elapsed: 1 hour(s), 26 minute(s), 52 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RavenBleuSA (Adware.HotBar.RB) -> No action taken.
HKCU\Software\RavenBleuSA (Adware.Hotbar.RB) -> No action taken.

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|RavenBleuSA (Adware.HotBar.RB) -> Data: "C:\Users\Kenny Diep\AppData\Local\RavenBleuSA\bin\1.0.11.0\RavenBleuSA.exe" -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|68C99590-AF86-B6DD-DB7A-D874F37B2C09 (Trojan.FakeAlert) -> Data: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\68C99590-AF86-B6DD-DB7A-D874F37B2C09.avi", start minimized -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 4
C:\Windows\System32\config\systemprofile\AppData\Roaming\Security Defender (Rogue.SecurityDefender) -> No action taken.
C:\Users\Kenny Diep\Local Settings\Application Data\RavenBleuSA (Adware.Hotbar.RB) -> No action taken.
C:\Users\Kenny Diep\Local Settings\Application Data\RavenBleuSA\bin (Adware.Hotbar.RB) -> No action taken.
C:\Users\Kenny Diep\Local Settings\Application Data\RavenBleuSA\bin\1.0.11.0 (Adware.Hotbar.RB) -> No action taken.

Files Detected: 18
C:\Users\Kenny Diep\AppData\Local\RavenBleuSA\bin\1.0.11.0\RavenBleuSA.exe (Adware.HotBar.RB) -> No action taken.
C:\Qoobox\Quarantine\C\Windows\SysWOW64\68C99590-AF86-B6DD-DB7A-D874F37B2C09.avi.vir (Trojan.FakeAlert) -> No action taken.
C:\Qoobox\Quarantine\C\Windows\SysWOW64\JgAbkOoX.com.vir (Trojan.Email) -> No action taken.
C:\Users\Kenny Diep\AppData\Local\RavenBleuSA\bin\1.0.11.0\RavenBleuSAHook.dll (Adware.HotBar.RB) -> No action taken.
C:\Users\Kenny Diep\AppData\Local\RavenBleuSA\bin\1.0.11.0\RavenBleuUninstaller.exe (Adware.HotBar.RB) -> No action taken.
C:\Windows\assembly\temp\kwrd.dll (PUP.BitMiner) -> No action taken.
C:\Windows\System32\config\systemprofile\AppData\Local\68C99590-AF86-B6DD-DB7A-D874F37B2C09.avi (Trojan.FakeAlert) -> No action taken.
C:\Windows\System32\config\systemprofile\AppData\Local\App\lrsykvie.dll (Trojan.FakeAlert) -> No action taken.
C:\Windows\System32\config\systemprofile\AppData\Roaming\68C99590-AF86-B6DD-DB7A-D874F37B2C09.avi (Trojan.FakeAlert) -> No action taken.
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\68C99590-AF86-B6DD-DB7A-D874F37B2C09.avi (Trojan.FakeAlert) -> No action taken.
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\App\lrsykvie.dll (Trojan.FakeAlert) -> No action taken.
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\68C99590-AF86-B6DD-DB7A-D874F37B2C09.avi (Trojan.FakeAlert) -> No action taken.
C:\Windows\System32\config\systemprofile\AppData\Roaming\Security Defender\{22591AFD-D629-4738-6183-45DCBE2C8A46}.pst (Rogue.SecurityDefender) -> No action taken.
C:\Windows\System32\config\systemprofile\AppData\Roaming\Security Defender\{8943A8A9-E822-428C-5C99-1B0DD6BD7680}.pst (Rogue.SecurityDefender) -> No action taken.
C:\Users\Kenny Diep\Local Settings\Application Data\RavenBleuSA\bin\1.0.11.0\RavenBleuSA.exe (Adware.Hotbar.RB) -> No action taken.
C:\Users\Kenny Diep\Local Settings\Application Data\RavenBleuSA\bin\1.0.11.0\RavenBleuSAHook.dll (Adware.Hotbar.RB) -> No action taken.
C:\Users\Kenny Diep\Local Settings\Application Data\RavenBleuSA\bin\1.0.11.0\RavenBleuUninstaller.exe (Adware.Hotbar.RB) -> No action taken.
C:\Users\Kenny Diep\Desktop\eXplorer.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

(end)


Odd. I do recall taking action?


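Every line of the log above ends in "No action taken", which is the first thing a helper checks before reading further. The following is an added example, not code from the thread or from Malwarebytes: it parses an MBAM 1.60-style log into detections and reports which ones were never remediated. The sample log is a constructed excerpt of the log posted above, and the "Quarantined and deleted successfully" wording for a removed item is assumed.

```python
import re
from collections import Counter

# Constructed excerpt in the format of the Malwarebytes' Anti-Malware 1.60 log
# posted above (paths taken from the thread, trimmed to a few lines). The
# "Quarantined and deleted successfully." wording for a remediated item is an
# assumption; the posted log only ever shows "No action taken".
SAMPLE_LOG = r"""
Malwarebytes Anti-Malware 1.60.0.1800

Scan type: Full scan
Objects scanned: 564021

Memory Processes Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RavenBleuSA (Adware.HotBar.RB) -> No action taken.
HKCU\Software\RavenBleuSA (Adware.Hotbar.RB) -> No action taken.

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|RavenBleuSA (Adware.HotBar.RB) -> Data: "C:\Users\Kenny Diep\AppData\Local\RavenBleuSA\bin\1.0.11.0\RavenBleuSA.exe" -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|68C99590-AF86-B6DD-DB7A-D874F37B2C09 (Trojan.FakeAlert) -> Data: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\68C99590-AF86-B6DD-DB7A-D874F37B2C09.avi", start minimized -> No action taken.

Files Detected: 2
C:\Windows\assembly\temp\kwrd.dll (PUP.BitMiner) -> Quarantined and deleted successfully.
C:\Users\Kenny Diep\Desktop\eXplorer.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

(end)
"""

# Section headers look like "Registry Values Detected: 2" or "Files Detected: 18".
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# Detection lines look like '<key or path> (<family>) -> [Data: "..." ->] <action>.'
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()\s]+)\) -> (?P<rest>.+)$")


def parse_mbam_log(text):
    """Return one dict per detection line: the section it appeared in, the
    item (file path or registry key/value), the family label MBAM assigned,
    and the final action MBAM reports for it."""
    detections = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is None:
            continue  # header lines before the first "... Detected:" section
        m = ITEM_RE.match(line)
        if not m:
            continue  # "(No malicious items detected)", "(end)", and similar
        # Registry values carry a 'Data: "..." -> <action>' tail; in every
        # case the final action is the last "->" segment of the line.
        action = m.group("rest").rsplit("->", 1)[-1].strip().rstrip(".")
        detections.append({
            "section": section,
            "item": m.group("item"),
            "family": m.group("family"),
            "action": action,
        })
    return detections


def unremediated(detections):
    """Items whose final action is 'No action taken': MBAM listed them but
    did not quarantine them, so whatever they belong to is still present."""
    return [d for d in detections if d["action"] == "No action taken"]


def summarize(detections):
    """Count detections per (family, action), which shows at a glance whether
    a family such as Trojan.FakeAlert was actually removed."""
    return Counter((d["family"], d["action"]) for d in detections)


def check_log(text):
    """Parse a log and return (total, still_present) so a 'scan only' log can
    be told apart from a 'scan and remove' log without reading every line."""
    dets = parse_mbam_log(text)
    return len(dets), len(unremediated(dets))


if __name__ == "__main__":
    dets = parse_mbam_log(SAMPLE_LOG)
    for (family, action), n in sorted(summarize(dets).items()):
        print(f"{n:3d}  {family:35s} {action}")
    left = unremediated(dets)
    print(f"\n{len(left)} of {len(dets)} detections were not removed:")
    for d in left:
        print(f"  [{d['section']}] {d['item']}")
```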

Re: Win 7 Antivirus 2012 Remnants

Post by Belahzur on Tue Jan 03, 2012 1:07 am

Hello.
It says no action was taken; did you remove what was found?



Re: Win 7 Antivirus 2012 Remnants

Post by roadran322 on Tue Jan 03, 2012 1:16 am

Yes, I did. I did the log before I removed it...



Re: Win 7 Antivirus 2012 Remnants

Post by Belahzur on Fri Jan 06, 2012 5:41 pm

Hello.

Please download ComboFix from [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]


Rename ComboFix.exe to commy.exe before you save it to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found [You must be registered and logged in to see this link.]
  • Click Start, then copy and paste the following command into the search box and hit Enter: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. This will not install in Vista. Just continue scanning, and skip the console install.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.



Re: Win 7 Antivirus 2012 Remnants

Post by roadran322 on Fri Jan 06, 2012 8:54 pm

ComboFix 12-01-06.01 - Kenny Diep 01/06/2012 15:03:27.3.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3831.2395 [GMT -5:00]
Running from: c:\users\Kenny Diep\Desktop\Commy.exe
AV: avast! Internet Security *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
FW: avast! Internet Security *Disabled* {131692B0-0864-D491-4E21-3A3A1D8BBB47}
SP: avast! Internet Security *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\CFLog
c:\windows\assembly\temp\@
c:\windows\assembly\temp\bckfg.tmp
c:\windows\assembly\temp\cfg.ini
c:\windows\assembly\temp\keywords
c:\windows\system32\drivers\etc\hosts.ics
.
.
((((((((((((((((((((((((( Files Created from 2011-12-06 to 2012-01-06 )))))))))))))))))))))))))))))))
.
.
2012-01-06 20:12 . 2012-01-06 20:12 -------- d-----w- c:\users\f\AppData\Local\temp
2012-01-06 20:12 . 2012-01-06 20:12 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-29 14:24 . 2011-12-29 14:24 -------- d-----w- c:\program files (x86)\Common Files\Java
2011-12-25 21:05 . 2011-12-25 21:05 -------- d-----w- c:\program files\Microsoft Silverlight
2011-12-25 21:05 . 2011-12-25 21:05 -------- d-----w- c:\program files (x86)\Microsoft Silverlight
2011-12-23 00:23 . 2011-12-23 00:49 -------- d-----w- C:\Commy
2011-12-21 17:38 . 2011-12-21 17:38 -------- d-----w- c:\program files (x86)\ESET
2011-12-21 16:30 . 2011-12-21 16:30 -------- d-----w- c:\windows\system32\MpEngineStore
2011-12-20 22:50 . 2011-12-20 22:50 -------- d-----w- C:\Cache
2011-12-20 19:03 . 2011-12-20 19:03 -------- d-----w- C:\Temp
2011-12-19 02:57 . 2011-12-19 23:15 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2011-12-19 02:57 . 2011-12-19 23:15 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-12-13 22:38 . 2011-10-26 05:21 43520 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-13 22:38 . 2011-11-24 04:52 3145216 ----a-w- c:\windows\system32\win32k.sys
2011-12-13 22:38 . 2011-10-15 06:31 723456 ----a-w- c:\windows\system32\EncDec.dll
2011-12-13 22:38 . 2011-10-15 05:38 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
2011-12-13 22:38 . 2011-11-05 05:32 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-13 22:38 . 2011-11-05 04:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2011-12-11 00:02 . 2011-12-11 00:02 -------- d-----w- c:\windows\system32\Macromed
2011-12-10 21:04 . 2011-12-20 18:24 -------- d-----w- c:\users\Kenny Diep\AppData\Roaming\SUPERAntiSpyware.com
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-29 14:24 . 2010-12-02 02:52 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-12-11 00:02 . 2011-03-03 12:14 525544 ----a-w- c:\windows\system32\deployJava1.dll
2011-12-11 00:02 . 2011-05-19 10:38 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-12-10 20:24 . 2011-02-07 13:26 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-02 22:29 . 2011-12-04 14:00 116224 ----a-w- c:\windows\SysWow64\JgAbkOoX.com_
2011-11-21 11:40 . 2011-12-02 13:30 8822856 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8FA25C06-85AF-46A0-8767-2DF90ADC8015}\mpengine.dll
2011-03-01 13:12 . 2011-03-01 13:09 12067528 ----a-w- c:\program files (x86)\Common Files\lpuninstall.exe
.
.
((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-14 04:46 . 2011-12-24 17:35 94000 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
- 2010-11-26 22:13 . 2011-08-30 00:19 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-11-26 22:13 . 2012-01-05 01:05 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-11-18 18:04 . 2011-11-18 18:04 39936 c:\windows\Installer\5f8d5e9.msi
- 2011-12-21 14:00 . 2011-12-23 00:41 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-01-06 20:13 . 2012-01-06 20:13 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-01-06 20:13 . 2012-01-06 20:13 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-12-21 14:00 . 2011-12-23 00:41 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-07-03 13:51 . 2011-05-04 08:52 157472 c:\windows\SysWOW64\javaws.exe
+ 2011-12-29 14:24 . 2011-12-29 14:24 157472 c:\windows\SysWOW64\javaws.exe
+ 2011-12-29 14:24 . 2011-12-29 14:24 149280 c:\windows\SysWOW64\javaw.exe
+ 2011-12-29 14:24 . 2011-12-29 14:24 149280 c:\windows\SysWOW64\java.exe
+ 2009-07-14 05:01 . 2012-01-06 20:12 337792 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2011-12-21 13:59 337792 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-12-29 14:24 . 2011-12-29 14:24 207360 c:\windows\Installer\191f51b9.msi
- 2011-07-22 03:31 . 2011-12-21 13:59 3729608 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2011-07-22 03:31 . 2012-01-06 20:12 3729608 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2011-04-02 19:16 . 2012-01-06 20:12 6442228 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2503263900-158799546-2591639019-1000-4096.dat
+ 2011-04-03 13:39 . 2012-01-06 20:12 3652156 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2503263900-158799546-2591639019-1000-12288.dat
- 2011-04-03 13:39 . 2011-12-21 13:59 3652156 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2503263900-158799546-2591639019-1000-12288.dat
+ 2010-11-26 21:57 . 2012-01-06 20:12 29856920 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2503263900-158799546-2591639019-1000-8192.dat
+ 2011-12-25 21:05 . 2011-12-25 21:05 52920320 c:\windows\Installer\5f8d5f2.msp
+ 2011-12-29 14:23 . 2011-12-29 14:23 12905472 c:\windows\Installer\191f51b2.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Update"="c:\users\Kenny Diep\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2011-08-16 137536]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-12-19 5486464]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-10-09 421736]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files (x86)\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\SysWOW64\Macromed\Flash\FlashUtil10r_ActiveX.exe" [2011-06-02 240288]
.
c:\users\f\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Install LastPass FF RunOnce.lnk - c:\program files (x86)\Common Files\lpuninstall.exe [2011-3-1 12067528]
.
c:\users\Kenny Diep\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
UniKeyNT - Shortcut.lnk - c:\users\Kenny Diep\Downloads\UniKeyNT.exe [2009-11-2 316928]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
68C99590-AF86-B6DD-DB7A-D874F37B2C09.lnk - c:\windows\System32\rundll32.exe [2009-7-13 45568]
Virtual Router Manager.lnk - c:\windows\Installer\{8DB05F7E-1F7A-4CC0-882F-375B97F04CD4}\_E6D9769DD20AF384865041.exe [2011-7-18 22486]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SolutoService]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
R3 Andbus;LGE Android Platform Composite USB Device;c:\windows\system32\DRIVERS\lgandbus64.sys [x]
R3 AndDiag;LGE Android Platform USB Serial Port;c:\windows\system32\DRIVERS\lganddiag64.sys [x]
R3 AndGps;LGE Android Platform USB GPS NMEA Port;c:\windows\system32\DRIVERS\lgandgps64.sys [x]
R3 ANDModem;LGE Android Platform USB Modem;c:\windows\system32\DRIVERS\lgandmodem64.sys [x]
R3 androidusb;ADB Interface Driver;c:\windows\system32\Drivers\lgandadb.sys [x]
R3 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 clwvd;HP Webcam Splitter;c:\windows\system32\DRIVERS\clwvd.sys [x]
R3 connctfy;Connectify Service;c:\windows\system32\DRIVERS\connctfy.sys [x]
R3 connctfyMP;connctfyMP;c:\windows\system32\DRIVERS\connctfy.sys [x]
R3 dump_wmimmc;dump_wmimmc;c:\ijji\ENGLISH\AVA\Binaries\GameGuard\dump_wmimmc.sys [x]
R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]
R3 GenericMount;Generic Mount Driver;c:\windows\system32\DRIVERS\GenericMount.sys [x]
R3 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-26 136176]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-26 136176]
R3 hidkmdf;Microsoft HID Class Shim for KMDF;c:\windows\system32\DRIVERS\hidkmdf.sys [x]
R3 libusb0;LibUsb-Win32 - Kernel Driver 03/20/2007, 0.1.12.1;c:\windows\system32\DRIVERS\libusb0.sys [2009-03-19 32808]
R3 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\Common Files\Nitro PDF\Professional\6.0\NitroPDFDriverServicex64.exe [2011-01-31 341312]
R3 NW1950;NextWindow 1950 Touch Screen;c:\windows\system32\DRIVERS\NW1950.sys [x]
R3 pnetmdm;PdaNet Modem;c:\windows\system32\DRIVERS\pnetmdm64.sys [x]
R3 PSVolAcc;PSVolAcc; [x]
R3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\DRIVERS\teamviewervpn.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2009-10-01 2320920]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [x]
R3 X6va005;X6va005;c:\users\KENNYD~1\AppData\Local\Temp\0051D0C.tmp [x]
R4 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.EXE [2009-11-17 98208]
R4 CinemaNow Service;CinemaNow Service;c:\program files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe [2010-06-13 400368]
R4 nlsX86cc;NLS Service;c:\windows\SysWOW64\NLSSRV32.EXE [2011-01-31 68928]
R4 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe [2009-10-24 360224]
R4 TeamViewer6;TeamViewer 6;c:\program files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2010-12-07 2228008]
S0 Soluto;Soluto;c:\windows\system32\DRIVERS\Soluto.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S2 SolutoService;Soluto PCGenome Core Service;c:\program files\Soluto\SolutoService.exe [2011-07-07 376352]
S2 Virtual Router;VirtualRouterService;c:\program files (x86)\Virtual Router\VirtualRouterService.exe [2009-11-18 12288]
S2 WinAgentsTftpService4;WinAgents TFTP Service 4;c:\program files (x86)\Common Files\WinAgents\TftpService.exe [2011-04-02 111376]
S3 ACPIService;Buttons and OSDs ACPI driver gen2;c:\windows\system32\DRIVERS\OSDACPI.SYS [x]
S3 AVerAVF2;AVerAVF2;c:\windows\system32\DRIVERS\AVerAVF2.sys [x]
S3 FintekCIR;Fintek eHome Transceiver;c:\windows\system32\DRIVERS\FintekCIR.sys [x]
S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
S3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-06 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2503263900-158799546-2591639019-1000Core.job
- c:\users\Kenny Diep\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-16 02:10]
.
2012-01-06 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2503263900-158799546-2591639019-1000UA.job
- c:\users\Kenny Diep\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-16 02:10]
.
2011-10-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-26 01:08]
.
2012-01-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-26 01:08]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-10-16 415256]
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uLocal Page = %SystemRoot%\system32\blank.htm
mLocal Page = %SystemRoot%\system32\blank.htm
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath -
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
AddRemove-Android Screencast - c:\windows\system32\javaws.exe
AddRemove-GCalc 3 - c:\windows\system32\javaws.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\X6va005]
"ImagePath"="\??\c:\users\KENNYD~1\AppData\Local\Temp\0051D0C.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"=hex:51,66,7a,6c,4c,1d,38,12,5c,be,8a,
eb,c9,8f,bc,54,f6,39,43,d0,22,43,0b,9c
"{8E5E2654-AD2D-48BF-AC2D-D17F00898D06}"=hex:51,66,7a,6c,4c,1d,38,12,3a,25,4d,
8a,1f,e3,d1,0d,d3,3b,92,3f,05,d7,c9,12
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=hex:51,66,7a,6c,4c,1d,38,12,11,7f,11,
d0,78,5b,08,05,de,bb,01,03,dd,4c,30,54
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"=hex:51,66,7a,6c,4c,1d,38,12,df,c1,0b,
27,57,07,ba,54,e4,0e,43,d0,22,fb,89,5b
"{02478D38-C3F9-4EFB-9B51-7695ECA05670}"=hex:51,66,7a,6c,4c,1d,38,12,56,8e,54,
06,cb,8d,95,0b,e4,47,35,d5,e9,fe,12,64
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{AA58ED58-01DD-4D91-8333-CF10577473F7}"=hex:51,66,7a,6c,4c,1d,38,12,36,ee,4b,
ae,ef,4f,ff,08,fc,25,8c,50,52,2a,37,e3
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}"=hex:51,66,7a,6c,4c,1d,38,12,70,05,61,
f9,ec,d1,23,0d,da,9c,48,eb,44,0f,8e,cc
"{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}"=hex:51,66,7a,6c,4c,1d,38,12,cf,4e,be,
f9,90,2f,b6,0a,e3,01,c5,b7,a9,7a,14,95
"{FF2573AE-E1ED-40E1-83BA-F544CB2EE135}"=hex:51,66,7a,6c,4c,1d,38,12,c0,70,36,
fb,df,af,8f,05,fc,ac,b6,04,ce,70,a5,21
"{167D9323-F7CC-48F5-948A-6F012831A69F}"=hex:51,66,7a,6c,4c,1d,38,12,4d,90,6e,
12,fe,b9,9b,0d,eb,9c,2c,41,2d,6f,e2,8b
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:d0,a2,34,31,0f,bc,cc,01
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d7,a2,6e,12,56,62,af,41,94,d5,0c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d7,a2,6e,12,56,62,af,41,94,d5,0c,\
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10r_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10r_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10r.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10r.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10r.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10r.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="REMOVED"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
.
**************************************************************************
.
Completion time: 2012-01-06 15:25:15 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-06 20:25
ComboFix2.txt 2011-12-24 17:13
ComboFix3.txt 2011-12-23 00:49
.
Pre-Run: 764,160,598,016 bytes free
Post-Run: 763,920,113,664 bytes free
.
- - End Of File - - CBD94AD66420F20BA4D8DF55AFFEBCBE



Re: Win 7 Antivirus 2012 Remnants

Post by roadran322 on Tue Jan 10, 2012 3:06 am

Looks like that file is back? "JgAbkOoX.com_"



Re: Win 7 Antivirus 2012 Remnants

Post by Belahzur on Fri Jan 13, 2012 1:17 am

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download [You must be registered and logged in to see this link.] and save it to your desktop. DO NOT perform a scan yet.
[You must be registered and logged in to see this link.]
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "[You must be registered and logged in to see this link.]" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:

  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the anti-virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders.)
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured.)

  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click File and choose Save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web CureIt when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Win 7 Antivirus 2012 Remnants

Post by roadran322 on Fri Jan 13, 2012 9:55 pm

JgAbkOoX.com_;C:\Windows\SysWOW64;Trojan.Siggen3.33825;Deleted.;
GetAd[1].js\JSFile_1[0][7d9];C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KBBFI3ZB\GetAd[1];Probably SCRIPT.Virus;;
GetAd[1].js;C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KBBFI3ZB;Container contains infected objects;Moved.;
GetAd[1].js;C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KBBFI3ZB;Probably SCRIPT.Virus;Invalid path to file ;
consrv.dll.vir;C:\Qoobox\Quarantine\C\Windows\System32;BackDoor.Maxplus.90;Cured.;
Desktop.ini;C:\Windows\assembly\GAC_32;BackDoor.Maxplus.90;Deleted.;
Desktop.ini;C:\Windows\assembly\GAC_64;BackDoor.Maxplus.90;Deleted.;
mua la me bay live.au;F:\desktop;Trojan.WMALoader;Cured.;
mua la me bay.au;F:\desktop;Trojan.WMALoader;Cured.;
thuy tien 320k bitrate quality.snd;F:\desktop;Trojan.WMALoader;Cured.;
thuy tien [256k quality].mp3;F:\desktop;Trojan.WMALoader;Cured.;
thuy tien [new single].au;F:\desktop;Trojan.WMALoader;Cured.;
vuong nhat huy live at vegas.snd;F:\desktop;Trojan.WMALoader;Cured.;



Re: Win 7 Antivirus 2012 Remnants

Post by roadran322 on Wed Jan 25, 2012 1:45 am

Am I for the all clear? It's really irking me, it's been ELEVEN days.



Re: Win 7 Antivirus 2012 Remnants

Post by Belahzur on Wed Jan 25, 2012 6:31 pm

Any difference now? I think Dr.Web might have got it.



Re: Win 7 Antivirus 2012 Remnants

Post by roadran322 on Wed Jan 25, 2012 6:54 pm

THANK YOU! I think I am good...



Re: Win 7 Antivirus 2012 Remnants

Post by Belahzur on Fri Jan 27, 2012 8:19 pm

It was probably those infected music files triggering it.

