

Infection Suspected - Pls Assist!

This is a discussion on Infection Suspected - Pls Assist! within the Virus/Trojan/Spyware Help forums, part of the Tech Support Forum category.


Old 11-18-2015, 12:18 AM   #1
Registered Member
 
Join Date: Jan 2007
Posts: 119
OS: XP Pro SP3 | W7 Pro | OSX 10.9.3



Hi,

I suspect my desktop is infected.
1) The 'My Computer' view has changed from the default.
2) When USB drives are used with this system, a folder with the drive's name is being created on its own, containing the drive's contents.
3) Constant data usage even when the system is idle.

Following is the DDS.txt log for review:

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 11.40.2
Run by parry at 13:35:33 on 2015-11-18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2813.1890 [GMT 5.5:30]
.
AV: AVG AntiVirus Free Edition 2015 *Enabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ================
.
C:\Program Files\AVG Web TuneUp\WtuSystemSupport.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ASTSRV.EXE
C:\Program Files\BUFFALO\Backup_Utility\BUService.exe
C:\Program Files\BUFFALO\Backup_Utility\BUVSSServiceXP.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
C:\Program Files\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe
C:\WINDOWS\system32\FsUsbExService.Exe
C:\Documents and Settings\All Users\Application Data\DatacardService\HWDeviceService.exe
C:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\Photon Plus\Huawei\OnlineUpdate\ouc.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\18.8.0\ToolbarUpdater.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\18.8.0\loggingserver.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\FileServe Manager\FSStarter.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Samsung\Kies\KiesTrayAgent.exe
C:\Program Files\AVG Web TuneUp\vprot.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Samsung\Kies\Kies.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Common Files\LogiShrd\sp6\LU1\LULnchr.exe
C:\Program Files\Common Files\LogiShrd\sp6\LU1\LogitechUpdate.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\agent.exe
C:\Program Files\AVG Web TuneUp\avgcefrend.exe
C:\Program Files\AVG\AVG2015\avgmfapx.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\parry\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\parry\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://mysearch.avg.com/?cid={65BFE316-060B-49E2-BD52-66627FAB4F9B}&mid=30638dd225ac47d28498cd2623c57881-a8cba8d0c701d27e3be6f0bc99fd599f19c07dbb&lang=en&ds=AVG&coid=avgtbavg&cmpid=0715tb&pr=fr&d=2014-11-08 13:55:47&v=4.1.4.948&pid=wtu&sg=&sap=hp
uURLSearchHooks: SearchHook Class: {BC86E1AB-EDA5-4059-938F-CE307B0C6F0A} -
BHO: FileServeManager: {00000001-AB3B-4334-9DA2-EC6B2A02AFC6} - c:\program files\fileserve manager\FileServeBHO.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.8.0_40\bin\ssv.dll
BHO: {95B7759C-8C7F-4BF1-B163-73684A933233} - <orphaned>
BHO: SpeedBit Link Verification Helper: {D5974A72-C81C-4DC3-BE77-A8A7BBC8864E} - c:\program files\dap\LinkVerifier.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre1.8.0_40\bin\jp2ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\parry\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [KiesPreload] c:\program files\samsung\kies\Kies.exe /preload
uRun: [KiesAirMessage] c:\program files\samsung\kies\KiesAirMessage.exe -startup
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Samsung PanelMgr] c:\windows\samsung\panelmgr\SSMMgr.exe /autorun
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [FileServe Manager Task] "c:\program files\fileserve manager\FSStarter.exe"
mRun: [NPSStartup] <no file>
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\dhruvc~1\startm~1\programs\startup\h.lnk - c:\documents and settings\parry\application data\obckpnucef.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\epsons~1.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV04.EXE
uPolicies-Explorer: NoDriveTypeAutoRun = dword:181
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: &Clean Traces - c:\program files\dap\privacy package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\dap\dapextie.htm
IE: &Verify with DAP - c:\program files\dap\dapverify.htm
IE: Download &all with DAP - c:\program files\dap\dapextie2.htm
IE: Download with FileServe Manager - c:\program files\fileserve manager\GetUrl.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{08906AF8-B224-4939-89E4-F192D7F30DA4} : NameServer = 202.56.215.55,202.56.215.54
TCP: Interfaces\{08906AF8-B224-4939-89E4-F192D7F30DA4} : DHCPNameServer = 192.168.1.1 192.168.1.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\18.3.0\ViProtocol.dll
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\program files\dap\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\program files\dap\dapie.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\parry\application data\mozilla\firefox\profiles\mlhlmq22.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - chrome://speeddial/content/speeddial.xul
FF - plugin: c:\documents and settings\parry\local settings\application data\google\update\1.3.28.1\npGoogleUpdate3.dll
FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\java\jre1.8.0_40\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre1.8.0_40\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_17_0_0_169.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2014-5-13 190944]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2014-5-13 290272]
R0 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2014-5-13 170464]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2014-5-13 35808]
R0 BFRD4G;BUFFALO RAM Disk Driver;c:\windows\system32\drivers\BFRD4G.sys [2011-4-19 36344]
R0 bftpdskc;BUFFALO TurboPC Cache Filter;c:\windows\system32\drivers\bftpdskc.sys [2012-7-29 41472]
R1 AppleCharger;AppleCharger;c:\windows\system32\drivers\AppleCharger.sys [2010-10-21 19496]
R1 Avgdiskx;AVG Disk Driver;c:\windows\system32\drivers\avgdiskx.sys [2014-5-13 132576]
R1 AVGIDSDriverl;AVGIDSDriverl;c:\windows\system32\drivers\avgidsdriverlx.sys [2014-6-17 217008]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2014-5-13 29664]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2014-5-13 207328]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2014-5-13 213984]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-13 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2013-10-11 120088]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2015\avgidsagent.exe [2015-7-7 3518376]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2015\avgwdsvc.exe [2015-7-7 314304]
R2 BFBackupUtilityService;Backup Utility Service;c:\program files\buffalo\backup_utility\buservice.exe -service_execute --> c:\program files\buffalo\backup_utility\BUService.exe -Service_Execute [?]
R2 BFBackupUtilityVSSService;Backup Utility VSS Service for Windows XP;c:\program files\buffalo\backup_utility\buvssservicexp.exe -service_execute --> c:\program files\buffalo\backup_utility\BUVSSServiceXP.exe -Service_Execute [?]
R2 ES lite Service;ES lite Service for program management.;c:\program files\gigabyte\easysaver\essvr.exe [2010-10-21 68136]
R2 FoxitCloudUpdateService;Foxit Cloud Safe Update Service;c:\program files\foxit software\foxit reader\foxit cloud\FCUpdateService.exe [2014-3-7 244392]
R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2012-3-1 238952]
R2 HWDeviceService.exe;HWDeviceService.exe;c:\documents and settings\all users\application data\datacardservice\HWDeviceService.exe [2011-3-14 271712]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2010-10-22 10136]
R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\nitro pdf\professional\NitroPDFDriverService.exe [2009-9-15 188736]
R2 Sentry;Sentry;c:\windows\system32\sentry.sys [2013-3-28 9180]
R2 vToolbarUpdater18.8.0;vToolbarUpdater18.8.0;c:\program files\common files\avg secure search\vtoolbarupdater\18.8.0\ToolbarUpdater.exe [2015-7-28 1874320]
R2 WtuSystemSupport;WtuSystemSupport;c:\program files\avg web tuneup\WtuSystemSupport.exe [2015-2-26 1195920]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\drivers\dc3d.sys [2010-10-23 45288]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2012-3-1 36608]
R3 huawei_enumerator;huawei_enumerator;c:\windows\system32\drivers\ew_jubusenum.sys [2013-9-3 76544]
R3 PciPPorts;PCI ECP Parallel Port;c:\windows\system32\drivers\PciPPorts.sys [2010-10-28 82432]
R3 PciSPorts;High-Speed PCI Serial Port;c:\windows\system32\drivers\PciSPorts.sys [2010-10-28 119808]
R3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [2010-10-21 30392]
S2 Photon Plus. RunOuc;Photon Plus. OUC;c:\program files\photon plus\huawei\updatedog\ouc.exe [2013-9-3 655712]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-10-23 172192]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-10-21 1691480]
S3 AppleChargerSrv;AppleChargerSrv;system32\AppleChargerSrv.exe --> system32\AppleChargerSrv.exe [?]
S3 bftpusbx;BUFFALO TurboPC USB Filter;c:\windows\system32\drivers\bftpusbx.sys [2012-7-29 11776]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2010-12-17 13192]
S3 etdrv;etdrv;c:\windows\etdrv.sys [2010-10-21 17488]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2010-12-17 8456]
S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\drivers\ew_hwusbdev.sys [2013-9-3 102784]
S3 GVTDrv;GVTDrv;c:\windows\system32\drivers\GVTDrv.sys [2010-10-21 24944]
S3 Samsung UPD Service2;Samsung UPD Service2;c:\windows\system32\SUPDSvc2.exe [2013-2-9 129536]
.
=============== File Associations ===============
.
ShellExec: Foxit Reader.exe: print="c:\program files\foxit software\foxit reader\Foxit Reader.exe"/p "%1"
ShellExec: Foxit Reader.exe: printto="c:\program files\foxit software\foxit reader\Foxit Reader.exe"/t "%1" "%2" "%3" "%4"
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2015-11-18 07:51:55 17488 ----a-w- c:\windows\gdrv.sys
.
============= FINISH: 13:36:24.77 ===============
Attached file: attach.txt (17.2 KB)
parry is offline  
Old 11-19-2015, 12:43 AM   #2



Got this detection by AVG today.
Attached thumbnail: AVG Detection 19.11.2015.jpg
parry is offline  
Old 11-22-2015, 03:29 PM   #3
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello and Welcome to TSF.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Scan
  • Once the Scan is done, select Cleaning
  • Once done it will ask to reboot, please allow the reboot.
  • On reboot, a log will be produced. It can also be found at C:\AdwCleaner\AdwCleaner[C#].txt
  • Please copy/paste the contents of the log in your next reply.
------------------------------------------------------

Please go to: VirusTotal
  • Click the Choose File button.
  • Please copy/paste the following bolded text into the 'File name:' box:

    c:\documents and settings\parry\application data\obckpnucef.exe

  • Click Open then click the Scan it! button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File already analysed: click Reanalyse
  • Once scanned, copy and paste the URL from your browser address bar in your next reply.
------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
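As an added example, not part of the original thread and not chemist's or the forum's own tooling: a small Python script that does the triage chemist did by hand on the DDS "Pseudo HJT Report" in post #1. It parses the uRun/mRun/dRun, StartupFolder and NoDriveTypeAutoRun lines, flags an autostart whose executable sits directly in a profile data folder (which is how obckpnucef.exe stands out), an orphaned <no file> entry, and a Startup shortcut stored under one profile folder that points into another profile, and it decodes the NoDriveTypeAutoRun bitmask so you can see whether AutoRun is disabled for removable drives (relevant to the USB symptom). The sample lines are constructed from the log posted above; the three flagging rules are my heuristics for an analyst to review, not detection signatures.

```python
import re

# Constructed sample input: autostart and policy lines in the layout DDS uses in its
# "Pseudo HJT Report", taken from the log posted earlier in this thread.
SAMPLE_DDS = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\parry\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [NPSStartup] <no file>
StartupFolder: c:\docume~1\dhruvc~1\startm~1\programs\startup\h.lnk - c:\documents and settings\parry\application data\obckpnucef.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\epsons~1.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV04.EXE
uPolicies-Explorer: NoDriveTypeAutoRun = dword:181
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
"""

RUN_RE = re.compile(r"^(?P<scope>[umd])Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^StartupFolder: (?P<lnk>.+?) - (?P<target>.+)$")
AUTORUN_RE = re.compile(r"^(?P<scope>[um])Policies-Explorer: NoDriveTypeAutoRun = dword:(?P<hex>[0-9a-fA-F]+)$")
PROFILE_RE = re.compile(r"\\(?:docume~1|documents and settings)\\([^\\]+)\\", re.I)
SCOPE = {"u": "user", "m": "machine", "d": "default"}

# Documented NoDriveTypeAutoRun bits: a set bit disables AutoRun for that drive type.
AUTORUN_BITS = {0x01: "unknown", 0x04: "removable", 0x08: "fixed", 0x10: "network",
                0x20: "cdrom", 0x40: "ramdisk", 0x80: "reserved"}
# Heuristic (mine): legitimate software installs into a vendor subfolder; a lone
# executable sitting directly in one of these folders deserves a look.
DATA_ROOTS = {"application data", "local settings", "temp"}


def executable_from_command(cmd):
    """Pull the executable path out of a Run value, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd == "<no file>":
        return None
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def profile_of(path):
    m = PROFILE_RE.search(path)
    return m.group(1).lower() if m else None


def same_profile(a, b):
    # 8.3 short names such as "dhruvc~1" are compared on the part before "~"
    a, b = a.split("~")[0], b.split("~")[0]
    return a.startswith(b) or b.startswith(a)


def in_data_root(path):
    parts = path.lower().split("\\")
    return len(parts) >= 2 and parts[-2] in DATA_ROOTS


def decode_autorun(mask):
    """Drive types for which AutoRun is disabled by a NoDriveTypeAutoRun mask."""
    return {name for bit, name in AUTORUN_BITS.items() if mask & bit}


def parse_dds(text):
    autostarts, autorun = [], {}
    for line in text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            autostarts.append({"source": SCOPE[m.group("scope")] + " Run", "name": m.group("name"),
                               "path": executable_from_command(m.group("cmd")), "lnk": None})
            continue
        m = STARTUP_RE.match(line)
        if m:
            autostarts.append({"source": "StartupFolder", "name": m.group("lnk").rsplit("\\", 1)[-1],
                               "path": m.group("target").strip(), "lnk": m.group("lnk")})
            continue
        m = AUTORUN_RE.match(line)
        if m:
            autorun[SCOPE[m.group("scope")]] = int(m.group("hex"), 16)
    return {"autostarts": autostarts, "autorun": autorun}


def find_suspicious(parsed):
    findings = []
    for entry in parsed["autostarts"]:
        reasons, path = [], entry["path"]
        if path is None:
            reasons.append("orphaned entry (<no file>): payload gone, the key should still be removed")
        else:
            if in_data_root(path):
                reasons.append("executable sits directly in a profile data folder, no vendor subfolder")
            if entry["lnk"]:
                lp, tp = profile_of(entry["lnk"]), profile_of(path)
                if lp and tp and not same_profile(lp, tp):
                    reasons.append("Startup shortcut in profile %r targets profile %r" % (lp, tp))
        if reasons:
            findings.append({"source": entry["source"], "name": entry["name"], "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    parsed = parse_dds(SAMPLE_DDS)
    for scope, mask in parsed["autorun"].items():
        print("%s NoDriveTypeAutoRun=0x%x disables AutoRun for: %s" % (scope, mask, sorted(decode_autorun(mask))))
    for f in find_suspicious(parsed):
        print("%s [%s] %s" % (f["source"], f["name"], f["path"]))
        for r in f["reasons"]:
            print("    - " + r)
```

On the sample this reports two entries: the orphaned NPSStartup value and obckpnucef.exe, the latter flagged twice, for its location and because h.lnk lives under the dhruvc~1 profile folder while its target is in parry's profile. For the AutoRun policy, the user-level mask 0x181 has the 0x04 bit clear, so it does not disable AutoRun for removable drives, whereas the machine-level 0x145 does; 0xFF disables AutoRun for every drive type. A flagged entry is a candidate for the hash check chemist asks for, not a verdict.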
Old 11-24-2015, 12:20 AM   #4



Thanks, chemist, for reviewing my logs/case.

1) As required, the AdwCleaner report:

# AdwCleaner v5.022 - Logfile created 24/11/2015 at 13:30:57
# Updated 22/11/2015 by Xplode
# Database : 2015-11-22.2 [Server]
# Operating system : Microsoft Windows XP Service Pack 3 (x86)
# Username : parry - OFFICEDESKTOP
# Running from : C:\Documents and Settings\parry\Desktop\AdwCleaner_5.022.exe
# Option : Cleaning
# Support : Forum - ToolsLib

***** [ Services ] *****

[-] Service Deleted : vToolbarUpdater40.1.8

***** [ Folders ] *****

[-] Folder Deleted : C:\Documents and Settings\All Users\Application Data\AVG Secure Search
[-] Folder Deleted : C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[-] Folder Deleted : C:\Documents and Settings\All Users\Application Data\Speedbit
[-] Folder Deleted : C:\Documents and Settings\All Users\Application Data\Avg_Update_0215tb
[-] Folder Deleted : C:\Documents and Settings\parry\Application Data\Mozilla\Firefox\Profiles\mlhlmq22.default\Extensions\[email protected]
[-] Folder Deleted : C:\Documents and Settings\parry\Local Settings\Application Data\Speedbit
[-] Folder Deleted : C:\Documents and Settings\parry\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\dgpdioedihjhncjafcpgbbjdpbbkikmi
[-] Folder Deleted : C:\Documents and Settings\parry\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ffdcfjdljhbehggjdkdioajnknjcpbjb
[!] Folder Not Deleted : C:\Documents and Settings\parry\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ffdcfjdljhbehggjdkdioajnknjcpbjb
[-] Folder Deleted : C:\Program Files\DAP
[-] Folder Deleted : C:\Program Files\Common Files\AVG Secure Search
[-] Folder Deleted : C:\Program Files\Common Files\Speedbit

***** [ Files ] *****

[-] File Deleted : C:\Documents and Settings\parry\Application Data\Mozilla\Firefox\Profiles\mlhlmq22.default\searchplugins\avg-secure-search.xml
[-] File Deleted : C:\Documents and Settings\parry\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\chrome-extension_dgpdioedihjhncjafcpgbbjdpbbkikmi_0.localstorage
[-] File Deleted : C:\Documents and Settings\parry\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\chrome-extension_dgpdioedihjhncjafcpgbbjdpbbkikmi_0.localstorage-journal
[-] File Deleted : C:\Program Files\Mozilla Firefox\browser\searchplugins\wtu-secure-search.xml

***** [ DLLs ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
[-] Key Deleted : HKLM\SOFTWARE\Classes\protocols\handler\viprotocol
[-] Key Deleted : HKLM\SOFTWARE\Classes\S
[-] Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
[-] Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
[-] Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
[-] Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]
[-] Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
[-] Key Deleted : HKLM\SOFTWARE\Google\Chrome\NativeMessagingHosts\avgsh
[-] Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [[email protected]]
[-] Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\ffdcfjdljhbehggjdkdioajnknjcpbjb
[!] Key Not Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\ffdcfjdljhbehggjdkdioajnknjcpbjb
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{61AB12E1-A5FF-11D1-B2E9-444553540000}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{82351441-9094-11D1-A24B-00A0C932C7DF}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CA3A5461-96B5-46DD-9341-5350D3C94615}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03C0AC00-86DE-4B55-81BA-2E7CD61C51B1}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{82351433-9094-11D1-A24B-00A0C932C7DF}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
[-] Key Deleted : HKCU\Software\SpeedBit
[-] Key Deleted : HKCU\Software\Avg Secure Update
[-] Key Deleted : HKLM\SOFTWARE\SpeedBit
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00B2-0409-0000-0000000FF1CE}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{90120000-00B2-0409-0000-0000000FF1CE}
[-] Key Deleted : HKU\.DEFAULT\Software\Avg Secure Update
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}

***** [ Web browsers ] *****

[-] [C:\Documents and Settings\parry\Application Data\Mozilla\Firefox\Profiles\mlhlmq22.default\prefs.js] [Preference] Deleted : user_pref("browser.search.selectedEngine", "AVG Secure Search");
[-] [C:\Documents and Settings\parry\Local Settings\Application Data\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : dgpdioedihjhncjafcpgbbjdpbbkikmi
[-] [C:\Documents and Settings\parry\Local Settings\Application Data\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : ffdcfjdljhbehggjdkdioajnknjcpbjb
[-] [C:\Documents and Settings\parry\Local Settings\Application Data\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : ffdcfjdljhbehggjdkdioajnknjcpbjb

*************************

:: "Tracing" keys removed
:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C2].txt - [7046 bytes] ##########


2) On 20 Nov 2015, I again got a prompt from AVG and selected the option 'Protect Me'.
Hence, I guess the file was quarantined.
Here's the link obtained by clicking More Info in the Virus Vault. Hope it helps.

https://www.avgthreatlabs.com/ww-en/v...=RS&PRTYPE=AVF
parry is offline  
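Added example, not from the thread and not part of AdwCleaner: a check to run over a cleaning log like the one above. The thing worth pulling out of a log this long is what was NOT removed. Here both the Chrome extension folder and the HKLM\SOFTWARE\Google\Chrome\Extensions key for ffdcfjdljhbehggjdkdioajnknjcpbjb show [!] Not Deleted; that registry location is the one Chrome reads at launch to install "external" extensions, so a leftover key there can bring the extension back after its folder is gone. The script parses the section headers and [-]/[!] lines, counts results per section, lists the leftovers, and correlates them by Chrome extension ID. The sample log is a shortened, constructed version of the one posted above.

```python
import re
from collections import defaultdict

# Constructed sample: a shortened AdwCleaner cleaning log in the same format as the
# one posted above (same paths and extension ID, fewer entries).
SAMPLE_LOG = r"""
# AdwCleaner v5.022 - Logfile created 24/11/2015 at 13:30:57
# Option : Cleaning

***** [ Services ] *****

[-] Service Deleted : vToolbarUpdater40.1.8

***** [ Folders ] *****

[-] Folder Deleted : C:\Program Files\DAP
[-] Folder Deleted : C:\Documents and Settings\parry\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ffdcfjdljhbehggjdkdioajnknjcpbjb
[!] Folder Not Deleted : C:\Documents and Settings\parry\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ffdcfjdljhbehggjdkdioajnknjcpbjb

***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\ffdcfjdljhbehggjdkdioajnknjcpbjb
[!] Key Not Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\ffdcfjdljhbehggjdkdioajnknjcpbjb
[-] Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]

***** [ Web browsers ] *****

[-] [C:\Documents and Settings\parry\Local Settings\Application Data\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : ffdcfjdljhbehggjdkdioajnknjcpbjb
"""

SECTION_RE = re.compile(r"^\*{5} \[ (?P<section>.+?) \] \*{5}$")
# "[-] Folder Deleted : X", "[!] Key Not Deleted : X", "[-] [file] [Extension] Deleted : X"
ENTRY_RE = re.compile(r"^\[(?P<status>[-!])\] (?P<what>.+?) (?P<action>Not Deleted|Deleted) : (?P<item>.+)$")
# Chrome extension IDs are 32 characters drawn from the letters a..p
CHROME_ID_RE = re.compile(r"\b[a-p]{32}\b")


def parse_adwcleaner(text):
    """Return one dict per [-]/[!] line: section, removed (bool), what, item."""
    section, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            entries.append({"section": section, "removed": m.group("status") == "-",
                            "what": m.group("what"), "item": m.group("item")})
    return entries


def summarize(text):
    """Per-section counts of removed and not-removed items."""
    counts = defaultdict(lambda: {"deleted": 0, "not_deleted": 0})
    for e in parse_adwcleaner(text):
        counts[e["section"]]["deleted" if e["removed"] else "not_deleted"] += 1
    return dict(counts)


def leftovers(text):
    """Items AdwCleaner reported as Not Deleted: these need manual follow-up."""
    return [e for e in parse_adwcleaner(text) if not e["removed"]]


def unresolved_extensions(text):
    """Chrome extension IDs that still have at least one item the tool could not remove."""
    ids = set()
    for e in leftovers(text):
        ids.update(CHROME_ID_RE.findall(e["item"]))
    return ids


if __name__ == "__main__":
    for section, c in summarize(SAMPLE_LOG).items():
        print("%-14s deleted=%d not_deleted=%d" % (section, c["deleted"], c["not_deleted"]))
    for e in leftovers(SAMPLE_LOG):
        print("LEFTOVER [%s] %s: %s" % (e["section"], e["what"], e["item"]))
    print("extensions to re-check after reboot:", sorted(unresolved_extensions(SAMPLE_LOG)))
```

On the sample the leftovers are the extension folder and the HKLM\SOFTWARE\Google\Chrome\Extensions key, both tied to the same ID, so the follow-up is to confirm after the reboot that neither the key nor the folder is back, rather than trusting the "Deleted" lines for the same ID elsewhere in the log.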
Old 11-24-2015, 12:54 PM   #5



Hello parry. You're very welcome.

One or more of the identified infections is a backdoor trojan/rootkit.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please refer to Microsoft's Online Safety article for tips on creating a strong password.

Do not change passwords or do any transactions from the infected computer until it has been cleaned.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

If there are any personal files, pics, etc. on your computer you cannot live without, back them up now just as a precaution.

Emergency Backup Procedure - Tech Support Forum

------------------------------------------------------

Please download ComboFix and Save it to your Desktop.

**Note: It is important that it is saved directly to your desktop**

Disable all antivirus and antispyware programs. Get help here

Double-click ComboFix.exe and follow the prompts to run it.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  • With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
  • It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Recovery Console is installed, this blue window will appear:


  • Please click Yes to continue scanning for malware.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done.
  • ComboFix may reboot your machine. This is normal.
  • When the tool is finished, it will produce a log for you.

Please post that log, C:\ComboFix.txt, in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------
chemist is offline  
Old 11-25-2015, 11:13 AM   #6



Thanks for the update. Will revert with the ComboFix results by tomorrow noon.

In the meanwhile, could you advise what other precautions I need to take, apart from not using the PC for any financial logins?

I have been using the same machine for documents, accounts, internet browsing, emails and logging in to various online shopping sites.
parry is offline  
Old 11-25-2015, 01:55 PM   #7



You're welcome! The best thing to do is to run ComboFix as soon as possible, and to not resume normal browsing until we give the OK.
chemist is offline  
Old 11-26-2015, 04:42 AM   #8



Today I downloaded and ran ComboFix. It installed the Windows Recovery Console; after the installation I continued with the scan. Scanning took about 10 minutes and completed up to Stage 50.

1) After that, Windows rebooted. On reboot I got the following error message stating that the system has recovered from a serious error. A screenshot is attached as the 1st thumbnail for your reference. The second window is the error report.

2) On closing it, I went to drive C: for the ComboFix log. Instead of the text file for the ComboFix log, there was a ComboFix item with the 'My Computer' icon. Screenshot attached as the 2nd thumbnail.

3) On double-clicking the ComboFix - My Computer icon, it again opened the My Computer window (as it used to look before the infection). Screenshot attached as the 3rd thumbnail.

On clicking drive C:, it again opened the window shown in the 2nd thumbnail.

Kindly advise.
Attached thumbnails: Screenshot - Windows Error 2015.11.26.jpg; Screenshot - Post Combofix Drive C 2015.11.26.jpg; Screenshot - Post Combofix Drive C-01 2015.11.26.jpg

parry is offline  
Old 11-26-2015, 05:55 PM   #9



Run ComboFix again and post the log it produces, C:\ComboFix.txt.
chemist is offline  
Old 11-27-2015, 03:52 AM   #10



Ran Combofix twice, with no luck. Status quo.
parry is offline  
Old 11-27-2015, 12:05 PM   #11



Hello again, parry.

Please download Farbar Recovery Scan Tool and save it to your desktop.
  • Double-click to run it. When the tool opens click Yes to the disclaimer.
  • Make sure the Addition.txt button is ticked.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
------------------------------------------------------
Old 11-28-2015, 01:19 AM   #12
parry

FYI, this problem occurred with the system in the month of August. Due to my travel schedule till Nov 17, I could not sit down to rectify it. The machine was not used during that period. Hence I selected the 90 days option as well while running the Farbar scan.

Farbar Recovery Scan Tool log:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:27-11-2015
Ran by PARRY (administrator) on OFFICEDESKTOP (28-11-2015 13:39:25)
Running from C:\Documents and Settings\PARRY\Desktop
Loaded Profiles: PARRY (Available Profiles: PARRY)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: FRST Tutorial - How to use Farbar Recovery Scan Tool - Malware Removal Guides and Tutorials

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVG Technologies CZ, s.r.o.) C:\PROGRA~1\AVG\AVG2015\avgrsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgcsrvx.exe
() C:\Program Files\AVG Web TuneUp\WtuSystemSupport.exe
(ATI Technologies Inc.) C:\WINDOWS\system32\ati2evxx.exe
(ATI Technologies Inc.) C:\WINDOWS\system32\ati2evxx.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Nalpeiron Ltd.) C:\WINDOWS\system32\ASTSRV.EXE
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgwdsvc.exe
(BUFFALO INC.) C:\Program Files\BUFFALO\Backup_Utility\BUService.exe
(BUFFALO INC.) C:\Program Files\BUFFALO\Backup_Utility\BUVSSServiceXp.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
() C:\Program Files\Gigabyte\EasySaver\essvr.exe
(Teruten) C:\WINDOWS\system32\FsUsbExService.Exe
() C:\Documents and Settings\All Users\Application Data\DatacardService\HWDeviceService.exe
(Nitro PDF Software) C:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgnsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgemcx.exe
() C:\Documents and Settings\All Users\Application Data\Photon Plus\Huawei\OnlineUpdate\ouc.exe
(Microsoft Corporation) C:\WINDOWS\system32\fxssvc.exe
(Realtek Semiconductor Corp.) C:\WINDOWS\RTHDCPL.EXE
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
() C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
(Advanced Micro Devices Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(InstallShield Software Corporation) C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
(FileServe Limited) C:\Program Files\FileServe Manager\FSStarter.exe
(Microsoft Corporation) C:\Program Files\Microsoft IntelliPoint\ipoint.exe
(Microsoft Corporation) C:\Program Files\Microsoft IntelliType Pro\itype.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Samsung Electronics Co., Ltd.) C:\Program Files\Samsung\Kies\KiesTrayAgent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgui.exe
(Logitech, Inc.) C:\Program Files\Logitech\SetPointP\SetPoint.exe
(Microsoft Corporation) C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
(Samsung) C:\Program Files\Samsung\Kies\Kies.exe
(Logitech, Inc.) C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(ATI Technologies Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Google Inc.) C:\Documents and Settings\PARRY\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Documents and Settings\PARRY\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Documents and Settings\PARRY\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Documents and Settings\PARRY\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Documents and Settings\PARRY\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Documents and Settings\PARRY\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Documents and Settings\PARRY\Local Settings\Application Data\Google\Chrome\Application\chrome.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [StartCCC] => C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [102400 2010-04-06] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [RTHDCPL] => C:\WINDOWS\RTHDCPL.EXE [19523104 2010-04-06] (Realtek Semiconductor Corp.)
HKLM\...\Run: [GrooveMonitor] => C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [31016 2006-10-27] (Microsoft Corporation)
HKLM\...\Run: [Samsung PanelMgr] => C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe [614400 2009-08-15] ()
HKLM\...\Run: [BluetoothAuthenticationAgent] => rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
HKLM\...\Run: [ISUSPM Startup] => C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [221184 2005-02-17] (InstallShield Software Corporation)
HKLM\...\Run: [ISUSScheduler] => C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [81920 2005-02-17] (InstallShield Software Corporation)
HKLM\...\Run: [FileServe Manager Task] => C:\Program Files\FileServe Manager\FSStarter.exe [955808 2011-11-03] (FileServe Limited)
HKLM\...\Run: [NPSStartup] => [X]
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-02-12] (Apple Inc.)
HKLM\...\Run: [IntelliPoint] => C:\Program Files\Microsoft IntelliPoint\ipoint.exe [1821576 2011-08-01] (Microsoft Corporation)
HKLM\...\Run: [itype] => C:\Program Files\Microsoft IntelliType Pro\itype.exe [1313640 2011-08-10] (Microsoft Corporation)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2014-01-17] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [152392 2014-02-21] (Apple Inc.)
HKLM\...\Run: [KiesTrayAgent] => C:\Program Files\Samsung\Kies\KiesTrayAgent.exe [311616 2014-02-14] (Samsung Electronics Co., Ltd.)
HKLM\...\Run: [AVG_UI] => C:\Program Files\AVG\AVG2015\avgui.exe [3780008 2015-10-30] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [Seagull Drivers] => ssdal_nc.exe startup
HKLM\...\Run: [EvtMgr6] => C:\Program Files\Logitech\SetPointP\SetPoint.exe [2303256 2014-05-20] (Logitech, Inc.)
Winlogon\Notify\AtiExtEvent: C:\WINDOWS\system32\Ati2evxx.dll [2010-04-07] (ATI Technologies Inc.)
Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll [2010-05-06] (Logitech, Inc.)
HKU\S-1-5-21-448539723-1645522239-682003330-1003\...\Run: [Google Update] => C:\Documents and Settings\PARRY\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [144200 2015-11-18] (Google Inc.)
HKU\S-1-5-21-448539723-1645522239-682003330-1003\...\Run: [KiesPreload] => C:\Program Files\Samsung\Kies\Kies.exe [1564992 2014-02-14] (Samsung)
HKU\S-1-5-21-448539723-1645522239-682003330-1003\...\Run: [KiesAirMessage] => C:\Program Files\Samsung\Kies\KiesAirMessage.exe -startup
HKU\S-1-5-21-448539723-1645522239-682003330-1003\...\MountPoints2: {4b881cec-1475-11e3-a635-1c6f65219172} - G:\AutoRun.exe
HKU\S-1-5-21-448539723-1645522239-682003330-1003\...\MountPoints2: {76eb891a-1474-11e3-a634-1c6f65219172} - G:\AutoRun.exe
HKU\S-1-5-21-448539723-1645522239-682003330-1003\...\MountPoints2: {c0ed9e10-19e5-11e3-a63e-1c6f65219172} - G:\AutoRun.exe
ShellExecuteHooks: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [115440 2013-05-08] (SuperAdBlocker.com)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => No File
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check(4).lnk [2010-11-11]
ShortcutTarget: EPSON Status Monitor 3 Environment Check(4).lnk -> C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV04.EXE (SEIKO EPSON CORPORATION)
Startup: C:\Documents and Settings\PARRY\Start Menu\Programs\Startup\h.lnk [2015-08-13]
ShortcutTarget: h.lnk -> C:\Documents and Settings\PARRY\Application Data\obckpnucef.exe (No File)
BootExecute: autocheck autochk * C:\PROGRA~1\AVG\AVG2015\avgrsx.exe /sync /restart

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Winsock: Catalog5 05 C:\Program Files\Bonjour\mdnsNSP.dll [121704 2011-08-30] (Apple Inc.)
Tcpip\..\Interfaces\{08906AF8-B224-4939-89E4-F192D7F30DA4}: [NameServer] 202.56.215.55,202.56.215.54

Internet Explorer:
==================
HKU\S-1-5-21-448539723-1645522239-682003330-1003\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://mysearch.avg.com/?cid={65BFE316-060B-49E2-BD52-66627FAB4F9B}&mid=30638dd225ac47d28498cd2623c57881-a8cba8d0c701d27e3be6f0bc99fd599f19c07dbb&lang=en&ds=AVG&coid=avgtbavg&cmpid=0715tb&pr=fr&d=2014-11-08 13:55:47&v=4.1.4.948&pid=wtu&sg=&sap=hp
HKU\S-1-5-21-448539723-1645522239-682003330-1003\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
URLSearchHook: HKU\S-1-5-21-448539723-1645522239-682003330-1003 - SearchHook Class - {BC86E1AB-EDA5-4059-938F-CE307B0C6F0A} - C:\Program Files\DeviceVM\Browser Configuration Utility\AddressBarSearch.dll No File
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKU\S-1-5-21-448539723-1645522239-682003330-1003 -> DefaultScope {71020E61-27AD-4f25-B989-F59745BF3A38} URL = hxxp://search.yahoo.com/search?p={searchTerms}&fr=chr-devicevm&type=IEBD
SearchScopes: HKU\S-1-5-21-448539723-1645522239-682003330-1003 -> {71020E61-27AD-4f25-B989-F59745BF3A38} URL = hxxp://search.yahoo.com/search?p={searchTerms}&fr=chr-devicevm&type=IEBD
SearchScopes: HKU\S-1-5-21-448539723-1645522239-682003330-1003 -> {AD396C16-3F96-42e7-B287-D00904920782} URL = hxxp://www.google.com/custom?client=pub-3794288947762788&forid=1&channel=1975384696&ie=UTF-8&oe=UTF-8&safe=active&cof=GALT%3A%23008000%3BGL%3A1%3BDIV%3A%23336699%3BVLC%3A663399%3BAH%3Acenter%3BBGC%3AFFFFFF%3BLBGC%3A336699%3BALC%3A0000FF%3BLC%3A0000FF%3BT%3A000000%3BGFNT%3A0000FF%3BGIMP%3A0000FF%3BFORID%3A1&hl=en&q={searchTerms}
BHO: FileServeManager -> {00000001-AB3B-4334-9DA2-EC6B2A02AFC6} -> C:\Program Files\FileServe Manager\FileServeBHO.dll [2011-11-03] (FileServe Limited)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2006-10-27] (Microsoft Corporation)
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_40\bin\ssv.dll [2015-03-05] (Oracle Corporation)
BHO: SpeedBit Link Verification Helper -> {D5974A72-C81C-4DC3-BE77-A8A7BBC8864E} -> C:\Program Files\DAP\LinkVerifier.dll => No File
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_40\bin\jp2ssv.dll [2015-03-05] (Oracle Corporation)
DPF: {17492023-C23A-453E-A040-C7C580BBF700} hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll [2006-10-27] (Microsoft Corporation)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll [2013-02-26] (Skype Technologies)

FireFox:
========
FF ProfilePath: C:\Documents and Settings\PARRY\Application Data\Mozilla\Firefox\Profiles\mlhlmq22.default
FF Homepage: chrome://speeddial/content/speeddial.xul
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_17_0_0_169.dll [2015-04-22] ()
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll [2014-02-20] ()
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2014-04-15] (Foxit Corporation)
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf -> C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2014-04-15] (Foxit Corporation)
FF Plugin: @java.com/DTPlugin,version=11.40.2 -> C:\Program Files\Java\jre1.8.0_40\bin\dtplugin\npDeployJava1.dll [2015-03-05] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.40.2 -> C:\Program Files\Java\jre1.8.0_40\bin\plugin2\npjp2.dll [2015-03-05] (Oracle Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=2.0.7 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2015-02-27] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.2 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2015-02-27] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.3 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2015-02-27] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.2.0 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2015-02-27] (VideoLAN)
FF Plugin HKU\S-1-5-21-448539723-1645522239-682003330-1003: @tools.google.com/Google Update;version=3 -> C:\Documents and Settings\PARRY\Local Settings\Application Data\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-11-18] (Google Inc.)
FF Plugin HKU\S-1-5-21-448539723-1645522239-682003330-1003: @tools.google.com/Google Update;version=9 -> C:\Documents and Settings\PARRY\Local Settings\Application Data\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-11-18] (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\NPOFF12.DLL [2006-10-26] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll [2014-03-07] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll [2014-03-07] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll [2014-03-07] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll [2014-03-07] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll [2014-03-07] (Apple Inc.)
FF Extension: Microsoft .NET Framework Assistant - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2011-10-15] [not signed]
FF Extension: Xmarks - C:\Documents and Settings\PARRY\Application Data\Mozilla\Firefox\Profiles\mlhlmq22.default\extensions\[email protected] [2015-06-02]
FF Extension: Speed Dial - C:\Documents and Settings\PARRY\Application Data\Mozilla\Firefox\Profiles\mlhlmq22.default\extensions\{64161300-e22b-11db-8314-0800200c9a66}.xpi [2015-11-20]
FF Extension: Kempelton - C:\Documents and Settings\PARRY\Application Data\Mozilla\Firefox\Profiles\mlhlmq22.default\Extensions\[email protected] [2010-10-22] [not signed]
FF Extension: WiseStamp Web - C:\Documents and Settings\PARRY\Application Data\Mozilla\Firefox\Profiles\mlhlmq22.default\Extensions\[email protected] [2015-11-20]
FF Extension: Adblock Plus - C:\Documents and Settings\PARRY\Application Data\Mozilla\Firefox\Profiles\mlhlmq22.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2015-11-20]
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} [2015-11-20] [not signed]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF HKLM\...\Firefox\Extensions: [{9F6FB1C9-22DA-4123-A7D4-9E7844B60EE5}] - C:\Program Files\FileServe Manager\FireFox_Extension\{9F6FB1C9-22DA-4123-A7D4-9E7844B60EE5}
FF Extension: FileServe Manager - C:\Program Files\FileServe Manager\FireFox_Extension\{9F6FB1C9-22DA-4123-A7D4-9E7844B60EE5} [2011-01-10] [not signed]
FF HKU\S-1-5-21-448539723-1645522239-682003330-1003\...\Firefox\Extensions: [{F17C1572-C9EC-4e5c-A542-D05CBB5C5A08}] - C:\Program Files\DAP\DAPFireFox => not found
FF HKU\S-1-5-21-448539723-1645522239-682003330-1003\...\SeaMonkey\Extensions: [[email protected]] - C:\Documents and Settings\PARRY\Application Data\IDM\idmmzcc5 => not found
FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\itms.js [2014-02-20]

Chrome:
=======
CHR StartupUrls: Default -> "hxxps://accounts.google.com/ServiceLogin?service=mail&continue=hxxps://mail.google.com/mail/#identifier"
CHR Profile: C:\Documents and Settings\PARRY\Local Settings\Application Data\Google\Chrome\User Data\Default
CHR Extension: (Xmarks Bookmark Sync) - C:\Documents and Settings\PARRY\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ajpgkpeckebdhofmmjfgcjjiiejpodla [2015-03-15]
CHR Extension: (FS Extension) - C:\Documents and Settings\PARRY\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\fpgkjhpjldibdbbppfcabadmpfenkdfe [2014-03-04]
CHR Extension: (AdBlock) - C:\Documents and Settings\PARRY\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2015-11-19]
CHR Extension: (Chrome Web Store Payments) - C:\Documents and Settings\PARRY\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-07-26]
CHR Extension: (WiseStamp - Email Signatures for Gmail) - C:\Documents and Settings\PARRY\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pbcgnkmbeodkmiijjfnliicelkjfcldg [2015-11-24]
CHR HKLM\...\Chrome\Extension: [bodfdknjhecmadheclfjkhhiofeagdbh] - C:\Program Files\DAP\daplinkchecker.crx <not found>
CHR HKLM\...\Chrome\Extension: [fpgkjhpjldibdbbppfcabadmpfenkdfe] - C:\Program Files\FileServe Manager\FSChromeAddOn.crx [2011-11-03]
StartMenuInternet: chrome.exe - C:\Documents and Settings\PARRY\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
StartMenuInternet: Google Chrome - C:\Documents and Settings\PARRY\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [142648 2015-11-24] (SUPERAntiSpyware.com)
S3 AppleChargerSrv; C:\WINDOWS\System32\AppleChargerSrv.exe [31272 2010-04-06] ()
R2 AVGIDSAgent; C:\Program Files\AVG\AVG2015\avgidsagent.exe [3642280 2015-10-30] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files\AVG\AVG2015\avgwdsvc.exe [335656 2015-10-30] (AVG Technologies CZ, s.r.o.)
R2 BFBackupUtilityService; C:\Program Files\BUFFALO\Backup_Utility\BUService.exe [320888 2010-08-20] (BUFFALO INC.)
R2 BFBackupUtilityVSSService; C:\Program Files\BUFFALO\Backup_Utility\BUVSSServiceXP.exe [247160 2010-04-28] (BUFFALO INC.)
R2 ES lite Service; C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE [68136 2009-08-24] ()
R2 HWDeviceService.exe; C:\Documents and Settings\All Users\Application Data\DatacardService\HWDeviceService.exe [271712 2011-03-14] ()
S3 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-04] (Macrovision Corporation) [File not signed]
R2 NitroDriverReadSpool; C:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe [188736 2009-09-15] (Nitro PDF Software)
S2 PEVSystemStart; C:\ComboFix\pev.3XE [256000 2011-06-26] () [File not signed]
S2 Photon Plus. RunOuc; C:\Program Files\Photon Plus\Huawei\UpdateDog\ouc.exe [655712 2013-09-03] ()
S3 Samsung UPD Service2; C:\WINDOWS\system32\SUPDSvc2.exe [129536 2012-04-06] (Samsung Electronics)
R2 WtuSystemSupport; C:\Program Files\AVG Web TuneUp\WtuSystemSupport.exe [1205136 2015-11-20] ()

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 Ambfilt; C:\WINDOWS\System32\drivers\Ambfilt.sys [1691480 2009-11-18] (Creative)
R1 AmdPPM; C:\WINDOWS\System32\DRIVERS\AmdPPM.sys [33792 2007-04-16] (Advanced Micro Devices)
R1 AppleCharger; C:\WINDOWS\System32\DRIVERS\AppleCharger.sys [19496 2010-04-27] ()
R1 Avgdiskx; C:\WINDOWS\System32\DRIVERS\avgdiskx.sys [132576 2015-03-11] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriverl; C:\WINDOWS\System32\DRIVERS\avgidsdriverlx.sys [240048 2015-10-19] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHX; C:\WINDOWS\System32\DRIVERS\avgidshx.sys [222640 2015-08-19] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSShim; C:\WINDOWS\System32\DRIVERS\avgidsshimx.sys [31664 2015-07-23] (AVG Technologies CZ, s.r.o.)
R1 Avgldx86; C:\WINDOWS\System32\DRIVERS\avgldx86.sys [207328 2015-06-16] (AVG Technologies CZ, s.r.o.)
R0 Avglogx; C:\WINDOWS\System32\DRIVERS\avglogx.sys [290272 2015-05-07] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx86; C:\WINDOWS\System32\DRIVERS\avgmfx86.sys [189872 2015-08-04] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\WINDOWS\System32\DRIVERS\avgrkx86.sys [35808 2015-03-20] (AVG Technologies CZ, s.r.o.)
R1 Avgtdix; C:\WINDOWS\System32\DRIVERS\avgtdix.sys [230832 2015-08-04] (AVG Technologies CZ, s.r.o.)
R0 BFRD4G; C:\WINDOWS\System32\DRIVERS\BFRD4G.sys [36344 2010-03-10] (BUFFALO INC.)
R0 bftpdskc; C:\WINDOWS\System32\drivers\bftpdskc.sys [41472 2010-10-15] (BUFFALO INC.) [File not signed]
S3 bftpusbx; C:\WINDOWS\System32\drivers\bftpusbx.sys [11776 2010-09-22] (BUFFALO INC.) [File not signed]
R3 BlueletAudio; C:\WINDOWS\System32\DRIVERS\blueletaudio.sys [34704 2007-05-11] (IVT Corporation.)
R3 BlueletSCOAudio; C:\WINDOWS\System32\DRIVERS\BlueletSCOAudio.sys [27792 2007-03-05] (IVT Corporation.)
S3 BT; C:\WINDOWS\System32\DRIVERS\btnetdrv.sys [18320 2007-03-05] (IVT Corporation.)
S3 Btcsrusb; C:\WINDOWS\System32\Drivers\btcusb.sys [36496 2007-05-09] (IVT Corporation.)
R0 BTHidEnum; C:\WINDOWS\System32\Drivers\vbtenum.sys [20880 2007-03-05] (IVT Corporation.)
R0 BTHidMgr; C:\WINDOWS\System32\Drivers\BTHidMgr.sys [35600 2007-03-05] (IVT Corporation.)
S3 BTNetFilter; C:\Program Files\IVT Corporation\BlueSoleil\Device\Win2k\BTNetFilter.sys [22416 2006-11-21] (IVT Corporation.)
R2 DgiVecp; C:\WINDOWS\system32\Drivers\DgiVecp.sys [38400 2009-06-09] (Samsung Electronics Co., Ltd.) [File not signed]
S3 epmntdrv; C:\WINDOWS\system32\epmntdrv.sys [13192 2010-07-15] () [File not signed]
S3 etdrv; C:\WINDOWS\etdrv.sys [17488 2011-09-23] (Windows (R) 2000 DDK provider)
S3 EuGdiDrv; C:\WINDOWS\system32\EuGdiDrv.sys [8456 2010-07-15] () [File not signed]
R3 FsUsbExDisk; C:\WINDOWS\system32\FsUsbExDisk.SYS [36608 2010-06-14] () [File not signed]
R3 gdrv; C:\WINDOWS\gdrv.sys [17488 2015-11-28] (Windows (R) 2000 DDK provider)
S3 GVTDrv; C:\WINDOWS\system32\Drivers\GVTDrv.sys [24944 2011-10-12] ()
R3 ltmodem5; C:\WINDOWS\System32\DRIVERS\ltmdmnt.sys [606684 2008-04-14] (LT)
S3 LUsbFilt; C:\WINDOWS\System32\Drivers\LUsbFilt.Sys [28624 2010-08-24] (Logitech, Inc.)
S3 Monfilt; C:\WINDOWS\System32\drivers\Monfilt.sys [1395800 2009-11-18] (Creative Technology Ltd.)
R3 PciPPorts; C:\WINDOWS\System32\DRIVERS\PciPPorts.sys [82432 2008-05-22] ()
R3 PciSPorts; C:\WINDOWS\System32\DRIVERS\PciSPorts.sys [119808 2008-05-22] ()
R3 pcouffin; C:\WINDOWS\System32\Drivers\pcouffin.sys [47360 2010-11-27] (VSO Software) [File not signed]
R3 RTHDMIAzAudService; C:\WINDOWS\System32\drivers\RtKHDMI.sys [4078400 2010-01-27] (Realtek Semiconductor Corp.)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-13] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R2 Sentry; C:\WINDOWS\system32\sentry.sys [9180 2001-11-24] (Microsoft Corporation) [File not signed]
R3 VComm; C:\WINDOWS\System32\DRIVERS\VComm.sys [34448 2007-03-05] (IVT Corporation.)
R3 VcommMgr; C:\WINDOWS\System32\Drivers\VcommMgr.sys [44304 2007-03-05] (IVT Corporation.)
S3 catchme; \??\C:\DOCUME~1\DHRUVC~1\LOCALS~1\Temp\catchme.sys [X]
U5 ewusbnet; C:\Windows\System32\Drivers\ewusbnet.sys [245376 2013-09-03] (Huawei Technologies Co., Ltd.)
S4 IntelIde; no ImagePath
S2 SSPORT; \??\C:\WINDOWS\system32\Drivers\SSPORT.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Three Months Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-11-28 13:22 - 2015-11-28 13:31 - 00055599 _____ C:\Documents and Settings\PARRY\Desktop\Addition (30).txt
2015-11-28 13:21 - 2015-11-28 13:39 - 00025321 _____ C:\Documents and Settings\PARRY\Desktop\FRST.txt
2015-11-28 13:21 - 2015-11-28 13:37 - 00032467 _____ C:\Documents and Settings\PARRY\Desktop\FRST (30).txt
2015-11-28 13:19 - 2015-11-28 13:19 - 01719808 _____ (Farbar) C:\Documents and Settings\PARRY\Desktop\FRST.exe
2015-11-27 18:06 - 2015-11-27 18:06 - 00509440 _____ (Tech Support Guy System) C:\Documents and Settings\PARRY\Desktop\SysInfo.exe
2015-11-27 16:49 - 2015-11-27 17:04 - 00000000 ___SD C:\ComboFix
2015-11-26 17:08 - 2015-11-26 17:08 - 00000000 _RSHD C:\cmdcons
2015-11-26 17:08 - 2013-01-22 14:33 - 00000223 _____ C:\Boot.bak
2015-11-26 17:08 - 2004-08-03 23:00 - 00260272 __RSH C:\cmldr
2015-11-26 17:06 - 2015-11-26 17:06 - 00000000 ____D C:\Qoobox
2015-11-26 17:06 - 2011-06-26 12:15 - 00256000 _____ C:\WINDOWS\PEV.exe
2015-11-26 17:06 - 2010-11-07 22:50 - 00208896 _____ C:\WINDOWS\MBR.exe
2015-11-26 17:06 - 2009-04-20 10:26 - 00060416 _____ (NirSoft) C:\WINDOWS\NIRCMD.exe
2015-11-26 17:06 - 2000-08-31 05:30 - 00518144 _____ (SteelWerX) C:\WINDOWS\SWREG.exe
2015-11-26 17:06 - 2000-08-31 05:30 - 00406528 _____ (SteelWerX) C:\WINDOWS\SWSC.exe
2015-11-26 17:06 - 2000-08-31 05:30 - 00212480 _____ (SteelWerX) C:\WINDOWS\SWXCACLS.exe
2015-11-26 17:06 - 2000-08-31 05:30 - 00098816 _____ C:\WINDOWS\sed.exe
2015-11-26 17:06 - 2000-08-31 05:30 - 00080412 _____ C:\WINDOWS\grep.exe
2015-11-26 17:06 - 2000-08-31 05:30 - 00068096 _____ C:\WINDOWS\zip.exe
2015-11-26 17:05 - 2015-11-26 17:05 - 00000000 ____D C:\WINDOWS\erdnt
2015-11-26 17:02 - 2015-11-26 17:03 - 05640282 ____R (Swearware) C:\Documents and Settings\PARRY\Desktop\ComboFix.exe
2015-11-24 13:18 - 2015-11-24 13:21 - 01733632 _____ C:\Documents and Settings\PARRY\Desktop\AdwCleaner_5.022.exe
2015-11-20 13:09 - 2015-11-20 13:10 - 00000000 ____D C:\Program Files\Mozilla Firefox
2015-11-18 13:36 - 2015-11-27 18:18 - 00000000 ____D C:\Documents and Settings\PARRY\Desktop\TSF Nov 2015

==================== Three Months Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-11-28 13:39 - 2010-10-21 14:46 - 00000000 ____D C:\Documents and Settings\PARRY\Local Settings\Temp
2015-11-28 13:38 - 2014-06-14 13:29 - 00000000 ____D C:\FRST
2015-11-28 13:38 - 2010-10-21 19:28 - 00000000 ____D C:\WINDOWS
2015-11-28 13:31 - 2010-10-24 17:02 - 00001006 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-448539723-1645522239-682003330-1003UA.job
2015-11-28 13:31 - 2010-10-24 17:02 - 00000954 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-448539723-1645522239-682003330-1003Core.job
2015-11-28 13:31 - 2010-10-21 14:43 - 00032636 _____ C:\WINDOWS\SchedLgU.Txt
2015-11-28 13:13 - 2014-06-14 13:01 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\MFAData
2015-11-28 13:08 - 2011-01-12 16:29 - 00005278 _____ C:\WINDOWS\ModemLog_Bluetooth DUN Modem.txt
2015-11-28 13:08 - 2011-01-12 16:29 - 00005272 _____ C:\WINDOWS\ModemLog_Bluetooth Fax Modem.txt
2015-11-28 13:08 - 2011-01-12 16:29 - 00003998 _____ C:\WINDOWS\ModemLog_Lucent Win Modem.txt
2015-11-28 13:08 - 2010-10-22 15:47 - 00017488 _____ (Windows (R) 2000 DDK provider) C:\WINDOWS\gdrv.sys
2015-11-28 13:08 - 2008-04-14 17:30 - 00002228 _____ C:\WINDOWS\system32\wpa.dbl
2015-11-28 13:07 - 2010-10-21 14:43 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2015-11-27 18:19 - 2011-08-23 17:22 - 00000000 ____D C:\WINDOWS\Minidump
2015-11-27 18:19 - 2010-10-21 15:33 - 00524288 _____ C:\WINDOWS\system32\config\ACEEvent.evt
2015-11-27 18:19 - 2010-10-21 14:46 - 00000178 ___SH C:\Documents and Settings\PARRY\ntuser.ini
2015-11-27 18:19 - 2010-10-21 14:46 - 00000000 ____D C:\Documents and Settings\PARRY
2015-11-27 16:57 - 2010-10-21 19:28 - 00110592 _____ C:\WINDOWS\DUMPb287.tmp
2015-11-26 17:08 - 2010-10-21 19:35 - 00000339 __RSH C:\boot.ini
2015-11-24 18:34 - 2011-06-21 13:19 - 00000000 ____D C:\Documents and Settings\PARRY\Local Settings\Application Data\Paint.NET
2015-11-24 18:33 - 2010-11-10 17:40 - 00000000 ____D C:\Documents and Settings\PARRY\Application Data\Nitro PDF
2015-11-24 18:23 - 2014-06-13 13:02 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2015-11-24 13:30 - 2014-06-08 13:02 - 00000000 ____D C:\AdwCleaner
2015-11-24 13:11 - 2010-10-21 19:28 - 00000000 ___HD C:\WINDOWS\inf
2015-11-21 14:58 - 2011-10-14 16:12 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\TEMP
2015-11-21 14:52 - 2010-10-26 17:59 - 00000000 ____D C:\Documents and Settings\PARRY\Application Data\PrimoPDF
2015-11-20 17:43 - 2013-08-14 19:04 - 00000000 ____D C:\WINDOWS\system32\MRT
2015-11-20 17:17 - 2012-04-25 14:12 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2015-11-20 15:00 - 2014-11-08 13:55 - 00000000 ____D C:\Program Files\AVG Web TuneUp
2015-11-20 14:37 - 2013-09-19 15:33 - 00002195 _____ C:\Documents and Settings\PARRY\Desktop\BusyWin 12.0.lnk
2015-11-19 18:18 - 2014-10-29 14:53 - 00000702 _____ C:\Documents and Settings\All Users\Desktop\AVG 2015.lnk
2015-11-19 18:18 - 2014-06-14 13:04 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\AVG
2015-11-18 13:43 - 2010-10-24 17:04 - 00002337 _____ C:\Documents and Settings\PARRY\Desktop\Google Chrome.lnk

==================== Files in the root of some directories =======

2012-03-01 17:05 - 2012-03-01 17:05 - 0002528 _____ () C:\Documents and Settings\PARRY\Application Data\$_hpcst$.hpc
2013-03-22 15:35 - 2013-03-22 15:35 - 0000037 ___SH () C:\Documents and Settings\PARRY\Application Data\10952854204d11e2ac1a1d71.14988978
2010-11-27 14:15 - 2010-11-27 14:15 - 0087608 _____ () C:\Documents and Settings\PARRY\Application Data\inst.exe
2010-11-27 14:15 - 2010-11-27 14:15 - 0007887 _____ () C:\Documents and Settings\PARRY\Application Data\pcouffin.cat
2010-11-27 14:15 - 2010-11-27 14:15 - 0001144 _____ () C:\Documents and Settings\PARRY\Application Data\pcouffin.inf
2010-11-27 14:15 - 2010-11-27 14:15 - 0000034 _____ () C:\Documents and Settings\PARRY\Application Data\pcouffin.log
2010-11-27 14:15 - 2010-11-27 14:15 - 0047360 _____ (VSO Software) C:\Documents and Settings\PARRY\Application Data\pcouffin.sys
2010-11-27 14:16 - 2012-04-20 17:07 - 0001176 _____ () C:\Documents and Settings\PARRY\Application Data\vso_ts_preview.xml
2010-10-21 16:15 - 2014-10-01 14:20 - 0246784 _____ () C:\Documents and Settings\PARRY\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End of FRST.txt ============================
Attached file: Addition.txt
Old 11-28-2015, 02:48 PM   #13
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, parry.

I noticed you have AVG Web TuneUp installed.

Please read this and decide if you want to keep it >> AVG Web TuneUp by AVG Technologies - Should I Remove It?

You can uninstall it via Add or Remove Programs in your Control Panel.

If you decide to uninstall it, please delete the following Folders if they still exist:

C:\Program Files\AVG Web TuneUp

------------------------------------------------------

CCleaner

We do not recommend the use of registry cleaners, or the registry cleaner feature of CCleaner. Our colleague miekiemoes has an excellent writeup here

------------------------------------------------------

I see you have P2P software ( uTorrent ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

A reference for the risk of these programs is here and here

I would strongly recommend that you uninstall it. You can do so via Control Panel >> Add or Remove Programs.

------------------------------------------------------

Please uninstall the following via Start->(or Computer)->Control Panel->Add or Remove Programs if it still exists:

Browser Configuration Utility << Please read this

------------------------------------------------------
  • Open Notepad (Start > All Programs > Accessories > Notepad).
  • Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
  • Save it as fixlist.txt next to FRST.exe
  • If asked to change 'Encoding:' to 'Unicode:', please agree and save it.

    NOTE: Both FRST.exe and the fixlist.txt must be in the same location or the fix will not work.


    Code:
    start
    createrestorepoint:
    CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{0000002F-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{00000100-0000-0010-8000-00AA006D2EA4}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{00000101-0000-0010-8000-00AA006D2EA4}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{00000103-0000-0010-8000-00AA006D2EA4}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{00000104-0000-0010-8000-00AA006D2EA4}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{00000105-0000-0010-8000-00AA006D2EA4}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{00000106-0000-0010-8000-00AA006D2EA4}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{00000107-0000-0010-8000-00AA006D2EA4}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{00000108-0000-0010-8000-00AA006D2EA4}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{00000109-0000-0010-8000-00AA006D2EA4}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{00020422-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{00020423-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{00020425-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{0002E005-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{0BE35200-8F91-11CE-9DE3-00AA004BB851}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{0BE35201-8F91-11CE-9DE3-00AA004BB851}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{0BE35202-8F91-11CE-9DE3-00AA004BB851}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{0BE35203-8F91-11CE-9DE3-00AA004BB851}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{0BE35204-8F91-11CE-9DE3-00AA004BB851}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{46763EE0-CAB2-11CE-8C20-00AA0051E5D4}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731}\InprocServer32 -> no filepath
    AlternateDataStreams: C:\WINDOWS:AstInfo
    AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:553CA6CA
    AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:56E2E879
    () C:\Program Files\AVG Web TuneUp\WtuSystemSupport.exe
    HKLM\...\Run: [NPSStartup] => [X]
    HKU\S-1-5-21-448539723-1645522239-682003330-1003\...\MountPoints2: {4b881cec-1475-11e3-a635-1c6f65219172} - G:\AutoRun.exe
    HKU\S-1-5-21-448539723-1645522239-682003330-1003\...\MountPoints2: {76eb891a-1474-11e3-a634-1c6f65219172} - G:\AutoRun.exe
    HKU\S-1-5-21-448539723-1645522239-682003330-1003\...\MountPoints2: {c0ed9e10-19e5-11e3-a63e-1c6f65219172} - G:\AutoRun.exe
    ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => No File
    Startup: C:\Documents and Settings\PARRY\Start Menu\Programs\Startup\h.lnk [2015-08-13]
    ShortcutTarget: h.lnk -> C:\Documents and Settings\PARRY\Application Data\obckpnucef.exe (No File)
    HKU\S-1-5-21-448539723-1645522239-682003330-1003\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://mysearch.avg.com/?cid={65BFE316-060B-49E2-BD52-66627FAB4F9B}&mid=30638dd225ac47d28498cd2623c57881-a8cba8d0c701d27e3be6f0bc99fd599f19c07dbb&lang=en&ds=AVG&coid=avgtbavg&cmpid=0715tb&pr=fr&d=2014-11-08 13:55:47&v=4.1.4.948&pid=wtu&sg=&sap=hp
    URLSearchHook: HKU\S-1-5-21-448539723-1645522239-682003330-1003 - SearchHook Class - {BC86E1AB-EDA5-4059-938F-CE307B0C6F0A} - C:\Program Files\DeviceVM\Browser Configuration Utility\AddressBarSearch.dll No File
    SearchScopes: HKLM -> DefaultScope value is missing
    BHO: SpeedBit Link Verification Helper -> {D5974A72-C81C-4DC3-BE77-A8A7BBC8864E} -> C:\Program Files\DAP\LinkVerifier.dll => No File
    FF HKU\S-1-5-21-448539723-1645522239-682003330-1003\...\Firefox\Extensions: [{F17C1572-C9EC-4e5c-A542-D05CBB5C5A08}] - C:\Program Files\DAP\DAPFireFox => not found
    FF HKU\S-1-5-21-448539723-1645522239-682003330-1003\...\SeaMonkey\Extensions: [[email protected]] - C:\Documents and Settings\PARRY\Application Data\IDM\idmmzcc5 => not found
    CHR HKLM\...\Chrome\Extension: [bodfdknjhecmadheclfjkhhiofeagdbh] - C:\Program Files\DAP\daplinkchecker.crx <not found>
    S2 PEVSystemStart; C:\ComboFix\pev.3XE [256000 2011-06-26] () [File not signed]
    R2 WtuSystemSupport; C:\Program Files\AVG Web TuneUp\WtuSystemSupport.exe [1205136 2015-11-20] ()
    EmptyTemp:
    end
  • Double-click FRST to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
  • Click the Fix button just once, and wait.
  • If you receive a message that a reboot is required, please make sure you allow it to restart normally.
  • The tool will complete its run after the restart.
  • When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
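Added example, not code from the thread or from FRST itself: a small Python triage that takes lines in the shape of the fixlist above and groups them by the reason a helper would select them (removable-drive autorun references, orphaned startup hooks, unverified services, and so on). The sample input is a constructed copy modelled on those lines, with the SID and profile name replaced by placeholders; the patterns cover only the line shapes that appear on this page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the shape of the fixlist above (not the thread's own
# lines): SID and profile name are placeholders, the rest mirrors the page.
SAMPLE = r"""start
createrestorepoint:
CustomCLSID: HKU\S-1-5-21-0-0-0-1003_Classes\CLSID\{00000100-0000-0010-8000-00AA006D2EA4}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-0-0-0-1003_Classes\CLSID\{0BE35200-8F91-11CE-9DE3-00AA004BB851}\InprocServer32 -> no filepath
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:553CA6CA
HKLM\...\Run: [NPSStartup] => [X]
HKU\S-1-5-21-0-0-0-1003\...\MountPoints2: {4b881cec-1475-11e3-a635-1c6f65219172} - G:\AutoRun.exe
Startup: C:\Documents and Settings\user\Start Menu\Programs\Startup\h.lnk [2015-08-13]
ShortcutTarget: h.lnk -> C:\Documents and Settings\user\Application Data\obckpnucef.exe (No File)
BHO: SpeedBit Link Verification Helper -> {D5974A72-C81C-4DC3-BE77-A8A7BBC8864E} -> C:\Program Files\DAP\LinkVerifier.dll => No File
S2 PEVSystemStart; C:\ComboFix\pev.3XE [256000 2011-06-26] () [File not signed]
R2 WtuSystemSupport; C:\Program Files\AVG Web TuneUp\WtuSystemSupport.exe [1205136 2015-11-20] ()
EmptyTemp:
end
"""

@dataclass
class Finding:
    category: str  # label used for grouping
    detail: str    # the part of the line a reviewer should look at first
    line: str      # the original FRST line

# Line shapes that occur in the fixlist on this page; other FRST sections
# (Drivers, Hosts, ...) would need their own patterns.
RE_DIRECTIVE = re.compile(r"^(?:start|end|[A-Za-z]+:)$")
RE_MOUNTPOINT = re.compile(r"MountPoints2: (\{[0-9a-fA-F-]+\}) - ([A-Za-z]:\\.+)$")
RE_SHORTCUT = re.compile(r"^ShortcutTarget: (\S+) -> (.+?) \(No File\)$")
RE_STARTUP = re.compile(r"^Startup: (.+?\.lnk) \[([\d-]+)\]$")
RE_CLSID = re.compile(r"^CustomCLSID: (.+?) -> no filepath$")
RE_SERVICE = re.compile(
    r"^([RS])(\d) (\S+); (.+?) \[(\d+) ([\d-]+)\] \((.*?)\)(?: \[(File not signed)\])?$"
)
RE_ADS = re.compile(r"^AlternateDataStreams: (.+):([^:\\]+)$")
ORPHAN_MARKERS = ("=> No File", "=> [X]", "<not found>", "=> not found", " No File")

def classify(line: str) -> Optional[Finding]:
    """Map one FRST line to a Finding, or None for a blank line."""
    line = line.strip()
    if not line:
        return None
    if RE_DIRECTIVE.match(line):
        return Finding("directive", line, line)
    m = RE_MOUNTPOINT.search(line)
    if m:
        # Explorer's per-volume autorun cache pointing at an executable on a
        # drive letter: the trace left by autorun-based removable-media worms,
        # and consistent with the USB symptom reported in the first post.
        return Finding("removable-autorun", m.group(2), line)
    m = RE_SHORTCUT.match(line)
    if m:
        # Startup shortcut whose target is gone: the dropper was removed but
        # its persistence hook survived; the random-looking name is itself notable.
        return Finding("orphan-startup", m.group(2), line)
    m = RE_STARTUP.match(line)
    if m:
        return Finding("startup-item", m.group(1), line)
    m = RE_CLSID.match(line)
    if m:
        # Per-user CLSID with no InprocServer32 path: a harmless leftover, but
        # per-user COM registrations are also a hijack location, so list them.
        return Finding("orphan-clsid", m.group(1), line)
    m = RE_SERVICE.match(line)
    if m:
        _state, _start, name, path, _size, _date, publisher, unsigned = m.groups()
        # No publisher in the "()" slot, or an explicit "File not signed" flag.
        cat = "unverified-service" if (unsigned or not publisher) else "service"
        return Finding(cat, f"{name} -> {path}", line)
    m = RE_ADS.match(line)
    if m:
        return Finding("ads", f"{m.group(1)}:{m.group(2)}", line)
    if any(marker in line for marker in ORPHAN_MARKERS):
        # Registry entry referencing a file that no longer exists.
        return Finding("orphan", line.split(":", 1)[0], line)
    return Finding("other", line, line)

def triage(text: str) -> Dict[str, List[Finding]]:
    """Group every non-blank line by category, preserving input order."""
    groups: Dict[str, List[Finding]] = {}
    for raw in text.splitlines():
        finding = classify(raw)
        if finding is not None:
            groups.setdefault(finding.category, []).append(finding)
    return groups

if __name__ == "__main__":
    for category, items in triage(SAMPLE).items():
        print(f"{category} ({len(items)})")
        for item in items:
            print(f"    {item.detail}")
```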
Old 11-29-2015, 12:09 AM   #14

Hello chemist,

1) AVG Web TuneUp
a) Tried uninstalling it through Add/Remove Programs, but it did not proceed. Disabled AVG and also disconnected the system from the net, but still no luck.
b) Is 'Web Protection' in AVG a part of Web TuneUp? I ask because I have observed that it is deactivated on startups/reboots.

2) CCleaner: I normally use it to clear the system of temp files, cookies and other files. I have never used the Registry Cleaner part of it. If not CCleaner, then what other utility do you advise for this purpose?

3) uTorrent has not been used on this machine for a long time now. Should I uninstall it completely, even though it is not in use?

4) Browser Configuration Utility: Uninstalled through Control Panel.

5) Today I got an alert from AVG for FRST.exe; a screenshot is attached for reference. After that I disabled AVG, disconnected the internet and ran FRST > Fix. In between I got a prompt stating 'FRST.exe encountered a problem and needs to close.' FRST closed without a restart of the system. Below is the log it produced:

Fix result of Farbar Recovery Scan Tool (x86) Version:27-11-2015
Ran by parry (2015-11-29 13:13:11) Run:1
Running from C:\Documents and Settings\parry\Desktop\TSF Nov 2015
Loaded Profiles: parry (Available Profiles: parry)
Boot Mode: Normal

==============================================

fixlist content:
*****************
start
createrestorepoint:
CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{0000002F-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{00000100-0000-0010-8000-00AA006D2EA4}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{00000101-0000-0010-8000-00AA006D2EA4}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{00000103-0000-0010-8000-00AA006D2EA4}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{00000104-0000-0010-8000-00AA006D2EA4}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{00000105-0000-0010-8000-00AA006D2EA4}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{00000106-0000-0010-8000-00AA006D2EA4}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{00000107-0000-0010-8000-00AA006D2EA4}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{00000108-0000-0010-8000-00AA006D2EA4}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{00000109-0000-0010-8000-00AA006D2EA4}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{00020422-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{00020423-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{00020425-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{0002E005-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{0BE35200-8F91-11CE-9DE3-00AA004BB851}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{0BE35201-8F91-11CE-9DE3-00AA004BB851}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{0BE35202-8F91-11CE-9DE3-00AA004BB851}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{0BE35203-8F91-11CE-9DE3-00AA004BB851}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{0BE35204-8F91-11CE-9DE3-00AA004BB851}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{46763EE0-CAB2-11CE-8C20-00AA0051E5D4}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731}\InprocServer32 -> no filepath
AlternateDataStreams: C:\WINDOWS:AstInfo
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:553CA6CA
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:56E2E879
() C:\Program Files\AVG Web TuneUp\WtuSystemSupport.exe
HKLM\...\Run: [NPSStartup] => [X]
HKU\S-1-5-21-448539723-1645522239-682003330-1003\...\MountPoints2: {4b881cec-1475-11e3-a635-1c6f65219172} - G:\AutoRun.exe
HKU\S-1-5-21-448539723-1645522239-682003330-1003\...\MountPoints2: {76eb891a-1474-11e3-a634-1c6f65219172} - G:\AutoRun.exe
HKU\S-1-5-21-448539723-1645522239-682003330-1003\...\MountPoints2: {c0ed9e10-19e5-11e3-a63e-1c6f65219172} - G:\AutoRun.exe
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => No File
Startup: C:\Documents and Settings\parry\Start Menu\Programs\Startup\h.lnk [2015-08-13]
ShortcutTarget: h.lnk -> C:\Documents and Settings\parry\Application Data\obckpnucef.exe (No File)
HKU\S-1-5-21-448539723-1645522239-682003330-1003\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://mysearch.avg.com/?cid={65BFE316-060B-49E2-BD52-66627FAB4F9B}&mid=30638dd225ac47d28498cd2623c57881-a8cba8d0c701d27e3be6f0bc99fd599f19c07dbb&lang=en&ds=AVG&coid=avgtbavg&cmpid=0715tb&pr=fr&d=2014-11-08 13:55:47&v=4.1.4.948&pid=wtu&sg=&sap=hp
URLSearchHook: HKU\S-1-5-21-448539723-1645522239-682003330-1003 - SearchHook Class - {BC86E1AB-EDA5-4059-938F-CE307B0C6F0A} - C:\Program Files\DeviceVM\Browser Configuration Utility\AddressBarSearch.dll No File
SearchScopes: HKLM -> DefaultScope value is missing
BHO: SpeedBit Link Verification Helper -> {D5974A72-C81C-4DC3-BE77-A8A7BBC8864E} -> C:\Program Files\DAP\LinkVerifier.dll => No File
FF HKU\S-1-5-21-448539723-1645522239-682003330-1003\...\Firefox\Extensions: [{F17C1572-C9EC-4e5c-A542-D05CBB5C5A08}] - C:\Program Files\DAP\DAPFireFox => not found
FF HKU\S-1-5-21-448539723-1645522239-682003330-1003\...\SeaMonkey\Extensions: [[email protected]] - C:\Documents and Settings\parry\Application Data\IDM\idmmzcc5 => not found
CHR HKLM\...\Chrome\Extension: [bodfdknjhecmadheclfjkhhiofeagdbh] - C:\Program Files\DAP\daplinkchecker.crx <not found>
S2 PEVSystemStart; C:\ComboFix\pev.3XE [256000 2011-06-26] () [File not signed]
R2 WtuSystemSupport; C:\Program Files\AVG Web TuneUp\WtuSystemSupport.exe [1205136 2015-11-20] ()
EmptyTemp:
end
*****************

Restore point was successfully created.
"HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{0000002F-0000-0000-C000-000000000046}" => key removed successfully.
"HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{00000100-0000-0010-8000-00AA006D2EA4}" => key removed successfully.
"HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{00000101-0000-0010-8000-00AA006D2EA4}" => key removed successfully.
"HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{00000103-0000-0010-8000-00AA006D2EA4}" => key removed successfully.
"HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{00000104-0000-0010-8000-00AA006D2EA4}" => key removed successfully.
"HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{00000105-0000-0010-8000-00AA006D2EA4}" => key removed successfully.
"HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{00000106-0000-0010-8000-00AA006D2EA4}" => key removed successfully.
"HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{00000107-0000-0010-8000-00AA006D2EA4}" => key removed successfully.
"HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{00000108-0000-0010-8000-00AA006D2EA4}" => key removed successfully.
"HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{00000109-0000-0010-8000-00AA006D2EA4}" => key removed successfully.
"HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{00020420-0000-0000-C000-000000000046}" => key removed successfully.
"HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{00020421-0000-0000-C000-000000000046}" => key removed successfully.
"HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{00020422-0000-0000-C000-000000000046}" => key removed successfully.
"HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{00020423-0000-0000-C000-000000000046}" => key removed successfully.
"HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{00020424-0000-0000-C000-000000000046}" => key removed successfully.
"HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{00020425-0000-0000-C000-000000000046}" => key removed successfully.
"HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{0002E005-0000-0000-C000-000000000046}" => key removed successfully.
"HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{0BE35200-8F91-11CE-9DE3-00AA004BB851}" => key removed successfully.
"HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{0BE35201-8F91-11CE-9DE3-00AA004BB851}" => key removed successfully.
"HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{0BE35202-8F91-11CE-9DE3-00AA004BB851}" => key removed successfully.
"HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{0BE35203-8F91-11CE-9DE3-00AA004BB851}" => key removed successfully.
"HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{0BE35204-8F91-11CE-9DE3-00AA004BB851}" => key removed successfully.
"HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{46763EE0-CAB2-11CE-8C20-00AA0051E5D4}" => key removed successfully.
"HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}" => key removed successfully.
"HKU\S-1-5-21-448539723-1645522239-682003330-1003_Classes\CLSID\{D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731}" => key removed successfully.
"C:\WINDOWS" => ":AstInfo" ADS not found.
C:\Documents and Settings\All Users\Application Data\TEMP => ":553CA6CA" ADS removed successfully..
C:\Documents and Settings\All Users\Application Data\TEMP => ":56E2E879" ADS removed successfully..
C:\Program Files\AVG Web TuneUp\WtuSystemSupport.exe
C:\Program Files\AVG Web TuneUp\WtuSystemSupport.exe => No running process found
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\NPSStartup => value removed successfully.
"HKU\S-1-5-21-448539723-1645522239-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4b881cec-1475-11e3-a635-1c6f65219172}" => key removed successfully.
HKCR\CLSID\{4b881cec-1475-11e3-a635-1c6f65219172} => key not found.
"HKU\S-1-5-21-448539723-1645522239-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{76eb891a-1474-11e3-a634-1c6f65219172}" => key removed successfully.
HKCR\CLSID\{76eb891a-1474-11e3-a634-1c6f65219172} => key not found.
"HKU\S-1-5-21-448539723-1645522239-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c0ed9e10-19e5-11e3-a63e-1c6f65219172}" => key removed successfully.
HKCR\CLSID\{c0ed9e10-19e5-11e3-a63e-1c6f65219172} => key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avast" => key removed successfully.
HKCR\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => key not found.
C:\Documents and Settings\parry\Start Menu\Programs\Startup\h.lnk => moved successfully
C:\Documents and Settings\parry\Application Data\obckpnucef.exe => not found.
HKU\S-1-5-21-448539723-1645522239-682003330-1003\Software\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKU\S-1-5-21-448539723-1645522239-682003330-1003\Software\Microsoft\Internet Explorer\URLSearchHooks\\{BC86E1AB-EDA5-4059-938F-CE307B0C6F0A} => value not found.
"HKCR\CLSID\{BC86E1AB-EDA5-4059-938F-CE307B0C6F0A}" => key removed successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D5974A72-C81C-4DC3-BE77-A8A7BBC8864E}" => key removed successfully.
"HKCR\CLSID\{D5974A72-C81C-4DC3-BE77-A8A7BBC8864E}" => key removed successfully.
HKU\S-1-5-21-448539723-1645522239-682003330-1003\Software\Mozilla\Firefox\Extensions\\{F17C1572-C9EC-4e5c-A542-D05CBB5C5A08} => value removed successfully.
HKU\S-1-5-21-448539723-1645522239-682003330-1003\Software\Mozilla\SeaMonkey\Extensions\\[email protected] => value removed successfully.
"HKLM\SOFTWARE\Google\Chrome\Extensions\bodfdknjhecmadheclfjkhhiofeagdbh" => key removed successfully.
PEVSystemStart => service removed successfully.
WtuSystemSupport => service not found.
Attached image: Screenshot - AVG Alert FRST 2015.11.29.jpg
Old 11-29-2015, 05:17 AM   #15

Hello again, parry. The detection of FRST by AVG is a false positive. Just ignore that detection.

I haven't used AVG in forever, so I'm not sure about Web Protection vs. Web TuneUp, but that last FRST fix stopped AVG Web TuneUp from starting up on startups/reboots.

As far as CCleaner, as long as you don't use the registry cleaning feature, it is OK for other uses.

We use TFC.exe for clearing temp files, browser caches, etc.:

TFC Download

And, yes, I would uninstall uTorrent.

------------------------------------------------------

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it. (Vista/Win7/Win8/Win10 users, right-click > Run as administrator)
  • Copy/paste the contents of the following codebox into the main textfield:
    Code:
    :folderfind
    *TuneUp*
    
    :regfind
    TuneUp
  • Click the Look button to start the scan.
  • Please be patient, as it may take a while.
  • When finished, a Notepad file will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

------------------------------------------------------
Old 12-01-2015, 01:49 AM   #16

Hello chemist, as requested, the SystemLook.txt is below:

SystemLook 30.07.11 by jpshortstuff
Log created at 14:40 on 01/12/2015 by PARRY
Administrator - Elevation successful

========== folderfind ==========

Searching for "*TuneUp*"
C:\Documents and Settings\Default User\Application Data\TuneUp Software d------ [12:32 03/07/2014]
C:\Documents and Settings\PARRY\Application Data\TuneUp Software d------ [07:34 14/06/2014]
C:\Documents and Settings\PARRY\Local Settings\Application Data\AVG Web TuneUp d------ [08:26 08/11/2014]
C:\Program Files\AVG Web TuneUp d------ [08:25 08/11/2014]
C:\Program Files\AVG\AVG2015\Tuneup d------ [09:22 29/10/2014]
C:\Program Files\AVG Web TuneUp\ChromeRes\AVG Web TuneUp d------ [12:08 16/07/2015]

========== regfind ==========

Searching for "TuneUp"
[HKEY_CURRENT_USER\Software\AVG Tuneup]
[HKEY_CURRENT_USER\Software\AVG Web TuneUp]
[HKEY_CURRENT_USER\Software\AVG Web TuneUp]
"SiteSafetyPopupUrl"="https://webtuneup.avg.com/static/dist/app/4.1.6.0/popup.html"
[HKEY_CURRENT_USER\Software\AVG Web TuneUp]
"SiteSafetyInterstitialUrl"="https://webtuneup.avg.com/static/dist/app/4.1.6.0/interstitial.html"
[HKEY_CURRENT_USER\Software\AVG Web TuneUp]
"cache_file_0"="C:\Documents and Settings\PARRY\Local Settings\Application Data\AVG Web TuneUp\cache\0112c7e0950156bd__exp__24-11-2015 07-43-30"
[HKEY_CURRENT_USER\Software\Microsoft\IntelliPoint\AppSpecific\vprot.exe]
"Path"="C:\Program Files\AVG Web TuneUp\vprot.exe"
[HKEY_CURRENT_USER\Software\Microsoft\IntelliType Pro\AppSpecific\vprot.exe]
"Path"="C:\Program Files\AVG Web TuneUp\vprot.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\LanguageResources]
"LangTuneUp"="OfficeCompleted"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\Program Files\AVG Web TuneUp\vprot.exe"="VProtect Application "
[HKEY_LOCAL_MACHINE\SOFTWARE\AVG Tuneup]
[HKEY_LOCAL_MACHINE\SOFTWARE\AVG Tuneup]
"Product Name"="AVG Web TuneUp"
[HKEY_LOCAL_MACHINE\SOFTWARE\AVG Web TuneUp]
[HKEY_LOCAL_MACHINE\SOFTWARE\AVG Web TuneUp]
"ToolbarPath"="C:\Program Files\AVG Web TuneUp\4.1.8.599"
[HKEY_LOCAL_MACHINE\SOFTWARE\AVG Web TuneUp]
"Uninstall"="C:\Program Files\AVG Web TuneUp\UNINSTALL.EXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\AVG Web TuneUp]
"TBAPIPath"="C:\Program Files\AVG Web TuneUp\TBAPI.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\AVG Web TuneUp\Initialize\CONFIGXML]
"Installation/DSP/DisplayName"="AVG Web TuneUp"
[HKEY_LOCAL_MACHINE\SOFTWARE\AVG Web TuneUp\Initialize\General]
"PARTNER_NAME"="AVG Web TuneUp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1152F8E0-69DB-4935-AFC3-59F8A5A86A30}]
"LocalizedString"="@C:\Program Files\AVG\AVG2015\Tuneup\TUMicroScanner.exe,-31415"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1152F8E0-69DB-4935-AFC3-59F8A5A86A30}\Elevation]
"IconReference"="@C:\Program Files\AVG\AVG2015\Tuneup\TUMicroScanner.exe,-27182"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1152F8E0-69DB-4935-AFC3-59F8A5A86A30}\LocalServer32]
@="C:\PROGRA~1\AVG\AVG2015\Tuneup\TUMICR~1.EXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\5AE839A46EBF5064EA86DE2FB81FDC16]
"fea_TuneUp"="MainFea"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\5AE839A46EBF5064EA86DE2FB81FDC16]
"fea_TuneUp__QTune"=" MainFea"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{66694099-FBD8-4A98-AB9F-F19EAB4144C0}\1.0\0\win32]
@="C:\Program Files\AVG\AVG2015\Tuneup\TUMicroScanner.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{66694099-FBD8-4A98-AB9F-F19EAB4144C0}\1.0\HELPDIR]
@="C:\Program Files\AVG\AVG2015\Tuneup\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\Program Files\AVG\AVG2015\Tuneup\"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1229C23182769C343810AD9DC875A619]
"5AE839A46EBF5064EA86DE2FB81FDC16"="C:\Program Files\AVG\AVG2015\Tuneup\TUMicroScanner.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1753368CBA87DE6408986CF8877EDEEE]
"5AE839A46EBF5064EA86DE2FB81FDC16"="C:\Program Files\AVG\AVG2015\Tuneup\RegistryCleaner.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\26C33E702E8EF864EB1C6CE0CE702AFC]
"5AE839A46EBF5064EA86DE2FB81FDC16"="C:\Program Files\AVG\AVG2015\Tuneup\GainDiskSpace.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\41F4F9638B8EE534EB73D0BC25F57DC0]
"5AE839A46EBF5064EA86DE2FB81FDC16"="C:\Program Files\AVG\AVG2015\Tuneup\TUDiskCleanerLite.dat"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\5D923EBC7BBBACB4BBBCB9A435F5E58D]
"5AE839A46EBF5064EA86DE2FB81FDC16"="C:\Program Files\AVG\AVG2015\Tuneup\DriveDefrag32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\5E8C5B61E578C1E409267CD36029EE34]
"5AE839A46EBF5064EA86DE2FB81FDC16"="C:\Program Files\AVG\AVG2015\Tuneup\TuneUpAPI32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\C4EC124CE2BB77749A870FD954F75043]
"5AE839A46EBF5064EA86DE2FB81FDC16"="C:\Program Files\AVG\AVG2015\Tuneup\TUDiskCleaner.dat"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\F41AF0103B63552448B4A5B7705A9545]
"5AE839A46EBF5064EA86DE2FB81FDC16"="C:\Program Files\AVG\AVG2015\Tuneup\TuneUpCore.bpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\F42F59C9A28B0444EA5CAF4938C0ED2B]
"5AE839A46EBF5064EA86DE2FB81FDC16"="C:\Program Files\AVG\AVG2015\Tuneup\ShortcutCleaner.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\5AE839A46EBF5064EA86DE2FB81FDC16\Features]
"fea_TuneUp"="'(}Tj][email protected]@%7}?hwyUn]xPU%ukbb=!Fbh'5cAgkP+GJi&Oal=.&[email protected]=Zx9'HzsWI$OQb$L,&h}XK{=)ufiZ}G2f4bj6W5l~Q`9LK0=jiqm-'qAn1)p{qk9bPO$o^{YgVM9KA*y&w+Av%gq7H,oo9$t}D!Ty.C9y)r_O('F,C MainFea"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\5AE839A46EBF5064EA86DE2FB81FDC16\Features]
"fea_TuneUp__QTune"="'(}Tj][email protected]@%7}?hwyUn]xPU%ukbb=!Fbh'5cAgkP+GJi&Oal=.&[email protected]=Zx9'HzsWI$OQb$L,&h}XK{=)ufiZ}G2f4bj6W5l~Q`9LK0=jiqm-'qAn1)p{qk9bPO$o^{YgVM9KA*y&w+Av%gq7H,oo9$t}D!Ty.C9y)r_O('F,C MainFea"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG Web TuneUp]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG Web TuneUp]
"UninstallString"="C:\Program Files\AVG Web TuneUp\UNINSTALL.exe /PROMPT /UNINSTALL"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG Web TuneUp]
"DisplayIcon"="C:\Program Files\AVG Web TuneUp\favicon.ico"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG Web TuneUp]
"DisplayName"="AVG Web TuneUp"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\MUILanguages\RCV2\tuneup.exe]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\tuneup.exe]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Nls\MUILanguages\RCV2\tuneup.exe]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\tuneup.exe]
[HKEY_USERS\.DEFAULT\Software\AVG Web TuneUp]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Office\12.0\Common\LanguageResources]
"LangTuneUp"="OfficeCompleted"
[HKEY_USERS\S-1-5-21-448539723-1645522239-682003330-1003\Software\AVG Tuneup]
[HKEY_USERS\S-1-5-21-448539723-1645522239-682003330-1003\Software\AVG Web TuneUp]
[HKEY_USERS\S-1-5-21-448539723-1645522239-682003330-1003\Software\AVG Web TuneUp]
"SiteSafetyPopupUrl"="https://webtuneup.avg.com/static/dist/app/4.1.6.0/popup.html"
[HKEY_USERS\S-1-5-21-448539723-1645522239-682003330-1003\Software\AVG Web TuneUp]
"SiteSafetyInterstitialUrl"="https://webtuneup.avg.com/static/dist/app/4.1.6.0/interstitial.html"
[HKEY_USERS\S-1-5-21-448539723-1645522239-682003330-1003\Software\AVG Web TuneUp]
"cache_file_0"="C:\Documents and Settings\PARRY\Local Settings\Application Data\AVG Web TuneUp\cache\0112c7e0950156bd__exp__24-11-2015 07-43-30"
[HKEY_USERS\S-1-5-21-448539723-1645522239-682003330-1003\Software\Microsoft\IntelliPoint\AppSpecific\vprot.exe]
"Path"="C:\Program Files\AVG Web TuneUp\vprot.exe"
[HKEY_USERS\S-1-5-21-448539723-1645522239-682003330-1003\Software\Microsoft\IntelliType Pro\AppSpecific\vprot.exe]
"Path"="C:\Program Files\AVG Web TuneUp\vprot.exe"
[HKEY_USERS\S-1-5-21-448539723-1645522239-682003330-1003\Software\Microsoft\Office\12.0\Common\LanguageResources]
"LangTuneUp"="OfficeCompleted"
[HKEY_USERS\S-1-5-21-448539723-1645522239-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\Program Files\AVG Web TuneUp\vprot.exe"="VProtect Application "
[HKEY_USERS\S-1-5-18\Software\AVG Web TuneUp]
[HKEY_USERS\S-1-5-18\Software\Microsoft\Office\12.0\Common\LanguageResources]
"LangTuneUp"="OfficeCompleted"

-= EOF =-
Old 12-01-2015, 06:07 AM   #17
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, parry. This should get rid of TuneUp Utilities.

Open Notepad and copy/paste the entire contents of the codebox below into Notepad (don't forget to copy and paste REGEDIT4):

Code:
REGEDIT4

[-HKEY_CURRENT_USER\Software\AVG Tuneup]

[-HKEY_CURRENT_USER\Software\AVG Web TuneUp]

[-HKEY_CURRENT_USER\Software\Microsoft\IntelliPoint\AppSpecific\vprot.exe]

[-HKEY_CURRENT_USER\Software\Microsoft\IntelliType Pro\AppSpecific\vprot.exe]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
; backslashes inside a quoted value name must be doubled; regedit treats a lone backslash as an escape, so "C:\Program Files\..." would be read as "C:Program Files..." and the value would not be removed
"C:\\Program Files\\AVG Web TuneUp\\vprot.exe"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\AVG Tuneup]

[-HKEY_LOCAL_MACHINE\SOFTWARE\AVG Web TuneUp]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1152F8E0-69DB-4935-AFC3-59F8A5A86A30}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\5AE839A46EBF5064EA86DE2FB81FDC16]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{66694099-FBD8-4A98-AB9F-F19EAB4144C0}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
; doubled backslashes again; an unescaped trailing \" would swallow the closing quote and the line would be ignored
"C:\\Program Files\\AVG\\AVG2015\\Tuneup\\"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1229C23182769C343810AD9DC875A619]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1753368CBA87DE6408986CF8877EDEEE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\26C33E702E8EF864EB1C6CE0CE702AFC]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\41F4F9638B8EE534EB73D0BC25F57DC0]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\5D923EBC7BBBACB4BBBCB9A435F5E58D]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\5E8C5B61E578C1E409267CD36029EE34]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\C4EC124CE2BB77749A870FD954F75043]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\F41AF0103B63552448B4A5B7705A9545]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\F42F59C9A28B0444EA5CAF4938C0ED2B]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\5AE839A46EBF5064EA86DE2FB81FDC16]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG Web TuneUp]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\MUILanguages\RCV2\tuneup.exe]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\tuneup.exe]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Nls\MUILanguages\RCV2\tuneup.exe]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\tuneup.exe]

[-HKEY_USERS\.DEFAULT\Software\AVG Web TuneUp]

[-HKEY_USERS\S-1-5-21-448539723-1645522239-682003330-1003\Software\AVG Tuneup]

[-HKEY_USERS\S-1-5-21-448539723-1645522239-682003330-1003\Software\AVG Web TuneUp]

[-HKEY_USERS\S-1-5-21-448539723-1645522239-682003330-1003\Software\Microsoft\IntelliPoint\AppSpecific\vprot.exe]

[-HKEY_USERS\S-1-5-21-448539723-1645522239-682003330-1003\Software\Microsoft\IntelliType Pro\AppSpecific\vprot.exe]

[-HKEY_USERS\S-1-5-18\Software\AVG Web TuneUp]
Save the file as fix.reg and choose to Save as type: - All Files then close the Notepad file.
It should look like this:

Double-click on fix.reg and choose Yes to merge/add it to the registry. Please delete the file afterwards.

------------------------------------------------------

Open Notepad and copy/paste the entire contents of the codebox below into Notepad:

Code:
@echo off
rem Remove the leftover TuneUp / Web TuneUp folders. Any folder that survives
rem (for example because a running AVG process still holds files in it) is
rem written to %temp%\log.txt and shown in Notepad.
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (

"C:\Documents and Settings\Default User\Application Data\TuneUp Software"
"C:\Documents and Settings\PARRY\Application Data\TuneUp Software"
"C:\Documents and Settings\PARRY\Local Settings\Application Data\AVG Web TuneUp"
"C:\Program Files\AVG Web TuneUp"
"C:\Program Files\AVG\AVG2015\Tuneup"

) do (
rem %%g is already quoted; %%~g strips the quotes for the log entry
rd /s/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

pause
rem the batch file removes itself once it has finished
del %0
Save this Notepad file as fix.bat and choose to Save as type: - All Files to your desktop then close the Notepad file.
It should look like this:

Double-click on fix.bat to run it.

Tell me what it says in your next reply. Press any key to continue.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
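A preflight check for a fix.reg like the one above, added here as an example; it is not chemist's code or a forum tool. It lists what a REGEDIT4 file will do when merged and flags the one mistake that silently breaks this kind of cleanup: inside quoted value names and data regedit treats a lone backslash as an escape character, so "C:\Program Files\..." is read as "C:Program Files..." and never matches the MUICache or Installer\Folders value you meant to delete, and a trailing \" swallows the closing quote. Keys in square brackets need no escaping. The SAMPLE_REG text is constructed for the demo from entries in the posted file, with one correctly escaped line next to the two unescaped forms.

```python
r"""Preflight check for a REGEDIT4 .reg file before merging it.

Added example, not part of the thread. Parses the actions a .reg file
performs and warns about quoted strings whose backslashes are not
doubled. Assumed escaping rules (regedit's): inside quotes a backslash
escapes the next character, so \\ is a backslash and \" is a quote.
"""
import re

# Constructed sample built from the thread's fix.reg: line 6 is escaped
# correctly, line 7 is not, line 10 ends in an unescaped backslash.
SAMPLE_REG = r'''REGEDIT4

[-HKEY_CURRENT_USER\Software\AVG Web TuneUp]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\AVG Web TuneUp\\vprot.exe"=-
"C:\Program Files\AVG Web TuneUp\vprot.exe"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\Program Files\AVG\AVG2015\Tuneup\"=-
'''

# Body of a quoted .reg string: a run of (escaped char | anything that
# is not a quote or a backslash), terminated by an unescaped quote.
_QUOTED = re.compile(r'"((?:\\.|[^"\\])*)"')


def reg_unescape(body):
    """What regedit makes of a quoted string body."""
    return re.sub(r'\\(.)', r'\1', body)


def reg_escape(s):
    """Escape a name or path correctly for use inside quotes."""
    return s.replace('\\', '\\\\').replace('"', '\\"')


def bad_escapes(body):
    r"""Characters escaped by a backslash other than \\ and \"."""
    return [c for c in re.findall(r'\\(.?)', body) if c not in ('\\', '"')]


def check_reg(text):
    """Return (actions, warnings); actions are (op, key, value_name)."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != 'REGEDIT4':
        raise ValueError('missing REGEDIT4 header')
    actions, warnings, key = [], [], None
    for n, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(';'):      # blank or comment
            continue
        if line.startswith('['):
            body = line[1:-1] if line.endswith(']') else None
            if body is None:
                warnings.append((n, 'unterminated key line'))
            elif body.startswith('-'):            # [-KEY] deletes the key
                key = None
                actions.append(('delete_key', body[1:], None))
            else:
                key = body
            continue
        if key is None:
            warnings.append((n, 'value line outside a [key] section'))
            continue
        if line.startswith('@'):                  # default value
            name, rest = '', line[1:]
        else:
            m = _QUOTED.match(line)
            if not m:
                warnings.append((n, 'unterminated quoted name: a trailing \\" '
                                    'escapes the closing quote; double every backslash'))
                continue
            name, rest = reg_unescape(m.group(1)), line[m.end():]
            if bad_escapes(m.group(1)):
                warnings.append((n, 'unescaped backslash; regedit will look for %r'
                                    % name))
        if not rest.startswith('='):
            warnings.append((n, 'expected = after value name'))
            continue
        op = 'delete_value' if rest[1:] == '-' else 'set_value'
        actions.append((op, key, name))
    return actions, warnings


if __name__ == '__main__':
    acts, warns = check_reg(SAMPLE_REG)
    for a in acts:
        print(a)
    for n, msg in warns:
        print('line %d: %s' % (n, msg))
```

Run it against the file before double-clicking it: every `delete_value` it prints should show the exact path you expect, and any warning means that line would do nothing (or break the merge) on the real registry.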
Old 12-02-2015, 12:27 AM   #18
Registered Member
 
Join Date: Jan 2007
Posts: 119
OS: XP Pro SP3 | W7 Pro | OSX 10.9.3



Hello again chemist.

1) Registry Edit: Done as instructed, later got a prompt stating 'Information in fix.reg has been successfully entered into the registry.'

2) Batch File: Underneath is the log, with location of TuneUp.

C:\Program Files\AVG\AVG2015\Tuneup

3) AVG Update: Today got an update prompt from AVG, on going ahead with custom installation; it had the following components (as screenshot). One of them was Web Component. Hence, I exited without installation. Will it again install TuneUp?

Should we go with any other AV, if AVG is a botheration?

4) Virus/ Spyware/ Malware:
a) Have we been able to get rid of the initial infection? Can I use the system with internet & USB drives?
b) If we have, the 'My Computer' view is still same as post infection. How can we resolve it?
c) What else can be additionally installed to keep a check?
[Attached screenshot: Screenshot - AVG Update Components 2015.12.02.jpg]
Old 12-02-2015, 06:10 AM   #19
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, parry. We still have a couple of scans to do to make sure no malware remains, but you can now use the machine as normal and see how it behaves.

Can you post a pic of how your My Computer view is different?

------------------------------------------------------

Navigate to, right-click and delete this folder:

C:\Program Files\AVG\AVG2015\Tuneup

------------------------------------------------------

When updating AVG, just untick that Web option.

------------------------------------------------------
  • Launch Malwarebytes' Anti-Malware
  • On the Dashboard, click the Scan Now button.
  • A check for database updates will be performed.
  • After the update check completes, a Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Remove Selected to allow MBAM to clean what was detected.
  • In most cases, a restart will be required and a prompt will be shown.
  • Wait for the prompt to restart the computer to appear, then click on Yes
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs
  • Double-click on the Scan Log which shows the Date and Time of the scan just performed.
  • Click Export
  • Click Text file (*.txt)
  • In the Save File dialog box which appears, click on Desktop.
  • In the File name: box type a name for your scan log.
  • A message box named File Saved should appear stating "Your file has been successfully exported".
  • Click Ok
  • Post that saved log in your next reply.
------------------------------------------------------

Your Java is out of date.

Java(TM) 8 Update 40 can be updated from the Java Control Panel. Go Start > Control Panel(Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts.

Make sure you untick the box next to whatever free program they prompt you to install, unless you want it. Also, let Java remove older versions if prompted.
  • After the install is complete, go back to your Control Panel(using Classic View) and click the Java icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options checked in the window to clear the cache - Leave BOTH Checked
      • Cached Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window.
      Note: This deletes ALL the Downloaded Cached Applications and Applets from the CACHE
    • Click OK to leave the Temporary Files Window.
    • Click OK to leave the Java Control Panel.
------------------------------------------------------

Please run this online scan to help look for remnants. Ensure your external and/or USB drives are inserted during the scan.

Go here and click 'Run ESET Online Scanner'.
  • If you are not using Internet Explorer, double-click esetsmartinstaller_enu.exe to install it, then click 'Run'.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan. Here's how
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • If using Internet Explorer, allow the ActiveX control to install when asked.
  • Once the components have downloaded, tick the option Enable detection of potentially unwanted applications
  • Click on Advanced Settings
  • Make sure that the option Remove found threats is unticked.
  • Ensure these options are ticked:
    • Scan Archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Next to 'Current scan targets: Operating memory, Local drives', click the Change... button.
  • Tick all the boxes that correspond to your external/inserted drives.
  • Click Start
  • Wait for the scan to finish.
  • When the scan is done, if it shows a screen that says "Threats found!", click "List of found threats", and then click "Export to text file..."
  • Save that text file to your desktop, and then copy/paste the contents in your next reply.
------------------------------------------------------

Please post the following in your next reply:

MBAM log
ESET report
Old 12-03-2015, 05:04 AM   #20
Registered Member
 
Join Date: Jan 2007
Posts: 119
OS: XP Pro SP3 | W7 Pro | OSX 10.9.3



Hello chemist,

1) My Computer View: The first thumbnail is the default 'My Computer' view which used to be prior to the infection. Second thumbnail is the view after infection.

2) TuneUp Folder: Tried deleting TuneUp Folder @ C:\Program Files\AVG\AVG2015\Tuneup. Got error as third thumbnail.

3) Malwarebytes Anti-Malware Log;

Quote:
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 12/3/2015
Scan Time: 1:34:15 PM
Logfile: MBAM Scan Log 2015.12.03.txt
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2015.12.03.02
Rootkit Database: v2015.11.26.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: parry

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 321722
Time Elapsed: 16 min, 56 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)
4) Java updated & deleted the temporary files.

5) ESET Report

Quote:
C:\Documents and Settings\parry\Local Settings\Application Data\Viber\Helper.dll a variant of Win32/Toolbar.SearchSuite.P potentially unwanted application
C:\Documents and Settings\parry\Local Settings\Application Data\Viber\Uninstall.exe a variant of Win32/Toolbar.SearchSuite.W.gen potentially unwanted application
D:\Tally.ERP9\tally.exe a variant of Win32/Packed.Themida.AAE trojan
E:\Games\Gameloft 2007\Rock'n Blocks.jar a variant of J2ME/SMSReg.AY potentially unsafe application
E:\Softwares\Antispam & Antivirus\SDFix.zip Win32/PrcView potentially unsafe application
E:\Softwares\Antispam & Antivirus\BitDefender Total Security 2009\PATCH.rar MSIL/HackAV.B potentially unsafe application
E:\Softwares\Antispam & Antivirus\SDFix\SDFix.exe Win32/PrcView potentially unsafe application
E:\Softwares\Antispam & Antivirus\Zone Alarm Security Suite\Zone Alarm 7.0.470.00.exe a variant of Win32/AdInstaller potentially unwanted application
E:\Softwares\Antispam & Antivirus\Zone Alarm Security Suite\Zone Alarm 7.0.483.00.exe a variant of Win32/AdInstaller potentially unwanted application
E:\Softwares\Browsers\Firefox Optimizer.exe MSIL/FireOptimizer potentially unsafe application
E:\Softwares\BusyWin 12.0\AA_v3.1.exe Win32/RemoteAdmin.Ammyy.A potentially unsafe application
E:\Softwares\CD-DVD Burners\Ashampoo Burning Studio 2010 Advanced.exe a variant of Win32/Toolbar.Conduit.B potentially unwanted application
E:\Softwares\CD-DVD Burners\Ashampoo Burning Studio 2010-9.24_7188.exe a variant of Win32/Toolbar.Conduit.B potentially unwanted application
E:\Softwares\CD-DVD Burners\CDBurnerXP4.3.1.2101-Setup.exe a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
E:\Softwares\CD-DVD Burners\ImgBurn2.5.1.0_Setup.exe a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
E:\Softwares\CD-DVD Burners\ImgBurn2.5.6.0_Setup.exe a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
E:\Softwares\CD-DVD Burners\DVD Converters\CyberLink_PowerDVD.Copy.1.0.6720.rar Win32/HackTool.Patcher.A potentially unsafe application
E:\Softwares\CD-DVD Burners\Nero\Nero Free 9.4.12.3\Nero-9_1.4.12.3_free.exe Win32/Toolbar.AskSBar potentially unwanted application
E:\Softwares\CD-DVD Burners\Nero\Nero-6.6.1.15\Nero-6.6.1.15a.exe Win32/Toolbar.AskSBar potentially unwanted application
E:\Softwares\Internet & Download\uTorrent 3.3 Build 29544.exe a variant of Win32/AdkDLLWrapper.A potentially unwanted application
E:\Softwares\Internet & Download\ViberSetup.exe Win32/Toolbar.SearchSuite.P potentially unwanted application
E:\Softwares\Internet & Download\Internet Download Manager 6.06 Build 8 Final\Internet Download Manager 6.06 Build 8 Final.rar a variant of MSIL/TrojanDropper.Agent.MK trojan
E:\Softwares\Media Players\BSplayer 2.5.7.exe a variant of Win32/Toolbar.Conduit.B potentially unwanted application
E:\Softwares\Media Players\DVDVideo Soft Free3GPVideoConverter.exe Win32/Toolbar.Conduit.S potentially unwanted application
E:\Softwares\Media Players\DVDVideo Soft FreeStudio 5.exe Win32/Toolbar.Conduit.S potentially unwanted application
E:\Softwares\Media Players\Freemake Video Converter 3.0.1.3.exe a variant of Win32/Toolbar.Montiera.A potentially unwanted application
E:\Softwares\Media Players\FreeVideoFlipAndRotate.exe Win32/Toolbar.Conduit.S potentially unwanted application
E:\Softwares\Media Players\FreeVideoToiPhoneConverter.exe a variant of Win32/Toolbar.Conduit.B potentially unwanted application
E:\Softwares\Media Players\VCDCutterSetup.exe multiple threats
E:\Softwares\Misc\Foxit Reader 6.0.2.0413.exe a variant of Win32/Bundled.Toolbar.Ask.C potentially unsafe application
E:\Softwares\Tally\Tally 7.2\patch\Patch.exe Win32/HackTool.Patcher.BS potentially unsafe application
E:\Softwares\Tally\Tally 7.2 Full Ver\Patch_v7.2.exe Win32/HackTool.Patcher.BS potentially unsafe application
E:\Softwares\Tally\Tally 9 1.0\Crack\PATCH-FIXED.EXE a variant of Win32/Tool.TPE.A potentially unsafe application
E:\Softwares\Tally\Tally 9 1.0\Crack\patch.exe a variant of Win32/Tool.TPE.A potentially unsafe application
E:\Softwares\Tally\Tally.ERP 9 v1.89\TERPB189 CRK\tally.exe a variant of Win32/Packed.Themida.AAE trojan
E:\Softwares\Tally\Tally_ERP_ with_crack\crack\TERPB189 CRK\tally.exe a variant of Win32/Packed.Themida.AAE trojan
E:\Softwares\Utilities\AA_v3.1.exe Win32/RemoteAdmin.Ammyy.A potentially unsafe application
E:\Softwares\Utilities\Auslogics System Information 2.1.1.0.exe a variant of Win32/InstallCore.D potentially unwanted application
E:\Softwares\Utilities\CCleaner 5.04.5151.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
E:\Softwares\Utilities\HWMonitor-1.16_Setup.exe a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
E:\Softwares\Utilities\PrimoPDF 5.0.0.19-Setup.exe Win32/OpenCandy potentially unsafe application
E:\Softwares\Utilities\PrimoPDF 5.1.0.2.exe Win32/OpenCandy potentially unsafe application
E:\Softwares\Utilities\SIWPortable_2010.03.10.paf.exe a variant of Win32/RemoteAdmin.RemoteExec.AA potentially unsafe application
E:\Softwares\Utilities\Speccy 1.12.265.exe Win32/Bundled.Toolbar.Google.E potentially unsafe application
E:\Softwares\Utilities\HideFolders2009.3_2_15_583\hf2009_setup.exe Win32/Induc.A virus
E:\Softwares\Utilities\MySecretFolder.v4.3.XP(2).Edtion+Cracked\MySecretFolder[1].v4.3.XP.Edtion_Cracked.rar a variant of Win32/HackTool.Patcher.A potentially unsafe application
E:\Softwares\Utilities\Nitro PDF Professional\Nitro.PDF.Pro.6.0.1.8.rar Win32/HackTool.Patcher.A potentially unsafe application
E:\Softwares\Utilities\Nitro PDF Professional\patch\nitro.pdf.professional-patch.exe Win32/HackTool.Patcher.A potentially unsafe application
E:\Softwares\Utilities\RegistryFix 7.1\RegistryFix.7.1.rar a variant of Win32/Adware.ErrorClean application
E:\Softwares\Utilities\RegistryFix 7.1\registryfix.exe a variant of Win32/Adware.ErrorClean application
E:\Softwares\Utilities\RegistryFix 7.1\registryfix.rar a variant of Win32/Adware.ErrorClean application
E:\Softwares\Windows\XP\XP Extras\Screen Savers\AllWaterfallFree.exe Win32/Toolbar.Widgi potentially unwanted application
G:\Softwares\AA_v3.1.exe Win32/RemoteAdmin.Ammyy.A potentially unsafe application
G:\Softwares\Tally\Tally.ERP 9 v1.89\TERPB189 CRK\tally.exe a variant of Win32/Packed.Themida.AAE trojan
G:\Softwares\Tally\Tally_ERP_ with_crack\crack\TERPB189 CRK\tally.exe a variant of Win32/Packed.Themida.AAE trojan
6) Usage: Have been using the machine for some time for documents & other stuff without connecting any external drives. Also, have been refraining from normal browsing. Only using net on this machine to access this thread. So far it's been okay, without any issue.

a) Only today I noticed data usage even when the system was idle with no browser. Is that normal?

b) I have installed AdBlock as an extension in Chrome. On accessing this forum it shows 5-7 ads blocked.

Should I start using the system with mails, other site logins & normal browsing?

Kindly advise further.
[Attached screenshot: Screenshot - Post Combofix Drive C-01 2015.11.26.jpg]
[Attached screenshot: Screenshot - My Computer Post Infection.jpg]
[Attached screenshot: Screenshot - AVG TuneUp Deletion 2015.12.03.jpg]
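The ESET scan above was run with "Remove found threats" unticked, so every line in the export still needs a decision. Added here as an example, not code from the thread or from ESET: a parser for the export format (path, optional "a variant of", signature, category) that maps each category to a severity and groups the hits by drive, so the live system drive can be told apart from an archive of old installers and cracks. The severity mapping (trojan/virus/worm/"multiple threats" are malware to remove, everything else is a potentially unwanted or unsafe application the owner decides on) is this example's own assumption, and SAMPLE_REPORT is constructed from lines in the posted report.

```python
r"""Triage an ESET Online Scanner 'list of found threats' export.

Added example, not part of the thread. Each line is
    <drive>:<path with spaces> [a variant of] <Family/Name> <category>
or  <path> multiple threats
Paths never contain '/', signatures always do, which is what lets the
lazy path group stop in the right place.
"""
import re
from collections import Counter, defaultdict

# Constructed sample built from lines in the thread's ESET report.
SAMPLE_REPORT = r"""C:\Documents and Settings\parry\Local Settings\Application Data\Viber\Helper.dll a variant of Win32/Toolbar.SearchSuite.P potentially unwanted application
D:\Tally.ERP9\tally.exe a variant of Win32/Packed.Themida.AAE trojan
E:\Games\Gameloft 2007\Rock'n Blocks.jar a variant of J2ME/SMSReg.AY potentially unsafe application
E:\Softwares\Antispam & Antivirus\SDFix.zip Win32/PrcView potentially unsafe application
E:\Softwares\Media Players\VCDCutterSetup.exe multiple threats
E:\Softwares\Utilities\HideFolders2009.3_2_15_583\hf2009_setup.exe Win32/Induc.A virus
E:\Softwares\Utilities\RegistryFix 7.1\registryfix.exe a variant of Win32/Adware.ErrorClean application
G:\Softwares\AA_v3.1.exe Win32/RemoteAdmin.Ammyy.A potentially unsafe application
"""

LINE = re.compile(
    r'^(?P<path>[A-Za-z]:\\.*?)\s+'
    r'(?:(?:a variant of\s+)?(?P<sig>[A-Za-z0-9]+/\S+)\s+(?P<cat>.+)'
    r'|(?P<multi>multiple threats))$'
)

# Assumed mapping from ESET's category wording to what to do with the file.
MALWARE = ('trojan', 'virus', 'worm', 'multiple threats')


def severity(category):
    """'malware' -> quarantine or delete; 'pua' -> owner's decision."""
    return 'malware' if category in MALWARE else 'pua'


def parse_line(line):
    """One export line -> record dict, or None if it does not parse."""
    m = LINE.match(line.rstrip())
    if not m:
        return None
    if m.group('multi'):
        sig, cat = None, 'multiple threats'
    else:
        sig, cat = m.group('sig'), m.group('cat')
    path = m.group('path')
    return {'path': path, 'drive': path[0].upper(), 'signature': sig,
            'category': cat, 'severity': severity(cat)}


def parse_report(text):
    records = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:                                   # skip blank/unparseable lines
            records.append(rec)
    return records


def summarize(records):
    """drive -> Counter of severities, e.g. {'E': {'malware': 2, 'pua': 3}}."""
    out = defaultdict(Counter)
    for r in records:
        out[r['drive']][r['severity']] += 1
    return dict(out)


def to_remove(records):
    """Hits that are outright malware, in report order."""
    return [r for r in records if r['severity'] == 'malware']


if __name__ == '__main__':
    recs = parse_report(SAMPLE_REPORT)
    for drive, counts in sorted(summarize(recs).items()):
        print(drive + ':', dict(counts))
    for r in to_remove(recs):
        print('REMOVE', r['path'], '(%s)' % (r['signature'] or r['category']))
```

On the real report the interesting split is the C: and D: hits, which sit on the running system, against the E: and G: installer archive; a Themida-packed trojan in D:\Tally.ERP9 is a different problem from a bundled toolbar in an old setup file, and the per-drive summary makes that visible before anything is deleted.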