WiredWX Hobby Weather Tools

 


Win 7 Antivirus 2012 Remnants


Re: Win 7 Antivirus 2012 Remnants

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2011.12.30.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Kenny Diep :: TOUCHSMART [administrator]

12/29/2011 8:47:17 PM
mbam-log-2011-12-30 (08-47-06).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 564021
Time elapsed: 1 hour(s), 26 minute(s), 52 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RavenBleuSA (Adware.HotBar.RB) -> No action taken.
HKCU\Software\RavenBleuSA (Adware.Hotbar.RB) -> No action taken.

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|RavenBleuSA (Adware.HotBar.RB) -> Data: "C:\Users\Kenny Diep\AppData\Local\RavenBleuSA\bin\1.0.11.0\RavenBleuSA.exe" -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|68C99590-AF86-B6DD-DB7A-D874F37B2C09 (Trojan.FakeAlert) -> Data: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\68C99590-AF86-B6DD-DB7A-D874F37B2C09.avi", start minimized -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 4
C:\Windows\System32\config\systemprofile\AppData\Roaming\Security Defender (Rogue.SecurityDefender) -> No action taken.
C:\Users\Kenny Diep\Local Settings\Application Data\RavenBleuSA (Adware.Hotbar.RB) -> No action taken.
C:\Users\Kenny Diep\Local Settings\Application Data\RavenBleuSA\bin (Adware.Hotbar.RB) -> No action taken.
C:\Users\Kenny Diep\Local Settings\Application Data\RavenBleuSA\bin\1.0.11.0 (Adware.Hotbar.RB) -> No action taken.

Files Detected: 18
C:\Users\Kenny Diep\AppData\Local\RavenBleuSA\bin\1.0.11.0\RavenBleuSA.exe (Adware.HotBar.RB) -> No action taken.
C:\Qoobox\Quarantine\C\Windows\SysWOW64\68C99590-AF86-B6DD-DB7A-D874F37B2C09.avi.vir (Trojan.FakeAlert) -> No action taken.
C:\Qoobox\Quarantine\C\Windows\SysWOW64\JgAbkOoX.com.vir (Trojan.Email) -> No action taken.
C:\Users\Kenny Diep\AppData\Local\RavenBleuSA\bin\1.0.11.0\RavenBleuSAHook.dll (Adware.HotBar.RB) -> No action taken.
C:\Users\Kenny Diep\AppData\Local\RavenBleuSA\bin\1.0.11.0\RavenBleuUninstaller.exe (Adware.HotBar.RB) -> No action taken.
C:\Windows\assembly\temp\kwrd.dll (PUP.BitMiner) -> No action taken.
C:\Windows\System32\config\systemprofile\AppData\Local\68C99590-AF86-B6DD-DB7A-D874F37B2C09.avi (Trojan.FakeAlert) -> No action taken.
C:\Windows\System32\config\systemprofile\AppData\Local\App\lrsykvie.dll (Trojan.FakeAlert) -> No action taken.
C:\Windows\System32\config\systemprofile\AppData\Roaming\68C99590-AF86-B6DD-DB7A-D874F37B2C09.avi (Trojan.FakeAlert) -> No action taken.
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\68C99590-AF86-B6DD-DB7A-D874F37B2C09.avi (Trojan.FakeAlert) -> No action taken.
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\App\lrsykvie.dll (Trojan.FakeAlert) -> No action taken.
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\68C99590-AF86-B6DD-DB7A-D874F37B2C09.avi (Trojan.FakeAlert) -> No action taken.
C:\Windows\System32\config\systemprofile\AppData\Roaming\Security Defender\{22591AFD-D629-4738-6183-45DCBE2C8A46}.pst (Rogue.SecurityDefender) -> No action taken.
C:\Windows\System32\config\systemprofile\AppData\Roaming\Security Defender\{8943A8A9-E822-428C-5C99-1B0DD6BD7680}.pst (Rogue.SecurityDefender) -> No action taken.
C:\Users\Kenny Diep\Local Settings\Application Data\RavenBleuSA\bin\1.0.11.0\RavenBleuSA.exe (Adware.Hotbar.RB) -> No action taken.
C:\Users\Kenny Diep\Local Settings\Application Data\RavenBleuSA\bin\1.0.11.0\RavenBleuSAHook.dll (Adware.Hotbar.RB) -> No action taken.
C:\Users\Kenny Diep\Local Settings\Application Data\RavenBleuSA\bin\1.0.11.0\RavenBleuUninstaller.exe (Adware.Hotbar.RB) -> No action taken.
C:\Users\Kenny Diep\Desktop\eXplorer.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

(end)


Odd. I do recall taking action?

Re: Win 7 Antivirus 2012 Remnants

Hello.
It says no action was taken, did you remove what was found?

Re: Win 7 Antivirus 2012 Remnants

Yes, I did. I did the log before I removed it...

Re: Win 7 Antivirus 2012 Remnants

Hello.

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com


Rename ComboFix.exe to commy.exe before you save it to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to doing this can be found here
  • Click Start then copy paste the following command into the search box & hit enter: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. This will not install in Vista. Just continue scanning, and skip the console install.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

Re: Win 7 Antivirus 2012 Remnants

ComboFix 12-01-06.01 - Kenny Diep 01/06/2012 15:03:27.3.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3831.2395 [GMT -5:00]
Running from: c:\users\Kenny Diep\Desktop\Commy.exe
AV: avast! Internet Security *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
FW: avast! Internet Security *Disabled* {131692B0-0864-D491-4E21-3A3A1D8BBB47}
SP: avast! Internet Security *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\CFLog
c:\windows\assembly\temp\@
c:\windows\assembly\temp\bckfg.tmp
c:\windows\assembly\temp\cfg.ini
c:\windows\assembly\temp\keywords
c:\windows\system32\drivers\etc\hosts.ics
.
.
((((((((((((((((((((((((( Files Created from 2011-12-06 to 2012-01-06 )))))))))))))))))))))))))))))))
.
.
2012-01-06 20:12 . 2012-01-06 20:12 -------- d-----w- c:\users\f\AppData\Local\temp
2012-01-06 20:12 . 2012-01-06 20:12 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-29 14:24 . 2011-12-29 14:24 -------- d-----w- c:\program files (x86)\Common Files\Java
2011-12-25 21:05 . 2011-12-25 21:05 -------- d-----w- c:\program files\Microsoft Silverlight
2011-12-25 21:05 . 2011-12-25 21:05 -------- d-----w- c:\program files (x86)\Microsoft Silverlight
2011-12-23 00:23 . 2011-12-23 00:49 -------- d-----w- C:\Commy
2011-12-21 17:38 . 2011-12-21 17:38 -------- d-----w- c:\program files (x86)\ESET
2011-12-21 16:30 . 2011-12-21 16:30 -------- d-----w- c:\windows\system32\MpEngineStore
2011-12-20 22:50 . 2011-12-20 22:50 -------- d-----w- C:\Cache
2011-12-20 19:03 . 2011-12-20 19:03 -------- d-----w- C:\Temp
2011-12-19 02:57 . 2011-12-19 23:15 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2011-12-19 02:57 . 2011-12-19 23:15 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-12-13 22:38 . 2011-10-26 05:21 43520 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-13 22:38 . 2011-11-24 04:52 3145216 ----a-w- c:\windows\system32\win32k.sys
2011-12-13 22:38 . 2011-10-15 06:31 723456 ----a-w- c:\windows\system32\EncDec.dll
2011-12-13 22:38 . 2011-10-15 05:38 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
2011-12-13 22:38 . 2011-11-05 05:32 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-13 22:38 . 2011-11-05 04:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2011-12-11 00:02 . 2011-12-11 00:02 -------- d-----w- c:\windows\system32\Macromed
2011-12-10 21:04 . 2011-12-20 18:24 -------- d-----w- c:\users\Kenny Diep\AppData\Roaming\SUPERAntiSpyware.com
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-29 14:24 . 2010-12-02 02:52 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-12-11 00:02 . 2011-03-03 12:14 525544 ----a-w- c:\windows\system32\deployJava1.dll
2011-12-11 00:02 . 2011-05-19 10:38 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-12-10 20:24 . 2011-02-07 13:26 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-02 22:29 . 2011-12-04 14:00 116224 ----a-w- c:\windows\SysWow64\JgAbkOoX.com_
2011-11-21 11:40 . 2011-12-02 13:30 8822856 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8FA25C06-85AF-46A0-8767-2DF90ADC8015}\mpengine.dll
2011-03-01 13:12 . 2011-03-01 13:09 12067528 ----a-w- c:\program files (x86)\Common Files\lpuninstall.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-23_00.42.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-14 04:46 . 2011-12-24 17:35 94000 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
- 2010-11-26 22:13 . 2011-08-30 00:19 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-11-26 22:13 . 2012-01-05 01:05 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-11-18 18:04 . 2011-11-18 18:04 39936 c:\windows\Installer\5f8d5e9.msi
- 2011-12-21 14:00 . 2011-12-23 00:41 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-01-06 20:13 . 2012-01-06 20:13 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-01-06 20:13 . 2012-01-06 20:13 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-12-21 14:00 . 2011-12-23 00:41 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-07-03 13:51 . 2011-05-04 08:52 157472 c:\windows\SysWOW64\javaws.exe
+ 2011-12-29 14:24 . 2011-12-29 14:24 157472 c:\windows\SysWOW64\javaws.exe
+ 2011-12-29 14:24 . 2011-12-29 14:24 149280 c:\windows\SysWOW64\javaw.exe
+ 2011-12-29 14:24 . 2011-12-29 14:24 149280 c:\windows\SysWOW64\java.exe
+ 2009-07-14 05:01 . 2012-01-06 20:12 337792 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2011-12-21 13:59 337792 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-12-29 14:24 . 2011-12-29 14:24 207360 c:\windows\Installer\191f51b9.msi
- 2011-07-22 03:31 . 2011-12-21 13:59 3729608 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2011-07-22 03:31 . 2012-01-06 20:12 3729608 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2011-04-02 19:16 . 2012-01-06 20:12 6442228 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2503263900-158799546-2591639019-1000-4096.dat
+ 2011-04-03 13:39 . 2012-01-06 20:12 3652156 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2503263900-158799546-2591639019-1000-12288.dat
- 2011-04-03 13:39 . 2011-12-21 13:59 3652156 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2503263900-158799546-2591639019-1000-12288.dat
+ 2010-11-26 21:57 . 2012-01-06 20:12 29856920 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2503263900-158799546-2591639019-1000-8192.dat
+ 2011-12-25 21:05 . 2011-12-25 21:05 52920320 c:\windows\Installer\5f8d5f2.msp
+ 2011-12-29 14:23 . 2011-12-29 14:23 12905472 c:\windows\Installer\191f51b2.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Update"="c:\users\Kenny Diep\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2011-08-16 137536]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-12-19 5486464]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-10-09 421736]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files (x86)\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\SysWOW64\Macromed\Flash\FlashUtil10r_ActiveX.exe" [2011-06-02 240288]
.
c:\users\f\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Install LastPass FF RunOnce.lnk - c:\program files (x86)\Common Files\lpuninstall.exe [2011-3-1 12067528]
.
c:\users\Kenny Diep\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
UniKeyNT - Shortcut.lnk - c:\users\Kenny Diep\Downloads\UniKeyNT.exe [2009-11-2 316928]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
68C99590-AF86-B6DD-DB7A-D874F37B2C09.lnk - c:\windows\System32\rundll32.exe [2009-7-13 45568]
Virtual Router Manager.lnk - c:\windows\Installer\{8DB05F7E-1F7A-4CC0-882F-375B97F04CD4}\_E6D9769DD20AF384865041.exe [2011-7-18 22486]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SolutoService]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
R3 Andbus;LGE Android Platform Composite USB Device;c:\windows\system32\DRIVERS\lgandbus64.sys [x]
R3 AndDiag;LGE Android Platform USB Serial Port;c:\windows\system32\DRIVERS\lganddiag64.sys [x]
R3 AndGps;LGE Android Platform USB GPS NMEA Port;c:\windows\system32\DRIVERS\lgandgps64.sys [x]
R3 ANDModem;LGE Android Platform USB Modem;c:\windows\system32\DRIVERS\lgandmodem64.sys [x]
R3 androidusb;ADB Interface Driver;c:\windows\system32\Drivers\lgandadb.sys [x]
R3 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 clwvd;HP Webcam Splitter;c:\windows\system32\DRIVERS\clwvd.sys [x]
R3 connctfy;Connectify Service;c:\windows\system32\DRIVERS\connctfy.sys [x]
R3 connctfyMP;connctfyMP;c:\windows\system32\DRIVERS\connctfy.sys [x]
R3 dump_wmimmc;dump_wmimmc;c:\ijji\ENGLISH\AVA\Binaries\GameGuard\dump_wmimmc.sys [x]
R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]
R3 GenericMount;Generic Mount Driver;c:\windows\system32\DRIVERS\GenericMount.sys [x]
R3 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-26 136176]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-26 136176]
R3 hidkmdf;Microsoft HID Class Shim for KMDF;c:\windows\system32\DRIVERS\hidkmdf.sys [x]
R3 libusb0;LibUsb-Win32 - Kernel Driver 03/20/2007, 0.1.12.1;c:\windows\system32\DRIVERS\libusb0.sys [2009-03-19 32808]
R3 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\Common Files\Nitro PDF\Professional\6.0\NitroPDFDriverServicex64.exe [2011-01-31 341312]
R3 NW1950;NextWindow 1950 Touch Screen;c:\windows\system32\DRIVERS\NW1950.sys [x]
R3 pnetmdm;PdaNet Modem;c:\windows\system32\DRIVERS\pnetmdm64.sys [x]
R3 PSVolAcc;PSVolAcc; [x]
R3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\DRIVERS\teamviewervpn.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2009-10-01 2320920]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [x]
R3 X6va005;X6va005;c:\users\KENNYD~1\AppData\Local\Temp\0051D0C.tmp [x]
R4 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.EXE [2009-11-17 98208]
R4 CinemaNow Service;CinemaNow Service;c:\program files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe [2010-06-13 400368]
R4 nlsX86cc;NLS Service;c:\windows\SysWOW64\NLSSRV32.EXE [2011-01-31 68928]
R4 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe [2009-10-24 360224]
R4 TeamViewer6;TeamViewer 6;c:\program files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2010-12-07 2228008]
S0 Soluto;Soluto;c:\windows\system32\DRIVERS\Soluto.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S2 SolutoService;Soluto PCGenome Core Service;c:\program files\Soluto\SolutoService.exe [2011-07-07 376352]
S2 Virtual Router;VirtualRouterService;c:\program files (x86)\Virtual Router\VirtualRouterService.exe [2009-11-18 12288]
S2 WinAgentsTftpService4;WinAgents TFTP Service 4;c:\program files (x86)\Common Files\WinAgents\TftpService.exe [2011-04-02 111376]
S3 ACPIService;Buttons and OSDs ACPI driver gen2;c:\windows\system32\DRIVERS\OSDACPI.SYS [x]
S3 AVerAVF2;AVerAVF2;c:\windows\system32\DRIVERS\AVerAVF2.sys [x]
S3 FintekCIR;Fintek eHome Transceiver;c:\windows\system32\DRIVERS\FintekCIR.sys [x]
S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
S3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-06 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2503263900-158799546-2591639019-1000Core.job
- c:\users\Kenny Diep\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-16 02:10]
.
2012-01-06 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2503263900-158799546-2591639019-1000UA.job
- c:\users\Kenny Diep\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-16 02:10]
.
2011-10-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-26 01:08]
.
2012-01-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-26 01:08]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-10-16 415256]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uLocal Page = %SystemRoot%\system32\blank.htm
mLocal Page = %SystemRoot%\system32\blank.htm
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath -
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
AddRemove-Android Screencast - c:\windows\system32\javaws.exe
AddRemove-GCalc 3 - c:\windows\system32\javaws.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\X6va005]
"ImagePath"="\??\c:\users\KENNYD~1\AppData\Local\Temp\0051D0C.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"=hex:51,66,7a,6c,4c,1d,38,12,5c,be,8a,
eb,c9,8f,bc,54,f6,39,43,d0,22,43,0b,9c
"{8E5E2654-AD2D-48BF-AC2D-D17F00898D06}"=hex:51,66,7a,6c,4c,1d,38,12,3a,25,4d,
8a,1f,e3,d1,0d,d3,3b,92,3f,05,d7,c9,12
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=hex:51,66,7a,6c,4c,1d,38,12,11,7f,11,
d0,78,5b,08,05,de,bb,01,03,dd,4c,30,54
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"=hex:51,66,7a,6c,4c,1d,38,12,df,c1,0b,
27,57,07,ba,54,e4,0e,43,d0,22,fb,89,5b
"{02478D38-C3F9-4EFB-9B51-7695ECA05670}"=hex:51,66,7a,6c,4c,1d,38,12,56,8e,54,
06,cb,8d,95,0b,e4,47,35,d5,e9,fe,12,64
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{AA58ED58-01DD-4D91-8333-CF10577473F7}"=hex:51,66,7a,6c,4c,1d,38,12,36,ee,4b,
ae,ef,4f,ff,08,fc,25,8c,50,52,2a,37,e3
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}"=hex:51,66,7a,6c,4c,1d,38,12,70,05,61,
f9,ec,d1,23,0d,da,9c,48,eb,44,0f,8e,cc
"{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}"=hex:51,66,7a,6c,4c,1d,38,12,cf,4e,be,
f9,90,2f,b6,0a,e3,01,c5,b7,a9,7a,14,95
"{FF2573AE-E1ED-40E1-83BA-F544CB2EE135}"=hex:51,66,7a,6c,4c,1d,38,12,c0,70,36,
fb,df,af,8f,05,fc,ac,b6,04,ce,70,a5,21
"{167D9323-F7CC-48F5-948A-6F012831A69F}"=hex:51,66,7a,6c,4c,1d,38,12,4d,90,6e,
12,fe,b9,9b,0d,eb,9c,2c,41,2d,6f,e2,8b
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:d0,a2,34,31,0f,bc,cc,01
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d7,a2,6e,12,56,62,af,41,94,d5,0c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d7,a2,6e,12,56,62,af,41,94,d5,0c,\
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10r_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10r_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10r.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10r.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10r.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10r.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="REMOVED"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
.
**************************************************************************
.
Completion time: 2012-01-06 15:25:15 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-06 20:25
ComboFix2.txt 2011-12-24 17:13
ComboFix3.txt 2011-12-23 00:49
.
Pre-Run: 764,160,598,016 bytes free
Post-Run: 763,920,113,664 bytes free
.
- - End Of File - - CBD94AD66420F20BA4D8DF55AFFEBCBE

Re: Win 7 Antivirus 2012 Remnants

Looks like that file is back? "JgAbkOoX.com_"

Re: Win 7 Antivirus 2012 Remnants

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:

  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the anti-virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

Re: Win 7 Antivirus 2012 Remnants

JgAbkOoX.com_;C:\Windows\SysWOW64;Trojan.Siggen3.33825;Deleted.;
GetAd[1].js\JSFile_1[0][7d9];C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KBBFI3ZB\GetAd[1];Probably SCRIPT.Virus;;
GetAd[1].js;C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KBBFI3ZB;Container contains infected objects;Moved.;
GetAd[1].js;C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KBBFI3ZB;Probably SCRIPT.Virus;Invalid path to file ;
consrv.dll.vir;C:\Qoobox\Quarantine\C\Windows\System32;BackDoor.Maxplus.90;Cured.;
Desktop.ini;C:\Windows\assembly\GAC_32;BackDoor.Maxplus.90;Deleted.;
Desktop.ini;C:\Windows\assembly\GAC_64;BackDoor.Maxplus.90;Deleted.;
mua la me bay live.au;F:\desktop;Trojan.WMALoader;Cured.;
mua la me bay.au;F:\desktop;Trojan.WMALoader;Cured.;
thuy tien 320k bitrate quality.snd;F:\desktop;Trojan.WMALoader;Cured.;
thuy tien [256k quality].mp3;F:\desktop;Trojan.WMALoader;Cured.;
thuy tien [new single].au;F:\desktop;Trojan.WMALoader;Cured.;
vuong nhat huy live at vegas.snd;F:\desktop;Trojan.WMALoader;Cured.;

Re: Win 7 Antivirus 2012 Remnants

Am I for the all clear? It's really irking me, it's been ELEVEN days.

Re: Win 7 Antivirus 2012 Remnants

Any difference now? I think Dr.Web might have got it.

Re: Win 7 Antivirus 2012 Remnants

THANKYOU! I think I am good...

Re: Win 7 Antivirus 2012 Remnants

It was probably those infected music files triggering it.
