Trojan horse SHeur3.CNHF

One of my pc's keeps coming up with this virus. I have Symantec Endpoint Protection installed on this pc but this has failed to deal with this virus. I then installed AVG but again this does not seem to have done the trick as a message comes up saying " cannot be removed, invalid parameter specified.

I would appreciate any assistance in removing this virus.

Regards


Shottonmanager

Hello and welcome to GeekPolice.Net My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*****************************************************************
Please download AdwCleaner by Xplode onto your Desktop.

• Double click on AdwCleaner.exe to run the tool.
  
• Click on Search.
  
• A logfile will automatically open after the scan has finished.
  
• Please post the content of that logfile in your reply.
  
• You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.
  

*****************************************************
Please download Malwarebytes Anti-Malware from here.
Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Full Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  
• Please save the log to a location you will remember.
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the entire report in your next reply.
  

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
********************************************************
Download Security Check by screen317 from one of the following links and save it to your desktop.

Link 1
Link 2

* Double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

Hi Dave many thanks for your help in this matter. Please find the results of the AdwCleaner log as requested.

# AdwCleaner v2.112 - Logfile created 02/13/2013 at 09:35:52
# Updated 10/02/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (32 bits)
# User : User 1 - USER1-PC
# Boot Mode : Normal
# Running from : C:\Users\User 1\Desktop\adwcleaner0.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Value Found : HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel [Homepage]

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16457

[OK] Registry is clean.

*************************

AdwCleaner[R1].txt - [609 octets] - [13/02/2013 09:35:52]

########## EOF - C:\AdwCleaner[R1].txt - [668 octets] ##########

Hi Dave and Malware log as well.

Malwarebytes Anti-Malware (Trial) 1.70.0.1100
www.malwarebytes.org

Database version: v2013.02.12.10

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
User 1 :: USER1-PC [administrator]

Protection: Enabled

13/02/2013 10:36:54
mbam-log-2013-02-13 (10-36-54).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 376473
Time elapsed: 47 minute(s), 9 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Comment removed. You are not authorized to post malware advice in this forum. If you have any problems you can contact me by pm.

Download Combofix from any of the links below, and save it to your DESKTOP.
If your version of Windows defaults to you download folder you will need to copy it to your desktop.

Link 1
Link 2
Link 3

To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.

• Close any open windows and double click ComboFix.exe to run it.
  
  You will see the following image:
  

Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:



As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.



Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.
*********************************************************
Download Security Check by screen317 from one of the following links and save it to your desktop.

Link 1
Link 2

* Double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

ComboFix 13-02-13.02 - User 1 14/02/2013 9:24.1.2 - x86
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.2047.1102 [GMT 0:00]
Running from: c:\users\User 1\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2013 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
FW: Symantec Endpoint Protection *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: AVG Anti-Virus Free Edition 2013 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\security\Database\tmp.edb
.
.
((((((((((((((((((((((((( Files Created from 2013-01-14 to 2013-02-14 )))))))))))))))))))))))))))))))
.
.
2013-02-14 09:33 . 2013-02-14 09:35 -------- d-----w- c:\users\User 1\AppData\Local\temp
2013-02-14 09:33 . 2013-02-14 09:33 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-02-14 09:33 . 2013-02-14 09:33 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2013-02-14 09:18 . 2013-02-14 09:18 -------- d-----w- c:\users\User 1\AppData\Local\Max Secure Software
2013-02-14 09:13 . 2013-02-14 09:19 -------- d-----w- c:\users\User 1\AppData\Roaming\GetRightToGo
2013-02-13 18:19 . 2013-01-04 03:00 2347008 ----a-w- c:\windows\system32\win32k.sys
2013-02-13 18:19 . 2013-01-05 05:00 3967848 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-02-13 18:19 . 2013-01-05 05:00 3913064 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-02-13 18:19 . 2013-01-03 05:05 1293672 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-02-13 18:19 . 2013-01-03 05:04 187752 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2013-02-13 18:19 . 2013-01-04 04:50 169984 ----a-w- c:\windows\system32\winsrv.dll
2013-02-13 14:43 . 2013-02-13 16:33 -------- d-----w- c:\users\User 1\AppData\Roaming\SPE
2013-02-13 09:09 . 2013-02-13 09:09 -------- d-----w- c:\users\Default\AppData\Roaming\TuneUp Software
2013-02-06 13:30 . 2013-02-06 13:30 -------- d-----w- c:\users\User 1\AppData\Roaming\AVG2013
2013-02-06 13:29 . 2013-02-06 13:29 -------- d-----w- c:\users\User 1\AppData\Roaming\TuneUp Software
2013-02-06 13:29 . 2013-02-06 13:47 -------- d-----w- c:\programdata\AVG2013
2013-02-06 13:29 . 2013-02-06 13:29 -------- d-----w- C:\$AVG
2013-02-06 13:28 . 2013-02-06 13:28 -------- d-----w- c:\program files\AVG
2013-02-06 13:27 . 2013-02-13 17:42 -------- d-----w- c:\programdata\MFAData
2013-02-06 13:27 . 2013-02-06 13:32 -------- d-----w- c:\users\User 1\AppData\Local\Avg2013
2013-02-06 13:27 . 2013-02-06 13:27 -------- d--h--w- c:\programdata\Common Files
2013-02-06 13:27 . 2013-02-06 13:27 -------- d-----w- c:\users\User 1\AppData\Local\MFAData
2013-02-04 08:34 . 2013-02-04 08:34 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-02-04 08:34 . 2013-02-04 08:34 -------- d-----w- c:\program files\Java
2013-01-30 13:06 . 2013-01-30 13:06 -------- d-----w- c:\users\User 1\AppData\Local\Programs
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-13 13:06 . 2012-06-14 07:24 691568 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-02-13 13:06 . 2011-06-09 07:09 71024 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-02-04 08:34 . 2012-08-21 06:59 861088 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-02-04 08:34 . 2011-03-08 15:05 782240 ----a-w- c:\windows\system32\deployJava1.dll
2012-12-16 14:13 . 2012-12-21 14:22 295424 ----a-w- c:\windows\system32\atmfd.dll
2012-12-16 14:13 . 2012-12-21 14:22 34304 ----a-w- c:\windows\system32\atmlib.dll
2012-12-14 16:49 . 2012-11-07 17:02 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-12-07 12:26 . 2013-01-09 09:03 308736 ----a-w- c:\windows\system32\Wpc.dll
2012-12-07 12:20 . 2013-01-09 09:03 2576384 ----a-w- c:\windows\system32\gameux.dll
2012-12-07 10:46 . 2013-01-09 09:03 43520 ----a-w- c:\windows\system32\csrr.rs
2012-12-07 10:46 . 2013-01-09 09:03 30720 ----a-w- c:\windows\system32\usk.rs
2012-12-07 10:46 . 2013-01-09 09:03 45568 ----a-w- c:\windows\system32\oflc-nz.rs
2012-12-07 10:46 . 2013-01-09 09:03 44544 ----a-w- c:\windows\system32\pegibbfc.rs
2012-12-07 10:46 . 2013-01-09 09:03 20480 ----a-w- c:\windows\system32\pegi-pt.rs
2012-12-07 10:46 . 2013-01-09 09:03 23552 ----a-w- c:\windows\system32\oflc.rs
2012-12-07 10:46 . 2013-01-09 09:03 20480 ----a-w- c:\windows\system32\pegi-fi.rs
2012-12-07 10:46 . 2013-01-09 09:03 46592 ----a-w- c:\windows\system32\fpb.rs
2012-12-07 10:46 . 2013-01-09 09:03 20480 ----a-w- c:\windows\system32\pegi.rs
2012-12-07 10:46 . 2013-01-09 09:03 21504 ----a-w- c:\windows\system32\grb.rs
2012-12-07 10:46 . 2013-01-09 09:03 40960 ----a-w- c:\windows\system32\cob-au.rs
2012-12-07 10:46 . 2013-01-09 09:03 15360 ----a-w- c:\windows\system32\djctq.rs
2012-12-07 10:46 . 2013-01-09 09:03 51712 ----a-w- c:\windows\system32\esrb.rs
2012-12-07 10:46 . 2013-01-09 09:03 55296 ----a-w- c:\windows\system32\cero.rs
2012-11-30 04:47 . 2013-01-09 09:03 293376 ----a-w- c:\windows\system32\KernelBase.dll
2012-11-30 04:45 . 2013-01-09 09:03 4608 ---ha-w- c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 09:03 4096 ---ha-w- c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 09:03 4096 ---ha-w- c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 09:03 4096 ---ha-w- c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 09:03 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 09:03 3584 ---ha-w- c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 09:03 3584 ---ha-w- c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 09:03 3584 ---ha-w- c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 09:03 3584 ---ha-w- c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 09:03 3584 ---ha-w- c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 09:03 3584 ---ha-w- c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 09:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-string-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 09:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 09:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-io-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 09:03 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 09:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 09:03 5120 ---ha-w- c:\windows\system32\api-ms-win-core-file-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 09:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 09:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 09:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 09:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 09:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 09:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 09:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-console-l1-1-0.dll
2012-11-30 02:55 . 2013-01-09 09:03 271360 ----a-w- c:\windows\system32\conhost.exe
2012-11-30 02:38 . 2013-01-09 09:03 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2012-11-30 02:38 . 2013-01-09 09:03 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2012-11-30 02:38 . 2013-01-09 09:03 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2012-11-30 02:38 . 2013-01-09 09:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2012-11-23 02:48 . 2013-01-09 09:03 49152 ----a-w- c:\windows\system32\taskhost.exe
2012-11-22 04:45 . 2013-01-09 09:03 626688 ----a-w- c:\windows\system32\usp10.dll
2012-11-20 04:51 . 2013-01-09 09:03 220160 ----a-w- c:\windows\system32\ncrypt.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Steam\Steam.exe" [2012-12-04 1354736]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-03-02 98304]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-01-25 115560]
"Mouse Suite 98 Daemon"="ICO.EXE" [2004-07-14 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-12-19 41208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"Clear TMP"="c:\users\User 1\AppData\tmpdir\cleartmp.bat" [2013-01-30 16]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"AVG_UI"="c:\program files\AVG\AVG2013\avgui.exe" [2012-12-11 3147384]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-8-16 113664]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 AVGIDSHX;AVGIDSHX;c:\windows\system32\DRIVERS\avgidshx.sys [x]
S0 Avglogx;AVG Logging Driver;c:\windows\system32\DRIVERS\avglogx.sys [x]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [x]
S1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdriverx.sys [x]
S1 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\avgidsshimx.sys [x]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [x]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2013\avgidsagent.exe [x]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2013\avgwdsvc.exe [x]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
GPSvcGroup REG_MULTI_SZ GPSvc
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-14 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-14 13:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.shottonitcentre.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: adobe.com
Trusted Zone: course-source.net
Trusted Zone: learndirect-business.com
Trusted Zone: learndirect.co.uk
Trusted Zone: learndirect.co.uk\access
Trusted Zone: learndirect.co.uk\learning
Trusted Zone: learndirect.co.uk\www
Trusted Zone: thirdforce.com
TCP: DhcpNameServer = 192.168.1.254
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-Symantec Antvirus
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-190431672-3697220943-4205324246-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D82972B8-4D50-421D-A9DC-3A14199FC5BB}*Win32"}]
@Allowed: (Read) (RestrictedCode)
"AppName"="Roblox.exe"
"Policy"=dword:00000003
"AppPath"="c:\\Users\\User 1\\AppData\\Local\\Roblox\\Versions\\version-6ca07d14e2274822\\"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-02-14 09:36:36
ComboFix-quarantined-files.txt 2013-02-14 09:36
.
Pre-Run: 123,850,731,520 bytes free
Post-Run: 123,843,944,448 bytes free
.
- - End Of File - - 6746A50C81866532CA21A376C427C1BA

Results of screen317's Security Check version 0.99.57
Windows 7 Service Pack 1 x86 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
AVG Anti-Virus Free Edition 2013
Symantec Endpoint Protection
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.70.0.1100
Java 7 Update 13
Java version out of Date!
Adobe Reader 9 Adobe Reader out of Date!
````````Process Check: objlist.exe by Laurent````````
Norton ccSvcHst.exe
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
AVG avgwdsvc.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
Malwarebytes' Anti-Malware mbamscheduler.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 2%
````````````````````End of Log``````````````````````

The CF log shows you have two AV programs active on your computer; AVG Anti-Virus Free Edition 2013 and Symantec Endpoint Protection. One will have to be disabled/uninstalled as they can cause conflicts.
************************************************
Re-running ComboFix to remove infections:

• Close any open browsers.
  
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  
• Open notepad and copy/paste the text in the quotebox below into it:
  

  
  KillAll::
  
  Firefox::
  Trusted Zone: adobe.com
  Trusted Zone: course-source.net
  Trusted Zone: learndirect-business.com
  Trusted Zone: learndirect.co.uk
  Trusted Zone: learndirect.co.uk\access
  Trusted Zone: learndirect.co.uk\learning
  Trusted Zone: learndirect.co.uk\www
  Trusted Zone: thirdforce.com
  
  DDS::
  Trusted Zone: adobe.com
  Trusted Zone: course-source.net
  Trusted Zone: learndirect-business.com
  Trusted Zone: learndirect.co.uk
  Trusted Zone: learndirect.co.uk\access
  Trusted Zone: learndirect.co.uk\learning
  Trusted Zone: learndirect.co.uk\www
  Trusted Zone: thirdforce.com
  
  

  
  
• Save this as CFScript.txt, in the same location as ComboFix.exe
  
  
  
  
• Referring to the picture above, drag CFScript into ComboFix.exe
  
• When finished, it shall produce a log for you at C:\ComboFix.txt
  
• I don't need to see the log from this script.
  

************************************************************
Update Your Java (JRE)

Old versions of Java have vulnerabilities that malware can use to infect your system.

First Verify your Java Version

If there are any other version(s) installed then update now.

Get the new version (if needed)

If your version is out of date install the newest version of the Sun Java Runtime Environment.

Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Be sure to close ALL open web browsers before starting the installation.

Remove any old versions

1. Download JavaRa and unzip the file to your Desktop.
2. Open JavaRA.exe and choose Remove Older Versions
3. Once complete exit JavaRA.

Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
*************************************************
Update your Adobe Reader. get.adobe.com/reader.

Be sure to uncheck the Free McAfee Security Scan so it isn't installed.

**************************************************

• Download RogueKiller on the desktop
  
• Close all the running programs
  
• Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
  
• Otherwise just double-click on RogueKiller.exe
  
• Pre-scan will start. Let it finish.
  
• Click on SCAN button.
  
• A report (RKreport.txt) should open. Post its content in your next reply. (RKreport could also be found on your desktop)
  
• If RogueKiller has been blocked, do not hesitate to try a few times more. If really won't run, rename it to winlogon.exe (or winlogon.com) and try again
  

************************************************
SysProt Antirootkit

Download
SysProt Antirootkit from the link below (you will find it at the bottom
of the page under attachments, or you can get it from one of the
mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

• Double click Sysprot.exe to start the program.
  
• Click on the Log tab.
  
• In the Write to log box select the following items.
  
  
  
  • Process << Selected
    
  • Kernel Modules << Selected
    
  • SSDT << Selected
    
  • Kernel Hooks << Selected
    
  • IRP Hooks << NOT Selected
    
  • Ports << NOT Selected
    
  • Hidden Files << Selected
    
  
  
• At the bottom of the page
  
  
  
  • Hidden Objects Only << Selected
    
  
  
• Click on the Create Log button on the bottom right.
  
• After a few seconds a new window should appear.
  
• Select Scan Root Drive. Click on the Start button.
  
• When it is complete a new window will appear to indicate that the scan is finished.
  
• The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
  

Hi Dave, I really appreciate the effort and time you are putting into this. RogueKiller report as requested..
Jim

RogueKiller V8.5.1 [Feb 12 2013] by Tigzy
mail : tigzyRKgmailcom
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : User 1 [Admin rights]
Mode : Scan -- Date : 02/15/2013 08:59:37
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 6 ¤¤¤
[RUN][SUSP PATH] HKLM\[...]\Run : Clear TMP ("C:\Users\User 1\AppData\tmpdir\cleartmp.bat") [-] -> FOUND
[TASK][SUSP PATH] AutoClose (1) : "C:\Users\User 1\AppData\TMPDIR\Game\1\closedown_Auto.bat" [x] -> FOUND
[TASK][SUSP PATH] AutoCloseManual (1) : "C:\Users\User 1\AppData\TMPDIR\Game\kick.vbs" [x] -> FOUND
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[13] : NtAlertResumeThread @ 0x82EE5B8B -> HOOKED (Unknown @ 0x85F8F600)
SSDT[14] : NtAlertThread @ 0x82E38BB0 -> HOOKED (Unknown @ 0x85F8F6E0)
SSDT[19] : NtAllocateVirtualMemory @ 0x82E31BBC -> HOOKED (Unknown @ 0x85F83B50)
SSDT[59] : ExpInterlockedPopEntrySListResume @ 0x82E7FE80 -> HOOKED (Unknown @ 0x85E33BB8)
SSDT[74] : NtCreateMutant @ 0x82E1827A -> HOOKED (Unknown @ 0x85F84E80)
SSDT[87] : NtCreateThread @ 0x82EE3DC6 -> HOOKED (Unknown @ 0x85F82300)
SSDT[131] : NtFreeVirtualMemory @ 0x82CC07FC -> HOOKED (Unknown @ 0x85F839B0)
SSDT[145] : NtImpersonateAnonymousToken @ 0x82DFD8DE -> HOOKED (Unknown @ 0x85F84F70)
SSDT[147] : NtImpersonateThread @ 0x82E81772 -> HOOKED (Unknown @ 0x85F8F520)
SSDT[168] : NtMapViewOfSection @ 0x82E4E4D9 -> HOOKED (Unknown @ 0x85F838D0)
SSDT[177] : NtOpenEvent @ 0x82E17C76 -> HOOKED (Unknown @ 0x85F84DA0)
SSDT[191] : NtOpenProcessToken @ 0x82E6C17F -> HOOKED (Unknown @ 0x85F83C20)
SSDT[199] : NtOpenThreadToken @ 0x82E8045B -> HOOKED (Unknown @ 0x85F8FBB8)
SSDT[304] : NtResumeThread @ 0x82E784D2 -> HOOKED (Unknown @ 0x85F81BF8)
SSDT[316] : NtSetContextThread @ 0x82EE5637 -> HOOKED (Unknown @ 0x85F8FAD8)
SSDT[333] : NtSetInformationProcess @ 0x82E4075D -> HOOKED (Unknown @ 0x85F8FCA8)
SSDT[335] : NtSetInformationThread @ 0x82E71C36 -> HOOKED (Unknown @ 0x85F8F9E8)
SSDT[366] : NtSuspendProcess @ 0x82EE5AC7 -> HOOKED (Unknown @ 0x85F84CC0)
SSDT[367] : NtSuspendThread @ 0x82E9CFAB -> HOOKED (Unknown @ 0x85F8F828)
SSDT[370] : NtTerminateProcess @ 0x82E62B9D -> HOOKED (Unknown @ 0x85F823E0)
SSDT[371] : NtTerminateThread @ 0x82E804AB -> HOOKED (Unknown @ 0x85F8F908)
SSDT[385] : NtUnmapViewOfSection @ 0x82E6C7BA -> HOOKED (Unknown @ 0x85F83810)
SSDT[399] : NtWriteVirtualMemory @ 0x82E6789A -> HOOKED (Unknown @ 0x85F83A80)

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts



¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD5000AAKS-00Z7B0 ATA Device +++++
--- User ---
[MBR] f6fbbfb4a0e579da0fa363f5f9f17b50
[BSP] 302ad67884f2771dc2c7eaab6a3acb14 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 176839 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 362373120 | Size: 299999 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_02152013_02d0859.txt >>
RKreport[1]_S_02152013_02d0859.txt

Sysprot.exe report as requested.

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
No Hidden Kernel Modules found

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
No hidden files/folders found

• Download TDSSKiller and save it to your Desktop.
  
• Extract its contents to your desktop.
  
• Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  
  
  
  
• If an infected file is detected, the default action will be Cure, click on Continue.
  
  
  
  
• If a suspicious file is detected, the default action will be Skip, click on Continue.
  
  
  
  
• It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  
  
  
  
• Click the Report button and copy/paste the contents of it into your next reply
  

Note:It will also create a log in the C:\ directory..

Please run RogueKiller again after doing the above.