Previous Topic Next Topic

How to remove Win32/Small.CAvirus?

Solved/Closed
faraa Posts 9 Registration date Monday October 15, 2012 Status Member Last seen November 16, 2012 - Nov 3, 2012 at 10:48 AM
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 - Dec 5, 2012 at 04:36 PM
Hello,
I am not knowledgeable in the field of IT.Mostly i use my pc to surf on the net and for personal use.However since the 20th of October,windows action center detected an issue to be addressed. It said 'remove the Win32/Small.CAvirus'. Unable to remove it,it was automatically moved to archived messages.
The solution was to go to this site: https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download
However on activating the scan,halfway through it,the scan froze.And the system shut down by itself.
I was using AVG and AVira,but none of the above AV detected the virus win32.
Since then I am having same kind of problem.Unexpected shutdowns.I downloaded Microsoft Security Essentials,but again the AV cannot run the scan. It always shut down halfway,be it am running a quick or whole system scan.
Kindly help out please.



28 responses

Answer 1 / 28
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,171
Nov 3, 2012 at 04:14 PM
To help you and prescribe the remedy, I must make a diagnostic and to do so, I require a system log.

1. Open this link and download ZHPDiag2 :

https://www.zebulon.fr/telechargements/securite/systeme/zhpdiag.html

(Don't be alarmed is the site is in French, it sometimes happens, the tool will take your system language and allow the download if you get a warning message. Once installed, click on the "hardhat" icon, it allows to change the language.)

2. Save the file on your Desktop.

3. Double click on ZHPDiag.exe and follow the installation instructions.

the tool creates three icons ZHPDiag, MRB, and ZHPFix (If necessary,we will use ZHPFix at the next step).

4. Double click on the short cut ZHPDiag on your Destktop.

5. Click on the screwdriver icon and ensure all of the items are checked.

6. Click on the Magnifying glass and run the analysys.

Wait for the tool to finished (maybe a long time)

7. Close ZHPDiag.

8. To transmit the report, click on this link :

https://authentification.site

9. Click on Parcourir and search the directory where you installed ZHPDiag (usually C:\desktop\zhpdiag.txt).

10. Select the file ZHPDiag.txt.

11. Click on "upload ยป

12. Copy the url and post it here.

Best regards

Ambucias
Moderator /Security Contributor
0
faraa Posts 9 Registration date Monday October 15, 2012 Status Member Last seen November 16, 2012
Nov 7, 2012 at 09:52 AM
Hi..Thanks a load 4 your reply and taking the time 2 reply..I followed your instructions..Though I am not used 2 the technical words,i think i did what u instructed n here it is..
http://speedy.sh/S68Tj/ZHPDiag.txt
0
faraa Posts 9 Registration date Monday October 15, 2012 Status Member Last seen November 16, 2012
Nov 7, 2012 at 09:55 AM
sorry if i aint got it right..
0
Answer 2 / 28
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,171
Nov 7, 2012 at 04:10 PM
Stand by for my analysis
0
Answer 3 / 28
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,171
Nov 7, 2012 at 04:42 PM
Hi

I have just finished studying your log. It took me over an hour and I have found over 100 infected items, adware, spyware, trojan horses. Most of the malware originate from your downloads and cracked applications and key generators. In other words, you machine is very badly infected and if it continues, you could ruin your system.

I will give you the best way to desinfect your computer but I must warn you that some of the cracked software may no longer work as they are also virused.

This is a very potent medicinal compound and you must follow my directives to the letter:1. Download Combofix to your desktop.

http://www.combofix.org/download.php

2.Close all open Windows including this one.

Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.

3. Double click on the ComboFix icon.

Windows is issuing this prompt because ComboFix does not have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue.

4. Accept the disclaimer and the recovery

5.You should now press the Yes button to continue. If at any time during the Recovery Console installation you receive a message stating that it failed to install, please allow ComboFix to continue with the scan of your computer.

ComboFix will disconnect your computer from the Internet, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection.

While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to their previous settings.

If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.

During the process, please do not mouse click nor must you tap on the keyboard. Let the tool run.

When all is finished, post the Combofix log here and upload a brand new ZHP Diag log and tell what is the link.

Good luck
0
Answer 4 / 28
faraa Posts 9 Registration date Monday October 15, 2012 Status Member Last seen November 16, 2012
Nov 10, 2012 at 11:02 AM
Hi..I installed the Combofix,but i found no program log file or report as u suggested above. So I am unable to post the Combofix log. However after the scan,it found 4 threats.
1. Virus.W32.HLLP.Labox.A (critical)
2. Trojan.Generic (critical)
3. Hoax.BadJoke.Agent.g (low)
4. TRojan.VB.dqc (low)
I tried to clean the threats detected,but it said that I have to purchase the Max secure detector (combofix) to be able to clean the threats. At this stage,should I move on with the purchase?Coz you did not specify whether I would have to purchase anything.
Advise please.
0

Didn't find the answer you are looking for?

Ask a question
Answer 5 / 28
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,171
Nov 10, 2012 at 03:38 PM
You have not downloaded the correct combofix, Combofix is totally free.

Go to this link and click on the button "Download @ Bleeping Computer.

https://www.bleepingcomputer.com/download/combofix/
0
Answer 6 / 28
faraa Posts 9 Registration date Monday October 15, 2012 Status Member Last seen November 16, 2012
Nov 15, 2012 at 05:21 AM
Hello,here is the log after the scan by combofix..

ComboFix 12-11-14.01 - user 11/14/2012 18:24:31.1.4 - x86
Microsoft Windows 7 Home Basic 6.1.7601.1.1252.1.1033.18.2026.1457 [GMT 4:00]
Running from: c:\users\user\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\214a23bd427f7589d6d69546a3441bad_c
c:\windows\system32\drivers\MaxTdss.sys
.
.
((((((((((((((((((((((((( Files Created from 2012-10-14 to 2012-11-14 )))))))))))))))))))))))))))))))
.
.
2012-11-14 14:41 . 2012-11-14 14:41 -------- d-----w- c:\users\Nadeem\AppData\Local\temp
2012-11-14 14:41 . 2012-11-14 14:41 -------- d-----w- c:\users\Shafenaaz\AppData\Local\temp
2012-11-14 14:41 . 2012-11-14 14:41 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-11-14 14:02 . 2012-11-14 14:02 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7C9DDFA6-EB25-4715-AC9D-70444C7E3A07}\MpKsl547947ef.sys
2012-11-14 11:14 . 2012-10-11 18:56 6918632 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7C9DDFA6-EB25-4715-AC9D-70444C7E3A07}\mpengine.dll
2012-11-13 11:03 . 2012-10-11 18:56 6918632 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-11-10 15:01 . 2012-07-18 11:10 117248 ----a-w- c:\windows\system32\MaxNative.exe
2012-11-10 15:00 . 2012-11-10 15:08 -------- d-----w- c:\programdata\Max Secure
2012-11-10 15:00 . 2012-07-18 11:23 60448 ----a-w- c:\windows\system32\drivers\SDActMon2K.sys
2012-11-10 15:00 . 2012-11-10 16:34 -------- d-----w- c:\program files\Max Spyware Detector
2012-11-10 15:00 . 2012-07-18 11:23 60960 ----a-w- c:\windows\system32\drivers\MaxMgr.sys
2012-11-10 15:00 . 2012-07-18 11:23 12832 ----a-w- c:\windows\system32\drivers\004.sys
2012-11-10 15:00 . 2012-07-18 11:23 75296 ----a-w- c:\windows\system32\drivers\MaxProtector32.sys
2012-11-10 15:00 . 2012-07-18 11:23 101408 ----a-w- c:\windows\system32\drivers\SDActMon.sys
2012-11-10 14:10 . 2012-11-10 14:10 -------- d-----w- c:\users\user\AppData\Local\Max Secure Software
2012-11-10 14:07 . 2012-11-10 14:10 -------- d-----w- c:\users\user\AppData\Roaming\GetRightToGo
2012-11-07 15:29 . 2012-11-07 15:29 512 ----a-w- C:\PhysicalDisk0_MBR.bin
2012-11-07 15:05 . 2012-11-07 15:25 -------- d-----w- C:\ZHP
2012-11-07 15:05 . 2012-11-07 15:22 -------- d-----w- c:\program files\ZHP Diag
2012-11-05 13:09 . 2012-11-05 13:09 -------- d-----w- c:\programdata\YTD Video Downloader
2012-11-05 13:09 . 2012-11-05 13:09 -------- d-----w- c:\program files\GreenTree Applications
2012-11-02 16:04 . 2012-11-02 16:04 740784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{2CDC04F5-DEE3-4F3F-904E-1DCBBB9F1793}\gapaengine.dll
2012-11-02 15:51 . 2012-11-02 15:51 -------- d-----w- c:\program files\Microsoft Security Client
2012-10-22 08:04 . 2012-10-22 08:04 -------- d-----w- c:\users\user\New folder (4)
2012-10-22 08:04 . 2012-10-22 08:04 -------- d-----w- c:\users\user\New folder (3)
2012-10-22 08:04 . 2012-10-22 08:09 -------- d-----w- c:\users\user\New folder (2)
2012-10-22 08:04 . 2012-10-22 08:05 -------- d-----w- c:\users\user\New folder
2012-10-20 10:44 . 2012-10-20 10:44 121984 ----a-w- c:\windows\system32\steam_api.dll
2012-10-19 17:24 . 2012-10-19 17:39 -------- d-----w- c:\users\user\AppData\Local\dxhr
2012-10-19 17:23 . 2012-10-19 17:23 -------- d-----w- c:\users\user\AppData\Local\SKIDROW
2012-10-19 17:23 . 2012-10-19 17:23 -------- d-----w- c:\users\user\AppData\Local\28050
2012-10-19 16:41 . 2012-10-19 16:41 -------- d-----w- c:\windows\system32\%LOCALAPPDATA%
2012-10-19 16:18 . 2012-10-19 18:23 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4A6592AB-AFE7-4872-B116-0FF15301646B}\offreg.dll
2012-10-19 06:33 . 2012-10-26 18:25 -------- d-----w- c:\users\user\COMS
2012-10-17 20:55 . 2012-10-17 20:55 -------- d-----w- c:\users\user\AppData\Local\APN
2012-10-17 20:54 . 2012-11-03 13:23 -------- d-----w- c:\programdata\Avira
2012-10-15 20:43 . 2012-10-15 20:43 -------- d-----w- c:\programdata\39AB
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-08 14:10 . 2012-08-29 12:26 26984 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2012-10-22 12:21 . 2012-03-30 10:41 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-22 12:21 . 2012-01-04 12:42 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-14 18:28 . 2012-10-10 05:40 2048 ----a-w- c:\windows\system32\tzres.dll
2012-08-31 17:18 . 2012-10-10 05:40 1211760 ----a-w- c:\windows\system32\drivers\ntfs.sys
2012-08-30 18:03 . 2012-08-30 18:03 99272 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2012-08-30 18:03 . 2012-08-30 18:03 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-08-30 17:12 . 2012-10-10 05:40 3914096 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-30 17:12 . 2012-10-10 05:40 3968880 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-08-24 16:57 . 2012-10-10 05:40 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-08-24 11:43 . 2012-08-24 11:43 301920 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2012-08-24 06:59 . 2012-09-22 07:07 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-08-24 06:51 . 2012-09-22 07:07 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-08-24 06:51 . 2012-09-22 07:07 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-24 06:47 . 2012-09-22 07:07 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-08-24 06:47 . 2012-09-22 07:07 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-08-24 06:43 . 2012-09-22 07:07 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-08-22 17:16 . 2012-09-12 14:59 1292144 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-08-22 17:16 . 2012-09-12 14:59 712048 ----a-w- c:\windows\system32\drivers\ndis.sys
2012-08-22 17:16 . 2012-09-12 14:59 240496 ----a-w- c:\windows\system32\drivers\netio.sys
2012-08-22 17:16 . 2012-09-12 14:59 187760 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2012-08-22 13:31 . 2012-01-11 12:15 27152 ----a-w- c:\windows\system32\nitrolocalmon2.dll
2012-08-22 13:31 . 2012-01-11 12:15 18448 ----a-w- c:\windows\system32\nitrolocalui2.dll
2012-08-21 20:12 . 2012-09-26 05:18 245760 ----a-w- c:\windows\system32\OxpsConverter.exe
2012-08-20 17:40 . 2012-10-10 05:40 169984 ----a-w- c:\windows\system32\winsrv.dll
2012-08-20 17:40 . 2012-10-10 05:40 293376 ----a-w- c:\windows\system32\KernelBase.dll
2012-08-20 17:37 . 2012-10-10 05:40 271360 ----a-w- c:\windows\system32\conhost.exe
2012-08-20 17:32 . 2012-10-10 05:40 4608 ---ha-w- c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40 4096 ---ha-w- c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40 4096 ---ha-w- c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40 4096 ---ha-w- c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40 3584 ---ha-w- c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40 3072 ---ha-w- c:\windows\system32\api-ms-win-core-string-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40 3072 ---ha-w- c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40 3072 ---ha-w- c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40 5120 ---ha-w- c:\windows\system32\api-ms-win-core-file-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40 3584 ---ha-w- c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40 3584 ---ha-w- c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40 3584 ---ha-w- c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40 3584 ---ha-w- c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40 3584 ---ha-w- c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40 3072 ---ha-w- c:\windows\system32\api-ms-win-core-io-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40 3072 ---ha-w- c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40 3072 ---ha-w- c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40 3072 ---ha-w- c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40 3072 ---ha-w- c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40 3072 ---ha-w- c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40 3072 ---ha-w- c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40 3072 ---ha-w- c:\windows\system32\api-ms-win-core-console-l1-1-0.dll
2012-08-20 15:33 . 2012-10-10 05:40 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2012-08-20 15:33 . 2012-10-10 05:40 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2012-08-20 15:33 . 2012-10-10 05:40 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2012-08-20 15:33 . 2012-10-10 05:40 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-11-08 14:10 1796552 ----a-w- c:\program files\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll" [2012-11-08 1796552]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Update"="c:\users\user\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-07-12 138096]
"fTalk"="c:\users\user\AppData\Local\fTalk\ftalk.exe" [2012-07-26 9421424]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2011-01-18 10025576]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-04-05 336384]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2010-04-20 222504]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2010-05-07 165208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-11 34672]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-07-30 2596984]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-11-08 997320]
"ROC_roc_dec12"="c:\program files\AVG Secure Search\ROC_roc_dec12.exe" [2012-01-31 928096]
"HF_G_Jul"="c:\program files\AVG Secure Search\HF_G_Jul.exe" [2012-07-18 36960]
"ROC_ROC_JULY_P1"="c:\program files\AVG Secure Search\ROC_ROC_JULY_P1.exe" [2012-08-29 1022048]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
"SDActiveMonitor"="c:\program files\Max Spyware Detector\MaxSDTray.exe" [2012-07-18 1083936]
"MaxUSBProc"="c:\program files\Max Spyware Detector\MaxUSBProc.exe" [2012-07-18 421920]
.
c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2011-9-2 227712]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\WIA6EB~1\Datamngr\datamngr.dll c:\progra~1\WIA6EB~1\Datamngr\IEBHO.dll c:\progra~1\Bandoo\BndHook.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
S0 AVGIDSHX;AVGIDSHX;c:\windows\system32\DRIVERS\avgidshx.sys [x]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [x]
S0 MaxMgr;MaxMgr;c:\windows\System32\drivers\MaxMgr.sys [x]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [x]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [x]
S1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [x]
S1 MaxProtector32;MaxProtector32;c:\windows\system32\drivers\MaxProtector32.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [x]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [x]
S2 Intel(R) PROSet Monitoring Service;Intel(R) PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [x]
S2 MaxMerger;MaxMerger;c:\program files\Max Spyware Detector\MaxMerger.exe [x]
S2 MaxWatchDogService;MaxWatchDogService;c:\program files\Max Spyware Detector\MaxWatchDogService.exe [x]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [x]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdriverx.sys [x]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\avgidsfilterx.sys [x]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\avgidsshimx.sys [x]
S3 MEI;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECI.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL547947EF
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc SensrSvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-14 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 12:21]
.
2012-11-12 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1764882691-417280452-3045153381-1000Core.job
- c:\users\user\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-01-12 09:39]
.
2012-11-14 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1764882691-417280452-3045153381-1000UA.job
- c:\users\user\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-01-12 09:39]
.
2012-11-11 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1764882691-417280452-3045153381-1001Core.job
- c:\users\Nadeem\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-01-14 08:55]
.
2012-11-14 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1764882691-417280452-3045153381-1001UA.job
- c:\users\Nadeem\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-01-14 08:55]
.
2012-10-23 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1764882691-417280452-3045153381-1002Core.job
- c:\users\Shafenaaz\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-02-14 04:55]
.
2012-11-14 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1764882691-417280452-3045153381-1002UA.job
- c:\users\Shafenaaz\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-02-14 04:55]
.
2012-11-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1764882691-417280452-3045153381-1000Core.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2012-11-03 09:03]
.
2012-11-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1764882691-417280452-3045153381-1000UA.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2012-11-03 09:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.searchnu.com
mStart Page = hxxp://searchfunmoods.com/?f=1&a=irtest1&chnl=irtest1&cd=2XzuyEtN2Y1L1QzutAzzyCtDyByBtD0DyDyC0B0C0F0B0FyCtN0D0Tzu0StCzytCtN1L2XzutBtFtCtFtDtFtAtDtC&cr=925946745
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{44D13809-B6B7-4A92-88BA-6C1D96F3D785}: NameServer = 196.192.110.11,202.123.2.11
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\13.2.0\ViProtocol.dll
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-10 - (no file)
Toolbar-!!{95B7759C-8C7F-4BF1-B163-73684A933233} - (no file)
Toolbar-!!!{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-SDAutoScan - (no file)
AddRemove-1ClickDownload - c:\program files\1ClickDownload\uninst.exe
AddRemove-{09FF4DB8-7DE9-4D47-B7DB-915DB7D9A8CA} - c:\programdata\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}\bm_installer.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1764882691-417280452-3045153381-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-1764882691-417280452-3045153381-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-11-14 18:45:03
ComboFix-quarantined-files.txt 2012-11-14 14:45
.
Pre-Run: 326,209,347,584 bytes free
Post-Run: 327,974,797,312 bytes free
.
- - End Of File - - C2684BAD3B23AA1C784D5CD64EF9E22E
0
Answer 7 / 28
faraa Posts 9 Registration date Monday October 15, 2012 Status Member Last seen November 16, 2012
Nov 15, 2012 at 05:23 AM
Hello..here is the log after the combofix scan..

ComboFix 12-11-14.01 - user 11/14/2012 18:24:31.1.4 - x86
Microsoft Windows 7 Home Basic 6.1.7601.1.1252.1.1033.18.2026.1457 [GMT 4:00]
Running from: c:\users\user\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\214a23bd427f7589d6d69546a3441bad_c
c:\windows\system32\drivers\MaxTdss.sys
.
.
((((((((((((((((((((((((( Files Created from 2012-10-14 to 2012-11-14 )))))))))))))))))))))))))))))))
.
.
2012-11-14 14:41 . 2012-11-14 14:41 -------- d-----w- c:\users\Nadeem\AppData\Local\temp
2012-11-14 14:41 . 2012-11-14 14:41 -------- d-----w- c:\users\Shafenaaz\AppData\Local\temp
2012-11-14 14:41 . 2012-11-14 14:41 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-11-14 14:02 . 2012-11-14 14:02 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7C9DDFA6-EB25-4715-AC9D-70444C7E3A07}\MpKsl547947ef.sys
2012-11-14 11:14 . 2012-10-11 18:56 6918632 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7C9DDFA6-EB25-4715-AC9D-70444C7E3A07}\mpengine.dll
2012-11-13 11:03 . 2012-10-11 18:56 6918632 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-11-10 15:01 . 2012-07-18 11:10 117248 ----a-w- c:\windows\system32\MaxNative.exe
2012-11-10 15:00 . 2012-11-10 15:08 -------- d-----w- c:\programdata\Max Secure
2012-11-10 15:00 . 2012-07-18 11:23 60448 ----a-w- c:\windows\system32\drivers\SDActMon2K.sys
2012-11-10 15:00 . 2012-11-10 16:34 -------- d-----w- c:\program files\Max Spyware Detector
2012-11-10 15:00 . 2012-07-18 11:23 60960 ----a-w- c:\windows\system32\drivers\MaxMgr.sys
2012-11-10 15:00 . 2012-07-18 11:23 12832 ----a-w- c:\windows\system32\drivers\004.sys
2012-11-10 15:00 . 2012-07-18 11:23 75296 ----a-w- c:\windows\system32\drivers\MaxProtector32.sys
2012-11-10 15:00 . 2012-07-18 11:23 101408 ----a-w- c:\windows\system32\drivers\SDActMon.sys
2012-11-10 14:10 . 2012-11-10 14:10 -------- d-----w- c:\users\user\AppData\Local\Max Secure Software
2012-11-10 14:07 . 2012-11-10 14:10 -------- d-----w- c:\users\user\AppData\Roaming\GetRightToGo
2012-11-07 15:29 . 2012-11-07 15:29 512 ----a-w- C:\PhysicalDisk0_MBR.bin
2012-11-07 15:05 . 2012-11-07 15:25 -------- d-----w- C:\ZHP
2012-11-07 15:05 . 2012-11-07 15:22 -------- d-----w- c:\program files\ZHP Diag
2012-11-05 13:09 . 2012-11-05 13:09 -------- d-----w- c:\programdata\YTD Video Downloader
2012-11-05 13:09 . 2012-11-05 13:09 -------- d-----w- c:\program files\GreenTree Applications
2012-11-02 16:04 . 2012-11-02 16:04 740784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{2CDC04F5-DEE3-4F3F-904E-1DCBBB9F1793}\gapaengine.dll
2012-11-02 15:51 . 2012-11-02 15:51 -------- d-----w- c:\program files\Microsoft Security Client
2012-10-22 08:04 . 2012-10-22 08:04 -------- d-----w- c:\users\user\New folder (4)
2012-10-22 08:04 . 2012-10-22 08:04 -------- d-----w- c:\users\user\New folder (3)
2012-10-22 08:04 . 2012-10-22 08:09 -------- d-----w- c:\users\user\New folder (2)
2012-10-22 08:04 . 2012-10-22 08:05 -------- d-----w- c:\users\user\New folder
2012-10-20 10:44 . 2012-10-20 10:44 121984 ----a-w- c:\windows\system32\steam_api.dll
2012-10-19 17:24 . 2012-10-19 17:39 -------- d-----w- c:\users\user\AppData\Local\dxhr
2012-10-19 17:23 . 2012-10-19 17:23 -------- d-----w- c:\users\user\AppData\Local\SKIDROW
2012-10-19 17:23 . 2012-10-19 17:23 -------- d-----w- c:\users\user\AppData\Local\28050
2012-10-19 16:41 . 2012-10-19 16:41 -------- d-----w- c:\windows\system32\%LOCALAPPDATA%
2012-10-19 16:18 . 2012-10-19 18:23 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4A6592AB-AFE7-4872-B116-0FF15301646B}\offreg.dll
2012-10-19 06:33 . 2012-10-26 18:25 -------- d-----w- c:\users\user\COMS
2012-10-17 20:55 . 2012-10-17 20:55 -------- d-----w- c:\users\user\AppData\Local\APN
2012-10-17 20:54 . 2012-11-03 13:23 -------- d-----w- c:\programdata\Avira
2012-10-15 20:43 . 2012-10-15 20:43 -------- d-----w- c:\programdata\39AB
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-08 14:10 . 2012-08-29 12:26 26984 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2012-10-22 12:21 . 2012-03-30 10:41 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-22 12:21 . 2012-01-04 12:42 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-14 18:28 . 2012-10-10 05:40 2048 ----a-w- c:\windows\system32\tzres.dll
2012-08-31 17:18 . 2012-10-10 05:40 1211760 ----a-w- c:\windows\system32\drivers\ntfs.sys
2012-08-30 18:03 . 2012-08-30 18:03 99272 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2012-08-30 18:03 . 2012-08-30 18:03 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-08-30 17:12 . 2012-10-10 05:40 3914096 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-30 17:12 . 2012-10-10 05:40 3968880 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-08-24 16:57 . 2012-10-10 05:40 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-08-24 11:43 . 2012-08-24 11:43 301920 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2012-08-24 06:59 . 2012-09-22 07:07 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-08-24 06:51 . 2012-09-22 07:07 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-08-24 06:51 . 2012-09-22 07:07 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-24 06:47 . 2012-09-22 07:07 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-08-24 06:47 . 2012-09-22 07:07 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-08-24 06:43 . 2012-09-22 07:07 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-08-22 17:16 . 2012-09-12 14:59 1292144 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-08-22 17:16 . 2012-09-12 14:59 712048 ----a-w- c:\windows\system32\drivers\ndis.sys
2012-08-22 17:16 . 2012-09-12 14:59 240496 ----a-w- c:\windows\system32\drivers\netio.sys
2012-08-22 17:16 . 2012-09-12 14:59 187760 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2012-08-22 13:31 . 2012-01-11 12:15 27152 ----a-w- c:\windows\system32\nitrolocalmon2.dll
2012-08-22 13:31 . 2012-01-11 12:15 18448 ----a-w- c:\windows\system32\nitrolocalui2.dll
2012-08-21 20:12 . 2012-09-26 05:18 245760 ----a-w- c:\windows\system32\OxpsConverter.exe
2012-08-20 17:40 . 2012-10-10 05:40 169984 ----a-w- c:\windows\system32\winsrv.dll
2012-08-20 17:40 . 2012-10-10 05:40 293376 ----a-w- c:\windows\system32\KernelBase.dll
2012-08-20 17:37 . 2012-10-10 05:40 271360 ----a-w- c:\windows\system32\conhost.exe
2012-08-20 17:32 . 2012-10-10 05:40 4608 ---ha-w- c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40 4096 ---ha-w- c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40 4096 ---ha-w- c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40 4096 ---ha-w- c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40 3584 ---ha-w- c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40 3072 ---ha-w- c:\windows\system32\api-ms-win-core-string-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40 3072 ---ha-w- c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40 3072 ---ha-w- c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40 5120 ---ha-w- c:\windows\system32\api-ms-win-core-file-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40 3584 ---ha-w- c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40 3584 ---ha-w- c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40 3584 ---ha-w- c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40 3584 ---ha-w- c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40 3584 ---ha-w- c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40 3072 ---ha-w- c:\windows\system32\api-ms-win-core-io-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40 3072 ---ha-w- c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40 3072 ---ha-w- c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40 3072 ---ha-w- c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40 3072 ---ha-w- c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40 3072 ---ha-w- c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40 3072 ---ha-w- c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40 3072 ---ha-w- c:\windows\system32\api-ms-win-core-console-l1-1-0.dll
2012-08-20 15:33 . 2012-10-10 05:40 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2012-08-20 15:33 . 2012-10-10 05:40 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2012-08-20 15:33 . 2012-10-10 05:40 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2012-08-20 15:33 . 2012-10-10 05:40 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-11-08 14:10 1796552 ----a-w- c:\program files\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll" [2012-11-08 1796552]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Update"="c:\users\user\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-07-12 138096]
"fTalk"="c:\users\user\AppData\Local\fTalk\ftalk.exe" [2012-07-26 9421424]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2011-01-18 10025576]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-04-05 336384]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2010-04-20 222504]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2010-05-07 165208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-11 34672]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-07-30 2596984]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-11-08 997320]
"ROC_roc_dec12"="c:\program files\AVG Secure Search\ROC_roc_dec12.exe" [2012-01-31 928096]
"HF_G_Jul"="c:\program files\AVG Secure Search\HF_G_Jul.exe" [2012-07-18 36960]
"ROC_ROC_JULY_P1"="c:\program files\AVG Secure Search\ROC_ROC_JULY_P1.exe" [2012-08-29 1022048]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
"SDActiveMonitor"="c:\program files\Max Spyware Detector\MaxSDTray.exe" [2012-07-18 1083936]
"MaxUSBProc"="c:\program files\Max Spyware Detector\MaxUSBProc.exe" [2012-07-18 421920]
.
c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2011-9-2 227712]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\WIA6EB~1\Datamngr\datamngr.dll c:\progra~1\WIA6EB~1\Datamngr\IEBHO.dll c:\progra~1\Bandoo\BndHook.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
S0 AVGIDSHX;AVGIDSHX;c:\windows\system32\DRIVERS\avgidshx.sys [x]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [x]
S0 MaxMgr;MaxMgr;c:\windows\System32\drivers\MaxMgr.sys [x]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [x]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [x]
S1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [x]
S1 MaxProtector32;MaxProtector32;c:\windows\system32\drivers\MaxProtector32.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [x]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [x]
S2 Intel(R) PROSet Monitoring Service;Intel(R) PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [x]
S2 MaxMerger;MaxMerger;c:\program files\Max Spyware Detector\MaxMerger.exe [x]
S2 MaxWatchDogService;MaxWatchDogService;c:\program files\Max Spyware Detector\MaxWatchDogService.exe [x]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [x]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdriverx.sys [x]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\avgidsfilterx.sys [x]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\avgidsshimx.sys [x]
S3 MEI;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECI.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL547947EF
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc SensrSvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-14 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 12:21]
.
2012-11-12 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1764882691-417280452-3045153381-1000Core.job
- c:\users\user\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-01-12 09:39]
.
2012-11-14 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1764882691-417280452-3045153381-1000UA.job
- c:\users\user\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-01-12 09:39]
.
2012-11-11 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1764882691-417280452-3045153381-1001Core.job
- c:\users\Nadeem\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-01-14 08:55]
.
2012-11-14 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1764882691-417280452-3045153381-1001UA.job
- c:\users\Nadeem\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-01-14 08:55]
.
2012-10-23 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1764882691-417280452-3045153381-1002Core.job
- c:\users\Shafenaaz\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-02-14 04:55]
.
2012-11-14 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1764882691-417280452-3045153381-1002UA.job
- c:\users\Shafenaaz\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-02-14 04:55]
.
2012-11-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1764882691-417280452-3045153381-1000Core.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2012-11-03 09:03]
.
2012-11-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1764882691-417280452-3045153381-1000UA.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2012-11-03 09:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.searchnu.com
mStart Page = hxxp://searchfunmoods.com/?f=1&a=irtest1&chnl=irtest1&cd=2XzuyEtN2Y1L1QzutAzzyCtDyByBtD0DyDyC0B0C0F0B0FyCtN0D0Tzu0StCzytCtN1L2XzutBtFtCtFtDtFtAtDtC&cr=925946745
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{44D13809-B6B7-4A92-88BA-6C1D96F3D785}: NameServer = 196.192.110.11,202.123.2.11
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\13.2.0\ViProtocol.dll
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-10 - (no file)
Toolbar-!!{95B7759C-8C7F-4BF1-B163-73684A933233} - (no file)
Toolbar-!!!{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-SDAutoScan - (no file)
AddRemove-1ClickDownload - c:\program files\1ClickDownload\uninst.exe
AddRemove-{09FF4DB8-7DE9-4D47-B7DB-915DB7D9A8CA} - c:\programdata\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}\bm_installer.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1764882691-417280452-3045153381-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-1764882691-417280452-3045153381-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-11-14 18:45:03
ComboFix-quarantined-files.txt 2012-11-14 14:45
.
Pre-Run: 326,209,347,584 bytes free
Post-Run: 327,974,797,312 bytes free
.
- - End Of File - - C2684BAD3B23AA1C784D5CD64EF9E22E
0
Answer 8 / 28
faraa Posts 9 Registration date Monday October 15, 2012 Status Member Last seen November 16, 2012
Nov 15, 2012 at 06:20 AM
Hi...here is the new ZHP diag log's link..

http://speedy.sh/jkK6M/ZHPDiag.txt
0
Answer 9 / 28
faraa Posts 9 Registration date Monday October 15, 2012 Status Member Last seen November 16, 2012
Nov 15, 2012 at 06:21 AM
Thanx a lot 4 ur time..
0
Answer 10 / 28
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,171
Nov 15, 2012 at 08:30 AM
You have posted the very same ZHP Diag log as before.
0
Answer 11 / 28
faraa Posts 9 Registration date Monday October 15, 2012 Status Member Last seen November 16, 2012
Nov 16, 2012 at 06:01 AM
Hi...I dwnloaded a new ZHPdiag n here is the new link after the scan..

http://speedy.sh/4uWZ7/ZHPDiag.txt
0
Answer 12 / 28
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,171
Nov 16, 2012 at 04:07 PM
Hello

Again, you have uploaded the very same log. It sometimes happens when the previous log has not been completely deleted.

Here is what I suggest.

1. Download and install CCleaner:

https://ccm.net/downloads/security-and-maintenance/4555-ccleaner/

2. Launch CCleaner

3. Using the tool button, delete ZHP Diag

4. Click on the registry button, run the tool and delete the items found.

(CCleaner can be used later for when ever you wish to clean your temporary files)

5. Redownload and install ZHP Diag.

6. Generate a new log and upload it on Speedyshare.

Regards
0
Answer 13 / 28
faraa
Nov 18, 2012 at 11:08 PM
Hi..here it is..
http://speedy.sh/G6pYU/ZHPDiag.txt
Thanx..
0
Answer 14 / 28
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,171
Nov 19, 2012 at 05:43 AM
Hi

I still got a log showing full of viruses the same as before.

Download, install and run Malwarebyte which you can find on this site:

https://ccm.net/downloads/security-and-maintenance/4621-malwarebytes-anti-malware/ es-anti-malware

Ensure you make an update.

Boot your computer in safemode

Please request a FULL system scan, which may take from 20 minutes to hours. Do not interfere no matter how long in takes. The creators of Malwarebyte recommend that while the tool is running that you go do something else, such as watching a rerun of Gone with the Wind or read Tolstoy's War and Peace.

If Malwarebyte restarts your system, launch it again to finish the Full scan.

When the scan is completed, delete all items found.

Let me know the results.
0
Answer 15 / 28
faraa
Nov 21, 2012 at 08:01 PM
Hi..i cmplted the abovedwnload.
N here the link after the scan
http://speedy.sh/6qqxN/ZHPDiag.txt
0
Answer 16 / 28
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,171
Nov 23, 2012 at 04:51 AM
Hi,

I still received the same log as before.

You have run both Combofix, you have used ZHP Fix as directed and you ran Malwarebyte. I assume that you deleted all of the key gens and cracked software. Considering the above I also assume that your computer is desinfected. Am I correct or do you still experience difficulties?

If you are satisfied, please mark this thread as solved.

Best regards
0
Answer 17 / 28
faraa
Nov 23, 2012 at 12:00 PM
Hi..I do not no if I am doing it right,but here is a new link after I downloaded a new ZHP.
http://speedy.sh/xGFrF/ZHPDiag.txt

However in my Windows Action Center there is still this message about the Win 32 virus.And my AV detected it some time back (currently using AVG2012) i.e when I downloaded the Malwarebyte.
I am currently not facing the same problem of unexpected shut downs.
I am really grateful to you..You have really helped me..
I just need to know if the message about the win32 in the Action Center is normal or it should have already been addressed to and deleted??
Regards..
0
Answer 18 / 28
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,171
Nov 23, 2012 at 04:33 PM
Hello Nadeem,

Well this time your log is different but your machine got really badly infested again by all sorts of malware (150 malware to be exact) including some really dangerous ones for your system; as a matter of a fact, it's in worst condition.

I could tell you how to clean your machine but it would not be honest for me to do so. You see, I am a Kioskea Moderator and Security Contributor.

You have on your machine some applications for which you have not purchased a license and which you cracked. You are also using a key generator. You are also using a peer-to-peer sharing application which is a vector for infections.

After my analysis, it as clear as crystal that all the malware on your machine originated from the cracks. I asked you before to delete all of those illegal applications. It seems that you have elected to keep them. Therefore, my efforts to help you clean your computer are doomed to failure.

I predict that if you continue to use your computer the way you do, that your system will totally crippled in a short period of time, I would say December 31, 2012.

Sorry
0
Answer 19 / 28
faraa
Nov 24, 2012 at 05:52 AM
Hi..i did exactly what u instructed 2 do..i do not understand where i failed..
I mean with the download of the malwarebyte,i messed up??
And its faraa..nadeem is my liitle brother n he uses the pc more than me n dwnload a lot of things.
Am at a lost..
So u cnt help?
0
Answer 20 / 28
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,171
Nov 24, 2012 at 03:57 PM
Well Faraa, I'm afraid that Nadeem is about to totally ruin your system by downloading illegal software and viruses. If you don't stop him all my efforts are in vain.

You once ran Malwarebyte and it sent all the viruses in quarantine. I can see them, but, thanks to Nadeem, you system got all infected again but worst.

Tell you what, you delete the following items and once you are finished send me another ZHP Diag.

1. Delete the Babylon toolbar, here is how:

http://ccm.net/faq/14594-how-to-get-rid-of-babylon-search-toolbar

2. Also delete the following:

C:\Program Files\TorrentHandler

CorelDRAW.Graphics.Suite.X4 Keymaker & Activation\keygen.exe
Macromedia Flash Professional v8.0 + keygen\setup.exe
Program\WinRAR_3.93__www.crackedsoftwares.com.zip

3. Rerun a full system scan with Malwarebyte.

Report to me again with a Malwarebyte log.

Good luck
0
  • 1
  • 2

Similar discussions

How to undo "remove link" in bio?
mary22 -
Gourav -

13 responses
Call barring cancel code
Abubakkar -
dwebb -

1 response
Ig stories from close friends to public
Darren -
zara -

31 responses