We're aware that some users are experiencing technical issues which the team are working to resolve. Thank you for your patience.
📨 Have you signed up to the Forum's new Email Digest yet? Get a selection of trending threads sent straight to your inbox daily, weekly or monthly!

google search AVAST comes up with malicious virus

Options
1356

Comments

  • cepheus
    cepheus Posts: 20,053 Forumite
    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-08-13 20:56:06
    20:56:06.570 OS Version: Windows x64 6.1.7601 Service Pack 1
    20:56:06.570 Number of processors: 4 586 0x2505
    20:56:06.570 ComputerName: STEPHEN-TOSH UserName: stephen
    20:56:08.879 Initialize success
    20:56:09.706 AVAST engine defs: 12081300
    20:57:03.705 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
    20:57:03.705 Disk 0 Vendor: TOSHIBA_ GH10 Size: 305245MB BusType: 3
    20:57:03.736 Disk 0 MBR read successfully
    20:57:03.736 Disk 0 MBR scan
    20:57:03.767 Disk 0 Windows 7 default MBR code
    20:57:03.767 Disk 0 Partition 1 80 (A) 27 Hidden NTFS WinRE NTFS 400 MB offset 2048
    20:57:03.783 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 152622 MB offset 821248
    20:57:03.814 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 152222 MB offset 313391104
    20:57:03.845 Disk 0 scanning C:\Windows\system32\drivers
    20:57:19.282 Service scanning
    20:58:04.452 Modules scanning
    20:58:04.484 Disk 0 trace - called modules:
    20:58:04.530 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
    20:58:05.061 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004c85060]
    20:58:05.076 3 CLASSPNP.SYS[fffff88001baf43f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa80049fe050]
    20:58:06.240 AVAST engine scan C:\Windows
    20:58:08.338 AVAST engine scan C:\Windows\system32
    21:01:13.244 AVAST engine scan C:\Windows\system32\drivers
    21:01:35.709 AVAST engine scan C:\Users\stephen
    21:54:41.545 AVAST engine scan C:\ProgramData
    21:58:42.893 Scan finished successfully
    22:10:58.188 Disk 0 MBR has been saved successfully to "C:\Users\stephen\Documents\Desktop\MBR.dat"
    22:10:58.188 The log file has been saved successfully to "C:\Users\stephen\Documents\Desktop\virusscan.txt"
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    Thanks.

    Go here and read through the instructions for downloading and running ComboFix:

    Bleeping Computer ComboFix Tutorial
    • Ensure you temporarily turn off your antivirus before running. Instructions here
    • Double click combofix.exe & follow the prompts closely.
    • When it's finished, it'll produce a log. Post the contents of that log.
    • It'll be found on your C:\ drive named combofix.txt
    Above all, BE PATIENT! and let it run it's course.
  • cepheus
    cepheus Posts: 20,053 Forumite
    That was unpleasant, after running that, I kept getting 'illegal operation on a registry key marked for delete' on every single programme. Couldn't open anything!

    I attempted a system restore which failed, but perhaps the second reboot fixed it or else I wouldn't be able to reply or do anything!
  • cepheus
    cepheus Posts: 20,053 Forumite
    ComboFix 12-08-13.01 - stephen 13/08/2012 22:49:16.1.4 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.3891.1461 [GMT 1:00]
    Running from: c:\users\stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7OZP33DW\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\bProtector
    c:\programdata\bProtector\component_71.decrpt
    c:\users\stephen\AppData\Roaming\Microsoft\Windows\Recent\ADVFN - Free Bulletin Board - The Great Global Warming Swindle.url
    c:\users\stephen\Documents\~WRL0003.tmp
    c:\users\stephen\Documents\~WRL1188.tmp
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-07-13 to 2012-08-13 )))))))))))))))))))))))))))))))
    .
    .
    2012-08-13 21:59 . 2012-08-13 21:59
    d
    w- c:\users\Default\AppData\Local\temp
    2012-08-13 18:20 . 2012-08-13 18:20 268720 ----a-w- c:\windows\system32\javaws.exe
    2012-08-13 18:20 . 2012-08-13 18:20 955840 ----a-w- c:\windows\system32\npDeployJava1.dll
    2012-08-13 18:20 . 2012-08-13 18:20 189360 ----a-w- c:\windows\system32\javaw.exe
    2012-08-13 18:20 . 2012-08-13 18:20 188840 ----a-w- c:\windows\system32\java.exe
    2012-08-10 06:22 . 2012-06-29 10:04 9133488 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3C7F1222-6DB2-4E39-AF93-535EA3756F69}\mpengine.dll
    2012-07-30 17:09 . 2012-07-30 17:09
    d
    w- c:\program files (x86)\Common Files\Java
    2012-07-30 17:09 . 2012-07-30 17:09 772592 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
    2012-07-29 17:41 . 2012-07-29 17:41
    d
    w- C:\_OTL
    2012-07-29 17:20 . 2012-07-03 12:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-07-29 17:20 . 2012-07-29 17:20
    d
    w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-07-28 20:37 . 2012-07-28 20:37
    d
    w- c:\users\stephen\AppData\Local\{132931E3-D8F4-11E1-8270-B8AC6F996F26}
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-08-13 18:20 . 2011-05-30 08:38 839096 ----a-w- c:\windows\system32\deployJava1.dll
    2012-07-30 17:09 . 2010-11-10 14:39 687600 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2012-07-11 22:02 . 2011-06-01 06:05 59701280 ----a-w- c:\windows\system32\MRT.exe
    2012-07-03 16:21 . 2012-02-26 20:54 54072 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
    2012-07-03 16:21 . 2011-05-26 18:44 355856 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2012-07-03 16:21 . 2011-05-26 18:44 958400 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-07-03 16:21 . 2011-05-26 18:44 71064 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2012-07-03 16:21 . 2011-05-26 18:44 59728 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2012-07-03 16:21 . 2011-05-26 18:44 25232 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2012-07-03 16:21 . 2011-05-26 18:43 41224 ----a-w- c:\windows\avastSS.scr
    2012-07-03 16:21 . 2011-05-26 18:43 227648 ----a-w- c:\windows\SysWow64\aswBoot.exe
    2012-07-03 16:21 . 2011-05-26 18:44 285328 ----a-w- c:\windows\system32\aswBoot.exe
    2012-06-21 16:00 . 2012-03-30 21:25 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-06-21 16:00 . 2011-06-19 08:40 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-06-12 03:08 . 2012-07-11 22:07 3148800 ----a-w- c:\windows\system32\win32k.sys
    2012-06-09 05:43 . 2012-07-11 07:58 14172672 ----a-w- c:\windows\system32\shell32.dll
    2012-06-06 06:06 . 2012-07-11 07:58 2004480 ----a-w- c:\windows\system32\msxml6.dll
    2012-06-06 06:06 . 2012-07-11 07:58 1881600 ----a-w- c:\windows\system32\msxml3.dll
    2012-06-06 06:02 . 2012-07-11 07:57 1133568 ----a-w- c:\windows\system32\cdosys.dll
    2012-06-06 05:05 . 2012-07-11 07:58 1390080 ----a-w- c:\windows\SysWow64\msxml6.dll
    2012-06-06 05:05 . 2012-07-11 07:58 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll
    2012-06-06 05:03 . 2012-07-11 07:57 805376 ----a-w- c:\windows\SysWow64\cdosys.dll
    2012-06-04 22:07 . 2012-06-04 22:07 0 ----a-w- c:\windows\SysWow64\shoBB9A.tmp
    2012-06-02 22:19 . 2012-06-19 05:39 38424 ----a-w- c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-19 05:39 2428952 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-02 22:19 . 2012-06-19 05:39 57880 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-19 05:39 44056 ----a-w- c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-19 05:39 701976 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-02 22:15 . 2012-06-19 05:39 2622464 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-02 22:15 . 2012-06-19 05:39 99840 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-02 14:19 . 2012-06-19 05:39 186752 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-02 14:15 . 2012-06-19 05:39 36864 ----a-w- c:\windows\system32\wuapp.exe
    2012-06-02 12:49 . 2012-07-11 22:01 17807360 ----a-w- c:\windows\system32\mshtml.dll
    2012-06-02 12:17 . 2012-07-11 22:01 10924032 ----a-w- c:\windows\system32\ieframe.dll
    2012-06-02 12:12 . 2012-07-11 22:01 2311680 ----a-w- c:\windows\system32\jscript9.dll
    2012-06-02 12:05 . 2012-07-11 22:01 1346048 ----a-w- c:\windows\system32\urlmon.dll
    2012-06-02 12:05 . 2012-07-11 22:01 1392128 ----a-w- c:\windows\system32\wininet.dll
    2012-06-02 12:04 . 2012-07-11 22:01 1494528 ----a-w- c:\windows\system32\inetcpl.cpl
    2012-06-02 12:04 . 2012-07-11 22:01 237056 ----a-w- c:\windows\system32\url.dll
    2012-06-02 12:03 . 2012-07-11 22:01 85504 ----a-w- c:\windows\system32\jsproxy.dll
    2012-06-02 12:01 . 2012-07-11 22:01 173056 ----a-w- c:\windows\system32\ieUnatt.exe
    2012-06-02 12:00 . 2012-07-11 22:01 818688 ----a-w- c:\windows\system32\jscript.dll
    2012-06-02 11:59 . 2012-07-11 22:01 2144768 ----a-w- c:\windows\system32\iertutil.dll
    2012-06-02 11:57 . 2012-07-11 22:01 96768 ----a-w- c:\windows\system32\mshtmled.dll
    2012-06-02 11:57 . 2012-07-11 22:01 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2012-06-02 11:54 . 2012-07-11 22:01 248320 ----a-w- c:\windows\system32\ieui.dll
    2012-06-02 08:33 . 2012-07-11 22:01 1800192 ----a-w- c:\windows\SysWow64\jscript9.dll
    2012-06-02 08:25 . 2012-07-11 22:01 1129472 ----a-w- c:\windows\SysWow64\wininet.dll
    2012-06-02 08:25 . 2012-07-11 22:01 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl
    2012-06-02 08:20 . 2012-07-11 22:01 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
    2012-06-02 08:16 . 2012-07-11 22:01 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
    2012-06-02 05:50 . 2012-07-11 07:58 458704 ----a-w- c:\windows\system32\drivers\cng.sys
    2012-06-02 05:48 . 2012-07-11 07:58 151920 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
    2012-06-02 05:48 . 2012-07-11 07:58 95600 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-06-02 05:45 . 2012-07-11 07:58 340992 ----a-w- c:\windows\system32\schannel.dll
    2012-06-02 05:44 . 2012-07-11 07:58 307200 ----a-w- c:\windows\system32\ncrypt.dll
    2012-06-02 04:40 . 2012-07-11 07:58 22016 ----a-w- c:\windows\SysWow64\secur32.dll
    2012-06-02 04:40 . 2012-07-11 07:58 225280 ----a-w- c:\windows\SysWow64\schannel.dll
    2012-06-02 04:39 . 2012-07-11 07:58 219136 ----a-w- c:\windows\SysWow64\ncrypt.dll
    2012-06-02 04:34 . 2012-07-11 07:58 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
    2012-05-31 11:25 . 2011-05-30 12:00 279656
    w- c:\windows\system32\MpSigStub.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-07-03 4273976]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
    .
    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    TRDCReminder.lnk - c:\program files (x86)\TOSHIBA\TRDCReminder\TRDCReminder.exe [2009-9-1 481184]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "EnableLinkedConnections"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-30 136176]
    R3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-10-05 7884288]
    R3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-10-05 285696]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-30 136176]
    R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-05-16 113120]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
    R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2011-04-13 45432]
    R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2010-01-07 232992]
    R3 TemproMonitoringService;Notebook Performance Tuning Service (TEMPRO);c:\program files (x86)\Toshiba TEMPRO\TemproSvc.exe [2010-05-11 124368]
    R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-02-05 137560]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-05-27 1255736]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S1 ssoftnt4;ssoftnt4;c:\windows\system32\Drivers\ssoftnt4.sys [2011-04-27 103704]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-07-03 71064]
    S2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe [2010-01-28 249200]
    S2 ConfigFree Service;ConfigFree Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe [2009-03-10 46448]
    S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
    S2 DragonSvc;Dragon Service;c:\program files (x86)\Common Files\Nuance\dgnsvc.exe [2011-06-05 296808]
    S2 IconMan_R;IconMan_R;c:\program files (x86)\Realtek\Realtek USB 2.0 Card Reader\RIconMan.exe [2010-08-27 1811456]
    S2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe [2010-05-04 503080]
    S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
    S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2010-03-03 2320920]
    S3 CeKbFilter;CeKbFilter;c:\windows\system32\DRIVERS\CeKbFilter.sys [2011-03-04 20592]
    S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]
    S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-27 158976]
    S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [2009-06-22 35008]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2010-06-23 344680]
    S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys [2010-04-28 932384]
    S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 764264]
    S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 268648]
    S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 25960]
    S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 22376]
    S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-08-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-30 09:35]
    .
    2012-08-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-30 09:35]
    .
    .
    X64 Entries
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2012-07-03 16:21 133400 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-07-28 11101800]
    "RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2010-07-28 2120808]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    Supplementary Scan
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = about:blank
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: &ieSpell Options - c:\program files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM
    IE: Check &Spelling - c:\program files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM
    IE: Download with &Shareaza - c:\program files (x86)\Shareaza\RazaWebHook32.dll/3000
    IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
    IE: Lookup on Merriam Webster - [URL]file://c:\program[/URL] files (x86)\ieSpell\Merriam Webster.HTM
    IE: Lookup on Wikipedia - [URL]file://c:\program[/URL] files (x86)\ieSpell\wikipedia.HTM
    TCP: DhcpNameServer = 192.168.1.254
    DPF: {0972B098-DEE9-4279-AC7E-4BAAA029102D} - hxxp://assets.photobox.com/assets/aurigma/ImageUploader5.cab?20110620094923
    FF - ProfilePath - c:\users\stephen\AppData\Roaming\Mozilla\Firefox\Profiles\aicv56t1.default\
    FF - prefs.js: browser.startup.homepage - about:blank
    FF - prefs.js: network.proxy.type - 0
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    Toolbar-Locked - (no file)
    HKLM-Run-00TCrdMain - c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
    .
    .
    .
    LOCKED REGISTRY KEYS
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
    "SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Other Running Processes
    .
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\program files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    c:\windows\SysWOW64\cryptainersrv.exe
    c:\program files (x86)\TOSHIBA\ConfigFree\NDSTray.exe
    c:\program files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe
    c:\program files (x86)\Internet Explorer\IELowutil.exe
    .
    **************************************************************************
    .
    Completion time: 2012-08-13 23:07:48 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-08-13 22:07
    .
    Pre-Run: 75,289,088,000 bytes free
    Post-Run: 74,811,772,928 bytes free
    .
    - - End Of File - - E145DD01E20A1F5FDD5D3E95A0935AAD
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    Running from: c:\users\stephen\AppData\Local\Microsoft\Windows\T emporary Internet Files\Content.IE5\7OZP33DW\ComboFix.exe
    As per the instructions in the tutorial you need to save ComboFix.exe to your desktop.
    Click on the Save button, and when it asks you where to save it, make sure you save it directly to your Windows Desktop.
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix
    ...after running that, I kept getting 'illegal operation on a registry key marked for delete' on every single programme...

    ... perhaps the second reboot fixed it
    Yes, it's a quirk of the OS. A reboot fixes it.

    How are things now?
  • cepheus
    cepheus Posts: 20,053 Forumite
    edited 14 August 2012 at 8:29AM
    Unfortunately the threats still pop up with Firefox

    Are you saying not saving combofix to the desktop caused the registry problem or failure to remove the virus?

    I have the combofix saved to the desktop now, if you wan't me to run it again.
  • GunJack
    GunJack Posts: 11,826 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    Before you do, you'd be well-advised to clear temp files, etc. CCleaner (both cleaner and registry parts) should suffice, then re-run CF from your desktop (may have to right-click and run as admin)
    ......Gettin' There, Wherever There is......

    I have a dodgy "i" key, so ignore spelling errors due to "i" issues, ...I blame Apple :D
  • cepheus
    cepheus Posts: 20,053 Forumite
    File after running CCleaner followed by Combofix programme (saved on desktop)


    ComboFix 12-08-13.01 - stephen 14/08/2012 9:48.2.4 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.3891.2393 [GMT 1:00]
    Running from: c:\users\stephen\Documents\Desktop\ComboFix.exe
    AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-07-14 to 2012-08-14 )))))))))))))))))))))))))))))))
    .
    .
    2012-08-14 08:57 . 2012-08-14 08:57
    d
    w- c:\users\Default\AppData\Local\temp
    2012-08-13 18:20 . 2012-08-13 18:20 268720 ----a-w- c:\windows\system32\javaws.exe
    2012-08-13 18:20 . 2012-08-13 18:20 955840 ----a-w- c:\windows\system32\npDeployJava1.dll
    2012-08-13 18:20 . 2012-08-13 18:20 189360 ----a-w- c:\windows\system32\javaw.exe
    2012-08-13 18:20 . 2012-08-13 18:20 188840 ----a-w- c:\windows\system32\java.exe
    2012-08-10 06:22 . 2012-06-29 10:04 9133488 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3C7F1222-6DB2-4E39-AF93-535EA3756F69}\mpengine.dll
    2012-07-30 17:09 . 2012-07-30 17:09
    d
    w- c:\program files (x86)\Common Files\Java
    2012-07-30 17:09 . 2012-07-30 17:09 772592 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
    2012-07-29 17:41 . 2012-07-29 17:41
    d
    w- C:\_OTL
    2012-07-29 17:20 . 2012-07-03 12:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-07-29 17:20 . 2012-07-29 17:20
    d
    w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-07-28 20:37 . 2012-07-28 20:37
    d
    w- c:\users\stephen\AppData\Local\{132931E3-D8F4-11E1-8270-B8AC6F996F26}
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-08-13 18:20 . 2011-05-30 08:38 839096 ----a-w- c:\windows\system32\deployJava1.dll
    2012-07-30 17:09 . 2010-11-10 14:39 687600 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2012-07-11 22:02 . 2011-06-01 06:05 59701280 ----a-w- c:\windows\system32\MRT.exe
    2012-07-03 16:21 . 2012-02-26 20:54 54072 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
    2012-07-03 16:21 . 2011-05-26 18:44 355856 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2012-07-03 16:21 . 2011-05-26 18:44 958400 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-07-03 16:21 . 2011-05-26 18:44 71064 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2012-07-03 16:21 . 2011-05-26 18:44 59728 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2012-07-03 16:21 . 2011-05-26 18:44 25232 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2012-07-03 16:21 . 2011-05-26 18:43 41224 ----a-w- c:\windows\avastSS.scr
    2012-07-03 16:21 . 2011-05-26 18:43 227648 ----a-w- c:\windows\SysWow64\aswBoot.exe
    2012-07-03 16:21 . 2011-05-26 18:44 285328 ----a-w- c:\windows\system32\aswBoot.exe
    2012-06-21 16:00 . 2012-03-30 21:25 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-06-21 16:00 . 2011-06-19 08:40 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-06-12 03:08 . 2012-07-11 22:07 3148800 ----a-w- c:\windows\system32\win32k.sys
    2012-06-09 05:43 . 2012-07-11 07:58 14172672 ----a-w- c:\windows\system32\shell32.dll
    2012-06-06 06:06 . 2012-07-11 07:58 2004480 ----a-w- c:\windows\system32\msxml6.dll
    2012-06-06 06:06 . 2012-07-11 07:58 1881600 ----a-w- c:\windows\system32\msxml3.dll
    2012-06-06 06:02 . 2012-07-11 07:57 1133568 ----a-w- c:\windows\system32\cdosys.dll
    2012-06-06 05:05 . 2012-07-11 07:58 1390080 ----a-w- c:\windows\SysWow64\msxml6.dll
    2012-06-06 05:05 . 2012-07-11 07:58 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll
    2012-06-06 05:03 . 2012-07-11 07:57 805376 ----a-w- c:\windows\SysWow64\cdosys.dll
    2012-06-04 22:07 . 2012-06-04 22:07 0 ----a-w- c:\windows\SysWow64\shoBB9A.tmp
    2012-06-02 22:19 . 2012-06-19 05:39 38424 ----a-w- c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-19 05:39 2428952 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-02 22:19 . 2012-06-19 05:39 57880 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-19 05:39 44056 ----a-w- c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-19 05:39 701976 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-02 22:15 . 2012-06-19 05:39 2622464 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-02 22:15 . 2012-06-19 05:39 99840 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-02 14:19 . 2012-06-19 05:39 186752 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-02 14:15 . 2012-06-19 05:39 36864 ----a-w- c:\windows\system32\wuapp.exe
    2012-06-02 12:49 . 2012-07-11 22:01 17807360 ----a-w- c:\windows\system32\mshtml.dll
    2012-06-02 12:17 . 2012-07-11 22:01 10924032 ----a-w- c:\windows\system32\ieframe.dll
    2012-06-02 12:12 . 2012-07-11 22:01 2311680 ----a-w- c:\windows\system32\jscript9.dll
    2012-06-02 12:05 . 2012-07-11 22:01 1346048 ----a-w- c:\windows\system32\urlmon.dll
    2012-06-02 12:05 . 2012-07-11 22:01 1392128 ----a-w- c:\windows\system32\wininet.dll
    2012-06-02 12:04 . 2012-07-11 22:01 1494528 ----a-w- c:\windows\system32\inetcpl.cpl
    2012-06-02 12:04 . 2012-07-11 22:01 237056 ----a-w- c:\windows\system32\url.dll
    2012-06-02 12:03 . 2012-07-11 22:01 85504 ----a-w- c:\windows\system32\jsproxy.dll
    2012-06-02 12:01 . 2012-07-11 22:01 173056 ----a-w- c:\windows\system32\ieUnatt.exe
    2012-06-02 12:00 . 2012-07-11 22:01 818688 ----a-w- c:\windows\system32\jscript.dll
    2012-06-02 11:59 . 2012-07-11 22:01 2144768 ----a-w- c:\windows\system32\iertutil.dll
    2012-06-02 11:57 . 2012-07-11 22:01 96768 ----a-w- c:\windows\system32\mshtmled.dll
    2012-06-02 11:57 . 2012-07-11 22:01 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2012-06-02 11:54 . 2012-07-11 22:01 248320 ----a-w- c:\windows\system32\ieui.dll
    2012-06-02 08:33 . 2012-07-11 22:01 1800192 ----a-w- c:\windows\SysWow64\jscript9.dll
    2012-06-02 08:25 . 2012-07-11 22:01 1129472 ----a-w- c:\windows\SysWow64\wininet.dll
    2012-06-02 08:25 . 2012-07-11 22:01 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl
    2012-06-02 08:20 . 2012-07-11 22:01 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
    2012-06-02 08:16 . 2012-07-11 22:01 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
    2012-06-02 05:50 . 2012-07-11 07:58 458704 ----a-w- c:\windows\system32\drivers\cng.sys
    2012-06-02 05:48 . 2012-07-11 07:58 151920 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
    2012-06-02 05:48 . 2012-07-11 07:58 95600 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-06-02 05:45 . 2012-07-11 07:58 340992 ----a-w- c:\windows\system32\schannel.dll
    2012-06-02 05:44 . 2012-07-11 07:58 307200 ----a-w- c:\windows\system32\ncrypt.dll
    2012-06-02 04:40 . 2012-07-11 07:58 22016 ----a-w- c:\windows\SysWow64\secur32.dll
    2012-06-02 04:40 . 2012-07-11 07:58 225280 ----a-w- c:\windows\SysWow64\schannel.dll
    2012-06-02 04:39 . 2012-07-11 07:58 219136 ----a-w- c:\windows\SysWow64\ncrypt.dll
    2012-06-02 04:34 . 2012-07-11 07:58 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
    2012-05-31 11:25 . 2011-05-30 12:00 279656
    w- c:\windows\system32\MpSigStub.exe
    .
    .
    ((((((((((((((((((((((((((((( [EMAIL="SnapShot@2012-08-13_22.01.37"]SnapShot@2012-08-13_22.01.37[/EMAIL] )))))))))))))))))))))))))))))))))))))))))
    .
    - 2012-08-13 21:59 . 2012-08-13 21:59 13585 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
    + 2012-08-14 08:57 . 2012-08-14 08:57 13585 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
    - 2009-07-14 04:54 . 2012-08-13 22:01 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-07-14 04:54 . 2012-08-14 08:58 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-07-14 04:54 . 2012-08-13 22:01 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-07-14 04:54 . 2012-08-14 08:58 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-07-14 04:54 . 2012-08-14 08:58 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-07-14 04:54 . 2012-08-13 22:01 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2010-11-10 13:03 . 2012-08-14 06:47 56932 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-07-14 05:10 . 2012-08-14 06:47 33882 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2011-05-26 13:38 . 2012-08-14 06:47 23234 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1672613982-4168803175-1453337641-1001_UserData.bin
    + 2011-05-26 13:29 . 2012-08-14 08:40 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2011-05-26 13:29 . 2012-08-13 20:39 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2011-05-26 13:29 . 2012-08-14 08:40 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2011-05-26 13:29 . 2012-08-13 20:39 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-07-14 04:54 . 2012-08-13 20:39 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-07-14 04:54 . 2012-08-14 08:40 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2012-08-14 08:58 . 2012-08-14 08:58 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2012-08-13 22:01 . 2012-08-13 22:01 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2012-08-13 22:01 . 2012-08-13 22:01 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2012-08-14 08:58 . 2012-08-14 08:58 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2012-08-13 22:00 . 2012-08-13 22:00 338800 c:\windows\system32\FNTCACHE.DAT
    + 2012-08-14 08:58 . 2012-08-14 08:58 338800 c:\windows\system32\FNTCACHE.DAT
    - 2009-07-14 05:01 . 2012-08-13 21:59 300768 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2009-07-14 05:01 . 2012-08-14 08:57 300768 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2011-05-27 22:19 . 2012-08-14 08:57 58231092 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1672613982-4168803175-1453337641-1001-4096.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-07-03 4273976]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
    .
    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    TRDCReminder.lnk - c:\program files (x86)\TOSHIBA\TRDCReminder\TRDCReminder.exe [2009-9-1 481184]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "EnableLinkedConnections"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-30 136176]
    R3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-10-05 7884288]
    R3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-10-05 285696]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-30 136176]
    R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-05-16 113120]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
    R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2011-04-13 45432]
    R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2010-01-07 232992]
    R3 TemproMonitoringService;Notebook Performance Tuning Service (TEMPRO);c:\program files (x86)\Toshiba TEMPRO\TemproSvc.exe [2010-05-11 124368]
    R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-02-05 137560]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-05-27 1255736]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S1 ssoftnt4;ssoftnt4;c:\windows\system32\Drivers\ssoftnt4.sys [2011-04-27 103704]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-07-03 71064]
    S2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe [2010-01-28 249200]
    S2 ConfigFree Service;ConfigFree Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe [2009-03-10 46448]
    S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
    S2 DragonSvc;Dragon Service;c:\program files (x86)\Common Files\Nuance\dgnsvc.exe [2011-06-05 296808]
    S2 IconMan_R;IconMan_R;c:\program files (x86)\Realtek\Realtek USB 2.0 Card Reader\RIconMan.exe [2010-08-27 1811456]
    S2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe [2010-05-04 503080]
    S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
    S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2010-03-03 2320920]
    S3 CeKbFilter;CeKbFilter;c:\windows\system32\DRIVERS\CeKbFilter.sys [2011-03-04 20592]
    S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]
    S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-27 158976]
    S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [2009-06-22 35008]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2010-06-23 344680]
    S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys [2010-04-28 932384]
    S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 764264]
    S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 268648]
    S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 25960]
    S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 22376]
    S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-08-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-30 09:35]
    .
    2012-08-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-30 09:35]
    .
    .
    X64 Entries
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2012-07-03 16:21 133400 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "00TCrdMain"="c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe" [BU]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-07-28 11101800]
    "RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2010-07-28 2120808]
    .
    Supplementary Scan
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = about:blank
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: &ieSpell Options - c:\program files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM
    IE: Check &Spelling - c:\program files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM
    IE: Download with &Shareaza - c:\program files (x86)\Shareaza\RazaWebHook32.dll/3000
    IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
    IE: Lookup on Merriam Webster - [URL]file://c:\program[/URL] files (x86)\ieSpell\Merriam Webster.HTM
    IE: Lookup on Wikipedia - [URL]file://c:\program[/URL] files (x86)\ieSpell\wikipedia.HTM
    TCP: DhcpNameServer = 192.168.1.254
    DPF: {0972B098-DEE9-4279-AC7E-4BAAA029102D} - hxxp://assets.photobox.com/assets/aurigma/ImageUploader5.cab?20110620094923
    FF - ProfilePath - c:\users\stephen\AppData\Roaming\Mozilla\Firefox\Profiles\aicv56t1.default\
    FF - prefs.js: browser.startup.homepage - about:blank
    FF - prefs.js: network.proxy.type - 0
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    .
    .
    .
    LOCKED REGISTRY KEYS
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
    "SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Other Running Processes
    .
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\program files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    c:\windows\SysWOW64\cryptainersrv.exe
    c:\program files (x86)\TOSHIBA\ConfigFree\NDSTray.exe
    .
    **************************************************************************
    .
    Completion time: 2012-08-14 10:04:56 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-08-14 09:04
    ComboFix2.txt 2012-08-13 22:07
    .
    Pre-Run: 75,597,205,504 bytes free
    Post-Run: 75,541,258,240 bytes free
    .
    - - End Of File - - 679BDCAB5D2DEB007F408B45BCC3BC06
  • cepheus
    cepheus Posts: 20,053 Forumite
    Same problem with Firefox

    Infection Details

    URL:http://14.ppcperpayadvertising.com/2feed...Process:C:\Program Files (x86)\Mozilla Firefox\f...Infection:URL:Mal
  • GunJack
    GunJack Posts: 11,826 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    just a thought...it looks like you didn't turn avast off before that second CF run ??
    ......Gettin' There, Wherever There is......

    I have a dodgy "i" key, so ignore spelling errors due to "i" issues, ...I blame Apple :D
This discussion has been closed.
Meet your Ambassadors

🚀 Getting Started

Hi new member!

Our Getting Started Guide will help you get the most out of the Forum

Categories

  • All Categories
  • 350.6K Banking & Borrowing
  • 253K Reduce Debt & Boost Income
  • 453.4K Spending & Discounts
  • 243.6K Work, Benefits & Business
  • 598.4K Mortgages, Homes & Bills
  • 176.8K Life & Family
  • 256.8K Travel & Transport
  • 1.5M Hobbies & Leisure
  • 16.1K Discuss & Feedback
  • 37.6K Read-Only Boards

Is this how you want to be seen?

We see you are using a default avatar. It takes only a few seconds to pick a picture.
Update Your Picture