Author Topic: [Resolved] AVG found Trojan Horse Crypt.ASHD  (Read 4711 times)

Offline Bear

  • Malware Removal Mentors
  • Global Moderator
  • Gold Member
  • Posts: 2147
Re: [In Progress B]AVG found Trojan Horse Crypt.ASHD
« Reply #45 on: March 31, 2012, 08:50:08 PM »
Hi KC

I found a couple of additional issues, but nothing significant enough to cause the problems you are having.  Let's fix these and then see what happens next.

First let's uninstall your tuneup program.  These do not help and can cause problems.

1. Please go to start/control panel/add or remove programs and completely uninstall the following program:
AVG PC Tuneup 

2.  Double click on the OTL icon to run it (Vista and Windows 7 users right click and select Run as Administrator). Make sure all other windows are closed and to let it run uninterrupted.

3.  In the lower right corner, checkmark "LOP Check" and checkmark "Purity Check".  On the upper right be sure Use Company-Name WhiteList and Skip Microsoft Files are checked.  Copy the code in the code box below and paste it into the Custom Scan box.

Code:
:OTL
@Alternate Data Stream - 145 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4

:FILES

:Commands
[CREATERESTOREPOINT]
[REBOOT]
[EMPTYTEMP]
[RESETHOSTS]
[EMPTYJAVA]



4.  Click on the Run Fix button.  The fix log is saved on your C: drive under OTL\Moved Files as date-some number.log.  Reboot your PC.

5.  Now click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.  When the scan completes, it will open two notepad windows.  OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

6. Run MBAM again.  Be sure to update the program and run a full system scan.  And be sure to fix all problems found.

7.  Download ESET Online Scanner and save it to your desktop.

8.  Double-click on esetsmartinstaller and then click Run.  Click Yes on the license and then Start.

9.  Be sure that ONLY the following items are checked:
   Remove found threats
   Scan for potentially unwanted applications
   Enable Anti-Stealth technology

Click Start.

It may take some time for the virus definitions to download and the scan to finish.  Do not click on the interface, download or install anything until the scan completes.  When the scan completes click Finish.

10.  Navigate to the following file path, C:\Program Files\ESET\ESET Online Scanner and Double-click on the log.txt file.  Click File/Save As and name the file ESETLog.txt and save it to your desktop.

As always please check to be sure Word Wrap is NOT turned on in any Notepad files you post and please be sure to check that all the data you entered was posted.  If not, use multiple posts.

Now please post the following to me as a reply to this post:
OTL Fix Log
mbam-log-latest date
EsetLog.txt
Let me know how your computer is operating
If you have any questions or problems, let me know that as well
Never interrupt your enemy when he is making a mistake.
- Napoleon Bonaparte
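As an added example (not from this thread, from OTL's author, or from any of the tools named above), here is a small Python triage script for the OTL log format kcrawhorn posts in reply to these steps: it parses the PRC/MOD/SRV/DRV lines into fields and flags the entries a helper reads first (service and driver registrations whose file is missing, binaries with no company name, executables running out of a user profile). The sample lines are excerpted from the log in this thread; the flag names and triage rules are my own, not OTL's.

```python
"""Parse OTL (OldTimer's List-It) log entries and flag the ones a reviewer reads first.

Added example for this thread; not part of OTL. It handles the PRC/MOD/SRV/DRV lines
of the log and applies a few triage rules of my own that mirror what a malware-removal
helper scans for. A flag means "look here", not "this is malicious": the renamed
google.exe.exe below is OTL itself, run from the desktop on the helper's advice.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Metadata block OTL prints for each file: [YYYY/MM/DD HH:MM:SS | 000,593,920 | ---- | M]
META_RE = re.compile(
    r"\[(?P<date>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\]"
)
COMPANY_RE = re.compile(r"\] \((?P<company>[^)]*)\)")               # "(AVG ...)" or "()"
STATE_RE = re.compile(r"\[(?P<state>[^\]]*(?:Running|Stopped))\]")  # "[Auto | Running]"
PATH_RE = re.compile(r" -- (?P<path>.*?)(?: -- \(|$)")              # path follows first " -- "
NAME_RE = re.compile(r" -- \((?P<name>[^)]+)\)")                    # trailing "(ServiceName)"
LINE_RE = re.compile(r"^(?P<kind>PRC|MOD|SRV|DRV) - (?P<rest>.*)$")


@dataclass
class OtlEntry:
    kind: str                 # PRC (process), MOD (module), SRV (service), DRV (driver)
    path: str                 # file path; empty when OTL could not resolve one
    name: Optional[str]       # service/driver name; None for PRC and MOD lines
    company: Optional[str]    # "" when the file carries no company name; None if absent
    size: Optional[int]       # bytes, from the metadata block
    state: Optional[str]      # e.g. "Auto | Running" for SRV/DRV lines
    file_missing: bool        # line starts with "File not found"
    flags: List[str] = field(default_factory=list)


def triage(e: OtlEntry) -> List[str]:
    """Triage rules (my own): each flag names something worth a second look."""
    flags = []
    if e.file_missing:
        flags.append("file_missing")            # orphaned service/driver registration
    if e.company == "" and not e.file_missing:
        flags.append("no_company_name")         # unbranded binary; check signer/hash
    low = e.path.lower()
    if low.endswith(".exe") and ("\\documents and settings\\" in low or "\\users\\" in low):
        flags.append("runs_from_user_profile")  # code executing from a user-writable area
    if re.search(r"\.[a-z0-9]{2,4}\.exe$", low):
        flags.append("double_extension")        # e.g. something.pdf.exe
    if e.kind in ("SRV", "DRV") and e.company == "" and e.state and e.state.endswith("Running"):
        flags.append("running_unbranded_service")
    return flags


def parse_entry(line: str) -> Optional[OtlEntry]:
    """Return an OtlEntry for a PRC/MOD/SRV/DRV line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, rest = m.group("kind"), m.group("rest")
    meta = META_RE.search(rest)
    company = COMPANY_RE.search(rest)
    state = STATE_RE.search(rest)
    path = PATH_RE.search(rest)
    name = NAME_RE.search(rest)
    entry = OtlEntry(
        kind=kind,
        path=path.group("path").strip() if path else "",
        name=name.group("name") if name else None,
        company=company.group("company").strip() if company else None,
        size=int(meta.group("size").replace(",", "")) if meta else None,
        state=state.group("state") if state else None,
        file_missing=rest.startswith("File not found"),
    )
    entry.flags = triage(entry)
    return entry


def triage_log(text: str) -> List[OtlEntry]:
    """Parse every entry in an OTL log and return only the flagged ones, in log order."""
    entries = (parse_entry(line) for line in text.splitlines())
    return [e for e in entries if e is not None and e.flags]


# Sample input: lines excerpted verbatim from the OTL log posted in this thread.
SAMPLE_LOG = r"""
PRC - [2012/03/31 11:28:19 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\customer1\Desktop\google.exe.exe
PRC - [2012/03/12 08:03:40 | 000,982,880 | ---- | M] () -- C:\Program Files\AVG Secure Search\vprot.exe
PRC - [2008/04/14 06:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
SRV - File not found [On_Demand | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
SRV - [2012/03/12 08:03:43 | 000,918,880 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe -- (vToolbarUpdater10.2.0)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - [2011/10/07 07:23:48 | 000,230,608 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (Avgldx86)
""".strip()


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f"{e.kind} {e.name or e.path}: {', '.join(e.flags)}")
```

Feed it a full OTL.Txt and the unflagged majority (signed Microsoft and vendor files) drops out, leaving the short list a helper would actually open.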

Offline kcrawhorn

  • Bronze Member
  • Posts: 126
Re: [In Progress B]AVG found Trojan Horse Crypt.ASHD
« Reply #46 on: April 02, 2012, 10:02:40 AM »
OTL logfile created on: 4/2/2012 9:50:47 AM - Run 2
OTL by OldTimer - Version 3.2.39.2     Folder = C:\Documents and Settings\customer1\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
2.00 Gb Total Physical Memory | 1.53 Gb Available Physical Memory | 76.65% Memory free
5.85 Gb Paging File | 5.39 Gb Available in Paging File | 92.22% Paging File free
Paging file location(s): c:\pagefile.sys 4092 4092 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 130.93 Gb Free Space | 87.84% Space Free | Partition Type: NTFS
 
Computer Name: KEVINSPC | User Name: customer1 | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2012/03/31 11:28:19 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\customer1\Desktop\google.exe.exe
PRC - [2012/03/12 08:03:43 | 000,918,880 | ---- | M] () -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe
PRC - [2012/03/12 08:03:40 | 000,982,880 | ---- | M] () -- C:\Program Files\AVG Secure Search\vprot.exe
PRC - [2012/01/24 18:24:26 | 002,416,480 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgtray.exe
PRC - [2012/01/14 22:25:38 | 000,296,056 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Real\realplayer\Update\realsched.exe
PRC - [2011/11/28 02:19:04 | 001,229,664 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgnsx.exe
PRC - [2011/10/12 07:25:22 | 004,433,248 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
PRC - [2011/09/08 21:53:26 | 000,743,264 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgrsx.exe
PRC - [2011/08/15 07:21:40 | 000,337,760 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgcsrvx.exe
PRC - [2011/08/02 07:09:08 | 000,192,776 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe
PRC - [2008/04/14 06:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/01/12 11:57:28 | 000,292,336 | ---- | M] () -- C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
PRC - [2006/11/03 17:04:46 | 000,304,008 | ---- | M] () -- C:\Program Files\Dell Photo AIO Printer 926\memcard.exe
PRC - [2006/10/11 16:48:50 | 000,532,480 | ---- | M] ( ) -- C:\WINDOWS\system32\dlcxcoms.exe
PRC - [2006/01/02 18:41:22 | 000,045,056 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
PRC - [2005/07/22 14:03:00 | 000,425,984 | ---- | M] (Dell) -- C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
PRC - [2005/06/21 15:19:38 | 000,491,520 | ---- | M] () -- C:\WINDOWS\system32\dlcccoms.exe
PRC - [2004/10/14 11:11:10 | 001,388,544 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
PRC - [2003/01/01 05:08:46 | 000,045,568 | ---- | M] (USBest) -- C:\WINDOWS\system32\UTSCSI.EXE
PRC - [2002/09/20 16:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2012/03/12 08:03:43 | 000,918,880 | ---- | M] () -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe
MOD - [2012/03/12 08:03:40 | 001,869,152 | ---- | M] () -- C:\Program Files\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll
MOD - [2012/03/12 08:03:40 | 000,982,880 | ---- | M] () -- C:\Program Files\AVG Secure Search\vprot.exe
MOD - [2012/01/11 04:02:05 | 003,391,488 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_cb6ca372\mscorlib.dll
MOD - [2012/01/11 04:01:58 | 000,835,584 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\system.drawing\1.0.5000.0__b03f5f7f11d50a3a_5af389e8\system.drawing.dll
MOD - [2012/01/11 04:01:50 | 002,088,960 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\system.xml\1.0.5000.0__b77a5c561934e089_68c1ca44\system.xml.dll
MOD - [2012/01/11 04:01:44 | 003,035,136 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\system.windows.forms\1.0.5000.0__b77a5c561934e089_d6d5949d\system.windows.forms.dll
MOD - [2012/01/11 04:01:32 | 001,966,080 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\system\1.0.5000.0__b77a5c561934e089_ab886053\system.dll
MOD - [2012/01/11 04:01:15 | 001,232,896 | ---- | M] () -- c:\windows\assembly\gac\system\1.0.5000.0__b77a5c561934e089\system.dll
MOD - [2012/01/11 04:01:14 | 001,269,760 | ---- | M] () -- c:\windows\assembly\gac\system.web\1.0.5000.0__b03f5f7f11d50a3a\system.web.dll
MOD - [2012/01/11 04:01:13 | 002,064,384 | ---- | M] () -- c:\windows\assembly\gac\system.windows.forms\1.0.5000.0__b77a5c561934e089\system.windows.forms.dll
MOD - [2007/01/12 11:57:28 | 000,292,336 | ---- | M] () -- C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
MOD - [2006/11/03 17:04:46 | 000,304,008 | ---- | M] () -- C:\Program Files\Dell Photo AIO Printer 926\memcard.exe
MOD - [2006/10/20 00:33:26 | 000,117,760 | ---- | M] () -- C:\WINDOWS\system32\spool\prtprocs\w32x86\dlcxdrpp.dll
MOD - [2006/10/06 07:24:28 | 000,016,384 | ---- | M] () -- C:\Program Files\Dell PC Fax\dlctrstr.dll
MOD - [2006/10/06 07:06:16 | 000,045,056 | ---- | M] () -- C:\WINDOWS\system32\DLPRMON.DLL
MOD - [2006/10/06 07:04:20 | 000,032,768 | ---- | M] () -- C:\Program Files\Dell PC Fax\ipcmt.dll
MOD - [2006/09/06 05:13:14 | 000,073,728 | ---- | M] () -- C:\Program Files\Dell Photo AIO Printer 926\DLCXcfg.dll
MOD - [2006/08/08 14:54:18 | 000,278,528 | ---- | M] () -- C:\Program Files\Dell Photo AIO Printer 926\dlcxscw.dll
MOD - [2006/07/18 20:39:33 | 001,339,392 | ---- | M] () -- c:\windows\assembly\gac\system.xml\1.0.5000.0__b77a5c561934e089\system.xml.dll
MOD - [2006/07/18 20:39:33 | 000,372,736 | ---- | M] () -- c:\windows\assembly\gac\system.management\1.0.5000.0__b03f5f7f11d50a3a\system.management.dll
MOD - [2006/07/18 20:39:32 | 000,466,944 | ---- | M] () -- c:\windows\assembly\gac\system.drawing\1.0.5000.0__b03f5f7f11d50a3a\system.drawing.dll
MOD - [2006/07/18 20:39:32 | 000,323,584 | ---- | M] () -- c:\windows\assembly\gac\system.runtime.remoting\1.0.5000.0__b77a5c561934e089\system.runtime.remoting.dll
MOD - [2006/03/14 16:38:24 | 000,143,360 | ---- | M] () -- C:\Program Files\Dell Photo AIO Printer 926\dlcxdrec.dll
MOD - [2005/06/21 15:22:06 | 000,483,328 | ---- | M] () -- C:\WINDOWS\system32\dlcclmpm.dll
MOD - [2005/06/21 15:19:38 | 000,491,520 | ---- | M] () -- C:\WINDOWS\system32\dlcccoms.exe
MOD - [2005/06/21 15:18:24 | 000,155,648 | ---- | M] () -- C:\WINDOWS\system32\dlccprox.dll
MOD - [2005/06/06 10:58:38 | 000,065,536 | ---- | M] () -- C:\Program Files\Dell Photo AIO Printer 924\dlcccfg.dll
MOD - [2005/04/27 16:30:44 | 000,118,784 | ---- | M] () -- C:\Program Files\Dell Photo AIO Printer 924\dlccdrec.dll
 
 
========== Win32 Services (SafeList) ==========
 
SRV - File not found [On_Demand | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
SRV - [2012/03/31 18:03:45 | 000,253,600 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/03/12 08:03:43 | 000,918,880 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe -- (vToolbarUpdater10.2.0)
SRV - [2011/10/12 07:25:22 | 004,433,248 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe -- (AVGIDSAgent)
SRV - [2011/08/02 07:09:08 | 000,192,776 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe -- (avgwd)
SRV - [2008/04/14 06:42:04 | 000,105,472 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\p2pgasvc.dll -- (p2pgasvc)
SRV - [2008/04/14 06:41:56 | 000,035,328 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\iprip.dll -- (Iprip)
SRV - [2006/10/11 16:48:50 | 000,532,480 | ---- | M] ( ) [Auto | Running] -- C:\WINDOWS\system32\dlcxcoms.exe -- (dlcx_device)
SRV - [2005/06/21 15:19:38 | 000,491,520 | ---- | M] () [On_Demand | Running] -- C:\WINDOWS\system32\dlcccoms.exe -- (dlcc_device)
SRV - [2003/01/01 05:08:46 | 000,045,568 | ---- | M] (USBest) [Auto | Running] -- C:\WINDOWS\system32\UTSCSI.EXE -- (UTSCSI)
SRV - [2002/09/20 16:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\usbaapl.sys -- (USBAAPL)
DRV - File not found [Kernel | Boot | Stopped] -- System32\drivers\sfsync02.sys -- (sfsync02) StarForce Protection Synchronization Driver (version 2.x)
DRV - File not found [Kernel | On_Demand | Stopped] -- D:\NTGLM7X.sys -- (SetupNTGLM7X)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (RT2500USB)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] --  -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PCANDIS5)
DRV - File not found [Kernel | On_Demand | Stopped] -- D:\NTACCESS.sys -- (NTACCESS)
DRV - File not found [Kernel | System | Stopped] --  -- (lbrtfdc)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\irsir.sys -- (irsir)
DRV - File not found [Kernel | System | Stopped] --  -- (InCDRm)
DRV - File not found [Kernel | System | Stopped] --  -- (InCDPass)
DRV - File not found [Kernel | System | Stopped] --  -- (i2omgmt)
DRV - File not found [Kernel | On_Demand | Stopped] -- D:\INSTALL\GMSIPCI.SYS -- (GMSIPCI)
DRV - File not found [Kernel | System | Stopped] --  -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2011/10/07 07:23:48 | 000,230,608 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2011/10/04 07:21:42 | 000,016,720 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSShim.sys -- (AVGIDSShim)
DRV - [2011/09/13 07:30:10 | 000,032,592 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\avgrkx86.sys -- (Avgrkx86)
DRV - [2011/08/08 07:08:58 | 000,040,016 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2011/07/11 02:14:38 | 000,295,248 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (Avgtdix)
DRV - [2011/07/11 02:14:28 | 000,024,272 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSFilter.sys -- (AVGIDSFilter)
DRV - [2011/07/11 02:14:28 | 000,023,120 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\AVGIDSEH.sys -- (AVGIDSEH)
DRV - [2011/07/11 02:14:26 | 000,134,608 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSDriver.sys -- (AVGIDSDriver)
DRV - [2010/02/11 07:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
DRV - [2008/03/03 11:00:00 | 000,043,392 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SiSGbeXP.sys -- (SiSGbeXP)
DRV - [2006/06/07 04:08:58 | 001,580,544 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/08/18 04:52:06 | 000,093,568 | R--- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\nvata.sys -- (nvata)
DRV - [2005/08/10 07:44:04 | 000,050,688 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\sfdrv01.sys -- (sfdrv01) StarForce Protection Environment Driver (version 1.x)
DRV - [2005/07/26 07:01:56 | 000,415,360 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nvapu.sys -- (nvnforce) Service for NVIDIA(R) nForce(TM)
DRV - [2005/07/26 06:58:30 | 000,053,376 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nvax.sys -- (nvax) Service for NVIDIA(R) nForce(TM)
DRV - [2005/05/16 08:20:39 | 000,006,656 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\sfhlp02.sys -- (sfhlp02) StarForce Protection Helper Driver (version 2.x)
DRV - [2005/04/05 14:22:30 | 000,012,928 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2005/04/05 14:22:28 | 000,033,536 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2005/03/09 01:53:00 | 000,036,352 | R--- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2005/03/01 12:01:40 | 000,392,704 | ---- | M] (Sensaura) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2004/09/14 12:55:44 | 000,088,960 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MidiSyn.sys -- (MidiSyn)
DRV - [2004/03/29 04:23:42 | 000,140,288 | R--- | M] (Inprocomm, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\i2220ntx.sys -- (IPN2220)
DRV - [2001/08/17 15:00:04 | 000,002,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\msmpu401.sys -- (ms_mpu401)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7ADBF_en
IE - HKCU\..\SearchScopes\{8260C2B8-E0D1-448a-B062-33D12D468BF0}: "URL" = http://search.alot.com/web?pr=prov&client_id=6B02A47001C8345C0009EC19&install_time=01-12-2007:14:54&src_id=11003&tb_version=1.0.1.0&q={searchTerms}
IE - HKCU\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = http://isearch.avg.com/search?cid={4192E04B-5472-40CF-9B5A-D5A52A438979}&mid=394e44f4630a47d18da8d15e776005a6-87d0ec190e4c69a23e608e916e5c08d08c9e9e6c&lang=en&ds=AVG&pr=fr&d=2012-01-28 17:54:40&v=9.0.0.23&sap=dsp&q={searchTerms}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..browser.search.selectedEngine: "Yahoo"
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:12.0.0.1912
FF - prefs.js..extensions.enabledItems: avg@toolbar:9.0.0.23
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}:6.0.30
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:15.0.1
FF - prefs.js..keyword.URL: "http://isearch.avg.com/search?cid=%7B9b5491a7-5335-4be7-ac85-02b376fd61ba%7D&mid=394e44f4630a47d18da8d15e776005a6-87d0ec190e4c69a23e608e916e5c08d08c9e9e6c&ds=AVG&v=9.0.0.23&lang=en&pr=pr&d=2011-12-22%2017%3A52%3A00&sap=ku&q="
FF - user.js - File not found
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_2_202_228.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=15.0.1.13: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=15.0.1.13: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=15.0.1.13: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=15.0.1.13: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=15.0.1.13: c:\program files\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=:  File not found
FF - HKLM\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine,version=1.0: C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine,version=1.1: C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@soe.sony.com/installer,version=1.0.3: C:\PROGRA~1\SONYON~1\npsoe.dll ()
FF - HKCU\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine: C:\Documents and Settings\customer1\Application Data\nprhapengine.dll File not found
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG2012\Firefox\ [2012/02/02 09:19:49 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG2012\Firefox4\ [2012/02/02 09:20:03 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\avg@toolbar: C:\Documents and Settings\All Users\Application Data\AVG Secure Search\10.2.0.3\ [2012/03/12 08:03:53 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2012/01/14 22:25:58 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/03/24 13:21:38 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/03/24 13:21:30 | 000,000,000 | ---D | M]
 
[2009/07/05 17:25:16 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\customer1\Application Data\Mozilla\Extensions
[2009/07/05 17:25:16 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\customer1\Application Data\Mozilla\Firefox\Profiles\gygvqas6.default\extensions
[2012/04/01 15:29:09 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/04/01 15:29:10 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
[2012/03/12 08:03:53 | 000,000,000 | ---D | M] (AVG Security Toolbar) -- C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AVG SECURE SEARCH\10.2.0.3
[2012/04/01 15:28:54 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2012/03/12 23:39:39 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/04/01 15:28:53 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2012/03/12 08:03:39 | 000,003,766 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\avg-secure-search.xml
[2012/03/12 23:38:32 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/03/12 23:38:32 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml
 
O1 HOSTS File: ([2012/04/02 09:31:20 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: ::1       localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll ()
O2 - BHO: (AL2Spy Class) - {DC200356-0864-4F66-8964-5D43A19300F5} - C:\WINDOWS\AutoLogin\AL2DLL.dll (Fineart)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll ()
O4 - HKLM..\Run: [ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\cli.exe (ATI Technologies Inc.)
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [DLCCCATS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.DLL ()
O4 - HKLM..\Run: [dlccmon.exe] C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe (Dell)
O4 - HKLM..\Run: [DLCXCATS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCXtime.DLL ()
O4 - HKLM..\Run: [dlcxmon.exe] C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe ()
O4 - HKLM..\Run: [FaxCenterServer] C:\Program Files\Dell PC Fax\fm3032.exe ()
O4 - HKLM..\Run: [MemoryCardManager] C:\Program Files\Dell Photo AIO Printer 926\memcard.exe ()
O4 - HKLM..\Run: [ROC_roc_dec12] C:\Program Files\AVG Secure Search\ROC_roc_dec12.exe ()
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\program files\real\realplayer\update\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [vProt] C:\Program Files\AVG Secure Search\vprot.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20Japan/Images/stg_drm.ocx (SpinTop DRM Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {38AB6A6C-CC4C-4F9E-A3DD-3C5681EF18A1} http://www.freerealms.com/gamedata/FreeRealmsInstaller.cab (SonyOnlineInstallerX)
O16 - DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} http://quickscan.bitdefender.com/qsax/qsax.cab (BitDefender QuickScan Control)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitdefender.com/resources/scan8/oscan8.cab (BDSCANONLINE Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160522783484 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155655455656 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} file:///C:/Program%20Files/SCRABBLE/Images/armhelper.ocx (ArmHelper Control)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab (Shockwave Flash Object)
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} http://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab (CTAdjust Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 66.38.1.91 66.38.0.240 66.38.0.241
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3A17128A-31C1-494A-B8F5-0761BE95C120}: DhcpNameServer = 66.38.1.91 66.38.0.240 66.38.0.241
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6151B8D1-1250-49F0-A78C-282061E09E38}: DhcpNameServer = 66.38.1.91 66.38.0.240 66.38.0.241
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{8AD25AF2-6805-4F2F-B834-8F6890B2EDCB}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{FAA11E2B-BF70-4753-AC88-0B28DAA776B1}: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\viprotocol {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\10.2.0\ViProtocol.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\customer1\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\customer1\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/07/18 17:45:42 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
[CREATERESTOREPOINT]
Restore point Set: OTL Restore Point
 
========== Files/Folders - Created Within 30 Days ==========
 
[2012/04/02 09:30:51 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/04/01 19:01:32 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/03/31 11:28:19 | 000,593,920 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\customer1\Desktop\google.exe.exe
[2012/03/31 11:26:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\customer1\Desktop\Logs
[2012/03/31 11:11:59 | 002,068,016 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\customer1\Desktop\tdsskiller.exe
[2012/03/29 16:13:55 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2012/03/28 16:29:16 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/03/28 16:27:08 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/03/28 16:27:08 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/03/28 16:27:08 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/03/28 16:27:08 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/03/28 16:26:58 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/03/28 16:26:54 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/03/28 16:20:48 | 004,448,457 | R--- | C] (Swearware) -- C:\Documents and Settings\customer1\Desktop\ComboFix.exe
 
========== Files - Modified Within 30 Days ==========
 
[2012/04/02 09:34:10 | 000,001,596 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/04/02 09:33:34 | 000,000,286 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-73586283-842925246-725345543-1004.job
[2012/04/02 09:33:15 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/04/02 09:31:20 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2012/04/02 09:26:33 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\TEMP
[2012/04/02 09:02:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/04/01 19:01:29 | 000,000,104 | ---- | M] () -- C:\Documents and Settings\customer1\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk
[2012/04/01 18:57:22 | 093,316,310 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2012/04/01 12:43:11 | 000,002,265 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2012/03/31 13:58:52 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2012/03/31 11:28:19 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\customer1\Desktop\google.exe.exe
[2012/03/31 11:11:59 | 002,068,016 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\customer1\Desktop\tdsskiller.exe
[2012/03/29 18:56:46 | 000,245,021 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\iavichjg.avm
[2012/03/29 15:55:52 | 000,000,417 | ---- | M] () -- C:\Documents and Settings\customer1\Desktop\fixhosts.bat
[2012/03/29 10:54:00 | 000,000,294 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-73586283-842925246-725345543-1004.job
[2012/03/28 16:29:22 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2012/03/28 16:20:48 | 004,448,457 | R--- | M] (Swearware) -- C:\Documents and Settings\customer1\Desktop\ComboFix.exe
[2012/03/24 13:21:45 | 000,000,742 | ---- | M] () -- C:\Documents and Settings\customer1\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2012/03/24 13:21:45 | 000,000,724 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2012/03/24 13:07:34 | 000,000,802 | ---- | M] () -- C:\Documents and Settings\customer1\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes Anti-Malware.lnk
[2012/03/24 13:07:34 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/03/15 09:21:37 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\customer1\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2012/03/15 03:18:56 | 000,260,640 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/03/15 03:01:04 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/03/12 07:02:55 | 000,383,254 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/03/12 07:02:55 | 000,053,608 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
 
========== Files Created - No Company Name ==========
 
[2012/04/01 19:01:29 | 000,000,104 | ---- | C] () -- C:\Documents and Settings\customer1\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk
[2012/03/31 17:57:46 | 000,000,830 | ---- | C] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/03/28 16:34:21 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\TEMP
[2012/03/28 16:29:22 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2012/03/28 16:29:18 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/03/28 16:27:08 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/03/28 16:27:08 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/03/28 16:27:08 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/03/28 16:27:08 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/03/28 16:27:08 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/03/28 16:07:12 | 000,000,417 | ---- | C] () -- C:\Documents and Settings\customer1\Desktop\fixhosts.bat
[2012/03/24 13:21:45 | 000,000,742 | ---- | C] () -- C:\Documents and Settings\customer1\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2012/03/24 13:21:45 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
[2012/03/24 13:21:45 | 000,000,724 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2012/03/24 13:07:34 | 000,000,802 | ---- | C] () -- C:\Documents and Settings\customer1\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes Anti-Malware.lnk
[2012/03/13 16:10:00 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2012/02/15 01:19:34 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
 
========== LOP Check ==========
 
[2012/03/12 08:03:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Secure Search
[2012/02/24 23:23:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG2012
[2006/12/19 10:15:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CA
[2011/12/22 18:51:51 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2010/05/20 19:39:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\iWin Games
[2008/09/04 06:17:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\JollyBear
[2012/04/02 08:54:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2007/12/01 16:37:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\YAHOO
[2009/07/16 10:20:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2012/02/24 23:33:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\customer1\Application Data\AVG
[2011/12/22 18:52:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\customer1\Application Data\AVG Secure Search
[2011/12/22 18:53:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\customer1\Application Data\AVG2012
[2009/12/24 23:51:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\customer1\Application Data\GameHouse
[2009/01/21 13:06:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\customer1\Application Data\iWin
[2011/12/29 22:23:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\customer1\Application Data\QuickScan
[2009/12/24 23:52:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\customer1\Application Data\Scrabble Plus
[2009/02/02 14:31:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\customer1\Application Data\Simply Super Software
[2008/08/19 12:22:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\customer1\Application Data\SpinTop
 
========== Purity Check ==========
 
 
 
========== Custom Scans ==========
 
< :OTL >
 
< @Alternate Data Stream - 145 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4 >
 
<  >
 
< :FILES >
 
<  >
 
< :Commands >
 
< [REBOOT] >
 
< [EMPTYTEMP] >
 
< [RESETHOSTS] >
 
< [EMPTYJAVA] >
 
<  >
 
<  >
 
<  >

< End of report >
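As an added example (not from the thread and not OTL's own code), a small Python triage pass over the OTL log format shown above: it parses the file entries, flags executables under the Windows folder with no company name, double extensions such as google.exe.exe, and the alternate data stream the fix removed, using sample lines copied from these logs. It assumes %SystemRoot% is C:\WINDOWS, as on this PC.

```python
import ntpath
import re
from datetime import datetime

# OTL entry format as it appears in the thread's logs; the "(Company)" part is
# absent on folder and LOP Check lines:
#   [YYYY/MM/DD HH:MM:SS | size | attrs | C-or-M] (Company) -- path
ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[A-Z-]{4}) \| (?P<kind>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+?)\s*$"
)
# Fix-log line OTL writes when it removes an alternate data stream (path:stream).
ADS_RE = re.compile(r"^ADS (?P<path>.+):(?P<stream>[^:\s]+) deleted successfully\.$")
EXEC_EXT = {".exe", ".dll", ".ocx", ".sys", ".scr", ".bat", ".cmd", ".com", ".pif"}
SYSTEM_ROOT = "c:\\windows\\"  # assumption: %SystemRoot% is C:\WINDOWS, as on this PC

def parse_entry(line):
    """Fields of one OTL file/folder entry, or None for any other line."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["when"] = datetime.strptime(e["ts"], "%Y/%m/%d %H:%M:%S")
    e["size"] = int(e["size"].replace(",", ""))
    e["company"] = (e["company"] or "").strip()
    e["is_dir"] = "D" in e["attrs"]
    return e

def has_double_extension(path):
    """True for names like google.exe.exe (an executable extension hidden mid-name)."""
    parts = ntpath.basename(path).lower().split(".")
    return len(parts) >= 3 and any("." + p in EXEC_EXT for p in parts[1:-1])

def triage(log_text):
    """(path, reason) pairs to check first. Hints, not verdicts: in this thread the
    no-company files under C:\\WINDOWS came with ComboFix, google.exe.exe is OTL renamed."""
    findings = []
    for line in log_text.splitlines():
        ads = ADS_RE.match(line)
        if ads:
            findings.append((ads["path"] + ":" + ads["stream"], "alternate data stream"))
            continue
        e = parse_entry(line)
        if e is None or e["is_dir"]:
            continue
        path = e["path"]
        if (ntpath.splitext(path)[1].lower() in EXEC_EXT and not e["company"]
                and path.lower().startswith(SYSTEM_ROOT)):
            findings.append((path, "executable with no company name under %SystemRoot%"))
        if has_double_extension(path):
            findings.append((path, "double extension"))
    return findings

# Constructed sample: lines copied from the OTL scan and fix logs in this thread.
SAMPLE_LOG = r"""
========== Files/Folders - Created Within 30 Days ==========
[2012/03/31 11:28:19 | 000,593,920 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\customer1\Desktop\google.exe.exe
[2012/03/28 16:27:08 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/03/28 16:26:54 | 000,000,000 | ---D | C] -- C:\Qoobox
========== Files Created - No Company Name ==========
[2012/03/28 16:27:08 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/02/15 01:19:34 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
ADS C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4 deleted successfully.
"""

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LOG):
        print(f"{reason:52} {path}")
```

On the sample it reports four items: the double-extension file on the desktop, the two no-company executables under C:\WINDOWS, and the deleted stream; each is a prompt to look at the file, not a verdict.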

Offline kcrawhorn

  • Bronze Member
  • Posts: 126
Re: [In Progress B]AVG found Trojan Horse Crypt.ASHD
« Reply #47 on: April 02, 2012, 10:04:33 AM »
All processes killed
========== OTL ==========
ADS C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4 deleted successfully.
========== FILES ==========
========== COMMANDS ==========
Restore point Set: OTL Restore Point (0)
 
[EMPTYTEMP]
 
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 78991 bytes
->Flash cache emptied: 565 bytes
 
User: All Users
 
User: customer1
->Temp folder emptied: 24956363 bytes
->Temporary Internet Files folder emptied: 7748129 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 201342604 bytes
->Flash cache emptied: 487 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
 
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
 
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 4324566 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 138413 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 52317 bytes
RecycleBin emptied: 104 bytes
 
Total Files Cleaned = 228.00 mb
 
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
 
[EMPTYJAVA]
 
User: Administrator
 
User: All Users
 
User: customer1
->Java cache emptied: 0 bytes
 
User: Default User
 
User: LocalService
 
User: NetworkService
 
Total Java Files Cleaned = 0.00 mb
 
 
OTL by OldTimer - Version 3.2.39.2 log created on 04022012_093051

Files\Folders moved on Reboot...
C:\Documents and Settings\customer1\Local Settings\Temporary Internet Files\Content.IE5\R94RAPBX\index[1].htm moved successfully.
C:\Documents and Settings\customer1\Local Settings\Temporary Internet Files\Content.IE5\OECUT2CT\xd_proxy[1].php moved successfully.
C:\Documents and Settings\customer1\Local Settings\Temporary Internet Files\Content.IE5\DBM0BY9Q\xml[1].xml moved successfully.
C:\WINDOWS\temp\Perflib_Perfdata_374.dat moved successfully.

Registry entries deleted on Reboot...

Offline kcrawhorn

  • Bronze Member
  • Posts: 126
Re: [In Progress B]AVG found Trojan Horse Crypt.ASHD
« Reply #48 on: April 02, 2012, 02:25:32 PM »
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.04.02.09

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
customer1 :: KEVINSPC [administrator]

4/2/2012 2:25:44 PM
mbam-log-2012-04-02 (14-25-44).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 251568
Time elapsed: 53 minute(s), 31 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Offline kcrawhorn

  • Bronze Member
  • Posts: 126
Re: [In Progress B]AVG found Trojan Horse Crypt.ASHD
« Reply #49 on: April 02, 2012, 03:18:20 PM »
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=7cddecc5f0edd54581b58aba42b06253
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-04-02 09:15:58
# local_time=2012-04-02 04:15:58 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=768 16777215 100 0 121039629 121039629 0 0
# compatibility_mode=1024 16777175 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=61401
# found=0
# cleaned=0
# scan_time=1685

Offline kcrawhorn

  • Bronze Member
  • Posts: 126
Re: [In Progress B]AVG found Trojan Horse Crypt.ASHD
« Reply #50 on: April 02, 2012, 03:20:56 PM »
I believe I found the main problem.  She has a bad modem.  I brought my computer, which I know to be a good one, over and hooked it up.  It was very slow with some of the same issues.  At that point, I hooked their computer back up and hooked up my modem.  It was much faster and the blu-ray player and Netflix worked as well.  I believe that is the main problem.

With that being said, was there malware on this computer from any of the earlier logs I posted?  The original concern I had was that AVG detected the Trojan Horse Crypt.ASHD.

Offline Bear

  • Malware Removal Mentors
  • Global Moderator
  • Gold Member
  • Posts: 2147
Re: [In Progress B]AVG found Trojan Horse Crypt.ASHD
« Reply #51 on: April 02, 2012, 04:50:17 PM »
Hi KC

Yes your PC was infected, but it is clean now.  I will post you some important clean up instructions and also instructions to harden your PC against future infection.
Never interrupt your enemy when he is making a mistake.
- Napoleon Bonaparte

Offline Bear

  • Malware Removal Mentors
  • Global Moderator
  • Gold Member
  • Posts: 2147
Re: [In Progress B]AVG found Trojan Horse Crypt.ASHD
« Reply #52 on: April 02, 2012, 04:52:43 PM »
Hi KC

1.  Uninstall ComboFix as follows:  Copy the code in the code box below.

Code: [Select]

combofix /uninstall


Now click on start/run and paste the copied code into the input box.
Click OK.  Reboot your PC.

2.  Next disable and enable System Restore.  Use the following instructions: System Restore XP.  Now reboot.
 
Re-enable system restore with instructions from above and create a System Restore Point.
Go to All Programs, then to Accessories, System Tools and System Restore. Check the box for Create Restore Point (do not select a restore point), then click Next and follow the instructions.

3.  Run CCleaner as follows:

Select Options / Advanced and uncheck "Only delete files in Windows Temp folder older than 48 hours".  Then select the following:

In the Windows Tab:
Clean all entries in the "System" section.
Clean all entries in the "Advanced" section.
Clean any others that you choose.

In the Applications Tab:
Check all in the Firefox/Mozilla section.
Check all in the Applications section.
Check Sun Java in the Internet section.
Check all in the Multimedia section.
Check any others you choose.

Click the "Run Cleaner" button.  A pop up box will appear advising this process will permanently delete files from your system. Click OK.  Click exit when done.

4.  Download OTC to your desktop and run it.

Click Yes to begin the Cleanup process and Yes to remove these components, including this application.  You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
This will remove all the malware tools we have used.

5.   MOST IMPORTANT : Windows, IE and any other software you have that connects to the net need to be kept updated.  I recommend running Secunia PSI.  It will monitor the software you have installed and let you know when something needs to be updated.

6.  Go to Start/Windows Update and install all recommended updates.  You may have to do this more than once to get your operating system and Internet Explorer up to date.

7. Now update Java by clicking Here, click on Windows Online then click on Run/Install/Next and finally click Close when the installation is complete.

Click on Start/Programs and launch the Adobe Reader program.  Click on Help and Check for Updates and install all updates available.

8.  Now some tips for prevention of further infections:

Always use an updated anti-virus program. Make sure you update this weekly, if not more often. This is critical.

Keep Malwarebytes' Anti-Malware up to date as well.  Unless you have the paid version (which you can schedule), be sure to run scans several times per week.

Always use your firewall.  Learn how to use your firewall.   Only programs that need it should have access to the net.  But these are specific to the firewall you use, so you will need to learn how.  Check your firewall provider's web site for more information on making your firewall secure. 

9.  Go to WOT download and install this program.  It will help keep you safe on the internet.

Never run two Antivirus programs or two Firewalls at the same time.

NEVER use P2P or file sharing software.  Many P2P file sharing programs contain bundled spyware.  But all these programs expose you to risks because of the very nature of the P2P file sharing process.  Many very malicious worms and trojans target and spread across P2P file sharing networks.

Before downloading, installing or using any malware detection/removal software check Rogue/Suspect Spyware List and Rogue Applications List.  That way you will know if the program you are considering is safe.  If you want to know how it rates against other programs check out SpywareWarrior.

We have a good guide on how to prevent malware infections here at SpywareHammer.  You might want to peruse this and follow the recommendations Prevent Infection.

Let us know if you have any more problems, either new or old.  The internet is a wonderful tool for work and fun, but always be safe.

I would appreciate if after a couple of days of using your computer you let me know if everything is running fine so that I can close this post. 


Offline kcrawhorn

  • Bronze Member
  • Posts: 126
Re: [In Progress B]AVG found Trojan Horse Crypt.ASHD
« Reply #53 on: April 03, 2012, 07:39:56 PM »
I will do all of these things.  I have one final question. You say not to run two Antivirus programs at the same time.  She has both Malwarebytes and AVG on her computer.  Should she uninstall one of these? If so, which is the best to keep?

Thanks so much for all of your help.  I really appreciate the time that you volunteer.  Thank you!

Offline Bear

  • Malware Removal Mentors
  • Global Moderator
  • Gold Member
  • Posts: 2147
Re: [In Progress B]AVG found Trojan Horse Crypt.ASHD
« Reply #54 on: April 04, 2012, 12:15:12 AM »
Hi KC

Malwarebytes and AVG play well together.  Not a problem.  Use them both and keep both updated regularly.

Offline kcrawhorn

  • Bronze Member
  • Posts: 126
Re: [In Progress B]AVG found Trojan Horse Crypt.ASHD
« Reply #55 on: April 07, 2012, 10:38:32 AM »
The computer is running much better.  I'm working on the rest of the directions you sent.  Feel free to close this thread.  Thank you again for your time to help me and others like myself.