How to remove Win32/Small.CAvirus? Solved/Closed

Question

Hello,
        I am not knowledgeable in the field of IT.Mostly i use my pc to surf on the net and for personal use.However since the 20th of October,windows action center detected an issue to be addressed. It said 'remove the Win32/Small.CAvirus'. Unable to remove it,it was automatically moved to archived messages.
The solution was to go to this site: https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download
However on activating the scan,halfway through it,the scan froze.And the system shut down by itself.
I was using AVG and AVira,but none of the above AV detected the virus win32.
Since then I am having same kind of problem.Unexpected shutdowns.I downloaded Microsoft Security Essentials,but again the AV cannot run the scan. It always shut down halfway,be it am running a quick or whole system scan.
Kindly help out please.



Configuration: Windows 7 / Chrome 22.0.1229.96

Ambucias · Answer

To help you and prescribe the remedy, I must make a diagnostic and to do so, I require a system log. 

1. Open this link and download ZHPDiag2 : 

https://www.zebulon.fr/telechargements/securite/systeme/zhpdiag.html 

(Don't be alarmed is the site is in French, it sometimes happens, the tool will take your system language and allow the download if you get a warning message. Once installed, click on the "hardhat" icon, it allows to change the language.)

2. Save the file on your Desktop. 

3. Double click on ZHPDiag.exe and follow the installation instructions. 

the tool creates three icons ZHPDiag, MRB, and ZHPFix (If necessary,we will use ZHPFix at the next step). 

4. Double click on the short cut ZHPDiag on your Destktop. 

5. Click on the screwdriver icon and ensure all of the items are checked.

6. Click on the Magnifying glass and run the analysys. 

Wait for the tool to finished (maybe a long time) 

7. Close ZHPDiag. 

8. To transmit the report, click on this link : 

https://authentification.site 

9. Click on Parcourir and search the directory where you installed ZHPDiag (usually C:\desktop\zhpdiag.txt). 

10. Select the file ZHPDiag.txt. 

11. Click on "upload » 

12. Copy the url and post it here.

Best regards

Ambucias
Moderator /Security Contributor

Ambucias · Answer

Stand by for my analysis

Ambucias · Answer

Hi

I have just finished studying your log.  It took me over an hour and I have found over 100 infected items, adware, spyware, trojan horses.  Most of the malware originate from your downloads and cracked applications and key generators.  In other words, you machine is very badly infected and if it continues, you could ruin your system.

I will give you the best way to desinfect your computer but I must warn you that some of the cracked software may no longer work as they are also virused.

This is a very potent medicinal compound and you must follow my directives to the letter:1. Download Combofix to your desktop. 

http://www.combofix.org/download.php 

2.Close all open Windows including this one. 

Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. 

3. Double click on the ComboFix icon. 

Windows is issuing this prompt because ComboFix does not have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue. 

4. Accept the disclaimer and the recovery 

5.You should now press the Yes button to continue. If at any time during the Recovery Console installation you receive a message stating that it failed to install, please allow ComboFix to continue with the scan of your computer. 

ComboFix will disconnect your computer from the Internet, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection. 

While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to their previous settings. 

If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt. 

During the process, please do not mouse click nor must you tap on the keyboard. Let the tool run. 

When all is finished, post the Combofix log here and upload a brand new ZHP Diag log and tell what is the link.

Good luck

faraa · Answer

Hi..I installed the Combofix,but i found no program log file or report as u suggested above. So I am unable to post the Combofix log. However after the scan,it found 4 threats.
1. Virus.W32.HLLP.Labox.A (critical)
2. Trojan.Generic (critical)
3. Hoax.BadJoke.Agent.g (low)
4. TRojan.VB.dqc (low)
I tried to clean the threats detected,but it said that I have to purchase the Max secure detector (combofix) to be able to clean the threats. At this stage,should I move on with the purchase?Coz you did not specify whether I would have to purchase anything.
Advise please.

Ambucias · Answer

You have not downloaded the correct combofix, Combofix is totally free. 

Go to this link and click on the button "Download @ Bleeping Computer. 

https://www.bleepingcomputer.com/download/combofix/

faraa · Answer

Hello,here is the log after the scan by combofix.. 

ComboFix 12-11-14.01 - user 11/14/2012  18:24:31.1.4 - x86
Microsoft Windows 7 Home Basic   6.1.7601.1.1252.1.1033.18.2026.1457 [GMT 4:00]
Running from: c:\users\user\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\214a23bd427f7589d6d69546a3441bad_c
c:\windows\system32\drivers\MaxTdss.sys
.
.
(((((((((((((((((((((((((   Files Created from 2012-10-14 to 2012-11-14  )))))))))))))))))))))))))))))))
.
.
2012-11-14 14:41 . 2012-11-14 14:41	--------	d-----w-	c:\users\Nadeem\AppData\Local	emp
2012-11-14 14:41 . 2012-11-14 14:41	--------	d-----w-	c:\users\Shafenaaz\AppData\Local	emp
2012-11-14 14:41 . 2012-11-14 14:41	--------	d-----w-	c:\users\Default\AppData\Local	emp
2012-11-14 14:02 . 2012-11-14 14:02	29904	----a-w-	c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7C9DDFA6-EB25-4715-AC9D-70444C7E3A07}\MpKsl547947ef.sys
2012-11-14 11:14 . 2012-10-11 18:56	6918632	----a-w-	c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7C9DDFA6-EB25-4715-AC9D-70444C7E3A07}\mpengine.dll
2012-11-13 11:03 . 2012-10-11 18:56	6918632	----a-w-	c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-11-10 15:01 . 2012-07-18 11:10	117248	----a-w-	c:\windows\system32\MaxNative.exe
2012-11-10 15:00 . 2012-11-10 15:08	--------	d-----w-	c:\programdata\Max Secure
2012-11-10 15:00 . 2012-07-18 11:23	60448	----a-w-	c:\windows\system32\drivers\SDActMon2K.sys
2012-11-10 15:00 . 2012-11-10 16:34	--------	d-----w-	c:\program files\Max Spyware Detector
2012-11-10 15:00 . 2012-07-18 11:23	60960	----a-w-	c:\windows\system32\drivers\MaxMgr.sys
2012-11-10 15:00 . 2012-07-18 11:23	12832	----a-w-	c:\windows\system32\drivers\004.sys
2012-11-10 15:00 . 2012-07-18 11:23	75296	----a-w-	c:\windows\system32\drivers\MaxProtector32.sys
2012-11-10 15:00 . 2012-07-18 11:23	101408	----a-w-	c:\windows\system32\drivers\SDActMon.sys
2012-11-10 14:10 . 2012-11-10 14:10	--------	d-----w-	c:\users\user\AppData\Local\Max Secure Software
2012-11-10 14:07 . 2012-11-10 14:10	--------	d-----w-	c:\users\user\AppData\Roaming\GetRightToGo
2012-11-07 15:29 . 2012-11-07 15:29	512	----a-w-	C:\PhysicalDisk0_MBR.bin
2012-11-07 15:05 . 2012-11-07 15:25	--------	d-----w-	C:\ZHP
2012-11-07 15:05 . 2012-11-07 15:22	--------	d-----w-	c:\program files\ZHP Diag
2012-11-05 13:09 . 2012-11-05 13:09	--------	d-----w-	c:\programdata\YTD Video Downloader
2012-11-05 13:09 . 2012-11-05 13:09	--------	d-----w-	c:\program files\GreenTree Applications
2012-11-02 16:04 . 2012-11-02 16:04	740784	------w-	c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{2CDC04F5-DEE3-4F3F-904E-1DCBBB9F1793}\gapaengine.dll
2012-11-02 15:51 . 2012-11-02 15:51	--------	d-----w-	c:\program files\Microsoft Security Client
2012-10-22 08:04 . 2012-10-22 08:04	--------	d-----w-	c:\users\user\New folder (4)
2012-10-22 08:04 . 2012-10-22 08:04	--------	d-----w-	c:\users\user\New folder (3)
2012-10-22 08:04 . 2012-10-22 08:09	--------	d-----w-	c:\users\user\New folder (2)
2012-10-22 08:04 . 2012-10-22 08:05	--------	d-----w-	c:\users\user\New folder
2012-10-20 10:44 . 2012-10-20 10:44	121984	----a-w-	c:\windows\system32\steam_api.dll
2012-10-19 17:24 . 2012-10-19 17:39	--------	d-----w-	c:\users\user\AppData\Local\dxhr
2012-10-19 17:23 . 2012-10-19 17:23	--------	d-----w-	c:\users\user\AppData\Local\SKIDROW
2012-10-19 17:23 . 2012-10-19 17:23	--------	d-----w-	c:\users\user\AppData\Local\28050
2012-10-19 16:41 . 2012-10-19 16:41	--------	d-----w-	c:\windows\system32\%LOCALAPPDATA%
2012-10-19 16:18 . 2012-10-19 18:23	56200	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{4A6592AB-AFE7-4872-B116-0FF15301646B}\offreg.dll
2012-10-19 06:33 . 2012-10-26 18:25	--------	d-----w-	c:\users\user\COMS
2012-10-17 20:55 . 2012-10-17 20:55	--------	d-----w-	c:\users\user\AppData\Local\APN
2012-10-17 20:54 . 2012-11-03 13:23	--------	d-----w-	c:\programdata\Avira
2012-10-15 20:43 . 2012-10-15 20:43	--------	d-----w-	c:\programdata\39AB
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-08 14:10 . 2012-08-29 12:26	26984	----a-w-	c:\windows\system32\drivers\avgtpx86.sys
2012-10-22 12:21 . 2012-03-30 10:41	696760	----a-w-	c:\windows\system32\FlashPlayerApp.exe
2012-10-22 12:21 . 2012-01-04 12:42	73656	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-14 18:28 . 2012-10-10 05:40	2048	----a-w-	c:\windows\system32	zres.dll
2012-08-31 17:18 . 2012-10-10 05:40	1211760	----a-w-	c:\windows\system32\drivers
tfs.sys
2012-08-30 18:03 . 2012-08-30 18:03	99272	----a-w-	c:\windows\system32\drivers\NisDrvWFP.sys
2012-08-30 18:03 . 2012-08-30 18:03	193552	----a-w-	c:\windows\system32\drivers\MpFilter.sys
2012-08-30 17:12 . 2012-10-10 05:40	3914096	----a-w-	c:\windows\system32
toskrnl.exe
2012-08-30 17:12 . 2012-10-10 05:40	3968880	----a-w-	c:\windows\system32
tkrnlpa.exe
2012-08-24 16:57 . 2012-10-10 05:40	172544	----a-w-	c:\windows\system32\wintrust.dll
2012-08-24 11:43 . 2012-08-24 11:43	301920	----a-w-	c:\windows\system32\drivers\avgtdix.sys
2012-08-24 06:59 . 2012-09-22 07:07	1800704	----a-w-	c:\windows\system32\jscript9.dll
2012-08-24 06:51 . 2012-09-22 07:07	1129472	----a-w-	c:\windows\system32\wininet.dll
2012-08-24 06:51 . 2012-09-22 07:07	1427968	----a-w-	c:\windows\system32\inetcpl.cpl
2012-08-24 06:47 . 2012-09-22 07:07	142848	----a-w-	c:\windows\system32\ieUnatt.exe
2012-08-24 06:47 . 2012-09-22 07:07	420864	----a-w-	c:\windows\system32\vbscript.dll
2012-08-24 06:43 . 2012-09-22 07:07	2382848	----a-w-	c:\windows\system32\mshtml.tlb
2012-08-22 17:16 . 2012-09-12 14:59	1292144	----a-w-	c:\windows\system32\drivers	cpip.sys
2012-08-22 17:16 . 2012-09-12 14:59	712048	----a-w-	c:\windows\system32\drivers
dis.sys
2012-08-22 17:16 . 2012-09-12 14:59	240496	----a-w-	c:\windows\system32\drivers
etio.sys
2012-08-22 17:16 . 2012-09-12 14:59	187760	----a-w-	c:\windows\system32\drivers\FWPKCLNT.SYS
2012-08-22 13:31 . 2012-01-11 12:15	27152	----a-w-	c:\windows\system32
itrolocalmon2.dll
2012-08-22 13:31 . 2012-01-11 12:15	18448	----a-w-	c:\windows\system32
itrolocalui2.dll
2012-08-21 20:12 . 2012-09-26 05:18	245760	----a-w-	c:\windows\system32\OxpsConverter.exe
2012-08-20 17:40 . 2012-10-10 05:40	169984	----a-w-	c:\windows\system32\winsrv.dll
2012-08-20 17:40 . 2012-10-10 05:40	293376	----a-w-	c:\windows\system32\KernelBase.dll
2012-08-20 17:37 . 2012-10-10 05:40	271360	----a-w-	c:\windows\system32\conhost.exe
2012-08-20 17:32 . 2012-10-10 05:40	4608	---ha-w-	c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40	4096	---ha-w-	c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40	4096	---ha-w-	c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40	4096	---ha-w-	c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40	4096	---ha-w-	c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40	3584	---ha-w-	c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40	3072	---ha-w-	c:\windows\system32\api-ms-win-core-string-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40	3072	---ha-w-	c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40	3072	---ha-w-	c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40	5120	---ha-w-	c:\windows\system32\api-ms-win-core-file-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40	4096	---ha-w-	c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40	3584	---ha-w-	c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40	3584	---ha-w-	c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40	3584	---ha-w-	c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40	3584	---ha-w-	c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40	3584	---ha-w-	c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40	3072	---ha-w-	c:\windows\system32\api-ms-win-core-io-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40	3072	---ha-w-	c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40	3072	---ha-w-	c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40	3072	---ha-w-	c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40	3072	---ha-w-	c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40	3072	---ha-w-	c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40	3072	---ha-w-	c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40	3072	---ha-w-	c:\windows\system32\api-ms-win-core-console-l1-1-0.dll
2012-08-20 15:33 . 2012-10-10 05:40	6144	---ha-w-	c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2012-08-20 15:33 . 2012-10-10 05:40	4608	---ha-w-	c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2012-08-20 15:33 . 2012-10-10 05:40	3584	---ha-w-	c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2012-08-20 15:33 . 2012-10-10 05:40	3072	---ha-w-	c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-11-08 14:10	1796552	----a-w-	c:\program files\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll" [2012-11-08 1796552]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Update"="c:\users\user\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-07-12 138096]
"fTalk"="c:\users\user\AppData\Local\fTalk\ftalk.exe" [2012-07-26 9421424]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2011-01-18 10025576]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-04-05 336384]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2010-04-20 222504]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2010-05-07 165208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-11 34672]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-07-30 2596984]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-11-08 997320]
"ROC_roc_dec12"="c:\program files\AVG Secure Search\ROC_roc_dec12.exe" [2012-01-31 928096]
"HF_G_Jul"="c:\program files\AVG Secure Search\HF_G_Jul.exe" [2012-07-18 36960]
"ROC_ROC_JULY_P1"="c:\program files\AVG Secure Search\ROC_ROC_JULY_P1.exe" [2012-08-29 1022048]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
"SDActiveMonitor"="c:\program files\Max Spyware Detector\MaxSDTray.exe" [2012-07-18 1083936]
"MaxUSBProc"="c:\program files\Max Spyware Detector\MaxUSBProc.exe" [2012-07-18 421920]
.
c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2011-9-2 227712]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\WIA6EB~1\Datamngr\datamngr.dll c:\progra~1\WIA6EB~1\Datamngr\IEBHO.dll c:\progra~1\Bandoo\BndHook.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute	REG_MULTI_SZ   	autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
S0 AVGIDSHX;AVGIDSHX;c:\windows\system32\DRIVERS\avgidshx.sys [x]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [x]
S0 MaxMgr;MaxMgr;c:\windows\System32\drivers\MaxMgr.sys [x]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [x]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [x]
S1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [x]
S1 MaxProtector32;MaxProtector32;c:\windows\system32\drivers\MaxProtector32.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [x]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [x]
S2 Intel(R) PROSet Monitoring Service;Intel(R) PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [x]
S2 MaxMerger;MaxMerger;c:\program files\Max Spyware Detector\MaxMerger.exe [x]
S2 MaxWatchDogService;MaxWatchDogService;c:\program files\Max Spyware Detector\MaxWatchDogService.exe [x]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [x]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdriverx.sys [x]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\avgidsfilterx.sys [x]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\avgidsshimx.sys [x]
S3 MEI;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECI.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL547947EF
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation	REG_MULTI_SZ   	SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc SensrSvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-14 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 12:21]
.
2012-11-12 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1764882691-417280452-3045153381-1000Core.job
- c:\users\user\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-01-12 09:39]
.
2012-11-14 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1764882691-417280452-3045153381-1000UA.job
- c:\users\user\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-01-12 09:39]
.
2012-11-11 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1764882691-417280452-3045153381-1001Core.job
- c:\users\Nadeem\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-01-14 08:55]
.
2012-11-14 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1764882691-417280452-3045153381-1001UA.job
- c:\users\Nadeem\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-01-14 08:55]
.
2012-10-23 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1764882691-417280452-3045153381-1002Core.job
- c:\users\Shafenaaz\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-02-14 04:55]
.
2012-11-14 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1764882691-417280452-3045153381-1002UA.job
- c:\users\Shafenaaz\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-02-14 04:55]
.
2012-11-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1764882691-417280452-3045153381-1000Core.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2012-11-03 09:03]
.
2012-11-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1764882691-417280452-3045153381-1000UA.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2012-11-03 09:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.searchnu.com
mStart Page = hxxp://searchfunmoods.com/?f=1&a=irtest1&chnl=irtest1&cd=2XzuyEtN2Y1L1QzutAzzyCtDyByBtD0DyDyC0B0C0F0B0FyCtN0D0Tzu0StCzytCtN1L2XzutBtFtCtFtDtFtAtDtC&cr=925946745
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{44D13809-B6B7-4A92-88BA-6C1D96F3D785}: NameServer = 196.192.110.11,202.123.2.11
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\13.2.0\ViProtocol.dll
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-10 - (no file)
Toolbar-!!{95B7759C-8C7F-4BF1-B163-73684A933233} - (no file)
Toolbar-!!!{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-SDAutoScan - (no file)
AddRemove-1ClickDownload - c:\program files\1ClickDownload\uninst.exe
AddRemove-{09FF4DB8-7DE9-4D47-B7DB-915DB7D9A8CA} - c:\programdata\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}\bm_installer.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1764882691-417280452-3045153381-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-1764882691-417280452-3045153381-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\Windows\system32\Macromed\Flash\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\Windows\system32\Macromed\Flash\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-11-14  18:45:03
ComboFix-quarantined-files.txt  2012-11-14 14:45
.
Pre-Run: 326,209,347,584 bytes free
Post-Run: 327,974,797,312 bytes free
.
- - End Of File - - C2684BAD3B23AA1C784D5CD64EF9E22E

faraa · Answer

Hello..here is the log after the combofix scan..

ComboFix 12-11-14.01 - user 11/14/2012  18:24:31.1.4 - x86
Microsoft Windows 7 Home Basic   6.1.7601.1.1252.1.1033.18.2026.1457 [GMT 4:00]
Running from: c:\users\user\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\214a23bd427f7589d6d69546a3441bad_c
c:\windows\system32\drivers\MaxTdss.sys
.
.
(((((((((((((((((((((((((   Files Created from 2012-10-14 to 2012-11-14  )))))))))))))))))))))))))))))))
.
.
2012-11-14 14:41 . 2012-11-14 14:41	--------	d-----w-	c:\users\Nadeem\AppData\Local	emp
2012-11-14 14:41 . 2012-11-14 14:41	--------	d-----w-	c:\users\Shafenaaz\AppData\Local	emp
2012-11-14 14:41 . 2012-11-14 14:41	--------	d-----w-	c:\users\Default\AppData\Local	emp
2012-11-14 14:02 . 2012-11-14 14:02	29904	----a-w-	c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7C9DDFA6-EB25-4715-AC9D-70444C7E3A07}\MpKsl547947ef.sys
2012-11-14 11:14 . 2012-10-11 18:56	6918632	----a-w-	c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7C9DDFA6-EB25-4715-AC9D-70444C7E3A07}\mpengine.dll
2012-11-13 11:03 . 2012-10-11 18:56	6918632	----a-w-	c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-11-10 15:01 . 2012-07-18 11:10	117248	----a-w-	c:\windows\system32\MaxNative.exe
2012-11-10 15:00 . 2012-11-10 15:08	--------	d-----w-	c:\programdata\Max Secure
2012-11-10 15:00 . 2012-07-18 11:23	60448	----a-w-	c:\windows\system32\drivers\SDActMon2K.sys
2012-11-10 15:00 . 2012-11-10 16:34	--------	d-----w-	c:\program files\Max Spyware Detector
2012-11-10 15:00 . 2012-07-18 11:23	60960	----a-w-	c:\windows\system32\drivers\MaxMgr.sys
2012-11-10 15:00 . 2012-07-18 11:23	12832	----a-w-	c:\windows\system32\drivers\004.sys
2012-11-10 15:00 . 2012-07-18 11:23	75296	----a-w-	c:\windows\system32\drivers\MaxProtector32.sys
2012-11-10 15:00 . 2012-07-18 11:23	101408	----a-w-	c:\windows\system32\drivers\SDActMon.sys
2012-11-10 14:10 . 2012-11-10 14:10	--------	d-----w-	c:\users\user\AppData\Local\Max Secure Software
2012-11-10 14:07 . 2012-11-10 14:10	--------	d-----w-	c:\users\user\AppData\Roaming\GetRightToGo
2012-11-07 15:29 . 2012-11-07 15:29	512	----a-w-	C:\PhysicalDisk0_MBR.bin
2012-11-07 15:05 . 2012-11-07 15:25	--------	d-----w-	C:\ZHP
2012-11-07 15:05 . 2012-11-07 15:22	--------	d-----w-	c:\program files\ZHP Diag
2012-11-05 13:09 . 2012-11-05 13:09	--------	d-----w-	c:\programdata\YTD Video Downloader
2012-11-05 13:09 . 2012-11-05 13:09	--------	d-----w-	c:\program files\GreenTree Applications
2012-11-02 16:04 . 2012-11-02 16:04	740784	------w-	c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{2CDC04F5-DEE3-4F3F-904E-1DCBBB9F1793}\gapaengine.dll
2012-11-02 15:51 . 2012-11-02 15:51	--------	d-----w-	c:\program files\Microsoft Security Client
2012-10-22 08:04 . 2012-10-22 08:04	--------	d-----w-	c:\users\user\New folder (4)
2012-10-22 08:04 . 2012-10-22 08:04	--------	d-----w-	c:\users\user\New folder (3)
2012-10-22 08:04 . 2012-10-22 08:09	--------	d-----w-	c:\users\user\New folder (2)
2012-10-22 08:04 . 2012-10-22 08:05	--------	d-----w-	c:\users\user\New folder
2012-10-20 10:44 . 2012-10-20 10:44	121984	----a-w-	c:\windows\system32\steam_api.dll
2012-10-19 17:24 . 2012-10-19 17:39	--------	d-----w-	c:\users\user\AppData\Local\dxhr
2012-10-19 17:23 . 2012-10-19 17:23	--------	d-----w-	c:\users\user\AppData\Local\SKIDROW
2012-10-19 17:23 . 2012-10-19 17:23	--------	d-----w-	c:\users\user\AppData\Local\28050
2012-10-19 16:41 . 2012-10-19 16:41	--------	d-----w-	c:\windows\system32\%LOCALAPPDATA%
2012-10-19 16:18 . 2012-10-19 18:23	56200	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{4A6592AB-AFE7-4872-B116-0FF15301646B}\offreg.dll
2012-10-19 06:33 . 2012-10-26 18:25	--------	d-----w-	c:\users\user\COMS
2012-10-17 20:55 . 2012-10-17 20:55	--------	d-----w-	c:\users\user\AppData\Local\APN
2012-10-17 20:54 . 2012-11-03 13:23	--------	d-----w-	c:\programdata\Avira
2012-10-15 20:43 . 2012-10-15 20:43	--------	d-----w-	c:\programdata\39AB
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-08 14:10 . 2012-08-29 12:26	26984	----a-w-	c:\windows\system32\drivers\avgtpx86.sys
2012-10-22 12:21 . 2012-03-30 10:41	696760	----a-w-	c:\windows\system32\FlashPlayerApp.exe
2012-10-22 12:21 . 2012-01-04 12:42	73656	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-14 18:28 . 2012-10-10 05:40	2048	----a-w-	c:\windows\system32	zres.dll
2012-08-31 17:18 . 2012-10-10 05:40	1211760	----a-w-	c:\windows\system32\drivers
tfs.sys
2012-08-30 18:03 . 2012-08-30 18:03	99272	----a-w-	c:\windows\system32\drivers\NisDrvWFP.sys
2012-08-30 18:03 . 2012-08-30 18:03	193552	----a-w-	c:\windows\system32\drivers\MpFilter.sys
2012-08-30 17:12 . 2012-10-10 05:40	3914096	----a-w-	c:\windows\system32
toskrnl.exe
2012-08-30 17:12 . 2012-10-10 05:40	3968880	----a-w-	c:\windows\system32
tkrnlpa.exe
2012-08-24 16:57 . 2012-10-10 05:40	172544	----a-w-	c:\windows\system32\wintrust.dll
2012-08-24 11:43 . 2012-08-24 11:43	301920	----a-w-	c:\windows\system32\drivers\avgtdix.sys
2012-08-24 06:59 . 2012-09-22 07:07	1800704	----a-w-	c:\windows\system32\jscript9.dll
2012-08-24 06:51 . 2012-09-22 07:07	1129472	----a-w-	c:\windows\system32\wininet.dll
2012-08-24 06:51 . 2012-09-22 07:07	1427968	----a-w-	c:\windows\system32\inetcpl.cpl
2012-08-24 06:47 . 2012-09-22 07:07	142848	----a-w-	c:\windows\system32\ieUnatt.exe
2012-08-24 06:47 . 2012-09-22 07:07	420864	----a-w-	c:\windows\system32\vbscript.dll
2012-08-24 06:43 . 2012-09-22 07:07	2382848	----a-w-	c:\windows\system32\mshtml.tlb
2012-08-22 17:16 . 2012-09-12 14:59	1292144	----a-w-	c:\windows\system32\drivers	cpip.sys
2012-08-22 17:16 . 2012-09-12 14:59	712048	----a-w-	c:\windows\system32\drivers
dis.sys
2012-08-22 17:16 . 2012-09-12 14:59	240496	----a-w-	c:\windows\system32\drivers
etio.sys
2012-08-22 17:16 . 2012-09-12 14:59	187760	----a-w-	c:\windows\system32\drivers\FWPKCLNT.SYS
2012-08-22 13:31 . 2012-01-11 12:15	27152	----a-w-	c:\windows\system32
itrolocalmon2.dll
2012-08-22 13:31 . 2012-01-11 12:15	18448	----a-w-	c:\windows\system32
itrolocalui2.dll
2012-08-21 20:12 . 2012-09-26 05:18	245760	----a-w-	c:\windows\system32\OxpsConverter.exe
2012-08-20 17:40 . 2012-10-10 05:40	169984	----a-w-	c:\windows\system32\winsrv.dll
2012-08-20 17:40 . 2012-10-10 05:40	293376	----a-w-	c:\windows\system32\KernelBase.dll
2012-08-20 17:37 . 2012-10-10 05:40	271360	----a-w-	c:\windows\system32\conhost.exe
2012-08-20 17:32 . 2012-10-10 05:40	4608	---ha-w-	c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40	4096	---ha-w-	c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40	4096	---ha-w-	c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40	4096	---ha-w-	c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40	4096	---ha-w-	c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40	3584	---ha-w-	c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40	3072	---ha-w-	c:\windows\system32\api-ms-win-core-string-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40	3072	---ha-w-	c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40	3072	---ha-w-	c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40	5120	---ha-w-	c:\windows\system32\api-ms-win-core-file-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40	4096	---ha-w-	c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40	3584	---ha-w-	c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40	3584	---ha-w-	c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40	3584	---ha-w-	c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40	3584	---ha-w-	c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40	3584	---ha-w-	c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40	3072	---ha-w-	c:\windows\system32\api-ms-win-core-io-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40	3072	---ha-w-	c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40	3072	---ha-w-	c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40	3072	---ha-w-	c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40	3072	---ha-w-	c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40	3072	---ha-w-	c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40	3072	---ha-w-	c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2012-08-20 17:32 . 2012-10-10 05:40	3072	---ha-w-	c:\windows\system32\api-ms-win-core-console-l1-1-0.dll
2012-08-20 15:33 . 2012-10-10 05:40	6144	---ha-w-	c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2012-08-20 15:33 . 2012-10-10 05:40	4608	---ha-w-	c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2012-08-20 15:33 . 2012-10-10 05:40	3584	---ha-w-	c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2012-08-20 15:33 . 2012-10-10 05:40	3072	---ha-w-	c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-11-08 14:10	1796552	----a-w-	c:\program files\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll" [2012-11-08 1796552]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Update"="c:\users\user\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-07-12 138096]
"fTalk"="c:\users\user\AppData\Local\fTalk\ftalk.exe" [2012-07-26 9421424]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2011-01-18 10025576]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-04-05 336384]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2010-04-20 222504]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2010-05-07 165208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-11 34672]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-07-30 2596984]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-11-08 997320]
"ROC_roc_dec12"="c:\program files\AVG Secure Search\ROC_roc_dec12.exe" [2012-01-31 928096]
"HF_G_Jul"="c:\program files\AVG Secure Search\HF_G_Jul.exe" [2012-07-18 36960]
"ROC_ROC_JULY_P1"="c:\program files\AVG Secure Search\ROC_ROC_JULY_P1.exe" [2012-08-29 1022048]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
"SDActiveMonitor"="c:\program files\Max Spyware Detector\MaxSDTray.exe" [2012-07-18 1083936]
"MaxUSBProc"="c:\program files\Max Spyware Detector\MaxUSBProc.exe" [2012-07-18 421920]
.
c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2011-9-2 227712]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\WIA6EB~1\Datamngr\datamngr.dll c:\progra~1\WIA6EB~1\Datamngr\IEBHO.dll c:\progra~1\Bandoo\BndHook.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute	REG_MULTI_SZ   	autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
S0 AVGIDSHX;AVGIDSHX;c:\windows\system32\DRIVERS\avgidshx.sys [x]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [x]
S0 MaxMgr;MaxMgr;c:\windows\System32\drivers\MaxMgr.sys [x]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [x]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [x]
S1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [x]
S1 MaxProtector32;MaxProtector32;c:\windows\system32\drivers\MaxProtector32.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [x]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [x]
S2 Intel(R) PROSet Monitoring Service;Intel(R) PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [x]
S2 MaxMerger;MaxMerger;c:\program files\Max Spyware Detector\MaxMerger.exe [x]
S2 MaxWatchDogService;MaxWatchDogService;c:\program files\Max Spyware Detector\MaxWatchDogService.exe [x]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [x]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdriverx.sys [x]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\avgidsfilterx.sys [x]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\avgidsshimx.sys [x]
S3 MEI;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECI.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL547947EF
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation	REG_MULTI_SZ   	SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc SensrSvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-14 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 12:21]
.
2012-11-12 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1764882691-417280452-3045153381-1000Core.job
- c:\users\user\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-01-12 09:39]
.
2012-11-14 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1764882691-417280452-3045153381-1000UA.job
- c:\users\user\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-01-12 09:39]
.
2012-11-11 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1764882691-417280452-3045153381-1001Core.job
- c:\users\Nadeem\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-01-14 08:55]
.
2012-11-14 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1764882691-417280452-3045153381-1001UA.job
- c:\users\Nadeem\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-01-14 08:55]
.
2012-10-23 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1764882691-417280452-3045153381-1002Core.job
- c:\users\Shafenaaz\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-02-14 04:55]
.
2012-11-14 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1764882691-417280452-3045153381-1002UA.job
- c:\users\Shafenaaz\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-02-14 04:55]
.
2012-11-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1764882691-417280452-3045153381-1000Core.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2012-11-03 09:03]
.
2012-11-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1764882691-417280452-3045153381-1000UA.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2012-11-03 09:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.searchnu.com
mStart Page = hxxp://searchfunmoods.com/?f=1&a=irtest1&chnl=irtest1&cd=2XzuyEtN2Y1L1QzutAzzyCtDyByBtD0DyDyC0B0C0F0B0FyCtN0D0Tzu0StCzytCtN1L2XzutBtFtCtFtDtFtAtDtC&cr=925946745
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{44D13809-B6B7-4A92-88BA-6C1D96F3D785}: NameServer = 196.192.110.11,202.123.2.11
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\13.2.0\ViProtocol.dll
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-10 - (no file)
Toolbar-!!{95B7759C-8C7F-4BF1-B163-73684A933233} - (no file)
Toolbar-!!!{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-SDAutoScan - (no file)
AddRemove-1ClickDownload - c:\program files\1ClickDownload\uninst.exe
AddRemove-{09FF4DB8-7DE9-4D47-B7DB-915DB7D9A8CA} - c:\programdata\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}\bm_installer.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1764882691-417280452-3045153381-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-1764882691-417280452-3045153381-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\Windows\system32\Macromed\Flash\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\Windows\system32\Macromed\Flash\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-11-14  18:45:03
ComboFix-quarantined-files.txt  2012-11-14 14:45
.
Pre-Run: 326,209,347,584 bytes free
Post-Run: 327,974,797,312 bytes free
.
- - End Of File - - C2684BAD3B23AA1C784D5CD64EF9E22E

faraa · Answer

Hi...here is the new ZHP diag log's link..

http://speedy.sh/jkK6M/ZHPDiag.txt

faraa · Answer

Thanx a lot 4 ur time..

Ambucias · Answer

You have posted the very same ZHP Diag log as before.

faraa · Answer

Hi...I dwnloaded a new ZHPdiag n here is the new link after the scan..

http://speedy.sh/4uWZ7/ZHPDiag.txt

Ambucias · Answer

Hello

Again, you have uploaded the very same log.  It sometimes happens when the previous log has not been completely deleted.

Here is what I suggest.

1. Download and install CCleaner:

https://ccm.net/downloads/security-and-maintenance/4555-ccleaner/

2. Launch CCleaner

3. Using the tool button, delete ZHP Diag

4. Click on the registry button, run the tool and delete the items found.

(CCleaner can be used later for when ever you wish to clean your temporary files)

5. Redownload and install ZHP Diag.

6. Generate a new log and upload it on Speedyshare.

Regards

faraa · Answer

Hi..here it is..
http://speedy.sh/G6pYU/ZHPDiag.txt
Thanx..

Ambucias · Answer

Hi

I still got a log showing full of viruses the same as before.

Download, install and run Malwarebyte which you can find on this site: 

https://ccm.net/downloads/security-and-maintenance/4621-malwarebytes-anti-malware/ es-anti-malware 

Ensure you make an update.

Boot your computer in safemode

Please request a FULL system scan, which may take from 20 minutes to hours.  Do not interfere no matter how long in takes.  The creators of Malwarebyte recommend that while the tool is running that you go do something else, such as watching a rerun of Gone with the Wind or read Tolstoy's War and Peace.

If Malwarebyte restarts your system, launch it again to finish the Full scan. 

When the scan is completed, delete all items found.

Let me know the results.

faraa · Answer

Hi..i cmplted the abovedwnload.
N here the link after the scan
http://speedy.sh/6qqxN/ZHPDiag.txt

Ambucias · Answer

Hi,

I still received the same log as before.

You have run both Combofix, you have used ZHP Fix as directed and you ran Malwarebyte.  I assume that you deleted all of the key gens and cracked software.  Considering the above I also assume that your computer is desinfected.  Am I correct or do you still experience difficulties?

If you are satisfied, please mark this thread as solved.

Best regards

faraa · Answer

Hi..I do not no if I am doing it right,but here is a new link after I downloaded a new ZHP.
 http://speedy.sh/xGFrF/ZHPDiag.txt

However in my Windows Action Center there is still this message about the Win 32 virus.And my AV detected it some time back (currently using AVG2012) i.e when I downloaded the Malwarebyte.
I am currently not facing the same problem of unexpected shut downs.
I am really grateful to you..You have really helped me..
I just need to know if the message about the win32 in the Action Center is normal  or it should have already been addressed to and deleted??
                                                                                                           Regards..

Ambucias · Answer

Hello Nadeem,

Well this time your log is different but your machine got really badly infested again by all sorts of malware (150 malware to be exact) including some really dangerous ones for your system; as a matter of a fact, it's in worst condition.

I could tell you how to clean your machine but it would not be honest for me to do so.  You see, I am a Kioskea Moderator and Security Contributor.

You have on your machine some applications for which you have not purchased a license and which you cracked.  You are also using a key generator.  You are also using a peer-to-peer sharing application which is a vector for infections.

After my analysis, it as clear as crystal that all the malware on your machine originated from the cracks.  I asked you before to delete all of those illegal applications.   It seems that you have elected to keep them.  Therefore, my efforts to help you clean your computer are doomed to failure.

I predict that if you continue to use your computer the way you do, that your system will totally crippled in a short period of time, I would say December 31, 2012.

Sorry

faraa · Answer

Hi..i did exactly what u instructed 2 do..i do not understand where i failed..
I mean with the download of the malwarebyte,i messed up??
And its faraa..nadeem is my liitle brother n he uses the pc more than me n dwnload  a lot of things.
Am at a lost..
So u cnt help?

Ambucias · Answer

Well Faraa, I'm afraid that Nadeem is about to totally ruin your system by downloading illegal software and viruses.  If you don't stop him all my efforts are in vain. 

You once ran Malwarebyte and it sent all the viruses in quarantine.  I can see them, but, thanks to Nadeem, you system got all infected again but worst.

Tell you what, you delete the following items and once you are finished send me another ZHP Diag.

1. Delete the Babylon toolbar, here is how:

http://ccm.net/faq/14594-how-to-get-rid-of-babylon-search-toolbar

2. Also delete the following:

C:\Program Files\TorrentHandler    

CorelDRAW.Graphics.Suite.X4 Keymaker & Activation\keygen.exe 
Macromedia Flash Professional v8.0 + keygen\setup.exe    
Program\WinRAR_3.93__www.crackedsoftwares.com.zip 

3. Rerun a full system scan with Malwarebyte.

Report to me again with a Malwarebyte log.

Good luck

faraa · Answer

Hello...
http://speedy.sh/t8Ymv/mbam-log-2012-11-26-22-46-27.txt

This is the malwarebyte log link..
Am sorry if i aint got it right..

Ambucias · Answer

You got it right!
The Malwarebyte log shows no malicious files.

I trust you deleted the files I mentioned before.

You may still be getting a warning which is a fake alert, I believe it comes from: Max Spyware Detector.
If you remove it, I think it should stop.  Having more than one antivirus will create conflicts, resulting in fake alerts or letting viruses in.

Please launch ZHP Fix and copy the following lines:

G1 - GCS: Preference [User Data\Default] http://www.search.ask.com/?o=10148&l=dis
O2 - BHO: (no name) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} Orphean Key
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} Orphean Key
O2 - BHO: (no name) - {9030D464-4C02-4ABF-8ECC-5164760863C6} Orphean Key
O2 - BHO: (no name) - {95B7759C-8C7F-4BF1-B163-73684A933233} Orphean Key
O2 - BHO: (no name) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} Orphean Key
O3 - Toolbar: (no name) - [HKLM]{95B7759C-8C7F-4BF1-B163-73684A933233} . (...) --  (.not file.)

Click on the second icon, looks like a clipboard and the above lines which you have just copied will paste.  The Go button will appear. Click it and close ZHP Fix.

In you programme files, you have a programme called Bandoo, it's adware and spyware. Using CCleaner, please remove it.

You also have the following Microsoft Net Framework and Visual ++, if you are in the programming business, keep them, if not they take space needlessly.  You can remove them with CCleaner.

Again, using CCleaner, delete all of your temp files, they are crudding your harddisk.

Good luck and let me know if you are experiencing more difficulties.

Please, keep a close eye on Nadeem, he is very imprudent with the system.

Regards

Ambucias · Answer

Faraa,

Please correct me if I'm wrong.

1. Nadeem has not been on the computer since my last message.

2. You have deleted all files pertaining key gens.

3. You ran ZHP Fix as directed.

4. You ran Combofix.

5. You ran a full system scan with Malwarebyte after updating it.

6. You deleted Max Spyware Detector.

7. You ran CCleaner for both temp and registry files.

You say that you still:

1. Get a message asking to remove win32/small.ca virus

2. You still experience surprised shutdowns.

Please send me a brand new ZHP Diag log.

faraa · Answer

Hi.. I no longer experience unexpected shut downs.. It has stopped completely!!!!
The message asking to ask to remove the win32/small virus is still in the archived messages in the Action Center. 
Here is a new ZHP Diag log :
http://speedy.sh/tqH7v/ZHPDiag.txt

Ambucias · Answer

Hi

This is a typical bug with Win 7 action center.

Go to the Action Center (by clicking Control Panel | System and Security | Action Center) and select to Change Action Center Settings. This allows you to disable specific types of messages, including messages about Windows Update, Internet security settings, User Account Control, Windows Backup, and more.

Uncheck virus notification.

Ambucias · Answer

Faraa,

I am still getting a log showing full of all kinds of malware, the same as before.

This is very frustrating as I question if you followed my instructions to the letter.  I would hate having to repeat everything.

You must insure that all of the previous ZHP Diag logs have been removed from your machine.

Make a search for ZHPDiag and delete all .txt files.  There could still be one in the programme files under ZHP.

Then you can generate and upload another log.  If the new log shows all of malware again, I will eat my shirt, but I will leave the collar and sleeves for you to chew on.

Regards

faraa · Answer

Hi..I followed ur instructions clearly..
Am sending u a malwarebyte log..here it is :
http://speedy.sh/zSdUp/mbam-log-2012-12-05-21-56-50.txt
I do not have any unexpected shut downs or any other prob with my pc..and thanx to u 4 having taken the time 4 me..

Ambucias · Answer

Malwarebyte has not found malware.

What I understand from your message is that you no longer have any problems and that you computer is running like new.

I was glad to help you.

Regards

How to remove Win32/Small.CAvirus?

28 responses

Similar discussions

Subscribe To Our Newsletter!