
Pretty sure I'm infected



Hey,

So today when I was trying to access my email, my password didn't work. I even tried to reset the password but the person who got into my account changed the alternate email address so I am completely locked out. Anyway this leads me to believe that I have a trojan on my computer. Here's the thing though; I have scanned the entire computer with Avast and Malwarebytes and they report that it is 100 % clean. I have also checked HiJackThis and nothing stands out.

I'm at a complete loss so that's why I've come here. Below are the two logs:

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows 7 Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 11.07.2012 00:32:01

System Uptime: 21.03.2013 21:09:18 (3 hours ago)

.

Motherboard: ASUSTeK Computer INC. | | P7P55D

Processor: Intel® Core™ i5 CPU 750 @ 2.67GHz | LGA1156 | 1173/133mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 58 GiB total, 36,333 GiB free.

D: is FIXED (NTFS) - 407 GiB total, 293,648 GiB free.

F: is FIXED (NTFS) - 932 GiB total, 113,39 GiB free.

H: is CDROM ()

.

==== Disabled Device Manager Items =============

.

Class GUID: {4d36e97d-e325-11ce-bfc1-08002be10318}

Description: High Definition Audio Controller

Device ID: PCI\VEN_1002&DEV_AA58&SUBSYS_AA581682&REV_00\4&5C759D9&0&01E0

Manufacturer: Microsoft

Name: High Definition Audio Controller

PNP Device ID: PCI\VEN_1002&DEV_AA58&SUBSYS_AA581682&REV_00\4&5C759D9&0&01E0

Service: HDAudBus

.

==== System Restore Points ===================

.

No restore point in system.

.

==== Installed Programs ======================

.

Ace Utilities

Adobe Flash Player 11 Plugin

Adobe Photoshop CS

Adobe Reader X (10.1.6)

AMD Accelerated Video Transcoding

AMD APP SDK Runtime

AMD Catalyst Install Manager

AMD Drag and Drop Transcoding

AMD Media Foundation Decoders

Apple-programsupport

Apple Mobile Device Support

Apple Software Update

Application Profiles

avast! Pro Antivirus

Bonjour

Catalyst Control Center

Catalyst Control Center - Branding

Catalyst Control Center Graphics Previews Common

Catalyst Control Center InstallProxy

Catalyst Control Center Localization All

ccc-utility64

CCC Help Chinese Standard

CCC Help Chinese Traditional

CCC Help Czech

CCC Help Danish

CCC Help Dutch

CCC Help English

CCC Help Finnish

CCC Help French

CCC Help German

CCC Help Greek

CCC Help Hungarian

CCC Help Italian

CCC Help Japanese

CCC Help Korean

CCC Help Norwegian

CCC Help Polish

CCC Help Portuguese

CCC Help Russian

CCC Help Spanish

CCC Help Swedish

CCC Help Thai

CCC Help Turkish

Curse Client

DivX Setup

iTunes

Java 7 Update 17

Java 7 Update 17 (64-bit)

Java Auto Updater

Malwarebytes Anti-Malware version 1.70.0.1100

Microsoft Office Access MUI (English) 2010

Microsoft Office Access MUI (Norwegian (Bokmål)) 2010

Microsoft Office Access Setup Metadata MUI (English) 2010

Microsoft Office Excel MUI (English) 2010

Microsoft Office Excel MUI (Norwegian (Bokmål)) 2010

Microsoft Office Groove MUI (English) 2010

Microsoft Office Groove MUI (Norwegian (Bokmål)) 2010

Microsoft Office InfoPath MUI (English) 2010

Microsoft Office InfoPath MUI (Norwegian (Bokmål)) 2010

Microsoft Office Language Pack 2010 - Norwegian/norsk

Microsoft Office O MUI (Norwegian (Bokmål)) 2010

Microsoft Office Office 64-bit Components 2010

Microsoft Office OneNote MUI (English) 2010

Microsoft Office OneNote MUI (Norwegian (Bokmål)) 2010

Microsoft Office Outlook MUI (English) 2010

Microsoft Office Outlook MUI (Norwegian (Bokmål)) 2010

Microsoft Office PowerPoint MUI (English) 2010

Microsoft Office PowerPoint MUI (Norwegian (Bokmål)) 2010

Microsoft Office Professional Plus 2010

Microsoft Office Proof (English) 2010

Microsoft Office Proof (French) 2010

Microsoft Office Proof (German) 2010

Microsoft Office Proof (Norwegian (Bokmål)) 2010

Microsoft Office Proof (Norwegian (Nynorsk)) 2010

Microsoft Office Proof (Spanish) 2010

Microsoft Office Proofing (English) 2010

Microsoft Office Proofing (Norwegian (Bokmål)) 2010

Microsoft Office Publisher MUI (English) 2010

Microsoft Office Publisher MUI (Norwegian (Bokmål)) 2010

Microsoft Office Shared 64-bit MUI (English) 2010

Microsoft Office Shared 64-bit MUI (Norwegian (Bokmål)) 2010

Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010

Microsoft Office Shared MUI (English) 2010

Microsoft Office Shared MUI (Norwegian (Bokmål)) 2010

Microsoft Office Shared Setup Metadata MUI (English) 2010

Microsoft Office SharePoint Designer MUI (Norwegian (Bokmål)) 2010

Microsoft Office Word MUI (English) 2010

Microsoft Office Word MUI (Norwegian (Bokmål)) 2010

Microsoft Office X MUI (Norwegian (Bokmål)) 2010

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319

Mozilla Firefox 15.0 (x86 en-US)

MP3Test

TagScanner 4.9 build 492

VC80CRTRedist - 8.0.50727.6195

VLC media player 2.0.3

Vuze

WinRAR 4.01 (64-bit)

.

==== Event Viewer Messages From Past Week ========

.

21.03.2013 23:54:47, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk2\DR3.

21.03.2013 21:16:31, Error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.101 with the system having network hardware address 68-09-27-7F-1D-15. Network operations on this system may be disrupted as a result.

.

==== End Of File ===========================

DDS (Ver_2012-11-20.01) - NTFS_AMD64

Internet Explorer: BrowserJavaVersion: 10.17.2

Run by CHRIS at 0:14:53 on 2013-03-22

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.4087.942 [GMT 1:00]

.

AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}

SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}

SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

svchost.exe

svchost.exe

svchost.exe

svchost.exe

svchost.exe

svchost.exe

svchost.exe

svchost.exe

svchost.exe

C:\Windows\system32\taskhost.exe

C:\Windows\Explorer.EXE

svchost.exe

D:\Program Files\AVAST Software\Avast\AvastUI.exe

C:\Program Files (x86)\Faronics\Deep Freeze\Install C-0\_$Df\FrzState2k.exe

svchost.exe

C:\Windows\system32\taskhost.exe

C:\Users\CHRIS\Desktop\HijackThis.exe

C:\Windows\SysWOW64\NOTEPAD.EXE

D:\Program Files (x86)\Mozilla Firefox\firefox.exe

D:\Program Files (x86)\Mozilla Firefox\plugin-container.exe

C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe

C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\System32\cscript.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

mWinlogon: Userinit = userinit.exe

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - d:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll

BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll

BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - d:\Program Files\AVAST Software\Avast\aswWebRepIE.dll

BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - D:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL

BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll

TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - d:\Program Files\AVAST Software\Avast\aswWebRepIE.dll

mRun: [avast] "d:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui

mRunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

mPolicies-Explorer: NoActiveDesktop = dword:1

mPolicies-Explorer: NoActiveDesktopChanges = dword:1

mPolicies-System: ConsentPromptBehaviorAdmin = dword:0

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableLUA = dword:0

mPolicies-System: EnableUIADesktopToggle = dword:0

mPolicies-System: PromptOnSecureDesktop = dword:0

mPolicies-Explorer: NoDrives = dword:0

IE: E&xport to Microsoft Excel - D:\PROGRA~1\MICROS~1\Office14\EXCEL.EXE/3000

TCP: Interfaces\{9678C1B2-D3D2-42BF-A25D-7E5E479870DB} : NameServer = 192.168.1.1

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

SSODL: WebCheck - <orphaned>

x64-BHO: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - d:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll

x64-BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll

x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL

x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll

x64-TB: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - d:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll

x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

x64-Notify: DfLogon - LogonDll.dll

x64-SSODL: WebCheck - <orphaned>

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\CHRIS\AppData\Roaming\Mozilla\Firefox\Profiles\gcaj10da.default\

FF - prefs.js: browser.startup.homepage - google.com

.

============= SERVICES / DRIVERS ===============

.

R0 aswKbd;aswKbd;C:\Windows\System32\drivers\aswKbd.sys [2012-7-11 22600]

R0 aswRvrt;aswRvrt;C:\Windows\System32\drivers\aswRvrt.sys [2013-3-4 65336]

R0 aswVmm;aswVmm;C:\Windows\System32\drivers\aswVmm.sys [2013-3-4 178624]

R0 DeepFrz;DeepFrz;C:\Windows\System32\drivers\DeepFrz.sys [2011-9-1 234520]

R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2012-7-11 1025808]

R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2012-7-11 377920]

R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2012-12-19 240640]

R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2012-7-11 33400]

R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2012-7-11 80816]

R2 avast! Antivirus;avast! Antivirus;D:\Program Files\AVAST Software\Avast\AvastSvc.exe [2013-3-16 45248]

R2 DFServ;DFServ;C:\Program Files (x86)\Faronics\Deep Freeze\Install C-0\DFServ.exe [2011-9-1 1075200]

R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2012-11-6 96256]

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-6-10 187392]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-7-11 59392]

S4 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 27136]

S4 Sysdrv1c;Sysdrv1c; [x]

.

=============== File Associations ===============

.

FileExt: .txt: textfile="C:\Program Files (x86)\Windows NT\Accessories\WORDPAD.EXE" "%1" [userChoice]

.

=============== Created Last 30 ================

.

2013-03-21 22:23:48 -------- d-----w- C:\Users\CHRIS\AppData\Roaming\Malwarebytes

2013-03-21 22:23:17 -------- d-----w- C:\ProgramData\Malwarebytes

2013-03-21 22:23:15 24176 ----a-w- C:\Windows\System32\drivers\mbam.sys

2013-03-21 22:23:15 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2013-03-21 22:23:09 -------- d-----w- C:\Users\CHRIS\AppData\Local\Programs

2013-03-16 18:44:07 -------- d-----w- C:\Program Files (x86)\AMD AVT

2013-03-16 18:44:00 -------- d-----w- C:\Program Files (x86)\AMD APP

2013-03-16 18:43:55 -------- d-----w- C:\Program Files\Common Files\ATI Technologies

2013-03-16 18:43:55 -------- d-----w- C:\Program Files (x86)\Common Files\ATI Technologies

2013-03-16 18:42:13 -------- d-----w- C:\Program Files\ATI

2013-03-16 18:39:00 -------- d-----w- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69

2013-03-16 18:39:00 -------- d-----w- C:\Program Files\iTunes

2013-03-16 18:39:00 -------- d-----w- C:\Program Files\iPod

2013-03-16 18:35:30 73432 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2013-03-16 18:35:30 693976 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2013-03-04 20:21:57 108448 ----a-w- C:\Windows\System32\WindowsAccessBridge-64.dll

2013-03-04 20:21:37 95648 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll

2013-03-04 20:11:32 65336 ----a-w- C:\Windows\System32\drivers\aswRvrt.sys

2013-03-04 20:11:32 178624 ----a-w- C:\Windows\System32\drivers\aswVmm.sys

.

==================== Find3M ====================

.

2013-03-21 20:10:33 16336688 ----a-w- C:\Persi0.sys

2013-03-06 23:33:21 70992 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys

2013-03-06 23:33:21 1025808 ----a-w- C:\Windows\System32\drivers\aswSnx.sys

2013-03-06 23:33:20 80816 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys

2013-03-06 23:33:20 22600 ----a-w- C:\Windows\System32\drivers\aswKbd.sys

2013-03-06 23:32:51 41664 ----a-w- C:\Windows\avastSS.scr

2013-03-04 20:21:53 963488 ----a-w- C:\Windows\System32\deployJava1.dll

2013-03-04 20:21:53 1085344 ----a-w- C:\Windows\System32\npDeployJava1.dll

2013-03-04 20:21:33 861088 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll

2013-03-04 20:21:32 782240 ----a-w- C:\Windows\SysWow64\deployJava1.dll

.

============= FINISH: 0:15:08,93 ===============


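Before the helper's reply, a triage pass over the two DDS sections a reviewer reads first (the Pseudo HJT policy lines and the SERVICES / DRIVERS list), written from the defender's side. This is an added example, not DDS, Malwarebytes or forum tooling; it assumes only the line formats visible in the log above, reproduced here in a constructed sample, and reports the machine-wide UAC values that the log shows set to 0 and any service entry that carries no image path.

```python
import re

# Constructed sample in the shape of the DDS "Pseudo HJT Report" and
# "SERVICES / DRIVERS" lines posted above (not a full log).
SAMPLE_DDS = "\n".join([
    r"mWinlogon: Userinit = userinit.exe",
    r"uPolicies-Explorer: NoDriveTypeAutoRun = dword:145",
    r"mPolicies-System: ConsentPromptBehaviorAdmin = dword:0",
    r"mPolicies-System: ConsentPromptBehaviorUser = dword:3",
    r"mPolicies-System: EnableLUA = dword:0",
    r"mPolicies-System: EnableUIADesktopToggle = dword:0",
    r"mPolicies-System: PromptOnSecureDesktop = dword:0",
    r"R2 avast! Antivirus;avast! Antivirus;D:\Program Files\AVAST Software\Avast\AvastSvc.exe [2013-3-16 45248]",
    r"S4 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 27136]",
    r"S4 Sysdrv1c;Sysdrv1c; [x]",
])

# "uPolicies-Explorer: NoDriveTypeAutoRun = dword:145"  (u = current user, m = machine)
POLICY_RE = re.compile(
    r"^(?P<hive>[um])Policies-(?P<key>\w+): (?P<name>\w+) = dword:(?P<value>\d+)$")
# "S4 Sysdrv1c;Sysdrv1c; [x]"  ->  state, service name, display name, remainder
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
# remainder: "<image path> [<date> <size>]", or just " [x]" when no file details are recorded
REST_RE = re.compile(r"^\s*(?P<path>.*?)\s*\[(?P<info>[^\]]*)\]\s*$")

# UAC values under HKLM\...\Policies\System whose value 0 removes a protection.
WEAK_UAC = {
    "EnableLUA": "User Account Control is switched off entirely",
    "ConsentPromptBehaviorAdmin": "administrators elevate with no prompt at all",
    "PromptOnSecureDesktop": "elevation prompts are not isolated on the secure desktop",
}


def parse_policies(text):
    """Map (hive, key, value name) -> integer for every *Policies-* line."""
    policies = {}
    for line in text.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            # DDS prints the dword in decimal (145 == 0x91, the usual NoDriveTypeAutoRun)
            policies[(m["hive"], m["key"], m["name"])] = int(m["value"])
    return policies


def uac_findings(policies):
    """Return one message per machine-wide UAC value that is set to 0."""
    findings = []
    for name, meaning in WEAK_UAC.items():
        if policies.get(("m", "System", name)) == 0:
            findings.append(f"{name}=0: {meaning}")
    return findings


def parse_services(text):
    """Return a dict per R*/S* service line: state, name, display, path, info."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        r = REST_RE.match(m["rest"])
        path, info = (r["path"], r["info"]) if r else (m["rest"].strip(), "")
        services.append({"state": m["state"], "name": m["name"],
                         "display": m["display"], "path": path, "info": info})
    return services


def services_without_image(text):
    """Service entries with no image path, i.e. only '[x]' where the file details belong."""
    return [s for s in parse_services(text) if not s["path"] or s["info"] == "x"]


def triage(text):
    """Bundle the checks so a whole pasted log can be handed over in one call."""
    return {
        "uac": uac_findings(parse_policies(text)),
        "services_without_image": [s["name"] for s in services_without_image(text)],
    }


if __name__ == "__main__":
    for section, items in triage(SAMPLE_DDS).items():
        print(section)
        for item in items:
            print("  -", item)
```

Feeding the full pasted DDS text to `triage()` instead of the sample works unchanged, since lines that match neither pattern are skipped.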

Hello doffy90 and :welcome:! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
  • Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.

Step 1

Please uninstall this application: Vuze

Step 2

  • Launch Malwarebytes' Anti-Malware
  • Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step 3

Download aswMBR.exe to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan


On completion of the scan click save log, save it to your desktop and post in your next reply


In your next reply, post the following log files:

  • Malwarebytes' Anti-Malware log
  • aswMBR log
  • a new fresh DDS log


Hello Maniac and thank you for taking the time to help me!

I wasn't able to scan with aswMBR.exe because it stops working in the middle of scanning. I have taken a screen of it: 20uqzoz.jpg

Here are the other logs, however:

Malwarebytes Anti-Malware 1.70.0.1100

www.malwarebytes.org

Database version: v2013.03.22.02

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

CHRIS :: CHRIS-PC [administrator]

22.03.2013 18:16:31

mbam-log-2013-03-22 (18-16-31).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 202764

Time elapsed: 1 minute(s), 28 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

DDS (Ver_2012-11-20.01) - NTFS_AMD64

Internet Explorer: BrowserJavaVersion: 10.17.2

Run by CHRIS at 18:26:13 on 2013-03-22

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.4087.3019 [GMT 1:00]

.

AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}

SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}

SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Program Files (x86)\Faronics\Deep Freeze\Install C-0\DFServ.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\system32\atiesrxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\atieclxx.exe

C:\Windows\system32\svchost.exe -k NetworkService

d:\Program Files\AVAST Software\Avast\AvastSvc.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Windows\system32\taskhost.exe

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

D:\Program Files\AVAST Software\Avast\AvastUI.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files (x86)\Faronics\Deep Freeze\Install C-0\_$Df\FrzState2k.exe

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\System32\cscript.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

mWinlogon: Userinit = userinit.exe

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - d:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll

BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - d:\Program Files\AVAST Software\Avast\aswWebRepIE.dll

BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - D:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll

TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - d:\Program Files\AVAST Software\Avast\aswWebRepIE.dll

mRun: [avast] "d:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui

mRunOnce: [Malwarebytes Anti-Malware] d:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

mPolicies-Explorer: NoActiveDesktop = dword:1

mPolicies-Explorer: NoActiveDesktopChanges = dword:1

mPolicies-System: ConsentPromptBehaviorAdmin = dword:0

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableLUA = dword:0

mPolicies-System: EnableUIADesktopToggle = dword:0

mPolicies-System: PromptOnSecureDesktop = dword:0

mPolicies-Explorer: NoDrives = dword:0

IE: E&xport to Microsoft Excel - D:\PROGRA~1\MICROS~1\Office14\EXCEL.EXE/3000

TCP: Interfaces\{9678C1B2-D3D2-42BF-A25D-7E5E479870DB} : NameServer = 192.168.1.1

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

SSODL: WebCheck - <orphaned>

x64-BHO: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - d:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll

x64-BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll

x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL

x64-BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll

x64-TB: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - d:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll

x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

x64-Notify: DfLogon - LogonDll.dll

x64-SSODL: WebCheck - <orphaned>

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\CHRIS\AppData\Roaming\Mozilla\Firefox\Profiles\gcaj10da.default\

FF - prefs.js: browser.startup.homepage - google.com

.

============= SERVICES / DRIVERS ===============

.

R0 aswKbd;aswKbd;C:\Windows\System32\drivers\aswKbd.sys [2012-7-11 22600]

R0 aswRvrt;aswRvrt;C:\Windows\System32\drivers\aswRvrt.sys [2013-3-4 65336]

R0 aswVmm;aswVmm;C:\Windows\System32\drivers\aswVmm.sys [2013-3-4 178624]

R0 DeepFrz;DeepFrz;C:\Windows\System32\drivers\DeepFrz.sys [2011-9-1 234520]

R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2012-7-11 1025808]

R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2012-7-11 377920]

R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2012-12-19 240640]

R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2012-7-11 33400]

R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2012-7-11 80816]

R2 avast! Antivirus;avast! Antivirus;D:\Program Files\AVAST Software\Avast\AvastSvc.exe [2013-3-16 45248]

R2 DFServ;DFServ;C:\Program Files (x86)\Faronics\Deep Freeze\Install C-0\DFServ.exe [2011-9-1 1075200]

R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2012-11-6 96256]

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-6-10 187392]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-7-11 59392]

S4 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 27136]

S4 Sysdrv1c;Sysdrv1c; [x]

.

=============== File Associations ===============

.

FileExt: .txt: textfile="C:\Program Files (x86)\Windows NT\Accessories\WORDPAD.EXE" "%1" [userChoice]

.

=============== Created Last 30 ================

.

2013-03-22 17:15:53 -------- d-----w- C:\Users\CHRIS\AppData\Roaming\Malwarebytes

2013-03-22 17:15:34 -------- d-----w- C:\ProgramData\Malwarebytes

2013-03-22 17:15:32 24176 ----a-w- C:\Windows\System32\drivers\mbam.sys

2013-03-22 17:15:24 -------- d-----w- C:\Users\CHRIS\AppData\Local\Programs

2013-03-16 18:44:07 -------- d-----w- C:\Program Files (x86)\AMD AVT

2013-03-16 18:44:00 -------- d-----w- C:\Program Files (x86)\AMD APP

2013-03-16 18:43:55 -------- d-----w- C:\Program Files\Common Files\ATI Technologies

2013-03-16 18:43:55 -------- d-----w- C:\Program Files (x86)\Common Files\ATI Technologies

2013-03-16 18:42:13 -------- d-----w- C:\Program Files\ATI

2013-03-16 18:39:00 -------- d-----w- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69

2013-03-16 18:39:00 -------- d-----w- C:\Program Files\iTunes

2013-03-16 18:39:00 -------- d-----w- C:\Program Files\iPod

2013-03-16 18:35:30 73432 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2013-03-16 18:35:30 693976 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2013-03-04 20:21:57 108448 ----a-w- C:\Windows\System32\WindowsAccessBridge-64.dll

2013-03-04 20:21:37 95648 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll

2013-03-04 20:11:32 65336 ----a-w- C:\Windows\System32\drivers\aswRvrt.sys

2013-03-04 20:11:32 178624 ----a-w- C:\Windows\System32\drivers\aswVmm.sys

.

==================== Find3M ====================

.

2013-03-06 23:33:21 70992 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys

2013-03-06 23:33:21 1025808 ----a-w- C:\Windows\System32\drivers\aswSnx.sys

2013-03-06 23:33:20 80816 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys

2013-03-06 23:33:20 22600 ----a-w- C:\Windows\System32\drivers\aswKbd.sys

2013-03-06 23:32:51 41664 ----a-w- C:\Windows\avastSS.scr

2013-03-04 20:21:53 963488 ----a-w- C:\Windows\System32\deployJava1.dll

2013-03-04 20:21:53 1085344 ----a-w- C:\Windows\System32\npDeployJava1.dll

2013-03-04 20:21:33 861088 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll

2013-03-04 20:21:32 782240 ----a-w- C:\Windows\SysWow64\deployJava1.dll

.

============= FINISH: 18:26:24,90 ===============

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows 7 Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 11.07.2012 00:32:01

System Uptime: 22.03.2013 18:11:18 (0 hours ago)

.

Motherboard: ASUSTeK Computer INC. | | P7P55D

Processor: Intel® Core i5 CPU 750 @ 2.67GHz | LGA1156 | 1307/133mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 58 GiB total, 36,524 GiB free.

D: is FIXED (NTFS) - 407 GiB total, 293,623 GiB free.

F: is FIXED (NTFS) - 932 GiB total, 113,39 GiB free.

H: is CDROM ()

.

==== Disabled Device Manager Items =============

.

Class GUID: {4d36e97d-e325-11ce-bfc1-08002be10318}

Description: High Definition Audio Controller

Device ID: PCI\VEN_1002&DEV_AA58&SUBSYS_AA581682&REV_00\4&5C759D9&0&01E0

Manufacturer: Microsoft

Name: High Definition Audio Controller

PNP Device ID: PCI\VEN_1002&DEV_AA58&SUBSYS_AA581682&REV_00\4&5C759D9&0&01E0

Service: HDAudBus

.

==== System Restore Points ===================

.

No restore point in system.

.

==== Installed Programs ======================

.

Ace Utilities

Adobe Flash Player 11 Plugin

Adobe Photoshop CS

Adobe Reader X (10.1.6)

AMD Accelerated Video Transcoding

AMD APP SDK Runtime

AMD Catalyst Install Manager

AMD Drag and Drop Transcoding

AMD Media Foundation Decoders

Apple-programsupport

Apple Mobile Device Support

Apple Software Update

Application Profiles

avast! Pro Antivirus

Bonjour

Catalyst Control Center

Catalyst Control Center - Branding

Catalyst Control Center Graphics Previews Common

Catalyst Control Center InstallProxy

Catalyst Control Center Localization All

ccc-utility64

CCC Help Chinese Standard

CCC Help Chinese Traditional

CCC Help Czech

CCC Help Danish

CCC Help Dutch

CCC Help English

CCC Help Finnish

CCC Help French

CCC Help German

CCC Help Greek

CCC Help Hungarian

CCC Help Italian

CCC Help Japanese

CCC Help Korean

CCC Help Norwegian

CCC Help Polish

CCC Help Portuguese

CCC Help Russian

CCC Help Spanish

CCC Help Swedish

CCC Help Thai

CCC Help Turkish

Curse Client

DivX Setup

iTunes

Java 7 Update 17

Java 7 Update 17 (64-bit)

Java Auto Updater

Malwarebytes Anti-Malware version 1.70.0.1100

Microsoft Office Access MUI (English) 2010

Microsoft Office Access MUI (Norwegian (Bokmål)) 2010

Microsoft Office Access Setup Metadata MUI (English) 2010

Microsoft Office Excel MUI (English) 2010

Microsoft Office Excel MUI (Norwegian (Bokmål)) 2010

Microsoft Office Groove MUI (English) 2010

Microsoft Office Groove MUI (Norwegian (Bokmål)) 2010

Microsoft Office InfoPath MUI (English) 2010

Microsoft Office InfoPath MUI (Norwegian (Bokmål)) 2010

Microsoft Office Language Pack 2010 - Norwegian/norsk

Microsoft Office O MUI (Norwegian (Bokmål)) 2010

Microsoft Office Office 64-bit Components 2010

Microsoft Office OneNote MUI (English) 2010

Microsoft Office OneNote MUI (Norwegian (Bokmål)) 2010

Microsoft Office Outlook MUI (English) 2010

Microsoft Office Outlook MUI (Norwegian (Bokmål)) 2010

Microsoft Office PowerPoint MUI (English) 2010

Microsoft Office PowerPoint MUI (Norwegian (Bokmål)) 2010

Microsoft Office Professional Plus 2010

Microsoft Office Proof (English) 2010

Microsoft Office Proof (French) 2010

Microsoft Office Proof (German) 2010

Microsoft Office Proof (Norwegian (Bokmål)) 2010

Microsoft Office Proof (Norwegian (Nynorsk)) 2010

Microsoft Office Proof (Spanish) 2010

Microsoft Office Proofing (English) 2010

Microsoft Office Proofing (Norwegian (Bokmål)) 2010

Microsoft Office Publisher MUI (English) 2010

Microsoft Office Publisher MUI (Norwegian (Bokmål)) 2010

Microsoft Office Shared 64-bit MUI (English) 2010

Microsoft Office Shared 64-bit MUI (Norwegian (Bokmål)) 2010

Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010

Microsoft Office Shared MUI (English) 2010

Microsoft Office Shared MUI (Norwegian (Bokmål)) 2010

Microsoft Office Shared Setup Metadata MUI (English) 2010

Microsoft Office SharePoint Designer MUI (Norwegian (Bokmål)) 2010

Microsoft Office Word MUI (English) 2010

Microsoft Office Word MUI (Norwegian (Bokmål)) 2010

Microsoft Office X MUI (Norwegian (Bokmål)) 2010

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319

Mozilla Firefox 15.0 (x86 en-US)

MP3Test

TagScanner 4.9 build 492

VC80CRTRedist - 8.0.50727.6195

VLC media player 2.0.3

WinRAR 4.01 (64-bit)

.

==== End Of File ===========================


Note: Please do not run this tool without special supervision and instructions of someone authorized to do so. Otherwise, you could end up with serious problems. For more details, read this article: ComboFix usage, Questions, Help? - Look here

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please post the C:\ComboFix.txt in your next reply for further review.

Note: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.


I disabled the Avast shields and stopped its service, but when I ran ComboFix it said that Avast was running but I couldn't cancel the operation so it started scanning anyway. Here's the log:

ComboFix 13-03-21.02 - CHRIS 22.03.2013 18:45:36.1.4 - x64

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.4087.3097 [GMT 1:00]

Running from: c:\users\CHRIS\Desktop\ComboFix.exe

AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}

SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}

SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

.

((((((((((((((((((((((((( Files Created from 2013-02-22 to 2013-03-22 )))))))))))))))))))))))))))))))

.

.

2013-03-22 17:15 . 2013-03-22 17:15 -------- d-----w- c:\users\CHRIS\AppData\Roaming\Malwarebytes

2013-03-22 17:15 . 2013-03-22 17:15 -------- d-----w- c:\programdata\Malwarebytes

2013-03-22 17:15 . 2012-12-14 15:49 24176 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-03-22 17:15 . 2013-03-22 17:15 -------- d-----w- c:\users\CHRIS\AppData\Local\Programs

2013-03-16 18:44 . 2013-03-16 18:44 -------- d-----w- c:\program files (x86)\AMD AVT

2013-03-16 18:44 . 2013-03-16 18:44 -------- d-----w- c:\program files (x86)\AMD APP

2013-03-16 18:43 . 2013-03-16 18:43 -------- d-----w- c:\program files\Common Files\ATI Technologies

2013-03-16 18:43 . 2013-03-16 18:43 -------- d-----w- c:\program files (x86)\Common Files\ATI Technologies

2013-03-16 18:42 . 2013-03-16 18:42 -------- d-----w- c:\program files\ATI

2013-03-16 18:39 . 2013-03-16 18:39 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69

2013-03-16 18:39 . 2013-03-16 18:39 -------- d-----w- c:\program files\iTunes

2013-03-16 18:39 . 2013-03-16 18:39 -------- d-----w- c:\program files\iPod

2013-03-16 18:35 . 2013-03-16 18:35 73432 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2013-03-16 18:35 . 2013-03-16 18:35 693976 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2013-03-04 20:22 . 2013-03-04 20:21 310688 ----a-w- c:\windows\system32\javaws.exe

2013-03-04 20:21 . 2013-03-04 20:21 108448 ----a-w- c:\windows\system32\WindowsAccessBridge-64.dll

2013-03-04 20:21 . 2013-03-04 20:21 188832 ----a-w- c:\windows\system32\javaw.exe

2013-03-04 20:21 . 2013-03-04 20:21 188320 ----a-w- c:\windows\system32\java.exe

2013-03-04 20:21 . 2013-03-04 20:21 -------- d-----w- c:\program files\Java

2013-03-04 20:21 . 2013-03-04 20:21 -------- d-----w- c:\program files (x86)\Common Files\Java

2013-03-04 20:21 . 2013-03-04 20:21 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll

2013-03-04 20:21 . 2013-03-04 20:21 -------- d-----w- c:\program files (x86)\Java

2013-03-04 20:11 . 2013-03-06 23:33 65336 ----a-w- c:\windows\system32\drivers\aswRvrt.sys

2013-03-04 20:11 . 2013-03-06 23:33 178624 ----a-w- c:\windows\system32\drivers\aswVmm.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-03-06 23:33 . 2012-07-11 07:15 377920 ----a-w- c:\windows\system32\drivers\aswSP.sys

2013-03-06 23:33 . 2012-07-11 07:15 70992 ----a-w- c:\windows\system32\drivers\aswRdr2.sys

2013-03-06 23:33 . 2012-07-11 07:15 68920 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2013-03-06 23:33 . 2012-07-11 07:15 1025808 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2013-03-06 23:33 . 2012-07-11 07:18 22600 ----a-w- c:\windows\system32\drivers\aswKbd.sys

2013-03-06 23:33 . 2012-07-11 07:15 33400 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2013-03-06 23:33 . 2012-07-11 07:15 80816 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys

2013-03-06 23:32 . 2012-07-11 07:14 41664 ----a-w- c:\windows\avastSS.scr

2013-03-06 23:32 . 2012-07-11 07:15 287840 ----a-w- c:\windows\system32\aswBoot.exe

2013-03-04 20:21 . 2012-07-11 07:27 963488 ----a-w- c:\windows\system32\deployJava1.dll

2013-03-04 20:21 . 2012-07-11 07:27 1085344 ----a-w- c:\windows\system32\npDeployJava1.dll

2013-03-04 20:21 . 2012-07-11 07:26 861088 ----a-w- c:\windows\SysWow64\npDeployJava1.dll

2013-03-04 20:21 . 2012-07-11 07:26 782240 ----a-w- c:\windows\SysWow64\deployJava1.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"avast"="d:\program files\AVAST Software\Avast\avastUI.exe" [2013-03-06 4767304]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk /k:C /k:D /k:F *

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DFServ]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

"iTunesHelper"="d:\program files (x86)\iTunes\iTunesHelper.exe"

"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW

"BCSSync"="d:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe"

"StartCCC"="d:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

.

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]

R4 Sysdrv1c;Sysdrv1c; [x]

S0 aswKbd;aswKbd; [x]

S0 aswRvrt;aswRvrt; [x]

S0 aswVmm;aswVmm; [x]

S0 DeepFrz;DeepFrz; [x]

S1 aswSnx;aswSnx; [x]

S1 aswSP;aswSP; [x]

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-12-19 240640]

S2 aswFsBlk;aswFsBlk; [x]

S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-03-06 80816]

S2 DFServ;DFServ;c:\program files (x86)\Faronics\Deep Freeze\Install C-0\DFServ.exe [2011-09-01 1075200]

S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2012-11-06 96256]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-06-10 187392]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2013-03-06 23:32 133840 ----a-w- d:\program files\AVAST Software\Avast\ashShA64.dll

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000

TCP: Interfaces\{9678C1B2-D3D2-42BF-A25D-7E5E479870DB}: NameServer = 192.168.1.1

FF - ProfilePath - c:\users\CHRIS\AppData\Roaming\Mozilla\Firefox\Profiles\gcaj10da.default\

FF - prefs.js: browser.startup.homepage - google.com

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]

@="?????????????????? v1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]

@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]

@="?????????????????? v2"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]

@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

@Denied: (A) (Everyone)

"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

@Denied: (A) (Everyone)

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

"Key"="ActionsPane3"

"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

d:\program files\AVAST Software\Avast\AvastSvc.exe

c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

.

**************************************************************************

.

Completion time: 2013-03-22 18:52:05 - machine was rebooted

ComboFix-quarantined-files.txt 2013-03-22 17:52

.

Pre-Run: 39 124 320 256 bytes free

Post-Run: 39 033 286 656 bytes free

.

- - End Of File - - 0F56AFFDF8AA9BBAE0BF66066DF7E367


1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Driver::

Sysdrv1c

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


No Avast warning this time :)

ComboFix 13-03-21.02 - CHRIS 22.03.2013 22:25:08.3.4 - x64

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.4087.3052 [GMT 1:00]

Running from: c:\users\CHRIS\Desktop\ComboFix.exe

Command switches used :: c:\users\CHRIS\Desktop\CFScript.txt

AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}

SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}

SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_Sysdrv1c

.

.

((((((((((((((((((((((((( Files Created from 2013-02-22 to 2013-03-22 )))))))))))))))))))))))))))))))

.

.

2013-03-22 17:15 . 2013-03-22 17:15 -------- d-----w- c:\users\CHRIS\AppData\Roaming\Malwarebytes

2013-03-22 17:15 . 2013-03-22 17:15 -------- d-----w- c:\programdata\Malwarebytes

2013-03-22 17:15 . 2012-12-14 15:49 24176 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-03-22 17:15 . 2013-03-22 17:15 -------- d-----w- c:\users\CHRIS\AppData\Local\Programs

2013-03-16 18:44 . 2013-03-16 18:44 -------- d-----w- c:\program files (x86)\AMD AVT

2013-03-16 18:44 . 2013-03-16 18:44 -------- d-----w- c:\program files (x86)\AMD APP

2013-03-16 18:43 . 2013-03-16 18:43 -------- d-----w- c:\program files\Common Files\ATI Technologies

2013-03-16 18:43 . 2013-03-16 18:43 -------- d-----w- c:\program files (x86)\Common Files\ATI Technologies

2013-03-16 18:42 . 2013-03-16 18:42 -------- d-----w- c:\program files\ATI

2013-03-16 18:39 . 2013-03-16 18:39 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69

2013-03-16 18:39 . 2013-03-16 18:39 -------- d-----w- c:\program files\iTunes

2013-03-16 18:39 . 2013-03-16 18:39 -------- d-----w- c:\program files\iPod

2013-03-16 18:35 . 2013-03-16 18:35 73432 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2013-03-16 18:35 . 2013-03-16 18:35 693976 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2013-03-04 20:22 . 2013-03-04 20:21 310688 ----a-w- c:\windows\system32\javaws.exe

2013-03-04 20:21 . 2013-03-04 20:21 108448 ----a-w- c:\windows\system32\WindowsAccessBridge-64.dll

2013-03-04 20:21 . 2013-03-04 20:21 188832 ----a-w- c:\windows\system32\javaw.exe

2013-03-04 20:21 . 2013-03-04 20:21 188320 ----a-w- c:\windows\system32\java.exe

2013-03-04 20:21 . 2013-03-04 20:21 -------- d-----w- c:\program files\Java

2013-03-04 20:21 . 2013-03-04 20:21 -------- d-----w- c:\program files (x86)\Common Files\Java

2013-03-04 20:21 . 2013-03-04 20:21 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll

2013-03-04 20:21 . 2013-03-04 20:21 -------- d-----w- c:\program files (x86)\Java

2013-03-04 20:11 . 2013-03-06 23:33 65336 ----a-w- c:\windows\system32\drivers\aswRvrt.sys

2013-03-04 20:11 . 2013-03-06 23:33 178624 ----a-w- c:\windows\system32\drivers\aswVmm.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-03-06 23:33 . 2012-07-11 07:15 377920 ----a-w- c:\windows\system32\drivers\aswSP.sys

2013-03-06 23:33 . 2012-07-11 07:15 70992 ----a-w- c:\windows\system32\drivers\aswRdr2.sys

2013-03-06 23:33 . 2012-07-11 07:15 68920 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2013-03-06 23:33 . 2012-07-11 07:15 1025808 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2013-03-06 23:33 . 2012-07-11 07:18 22600 ----a-w- c:\windows\system32\drivers\aswKbd.sys

2013-03-06 23:33 . 2012-07-11 07:15 33400 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2013-03-06 23:33 . 2012-07-11 07:15 80816 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys

2013-03-06 23:32 . 2012-07-11 07:14 41664 ----a-w- c:\windows\avastSS.scr

2013-03-06 23:32 . 2012-07-11 07:15 287840 ----a-w- c:\windows\system32\aswBoot.exe

2013-03-04 20:21 . 2012-07-11 07:27 963488 ----a-w- c:\windows\system32\deployJava1.dll

2013-03-04 20:21 . 2012-07-11 07:27 1085344 ----a-w- c:\windows\system32\npDeployJava1.dll

2013-03-04 20:21 . 2012-07-11 07:26 861088 ----a-w- c:\windows\SysWow64\npDeployJava1.dll

2013-03-04 20:21 . 2012-07-11 07:26 782240 ----a-w- c:\windows\SysWow64\deployJava1.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"avast"="d:\program files\AVAST Software\Avast\avastUI.exe" [2013-03-06 4767304]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk /k:C /k:D /k:F *

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DFServ]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

"iTunesHelper"="d:\program files (x86)\iTunes\iTunesHelper.exe"

"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW

"BCSSync"="d:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe"

"StartCCC"="d:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

.

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]

S0 aswKbd;aswKbd; [x]

S0 aswRvrt;aswRvrt; [x]

S0 aswVmm;aswVmm; [x]

S0 DeepFrz;DeepFrz; [x]

S1 aswSnx;aswSnx; [x]

S1 aswSP;aswSP; [x]

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-12-19 240640]

S2 aswFsBlk;aswFsBlk; [x]

S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-03-06 80816]

S2 DFServ;DFServ;c:\program files (x86)\Faronics\Deep Freeze\Install C-0\DFServ.exe [2011-09-01 1075200]

S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2012-11-06 96256]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-06-10 187392]

.

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2013-03-06 23:32 133840 ----a-w- d:\program files\AVAST Software\Avast\ashShA64.dll

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000

TCP: Interfaces\{9678C1B2-D3D2-42BF-A25D-7E5E479870DB}: NameServer = 192.168.1.1

FF - ProfilePath - c:\users\CHRIS\AppData\Roaming\Mozilla\Firefox\Profiles\gcaj10da.default\

FF - prefs.js: browser.startup.homepage - google.com

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]

@="?????????????????? v1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]

@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]

@="?????????????????? v2"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]

@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

@Denied: (A) (Everyone)

"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

@Denied: (A) (Everyone)

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

"Key"="ActionsPane3"

"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

d:\program files\AVAST Software\Avast\AvastSvc.exe

c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

.

**************************************************************************

.

Completion time: 2013-03-22 22:30:39 - machine was rebooted

ComboFix-quarantined-files.txt 2013-03-22 21:30

ComboFix2.txt 2013-03-22 21:23

ComboFix3.txt 2013-03-22 17:52

.

Pre-Run: 39 110 938 624 bytes free

Post-Run: 38 874 628 096 bytes free

.

- - End Of File - - 8D5141CBC17B402C42BAFCCECDF69FA9

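An added example for reading the two ComboFix logs above (this is not ComboFix's code and nothing in the thread's posts). In the Reg Loading Points section ComboFix prints `[x]` where it could not resolve a service's image path. That is expected for the self-protected avast drivers (`asw*`) and the Faronics Deep Freeze driver (`DeepFrz`), but `R4 Sysdrv1c;Sysdrv1c; [x]` has no path and no installed product to account for it, which is why the helper's CFScript targets that single driver. The same section shows UAC switched off (`EnableLUA` = 0, `ConsentPromptBehaviorAdmin` = 0, `PromptOnSecureDesktop` = 0), so anything running in this user's session already runs with a full administrator token and never sees an elevation prompt. The script parses trimmed copies of both logs, flags unresolved services that no known product explains (the `KNOWN_PREFIXES` allowlist is an assumption of this example, built from the Installed Programs list), reports the weak UAC values, and diffs the service list between the two runs to confirm `Sysdrv1c` is gone. One caveat that the presence of `DFServ`/`DeepFrz` raises: Deep Freeze restores a frozen partition to its saved state on reboot, so cleanup on a frozen drive does not persist unless the machine is thawed first.

```python
"""Triage helpers for ComboFix logs: flag services with no resolvable image
path, check the UAC policy values, and diff the service list between two runs.
Added example for this thread; not ComboFix's own code. The two excerpts below
are trimmed copies of the logs posted in the thread."""
import re

# Service lines in "Reg Loading Points" look like:
#   <R|S><start> <name>;<display name>;<image path> [<date> <size>]
# ComboFix prints "[x]" in place of the path when it could not resolve one.
_SERVICE_RE = re.compile(r"^([RS])(\d) ([^;]+);([^;]*);(.*)$")
_POLICY_RE = re.compile(r'^"(\w+)"= (\d+) \(0x[0-9a-fA-F]+\)$')

# Names whose missing path is explained by a product seen in the DDS
# Installed Programs list (avast drivers, Faronics Deep Freeze).
# Assumption of this example; extend it per machine.
KNOWN_PREFIXES = ("asw", "DeepFrz", "DFServ")

LOG_BEFORE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /k:C /k:D /k:F *
.
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R4 Sysdrv1c;Sysdrv1c; [x]
S0 aswKbd;aswKbd; [x]
S0 DeepFrz;DeepFrz; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-03-06 80816]
S2 DFServ;DFServ;c:\program files (x86)\Faronics\Deep Freeze\Install C-0\DFServ.exe [2011-09-01 1075200]
"""

LOG_AFTER = r"""
-------\Service_Sysdrv1c
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
S0 aswKbd;aswKbd; [x]
S0 DeepFrz;DeepFrz; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-03-06 80816]
S2 DFServ;DFServ;c:\program files (x86)\Faronics\Deep Freeze\Install C-0\DFServ.exe [2011-09-01 1075200]
"""


def parse_services(log):
    """Return {name: (state, start_type, image_path)} for every service line."""
    services = {}
    for line in log.splitlines():
        m = _SERVICE_RE.match(line.strip())
        if m:
            state, start, name, _display, path = m.groups()
            services[name] = (state, int(start), path.strip())
    return services


def unresolved_services(log):
    """Service names with no image path and no known product to explain it."""
    return sorted(
        name for name, (_s, _t, path) in parse_services(log).items()
        if path == "[x]" and not name.startswith(KNOWN_PREFIXES)
    )


def uac_findings(log):
    """Describe UAC policy values in the log that remove elevation prompts."""
    values, in_block = {}, False
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("[") and "policies\\system]" in line.lower():
            in_block = True
            continue
        if in_block and line.startswith("["):
            break  # next registry key: the policy block is over
        m = _POLICY_RE.match(line)
        if in_block and m:
            values[m.group(1)] = int(m.group(2))
    findings = []
    if values.get("EnableLUA") == 0:
        findings.append("EnableLUA=0: UAC disabled, admin processes run fully elevated")
    if values.get("ConsentPromptBehaviorAdmin") == 0:
        findings.append("ConsentPromptBehaviorAdmin=0: elevate without prompting")
    if values.get("PromptOnSecureDesktop") == 0:
        findings.append("PromptOnSecureDesktop=0: prompts not on the secure desktop")
    return findings


def service_diff(before, after):
    """(removed, added) service names between two ComboFix runs."""
    b, a = parse_services(before), parse_services(after)
    return sorted(set(b) - set(a)), sorted(set(a) - set(b))


if __name__ == "__main__":
    print("unresolved:", unresolved_services(LOG_BEFORE))
    print("uac:", *uac_findings(LOG_BEFORE), sep="\n  ")
    print("removed/added between runs:", service_diff(LOG_BEFORE, LOG_AFTER))
```

Run it as-is to see the three findings; to apply it to a full log, pass the complete ComboFix.txt text to the same functions. The allowlist deliberately stays short: a `[x]` entry is only interesting when nothing on the machine accounts for it, and anything you add to `KNOWN_PREFIXES` should be traceable to an installed product.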

Thank you! :)

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\ESET\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic


Should I also check "scan archives" and "scan for potentially unsafe applications"?


Here's the log without checking what I previously asked.

ESETSmartInstaller@High as CAB hook log:

OnlineScanner64.ocx - registred OK

OnlineScanner.ocx - registred OK

# version=8

# IEXPLORE.EXE=10.00.9200.16521 (win8_gdr_soc_ie.130216-2100)

# OnlineScanner.ocx=1.0.0.6920

# api_version=3.0.2

# EOSSerial=877eef126645054fb3a121009a18cb98

# engine=13465

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2013-03-23 12:13:07

# local_time=2013-03-23 01:13:07 (+0100, Romance Standard Time)

# country="Norway"

# lang=1033

# osver=6.1.7601 NT Service Pack 1

# compatibility_mode=5893 16776573 100 94 15852471 115627437 0 0

# scanned=137319

# found=1

# cleaned=1

# scan_time=1768

sh=C3F40FA6674806552A891192BBACBA164E630B43 ft=1 fh=b1fbd04628adf8b1 vn="a variant of Win32/Packed.VMProtect.AAH trojan (cleaned by deleting - quarantined)" ac=C fn="F:\GAMES\Max.Payne.3-RELOADED\Max.Payne.3.Update.v1.0.0.22-RELOADED\Crack\gsrld.dll"

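An added example for the ESET log above (not ESET's code and not from the thread): the `# key=value` header records which options were actually ticked, and each detection line is a run of `key=value` tokens with the file's SHA-1 in `sh`, the detection name in `vn` and the path in `fn`. Parsing the log this way answers the question asked a post earlier directly: `archives_checked=false` and `unsafe_checked=false` show the archive and potentially-unsafe-application options were left off, so the scan did not look inside archives on the 932 GiB games drive where the one hit was found. The sample text is the posted log trimmed to the lines the parser uses.

```python
"""Parse an ESET Online Scanner log.txt into its header fields and detection
records, and list the scan options that were left off. Added example for
this thread; not ESET's own code. SAMPLE_LOG is the posted log, trimmed."""
import re

# key=value tokens; quoted values may contain spaces and backslashes.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_LOG = r'''# version=8
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# scanned=137319
# found=1
# cleaned=1
# scan_time=1768
sh=C3F40FA6674806552A891192BBACBA164E630B43 ft=1 fh=b1fbd04628adf8b1 vn="a variant of Win32/Packed.VMProtect.AAH trojan (cleaned by deleting - quarantined)" ac=C fn="F:\GAMES\Max.Payne.3-RELOADED\Max.Payne.3.Update.v1.0.0.22-RELOADED\Crack\gsrld.dll"
'''


def _coerce(value):
    """Turn true/false and integer header values into Python types."""
    if value in ("true", "false"):
        return value == "true"
    return int(value) if value.isdigit() else value


def parse_eset_log(text):
    """Return (header_dict, [detection_dict, ...]) for an ESET log.txt."""
    header, detections = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            header[key] = _coerce(value)
            continue
        rec = {k: v.strip('"') for k, v in _KV_RE.findall(line)}
        if "sh" in rec:  # detection record: normalise the SHA-1 for lookups
            rec["sha1"] = rec.pop("sh").lower()
            detections.append(rec)
    return header, detections


def coverage_gaps(header):
    """Scan options left unticked that would have widened the scan."""
    gaps = []
    if not header.get("archives_checked", True):
        gaps.append("archives were not scanned")
    if not header.get("unsafe_checked", True):
        gaps.append("potentially unsafe applications were not scanned")
    return gaps


if __name__ == "__main__":
    hdr, hits = parse_eset_log(SAMPLE_LOG)
    print(f"scanned={hdr['scanned']} found={hdr['found']} cleaned={hdr['cleaned']}")
    for hit in hits:
        print(hit["sha1"], hit["vn"], hit["fn"], sep="\n  ")
    print("gaps:", coverage_gaps(hdr))
```

The lower-cased `sha1` field is what you would feed to a hash lookup to judge the hit independently of the vendor name; the `fn` path tells you where the file came from, which here is a crack directory rather than anything the email account depends on.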

One last scan please:

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named)

Click the cog in the upper right

AVPfront.gif

Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan

avpsettings.gif

Allow AVP to delete all infections found

Once it has finished select report tab (last tab)

Select Detected threats report from the left and press Save button

Save it to your desktop and post it in your next reply.


  • 2 weeks later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
