Malware/Virus possible Artua Vladislav (fs) and other symptoms [Closed]



#61 Feather24 (Member, Topic Starter, 251 posts)
Hello, thanks for your quick reply.

1. I haven't re-enabled Spybot since I disabled it; however, I mentioned that I have 2 versions on my system and asked you if I needed to disable both. At the time you said to disable just one, so that may be the reason. I'll take a look and try to disable it.

2. I haven't installed any other software programs, as instructed. I have e.g. downloaded ebooks or MP3s, but that shouldn't count, should it? And I didn't get any indication from WinPatrol that there was a problem when I've done that. WinPatrol only asked me about c:windows/system32/appmgmts.dll after I installed ComboFix.

If I am asked by WinPatrol to allow windows/system32/appmgmts.dll again, should I or not? I am unclear here. From what I understand it relates to registry files and we have recently been trying to fix the registry; I was wondering if it might be to do with ComboFix? Anyway, just a thought.

3. I haven't run any other tools, as instructed, and have followed your instructions carefully.

4. Please could you just confirm what I do in response to windows/system32/appmgmts.dll if it appears again (do I accept or reject it if it asks again?), and then I'll run ComboFix.

Thanks for your help.

Thanks

#62 Feather24 (Member, Topic Starter, 251 posts)
Hi, I've checked the Spybot version in the system tray and that is still off.

The newer version 2.1.18.0 is an icon on my desktop; would that be easier to uninstall? I wasn't able to follow your instructions at No. 16 for that: when I right click the icon, it gives me various options, I can run as admin, I can scan file, shred file, kill file, full system scan, I can open file etc.

When I went into Spybot the panel has the advanced mode checked.

The tools are broken down into 3 sections:

Basic: e.g. system scan, stats file scan

Advanced tools: report checker, settings, start up tools, system repair, secure shredder, rootkit scan etc.

Prof tools: phone scan, boot CD creator etc.

I went into start up tools; there was a set of options at the top of the page e.g. autorun, advance services, winlockLSPs. I tried posting a screenshot but it wouldn't work here.

I also just thought I would let you know that today AVG did a scheduled scan and it picked up "corrupted executable file", described this way: c:\users\frances\applicationdata\local\microsoft\windows\temporaryinternetfiles\content.IES\wp8kekow\combofix(1).exe - AVG removed it.

I'm uncertain what to do now as I couldn't follow your instructions from No. 16.

Please advise best options.

thanks

Edited by Feather24, 10 September 2013 - 05:35 AM.


#63 godawgs (Teacher, Retired Staff, 8,228 posts)
Hi,

Please could you just confirm what I do in response to windows/system32/appmgmts.dll if it appears again? (Do I accept or reject it if it asks again?)

Thanks for the clarification. Do not allow appmgmts.dll. It isn't part of ComboFix and we will remove it but I want to get a ComboFix log.

For the Spybot issue let's uninstall all versions of Spybot on the Computer for the present time.

For the 1.6.2 version:

Uninstall SpyBot S&D

  • Run Spybot S&D
  • Go to the Mode menu, and make sure Advanced Mode is selected.
  • You may be presented with a warning dialog. If so, press Yes.
  • In the Navigation Bar on the left click on SpyBot S&D and click on Immunize
  • On the Immunize page click Undo at the top of the page.
  • Click on Posted Image in the Navigation Bar
  • Click on Posted Image
  • Uncheck these boxes:
    Posted Image
  • Click IE Tweaks in the left Navigation Bar.
  • On the IE Tweaks window you will see a group Recommended miscellaneous locks
  • Click the checkboxes in front of both Lock IE… options to uncheck them
  • Close Spybot S&D and Restart your computer.
    Note: If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
  • Click the Start Orb, click Control Panel. Under the Programs heading click Uninstall a program
  • In the list of programs installed, locate the following program(s):

    SpyBot S&D 1.6.2
    SpyBot 2.0
    Spybot 2.1.18

  • Vista/7 users: right click each program and click Uninstall.
  • After the programs have been uninstalled, close the Installed Programs window and the Control Panel.
  • Reboot the computer.

Now let's disable AVG so it won't interfere with ComboFix

How to disable AVG Internet Security 2011 Resident Shield.

  • Right click the AVG icon and click Open.
  • Click the Overview panel. Double click on Resident Shield and uncheck the Resident Shield Active box.
    To disable the Internet Explorer extensions, double-click "LinkScanner" and uncheck the box next to "Enable AVG Search-Shield" and "Enable AVG Active Surf-Shield."
  • Click Save Changes.
Now delete any versions of ComboFix you have on the computer. Just right click the file and click Delete

Now, go back to post #57 and complete the steps and post the log.

#64 Feather24 (Member, Topic Starter, 251 posts)
Hi Godawgs, thanks for the explanation and follow up details. I'd like to check some things I'm unclear about, if that's OK; I have a few questions.

I'm clear about removing Spybot; should I run as admin? Although I haven't done that yet!

I disabled my AVG 2013 version when I ran ComboFix as directed the first time, so I'm not sure why it would interfere with ComboFix. The instructions you sent for AVG refer to the 2011 version, which is different to mine; I have found out how to disable the resident shield, which is in advanced options. However I'm wondering, if I just disable everything temporarily, won't that work? I'm not questioning you, I'm just not clear. That is what I did last time.

It was only after I went back into my computer from shutting it down that AVG went back on and found the problem file I mentioned.

I can't find Double-click "LinkScanner" and uncheck the box next to "Enable AVG Search-Shield" and "Enable AVG Active Surf-Shield." either on the AVG 2013 version.

Can I also check: "Now delete any versions of ComboFix you have on the computer. Just right click the file and click Delete" - don't I need to uninstall it? Do you mean click on the icon and delete it? I thought that just deleted the icon rather than uninstalled the program?

Just working through spybot - I think these things may take me a while.

I'll report anything else as I do it.

thanks

#65 godawgs (Teacher, Retired Staff, 8,228 posts)

I'm clear about removing Spybot; should I run as admin? Although I haven't done that yet!

Yes, right click the program file or icon and click Run as Administrator and then make sure the Immunization is undone and that the checkmarks are gone beside Resident Helper and Resident TeaTimer in the Resident section. But when you start to uninstall the programs you don't need to open the Control Panel as an administrator. You should already be logged in as an administrator.

I disabled my AVG 2013 version when I ran ComboFix as directed the first time, so I'm not sure why it would interfere with ComboFix. The instructions you sent for AVG refer to the 2011 version, which is different to mine; I have found out how to disable the resident shield, which is in advanced options. However I'm wondering, if I just disable everything temporarily, won't that work? I'm not questioning you, I'm just not clear. That is what I did last time.

The reason I included instructions to disable AVG Internet Security 2011 is because the Security check scan showed that AVG Internet Security 2011 is installed on the machine.

Results of screen317's Security Check version 0.99.73
Windows 7 Service Pack 1 x86 (UAC is enabled)
Internet Explorer 10
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Disabled!
AVG Internet Security 2011
Antivirus up to date!

So now I'm confused. Maybe Security Check just reported the version incorrectly. But theoretically temporarily disabling AVG should work.

I can't find Double-click "LinkScanner" and uncheck the box next to "Enable AVG Search-Shield" and "Enable AVG Active Surf-Shield." either on the AVG 2013 version.

That's because those instructions were for AVG 2011.

Can I also check: "Now delete any versions of ComboFix you have on the computer. Just right click the file and click Delete" - don't I need to uninstall it? Do you mean click on the icon and delete it? I thought that just deleted the icon rather than uninstalled the program?

Sorry, yes I meant the icon. When you delete the icon on the desktop that will delete the ComboFix.exe file. Then when you download the fresh ComboFix to the desktop that will put the icon back on the desktop. Basically we are just making sure that you have the most recent version of ComboFix as the tool is updated frequently.


#67 Feather24 (Member, Topic Starter, 251 posts)
Thanks Godawgs, I'll be responding tomorrow.

#68 Feather24 (Member, Topic Starter, 251 posts)
Hi Godawgs,

OK, I followed the instructions for removing Spybot and hit a snag.

1. The resident shield was already unchecked, so that was OK; however, when going into IE Tweaks:

On the IE Tweaks window you will see a group Recommended miscellaneous locks

- No there was only one checkbox available "Lock hosts file read only as protection against hijackers" - so do I uncheck that?

Click the checkboxes in front of both Lock IE… options to uncheck them - nothing to uncheck here on this:

IE Custom title:

Current user (blank space to fill in) APPLY BUTTON
All users (" " ) APPLY BUTTON

Can you confirm what to do next thanks.

#69 godawgs (Teacher, Retired Staff, 8,228 posts)

No there was only one checkbox available "Lock hosts file read only as protection against hijackers" - so do I uncheck that?

Yes, uncheck it.

IE Custom title:

Current user (blank space to fill in) APPLY BUTTON
All users (" " ) APPLY BUTTON

Don't do anything here. Just uncheck the lock hosts file box and then uninstall the Spybot programs. I haven't used SpyBot in years, so version 2.0 or 2.1 may not have the other boxes to check.

Please just uninstall all versions of Spybot and then run ComboFix.

#70 Feather24 (Member, Topic Starter, 251 posts)
Morning Godawgs,

OK, I've deleted all versions of Spybot and ComboFix. When removing one of the Spybot versions I did get this error message: "SBSD security centre failed to uninstall with the error "system error code 1060": the specified service doesn't exist as an installed service." However both Spybot programs are now deleted from my install list, so hopefully that is OK.

I noticed recently that I have been needing to reboot my computer more often to surf web and use youtube, as it seems to stall more often. Hopefully with combofix that may sort it out.

thanks

Edited by Feather24, 16 September 2013 - 03:28 AM.


#71 Feather24 (Member, Topic Starter, 251 posts)
Here is the Combofix log:

ComboFix 13-09-14.01 - Frances 16/09/2013 10:05:38.1.2 - x86
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.2037.1253 [GMT 1:00]
Running from: c:\users\Frances\Desktop\ComboFix.exe
AV: AVG Internet Security 2013 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
FW: AVG Internet Security 2013 *Enabled* {36AFA1E1-4CDC-7EF8-11EE-C77C3581ABA2}
SP: AVG Internet Security 2013 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Blinkx
c:\program files\Blinkx\blinkx.ico
c:\program files\Blinkx\blinkxss.exe
c:\program files\Blinkx\blinkxstop.exe
c:\program files\Blinkx\lang.dll
c:\program files\Blinkx\templates\beat.ico
c:\program files\Blinkx\templates\index.html
c:\program files\Blinkx\templates\noflash.html
c:\program files\Blinkx\templates\offline.html
c:\program files\Blinkx\templates\offline.swf
c:\program files\Blinkx\templates\uninstall.exe
c:\users\Frances\AppData\Local\Google\Chrome\User Data\Default\preferences
c:\users\Frances\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc168.tmp
c:\users\Frances\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc223C.tmp
c:\users\Frances\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc2D4F.tmp
c:\users\Frances\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc41C1.tmp
c:\users\Frances\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc4371.tmp
c:\users\Frances\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc52C2.tmp
c:\users\Frances\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc598C.tmp
c:\users\Frances\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc61B7.tmp
c:\users\Frances\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc6927.tmp
c:\users\Frances\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc6E09.tmp
c:\users\Frances\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc7768.tmp
c:\users\Frances\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc9CBE.tmp
c:\users\Frances\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc9E28.tmp
c:\users\Frances\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB06D.tmp
c:\users\Frances\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB08A.tmp
c:\users\Frances\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccC1CD.tmp
c:\users\Frances\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccDF39.tmp
c:\users\Frances\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccE0E1.tmp
c:\users\Frances\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccEC2.tmp
c:\users\Frances\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccF6C3.tmp
c:\users\Frances\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccFCD.tmp
c:\users\Frances\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccFF51.tmp
.
.
((((((((((((((((((((((((( Files Created from 2013-08-16 to 2013-09-16 )))))))))))))))))))))))))))))))
.
.
2013-09-16 09:12 . 2013-09-16 09:12 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-09-10 00:34 . 2013-09-10 00:34 22328 ----a-w- c:\windows\system32\drivers\avgidsshimx.sys
2013-09-05 00:43 . 2013-09-05 00:43 39224 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2013-09-03 13:53 . 2013-09-03 13:53 187248 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
2013-08-29 08:57 . 2013-08-29 08:57 -------- d-----w- c:\windows\ERUNT
2013-08-27 13:48 . 2013-08-29 08:23 -------- d-----w- C:\AdwCleaner
2013-08-25 20:58 . 2013-08-25 20:58 -------- d-----w- c:\program files\iPod
2013-08-25 20:58 . 2013-08-25 20:59 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-08-25 20:58 . 2013-08-25 20:59 -------- d-----w- c:\program files\iTunes
2013-08-21 11:04 . 2013-08-21 11:04 -------- d-----w- C:\_OTL
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-09-13 13:49 . 2012-04-01 15:14 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-09-13 13:49 . 2011-06-29 10:58 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-07-25 08:57 . 2013-08-14 18:07 1620992 ----a-w- c:\windows\system32\WMVDECOD.DLL
2013-07-23 12:27 . 2013-07-23 12:26 36154 ----a-w- c:\program files\cc_20130723_132652.reg
2013-07-20 00:51 . 2013-07-20 00:51 246072 ----a-w- c:\windows\system32\drivers\avglogx.sys
2013-07-20 00:50 . 2013-07-20 00:50 60216 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2013-07-20 00:50 . 2013-07-20 00:50 208184 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys
2013-07-20 00:50 . 2013-07-20 00:50 171320 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2013-07-19 01:41 . 2013-08-14 18:07 2048 ----a-w- c:\windows\system32\tzres.dll
2013-07-09 05:03 . 2013-08-14 18:07 3913664 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-07-09 05:03 . 2013-08-14 18:07 3968960 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-07-09 04:53 . 2013-08-14 18:07 1289096 ----a-w- c:\windows\system32\ntdll.dll
2013-07-09 04:52 . 2013-08-14 18:07 175104 ----a-w- c:\windows\system32\wintrust.dll
2013-07-09 04:50 . 2013-08-14 18:07 652800 ----a-w- c:\windows\system32\rpcrt4.dll
2013-07-09 04:46 . 2013-08-14 18:07 1166848 ----a-w- c:\windows\system32\crypt32.dll
2013-07-09 04:46 . 2013-08-14 18:07 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2013-07-09 04:46 . 2013-08-14 18:07 103936 ----a-w- c:\windows\system32\cryptnet.dll
2013-07-06 05:05 . 2013-08-14 18:07 1293760 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-07-01 00:45 . 2013-07-01 00:45 96568 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2011-06-27 22:29 . 2011-06-27 22:28 15044 ----a-w- c:\program files\cc_20110627_232823.reg
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\Frances\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\Frances\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\Frances\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"visionboard"="c:\program files\VisionBoard\visionboardlauncher.exe" [2009-07-11 1176064]
"googletalk"="c:\users\Frances\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"MP3 Skype Recorder"="c:\program files\MP3 Skype Recorder\MP3 Skype Recorder.exe" [2011-11-17 1975296]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2013-07-15 436800]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 150552]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2012-11-05 89184]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-21 59720]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-11-02 59240]
"btbb_McciTrayApp"="c:\program files\Plusnet Assist\btbb\PlusnetHelpNotifier.exe" [2011-09-07 1841664]
"AVG_UI"="c:\program files\AVG\AVG2013\avgui.exe" [2013-08-15 4411440]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-08-16 152392]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
.
c:\users\Frances\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Frances\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2013-5-25 27776968]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2013-05-07 115440]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
.
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2013-06-21 162408]
R3 athrusb;Belkin Wireless LAN USB device driver;c:\windows\system32\DRIVERS\athrusb.sys [2008-07-28 904192]
R3 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys [2013-04-11 41584]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 14848]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 49664]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-10-09 1343400]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-03-31 47128]
R4 RsFx0105;RsFx0105 Driver;c:\windows\system32\DRIVERS\RsFx0105.sys [2011-09-22 238696]
R4 SQLAgent$MSSMLBIZ;SQL Server Agent (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL10.MSSMLBIZ\MSSQL\Binn\SQLAGENT.EXE [2011-09-22 370024]
S0 AVGIDSHX;AVGIDSHX;c:\windows\system32\DRIVERS\avgidshx.sys [2013-07-20 60216]
S0 Avglogx;AVG Logging Driver;c:\windows\system32\DRIVERS\avglogx.sys [2013-07-20 246072]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [2013-09-05 39224]
S1 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwd6x.sys [2012-09-04 50296]
S1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdriverx.sys [2013-07-20 208184]
S1 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\avgidsshimx.sys [2013-09-10 22328]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [2013-07-20 171320]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [2013-03-21 182072]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2013-05-23 119056]
S2 avgfws;AVG Firewall;c:\program files\AVG\AVG2013\avgfws.exe [2013-09-04 1432080]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2013\avgidsagent.exe [2013-07-04 4939312]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2013\avgwdsvc.exe [2013-07-23 283136]
S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x86.sys [2009-07-13 50688]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-09-04 12:05 1177552 ----a-w- c:\program files\Google\Chrome\Application\29.0.1547.66\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-16 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-01 13:49]
.
2013-09-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-27 12:37]
.
2013-09-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-27 12:37]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{1EB4CFC4-7649-413F-870B-BB36D0D3979F}: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{A79483D2-6796-4059-832A-41A709A2AAE1}: NameServer = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\users\Frances\AppData\Roaming\Mozilla\Firefox\Profiles\bx768oe8.default\
FF - prefs.js: browser.startup.homepage - about:home
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Amazon MP3 Downloader - c:\users\Frances\Desktop\Uninstall.exe
AddRemove-2531418515.d.seesmic.com - c:\program files\Microsoft Silverlight\4.0.60531.0\Silverlight.Configuration.exe
AddRemove-blinkx beat - c:\program files\Blinkx\templates\uninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_174_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_174_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3856)
c:\users\Frances\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG2013\avgrsx.exe
c:\program files\AVG\AVG2013\avgcsrvx.exe
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\windows\system32\taskhost.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\conhost.exe
c:\program files\AVG\AVG2013\avgnsx.exe
c:\program files\AVG\AVG2013\avgemcx.exe
c:\program files\AVG\AVG2013\avgcsrvx.exe
c:\windows\system32\sppsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2013-09-16 10:19:13 - machine was rebooted
ComboFix-quarantined-files.txt 2013-09-16 09:19
.
Pre-Run: 161,452,269,568 bytes free
Post-Run: 161,334,128,640 bytes free
.
- - End Of File - - 7117544496880A50279082E2D0B3AEF1
A36C5E4F47E84449FF07ED3517B43A31
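As an added example (not from the thread, from ComboFix or from the helper), a small Python reader for the "Reg Loading Points" section of a ComboFix log like the one above: it lists the Run-key autoruns, skips the disabled `run-` entries, and decodes the UAC policy DWORDs. The sample excerpt is constructed from lines quoted in the log; reading ConsentPromptBehaviorAdmin = 0 as "elevate without a consent prompt" and PromptOnSecureDesktop = 0 as "no secure desktop for prompts" comes from Windows documentation, not from anything the thread states.

```python
"""Pull the reviewer-relevant parts out of a ComboFix-style log excerpt."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the format of the ComboFix 'Reg Loading Points'
# section (an excerpt assembled from lines quoted in the thread, not the
# full log).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"visionboard"="c:\program files\VisionBoard\visionboardlauncher.exe" [2009-07-11 1176064]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2013-07-15 436800]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG_UI"="c:\program files\AVG\AVG2013\avgui.exe" [2013-08-15 4411440]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                       # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')          # "name"=<raw value>
QUOTED_RE = re.compile(r'^"(.*?)"(?:\s+\[[^\]]*\])?\s*$')  # "path" [date size]
DWORD_RE = re.compile(r"^(\d+)\s*\(0x[0-9A-Fa-f]+\)$")    # 0 (0x0)

RUN_SUFFIX = r"\currentversion\run"               # live autorun keys only
UAC_SUFFIX = r"\currentversion\policies\system"   # UAC policy key
UAC_NAMES = ("ConsentPromptBehaviorAdmin", "ConsentPromptBehaviorUser",
             "PromptOnSecureDesktop", "EnableUIADesktopToggle")


def parse_registry_entries(log: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: raw_value}} for every [key] block."""
    entries: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in log.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            entries.setdefault(current, {})
            continue
        if current is None or line in (".", ""):
            continue  # banner, notes and separators are not values
        value = VALUE_RE.match(line)
        if value:
            entries[current][value.group(1)] = value.group(2).strip()
    return entries


def autorun_entries(entries: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(key, value name, executable path) for the HKCU/HKLM ...\\Run keys.

    Keys ending in 'run-' are ComboFix's record of disabled entries and are
    deliberately left out."""
    found = []
    for key, values in entries.items():
        if not key.lower().endswith(RUN_SUFFIX):
            continue
        for name, raw in values.items():
            quoted = QUOTED_RE.match(raw)
            found.append((key, name, quoted.group(1) if quoted else raw))
    return found


def uac_policy_values(entries: Dict[str, Dict[str, str]]) -> Dict[str, Optional[int]]:
    """Decode the UAC DWORDs under the policies key (None when absent)."""
    values: Dict[str, str] = {}
    for key, vals in entries.items():
        if key.lower().endswith(UAC_SUFFIX):
            values = vals
            break
    decoded: Dict[str, Optional[int]] = {}
    for name in UAC_NAMES:
        dword = DWORD_RE.match(values.get(name, ""))
        decoded[name] = int(dword.group(1)) if dword else None
    return decoded


def uac_findings(entries: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag UAC settings that remove the consent prompt for administrators."""
    uac = uac_policy_values(entries)
    findings = []
    if uac["ConsentPromptBehaviorAdmin"] == 0:
        findings.append("ConsentPromptBehaviorAdmin=0: administrators elevate "
                        "without any consent prompt")
    if uac["PromptOnSecureDesktop"] == 0:
        findings.append("PromptOnSecureDesktop=0: elevation prompts are not "
                        "shown on the secure desktop")
    return findings


if __name__ == "__main__":
    parsed = parse_registry_entries(SAMPLE_LOG)
    for key, name, path in autorun_entries(parsed):
        print(f"autorun  {name:<12} {path}   ({key})")
    for finding in uac_findings(parsed):
        print("finding ", finding)
```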

#72 godawgs (Teacher, Retired Staff, 8,228 posts)
Thanks for the log. If you haven't turned AVG back on yet, please do so.

I noticed recently that I have been needing to reboot my computer more often to surf web and use youtube, as it seems to stall more often.

Is it still doing this just on one web site and YouTube? Can you describe exactly what happens please.


Step-1.

OTL Fix

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

1. Please copy all of the text in the quote box below (do not copy the word Quote). To do this, highlight everything inside the quote box (except the word Quote), right click and click Copy.

:COMMANDS
[createrestorepoint]

:FILES
ipconfig /flushdns /c
C:\Users\Frances\Downloads\GraboidVideoSetup-3.28.exe

:COMMANDS
[emptytemp]


Warning: This fix is relevant for this system and no other. If you are not this user, DO NOT follow these directions as they could damage the workings of your system.

2. Please re-open Posted Image on your desktop. To do that:
  • Vista and 7 users: Right click the icon and click Run as Administrator
3. Place the mouse pointer inside the Posted Image textbox, right click and click Paste. This will put the above script inside the textbox.
4. Click the Posted Image button.
5. Let the program run unhindered.
6. OTL may ask to reboot the machine. Please do so if asked.
7. Click the Posted Image button.
8. A report will open. Copy and Paste that report in your next reply.
9. If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, (where mmddyyyy_hhmmss is the date of the tool run).


Step-2.

Virustotal File Upload:

To use Virustotal go Here
Posted Image
  • Click the Choose File button in the middle of the screen. This will open a File Upload window.
  • On the File Upload window, in the File name box, type, or copy and paste the following and click Open:
    NOTE.. Only one file per scan

    C:\Program Files\Windows Defender\MpSvc.dll.
  • This will put the file in the box on the Virustotal page.
  • Click the Scan it! button.
  • IF you get a message that the file has already been analyzed click the Reanalyze button and the file will be scanned.
  • Please be patient while the file is scanned. It may take several minutes.
  • Once the scan results appear, please copy and paste the Virustotal link(s) (URL) in your next reply.

Step-3.

Update Adobe Reader

Earlier versions of Adobe Reader have known security flaws so it is recommended that you update your copy.
  • Go to Start > Control Panel > Add/Remove Programs
  • Windows Vista /7 Users: Click the Start Orb and click Control Panel. Under the Programs heading click Uninstall a program
  • Remove ALL instances of Adobe Reader
    The versions I see on the computer are:
    • Adobe Reader 10.1.7
  • Re-boot your computer as required.
  • Once ALL versions of Adobe Reader have been uninstalled, download the latest version of Adobe Reader from Here.
  • Remove the check mark next to Yes, install McAfee Security Scan Plus-optional box.
  • Click the Download Now button to download Adobe Reader and follow the directions.
Alternative Option: After uninstalling Adobe Reader, you could try installing Foxit Reader from HERE. Foxit Reader is a much smaller program. It has fewer add-ons therefore loads more quickly.
NOTE: When installing FoxitReader, be careful not to install anything to do with AskBar or any other 3rd party programs.


Step-4.

Run Farbar Service Scanner

Please download Farbar Service Scanner to the desktop.
  • Right click the FSS.exe file, click Run as Administrator and OK any UAC prompts.

    Posted Image
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Step-5.

Posted Image OTL Scan

Please re-open Posted Image on the desktop. To do that:
  • Right click the icon and click Run as Administrator.
Make sure all other windows are closed.
  • You will see a console like the one below:

    Posted Image
  • At the top of the console, click the box beside Scan All Users
  • Make sure the Output box at the top is set to Standard Output.
  • In the Extra Registry section click the circle beside Use Safelist.<---Important
  • Click the box beside LOP Check and Purity Check
  • Click the Posted Image button. Do not change any settings unless otherwise told to do so.
  • Let the scan run uninterrupted.
  • When the scan completes, it will open two notepad windows, OTL.Txt will open on the desktop and Extras.Txt will be minimized on the taskbar. These are saved in the same location as OTL.
  • Please copy the contents of these files, one at a time, and paste them into your reply. To do that:
  • On the .txt file Menu Bar click Edit then click Select All. This will highlight the contents of the file. Then click Copy.
  • Right-click inside the forum post window then click Paste. This will paste the contents of the .txt file in the post window.

Step-6.

Things For Your Next Post:
Please post the logs in the order requested. Do Not attach the logs unless I request it.
1. Answer my questions above.
2. Let me know if you were able to successfully update Adobe Reader.
3. The OTL fixes log
4. The VirusTotal link
5. The new FSS.txt log
6. The new OTL.txt log
7. The new Extras.txt log
  • 0

#73
Feather24

Feather24

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 251 posts
Hi Godawgs thanks for the instructions,

I noticed today that I went to check here as I didn't get the usual email notice for some reason, that you had responded to my log.

I am currently noticing 2 things now:

1. If, for e.g., I have been looking at a few youtube videos, after a while the video stalls and even if I refresh the page it still won't work; only rebooting works. This happens most times, actually every day that I use youtube.

2. Since combofix I have noticed problems with my web browsers, not getting all my emails, in IE and firefox saying that it has trouble reaching pages, or saying that pages cannot be displayed to known sites e.g. like google etc, and in firefox when I want to open it saying that firefox is already running when it isn't. Generally problems with internet connections for both email and web. It comes and goes though sometimes it seems ok then it hits problems.

I hope that helps. I'll work on the rest of the instructions you sent.

I was wondering if we have much more to do to clear things? What is left to check, scan etc? If you could give me an idea that would be great. I know it may be difficult to tell me though, a bit like how long is a piece of string!

OK thanks for all your help Godawgs to date.
  • 0

#74
godawgs

godawgs

    Teacher

  • Retired Staff
  • 8,228 posts
You are welcome. I don't really know how long this is going to take. A lot depends on how quickly you run a scan or tool after I have asked for it and what you are doing with the computer during those periods. I have seen up to twelve days between the time I ask for something and the time it gets run. I'm not saying that you shouldn't ask for clarification if you don't understand something because you should. I'm just saying that I don't know what is going on with the computer during those times.

I have asked for the new scans so I can figure out where we are now.
  • 0

#75
Feather24

Feather24

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 251 posts
thanks Godawgs,

I thought it might be helpful to answer your question about what happens to my computer between scans.

1. Firstly I need my computer to run my work (and also for social use - although this isn't such a big deal) so I need to keep using it mainly for my work - I use MS office prog's, download files e.g. ebooks or listen to audios, use youtube, watch training videos and I also use iPlayer (which is UK based recorded TV supplied by BBC which is very safe).

I also use it for Skype too for work and sending and receiving emails. So most of that seems basic use.

This week for example I am actually working somewhere else for 4 days and have little time to run the scans. I agree it has taken me longer than I would have liked; at the same time I am being careful and I don't know how to run what you send most of the time, so it's a bit of a learning curve and there is usually more than one step to perform (often several) AND I seem to have come across things not expected and have needed to check, which I know you appreciate. With us having a 5-hour difference it slows things down a bit. So it was becoming a bit of a challenge for me!

I am very glad you have been understanding and patient - you have been very helpful.

Hopefully after the next set of scans it will become clearer, and this note helps to put things into context.

I'll respond today about progress.

thanks
  • 0
