Virus AGAIN!

John - Here's the new one, per your last instructions:

ComboFix 13-08-30.02 - JLS 08/30/2013 23:01:34.7.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2939.1919 [GMT -4:00]
Running from: c:\users\JLS\Desktop\ComboFix.exe
Command switches used :: c:\users\JLS\Desktop\cfscript.txt
AV: AVG AntiVirus Free Edition 2013 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: AVG AntiVirus Free Edition 2013 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2013-07-28 to 2013-08-31 )))))))))))))))))))))))))))))))
.
.
2013-08-31 03:10 . 2013-08-31 03:11 -------- d-----w- c:\users\JLS\AppData\Local\temp
2013-08-31 03:10 . 2013-08-31 03:10 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2013-08-31 03:10 . 2013-08-31 03:10 -------- d-----w- c:\users\Public\AppData\Local\temp
2013-08-31 03:10 . 2013-08-31 03:10 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-08-30 01:29 . 2013-08-30 01:30 -------- d-----w- c:\program files\Common Files\Adobe
2013-08-30 01:26 . 2013-08-30 01:26 -------- d-----w- c:\program files\Common Files\Java
2013-08-30 01:26 . 2013-08-30 01:26 789416 ----a-w- c:\windows\system32\deployJava1.dll
2013-08-30 01:26 . 2013-08-30 01:26 867240 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-08-30 01:26 . 2013-08-30 01:26 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-08-30 01:25 . 2013-08-30 01:25 -------- d-----w- c:\programdata\McAfee
2013-08-29 23:50 . 2013-08-29 23:50 -------- d-----w- c:\windows\ERUNT
2013-08-29 01:42 . 2013-08-29 01:50 -------- d-----w- C:\AdwCleaner
2013-08-18 23:05 . 2013-08-18 23:07 -------- d-----w- c:\windows\system32\MRT
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-25 19:11 . 2012-04-28 00:26 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-08-25 19:11 . 2011-06-30 11:49 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-08-15 23:05 . 2012-11-08 12:44 37664 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2013-07-20 05:51 . 2013-07-20 05:51 246072 ----a-w- c:\windows\system32\drivers\avglogx.sys
2013-07-20 05:50 . 2013-07-20 05:50 60216 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2013-07-20 05:50 . 2013-07-20 05:50 208184 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys
2013-07-20 05:50 . 2013-07-20 05:50 171320 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2013-07-10 05:32 . 2013-07-10 05:32 39224 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2013-07-01 05:45 . 2013-07-01 05:45 96568 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn1\YTNavAssist.dll" [2011-03-16 214840]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{A31F34A1-EBD2-45A2-BF6D-231C1B987CC8}]
[HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2013-08-18 5703920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-03-13 150040]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-03-13 154136]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-03-13 6965792]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2009-03-07 468320]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2009-03-09 55160]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2009-03-23 729088]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-18 1451304]
"NDSTray.exe"="c:\program files\TOSHIBA\ConfigFree\NDSTray.exe" [2009-03-17 304496]
"cfFncEnabler.exe"="c:\program files\TOSHIBA\ConfigFree\cfFncEnabler.exe" [2009-03-24 16384]
"AVG_UI"="c:\program files\AVG\AVG2013\avgui.exe" [2013-07-01 4411440]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2013-06-02 295512]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-07-27 20:51 919008 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2009-05-04 03:35 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmartFaceVWatcher]
2009-03-25 02:33 163840 ----a-w- c:\program files\TOSHIBA\SmartFaceV\SmartFaceVWatcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Teco]
2009-04-15 00:57 1318912 ----a-w- c:\program files\TOSHIBA\TECO\TEco.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ToshibaServiceStation]
2009-04-01 22:11 1283384 ----a-w- c:\program files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TosSENotify]
2009-03-24 18:34 1007616 ----a-w- c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPCHWMsg]
2009-04-09 23:01 570736 ----a-w- c:\program files\TOSHIBA\TPHM\TPCHWMsg.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
"Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized
"359707014"=c:\program files\Toshiba Registration\Registration.exe /r "c:\program files\Toshiba Registration\Registration.rpd"
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe
"Radio365Agent"=c:\program files\Live365\Radio365\Radio365TrayAgent.exe
"ehTray.exe"=c:\windows\ehome\ehTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SmoothView"=%ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
"TWebCamera"="%ProgramFiles%\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"<NO NAME>"=
"Windows Defender"=%ProgramFiles%\Windows Defender\MSASCui.exe -hide
"HotKeysCmds"=c:\windows\system32\hkcmd.exe
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
"ClickPotatoLiteSA"="c:\program files\ClickPotatoLite\bin\10.0.659.0\ClickPotatoLiteSA.exe"
.
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2012-10-21 116608]
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-08-31 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-28 19:11]
.
2013-08-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-17 04:05]
.
2013-08-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-17 04:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: intuit.com\ttlc
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
TCP: DhcpNameServer = 10.0.0.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-08-30 23:10
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2013-08-30 23:18:37
ComboFix-quarantined-files.txt 2013-08-31 03:18
ComboFix2.txt 2013-08-30 12:43
ComboFix3.txt 2013-08-30 01:53
ComboFix4.txt 2013-08-30 00:45
ComboFix5.txt 2013-08-31 02:59
.
Pre-Run: 186,082,963,456 bytes free
Post-Run: 186,030,931,968 bytes free
.
- - End Of File - - 6591581714190ABCF8A06D81E21278FA
5B5E648D12FCADC244C1EC30318E1EB9
 
That one completed successfully. You are now set to go. Let me know if you have any more issues.
 
John - Thanks very much for all of your help. When one stops to think how much frustration you've relieved from people's lives by fixing their computer issues (in over 26,000 posts!), it's staggering. You truly are "The Man"! Thanks again.
P.S. - Don't ever retire from this - these things aren't getting any simpler!
 
You must log in or register to reply here.
Back
Top