• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Zyrus Campbell

My wife's laptop is running slow, showing viruses in MBAM

21 posts in this topic

Hello, I'm trying to fix my wife's laptop that's been acting sluggish lately. Not sure how the virus(es) got on the machine. I recommended she install MBAM and AVG. She said that it picked up a number of different Trojan viruses but each time she has them removed, they either come back or come back with more. It's running Windows 7. What do you need from me to be able to help us out? Should I copy/paste a MBAM log? I've downloaded DDS and Security Check as well. Should I run those?


Thanks a lot and Happy New Year!!



Please read the Instructions for posting requested logs topic and post the logs so we have the needed information for someone to start providing assistance.

Edited by cnm

Share this post

Link to post
Share on other sites

Thanks for responding! Ok, I ran MBAM another time, found and removed 1 Trojan. Here is its resulting log:


Malwarebytes Anti-Malware (Trial)



Database version: v2013.01.02.03


Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Owner :: OWNER-PC [administrator]


Protection: Enabled


1/2/2013 10:42:25 AM

mbam-log-2013-01-02 (10-42-25).txt


Scan type: Full scan (C:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 325810

Time elapsed: 1 hour(s), 23 minute(s), 45 second(s)


Memory Processes Detected: 0

(No malicious items detected)


Memory Modules Detected: 0

(No malicious items detected)


Registry Keys Detected: 0

(No malicious items detected)


Registry Values Detected: 0

(No malicious items detected)


Registry Data Items Detected: 0

(No malicious items detected)


Folders Detected: 0

(No malicious items detected)


Files Detected: 1

C:\Windows\svchost.exe (Trojan.Agent) -> Delete on reboot.





Then ran DDS...



DDS (Ver_2012-11-20.01) - NTFS_AMD64

Internet Explorer: 9.0.8112.16457 BrowserJavaVersion: 10.7.2

Run by Owner at 12:09:59 on 2013-01-02

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.1884.786 [GMT -5:00]


AV: AVG Anti-Virus Free Edition 2013 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: AVG Anti-Virus Free Edition 2013 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}


============== Running Processes ===============



C:\Program Files (x86)\AVG\AVG2013\avgcsrva.exe


C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Program Files\Broadcom\Broadcom 802.11 Network Adapter\WLTRYSVC.EXE


C:\Program Files\Broadcom\Broadcom 802.11 Network Adapter\bcmwltry.exe


C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe




C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe

C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files (x86)\Launch Manager\dsiwmis.exe

C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files (x86)\Acer\Registration\GREGsvc.exe

C:\Program Files (x86)\Launch Manager\LMworker.exe

C:\Program Files\Intel\iCLS Client\HeciServer.exe

C:\Program Files (x86)\Launch Manager\LMutilps32.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe

C:\Program Files\Acer\Acer Updater\UpdaterService.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe


C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe

C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe

C:\Program Files (x86)\AVG\AVG2013\avgemca.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\13.3.2\ToolbarUpdater.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted



C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

C:\Program Files\Broadcom\Broadcom 802.11 Network Adapter\WLTRAY.EXE

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe

C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe

C:\Program Files (x86)\Launch Manager\LManager.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files (x86)\Ask.com\Updater\Updater.exe

C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Program Files (x86)\AVG\AVG2013\avgui.exe

C:\Program Files (x86)\AVG Secure Search\vprot.exe

C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe



C:\Program Files\iPod\bin\iPodService.exe


C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe




C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe

C:\Windows\system32\svchost.exe -k HPService

C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe



C:\Program Files\EgisTec IPS\PMMUpdate.exe

C:\Program Files\EgisTec IPS\EgisUpdate.exe

C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\SeaPort.exe


C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe

\\.\globalroot\systemroot\svchost.exe -netsvcs





============== Pseudo HJT Report ===============


uStart Page = hxxp://www.yahoo.com/

uDefault_Page_URL = hxxp://acer.msn.com

mStart Page = hxxp://acer.msn.com

mDefault_Page_URL = hxxp://acer.msn.com

uURLSearchHooks: UrlSearchHook Class: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll

mWinlogon: Userinit = userinit.exe,

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: {95B7759C-8C7F-4BF1-B163-73684A933233} - <orphaned>

BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BingExt.dll

BHO: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll

BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll

TB: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll

TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} -

mRun: [suiteTray] "C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe"

mRun: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe"

mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY

mRun: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe"

mRunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript

dRunOnce: [isMyWinLockerReboot] msiexec.exe /qn /x{voidguid}

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\ACERVC~1.LNK - C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe

mPolicies-Explorer: NoActiveDesktop = dword:1

mPolicies-Explorer: NoActiveDesktopChanges = dword:1

mPolicies-System: ConsentPromptBehaviorAdmin = dword:5

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableUIADesktopToggle = dword:0

mPolicies-System: PromptOnSecureDesktop = dword:0

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~4\Office12\EXCEL.EXE/3000

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {22CC3EBD-C286-43aa-B8E6-06B115F74162} - C:\Program Files (x86)\Hewlett-Packard\Smart Print 2.0\smartprintsetup.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}

IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204


INFO: HKCU has more than 50 listed domains.

If you wish to scan all of them, select the 'Force scan all domains' option.


TCP: NameServer =

TCP: Interfaces\{E57D9AFF-7D9F-4D58-A2B5-CFE480333DDD} : DHCPNameServer =

TCP: Interfaces\{E57D9AFF-7D9F-4D58-A2B5-CFE480333DDD}\84F4D454D214135323 : DHCPNameServer =

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll

Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\13.3.2\ViProtocol.dll

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

SSODL: WebCheck - <orphaned>

x64-mStart Page = hxxp://acer.msn.com

x64-mDefault_Page_URL = hxxp://acer.msn.com

x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

x64-Run: [igfxTray] C:\Windows\System32\igfxtray.exe

x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe

x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe

x64-Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s

x64-Run: [broadcom Wireless Manager UI] C:\Program Files\Broadcom\Broadcom 802.11 Network Adapter\WLTRAY.exe

x64-Run: [synTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe

x64-Run: [Power Management] C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe

x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>

x64-Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - <orphaned>

x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>

x64-Notify: igfxcui - igfxdev.dll

x64-SSODL: WebCheck - <orphaned>


============= SERVICES / DRIVERS ===============


R0 AVGIDSHA;AVGIDSHA;C:\Windows\System32\drivers\avgidsha.sys [2012-10-15 63328]

R0 Avgloga;AVG Logging Driver;C:\Windows\System32\drivers\avgloga.sys [2012-9-21 225120]

R0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\System32\drivers\avgmfx64.sys [2012-10-5 111456]

R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\System32\drivers\avgrkx64.sys [2012-9-14 40800]

R1 AVGIDSDriver;AVGIDSDriver;C:\Windows\System32\drivers\avgidsdrivera.sys [2012-10-22 154464]

R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\System32\drivers\avgldx64.sys [2012-10-2 185696]

R1 Avgtdia;AVG TDI Driver;C:\Windows\System32\drivers\avgtdia.sys [2012-9-21 200032]

R1 avgtp;avgtp;C:\Windows\System32\drivers\avgtpx64.sys [2012-12-30 30568]

R1 mwlPSDFilter;mwlPSDFilter;C:\Windows\System32\drivers\mwlPSDFilter.sys [2012-4-24 22648]

R1 mwlPSDNServ;mwlPSDNServ;C:\Windows\System32\drivers\mwlPSDNserv.sys [2012-4-24 20520]

R1 mwlPSDVDisk;mwlPSDVDisk;C:\Windows\System32\drivers\mwlPSDVDisk.sys [2012-4-24 62776]

R3 bScsiSDa;bScsiSDa;C:\Windows\System32\drivers\bScsiSDa.sys [2012-5-4 81928]

R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2012-4-26 331264]

R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\Windows\System32\drivers\k57nd60a.sys [2012-2-9 440360]

R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2012-10-14 24176]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]

S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]

S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-9-28 53760]


=============== Created Last 30 ================


2013-01-02 16:21:42 20480 ------w- C:\Windows\svchost.exe

2013-01-02 07:18:28 -------- d-----w- C:\Program Files (x86)\SpywareBlaster

2013-01-02 07:17:40 -------- d-----w- C:\Antivirus stuff

2012-12-30 18:24:58 -------- d-----w- C:\Users\Owner\AppData\Local\{53896C27-9864-4370-B29C-75A090D7F411}

2012-12-30 18:12:28 -------- d-----w- C:\Users\Owner\AppData\Roaming\AVG2013

2012-12-30 18:10:52 -------- d-----w- C:\Users\Owner\AppData\Roaming\TuneUp Software

2012-12-30 18:10:51 -------- d-----w- C:\Users\Owner\AppData\Local\AVG Secure Search

2012-12-30 18:10:49 -------- d-----w- C:\ProgramData\AVG Secure Search

2012-12-30 18:10:39 30568 ----a-w- C:\Windows\System32\drivers\avgtpx64.sys

2012-12-30 18:10:30 -------- d-----w- C:\Program Files (x86)\Common Files\AVG Secure Search

2012-12-30 18:10:30 -------- d-----w- C:\Program Files (x86)\AVG Secure Search

2012-12-30 18:09:26 -------- d--h--w- C:\$AVG

2012-12-30 18:09:26 -------- d-----w- C:\ProgramData\AVG2013

2012-12-30 18:08:22 -------- d-----w- C:\Program Files (x86)\AVG

2012-12-30 18:00:40 -------- d--h--w- C:\ProgramData\Common Files

2012-12-30 18:00:40 -------- d-----w- C:\Users\Owner\AppData\Local\MFAData

2012-12-30 18:00:40 -------- d-----w- C:\Users\Owner\AppData\Local\Avg2013

2012-12-30 18:00:40 -------- d-----w- C:\ProgramData\MFAData

2012-12-30 17:54:05 -------- d-----w- C:\Program Files\CCleaner

2012-12-30 14:40:30 -------- d-----w- C:\Users\Owner\AppData\Local\Programs

2012-12-30 14:38:40 9125352 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{10864E4D-3B73-4557-A9A2-28683D7E1F4E}\mpengine.dll

2012-12-28 19:12:08 -------- d-sh--w- C:\Windows\System32\%APPDATA%

2012-12-26 16:25:37 46080 ----a-w- C:\Windows\System32\atmlib.dll

2012-12-26 16:25:37 367616 ----a-w- C:\Windows\System32\atmfd.dll

2012-12-26 16:25:37 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll

2012-12-26 16:25:36 295424 ----a-w- C:\Windows\SysWow64\atmfd.dll

2012-12-12 14:22:57 424960 ----a-w- C:\Windows\System32\KernelBase.dll

2012-12-12 14:21:14 2048 ----a-w- C:\Windows\SysWow64\tzres.dll

2012-12-12 14:21:14 2048 ----a-w- C:\Windows\System32\tzres.dll

2012-12-12 14:15:08 3149824 ----a-w- C:\Windows\System32\win32k.sys

2012-12-12 14:03:00 478208 ----a-w- C:\Windows\System32\dpnet.dll

2012-12-12 14:03:00 376832 ----a-w- C:\Windows\SysWow64\dpnet.dll

2012-12-12 13:23:27 -------- d-----w- C:\Users\Owner\AppData\Local\Apple Computer

2012-12-12 13:23:09 33240 ----a-w- C:\Windows\System32\drivers\GEARAspiWDM.sys

2012-12-12 13:22:45 -------- d-----w- C:\Program Files\iPod

2012-12-12 13:22:44 -------- d-----w- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69

2012-12-12 13:22:44 -------- d-----w- C:\Program Files\iTunes

2012-12-12 13:22:44 -------- d-----w- C:\Program Files (x86)\iTunes

2012-12-06 03:40:24 -------- d-----w- C:\Users\Owner\AppData\Roaming\HpUpdate

2012-12-06 03:40:18 741480 ------w- C:\Windows\System32\HPDiscoPM5412.dll

2012-12-06 03:39:44 -------- d-----w- C:\Program Files\HP

2012-12-06 03:38:17 -------- d-----w- C:\Users\Owner\AppData\Local\HP


==================== Find3M ====================


2013-01-02 12:28:51 58288 ----a-w- C:\Windows\SysWow64\rpcnet.dll

2013-01-02 09:11:28 17920 ----a-w- C:\Windows\SysWow64\rpcnetp.exe

2012-12-14 21:49:28 24176 ----a-w- C:\Windows\System32\drivers\mbam.sys

2012-12-12 13:15:18 73656 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2012-12-12 13:15:18 697272 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2012-11-14 06:11:44 2312704 ----a-w- C:\Windows\System32\jscript9.dll

2012-11-14 06:04:11 1392128 ----a-w- C:\Windows\System32\wininet.dll

2012-11-14 06:02:49 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl

2012-11-14 05:57:46 599040 ----a-w- C:\Windows\System32\vbscript.dll

2012-11-14 05:57:35 173056 ----a-w- C:\Windows\System32\ieUnatt.exe

2012-11-14 05:52:40 2382848 ----a-w- C:\Windows\System32\mshtml.tlb

2012-11-14 02:09:22 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll

2012-11-14 01:58:15 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl

2012-11-14 01:57:37 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll

2012-11-14 01:49:25 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe

2012-11-14 01:48:27 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll

2012-11-14 01:44:42 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2012-10-22 18:02:44 154464 ----a-w- C:\Windows\System32\drivers\avgidsdrivera.sys

2012-10-16 08:38:37 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll

2012-10-16 08:38:34 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll

2012-10-16 07:39:52 561664 ----a-w- C:\Windows\apppatch\AcLayers.dll

2012-10-15 08:48:50 63328 ----a-w- C:\Windows\System32\drivers\avgidsha.sys

2012-10-13 16:28:10 0 ----a-w- C:\Windows\SysWow64\sho1A07.tmp

2012-10-12 12:50:44 95208 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll

2012-10-12 12:50:43 821736 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll

2012-10-12 12:50:43 746984 ----a-w- C:\Windows\SysWow64\deployJava1.dll

2012-10-09 19:54:41 13160 ----a-w- C:\Windows\SysWow64\Upgrd.exe

2012-10-09 19:54:35 58288 ------w- C:\Windows\SysWow64\rpcnet.exe

2012-10-09 18:17:13 55296 ----a-w- C:\Windows\System32\dhcpcsvc6.dll

2012-10-09 18:17:13 226816 ----a-w- C:\Windows\System32\dhcpcore6.dll

2012-10-09 17:40:31 44032 ----a-w- C:\Windows\SysWow64\dhcpcsvc6.dll

2012-10-09 17:40:31 193536 ----a-w- C:\Windows\SysWow64\dhcpcore6.dll

2012-10-05 08:32:50 111456 ----a-w- C:\Windows\System32\drivers\avgmfx64.sys

2012-10-04 17:46:16 362496 ----a-w- C:\Windows\System32\wow64win.dll

2012-10-04 17:46:15 243200 ----a-w- C:\Windows\System32\wow64.dll

2012-10-04 17:46:15 13312 ----a-w- C:\Windows\System32\wow64cpu.dll

2012-10-04 17:45:55 215040 ----a-w- C:\Windows\System32\winsrv.dll

2012-10-04 17:43:28 16384 ----a-w- C:\Windows\System32\ntvdm64.dll


============= FINISH: 12:11:52.03 ===============


Edit: Sorry, didn't see the instruction not to include Attach unless asked. Removed from post...


Thanks for all your help! Let me know if you need anything else. We really appreciate it.

Edited by Zyrus Campbell

Share this post

Link to post
Share on other sites

And finally Security Check...



Results of screen317's Security Check version 0.99.56

Windows 7 Service Pack 1 x64 (UAC is enabled)

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

AVG Anti-Virus Free Edition 2013

Antivirus up to date!

`````````Anti-malware/Other Utilities Check:`````````

SpywareBlaster 4.6

Malwarebytes Anti-Malware version

Java 7 Update 7

Java version out of Date!

Adobe Reader 10.1.0 Adobe Reader out of Date!

Google Chrome 22.0.1229.94

Google Chrome 23.0.1271.64

Google Chrome 23.0.1271.91

Google Chrome 23.0.1271.95

Google Chrome 23.0.1271.97

````````Process Check: objlist.exe by Laurent````````

Malwarebytes Anti-Malware mbamservice.exe

Malwarebytes Anti-Malware mbamgui.exe

AVG avgwdsvc.exe


Malwarebytes' Anti-Malware mbamscheduler.exe

Symantec Norton Online Backup NOBuAgent.exe

Symantec Norton Online Backup NOBuClient.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 4%

````````````````````End of Log``````````````````````


Thanks for all your help! Let me know if you need anything else. We really appreciate it.

Share this post

Link to post
Share on other sites

Hello Zyrus Campbell.


You have the Ask toolbar, which may have been installed unintentionally along with some other program.


More important, your DDS log shows C:\Windows\svchost.exe (Trojan.Agent) is still present. Did you allow MBAM to reboot?


Please scan your machine with ESET OnlineScan

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetsmartinstaller_enu.png
      icon on your desktop.

    [*]Check "YES, I accept the Terms of Use."

    [*]Click the Start button.

    [*]Accept any security warnings from your browser.

    [*]Under scan settings, check "Scan Archives" and "Remove found threats"

    [*]Click Advanced settings and select the following:

    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology

    [*]ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.

    [*]When the scan completes, click List Threats

    [*]Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.

    [*]Click the Back button.

    [*]Click the Finish button.


After that:

Please download AdwCleaner by Xplode onto your desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in another reply.
  • You can find the logfile at C:\AdwCleaner[R1].txt as well.

Share this post

Link to post
Share on other sites

I guess I should've rebooted before sending the logs. I did reboot the computer afterwards though. I should go ahead and follow these directions anyway?

Share this post

Link to post
Share on other sites

Ok, just giving an update. Ran into a situation; tried running the ESET scan and I guess a mistimed Windows update/reboot happened during the scan so it never finished. Had to do a Windows Repair to get it back up again. Now, when trying to start the antivirus programs by double-clicking, it seems to do nothing. I even watched the process from Task Mgr; you'll see the process start and a few moments later, disappear with nothing actually happening.


I did some searching and found out about FixNCR, RKill and TDSSKiller. Ran from Safe Mode; still running into the same problem. Not able to run MBAM. ESET scanner, or ADW Cleaner either.


What can I do? Do you need me to run another log? I hope it can still run, the way things are going right now...


Thank you for your patience and help. It is greatly appreciated.

Share this post

Link to post
Share on other sites

It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the desktop of the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.


Download FixNCR.reg

Double-click on the FixNCR.reg file to fix the Registry on your infected computer. When asked if you want to continue, click Yes. You should now be able to run your normal executable programs and can proceed to the next step.


Please let me know if you have any problem with this. You say you "found out about it". Did you merge it into the Registry? After that do you still have trouble? If not, please run the ESET scan and post the log.

Share this post

Link to post
Share on other sites

FixNCR.reg definitely did the job once it merged. I was able to start and run the scans however ESET didn't post any logs after scanning, finding and removing a few infections. I've run it a couple times with the same result. How can I get it to print a log for you?



Share this post

Link to post
Share on other sites

Good. I don't understand why you didn't get the ESET log. However I don't need it unless it found the same malware on each run, i.e. if it didn't succeed in doing the removals, or if it detected a rootkit.


Please run AdwCleaner and post its log.

Please download AdwCleaner by Xplode onto your desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in another reply.
  • You can find the logfile at C:\AdwCleaner[R1].txt as well.

Share this post

Link to post
Share on other sites

After you do the above AdwCleaner,


Please do these important security updates:

Update Adobe Reader (uncheck the option box for McAfee scan)


Updating Java:

  • Go here and download the latest version of Java:
  • Go to Start -> Control Panel -> Add or Remove Programs.
  • Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
  • They should have this icon next to any that are there: javaicon.gif

    Select any found and choose Uninstall.

  • Then install the version you downloaded earlier.
Note however that even the latest version is vulnerable, so I would hold off installing it unless you really need Java.

Share this post

Link to post
Share on other sites

I apologize, my wife took her computer with her to DC for the inauguration so I won't be able to run the scans and post logs until probably next Wednesday/Thursday when she gets back. I'm sorry for the inconvenience. I will follow the above instructions and post the logs as soon as I get access to her computer again. If you need to close the thread for the time being, I totally understand.

Share this post

Link to post
Share on other sites

No problem at all. Thanks for letting me know when to expect you back. I'll keep the thread open.

Share this post

Link to post
Share on other sites

Here's the ADW Cleaner log... currently waiting for the ESET scan to finish.




# AdwCleaner v2.108 - Logfile created 01/24/2013 at 18:31:05
# Updated 24/01/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Owner - OWNER-PC
# Boot Mode : Normal
# Running from : C:\Antivirus stuff\adwcleaner.exe
# Option [search]
***** [services] *****
***** [Files / Folders] *****
***** [Registry] *****
***** [internet Browsers] *****
-\\ Internet Explorer v9.0.8112.16457
[OK] Registry is clean.
-\\ Google Chrome v24.0.1312.52
File : C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Preferences
[OK] File is clean.
AdwCleaner[R1].txt - [7358 octets] - [13/01/2013 20:05:07]
AdwCleaner[R2].txt - [7418 octets] - [13/01/2013 20:06:31]
AdwCleaner[R3].txt - [7478 octets] - [13/01/2013 20:07:04]
AdwCleaner[R4].txt - [7538 octets] - [13/01/2013 20:08:34]
AdwCleaner[R5].txt - [1080 octets] - [13/01/2013 21:53:55]
AdwCleaner[R6].txt - [952 octets] - [24/01/2013 18:31:05]
AdwCleaner[s1].txt - [7457 octets] - [13/01/2013 20:08:52]
AdwCleaner[s2].txt - [1141 octets] - [13/01/2013 21:54:39]
########## EOF - C:\AdwCleaner[R6].txt - [1131 octets] ##########

Share this post

Link to post
Share on other sites


Here's the ADW Cleaner log... currently waiting for the ESET scan to finish.


I guess ESET is finished by now. :D


What is worrying is "each time she has them removed, they either come back or come back with more".

Is ESET finding the same things each time you run it?

Does MBAM find C:\Windows\svchost.exe if you run it again?.

If so: Open MBAM > click on More Tools > run File ASSASSIN by clicking Run Tool

Select the File you want to delete.

C:\Windows\svchost.exe <--NOTE: ONLY from this location

Share this post

Link to post
Share on other sites

LOL, you're gonna be mad. My wife got rid of the laptop. Sold it to a local student. I think this person is in IT so they'll likely be able to deal with it how ever they see fit. For the most part, my wife complained about it being sluggish but he should be fine initially. Wrong, I agree... but hey, it's off our backs now. You never know... he may contact y'all to help him clean it after all. I didn't have enough time to explain what I had done with it but we told him to feel free to contact us if he had any questions or needed any help with anything.


So you can finally close this thread. Again, I apologize for the inconvenience.


Best to you!!

Share this post

Link to post
Share on other sites

Not made at all. Happy to wrap this up. :)


I hope your wife didn't leave the family's private info on it...

A new PC gives you so much more for your money than we got three or four years ago that I think your wife is sensible.

Share this post

Link to post
Share on other sites

Glad we could help. :)


If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

Share this post

Link to post
Share on other sites
This topic is now closed to further replies.