Windows/win32/services.exe Sirefef-AHF [trj]

Hello…

My services.exe is infected with Sirefef-AHF [trj], which AVG picks up but cannot remove.
I've had it for at least 3 weeks now, and this thing shut down my computer a couple of times; one time
I had to run system recovery to be able to boot up the laptop.
Since I am a complete amateur, I have no idea what to do. Please help.

Hello and welcome to avast. :wink:
http://forum.avast.com/index.php?topic=53253.0

Please read this guide. I need log reports from Malwarebytes, OTL and aswMBR.

Malwarebytes: it came out in Norwegian, Google Translate works on it

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.09.01.03

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Zlim :: ZLIM-HP [administrator]

01.09.2012 16:16:56
mbam-log-2012-09-01 (16-16-56).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 196969
Time elapsed: 3 minute(s), 41 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 6
C:\$Recycle.Bin\S-1-5-21-1008104762-4221902305-1862361787-1000\$RWTUJJ3\epicbot_520(1).exe (PUP.BundleOffers.IIQ) → Quarantined and deleted successfully.
C:\Users\Zlim\Downloads\epicbot_520.exe (PUP.BundleOffers.IIQ) → Quarantined and deleted successfully.
C:\Windows\Installer\{7ba12d95-5a21-c945-9f55-8c43c32cc061}\n (Rootkit.0Access) → Quarantined and deleted successfully.
C:\Windows\Installer\{7ba12d95-5a21-c945-9f55-8c43c32cc061}\L\00000008.@ (Trojan.BitMiner) → Quarantined and deleted successfully.
C:\Windows\Installer\{7ba12d95-5a21-c945-9f55-8c43c32cc061}\U\00000008.@ (Trojan.Dropper.BCMiner) → Quarantined and deleted successfully.
C:\Windows\Installer\{7ba12d95-5a21-c945-9f55-8c43c32cc061}\U\000000cb.@ (Rootkit.0Access) → Quarantined and deleted successfully.

(end)
[b]OTL in attachment[/b]

MBR:

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-09-01 17:01:22

17:01:22.493 OS Version: Windows x64 6.1.7601 Service Pack 1
17:01:22.493 Number of processors: 4 586 0x2A07
17:01:22.493 ComputerName: ZLIM-HP UserName: Zlim
17:01:24.642 Initialize success
17:01:24.736 AVAST engine defs: 12090100
17:01:55.000 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
17:01:55.000 Disk 0 Vendor: TOSHIBA_ GT00 Size: 715404MB BusType: 3
17:01:55.047 Disk 0 MBR read successfully
17:01:55.047 Disk 0 MBR scan
17:01:55.047 Disk 0 Windows 7 default MBR code
17:01:55.062 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 199 MB offset 2048
17:01:55.093 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 692042 MB offset 409600
17:01:55.125 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 19099 MB offset 1417711616
17:01:55.156 Disk 0 Partition 4 00 0C FAT32 LBA MSDOS5.0 4062 MB offset 1456826368
17:01:55.187 Disk 0 scanning C:\Windows\system32\drivers
17:02:03.627 Service scanning
17:02:36.574 Modules scanning
17:02:36.590 Disk 0 trace - called modules:
17:02:37.136 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
17:02:37.136 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa8008ada060]
17:02:37.151 3 CLASSPNP.SYS[fffff88001a0143f] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0xfffffa8007859050]
17:02:38.040 AVAST engine scan C:\Windows
17:02:40.677 AVAST engine scan C:\Windows\system32
17:03:28.217 File: C:\Windows\system32\services.exe INFECTED Win32:Patched-AKC [Trj]
17:03:47.024 File: C:\Windows\assembly\GAC_32\Desktop.ini INFECTED Win32:Sirefef-PL [Rtk]
17:03:48.604 File: C:\Windows\assembly\GAC_64\Desktop.ini INFECTED Win32:Sirefef-PL [Rtk]
17:04:39.571 AVAST engine scan C:\Windows\system32\drivers
17:04:49.917 AVAST engine scan C:\Users\Zlim
17:11:40.604 AVAST engine scan C:\ProgramData
17:13:15.751 Scan finished successfully
17:14:58.119 Disk 0 MBR has been saved successfully to “C:\Users\Zlim\Desktop\MBR.dat”
17:14:58.123 The log file has been saved successfully to “C:\Users\Zlim\Desktop\aswMBR.txt”

17:26:46.081 Disk 0 MBR has been saved successfully to “C:\Users\Zlim\Desktop\MBR.dat”
17:26:46.102 The log file has been saved successfully to “C:\Users\Zlim\Desktop\aswMBR.txt”
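The two logs above can be triaged mechanically. As an added example (my code, not a tool used in this thread), the Python below parses aswMBR `File: ... INFECTED` lines and Malwarebytes `path (Detection) -> action` lines and tags each hit with the ZeroAccess/Sirefef artefact class it matches: the GUID-named store under Windows\Installer or AppData\Local holding `@`, `n` and `U\` / `L\` `*.@` files, `Desktop.ini` planted in the GAC folders, and a patched `services.exe`. The sample lines embedded in it are copied from the logs posted above; the regexes, the indicator names and the "two independent classes" rule are assumptions of this example, not Avast or Malwarebytes conventions.

```python
"""Tag ZeroAccess/Sirefef artefacts in aswMBR and Malwarebytes log lines.

Added example for this thread, not a tool from it. The SAMPLE_* lines are copied
from the logs posted in the thread; the regexes and indicator names are this
example's own assumptions, not Avast or Malwarebytes naming.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# aswMBR: "17:03:28.217 File: C:\Windows\system32\services.exe INFECTED Win32:Patched-AKC [Trj]"
ASWMBR_INFECTED = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d{3}\s+File:\s+(?P<path>.+?)\s+INFECTED\s+(?P<name>.+?)\s*$"
)
# Malwarebytes: "C:\dir\file.exe (Detection.Name) -> Quarantined and deleted successfully."
# (forum rendering turns "->" into "→", so both forms are accepted)
MBAM_FILE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+\((?P<name>[^)]+)\)\s+(?:->|→)\s+(?P<action>.+?)\s*$"
)

GUID = r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}"
# ZeroAccess store: a GUID-named folder under Windows\Installer or %LOCALAPPDATA%
# holding "@", "n" and U\ / L\ subfolders of 8-hex-digit ".@" files.
ZA_STORE = re.compile(
    r"\\(?:Windows\\Installer|AppData\\Local)\\" + GUID
    + r"\\(?:[UL]\\)?(?:@|n|[0-9a-f]{8}\.@)$",
    re.IGNORECASE,
)
# Desktop.ini has no business inside the .NET Global Assembly Cache folders.
GAC_INI = re.compile(r"\\Windows\\assembly\\GAC_(?:32|64|MSIL)\\Desktop\.ini$", re.IGNORECASE)
SERVICES_EXE = re.compile(r"\\(?:System32|SysNative)\\services\.exe$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    source: str               # "aswMBR" or "MBAM"
    path: str
    name: str                 # vendor detection name as printed in the log
    indicator: Optional[str]  # artefact class from classify(), or None


def classify(path: str, name: str) -> Optional[str]:
    """Map a detected path (plus detection name) to a ZeroAccess artefact class."""
    if ZA_STORE.search(path):
        return "zeroaccess_store"
    if GAC_INI.search(path):
        return "gac_desktop_ini"
    if SERVICES_EXE.search(path) and "patched" in name.lower():
        return "patched_services_exe"
    return None


def parse_aswmbr(text: str) -> list[Finding]:
    """Collect INFECTED lines from an aswMBR log; scan-progress lines are skipped."""
    out: list[Finding] = []
    for line in text.splitlines():
        m = ASWMBR_INFECTED.match(line.strip())
        if m:
            out.append(Finding("aswMBR", m["path"], m["name"], classify(m["path"], m["name"])))
    return out


def parse_mbam(text: str) -> list[Finding]:
    """Collect 'Files Detected' entries from a Malwarebytes log."""
    out: list[Finding] = []
    for line in text.splitlines():
        m = MBAM_FILE.match(line.strip())
        if m:
            out.append(Finding("MBAM", m["path"], m["name"], classify(m["path"], m["name"])))
    return out


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per artefact class; 'other' = detection not tied to ZeroAccess."""
    counts: dict[str, int] = {}
    for f in findings:
        key = f.indicator or "other"
        counts[key] = counts.get(key, 0) + 1
    return counts


def zeroaccess_likely(findings: list[Finding]) -> bool:
    """Two independent artefact classes is a strong signal; one alone may be a false positive."""
    classes = {f.indicator for f in findings if f.indicator}
    return len(classes) >= 2


# Constructed input: lines copied from the aswMBR and Malwarebytes logs in this thread.
SAMPLE_ASWMBR = r"""
17:02:40.677 AVAST engine scan C:\Windows\system32
17:03:28.217 File: C:\Windows\system32\services.exe INFECTED Win32:Patched-AKC [Trj]
17:03:47.024 File: C:\Windows\assembly\GAC_32\Desktop.ini INFECTED Win32:Sirefef-PL [Rtk]
17:03:48.604 File: C:\Windows\assembly\GAC_64\Desktop.ini INFECTED Win32:Sirefef-PL [Rtk]
17:04:39.571 AVAST engine scan C:\Windows\system32\drivers
"""
SAMPLE_MBAM = r"""
C:\Users\Zlim\Downloads\epicbot_520.exe (PUP.BundleOffers.IIQ) -> Quarantined and deleted successfully.
C:\Windows\Installer\{7ba12d95-5a21-c945-9f55-8c43c32cc061}\n (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Windows\Installer\{7ba12d95-5a21-c945-9f55-8c43c32cc061}\L\00000008.@ (Trojan.BitMiner) -> Quarantined and deleted successfully.
C:\Windows\Installer\{7ba12d95-5a21-c945-9f55-8c43c32cc061}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
C:\Windows\Installer\{7ba12d95-5a21-c945-9f55-8c43c32cc061}\U\000000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    found = parse_aswmbr(SAMPLE_ASWMBR) + parse_mbam(SAMPLE_MBAM)
    for f in found:
        print(f"{f.source:6} {f.indicator or '-':22} {f.name:28} {f.path}")
    print(summarize(found), "ZeroAccess likely:", zeroaccess_likely(found))
```

The point of the classification is that the vendor names alone disagree (Rootkit.0Access, Trojan.BitMiner, Trojan.Dropper.BCMiner, Win32:Patched, Win32:Sirefef-PL) while the paths tell one story: the same GUID store, the GAC ini files and a modified services.exe belong to one infection, and the PUP hits in Downloads and the Recycle Bin are unrelated bundleware.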

OK

We need aswMBR.txt, not the .dat file.

Yes, fixed it now :stuck_out_tongue:

Multiple Antivirus Programs

You are running more than 1 Antivirus program!

AV: AVAST Software
AV: AVG Technologies CZ

Running more than one antivirus program is not recommended because:
[*]They can conflict with each other.
[*]They can report the other antivirus software as malicious.
[*]Antivirus programs use an enormous amount of the computer's resources while actively scanning your computer.
[*]They can cause your computer to become unstable, run slowly and even, in rare cases, BSOD crash, etc.
I strongly suggest you uninstall one of them.
Which one is your decision.


Step#1

Temporarily disable your antivirus and anti-malware programs.
If you are unsure how to do this please read this or this Instruction.

Re-run OTL.exe.

[*]Copy and paste the following text written inside the quote box into the Custom Scans/Fixes box.



:processes
killallprocesses 

:OTL
IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}: "URL" = http://eu.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
IE - HKLM\..\URLSearchHook: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll (Conduit Ltd.)
IE - HKLM\..\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}: "URL" = http://eu.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
IE - HKU\S-1-5-21-1008104762-4221902305-1862361787-1000\..\URLSearchHook: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-1008104762-4221902305-1862361787-1000\..\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}: "URL" = http://eu.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
CHR - Extension: uTorrentBar = C:\Users\Zlim\AppData\Local\Google\Chrome\User Data\Default\Extensions\bejbohlohkkgompgecdcbbglkpjfjgdj\2.3.15.10_0\
O2 - BHO: (uTorrentBar Toolbar) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (uTorrentBar Toolbar) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll (Conduit Ltd.)
O3 - HKU\S-1-5-21-1008104762-4221902305-1862361787-1000\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
[2012/09/01 16:37:41 | 000,232,960 | ---- | C] () -- C:\Windows\Installer\{7ba12d95-5a21-c945-9f55-8c43c32cc061}\U\00000008.@
[2012/07/16 13:52:06 | 000,000,804 | ---- | C] () -- C:\Windows\Installer\{7ba12d95-5a21-c945-9f55-8c43c32cc061}\L\00000004.@
[2012/07/16 13:52:05 | 000,002,048 | ---- | C] () -- C:\Windows\Installer\{7ba12d95-5a21-c945-9f55-8c43c32cc061}\U\00000004.@
[2012/01/16 15:37:11 | 000,002,048 | -HS- | C] () -- C:\Windows\Installer\{7ba12d95-5a21-c945-9f55-8c43c32cc061}\@
[2012/01/16 15:37:11 | 000,002,048 | -HS- | C] () -- C:\Users\Zlim\AppData\Local\{7ba12d95-5a21-c945-9f55-8c43c32cc061}\@

:files
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
C:\Users\Zlim\AppData\Roaming\mozilla\Firefox\Profiles\jq9aom5h.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}
C:\Users\Zlim\AppData\Roaming\Mozilla\Firefox\Profiles\jq9aom5h.default\searchplugins\askcom.xml
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt  /c
ipconfig /release /c
ipconfig /renew /c
recycler /alldrives
sc create BITS binpath= "c:\windows\system32\svchost.exe -k netsvcs" start= delayed-auto /c
C:\Windows\SysNative\services.exe|C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe /replace

:commands
[purity]
[CREATERESTOREPOINT]
[emptytemp]




[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open Notepad with the log report. Attach that log report here.


Step#2


[*] Re-run OTL. Make sure all other windows are closed and to let it run uninterrupted.

[*] Click on Scan All Users

[*] Paste this into Custom Scans/Fixes box at the bottom




drives
/md5start
services.exe
/md5stop
%systemroot%\assembly\GAC_32\*.* /S /MD5
%systemroot%\assembly\GAC_64\*.* /S /MD5
%systemroot%\Tasks\*.job /lockedfiles
c:\windows\installer\@ /s
c:\windows\installer\*.@ /s
dir /s /a "C:\Windows\Installer\{7ba12d95-5a21-c945-9f55-8c43c32cc061}" /c
>C:\commands.txt echo list vol /raw /hide /c
/wait
>C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
/wait
type c:\diskreport.txt /c
/wait
erase c:\commands.txt /hide /c
/wait
erase c:\diskreport.txt /hide /c
CREATERESTOREPOINT



[*] Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
[list]
[*] When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

[*] Please attach them in this thread.
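The fix above ends with an OTL `/replace` of `SysNative\services.exe` from a WinSxS component-store copy, and Step#2 then lists the MD5 of every `services.exe` on the drive. As an added example (my code, not OTL's and not from the thread), the Python below does by hand the check that listing supports: hash a candidate binary and a reference copy, and when they differ, report which byte ranges changed, which is what a "Win32:Patched" verdict describes. The two images it compares are constructed stand-ins written to a temp directory, not real services.exe files. One caveat when reading real numbers: the WinSxS path used in the fix is the 6.1.7600.16385 build while aswMBR reports 6.1.7601 (SP1), so those two files may differ simply because they are different builds; compare against the copy of the same build, and treat a difference confined to a small range in an otherwise identical file as the signature of an in-place patch.

```python
"""Compare a system binary with a reference copy and locate the patched bytes.

Added example for this thread (not OTL, FRST or the original posts). The
"images" below are constructed byte strings standing in for a clean and a
patched services.exe; paths are supplied by the caller in real use.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Digest:
    md5: str      # what OTL's /md5start listing prints
    sha256: str   # what you would actually pin a known-good copy to
    size: int


def file_digests(path: str) -> Digest:
    """Stream the file once and compute MD5 and SHA-256 together."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha.update(chunk)
    return Digest(md5.hexdigest(), sha.hexdigest(), os.path.getsize(path))


def diff_ranges(a: bytes, b: bytes) -> list[tuple[int, int]]:
    """Half-open [start, end) offset ranges where a and b differ.

    A length mismatch is reported as a final range running to the longer length,
    merged with a trailing difference if there is one.
    """
    ranges: list[tuple[int, int]] = []
    n = min(len(a), len(b))
    start = None
    for i in range(n):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if len(a) != len(b):
        ranges.append((start if start is not None else n, max(len(a), len(b))))
    elif start is not None:
        ranges.append((start, n))
    return ranges


def compare_binaries(candidate: str, reference: str) -> dict:
    """Hash both files; only when the hashes differ, load both and locate the changes."""
    c, r = file_digests(candidate), file_digests(reference)
    result = {"identical": c.sha256 == r.sha256, "candidate": c, "reference": r, "ranges": []}
    if not result["identical"]:
        with open(candidate, "rb") as fc, open(reference, "rb") as fr:
            result["ranges"] = diff_ranges(fc.read(), fr.read())
    return result


# Constructed demo data: a stand-in "clean" image and a copy with 16 bytes
# overwritten at 0x100 (a jmp plus nop padding), mimicking an in-place patch.
CLEAN_IMAGE = b"MZ" + bytes(range(256)) * 4
_patched = bytearray(CLEAN_IMAGE)
_patched[0x100:0x110] = b"\xe9" + b"\x90" * 15
PATCHED_IMAGE = bytes(_patched)


def demo() -> dict:
    """Write the constructed images to a temp directory and compare them."""
    with tempfile.TemporaryDirectory() as d:
        cand = os.path.join(d, "services.exe")
        ref = os.path.join(d, "services.exe.winsxs")
        with open(cand, "wb") as f:
            f.write(PATCHED_IMAGE)
        with open(ref, "wb") as f:
            f.write(CLEAN_IMAGE)
        return compare_binaries(cand, ref)


if __name__ == "__main__":
    res = demo()
    print("identical:", res["identical"])
    print("candidate md5:", res["candidate"].md5)
    print("reference md5:", res["reference"].md5)
    for start, end in res["ranges"]:
        print(f"differs at 0x{start:x}-0x{end:x} ({end - start} bytes)")
```

For a real comparison call `compare_binaries(r"C:\Windows\System32\services.exe", r"C:\Windows\winsxs\...\services.exe")` with the WinSxS path of the matching build; a same-size file that differs only in a few short ranges is the typical shape of a patched binary, whereas a different build differs throughout.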

Oh, I didn't notice the antiviruses; I forgot the laptop did a system recovery to its previous state. But it's fixed now.

here are the reports:

Scan

It is recommended to run the vendor's removal tool to clear any leftover files that may conflict… then everything runs so much better :wink:
found here http://singularlabs.com/uninstallers/security-software/

Hi,
We need to use a higher power.

Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this or this Instruction.

How to disable avast:

[*]Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
[*]In the window that opens on the top right corner, click Settings.
[*]In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.

[*]Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn on this option after the cleaning.

Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix's window while it is running.
If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion", just restart the computer once more.

When the tool is finished, it will produce a log report for you. (typical location: C:\[b]ComboFix.txt[/b])
Attach the log report (ComboFix.txt) back to the topic.

I get an error with ComboFix:

Incompatible OS, ComboFix only works on workstations with Windows 2000 and XP.

I have Windows 7.

Is that a fresh copy of ComboFix?

-Delete the current ComboFix.
-Restart your computer.
-Download a fresh ComboFix and try to run it.
-If it fails to run, then again delete the old ComboFix, download a fresh one and try to run it in Safe Mode.

It does not work, and I assume it's fresh, yeah; I used the link you gave. Not sure what's wrong.

Deleted ComboFix, restarted, downloaded, tried to run, same error.
Deleted ComboFix, downloaded, ran in Safe Mode, same error.
Deleted ComboFix, booted into Safe Mode, downloaded in Safe Mode, tried to run, same error.

neither do I ;D

Step#1.1

We need to use the RKill Tool by Grinler

Download and run RKill. RKill will try to kill all malicious processes. Do not reboot your computer. Then try immediately to re-run ComboFix.

Here is full guide and download links:

Rkill.com <— Download site
Or:
BleepingComputer

[*] Please download Rkill.com. Save it to your Desktop.
[*] Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.

[*] NOTE: If you are unable to connect to the site to download RKill, then you should download it to a clean computer and copy it to the infected one via a USB flash drive or CD-ROM.

[*] Once it is downloaded, double-click on rkill.com in order to automatically attempt to stop any processes associated with rogue programs.
[*] Please be patient while the program looks for various malware programs and ends them.
[*] When it has finished, the black window will automatically close and you can continue with the next step.
NOTE: If you get a message that RKill is an infection, do not be concerned. This message is just a fake warning given by the rogue program when it terminates programs that may potentially remove it. If you run into these infection warnings that close RKill, a trick is to leave the warning on the screen and then run RKill again. By not closing the warning, this typically allows you to bypass the malware trying to protect itself so that RKill can terminate the rogue program. So, please try running RKill until the malware is no longer running. You will then be able to proceed with the rest of the steps.

If you continue having problems running rkill.com, you can download:
iExplore.exe or eXplorer.exe
which are renamed copies of rkill.com, and try them instead.

Step#1.2

Do not reboot your computer. Now try to run ComboFix.


Step#2

If all else fails…
Let's use a different approach to all of this. 8)

[*]Download FRST64 to a USB flash drive.
[*]Plug the USB drive into the infected machine.

Boot your computer into Recovery Environment

[*]Restart the computer and press F8 repeatedly until the Advanced Options Menu appears.
[*]Select Repair your computer.
[*]Select Language and click Next
[*]Enter password (if necessary) and click OK, you should now see the screen below …

http://i1090.photobucket.com/albums/i366/garyr56/W7InstallDisk2.png

[*]Select the Command Prompt option.
[*]A command window will open.

[*]Type notepad then hit Enter.
[*]Notepad will open.
[list]
[*]Click File > Open then select Computer.
[*]Note down the drive letter for your USB Drive.
[*]Close Notepad.[/list]
[*]Back in the command window …

[*]Type e:/frst64.exe and hit Enter (where e: is replaced by the drive letter for your USB drive)
[*]FRST will start to run.
[list]
[*]When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]When finished scanning it will make a log FRST.txt on the flash drive.[/list]
[*]Next

[*]Type Explorer.exe;Services.exe into the Search: field in FRST then click the Search File(s) button.
[*]FRST will search your computer for files and when finished it will produce a log Search.txt on the flash drive.
[*]Exit FRST.
[*]Close the command window.
[*]Boot back into normal mode and post me the FRST.txt and Search.txt logs please.

Frst Logs

PS: Avast stopped spamming me about threats, btw, but when I scan I can still see the virus. Not sure if this is relevant, but I just
felt I had to say :slight_smile:

Step#1.1

-Delete FRST.txt (notepad) from your USB flash drive if you have it.

Open new notepad.

[*]Click Start
[*] Type notepad.exe in the search programs and files box and press Enter.
[*] A blank Notepad page should open.
[*] Copy/Paste the contents of the code box below into Notepad.



Start
Replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe C:\Windows\System32\services.exe
HKU\Zlim\...\Policies\system: [DisableLockWorkstation] 0
HKU\Zlim\...\Policies\system: [DisableChangePassword] 0
C:\Windows\Installer\{7ba12d95-5a21-c945-9f55-8c43c32cc061}
C:\Users\Zlim\AppData\Local\{7ba12d95-5a21-c945-9f55-8c43c32cc061}
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
end



[*] Save it to your USB flashdrive as fixlist.txt
[/list]

Boot into Recovery Environment

Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens …

[*] Press the Fix button once and wait.
[*] FRST will process fixlist.txt
[*] When finished, it will produce a log fixlog.txt on your USB flashdrive.

Step#1.2
While you are still there…

[*] - Click on Scan button to run a fresh FRST.txt scan.
[*] - When finished, it will produce a fresh log FRST.txt on your USB flashdrive.

Exit out of Recovery Environment and post me the log please.
Attach fresh FRST.txt log.


Step#2

Download TDSSKiller and save it to your desktop

Execute [b]TDSSKiller.exe[/b] by double-clicking on it.

[*] Press Start Scan

[*] If a Suspicious object is detected, the default action will be Skip; click on Continue.
[*] If Malicious objects are found, select Cure.

Once complete, a log will be produced at the root of the system drive, typically C:\, for example [b]C:\TDSSKiller.<version_date_time>log.txt[/b]

Please post the contents of that log in your next reply.


Step#3

[*] Re-run OTL. Make sure all other windows are closed and to let it run uninterrupted.

[*] Click on Scan All Users

[*] Paste this into Custom Scans/Fixes box at the bottom



drives
/md5start
services.exe
/md5stop
%systemroot%\assembly\GAC_32\*.ini /S /MD5
%systemroot%\assembly\GAC_64\*.ini /S /MD5 
%systemroot%\Installer|@;true;true;true
%systemdrive%\$Recycle.Bin|@;true;true;true
%systemdrive%\$Recycle.Bin|n;true;true;true
C:\$Recycle.Bin\S-1-5-18 /s
C:\$Recycle.Bin\S-1-5-21-1862684139-277524484-329249885-1000 /s
c:\windows\installer\@ /s
c:\windows\installer\*.@ /s
dir /s /a "C:\Windows\Installer\{7ba12d95-5a21-c945-9f55-8c43c32cc061}" /c
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS /s 



[*] Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
[list]
[*] When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

[*] Please attach them in this thread.

FRST logs

OTL and tds logs

Nice, the logs look good. I will remove some leftover registry entries related to AVG.

Step#1

Re-run OTL.exe.

[*]Copy and paste the following text written inside the quote box into the Custom Scans/Fixes box.



:OTL
IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}: "URL" = http://eu.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
IE - HKU\S-1-5-21-1008104762-4221902305-1862361787-1000\..\SearchScopes\{FFF4641F-23D0-49B4-BE7E-36D4F871C109}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=&src=kw&q={searchTerms}&locale=&apn_ptnrs=&apn_dtid=OSJ000&apn_uid=89891337-95F1-401B-96F5-C4E83130DE16&apn_sauid=80968523-5D33-4E3F-BDF6-1DBD0AD08FD2
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{F53C93F1-07D5-430c-86D4-C9531B27DFAF}: C:\Program Files (x86)\AVG\AVG2012\Firefox\DoNotTrack\ [2012/09/02 00:19:01 | 000,000,000 | ---D | M]
O2:[b]64bit:[/b] - BHO: (AVG Do Not Track) - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files (x86)\AVG\AVG2012\avgdtiea.dll File not found
O2:[b]64bit:[/b] - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (AVG Do Not Track) - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll File not found
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O3 - HKU\S-1-5-21-1008104762-4221902305-1862361787-1000\..\Toolbar\WebBrowser: (no name) - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No CLSID value found.
O9 - Extra Button: AVG Do Not Track - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll File not found

:files
sc create BITS binpath= "c:\windows\system32\svchost.exe -k netsvcs" start= delayed-auto /c 

:commands
[CREATERESTOREPOINT]
[emptytemp]
[purity]
[EMPTYFLASH]
[EMPTYJAVA]
[Reboot]


[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open Notepad with the log report. Attach that log report here.


Step#2

Download Farbar Service Scanner (FSS) and run it on the computer with the issue.

[*]Check the following options:

[*]Internet Services
[*]Windows Update
[*]Other Services

[*]Press “Scan” button.
[*]It will create a log (FSS.txt).
[*]Attach here logreport.


Step#3

I'd love to see the ComboFix log.
Download a fresh ComboFix. Disable your antivirus and try to run it now.