
ComboFix detects Rootkit Zero Access


  • This topic is locked
28 replies to this topic

#16 nylde.star (Topic Starter, Members, 15 posts)

Posted 25 June 2012 - 01:41 AM

I was hoping it would work but unfortunately it didn't. When I ran combofix, I still ran into the same issues. First, it detected that there was zero access rootkit in tcp/ip (or something) stack. Then it goes back to scanning until the next message when it read that rootkit has been detected and that this may take a while. Finally, the third message popped up saying that I must restart the computer. After the computer restarts nothing happens. Combofix doesn't open up or anything. Let me know what you want me to try next. Thanks.


#17 CatByte (bleepin' tiger, Malware Response Team, 14,437 posts, Location: Canada)

Posted 25 June 2012 - 07:36 AM

How long are you waiting for ComboFix to restart? Are you rebooting yourself or allowing ComboFix to do it for you? Generally, ComboFix will restart the computer itself.

Retry it and do not do anything yourself, just allow ComboFix to complete on its own; even when you think it has stalled, give it longer.

Make certain your security programs are disabled, as it sounds as though there may be some interference from your AV that is preventing it from starting up again.

Uninstall the AV if you feel you need to.

Download a fresh copy of ComboFix.

Edited by CatByte, 25 June 2012 - 07:36 AM.

The help you receive here is free. If you wish to show your appreciation, then you may donate.
Microsoft MVP - 2010, 2011, 2012, 2013

#18 nylde.star (Topic Starter, Members, 15 posts)

Posted 25 June 2012 - 10:52 AM

Okay. I will try running it again. I never restarted the computer. Combofix always did on its own. During the process I only click "ok" when the messages pop up. Also after it restarts I leave it alone for five minutes to see if it will do anything but it doesn't. I will leave it longer this time. As far as security programs, I don't really have any other than the Avast antivirus I recently added. I will uninstall this before running the program just to be on the safe side. I'll update you afterwards. Thanks.

#19 nylde.star (Topic Starter, Members, 15 posts)

Posted 25 June 2012 - 11:58 AM

Finally!!! A success on the combofix. Here you go...

ComboFix 12-06-25.03 - MainPC 06/25/2012 9:31.4.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1013.239 [GMT -7:00]
Running from: c:\users\MainPC\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\svchost.exe
c:\svchost.exe\023.dat
c:\svchost.exe\023v.dat
c:\svchost.exe\ActiveDrv.vbs
c:\svchost.exe\AppData.folder.dat
c:\svchost.exe\appinit.bad
c:\svchost.exe\asp.str
c:\svchost.exe\Assoc.cmd
c:\svchost.exe\attr.dat
c:\svchost.exe\ATTRIB.3XE
c:\svchost.exe\autorun_inf.dat
c:\svchost.exe\autorun_infB.dat
c:\svchost.exe\av.cmd
c:\svchost.exe\av.vbs
c:\svchost.exe\AWF.cmd
c:\svchost.exe\badclsid
c:\svchost.exe\BFE.dat
c:\svchost.exe\Boot-Rk.cmd
c:\svchost.exe\Boot.bat
c:\svchost.exe\BootDrv.vbs
c:\svchost.exe\borlander_file.dat
c:\svchost.exe\borlander_folder.dat
c:\svchost.exe\c.bat
c:\svchost.exe\[email protected]
c:\svchost.exe\Cache.folder.dat
c:\svchost.exe\Catch-sub.cmd
c:\svchost.exe\catchme.3XE
c:\svchost.exe\Catchme.tmp
c:\svchost.exe\CCS.bat
c:\svchost.exe\CF-Script.cmd
c:\svchost.exe\CF31831.3XE
c:\svchost.exe\Cfiles.dat
c:\svchost.exe\Cfolders.dat
c:\svchost.exe\CHCP.bat
c:\svchost.exe\ClistB.dat
c:\svchost.exe\clsid.c
c:\svchost.exe\clsid.dat
c:\svchost.exe\Combobatch.bat
c:\svchost.exe\ComboFix-Download.3XE
c:\svchost.exe\ConEnv.sed
c:\svchost.exe\Cookies.folder.dat
c:\svchost.exe\Create.cmd
c:\svchost.exe\Creg.dat
c:\svchost.exe\CregC.cmd
c:\svchost.exe\CregC.dat
c:\svchost.exe\CregC_.dat
c:\svchost.exe\CSCRIPT.3XE
c:\svchost.exe\d-del_A.dat
c:\svchost.exe\d-delA.dat
c:\svchost.exe\dd.3XE
c:\svchost.exe\ddsDo.sed
c:\svchost.exe\DelClsid.bat
c:\svchost.exe\DelClsid64.bat
c:\svchost.exe\Desktop.folder.dat
c:\svchost.exe\DisclaimED.dat
c:\svchost.exe\dll_whitelist.dat
c:\svchost.exe\dnd.dat
c:\svchost.exe\DPF.str
c:\svchost.exe\Drive.folder.dat
c:\svchost.exe\DriveFile.dat
c:\svchost.exe\Drives.dat
c:\svchost.exe\DrvRun.vbs
c:\svchost.exe\dumphive.3XE
c:\svchost.exe\embedded.sed
c:\svchost.exe\en-US\ATTRIB.3XE.mui
c:\svchost.exe\en-US\CF31831.3XE.mui
c:\svchost.exe\en-US\cmd.3XE.mui
c:\svchost.exe\en-US\CSCRIPT.3XE.mui
c:\svchost.exe\en-US\iexplore.exe
c:\svchost.exe\en-US\PING.3XE.mui
c:\svchost.exe\en-US\REGT.3XE.mui
c:\svchost.exe\en-US\ROUTE.3XE.mui
c:\svchost.exe\Env.sed
c:\svchost.exe\ERDNT.e_e
c:\svchost.exe\ERDNTDOS.LOC
c:\svchost.exe\ERDNTWIN.LOC
c:\svchost.exe\ERUNT.3XE
c:\svchost.exe\erunt.dat
c:\svchost.exe\ERUNT.LOC
c:\svchost.exe\Exe.reg
c:\svchost.exe\Expired
c:\svchost.exe\extract.3XE
c:\svchost.exe\f_system
c:\svchost.exe\Favorites.folder.dat
c:\svchost.exe\FD-SV.cmd
c:\svchost.exe\FdsvOK
c:\svchost.exe\ffdefstr.dll
c:\svchost.exe\FileKill.3XE
c:\svchost.exe\files.pif
c:\svchost.exe\Fin.dat
c:\svchost.exe\FIND3M.bat
c:\svchost.exe\FIXLSP.bat
c:\svchost.exe\FKMGen.cmd
c:\svchost.exe\ForeignWht
c:\svchost.exe\GetHive.cmd
c:\svchost.exe\GOLDUN.DAT
c:\svchost.exe\grep.3XE
c:\svchost.exe\gsar.3XE
c:\svchost.exe\handle.3XE
c:\svchost.exe\hidec.3XE
c:\svchost.exe\history.bat
c:\svchost.exe\History.folder.dat
c:\svchost.exe\iexplore.exe
c:\svchost.exe\image001.gif
c:\svchost.exe\Imefile.dat
c:\svchost.exe\katch.cmd
c:\svchost.exe\Kill-All.cmd
c:\svchost.exe\kmd.dat
c:\svchost.exe\KNetSvcs.vbs
c:\svchost.exe\Lang.bat
c:\svchost.exe\List-B.bat
c:\svchost.exe\List-C.bat
c:\svchost.exe\lnkread.vbs
c:\svchost.exe\LocalAppData.folder.dat
c:\svchost.exe\LocalService.dat
c:\svchost.exe\LocalServiceNetworkRestricted.dat
c:\svchost.exe\LocalSettings.folder.dat
c:\svchost.exe\LocalSystemNetworkRestricted.dat
c:\svchost.exe\MainPC.user.cf
c:\svchost.exe\max_.dat
c:\svchost.exe\max_drivertocheck
c:\svchost.exe\mbr.3XE
c:\svchost.exe\mbr.chk
c:\svchost.exe\md5sum.pif
c:\svchost.exe\MoveIt.bat
c:\svchost.exe\MpsSvc.dat
c:\svchost.exe\mtee.3XE
c:\svchost.exe\MUI
c:\svchost.exe\Music.folder.dat
c:\svchost.exe\MWindows.dat
c:\svchost.exe\mynul.dat
c:\svchost.exe\ncmd.com
c:\svchost.exe\ND_.bat
c:\svchost.exe\ND_64.bat
c:\svchost.exe\ndis_combofix.dat
c:\svchost.exe\NetHood.folder.dat
c:\svchost.exe\netsvc.bad.dat
c:\svchost.exe\netsvc.dat
c:\svchost.exe\NetworkService.dat
c:\svchost.exe\NirCmd.3XE
c:\svchost.exe\NircmdB.exe
c:\svchost.exe\NirCmdC.3XE
c:\svchost.exe\NIRKMD.3XE
c:\svchost.exe\NlsLanguageDefault
c:\svchost.exe\notifykeys.dat
c:\svchost.exe\notifykeysB.dat
c:\svchost.exe\NT-OS.cmd
c:\svchost.exe\NULL
c:\svchost.exe\OsId.txt
c:\svchost.exe\OSid.vbs
c:\svchost.exe\pausep.3XE
c:\svchost.exe\pend.txt
c:\svchost.exe\Personal.folder.dat
c:\svchost.exe\pev.3XE
c:\svchost.exe\PEV.exe
c:\svchost.exe\pevb.3XE
c:\svchost.exe\Pictures.folder.dat
c:\svchost.exe\PING.3XE
c:\svchost.exe\Policies.dat
c:\svchost.exe\powp.dat
c:\svchost.exe\PreDIR
c:\svchost.exe\Prep.inf
c:\svchost.exe\PrintHood.folder.dat
c:\svchost.exe\Profiles.Folder.dat
c:\svchost.exe\Profiles.Folder.folder.dat
c:\svchost.exe\progfile.dat
c:\svchost.exe\Programs.folder.dat
c:\svchost.exe\Purity.dat
c:\svchost.exe\PV.3XE
c:\svchost.exe\pv.com
c:\svchost.exe\rar_sfx.cmd
c:\svchost.exe\RBoot.dat
c:\svchost.exe\RCLink.dat
c:\svchost.exe\RcVer00
c:\svchost.exe\Recent.folder.dat
c:\svchost.exe\REGDACL.sed
c:\svchost.exe\RegDo.sed
c:\svchost.exe\region.dat
c:\svchost.exe\RegScan.cmd
c:\svchost.exe\RegScan64.cmd
c:\svchost.exe\REGT.3XE
c:\svchost.exe\Resident.txt
c:\svchost.exe\restore_pt.dat
c:\svchost.exe\restore_pt.vbs
c:\svchost.exe\RkDetectA_HDCntrl.dat
c:\svchost.exe\Rkey.cmd
c:\svchost.exe\rmbr.3XE
c:\svchost.exe\rogues.dat
c:\svchost.exe\ROUTE.3XE
c:\svchost.exe\run.sed
c:\svchost.exe\run2.sed
c:\svchost.exe\Rust.str
c:\svchost.exe\s0rt.3XE
c:\svchost.exe\safeboot.dat
c:\svchost.exe\safeboot.def.dat
c:\svchost.exe\sed.3XE
c:\svchost.exe\SendTo.folder.dat
c:\svchost.exe\SetEnvmt.bat
c:\svchost.exe\setpath.3XE
c:\svchost.exe\SetPath.bat
c:\svchost.exe\setpath_N.cmd
c:\svchost.exe\SF.exe
c:\svchost.exe\sfx.cmd
c:\svchost.exe\ShAccess.dat
c:\svchost.exe\SnapShot.cmd
c:\svchost.exe\SRestore.cmd
c:\svchost.exe\srizbi.md5
c:\svchost.exe\Start_dat
c:\svchost.exe\StartMenu.folder.dat
c:\svchost.exe\StartUp.folder.dat
c:\svchost.exe\SuppScan.cmd
c:\svchost.exe\svc_wht.dat
c:\svchost.exe\SvcDrv.vbs
c:\svchost.exe\svchost.dat
c:\svchost.exe\swreg.3XE
c:\svchost.exe\swsc.3XE
c:\svchost.exe\swxcacls.3XE
c:\svchost.exe\SysPath.dat
c:\svchost.exe\system_ini.dat
c:\svchost.exe\tail.3XE
c:\svchost.exe\Temp.dat
c:\svchost.exe\Templates.folder.dat
c:\svchost.exe\Test4Max\fltMgr.sys_linked
c:\svchost.exe\toolbar.sed
c:\svchost.exe\unhand.dat
c:\svchost.exe\Update-CF.cmd
c:\svchost.exe\v_wht.dat
c:\svchost.exe\VBR.pif
c:\svchost.exe\VerCF.bat
c:\svchost.exe\VikPev00
c:\svchost.exe\Vikpev01
c:\svchost.exe\VInfo
c:\svchost.exe\VInfo2
c:\svchost.exe\VINFO3
c:\svchost.exe\Vipev.dat
c:\svchost.exe\ViPev00
c:\svchost.exe\ViPev01
c:\svchost.exe\Vista.krl
c:\svchost.exe\Vista.mac
c:\svchost.exe\vistaMcode.dat
c:\svchost.exe\vistareg.dat
c:\svchost.exe\vRun_DLL
c:\svchost.exe\vun.dat
c:\svchost.exe\vundonames.dat
c:\svchost.exe\VwinTemp.dacl
c:\svchost.exe\w_sock.dll
c:\svchost.exe\w7Mcode.dat
c:\svchost.exe\whiteAll.dat
c:\svchost.exe\whitedir.dat
c:\svchost.exe\whitedirCreated.dat
c:\svchost.exe\Wmi_rem.vbs
c:\svchost.exe\xpmcode.dat
c:\svchost.exe\XPSBoot.reg
c:\svchost.exe\zDomain.dat
c:\svchost.exe\zhsvc.dat
c:\svchost.exe\zip.3XE
c:\svchost.exe\Zlob01
c:\users\MainPC\AppData\Local\Google\Akamai\jrhrqrk.dll
c:\windows\$NtUninstallKB39797$
.
.
((((((((((((((((((((((((( Files Created from 2012-05-25 to 2012-06-25 )))))))))))))))))))))))))))))))
.
.
2012-06-25 16:46 . 2012-06-25 16:48 -------- d-----w- c:\users\MainPC\AppData\Local\temp
2012-06-25 16:46 . 2012-06-25 16:46 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2012-06-25 16:46 . 2012-06-25 16:46 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-06-25 16:46 . 2012-06-25 16:46 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-25 16:46 . 2012-06-25 16:46 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-06-25 06:30 . 2012-06-25 06:35 -------- d-----w- C:\svchost.exe15403s
2012-06-25 06:19 . 2012-06-25 06:19 -------- d-----w- C:\_OTL
2012-06-25 06:08 . 2012-06-25 06:10 -------- d-----w- C:\svchost.exe13227s
2012-06-25 01:20 . 2012-06-25 02:11 -------- d-----w- C:\u
2012-06-24 21:32 . 2012-06-24 21:33 -------- d-----w- C:\FRST
2012-06-24 03:36 . 2012-06-25 01:42 -------- d-----w- C:\TDSSKiller_Quarantine
2012-06-22 07:51 . 2012-06-22 07:51 100736 ----a-w- C:\pwdiypog.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-04 22:56 . 2011-12-09 03:43 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-02-09 81920]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
"SigmatelSysTrayApp"="sttray.exe" [2007-02-08 303104]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2009-11-11 771360]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Akamai NetSession Interface]
2011-11-17 14:58 3303000 ----a-w- c:\users\MainPC\AppData\Local\Akamai\netsession_win.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-02-21 04:28 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2012-04-04 22:56 981680 ----a-w- c:\program files\Edlyn\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 21:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SweetIM]
2011-06-02 22:56 114992 ----a-r- c:\program files\SweetIM\Messenger\SweetIM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=""
"FirewallOverride"=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-04-04 63928]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
Akamai REG_MULTI_SZ Akamai
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2011-06-12 07:56 114176 ----a-w- c:\windows\System32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-04 03:36]
.
2012-06-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-04 03:36]
.
2012-05-29 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2011-12-14 04:09]
.
2012-06-25 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\uaclauncher.exe [2011-12-14 04:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
TCP: DhcpNameServer = 10.0.1.1
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Akamai - c:\users\MainPC\AppData\Local\Google\Akamai\jrhrqrk.dll
MSConfigStartUp-ConnectionCenter - c:\program files\Citrix\ICA Client\concentr.exe
AddRemove-AIMON DriverInstaller for X86_is1 - c:\windows\unins001.exe
AddRemove-ChameleonTom - c:\program files\ChameleonTom\UninstallChamTom.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-25 09:47
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,94,f7,fe,40,75,97,2f,43,99,93,a2,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,94,f7,fe,40,75,97,2f,43,99,93,a2,\
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\windows\sttray.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2012-06-25 09:53:48 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-25 16:53
ComboFix2.txt 2011-12-29 00:34
.
Pre-Run: 214,712,270,848 bytes free
Post-Run: 214,738,063,360 bytes free
.
- - End Of File - - 5018D895C5104F110FBD16A22944779A
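
As an added, stand-alone example (not part of this thread and not ComboFix's own code), here is a small Python script that walks the sections of a ComboFix log in the format posted above, pulls out every file path, and flags the two entries a helper would zero in on: a random-named driver sitting in the drive root and a random-named DLL loaded from a user profile path, while leaving the Intel, iTunes and Akamai entries alone. The sample lines are constructed from the log above and the heuristics are my own, not ComboFix's.

```python
import re

# Constructed sample in the shape of the ComboFix log posted in this thread
# (paths copied from that log; this is text, not a file on disk).
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2012-05-25 to 2012-06-25 )))))))))))))))))))))))))))))))
.
2012-06-24 21:32 . 2012-06-24 21:33 -------- d-----w- C:\FRST
2012-06-22 07:51 . 2012-06-22 07:51 100736 ----a-w- C:\pwdiypog.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-02-09 81920]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Akamai NetSession Interface]
2011-11-17 14:58 3303000 ----a-w- c:\users\MainPC\AppData\Local\Akamai\netsession_win.exe
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Akamai - c:\users\MainPC\AppData\Local\Google\Akamai\jrhrqrk.dll
MSConfigStartUp-ConnectionCenter - c:\program files\Citrix\ICA Client\concentr.exe
"""

# Section banners come in two shapes: "(((( Name ))))" and "- - - - NAME - - - -".
SECTION_RE = re.compile(r"^\(+\s*(?P<name>.+?)\s*\)+$|^- - - - (?P<name2>.+?) - - - -$")
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
# A Windows path runs until a closing quote, a trailing "[date size]" stamp, or end of line.
PATH_RE = re.compile(r"(?P<path>[a-z]:\\.*?)(?=\"|\s\[\d{4}-|$)", re.IGNORECASE)
# ComboFix attribute field: a leading 'd' marks a directory (e.g. d-----w-), which we skip.
DIR_ATTR_RE = re.compile(r"\sd[-a-z]{5}[-w]-\s", re.IGNORECASE)
VOWELS = set("aeiou")


def random_looking(stem: str) -> bool:
    """Purely alphabetic, 6+ letters and vowel-poor: the throwaway shape of
    generated names such as jrhrqrk or pwdiypog. Used only together with the
    location check, since real names like igfxpers also score low."""
    s = stem.lower()
    if len(s) < 6 or not s.isalpha():
        return False
    return sum(c in VOWELS for c in s) / len(s) <= 0.25


def unusual_location(path: str) -> list[str]:
    """Places where an autostart or driver file should rarely live."""
    p = path.lower()
    reasons = []
    if re.fullmatch(r"[a-z]:\\[^\\]+", p):
        reasons.append("file sits directly in the drive root")
    if "\\appdata\\" in p or "\\temp\\" in p:
        reasons.append("loaded from a user profile or temp path")
    return reasons


def assess(path: str) -> list[str]:
    """Return the reasons a path is worth a second look, or [] if none.
    Location alone is not enough (netsession_win.exe legitimately lives in
    AppData); it must be combined with a random name or a .dll/.sys image."""
    where = unusual_location(path)
    if not where:
        return []
    name = path.rsplit("\\", 1)[-1]
    stem, dot, ext = name.rpartition(".")
    if not dot:
        stem, ext = name, ""
    reasons = list(where)
    if random_looking(stem):
        reasons.append(f"random-looking name '{name}'")
    if ext.lower() in ("dll", "sys"):
        reasons.append(f".{ext.lower()} module loaded from that location")
    return reasons if len(reasons) > len(where) else []


def parse_entries(log_text: str):
    """Yield (section, registry_key, path) for every file path in the log."""
    section, key = "", ""
    for line in log_text.splitlines():
        line = line.rstrip()
        m = SECTION_RE.match(line)
        if m:
            section, key = (m.group("name") or m.group("name2")), ""
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if DIR_ATTR_RE.search(line):
            continue
        m = PATH_RE.search(line)
        if m:
            yield section, key, m.group("path").strip()


def suspicious_entries(log_text: str) -> list[dict]:
    """Every parsed path that assess() flags, with where in the log it came from."""
    return [
        {"section": section, "key": key, "path": path, "reasons": reasons}
        for section, key, path in parse_entries(log_text)
        if (reasons := assess(path))
    ]


if __name__ == "__main__":
    for hit in suspicious_entries(SAMPLE_LOG):
        print(f"[{hit['section']}] {hit['path']}")
        for r in hit["reasons"]:
            print("    -", r)
```

On the sample above it reports only C:\pwdiypog.sys and the Akamai jrhrqrk.dll, which are exactly the two items ComboFix itself removed or listed as orphans in the log.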

#20 CatByte (bleepin' tiger, Malware Response Team, 14,437 posts, Location: Canada)

Posted 25 June 2012 - 12:25 PM

very good, that looks much better,

please run the following:


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

Folder::
C:\svchost.exe15403s
C:\svchost.exe13227s
C:\u

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save this as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[Image: screenshot showing CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish


#21 nylde.star (Topic Starter, Members, 15 posts)

Posted 25 June 2012 - 04:07 PM

Wow. The last scan really took long. Here are the results from the 3 scans, Combofix, Malware, ESET:

ComboFix 12-06-25.03 - MainPC 06/25/2012 10:41:24.5.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1013.369 [GMT -7:00]
Running from: c:\users\MainPC\Desktop\ComboFix.exe
Command switches used :: c:\users\MainPC\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\svchost.exe13227s
c:\svchost.exe13227s\max_01
c:\svchost.exe13227s\max_02
c:\svchost.exe13227s\max_03
c:\svchost.exe13227s\max_04
c:\svchost.exe13227s\max_05
c:\svchost.exe13227s\max_06
c:\svchost.exe13227s\max_07
c:\svchost.exe13227s\max_08
c:\svchost.exe13227s\max_09
c:\svchost.exe13227s\max_0A
c:\svchost.exe13227s\max_0B
c:\svchost.exe13227s\max_0C
c:\svchost.exe13227s\max_0D
c:\svchost.exe13227s\max_drivertocheck
c:\svchost.exe13227s\mbr.3XE
c:\svchost.exe13227s\mbr.chk
c:\svchost.exe13227s\md5sum.pif
c:\svchost.exe13227s\Mirrors
c:\svchost.exe13227s\MoveIt.bat
c:\svchost.exe13227s\MpsSvc.dat
c:\svchost.exe13227s\mtee.3XE
c:\svchost.exe13227s\MUI
c:\svchost.exe13227s\Music.folder.dat
c:\svchost.exe13227s\MWindows.dat
c:\svchost.exe13227s\mynul.dat
c:\svchost.exe13227s\N_\10134
c:\svchost.exe13227s\N_\14090
c:\svchost.exe13227s\N_\1520
c:\svchost.exe13227s\N_\17720
c:\svchost.exe13227s\N_\18709
c:\svchost.exe13227s\N_\18928
c:\svchost.exe13227s\N_\19394
c:\svchost.exe13227s\N_\19956
c:\svchost.exe13227s\N_\22023
c:\svchost.exe13227s\N_\23201
c:\svchost.exe13227s\N_\24165
c:\svchost.exe13227s\N_\26006
c:\svchost.exe13227s\N_\26060
c:\svchost.exe13227s\N_\28259
c:\svchost.exe13227s\N_\28453
c:\svchost.exe13227s\N_\28904
c:\svchost.exe13227s\N_\29631
c:\svchost.exe13227s\N_\30386
c:\svchost.exe13227s\N_\3044
c:\svchost.exe13227s\N_\30855
c:\svchost.exe13227s\N_\30912
c:\svchost.exe13227s\N_\31138
c:\svchost.exe13227s\N_\32320
c:\svchost.exe13227s\N_\32482
c:\svchost.exe13227s\N_\3296
c:\svchost.exe13227s\N_\3944
c:\svchost.exe13227s\N_\4089
c:\svchost.exe13227s\N_\4527
c:\svchost.exe13227s\N_\563
c:\svchost.exe13227s\N_\8392
c:\svchost.exe13227s\N_\8679
c:\svchost.exe13227s\N_\9254
c:\svchost.exe13227s\N_\cfdummy00
c:\svchost.exe13227s\N_\CmdLine00
c:\svchost.exe13227s\ncmd.com
c:\svchost.exe13227s\ND_.bat
c:\svchost.exe13227s\ND_64.bat
c:\svchost.exe13227s\ndis_combofix.dat
c:\svchost.exe13227s\NetHood.folder.dat
c:\svchost.exe13227s\netsvc.bad.dat
c:\svchost.exe13227s\netsvc.dat
c:\svchost.exe13227s\NetworkService.dat
c:\svchost.exe13227s\NirCmd.3XE
c:\svchost.exe13227s\NircmdB.exe
c:\svchost.exe13227s\NirCmdC.3XE
c:\svchost.exe13227s\NIRKMD.3XE
c:\svchost.exe13227s\NlsLanguageDefault
c:\svchost.exe13227s\notifykeys.dat
c:\svchost.exe13227s\notifykeysB.dat
c:\svchost.exe13227s\NT-OS.cmd
c:\svchost.exe13227s\NULL
c:\svchost.exe13227s\OsId.txt
c:\svchost.exe13227s\OSid.vbs
c:\svchost.exe13227s\pausep.3XE
c:\svchost.exe13227s\pend.txt
c:\svchost.exe13227s\Personal.folder.dat
c:\svchost.exe13227s\pev.3XE
c:\svchost.exe13227s\PEV.exe
c:\svchost.exe13227s\pevb.3XE
c:\svchost.exe13227s\Pictures.folder.dat
c:\svchost.exe13227s\PING.3XE
c:\svchost.exe13227s\Policies.dat
c:\svchost.exe13227s\powp.dat
c:\svchost.exe13227s\PreDIR
c:\svchost.exe13227s\Prep.inf
c:\svchost.exe13227s\PrintHood.folder.dat
c:\svchost.exe13227s\Profiles.Folder.dat
c:\svchost.exe13227s\Profiles.Folder.folder.dat
c:\svchost.exe13227s\progfile.dat
c:\svchost.exe13227s\Programs.folder.dat
c:\svchost.exe13227s\Purity.dat
c:\svchost.exe13227s\PV.3XE
c:\svchost.exe13227s\pv.com
c:\svchost.exe13227s\rar_sfx.cmd
c:\svchost.exe13227s\RCLink.dat
c:\svchost.exe13227s\RcVer00
c:\svchost.exe13227s\Recent.folder.dat
c:\svchost.exe13227s\REGDACL.sed
c:\svchost.exe13227s\RegDo.sed
c:\svchost.exe13227s\region.dat
c:\svchost.exe13227s\RegScan.cmd
c:\svchost.exe13227s\RegScan64.cmd
c:\svchost.exe13227s\REGT.3XE
c:\svchost.exe13227s\Resident.txt
c:\svchost.exe13227s\restore_pt.dat
c:\svchost.exe13227s\restore_pt.vbs
c:\svchost.exe13227s\RkDetectA_HDCntrl.dat
c:\svchost.exe13227s\Rkey.cmd
c:\svchost.exe13227s\rmbr.3XE
c:\svchost.exe13227s\rogues.dat
c:\svchost.exe13227s\ROUTE.3XE
c:\svchost.exe13227s\run.sed
c:\svchost.exe13227s\run2.sed
c:\svchost.exe13227s\Rust.str
c:\svchost.exe13227s\s0rt.3XE
c:\svchost.exe13227s\safeboot.dat
c:\svchost.exe13227s\safeboot.def.dat
c:\svchost.exe13227s\sed.3XE
c:\svchost.exe13227s\SendTo.folder.dat
c:\svchost.exe13227s\SetEnvmt.bat
c:\svchost.exe13227s\setpath.3XE
c:\svchost.exe13227s\SetPath.bat
c:\svchost.exe13227s\setpath_N.cmd
c:\svchost.exe13227s\SF.exe
c:\svchost.exe13227s\sfx.cmd
c:\svchost.exe13227s\ShAccess.dat
c:\svchost.exe13227s\SnapShot.cmd
c:\svchost.exe13227s\SRestore.cmd
c:\svchost.exe13227s\srizbi.md5
c:\svchost.exe13227s\Start_dat
c:\svchost.exe13227s\StartMenu.folder.dat
c:\svchost.exe13227s\StartUp.folder.dat
c:\svchost.exe13227s\SuppScan.cmd
c:\svchost.exe13227s\svc_wht.dat
c:\svchost.exe13227s\SvcDrv.vbs
c:\svchost.exe13227s\svchost.dat
c:\svchost.exe13227s\swreg.3XE
c:\svchost.exe13227s\swsc.3XE
c:\svchost.exe13227s\swxcacls.3XE
c:\svchost.exe13227s\SysPath.dat
c:\svchost.exe13227s\system_ini.dat
c:\svchost.exe13227s\tail.3XE
c:\svchost.exe13227s\Temp.dat
c:\svchost.exe13227s\Templates.folder.dat
c:\svchost.exe13227s\toolbar.sed
c:\svchost.exe13227s\unhand.dat
c:\svchost.exe13227s\Update-CF.cmd
c:\svchost.exe13227s\v_wht.dat
c:\svchost.exe13227s\VBR.pif
c:\svchost.exe13227s\VerCF.bat
c:\svchost.exe13227s\version.txt
c:\svchost.exe13227s\VikPev00
c:\svchost.exe13227s\Vikpev01
c:\svchost.exe13227s\VInfo
c:\svchost.exe13227s\VInfo2
c:\svchost.exe13227s\VINFO3
c:\svchost.exe13227s\Vipev.dat
c:\svchost.exe13227s\ViPev00
c:\svchost.exe13227s\ViPev01
c:\svchost.exe13227s\Vista.krl
c:\svchost.exe13227s\Vista.mac
c:\svchost.exe13227s\vistaMcode.dat
c:\svchost.exe13227s\vistareg.dat
c:\svchost.exe13227s\vRun_DLL
c:\svchost.exe13227s\vun.dat
c:\svchost.exe13227s\vundonames.dat
c:\svchost.exe13227s\VwinTemp.dacl
c:\svchost.exe13227s\w_sock.dll
c:\svchost.exe13227s\w7Mcode.dat
c:\svchost.exe13227s\whiteAll.dat
c:\svchost.exe13227s\whitedir.dat
c:\svchost.exe13227s\whitedirCreated.dat
c:\svchost.exe13227s\Wmi_rem.vbs
c:\svchost.exe13227s\xpmcode.dat
c:\svchost.exe13227s\XPSBoot.reg
c:\svchost.exe13227s\zDomain.dat
c:\svchost.exe13227s\zhsvc.dat
c:\svchost.exe13227s\zip.3XE
c:\svchost.exe13227s\Zlob01
C:\svchost.exe15403s
c:\svchost.exe15403s\023.dat
c:\svchost.exe15403s\023v.dat
c:\svchost.exe15403s\ActiveDrv.vbs
c:\svchost.exe15403s\AppData.folder.dat
c:\svchost.exe15403s\appinit.bad
c:\svchost.exe15403s\asp.str
c:\svchost.exe15403s\Assoc.cmd
c:\svchost.exe15403s\attr.dat
c:\svchost.exe15403s\ATTRIB.3XE
c:\svchost.exe15403s\autorun_inf.dat
c:\svchost.exe15403s\autorun_infB.dat
c:\svchost.exe15403s\av.cmd
c:\svchost.exe15403s\av.vbs
c:\svchost.exe15403s\AWF.cmd
c:\svchost.exe15403s\badclsid
c:\svchost.exe15403s\BFE.dat
c:\svchost.exe15403s\Boot-Rk.cmd
c:\svchost.exe15403s\Boot.bat
c:\svchost.exe15403s\BootDrv.vbs
c:\svchost.exe15403s\borlander_file.dat
c:\svchost.exe15403s\borlander_folder.dat
c:\svchost.exe15403s\c.bat
c:\svchost.exe15403s\[email protected]
c:\svchost.exe15403s\Cache.folder.dat
c:\svchost.exe15403s\Catch-sub.cmd
c:\svchost.exe15403s\catchme.3XE
c:\svchost.exe15403s\Catchme.tmp
c:\svchost.exe15403s\CCS.bat
c:\svchost.exe15403s\CF-Script.cmd
c:\svchost.exe15403s\CF16973.3XE
c:\svchost.exe15403s\Cfiles.dat
c:\svchost.exe15403s\Cfolders.dat
c:\svchost.exe15403s\CHCP.bat
c:\svchost.exe15403s\ClistB.dat
c:\svchost.exe15403s\clsid.c
c:\svchost.exe15403s\clsid.dat
c:\svchost.exe15403s\Combobatch.bat
c:\svchost.exe15403s\ComboFix-Download.3XE
c:\svchost.exe15403s\ConEnv.sed
c:\svchost.exe15403s\Cookies.folder.dat
c:\svchost.exe15403s\Create.cmd
c:\svchost.exe15403s\Creg.dat
c:\svchost.exe15403s\CregC.cmd
c:\svchost.exe15403s\CregC.dat
c:\svchost.exe15403s\CregC_.dat
c:\svchost.exe15403s\CSCRIPT.3XE
c:\svchost.exe15403s\d-del_A.dat
c:\svchost.exe15403s\d-delA.dat
c:\svchost.exe15403s\dd.3XE
c:\svchost.exe15403s\ddsDo.sed
c:\svchost.exe15403s\DelClsid.bat
c:\svchost.exe15403s\DelClsid64.bat
c:\svchost.exe15403s\Desktop.folder.dat
c:\svchost.exe15403s\DisclaimED.dat
c:\svchost.exe15403s\dll_whitelist.dat
c:\svchost.exe15403s\dnd.dat
c:\svchost.exe15403s\DPF.str
c:\svchost.exe15403s\Drive.folder.dat
c:\svchost.exe15403s\DriveFile.dat
c:\svchost.exe15403s\Drives.dat
c:\svchost.exe15403s\DrvRun.vbs
c:\svchost.exe15403s\dumphive.3XE
c:\svchost.exe15403s\embedded.sed
c:\svchost.exe15403s\en-US\ATTRIB.3XE.mui
c:\svchost.exe15403s\en-US\CF16973.3XE.mui
c:\svchost.exe15403s\en-US\cmd.3XE.mui
c:\svchost.exe15403s\en-US\CSCRIPT.3XE.mui
c:\svchost.exe15403s\en-US\iexplore.exe
c:\svchost.exe15403s\en-US\PING.3XE.mui
c:\svchost.exe15403s\en-US\REGT.3XE.mui
c:\svchost.exe15403s\en-US\ROUTE.3XE.mui
c:\svchost.exe15403s\Env.sed
c:\svchost.exe15403s\ERDNT.e_e
c:\svchost.exe15403s\ERDNTDOS.LOC
c:\svchost.exe15403s\ERDNTWIN.LOC
c:\svchost.exe15403s\ERUNT.3XE
c:\svchost.exe15403s\erunt.dat
c:\svchost.exe15403s\ERUNT.LOC
c:\svchost.exe15403s\Exe.reg
c:\svchost.exe15403s\extract.3XE
c:\svchost.exe15403s\f_system
c:\svchost.exe15403s\Favorites.folder.dat
c:\svchost.exe15403s\FD-SV.cmd
c:\svchost.exe15403s\FdsvOK
c:\svchost.exe15403s\ffdefstr.dll
c:\svchost.exe15403s\FileKill.3XE
c:\svchost.exe15403s\files.pif
c:\svchost.exe15403s\Fin.dat
c:\svchost.exe15403s\FIND3M.bat
c:\svchost.exe15403s\FIXLSP.bat
c:\svchost.exe15403s\FKMGen.cmd
c:\svchost.exe15403s\ForeignWht
c:\svchost.exe15403s\Gateway
c:\svchost.exe15403s\GetHive.cmd
c:\svchost.exe15403s\GOLDUN.DAT
c:\svchost.exe15403s\grep.3XE
c:\svchost.exe15403s\gsar.3XE
c:\svchost.exe15403s\handle.3XE
c:\svchost.exe15403s\hidec.3XE
c:\svchost.exe15403s\history.bat
c:\svchost.exe15403s\History.folder.dat
c:\svchost.exe15403s\iexplore.exe
c:\svchost.exe15403s\image001.gif
c:\svchost.exe15403s\Imefile.dat
c:\svchost.exe15403s\katch.cmd
c:\svchost.exe15403s\Kill-All.cmd
c:\svchost.exe15403s\kmd.dat
c:\svchost.exe15403s\KNetSvcs.vbs
c:\svchost.exe15403s\Lang.bat
c:\svchost.exe15403s\LatestVer
c:\svchost.exe15403s\List-B.bat
c:\svchost.exe15403s\List-C.bat
c:\svchost.exe15403s\lnkread.vbs
c:\svchost.exe15403s\LocalAppData.folder.dat
c:\svchost.exe15403s\LocalService.dat
c:\svchost.exe15403s\LocalServiceNetworkRestricted.dat
c:\svchost.exe15403s\LocalSettings.folder.dat
c:\svchost.exe15403s\LocalSystemNetworkRestricted.dat
c:\svchost.exe15403s\MainPC.user.cf
c:\svchost.exe15403s\max_.dat
c:\svchost.exe15403s\max_drivertocheck
c:\svchost.exe15403s\mbr.3XE
c:\svchost.exe15403s\mbr.chk
c:\svchost.exe15403s\md5sum.pif
c:\svchost.exe15403s\Mirrors
c:\svchost.exe15403s\MoveIt.bat
c:\svchost.exe15403s\MpsSvc.dat
c:\svchost.exe15403s\mtee.3XE
c:\svchost.exe15403s\MUI
c:\svchost.exe15403s\Music.folder.dat
c:\svchost.exe15403s\MWindows.dat
c:\svchost.exe15403s\mynul.dat
c:\svchost.exe15403s\N_\10172
c:\svchost.exe15403s\N_\10458
c:\svchost.exe15403s\N_\10705
c:\svchost.exe15403s\N_\1100
c:\svchost.exe15403s\N_\11137
c:\svchost.exe15403s\N_\11533
c:\svchost.exe15403s\N_\11677
c:\svchost.exe15403s\N_\11732
c:\svchost.exe15403s\N_\11882
c:\svchost.exe15403s\N_\11925
c:\svchost.exe15403s\N_\12326
c:\svchost.exe15403s\N_\1246
c:\svchost.exe15403s\N_\12571
c:\svchost.exe15403s\N_\12645
c:\svchost.exe15403s\N_\12694
c:\svchost.exe15403s\N_\12856
c:\svchost.exe15403s\N_\12988
c:\svchost.exe15403s\N_\13097
c:\svchost.exe15403s\N_\1334
c:\svchost.exe15403s\N_\13526
c:\svchost.exe15403s\N_\13730
c:\svchost.exe15403s\N_\13739
c:\svchost.exe15403s\N_\13948
c:\svchost.exe15403s\N_\14373
c:\svchost.exe15403s\N_\14378
c:\svchost.exe15403s\N_\14433
c:\svchost.exe15403s\N_\14744
c:\svchost.exe15403s\N_\14893
c:\svchost.exe15403s\N_\15084
c:\svchost.exe15403s\N_\15141
c:\svchost.exe15403s\N_\15163
c:\svchost.exe15403s\N_\152
c:\svchost.exe15403s\N_\15369
c:\svchost.exe15403s\N_\15553
c:\svchost.exe15403s\N_\15625
c:\svchost.exe15403s\N_\15852
c:\svchost.exe15403s\N_\16005
c:\svchost.exe15403s\N_\16287
c:\svchost.exe15403s\N_\16315
c:\svchost.exe15403s\N_\16644
c:\svchost.exe15403s\N_\16683
c:\svchost.exe15403s\N_\16863
c:\svchost.exe15403s\N_\17114
c:\svchost.exe15403s\N_\17267
c:\svchost.exe15403s\N_\175
c:\svchost.exe15403s\N_\17641
c:\svchost.exe15403s\N_\17994
c:\svchost.exe15403s\N_\18244
c:\svchost.exe15403s\N_\18249
c:\svchost.exe15403s\N_\18327
c:\svchost.exe15403s\N_\18430
c:\svchost.exe15403s\N_\18461
c:\svchost.exe15403s\N_\18517
c:\svchost.exe15403s\N_\18800
c:\svchost.exe15403s\N_\18801
c:\svchost.exe15403s\N_\18806
c:\svchost.exe15403s\N_\19119
c:\svchost.exe15403s\N_\19132
c:\svchost.exe15403s\N_\19220
c:\svchost.exe15403s\N_\19519
c:\svchost.exe15403s\N_\19605
c:\svchost.exe15403s\N_\1962
c:\svchost.exe15403s\N_\19672
c:\svchost.exe15403s\N_\19690
c:\svchost.exe15403s\N_\20137
c:\svchost.exe15403s\N_\20371
c:\svchost.exe15403s\N_\20423
c:\svchost.exe15403s\N_\20747
c:\svchost.exe15403s\N_\20817
c:\svchost.exe15403s\N_\20961
c:\svchost.exe15403s\N_\21114
c:\svchost.exe15403s\N_\21217
c:\svchost.exe15403s\N_\21228
c:\svchost.exe15403s\N_\21316
c:\svchost.exe15403s\N_\21426
c:\svchost.exe15403s\N_\21739
c:\svchost.exe15403s\N_\21989
c:\svchost.exe15403s\N_\22176
c:\svchost.exe15403s\N_\22197
c:\svchost.exe15403s\N_\22203
c:\svchost.exe15403s\N_\22259
c:\svchost.exe15403s\N_\22262
c:\svchost.exe15403s\N_\22340
c:\svchost.exe15403s\N_\22400
c:\svchost.exe15403s\N_\22510
c:\svchost.exe15403s\N_\22727
c:\svchost.exe15403s\N_\22797
c:\svchost.exe15403s\N_\23131
c:\svchost.exe15403s\N_\23365
c:\svchost.exe15403s\N_\23404
c:\svchost.exe15403s\N_\23494
c:\svchost.exe15403s\N_\23635
c:\svchost.exe15403s\N_\23641
c:\svchost.exe15403s\N_\23791
c:\svchost.exe15403s\N_\2387
c:\svchost.exe15403s\N_\23897
c:\svchost.exe15403s\N_\2395
c:\svchost.exe15403s\N_\24051
c:\svchost.exe15403s\N_\24122
c:\svchost.exe15403s\N_\24153
c:\svchost.exe15403s\N_\24181
c:\svchost.exe15403s\N_\24529
c:\svchost.exe15403s\N_\24672
c:\svchost.exe15403s\N_\2484
c:\svchost.exe15403s\N_\24920
c:\svchost.exe15403s\N_\2494
c:\svchost.exe15403s\N_\25348
c:\svchost.exe15403s\N_\25445
c:\svchost.exe15403s\N_\25511
c:\svchost.exe15403s\N_\26108
c:\svchost.exe15403s\N_\26241
c:\svchost.exe15403s\N_\26333
c:\svchost.exe15403s\N_\26700
c:\svchost.exe15403s\N_\27178
c:\svchost.exe15403s\N_\27365
c:\svchost.exe15403s\N_\27562
c:\svchost.exe15403s\N_\28041
c:\svchost.exe15403s\N_\2829
c:\svchost.exe15403s\N_\28484
c:\svchost.exe15403s\N_\28939
c:\svchost.exe15403s\N_\29014
c:\svchost.exe15403s\N_\29317
c:\svchost.exe15403s\N_\29494
c:\svchost.exe15403s\N_\29601
c:\svchost.exe15403s\N_\29613
c:\svchost.exe15403s\N_\29769
c:\svchost.exe15403s\N_\29839
c:\svchost.exe15403s\N_\2987
c:\svchost.exe15403s\N_\30012
c:\svchost.exe15403s\N_\3003
c:\svchost.exe15403s\N_\30147
c:\svchost.exe15403s\N_\30190
c:\svchost.exe15403s\N_\30454
c:\svchost.exe15403s\N_\30590
c:\svchost.exe15403s\N_\30671
c:\svchost.exe15403s\N_\30794
c:\svchost.exe15403s\N_\3099
c:\svchost.exe15403s\N_\31033
c:\svchost.exe15403s\N_\31166
c:\svchost.exe15403s\N_\31264
c:\svchost.exe15403s\N_\31553
c:\svchost.exe15403s\N_\31679
c:\svchost.exe15403s\N_\317
c:\svchost.exe15403s\N_\3200
c:\svchost.exe15403s\N_\32106
c:\svchost.exe15403s\N_\32276
c:\svchost.exe15403s\N_\32435
c:\svchost.exe15403s\N_\32451
c:\svchost.exe15403s\N_\32609
c:\svchost.exe15403s\N_\3685
c:\svchost.exe15403s\N_\3853
c:\svchost.exe15403s\N_\4165
c:\svchost.exe15403s\N_\4312
c:\svchost.exe15403s\N_\4647
c:\svchost.exe15403s\N_\4780
c:\svchost.exe15403s\N_\4943
c:\svchost.exe15403s\N_\4975
c:\svchost.exe15403s\N_\5137
c:\svchost.exe15403s\N_\5322
c:\svchost.exe15403s\N_\5334
c:\svchost.exe15403s\N_\5428
c:\svchost.exe15403s\N_\5541
c:\svchost.exe15403s\N_\564
c:\svchost.exe15403s\N_\5880
c:\svchost.exe15403s\N_\6048
c:\svchost.exe15403s\N_\6436
c:\svchost.exe15403s\N_\6562
c:\svchost.exe15403s\N_\6579
c:\svchost.exe15403s\N_\6940
c:\svchost.exe15403s\N_\7104
c:\svchost.exe15403s\N_\7221
c:\svchost.exe15403s\N_\7260
c:\svchost.exe15403s\N_\7330
c:\svchost.exe15403s\N_\7633
c:\svchost.exe15403s\N_\7731
c:\svchost.exe15403s\N_\7978
c:\svchost.exe15403s\N_\7982
c:\svchost.exe15403s\N_\8022
c:\svchost.exe15403s\N_\8134
c:\svchost.exe15403s\N_\817
c:\svchost.exe15403s\N_\8185
c:\svchost.exe15403s\N_\8208
c:\svchost.exe15403s\N_\8343
c:\svchost.exe15403s\N_\8891
c:\svchost.exe15403s\N_\897
c:\svchost.exe15403s\N_\9197
c:\svchost.exe15403s\N_\9277
c:\svchost.exe15403s\N_\9533
c:\svchost.exe15403s\N_\cfdummy00
c:\svchost.exe15403s\N_\CmdLine00
c:\svchost.exe15403s\ncmd.com
c:\svchost.exe15403s\ND_.bat
c:\svchost.exe15403s\ND_64.bat
c:\svchost.exe15403s\ndis_combofix.dat
c:\svchost.exe15403s\NetHood.folder.dat
c:\svchost.exe15403s\netsvc.bad.dat
c:\svchost.exe15403s\netsvc.dat
c:\svchost.exe15403s\NetworkService.dat
c:\svchost.exe15403s\NirCmd.3XE
c:\svchost.exe15403s\NircmdB.exe
c:\svchost.exe15403s\NirCmdC.3XE
c:\svchost.exe15403s\NIRKMD.3XE
c:\svchost.exe15403s\NlsLanguageDefault
c:\svchost.exe15403s\notifykeys.dat
c:\svchost.exe15403s\notifykeysB.dat
c:\svchost.exe15403s\NT-OS.cmd
c:\svchost.exe15403s\NULL
c:\svchost.exe15403s\OsId.txt
c:\svchost.exe15403s\OSid.vbs
c:\svchost.exe15403s\pausep.3XE
c:\svchost.exe15403s\pend.txt
c:\svchost.exe15403s\Personal.folder.dat
c:\svchost.exe15403s\pev.3XE
c:\svchost.exe15403s\PEV.exe
c:\svchost.exe15403s\pevb.3XE
c:\svchost.exe15403s\Pictures.folder.dat
c:\svchost.exe15403s\PING.3XE
c:\svchost.exe15403s\Policies.dat
c:\svchost.exe15403s\powp.dat
c:\svchost.exe15403s\PreDIR
c:\svchost.exe15403s\Prep.inf
c:\svchost.exe15403s\PrintHood.folder.dat
c:\svchost.exe15403s\Profiles.Folder.dat
c:\svchost.exe15403s\Profiles.Folder.folder.dat
c:\svchost.exe15403s\progfile.dat
c:\svchost.exe15403s\Programs.folder.dat
c:\svchost.exe15403s\Purity.dat
c:\svchost.exe15403s\PV.3XE
c:\svchost.exe15403s\pv.com
c:\svchost.exe15403s\rar_sfx.cmd
c:\svchost.exe15403s\RBoot.dat
c:\svchost.exe15403s\RCLink.dat
c:\svchost.exe15403s\RcVer00
c:\svchost.exe15403s\Recent.folder.dat
c:\svchost.exe15403s\REGDACL.sed
c:\svchost.exe15403s\RegDo.sed
c:\svchost.exe15403s\region.dat
c:\svchost.exe15403s\RegScan.cmd
c:\svchost.exe15403s\RegScan64.cmd
c:\svchost.exe15403s\REGT.3XE
c:\svchost.exe15403s\Resident.txt
c:\svchost.exe15403s\restore_pt.dat
c:\svchost.exe15403s\restore_pt.vbs
c:\svchost.exe15403s\RkDetectA_HDCntrl.dat
c:\svchost.exe15403s\Rkey.cmd
c:\svchost.exe15403s\rmbr.3XE
c:\svchost.exe15403s\rogues.dat
c:\svchost.exe15403s\ROUTE.3XE
c:\svchost.exe15403s\run.sed
c:\svchost.exe15403s\run2.sed
c:\svchost.exe15403s\Rust.str
c:\svchost.exe15403s\s0rt.3XE
c:\svchost.exe15403s\safeboot.dat
c:\svchost.exe15403s\safeboot.def.dat
c:\svchost.exe15403s\sed.3XE
c:\svchost.exe15403s\SendTo.folder.dat
c:\svchost.exe15403s\SetEnvmt.bat
c:\svchost.exe15403s\setpath.3XE
c:\svchost.exe15403s\SetPath.bat
c:\svchost.exe15403s\setpath_N.cmd
c:\svchost.exe15403s\SF.exe
c:\svchost.exe15403s\sfx.cmd
c:\svchost.exe15403s\ShAccess.dat
c:\svchost.exe15403s\SnapShot.cmd
c:\svchost.exe15403s\SRestore.cmd
c:\svchost.exe15403s\srizbi.md5
c:\svchost.exe15403s\Start_dat
c:\svchost.exe15403s\StartMenu.folder.dat
c:\svchost.exe15403s\StartUp.folder.dat
c:\svchost.exe15403s\SuppScan.cmd
c:\svchost.exe15403s\svc_wht.dat
c:\svchost.exe15403s\SvcDrv.vbs
c:\svchost.exe15403s\svchost.dat
c:\svchost.exe15403s\swreg.3XE
c:\svchost.exe15403s\swsc.3XE
c:\svchost.exe15403s\swxcacls.3XE
c:\svchost.exe15403s\SysPath.dat
c:\svchost.exe15403s\system_ini.dat
c:\svchost.exe15403s\tail.3XE
c:\svchost.exe15403s\Temp.dat
c:\svchost.exe15403s\Templates.folder.dat
c:\svchost.exe15403s\Test4Max\fltMgr.sys_linked
c:\svchost.exe15403s\toolbar.sed
c:\svchost.exe15403s\unhand.dat
c:\svchost.exe15403s\Update-CF.cmd
c:\svchost.exe15403s\v_wht.dat
c:\svchost.exe15403s\VBR.pif
c:\svchost.exe15403s\VerCF.bat
c:\svchost.exe15403s\version.txt
c:\svchost.exe15403s\VikPev00
c:\svchost.exe15403s\Vikpev01
c:\svchost.exe15403s\VInfo
c:\svchost.exe15403s\VInfo2
c:\svchost.exe15403s\VINFO3
c:\svchost.exe15403s\Vipev.dat
c:\svchost.exe15403s\ViPev00
c:\svchost.exe15403s\ViPev01
c:\svchost.exe15403s\Vista.krl
c:\svchost.exe15403s\Vista.mac
c:\svchost.exe15403s\vistaMcode.dat
c:\svchost.exe15403s\vistareg.dat
c:\svchost.exe15403s\vRun_DLL
c:\svchost.exe15403s\vun.dat
c:\svchost.exe15403s\vundonames.dat
c:\svchost.exe15403s\VwinTemp.dacl
c:\svchost.exe15403s\w_sock.dll
c:\svchost.exe15403s\w7Mcode.dat
c:\svchost.exe15403s\whiteAll.dat
c:\svchost.exe15403s\whitedir.dat
c:\svchost.exe15403s\whitedirCreated.dat
c:\svchost.exe15403s\Wmi_rem.vbs
c:\svchost.exe15403s\xpmcode.dat
c:\svchost.exe15403s\XPSBoot.reg
c:\svchost.exe15403s\zDomain.dat
c:\svchost.exe15403s\zhsvc.dat
c:\svchost.exe15403s\zip.3XE
c:\svchost.exe15403s\Zlob01
C:\u
c:\u\Test4Max\fltMgr.sys_linked
.
.
((((((((((((((((((((((((( Files Created from 2012-05-25 to 2012-06-25 )))))))))))))))))))))))))))))))
.
.
2012-06-25 17:55 . 2012-06-25 17:55 -------- d-----w- c:\users\MainPC\AppData\Local\temp
2012-06-25 17:55 . 2012-06-25 17:55 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2012-06-25 17:55 . 2012-06-25 17:55 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-06-25 17:55 . 2012-06-25 17:55 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-25 17:55 . 2012-06-25 17:55 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-06-25 06:19 . 2012-06-25 06:19 -------- d-----w- C:\_OTL
2012-06-24 21:32 . 2012-06-24 21:33 -------- d-----w- C:\FRST
2012-06-24 03:36 . 2012-06-25 01:42 -------- d-----w- C:\TDSSKiller_Quarantine
2012-06-22 07:51 . 2012-06-22 07:51 100736 ----a-w- C:\pwdiypog.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-04 22:56 . 2011-12-09 03:43 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-02-09 81920]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
"SigmatelSysTrayApp"="sttray.exe" [2007-02-08 303104]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2009-11-11 771360]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Akamai NetSession Interface]
2011-11-17 14:58 3303000 ----a-w- c:\users\MainPC\AppData\Local\Akamai\netsession_win.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-02-21 04:28 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2012-04-04 22:56 981680 ----a-w- c:\program files\Edlyn\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 21:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SweetIM]
2011-06-02 22:56 114992 ----a-r- c:\program files\SweetIM\Messenger\SweetIM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=""
"FirewallOverride"=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-04-04 63928]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
Akamai REG_MULTI_SZ Akamai
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2011-06-12 07:56 114176 ----a-w- c:\windows\System32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-04 03:36]
.
2012-06-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-04 03:36]
.
2012-05-29 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2011-12-14 04:09]
.
2012-06-25 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\uaclauncher.exe [2011-12-14 04:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
TCP: DhcpNameServer = 10.0.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-25 10:55
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,94,f7,fe,40,75,97,2f,43,99,93,a2,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,94,f7,fe,40,75,97,2f,43,99,93,a2,\
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-06-25 10:58:45
ComboFix-quarantined-files.txt 2012-06-25 17:58
ComboFix2.txt 2012-06-25 16:53
ComboFix3.txt 2011-12-29 00:34
.
Pre-Run: 214,729,863,168 bytes free
Post-Run: 214,758,211,584 bytes free
.
- - End Of File - - 124AFCF38F34E126BE47A3C7D6C84872


Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.25.08

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
MainPC :: MAINPC-PC [administrator]

6/25/2012 11:02:15 AM
mbam-log-2012-06-25 (11-02-15).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 213060
Time elapsed: 4 minute(s), 8 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

ESET SCAN

C:\Documents and Settings\MainPC\Shared\baba b-chevy.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\Documents and Settings\MainPC\Shared\baba b-hawaiian-get u in my be.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\Documents and Settings\MainPC\Shared\basshunter-megamix HIT TOP50.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\Documents and Settings\MainPC\Shared\big mountain-carribean blue.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\Documents and Settings\MainPC\Shared\bowow lets get down.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\Documents and Settings\MainPC\Shared\chevy-baba b.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\Documents and Settings\MainPC\Shared\hawaiian-baba b-guam.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\Documents and Settings\MainPC\Shared\l&s-get laid [256k quality].mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\Documents and Settings\MainPC\Shared\mariah carey break down.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\Documents and Settings\MainPC\Shared\motorhead tripple h song new single.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\Documents and Settings\MainPC\Shared\muse-ghost.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\Documents and Settings\MainPC\Shared\n sync drive myself crazy.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\Documents and Settings\MainPC\Shared\nikki mckibbin- black velvet.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\Documents and Settings\MainPC\Shared\odb shimmy baby come on new single.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\Documents and Settings\MainPC\Shared\the day you said goodbye hale.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\Documents and Settings\MainPC\Shared\tvxq- 0.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\Documents and Settings\MainPC\Shared\wwe jeff hardy theme song.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\Documents and Settings\MainPC\Shared\wwe tripple h theme song hot new track.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\TDSSKiller_Quarantine\23.06.2012_20.34.33\mbr0000\tdlfs0000\tsk0002.dta Win64/Olmarik.AK trojan
C:\TDSSKiller_Quarantine\23.06.2012_20.34.33\mbr0000\tdlfs0000\tsk0003.dta a variant of Win32/Olmarik.AYH trojan
C:\TDSSKiller_Quarantine\23.06.2012_20.34.33\mbr0000\tdlfs0000\tsk0005.dta a variant of Win32/Rootkit.Kryptik.LH trojan
C:\TDSSKiller_Quarantine\23.06.2012_20.34.33\mbr0000\tdlfs0000\tsk0006.dta Win64/Olmarik.AK trojan
C:\TDSSKiller_Quarantine\23.06.2012_20.34.33\mbr0000\tdlfs0000\tsk0010.dta Win32/Olmarik.AFK trojan
C:\TDSSKiller_Quarantine\23.06.2012_20.34.33\mbr0000\tdlfs0000\tsk0011.dta Win64/Olmarik.AK trojan
C:\TDSSKiller_Quarantine\24.06.2012_18.41.07\tdlfs0000\tsk0001.dta Win32/Olmarik.AYI trojan
C:\TDSSKiller_Quarantine\24.06.2012_18.41.07\tdlfs0000\tsk0002.dta Win64/Olmarik.AK trojan
C:\TDSSKiller_Quarantine\24.06.2012_18.41.07\tdlfs0000\tsk0003.dta a variant of Win32/Olmarik.AYH trojan
C:\TDSSKiller_Quarantine\24.06.2012_18.41.07\tdlfs0000\tsk0005.dta a variant of Win32/Rootkit.Kryptik.LH trojan
C:\TDSSKiller_Quarantine\24.06.2012_18.41.07\tdlfs0000\tsk0006.dta Win64/Olmarik.AK trojan
C:\TDSSKiller_Quarantine\24.06.2012_18.41.07\tdlfs0000\tsk0010.dta Win32/Olmarik.AFK trojan
C:\TDSSKiller_Quarantine\24.06.2012_18.41.07\tdlfs0000\tsk0011.dta Win64/Olmarik.AK trojan
C:\Users\MainPC\Shared\baba b-chevy.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\Users\MainPC\Shared\baba b-hawaiian-get u in my be.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\Users\MainPC\Shared\basshunter-megamix HIT TOP50.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\Users\MainPC\Shared\big mountain-carribean blue.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\Users\MainPC\Shared\bowow lets get down.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\Users\MainPC\Shared\chevy-baba b.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\Users\MainPC\Shared\hawaiian-baba b-guam.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\Users\MainPC\Shared\l&s-get laid [256k quality].mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\Users\MainPC\Shared\mariah carey break down.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\Users\MainPC\Shared\motorhead tripple h song new single.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\Users\MainPC\Shared\muse-ghost.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\Users\MainPC\Shared\n sync drive myself crazy.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\Users\MainPC\Shared\nikki mckibbin- black velvet.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\Users\MainPC\Shared\odb shimmy baby come on new single.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\Users\MainPC\Shared\the day you said goodbye hale.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\Users\MainPC\Shared\tvxq- 0.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\Users\MainPC\Shared\wwe jeff hardy theme song.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\Users\MainPC\Shared\wwe tripple h theme song hot new track.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
D:\MAINPC-PC\Backup Set 2010-12-15 182856\Backup Files 2010-12-15 182856\Backup files 11.zip a variant of WMA/TrojanDownloader.GetCodec.gen trojan
D:\MAINPC-PC\Backup Set 2010-12-15 182856\Backup Files 2010-12-15 182856\Backup files 24.zip a variant of WMA/TrojanDownloader.GetCodec.gen trojan
D:\MAINPC-PC\Backup Set 2010-12-15 182856\Backup Files 2010-12-15 182856\Backup files 25.zip a variant of WMA/TrojanDownloader.GetCodec.gen trojan
D:\MAINPC-PC\Backup Set 2010-12-15 182856\Backup Files 2010-12-15 182856\Backup files 26.zip a variant of WMA/TrojanDownloader.GetCodec.gen trojan
D:\MAINPC-PC\Backup Set 2010-12-15 182856\Backup Files 2010-12-15 182856\Backup files 27.zip a variant of WMA/TrojanDownloader.GetCodec.gen trojan
D:\MAINPC-PC\Backup Set 2010-12-15 182856\Backup Files 2010-12-15 182856\Backup files 32.zip a variant of WMA/TrojanDownloader.GetCodec.gen trojan
D:\MAINPC-PC\Backup Set 2010-12-15 182856\Backup Files 2010-12-15 182856\Backup files 35.zip a variant of WMA/TrojanDownloader.GetCodec.gen trojan
D:\MAINPC-PC\Backup Set 2010-12-15 182856\Backup Files 2010-12-15 182856\Backup files 36.zip a variant of WMA/TrojanDownloader.GetCodec.gen trojan

#22 CatByte (Malware Response Team)

Posted 25 June 2012 - 04:20 PM

Hi,

You will need to run a full set of backups once we are done here.

Please allow ComboFix to update if it asks to do so.

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
C:\Documents and Settings\MainPC\Shared\baba b-chevy.mp3 
C:\Documents and Settings\MainPC\Shared\baba b-hawaiian-get u in my be.mp3 
C:\Documents and Settings\MainPC\Shared\basshunter-megamix HIT TOP50.mp3 
C:\Documents and Settings\MainPC\Shared\big mountain-carribean blue.mp3 
C:\Documents and Settings\MainPC\Shared\bowow lets get down.mp3 
C:\Documents and Settings\MainPC\Shared\chevy-baba b.mp3 
C:\Documents and Settings\MainPC\Shared\hawaiian-baba b-guam.mp3 
C:\Documents and Settings\MainPC\Shared\l&s-get laid [256k quality].mp3 
C:\Documents and Settings\MainPC\Shared\mariah carey break down.mp3 
C:\Documents and Settings\MainPC\Shared\motorhead tripple h song new single.mp3 
C:\Documents and Settings\MainPC\Shared\muse-ghost.mp3 
C:\Documents and Settings\MainPC\Shared\n sync drive myself crazy.mp3 
C:\Documents and Settings\MainPC\Shared\nikki mckibbin- black velvet.mp3 
C:\Documents and Settings\MainPC\Shared\odb shimmy baby come on new single.mp3 
C:\Documents and Settings\MainPC\Shared\the day you said goodbye hale.mp3 
C:\Documents and Settings\MainPC\Shared\tvxq- 0.mp3 
C:\Documents and Settings\MainPC\Shared\wwe jeff hardy theme song.mp3 
C:\Documents and Settings\MainPC\Shared\wwe tripple h theme song hot new track.mp3 
C:\Users\MainPC\Shared\baba b-chevy.mp3 
C:\Users\MainPC\Shared\baba b-hawaiian-get u in my be.mp3 
C:\Users\MainPC\Shared\basshunter-megamix HIT TOP50.mp3 
C:\Users\MainPC\Shared\big mountain-carribean blue.mp3 
C:\Users\MainPC\Shared\bowow lets get down.mp3 
C:\Users\MainPC\Shared\chevy-baba b.mp3 
C:\Users\MainPC\Shared\hawaiian-baba b-guam.mp3 
C:\Users\MainPC\Shared\l&s-get laid [256k quality].mp3 
C:\Users\MainPC\Shared\mariah carey break down.mp3 
C:\Users\MainPC\Shared\motorhead tripple h song new single.mp3 
C:\Users\MainPC\Shared\muse-ghost.mp3 
C:\Users\MainPC\Shared\n sync drive myself crazy.mp3 
C:\Users\MainPC\Shared\nikki mckibbin- black velvet.mp3 
C:\Users\MainPC\Shared\odb shimmy baby come on new single.mp3 
C:\Users\MainPC\Shared\the day you said goodbye hale.mp3 
C:\Users\MainPC\Shared\tvxq- 0.mp3 
C:\Users\MainPC\Shared\wwe jeff hardy theme song.mp3 
C:\Users\MainPC\Shared\wwe tripple h theme song hot new track.mp3 
D:\MAINPC-PC\Backup Set 2010-12-15 182856\Backup Files 2010-12-15 182856\Backup files 11.zip 
D:\MAINPC-PC\Backup Set 2010-12-15 182856\Backup Files 2010-12-15 182856\Backup files 24.zip 
D:\MAINPC-PC\Backup Set 2010-12-15 182856\Backup Files 2010-12-15 182856\Backup files 25.zip 
D:\MAINPC-PC\Backup Set 2010-12-15 182856\Backup Files 2010-12-15 182856\Backup files 26.zip 
D:\MAINPC-PC\Backup Set 2010-12-15 182856\Backup Files 2010-12-15 182856\Backup files 27.zip 
D:\MAINPC-PC\Backup Set 2010-12-15 182856\Backup Files 2010-12-15 182856\Backup files 32.zip 
D:\MAINPC-PC\Backup Set 2010-12-15 182856\Backup Files 2010-12-15 182856\Backup files 35.zip 
D:\MAINPC-PC\Backup Set 2010-12-15 182856\Backup Files 2010-12-15 182856\Backup files 36.zip 

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


Your Java is out of date. Go to Start > Control Panel > Programs and Features, scroll down to the Java installation and remove it, then download the latest Java (version 7 update 5) and install it: http://java.com/en/download/index.jsp


NEXT


Please advise how the computer is running now and if there are any outstanding issues.
The help you receive here is free. If you wish to show your appreciation, then you may [donate button]
Microsoft MVP - 2010, 2011, 2012, 2013
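The post above builds the CFScript by hand from the ESET scan lines: a File:: directive, one full path per line, then a ClearJavaCache:: directive, with the hits already sitting under C:\TDSSKiller_Quarantine left out. The script below is an added example for this thread (not a BleepingComputer, ESET or ComboFix tool, and not CatByte's code) that does the same transformation mechanically, so a helper reviewing a long scan gets a per-detection count and a ready-to-paste File:: block. It assumes the plain-text ESET format shown above ('<path> <detection name> <category>'); the QUARANTINE_FOLDERS list, the Qoobox entry (ComboFix's own quarantine folder, from general knowledge) and the SAMPLE_SCAN lines are constructed for the example, the sample hits being copied from the ESET log in this thread.

```python
"""Build a ComboFix CFScript 'File::' block from ESET Online Scanner output.

Added example for this thread; it is not a BleepingComputer, ESET or ComboFix
tool. It assumes the plain-text ESET format seen above: one hit per line,
'<full path> <detection name> <category>', where the path may contain spaces
and the detection name may carry the prefix 'a variant of'.
"""
import re
from collections import Counter
from typing import List, NamedTuple, Sequence


class Detection(NamedTuple):
    path: str       # full path exactly as ESET reported it
    detection: str  # e.g. 'a variant of WMA/TrojanDownloader.GetCodec.gen'
    category: str   # e.g. 'trojan'


# The path is matched non-greedily so spaces inside file names survive; the
# detection name is the single whitespace-free token before the category.
ESET_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<detection>(?:a variant of )?[\w./+-]+)\s+"
    r"(?P<category>trojan|worm|virus|adware|backdoor|"
    r"(?:potentially (?:unwanted|unsafe) )?application)\s*$"
)

# Hits inside another tool's quarantine are already neutralised, which is why
# the CFScript in the thread left the C:\TDSSKiller_Quarantine entries out.
# Assumption for this example: folder names whose hits are skipped (Qoobox is
# ComboFix's own quarantine folder).
QUARANTINE_FOLDERS = ("TDSSKiller_Quarantine", "Qoobox")

# Constructed sample: three lines copied from the ESET log in this thread, one
# quarantined hit that must be skipped, and one made-up line that is no hit.
SAMPLE_SCAN = r"""
C:\Documents and Settings\MainPC\Shared\baba b-chevy.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\Users\MainPC\Shared\muse-ghost.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\TDSSKiller_Quarantine\23.06.2012_20.34.33\mbr0000\tdlfs0000\tsk0002.dta Win64/Olmarik.AK trojan
D:\MAINPC-PC\Backup Set 2010-12-15 182856\Backup Files 2010-12-15 182856\Backup files 11.zip a variant of WMA/TrojanDownloader.GetCodec.gen trojan
Scan completed, 4 infected files found
"""


def parse_eset_scan(text: str) -> List[Detection]:
    """Parse ESET output into Detection records; non-matching lines are ignored."""
    hits = []
    for line in text.splitlines():
        m = ESET_LINE.match(line.strip())
        if m:
            hits.append(Detection(m["path"], m["detection"], m["category"]))
    return hits


def is_quarantined(path: str) -> bool:
    """True when any folder on the path is a known quarantine folder."""
    return any(folder in path.split("\\") for folder in QUARANTINE_FOLDERS)


def build_cfscript(hits: Sequence[Detection],
                   extra_directives: Sequence[str] = ("ClearJavaCache::",)) -> str:
    """Emit a CFScript: 'File::' with one path per line, then the extra
    directives, each block separated by a blank line, as in the post above."""
    paths: List[str] = []
    for hit in hits:
        if not is_quarantined(hit.path) and hit.path not in paths:
            paths.append(hit.path)
    blocks = ["File::\n" + "\n".join(paths), *extra_directives]
    return "\n\n".join(blocks) + "\n"


def summarize(hits: Sequence[Detection]) -> Counter:
    """Count hits per detection name so a helper sees what dominates the scan."""
    return Counter(hit.detection for hit in hits)


if __name__ == "__main__":
    found = parse_eset_scan(SAMPLE_SCAN)
    for name, count in summarize(found).most_common():
        print(f"{count:3d}  {name}")
    print()
    print(build_cfscript(found))
```

Run it as-is to see the summary and the script for the sample lines; in practice, replace SAMPLE_SCAN with the contents of the ESET log. On Vista, C:\Documents and Settings is a junction onto C:\Users, which is why ComboFix's "Other Deletions" further down lists only the c:\users copies; the script keeps both paths, as the hand-written CFScript above did, because the duplicate lines are harmless.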

#23 nylde.star (Topic Starter)

Posted 25 June 2012 - 05:10 PM

Computer seems to be back to normal. The internet doesn't redirect me to sites any longer and that's a really good thing. There was one site however (just did a random google search) that I tried to click but it told me that windows cannot connect to it. I tried to click on the site again and it worked. I'd like to see how the computer (internet mostly) runs for today until tomorrow just to make sure that there are no more problems. I'll update you tomorrow. By the way, I did remove the old java and installed a new one. Also, the combofix log is below. Anyways, I just wanted to thank you for all your help and patience. I really thought that that virus would be the end of my desktop pc. Thank you again...very much.


ComboFix 12-06-25.03 - MainPC 06/25/2012 14:26:22.6.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1013.357 [GMT -7:00]
Running from: c:\users\MainPC\Desktop\ComboFix.exe
Command switches used :: c:\users\MainPC\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\documents and settings\MainPC\Shared\baba b-chevy.mp3"
"c:\documents and settings\MainPC\Shared\baba b-hawaiian-get u in my be.mp3"
"c:\documents and settings\MainPC\Shared\basshunter-megamix HIT TOP50.mp3"
"c:\documents and settings\MainPC\Shared\big mountain-carribean blue.mp3"
"c:\documents and settings\MainPC\Shared\bowow lets get down.mp3"
"c:\documents and settings\MainPC\Shared\chevy-baba b.mp3"
"c:\documents and settings\MainPC\Shared\hawaiian-baba b-guam.mp3"
"c:\documents and settings\MainPC\Shared\l&s-get laid [256k quality].mp3"
"c:\documents and settings\MainPC\Shared\mariah carey break down.mp3"
"c:\documents and settings\MainPC\Shared\motorhead tripple h song new single.mp3"
"c:\documents and settings\MainPC\Shared\muse-ghost.mp3"
"c:\documents and settings\MainPC\Shared\n sync drive myself crazy.mp3"
"c:\documents and settings\MainPC\Shared\nikki mckibbin- black velvet.mp3"
"c:\documents and settings\MainPC\Shared\odb shimmy baby come on new single.mp3"
"c:\documents and settings\MainPC\Shared\the day you said goodbye hale.mp3"
"c:\documents and settings\MainPC\Shared\tvxq- 0.mp3"
"c:\documents and settings\MainPC\Shared\wwe jeff hardy theme song.mp3"
"c:\documents and settings\MainPC\Shared\wwe tripple h theme song hot new track.mp3"
"c:\users\MainPC\Shared\baba b-chevy.mp3"
"c:\users\MainPC\Shared\baba b-hawaiian-get u in my be.mp3"
"c:\users\MainPC\Shared\basshunter-megamix HIT TOP50.mp3"
"c:\users\MainPC\Shared\big mountain-carribean blue.mp3"
"c:\users\MainPC\Shared\bowow lets get down.mp3"
"c:\users\MainPC\Shared\chevy-baba b.mp3"
"c:\users\MainPC\Shared\hawaiian-baba b-guam.mp3"
"c:\users\MainPC\Shared\l&s-get laid [256k quality].mp3"
"c:\users\MainPC\Shared\mariah carey break down.mp3"
"c:\users\MainPC\Shared\motorhead tripple h song new single.mp3"
"c:\users\MainPC\Shared\muse-ghost.mp3"
"c:\users\MainPC\Shared\n sync drive myself crazy.mp3"
"c:\users\MainPC\Shared\nikki mckibbin- black velvet.mp3"
"c:\users\MainPC\Shared\odb shimmy baby come on new single.mp3"
"c:\users\MainPC\Shared\the day you said goodbye hale.mp3"
"c:\users\MainPC\Shared\tvxq- 0.mp3"
"c:\users\MainPC\Shared\wwe jeff hardy theme song.mp3"
"c:\users\MainPC\Shared\wwe tripple h theme song hot new track.mp3"
"d:\mainpc-pc\Backup Set 2010-12-15 182856\Backup Files 2010-12-15 182856\Backup files 11.zip"
"d:\mainpc-pc\Backup Set 2010-12-15 182856\Backup Files 2010-12-15 182856\Backup files 24.zip"
"d:\mainpc-pc\Backup Set 2010-12-15 182856\Backup Files 2010-12-15 182856\Backup files 25.zip"
"d:\mainpc-pc\Backup Set 2010-12-15 182856\Backup Files 2010-12-15 182856\Backup files 26.zip"
"d:\mainpc-pc\Backup Set 2010-12-15 182856\Backup Files 2010-12-15 182856\Backup files 27.zip"
"d:\mainpc-pc\Backup Set 2010-12-15 182856\Backup Files 2010-12-15 182856\Backup files 32.zip"
"d:\mainpc-pc\Backup Set 2010-12-15 182856\Backup Files 2010-12-15 182856\Backup files 35.zip"
"d:\mainpc-pc\Backup Set 2010-12-15 182856\Backup Files 2010-12-15 182856\Backup files 36.zip"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\MainPC\Shared\baba b-chevy.mp3
c:\users\MainPC\Shared\baba b-hawaiian-get u in my be.mp3
c:\users\MainPC\Shared\basshunter-megamix HIT TOP50.mp3
c:\users\MainPC\Shared\big mountain-carribean blue.mp3
c:\users\MainPC\Shared\bowow lets get down.mp3
c:\users\MainPC\Shared\chevy-baba b.mp3
c:\users\MainPC\Shared\hawaiian-baba b-guam.mp3
c:\users\MainPC\Shared\l&s-get laid [256k quality].mp3
c:\users\MainPC\Shared\mariah carey break down.mp3
c:\users\MainPC\Shared\motorhead tripple h song new single.mp3
c:\users\MainPC\Shared\muse-ghost.mp3
c:\users\MainPC\Shared\n sync drive myself crazy.mp3
c:\users\MainPC\Shared\nikki mckibbin- black velvet.mp3
c:\users\MainPC\Shared\odb shimmy baby come on new single.mp3
c:\users\MainPC\Shared\the day you said goodbye hale.mp3
c:\users\MainPC\Shared\wwe jeff hardy theme song.mp3
c:\users\MainPC\Shared\wwe tripple h theme song hot new track.mp3
d:\mainpc-pc\Backup Set 2010-12-15 182856\Backup Files 2010-12-15 182856\Backup files 11.zip
d:\mainpc-pc\Backup Set 2010-12-15 182856\Backup Files 2010-12-15 182856\Backup files 24.zip
d:\mainpc-pc\Backup Set 2010-12-15 182856\Backup Files 2010-12-15 182856\Backup files 25.zip
d:\mainpc-pc\Backup Set 2010-12-15 182856\Backup Files 2010-12-15 182856\Backup files 26.zip
d:\mainpc-pc\Backup Set 2010-12-15 182856\Backup Files 2010-12-15 182856\Backup files 27.zip
d:\mainpc-pc\Backup Set 2010-12-15 182856\Backup Files 2010-12-15 182856\Backup files 32.zip
d:\mainpc-pc\Backup Set 2010-12-15 182856\Backup Files 2010-12-15 182856\Backup files 35.zip
d:\mainpc-pc\Backup Set 2010-12-15 182856\Backup Files 2010-12-15 182856\Backup files 36.zip
.
.
((((((((((((((((((((((((( Files Created from 2012-05-25 to 2012-06-25 )))))))))))))))))))))))))))))))
.
.
2012-06-25 21:39 . 2012-06-25 21:39 -------- d-----w- c:\users\MainPC\AppData\Local\temp
2012-06-25 21:39 . 2012-06-25 21:39 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2012-06-25 21:39 . 2012-06-25 21:39 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-06-25 21:39 . 2012-06-25 21:39 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-25 21:39 . 2012-06-25 21:39 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-06-25 18:37 . 2012-06-25 18:37 -------- d-----w- c:\program files\ESET
2012-06-25 06:19 . 2012-06-25 06:19 -------- d-----w- C:\_OTL
2012-06-24 21:32 . 2012-06-24 21:33 -------- d-----w- C:\FRST
2012-06-24 03:36 . 2012-06-25 01:42 -------- d-----w- C:\TDSSKiller_Quarantine
2012-06-22 07:51 . 2012-06-22 07:51 100736 ----a-w- C:\pwdiypog.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-04 22:56 . 2011-12-09 03:43 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-02-09 81920]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
"SigmatelSysTrayApp"="sttray.exe" [2007-02-08 303104]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2009-11-11 771360]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Akamai NetSession Interface]
2011-11-17 14:58 3303000 ----a-w- c:\users\MainPC\AppData\Local\Akamai\netsession_win.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-02-21 04:28 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2012-04-04 22:56 981680 ----a-w- c:\program files\Edlyn\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 21:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SweetIM]
2011-06-02 22:56 114992 ----a-r- c:\program files\SweetIM\Messenger\SweetIM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=""
"FirewallOverride"=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-04-04 63928]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
Akamai REG_MULTI_SZ Akamai
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2011-06-12 07:56 114176 ----a-w- c:\windows\System32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-04 03:36]
.
2012-06-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-04 03:36]
.
2012-05-29 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2011-12-14 04:09]
.
2012-06-25 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\uaclauncher.exe [2011-12-14 04:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
TCP: DhcpNameServer = 10.0.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-25 14:39
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,94,f7,fe,40,75,97,2f,43,99,93,a2,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,94,f7,fe,40,75,97,2f,43,99,93,a2,\
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-06-25 14:47:29
ComboFix-quarantined-files.txt 2012-06-25 21:47
ComboFix2.txt 2012-06-25 17:58
ComboFix3.txt 2012-06-25 16:53
ComboFix4.txt 2011-12-29 00:34
.
Pre-Run: 213,444,198,400 bytes free
Post-Run: 210,123,096,064 bytes free
.
- - End Of File - - 6144F97D929334E5D5EFCFB5B1F1DF62

#24 CatByte (Malware Response Team)

Posted 25 June 2012 - 05:16 PM

good to hear

let me know if there are any outstanding issues

we have a tool cleanup routine to perform if all is OK

#25 nylde.star (Topic Starter)

Posted 26 June 2012 - 11:57 PM

So far so good. I haven't heard any complaints about the computer acting up. I think it's ready for the cleanup. Let me know how to go about that.

#26 CatByte (Malware Response Team)

Posted 27 June 2012 - 05:08 PM

Hi,

here are the housekeeping instructions


You can delete the FRST logs and program from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Click START then RUN
  • Now copy/paste Combofix /uninstall into the run box and click OK. Note the space between the ...X and the /U; it needs to be there.

[Screenshot: the Run box with Combofix /uninstall entered]


NEXT



Clean up with OTL:
  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.


If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article:
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at:
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest security updates installed.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job.
    • Once it's finished it should automatically reboot your machine;
    • if it doesn't, manually reboot to ensure a complete clean.
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
    PC Safety and Security--What Do I Need?


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank you.

#27 nylde.star (Topic Starter)

Posted 28 June 2012 - 01:08 AM

Thank you so much. I've done the cleanup and also downloaded and ran the TFC. Thanks again. I couldn't be more grateful for your (and the rest of the bleeping computer staff's) help. Many thanks!

#28 CatByte (Malware Response Team)

Posted 28 June 2012 - 05:06 PM

you are welcome

stay safe :hello:

~CB

#29 CatByte (Malware Response Team)

Posted 28 June 2012 - 05:08 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.