Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

svchost2.exe has stop working


  • This topic is locked This topic is locked
10 replies to this topic

#1 dPhantom

dPhantom

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:49 AM

Posted 22 August 2012 - 09:06 PM

I am currently running 64-bit version of Windows 7. However, a couple of day ago I keep getting a pop-up window every 30 minutes or so that states "svchost2.exe has stop working".
Once I close it, another one appears within 30 minutes. It is getting rather annoying and I would like for it to stop. Please help!


.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.4.0
Run by Dan at 21:42:31 on 2012-08-22
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.12286.10041 [GMT -4:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\atieclxx.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Users\Dan\AppData\Roaming\9 1\rundll32.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
"C:\Users\Dan\AppData\Roaming\9 1\svchost.exe" "1B8wQLGFeYi4BWqyyKLKB3yMLvExB131ZL:[email protected]:8337" "--device=0" "-f" "60"
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
C:\Windows\system32\conhost.exe
D:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Windows\SysWOW64\Explorer.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Winamp\winampa.exe
D:\Program Files (x86)\uTorrent\uTorrent.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\WUDFHost.exe
C:\Users\Dan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE
C:\Windows\splwow64.exe
C:\Users\Dan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~1\Office12\GR469A~1.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
uRun: [Windows] C:\Users\Dan\AppData\Roaming\svchost.exe
uRun: [adobeupdate] "C:\Users\Dan\AppData\Roaming\9 1\l3.lnk"
uRun: [adobeupdater] "C:\Users\Dan\AppData\Roaming\9 1\rundll32.exe"
uRun: [Google Update] "C:\Users\Dan\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [{3351E4C5-40E3-4541-BD35-31DB98A61B66}] "D:\- Downloads\DecipherVoiceMail.exe" /cmdloc "HKCU\Software\Decipher Media AiTemp\{3351E4C5-40E3-4541-BD35-31DB98A61B66}"
uRun: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
uRun: [iCloudServices] C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "D:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [CanonSolutionMenuEx] C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE /logon
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [WinampAgent] "C:\Program Files (x86)\Winamp\winampa.exe"
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{D0012D75-34AB-40E5-8C81-7F5B49756B6D} : DhcpNameServer = 75.75.75.75 75.75.76.76
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~2\MICROS~1\Office12\GRA32A~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~1\Office12\GR469A~1.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Winamp Toolbar Loader: {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
BHO-X64: Winamp Toolbar Loader - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office12\GR469A~1.DLL
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB-X64: Winamp Toolbar: {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [iTunesHelper] "D:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [CanonSolutionMenuEx] C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE /logon
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [WinampAgent] "C:\Program Files (x86)\Winamp\winampa.exe"
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~1\Office12\GR469A~1.DLL
.
============= SERVICES / DRIVERS ===============
.
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-4-4 63928]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 cpuz135;cpuz135;\??\C:\Windows\system32\drivers\cpuz135_x64.sys --> C:\Windows\system32\drivers\cpuz135_x64.sys [?]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 HiPatchService;Hi-Rez Studios Authenticate and Update Service;D:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe --> D:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe [?]
S2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-5-17 1258856]
S3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
S3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
S3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;C:\Program Files (x86)\Futuremark\Futuremark SystemInfo\FMSISvc.exe [2012-5-6 135584]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-08-22 04:04:01 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{842B9C44-5ECE-486E-A285-98F8C687055F}\offreg.dll
2012-08-21 10:39:16 9133488 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{842B9C44-5ECE-486E-A285-98F8C687055F}\mpengine.dll
2012-08-21 10:37:44 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2012-08-20 01:01:40 -------- d-----w- C:\Users\Dan\AppData\Roaming\Topckit
2012-08-19 19:22:06 65602 ----a-w- C:\Windows\SysWow64\cook3260.dll
2012-08-19 19:22:06 626688 ----a-w- C:\Windows\SysWow64\vp7vfw.dll
2012-08-19 19:22:06 217127 ----a-w- C:\Windows\SysWow64\drv43260.dll
2012-08-19 19:22:06 208935 ----a-w- C:\Windows\SysWow64\drv33260.dll
2012-08-19 19:22:06 176165 ----a-w- C:\Windows\SysWow64\drv23260.dll
2012-08-19 19:22:06 1184984 ----a-w- C:\Windows\SysWow64\wvc1dmod.dll
2012-08-19 19:22:06 102439 ----a-w- C:\Windows\SysWow64\sipr3260.dll
2012-08-19 19:22:05 -------- d-----w- C:\Program Files (x86)\VSO
2012-08-18 21:24:06 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-08-11 17:24:07 -------- d-----w- C:\Users\Dan\AppData\Local\35CBA840-C636-4568-9932-0F45725FBC3A.aplzod
2012-08-11 04:24:07 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin7.dll
2012-08-11 04:24:07 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin6.dll
2012-08-11 04:24:07 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin5.dll
2012-08-11 04:24:07 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin4.dll
2012-08-11 04:24:07 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin3.dll
2012-08-11 04:24:07 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin2.dll
2012-08-11 04:24:07 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin.dll
2012-08-08 04:19:12 -------- d-----w- C:\ProgramData\LightScribe
2012-08-08 04:14:44 -------- d-----w- C:\ProgramData\Nero
2012-08-07 05:19:48 -------- d-----w- C:\Users\Dan\AppData\Roaming\Decipher Media
2012-08-07 05:19:48 -------- d-----w- C:\Users\Dan\.swt
2012-08-05 07:15:01 364352 ----a-w- C:\Windows\System32\nvdecodemft.dll
2012-08-05 07:15:01 301376 ----a-w- C:\Windows\SysWow64\nvdecodemft.dll
2012-08-05 04:42:21 -------- d-----w- C:\ProgramData\regid.1986-12.com.adobe
2012-07-26 02:33:19 -------- d-----w- C:\ProgramData\NVIDIA Corporation
.
==================== Find3M ====================
.
2012-08-19 18:40:52 350288 ----a-w- C:\Users\Dan\AppData\Roaming\svchost.exe
2012-08-19 18:40:49 44115322 ----a-w- C:\Users\Dan\AppData\Roaming\X-DVD-CREATOR7.EXE
2012-08-19 18:40:49 350288 ----a-w- C:\Users\Dan\AppData\Roaming\SETUP.EXE
2012-08-18 21:24:06 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-18 18:15:06 3148800 ----a-w- C:\Windows\System32\win32k.sys
2012-07-09 02:00:02 283304 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
2012-07-09 02:00:02 283304 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2012-07-09 01:59:56 280904 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
2012-07-05 03:45:59 76888 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe
2012-07-04 22:13:27 59392 ----a-w- C:\Windows\System32\browcli.dll
2012-07-04 22:13:27 136704 ----a-w- C:\Windows\System32\browser.dll
2012-07-04 21:14:34 41984 ----a-w- C:\Windows\SysWow64\browcli.dll
2012-06-29 03:56:34 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2012-06-29 03:49:11 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-06-29 03:48:07 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-06-29 03:43:49 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-06-29 03:39:48 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-06-29 00:16:58 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-06-29 00:09:01 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-06-29 00:08:59 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-06-29 00:04:43 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-06-29 00:00:45 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-06-28 23:56:15 2667062 ----a-w- C:\Windows\System32\nvcoproc.bin
2012-06-28 23:55:57 3266408 ----a-w- C:\Windows\System32\nvsvc64.dll
2012-06-28 23:55:46 6193000 ----a-w- C:\Windows\System32\nvcpl.dll
2012-06-28 23:55:40 118120 ----a-w- C:\Windows\System32\nvmctray.dll
2012-06-28 23:55:39 891240 ----a-w- C:\Windows\System32\nvvsvc.exe
2012-06-28 23:55:39 63336 ----a-w- C:\Windows\System32\nvshext.dll
2012-06-06 06:06:16 2004480 ----a-w- C:\Windows\System32\msxml6.dll
2012-06-06 06:06:16 1881600 ----a-w- C:\Windows\System32\msxml3.dll
2012-06-06 06:02:54 1133568 ----a-w- C:\Windows\System32\cdosys.dll
2012-06-06 05:05:52 1390080 ----a-w- C:\Windows\SysWow64\msxml6.dll
2012-06-06 05:05:52 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll
2012-06-06 05:03:06 805376 ----a-w- C:\Windows\SysWow64\cdosys.dll
2012-06-02 22:15:31 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-06-02 22:15:08 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-06-02 19:19:42 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-06-02 19:15:12 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-06-02 05:50:10 458704 ----a-w- C:\Windows\System32\drivers\cng.sys
2012-06-02 05:48:16 95600 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2012-06-02 05:48:16 151920 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2012-06-02 05:45:31 340992 ----a-w- C:\Windows\System32\schannel.dll
2012-06-02 05:44:21 307200 ----a-w- C:\Windows\System32\ncrypt.dll
2012-06-02 04:40:42 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2012-06-02 04:40:39 225280 ----a-w- C:\Windows\SysWow64\schannel.dll
2012-06-02 04:39:10 219136 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2012-05-31 16:25:12 279656 ------w- C:\Windows\System32\MpSigStub.exe
.
============= FINISH: 21:42:40.73 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,348 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:49 AM

Posted 24 August 2012 - 04:17 PM

Please run the following

Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif
Microsoft MVP - 2010, 2011, 2012, 2013

#3 dPhantom

dPhantom
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:49 AM

Posted 24 August 2012 - 07:15 PM

Here's the ComboFix log


ComboFix 12-08-24.02 - Dan 08/24/2012 20:09:32.1.8 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.12286.10235 [GMT -4:00]
Running from: c:\users\Dan\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\Adobe\Reader.exe
c:\users\Dan\AppData\Roaming\2 9
c:\users\Dan\AppData\Roaming\2 9\_ctypes.pyd
c:\users\Dan\AppData\Roaming\2 9\_hashlib.pyd
c:\users\Dan\AppData\Roaming\2 9\_socket.pyd
c:\users\Dan\AppData\Roaming\2 9\_ssl.pyd
c:\users\Dan\AppData\Roaming\2 9\5b824e292c9492a60a3471ff439c7f7e.elf
c:\users\Dan\AppData\Roaming\2 9\bat.bat
c:\users\Dan\AppData\Roaming\2 9\boost_python-vc90-mt-1_39.dll
c:\users\Dan\AppData\Roaming\2 9\bt.lnk
c:\users\Dan\AppData\Roaming\2 9\bz2.pyd
c:\users\Dan\AppData\Roaming\2 9\j.exe
c:\users\Dan\AppData\Roaming\2 9\l3.lnk
c:\users\Dan\AppData\Roaming\2 9\library.zip
c:\users\Dan\AppData\Roaming\2 9\msvcp90.dll
c:\users\Dan\AppData\Roaming\2 9\numpy.core._dotblas.pyd
c:\users\Dan\AppData\Roaming\2 9\numpy.core._sort.pyd
c:\users\Dan\AppData\Roaming\2 9\numpy.core.multiarray.pyd
c:\users\Dan\AppData\Roaming\2 9\numpy.core.scalarmath.pyd
c:\users\Dan\AppData\Roaming\2 9\numpy.core.umath.pyd
c:\users\Dan\AppData\Roaming\2 9\numpy.fft.fftpack_lite.pyd
c:\users\Dan\AppData\Roaming\2 9\numpy.lib._compiled_base.pyd
c:\users\Dan\AppData\Roaming\2 9\numpy.linalg.lapack_lite.pyd
c:\users\Dan\AppData\Roaming\2 9\numpy.random.mtrand.pyd
c:\users\Dan\AppData\Roaming\2 9\phatk.cl
c:\users\Dan\AppData\Roaming\2 9\pyopencl._cl.pyd
c:\users\Dan\AppData\Roaming\2 9\python26.dll
c:\users\Dan\AppData\Roaming\2 9\rundll32.exe
c:\users\Dan\AppData\Roaming\2 9\select.pyd
c:\users\Dan\AppData\Roaming\2 9\settings.txt
c:\users\Dan\AppData\Roaming\2 9\svchost.exe
c:\users\Dan\AppData\Roaming\2 9\svchost2.exe
c:\users\Dan\AppData\Roaming\2 9\unicodedata.pyd
c:\users\Dan\AppData\Roaming\2 9\w9xpopen.exe
c:\users\Dan\AppData\Roaming\3 5
c:\users\Dan\AppData\Roaming\3 5\bat.bat
c:\users\Dan\AppData\Roaming\3 5\bt.lnk
c:\users\Dan\AppData\Roaming\3 5\rundll32.exe
c:\users\Dan\AppData\Roaming\3 5\settings.txt
c:\users\Dan\AppData\Roaming\3 5\svchost2.exe
c:\users\Dan\AppData\Roaming\7 9
c:\users\Dan\AppData\Roaming\7 9\_ctypes.pyd
c:\users\Dan\AppData\Roaming\7 9\_hashlib.pyd
c:\users\Dan\AppData\Roaming\7 9\_socket.pyd
c:\users\Dan\AppData\Roaming\7 9\_ssl.pyd
c:\users\Dan\AppData\Roaming\7 9\5b824e292c9492a60a3471ff439c7f7e.elf
c:\users\Dan\AppData\Roaming\7 9\bat.bat
c:\users\Dan\AppData\Roaming\7 9\boost_python-vc90-mt-1_39.dll
c:\users\Dan\AppData\Roaming\7 9\bt.lnk
c:\users\Dan\AppData\Roaming\7 9\bz2.pyd
c:\users\Dan\AppData\Roaming\7 9\j.exe
c:\users\Dan\AppData\Roaming\7 9\l3.lnk
c:\users\Dan\AppData\Roaming\7 9\library.zip
c:\users\Dan\AppData\Roaming\7 9\msvcp90.dll
c:\users\Dan\AppData\Roaming\7 9\numpy.core._dotblas.pyd
c:\users\Dan\AppData\Roaming\7 9\numpy.core._sort.pyd
c:\users\Dan\AppData\Roaming\7 9\numpy.core.multiarray.pyd
c:\users\Dan\AppData\Roaming\7 9\numpy.core.scalarmath.pyd
c:\users\Dan\AppData\Roaming\7 9\numpy.core.umath.pyd
c:\users\Dan\AppData\Roaming\7 9\numpy.fft.fftpack_lite.pyd
c:\users\Dan\AppData\Roaming\7 9\numpy.lib._compiled_base.pyd
c:\users\Dan\AppData\Roaming\7 9\numpy.linalg.lapack_lite.pyd
c:\users\Dan\AppData\Roaming\7 9\numpy.random.mtrand.pyd
c:\users\Dan\AppData\Roaming\7 9\phatk.cl
c:\users\Dan\AppData\Roaming\7 9\pyopencl._cl.pyd
c:\users\Dan\AppData\Roaming\7 9\python26.dll
c:\users\Dan\AppData\Roaming\7 9\rundll32.exe
c:\users\Dan\AppData\Roaming\7 9\select.pyd
c:\users\Dan\AppData\Roaming\7 9\settings.txt
c:\users\Dan\AppData\Roaming\7 9\svchost.exe
c:\users\Dan\AppData\Roaming\7 9\svchost2.exe
c:\users\Dan\AppData\Roaming\7 9\unicodedata.pyd
c:\users\Dan\AppData\Roaming\7 9\w9xpopen.exe
c:\users\Dan\AppData\Roaming\9 1
c:\users\Dan\AppData\Roaming\9 1\_ctypes.pyd
c:\users\Dan\AppData\Roaming\9 1\_hashlib.pyd
c:\users\Dan\AppData\Roaming\9 1\_socket.pyd
c:\users\Dan\AppData\Roaming\9 1\_ssl.pyd
c:\users\Dan\AppData\Roaming\9 1\5b824e292c9492a60a3471ff439c7f7e.elf
c:\users\Dan\AppData\Roaming\9 1\bat.bat
c:\users\Dan\AppData\Roaming\9 1\boost_python-vc90-mt-1_39.dll
c:\users\Dan\AppData\Roaming\9 1\bt.lnk
c:\users\Dan\AppData\Roaming\9 1\bz2.pyd
c:\users\Dan\AppData\Roaming\9 1\c3e0e03776073e1fe29628d1c2a3f416.elf
c:\users\Dan\AppData\Roaming\9 1\j.exe
c:\users\Dan\AppData\Roaming\9 1\l3.lnk
c:\users\Dan\AppData\Roaming\9 1\library.zip
c:\users\Dan\AppData\Roaming\9 1\msvcp90.dll
c:\users\Dan\AppData\Roaming\9 1\numpy.core._dotblas.pyd
c:\users\Dan\AppData\Roaming\9 1\numpy.core._sort.pyd
c:\users\Dan\AppData\Roaming\9 1\numpy.core.multiarray.pyd
c:\users\Dan\AppData\Roaming\9 1\numpy.core.scalarmath.pyd
c:\users\Dan\AppData\Roaming\9 1\numpy.core.umath.pyd
c:\users\Dan\AppData\Roaming\9 1\numpy.fft.fftpack_lite.pyd
c:\users\Dan\AppData\Roaming\9 1\numpy.lib._compiled_base.pyd
c:\users\Dan\AppData\Roaming\9 1\numpy.linalg.lapack_lite.pyd
c:\users\Dan\AppData\Roaming\9 1\numpy.random.mtrand.pyd
c:\users\Dan\AppData\Roaming\9 1\phatk.cl
c:\users\Dan\AppData\Roaming\9 1\pyopencl._cl.pyd
c:\users\Dan\AppData\Roaming\9 1\python26.dll
c:\users\Dan\AppData\Roaming\9 1\rundll32.exe
c:\users\Dan\AppData\Roaming\9 1\select.pyd
c:\users\Dan\AppData\Roaming\9 1\settings.txt
c:\users\Dan\AppData\Roaming\9 1\svchost.exe
c:\users\Dan\AppData\Roaming\9 1\svchost2.exe
c:\users\Dan\AppData\Roaming\9 1\unicodedata.pyd
c:\users\Dan\AppData\Roaming\9 1\w9xpopen.exe
c:\users\Dan\AppData\Roaming\9 9
c:\users\Dan\AppData\Roaming\9 9\_ctypes.pyd
c:\users\Dan\AppData\Roaming\9 9\_hashlib.pyd
c:\users\Dan\AppData\Roaming\9 9\_socket.pyd
c:\users\Dan\AppData\Roaming\9 9\_ssl.pyd
c:\users\Dan\AppData\Roaming\9 9\5b824e292c9492a60a3471ff439c7f7e.elf
c:\users\Dan\AppData\Roaming\9 9\bz2.pyd
c:\users\Dan\AppData\Roaming\9 9\library.zip
c:\users\Dan\AppData\Roaming\9 9\numpy.core._dotblas.pyd
c:\users\Dan\AppData\Roaming\9 9\numpy.core._sort.pyd
c:\users\Dan\AppData\Roaming\9 9\numpy.core.multiarray.pyd
c:\users\Dan\AppData\Roaming\9 9\numpy.core.scalarmath.pyd
c:\users\Dan\AppData\Roaming\9 9\numpy.core.umath.pyd
c:\users\Dan\AppData\Roaming\9 9\numpy.fft.fftpack_lite.pyd
c:\users\Dan\AppData\Roaming\9 9\numpy.lib._compiled_base.pyd
c:\users\Dan\AppData\Roaming\9 9\numpy.linalg.lapack_lite.pyd
c:\users\Dan\AppData\Roaming\9 9\numpy.random.mtrand.pyd
c:\users\Dan\AppData\Roaming\9 9\pyopencl._cl.pyd
c:\users\Dan\AppData\Roaming\9 9\select.pyd
c:\users\Dan\AppData\Roaming\9 9\settings.txt
c:\users\Dan\AppData\Roaming\9 9\unicodedata.pyd
c:\users\Dan\AppData\Roaming\Setup.exe
c:\users\Dan\AppData\Roaming\svchost.exe
c:\users\Dan\AppData\Roaming\vso_ts_preview.xml
c:\users\Dan\AppData\Roaming\X-DVD-CREATOR7.EXE
c:\windows\SysWow64\SET5F3A.tmp
c:\windows\SysWow64\SET6130.tmp
c:\windows\SysWow64\SET63F2.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-07-25 to 2012-08-25 )))))))))))))))))))))))))))))))
.
.
2012-08-21 10:39 . 2012-07-16 06:40 9133488 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{842B9C44-5ECE-486E-A285-98F8C687055F}\mpengine.dll
2012-08-21 10:37 . 2012-07-18 18:15 3148800 ----a-w- c:\windows\system32\win32k.sys
2012-08-20 01:01 . 2012-08-20 01:01 -------- d-----w- c:\users\Dan\AppData\Roaming\Topckit
2012-08-19 19:25 . 2012-08-19 23:33 -------- d-----w- c:\users\Dan\AppData\Roaming\Vso
2012-08-19 19:22 . 2009-09-02 17:44 65602 ----a-w- c:\windows\SysWow64\cook3260.dll
2012-08-19 19:22 . 2009-09-02 17:44 626688 ----a-w- c:\windows\SysWow64\vp7vfw.dll
2012-08-19 19:22 . 2009-09-02 17:44 217127 ----a-w- c:\windows\SysWow64\drv43260.dll
2012-08-19 19:22 . 2009-09-02 17:44 208935 ----a-w- c:\windows\SysWow64\drv33260.dll
2012-08-19 19:22 . 2009-09-02 17:44 176165 ----a-w- c:\windows\SysWow64\drv23260.dll
2012-08-19 19:22 . 2009-09-02 17:44 1184984 ----a-w- c:\windows\SysWow64\wvc1dmod.dll
2012-08-19 19:22 . 2009-09-02 17:44 102439 ----a-w- c:\windows\SysWow64\sipr3260.dll
2012-08-19 19:22 . 2012-08-19 19:22 -------- d-----w- c:\program files (x86)\VSO
2012-08-18 21:24 . 2012-08-18 21:24 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-18 21:24 . 2012-08-18 21:24 -------- d-----w- c:\windows\system32\Macromed
2012-08-11 17:24 . 2012-08-25 00:07 -------- d-----w- c:\users\Dan\AppData\Local\35CBA840-C636-4568-9932-0F45725FBC3A.aplzod
2012-08-11 06:55 . 2012-08-23 00:08 -------- d-----w- c:\users\Dan\AppData\Roaming\vlc
2012-08-11 04:24 . 2012-08-11 04:24 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin7.dll
2012-08-11 04:24 . 2012-08-11 04:24 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin6.dll
2012-08-11 04:24 . 2012-08-11 04:24 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin5.dll
2012-08-11 04:24 . 2012-08-11 04:24 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin4.dll
2012-08-11 04:24 . 2012-08-11 04:24 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin3.dll
2012-08-11 04:24 . 2012-08-11 04:24 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin2.dll
2012-08-11 04:24 . 2012-08-11 04:24 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin.dll
2012-08-11 04:24 . 2012-08-11 04:24 -------- d-----w- c:\program files (x86)\QuickTime
2012-08-08 04:19 . 2012-08-08 05:16 -------- d-----w- c:\programdata\LightScribe
2012-08-08 04:19 . 2012-08-08 04:19 -------- d-----w- c:\users\Dan\AppData\Roaming\Nero
2012-08-08 04:14 . 2012-08-08 04:18 -------- d-----w- c:\programdata\Nero
2012-08-08 04:01 . 2012-08-08 04:01 -------- d-----w- c:\program files (x86)\Common Files\LightScribe
2012-08-07 05:19 . 2012-08-09 12:22 -------- d-----w- c:\users\Dan\AppData\Roaming\Decipher Media
2012-08-07 05:19 . 2012-08-07 05:19 -------- d-----w- c:\users\Dan\.swt
2012-08-05 07:15 . 2012-05-15 10:48 364352 ----a-w- c:\windows\system32\nvdecodemft.dll
2012-08-05 07:15 . 2012-05-15 10:48 301376 ----a-w- c:\windows\SysWow64\nvdecodemft.dll
2012-08-05 04:42 . 2012-08-05 04:42 -------- d-----w- c:\programdata\regid.1986-12.com.adobe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-18 21:24 . 2012-05-13 22:45 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-03 08:27 . 2012-05-05 16:13 62134624 ----a-w- c:\windows\system32\MRT.exe
2012-07-09 02:00 . 2012-05-13 17:22 283304 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
2012-07-09 02:00 . 2012-05-05 18:32 283304 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2012-07-09 01:59 . 2012-05-05 18:32 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2012-07-05 03:45 . 2012-05-05 18:32 76888 ----a-w- c:\windows\SysWow64\PnkBstrA.exe
2012-06-29 03:37 . 2012-05-18 00:19 1758056 ----a-w- c:\windows\system32\nvdispco64.dll
2012-06-29 03:37 . 2012-05-18 00:19 969064 ----a-w- c:\windows\system32\nvumdshimx.dll
2012-06-29 03:37 . 2012-05-18 00:19 7699304 ----a-w- c:\windows\SysWow64\nvcuda.dll
2012-06-29 03:37 . 2012-05-18 00:18 2723688 ----a-w- c:\windows\system32\nvapi64.dll
2012-06-29 03:37 . 2012-05-18 00:18 2422120 ----a-w- c:\windows\SysWow64\nvapi.dll
2012-06-29 03:37 . 2012-04-06 02:32 60776 ----a-w- c:\windows\system32\OpenCL.dll
2012-06-29 03:37 . 2012-04-06 02:32 52584 ----a-w- c:\windows\SysWow64\OpenCL.dll
2012-06-28 23:56 . 2012-05-18 00:19 2667062 ----a-w- c:\windows\system32\nvcoproc.bin
2012-06-28 23:55 . 2012-05-18 00:19 3266408 ----a-w- c:\windows\system32\nvsvc64.dll
2012-06-28 23:55 . 2012-05-18 00:19 6193000 ----a-w- c:\windows\system32\nvcpl.dll
2012-06-28 23:55 . 2012-05-18 00:19 118120 ----a-w- c:\windows\system32\nvmctray.dll
2012-06-28 23:55 . 2012-05-18 00:19 891240 ----a-w- c:\windows\system32\nvvsvc.exe
2012-06-28 23:55 . 2012-05-18 00:19 63336 ----a-w- c:\windows\system32\nvshext.dll
2012-06-06 03:27 . 2012-06-06 03:27 1409 ----a-w- c:\windows\Fonts\TAXLDRAW.FOT
2012-06-06 03:27 . 2012-06-06 03:27 1409 ----a-w- c:\windows\Fonts\PTOCR-B.FOT
2012-06-06 03:27 . 2012-06-06 03:27 1409 ----a-w- c:\windows\Fonts\PTOCR-A.FOT
2012-06-02 22:19 . 2012-07-04 18:51 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-07-04 18:51 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-07-04 18:51 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-07-04 18:51 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-07-04 18:51 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-07-04 18:51 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-07-04 18:51 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 19:19 . 2012-07-04 18:51 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:15 . 2012-07-04 18:51 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-05-31 16:25 . 2010-11-21 03:27 279656 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MobileDocuments"="c:\program files (x86)\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
"iCloudServices"="c:\program files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe" [2012-02-23 59240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"iTunesHelper"="d:\program files (x86)\iTunes\iTunesHelper.exe" [2012-06-07 421776]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
"CanonSolutionMenuEx"="c:\program files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-04-02 1185112]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]
"WinampAgent"="c:\program files (x86)\Winamp\winampa.exe" [2012-06-20 74752]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 HiPatchService;Hi-Rez Studios Authenticate and Update Service;d:\program files (x86)\Hi-Rez Studios\HiPatchService.exe [x]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-06-29 1258856]
R3 ALSysIO;ALSysIO;c:\users\Dan\AppData\Local\Temp\ALSysIO64.sys [x]
R3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2012-04-06 11174400]
R3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2012-04-06 343040]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2012-02-23 95760]
R3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;c:\program files (x86)\Futuremark\Futuremark SystemInfo\FMSISvc.exe [2011-12-09 135584]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-04-25 52736]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-05-04 1255736]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-04-04 63928]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-04-06 236544]
S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys [2012-03-09 23816]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2012-04-18 188736]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-09-28 395264]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2011-03-04 16:29 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4219366632-3039800736-3179006017-1001Core.job
- c:\users\Dan\AppData\Local\Google\Update\GoogleUpdate.exe [2012-05-04 06:49]
.
2012-08-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4219366632-3039800736-3179006017-1001UA.job
- c:\users\Dan\AppData\Local\Google\Update\GoogleUpdate.exe [2012-05-04 06:49]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-{3351E4C5-40E3-4541-BD35-31DB98A61B66} - d:\- downloads\DecipherVoiceMail.exe
AddRemove-Battlelog Web Plugins - c:\program files (x86)\Battlelog Web Plugins\uninstall.exe
AddRemove-BattlEye for A2 - d:\program files (x86)\steam\steamapps\common\arma 2BattlEye\UnInstallBE.exe
AddRemove-Steam App 34330 - c:\program files (x86)\Steam\steam.exe
AddRemove-{3C87E0FF-BC0A-4F5E-951B-68DC3F8DF1FC} - d:\program files (x86)\Hi-Rez Studios\HiRezGamesDiagAndSupport.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-4219366632-3039800736-3179006017-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.**ˆ]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-4219366632-3039800736-3179006017-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.**ˆ\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-4219366632-3039800736-3179006017-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.**ˆ]
@Allowed: (Read) (RestrictedCode)
"0"=hex:66,69,6c,65,3a,2f,2f,2f,44,3a,2f,54,6f,72,72,65,6e,74,73,2f,43,6f,6d,
70,6c,65,74,65,64,2f,47,61,6d,65,2e,6f,66,2e,54,68,72,6f,6e,65,73,2e,53,30,\
"MRUListEx"=hex:05,00,00,00,04,00,00,00,03,00,00,00,02,00,00,00,01,00,00,00,00,
00,00,00,ff,ff,ff,ff
"1"=hex:66,69,6c,65,3a,2f,2f,2f,44,3a,2f,53,74,6f,72,61,67,65,5f,44,2f,4d,75,
6c,74,69,6d,65,64,69,61,5f,44,2f,6a,69,67,67,6c,79,2d,72,61,62,72,6f,77,6e,\
"2"=hex:66,69,6c,65,3a,2f,2f,2f,44,3a,2f,54,6f,72,72,65,6e,74,73,2f,43,6f,6d,
70,6c,65,74,65,64,2f,47,61,6d,65,2e,6f,66,2e,54,68,72,6f,6e,65,73,2e,53,30,\
"3"=hex:66,69,6c,65,3a,2f,2f,2f,44,3a,2f,54,6f,72,72,65,6e,74,73,2f,43,6f,6d,
70,6c,65,74,65,64,2f,47,61,6d,65,2e,6f,66,2e,54,68,72,6f,6e,65,73,2e,53,30,\
"4"=hex:66,69,6c,65,3a,2f,2f,2f,44,3a,2f,54,6f,72,72,65,6e,74,73,2f,43,6f,6d,
70,6c,65,74,65,64,2f,47,61,6d,65,2e,6f,66,2e,54,68,72,6f,6e,65,73,2e,53,30,\
"5"=hex:66,69,6c,65,3a,2f,2f,2f,44,3a,2f,53,74,6f,72,61,67,65,5f,44,2f,4d,75,
6c,74,69,6d,65,64,69,61,5f,44,2f,4d,69,73,63,65,6c,6c,61,6e,65,6f,75,73,2f,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Canon\IJPLM\IJPLMSVC.EXE
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\windows\SysWOW64\PnkBstrA.exe
.
**************************************************************************
.
Completion time: 2012-08-24 20:13:15 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-25 00:13
.
Pre-Run: 51,301,212,160 bytes free
Post-Run: 54,454,870,016 bytes free
.
- - End Of File - - 02FFAA57222816186309BBD9A5ECEA51

#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,348 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:49 AM

Posted 24 August 2012 - 07:53 PM

Please do the following:

Please download Malwarebytes' Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif
Microsoft MVP - 2010, 2011, 2012, 2013

#5 dPhantom

dPhantom
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:49 AM

Posted 25 August 2012 - 08:00 AM

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.25.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Dan :: DAN-I7 [administrator]

8/24/2012 9:29:18 PM
mbam-log-2012-08-24 (21-29-18).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 215466
Time elapsed: 34 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\Software\Topckit (PUP.Topckit) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)




C:\Qoobox\Quarantine\C\Users\Dan\AppData\Roaming\Setup.exe.vir a variant of Win32/Injector.SXN trojan
C:\Qoobox\Quarantine\C\Users\Dan\AppData\Roaming\svchost.exe.vir a variant of Win32/Injector.SXN trojan
C:\Qoobox\Quarantine\C\Users\Dan\AppData\Roaming\2 9\rundll32.exe.vir Win32/KillProc.NBE trojan
C:\Qoobox\Quarantine\C\Users\Dan\AppData\Roaming\2 9\svchost2.exe.vir a variant of Win32/BitCoinMiner application
C:\Qoobox\Quarantine\C\Users\Dan\AppData\Roaming\3 5\rundll32.exe.vir Win32/KillProc.NBE trojan
C:\Qoobox\Quarantine\C\Users\Dan\AppData\Roaming\3 5\svchost2.exe.vir a variant of Win32/BitCoinMiner application
C:\Qoobox\Quarantine\C\Users\Dan\AppData\Roaming\7 9\rundll32.exe.vir Win32/KillProc.NBE trojan
C:\Qoobox\Quarantine\C\Users\Dan\AppData\Roaming\7 9\svchost2.exe.vir a variant of Win32/BitCoinMiner application
C:\Qoobox\Quarantine\C\Users\Dan\AppData\Roaming\9 1\rundll32.exe.vir Win32/CoinMiner.V trojan

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,348 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:49 AM

Posted 25 August 2012 - 08:22 AM

all those detections are in the ComboFix quarantine, which we will be cleaning up shortly, they can't harm the computer from that location.

please run the following:

  • Please download MiniToolBox and save it to your desktop and run it.

    Checkmark following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List installed programs.

Click Go and post the result (Result.txt) that pops up. A copy of result.txt will be saved in the same directory the tool is run.

NEXT


Please download Farbar Service Scanner to your desktop and run it.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


NEXT

Please advise how the computer is running now and if there are any outstanding issues
The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif
Microsoft MVP - 2010, 2011, 2012, 2013

#7 dPhantom

dPhantom
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:49 AM

Posted 25 August 2012 - 09:43 AM

Computer is running great. I no longer see the popup for the last 12 hours. Here are the remaining logs below:


MiniToolBox by Farbar Version: 23-07-2012
Ran by Dan (administrator) on 25-08-2012 at 10:37:15
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================

127.0.0.1 localhost


=========================== Installed Programs ============================

µTorrent (Version: 3.1.3)
2010 Tax Program (Version: 2010.00)
2011 Tax Program (Version: 2011.00)
3DMark 11 (Version: 1.0.3)
3DMark Vantage (Version: 1.1.0)
Adobe Flash Player 11 ActiveX (Version: 11.3.300.271)
Adobe Flash Player 11 Plugin (Version: 11.1.102.55)
Adobe Reader X (10.1.3) (Version: 10.1.3)
AMD Catalyst Install Manager (Version: 8.0.873.0)
Apple Application Support (Version: 2.1.9)
Apple Mobile Device Support (Version: 5.2.0.6)
Apple Software Update (Version: 2.1.3.127)
ARMA 2
ARMA 2: Operation Arrowhead
Batman: Arkham Asylum GOTY Edition
Battlefield 3™ (Version: 1.0.0.0)
Battlelog Web Plugins (Version: 1.122.0)
BattlEye for OA Uninstall
BattlEye Uninstall
Bonjour (Version: 3.0.0.10)
Brother HL-5250DN (Version: 1.00)
Canon CanoScan LiDE 110 User Registration
Canon Inkjet Printer/Scanner/Fax Extended Survey Program
Canon MP Navigator EX 4.0
Canon Solution Menu EX
CanoScan LiDE 110 Scanner Driver
Company of Heroes: Tales of Valor
ConvertXtoDVD 4.1.19.365 (Version: 4.1.19.365)
Core Temp 1.0 RC3 (Version: 1.0)
CPUID CPU-Z 1.60.1
CPUID HWMonitor 1.19
Crusader Kings II
Crysis
Decipher TextMessage (Version: 5.1.0)
Decipher VoiceMail (Version: 4.4.0)
Diablo III (Version: 1.0.2.9749)
Divine Wind version 5.1 (Version: 5.1)
Download Updater (AOL Inc.)
Endless Space
ESN Sonar (Version: 0.70.4)
Europa Universalis III
EVGA Precision X 3.0.2 (Version: 3.0.2)
Fraps (remove only)
Futuremark SystemInfo (Version: 4.6.0)
Galactic Civilizations II: Ultimate Edition
GIMP 2.8.0 (Version: 2.8.0)
Google Chrome (Version: 21.0.1180.83)
GPU Temp version 1.0 (Version: 1.0)
Grand Theft Auto IV
Hard Disk Sentinel PRO
Hearts of Iron III Collection version 3.05 (Version: 3.05)
Heaven DX11 Benchmark version 3.0 (Version: 3.0)
Hi-Rez Studios Authenticate and Update Service (Version: 3.0.0.0)
iCloud (Version: 1.1.0.40)
iTunes (Version: 10.6.3.25)
Java Auto Updater (Version: 2.1.6.0)
Java™ 7 Update 4 (Version: 7.0.40)
LightScribe System Software (Version: 1.18.22.2)
Magicka
Malwarebytes Anti-Malware version 1.62.0.1300 (Version: 1.62.0.1300)
Metro 2033
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319)
Microsoft Chart Controls for Microsoft .NET Framework 3.5 (KB2500170) (Version: 3.5.30730.0)
Microsoft Office Access MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Access Setup Metadata MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Enterprise 2007 (Version: 12.0.4518.1014)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Groove MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Groove Setup Metadata MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office InfoPath MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Office 64-bit Components 2007 (Version: 12.0.4518.1014)
Microsoft Office OneNote MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Outlook MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proof (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proof (French) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Publisher MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Shared 64-bit MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft VC9 runtime libraries (Version: 2.0.0)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.59193)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (Version: 9.0.21022)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Mirror's Edge
MSI Afterburner 2.2.1 (Version: 2.2.1)
NVIDIA 3D Vision Controller Driver 301.42 (Version: 301.42)
NVIDIA Control Panel 304.79 (Version: 304.79)
NVIDIA Graphics Driver 304.79 (Version: 304.79)
NVIDIA HD Audio Driver 1.3.16.0 (Version: 1.3.16.0)
NVIDIA Install Application (Version: 2.1002.78.480)
NVIDIA PhysX (Version: 9.12.0213)
NVIDIA PhysX System Software 9.12.0213 (Version: 9.12.0213)
NVIDIA Update 1.8.12 (Version: 1.8.12)
NVIDIA Update Components (Version: 1.8.12)
Origin (Version: 8.5.2.23)
Portal 2
PowerISO (Version: 4.6)
PS3 Media Server (Version: 1.53.0)
PunkBuster Services (Version: 0.992)
QuickTime (Version: 7.72.80.56)
S.T.A.L.K.E.R.: Shadow of Chernobyl
Sid Meier's Civilization V
Sins of a Solar Empire: Trinity
Speccy (Version: 1.16)
SpeedFan (remove only)
StarCraft II (Version: 1.4.3.21029)
Steam (Version: 1.0.0.0)
TechPowerUp GPU-Z
The Witcher 2 - Assassins of Kings Enhanced Edition
Total War: SHOGUN 2
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
Victoria 2
VLC media player 2.0.3 (Version: 2.0.3)
Winamp (Version: 5.63 )
Winamp Detector Plug-in (Version: 1.0.0.1)
Winamp Toolbar
Wings of Prey
WinRAR 4.11 (64-bit) (Version: 4.11.0)

**** End of log ****


Farbar Service Scanner Version: 06-08-2012
Ran by Dan (administrator) on 25-08-2012 at 10:39:57
Running from "D:\- Documents\Malware Fix"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,348 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:49 AM

Posted 25 August 2012 - 03:01 PM

We just have some housekeeping to do now, please do the following:


P2P - I see you have P2P software utorrent installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It likely contributed to your current situation. This page will give you further information.
Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
Please see this topic for more information:
Perils of P2P File Sharing.

I would strongly recommend that you uninstall this now. You can do so via Control Panel >> Programs and Features.


NEXT


You can delete the DDS and the Farbar logs and programs from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Press the WinKey +R to open a run box
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.

Posted Image


If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer has always the latest security updates available installed on your computer.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish it's job
    • Once its finished it should automatically reboot your machine,
    • if it doesn't, manually reboot to ensure a complete clean
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
    PC Safety and Security--What Do I Need?.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.
The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif
Microsoft MVP - 2010, 2011, 2012, 2013

#9 dPhantom

dPhantom
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:49 AM

Posted 25 August 2012 - 07:26 PM

Thanks for the help. You guys are the best!

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,348 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:49 AM

Posted 25 August 2012 - 07:27 PM

You are welcome

stay safe :hello:

~CB
The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif
Microsoft MVP - 2010, 2011, 2012, 2013

#11 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,348 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:49 AM

Posted 25 August 2012 - 07:27 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif
Microsoft MVP - 2010, 2011, 2012, 2013




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users