Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Medfos.B - and some other oddities.


  • This topic is locked This topic is locked
21 replies to this topic

#1 Dr_Jim

Dr_Jim

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:06 PM

Posted 31 December 2012 - 02:53 PM

Greetings,
And much thanks in advance.

Home machine. 2 years old. Used not a lot. Basic surfing. No games. Some work.
No protection in place. Windows firewall sometimes used, and the occasional TM Housecall sweep would yield nothing.

About a month ago I noticed redirects in google. Maybe 1 out of 5 search clicks would redirect.
Yesterday, Win7 suddenly 'shut down' (invoked proper shutdown procedure, without my initiating it).
Upon reboot,...it wouldnt boot: Insert boot media..etc.
Windows startup repair yielded nothing. Found nothing wrong.
Eventually used Bootrec.exe to fix through shell. Resolved problem instantly.
This got me heading towards taking a deeper look.

TM Housecall found some nasties. Removed.
ADaware found some as well. Removed.
MBAM - found some. Removed.

Noticed 4-6 instances of IExplore.exe running in Taskmanager. I NEVER use IE. Only FF. If I killed them. They pop right back up!

Installed and updated MSE. Scanned. Found Medfos.B. Removed.
This resolved all instances of IExplore.exe in TM. None.

Finally...Now MSE keeps finding new instances of Medfos,..every 5 minutes or so. It removes them....but they keep coming.
Thats where I am now. (of course, there could be more that I cannot see.)

DDS Logs below.
__________________________________________________________________
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 8.0.7600.16700
Run by G-Bear at 14:38:51 on 2012-12-31
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.8174.6005 [GMT -5:00]
.
AV: Lavasoft Ad-Aware *Enabled/Updated* {E0D97DD4-42BA-B3F2-A5A7-22E9ACE81FC7}
AV: Microsoft Security Essentials *Enabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Enabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Aware *Enabled/Updated* {5BB89C30-6480-BC7C-9F17-199BD76F557A}
FW: Lavasoft Ad-Aware *Disabled* {D8E2FCF1-08D5-B2AA-8EF8-8BDC523B58BC}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareService.exe
C:\Program Files (x86)\AFLICS\AfterFLICS.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\DCPFLICS\DCPFLICS.exe
C:\Program Files (x86)\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe
C:\Program Files\Autodesk\3ds Max 2012\mentalimages\satellite\raysat_3dsmax2012_64server.exe
C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\STService.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\System32\StikyNot.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Ad-Aware Antivirus\SBAMSvc.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uURLSearchHooks: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - <orphaned>
mWinlogon: Userinit = userinit.exe,
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
uRun: [AdobeBridge] <no file>
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [ShwiconXP9106] C:\Program Files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe
mRun: [THX Audio Control Panel] "C:\Program Files (x86)\Creative\THX TruStudio PC\THXAudioCP\THXAudio.exe" /r
mRun: [UpdReg] C:\Windows\UpdReg.EXE
mRun: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe
mRun: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"
mRun: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
mRun: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin
mRunOnce: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\Launcher.exe
mRunOnce: [DSUpdateLauncher] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe" /NOCONSOLE /D="C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate" /RUNAS "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe"
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{733DCD27-FA77-403E-AECC-721336FB6E7C} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{733DCD27-FA77-403E-AECC-721336FB6E7C}\44C496E6B6657525 : DHCPNameServer = 192.168.15.1
TCP: Interfaces\{8F6DC95D-449C-4BF9-B070-FB3067D44DC6} : DHCPNameServer = 192.168.15.1
Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - c:\Program Files (x86)\Cozi Express\CoziProtocolHandler.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [RunDLLEntry_THXCfg] C:\Windows\System32\RunDLL32.exe C:\Windows\System32\THXCfg64.dll,RunDLLEntry THXCfg64
x64-Run: [RunDLLEntry_EptMon] C:\Windows\System32\RunDLL32.exe C:\Windows\System32\EptMon64.dll,RunDLLEntry EptMon64
x64-Run: [DellStage] "C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\start.umj" --startup
x64-Run: [snles] "C:\Windows\System32\rundll32.exe" "C:\Users\G-Bear\AppData\Roaming\snles.dll",vGetFile
x64-Run: [imdxs] "C:\Windows\System32\rundll32.exe" "C:\Users\G-Bear\AppData\Roaming\imdxs.dll",_getsig
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
x64-DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
x64-Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - <orphaned>
x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - <orphaned>
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\G-Bear\AppData\Roaming\Mozilla\Firefox\Profiles\iujntzq9.default\
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\System32\Wat\npWatWeb.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - ExtSQL: 2012-12-30 13:32; jid1-yZwVFzbsyfMrqQ@jetpack; C:\Users\G-Bear\AppData\Roaming\Mozilla\Firefox\Profiles\iujntzq9.default\extensions\jid1-yZwVFzbsyfMrqQ@jetpack
FF - ExtSQL: 2012-12-31 13:07; {dfa23d17-4e64-4e4f-9b5a-a699dbba8ae5}; C:\Users\G-Bear\AppData\Roaming\Mozilla\Firefox\Profiles\iujntzq9.default\extensions\{dfa23d17-4e64-4e4f-9b5a-a699dbba8ae5}.xpi
.
---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.brc -
.
============= SERVICES / DRIVERS ===============
.
R0 gfibto;gfibto;C:\Windows\System32\drivers\gfibto.sys [2012-12-30 14456]
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2012-8-30 228768]
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2011-3-9 55856]
R2 Ad-Aware Service;Ad-Aware Service;C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareService.exe [2012-12-14 1236968]
R2 AfterFLICS v3;AfterFLICS v3;C:\Program Files (x86)\AFLICS\AfterFLICS.exe [2011-11-20 135170]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2011-3-9 203264]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2010-2-28 821664]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-3-9 13336]
R2 mi-raysat_3dsmax2010_32;mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit;C:\Program Files (x86)\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe [2009-3-12 86016]
R2 mi-raysat_3dsmax2012_64;mental ray 3.9 Satellite for Autodesk 3ds Max 2012 64-bit - English 64-bit;C:\Program Files\Autodesk\3ds Max 2012\mentalimages\satellite\raysat_3dsmax2012_64server.exe [2011-2-22 86016]
R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2012-8-30 128456]
R2 NOBU;Dell DataSafe Online;C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe [2010-8-25 2823000]
R2 SBAMSvc;Ad-Aware;C:\Program Files (x86)\Ad-Aware Antivirus\SBAMSvc.exe [2012-9-20 3677000]
R2 sbapifs;sbapifs;C:\Windows\System32\drivers\sbapifs.sys [2012-9-12 82872]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2009-12-2 483688]
R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2011-3-9 689472]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-5-20 378472]
R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2011-3-9 317440]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\Windows\System32\drivers\k57nd60a.sys [2011-3-9 406056]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-9-12 368896]
R3 Sftfs;Sftfs;C:\Windows\System32\drivers\Sftfslh.sys [2009-12-2 721768]
R3 Sftplay;Sftplay;C:\Windows\System32\drivers\Sftplaylh.sys [2009-12-2 269672]
R3 Sftredir;Sftredir;C:\Windows\System32\drivers\Sftredirlh.sys [2009-12-2 25960]
R3 Sftvol;Sftvol;C:\Windows\System32\drivers\Sftvollh.sys [2009-12-2 22376]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2009-12-2 209768]
S2 CLKMSVC10_9EC60124;CyberLink Product - 2011/03/09 10:21:40;C:\Program Files (x86)\CyberLink\PowerDVD9\NavFilter\kmsvc.exe [2010-10-26 236016]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-31 398184]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-31 682344]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-11-9 160944]
S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2011-11-20 1431888]
S3 gfiark;gfiark;C:\Windows\System32\drivers\gfiark.sys [2012-12-30 38096]
S3 Impcd;Impcd;C:\Windows\System32\drivers\Impcd.sys [2011-3-9 158976]
S3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2012-12-31 24176]
S3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0;PCDSRVC{1E208CE0-FB7451FF-06020101}_0 - PCDR Kernel Mode Service Helper Driver;C:\Program Files\Dell Support Center\pcdsrvc_x64.pkms [2010-7-30 25072]
S3 RoxMediaDB12OEM;RoxMediaDB12OEM;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-9-28 53760]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-3-17 1255736]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== File Associations ===============
.
ShellExec: dreamweaver.exe: Open="C:\Program Files (x86)\Adobe\Adobe Dreamweaver CS5\dreamweaver.exe", "%1"
.
=============== Created Last 30 ================
.
2012-12-31 19:04:26 76232 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{00CA61A3-F876-4679-8C9B-0E9CA33C9429}\offreg.dll
2012-12-31 19:02:15 9125352 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{00CA61A3-F876-4679-8C9B-0E9CA33C9429}\mpengine.dll
2012-12-31 18:17:12 972264 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{E90BEA77-5EC8-4A83-B29B-A2CA99101699}\gapaengine.dll
2012-12-31 18:13:49 972264 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{A1BE9D18-7053-447A-945E-CF9585CC1A06}\gapaengine.dll
2012-12-31 18:11:34 972264 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{5FD03E73-5B0D-424F-8A76-9BF90404927A}\gapaengine.dll
2012-12-31 18:10:20 972264 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2012-12-31 18:10:12 972264 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{25E0638F-BC35-4B91-A1AE-73AA03EEA0E5}\gapaengine.dll
2012-12-31 18:06:20 972264 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{63808CB9-6C2E-4E66-98E4-9FBADA6197AD}\gapaengine.dll
2012-12-31 18:04:20 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-12-31 18:04:13 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-12-31 18:04:07 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-12-31 18:04:07 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-12-31 17:55:49 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2012-12-31 17:55:46 -------- d-----w- C:\Program Files\Microsoft Security Client
2012-12-31 17:55:39 374664 ----a-w- C:\Windows\System32\drivers\netio.sys
2012-12-31 13:51:28 -------- d-----w- C:\Users\G-Bear\AppData\Roaming\Malwarebytes
2012-12-31 13:51:17 -------- d-----w- C:\ProgramData\Malwarebytes
2012-12-31 13:51:15 24176 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-12-31 13:51:15 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-12-31 13:50:41 -------- d-----w- C:\Users\G-Bear\AppData\Local\Programs
2012-12-30 20:26:53 38096 ----a-w- C:\Windows\System32\drivers\gfiark.sys
2012-12-30 20:18:15 -------- d-sh--w- C:\Boot
2012-12-30 20:14:35 -------- d-----w- C:\Program Files (x86)\Common Files\Steam
2012-12-30 20:14:33 -------- d-----w- C:\Program Files (x86)\Steam
2012-12-30 19:04:22 -------- d-----w- C:\ProgramData\Ad-Aware Antivirus
2012-12-30 18:36:43 -------- d-----w- C:\Program Files (x86)\Ad-Aware Antivirus
2012-12-30 18:36:27 47496 ----a-w- C:\Windows\System32\sbbd.exe
2012-12-30 18:36:27 14456 ----a-w- C:\Windows\System32\drivers\gfibto.sys
2012-12-30 18:32:56 -------- d-----w- C:\Users\G-Bear\AppData\Local\adawarebp
2012-12-30 18:32:56 -------- d-----w- C:\ProgramData\blekko toolbars
2012-12-30 18:32:56 -------- d-----w- C:\ProgramData\Ad-Aware Browsing Protection
2012-12-30 18:32:52 -------- d-----w- C:\Program Files (x86)\adawaretb
2012-12-30 18:32:51 -------- d-----w- C:\Program Files (x86)\Toolbar Cleaner
2012-12-30 18:31:38 -------- d-----w- C:\Users\G-Bear\AppData\Roaming\LavasoftStatistics
2012-12-30 18:31:05 -------- d-----w- C:\Users\G-Bear\AppData\Roaming\Ad-Aware Antivirus
2012-12-30 18:18:32 307712 ----a-w- C:\Users\G-Bear\AppData\Roaming\imdxs.dll
2012-12-30 18:17:55 596992 ----a-w- C:\Users\G-Bear\AppData\Roaming\snles.dll
2012-12-30 18:15:36 22064 ----a-w- C:\Windows\DCEBoot64.exe
2012-12-27 13:49:19 33240 ----a-w- C:\Windows\System32\drivers\GEARAspiWDM.sys
2012-12-27 13:49:13 -------- d-----w- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2012-12-27 13:49:13 -------- d-----w- C:\Program Files\iTunes
2012-12-27 13:49:13 -------- d-----w- C:\Program Files\iPod
2012-12-27 13:49:13 -------- d-----w- C:\Program Files (x86)\iTunes
.
==================== Find3M ====================
.
.
============= FINISH: 14:39:19.10 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 134,632 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:06 PM

Posted 31 December 2012 - 03:07 PM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of us

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.




These are the programs I would like you to run next, if you have any problems with these just skip it and run the next one.

-Security Check-

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-AdwCleaner-

  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

--RogueKiller--

  • Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller+

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 Dr_Jim

Dr_Jim
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:06 PM

Posted 31 December 2012 - 03:27 PM

Thanks for the prompt reply Gringo.


____________________________________________________

Results of screen317's Security Check version 0.99.56
Windows 7 x64 (UAC is disabled!)
Out of date service pack!!
Internet Explorer 8 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Lavasoft Ad-Aware
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Ad-Aware
Malwarebytes Anti-Malware version 1.70.0.1100
Java™ 6 Update 23
Java version out of Date!
Adobe Flash Player 10 Flash Player out of Date!
Adobe Reader 9 Adobe Reader out of Date!
Mozilla Firefox (17.0.1)
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
Ad-Aware Antivirus AdAwareService.exe
Ad-Aware Antivirus SBAMSvc.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````


________________________________________________________________________________________


# AdwCleaner v2.104 - Logfile created 12/31/2012 at 15:21:06
# Updated 29/12/2012 by Xplode
# Operating system : Windows 7 Professional (64 bits)
# User : G-Bear - G-BEAR-PC
# Boot Mode : Normal
# Running from : C:\Users\G-Bear\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Deleted on reboot : C:\Program Files (x86)\adawaretb
Deleted on reboot : C:\ProgramData\blekko toolbars
Deleted on reboot : C:\ProgramData\boost_interprocess
Deleted on reboot : C:\Users\G-Bear\AppData\LocalLow\adawaretb
Deleted on reboot : C:\Users\G-Bear\AppData\Roaming\Mozilla\Firefox\Profiles\iujntzq9.default\adawaretb

***** [Registry] *****

Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{6C97A91E-4524-4019-86AF-2AA2D567BF5C}]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7600.16700

[OK] Registry is clean.

-\\ Mozilla Firefox v17.0.1 (en-US)

File : C:\Users\G-Bear\AppData\Roaming\Mozilla\Firefox\Profiles\iujntzq9.default\prefs.js

C:\Users\G-Bear\AppData\Roaming\Mozilla\Firefox\Profiles\iujntzq9.default\user.js ... Deleted !

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [1203 octets] - [31/12/2012 15:21:06]

########## EOF - C:\AdwCleaner[S1].txt - [1263 octets] ##########


______________________________________________________________________________________________________

RogueKiller V8.4.2 [Dec 31 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User : G-Bear [Admin rights]
Mode : Scan -- Date : 12/31/2012 15:24:09

¤¤¤ Bad processes : 4 ¤¤¤
[DLL] rundll32.exe -- C:\Windows\System32\rundll32.exe : C:\Users\G-Bear\AppData\Roaming\snles.dll -> KILLED [TermProc]
[DLL] rundll32.exe -- C:\Windows\SysWOW64\rundll32.exe : C:\Users\G-Bear\AppData\Roaming\snles.dll -> KILLED [TermProc]
[DLL] rundll32.exe -- C:\Windows\System32\rundll32.exe : C:\Users\G-Bear\AppData\Roaming\imdxs.dll -> KILLED [TermProc]
[DLL] rundll32.exe -- C:\Windows\SysWOW64\rundll32.exe : C:\Users\G-Bear\AppData\Roaming\imdxs.dll -> KILLED [TermProc]

¤¤¤ Registry Entries : 9 ¤¤¤
[RUN][SUSP PATH] HKLM\[...]\Run : snles ("C:\Windows\System32\rundll32.exe" "C:\Users\G-Bear\AppData\Roaming\snles.dll",vGetFile) -> FOUND
[RUN][SUSP PATH] HKLM\[...]\Run : imdxs ("C:\Windows\System32\rundll32.exe" "C:\Users\G-Bear\AppData\Roaming\imdxs.dll",_getsig) -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-18\$aa94d7bb95146d6bf6fe288726cf372c\U --> FOUND
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-3660319037-876466563-1020969638-1000\$aa94d7bb95146d6bf6fe288726cf372c\U --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-18\$aa94d7bb95146d6bf6fe288726cf372c\L --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-3660319037-876466563-1020969638-1000\$aa94d7bb95146d6bf6fe288726cf372c\L --> FOUND

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 activate.adobe.com


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: SAMSUNG HD103SJ +++++
--- User ---
[MBR] e4109614f33b32d71259f984d5af3a04
[BSP] ee38b7bbfa1faabf982525f16b08c8ad : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 12542 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 25767936 | Size: 941286 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_12312012_02d1524.txt >>
RKreport[1]_S_12312012_02d1524.txt

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 134,632 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:06 PM

Posted 31 December 2012 - 03:38 PM

Hello

I Would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 Dr_Jim

Dr_Jim
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:06 PM

Posted 31 December 2012 - 04:01 PM

Thanks again!

No problems with CF.
I properly disabled all AV/AM software.

Now that CF is completely finished, I DID turn MSE back on. I am running a Quick scan to see if it finds anything. (found nothing)
As far as 'how the computer is doing'....that usually take a bit of time,...as the only symptom is the MSE finding the Medfos every 5-10 minutes....





ComboFix 12-12-31.01 - G-Bear 12/31/2012 15:50:17.1.8 - x64
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.8174.6442 [GMT -5:00]
Running from: c:\users\G-Bear\Desktop\ComboFix.exe
AV: Lavasoft Ad-Aware *Enabled/Updated* {E0D97DD4-42BA-B3F2-A5A7-22E9ACE81FC7}
AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
FW: Lavasoft Ad-Aware *Disabled* {D8E2FCF1-08D5-B2AA-8EF8-8BDC523B58BC}
SP: Lavasoft Ad-Aware *Enabled/Updated* {5BB89C30-6480-BC7C-9F17-199BD76F557A}
SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\G-Bear\AppData\Roaming\imdxs.dll
c:\users\G-Bear\AppData\Roaming\snles.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-11-28 to 2012-12-31 )))))))))))))))))))))))))))))))
.
.
2012-12-31 20:55 . 2012-12-31 20:55 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-12-31 20:22 . 2012-12-31 20:22 76232 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{00CA61A3-F876-4679-8C9B-0E9CA33C9429}\offreg.dll
2012-12-31 19:02 . 2012-11-08 14:24 9125352 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{00CA61A3-F876-4679-8C9B-0E9CA33C9429}\mpengine.dll
2012-12-31 18:17 . 2012-10-23 11:04 972264 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E90BEA77-5EC8-4A83-B29B-A2CA99101699}\gapaengine.dll
2012-12-31 18:10 . 2012-10-23 11:04 972264 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2012-12-31 18:04 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-12-31 18:04 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-12-31 18:04 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
2012-12-31 18:04 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-12-31 18:04 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
2012-12-31 18:04 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-12-31 18:04 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-12-31 18:04 . 2012-06-02 20:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-12-31 18:04 . 2012-06-02 20:15 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-12-31 17:55 . 2012-12-31 17:55 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2012-12-31 17:55 . 2012-12-31 17:55 -------- d-----w- c:\program files\Microsoft Security Client
2012-12-31 17:55 . 2010-04-09 11:06 374664 ----a-w- c:\windows\system32\drivers\netio.sys
2012-12-31 13:51 . 2012-12-31 13:51 -------- d-----w- c:\users\G-Bear\AppData\Roaming\Malwarebytes
2012-12-31 13:51 . 2012-12-31 13:51 -------- d-----w- c:\programdata\Malwarebytes
2012-12-31 13:51 . 2012-12-31 13:51 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-12-31 13:51 . 2012-12-14 21:49 24176 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-12-31 13:50 . 2012-12-31 13:50 -------- d-----w- c:\users\G-Bear\AppData\Local\Programs
2012-12-30 20:26 . 2012-12-17 11:43 38096 ----a-w- c:\windows\system32\drivers\gfiark.sys
2012-12-30 20:18 . 2012-12-30 20:18 -------- d-----w- C:\Boot
2012-12-30 20:14 . 2012-12-30 20:14 -------- d-----w- c:\program files (x86)\Common Files\Steam
2012-12-30 20:14 . 2012-12-31 20:06 -------- d-----w- c:\program files (x86)\Steam
2012-12-30 19:04 . 2012-12-30 19:04 -------- d-----w- c:\programdata\Ad-Aware Antivirus
2012-12-30 18:36 . 2012-12-30 20:26 -------- d-----w- c:\program files (x86)\Ad-Aware Antivirus
2012-12-30 18:36 . 2012-12-30 18:36 -------- d-----w- c:\programdata\Lavasoft
2012-12-30 18:36 . 2012-12-30 18:36 14456 ----a-w- c:\windows\system32\drivers\gfibto.sys
2012-12-30 18:36 . 2012-09-20 10:40 47496 ----a-w- c:\windows\system32\sbbd.exe
2012-12-30 18:32 . 2012-12-30 18:32 -------- d-----w- c:\users\G-Bear\AppData\Local\adawarebp
2012-12-30 18:32 . 2012-12-30 18:32 -------- d-----w- c:\programdata\Ad-Aware Browsing Protection
2012-12-30 18:32 . 2012-12-30 18:32 -------- d-----w- c:\program files (x86)\Toolbar Cleaner
2012-12-30 18:31 . 2012-12-30 18:31 -------- d-----w- c:\users\G-Bear\AppData\Roaming\LavasoftStatistics
2012-12-30 18:31 . 2012-12-30 19:16 -------- d-----w- c:\users\G-Bear\AppData\Roaming\Ad-Aware Antivirus
2012-12-30 18:15 . 2012-12-30 18:15 22064 ----a-w- c:\windows\DCEBoot64.exe
2012-12-27 13:49 . 2012-08-21 18:01 33240 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-12-27 13:49 . 2012-12-27 13:49 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69
2012-12-27 13:49 . 2012-12-27 13:49 -------- d-----w- c:\program files\iTunes
2012-12-27 13:49 . 2012-12-27 13:49 -------- d-----w- c:\program files (x86)\iTunes
2012-12-27 13:49 . 2012-12-27 13:49 -------- d-----w- c:\program files\iPod
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-09-14 283160]
"ShwiconXP9106"="c:\program files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe" [2010-03-10 237568]
"THX Audio Control Panel"="c:\program files (x86)\Creative\THX TruStudio PC\THXAudioCP\THXAudio.exe" [2009-12-01 963584]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Dell DataSafe Online"="c:\program files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe" [2010-08-26 1117528]
"RoxWatchTray"="c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [2010-11-25 240112]
"AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"AdobeCS5.5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\program files (x86)\Dell DataSafe Local Backup\Components\Scheduler\Launcher.exe" [2010-08-12 163040]
"DSUpdateLauncher"="c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe" [2010-07-21 18240]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *SBBD.exe /d \Device\HarddiskVolume3\Program Files (x86)\Ad-Aware Antivirus\Definitions
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ad-Aware Service]
@="Ad-Aware Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
R2 Ad-Aware Service;Ad-Aware Service;c:\program files (x86)\Ad-Aware Antivirus\AdAwareService.exe [2012-12-15 1236968]
R2 AfterFLICS v3;AfterFLICS v3;c:\program files (x86)\AFLICS\AfterFLICS.exe [2011-04-15 135170]
R2 CLKMSVC10_9EC60124;CyberLink Product - 2011/03/09 10:21;c:\program files (x86)\CyberLink\PowerDVD9\NavFilter\kmsvc.exe [2010-10-27 236016]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-14 398184]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-14 682344]
R2 mi-raysat_3dsmax2010_32;mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit;c:\program files (x86)\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe [2009-03-12 86016]
R2 mi-raysat_3dsmax2012_64;mental ray 3.9 Satellite for Autodesk 3ds Max 2012 64-bit - English 64-bit;c:\program files\Autodesk\3ds Max 2012\mentalimages\satellite\raysat_3dsmax2012_64server.exe [2011-02-23 86016]
R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]
R2 SBAMSvc;Ad-Aware;c:\program files (x86)\Ad-Aware Antivirus\SBAMSvc.exe [2012-09-20 3677000]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-11-09 160944]
R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2011-11-20 1431888]
R3 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys [2012-12-17 38096]
R3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-27 158976]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-12-14 24176]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-08-31 128456]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-09-13 368896]
R3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0;PCDSRVC{1E208CE0-FB7451FF-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc_x64.pkms [2010-07-30 25072]
R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-09-28 53760]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-03-17 1255736]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [2012-12-30 14456]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2010-03-19 55856]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-05-17 203264]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-02-28 821664]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-09-14 13336]
S2 NOBU;Dell DataSafe Online;c:\program files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe SERVICE [x]
S2 sbapifs;sbapifs;c:\windows\system32\DRIVERS\sbapifs.sys [2012-09-13 82872]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2009-12-03 483688]
S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2010-08-20 689472]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-05-21 378472]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-16 317440]
S3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [2010-06-08 406056]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2009-12-03 721768]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2009-12-03 269672]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2009-12-03 25960]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2009-12-03 22376]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2009-12-03 209768]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - CLKMDRV10_9EC60124
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-07 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2010-08-05 23:47]
.
2012-12-31 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\pcdrcui.exe [2010-08-05 23:47]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-06-23 10920552]
"RunDLLEntry_THXCfg"="c:\windows\system32\THXCfg64.dll" [2009-10-15 17920]
"RunDLLEntry_EptMon"="c:\windows\system32\EptMon64.dll" [2009-10-15 21504]
"DellStage"="c:\program files (x86)\Dell Stage\Dell Stage\stage_primary.exe" [2011-05-30 2055816]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-13 1289704]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\G-Bear\AppData\Roaming\Mozilla\Firefox\Profiles\iujntzq9.default\
FF - ExtSQL: 2012-12-30 13:32; jid1-yZwVFzbsyfMrqQ@jetpack; c:\users\G-Bear\AppData\Roaming\Mozilla\Firefox\Profiles\iujntzq9.default\extensions\jid1-yZwVFzbsyfMrqQ@jetpack
FF - ExtSQL: 2012-12-31 15:22; {dfa23d17-4e64-4e4f-9b5a-a699dbba8ae5}; c:\users\G-Bear\AppData\Roaming\Mozilla\Firefox\Profiles\iujntzq9.default\extensions\{dfa23d17-4e64-4e4f-9b5a-a699dbba8ae5}.xpi
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKCU-Run-AdobeBridge - (no file)
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
Toolbar-Locked - (no file)
AddRemove-V-Ray for 3dsmax 2010 for x86 - c:\program files (x86)\Chaos Group\V-Ray\3dsmax 2011 for x86\uninstall\wininstaller.exe-uninstall=c:\program files (x86)\Chaos Group\V-Ray\3dsmax 2011 for x86\uninstall\install.log
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\PCDSRVC{1E208CE0-FB7451FF-06020101}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:42,89,75,19,99,b5,07,a9,2e,9f,d4,c0,89,a2,76,33,50,c9,86,02,29,
0a,3a,67,a9,69,2a,84,41,b8,84,eb,01,94,2e,c1,76,82,d8,04,c3,2b,26,8e,29,3b,\
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:42,89,75,19,99,b5,07,a9,2e,9f,d4,c0,89,a2,76,33,50,c9,86,02,29,
0a,3a,67,a9,69,2a,84,41,b8,84,eb,01,94,2e,c1,76,82,d8,04,c3,2b,26,8e,29,3b,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-12-31 15:57:06
ComboFix-quarantined-files.txt 2012-12-31 20:57
.
Pre-Run: 801,317,130,240 bytes free
Post-Run: 801,673,625,600 bytes free
.
- - End Of File - - 983892E891ACEA27688A7A008956A152

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 134,632 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:06 PM

Posted 31 December 2012 - 04:12 PM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 Dr_Jim

Dr_Jim
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:06 PM

Posted 31 December 2012 - 04:31 PM

Heya Gringo,

Did as you said. Report below.

No problems executing the tasks.

Restarted MSE. Scanning. All appears well.
Again,..as for How is machine going?...It "appears" to be doing good. No Medfos is popping up...




ComboFix 12-12-31.01 - G-Bear 12/31/2012 16:16:35.2.8 - x64
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.8174.6168 [GMT -5:00]
Running from: c:\users\G-Bear\Desktop\ComboFix.exe
Command switches used :: c:\users\G-Bear\Desktop\CFScript.txt
AV: Lavasoft Ad-Aware *Disabled/Updated* {E0D97DD4-42BA-B3F2-A5A7-22E9ACE81FC7}
AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
FW: Lavasoft Ad-Aware *Disabled* {D8E2FCF1-08D5-B2AA-8EF8-8BDC523B58BC}
SP: Lavasoft Ad-Aware *Disabled/Updated* {5BB89C30-6480-BC7C-9F17-199BD76F557A}
SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\Services.exe . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2012-11-28 to 2012-12-31 )))))))))))))))))))))))))))))))
.
.
2012-12-31 21:24 . 2012-12-31 21:24 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-12-31 20:58 . 2012-12-31 20:58 76232 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F3E2AC4F-8C90-4126-BFAE-8067CE69BFBD}\offreg.dll
2012-12-31 20:58 . 2012-11-08 14:24 9125352 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F3E2AC4F-8C90-4126-BFAE-8067CE69BFBD}\mpengine.dll
2012-12-31 18:17 . 2012-10-23 11:04 972264 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E90BEA77-5EC8-4A83-B29B-A2CA99101699}\gapaengine.dll
2012-12-31 18:10 . 2012-10-23 11:04 972264 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2012-12-31 18:04 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-12-31 18:04 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-12-31 18:04 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
2012-12-31 18:04 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-12-31 18:04 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
2012-12-31 18:04 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-12-31 18:04 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-12-31 18:04 . 2012-06-02 20:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-12-31 18:04 . 2012-06-02 20:15 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-12-31 17:55 . 2012-12-31 17:55 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2012-12-31 17:55 . 2012-12-31 17:55 -------- d-----w- c:\program files\Microsoft Security Client
2012-12-31 17:55 . 2010-04-09 11:06 374664 ----a-w- c:\windows\system32\drivers\netio.sys
2012-12-31 13:51 . 2012-12-31 13:51 -------- d-----w- c:\users\G-Bear\AppData\Roaming\Malwarebytes
2012-12-31 13:51 . 2012-12-31 13:51 -------- d-----w- c:\programdata\Malwarebytes
2012-12-31 13:51 . 2012-12-31 13:51 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-12-31 13:51 . 2012-12-14 21:49 24176 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-12-31 13:50 . 2012-12-31 13:50 -------- d-----w- c:\users\G-Bear\AppData\Local\Programs
2012-12-30 20:26 . 2012-12-17 11:43 38096 ----a-w- c:\windows\system32\drivers\gfiark.sys
2012-12-30 20:18 . 2012-12-30 20:18 -------- d-----w- C:\Boot
2012-12-30 20:14 . 2012-12-30 20:14 -------- d-----w- c:\program files (x86)\Common Files\Steam
2012-12-30 20:14 . 2012-12-31 20:06 -------- d-----w- c:\program files (x86)\Steam
2012-12-30 19:04 . 2012-12-30 19:04 -------- d-----w- c:\programdata\Ad-Aware Antivirus
2012-12-30 18:36 . 2012-12-30 20:26 -------- d-----w- c:\program files (x86)\Ad-Aware Antivirus
2012-12-30 18:36 . 2012-12-30 18:36 -------- d-----w- c:\programdata\Lavasoft
2012-12-30 18:36 . 2012-12-30 18:36 14456 ----a-w- c:\windows\system32\drivers\gfibto.sys
2012-12-30 18:36 . 2012-09-20 10:40 47496 ----a-w- c:\windows\system32\sbbd.exe
2012-12-30 18:32 . 2012-12-30 18:32 -------- d-----w- c:\users\G-Bear\AppData\Local\adawarebp
2012-12-30 18:32 . 2012-12-30 18:32 -------- d-----w- c:\programdata\Ad-Aware Browsing Protection
2012-12-30 18:32 . 2012-12-30 18:32 -------- d-----w- c:\program files (x86)\Toolbar Cleaner
2012-12-30 18:31 . 2012-12-30 18:31 -------- d-----w- c:\users\G-Bear\AppData\Roaming\LavasoftStatistics
2012-12-30 18:31 . 2012-12-30 19:16 -------- d-----w- c:\users\G-Bear\AppData\Roaming\Ad-Aware Antivirus
2012-12-30 18:15 . 2012-12-30 18:15 22064 ----a-w- c:\windows\DCEBoot64.exe
2012-12-27 13:49 . 2012-08-21 18:01 33240 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-12-27 13:49 . 2012-12-27 13:49 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69
2012-12-27 13:49 . 2012-12-27 13:49 -------- d-----w- c:\program files\iTunes
2012-12-27 13:49 . 2012-12-27 13:49 -------- d-----w- c:\program files (x86)\iTunes
2012-12-27 13:49 . 2012-12-27 13:49 -------- d-----w- c:\program files\iPod
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-09-14 283160]
"ShwiconXP9106"="c:\program files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe" [2010-03-10 237568]
"THX Audio Control Panel"="c:\program files (x86)\Creative\THX TruStudio PC\THXAudioCP\THXAudio.exe" [2009-12-01 963584]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Dell DataSafe Online"="c:\program files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe" [2010-08-26 1117528]
"RoxWatchTray"="c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [2010-11-25 240112]
"AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"AdobeCS5.5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\program files (x86)\Dell DataSafe Local Backup\Components\Scheduler\Launcher.exe" [2010-08-12 163040]
"DSUpdateLauncher"="c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe" [2010-07-21 18240]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *SBBD.exe /d \Device\HarddiskVolume3\Program Files (x86)\Ad-Aware Antivirus\Definitions
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ad-Aware Service]
@="Ad-Aware Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
R2 AfterFLICS v3;AfterFLICS v3;c:\program files (x86)\AFLICS\AfterFLICS.exe [2011-04-15 135170]
R2 CLKMSVC10_9EC60124;CyberLink Product - 2011/03/09 10:21;c:\program files (x86)\CyberLink\PowerDVD9\NavFilter\kmsvc.exe [2010-10-27 236016]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-14 398184]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-14 682344]
R2 mi-raysat_3dsmax2010_32;mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit;c:\program files (x86)\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe [2009-03-12 86016]
R2 mi-raysat_3dsmax2012_64;mental ray 3.9 Satellite for Autodesk 3ds Max 2012 64-bit - English 64-bit;c:\program files\Autodesk\3ds Max 2012\mentalimages\satellite\raysat_3dsmax2012_64server.exe [2011-02-23 86016]
R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]
R2 SBAMSvc;Ad-Aware;c:\program files (x86)\Ad-Aware Antivirus\SBAMSvc.exe [2012-09-20 3677000]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-11-09 160944]
R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2011-11-20 1431888]
R3 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys [2012-12-17 38096]
R3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-27 158976]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-12-14 24176]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-08-31 128456]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-09-13 368896]
R3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0;PCDSRVC{1E208CE0-FB7451FF-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc_x64.pkms [2010-07-30 25072]
R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-09-28 53760]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-03-17 1255736]
R4 Ad-Aware Service;Ad-Aware Service;c:\program files (x86)\Ad-Aware Antivirus\AdAwareService.exe [2012-12-15 1236968]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [2012-12-30 14456]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2010-03-19 55856]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-05-17 203264]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-02-28 821664]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-09-14 13336]
S2 NOBU;Dell DataSafe Online;c:\program files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe SERVICE [x]
S2 sbapifs;sbapifs;c:\windows\system32\DRIVERS\sbapifs.sys [2012-09-13 82872]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2009-12-03 483688]
S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2010-08-20 689472]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-05-21 378472]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-16 317440]
S3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [2010-06-08 406056]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2009-12-03 721768]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2009-12-03 269672]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2009-12-03 25960]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2009-12-03 22376]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2009-12-03 209768]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - CLKMDRV10_9EC60124
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-07 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2010-08-05 23:47]
.
2012-12-31 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\pcdrcui.exe [2010-08-05 23:47]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-06-23 10920552]
"RunDLLEntry_THXCfg"="c:\windows\system32\THXCfg64.dll" [2009-10-15 17920]
"RunDLLEntry_EptMon"="c:\windows\system32\EptMon64.dll" [2009-10-15 21504]
"DellStage"="c:\program files (x86)\Dell Stage\Dell Stage\stage_primary.exe" [2011-05-30 2055816]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-13 1289704]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\G-Bear\AppData\Roaming\Mozilla\Firefox\Profiles\iujntzq9.default\
FF - ExtSQL: 2012-12-30 13:32; jid1-yZwVFzbsyfMrqQ@jetpack; c:\users\G-Bear\AppData\Roaming\Mozilla\Firefox\Profiles\iujntzq9.default\extensions\jid1-yZwVFzbsyfMrqQ@jetpack
FF - ExtSQL: 2012-12-31 15:22; {dfa23d17-4e64-4e4f-9b5a-a699dbba8ae5}; c:\users\G-Bear\AppData\Roaming\Mozilla\Firefox\Profiles\iujntzq9.default\extensions\{dfa23d17-4e64-4e4f-9b5a-a699dbba8ae5}.xpi
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
AddRemove-V-Ray for 3dsmax 2010 for x86 - c:\program files (x86)\Chaos Group\V-Ray\3dsmax 2011 for x86\uninstall\wininstaller.exe-uninstall=c:\program files (x86)\Chaos Group\V-Ray\3dsmax 2011 for x86\uninstall\install.log
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\PCDSRVC{1E208CE0-FB7451FF-06020101}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:42,89,75,19,99,b5,07,a9,2e,9f,d4,c0,89,a2,76,33,50,c9,86,02,29,
0a,3a,67,a9,69,2a,84,41,b8,84,eb,01,94,2e,c1,76,82,d8,04,c3,2b,26,8e,29,3b,\
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:42,89,75,19,99,b5,07,a9,2e,9f,d4,c0,89,a2,76,33,50,c9,86,02,29,
0a,3a,67,a9,69,2a,84,41,b8,84,eb,01,94,2e,c1,76,82,d8,04,c3,2b,26,8e,29,3b,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-12-31 16:25:58
ComboFix-quarantined-files.txt 2012-12-31 21:25
.
Pre-Run: 801,565,331,456 bytes free
Post-Run: 801,498,505,216 bytes free
.
- - End Of File - - 82E6EB0657B6ADBAEF568762B356332E

#8 Dr_Jim

Dr_Jim
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:06 PM

Posted 31 December 2012 - 04:38 PM

1 odd thing I noticed,...and this may have nothing to do with Malware.
When I create a TXT file in Wordpad or such,...and save it to the desktop it doesnt show up.
If I "refresh" the desktop...it then appears.

#9 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 134,632 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:06 PM

Posted 31 December 2012 - 05:10 PM

Hello

download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
[*]Select Command Prompt
[*]In the command window type in notepad and press Enter.
[*]The notepad opens. Under File menu select Open.
[*]Select "Computer" and find your flash drive letter and close the notepad.
[*]In the command window type e:\frst64.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
[*]The tool will start to run.
[*]When the tool opens click Yes to disclaimer.

[*]First Press the Scan button.
[*]It will make a log (FRST.txt)

[*]Second Type the following in the edit box after "Search:". services.exe
[*]Click the Search button
[*]It will make a log (Search.txt)
[/list]
I want you to poste Both the FRST.txt report and the Search.txt into your reply to me

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#10 Dr_Jim

Dr_Jim
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:06 PM

Posted 31 December 2012 - 05:31 PM

No problems performing that.

If I might ask you? How we doing so far?




Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 31-12-2012
Ran by SYSTEM at 31-12-2012 17:25:16
Running from J:\
Windows 7 Professional (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [10920552 2010-06-22] (Realtek Semiconductor)
HKLM\...\Run: [RunDLLEntry_THXCfg] C:\Windows\system32\RunDLL32.exe C:\Windows\system32\THXCfg64.dll,RunDLLEntry THXCfg64 [17920 2009-10-15] (Creative Technology Ltd.)
HKLM\...\Run: [RunDLLEntry_EptMon] C:\Windows\system32\RunDLL32.exe C:\Windows\system32\EptMon64.dll,RunDLLEntry EptMon64 [21504 2009-10-15] (Creative Technology Ltd.)
HKLM\...\Run: [DellStage] "C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\start.umj" --startup [207845 2011-05-30] ()
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1289704 2012-09-12] (Microsoft Corporation)
HKLM-x32\...\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [283160 2010-09-13] (Intel Corporation)
HKLM-x32\...\Run: [ShwiconXP9106] C:\Program Files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe [237568 2010-03-10] (Alcor Micro Corp.)
HKLM-x32\...\Run: [THX Audio Control Panel] "C:\Program Files (x86)\Creative\THX TruStudio PC\THXAudioCP\THXAudio.exe" /r [963584 2009-12-01] (Creative Technology Ltd)
HKLM-x32\...\Run: [UpdReg] C:\Windows\UpdReg.EXE [90112 2000-05-10] (Creative Technology Ltd.)
HKLM-x32\...\Run: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe [1117528 2010-08-25] (Dell, Inc.)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [240112 2010-11-25] (Sonic Solutions)
HKLM-x32\...\Run: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin [406992 2010-02-22] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2010-11-29] (Apple Inc.)
HKLM-x32\...\Run: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin [1523360 2011-01-12] (Adobe Systems Incorporated)
HKLM-x32\...\RunOnce: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\Launcher.exe [163040 2010-08-11] (Softthinks)
HKLM-x32\...\RunOnce: [DSUpdateLauncher] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe" /NOCONSOLE /D="C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate" /RUNAS "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe" [161088 2010-07-21] ()
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

==================== Services (Whitelisted) ===================

4 Ad-Aware Service; "C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareService.exe" [1236968 2012-12-14] (Lavasoft Limited)
2 AfterFLICS v3; C:\Program Files (x86)\AFLICS\AfterFLICS.exe [135170 2011-04-14] ()
2 DCPFLICS; C:\Program Files (x86)\DCPFLICS\DCPFLICS.exe [139268 2007-10-24] ()
2 MBAMScheduler; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe" [398184 2012-12-14] (Malwarebytes Corporation)
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [682344 2012-12-14] (Malwarebytes Corporation)
2 mi-raysat_3dsmax2010_32; "C:\Program Files (x86)\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe" [86016 2009-03-12] ()
2 mi-raysat_3dsmax2012_64; "C:\Program Files\Autodesk\3ds Max 2012\mentalimages\satellite\raysat_3dsmax2012_64server.exe" [86016 2011-02-22] ()
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [22072 2012-09-12] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [368896 2012-09-12] (Microsoft Corporation)
2 SBAMSvc; "C:\Program Files (x86)\Ad-Aware Antivirus\SBAMSvc.exe" [3677000 2012-09-20] (GFI Software)

==================== Drivers (Whitelisted) =====================

3 gfiark; C:\Windows\System32\Drivers\gfiark.sys [38096 2012-12-17] (GFI Software)
0 gfibto; C:\Windows\System32\Drivers\gfibto.sys [14456 2012-12-30] (GFI Software)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [24176 2012-12-14] (Malwarebytes Corporation)
0 MpFilter; C:\Windows\System32\Drivers\MpFilter.sys [228768 2012-08-30] (Microsoft Corporation)
2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [128456 2012-08-30] (Microsoft Corporation)
3 catchme; \??\C:\ComboFix\catchme.sys [x]
3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0; \??\c:\program files\dell support center\pcdsrvc_x64.pkms [x]

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2012-12-31 17:25 - 2012-12-31 17:25 - 00000000 ____D C:\FRST
2012-12-31 14:12 - 2012-12-31 14:12 - 01464235 ____A (Farbar) C:\Users\G-Bear\Desktop\FRST64.exe
2012-12-31 13:25 - 2012-12-31 13:25 - 00019422 ____A C:\Users\G-Bear\Desktop\ComboFix CFScript.txt
2012-12-31 12:57 - 2012-12-31 12:57 - 00019463 ____A C:\Users\G-Bear\Desktop\ComboFix.txt
2012-12-31 12:49 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
2012-12-31 12:49 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
2012-12-31 12:49 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-12-31 12:49 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-12-31 12:49 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-12-31 12:49 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
2012-12-31 12:49 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
2012-12-31 12:49 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
2012-12-31 12:46 - 2012-12-31 13:25 - 00000000 ____D C:\Qoobox
2012-12-31 12:46 - 2012-12-31 13:24 - 00000000 ____D C:\Windows\erdnt
2012-12-31 12:40 - 2012-12-31 12:41 - 05016388 ____R (Swearware) C:\Users\G-Bear\Desktop\ComboFix.exe
2012-12-31 12:24 - 2012-12-31 12:24 - 00003008 ____A C:\Users\G-Bear\Desktop\RKreport[1]_S_12312012_02d1524.txt
2012-12-31 12:23 - 2012-12-31 12:25 - 00000000 ____D C:\Users\G-Bear\Desktop\RK_Quarantine
2012-12-31 12:22 - 2012-12-31 12:22 - 00001332 ____A C:\Users\G-Bear\Desktop\AdwCleaner[S1].txt
2012-12-31 12:21 - 2012-12-31 12:21 - 00001332 ____A C:\AdwCleaner[S1].txt
2012-12-31 12:19 - 2012-12-31 12:19 - 00001456 ____A C:\Users\G-Bear\Desktop\checkup.txt
2012-12-31 12:15 - 2012-12-31 12:16 - 00761856 ____A C:\Users\G-Bear\Desktop\RogueKiller.exe
2012-12-31 12:14 - 2012-12-31 12:15 - 00551997 ____A C:\Users\G-Bear\Desktop\adwcleaner.exe
2012-12-31 12:14 - 2012-12-31 12:14 - 00856731 ____A C:\Users\G-Bear\Desktop\SecurityCheck.exe
2012-12-31 11:39 - 2012-12-31 11:39 - 00020891 ____A C:\Users\G-Bear\Desktop\dds.txt
2012-12-31 11:39 - 2012-12-31 11:39 - 00015741 ____A C:\Users\G-Bear\Desktop\attach.txt
2012-12-31 11:38 - 2012-12-31 11:38 - 00000851 ____A C:\Users\G-Bear\Desktop\Downloads.lnk
2012-12-31 11:37 - 2012-12-31 11:37 - 00688992 ____R (Swearware) C:\Users\G-Bear\Downloads\dds.com
2012-12-31 10:04 - 2012-06-02 14:19 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-12-31 10:04 - 2012-06-02 14:19 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-12-31 10:04 - 2012-06-02 14:19 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-12-31 10:04 - 2012-06-02 14:19 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-12-31 10:04 - 2012-06-02 14:19 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-12-31 10:04 - 2012-06-02 14:15 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-12-31 10:04 - 2012-06-02 14:15 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-12-31 10:04 - 2012-06-02 12:19 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-12-31 10:04 - 2012-06-02 12:15 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-12-31 10:00 - 2012-12-31 10:00 - 00002154 ____A C:\Windows\epplauncher.mif
2012-12-31 09:55 - 2012-12-31 09:55 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-12-31 09:55 - 2012-12-31 09:55 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-12-31 09:55 - 2010-04-09 03:06 - 00374664 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\netio.sys
2012-12-31 09:52 - 2012-12-31 09:54 - 13529576 ____A (Microsoft Corporation) C:\Users\G-Bear\Downloads\mseinstall.exe
2012-12-31 05:51 - 2012-12-31 05:51 - 00000000 ____D C:\Users\G-Bear\AppData\Roaming\Malwarebytes
2012-12-31 05:51 - 2012-12-31 05:51 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-12-31 05:51 - 2012-12-31 05:51 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-12-31 05:51 - 2012-12-14 13:49 - 00024176 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-12-31 05:48 - 2012-12-31 05:48 - 10156344 ____A (Malwarebytes Corporation ) C:\Users\G-Bear\Downloads\mbam-setup-1.70.0.1100.exe
2012-12-30 13:02 - 2012-12-30 14:14 - 00000222 ____A C:\Users\G-Bear\Desktop\Call of Duty Black Ops II.url
2012-12-30 13:02 - 2012-12-30 13:02 - 00000222 ____A C:\Users\G-Bear\Desktop\Call of Duty Black Ops II - Zombies.url
2012-12-30 13:02 - 2012-12-30 13:02 - 00000222 ____A C:\Users\G-Bear\Desktop\Call of Duty Black Ops II - Multiplayer.url
2012-12-30 12:26 - 2012-12-17 03:43 - 00038096 ____A (GFI Software) C:\Windows\System32\Drivers\gfiark.sys
2012-12-30 12:14 - 2012-12-31 14:02 - 00000000 ____D C:\Program Files (x86)\Steam
2012-12-30 11:04 - 2012-12-30 11:04 - 00000000 ____D C:\Users\All Users\Ad-Aware Antivirus
2012-12-30 10:36 - 2012-12-30 12:26 - 00000000 ____D C:\Program Files (x86)\Ad-Aware Antivirus
2012-12-30 10:36 - 2012-12-30 10:36 - 00014456 ____A (GFI Software) C:\Windows\System32\Drivers\gfibto.sys
2012-12-30 10:36 - 2012-12-30 10:36 - 00000000 ____D C:\Users\All Users\Lavasoft
2012-12-30 10:36 - 2012-09-20 02:40 - 00047496 ____A (GFI Software) C:\Windows\System32\sbbd.exe
2012-12-30 10:32 - 2012-12-30 10:32 - 00000000 ____D C:\Users\G-Bear\AppData\Local\adawarebp
2012-12-30 10:32 - 2012-12-30 10:32 - 00000000 ____D C:\Users\All Users\Ad-Aware Browsing Protection
2012-12-30 10:32 - 2012-12-30 10:32 - 00000000 ____D C:\Program Files (x86)\Toolbar Cleaner
2012-12-30 10:31 - 2012-12-30 11:16 - 00000000 ____D C:\Users\G-Bear\AppData\Roaming\Ad-Aware Antivirus
2012-12-30 10:31 - 2012-12-30 10:31 - 00000000 ____D C:\Users\G-Bear\AppData\Roaming\LavasoftStatistics
2012-12-30 10:28 - 2012-12-30 10:30 - 06133368 ____A (Lavasoft Limited) C:\Users\G-Bear\Downloads\Adaware_Installer.exe
2012-12-30 10:16 - 2012-12-30 10:16 - 00000714 ____A C:\Windows\DCEBOOT.RST
2012-12-30 10:16 - 2012-12-30 10:16 - 00000000 ____A C:\Windows\DCEBOOT.LOG
2012-12-30 10:15 - 2012-12-30 21:35 - 07080385 ____A C:\Users\G-Bear\AppData\Local\census.cache
2012-12-30 10:15 - 2012-12-30 21:27 - 00114506 ____A C:\Users\G-Bear\AppData\Local\ars.cache
2012-12-30 10:15 - 2012-12-30 10:15 - 00022064 ____A C:\Windows\DCEBoot64.exe
2012-12-30 09:33 - 2012-12-30 09:33 - 02406064 ____A (Trend Micro Inc.) C:\Users\G-Bear\Downloads\HousecallLauncher64(1).exe
2012-12-29 14:21 - 2012-12-29 14:27 - 00000000 ____D C:\Users\G-Bear\Desktop\Vicki_Iphone_12-12-12
2012-12-29 05:36 - 2012-12-29 05:41 - 00000000 ____D C:\Users\G-Bear\Desktop\Desktop_Categories
2012-12-27 05:49 - 2012-12-27 05:49 - 00000000 ____D C:\Users\All Users\34BE82C4-E596-4e99-A191-52C6199EBF69
2012-12-27 05:49 - 2012-12-27 05:49 - 00000000 ____D C:\Program Files\iTunes
2012-12-27 05:49 - 2012-12-27 05:49 - 00000000 ____D C:\Program Files\iPod
2012-12-27 05:49 - 2012-12-27 05:49 - 00000000 ____D C:\Program Files (x86)\iTunes
2012-12-27 05:49 - 2012-08-21 10:01 - 00033240 ____A (GEAR Software Inc.) C:\Windows\System32\Drivers\GEARAspiWDM.sys
2012-12-06 04:31 - 2012-12-22 03:21 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox

==================== One Month Modified Files and Folders =======

2012-12-31 14:18 - 2009-07-13 21:10 - 01216004 ____A C:\Windows\WindowsUpdate.log
2012-12-31 14:14 - 2009-07-13 21:13 - 00779080 ____A C:\Windows\System32\PerfStringBackup.INI
2012-12-31 14:12 - 2012-12-31 14:12 - 01464235 ____A (Farbar) C:\Users\G-Bear\Desktop\FRST64.exe
2012-12-31 14:02 - 2012-12-30 12:14 - 00000000 ____D C:\Program Files (x86)\Steam
2012-12-31 13:25 - 2012-12-31 13:25 - 00019422 ____A C:\Users\G-Bear\Desktop\ComboFix CFScript.txt
2012-12-31 13:25 - 2012-12-31 12:46 - 00000000 ____D C:\Qoobox
2012-12-31 13:24 - 2012-12-31 12:46 - 00000000 ____D C:\Windows\erdnt
2012-12-31 13:24 - 2009-07-13 18:34 - 00000215 ____A C:\Windows\system.ini
2012-12-31 12:57 - 2012-12-31 12:57 - 00019463 ____A C:\Users\G-Bear\Desktop\ComboFix.txt
2012-12-31 12:57 - 2009-07-13 19:20 - 00000000 __RHD C:\users\Default
2012-12-31 12:41 - 2012-12-31 12:40 - 05016388 ____R (Swearware) C:\Users\G-Bear\Desktop\ComboFix.exe
2012-12-31 12:30 - 2009-07-13 20:45 - 00019392 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-12-31 12:30 - 2009-07-13 20:45 - 00019392 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-12-31 12:25 - 2012-12-31 12:23 - 00000000 ____D C:\Users\G-Bear\Desktop\RK_Quarantine
2012-12-31 12:24 - 2012-12-31 12:24 - 00003008 ____A C:\Users\G-Bear\Desktop\RKreport[1]_S_12312012_02d1524.txt
2012-12-31 12:22 - 2012-12-31 12:22 - 00001332 ____A C:\Users\G-Bear\Desktop\AdwCleaner[S1].txt
2012-12-31 12:22 - 2011-11-20 07:24 - 00002277 ____A C:\AFlics.log
2012-12-31 12:22 - 2011-07-04 08:14 - 00000000 ____D C:\Users\All Users\NVIDIA
2012-12-31 12:22 - 2011-03-16 07:50 - 00000000 ____D C:\Users\G-Bear\AppData\Local\SoftThinks
2012-12-31 12:22 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-12-31 12:22 - 2009-07-13 20:51 - 00038862 ____A C:\Windows\setupact.log
2012-12-31 12:21 - 2012-12-31 12:21 - 00001332 ____A C:\AdwCleaner[S1].txt
2012-12-31 12:19 - 2012-12-31 12:19 - 00001456 ____A C:\Users\G-Bear\Desktop\checkup.txt
2012-12-31 12:16 - 2012-12-31 12:15 - 00761856 ____A C:\Users\G-Bear\Desktop\RogueKiller.exe
2012-12-31 12:15 - 2012-12-31 12:14 - 00551997 ____A C:\Users\G-Bear\Desktop\adwcleaner.exe
2012-12-31 12:14 - 2012-12-31 12:14 - 00856731 ____A C:\Users\G-Bear\Desktop\SecurityCheck.exe
2012-12-31 11:39 - 2012-12-31 11:39 - 00020891 ____A C:\Users\G-Bear\Desktop\dds.txt
2012-12-31 11:39 - 2012-12-31 11:39 - 00015741 ____A C:\Users\G-Bear\Desktop\attach.txt
2012-12-31 11:38 - 2012-12-31 11:38 - 00000851 ____A C:\Users\G-Bear\Desktop\Downloads.lnk
2012-12-31 11:37 - 2012-12-31 11:37 - 00688992 ____R (Swearware) C:\Users\G-Bear\Downloads\dds.com
2012-12-31 10:01 - 2011-03-09 08:30 - 00000000 ____D C:\Users\All Users\Sonic
2012-12-31 10:00 - 2012-12-31 10:00 - 00002154 ____A C:\Windows\epplauncher.mif
2012-12-31 09:55 - 2012-12-31 09:55 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-12-31 09:55 - 2012-12-31 09:55 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-12-31 09:54 - 2012-12-31 09:52 - 13529576 ____A (Microsoft Corporation) C:\Users\G-Bear\Downloads\mseinstall.exe
2012-12-31 09:38 - 2011-03-09 10:07 - 00018416 ____A C:\Windows\PFRO.log
2012-12-31 09:01 - 2011-03-16 07:52 - 00000422 ____A C:\Windows\Tasks\SystemToolsDailyTest.job
2012-12-31 05:51 - 2012-12-31 05:51 - 00000000 ____D C:\Users\G-Bear\AppData\Roaming\Malwarebytes
2012-12-31 05:51 - 2012-12-31 05:51 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-12-31 05:51 - 2012-12-31 05:51 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-12-31 05:48 - 2012-12-31 05:48 - 10156344 ____A (Malwarebytes Corporation ) C:\Users\G-Bear\Downloads\mbam-setup-1.70.0.1100.exe
2012-12-30 21:35 - 2012-12-30 10:15 - 07080385 ____A C:\Users\G-Bear\AppData\Local\census.cache
2012-12-30 21:27 - 2012-12-30 10:15 - 00114506 ____A C:\Users\G-Bear\AppData\Local\ars.cache
2012-12-30 14:21 - 2011-03-09 08:23 - 00241614 ____A C:\Windows\DirectX.log
2012-12-30 14:14 - 2012-12-30 13:02 - 00000222 ____A C:\Users\G-Bear\Desktop\Call of Duty Black Ops II.url
2012-12-30 13:02 - 2012-12-30 13:02 - 00000222 ____A C:\Users\G-Bear\Desktop\Call of Duty Black Ops II - Zombies.url
2012-12-30 13:02 - 2012-12-30 13:02 - 00000222 ____A C:\Users\G-Bear\Desktop\Call of Duty Black Ops II - Multiplayer.url
2012-12-30 12:26 - 2012-12-30 10:36 - 00000000 ____D C:\Program Files (x86)\Ad-Aware Antivirus
2012-12-30 11:16 - 2012-12-30 10:31 - 00000000 ____D C:\Users\G-Bear\AppData\Roaming\Ad-Aware Antivirus
2012-12-30 11:04 - 2012-12-30 11:04 - 00000000 ____D C:\Users\All Users\Ad-Aware Antivirus
2012-12-30 10:36 - 2012-12-30 10:36 - 00014456 ____A (GFI Software) C:\Windows\System32\Drivers\gfibto.sys
2012-12-30 10:36 - 2012-12-30 10:36 - 00000000 ____D C:\Users\All Users\Lavasoft
2012-12-30 10:36 - 2011-11-19 14:38 - 00000000 ____D C:\Users\G-Bear\AppData\Local\Downloaded Installations
2012-12-30 10:32 - 2012-12-30 10:32 - 00000000 ____D C:\Users\G-Bear\AppData\Local\adawarebp
2012-12-30 10:32 - 2012-12-30 10:32 - 00000000 ____D C:\Users\All Users\Ad-Aware Browsing Protection
2012-12-30 10:32 - 2012-12-30 10:32 - 00000000 ____D C:\Program Files (x86)\Toolbar Cleaner
2012-12-30 10:31 - 2012-12-30 10:31 - 00000000 ____D C:\Users\G-Bear\AppData\Roaming\LavasoftStatistics
2012-12-30 10:30 - 2012-12-30 10:28 - 06133368 ____A (Lavasoft Limited) C:\Users\G-Bear\Downloads\Adaware_Installer.exe
2012-12-30 10:16 - 2012-12-30 10:16 - 00000714 ____A C:\Windows\DCEBOOT.RST
2012-12-30 10:16 - 2012-12-30 10:16 - 00000000 ____A C:\Windows\DCEBOOT.LOG
2012-12-30 10:15 - 2012-12-30 10:15 - 00022064 ____A C:\Windows\DCEBoot64.exe
2012-12-30 09:33 - 2012-12-30 09:33 - 02406064 ____A (Trend Micro Inc.) C:\Users\G-Bear\Downloads\HousecallLauncher64(1).exe
2012-12-30 09:31 - 2011-03-16 07:50 - 00000000 ____D C:\users\G-Bear
2012-12-30 08:38 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2012-12-29 14:27 - 2012-12-29 14:21 - 00000000 ____D C:\Users\G-Bear\Desktop\Vicki_Iphone_12-12-12
2012-12-29 05:41 - 2012-12-29 05:36 - 00000000 ____D C:\Users\G-Bear\Desktop\Desktop_Categories
2012-12-27 05:50 - 2012-05-19 15:39 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2012-12-27 05:50 - 2012-01-14 14:01 - 00000000 ____D C:\Users\G-Bear\AppData\Roaming\SoftGrid Client
2012-12-27 05:50 - 2011-03-09 08:17 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup
2012-12-27 05:49 - 2012-12-27 05:49 - 00000000 ____D C:\Users\All Users\34BE82C4-E596-4e99-A191-52C6199EBF69
2012-12-27 05:49 - 2012-12-27 05:49 - 00000000 ____D C:\Program Files\iTunes
2012-12-27 05:49 - 2012-12-27 05:49 - 00000000 ____D C:\Program Files\iPod
2012-12-27 05:49 - 2012-12-27 05:49 - 00000000 ____D C:\Program Files (x86)\iTunes
2012-12-22 03:21 - 2012-12-06 04:31 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2012-12-17 03:43 - 2012-12-30 12:26 - 00038096 ____A (GFI Software) C:\Windows\System32\Drivers\gfiark.sys
2012-12-14 13:49 - 2012-12-31 05:51 - 00024176 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-12-07 09:00 - 2011-03-16 07:52 - 00000564 ____A C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job


==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-12-30 12:14:26
Restore point made on: 2012-12-30 14:20:31
Restore point made on: 2012-12-31 09:55:37
Restore point made on: 2012-12-31 10:04:04
Restore point made on: 2012-12-31 11:02:10

==================== Memory info ===========================

Percentage of memory in use: 12%
Total physical RAM: 8174.45 MB
Available physical RAM: 7146.01 MB
Total Pagefile: 8172.59 MB
Available Pagefile: 7135.28 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: (OS) (Fixed) (Total:919.22 GB) (Free:746.48 GB) NTFS
2 Drive e: (WIN_7_HOMEPREMIUM) (CDROM) (Total:5.75 GB) (Free:0 GB) UDF
7 Drive j: (JEFF) (Removable) (Total:1.93 GB) (Free:1.85 GB) FAT32
8 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
9 Drive y: (RECOVERY) (Fixed) (Total:12.25 GB) (Free:5.14 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 931 GB 0 B
Disk 1 No Media 0 B 0 B
Disk 2 No Media 0 B 0 B
Disk 3 No Media 0 B 0 B
Disk 4 No Media 0 B 0 B
Disk 5 Online 1983 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 39 MB 31 KB
Partition 2 Primary 12 GB 40 MB
Partition 3 Primary 919 GB 12 GB

==================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 8 FAT Partition 39 MB Healthy Hidden

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y RECOVERY NTFS Partition 12 GB Healthy

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 919 GB Healthy

=========================================================

Partitions of Disk 5:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1983 MB 16 KB

==================================================================================

Disk: 5
Partition 1
Type : 0B
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 7 J JEFF FAT32 Removable 1983 MB Healthy

=========================================================

Last Boot: 2012-12-24 21:15

==================== End Of Log =============================





Farbar Recovery Scan Tool (x64) Version: 31-12-2012
Ran by SYSTEM at 2012-12-31 17:27:07
Running from J:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\erdnt\cache64\services.exe
[2012-12-31 12:56] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======

#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 134,632 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:06 PM

Posted 31 December 2012 - 08:49 PM

Hello

These logs are looking allot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

NOTE** Because of the cleanup process some of the programs I have listed may not be in add/remove anymore this is fine just move to the next item on the list.

You can remove these programs using add/remove or you can use the free uninstaller from Revo (Revo does allot better of a job)

Programs to remove


Adobe Reader 9.1.2
Java™ 6 Update 23

[/list]


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.
.



Update Adobe reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.
[/list]


Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close



Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.



: Malwarebytes' Anti-Malware :


I see You have MBAM installed on the computer - that is great!! it is a very good program! I would like you to run a quick scan for me now

  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis program
  • Save HijackThis to your desktop.
  • Right Click on Hijackthis and select "Run as Admin" (XP users just need to double click to run)
  • Click on "Do A system scan and save a logfile" (if you do not see "Do A system scan and save a logfile" then click on main menu)
  • copy and paste hijackthis report into the topic

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#12 Dr_Jim

Dr_Jim
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:06 PM

Posted 31 December 2012 - 09:45 PM

Thx Gringo,
It's 9:30PM EST....and I am retiring for the evening.
I will continue with this tomorrow, Jan 1, 2013

Thanks for all your help so far, and have a happy new year!

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 134,632 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:06 PM

Posted 31 December 2012 - 09:48 PM

no problem and see you then
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#14 Dr_Jim

Dr_Jim
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:06 PM

Posted 01 January 2013 - 07:40 AM

Good morning,

Log files below.
Machine is running fine. Medfos is no longer popping up in MSE at all...not since yesterday afternoon.

No problems executing the tasks.




Malwarebytes Anti-Malware (Trial) 1.70.0.1100
www.malwarebytes.org

Database version: v2013.01.01.02

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
G-Bear :: G-BEAR-PC [administrator]

Protection: Enabled

1/1/2013 7:34:42 AM
mbam-log-2013-01-01 (07-34-42).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 213310
Time elapsed: 2 minute(s), 52 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)




________________________________________________________________________________




Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:38:09 AM, on 1/1/2013
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16700)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\STService.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Users\G-Bear\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/USCON/1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
O4 - HKLM\..\Run: [ShwiconXP9106] C:\Program Files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe
O4 - HKLM\..\Run: [THX Audio Control Panel] "C:\Program Files (x86)\Creative\THX TruStudio PC\THXAudioCP\THXAudio.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\Windows\UpdReg.EXE
O4 - HKLM\..\Run: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"
O4 - HKLM\..\Run: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\Launcher.exe
O4 - HKLM\..\RunOnce: [DSUpdateLauncher] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe" /NOCONSOLE /D="C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate" /RUNAS "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe"
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O18 - Protocol: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - c:\Program Files (x86)\Cozi Express\CoziProtocolHandler.dll
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: AfterFLICS v3 - Unknown owner - C:\Program Files (x86)\AFLICS\AfterFLICS.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Product - 2011/03/09 10:21:40 (CLKMSVC10_9EC60124) - CyberLink - C:\Program Files (x86)\CyberLink\PowerDVD9\NavFilter\kmsvc.exe
O23 - Service: DCPFLICS - Unknown owner - C:\Program Files (x86)\DCPFLICS\DCPFLICS.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: FLEXnet Licensing Service 64 - Flexera Software, Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe
O23 - Service: Intel® Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit (mi-raysat_3dsmax2010_32) - Unknown owner - C:\Program Files (x86)\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe
O23 - Service: mental ray 3.9 Satellite for Autodesk 3ds Max 2012 64-bit - English 64-bit (mi-raysat_3dsmax2012_64) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2012\mentalimages\satellite\raysat_3dsmax2012_64server.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Dell DataSafe Online (NOBU) - Dell, Inc. - C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: RoxMediaDB12OEM - Sonic Solutions - C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe
O23 - Service: Roxio Hard Drive Watcher 12 (RoxWatch12) - Sonic Solutions - C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Ad-Aware (SBAMSvc) - GFI Software - C:\Program Files (x86)\Ad-Aware Antivirus\SBAMSvc.exe
O23 - Service: SoftThinks Agent Service (SftService) - SoftThinks SAS - C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files (x86)\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Adobe SwitchBoard (SwitchBoard) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 12060 bytes

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 134,632 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:06 PM

Posted 01 January 2013 - 05:14 PM

Hello

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):


    • O4 - HKLM\..\Run: [ShwiconXP9106] C:\Program Files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe
      O4 - HKLM\..\Run: [THX Audio Control Panel] "C:\Program Files (x86)\Creative\THX TruStudio PC\THXAudioCP\THXAudio.exe" /r
      O4 - HKLM\..\Run: [UpdReg] C:\Windows\UpdReg.EXE
      O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"
      O4 - HKLM\..\Run: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
      O4 - HKLM\..\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
      O4 - HKLM\..\Run: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE**You can research each of those lines >here< and see if you want to keep them or not
    just copy the name between the brackets and paste into the search space
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
sometimes we have to run it like this To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the add/on to be installed
    • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • wait for the virus definitions to be downloaded
  • Wait for the scan to finish

When the scan is complete

  • If no threats were found
  • put a checkmark in "Uninstall application on close"
  • close program
  • report to me that nothing was found

  • If threats were found
  • click on "list of threats found"
  • click on "export to text file" and save it as ESET SCAN and save to the desktop
  • Click on back
  • put a checkmark in "Uninstall application on close"
  • click on finish
  • close program
  • copy and paste the report here

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users