BleepingComputer.com: Possibly still infected

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
  • 2 Pages +
  • 1
  • 2
  • You cannot start a new topic
  • This topic is locked

Possibly still infected any help would be great

#16 User is offline   JustaNoob 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 12
  • Joined: 13-October 11

Posted 21 October 2011 - 10:35 PM

ok Gringo that worked here is the log.

ComboFix 11-10-20.08 - casper 10/21/2011 23:15:48.7.1 - x64 MINIMAL
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.1978.1137 [GMT -4:00]
Running from: c:\users\casper\Videos\Desktop\ComboFix.exe
Command switches used :: c:\users\casper\Videos\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
FILE ::
"c:\windows\SysWow64\ConduitEngine.tmp"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\Yontoo Layers Runtime
.
---- Previous Run -------
.
c:\program files (x86)\uTorrentBar\GottenAppsContextMenu.xml
c:\program files (x86)\uTorrentBar\ldrtbuTor.dll
c:\program files (x86)\uTorrentBar\OtherAppsContextMenu.xml
c:\program files (x86)\uTorrentBar\prxtbuTor.dll
c:\program files (x86)\uTorrentBar\SharedAppsContextMenu.xml
c:\program files (x86)\uTorrentBar\tbuTor.dll
c:\program files (x86)\uTorrentBar\toolbar.cfg
c:\program files (x86)\uTorrentBar\ToolbarContextMenu.xml
c:\program files (x86)\uTorrentBar\uninstall.exe
c:\program files (x86)\uTorrentBar\uTorrentBarToolbarHelper.exe
c:\windows\SysWow64\ConduitEngine.tmp
.
.
((((((((((((((((((((((((( Files Created from 2011-09-22 to 2011-10-22 )))))))))))))))))))))))))))))))
.
.
2011-10-22 03:22 . 2011-10-22 03:22 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-10-22 03:22 . 2011-10-22 03:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-20 04:54 . 2011-10-20 04:54 -------- d-----w- c:\program files (x86)\AVG Secure Search
2011-10-16 05:25 . 2011-10-16 05:44 -------- d-----w- c:\users\casper\AppData\Roaming\AVG
2011-10-15 06:43 . 2011-10-15 08:30 -------- d-----w- c:\users\casper\AppData\Local\Solid State Networks
2011-10-14 03:21 . 2011-09-01 05:12 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-10-14 03:21 . 2011-09-01 02:22 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2011-10-14 03:08 . 2011-08-17 05:26 613888 ----a-w- c:\windows\system32\psisdecd.dll
2011-10-14 03:08 . 2011-08-17 04:24 465408 ----a-w- c:\windows\SysWow64\psisdecd.dll
2011-10-14 03:08 . 2011-08-17 04:19 75776 ----a-w- c:\windows\SysWow64\psisrndr.ax
2011-10-14 03:08 . 2011-08-17 05:25 108032 ----a-w- c:\windows\system32\psisrndr.ax
2011-10-13 11:23 . 2011-09-06 03:03 3138048 ----a-w- c:\windows\system32\win32k.sys
2011-10-13 11:23 . 2011-08-27 05:37 331776 ----a-w- c:\windows\system32\oleacc.dll
2011-10-13 11:23 . 2011-08-27 04:26 571904 ----a-w- c:\windows\SysWow64\oleaut32.dll
2011-10-13 11:23 . 2011-08-27 04:26 233472 ----a-w- c:\windows\SysWow64\oleacc.dll
2011-10-13 11:23 . 2011-08-27 05:37 861696 ----a-w- c:\windows\system32\oleaut32.dll
2011-10-03 22:26 . 2011-10-03 22:26 -------- d-----w- C:\TDSSKiller_Quarantine
2011-10-03 16:12 . 2011-10-03 20:54 -------- d-----w- c:\program files (x86)\AutoIt3
2011-10-03 05:25 . 2011-10-03 05:25 -------- d-----w- c:\program files (x86)\AC Tool
2011-10-02 11:14 . 2011-10-02 11:14 -------- d-----w- c:\users\casper\AppData\Roaming\SUPERAntiSpyware.com
2011-10-02 11:14 . 2011-10-20 05:12 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-10-02 11:14 . 2011-10-02 11:14 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-10-02 10:36 . 2011-10-02 10:36 -------- d-----w- c:\program files (x86)\MALWAREBYTES ANTI-MALWARE
2011-10-02 09:49 . 2011-10-02 09:50 -------- d-----w- C:\2SUPER-ANTI SPYWARE
2011-10-02 08:45 . 2011-10-02 11:11 -------- d-----w- C:\1HijackThis
2011-09-25 23:03 . 2011-06-13 16:07 4121080 ----a-w- c:\windows\SysWow64\GameMon.des
2011-09-25 23:03 . 2005-01-04 00:43 4682 ----a-w- c:\windows\SysWow64\npptNT2.sys
2011-09-25 23:00 . 2003-07-20 09:17 5174 ----a-w- c:\windows\SysWow64\NPPT9X.VXD
2011-09-25 23:00 . 2011-09-25 23:00 -------- d-----w- c:\program files\Common Files\INCA Shared
2011-09-25 02:30 . 2011-09-25 02:30 -------- d-----w- c:\program files (x86)\Stellarium
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-15 08:30 . 2011-05-18 15:33 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-09-17 05:57 . 2011-09-17 05:58 627600 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-17 05:45 . 2011-05-28 03:51 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-09-13 10:30 . 2011-09-13 10:30 37456 ----a-w- c:\windows\system32\drivers\avgrkx64.sys
2011-09-03 01:54 . 2011-09-03 01:54 993 ----a-w- c:\windows\gvimdiff.bat
2011-09-03 01:54 . 2011-09-03 01:54 993 ----a-w- c:\windows\gview.bat
2011-09-03 01:54 . 2011-09-03 01:54 993 ----a-w- c:\windows\evim.bat
2011-09-03 01:54 . 2011-09-03 01:54 985 ----a-w- c:\windows\gvim.bat
2011-09-03 01:54 . 2011-09-03 01:54 694 ----a-w- c:\windows\vimtutor.bat
2011-09-03 01:54 . 2011-09-03 01:54 668 ----a-w- c:\windows\vimdiff.bat
2011-09-03 01:54 . 2011-09-03 01:54 668 ----a-w- c:\windows\view.bat
2011-09-03 01:54 . 2011-09-03 01:54 664 ----a-w- c:\windows\vim.bat
2011-08-31 21:00 . 2011-02-22 21:19 25416 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-20 23:49 . 2011-08-20 23:49 1060864 ----a-w- c:\windows\SysWow64\mfc71.dll
2011-08-16 12:48 . 2011-09-16 09:55 8862544 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{96A4A2E2-066D-40C7-A807-25BD901FFEB9}\mpengine.dll
2011-08-08 10:08 . 2011-08-08 10:08 46672 ----a-w- c:\windows\system32\drivers\avgmfx64.sys
2011-08-07 01:02 . 2011-08-07 01:02 18944 ----a-r- c:\users\casper\AppData\Roaming\Microsoft\Installer\{297DCADA-86A1-4A42-8A13-66B7D7A09FD2}\IconBB6A16301.exe
.
.
((((((((((((((((((((((((((((( SnapShot_2011-10-21_14.50.46 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-07-14 04:54 . 2011-10-20 05:06 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2011-10-21 15:13 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2011-10-20 05:06 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2011-10-21 15:13 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-10-20 05:06 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2011-10-21 15:13 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-01-25 05:42 . 2011-10-22 03:07 44692 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
- 2009-07-14 05:10 . 2011-10-21 14:30 49714 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-10-22 03:07 49714 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-01-25 04:51 . 2011-10-22 03:07 24068 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-689871122-2132395542-1557245056-1000_UserData.bin
- 2011-01-25 03:46 . 2011-10-18 16:48 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-01-25 03:46 . 2011-10-22 01:04 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-01-25 03:46 . 2011-10-18 16:48 65536 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-01-25 03:46 . 2011-10-22 01:04 65536 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2011-10-22 01:04 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2011-10-18 16:48 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-01-27 00:50 . 2011-10-22 00:58 8312 c:\windows\system32\wdi\ERCQueuedResolutions.dat
+ 2011-01-26 23:08 . 2011-10-22 00:26 1628 c:\windows\system32\wdi\{b171ab1c-60e9-4301-a338-beab1c70b3e9}.bin
+ 2011-10-22 03:23 . 2011-10-22 03:23 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-10-21 14:49 . 2011-10-21 14:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-10-21 14:49 . 2011-10-21 14:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-10-22 03:23 . 2011-10-22 03:23 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 05:01 . 2011-10-22 03:12 316292 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2011-10-21 14:48 316292 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-05-01 20:04 . 2011-10-22 03:12 9236056 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-689871122-2132395542-1557245056-1000-8192.dat
- 2011-05-31 19:28 . 2011-10-20 05:03 3930880 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-689871122-2132395542-1557245056-1000-12288.dat
+ 2011-05-31 19:28 . 2011-10-22 02:58 3930880 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-689871122-2132395542-1557245056-1000-12288.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2011-10-20 04:54 1451336 ----a-w- c:\program files (x86)\AVG Secure Search\8.0.0.34\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
c:\program files (x86)\Yontoo Layers Runtime\YontooIEClient.dll [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files (x86)\uTorrentBar\prxtbuTor.dll" [BU]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files (x86)\AVG Secure Search\8.0.0.34\AVG Secure Search_toolbar.dll" [2011-10-20 1451336]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-10-20 5500800]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-11-06 283160]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2011-09-23 2404704]
"vProt"="c:\program files (x86)\AVG Secure Search\vprot.exe" [2011-10-20 218440]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [x]
R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [x]
R1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [x]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 27136]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2012\AVGIDSAgent.exe [2011-09-12 5265248]
R2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe [2011-08-02 192776]
R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files (x86)\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [2008-03-03 16384]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files (x86)\LogMeIn Hamachi\hamachi-2.exe [2011-08-04 2329480]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-11-06 13336]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files (x86)\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-04-07 50424]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-04-04 131072]
R2 TeamViewer6;TeamViewer 6;c:\program files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2011-08-30 2358656]
R2 vToolbarUpdater;vToolbarUpdater;c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\8.0.1\ToolbarUpdater.exe [2011-09-20 246600]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [x]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [x]
R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys [x]
R3 dump_wmimmc;dump_wmimmc;c:\alt1games\TROY\GameGuard\dump_wmimmc.sys [x]
R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]
R3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [x]
R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x64.sys [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-09-02 225280]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [x]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-03-15 165912]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-03-15 387608]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-03-15 365592]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.elitepvpers.com/
mStart Page = about:blank
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.1.1
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\8.0.1\ViProtocol.dll
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\shell32.dll
FF - ProfilePath - c:\users\casper\AppData\Roaming\Mozilla\Firefox\Profiles\dldvzajw.default\
FF - prefs.js: browser.startup.homepage - www.virustotal.com
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B7ddabc94-b094-454c-b7ea-526b4c24a57c%7D&mid=b831d2b81fde47d69e4959e75be65a83-e8b7d7fc6c8b7f9b9b814385e23d996c9611cf25&ds=AVG&v=8.0.0.34.1&lang=en&pr=pr&d=2011-09-19%2022%3A33%3A20&sap=ku&q=
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(extentions.y2layers.installId, a3215b97-93a4-45e6-bc3b-fd027a15fd09
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files (x86)\uTorrentBar\prxtbuTor.dll
AddRemove-uTorrentBar Toolbar - c:\program files (x86)\uTorrentBar\uninstall.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10w_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10w_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10w.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10w.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10w.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10w.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-10-21 23:27:38 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-22 03:27
ComboFix2.txt 2011-10-21 14:56
ComboFix3.txt 2011-02-22 21:06
ComboFix4.txt 2011-02-22 20:51
ComboFix5.txt 2011-10-22 00:14
.
Pre-Run: 150,410,067,968 bytes free
Post-Run: 150,335,840,256 bytes free
.
- - End Of File - - D11CC261C51510571CA33B0C0ED1740D

#17 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,518
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 22 October 2011 - 03:03 AM

Hello

I would ike to see a report that combofix makes.

extra combofix report

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box

C:\Qoobox\Add-Remove Programs.txt

  • click ok


copy and paste the report into this topic for me to review

Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#18 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,518
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 26 October 2011 - 09:56 AM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!


Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#19 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,518
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 30 October 2011 - 02:43 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

Share this topic:


  • 2 Pages +
  • 1
  • 2
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users