BleepingComputer.com: Cleaning up after Google redirect Virus, and likely various other Trojans

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
  • 2 Pages +
  • 1
  • 2
  • You cannot start a new topic
  • This topic is locked

Cleaning up after Google redirect Virus, and likely various other Trojans

#1 User is offline   Grenaid 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 9
  • Joined: 30-January 12

Posted 30 January 2012 - 08:18 PM

Hello! Trying to follow the forum guide as closely as I can.

First, apologies for running a few steps ahead as per this post on another forum.

Hitman worked like a champ and seems to have taken down the redirect together with combofix.

DDS reports:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64 
Internet Explorer: 8.0.7601.17514
Run by Mom at 20:12:03 on 2012-01-30
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3037.1550 [GMT -5:00]
.
AV: Kaspersky Internet Security *Disabled/Outdated* {2EAA32A5-1EE1-1B22-95DA-337730C6E984}
SP: Kaspersky Internet Security *Disabled/Updated* {95CBD341-38DB-14AC-AF6A-08054B41A339}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Kaspersky Internet Security *Disabled* {1691B380-548E-1A7A-BE85-9A42CE15AEFF}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\lxdxcoms.exe
C:\Program Files (x86)\Norton AntiVirus\Engine\19.2.0.10\ccSvcHst.exe
C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Secunia\PSI\PSIA.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
C:\Program Files (x86)\Norton AntiVirus\Engine\19.2.0.10\ccSvcHst.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
C:\Program Files (x86)\Secunia\PSI\sua.exe
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files (x86)\Lexmark 3600-4600 Series\lxdxmon.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Norton Vulnerability Protection: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton AntiVirus\Engine\19.2.0.10\IPS\IPSBHO.DLL
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
mRun: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe
mRun: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"
mRun: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SECUNI~1.LNK - C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\OFFICE11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
TCP: DhcpNameServer = 192.168.100.1
TCP: Interfaces\{652837AE-932A-4A54-84D9-2E8B919FAA3E} : DhcpNameServer = 192.168.100.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64:     AcroIEHelperStub - No File
BHO-X64: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton AntiVirus\Engine\19.2.0.10\IPS\IPSBHO.DLL
BHO-X64:     Norton Vulnerability Protection - No File
BHO-X64: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO-X64:     URLRedirectionBHO - No File
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe
mRun-x64: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"
mRun-x64: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRunOnce-x64: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R0 SMR210;Symantec SMR Utility Service 2.1.0;C:\Windows\system32\drivers\SMR210.SYS --> C:\Windows\system32\drivers\SMR210.SYS [?]
R0 SymDS;Symantec Data Store;C:\Windows\system32\drivers\NAVx64\1302000.00A\SYMDS64.SYS --> C:\Windows\system32\drivers\NAVx64\1302000.00A\SYMDS64.SYS [?]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\drivers\NAVx64\1302000.00A\SYMEFA64.SYS --> C:\Windows\system32\drivers\NAVx64\1302000.00A\SYMEFA64.SYS [?]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\BASHDefs\20120121.002\BHDrvx64.sys [2011-11-30 1157240]
R1 ccSet_NAV;Norton AntiVirus Settings Manager;C:\Windows\system32\drivers\NAVx64\1302000.00A\ccSetx64.sys --> C:\Windows\system32\drivers\NAVx64\1302000.00A\ccSetx64.sys [?]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\IPSDefs\20120128.002\IDSviA64.sys [2012-1-30 488568]
R1 SymIRON;Symantec Iron Driver;C:\Windows\system32\drivers\NAVx64\1302000.00A\Ironx64.SYS --> C:\Windows\system32\drivers\NAVx64\1302000.00A\Ironx64.SYS [?]
R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\system32\Drivers\NAVx64\1302000.00A\SYMNETS.SYS --> C:\Windows\system32\Drivers\NAVx64\1302000.00A\SYMNETS.SYS [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]
R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-5-6 13336]
R2 lxdx_device;lxdx_device;C:\Windows\system32\lxdxcoms.exe -service --> C:\Windows\system32\lxdxcoms.exe -service [?]
R2 NAV;Norton AntiVirus;C:\Program Files (x86)\Norton AntiVirus\Engine\19.2.0.10\ccsvchst.exe [2011-12-22 138760]
R2 NOBU;Dell DataSafe Online;C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe [2010-8-25 2823000]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2012-1-30 1153368]
R2 Secunia PSI Agent;Secunia PSI Agent;C:\Program Files (x86)\Secunia\PSI\psia.exe [2011-10-14 994360]
R2 Secunia Update Agent;Secunia Update Agent;C:\Program Files (x86)\Secunia\PSI\sua.exe [2011-10-14 399416]
R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2011-5-6 1692480]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-12-21 138360]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;C:\Windows\system32\drivers\IntcHdmi.sys --> C:\Windows\system32\drivers\IntcHdmi.sys [?]
R3 PSI;PSI;C:\Windows\system32\DRIVERS\psi_mf.sys --> C:\Windows\system32\DRIVERS\psi_mf.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;C:\Windows\System32\spool\DRIVERS\x64\3\lxdxserv.exe [2011-5-15 29184]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 RoxMediaDB12OEM;RoxMediaDB12OEM;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2012-01-30 23:50:06	98816	----a-w-	C:\Windows\sed.exe
2012-01-30 23:50:06	518144	----a-w-	C:\Windows\SWREG.exe
2012-01-30 23:50:06	256000	----a-w-	C:\Windows\PEV.exe
2012-01-30 23:50:06	208896	----a-w-	C:\Windows\MBR.exe
2012-01-30 22:09:32	--------	d-----w-	C:\_OTL
2012-01-30 21:19:52	--------	d-----w-	C:\Program Files (x86)\ESET
2012-01-30 17:46:33	--------	d-sh--w-	C:\Windows\SysWow64\%APPDATA%
2012-01-30 17:27:07	--------	d-----w-	C:\Users\Mom\AppData\Local\Secunia PSI
2012-01-30 17:25:05	--------	d-----w-	C:\Program Files (x86)\Secunia
2012-01-30 17:23:50	--------	d-----w-	C:\Program Files\CCleaner
2012-01-30 17:23:08	472808	----a-w-	C:\Windows\SysWow64\deployJava1.dll
2012-01-30 16:28:27	--------	d-----w-	C:\ProgramData\Spybot - Search & Destroy
2012-01-30 16:28:27	--------	d-----w-	C:\Program Files (x86)\Spybot - Search & Destroy
2012-01-30 16:26:45	12872	----a-w-	C:\Windows\System32\bootdelete.exe
2012-01-30 16:23:11	25160	----a-w-	C:\Windows\System32\drivers\hitmanpro36.sys
2012-01-30 16:22:51	--------	d-----w-	C:\Program Files\HitmanPro
2012-01-30 15:09:37	--------	d-----w-	C:\ProgramData\HitmanPro
2012-01-30 14:58:58	--------	d-----w-	C:\Users\Mom\AppData\Roaming\Malwarebytes
2012-01-30 14:58:53	23152	----a-w-	C:\Windows\System32\drivers\mbam.sys
2012-01-30 14:58:53	--------	d-----w-	C:\ProgramData\Malwarebytes
2012-01-30 14:58:52	--------	d-----w-	C:\Program Files (x86)\Malwarebytes' Anti-Malware
.
==================== Find3M  ====================
.
2012-01-30 17:30:16	525544	----a-w-	C:\Windows\System32\deployJava1.dll
2011-12-22 03:45:34	96376	----a-w-	C:\Windows\System32\drivers\SMR210.SYS
2011-12-22 01:57:16	174200	----a-w-	C:\Windows\System32\drivers\SYMEVENT64x86.SYS
2011-12-21 21:58:46	414368	----a-w-	C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-11-24 04:52:09	3145216	----a-w-	C:\Windows\System32\win32k.sys
2011-11-19 14:58:00	77312	----a-w-	C:\Windows\System32\packager.dll
2011-11-19 14:01:00	67072	----a-w-	C:\Windows\SysWow64\packager.dll
2011-11-17 06:49:14	95600	----a-w-	C:\Windows\System32\drivers\ksecdd.sys
2011-11-17 06:49:14	152432	----a-w-	C:\Windows\System32\drivers\ksecpkg.sys
2011-11-17 06:44:43	459232	----a-w-	C:\Windows\System32\drivers\cng.sys
2011-11-17 06:41:18	1731920	----a-w-	C:\Windows\System32\ntdll.dll
2011-11-17 06:35:28	395776	----a-w-	C:\Windows\System32\webio.dll
2011-11-17 06:35:26	29184	----a-w-	C:\Windows\System32\sspisrv.dll
2011-11-17 06:35:26	136192	----a-w-	C:\Windows\System32\sspicli.dll
2011-11-17 06:35:25	340992	----a-w-	C:\Windows\System32\schannel.dll
2011-11-17 06:35:25	28160	----a-w-	C:\Windows\System32\secur32.dll
2011-11-17 06:35:19	1447936	----a-w-	C:\Windows\System32\lsasrv.dll
2011-11-17 06:33:55	31232	----a-w-	C:\Windows\System32\lsass.exe
2011-11-17 05:38:39	1292080	----a-w-	C:\Windows\SysWow64\ntdll.dll
2011-11-17 05:35:02	314880	----a-w-	C:\Windows\SysWow64\webio.dll
2011-11-17 05:34:52	224768	----a-w-	C:\Windows\SysWow64\schannel.dll
2011-11-17 05:34:52	22016	----a-w-	C:\Windows\SysWow64\secur32.dll
2011-11-17 05:28:48	96768	----a-w-	C:\Windows\SysWow64\sspicli.dll
2011-11-05 05:41:43	1188864	----a-w-	C:\Windows\System32\wininet.dll
2011-11-05 05:32:50	2048	----a-w-	C:\Windows\System32\tzres.dll
2011-11-05 04:35:00	981504	----a-w-	C:\Windows\SysWow64\wininet.dll
2011-11-05 04:26:03	2048	----a-w-	C:\Windows\SysWow64\tzres.dll
2011-11-05 03:32:47	1638912	----a-w-	C:\Windows\System32\mshtml.tlb
2011-11-05 02:48:51	1638912	----a-w-	C:\Windows\SysWow64\mshtml.tlb
.
============= FINISH: 20:12:31.12 ===============


My concern is from aswMBR. Do Malware/adware gen indicate I still have a rootkit?

aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-01-30 18:27:26
-----------------------------
18:27:26.996    OS Version: Windows x64 6.1.7601 Service Pack 1
18:27:26.996    Number of processors: 2 586 0x170A
18:27:26.996    ComputerName: MOM-PC  UserName: Mom
18:27:27.714    Initialize success
18:28:15.247    AVAST engine defs: 12012600
18:28:29.849    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
18:28:29.849    Disk 0 Vendor: WDC_WD50 15.0 Size: 476940MB BusType: 3
18:28:29.864    Disk 0 MBR read successfully
18:28:29.864    Disk 0 MBR scan
18:28:29.864    Disk 0 Windows VISTA default MBR code
18:28:29.880    Disk 0 Partition 1 00     DE Dell Utility DELL 4.1       39 MB offset 63
18:28:29.880    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS        14142 MB offset 81920
18:28:29.895    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS       462757 MB offset 29044736
18:28:29.895    Service scanning
18:28:34.591    Modules scanning
18:28:34.591    Disk 0 trace - called modules:
18:28:34.607    ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll 
18:28:34.607    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80037b7060]
18:28:34.622    3 CLASSPNP.SYS[fffff88001d8c43f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8003238050]
18:28:35.465    AVAST engine scan C:\Windows
18:28:36.947    AVAST engine scan C:\Windows\system32
18:30:09.658    File: C:\Windows\assembly\GAC_32\Desktop.ini  **INFECTED** Win32:Malware-gen
18:30:11.654    File: C:\Windows\assembly\GAC_64\Desktop.ini  **INFECTED** Win32:Adware-gen [Adw]
18:31:22.120    AVAST engine scan C:\Windows\system32\drivers
18:31:39.233    AVAST engine scan C:\Users\Mom
18:32:45.549    AVAST engine scan C:\ProgramData
18:33:32.629    Scan finished successfully
18:33:50.024    Disk 0 MBR has been saved successfully to "C:\Users\Mom\Desktop\MBR.dat"
18:33:50.024    The log file has been saved successfully to "C:\Users\Mom\Desktop\aswMBR.txt"


aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-01-30 18:27:26
-----------------------------
18:27:26.996    OS Version: Windows x64 6.1.7601 Service Pack 1
18:27:26.996    Number of processors: 2 586 0x170A
18:27:26.996    ComputerName: MOM-PC  UserName: Mom
18:27:27.714    Initialize success
18:28:15.247    AVAST engine defs: 12012600
18:28:29.849    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
18:28:29.849    Disk 0 Vendor: WDC_WD50 15.0 Size: 476940MB BusType: 3
18:28:29.864    Disk 0 MBR read successfully
18:28:29.864    Disk 0 MBR scan
18:28:29.864    Disk 0 Windows VISTA default MBR code
18:28:29.880    Disk 0 Partition 1 00     DE Dell Utility DELL 4.1       39 MB offset 63
18:28:29.880    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS        14142 MB offset 81920
18:28:29.895    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS       462757 MB offset 29044736
18:28:29.895    Service scanning
18:28:34.591    Modules scanning
18:28:34.591    Disk 0 trace - called modules:
18:28:34.607    ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll 
18:28:34.607    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80037b7060]
18:28:34.622    3 CLASSPNP.SYS[fffff88001d8c43f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8003238050]
18:28:35.465    AVAST engine scan C:\Windows
18:28:36.947    AVAST engine scan C:\Windows\system32
18:30:09.658    File: C:\Windows\assembly\GAC_32\Desktop.ini  **INFECTED** Win32:Malware-gen
18:30:11.654    File: C:\Windows\assembly\GAC_64\Desktop.ini  **INFECTED** Win32:Adware-gen [Adw]
18:31:22.120    AVAST engine scan C:\Windows\system32\drivers
18:31:39.233    AVAST engine scan C:\Users\Mom
18:32:45.549    AVAST engine scan C:\ProgramData
18:33:32.629    Scan finished successfully
18:33:50.024    Disk 0 MBR has been saved successfully to "C:\Users\Mom\Desktop\MBR.dat"
18:33:50.024    The log file has been saved successfully to "C:\Users\Mom\Desktop\aswMBR.txt"
18:34:32.222    Disk 0 MBR has been saved successfully to "C:\Users\Mom\Desktop\MBR.dat"
18:34:32.736    The log file has been saved successfully to "C:\Users\Mom\Desktop\aswMBR.txt"


aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-01-30 18:27:26
-----------------------------
18:27:26.996    OS Version: Windows x64 6.1.7601 Service Pack 1
18:27:26.996    Number of processors: 2 586 0x170A
18:27:26.996    ComputerName: MOM-PC  UserName: Mom
18:27:27.714    Initialize success
18:28:15.247    AVAST engine defs: 12012600
18:28:29.849    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
18:28:29.849    Disk 0 Vendor: WDC_WD50 15.0 Size: 476940MB BusType: 3
18:28:29.864    Disk 0 MBR read successfully
18:28:29.864    Disk 0 MBR scan
18:28:29.864    Disk 0 Windows VISTA default MBR code
18:28:29.880    Disk 0 Partition 1 00     DE Dell Utility DELL 4.1       39 MB offset 63
18:28:29.880    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS        14142 MB offset 81920
18:28:29.895    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS       462757 MB offset 29044736
18:28:29.895    Service scanning
18:28:34.591    Modules scanning
18:28:34.591    Disk 0 trace - called modules:
18:28:34.607    ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll 
18:28:34.607    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80037b7060]
18:28:34.622    3 CLASSPNP.SYS[fffff88001d8c43f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8003238050]
18:28:35.465    AVAST engine scan C:\Windows
18:28:36.947    AVAST engine scan C:\Windows\system32
18:30:09.658    File: C:\Windows\assembly\GAC_32\Desktop.ini  **INFECTED** Win32:Malware-gen
18:30:11.654    File: C:\Windows\assembly\GAC_64\Desktop.ini  **INFECTED** Win32:Adware-gen [Adw]
18:31:22.120    AVAST engine scan C:\Windows\system32\drivers
18:31:39.233    AVAST engine scan C:\Users\Mom
18:32:45.549    AVAST engine scan C:\ProgramData
18:33:32.629    Scan finished successfully
18:33:50.024    Disk 0 MBR has been saved successfully to "C:\Users\Mom\Desktop\MBR.dat"
18:33:50.024    The log file has been saved successfully to "C:\Users\Mom\Desktop\aswMBR.txt"
18:34:32.222    Disk 0 MBR has been saved successfully to "C:\Users\Mom\Desktop\MBR.dat"
18:34:32.736    The log file has been saved successfully to "C:\Users\Mom\Desktop\aswMBR.txt"
18:36:16.211    Verifying
18:36:26.242    Disk 0 Windows 601 MBR fixed successfully
18:36:37.318    Disk 0 MBR has been saved successfully to "C:\Users\Mom\Desktop\MBR.dat"
18:36:37.318    The log file has been saved successfully to "C:\Users\Mom\Desktop\aswMBR.txt"

#2 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,538
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 03 February 2012 - 09:43 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool untill instructed to do so!


Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

    In your next post I need the following

  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?


Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#3 User is offline   Grenaid 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 9
  • Joined: 30-January 12

Posted 04 February 2012 - 01:27 PM

The original symptoms (slowed computer, google redirect) are cleared. I won't post those old logs unless you need them.

My understanding of various trojans that allowed this behavior was that they could come back from an infiltrated boot record, which is why I was checking the MBR. I just want to make sure this won't bounce back in a short while even though the symptoms are gone for now. Could I be in 'remission?'

ComboFix 12-02-05.01 - Mom 02/04/2012  11:54:48.4.2 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3037.2020 [GMT -5:00]
Running from: c:\users\Mom\Desktop\mevio virus\combo fix\ComboFix.exe
AV: Kaspersky Internet Security *Disabled/Outdated* {2EAA32A5-1EE1-1B22-95DA-337730C6E984}
FW: Kaspersky Internet Security *Disabled* {1691B380-548E-1A7A-BE85-9A42CE15AEFF}
SP: Kaspersky Internet Security *Disabled/Updated* {95CBD341-38DB-14AC-AF6A-08054B41A339}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((   Files Created from 2012-01-04 to 2012-02-04  )))))))))))))))))))))))))))))))
.
.
2012-02-04 16:59 . 2012-02-04 16:59	--------	d-----w-	c:\users\Default\AppData\Local\temp
2012-01-30 16:28 . 2012-01-30 21:08	--------	d-----w-	c:\programdata\Spybot - Search & Destroy
2012-01-30 16:28 . 2012-01-30 16:29	--------	d-----w-	c:\program files (x86)\Spybot - Search & Destroy
2012-01-30 16:26 . 2012-01-30 17:16	12872	----a-w-	c:\windows\system32\bootdelete.exe
2012-01-30 16:23 . 2012-01-30 17:54	25160	----a-w-	c:\windows\system32\drivers\hitmanpro36.sys
2012-01-30 16:22 . 2012-01-30 16:22	--------	d-----w-	c:\program files\HitmanPro
2012-01-30 15:09 . 2012-01-30 16:26	--------	d-----w-	c:\programdata\HitmanPro
2012-01-30 14:58 . 2012-01-30 14:58	--------	d-----w-	c:\users\Mom\AppData\Roaming\Malwarebytes
2012-01-30 14:58 . 2012-01-30 14:58	--------	d-----w-	c:\programdata\Malwarebytes
2012-01-30 14:58 . 2011-12-10 20:24	23152	----a-w-	c:\windows\system32\drivers\mbam.sys
2012-01-30 14:58 . 2012-01-30 14:58	--------	d-----w-	c:\program files (x86)\Malwarebytes' Anti-Malware
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-30 17:30 . 2011-05-07 04:36	525544	----a-w-	c:\windows\system32\deployJava1.dll
2011-12-22 03:45 . 2011-12-22 03:45	96376	----a-w-	c:\windows\system32\drivers\SMR210.SYS
2011-12-22 01:57 . 2011-12-22 01:57	174200	----a-w-	c:\windows\system32\drivers\SYMEVENT64x86.SYS
2011-12-21 21:58 . 2011-12-21 21:58	414368	----a-w-	c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-11-24 04:52 . 2011-12-14 02:16	3145216	----a-w-	c:\windows\system32\win32k.sys
2011-11-21 11:40 . 2011-12-20 11:33	8822856	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{93DE565F-CEDF-4E77-B4D2-6BDECACB910C}\mpengine.dll
.
.
(((((((((((((((((((((((((((((   SnapShot@2012-01-30_23.54.48   )))))))))))))))))))))))))))))))))))))))))
.
- 2012-01-30 17:53 . 2012-01-30 23:18	16384              c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2012-01-30 17:53 . 2012-02-04 16:51	16384              c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-07-14 04:54 . 2012-01-30 23:18	16384              c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-02-04 16:51	16384              c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-02-04 16:51	32768              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-01-30 23:18	32768              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-02-04 16:51	16384              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-01-30 23:18	16384              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-05-07 04:36 . 2012-02-04 16:53	29432              c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-02-04 16:53	36796              c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-05-14 19:50 . 2012-02-04 16:53	10040              c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2216533725-3130270411-608460433-1001_UserData.bin
- 2012-01-30 23:21 . 2012-01-30 23:21	32768              c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2012-01-30 23:21 . 2012-01-31 00:58	32768              c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-05-14 16:06 . 2012-02-04 16:51	16384              c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-05-14 16:06 . 2012-01-30 23:21	16384              c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-05-14 16:06 . 2012-02-04 16:51	32768              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-05-14 16:06 . 2012-01-30 23:21	32768              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-05-14 16:06 . 2012-02-04 16:51	16384              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-05-14 16:06 . 2012-01-30 23:21	16384              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-05-14 16:55 . 2012-01-30 23:22	16384              c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-05-14 16:55 . 2012-02-04 16:58	16384              c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-05-14 16:55 . 2012-01-30 23:22	16384              c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-05-14 16:55 . 2012-02-04 16:58	16384              c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2012-01-30 23:18 . 2012-01-30 23:18	2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-02-04 16:51 . 2012-02-04 16:51	2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-01-30 23:18 . 2012-01-30 23:18	2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-02-04 16:51 . 2012-02-04 16:51	2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-05-14 14:07 . 2012-01-30 23:21	245760              c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-05-14 14:07 . 2012-01-31 00:58	245760              c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-01-31 00:58	540672              c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-01-30 23:21	540672              c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 05:01 . 2012-01-30 21:17	357500              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-01-31 01:20	357500              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]
"Dell DataSafe Online"="c:\program files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe" [2010-08-26 1117528]
"RoxWatchTray"="c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [2010-11-25 240112]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [2010-11-17 514544]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"="c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [2011-10-14 559616]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Secunia PSI Tray.lnk - c:\program files (x86)\Secunia\PSI\psi_tray.exe [2011-10-14 291896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages	REG_MULTI_SZ   	kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;c:\windows\system32\spool\DRIVERS\x64\3\\lxdxserv.exe [2009-10-16 29184]
R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S0 SMR210;Symantec SMR Utility Service 2.1.0;c:\windows\System32\drivers\SMR210.SYS [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAVx64\1302000.00A\SYMDS64.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAVx64\1302000.00A\SYMEFA64.SYS [x]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\BASHDefs\20120121.002\BHDrvx64.sys [2011-12-01 1157240]
S1 ccSet_NAV;Norton AntiVirus Settings Manager;c:\windows\system32\drivers\NAVx64\1302000.00A\ccSetx64.sys [x]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\IPSDefs\20120128.002\IDSvia64.sys [2012-01-26 488568]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAVx64\1302000.00A\Ironx64.SYS [x]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NAVx64\1302000.00A\SYMNETS.SYS [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-03-04 13336]
S2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe [2008-02-28 1044648]
S2 NAV;Norton AntiVirus;c:\program files (x86)\Norton AntiVirus\Engine\19.2.0.10\ccSvcHst.exe [2011-08-10 138760]
S2 NOBU;Dell DataSafe Online;c:\program files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe SERVICE [x]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 Secunia PSI Agent;Secunia PSI Agent;c:\program files (x86)\Secunia\PSI\PSIA.exe [2011-10-14 994360]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files (x86)\Secunia\PSI\sua.exe [2011-10-14 399416]
S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2011-08-18 1692480]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-12-22 138360]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [x]
S3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-10-21 8306208]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-07-12 165912]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-07-12 387608]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-07-12 365592]
"DellStage"="c:\program files (x86)\Dell Stage\Dell Stage\stage_primary.exe" [2011-01-25 1802472]
"lxdxmon.exe"="c:\program files (x86)\Lexmark 3600-4600 Series\lxdxmon.exe" [2008-06-13 668328]
"EzPrint"="c:\program files (x86)\Lexmark 3600-4600 Series\ezprint.exe" [2008-06-13 107176]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
ppa3
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.100.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\NAV]
"ImagePath"="\"c:\program files (x86)\Norton AntiVirus\Engine\19.2.0.10\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files (x86)\Norton AntiVirus\Engine\19.2.0.10\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-02-04  12:01:24
ComboFix-quarantined-files.txt  2012-02-04 17:01
ComboFix2.txt  2012-01-30 23:56
ComboFix3.txt  2012-01-30 19:29
.
Pre-Run: 449,218,158,592 bytes free
Post-Run: 449,149,566,976 bytes free
.
- - End Of File - - 3790AF92BA654344167B29F4B5B0DABC

#4 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,538
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 04 February 2012 - 04:03 PM

Hello

This is the tool I would like you to try and run next.

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#5 User is offline   Grenaid 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 9
  • Joined: 30-January 12

Posted 04 February 2012 - 04:55 PM

[co]
aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-01-30 18:27:26
-----------------------------
18:27:26.996 OS Version: Windows x64 6.1.7601 Service Pack 1
18:27:26.996 Number of processors: 2 586 0x170A
18:27:26.996 ComputerName: MOM-PC UserName: Mom
18:27:27.714 Initialize success
18:28:15.247 AVAST engine defs: 12012600
18:28:29.849 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
18:28:29.849 Disk 0 Vendor: WDC_WD50 15.0 Size: 476940MB BusType: 3
18:28:29.864 Disk 0 MBR read successfully
18:28:29.864 Disk 0 MBR scan
18:28:29.864 Disk 0 Windows VISTA default MBR code
18:28:29.880 Disk 0 Partition 1 00 DE Dell Utility DELL 4.1 39 MB offset 63
18:28:29.880 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 14142 MB offset 81920
18:28:29.895 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 462757 MB offset 29044736
18:28:29.895 Service scanning
18:28:34.591 Modules scanning
18:28:34.591 Disk 0 trace - called modules:
18:28:34.607 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
18:28:34.607 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80037b7060]
18:28:34.622 3 CLASSPNP.SYS[fffff88001d8c43f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8003238050]
18:28:35.465 AVAST engine scan C:\Windows
18:28:36.947 AVAST engine scan C:\Windows\system32
18:30:09.658 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Malware-gen
18:30:11.654 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Adware-gen [Adw]
18:31:22.120 AVAST engine scan C:\Windows\system32\drivers
18:31:39.233 AVAST engine scan C:\Users\Mom
18:32:45.549 AVAST engine scan C:\ProgramData
18:33:32.629 Scan finished successfully
18:33:50.024 Disk 0 MBR has been saved successfully to "C:\Users\Mom\Desktop\MBR.dat"
18:33:50.024 The log file has been saved successfully to "C:\Users\Mom\Desktop\aswMBR.txt"


aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-01-30 18:27:26
-----------------------------
18:27:26.996 OS Version: Windows x64 6.1.7601 Service Pack 1
18:27:26.996 Number of processors: 2 586 0x170A
18:27:26.996 ComputerName: MOM-PC UserName: Mom
18:27:27.714 Initialize success
18:28:15.247 AVAST engine defs: 12012600
18:28:29.849 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
18:28:29.849 Disk 0 Vendor: WDC_WD50 15.0 Size: 476940MB BusType: 3
18:28:29.864 Disk 0 MBR read successfully
18:28:29.864 Disk 0 MBR scan
18:28:29.864 Disk 0 Windows VISTA default MBR code
18:28:29.880 Disk 0 Partition 1 00 DE Dell Utility DELL 4.1 39 MB offset 63
18:28:29.880 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 14142 MB offset 81920
18:28:29.895 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 462757 MB offset 29044736
18:28:29.895 Service scanning
18:28:34.591 Modules scanning
18:28:34.591 Disk 0 trace - called modules:
18:28:34.607 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
18:28:34.607 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80037b7060]
18:28:34.622 3 CLASSPNP.SYS[fffff88001d8c43f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8003238050]
18:28:35.465 AVAST engine scan C:\Windows
18:28:36.947 AVAST engine scan C:\Windows\system32
18:30:09.658 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Malware-gen
18:30:11.654 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Adware-gen [Adw]
18:31:22.120 AVAST engine scan C:\Windows\system32\drivers
18:31:39.233 AVAST engine scan C:\Users\Mom
18:32:45.549 AVAST engine scan C:\ProgramData
18:33:32.629 Scan finished successfully
18:33:50.024 Disk 0 MBR has been saved successfully to "C:\Users\Mom\Desktop\MBR.dat"
18:33:50.024 The log file has been saved successfully to "C:\Users\Mom\Desktop\aswMBR.txt"
18:34:32.222 Disk 0 MBR has been saved successfully to "C:\Users\Mom\Desktop\MBR.dat"
18:34:32.736 The log file has been saved successfully to "C:\Users\Mom\Desktop\aswMBR.txt"


aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-01-30 18:27:26
-----------------------------
18:27:26.996 OS Version: Windows x64 6.1.7601 Service Pack 1
18:27:26.996 Number of processors: 2 586 0x170A
18:27:26.996 ComputerName: MOM-PC UserName: Mom
18:27:27.714 Initialize success
18:28:15.247 AVAST engine defs: 12012600
18:28:29.849 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
18:28:29.849 Disk 0 Vendor: WDC_WD50 15.0 Size: 476940MB BusType: 3
18:28:29.864 Disk 0 MBR read successfully
18:28:29.864 Disk 0 MBR scan
18:28:29.864 Disk 0 Windows VISTA default MBR code
18:28:29.880 Disk 0 Partition 1 00 DE Dell Utility DELL 4.1 39 MB offset 63
18:28:29.880 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 14142 MB offset 81920
18:28:29.895 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 462757 MB offset 29044736
18:28:29.895 Service scanning
18:28:34.591 Modules scanning
18:28:34.591 Disk 0 trace - called modules:
18:28:34.607 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
18:28:34.607 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80037b7060]
18:28:34.622 3 CLASSPNP.SYS[fffff88001d8c43f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8003238050]
18:28:35.465 AVAST engine scan C:\Windows
18:28:36.947 AVAST engine scan C:\Windows\system32
18:30:09.658 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Malware-gen
18:30:11.654 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Adware-gen [Adw]
18:31:22.120 AVAST engine scan C:\Windows\system32\drivers
18:31:39.233 AVAST engine scan C:\Users\Mom
18:32:45.549 AVAST engine scan C:\ProgramData
18:33:32.629 Scan finished successfully
18:33:50.024 Disk 0 MBR has been saved successfully to "C:\Users\Mom\Desktop\MBR.dat"
18:33:50.024 The log file has been saved successfully to "C:\Users\Mom\Desktop\aswMBR.txt"
18:34:32.222 Disk 0 MBR has been saved successfully to "C:\Users\Mom\Desktop\MBR.dat"
18:34:32.736 The log file has been saved successfully to "C:\Users\Mom\Desktop\aswMBR.txt"
18:36:16.211 Verifying
18:36:26.242 Disk 0 Windows 601 MBR fixed successfully
18:36:37.318 Disk 0 MBR has been saved successfully to "C:\Users\Mom\Desktop\MBR.dat"
18:36:37.318 The log file has been saved successfully to "C:\Users\Mom\Desktop\aswMBR.txt"


aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-04 16:47:55
-----------------------------
16:47:55.291 OS Version: Windows x64 6.1.7601 Service Pack 1
16:47:55.291 Number of processors: 2 586 0x170A
16:47:55.291 ComputerName: MOM-PC UserName: Mom
16:47:56.008 Initialize success
16:48:22.123 AVAST engine defs: 12020401
16:48:36.990 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
16:48:37.005 Disk 0 Vendor: WDC_WD50 15.0 Size: 476940MB BusType: 3
16:48:37.021 Disk 0 MBR read successfully
16:48:37.021 Disk 0 MBR scan
16:48:37.021 Disk 0 Windows 7 default MBR code
16:48:37.036 Disk 0 Partition 1 00 DE Dell Utility DELL 4.1 39 MB offset 63
16:48:37.036 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 14142 MB offset 81920
16:48:37.052 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 462757 MB offset 29044736
16:48:37.068 Service scanning
16:48:38.347 Modules scanning
16:48:38.347 Disk 0 trace - called modules:
16:48:38.363 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
16:48:38.378 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80033a5060]
16:48:38.378 3 CLASSPNP.SYS[fffff88001dbd43f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa800324e050]
16:48:39.377 AVAST engine scan C:\Windows
16:48:41.186 AVAST engine scan C:\Windows\system32
16:50:00.325 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Malware-gen
16:50:01.869 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Adware-gen [Adw]
16:50:56.953 AVAST engine scan C:\Windows\system32\drivers
16:51:14.129 AVAST engine scan C:\Users\Mom
16:52:33.939 AVAST engine scan C:\ProgramData
16:53:16.870 Scan finished successfully
16:54:14.262 Disk 0 MBR has been saved successfully to "C:\Users\Mom\Desktop\MBR.dat"
16:54:14.262 The log file has been saved successfully to "C:\Users\Mom\Desktop\aswMBR.txt"
[/code]

This post has been edited by gringo_pr: 04 February 2012 - 08:54 PM

#6 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,538
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 04 February 2012 - 08:56 PM

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window: 

ClearJavaCache::

KillAll::

File::
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini


Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

    In your next post I need the following

    • report from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now after running the script?


Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#7 User is offline   Grenaid 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 9
  • Joined: 30-January 12

Posted 04 February 2012 - 11:41 PM

Thanks for the help so far! Guessing asw comes next again?
ComboFix 12-02-05.01 - Mom 02/04/2012  23:31:45.5.2 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3037.2234 [GMT -5:00]
Running from: c:\users\Mom\Desktop\mevio virus\combo fix\ComboFix.exe
Command switches used :: c:\users\Mom\Desktop\CFScript.txt
AV: Kaspersky Internet Security *Disabled/Outdated* {2EAA32A5-1EE1-1B22-95DA-337730C6E984}
FW: Kaspersky Internet Security *Disabled* {1691B380-548E-1A7A-BE85-9A42CE15AEFF}
SP: Kaspersky Internet Security *Disabled/Updated* {95CBD341-38DB-14AC-AF6A-08054B41A339}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\assembly\GAC_32\Desktop.ini"
"c:\windows\assembly\GAC_64\Desktop.ini"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
.
.
(((((((((((((((((((((((((   Files Created from 2012-01-05 to 2012-02-05  )))))))))))))))))))))))))))))))
.
.
2012-02-05 04:34 . 2012-02-05 04:34	--------	d-----w-	c:\users\Default\AppData\Local\temp
2012-01-30 22:09 . 2012-01-30 22:09	--------	d-----w-	C:\_OTL
2012-01-30 21:19 . 2012-01-30 21:19	--------	d-----w-	c:\program files (x86)\ESET
2012-01-30 17:46 . 2012-01-30 17:46	--------	d-sh--w-	c:\windows\SysWow64\%APPDATA%
2012-01-30 17:27 . 2012-01-30 17:27	--------	d-----w-	c:\users\Mom\AppData\Local\Secunia PSI
2012-01-30 17:26 . 2012-01-30 17:26	--------	d-----w-	c:\program files (x86)\Common Files\Adobe
2012-01-30 17:25 . 2012-01-30 17:25	--------	d-----w-	c:\program files (x86)\Secunia
2012-01-30 17:23 . 2012-01-30 17:23	--------	d-----w-	c:\program files\CCleaner
2012-01-30 17:23 . 2012-01-30 17:22	472808	----a-w-	c:\windows\SysWow64\deployJava1.dll
2012-01-30 16:28 . 2012-01-30 21:08	--------	d-----w-	c:\programdata\Spybot - Search & Destroy
2012-01-30 16:28 . 2012-01-30 16:29	--------	d-----w-	c:\program files (x86)\Spybot - Search & Destroy
2012-01-30 16:26 . 2012-01-30 17:16	12872	----a-w-	c:\windows\system32\bootdelete.exe
2012-01-30 16:23 . 2012-01-30 17:54	25160	----a-w-	c:\windows\system32\drivers\hitmanpro36.sys
2012-01-30 16:22 . 2012-01-30 16:22	--------	d-----w-	c:\program files\HitmanPro
2012-01-30 15:09 . 2012-01-30 16:26	--------	d-----w-	c:\programdata\HitmanPro
2012-01-30 14:58 . 2012-01-30 14:58	--------	d-----w-	c:\users\Mom\AppData\Roaming\Malwarebytes
2012-01-30 14:58 . 2012-01-30 14:58	--------	d-----w-	c:\programdata\Malwarebytes
2012-01-30 14:58 . 2011-12-10 20:24	23152	----a-w-	c:\windows\system32\drivers\mbam.sys
2012-01-30 14:58 . 2012-01-30 14:58	--------	d-----w-	c:\program files (x86)\Malwarebytes' Anti-Malware
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-30 17:30 . 2011-05-07 04:36	525544	----a-w-	c:\windows\system32\deployJava1.dll
2011-12-22 03:45 . 2011-12-22 03:45	96376	----a-w-	c:\windows\system32\drivers\SMR210.SYS
2011-12-22 01:57 . 2011-12-22 01:57	174200	----a-w-	c:\windows\system32\drivers\SYMEVENT64x86.SYS
2011-12-21 21:58 . 2011-12-21 21:58	414368	----a-w-	c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-11-24 04:52 . 2011-12-14 02:16	3145216	----a-w-	c:\windows\system32\win32k.sys
2011-11-21 11:40 . 2011-12-20 11:33	8822856	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{93DE565F-CEDF-4E77-B4D2-6BDECACB910C}\mpengine.dll
.
.
(((((((((((((((((((((((((((((   SnapShot@2012-01-30_23.54.48   )))))))))))))))))))))))))))))))))))))))))
.
- 2012-01-30 17:53 . 2012-01-30 23:18	16384              c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2012-01-30 17:53 . 2012-02-05 04:35	16384              c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-07-14 04:54 . 2012-01-30 23:18	16384              c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-02-05 04:35	16384              c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-01-30 23:18	32768              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-02-05 04:35	32768              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-02-05 04:35	16384              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-01-30 23:18	16384              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-05-07 04:36 . 2012-02-04 16:53	29432              c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-02-04 16:53	36796              c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-05-14 19:50 . 2012-02-04 16:53	10040              c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2216533725-3130270411-608460433-1001_UserData.bin
+ 2012-01-30 23:21 . 2012-01-31 00:58	32768              c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2012-01-30 23:21 . 2012-01-30 23:21	32768              c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-05-14 16:06 . 2012-02-04 16:51	16384              c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-05-14 16:06 . 2012-01-30 23:21	16384              c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-05-14 16:06 . 2012-02-04 16:51	32768              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-05-14 16:06 . 2012-01-30 23:21	32768              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-05-14 16:06 . 2012-02-04 16:51	16384              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-05-14 16:06 . 2012-01-30 23:21	16384              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-05-14 16:55 . 2012-01-30 23:22	16384              c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-05-14 16:55 . 2012-02-05 04:32	16384              c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-05-14 16:55 . 2012-01-30 23:22	16384              c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-05-14 16:55 . 2012-02-05 04:32	16384              c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2012-01-30 23:18 . 2012-01-30 23:18	2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-02-05 04:35 . 2012-02-05 04:35	2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-01-30 23:18 . 2012-01-30 23:18	2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-02-05 04:35 . 2012-02-05 04:35	2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-05-15 01:58 . 2012-02-05 04:29	254904              c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
- 2011-05-14 14:07 . 2012-01-30 23:21	245760              c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-05-14 14:07 . 2012-01-31 00:58	245760              c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-01-31 00:58	540672              c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-01-30 23:21	540672              c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 05:01 . 2012-01-30 21:17	357500              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-02-05 04:35	357500              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]
"Dell DataSafe Online"="c:\program files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe" [2010-08-26 1117528]
"RoxWatchTray"="c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [2010-11-25 240112]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [2010-11-17 514544]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"="c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [2011-10-14 559616]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Secunia PSI Tray.lnk - c:\program files (x86)\Secunia\PSI\psi_tray.exe [2011-10-14 291896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages	REG_MULTI_SZ   	kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;c:\windows\system32\spool\DRIVERS\x64\3\\lxdxserv.exe [2009-10-16 29184]
R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S0 SMR210;Symantec SMR Utility Service 2.1.0;c:\windows\System32\drivers\SMR210.SYS [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAVx64\1302000.00A\SYMDS64.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAVx64\1302000.00A\SYMEFA64.SYS [x]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\BASHDefs\20120121.002\BHDrvx64.sys [2011-12-01 1157240]
S1 ccSet_NAV;Norton AntiVirus Settings Manager;c:\windows\system32\drivers\NAVx64\1302000.00A\ccSetx64.sys [x]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\IPSDefs\20120203.002\IDSvia64.sys [2012-01-26 488568]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAVx64\1302000.00A\Ironx64.SYS [x]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NAVx64\1302000.00A\SYMNETS.SYS [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-03-04 13336]
S2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe [2008-02-28 1044648]
S2 NAV;Norton AntiVirus;c:\program files (x86)\Norton AntiVirus\Engine\19.2.0.10\ccSvcHst.exe [2011-08-10 138760]
S2 NOBU;Dell DataSafe Online;c:\program files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe SERVICE [x]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 Secunia PSI Agent;Secunia PSI Agent;c:\program files (x86)\Secunia\PSI\PSIA.exe [2011-10-14 994360]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files (x86)\Secunia\PSI\sua.exe [2011-10-14 399416]
S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2011-08-18 1692480]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-02-04 138360]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [x]
S3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-10-21 8306208]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-07-12 165912]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-07-12 387608]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-07-12 365592]
"DellStage"="c:\program files (x86)\Dell Stage\Dell Stage\stage_primary.exe" [2011-01-25 1802472]
"lxdxmon.exe"="c:\program files (x86)\Lexmark 3600-4600 Series\lxdxmon.exe" [2008-06-13 668328]
"EzPrint"="c:\program files (x86)\Lexmark 3600-4600 Series\ezprint.exe" [2008-06-13 107176]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
ppa3
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.100.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\NAV]
"ImagePath"="\"c:\program files (x86)\Norton AntiVirus\Engine\19.2.0.10\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files (x86)\Norton AntiVirus\Engine\19.2.0.10\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
c:\program files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
.
**************************************************************************
.
Completion time: 2012-02-04  23:39:17 - machine was rebooted
ComboFix-quarantined-files.txt  2012-02-05 04:39
ComboFix2.txt  2012-02-04 17:01
ComboFix3.txt  2012-01-30 23:56
ComboFix4.txt  2012-01-30 19:29
.
Pre-Run: 448,477,151,232 bytes free
Post-Run: 448,263,888,896 bytes free
.
- - End Of File - - DFB8585E4FF11EAD8146D4C7812AA9D4

This post has been edited by Grenaid: 04 February 2012 - 11:42 PM

#8 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,538
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 05 February 2012 - 12:05 AM

Yep - run ASWMbr lets make sure they have been removed


gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#9 User is offline   Grenaid 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 9
  • Joined: 30-January 12

Posted 05 February 2012 - 12:15 AM

Well thank you VERY much for your help so far. Things are looking quite good. Prior to this, malwarebytes and combofix were coming up clean, only asw flagged. Should I scan with anything else?
aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-01-30 18:27:26
-----------------------------
18:27:26.996    OS Version: Windows x64 6.1.7601 Service Pack 1
18:27:26.996    Number of processors: 2 586 0x170A
18:27:26.996    ComputerName: MOM-PC  UserName: Mom
18:27:27.714    Initialize success
18:28:15.247    AVAST engine defs: 12012600
18:28:29.849    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
18:28:29.849    Disk 0 Vendor: WDC_WD50 15.0 Size: 476940MB BusType: 3
18:28:29.864    Disk 0 MBR read successfully
18:28:29.864    Disk 0 MBR scan
18:28:29.864    Disk 0 Windows VISTA default MBR code
18:28:29.880    Disk 0 Partition 1 00     DE Dell Utility DELL 4.1       39 MB offset 63
18:28:29.880    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS        14142 MB offset 81920
18:28:29.895    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS       462757 MB offset 29044736
18:28:29.895    Service scanning
18:28:34.591    Modules scanning
18:28:34.591    Disk 0 trace - called modules:
18:28:34.607    ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll 
18:28:34.607    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80037b7060]
18:28:34.622    3 CLASSPNP.SYS[fffff88001d8c43f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8003238050]
18:28:35.465    AVAST engine scan C:\Windows
18:28:36.947    AVAST engine scan C:\Windows\system32
18:30:09.658    File: C:\Windows\assembly\GAC_32\Desktop.ini  **INFECTED** Win32:Malware-gen
18:30:11.654    File: C:\Windows\assembly\GAC_64\Desktop.ini  **INFECTED** Win32:Adware-gen [Adw]
18:31:22.120    AVAST engine scan C:\Windows\system32\drivers
18:31:39.233    AVAST engine scan C:\Users\Mom
18:32:45.549    AVAST engine scan C:\ProgramData
18:33:32.629    Scan finished successfully
18:33:50.024    Disk 0 MBR has been saved successfully to "C:\Users\Mom\Desktop\MBR.dat"
18:33:50.024    The log file has been saved successfully to "C:\Users\Mom\Desktop\aswMBR.txt"


aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-01-30 18:27:26
-----------------------------
18:27:26.996    OS Version: Windows x64 6.1.7601 Service Pack 1
18:27:26.996    Number of processors: 2 586 0x170A
18:27:26.996    ComputerName: MOM-PC  UserName: Mom
18:27:27.714    Initialize success
18:28:15.247    AVAST engine defs: 12012600
18:28:29.849    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
18:28:29.849    Disk 0 Vendor: WDC_WD50 15.0 Size: 476940MB BusType: 3
18:28:29.864    Disk 0 MBR read successfully
18:28:29.864    Disk 0 MBR scan
18:28:29.864    Disk 0 Windows VISTA default MBR code
18:28:29.880    Disk 0 Partition 1 00     DE Dell Utility DELL 4.1       39 MB offset 63
18:28:29.880    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS        14142 MB offset 81920
18:28:29.895    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS       462757 MB offset 29044736
18:28:29.895    Service scanning
18:28:34.591    Modules scanning
18:28:34.591    Disk 0 trace - called modules:
18:28:34.607    ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll 
18:28:34.607    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80037b7060]
18:28:34.622    3 CLASSPNP.SYS[fffff88001d8c43f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8003238050]
18:28:35.465    AVAST engine scan C:\Windows
18:28:36.947    AVAST engine scan C:\Windows\system32
18:30:09.658    File: C:\Windows\assembly\GAC_32\Desktop.ini  **INFECTED** Win32:Malware-gen
18:30:11.654    File: C:\Windows\assembly\GAC_64\Desktop.ini  **INFECTED** Win32:Adware-gen [Adw]
18:31:22.120    AVAST engine scan C:\Windows\system32\drivers
18:31:39.233    AVAST engine scan C:\Users\Mom
18:32:45.549    AVAST engine scan C:\ProgramData
18:33:32.629    Scan finished successfully
18:33:50.024    Disk 0 MBR has been saved successfully to "C:\Users\Mom\Desktop\MBR.dat"
18:33:50.024    The log file has been saved successfully to "C:\Users\Mom\Desktop\aswMBR.txt"
18:34:32.222    Disk 0 MBR has been saved successfully to "C:\Users\Mom\Desktop\MBR.dat"
18:34:32.736    The log file has been saved successfully to "C:\Users\Mom\Desktop\aswMBR.txt"


aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-01-30 18:27:26
-----------------------------
18:27:26.996    OS Version: Windows x64 6.1.7601 Service Pack 1
18:27:26.996    Number of processors: 2 586 0x170A
18:27:26.996    ComputerName: MOM-PC  UserName: Mom
18:27:27.714    Initialize success
18:28:15.247    AVAST engine defs: 12012600
18:28:29.849    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
18:28:29.849    Disk 0 Vendor: WDC_WD50 15.0 Size: 476940MB BusType: 3
18:28:29.864    Disk 0 MBR read successfully
18:28:29.864    Disk 0 MBR scan
18:28:29.864    Disk 0 Windows VISTA default MBR code
18:28:29.880    Disk 0 Partition 1 00     DE Dell Utility DELL 4.1       39 MB offset 63
18:28:29.880    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS        14142 MB offset 81920
18:28:29.895    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS       462757 MB offset 29044736
18:28:29.895    Service scanning
18:28:34.591    Modules scanning
18:28:34.591    Disk 0 trace - called modules:
18:28:34.607    ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll 
18:28:34.607    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80037b7060]
18:28:34.622    3 CLASSPNP.SYS[fffff88001d8c43f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8003238050]
18:28:35.465    AVAST engine scan C:\Windows
18:28:36.947    AVAST engine scan C:\Windows\system32
18:30:09.658    File: C:\Windows\assembly\GAC_32\Desktop.ini  **INFECTED** Win32:Malware-gen
18:30:11.654    File: C:\Windows\assembly\GAC_64\Desktop.ini  **INFECTED** Win32:Adware-gen [Adw]
18:31:22.120    AVAST engine scan C:\Windows\system32\drivers
18:31:39.233    AVAST engine scan C:\Users\Mom
18:32:45.549    AVAST engine scan C:\ProgramData
18:33:32.629    Scan finished successfully
18:33:50.024    Disk 0 MBR has been saved successfully to "C:\Users\Mom\Desktop\MBR.dat"
18:33:50.024    The log file has been saved successfully to "C:\Users\Mom\Desktop\aswMBR.txt"
18:34:32.222    Disk 0 MBR has been saved successfully to "C:\Users\Mom\Desktop\MBR.dat"
18:34:32.736    The log file has been saved successfully to "C:\Users\Mom\Desktop\aswMBR.txt"
18:36:16.211    Verifying
18:36:26.242    Disk 0 Windows 601 MBR fixed successfully
18:36:37.318    Disk 0 MBR has been saved successfully to "C:\Users\Mom\Desktop\MBR.dat"
18:36:37.318    The log file has been saved successfully to "C:\Users\Mom\Desktop\aswMBR.txt"


aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-02-04 16:47:55
-----------------------------
16:47:55.291    OS Version: Windows x64 6.1.7601 Service Pack 1
16:47:55.291    Number of processors: 2 586 0x170A
16:47:55.291    ComputerName: MOM-PC  UserName: Mom
16:47:56.008    Initialize success
16:48:22.123    AVAST engine defs: 12020401
16:48:36.990    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
16:48:37.005    Disk 0 Vendor: WDC_WD50 15.0 Size: 476940MB BusType: 3
16:48:37.021    Disk 0 MBR read successfully
16:48:37.021    Disk 0 MBR scan
16:48:37.021    Disk 0 Windows 7 default MBR code
16:48:37.036    Disk 0 Partition 1 00     DE Dell Utility DELL 4.1       39 MB offset 63
16:48:37.036    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS        14142 MB offset 81920
16:48:37.052    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS       462757 MB offset 29044736
16:48:37.068    Service scanning
16:48:38.347    Modules scanning
16:48:38.347    Disk 0 trace - called modules:
16:48:38.363    ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll 
16:48:38.378    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80033a5060]
16:48:38.378    3 CLASSPNP.SYS[fffff88001dbd43f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa800324e050]
16:48:39.377    AVAST engine scan C:\Windows
16:48:41.186    AVAST engine scan C:\Windows\system32
16:50:00.325    File: C:\Windows\assembly\GAC_32\Desktop.ini  **INFECTED** Win32:Malware-gen
16:50:01.869    File: C:\Windows\assembly\GAC_64\Desktop.ini  **INFECTED** Win32:Adware-gen [Adw]
16:50:56.953    AVAST engine scan C:\Windows\system32\drivers
16:51:14.129    AVAST engine scan C:\Users\Mom
16:52:33.939    AVAST engine scan C:\ProgramData
16:53:16.870    Scan finished successfully
16:54:14.262    Disk 0 MBR has been saved successfully to "C:\Users\Mom\Desktop\MBR.dat"
16:54:14.262    The log file has been saved successfully to "C:\Users\Mom\Desktop\aswMBR.txt"


aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-02-05 00:08:09
-----------------------------
00:08:09.123    OS Version: Windows x64 6.1.7601 Service Pack 1
00:08:09.123    Number of processors: 2 586 0x170A
00:08:09.123    ComputerName: MOM-PC  UserName: Mom
00:08:09.903    Initialize success
00:08:36.470    AVAST engine defs: 12020401
00:08:40.604    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
00:08:40.604    Disk 0 Vendor: WDC_WD50 15.0 Size: 476940MB BusType: 3
00:08:40.620    Disk 0 MBR read successfully
00:08:40.620    Disk 0 MBR scan
00:08:40.620    Disk 0 Windows 7 default MBR code
00:08:40.620    Disk 0 Partition 1 00     DE Dell Utility DELL 4.1       39 MB offset 63
00:08:40.635    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS        14142 MB offset 81920
00:08:40.651    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS       462757 MB offset 29044736
00:08:40.651    Service scanning
00:08:42.788    Modules scanning
00:08:42.788    Disk 0 trace - called modules:
00:08:42.804    ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll 
00:08:42.819    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8003f34490]
00:08:43.334    3 CLASSPNP.SYS[fffff88001db243f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa800325c050]
00:08:45.877    AVAST engine scan C:\Windows
00:08:48.529    AVAST engine scan C:\Windows\system32
00:11:32.454    AVAST engine scan C:\Windows\system32\drivers
00:11:41.065    AVAST engine scan C:\Users\Mom
00:12:32.576    AVAST engine scan C:\ProgramData
00:13:05.274    Scan finished successfully
00:13:36.240    Disk 0 MBR has been saved successfully to "C:\Users\Mom\Desktop\MBR.dat"
00:13:36.256    The log file has been saved successfully to "C:\Users\Mom\Desktop\aswMBR.txt"

#10 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,538
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 05 February 2012 - 12:24 AM

Hello

I would ike to see a report that combofix makes.

extra combofix report

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box

C:\Qoobox\Add-Remove Programs.txt

  • click ok


copy and paste the report into this topic for me to review

Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#11 User is offline   Grenaid 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 9
  • Joined: 30-January 12

Posted 05 February 2012 - 11:34 AM

Sure thing. Should I purge any restore points when we are done?
Adobe Reader X (10.1.2)
Consumer In-Home Service Agreement
D3DX10
Definition update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Dell DataSafe Local Backup
Dell DataSafe Local Backup - Support Software
Dell DataSafe Online
Dell Getting Started Guide
Dell Marketplace Webslice IE8
Dell MusicStage
Dell PhotoStage
Dell Stage
Dell VideoStage
DirectX 9 Runtime
ESET Online Scanner v3
Google Chrome
GoToAssist 8.0.0.514
Intel(R) Control Center
Intel(R) Rapid Storage Technology
Internet Explorer
Junk Mail filter update
Malwarebytes Anti-Malware version 1.60.0.1800
Mesh Runtime
Messenger Companion
Microsoft Office 2010
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office File Validation Add-In
Microsoft Office Home and Student 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Single Image 2010
Microsoft Office Standard Edition 2003
Microsoft Office Word MUI (English) 2010
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable - KB2467175
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319
MSVCRT
MSVCRT_amd64
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Norton AntiVirus
PhotoShowExpress
Realtek High Definition Audio Driver
Roxio Activation Module
Roxio BackOnTrack
Roxio Burn
Roxio Creator Starter
Roxio Express Labeler 3
Secunia PSI (2.0.0.4003)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft Office 2010 (KB2553091)
Security Update for Microsoft Office 2010 (KB2553096)
Security Update for Microsoft Office 2010 (KB2553353) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition
Security Update for Microsoft SharePoint Workspace 2010 (KB2566445)
Skype™ 4.2
Sonic CinePlayer Decoder Pack
Spelling Dictionaries Support For Adobe Reader 9
Spybot - Search & Destroy
TrustedID
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft Excel 2010 (KB2553439) 32-Bit Edition
Update for Microsoft Office 2010 (KB2494150)
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553385) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553455) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2553323) 32-Bit Edition
Update for Microsoft Outlook Social Connector (KB2583935)
WildTangent Games
Windows Live Communications Platform
Windows Live Essentials
Windows Live Installer
Windows Live Mail
Windows Live Mesh
Windows Live Mesh ActiveX Control for Remote Connections
Windows Live Messenger
Windows Live Messenger Companion Core
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources

#12 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,538
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 05 February 2012 - 11:39 AM

Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close


TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

    I would like you to rerun MBAM

  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


NOTE**
sometimes we have to run it like this To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

"information and logs"

    In your next post I need the following

    • Log From MBAM
    • report from Hijackthis
    • let me know of any problems you may have had
    • How is the computer doing now?


Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#13 User is offline   Grenaid 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 9
  • Joined: 30-January 12

Posted 05 February 2012 - 12:02 PM

Computer is running great now, I just wanted to make sure it was completely clean before returning it.

I keep testing for google redirect and it has not returned.

MBAM:

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.05.02

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Mom :: MOM-PC [administrator]

2/5/2012 11:55:23 AM
mbam-log-2012-02-05 (11-55-23).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 182583
Time elapsed: 3 minute(s), 3 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


HiJackThis:


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:01:24 PM, on 2/5/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v8.00 (8.00.7601.17514)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Norton AntiVirus\Engine\19.2.0.10\ccSvcHst.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
C:\Program Files (x86)\Lexmark 3600-4600 Series\lxdxmon.exe
C:\Program Files (x86)\Lexmark 3600-4600 Series\ezprint.exe
C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil11e_ActiveX.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton AntiVirus\Engine\19.2.0.10\IPS\IPSBHO.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
O4 - HKLM\..\Run: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"
O4 - HKLM\..\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - Global Startup: Secunia PSI Tray.lnk = C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\nwprovau.dll' missing
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\WildTangent\Dell Games\Dell Game Console\GameConsoleService.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files (x86)\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Intel(R) Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: lxdxCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\x64\3\\lxdxserv.exe
O23 - Service: lxdx_device -   - C:\Windows\system32\lxdxcoms.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Norton AntiVirus (NAV) - Symantec Corporation - C:\Program Files (x86)\Norton AntiVirus\Engine\19.2.0.10\ccSvcHst.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Dell DataSafe Online (NOBU) - Dell, Inc. - C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: RoxMediaDB12OEM - Sonic Solutions - C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe
O23 - Service: Roxio Hard Drive Watcher 12 (RoxWatch12) - Sonic Solutions - C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Secunia PSI Agent - Secunia - C:\Program Files (x86)\Secunia\PSI\PSIA.exe
O23 - Service: Secunia Update Agent - Secunia - C:\Program Files (x86)\Secunia\PSI\sua.exe
O23 - Service: SoftThinks Agent Service (SftService) - SoftThinks SAS - C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files (x86)\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 10095 bytes

#14 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,538
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 05 February 2012 - 12:42 PM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

      O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"
      O4 - HKLM\..\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe"
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
      O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
      O4 - Global Startup: Secunia PSI Tray.lnk = C:\Program Files (x86)\Secunia\PSI\psi_tray.exe


  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

      NOTE**You can research each of those lines >here< and see if you want to keep them or not
      just copy the name between the brackets and paste into the search space
      O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
sometimes we have to run it like this To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
      Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard and paste the results here in this topic
  • you may also find here C:\Program Files\Eset\Eset Online Scanner\log.txt

Copy and paste that log as a reply to this topic

Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#15 User is offline   Grenaid 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 9
  • Joined: 30-January 12

Posted 05 February 2012 - 02:14 PM

I'm going to pass on the accelerated start since it's not my computer. You marked optional, so I'm guessing that's just customer preference for a faster boot? It's very quick already.

I'm going to head home for the superbowl, but I'll be back tomorrow. Thanks again for all the help!


EDIT: I think the Dell flag is a false positive, I did some googling on that before. Let me know though!


ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=bcffc5d3d72547468f46d267cf2b3cb2
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-01-30 10:02:50
# local_time=2012-01-30 05:02:50 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=3587 16777214 85 65 2472422 146026326 0 0
# compatibility_mode=5893 16776574 66 94 2659722 79501990 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=115640
# found=2
# cleaned=2
# scan_time=2429
C:\Program Files (x86)\Dell DataSafe Local Backup\hstart.exe	a variant of Win32/HiddenStart.A application (cleaned by deleting - quarantined)	00000000000000000000000000000000	C
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe	a variant of Win32/HiddenStart.A application (cleaned by deleting - quarantined)	00000000000000000000000000000000	C

This post has been edited by Grenaid: 05 February 2012 - 02:15 PM

Share this topic:


  • 2 Pages +
  • 1
  • 2
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users