

ComboFix Log


  • This topic is locked
2 replies to this topic

#1 rambling

rambling

  • Members
  • 5 posts
  • OFFLINE
  • Local time:03:19 AM

Posted 11 January 2011 - 11:53 PM

Mod Edit: See here for history: http://www.bleepingcomputer.com/forums/topic372801.html

EDIT: Sorry for going on ahead and using ComboFix, but I was advised to use it... The person had told me to install AVG Free but a whole bunch of crazy things happened which he said had bad implications basically so he said try the thing, the ComboFix thing the website had said to do, and then scan it with AVG. |: I hadn't touched it before since I was scared. xD Please analyze it. I'll ask him to do it too (but it's a little late so I'm posting it here too).

How is this?

ComboFix 11-01-11.01 - Shewaye Moges 01/11/2011 20:36:41.1.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3964.1780 [GMT -7:00]
Running from: c:\users\Shewaye Moges\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *Disabled/Outdated* {56547CC9-C9B2-849D-8FEF-A496150D6A06}
AV: Kaspersky Internet Security *Disabled/Updated* {AE1D740B-8F0F-D137-211D-873D44B3F4AE}
FW: Kaspersky Internet Security *Disabled* {6E6FFDEC-83DD-85C5-A4B0-0DA3EBDE2D7D}
FW: Kaspersky Internet Security *Disabled* {9626F52E-C560-D06F-0A42-2E08BA60B3D5}
SP: Kaspersky Internet Security *Disabled/Outdated* {ED359D2D-EF88-8B13-B55F-9FE46E8A20BB}
SP: Kaspersky Internet Security *Disabled/Updated* {157C95EF-A935-DEB9-1BAD-BC4F3F34BE13}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files (x86)\FunWebProducts
c:\program files (x86)\MyWebSearch
c:\program files (x86)\MyWebSearch\bar\1.bin\chrome\M3FFXTBR.JAR
c:\program files (x86)\MyWebSearch\bar\1.bin\MWSOEMON.EXE
c:\program files (x86)\MyWebSearch\bar\1.bin\MWSOESTB.DLL
c:\program files (x86)\MyWebSearch\bar\2.bin\CHROME.MANIFEST
c:\program files (x86)\MyWebSearch\bar\2.bin\chrome\M3FFXTBR.JAR
c:\program files (x86)\MyWebSearch\bar\2.bin\F3BKGERR.JPG
c:\program files (x86)\MyWebSearch\bar\2.bin\F3CJPEG.DLL
c:\program files (x86)\MyWebSearch\bar\2.bin\F3DTactl.dll
c:\program files (x86)\MyWebSearch\bar\2.bin\F3HISTSW.DLL
c:\program files (x86)\MyWebSearch\bar\2.bin\F3HKSTUB.DLL
c:\program files (x86)\MyWebSearch\bar\2.bin\F3HTmlmu.dll
c:\program files (x86)\MyWebSearch\bar\2.bin\F3HTtpct.dll
c:\program files (x86)\MyWebSearch\bar\2.bin\F3IMSTUB.DLL
c:\program files (x86)\MyWebSearch\bar\2.bin\F3POPSWT.DLL
c:\program files (x86)\MyWebSearch\bar\2.bin\F3PSSAVR.SCR
c:\program files (x86)\MyWebSearch\bar\2.bin\F3REGHK.DLL
c:\program files (x86)\MyWebSearch\bar\2.bin\F3REPROX.DLL
c:\program files (x86)\MyWebSearch\bar\2.bin\F3RESTUB.DLL
c:\program files (x86)\MyWebSearch\bar\2.bin\F3SCHMON.EXE
c:\program files (x86)\MyWebSearch\bar\2.bin\F3SCrctr.dll
c:\program files (x86)\MyWebSearch\bar\2.bin\F3SPACER.WMV
c:\program files (x86)\MyWebSearch\bar\2.bin\F3WALLPP.DAT
c:\program files (x86)\MyWebSearch\bar\2.bin\F3WPHOOK.DLL
c:\program files (x86)\MyWebSearch\bar\2.bin\FWPBUDDY.PNG
c:\program files (x86)\MyWebSearch\bar\2.bin\INSTALL.RDF
c:\program files (x86)\MyWebSearch\bar\2.bin\M3AUXSTB.DLL
c:\program files (x86)\MyWebSearch\bar\2.bin\M3DLGHK.DLL
c:\program files (x86)\MyWebSearch\bar\2.bin\M3HIGHIN.EXE
c:\program files (x86)\MyWebSearch\bar\2.bin\M3HTML.DLL
c:\program files (x86)\MyWebSearch\bar\2.bin\M3IDLE.DLL
c:\program files (x86)\MyWebSearch\bar\2.bin\M3IMPIPE.EXE
c:\program files (x86)\MyWebSearch\bar\2.bin\M3MEDINT.EXE
c:\program files (x86)\MyWebSearch\bar\2.bin\M3MSg.dll
c:\program files (x86)\MyWebSearch\bar\2.bin\M3OUTLCN.DLL
c:\program files (x86)\MyWebSearch\bar\2.bin\M3PLUGIN.DLL
c:\program files (x86)\MyWebSearch\bar\2.bin\M3SKIN.DLL
c:\program files (x86)\MyWebSearch\bar\2.bin\M3SKPLAY.EXE
c:\program files (x86)\MyWebSearch\bar\2.bin\M3SLSRCH.EXE
c:\program files (x86)\MyWebSearch\bar\2.bin\M3SRCHMN.EXE
c:\program files (x86)\MyWebSearch\bar\2.bin\MWSBAR.DLL
c:\program files (x86)\MyWebSearch\bar\2.bin\MWSMLBTN.DLL
c:\program files (x86)\MyWebSearch\bar\2.bin\MWSOEMON.EXE
c:\program files (x86)\MyWebSearch\bar\2.bin\MWSOEPLG.DLL
c:\program files (x86)\MyWebSearch\bar\2.bin\MWSOESTB.DLL
c:\program files (x86)\MyWebSearch\bar\2.bin\MWSSRCAS.DLL
c:\program files (x86)\MyWebSearch\bar\2.bin\MWSSVC.EXE
c:\program files (x86)\MyWebSearch\bar\2.bin\MWSUABTN.DLL
c:\program files (x86)\MyWebSearch\bar\2.bin\NPMYWEBS.DLL
c:\program files (x86)\MyWebSearch\bar\Avatar\COMMON.F3S
c:\program files (x86)\MyWebSearch\bar\Game\CHECKERS.F3S
c:\program files (x86)\MyWebSearch\bar\Game\CHESS.F3S
c:\program files (x86)\MyWebSearch\bar\Game\REVERSI.F3S
c:\program files (x86)\MyWebSearch\bar\icons\CM.ICO
c:\program files (x86)\MyWebSearch\bar\icons\MFC.ICO
c:\program files (x86)\MyWebSearch\bar\icons\PSS.ICO
c:\program files (x86)\MyWebSearch\bar\icons\SMILEY.ICO
c:\program files (x86)\MyWebSearch\bar\icons\WB.ICO
c:\program files (x86)\MyWebSearch\bar\icons\ZWINKY.ICO
c:\program files (x86)\MyWebSearch\bar\Message\COMMON.F3S
c:\program files (x86)\MyWebSearch\bar\Notifier\COMMON.F3S
c:\program files (x86)\MyWebSearch\bar\Notifier\DOG.F3S
c:\program files (x86)\MyWebSearch\bar\Notifier\FISH.F3S
c:\program files (x86)\MyWebSearch\bar\Notifier\KUNGFU.F3S
c:\program files (x86)\MyWebSearch\bar\Notifier\LIFEGARD.F3S
c:\program files (x86)\MyWebSearch\bar\Notifier\MAID.F3S
c:\program files (x86)\MyWebSearch\bar\Notifier\MAILBOX.F3S
c:\program files (x86)\MyWebSearch\bar\Notifier\OPERA.F3S
c:\program files (x86)\MyWebSearch\bar\Notifier\ROBOT.F3S
c:\program files (x86)\MyWebSearch\bar\Notifier\SEDUCT.F3S
c:\program files (x86)\MyWebSearch\bar\Notifier\SURFER.F3S
c:\program files (x86)\MyWebSearch\bar\Settings\s_pid.dat
c:\program files (x86)\PlaySushi\PSTExt.dll
c:\program files (x86)\Search Toolbar
c:\program files (x86)\Search Toolbar\icon.ico
c:\program files (x86)\Search Toolbar\SearchToolbar.dll
c:\program files (x86)\Search Toolbar\SearchToolbarUninstall.exe
c:\program files (x86)\Search Toolbar\SearchToolbarUpdater.exe
c:\users\SHEWAY~1\AppData\Local\Temp\1.tmp\F_IN_BOX.dll
c:\users\Shewaye Moges\AppData\Local\syssvc.exe
c:\users\Shewaye Moges\AppData\Local\Temp\1.tmp\F_IN_BOX.dll
c:\windows\system32\drivers\etc\lmhosts
c:\windows\system32\f3PSSavr.scr
c:\windows\system32\jusched.exe
c:\windows\SysWow64\f3PSSavr.scr
c:\windows\SysWow64\jusched.exe

.
((((((((((((((((((((((((( Files Created from 2010-12-12 to 2011-01-12 )))))))))))))))))))))))))))))))
.

2011-01-12 03:56 . 2011-01-12 03:56 -------- d-----w- c:\users\Society\AppData\Local\temp
2011-01-12 03:56 . 2011-01-12 03:56 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-01-12 03:56 . 2011-01-12 03:56 -------- d-----w- c:\users\Lia\AppData\Local\temp
2011-01-12 03:56 . 2011-01-12 03:56 -------- d-----w- c:\users\bambi\AppData\Local\temp
2011-01-12 03:25 . 2011-01-12 03:26 -------- d-----w- C:\32788R22FWJFW
2011-01-12 03:01 . 2011-01-12 03:01 -------- d-----w- c:\programdata\MFAData
2011-01-11 10:06 . 2010-11-10 05:35 8199504 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8AA7A196-89A6-4A47-A5EE-369017709968}\mpengine.dll
2011-01-06 22:37 . 2011-01-06 22:37 -------- d-----w- c:\users\Shewaye Moges\AppData\Roaming\WinBatch
2010-12-21 15:15 . 2010-03-05 14:32 612864 ----a-w- c:\windows\system32\vbscript.dll
2010-12-21 15:15 . 2010-03-05 14:01 420352 ----a-w- c:\windows\SysWow64\vbscript.dll
2010-12-20 15:13 . 2010-10-19 04:56 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2010-12-20 15:13 . 2010-10-19 04:27 7680 ----a-w- c:\program files (x86)\Internet Explorer\iecompat.dll
2010-12-20 15:08 . 2009-03-08 11:40 115712 ----a-w- c:\program files\Internet Explorer\ielowutil.exe
2010-12-15 04:05 . 2010-10-28 16:29 48128 ----a-w- c:\windows\system32\atmlib.dll
2010-12-15 04:00 . 2010-11-06 11:18 500224 ----a-w- c:\windows\system32\wmicmiplugin.dll
2010-12-15 04:00 . 2010-11-06 11:18 655872 ----a-w- c:\windows\system32\taskschd.dll
2010-12-15 04:00 . 2010-11-06 11:18 410112 ----a-w- c:\windows\system32\taskcomp.dll
2010-12-15 04:00 . 2010-11-06 11:18 855040 ----a-w- c:\windows\system32\schedsvc.dll
2010-12-15 04:00 . 2010-11-04 23:58 267776 ----a-w- c:\windows\system32\taskeng.exe
2010-12-15 04:00 . 2010-11-04 18:55 352768 ----a-w- c:\windows\SysWow64\taskschd.dll
2010-12-15 04:00 . 2010-11-04 18:55 270336 ----a-w- c:\windows\SysWow64\taskcomp.dll
2010-12-15 04:00 . 2010-11-04 16:34 171520 ----a-w- c:\windows\SysWow64\taskeng.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-09 03:19 . 2010-12-09 03:19 749832 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-12-01 05:20 . 2010-11-25 14:01 2981996 ----a-w- c:\users\bambi\AppData\Local\My Web Search Installer.exe
2010-11-10 19:09 . 2009-03-31 00:21 564632 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\wlidui.dll
2010-11-10 19:09 . 2009-03-30 23:20 17816 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2010-10-19 17:41 . 2009-10-02 19:09 270720 ------w- c:\windows\system32\MpSigStub.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}]
2010-04-15 19:33 2515552 ----a-w- c:\program files (x86)\myBabylon_English\tbmyBa.dll

[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-09-29 05:44 1400712 ----a-w- c:\program files (x86)\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}"= "c:\program files (x86)\myBabylon_English\tbmyBa.dll" [2010-04-15 2515552]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2010-09-29 1400712]

[HKEY_CLASSES_ROOT\clsid\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]
"HPAdvisor"="c:\program files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-04-15 972128]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"msnmsgr"="c:\program files (x86)\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"SunJavaUpdateSched"="c:\program files (x86)\Java\jre6\bin\jusched.exe" [2010-02-20 149280]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"AVP"="c:\program files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2010-08-18 311680]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2009-11-11 417792]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"TkBellExe"="c:\program files (x86)\Common Files\Real\Update_OB\realsched.exe" [2010-07-26 202256]
"InstaLAN"="c:\program files (x86)\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" [2010-07-29 1485208]

c:\users\bambi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\users\Lia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\users\Society\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\users\Shewaye Moges\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
McAfee Security Scan.lnk - c:\program files (x86)\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-27 199184]
PalTalk.lnk - c:\program files (x86)\Paltalk Messenger\paltalk.exe [2009-12-23 12734216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~2\KASPER~1\KASPER~2\mzvkbd3.dll c:\progra~2\KASPER~1\KASPER~2\sbhook.dll

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate1ca85c93cbf6071;Google Update Service (gupdate1ca85c93cbf6071);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-12-26 133104]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2009-05-29 48640]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
S0 KLBG;Kaspersky Lab Boot Guard Driver;c:\windows\system32\DRIVERS\klbg.sys [2008-12-16 38416]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2009-05-16 26640]
S2 Belkin Local Backup Service;Belkin Local Backup Service;c:\program files\Belkin\Belkin USB Print and Storage Center\BkBackupScheduler.exe [2010-02-18 181760]
S2 Belkin Network USB Helper;Belkin Network USB Helper;c:\program files\Belkin\Belkin USB Print and Storage Center\Bkapcs.exe [2010-02-09 55296]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files (x86)\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 CAXHWBS3;CAXHWBS3;c:\windows\system32\DRIVERS\CAXHWBS3.sys [2008-02-12 286208]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-05-17 21008]
S3 sxuptp;SXUPTP Driver;c:\windows\system32\DRIVERS\sxuptp.sys [2010-03-22 291352]


[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2011-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-12-26 01:17]

2011-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-12-26 01:17]

2011-01-12 c:\windows\Tasks\Norton Security Scan for bambi.job
- c:\program files (x86)\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-09-06 17:04]

2011-01-12 c:\windows\Tasks\User_Feed_Synchronization-{3F8A4075-BB26-479A-B19E-F00A29F93A5E}.job
- c:\windows\system32\msfeedssync.exe [2010-12-20 04:25]

2011-01-12 c:\windows\Tasks\User_Feed_Synchronization-{43D209AB-6C3F-4D08-80E7-4CA9ED1445E8}.job
- c:\windows\system32\msfeedssync.exe [2010-12-20 04:25]

2011-01-12 c:\windows\Tasks\User_Feed_Synchronization-{BF0E69B7-EDB6-4C54-8CE2-A7A2E57808FC}.job
- c:\windows\system32\msfeedssync.exe [2010-12-20 04:25]
.

--------- x86-64 -----------


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="%ProgramFiles%\Windows Defender\MSASCui.exe -hide" [X]
"RtHDVCpl"="RAVCpl64.exe" [2008-07-03 6430208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-23 15851040]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-23 82464]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2008-01-21 225792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
"AppInit_DLLs"=c:\progra~2\KASPER~1\KASPER~2\x64\sbhook64.dll
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.babylon.com/home
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cndt
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyServer = http=127.0.0.1:8074
uInternet Settings,ProxyOverride = <local>
IE: Add to Anti-Banner - c:\program files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: Translate this web page with Babylon - c:\program files (x86)\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
IE: Translate with Babylon - c:\program files (x86)\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Action.htm
LSP: c:\windows\system32\wpclsp.dll
FF - ProfilePath - c:\users\Shewaye Moges\AppData\Roaming\Mozilla\Firefox\Profiles\ximwujmo.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://search.babylon.com/home
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Kaspersky URL Advisor: linkfilter@kaspersky.ru - c:\program files (x86)\Mozilla Firefox\extensions\linkfilter@kaspersky.ru
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Veoh Video Compass: searchrecs@veoh.com - %profile%\extensions\searchrecs@veoh.com
FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
.
- - - - ORPHANS REMOVED - - - -

Wow6432Node-HKCU-Run-AdobeUpdater - c:\program files (x86)\Common Files\Adobe\Updater5\AdobeUpdater.exe
Wow6432Node-HKLM-Run-hpqSRMon - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{B2E293EE-FD7E-4C71-A714-5F4750D8D7B7} - (no file)
HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-Search Toolbar - c:\program files (x86)\Search Toolbar\SearchToolbarUninstall.exe
AddRemove-sp44626 - c:\hp\Softpaq\sp44626\sp44626.exe


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx, 1"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx, 1"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows CE Services]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Belkin\Router Setup and Monitor\BelkinService.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files (x86)\Belkin\Router Setup and Monitor\BelkinSetup.exe
c:\program files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
c:\hp\kbd\kbd.exe
c:\program files (x86)\McAfee Security Scan\1.0.150\McUICnt.exe
c:\program files (x86)\Internet Explorer\IELowutil.exe
.
**************************************************************************
.
Completion time: 2011-01-11 21:29:24 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-12 04:29

Pre-Run: 320,603,435,008 bytes free
Post-Run: 325,227,851,776 bytes free

- - End Of File - - 7AECD60FF27E41335E66FC6A56E10A6E


Post about problem before ComboFix:
http://www.bleepingcomputer.com/forums/topic372801.html

Idk if I still need to make logs about the other stuff if ComboFix already made one o_o maybe it's different. If so, tell me and I'll install all the necessary things.
Help please T_T

Edited by Blade Zephon, 12 January 2011 - 05:45 AM.



#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:02:19 PM

Posted 18 January 2011 - 04:00 AM

Hello and welcome to Bleeping Computer :welcome:

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log



IMPORTANT NOTE: :exclame:

If the system has been used after topic creation time we need to take a look at fresh logs. So, please post fresh copies of dds.txt & attach.txt logs.



Regards,
Georgi :hello:



#3 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:19 AM

Posted 25 January 2011 - 09:23 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/



