Infected - Google Redirect + 'Security Protection' (defender.exe)


  • This topic is locked
21 replies to this topic

#1 drumr1829

  • Members
  • 42 posts

Posted 25 August 2011 - 07:58 AM

Hello and thanks in advance for the help,

I'm helping to clean out my brother's PC remotely. It appears he has a few issues going on. Here's a list:

- Browsing through Firefox/Pale Moon is slow, if it even works at all
- Google searches redirect to ad sites like 'moonsearch.net' and then download/run the 'Security Protection' fake AV
- Random BSODs, trouble booting sometimes - I believe this was attributed to the TDSS rootkit.
- Within Task Manager > Processes - Ping.exe *32 running using 30-40 CPU
- Typing in www.google.com will go to Google, but cannot reach igoogle (www.google.com/ig) - within Chrome we get "This webpage has a redirect loop - The webpage to http://www.google.com/ig has resulted in too many redirects"

I've followed the instructions to remove TDSS and Security Protection:
http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller

In addition to doing an updated Malwarebytes scan, I've done SUPERAntiSpyware. Unfortunately, the PC is still infected as I'm still getting Google redirects which then reinstalled the Security Protection. TDSS is no longer found but I still can't reach www.google.com/ig. I tried doing a ComboFix scan but this crashed - not sure if it updated properly. This wasn't done in safe mode (as I later found that it should have been). So this is where I'm at.

The following are the DDS logs with the Attach.txt zipped and attached as requested:

.
DDS (Ver_2011-06-23.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_21
Run by Kevin at 7:44:57 on 2011-08-25
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.4087.2655 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {BF5CEBDC-F2D3-7540-343C-F0CE11FD6E66}
SP: Microsoft Security Essentials *Enabled/Updated* {043D0A38-D4E9-7ACE-0E8C-CBBC6A7A24DB}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe
C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files (x86)\Common Files\Logishrd\LVMVFM\LVPrS64H.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\Logitech\SetPointG\SetPointII.exe
C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Users\Kevin\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
C:\Users\Kevin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Kevin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Users\Kevin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Kevin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - C:\Program Files (x86)\Yontoo Layers Runtime\YontooIEClient_2.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
uRun: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [SansaDispatch] C:\Users\Kevin\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
uRun: [OfficeSyncProcess] "C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE"
uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
mRun: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun: [CloneCDTray] "C:\Program Files (x86)\SlySoft\CloneCD\CloneCDTray.exe" /s
mRun: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [LWS] C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe -hide
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Append to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.11.1
TCP: Interfaces\{4B5A7C20-5B87-46DC-9229-D55D582101DB} : DhcpNameServer = 192.168.11.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
IFEO: ehshell.exe - "C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe" -MceShellRedirect
BHO-X64: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
BHO-X64: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: Yontoo Layers: {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files (x86)\Yontoo Layers Runtime\YontooIEClient_2.dll
BHO-X64: Yontoo Layers - No File
TB-X64: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
mRun-x64: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun-x64: [CloneCDTray] "C:\Program Files (x86)\SlySoft\CloneCD\CloneCDTray.exe" /s
mRun-x64: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [LWS] C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe -hide
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
IFEO-X64: ehshell.exe - "C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe" -MceShellRedirect
Hosts: 80.79.117.219 www.google.com
Hosts: 80.79.117.220 search.yahoo.com
Hosts: 80.79.117.220 www.bing.com
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-8-11 140672]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 LMIGuardianSvc;LMIGuardianSvc;C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [2011-6-8 375176]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files (x86)\LogMeIn\x64\rainfo.sys [2011-1-11 15928]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\C:\Windows\system32\drivers\LMIRfsDriver.sys --> C:\Windows\system32\drivers\LMIRfsDriver.sys [?]
R2 LVPrcS64;Process Monitor;C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe [2010-5-7 197976]
R2 UltraMonUtility;UltraMon Utility Driver;C:\Program Files (x86)\Common Files\Realtime Soft\UltraMonMirrorDrv\x64\UltraMonUtility.sys [2008-11-14 20512]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
R3 CompFilter64;UVCCompositeFilter;C:\Windows\system32\DRIVERS\lvbflt64.sys --> C:\Windows\system32\DRIVERS\lvbflt64.sys [?]
R3 LVPr2M64;Logitech LVPr2M64 Driver;C:\Windows\system32\DRIVERS\LVPr2M64.sys --> C:\Windows\system32\DRIVERS\LVPr2M64.sys [?]
R3 LVRS64;Logitech RightSound Filter Driver;C:\Windows\system32\DRIVERS\lvrs64.sys --> C:\Windows\system32\DRIVERS\lvrs64.sys [?]
R3 LVUVC64;Logitech HD Pro Webcam C910(UVC);C:\Windows\system32\DRIVERS\lvuvc64.sys --> C:\Windows\system32\DRIVERS\lvuvc64.sys [?]
R3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 KMService;KMService;C:\Windows\System32\srvany.exe [2010-7-27 8192]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-3-25 30969208]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 pbfilter;pbfilter;C:\Program Files\PeerBlock\pbfilter.sys [2010-6-26 24176]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;C:\Windows\system32\DRIVERS\RTL8187B.sys --> C:\Windows\system32\DRIVERS\RTL8187B.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
.
=============== Created Last 30 ================
.
2011-08-24 21:58:44 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-08-24 06:42:19 8862544 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{D9365642-98BD-4C4E-9FA8-B1509D4EDE87}\mpengine.dll
2011-08-19 23:37:59 -------- d-----w- C:\$RECYCLE.BIN
2011-08-18 19:09:39 -------- d-----w- C:\Windows\SysWow64\Adobe
2011-08-15 23:12:37 -------- d-----w- C:\Users\Kevin\AppData\Roaming\Moonchild Productions
2011-08-15 23:12:37 -------- d-----w- C:\Users\Kevin\AppData\Local\Moonchild Productions
2011-08-15 23:12:29 -------- d-----w- C:\Program Files (x86)\Pale Moon
2011-08-15 16:04:55 -------- d-----w- C:\Users\Kevin\AppData\Roaming\SUPERAntiSpyware.com
2011-08-15 16:04:22 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
2011-08-15 16:04:22 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2011-08-06 19:43:24 98816 ----a-w- C:\Windows\sed.exe
2011-08-06 19:43:24 518144 ----a-w- C:\Windows\SWREG.exe
2011-08-06 19:43:24 256000 ----a-w- C:\Windows\PEV.exe
2011-08-06 19:43:24 208896 ----a-w- C:\Windows\MBR.exe
2011-08-02 03:05:17 15504 ----a-w- C:\Windows\SysWow64\drivers\mbam.sys
2011-08-02 03:05:15 41272 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-08-02 00:40:51 -------- d-----w- C:\Users\Kevin\AppData\Roaming\Malwarebytes
2011-08-02 00:40:47 -------- d-----w- C:\ProgramData\Malwarebytes
2011-08-02 00:40:47 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-07-28 03:36:46 -------- d-----w- C:\Users\Kevin\AppData\Local\uTorrent
2011-07-27 22:02:50 -------- d-----w- C:\Program Files (x86)\Yontoo Layers Runtime
.
==================== Find3M ====================
.
2011-07-06 20:33:18 87456 ----a-w- C:\Windows\System32\LMIRfsClientNP.dll
2011-07-06 20:33:06 33152 ----a-w- C:\Windows\System32\LMIport.dll
2011-07-06 20:33:04 80768 ----a-w- C:\Windows\System32\LMIinit.dll
2011-07-04 17:21:15 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-07-01 02:22:19 98816 ----a-w- C:\Windows\System32\wudriver.dll
2011-07-01 02:22:12 36864 ----a-w- C:\Windows\System32\wuapp.exe
2011-07-01 02:22:12 185416 ----a-w- C:\Windows\System32\wuwebv.dll
2011-07-01 02:22:01 2621440 ----a-w- C:\Windows\System32\wucltux.dll
2011-06-08 17:06:32 87456 ----a-w- C:\Windows\System32\LMIRfsClientNP.dll.000.bak
.
============= FINISH: 7:45:26.96 ===============

Attached Files



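The three "Hosts:" lines in the DDS log above account for the redirect symptom described in the post: www.google.com, search.yahoo.com and www.bing.com are pinned in C:\Windows\System32\drivers\etc\hosts to 80.79.117.219/.220, so the browser never asks DNS for them at all, and a page on the real google.com that bounces to a search URL (the /ig redirect loop) keeps landing on the attacker's server. The following Python script is an added example for this thread, not part of the original post, of DDS, or of any BleepingComputer tool. It parses either a raw hosts file or the "Hosts:" lines of a DDS report and flags watched domains that are pinned to anything other than a loopback or unspecified address (those two are treated as ad-blocking sinkholes, not hijacks). The list of watched domains and the sample hosts text are constructed for the example; the sample reuses the three addresses from the log above.

```python
"""Triage check for hosts-file search-engine hijacks (added example)."""
import ipaddress
import re
import sys

# Assumed list of domains that should never be pinned in hosts on a
# client PC; extend it for the environment being triaged.
WATCHED_SUFFIXES = (
    "google.com", "bing.com", "yahoo.com", "microsoft.com",
    "windowsupdate.com", "malwarebytes.org", "bleepingcomputer.com",
)

# Constructed sample: the three entries from the DDS log plus lines that
# a legitimate hosts file commonly carries (comment, localhost, a LAN name).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.11.50   nas.local
80.79.117.219   www.google.com
80.79.117.220   search.yahoo.com
80.79.117.220   www.bing.com
"""

# Raw hosts-file syntax: <ip> <name> [<name>...] [# comment]
HOSTS_LINE = re.compile(r"^\s*(?P<ip>[0-9A-Fa-f:.]+)\s+(?P<names>[^#]+)")
# DDS "Pseudo HJT Report" syntax: Hosts: <ip> <name>
DDS_LINE = re.compile(r"^Hosts:\s+(?P<ip>[0-9A-Fa-f:.]+)\s+(?P<names>.+)$")


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs from hosts-file text or a DDS log."""
    for line in text.splitlines():
        m = DDS_LINE.match(line) or HOSTS_LINE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # not an address (e.g. a hex-looking word); skip
        for name in m.group("names").split():
            yield ip, name.lower()


def is_watched(name):
    """True if name is one of the watched domains or a subdomain of one."""
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def suspicious_entries(text):
    """Return (hostname, ip, scope) for watched domains pinned to a real host.

    Loopback and 0.0.0.0 pins are ad-block style sinkholes and are ignored;
    anything else redirects the user's traffic and is reported.
    """
    hits = []
    for ip, name in parse_hosts(text):
        if not is_watched(name):
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue
        scope = "public" if ip.is_global else "private"
        hits.append((name, str(ip), scope))
    return hits


def main(argv):
    # With no argument the constructed sample is checked; otherwise the
    # argument is a hosts file (C:\Windows\System32\drivers\etc\hosts) or a
    # saved DDS.txt.
    text = SAMPLE_HOSTS
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    hits = suspicious_entries(text)
    for name, ip, scope in hits:
        print(f"HIJACK  {name:<24} -> {ip} ({scope} address)")
    if not hits:
        print("no watched domains are pinned to non-loopback addresses")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments to see the three log entries flagged as public-address hijacks; pass the path of the hosts file or of a saved DDS.txt to check a real machine. The design choice worth noting is the loopback/0.0.0.0 exemption: tools such as MVPS hosts lists pin ad domains to 0.0.0.0 legitimately, and a scanner that reports those would bury the real hijack in noise.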

#2 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 29 August 2011 - 02:08 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:


    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

Information and logs:

  • In your next post I need the following

  • logs from DDS
  • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 drumr1829

  • Topic Starter
  • Members
  • 42 posts

Posted 29 August 2011 - 02:32 PM

Hi Gringo,

Thanks for helping me out. I ran DeFogger to disable any emulation and rebooted. Ran DDS without issue. The logs are as follows (attach.txt on second post):


.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_21
Run by Kevin at 15:26:37 on 2011-08-29
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.4087.2443 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {BF5CEBDC-F2D3-7540-343C-F0CE11FD6E66}
SP: Microsoft Security Essentials *Enabled/Updated* {043D0A38-D4E9-7ACE-0E8C-CBBC6A7A24DB}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe
C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files (x86)\Common Files\Logishrd\LVMVFM\LVPrS64H.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Users\Kevin\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Logitech\SetPointG\SetPointII.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - C:\Program Files (x86)\Yontoo Layers Runtime\YontooIEClient_2.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
uRun: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [SansaDispatch] C:\Users\Kevin\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
uRun: [OfficeSyncProcess] "C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE"
uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
mRun: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun: [CloneCDTray] "C:\Program Files (x86)\SlySoft\CloneCD\CloneCDTray.exe" /s
mRun: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [LWS] C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe -hide
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Append to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.11.1
TCP: Interfaces\{4B5A7C20-5B87-46DC-9229-D55D582101DB} : DhcpNameServer = 192.168.11.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
IFEO: ehshell.exe - "C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe" -MceShellRedirect
BHO-X64: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
BHO-X64: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: Yontoo Layers: {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files (x86)\Yontoo Layers Runtime\YontooIEClient_2.dll
BHO-X64: Yontoo Layers - No File
TB-X64: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
mRun-x64: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun-x64: [CloneCDTray] "C:\Program Files (x86)\SlySoft\CloneCD\CloneCDTray.exe" /s
mRun-x64: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [LWS] C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe -hide
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
IFEO-X64: ehshell.exe - "C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe" -MceShellRedirect
Hosts: 80.79.117.220 search.yahoo.com
Hosts: 80.79.117.220 www.bing.com
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-8-11 140672]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 LMIGuardianSvc;LMIGuardianSvc;C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [2011-6-8 375176]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files (x86)\LogMeIn\x64\rainfo.sys [2011-1-11 15928]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\C:\Windows\system32\drivers\LMIRfsDriver.sys --> C:\Windows\system32\drivers\LMIRfsDriver.sys [?]
R2 LVPrcS64;Process Monitor;C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe [2010-5-7 197976]
R2 UltraMonUtility;UltraMon Utility Driver;C:\Program Files (x86)\Common Files\Realtime Soft\UltraMonMirrorDrv\x64\UltraMonUtility.sys [2008-11-14 20512]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
R3 CompFilter64;UVCCompositeFilter;C:\Windows\system32\DRIVERS\lvbflt64.sys --> C:\Windows\system32\DRIVERS\lvbflt64.sys [?]
R3 LVPr2M64;Logitech LVPr2M64 Driver;C:\Windows\system32\DRIVERS\LVPr2M64.sys --> C:\Windows\system32\DRIVERS\LVPr2M64.sys [?]
R3 LVRS64;Logitech RightSound Filter Driver;C:\Windows\system32\DRIVERS\lvrs64.sys --> C:\Windows\system32\DRIVERS\lvrs64.sys [?]
R3 LVUVC64;Logitech HD Pro Webcam C910(UVC);C:\Windows\system32\DRIVERS\lvuvc64.sys --> C:\Windows\system32\DRIVERS\lvuvc64.sys [?]
R3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 KMService;KMService;C:\Windows\System32\srvany.exe [2010-7-27 8192]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-3-25 30969208]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 pbfilter;pbfilter;C:\Program Files\PeerBlock\pbfilter.sys [2010-6-26 24176]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;C:\Windows\system32\DRIVERS\RTL8187B.sys --> C:\Windows\system32\DRIVERS\RTL8187B.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
.
=============== Created Last 30 ================
.
2011-08-29 07:16:00 8862544 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{BFFB2700-A31F-4D3B-A167-CF1FDC1E3F15}\mpengine.dll
2011-08-24 21:58:44 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-08-19 23:37:59 -------- d-----w- C:\$RECYCLE.BIN
2011-08-18 19:09:39 -------- d-----w- C:\Windows\SysWow64\Adobe
2011-08-15 23:12:37 -------- d-----w- C:\Users\Kevin\AppData\Roaming\Moonchild Productions
2011-08-15 23:12:37 -------- d-----w- C:\Users\Kevin\AppData\Local\Moonchild Productions
2011-08-15 23:12:29 -------- d-----w- C:\Program Files (x86)\Pale Moon
2011-08-15 16:04:55 -------- d-----w- C:\Users\Kevin\AppData\Roaming\SUPERAntiSpyware.com
2011-08-15 16:04:22 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
2011-08-15 16:04:22 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2011-08-06 19:43:24 98816 ----a-w- C:\Windows\sed.exe
2011-08-06 19:43:24 518144 ----a-w- C:\Windows\SWREG.exe
2011-08-06 19:43:24 256000 ----a-w- C:\Windows\PEV.exe
2011-08-06 19:43:24 208896 ----a-w- C:\Windows\MBR.exe
2011-08-02 03:05:17 15504 ----a-w- C:\Windows\SysWow64\drivers\mbam.sys
2011-08-02 03:05:15 41272 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-08-02 00:40:51 -------- d-----w- C:\Users\Kevin\AppData\Roaming\Malwarebytes
2011-08-02 00:40:47 -------- d-----w- C:\ProgramData\Malwarebytes
2011-08-02 00:40:47 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
.
==================== Find3M ====================
.
2011-08-28 12:47:37 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-07-06 20:33:18 87456 ----a-w- C:\Windows\System32\LMIRfsClientNP.dll
2011-07-06 20:33:06 33152 ----a-w- C:\Windows\System32\LMIport.dll
2011-07-06 20:33:04 80768 ----a-w- C:\Windows\System32\LMIinit.dll
2011-07-01 02:22:19 98816 ----a-w- C:\Windows\System32\wudriver.dll
2011-07-01 02:22:12 36864 ----a-w- C:\Windows\System32\wuapp.exe
2011-07-01 02:22:12 185416 ----a-w- C:\Windows\System32\wuwebv.dll
2011-07-01 02:22:01 2621440 ----a-w- C:\Windows\System32\wucltux.dll
2011-06-08 17:06:32 87456 ----a-w- C:\Windows\System32\LMIRfsClientNP.dll.000.bak
.
============= FINISH: 15:27:58.15 ===============

Edited by drumr1829, 29 August 2011 - 02:39 PM.
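Added example (not part of DDS, ComboFix or the poster's own steps): a short Python triage pass over startup lines of the kind shown in the DDS log above. The two `Hosts:` entries that send search.yahoo.com and www.bing.com to 80.79.117.220 are what a responder checks first on a "search redirect" complaint, because a hosts override wins before DNS is ever consulted; an `IFEO:` line names a "debugger" that Windows launches in place of the listed program; a `BHO-X64: ... - No File` line is a registration whose DLL is gone. The sample lines are constructed from the thread's log, the regexes and the `hosts_is_hijack` rule (anything other than loopback or 0.0.0.0 is flagged) are my assumptions, and the script only surfaces entries; whether the IFEO entry for the LogMeIn helper is expected remains the analyst's call.

```python
"""Triage of DDS-style startup lines: hosts overrides, IFEO debuggers, orphaned BHOs.

Added example; it is not part of DDS, ComboFix or the thread. Sample input is
constructed from the log above, and the detection rules are the author's assumptions.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample lines modelled on the DDS log in the thread.
SAMPLE_LOG = """\
IFEO: ehshell.exe - "C:\\Program Files (x86)\\LogMeIn\\x64\\LogMeInSystray.exe" -MceShellRedirect
BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\\Program Files (x86)\\Skype\\Toolbars\\Internet Explorer\\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Yontoo Layers: {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\\Program Files (x86)\\Yontoo Layers Runtime\\YontooIEClient_2.dll
Hosts: 80.79.117.220 search.yahoo.com
Hosts: 80.79.117.220 www.bing.com
Hosts: 127.0.0.1 localhost
"""

HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
IFEO_RE = re.compile(r"^IFEO(?:-X64)?:\s+(\S+)\s+-\s+(.*)$")
BHO_RE = re.compile(r"^BHO(?:-X64)?:\s+(.*?)\s+-\s+(.*)$")


@dataclass
class Finding:
    kind: str    # HOSTS_HIJACK, IFEO_DEBUGGER or BHO_NO_FILE
    detail: str
    raw: str


def hosts_is_hijack(ip_text: str) -> bool:
    """Loopback or 0.0.0.0 is the ad-blocking style of hosts entry; any other address
    means name resolution for that host has been taken over ahead of DNS (assumed rule)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not (ip.is_loopback or ip.is_unspecified)


def triage(log_text: str) -> list[Finding]:
    """Walk the log once and return the entries a responder should look at first."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := HOSTS_RE.match(line):
            ip, host = m.groups()
            if hosts_is_hijack(ip):
                findings.append(Finding("HOSTS_HIJACK", f"{host} -> {ip}", line))
        elif m := IFEO_RE.match(line):
            exe, debugger = m.groups()
            # Every IFEO Debugger value is reported: Windows starts the "debugger"
            # instead of exe and hands it the original command line. Whether this
            # one is expected (vendor redirect) or a hijack is the analyst's decision.
            findings.append(Finding("IFEO_DEBUGGER", f"{exe} -> {debugger}", line))
        elif m := BHO_RE.match(line):
            name, target = m.groups()
            if target == "No File":
                # Registration survives but the DLL is gone: leftover of an uninstall
                # or of a removal tool; harmless by itself but worth cleaning.
                findings.append(Finding("BHO_NO_FILE", name, line))
    return findings


def summarise(findings: list[Finding]) -> dict[str, int]:
    """Count findings per kind, for a one-line overview of the log."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"{f.kind:<14} {f.detail}")
    print(summarise(hits))
```

Run against a full DDS log the same way (`triage(open("dds.txt").read())`); lines the three regexes do not recognise are skipped, so the rest of the log is ignored rather than misparsed.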


#4 drumr1829 (Topic Starter)

Posted 29 August 2011 - 02:34 PM

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Ultimate
Boot Device: \Device\HarddiskVolume3
Install Date: 6/11/2010 3:34:02 PM
System Uptime: 8/29/2011 3:22:22 PM (0 hours ago)
.
Motherboard: EVGA | | EVGA P55 SLI E655
Processor: Intel® Core™ i5 CPU 750 @ 2.67GHz | CPU 1 | 2668/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 699 GiB total, 543.469 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is FIXED (NTFS) - 932 GiB total, 246.605 GiB free.
H: is FIXED (NTFS) - 750 GiB total, 749.887 GiB free.
J: is FIXED (FAT32) - 233 GiB total, 67.915 GiB free.
K: is FIXED (NTFS) - 1113 GiB total, 582.07 GiB free.
N: is FIXED (NTFS) - 932 GiB total, 152.454 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter
Device ID: USB\VID_0BDA&PID_8189\00E04C000001
Manufacturer: Realtek Semiconductor Corp.
Name: Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter
PNP Device ID: USB\VID_0BDA&PID_8189\00E04C000001
Service: RTL8187B
.
==== System Restore Points ===================
.
RP674: 8/6/2011 3:36:04 PM - 08.06.11 Successful Boot and Win7 Startup
RP675: 8/6/2011 4:01:36 PM - 08.06.11 Clean after ComboFix Run
RP676: 8/6/2011 4:04:29 PM - Windows Update
RP677: 8/7/2011 8:55:27 AM - Windows Backup
RP678: 8/8/2011 2:34:19 AM - Windows Update
RP679: 8/9/2011 9:12:20 PM - Windows Update
RP680: 8/10/2011 3:27:16 AM - Windows Update
RP681: 8/13/2011 2:54:09 AM - Windows Update
RP682: 8/13/2011 1:26:08 PM - Removed Quick Access Bar
RP683: 8/13/2011 1:30:02 PM - Windows Backup
RP684: 8/13/2011 2:18:40 PM - Windows Backup
RP685: 8/14/2011 2:37:16 AM - Windows Update
RP686: 8/14/2011 6:06:51 PM - Restore Operation
RP687: 8/14/2011 6:24:21 PM - Windows Update
RP688: 8/14/2011 6:40:13 PM - Removed Quick Access Bar
RP689: 8/15/2011 2:44:28 AM - Windows Update
RP690: 8/15/2011 7:29:52 AM - 08.15.11 "Clean" after Combofix Run
RP691: 8/15/2011 10:09:21 PM - 08.15.11 Pale Moon Installed
RP692: 8/16/2011 3:02:59 AM - Windows Update
RP693: 8/16/2011 10:39:06 PM - Restore Operation
RP694: 8/16/2011 10:57:40 PM - Windows Update
RP695: 8/17/2011 2:55:25 AM - Windows Update
RP696: 8/19/2011 4:23:42 PM - Windows Update
RP697: 8/20/2011 2:34:52 AM - Windows Update
RP698: 8/21/2011 2:59:18 AM - Windows Update
RP699: 8/23/2011 8:19:57 AM - Windows Update
RP700: 8/24/2011 2:42:05 AM - Windows Update
RP701: 8/26/2011 2:45:59 AM - Windows Update
RP702: 8/27/2011 2:45:53 AM - Windows Update
RP703: 8/28/2011 8:55:30 AM - Windows Update
RP704: 8/29/2011 3:15:35 AM - Windows Update
.
==== Installed Programs ======================
.
µTorrent
Add or Remove Adobe Creative Suite 3 Master Collection
Adobe Acrobat 8 Professional
Adobe Acrobat 8.1.3 Professional
Adobe After Effects CS3 Presets
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe BridgeTalk Plugin CS3
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Creative Suite 3 Master Collection
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe Encore CS3
Adobe Encore CS3 Codecs
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Fireworks CS3
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe InDesign CS3 Icon Handler
Adobe Linguistics CS3
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Premiere Pro CS3
Adobe Premiere Pro CS3 Functional Content
Adobe Premiere Pro CS3 Third Party Content
Adobe Setup
Adobe Shockwave Player 11.6
Adobe SING CS3
Adobe Soundbooth CS3
Adobe Soundbooth CS3 Codecs
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe Video Profiles
Adobe WAS CS3
Adobe WinSoft Linguistics Plugin
Adobe XMP DVA Panels CS3
Adobe XMP Panels CS3
AHV content for Acrobat and Flash
AIM 7
Apple Application Support
Apple Software Update
ATI Catalyst Registration
Bejeweled 2 Deluxe
Call of Duty Modern Warfare 2
Call of Duty: Black Ops
CameraHelperMsi
Camtasia Studio 6
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center InstallProxy
ccc-core-static
CCC Help English
CloneCD
CloneDVD2
ConvertXtoDVD 3.3.2.100
Cool Edit Pro 2.1
Download Updater (AOL LLC)
DVD43 Plug-in v1.0.0.5
erLT
Fallout 3
Google Chrome
GoToMeeting 4.5.0.457
H&R Block Deluxe + Efile + State 2010
H&R Block Virginia 2010
Handbrake 0.9.4
Java™ 6 Update 21
LightScribe System Software
Logitech Webcam Software
LogMeIn
LWS Facebook
LWS Gallery
LWS Help_main
LWS Launcher
LWS Motion Detection
LWS Pictures And Video
LWS Twitter
LWS Video Mask Maker
LWS Webcam Software
LWS WLM Plugin
LWS YouTube Plugin
Magic ISO Maker v5.4 (build 0239)
Malwarebytes' Anti-Malware version 1.51.1.1800
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft XML Parser
Mp3tag v2.46a
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 8
neroxml
Pale Moon 5.0 (x86 en-US)
PDF Settings
Pdf995 (installed by H&R Block)
PdfEdit995 (installed by H&R Block)
QuickTime
Sansa Updater
Screen Sharing Plug-in
Security Update for CAPICOM (KB931906)
Skype Toolbars
Skype™ 5.3
SureThing CD Labeler LightScribe 5.0.581.0
swMSM
TightVNC 2.0.2
VCRedistSetup
Veetle TV 0.9.18
VoiceOver Kit
vShare Plugin
Winamp
Winamp Detector Plug-in
Windows Media Player Firefox Plugin
WinZip 14.0
Wolfenstein
.
==== Event Viewer Messages From Past Week ========
.
8/29/2011 1:06:03 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk2\DR2.
8/28/2011 9:05:27 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk5\DR12.
8/28/2011 10:44:47 PM, Error: Service Control Manager [7023] - The SPP Notification Service service terminated with the following error: Access is denied.
8/28/2011 10:11:05 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk4\DR4.
8/24/2011 9:46:47 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
8/24/2011 8:43:34 AM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
8/24/2011 8:40:31 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the gpsvc service.
8/24/2011 8:40:01 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the BITS service.
8/24/2011 8:39:31 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the wuauserv service.
8/24/2011 8:39:01 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Appinfo service.
8/24/2011 8:38:31 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Winmgmt service.
8/24/2011 8:37:01 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the AeLookupSvc service.
8/24/2011 8:37:01 AM, Error: Service Control Manager [7000] - The Application Experience service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/24/2011 8:18:05 AM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.111.587.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7604.0 Error code: 0x80080005 Error description: Server execution failed
8/24/2011 6:35:01 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
8/24/2011 5:46:00 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {D3DCB472-7261-43CE-924B-0704BD730D5F}
8/24/2011 5:46:00 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
8/24/2011 5:45:50 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
8/24/2011 5:45:49 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
8/24/2011 5:45:49 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
8/24/2011 5:45:48 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
8/24/2011 5:45:42 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
8/24/2011 5:43:00 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache ElbyCDIO MpFilter SASDIFSV SASKUTIL spldr sptd Wanarpv6
8/24/2011 5:42:31 PM, Error: sptd [4] - Driver detected an internal error in its data structures for .
8/24/2011 11:54:08 AM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
8/24/2011 10:28:02 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk3\DR3.
8/23/2011 8:09:43 AM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
8/23/2011 10:29:56 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk3\DR11.
8/22/2011 9:02:56 AM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
8/22/2011 8:50:12 AM, Error: Service Control Manager [7034] - The LMIGuardianSvc service terminated unexpectedly. It has done this 1 time(s).
8/22/2011 8:04:45 AM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
8/22/2011 7:49:28 AM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
8/22/2011 4:54:34 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk3\DR9.
.
==== End Of File ===========================
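Added example (mine, not DDS or ComboFix output and not something the thread's participants ran): a parser for the "Event Viewer Messages From Past Week" section above. Those lines carry more than a skim suggests: the Service Control Manager 7026 event on 8/24 lists MpFilter, SASDIFSV and SASKUTIL among the boot-start drivers that failed to load, and the repeated Microsoft Antimalware 3002 events say real-time protection was down, so the box ran without its protection filter drivers for part of the week. The script puts the events in chronological order (the list above is ordered by date string, so times within a day are shuffled), pulls protection-driver names out of 7026 messages using an assumed driver-to-product mapping taken from the service names in the same log, and counts the Disk 11 controller errors per physical disk. Sample lines are constructed from the log above, with the long 3002 message shortened.

```python
"""Triage of the "Event Viewer Messages" section of a DDS attach log.

Added example; not DDS or ComboFix output and not something the thread's participants
ran. Sample lines are constructed from the log above; the driver-to-product mapping is
an assumption taken from the service names listed in the same log.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample lines (the 3002 message is shortened).
SAMPLE_EVENTS = """\
8/29/2011 1:06:03 AM, Error: Disk [11] - The driver detected a controller error on \\Device\\Harddisk2\\DR2.
8/24/2011 9:46:47 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005
8/24/2011 8:39:31 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the wuauserv service.
8/24/2011 5:43:00 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache ElbyCDIO MpFilter SASDIFSV SASKUTIL spldr sptd Wanarpv6
8/23/2011 10:29:56 PM, Error: Disk [11] - The driver detected a controller error on \\Device\\Harddisk3\\DR11.
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<id>\d+)\] - (?P<msg>.*)$"
)

# Assumed mapping of boot-start driver names to the protection product they belong to.
PROTECTION_DRIVERS = {
    "MpFilter": "Microsoft Antimalware minifilter",
    "MpNWMon": "Microsoft Antimalware network monitor",
    "SASDIFSV": "SUPERAntiSpyware",
    "SASKUTIL": "SUPERAntiSpyware",
}


@dataclass
class Event:
    when: datetime
    level: str
    source: str
    event_id: int
    message: str


def parse_events(text: str) -> list[Event]:
    """Parse DDS event lines and return them oldest-first (DDS orders by date string,
    so times within a day come out shuffled)."""
    events: list[Event] = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        events.append(Event(
            when=datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
            level=m["level"], source=m["source"],
            event_id=int(m["id"]), message=m["msg"],
        ))
    return sorted(events, key=lambda e: e.when)


def protection_gaps(events: list[Event]) -> list[tuple[str, str, datetime]]:
    """Moments when protection was not running: SCM 7026 naming a protection driver
    that failed to load, and Microsoft Antimalware 3002 (real-time protection failed)."""
    gaps: list[tuple[str, str, datetime]] = []
    for e in events:
        if e.source == "Service Control Manager" and e.event_id == 7026:
            _, _, names = e.message.partition("failed to load:")
            for drv in names.split():
                if drv in PROTECTION_DRIVERS:
                    gaps.append((drv, PROTECTION_DRIVERS[drv], e.when))
        elif e.source == "Microsoft Antimalware" and e.event_id == 3002:
            gaps.append(("realtime", "Microsoft Antimalware real-time protection failed", e.when))
    return gaps


def disk_errors_by_device(events: list[Event]) -> Counter:
    """Disk 11 controller errors per physical disk: a hardware signal, not malware,
    but one that can produce BSODs and boot trouble a user may blame on the infection."""
    counts: Counter = Counter()
    for e in events:
        if e.source == "Disk" and e.event_id == 11:
            m = re.search(r"\\Device\\(Harddisk\d+)", e.message)
            counts[m.group(1) if m else "unknown"] += 1
    return counts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for drv, product, when in protection_gaps(evs):
        print(f"{when:%Y-%m-%d %H:%M}  {drv:<9} {product}")
    print(dict(disk_errors_by_device(evs)))
```

The 7026 entry on its own does not say why the drivers did not load (a ComboFix run that reboots with protection disabled looks the same as tampering); it says when to go looking, which is what a week-old event list is good for.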

#5 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 29 August 2011 - 02:39 PM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run ComboFix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this you can find out here or here.

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download ComboFix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double-click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from ComboFix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#6 gringo_pr

Posted 01 September 2011 - 12:26 AM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

#7 gringo_pr

Posted 03 September 2011 - 11:27 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

#8 gringo_pr

Posted 05 September 2011 - 11:05 AM

This topic has been re-opened at the request of the person who originally posted.

#9 drumr1829 (Topic Starter)

Posted 05 September 2011 - 12:10 PM

Gringo, thanks for reopening. Here are the ComboFix log files:

*Not sure why it is saying MS Security Essentials is enabled. I thought it was disabled (ended process and service).

After the scan completed, I tried doing a Google search on all browsers without issue (Chrome, Pale Moon, Internet Explorer). So I think we're in good shape. Do you think there is anything else that needs to be run? Thanks again!

ComboFix 11-09-05.03 - Kevin 09/05/2011 10:33:27.4.4 - x64 NETWORK
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.4087.3372 [GMT -4:00]
Running from: c:\users\Kevin\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {BF5CEBDC-F2D3-7540-343C-F0CE11FD6E66}
SP: Microsoft Security Essentials *Enabled/Updated* {043D0A38-D4E9-7ACE-0E8C-CBBC6A7A24DB}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Kevin\AppData\Roaming\Adobe\plugs
c:\users\Kevin\AppData\Roaming\Adobe\shed
c:\windows\SysWow64\mfc100deu.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-08-05 to 2011-09-05 )))))))))))))))))))))))))))))))
.
.
2011-09-05 14:37 . 2011-09-05 14:37 -------- d-----w- c:\users\Shannon\AppData\Local\temp
2011-09-05 14:37 . 2011-09-05 14:37 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-09-05 07:01 . 2011-08-12 04:10 8862544 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F0289136-BF16-4148-B7EC-F0EE427E28E3}\mpengine.dll
2011-08-24 21:58 . 2011-07-08 11:55 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-24 15:36 . 2011-08-24 15:36 -------- d-----w- c:\users\Shannon\AppData\Roaming\SUPERAntiSpyware.com
2011-08-24 15:33 . 2011-08-24 15:33 -------- d-----w- c:\users\Shannon\AppData\Roaming\Malwarebytes
2011-08-18 19:09 . 2011-08-18 19:10 -------- d-----w- c:\windows\SysWow64\Adobe
2011-08-15 23:12 . 2011-08-15 23:12 -------- d-----w- c:\users\Kevin\AppData\Roaming\Moonchild Productions
2011-08-15 23:12 . 2011-08-15 23:12 -------- d-----w- c:\users\Kevin\AppData\Local\Moonchild Productions
2011-08-15 23:12 . 2011-08-15 23:12 -------- d-----w- c:\program files (x86)\Pale Moon
2011-08-15 16:04 . 2011-08-15 16:04 -------- d-----w- c:\users\Kevin\AppData\Roaming\SUPERAntiSpyware.com
2011-08-15 16:04 . 2011-08-15 16:04 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-08-15 16:04 . 2011-08-15 16:04 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-08-08 16:10 . 2011-08-08 16:10 -------- d-----w- c:\users\Shannon\AppData\Local\VirtualStore
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-28 12:47 . 2011-05-30 16:55 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-08-12 04:10 . 2010-06-17 21:22 8862544 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-07-08 11:55 . 2011-08-02 03:05 41272 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-07-06 20:33 . 2011-07-01 02:20 87456 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-07-06 20:33 . 2011-07-01 02:20 33152 ----a-w- c:\windows\system32\LMIport.dll
2011-07-06 20:33 . 2011-07-01 02:20 80768 ----a-w- c:\windows\system32\LMIinit.dll
2011-07-01 02:22 . 2011-07-01 02:22 98816 ----a-w- c:\windows\system32\wudriver.dll
2011-07-01 02:22 . 2011-07-01 02:22 700640 ----a-w- c:\windows\system32\wuapi.dll
2011-07-01 02:22 . 2011-07-01 02:22 38112 ----a-w- c:\windows\system32\wups.dll
2011-07-01 02:22 . 2011-07-01 02:22 36864 ----a-w- c:\windows\system32\wuapp.exe
2011-07-01 02:22 . 2011-07-01 02:22 185416 ----a-w- c:\windows\system32\wuwebv.dll
2011-07-01 02:22 . 2011-07-01 02:22 57560 ----a-w- c:\windows\system32\wuauclt.exe
2011-07-01 02:22 . 2011-07-01 02:22 43744 ----a-w- c:\windows\system32\wups2.dll
2011-07-01 02:22 . 2011-07-01 02:22 2621440 ----a-w- c:\windows\system32\wucltux.dll
2011-07-01 02:22 . 2011-07-01 02:22 2424024 ----a-w- c:\windows\system32\wuaueng.dll
2011-06-08 17:06 . 2011-07-01 02:20 87456 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2009-07-14 . 72D7B3EA16946E8F0CF7458150031CC6 . 1008640 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_292d5de8870d85d9\user32.dll
[-] 2010-07-13 . 2C353B6CE0C8D03225CAA2AF33B68D79 . 1008640 . . [6.1.7600.16385] .. c:\windows\system32\user32.dll
.
[-] 2010-07-13 . 861C4346F9281DC0380DE72C8D55D6BE . 833024 . . [6.1.7600.16385] .. c:\windows\SysWOW64\user32.dll
[7] 2009-07-14 . E8B0FFC209E504CB7E79FC24E6C085F0 . 833024 . . [6.1.7600.16385] .. c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_3382083abb6e47d4\user32.dll
.
((((((((((((((((((((((((((((( SnapShot_2011-08-19_23.38.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-07-28 03:29 . 2011-08-24 15:28 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2011-07-28 03:29 . 2011-08-19 23:27 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2011-08-05 13:20 . 2011-08-19 23:27 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat
+ 2011-08-05 13:20 . 2011-08-24 14:59 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat
+ 2011-08-24 13:25 . 2011-08-24 14:59 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012011082420110825\index.dat
+ 2011-08-23 12:21 . 2011-08-23 13:19 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012011082320110824\index.dat
+ 2011-08-22 12:18 . 2011-08-22 20:19 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012011082220110823\index.dat
+ 2011-07-28 03:32 . 2011-08-24 15:28 81920 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
+ 2010-06-11 19:40 . 2011-08-25 01:48 54454 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-09-04 20:25 37030 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-06-11 19:36 . 2011-09-04 20:25 17516 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1146036068-726168831-3891721190-1001_UserData.bin
- 2011-08-02 01:13 . 2011-08-06 19:11 67584 c:\windows\system32\LogFiles\Srt\bootstat.dat
+ 2011-08-02 01:13 . 2011-08-30 11:24 67584 c:\windows\system32\LogFiles\Srt\bootstat.dat
+ 2010-06-11 22:22 . 2011-09-04 20:18 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-06-11 22:22 . 2011-08-19 23:02 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-06-11 22:22 . 2011-09-04 20:18 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-06-11 22:22 . 2011-08-19 23:02 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2011-09-04 20:18 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2011-08-19 23:02 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-06-11 19:36 . 2011-08-19 23:05 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-06-11 19:36 . 2011-09-04 20:20 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-06-11 19:36 . 2011-08-19 23:05 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-06-11 19:36 . 2011-09-04 20:20 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-06-11 19:36 . 2011-08-19 23:05 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-06-11 19:36 . 2011-09-04 20:20 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-06-11 19:36 . 2011-09-04 20:20 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-06-11 19:36 . 2011-08-19 23:03 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-06-11 19:36 . 2011-08-19 23:03 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-06-11 19:36 . 2011-09-04 20:20 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-08-23 00:05 . 2011-08-23 00:05 2402 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SS8SZRDA\spike[1].com
- 2011-08-19 23:02 . 2011-08-19 23:02 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-09-05 14:22 . 2011-09-05 14:22 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-08-19 23:02 . 2011-08-19 23:02 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-09-05 14:22 . 2011-09-05 14:22 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-08-28 12:47 . 2011-08-28 12:47 243360 c:\windows\SysWOW64\Macromed\Flash\FlashUtil10w_Plugin.exe
+ 2009-07-14 04:54 . 2011-08-24 15:40 802816 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-08-05 17:08 . 2011-08-22 13:49 247569 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Adobe\Acrobat\8.0\UserCache.bin
+ 2011-08-22 12:18 . 2011-08-22 12:05 196608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012011081520110822\index.dat
+ 2009-07-14 05:12 . 2011-09-04 20:18 245760 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-07-14 05:12 . 2011-08-19 23:02 245760 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2007-02-20 20:04 . 2011-08-28 12:47 6277280 c:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll
+ 2009-07-14 04:54 . 2011-08-24 15:40 5455872 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2011-08-24 15:40 3325952 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2011-08-19 23:03 3325952 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-08-22 15:27 . 2011-08-22 15:27 2570144 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Adobe\Updater5\Install\illustrator13-en_US\Illustrator1302-en_US.exe
+ 2009-07-14 02:36 . 2011-09-02 21:01 5081242 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-09-02 21:01 1610998 c:\windows\system32\perfc009.dat
- 2009-07-14 05:01 . 2011-08-19 23:01 1106412 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2011-09-05 14:20 1106412 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-08-22 15:26 . 2011-08-22 15:27 10935296 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Adobe\Updater5\Install\acrobat8pro-en_US\AcrobatUpd814_all_incr.msp
- 2009-07-14 02:34 . 2011-08-19 23:14 10223616 c:\windows\system32\SMI\Store\Machine\schema.dat
+ 2009-07-14 02:34 . 2011-09-04 21:32 10223616 c:\windows\system32\SMI\Store\Machine\schema.dat
+ 2011-08-07 03:22 . 2011-09-05 14:20 16746050 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1146036068-726168831-3891721190-1001-8192.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2011-07-15 04:46 195360 ----a-w- c:\program files (x86)\Yontoo Layers Runtime\YontooIEClient_2.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2010-11-07 2646128]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2007-12-13 1688872]
"SansaDispatch"="c:\users\Kevin\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe" [2010-09-13 79872]
"OfficeSyncProcess"="c:\program files (x86)\Microsoft Office\Office14\MSOSYNC.EXE" [2010-03-16 718208]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-08-12 5471104]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-05-27 98304]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"CloneCDTray"="c:\program files (x86)\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 57344]
"ATICustomerCare"="c:\program files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-03-04 311296]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"LWS"="c:\program files (x86)\Logitech\LWS\Webcam Software\LWS.exe" [2010-05-07 165208]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-06-07 421160]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
R1 twfxgsxd;twfxgsxd;c:\windows\system32\drivers\twfxgsxd.sys [x]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [2011-07-06 375176]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files (x86)\LogMeIn\x64\RaInfo.sys [2011-01-11 15928]
R2 LVPrcS64;Process Monitor;c:\program files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe [2010-05-07 197976]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files (x86)\Common Files\Realtime Soft\UltraMonMirrorDrv\x64\UltraMonUtility.sys [2008-11-14 20512]
R3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
R3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
R3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys [x]
R3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys [x]
R3 LVUVC64;Logitech HD Pro Webcam C910(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-03-25 30969208]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [2010-11-07 24176]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S3 CompFilter64;UVCCompositeFilter;c:\windows\system32\DRIVERS\lvbflt64.sys [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-06-16 17:38 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1146036068-726168831-3891721190-1001Core.job
- c:\users\Kevin\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-06 00:55]
.
2011-09-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1146036068-726168831-3891721190-1001UA.job
- c:\users\Kevin\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-06 00:55]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1446504]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-05-18 1609296]
"LogMeIn GUI"="c:\program files (x86)\LogMeIn\x64\LogMeInSystray.exe" [2011-01-11 57928]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.11.1
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1146036068-726168831-3891721190-1001\Software\SecuROM\License information*]
"datasecu"=hex:d2,51,cd,3c,d3,e7,54,58,47,b7,d2,56,90,6d,6e,b3,e2,0c,4e,c2,05,
66,c3,93,66,b1,c2,68,ce,1c,a0,40,5d,09,e5,9e,87,3f,39,b9,f3,cf,14,6d,3c,a7,\
"rkeysecu"=hex:48,5a,23,fb,4b,83,4f,c4,4d,a5,b1,86,8c,96,16,eb
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-09-05 10:38:35
ComboFix-quarantined-files.txt 2011-09-05 14:38
ComboFix2.txt 2011-08-19 23:41
ComboFix3.txt 2011-08-15 02:06
ComboFix4.txt 2011-08-13 18:07
ComboFix5.txt 2011-09-05 14:31
.
Pre-Run: 569,700,655,104 bytes free
Post-Run: 569,652,273,152 bytes free
.
- - End Of File - - 2D02DC63E89D1E1B20FCAE4295A83C75

Edited by drumr1829, 05 September 2011 - 12:18 PM.


#10 drumr1829 (Topic Starter, Members, 42 posts)

Posted 05 September 2011 - 12:11 PM

Here is the 'ComboFix-quarantined-files.txt' file

2011-08-19 23:40:04 . 2011-08-19 23:40:04 1,070 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-StartNow Toolbar.reg.dat
2011-08-19 23:40:04 . 2011-08-19 23:40:04 1,380 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Adobe Shockwave Player.reg.dat
2011-08-19 23:39:42 . 2011-08-19 23:39:42 85 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-HKU-Default-RunOnce-mE06700JjJjE06700.reg.dat
2011-08-19 23:39:41 . 2011-08-19 23:39:41 92 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-HKLM-Run-StartNowToolbarHelper.reg.dat
2011-08-19 23:39:41 . 2011-08-19 23:39:41 92 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-HKLM-Run-compmgm.reg.dat
2011-08-19 23:00:11 . 2011-08-19 23:00:12 264 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_Updater Service for StartNow Toolbar.reg.dat
2011-08-19 20:26:04 . 2011-08-19 20:34:07 208 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\mE06700JjJjE06700\mE06700JjJjE06700.vir
2011-08-18 23:47:37 . 2011-08-19 20:36:18 1,151 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\update.xml.vir
2011-08-18 23:47:37 . 2011-08-18 23:47:37 1,068 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\installer.xml.vir
2011-08-18 23:47:36 . 2011-08-18 23:47:36 245 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\uninstall.dat.vir
2011-08-13 18:06:30 . 2011-08-13 18:06:30 916 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-BHO-{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}.reg.dat
2011-08-06 19:49:54 . 2011-08-06 19:49:54 566 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-SolutoService.reg.dat
2011-08-06 19:49:46 . 2011-08-06 19:49:46 85 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-HKU-Default-RunOnce-R66v.reg.dat
2011-08-06 19:49:46 . 2011-08-06 19:49:46 85 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-HKU-Default-RunOnce-nL01602MlHpI01602.reg.dat
2011-08-06 19:49:06 . 2005-11-15 15:08:04 36 ----a-w- C:\Qoobox\Quarantine\J\autorun.inf.vir
2011-08-06 19:47:20 . 2011-09-05 14:36:04 10,743 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2011-08-06 18:23:41 . 2011-09-05 14:31:14 663 ----a-w- C:\Qoobox\Quarantine\catchme.log
2011-08-05 17:08:29 . 2011-08-05 17:16:42 208 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\nL01602MlHpI01602\nL01602MlHpI01602.vir
2011-08-05 11:42:32 . 2011-07-15 04:46:41 350,208 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll.vir
2011-08-05 11:42:32 . 2009-11-19 06:12:03 4,846 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico.vir
2011-08-05 11:42:32 . 2011-07-15 04:47:05 705,536 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll.vir
2011-08-05 11:42:31 . 2011-03-11 03:29:12 227,984 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe.vir
2011-07-28 00:23:21 . 2011-07-28 00:23:21 5,956 ----a-w- C:\Qoobox\Quarantine\C\Users\Kevin\AppData\Local\{E63BCF88-AF1F-44C5-ACB1-2D151F05AF1D}\chrome\content\overlay.xul.vir
2011-07-28 00:23:21 . 2011-07-28 00:23:21 764 ----a-w- C:\Qoobox\Quarantine\C\Users\Kevin\AppData\Local\{E63BCF88-AF1F-44C5-ACB1-2D151F05AF1D}\install.rdf.vir
2011-07-27 22:02:54 . 2011-08-05 11:42:39 97,496 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat.vir
2011-07-27 15:15:42 . 2011-07-27 15:15:42 502,272 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Toolbar32.dll.vir
2011-07-27 15:14:46 . 2011-07-27 15:14:46 5,682 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\toolbar.xml.vir
2011-07-27 11:06:44 . 2011-07-27 11:06:44 267,488 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe.vir
2011-07-27 10:36:30 . 2011-07-27 10:36:30 183,394 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\StartNowToolbarUninstall.exe.vir
2011-07-12 22:06:03 . 2011-07-19 22:46:02 134 ----a-w- C:\Qoobox\Quarantine\C\Users\Shannon\AppData\Roaming\Mozilla\Firefox\Profiles\brufzany.default\extensions\{7406622e-a947-4b11-903a-2b1e1732b7a2}\chrome.manifest.vir
2011-07-12 22:06:03 . 2011-07-19 22:46:02 1,672 ----a-w- C:\Qoobox\Quarantine\C\Users\Shannon\AppData\Roaming\Mozilla\Firefox\Profiles\brufzany.default\extensions\{7406622e-a947-4b11-903a-2b1e1732b7a2}\chrome\xulcache.jar.vir
2011-07-12 22:06:03 . 2011-07-19 22:46:02 771 ----a-w- C:\Qoobox\Quarantine\C\Users\Shannon\AppData\Roaming\Mozilla\Firefox\Profiles\brufzany.default\extensions\{7406622e-a947-4b11-903a-2b1e1732b7a2}\install.rdf.vir
2011-07-12 22:06:03 . 2011-07-19 22:46:02 256 ----a-w- C:\Qoobox\Quarantine\C\Users\Shannon\AppData\Roaming\Mozilla\Firefox\Profiles\brufzany.default\extensions\{7406622e-a947-4b11-903a-2b1e1732b7a2}\defaults\preferences\xulcache.js.vir
2011-07-12 22:06:03 . 2011-07-19 22:46:02 134 ----a-w- C:\Qoobox\Quarantine\C\Users\Kevin\AppData\Roaming\Mozilla\Firefox\Profiles\zpr7u1qm.default\extensions\{7406622e-a947-4b11-903a-2b1e1732b7a2}\chrome.manifest.vir
2011-07-12 22:06:03 . 2011-07-19 22:46:02 1,672 ----a-w- C:\Qoobox\Quarantine\C\Users\Kevin\AppData\Roaming\Mozilla\Firefox\Profiles\zpr7u1qm.default\extensions\{7406622e-a947-4b11-903a-2b1e1732b7a2}\chrome\xulcache.jar.vir
2011-07-12 22:06:03 . 2011-07-19 22:46:02 771 ----a-w- C:\Qoobox\Quarantine\C\Users\Kevin\AppData\Roaming\Mozilla\Firefox\Profiles\zpr7u1qm.default\extensions\{7406622e-a947-4b11-903a-2b1e1732b7a2}\install.rdf.vir
2011-07-12 22:06:03 . 2011-07-19 22:46:02 256 ----a-w- C:\Qoobox\Quarantine\C\Users\Kevin\AppData\Roaming\Mozilla\Firefox\Profiles\zpr7u1qm.default\extensions\{7406622e-a947-4b11-903a-2b1e1732b7a2}\defaults\preferences\xulcache.js.vir
2011-07-12 22:06:03 . 2011-07-19 22:46:02 134 ----a-w- C:\Qoobox\Quarantine\C\Users\Kevin\AppData\Roaming\Mozilla\Firefox\Profiles\bxpu5nj9.Kevin\extensions\{7406622e-a947-4b11-903a-2b1e1732b7a2}\chrome.manifest.vir
2011-07-12 22:06:03 . 2011-07-19 22:46:02 1,672 ----a-w- C:\Qoobox\Quarantine\C\Users\Kevin\AppData\Roaming\Mozilla\Firefox\Profiles\bxpu5nj9.Kevin\extensions\{7406622e-a947-4b11-903a-2b1e1732b7a2}\chrome\xulcache.jar.vir
2011-07-12 22:06:03 . 2011-07-19 22:46:02 256 ----a-w- C:\Qoobox\Quarantine\C\Users\Kevin\AppData\Roaming\Mozilla\Firefox\Profiles\bxpu5nj9.Kevin\extensions\{7406622e-a947-4b11-903a-2b1e1732b7a2}\defaults\preferences\xulcache.js.vir
2011-07-12 22:06:03 . 2011-07-19 22:46:02 771 ----a-w- C:\Qoobox\Quarantine\C\Users\Kevin\AppData\Roaming\Mozilla\Firefox\Profiles\bxpu5nj9.Kevin\extensions\{7406622e-a947-4b11-903a-2b1e1732b7a2}\install.rdf.vir
2011-06-09 12:28:18 . 2011-06-09 12:28:18 537 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\images\icon_amazon.png.vir
2011-06-09 12:28:18 . 2011-06-09 12:28:18 248 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\images\icon_ebay.png.vir
2011-06-09 12:28:18 . 2011-06-09 12:28:18 1,224 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\images\icon_facebook.png.vir
2011-06-09 12:28:18 . 2011-06-09 12:28:18 1,370 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\images\icon_games.png.vir
2011-06-09 12:28:18 . 2011-06-09 12:28:18 1,467 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\images\icon_msn.png.vir
2011-06-09 12:28:18 . 2011-06-09 12:28:18 1,280 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\images\icon_shopping.png.vir
2011-06-09 12:28:18 . 2011-06-09 12:28:18 1,262 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\images\icon_travel.png.vir
2011-06-09 12:28:18 . 2011-06-09 12:28:18 1,420 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\images\icon_twitter.png.vir
2011-06-09 12:28:18 . 2011-06-09 12:28:18 2,674 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\images\startnow_logo.png.vir
2011-06-09 12:28:18 . 2011-06-09 12:28:18 3,191 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\reactivate\window.js.vir
2011-06-09 12:28:16 . 2011-06-09 12:28:16 566 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\images\engine_images.png.vir
2011-06-09 12:28:16 . 2011-06-09 12:28:16 804 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\images\engine_maps.png.vir
2011-06-09 12:28:16 . 2011-06-09 12:28:16 374 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\images\engine_news.png.vir
2011-06-09 12:28:16 . 2011-06-09 12:28:16 688 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\images\engine_videos.png.vir
2011-06-09 12:28:16 . 2011-06-09 12:28:16 845 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\images\engine_web.png.vir
2011-04-07 07:19:30 . 2011-04-07 07:19:30 1,582 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\reactivate\index.html.vir
2011-04-07 07:19:30 . 2011-04-07 07:19:30 16,534 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\reactivate\LeftImage.png.vir
2011-04-07 07:19:30 . 2011-04-07 07:19:30 269 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\reactivate\NotIE6.css.vir
2011-04-07 07:19:30 . 2011-04-07 07:19:30 300 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\reactivate\OnlyIE6.css.vir
2011-04-07 07:19:30 . 2011-04-07 07:19:30 1,009 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\reactivate\window.css.vir
2011-04-07 07:19:30 . 2011-04-07 07:19:30 497 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\skin\chevron_button.png.vir
2011-04-07 07:19:30 . 2011-04-07 07:19:30 2,023 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\skin\searchbox_button_hover.png.vir
2011-04-07 07:19:30 . 2011-04-07 07:19:30 4,653 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\skin\searchbox_button_normal.png.vir
2011-04-07 07:19:30 . 2011-04-07 07:19:30 2,885 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\skin\searchbox_dropdown_button_normal.png.vir
2011-04-07 07:19:30 . 2011-04-07 07:19:30 168 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\skin\searchbox_input_background.png.vir
2011-04-07 07:19:30 . 2011-04-07 07:19:30 177 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\skin\searchbox_input_left.png.vir
2011-04-07 07:19:30 . 2011-04-07 07:19:30 158 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\skin\searchbox_input_middle.png.vir
2011-04-07 07:19:30 . 2011-04-07 07:19:30 270 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\skin\separator.png.vir
2011-04-07 07:19:30 . 2011-04-07 07:19:30 339 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\skin\splitter.png.vir
2011-04-07 07:19:30 . 2011-04-07 07:19:30 206 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ff_hover_c.png.vir
2011-04-07 07:19:30 . 2011-04-07 07:19:30 2,829 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_c.png.vir
2011-04-07 07:19:30 . 2011-04-07 07:19:30 2,838 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_l.png.vir
2011-04-07 07:19:30 . 2011-04-07 07:19:30 2,863 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_r.png.vir
2011-04-07 07:19:30 . 2011-04-07 07:19:30 2,828 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_c.png.vir
2011-04-07 07:19:30 . 2011-04-07 07:19:30 2,842 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_l.png.vir
2011-04-07 07:19:30 . 2011-04-07 07:19:30 2,880 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_r.png.vir
2011-04-07 07:19:28 . 2011-04-07 07:19:28 1,606 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\protect\index.html.vir
2011-04-07 07:19:28 . 2011-04-07 07:19:28 278 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\protect\NotIE6.css.vir
2011-04-07 07:19:28 . 2011-04-07 07:19:28 309 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\protect\OnlyIE6.css.vir
2011-04-07 07:19:28 . 2011-04-07 07:19:28 4,503 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\protect\SearchProtectIcon.png.vir
2011-04-07 07:19:28 . 2011-04-07 07:19:28 1,009 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\protect\window.css.vir
2011-04-07 07:19:28 . 2011-04-07 07:19:28 3,344 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\protect\window.js.vir
2010-11-19 01:16:22 . 2010-11-19 01:16:23 72,080 ----a-w- C:\Qoobox\Quarantine\C\Users\Kevin\g2mdlhlpx.exe.vir
2010-03-18 14:15:26 . 2010-03-18 14:15:26 64,336 ----a-w- C:\Qoobox\Quarantine\C\Windows\SysWOW64\mfc100deu.dll.vir

#11 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 05 September 2011 - 06:44 PM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Folder::
c:\program files (x86)\Yontoo Layers Runtime\

Driver::
twfxgsxd


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#12 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 07 September 2011 - 11:39 PM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • Do you still need help with this?
  • Do you need more time?
  • Are you having problems following my instructions?
  • If after 48 hrs you have not replied to this thread then it will have to be closed!

Gringo

#13 drumr1829

  • Topic Starter
  • Members
  • 42 posts

Posted 08 September 2011 - 11:13 AM

Hi Gringo,

Here are the ComboFix logs:


ComboFix 11-09-08.03 - Kevin 09/08/2011 11:45:58.5.4 - x64 NETWORK
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.4087.3384 [GMT -4:00]
Running from: c:\users\Kevin\Desktop\ComboFix.exe
Command switches used :: c:\users\Kevin\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Enabled/Updated* {BF5CEBDC-F2D3-7540-343C-F0CE11FD6E66}
SP: Microsoft Security Essentials *Enabled/Updated* {043D0A38-D4E9-7ACE-0E8C-CBBC6A7A24DB}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\Yontoo Layers Runtime
c:\program files (x86)\Yontoo Layers Runtime\YontooIEClient.dll
c:\program files (x86)\Yontoo Layers Runtime\YontooIEClient_2.dll
c:\users\Kevin\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_twfxgsxd
.
.
((((((((((((((((((((((((( Files Created from 2011-08-08 to 2011-09-08 )))))))))))))))))))))))))))))))
.
.
2011-09-08 15:51 . 2011-09-08 15:51 -------- d-----w- c:\users\Shannon\AppData\Local\temp
2011-09-08 15:51 . 2011-09-08 15:51 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-09-08 15:51 . 2011-09-08 15:51 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-09-08 14:51 . 2011-08-12 04:10 8862544 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3F261FD0-9734-411B-978A-2079561007D3}\mpengine.dll
2011-08-24 21:58 . 2011-07-08 11:55 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-24 15:36 . 2011-08-24 15:36 -------- d-----w- c:\users\Shannon\AppData\Roaming\SUPERAntiSpyware.com
2011-08-24 15:33 . 2011-08-24 15:33 -------- d-----w- c:\users\Shannon\AppData\Roaming\Malwarebytes
2011-08-18 19:09 . 2011-08-18 19:10 -------- d-----w- c:\windows\SysWow64\Adobe
2011-08-15 23:12 . 2011-08-15 23:12 -------- d-----w- c:\users\Kevin\AppData\Roaming\Moonchild Productions
2011-08-15 23:12 . 2011-08-15 23:12 -------- d-----w- c:\users\Kevin\AppData\Local\Moonchild Productions
2011-08-15 23:12 . 2011-08-15 23:12 -------- d-----w- c:\program files (x86)\Pale Moon
2011-08-15 16:04 . 2011-08-15 16:04 -------- d-----w- c:\users\Kevin\AppData\Roaming\SUPERAntiSpyware.com
2011-08-15 16:04 . 2011-08-15 16:04 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-08-15 16:04 . 2011-08-15 16:04 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-28 12:47 . 2011-05-30 16:55 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-08-12 04:10 . 2010-06-17 21:22 8862544 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-07-08 11:55 . 2011-08-02 03:05 41272 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-07-06 20:33 . 2011-07-01 02:20 87456 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-07-06 20:33 . 2011-07-01 02:20 33152 ----a-w- c:\windows\system32\LMIport.dll
2011-07-06 20:33 . 2011-07-01 02:20 80768 ----a-w- c:\windows\system32\LMIinit.dll
2011-07-01 02:22 . 2011-07-01 02:22 98816 ----a-w- c:\windows\system32\wudriver.dll
2011-07-01 02:22 . 2011-07-01 02:22 700640 ----a-w- c:\windows\system32\wuapi.dll
2011-07-01 02:22 . 2011-07-01 02:22 38112 ----a-w- c:\windows\system32\wups.dll
2011-07-01 02:22 . 2011-07-01 02:22 36864 ----a-w- c:\windows\system32\wuapp.exe
2011-07-01 02:22 . 2011-07-01 02:22 185416 ----a-w- c:\windows\system32\wuwebv.dll
2011-07-01 02:22 . 2011-07-01 02:22 57560 ----a-w- c:\windows\system32\wuauclt.exe
2011-07-01 02:22 . 2011-07-01 02:22 43744 ----a-w- c:\windows\system32\wups2.dll
2011-07-01 02:22 . 2011-07-01 02:22 2621440 ----a-w- c:\windows\system32\wucltux.dll
2011-07-01 02:22 . 2011-07-01 02:22 2424024 ----a-w- c:\windows\system32\wuaueng.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2009-07-14 . 72D7B3EA16946E8F0CF7458150031CC6 . 1008640 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_292d5de8870d85d9\user32.dll
[-] 2010-07-13 . 2C353B6CE0C8D03225CAA2AF33B68D79 . 1008640 . . [6.1.7600.16385] .. c:\windows\system32\user32.dll
.
[-] 2010-07-13 . 861C4346F9281DC0380DE72C8D55D6BE . 833024 . . [6.1.7600.16385] .. c:\windows\SysWOW64\user32.dll
[7] 2009-07-14 . E8B0FFC209E504CB7E79FC24E6C085F0 . 833024 . . [6.1.7600.16385] .. c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_3382083abb6e47d4\user32.dll
.
((((((((((((((((((((((((((((( SnapShot_2011-09-05_14.37.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-11 19:40 . 2011-09-05 14:48 54462 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-09-08 15:55 38350 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-06-11 22:22 . 2011-09-08 15:52 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-06-11 22:22 . 2011-09-04 20:18 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-06-11 22:22 . 2011-09-08 15:52 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-06-11 22:22 . 2011-09-04 20:18 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2011-09-08 15:52 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2011-09-04 20:18 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-06-11 19:36 . 2011-09-04 20:20 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-06-11 19:36 . 2011-09-08 15:53 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-06-11 19:36 . 2011-09-08 15:53 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-06-11 19:36 . 2011-09-04 20:20 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-06-11 19:36 . 2011-09-08 15:53 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-06-11 19:36 . 2011-09-04 20:20 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-06-11 19:36 . 2011-09-04 20:20 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-06-11 19:36 . 2011-09-08 15:53 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-06-11 19:36 . 2011-09-04 20:20 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-06-11 19:36 . 2011-09-08 15:53 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-09-05 14:22 . 2011-09-05 14:22 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-09-08 15:52 . 2011-09-08 15:52 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-09-05 14:22 . 2011-09-05 14:22 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-09-08 15:52 . 2011-09-08 15:52 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 05:12 . 2011-09-04 20:18 245760 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-07-14 05:12 . 2011-09-08 15:52 245760 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-07-14 02:36 . 2011-09-08 03:02 5130770 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-09-08 03:02 1627742 c:\windows\system32\perfc009.dat
- 2009-07-14 05:01 . 2011-09-05 14:20 1106412 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2011-09-08 15:38 1106412 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 02:34 . 2011-09-04 21:32 10223616 c:\windows\system32\SMI\Store\Machine\schema.dat
+ 2009-07-14 02:34 . 2011-09-08 04:11 10223616 c:\windows\system32\SMI\Store\Machine\schema.dat
+ 2011-08-07 03:22 . 2011-09-08 15:38 17410866 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1146036068-726168831-3891721190-1001-8192.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
c:\program files (x86)\Yontoo Layers Runtime\YontooIEClient_2.dll [BU]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2010-11-07 2646128]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2007-12-13 1688872]
"OfficeSyncProcess"="c:\program files (x86)\Microsoft Office\Office14\MSOSYNC.EXE" [2010-03-16 718208]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-08-12 5471104]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-05-27 98304]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"CloneCDTray"="c:\program files (x86)\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 57344]
"ATICustomerCare"="c:\program files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-03-04 311296]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"LWS"="c:\program files (x86)\Logitech\LWS\Webcam Software\LWS.exe" [2010-05-07 165208]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-06-07 421160]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-03-25 30969208]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [2010-11-07 24176]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [2011-07-06 375176]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files (x86)\LogMeIn\x64\RaInfo.sys [2011-01-11 15928]
S2 LVPrcS64;Process Monitor;c:\program files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe [2010-05-07 197976]
S2 UltraMonUtility;UltraMon Utility Driver;c:\program files (x86)\Common Files\Realtime Soft\UltraMonMirrorDrv\x64\UltraMonUtility.sys [2008-11-14 20512]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
S3 CompFilter64;UVCCompositeFilter;c:\windows\system32\DRIVERS\lvbflt64.sys [x]
S3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys [x]
S3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys [x]
S3 LVUVC64;Logitech HD Pro Webcam C910(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys [x]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-06-16 17:38 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1146036068-726168831-3891721190-1001Core.job
- c:\users\Kevin\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-06 00:55]
.
2011-09-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1146036068-726168831-3891721190-1001UA.job
- c:\users\Kevin\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-06 00:55]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1446504]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-05-18 1609296]
"LogMeIn GUI"="c:\program files (x86)\LogMeIn\x64\LogMeInSystray.exe" [2011-01-11 57928]
"combofix"="c:\combofix\CF6721.3XE" [2009-07-14 344576]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.11.1
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-SansaDispatch - c:\users\Kevin\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1146036068-726168831-3891721190-1001\Software\SecuROM\License information*]
"datasecu"=hex:d2,51,cd,3c,d3,e7,54,58,47,b7,d2,56,90,6d,6e,b3,e2,0c,4e,c2,05,
66,c3,93,66,b1,c2,68,ce,1c,a0,40,5d,09,e5,9e,87,3f,39,b9,f3,cf,14,6d,3c,a7,\
"rkeysecu"=hex:48,5a,23,fb,4b,83,4f,c4,4d,a5,b1,86,8c,96,16,eb
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\Common Files\Logishrd\LVMVFM\LVPrS64H.exe
c:\program files (x86)\Common Files\Nero\Lib\NMIndexingService.exe
c:\program files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2011-09-08 11:58:25 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-08 15:58
ComboFix2.txt 2011-09-05 14:38
ComboFix3.txt 2011-08-19 23:41
ComboFix4.txt 2011-08-15 02:06
ComboFix5.txt 2011-09-08 15:45
.
Pre-Run: 561,289,474,048 bytes free
Post-Run: 561,783,197,696 bytes free
.
- - End Of File - - 31E329C6D7A0AE7ED275BEBA9EFE7AA3

Here is the "ComboFix-quarantined-files.txt" log:


2011-09-08 15:57:24 . 2011-09-08 15:57:25 176 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-HKCU-Run-SansaDispatch.reg.dat
2011-09-08 15:50:18 . 2011-09-08 15:50:18 1,164 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_twfxgsxd.reg.dat
2011-09-08 15:45:41 . 2011-09-08 15:45:41 0 ----a-w- C:\Qoobox\Quarantine\catchme.txt
2011-08-19 23:40:04 . 2011-08-19 23:40:04 1,070 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-StartNow Toolbar.reg.dat
2011-08-19 23:40:04 . 2011-08-19 23:40:04 1,380 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Adobe Shockwave Player.reg.dat
2011-08-19 23:39:42 . 2011-08-19 23:39:42 85 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-HKU-Default-RunOnce-mE06700JjJjE06700.reg.dat
2011-08-19 23:39:41 . 2011-08-19 23:39:41 92 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-HKLM-Run-StartNowToolbarHelper.reg.dat
2011-08-19 23:39:41 . 2011-08-19 23:39:41 92 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-HKLM-Run-compmgm.reg.dat
2011-08-19 23:00:11 . 2011-08-19 23:00:12 264 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_Updater Service for StartNow Toolbar.reg.dat
2011-08-19 20:26:04 . 2011-08-19 20:34:07 208 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\mE06700JjJjE06700\mE06700JjJjE06700.vir
2011-08-18 23:47:37 . 2011-08-19 20:36:18 1,151 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\update.xml.vir
2011-08-18 23:47:37 . 2011-08-18 23:47:37 1,068 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\installer.xml.vir
2011-08-18 23:47:36 . 2011-08-18 23:47:36 245 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\uninstall.dat.vir
2011-08-13 18:06:30 . 2011-08-13 18:06:30 916 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-BHO-{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}.reg.dat
2011-08-06 19:49:54 . 2011-08-06 19:49:54 566 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-SolutoService.reg.dat
2011-08-06 19:49:46 . 2011-08-06 19:49:46 85 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-HKU-Default-RunOnce-R66v.reg.dat
2011-08-06 19:49:46 . 2011-08-06 19:49:46 85 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-HKU-Default-RunOnce-nL01602MlHpI01602.reg.dat
2011-08-06 19:49:06 . 2005-11-15 15:08:04 36 ----a-w- C:\Qoobox\Quarantine\J\autorun.inf.vir
2011-08-06 19:47:20 . 2011-09-08 15:50:10 10,743 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2011-08-06 18:23:41 . 2011-09-08 15:45:13 765 ----a-w- C:\Qoobox\Quarantine\catchme.log
2011-08-05 17:08:29 . 2011-08-05 17:16:42 208 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\nL01602MlHpI01602\nL01602MlHpI01602.vir
2011-08-05 11:42:33 . 2011-07-15 04:46:37 195,360 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\Yontoo Layers Runtime\YontooIEClient_2.dll.vir
2011-08-05 11:42:32 . 2011-07-15 04:46:37 195,360 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\Yontoo Layers Runtime\YontooIEClient.dll.vir
2011-08-05 11:42:32 . 2011-07-15 04:46:41 350,208 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll.vir
2011-08-05 11:42:32 . 2009-11-19 06:12:03 4,846 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico.vir
2011-08-05 11:42:32 . 2011-07-15 04:47:05 705,536 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll.vir
2011-08-05 11:42:31 . 2011-03-11 03:29:12 227,984 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe.vir
2011-07-28 00:23:21 . 2011-07-28 00:23:21 5,956 ----a-w- C:\Qoobox\Quarantine\C\Users\Kevin\AppData\Local\{E63BCF88-AF1F-44C5-ACB1-2D151F05AF1D}\chrome\content\overlay.xul.vir
2011-07-28 00:23:21 . 2011-07-28 00:23:21 764 ----a-w- C:\Qoobox\Quarantine\C\Users\Kevin\AppData\Local\{E63BCF88-AF1F-44C5-ACB1-2D151F05AF1D}\install.rdf.vir
2011-07-27 22:02:54 . 2011-08-05 11:42:39 97,496 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat.vir
2011-07-27 15:15:42 . 2011-07-27 15:15:42 502,272 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Toolbar32.dll.vir
2011-07-27 15:14:46 . 2011-07-27 15:14:46 5,682 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\toolbar.xml.vir
2011-07-27 11:06:44 . 2011-07-27 11:06:44 267,488 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe.vir
2011-07-27 10:36:30 . 2011-07-27 10:36:30 183,394 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\StartNowToolbarUninstall.exe.vir
2011-07-12 22:06:03 . 2011-07-19 22:46:02 134 ----a-w- C:\Qoobox\Quarantine\C\Users\Shannon\AppData\Roaming\Mozilla\Firefox\Profiles\brufzany.default\extensions\{7406622e-a947-4b11-903a-2b1e1732b7a2}\chrome.manifest.vir
2011-07-12 22:06:03 . 2011-07-19 22:46:02 1,672 ----a-w- C:\Qoobox\Quarantine\C\Users\Shannon\AppData\Roaming\Mozilla\Firefox\Profiles\brufzany.default\extensions\{7406622e-a947-4b11-903a-2b1e1732b7a2}\chrome\xulcache.jar.vir
2011-07-12 22:06:03 . 2011-07-19 22:46:02 771 ----a-w- C:\Qoobox\Quarantine\C\Users\Shannon\AppData\Roaming\Mozilla\Firefox\Profiles\brufzany.default\extensions\{7406622e-a947-4b11-903a-2b1e1732b7a2}\install.rdf.vir
2011-07-12 22:06:03 . 2011-07-19 22:46:02 256 ----a-w- C:\Qoobox\Quarantine\C\Users\Shannon\AppData\Roaming\Mozilla\Firefox\Profiles\brufzany.default\extensions\{7406622e-a947-4b11-903a-2b1e1732b7a2}\defaults\preferences\xulcache.js.vir
2011-07-12 22:06:03 . 2011-07-19 22:46:02 134 ----a-w- C:\Qoobox\Quarantine\C\Users\Kevin\AppData\Roaming\Mozilla\Firefox\Profiles\zpr7u1qm.default\extensions\{7406622e-a947-4b11-903a-2b1e1732b7a2}\chrome.manifest.vir
2011-07-12 22:06:03 . 2011-07-19 22:46:02 1,672 ----a-w- C:\Qoobox\Quarantine\C\Users\Kevin\AppData\Roaming\Mozilla\Firefox\Profiles\zpr7u1qm.default\extensions\{7406622e-a947-4b11-903a-2b1e1732b7a2}\chrome\xulcache.jar.vir
2011-07-12 22:06:03 . 2011-07-19 22:46:02 771 ----a-w- C:\Qoobox\Quarantine\C\Users\Kevin\AppData\Roaming\Mozilla\Firefox\Profiles\zpr7u1qm.default\extensions\{7406622e-a947-4b11-903a-2b1e1732b7a2}\install.rdf.vir
2011-07-12 22:06:03 . 2011-07-19 22:46:02 256 ----a-w- C:\Qoobox\Quarantine\C\Users\Kevin\AppData\Roaming\Mozilla\Firefox\Profiles\zpr7u1qm.default\extensions\{7406622e-a947-4b11-903a-2b1e1732b7a2}\defaults\preferences\xulcache.js.vir
2011-07-12 22:06:03 . 2011-07-19 22:46:02 134 ----a-w- C:\Qoobox\Quarantine\C\Users\Kevin\AppData\Roaming\Mozilla\Firefox\Profiles\bxpu5nj9.Kevin\extensions\{7406622e-a947-4b11-903a-2b1e1732b7a2}\chrome.manifest.vir
2011-07-12 22:06:03 . 2011-07-19 22:46:02 1,672 ----a-w- C:\Qoobox\Quarantine\C\Users\Kevin\AppData\Roaming\Mozilla\Firefox\Profiles\bxpu5nj9.Kevin\extensions\{7406622e-a947-4b11-903a-2b1e1732b7a2}\chrome\xulcache.jar.vir
2011-07-12 22:06:03 . 2011-07-19 22:46:02 256 ----a-w- C:\Qoobox\Quarantine\C\Users\Kevin\AppData\Roaming\Mozilla\Firefox\Profiles\bxpu5nj9.Kevin\extensions\{7406622e-a947-4b11-903a-2b1e1732b7a2}\defaults\preferences\xulcache.js.vir
2011-07-12 22:06:03 . 2011-07-19 22:46:02 771 ----a-w- C:\Qoobox\Quarantine\C\Users\Kevin\AppData\Roaming\Mozilla\Firefox\Profiles\bxpu5nj9.Kevin\extensions\{7406622e-a947-4b11-903a-2b1e1732b7a2}\install.rdf.vir
2011-06-09 12:28:18 . 2011-06-09 12:28:18 537 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\images\icon_amazon.png.vir
2011-06-09 12:28:18 . 2011-06-09 12:28:18 248 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\images\icon_ebay.png.vir
2011-06-09 12:28:18 . 2011-06-09 12:28:18 1,224 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\images\icon_facebook.png.vir
2011-06-09 12:28:18 . 2011-06-09 12:28:18 1,370 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\images\icon_games.png.vir
2011-06-09 12:28:18 . 2011-06-09 12:28:18 1,467 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\images\icon_msn.png.vir
2011-06-09 12:28:18 . 2011-06-09 12:28:18 1,280 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\images\icon_shopping.png.vir
2011-06-09 12:28:18 . 2011-06-09 12:28:18 1,262 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\images\icon_travel.png.vir
2011-06-09 12:28:18 . 2011-06-09 12:28:18 1,420 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\images\icon_twitter.png.vir
2011-06-09 12:28:18 . 2011-06-09 12:28:18 2,674 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\images\startnow_logo.png.vir
2011-06-09 12:28:18 . 2011-06-09 12:28:18 3,191 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\reactivate\window.js.vir
2011-06-09 12:28:16 . 2011-06-09 12:28:16 566 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\images\engine_images.png.vir
2011-06-09 12:28:16 . 2011-06-09 12:28:16 804 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\images\engine_maps.png.vir
2011-06-09 12:28:16 . 2011-06-09 12:28:16 374 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\images\engine_news.png.vir
2011-06-09 12:28:16 . 2011-06-09 12:28:16 688 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\images\engine_videos.png.vir
2011-06-09 12:28:16 . 2011-06-09 12:28:16 845 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\images\engine_web.png.vir
2011-04-07 07:19:30 . 2011-04-07 07:19:30 1,582 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\reactivate\index.html.vir
2011-04-07 07:19:30 . 2011-04-07 07:19:30 16,534 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\reactivate\LeftImage.png.vir
2011-04-07 07:19:30 . 2011-04-07 07:19:30 269 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\reactivate\NotIE6.css.vir
2011-04-07 07:19:30 . 2011-04-07 07:19:30 300 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\reactivate\OnlyIE6.css.vir
2011-04-07 07:19:30 . 2011-04-07 07:19:30 1,009 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\reactivate\window.css.vir
2011-04-07 07:19:30 . 2011-04-07 07:19:30 497 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\skin\chevron_button.png.vir
2011-04-07 07:19:30 . 2011-04-07 07:19:30 2,023 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\skin\searchbox_button_hover.png.vir
2011-04-07 07:19:30 . 2011-04-07 07:19:30 4,653 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\skin\searchbox_button_normal.png.vir
2011-04-07 07:19:30 . 2011-04-07 07:19:30 2,885 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\skin\searchbox_dropdown_button_normal.png.vir
2011-04-07 07:19:30 . 2011-04-07 07:19:30 168 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\skin\searchbox_input_background.png.vir
2011-04-07 07:19:30 . 2011-04-07 07:19:30 177 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\skin\searchbox_input_left.png.vir
2011-04-07 07:19:30 . 2011-04-07 07:19:30 158 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\skin\searchbox_input_middle.png.vir
2011-04-07 07:19:30 . 2011-04-07 07:19:30 270 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\skin\separator.png.vir
2011-04-07 07:19:30 . 2011-04-07 07:19:30 339 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\skin\splitter.png.vir
2011-04-07 07:19:30 . 2011-04-07 07:19:30 206 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ff_hover_c.png.vir
2011-04-07 07:19:30 . 2011-04-07 07:19:30 2,829 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_c.png.vir
2011-04-07 07:19:30 . 2011-04-07 07:19:30 2,838 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_l.png.vir
2011-04-07 07:19:30 . 2011-04-07 07:19:30 2,863 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_r.png.vir
2011-04-07 07:19:30 . 2011-04-07 07:19:30 2,828 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_c.png.vir
2011-04-07 07:19:30 . 2011-04-07 07:19:30 2,842 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_l.png.vir
2011-04-07 07:19:30 . 2011-04-07 07:19:30 2,880 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_r.png.vir
2011-04-07 07:19:28 . 2011-04-07 07:19:28 1,606 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\protect\index.html.vir
2011-04-07 07:19:28 . 2011-04-07 07:19:28 278 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\protect\NotIE6.css.vir
2011-04-07 07:19:28 . 2011-04-07 07:19:28 309 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\protect\OnlyIE6.css.vir
2011-04-07 07:19:28 . 2011-04-07 07:19:28 4,503 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\protect\SearchProtectIcon.png.vir
2011-04-07 07:19:28 . 2011-04-07 07:19:28 1,009 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\protect\window.css.vir
2011-04-07 07:19:28 . 2011-04-07 07:19:28 3,344 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\protect\window.js.vir
2010-11-19 01:16:22 . 2010-11-19 01:16:23 72,080 ----a-w- C:\Qoobox\Quarantine\C\Users\Kevin\g2mdlhlpx.exe.vir
2010-09-13 22:38:14 . 2010-09-13 22:38:14 79,872 ----a-w- C:\Qoobox\Quarantine\C\Users\Kevin\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe.vir
2010-03-18 14:15:26 . 2010-03-18 14:15:26 64,336 ----a-w- C:\Qoobox\Quarantine\C\Windows\SysWOW64\mfc100deu.dll.vir
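The listing above is raw ComboFix quarantine output, which is tedious to read by eye once it runs to dozens of lines. As an added example (not part of this thread and not ComboFix's own code), the Python script below parses lines of that shape, recovers each file's original location by stripping the `C:\Qoobox\Quarantine\<drive>\` prefix and the `.vir` suffix, and groups the files by the component they belonged to: a toolbar directory under Program Files, a Firefox profile extension, a GUID-named AppData folder, or a system directory. That grouping is the view a responder wants when deciding what else to check (for example, whether every Firefox profile still carries the same extension ID). The sample lines embedded in the script are copied from the listing above; the grouping rules are this example's own assumptions about how such paths are laid out, not anything ComboFix documents.

```python
r"""Triage helper for a ComboFix quarantine listing.

Added example; not part of the original thread and not ComboFix's own code.
ComboFix moves each file it removes into C:\Qoobox\Quarantine, mirrors the
original directory tree under a single-letter drive folder and appends
".vir", so each listing line has the form

    <mtime> . <ctime> <size> <attrs> C:\Qoobox\Quarantine\<drive>\<original path>.vir

and the original location is recoverable by stripping the prefix and suffix.
"""
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the listing above.
SAMPLE_LOG = r"""
2011-07-27 15:15:42 . 2011-07-27 15:15:42 502,272 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Toolbar32.dll.vir
2011-07-27 11:06:44 . 2011-07-27 11:06:44 267,488 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe.vir
2011-08-05 11:42:31 . 2011-03-11 03:29:12 227,984 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe.vir
2011-07-28 00:23:21 . 2011-07-28 00:23:21 764 ----a-w- C:\Qoobox\Quarantine\C\Users\Kevin\AppData\Local\{E63BCF88-AF1F-44C5-ACB1-2D151F05AF1D}\install.rdf.vir
2011-07-12 22:06:03 . 2011-07-19 22:46:02 771 ----a-w- C:\Qoobox\Quarantine\C\Users\Kevin\AppData\Roaming\Mozilla\Firefox\Profiles\zpr7u1qm.default\extensions\{7406622e-a947-4b11-903a-2b1e1732b7a2}\install.rdf.vir
2011-07-12 22:06:03 . 2011-07-19 22:46:02 1,672 ----a-w- C:\Qoobox\Quarantine\C\Users\Kevin\AppData\Roaming\Mozilla\Firefox\Profiles\zpr7u1qm.default\extensions\{7406622e-a947-4b11-903a-2b1e1732b7a2}\chrome\xulcache.jar.vir
2010-03-18 14:15:26 . 2010-03-18 14:15:26 64,336 ----a-w- C:\Qoobox\Quarantine\C\Windows\SysWOW64\mfc100deu.dll.vir
"""

# One listing line: mtime " . " ctime size attrs path
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+\.\s+"
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+([\d,]+)\s+(\S+)\s+(.+)$"
)
# Quarantine path -> (drive letter, path below the drive root without .vir)
QUAR_RE = re.compile(r"^[a-z]:\\Qoobox\\Quarantine\\([a-z])\\(.+?)(?:\.vir)?$", re.I)
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
# Users\<user>\AppData\Roaming\Mozilla\Firefox\Profiles\<profile>\extensions\<id>\...
FF_EXT_RE = re.compile(
    r"^Users\\([^\\]+)\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\([^\\]+)"
    r"\\extensions\\([^\\]+)\\", re.I)


def parse_line(line):
    """Parse one listing line; return a dict, or None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    mtime, ctime, size, attrs, qpath = m.groups()
    q = QUAR_RE.match(qpath)
    if not q:
        return None  # some other file listing, not a quarantine entry
    drive, rel = q.groups()
    return {
        "mtime": mtime,
        "ctime": ctime,
        "size": int(size.replace(",", "")),
        "attrs": attrs,
        "quarantined": qpath,
        "relative": rel,  # path below the drive root
        "original": f"{drive.upper()}:\\{rel}",
    }


def component(rel):
    """Name the thing a file belonged to, from its path below the drive root.

    The depth rules are this example's assumption about typical layouts.
    """
    m = FF_EXT_RE.match(rel)
    if m:
        user, profile, ext_id = m.groups()
        return f"Firefox extension {ext_id} (user {user}, profile {profile})"
    parts = rel.split("\\")
    head = parts[0].lower()
    if head == "users" and len(parts) > 4 and parts[2].lower() == "appdata":
        depth = 5  # Users\<u>\AppData\<Local|Roaming>\<dir>
    else:
        depth = 2  # Program Files (x86)\<app>, ProgramData\<app>, Windows\<dir>
    depth = min(depth, max(1, len(parts) - 1))  # never include the file name
    return "\\".join(parts[:depth])


def summarize(text):
    """Group parsed entries by component; returns {component: stats}."""
    groups = defaultdict(lambda: {"files": 0, "bytes": 0, "guid_dir": False, "paths": []})
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        g = groups[component(entry["relative"])]
        g["files"] += 1
        g["bytes"] += entry["size"]
        g["paths"].append(entry["original"])
        # A GUID-named directory anywhere in the path is worth a second look:
        # browser add-ons and droppers commonly hide behind one.
        if any(GUID_RE.match(p) for p in entry["relative"].split("\\")[:-1]):
            g["guid_dir"] = True
    return dict(groups)


if __name__ == "__main__":
    for name, g in sorted(summarize(SAMPLE_LOG).items()):
        flag = "  [GUID-named dir]" if g["guid_dir"] else ""
        print(f"{g['files']:3d} file(s) {g['bytes']:>9,d} bytes  {name}{flag}")
```

Run it against a full ComboFix log by reading the file and passing its text to `summarize()`; lines that are not quarantine entries (headers, the "Files Infected" style summaries of other tools) are skipped. The grouping is deliberately coarse: it tells you which applications, profiles and GUID folders were touched so that you can check the remaining profiles and the registry for the same identifiers by hand.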

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 08 September 2011 - 12:34 PM

Your Java is out of date.

It can be updated by the Java control panel
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
  • An update should begin;
  • follow the prompts

Clear your Java Cache

  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

If you have problems running Hijackthis.

Sometimes we have to run it as an administrator. To run HijackThis as an administrator, right-click HijackThis.exe (located at C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe) and select Run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#15 drumr1829

drumr1829
  • Topic Starter

  • Members
  • 42 posts

Posted 09 September 2011 - 07:35 PM

Hi Gringo,

I was able to update the Java version, clear the Java cache and run TFC without issue. Here is the MBAM log from the quick scan as requested.

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7686

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

9/9/2011 8:17:32 PM
mbam-log-2011-09-09 (20-17-32).txt

Scan type: Quick scan
Objects scanned: 196154
Time elapsed: 2 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



