Infected With a Variant of Win32/Kryptik.TKY and Firefox redirects


  • This topic is locked
22 replies to this topic

#1 MLynne

  • Members
  • 11 posts

Posted 20 October 2011 - 05:48 AM

Please see my original post and steps followed here: http://www.bleepingcomputer.com/forums/topic424159.html

Basically, whatever has infected my computer is causing my Windows Firewall to be turned off and my browser (Firefox) to be redirected.

DDS Log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_26
Run by MLynne at 6:35:23 on 2011-10-20
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\8.0.1\ToolbarUpdater.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Users\MLynne\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\Thunderbird-Tray\TBTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\RunDll32.exe
C:\Users\MLynne\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~1\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
uRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
uRun: [googletalk] c:\users\MLynne\appdata\roaming\google\google talk\googletalk.exe /autostart
uRun: [Google Update] "c:\users\MLynne\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [AdobeBridge]
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DNS7reminder] "c:\program files\nuance\naturallyspeaking10\ereg\ereg.exe" -r "c:\programdata\nuance\naturallyspeaking10\Ereg.ini
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Reader Library Launcher] c:\program files\sony\reader\data\bin\launcher\Reader Library Launcher.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~1\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://1800flowers.webex.com/client/T27LB/training/ieatgpc1.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{2E421D49-F3B5-4DF9-AC51-6A1925DCE861} : DhcpNameServer = 192.168.0.1 192.168.0.1
TCP: Interfaces\{780E6758-B29A-40E8-8CEF-78141DE37EA4} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{780E6758-B29A-40E8-8CEF-78141DE37EA4}\C696E6B6379737 : DhcpNameServer = 190.80.8.11 190.80.8.12 190.80.8.13
TCP: Interfaces\{780E6758-B29A-40E8-8CEF-78141DE37EA4}\D4148554C4C4 : DhcpNameServer = 192.168.254.1 192.168.254.1
TCP: Interfaces\{780E6758-B29A-40E8-8CEF-78141DE37EA4}\E456878747 : DhcpNameServer = 190.80.8.11 190.80.8.12
TCP: Interfaces\{D750CD85-6FA1-438B-A7EE-CE305377506E} : DhcpNameServer = 190.80.8.11 190.80.8.12
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\8.0.1\ViProtocol.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\MLynne\appdata\roaming\mozilla\firefox\profiles\28mbmp17.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff4.dll
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff5.dll
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff6.dll
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff7.dll
FF - component: c:\program files\mozilla firefox\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll
FF - plugin: c:\progra~1\micros~1\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~1\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\sony\reader\data\bin\npebldetectmoz.dll
FF - plugin: c:\users\MLynne\appdata\local\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\users\MLynne\appdata\roaming\mozilla\plugins\npatgpc.dll
FF - plugin: c:\users\MLynne\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\MLynne\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
.
============= SERVICES / DRIVERS ===============
.
R? AVG Security Toolbar Service;AVG Security Toolbar Service
R? b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0
R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
R? MRV6X32U;Marvell TOPDOG 802.11n WLAN Driver for Vista x86 (USB8x)
R? osppsvc;Office Software Protection Platform
R? rootrepeal;rootrepeal
R? StorSvc;Storage Service
R? SwitchBoard;Adobe SwitchBoard
R? TsUsbFlt;TsUsbFlt
R? WatAdminSvc;Windows Activation Technologies Service
S? !SASCORE;SAS Core Service
S? AdobeARMservice;Adobe Acrobat Update Service
S? AVGIDSAgent;AVGIDSAgent
S? AVGIDSDriver;AVGIDSDriver
S? AVGIDSEH;AVGIDSEH
S? AVGIDSFilter;AVGIDSFilter
S? AVGIDSShim;AVGIDSShim
S? Avgldx86;AVG AVI Loader Driver
S? Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield
S? Avgrkx86;AVG Anti-Rootkit Driver
S? Avgtdix;AVG TDI Driver
S? avgwd;AVG WatchDog
S? btusbflt;Bluetooth USB Filter
S? HWiNFO32;HWiNFO32 Kernel Driver
S? SASDIFSV;SASDIFSV
S? SASKUTIL;SASKUTIL
S? SrvHsfHDA;SrvHsfHDA
S? SrvHsfV92;SrvHsfV92
S? SrvHsfWinac;SrvHsfWinac
S? vToolbarUpdater;vToolbarUpdater
S? vwififlt;Virtual WiFi Filter Driver
S? vwifimp;Microsoft Virtual WiFi Miniport Service
S? yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller
.
=============== Created Last 30 ================
.
2011-10-20 01:03:12 -------- d-----w- c:\program files\ESET
2011-10-19 19:06:02 -------- d-----w- c:\users\MLynne\appdata\roaming\SUPERAntiSpyware.com
2011-10-19 19:05:15 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-10-19 19:05:15 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-10-19 16:05:14 -------- d-----w- c:\program files\CCleaner
2011-10-19 05:31:14 -------- d-----w- c:\users\MLynne\appdata\roaming\Malwarebytes
2011-10-19 05:30:58 -------- d-----w- c:\programdata\Malwarebytes
2011-10-19 05:30:54 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-19 05:30:54 -------- d-----w- c:\program files\MALWAREBYTES ANTI-MALWARE
2011-10-19 05:30:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-18 20:05:04 -------- d-----w- c:\users\MLynne\.morena
2011-10-16 15:35:48 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-10-16 15:35:47 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-10-16 15:35:47 773080 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-10-16 15:35:47 478168 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-10-16 15:35:47 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-10-16 15:35:47 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-10-16 15:35:47 1833944 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-10-16 15:35:47 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-10-10 15:09:40 4550304 ----a-w- c:\program files\mozilla firefox\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll
2011-10-05 15:38:40 -------- d-----w- c:\users\MLynne\appdata\local\{AC6F9B49-D8EE-42B6-B9E9-8706C5EF9106}
2011-09-30 08:58:34 -------- d-----w- c:\program files\common files\AVG Secure Search
2011-09-30 08:58:33 -------- d-----w- c:\program files\AVG Secure Search
2011-09-30 08:56:49 -------- d-----w- c:\users\MLynne\appdata\roaming\AVG2012
2011-09-30 08:56:20 -------- d-----w- c:\programdata\AVG2012
2011-09-22 14:56:52 -------- d-----w- c:\users\MLynne\appdata\local\{F6360A47-5F1F-4514-964E-32D51788223B}
2011-09-21 16:21:34 -------- d-----w- c:\program files\Thunderbird-Tray
.
==================== Find3M ====================
.
2011-10-01 02:42:56 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-09-30 08:46:20 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-13 10:30:10 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-09-06 02:28:37 2334720 ----a-w- c:\windows\system32\win32k.sys
2011-08-27 04:26:27 571904 ----a-w- c:\windows\system32\oleaut32.dll
2011-08-27 04:26:27 233472 ----a-w- c:\windows\system32\oleacc.dll
2011-08-20 04:31:05 981504 ----a-w- c:\windows\system32\wininet.dll
2011-08-17 04:24:12 465408 ----a-w- c:\windows\system32\psisdecd.dll
2011-08-17 04:19:27 75776 ----a-w- c:\windows\system32\psisrndr.ax
2011-07-22 20:51:50 94208 ----a-w- c:\windows\system32\dpl100.dll
.
============= FINISH: 6:37:36.82 ===============

GMER Log:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-10-20 01:56:02
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-2 WDC_WD2500BEVS-75UST0 rev.01.01A01
Running: myfvkv6y.exe; Driver: C:\Users\MLynne\AppData\Local\Temp\ufliiaob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0x98DD8F3C]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0x98DD8FE4]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0x98DD9080]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0x98DD911C]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKey + 13D1 82C3F349 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82C78D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 139F 82C80054 4 Bytes [3C, 8F, DD, 98]
.text ntkrnlpa.exe!KeRemoveQueueEx + 166F 82C80324 8 Bytes [E4, 8F, DD, 98, 80, 90, DD, ...] {IN AL, 0x8f; FSTP QWORD [EAX-0x67226f80]}
.text ntkrnlpa.exe!KeRemoveQueueEx + 16E3 82C80398 4 Bytes [1C, 91, DD, 98]
.text netbt.sys!E_PIA_U__otz_vGYUPVH_CRSIB_LEZAWLLw_iYLO 9032C000 16 Bytes [90, 90, 90, 90, 90, 8B, FF, ...]
.text netbt.sys!E_PIA_U__otz_vGYUPVH_CRSIB_LEZAWLLw_iYLO + 13 9032C013 153 Bytes [CF, FF, 15, 4C, B2, 34, 90, ...]
.text netbt.sys!E_PIA_U__otz_vGYUPVH_CRSIB_LEZAWLLw_iYLO + AD 9032C0AD 389 Bytes [00, 90, 90, 90, 90, 90, 8B, ...]
.text netbt.sys!E_PIA_U__otz_vGYUPVH_CRSIB_LEZAWLLw_iYLO + 233 9032C233 23 Bytes [F0, EB, 72, 8B, 4D, F8, 8B, ...]
.text netbt.sys!SBFHizb_mkos_scf__ + 15 9032C24B 35 Bytes [01, 89, 48, 04, 33, C0, F6, ...]
.text netbt.sys!SBFHizb_mkos_scf__ + 39 9032C26F 232 Bytes [C1, 08, EB, 15, 6A, 30, 6A, ...]
.text netbt.sys!SBFHizb_mkos_scf__ + 122 9032C358 17 Bytes [55, FF, 8B, CE, FF, 15, 5C, ...]
.text netbt.sys!SBFHizb_mkos_scf__ + 134 9032C36A 124 Bytes [90, 90, 90, 90, 90, 8B, FF, ...]
.text netbt.sys!SBFHizb_mkos_scf__ + 1B1 9032C3E7 100 Bytes [89, 4E, 18, 83, F8, FF, 74, ...]
.text ...
.text netbt.sys!AH_BYmFJD__I__c_scmmje + 2 9032C450 24 Bytes [FF, 55, 8B, EC, 51, 56, 8D, ...]
.text netbt.sys!AH_BYmFJD__I__c_scmmje + 1B 9032C469 335 Bytes [01, FF, 75, FC, FF, 15, E4, ...]
.text netbt.sys!AH_BYmFJD__I__c_scmmje + 16B 9032C5B9 184 Bytes CALL 9032CB2E \SystemRoot\System32\DRIVERS\netbt.sys (MBT Transport driver/Microsoft Corporation)
.text netbt.sys!sfhoUVVG_EY_E + 1D 9032C672 359 Bytes [47, 2C, 89, 58, 50, 89, 5F, ...]
.text netbt.sys!sfhoUVVG_EY_E + 185 9032C7DA 15 Bytes [89, 47, 0C, C7, 47, 10, 0A, ...] {MOV [EDI+0xc], EAX; MOV DWORD [EDI+0x10], 0xa; JMP 0xffffffffffffff8c; TEST DL, 0x4}
.text netbt.sys!sfhoUVVG_EY_E + 195 9032C7EA 130 Bytes [84, 97, 00, 00, 00, F6, 45, ...]
.text netbt.sys!qfsiMHJDI__pokRMLXH____wlz__vzzkl_n_imbaq_zxq_k_uX_ZL + 23 9032C86D 56 Bytes [C9, 66, 3B, 4E, 72, 0F, 84, ...]
.text netbt.sys!qfsiMHJDI__pokRMLXH____wlz__vzzkl_n_imbaq_zxq_k_uX_ZL + 5C 9032C8A6 473 Bytes [34, 90, 66, 89, 47, 0C, F7, ...]
.text netbt.sys!P_PY__B__OWJDL_o_gpiHDD + 7 9032CA80 68 Bytes [75, 0C, 8D, 7B, 6C, 33, D2, ...]
.text netbt.sys!P_PY__B__OWJDL_o_gpiHDD + 4C 9032CAC5 257 Bytes [83, C4, 0C, 85, C0, 74, 1C, ...]
.text netbt.sys!P_PY__B__OWJDL_o_gpiHDD + 14E 9032CBC7 63 Bytes [0B, 8B, 46, 18, 3B, C3, 74, ...]
.text netbt.sys!P_PY__B__OWJDL_o_gpiHDD + 18E 9032CC07 18 Bytes [8B, 46, 1C, 3B, C3, 74, 04, ...] {MOV EAX, [ESI+0x1c]; CMP EAX, EBX; JZ 0xb; PUSH EBX; PUSH EAX; CALL EDI; MOV EAX, [ESI+0x64]; CMP EAX, EBX; JZ 0x23}
.text netbt.sys!P_PY__B__OWJDL_o_gpiHDD + 1A1 9032CC1A 195 Bytes [50, FF, D7, 33, C0, 89, 5E, ...]
.text netbt.sys!TJEfnbiKOL_IixnqsRKVXUxjnNIV_jc_pyF + 46 9032CCDE 35 Bytes [48, 04, F6, 45, 0C, 01, 8B, ...]
.text netbt.sys!TJEfnbiKOL_IixnqsRKVXUxjnNIV_jc_pyF + 6A 9032CD02 498 Bytes [50, FF, D7, 89, 5E, 7C, 8D, ...]
.text netbt.sys!fIBFHNBPK_c_tnE_D_a_ueSUC_fzz + 13 9032CEF5 108 Bytes [F6, 75, 07, B8, 9A, 00, 00, ...]
.text netbt.sys!fIBFHNBPK_c_tnE_D_a_ueSUC_fzz + 80 9032CF62 497 Bytes [0E, 89, 0F, 89, 79, 04, 8A, ...]
.text netbt.sys!fIBFHNBPK_c_tnE_D_a_ueSUC_fzz + 272 9032D154 3 Bytes [90, 90, 8B]
.text netbt.sys!fIBFHNBPK_c_tnE_D_a_ueSUC_fzz + 276 9032D158 15 Bytes [55, 8B, EC, 51, 51, 53, 56, ...]
.text netbt.sys!fIBFHNBPK_c_tnE_D_a_ueSUC_fzz + 286 9032D168 13 Bytes [00, C0, 8B, CF, 33, DB, 89, ...]
.text ...
.text netbt.sys!YSYQrm_ukpV_SAMQV___VVP_vo_p + 22 9032EBE0 27 Bytes CALL 903313E4 \SystemRoot\System32\DRIVERS\netbt.sys (MBT Transport driver/Microsoft Corporation)
.text netbt.sys!YSYQrm_ukpV_SAMQV___VVP_vo_p + 3E 9032EBFC 261 Bytes [02, 00, 00, 80, 78, 1D, 04, ...]
.text netbt.sys!YSYQrm_ukpV_SAMQV___VVP_vo_p + 144 9032ED02 500 Bytes [00, 80, 78, 1D, 04, 0F, 82, ...]
.text netbt.sys!UKSEndQQ_B__X__UPADS_ftqy_PJLF_Dnou_naAL + 125 9032EEF7 79 Bytes [34, 90, 3D, 00, C0, 34, 90, ...]
.text netbt.sys!UKSEndQQ_B__X__UPADS_ftqy_PJLF_Dnou_naAL + 175 9032EF47 35 Bytes [EC, 32, 90, 25, ED, 32, 90, ...]
.text netbt.sys!UKSEndQQ_B__X__UPADS_ftqy_PJLF_Dnou_naAL + 199 9032EF6B 136 Bytes [ED, 32, 90, A6, EE, 32, 90, ...]
.text netbt.sys!aw_w__cnqheh_ + 24 9032EFF5 194 Bytes [88, 45, FF, 8B, 45, 08, 50, ...]
.text netbt.sys!aw_w__cnqheh_ + E7 9032F0B8 163 Bytes [5B, 5D, C2, 04, 00, 90, 90, ...]
.text netbt.sys!aw_w__cnqheh_ + 18B 9032F15C 237 Bytes [5F, 5E, 5D, C2, 1C, 00, 90, ...]
.text netbt.sys!b_aos__bzvof_tiVF__EA + 5C 9032F24A 413 Bytes [FF, 15, 4C, B2, 34, 90, 88, ...]
.text netbt.sys!b_aos__bzvof_tiVF__EA + 1FA 9032F3E8 192 Bytes [90, 90, 90, 8B, FF, 55, 8B, ...]
.text netbt.sys!tXSKGOMN_VHG + AF 9032F4A9 34 Bytes [FF, 39, 46, 14, 74, 06, 83, ...]
.text netbt.sys!tXSKGOMN_VHG + D2 9032F4CC 496 Bytes [86, 98, 00, 00, 00, 8B, 4D, ...]
.text netbt.sys!tXSKGOMN_VHG + 2C3 9032F6BD 111 Bytes [E8, B1, 34, 90, 8B, F0, 3B, ...]
.text netbt.sys!tXSKGOMN_VHG + 333 9032F72D 71 Bytes [38, 5D, 0B, 74, 4C, 8B, 06, ...]
.text netbt.sys!tXSKGOMN_VHG + 37B 9032F775 69 Bytes [34, 90, B8, 01, 00, 00, C0, ...]
.text ...
? C:\Windows\System32\DRIVERS\netbt.sys suspicious PE modification
? C:\Windows\system32\drivers\rootrepeal.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[1144] ntdll.dll!NtProtectVirtualMemory 77705F18 5 Bytes JMP 00E4000A
.text C:\Windows\system32\svchost.exe[1144] ntdll.dll!NtWriteVirtualMemory 77706A98 5 Bytes JMP 00E9000A
.text C:\Windows\system32\svchost.exe[1144] ntdll.dll!KiUserExceptionDispatcher 77707008 5 Bytes JMP 00A1000A
.text C:\Windows\system32\svchost.exe[1144] ole32.dll!CoCreateInstance 753B9D0B 5 Bytes JMP 0022000A
.text C:\Windows\system32\svchost.exe[1144] USER32.dll!GetCursorPos 756EA4B3 5 Bytes JMP 0023000A
.text C:\Windows\system32\svchost.exe[1144] USER32.dll!GetForegroundWindow 756F335D 5 Bytes JMP 0025000A
.text C:\Windows\system32\svchost.exe[1144] USER32.dll!WindowFromPoint 75716BE9 5 Bytes JMP 0024000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2124] ntdll.dll!NtProtectVirtualMemory 77705F18 5 Bytes JMP 0143000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2124] ntdll.dll!NtWriteVirtualMemory 77706A98 5 Bytes JMP 0144000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2124] ntdll.dll!KiUserExceptionDispatcher 77707008 5 Bytes JMP 0142000A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2428] USER32.dll!GetWindowInfo 756F4B5E 5 Bytes JMP 695D89A7 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2428] USER32.dll!TrackPopupMenu 75702228 5 Bytes JMP 695D8F65 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[580] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [74FAFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[580] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [74FAFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[580] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [74FAFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[580] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [74FAFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[580] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [74FAFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[580] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [74FAFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3128] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73CC2437] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3128] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73CA5600] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3128] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73CA56BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3128] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73CC24B2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3128] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73CB8514] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3128] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73CB4CC8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3128] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73CB506F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3128] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73CB5144] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3128] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73CB6671] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3128] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73CB826B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3128] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73CB87BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3128] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73CB901B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3128] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73CBE1BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3128] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73CB4BFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Program Files\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe[3556] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [74FAFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe[3556] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [74FAFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe[3556] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [74FAFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe[3556] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [74FAFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe[3556] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [74FAFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe[3556] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [74FAFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe[3556] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [74FAFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000005a halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\BTHUSB \Device\0000008a bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\0000008c bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) 9030B000-9032B000 (131072 bytes)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001fe1de7a12
Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{31A8F147-E4BE-47F8-BF41-25D7D30932BA}@InterfaceName isatap.{5074987F-8F96-492C-8451-E611070A8603}
Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{31A8F147-E4BE-47F8-BF41-25D7D30932BA}@ReusableType 0
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001fe1de7a12 (not active ControlSet)

---- Files - GMER 1.0.15 ----

File C:\Windows\$NtUninstallKB35185$\2312437924 0 bytes
File C:\Windows\$NtUninstallKB35185$\2312437924\@ 2048 bytes
File C:\Windows\$NtUninstallKB35185$\2312437924\bckfg.tmp 800 bytes
File C:\Windows\$NtUninstallKB35185$\2312437924\cfg.ini 199 bytes
File C:\Windows\$NtUninstallKB35185$\2312437924\Desktop.ini 4608 bytes
File C:\Windows\$NtUninstallKB35185$\2312437924\keywords 28 bytes
File C:\Windows\$NtUninstallKB35185$\2312437924\kwrd.dll 208896 bytes
File C:\Windows\$NtUninstallKB35185$\2312437924\L 0 bytes
File C:\Windows\$NtUninstallKB35185$\2312437924\L\xadqgnnk 187904 bytes
File C:\Windows\$NtUninstallKB35185$\2312437924\lsflt7.ver 5176 bytes
File C:\Windows\$NtUninstallKB35185$\2312437924\U 0 bytes
File C:\Windows\$NtUninstallKB35185$\2312437924\U\00000001.@ 1536 bytes
File C:\Windows\$NtUninstallKB35185$\2312437924\U\00000002.@ 209920 bytes
File C:\Windows\$NtUninstallKB35185$\2312437924\U\80000000.@ 1024 bytes
File C:\Windows\$NtUninstallKB35185$\2312437924\U\80000032.@ 71168 bytes
File C:\Windows\$NtUninstallKB35185$\2743016363 0 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\274GYH42\button_go[1].gif 350 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\274GYH42\in[1].htm 36985 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\274GYH42\in[1].js 1902 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\274GYH42\saletrack[1].pl 0 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\274GYH42\saletrack[2].pl 0 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\274GYH42\misc;pos=728a;exp=0;adnt=1;dcopt=ist;tile=1;sz=728x90;ord=9613371568170396[1] 0 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\274GYH42\ppx[1].gif 0 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\274GYH42\bgr_shadow[1].png 107 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\274GYH42\sendtracker[1].gif 0 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\274GYH42\sendtracker[2].gif 0 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\274GYH42\v2[2].xml 0 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\274GYH42\tmo_300x250_18fps_final[1].swf 0 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\274GYH42\pippa-052011-4[1].jpg 6316 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\274GYH42\pippa-052011-6[1].jpg 6204 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\4W24Q3CD\if[3].txt 0 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\4W24Q3CD\trf[1].htm 924 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\4W24Q3CD\trf[2].htm 1522 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\4W24Q3CD\trf[3].htm 972 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\4W24Q3CD\trf[4].htm 922 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\4W24Q3CD\1[1].htm 0 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\4W24Q3CD\s[2].htm 1977 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\4W24Q3CD\search[10].htm 904 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\4W24Q3CD\search[11].htm 942 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\4W24Q3CD\search[2].htm 1738 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\4W24Q3CD\search[5].htm 1570 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\4W24Q3CD\search[7].htm 928 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\4W24Q3CD\search[8].htm 924 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\4W24Q3CD\search[9].htm 1406 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\4W24Q3CD\cached_iframe[2].htm 3346 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\4W24Q3CD\pippa-middleton-10132011-07[1].jpg 5357 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\4W24Q3CD\NMT[1].jpg 0 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\4W24Q3CD\parking[2].htm 926 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\4W24Q3CD\cd[1].htm 0 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\4W24Q3CD\cd[3].htm 935 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\4W24Q3CD\cd[4].htm 1477 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\4W24Q3CD\cd[5].htm 945 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\4W24Q3CD\cd[6].htm 429 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\4W24Q3CD\ent[2].htm 0 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\4W24Q3CD\ent[3].htm 1084 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\4W24Q3CD\ent[5].htm 918 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\4W24Q3CD\seek[1].htm 0 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\4W24Q3CD\seek[2].htm 427 bytes
File C:\Windows\Temp\Temporary Internet Files\Content.IE5\4W24Q3CD\ADTECH;cc=2;alias=93245211;size=300x250;target=_blank[1].htm 237 bytes

---- EOF - GMER 1.0.15 ----


#2 gringo_pr

Bleepin Gringo, Malware Response Team

Posted 21 October 2011 - 07:28 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 gringo_pr

Bleepin Gringo, Malware Response Team

Posted 24 October 2011 - 09:29 PM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • Do you still need help with this?
  • Do you need more time?
  • Are you having problems following my instructions?
  • If after 48 hrs you have not replied to this thread, then it will have to be closed!

Gringo

#4 gringo_pr

Bleepin Gringo, Malware Response Team

Posted 27 October 2011 - 01:11 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

#5 gringo_pr

Bleepin Gringo, Malware Response Team

Posted 27 October 2011 - 10:52 AM

This topic has been re-opened at the request of the person who originally posted.

#6 MLynne

Topic Starter, Members

Posted 27 October 2011 - 11:17 AM

I apologize for the long delay. I ran Combofix three times. The first two times, I was not able to let it run after it rebooted the computer. I had an issue after I shut it down prematurely the first time as when I rebooted my PC, it kept opening up multiple copies of the Combofix window over and over again. Finally, I went to safe mode and disabled Combofix in the system configuration startup list. Finally, last night I was able to let it run overnight and the following log was generated:

ComboFix 11-10-27.02 - MLynne 10/27/2011 1:13.3.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3062.2057 [GMT -4:00]
Running from: c:\users\MLynne\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\MLynne\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
.
.
((((((((((((((((((((((((( Files Created from 2011-09-27 to 2011-10-27 )))))))))))))))))))))))))))))))
.
.
2011-10-27 05:38 . 2011-10-27 08:07 -------- d-----w- c:\users\MLynne\AppData\Local\temp
2011-10-27 05:38 . 2011-10-27 05:38 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2011-10-27 05:38 . 2011-10-27 05:38 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-20 14:21 . 2009-07-13 23:11 80896 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-10-20 01:03 . 2011-10-20 01:03 -------- d-----w- c:\program files\ESET
2011-10-19 19:06 . 2011-10-19 19:06 -------- d-----w- c:\users\MLynne\AppData\Roaming\SUPERAntiSpyware.com
2011-10-19 19:05 . 2011-10-19 19:06 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-10-19 19:05 . 2011-10-19 19:05 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-10-19 16:05 . 2011-10-19 16:05 -------- d-----w- c:\program files\CCleaner
2011-10-19 05:31 . 2011-10-19 05:31 -------- d-----w- c:\users\MLynne\AppData\Roaming\Malwarebytes
2011-10-19 05:30 . 2011-10-19 05:30 -------- d-----w- c:\programdata\Malwarebytes
2011-10-19 05:30 . 2011-10-20 00:47 -------- d-----w- c:\program files\MALWAREBYTES ANTI-MALWARE
2011-10-19 05:30 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-19 05:30 . 2011-10-20 00:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-19 04:13 . 2011-10-19 04:13 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Adobe
2011-10-19 03:20 . 2011-10-19 03:20 -------- d-----w- c:\windows\Sun
2011-10-18 20:05 . 2011-10-18 20:05 -------- d-----w- c:\users\MLynne\.morena
2011-10-16 15:35 . 2011-09-29 06:53 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-10-16 15:35 . 2011-09-29 06:53 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-10-16 15:35 . 2011-09-29 06:53 773080 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-10-16 15:35 . 2011-09-29 06:53 478168 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-10-16 15:35 . 2011-09-29 06:53 1833944 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-10-16 15:35 . 2011-09-29 06:53 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-10-16 15:35 . 2011-09-29 00:26 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-10-16 15:35 . 2011-09-29 00:26 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-10-10 15:09 . 2011-10-10 15:09 4550304 ----a-w- c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
2011-09-30 08:58 . 2011-09-30 08:58 -------- d-----w- c:\program files\Common Files\AVG Secure Search
2011-09-30 08:58 . 2011-09-30 08:58 -------- d-----w- c:\program files\AVG Secure Search
2011-09-30 08:56 . 2011-09-30 08:56 -------- d-----w- c:\users\MLynne\AppData\Roaming\AVG2012
2011-09-30 08:56 . 2011-10-19 03:08 -------- d-----w- c:\programdata\AVG2012
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-30 08:46 . 2011-06-27 02:24 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-13 10:30 . 2011-09-13 10:30 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-08-08 10:08 . 2011-08-08 10:08 40016 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2011-09-29 06:53 . 2011-10-16 15:35 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2011-07-26 14:15 2532680 ----a-w- c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\MLynne\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\MLynne\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\MLynne\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"googletalk"="c:\users\MLynne\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"AdobeBridge"="" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 150552]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" [2007-04-16 259624]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-23 402432]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"Reader Library Launcher"="c:\program files\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe" [2010-07-13 906648]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-09-23 2404704]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-08-31 1047208]
.
c:\users\MLynne\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\MLynne\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-9-1 24183152]
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2010-12-21 227712]
TB-Tray.lnk - c:\program files\Thunderbird-Tray\TBTray.exe [2005-11-8 38912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [2011-07-26 1025352]
R3 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [2011-09-12 5265248]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [2011-07-11 134736]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [2011-07-11 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys [2011-07-11 16720]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-02-05 1343400]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [2011-07-11 23120]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [2011-09-13 32592]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [2011-07-11 229840]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [2011-07-11 295248]
S1 HWiNFO32;HWiNFO32 Kernel Driver;c:\program files\HWiNFO32\HWiNFO32.SYS [2010-09-30 20088]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [2011-08-02 192776]
S2 vToolbarUpdater;vToolbarUpdater;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\8.0.1\ToolbarUpdater.exe [2011-09-30 246600]
S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-04-14 45736]
S3 MRV6X32U;Marvell TOPDOG 802.11n WLAN Driver for Vista x86 (USB8x);c:\windows\system32\DRIVERS\MRVW24B.sys [2008-03-19 310016]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-09-28 315392]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2881592152-1477174181-655329023-1000Core.job
- c:\users\MLynne\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-24 02:03]
.
2011-10-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2881592152-1477174181-655329023-1000UA.job
- c:\users\MLynne\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-24 02:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\8.0.1\ViProtocol.dll
FF - ProfilePath - c:\users\MLynne\AppData\Roaming\Mozilla\Firefox\Profiles\28mbmp17.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-combofix - c:\combofix\CF10512.3XE
AddRemove-{25C40A3F-CBF6-4949-8AC9-EB56E504A76E} - c:\users\MLynne\AppData\Local\{2C4A57D6-4F0C-49A4-9A3F-89423FD797DC}\Anonymizer_Universal_Setup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(1200)
c:\users\MLynne\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG2012\avgrsx.exe
c:\program files\AVG\AVG2012\avgcsrvx.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\AVG\AVG2012\avgnsx.exe
c:\program files\AVG\AVG2012\avgemcx.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2011-10-27 04:14:42 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-27 08:14
.
Pre-Run: 103,209,787,392 bytes free
Post-Run: 103,155,806,208 bytes free
.
- - End Of File - - 3DF1567D30A767562335767C7DFD2C19



I am not having any issues with Windows Firewall (it is on and staying enabled) or redirects in Firefox. My only concern is whether interrupting Combofix a couple of times caused any issues. Otherwise, everything seems OK.

#7 gringo_pr

Bleepin Gringo, Malware Response Team

Posted 27 October 2011 - 11:43 AM

Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe.
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#8 MLynne

Topic Starter, Members

Posted 28 October 2011 - 09:23 AM

Here is my log:

ComboFix 11-10-27.05 - MLynne 10/28/2011 1:31.4.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3062.1908 [GMT -4:00]
Running from: c:\users\MLynne\Desktop\ComboFix.exe
Command switches used :: c:\users\MLynne\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\MLynne\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
.
.
((((((((((((((((((((((((( Files Created from 2011-09-28 to 2011-10-28 )))))))))))))))))))))))))))))))
.
.
2011-10-28 05:39 . 2011-10-28 06:10 -------- d-----w- c:\users\MLynne\AppData\Local\temp
2011-10-28 05:39 . 2011-10-28 05:39 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2011-10-28 05:39 . 2011-10-28 05:39 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-20 14:21 . 2009-07-13 23:11 80896 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-10-19 19:06 . 2011-10-19 19:06 -------- d-----w- c:\users\MLynne\AppData\Roaming\SUPERAntiSpyware.com
2011-10-19 19:05 . 2011-10-19 19:06 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-10-19 19:05 . 2011-10-19 19:05 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-10-19 16:05 . 2011-10-19 16:05 -------- d-----w- c:\program files\CCleaner
2011-10-19 05:31 . 2011-10-19 05:31 -------- d-----w- c:\users\MLynne\AppData\Roaming\Malwarebytes
2011-10-19 05:30 . 2011-10-19 05:30 -------- d-----w- c:\programdata\Malwarebytes
2011-10-19 05:30 . 2011-10-20 00:47 -------- d-----w- c:\program files\MALWAREBYTES ANTI-MALWARE
2011-10-19 05:30 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-19 05:30 . 2011-10-20 00:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-19 04:13 . 2011-10-19 04:13 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Adobe
2011-10-19 03:20 . 2011-10-19 03:20 -------- d-----w- c:\windows\Sun
2011-10-18 20:05 . 2011-10-18 20:05 -------- d-----w- c:\users\MLynne\.morena
2011-10-16 15:35 . 2011-09-29 06:53 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-10-16 15:35 . 2011-09-29 06:53 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-10-16 15:35 . 2011-09-29 06:53 773080 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-10-16 15:35 . 2011-09-29 06:53 478168 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-10-16 15:35 . 2011-09-29 06:53 1833944 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-10-16 15:35 . 2011-09-29 06:53 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-10-16 15:35 . 2011-09-29 00:26 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-10-16 15:35 . 2011-09-29 00:26 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-10-10 15:09 . 2011-10-10 15:09 4550304 ----a-w- c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
2011-09-30 08:58 . 2011-09-30 08:58 -------- d-----w- c:\program files\Common Files\AVG Secure Search
2011-09-30 08:58 . 2011-09-30 08:58 -------- d-----w- c:\program files\AVG Secure Search
2011-09-30 08:56 . 2011-09-30 08:56 -------- d-----w- c:\users\MLynne\AppData\Roaming\AVG2012
2011-09-30 08:56 . 2011-10-19 03:08 -------- d-----w- c:\programdata\AVG2012
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-30 08:46 . 2011-06-27 02:24 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-13 10:30 . 2011-09-13 10:30 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-08-08 10:08 . 2011-08-08 10:08 40016 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2011-09-29 06:53 . 2011-10-16 15:35 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2011-07-26 14:15 2532680 ----a-w- c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\MLynne\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\MLynne\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\MLynne\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"googletalk"="c:\users\MLynne\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"AdobeBridge"="" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 150552]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" [2007-04-16 259624]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-23 402432]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"Reader Library Launcher"="c:\program files\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe" [2010-07-13 906648]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-09-23 2404704]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-08-31 1047208]
.
c:\users\MLynne\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\MLynne\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-9-1 24183152]
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2010-12-21 227712]
TB-Tray.lnk - c:\program files\Thunderbird-Tray\TBTray.exe [2005-11-8 38912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [2011-07-26 1025352]
R3 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [2011-09-12 5265248]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [2011-07-11 134736]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [2011-07-11 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys [2011-07-11 16720]
R3 MRV6X32U;Marvell TOPDOG 802.11n WLAN Driver for Vista x86 (USB8x);c:\windows\system32\DRIVERS\MRVW24B.sys [2008-03-19 310016]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-02-05 1343400]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [2011-07-11 23120]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [2011-09-13 32592]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [2011-07-11 229840]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [2011-07-11 295248]
S1 HWiNFO32;HWiNFO32 Kernel Driver;c:\program files\HWiNFO32\HWiNFO32.SYS [2010-09-30 20088]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [2011-08-02 192776]
S2 vToolbarUpdater;vToolbarUpdater;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\8.0.1\ToolbarUpdater.exe [2011-09-30 246600]
S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-04-14 45736]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-09-28 315392]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2881592152-1477174181-655329023-1000Core.job
- c:\users\MLynne\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-24 02:03]
.
2011-10-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2881592152-1477174181-655329023-1000UA.job
- c:\users\MLynne\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-24 02:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\8.0.1\ViProtocol.dll
FF - ProfilePath - c:\users\MLynne\AppData\Roaming\Mozilla\Firefox\Profiles\28mbmp17.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2420)
c:\users\MLynne\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG2012\avgrsx.exe
c:\program files\AVG\AVG2012\avgcsrvx.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\AVG\AVG2012\avgnsx.exe
c:\program files\AVG\AVG2012\avgemcx.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2011-10-28 02:13:36 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-28 06:13
ComboFix2.txt 2011-10-27 08:14
.
Pre-Run: 109,184,139,264 bytes free
Post-Run: 109,615,992,832 bytes free
.
- - End Of File - - E7EF9F02C40CD3F4700B32F0408E7B0C



Still no issues with the Firewall or with redirects. However, I went to device manager to re-enable my internal wireless card (I had been using a USB one as the internal one was giving me issues when I was traveling) and got a "threat detected" message from AVG (it was turned off while ComboFix was running and I re-enabled it this morning) that says: c:\Windows\System32\drivers\netbt.sys Trojan horse BackDoor.Generic14.BENF. The only option AVG gives me is to "Ignore the Threat". The error message occurs as soon as I open device manager.

#9 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 28 October 2011 - 03:32 PM

SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
:filefind
netbt.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#10 MLynne

MLynne
  • Topic Starter

  • Members
  • 11 posts

Posted 29 October 2011 - 01:49 AM

SystemLook log:

SystemLook 30.07.11 by jpshortstuff
Log created at 02:45 on 29/10/2011 by MLynne
Administrator - Elevation successful

========== filefind ==========

Searching for "netbt.sys"
C:\Windows\System32\drivers\netbt.sys ------- 187904 bytes [18:27 26/04/2011] [08:39 20/11/2010] 61EDD14FA52EC6DCDC8C2A0EED32FAAA
C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.1.7600.16385_none_603b1e855897bcd6\netbt.sys --a---- 187904 bytes [23:12 13/07/2009] [23:12 13/07/2009] DD52A733BF4CA5AF84562A5E2F963B91

-= EOF =-
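The SystemLook result above is the kind of evidence a responder compares by hand: the live driver in System32\drivers and the component-store copy in WinSxS have the same size but different MD5 hashes. The script below is an added example, not part of this thread or of SystemLook, that automates that comparison on a pasted `:filefind` log. It parses each result line, pulls the component version out of the WinSxS folder name, and reports whether the System32 copy matches any store copy. The sample input is the two result lines from the log above; the function and class names are this example's own.

```python
"""Compare a System32 driver against its WinSxS copies from SystemLook output.

Added example (not from the thread or from SystemLook). Parses the
':filefind' section, then checks whether the live System32 copy's MD5
matches any copy kept in the WinSxS component store.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input: the filefind section from the SystemLook log in the thread.
SAMPLE_LOG = r"""SystemLook 30.07.11 by jpshortstuff
Log created at 02:45 on 29/10/2011 by MLynne
Administrator - Elevation successful

========== filefind ==========

Searching for "netbt.sys"
C:\Windows\System32\drivers\netbt.sys ------- 187904 bytes [18:27 26/04/2011] [08:39 20/11/2010] 61EDD14FA52EC6DCDC8C2A0EED32FAAA
C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.1.7600.16385_none_603b1e855897bcd6\netbt.sys --a---- 187904 bytes [23:12 13/07/2009] [23:12 13/07/2009] DD52A733BF4CA5AF84562A5E2F963B91

-= EOF =-
"""

# One result line: <path> <attributes> <size> bytes [created] [modified] <MD5>
# The path is matched lazily so paths containing spaces still split correctly.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>\S+)\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]"
    r"\s+(?P<md5>[0-9A-Fa-f]{32})$"
)

# WinSxS folders are named <arch>_<component>_<publicKeyToken>_<version>_<culture>_<hash>;
# this pulls out the four-part component version.
SXS_VERSION_RE = re.compile(r"\\winsxs\\[^\\]*?_(\d+\.\d+\.\d+\.\d+)_[^\\]*\\", re.IGNORECASE)


@dataclass
class FileHit:
    path: str
    size: int
    md5: str
    sxs_version: Optional[str]  # None unless the copy lives in WinSxS

    @property
    def in_system32(self) -> bool:
        return "\\system32\\" in self.path.lower()

    @property
    def in_winsxs(self) -> bool:
        return "\\winsxs\\" in self.path.lower()


def parse_filefind(log: str) -> List[FileHit]:
    """Return one FileHit per result line; header and footer lines are skipped."""
    hits: List[FileHit] = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ver = SXS_VERSION_RE.search(m.group("path"))
        hits.append(FileHit(m.group("path"), int(m.group("size")),
                            m.group("md5").upper(), ver.group(1) if ver else None))
    return hits


def _version_key(version: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in version.split("."))


def assess(hits: List[FileHit]) -> Tuple[str, str]:
    """Return (verdict, detail): 'match', 'mismatch' or 'unknown'."""
    live = [h for h in hits if h.in_system32]
    store = [h for h in hits if h.in_winsxs]
    if len(live) != 1:
        return "unknown", f"expected one System32 copy, found {len(live)}"
    if not store:
        return "unknown", "no WinSxS copy to compare against"
    current = live[0]
    same = [h for h in store if h.md5 == current.md5]
    if same:
        return "match", f"System32 copy matches WinSxS component {same[0].sxs_version}"
    versioned = [h for h in store if h.sxs_version]
    newest = max(versioned, key=lambda h: _version_key(h.sxs_version)).sxs_version if versioned else "unknown"
    return "mismatch", (f"System32 MD5 {current.md5} matches none of {len(store)} WinSxS copies; "
                        f"newest store version is {newest}")


if __name__ == "__main__":
    verdict, detail = assess(parse_filefind(SAMPLE_LOG))
    print(verdict, "-", detail)
```

A mismatch is a lead, not a verdict: after a service pack or hotfix the live file is normally a hard link to the newest component version in WinSxS, so the check should be read against the highest version the store holds, and a file that matches no store copy should then be confirmed with a digital-signature check before it is treated as patched.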

#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 29 October 2011 - 07:33 AM

Blitzblank.

Download BlitzBlank and save it to your desktop. Open Blitzblank.exe

  • Click OK at the warning (and take note of it, this is a VERY powerful tool!).
  • Click the Script tab and copy/paste the following text there:
CopyFile:
C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.1.7600.16385_none_603b1e855897bcd6\netbt.sys C:\Windows\System32\drivers\netbt.sys
"C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.1.7600.16385_none_603b1e855897bcd6\netbt.sys" C:\Windows\System32\drivers\netbt.sys

  • Click Execute Now. Your computer will need to reboot in order to replace the files.
  • When done, post the report created by BlitzBlank. You can find it at the root of the drive, normally C:\


#12 MLynne

MLynne
  • Topic Starter

  • Members
  • 11 posts

Posted 29 October 2011 - 12:38 PM

BlitzBlank log:


BlitzBlank 1.0.0.32

File/Registry Modification Engine native application
CopyFileOnReboot: sourceFile = "\??\c:\windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.1.7600.16385_none_603b1e855897bcd6\netbt.sys", destinationFile = "\??\c:\windows\system32\drivers\netbt.sys"GetDataFromFile: ZwOpenFile failed: status = c0000022
CopyFileOnReboot: sourceFile = "\??\c:\windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.1.7600.16385_none_603b1e855897bcd6\netbt.sys", destinationFile = "\??\c:\windows\system32\drivers\netbt.sys"GetDataFromFile: ZwOpenFile failed: status = c0000022

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 29 October 2011 - 06:46 PM

Hello

:P2P Warning!:

IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter
File sharing infects 500,000 computers
USAToday
infoworld


These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.




TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM.
  • Double-click the MBAM icon.
  • Go to the Update tab at the top.
  • Click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

If you have problems running HijackThis:

Sometimes we have to run it like this. To run HijackThis as an administrator,
right-click HijackThis.exe (located at C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)
and select Run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


#14 MLynne

MLynne
  • Topic Starter

  • Members
  • 11 posts

Posted 31 October 2011 - 11:49 AM

I had an issue after attempting to run TFC. It stalled for about a half hour so I rebooted my computer, but now Windows does not want to start up. I am prompted to either choose startup repair or start Windows normally, but in either case I end up at a black screen. Starting in safe mode just stalls.

Update: Windows start up repair is stalling at a Windows splash screen with a cursor but is not (so far) moving beyond that. Windows startup (normal and safe mode) goes to the black screen with the Windows logo then a BSOD flashes for a split second (can't read anything) then it goes to a black screen and the PC reboots.

New Update: Startup repair finally got running and I'm able to boot into Windows now. I will try TFC and MBAM tonight/overnight and then HijackThis tomorrow and post the results.

Edited by MLynne, 31 October 2011 - 02:50 PM.


#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 31 October 2011 - 08:41 PM

Thanks for the updates. Skip TFC and do the rest.


gringo



