
TDSS still persistent in google/bing directs


36 replies to this topic

#1 ChamelionK

ChamelionK

  • Members
  • 22 posts

Posted 28 October 2011 - 06:46 PM

I'm running a Windows Vista 64 program, and had been having issues with an earlier virus that I was finally able to remove, and we (my dad and I) are able to find out that the problem also came with the TDSS rootkit. We followed the instructions on removing it, and also ran the program System Mechanic to fix any security issues (it would report two - Bing and Google - being redirected and would fix them), and while we're very positive that the aforementioned rootkit has been removed, we've noticed that it still keeps doing google/bing redirects whenever we're trying to do a search program - fortunately it's only been isolated to just those ones so far.

Also, I seem to notice that the aforementioned security issues would keep reappearing, so it makes me wonder what it is in the computer that's been doing the issue.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.6001.19154 BrowserJavaVersion: 1.6.0_17
Run by Owner at 19:51:21 on 2011-10-28
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.7934.5579 [GMT -4:00]
.
AV: System Shield *Enabled/Updated* {C132074B-BF68-2E15-D4FD-E242EED15F18}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: System Shield *Enabled/Updated* {7A53E6AF-9952-219B-EE4D-D930955615A5}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\atieclxx.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\MHotKey.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\ProgramData\EPSON\EPW!3 SSRP\E_S40STB.EXE
C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RPB.EXE
C:\Windows\svcs.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\SysWOW64\PnkBstrB.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\VERIZONDM\bin\sprtsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\ChiFuncExt.exe
C:\Program Files (x86)\VERIZONDM\bin\tgsrvc.exe
C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\DRIVERS\xaudio64.exe
C:\Windows\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files (x86)\iolo\Common\Lib\ioloServiceManager.exe
C:\Program Files (x86)\iolo\System Mechanic Professional\SystemGuardAlerter.exe
C:\Windows\RAVCpl64.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\iolo\System Mechanic Professional\System Shield\ioloSSTray.exe
C:\Program Files (x86)\VERIZONDM\bin\sprtcmd.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\CNYHKey.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files (x86)\Internet Explorer\IELowutil.exe
C:\Windows\splwow64.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://msn.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=0209&m=lx6200-01
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
BHO: IEPlugin Class: {11222041-111b-46e3-bd29-efb2449479b1} - C:\PROGRA~2\ArcSoft\VIDEOD~1\ARCURL~1.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Neopets: {cd292324-974f-4224-d074-caca427aa030} - C:\PROGRA~2\Neopets\Toolbar\Toolbar.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - C:\Program Files (x86)\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - C:\Program Files (x86)\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB: Neopets: {cd292324-974f-4224-d074-caca427aa030} - C:\PROGRA~2\Neopets\Toolbar\Toolbar.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
uRun: [EPSON WorkForce 500 Series] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIEQA.EXE /FU "C:\Windows\TEMP\E_S4F86.tmp" /EF "HKCU"
mRun: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
mRun: [ArcSoft Connection Service] "C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe"
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [VERIZONDM] "C:\Program Files (x86)\VERIZONDM\bin\sprtcmd.exe" /P VERIZONDM
mRun: [LedKey] CNYHKey.exe
mRun: [iolo Startup] "C:\Program Files (x86)\iolo\Common\Lib\ioloLManager.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg"&"inst=NzctNzMzMjI2NTM0LUZMMTArMS1ERFQrNDgxNzQtRk9JKzExLUREMTBGKzEtU1QxMEZBUFArMS1MMTBNKzItRjEwTTEyQVQrMTEtRjEwTTEyQSsxLUYxME0xMkFCKzEtVTEwKzEtU1QxMkZPSSsxLUYxME0xMkFVKzEtRVVMQSsxLVNUMTJGQVBQKzEtU1RGMTBNMTJBVUYrMQ"&"prod=90"&"ver=2012.0.1831"&"mid=e54b4b20e24f47d1a903d156a4de7695-6e891e4a3b434452288b09b3998be71f87a488e9
mRunOnce: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /install /silent
dRun: [volmgr] C:\Windows\system32\config\systemprofile\AppData\Local\volmgr.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: Read EXIF - C:\Program Files (x86)\ArcSoft\RAW Thumbnail Viewer\ArcEXIFM.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
LSP: C:\Windows\system32\iavlsp.dll
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.8.3/GarminAxControl.CAB
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} - hxxp://p.playfirst.com/play/game/cookingdash/CookingDashWeb.1.0.0.9.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.9.113.cab
DPF: {7A0D1738-10EA-47FF-92BE-4E137B5BE1A4} - hxxps://mpsnare.iesnare.com/StmOCX.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {BA35B9B8-DE9E-47C9-AFA7-3C77E3DDFD39} - hxxp://www.worldwinner.com/games/v46/monopoly/monopoly.cab
DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} - hxxp://p.playfirst.com/play/game/dinerdashfloonthego/ddfotg.1.0.0.32.cab
DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - hxxp://a.download.toontown.com/sv1.0.38.47/ttinst.cab
DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} - hxxps://ediagnostics.lexmark.com/serval.cab
DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} - hxxp://archives.gametap.com/static/cab_headless/GameTapWebUpdater.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CEBE157C-C91E-4A45-BB3C-45F8C77C012F} - hxxp://p.playfirst.com/play/game/wandering-willows/WanderingWillowsWeb.1.0.0.18.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-489553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-489553540022} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-489553540026} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-489553541400} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/webgames/popcaploader_v10.cab
DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.4.26.0.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{94C52B0A-0AE2-45E7-ABA4-D306B97E0259} : DhcpNameServer = 192.168.2.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Notify: menukof - C:\Windows\system32\config\systemprofile\AppData\Local\menukof.dll
BHO-X64: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
BHO-X64: IEPlugin Class: {11222041-111B-46E3-BD29-EFB2449479B1} - C:\PROGRA~2\ArcSoft\VIDEOD~1\ARCURL~1.DLL
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Neopets: {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~2\Neopets\Toolbar\Toolbar.dll
BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: EpsonToolBandKicker Class: {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files (x86)\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
TB-X64: EPSON Web-To-Page: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files (x86)\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB-X64: Neopets: {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~2\Neopets\Toolbar\Toolbar.dll
TB-X64: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB-X64: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
mRun-x64: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
mRun-x64: [ArcSoft Connection Service] "C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe"
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [VERIZONDM] "C:\Program Files (x86)\VERIZONDM\bin\sprtcmd.exe" /P VERIZONDM
mRun-x64: [LedKey] CNYHKey.exe
mRun-x64: [iolo Startup] "C:\Program Files (x86)\iolo\Common\Lib\ioloLManager.exe"
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRunOnce-x64: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg"&"inst=NzctNzMzMjI2NTM0LUZMMTArMS1ERFQrNDgxNzQtRk9JKzExLUREMTBGKzEtU1QxMEZBUFArMS1MMTBNKzItRjEwTTEyQVQrMTEtRjEwTTEyQSsxLUYxME0xMkFCKzEtVTEwKzEtU1QxMkZPSSsxLUYxME0xMkFVKzEtRVVMQSsxLVNUMTJGQVBQKzEtU1RGMTBNMTJBVUYrMQ"&"prod=90"&"ver=2012.0.1831"&"mid=e54b4b20e24f47d1a903d156a4de7695-6e891e4a3b434452288b09b3998be71f87a488e9
mRunOnce-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /install /silent
Hosts: 94.63.240.133 www.google.com
Hosts: 94.63.240.134 www.bing.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\l4d6yqer.default\
FF - component: C:\Program Files (x86)\ArcSoft\RAW Thumbnail Viewer\FireFox Extension\components\FirefoxMenu.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npijjiCHPlugin.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\Program Files (x86)\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: C:\ProgramData\NexonUS\NGM\npNxGameUS.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RAW Thumbnail Viewer: RAWThumbnailViewer@arcsoft.com.cn - C:\Program Files (x86)\ArcSoft\RAW Thumbnail Viewer\FireFox Extension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R1 ElRawDisk;ElRawDisk;\??\C:\Windows\system32\drivers\ElRawDsk.sys --> C:\Windows\system32\drivers\ElRawDsk.sys [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 AMP;Active Malware Protection Minifilter Driver;\??\C:\Windows\system32\Drivers\amp.sys --> C:\Windows\system32\Drivers\amp.sys [?]
R2 AMPSE;Active Malware Protection Support Driver;\??\C:\Windows\system32\Drivers\ampse.sys --> C:\Windows\system32\Drivers\ampse.sys [?]
R2 BBUpdate;BBUpdate;C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-6-15 249648]
R2 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 ioloSystemService;iolo System Service;C:\Program Files (x86)\iolo\Common\Lib\ioloServiceManager.exe [2011-10-15 722616]
R2 NetworkLog;NetworkLog;C:\Windows\svcs.exe [2011-10-23 508928]
R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);C:\Program Files (x86)\VERIZONDM\bin\sprtsvc.exe [2011-2-1 206120]
R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);C:\Program Files (x86)\VERIZONDM\bin\tgsrvc.exe [2011-2-1 185640]
R2 vseamps;vseamps;C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe [2011-1-21 121152]
R2 vsedsps;vsedsps;C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe [2011-1-21 119104]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx64coinst,serviceStartProc --> RUNDLL32.EXE ykx64coinst,serviceStartProc [?]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdLH6.sys --> C:\Windows\system32\drivers\AtihdLH6.sys [?]
R3 AVer88xHD;AVerMedia 23888 AvStream Video Capture;C:\Windows\system32\drivers\AVer88xHD64.sys --> C:\Windows\system32\drivers\AVer88xHD64.sys [?]
R3 CAXHWBS2;CAXHWBS2;C:\Windows\system32\DRIVERS\CAXHWBS2.sys --> C:\Windows\system32\DRIVERS\CAXHWBS2.sys [?]
R3 HpGmb001;USB Mobile Packet Filter Driver;C:\Windows\system32\DRIVERS\HpGmb001.SYS --> C:\Windows\system32\DRIVERS\HpGmb001.SYS [?]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RTS5121.sys --> C:\Windows\system32\Drivers\RTS5121.sys [?]
R3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x64.sys --> C:\Windows\system32\DRIVERS\yk60x64.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate1c9ad648f0c435b;Google Update Service (gupdate1c9ad648f0c435b);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2009-3-25 133104]
S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-7-7 195336]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2009-3-25 133104]
S3 npggsvc;nProtect GameGuard Service;C:\Windows\system32\GameMon.des -service --> C:\Windows\system32\GameMon.des -service [?]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 SQ931;USB 2.0 Video Camera;C:\Windows\system32\Drivers\Capt931a.sys --> C:\Windows\system32\Drivers\Capt931a.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 vseqrts;vseqrts;C:\Program Files\Common Files\Authentium\AntiVirus5\vseqrts.exe [2011-1-21 179008]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-6-9 89920]
.
=============== File Associations ===============
.
JSEFile=NOTEPAD.EXE %1
regfile=NOTEPAD.EXE %1
scrfile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.
=============== Created Last 30 ================
.
2011-10-28 21:47:45 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-10-28 13:51:13 -------- d-----w- C:\Program Files (x86)\Mystery Legends - Beauty and the Beast Collector's Edition
2011-10-27 11:04:06 627600 ----a-w- C:\Windows\System32\deployJava1.dll
2011-10-26 23:00:46 6144 ----a-w- C:\Program Files\Internet Explorer\iecompat.dll
2011-10-26 23:00:45 6144 ----a-w- C:\Program Files (x86)\Internet Explorer\iecompat.dll
2011-10-23 15:15:35 508928 ----a-w- C:\Windows\svcs.exe
2011-10-23 13:25:35 -------- d-----w- C:\Program Files\iPod
2011-10-23 13:25:05 -------- d-----w- C:\Program Files\iTunes
2011-10-23 13:25:05 -------- d-----w- C:\Program Files (x86)\iTunes
2011-10-23 12:52:03 -------- d-----w- C:\Program Files\Bonjour
2011-10-23 12:52:03 -------- d-----w- C:\Program Files (x86)\Bonjour
2011-10-23 02:33:15 40244 ----a-w- C:\Windows\SysWow64\0.4239797979691192.exe
2011-10-22 13:16:03 -------- d-----w- C:\Users\Owner\AppData\Local\SecondLife
2011-10-22 11:35:55 -------- d-----w- C:\Program Files (x86)\SecondLifeViewer2
2011-10-22 02:16:05 107832 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2011-10-22 02:16:03 682280 ----a-w- C:\Windows\SysWow64\pbsvc.exe
2011-10-22 02:16:03 66872 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe
2011-10-15 23:27:29 23464 ----a-w- C:\Windows\System32\drivers\ElRawDsk.sys
2011-10-15 22:39:32 74703 ----a-w- C:\Windows\SysWow64\mfc45.dll
2011-10-15 22:39:06 -------- d-----w- C:\Users\Owner\AppData\Roaming\iolo
2011-10-15 22:39:06 -------- d-----w- C:\ProgramData\iolo
2011-10-15 21:33:36 -------- d-----w- C:\Users\Owner\AppData\Roaming\PC Cleaners
2011-10-15 21:33:31 5356304 ----a-w- C:\Windows\uninst.exe
2011-10-15 21:33:30 -------- d-----w- C:\ProgramData\PC1Data
2011-10-15 21:22:21 -------- d-----w- C:\Users\Owner\AppData\Roaming\AVG
2011-10-15 01:41:17 -------- d-----w- C:\Users\Owner\AppData\Roaming\Malwarebytes
2011-10-15 01:33:48 -------- d-sh--w- C:\found.003
2011-10-13 03:22:50 -------- d-----w- C:\Program Files (x86)\MALWAREBYTES ANTI-MALWARE
2011-10-12 21:42:47 2764288 ----a-w- C:\Windows\System32\win32k.sys
2011-10-12 21:33:43 2409784 ----a-w- C:\Program Files\Windows Mail\OESpamFilter.dat
2011-10-12 21:33:43 2409784 ----a-w- C:\Program Files (x86)\Windows Mail\OESpamFilter.dat
2011-10-12 21:32:59 375808 ----a-w- C:\Windows\System32\psisdecd.dll
2011-10-12 21:32:58 73216 ----a-w- C:\Windows\System32\MSDvbNP.ax
2011-10-12 21:32:58 69632 ----a-w- C:\Windows\SysWow64\Mpeg2Data.ax
2011-10-12 21:32:58 57856 ----a-w- C:\Windows\SysWow64\MSDvbNP.ax
2011-10-12 21:32:58 293376 ----a-w- C:\Windows\SysWow64\psisdecd.dll
2011-10-12 21:32:58 289792 ----a-w- C:\Windows\System32\psisrndr.ax
2011-10-12 21:32:58 217088 ----a-w- C:\Windows\SysWow64\psisrndr.ax
2011-10-12 21:32:58 100352 ----a-w- C:\Windows\System32\Mpeg2Data.ax
2011-10-09 03:59:15 -------- d--h--w- C:\$AVG
2011-10-07 00:59:08 -------- d-----w- C:\Users\Owner\AppData\Local\Activision
2011-10-07 00:25:26 -------- d-----w- C:\Program Files (x86)\Activision
2011-10-07 00:19:23 -------- d-sh--w- C:\Windows\ftpcache
2011-09-29 20:19:10 -------- d-----w- C:\Program Files (x86)\My Company Name
2011-09-29 20:13:37 111120 ----a-w- C:\Windows\System32\drivers\AtihdLH6.sys
2011-09-29 20:09:45 58880 ----a-w- C:\Windows\System32\coinst.dll
.
==================== Find3M ====================
.
2011-10-26 03:10:55 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-09-30 23:25:35 1147904 ----a-w- C:\Windows\System32\wininet.dll
2011-09-30 23:21:20 56832 ----a-w- C:\Windows\System32\licmgr10.dll
2011-09-30 23:21:00 1538560 ----a-w- C:\Windows\System32\inetcpl.cpl
2011-09-30 23:20:40 132096 ----a-w- C:\Windows\System32\iesysprep.dll
2011-09-30 23:20:39 77312 ----a-w- C:\Windows\System32\iesetup.dll
2011-09-30 23:06:24 916480 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-09-30 23:02:06 43520 ----a-w- C:\Windows\SysWow64\licmgr10.dll
2011-09-30 23:01:51 1469440 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2011-09-30 23:01:34 71680 ----a-w- C:\Windows\SysWow64\iesetup.dll
2011-09-30 23:01:34 109056 ----a-w- C:\Windows\SysWow64\iesysprep.dll
2011-09-30 22:29:23 479232 ----a-w- C:\Windows\System32\html.iec
2011-09-30 22:07:25 385024 ----a-w- C:\Windows\SysWow64\html.iec
2011-09-30 21:48:19 162816 ----a-w- C:\Windows\System32\ieUnatt.exe
2011-09-30 21:47:04 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2011-09-30 21:29:54 133632 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2011-09-30 21:28:36 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-08-31 21:00:50 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-08-31 03:05:32 96104 ----a-w- C:\Windows\System32\dns-sd.exe
2011-08-31 03:05:32 85864 ----a-w- C:\Windows\System32\dnssd.dll
2011-08-31 03:05:32 212840 ----a-w- C:\Windows\System32\dnssdX.dll
2011-08-31 03:05:04 83816 ----a-w- C:\Windows\SysWow64\dns-sd.exe
2011-08-31 03:05:04 73064 ----a-w- C:\Windows\SysWow64\dnssd.dll
2011-08-31 03:05:04 178536 ----a-w- C:\Windows\SysWow64\dnssdX.dll
2011-08-25 16:20:38 735744 ----a-w- C:\Windows\System32\UIAutomationCore.dll
2011-08-25 16:19:32 847360 ----a-w- C:\Windows\System32\oleaut32.dll
2011-08-25 16:19:32 332288 ----a-w- C:\Windows\System32\oleacc.dll
2011-08-25 16:15:04 555520 ----a-w- C:\Windows\SysWow64\UIAutomationCore.dll
2011-08-25 16:14:01 563712 ----a-w- C:\Windows\SysWow64\oleaut32.dll
2011-08-25 16:14:01 238080 ----a-w- C:\Windows\SysWow64\oleacc.dll
2011-08-25 13:54:14 4096 ----a-w- C:\Windows\System32\oleaccrc.dll
2011-08-25 13:31:01 4096 ----a-w- C:\Windows\SysWow64\oleaccrc.dll
2011-08-08 19:01:40 14848 ----a-w- C:\Windows\System32\smrgdf.exe
2011-08-08 19:01:34 45568 ----a-w- C:\Windows\System32\iolobtdfg.exe
2011-08-08 18:18:18 2141832 ----a-w- C:\Windows\System32\Incinerator64.dll
2011-08-08 18:18:16 2083464 ----a-w- C:\Windows\SysWow64\Incinerator32.dll
.
============= FINISH: 19:53:22.37 ===============

Edited by ChamelionK, 28 October 2011 - 06:59 PM.
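The DDS report above already shows what keeps the redirects alive after the rootkit itself is gone: the Hosts entries pin www.google.com and www.bing.com to 94.63.240.133 and 94.63.240.134, and the same report carries a Winlogon Notify DLL and a dRun entry under the system profile's AppData, DisableTaskMgr set to 1, and a service running from C:\Windows\svcs.exe. The script below is an added example, not something posted in this thread and not part of DDS or ComboFix: it runs a few defender-side triage rules over lines copied from that report, and the rule names, regexes and watched-host list are assumptions of the example rather than anything the tools themselves define.

```python
"""Triage helper for DDS "Pseudo HJT Report" style output.

Added example for this thread, not part of DDS or ComboFix. It flags the
entries that explain a search redirect that survives rootkit removal:
hosts-file pins, Winlogon Notify DLLs and Run keys living in user-writable
or system-profile paths, Task Manager being disabled, and services whose
image sits directly in C:\\Windows rather than a subfolder.
"""
import re
from ipaddress import ip_address

# Constructed sample: lines copied from the DDS report posted above,
# plus one benign Hosts line to show that loopback mappings are not flagged.
SAMPLE_DDS = r"""
uStart Page = hxxp://msn.com/
mWinlogon: Userinit=userinit.exe,
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
dRun: [volmgr] C:\Windows\system32\config\systemprofile\AppData\Local\volmgr.exe
dPolicies-system: DisableTaskMgr = 1 (0x1)
TCP: DhcpNameServer = 192.168.2.1
Notify: menukof - C:\Windows\system32\config\systemprofile\AppData\Local\menukof.dll
Hosts: 94.63.240.133 www.google.com
Hosts: 94.63.240.134 www.bing.com
Hosts: 127.0.0.1 localhost
R2 NetworkLog;NetworkLog;C:\Windows\svcs.exe [2011-10-23 508928]
"""

# Hostnames a search redirector typically pins (assumption for this example).
WATCHED_HOSTS = {"google.com", "www.google.com", "bing.com", "www.bing.com"}

# Line shapes as DDS prints them: key, optional [name], then the value.
RUN_RE = re.compile(r"^[umd]Run(?:Once)?(?:-x64)?: \[[^\]]*\] (?P<cmd>.+)$")
NOTIFY_RE = re.compile(r"^Notify: \S+ - (?P<path>.+)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+) (?P<host>\S+)$")
TASKMGR_RE = re.compile(r"^[umd]Policies-system: DisableTaskMgr = 1\b")
SERVICE_RE = re.compile(r"^[RS]\d [^;]+;[^;]*;(?P<image>.+)$")

# Paths where a legitimate autostart or Notify DLL rarely lives.
USER_WRITABLE = re.compile(
    r"\\AppData\\Local\\|\\config\\systemprofile\\|\\Temp\\", re.IGNORECASE)
# An .exe sitting directly in C:\Windows rather than in a subfolder.
WINDOWS_ROOT_EXE = re.compile(r"^C:\\Windows\\[^\\;\[ ]+\.exe", re.IGNORECASE)


def _hosts_pinned(ip: str, host: str) -> bool:
    """True when a watched hostname is mapped to a routable address."""
    if host.lower() not in WATCHED_HOSTS:
        return False
    try:
        addr = ip_address(ip)
    except ValueError:
        return True  # something that is not an IP where one belongs is worth a look
    return not (addr.is_loopback or addr.is_unspecified)


def classify(line: str):
    """Return a rule name for a suspicious DDS line, or None if it looks normal."""
    m = HOSTS_RE.match(line)
    if m:
        return "hosts_hijack" if _hosts_pinned(m["ip"], m["host"]) else None
    if TASKMGR_RE.match(line):
        return "taskmgr_disabled"
    m = RUN_RE.match(line)
    if m:
        return "autorun_user_writable" if USER_WRITABLE.search(m["cmd"]) else None
    m = NOTIFY_RE.match(line)
    if m:
        return "winlogon_notify_dll" if USER_WRITABLE.search(m["path"]) else None
    m = SERVICE_RE.match(line)
    if m:
        return "service_in_windows_root" if WINDOWS_ROOT_EXE.match(m["image"]) else None
    return None


def scan_dds(text: str):
    """Scan a DDS log and return (rule, line) pairs for every line that hits a rule."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        rule = classify(line)
        if rule:
            findings.append((rule, line))
    return findings


if __name__ == "__main__":
    for rule, line in scan_dds(SAMPLE_DDS):
        print(f"{rule:24} {line}")
```

On the sample it reports six hits: the two Hosts pins, the DisableTaskMgr policy, the volmgr dRun entry, the menukof Notify DLL, and the NetworkLog service image in C:\Windows.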



#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 29 October 2011 - 10:10 AM

Hello ChamelionK! Welcome to BleepingComputer Forums!

My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.





Please download ComboFix from the link below:

Combofix

Save it to your Desktop <-- Important!!!

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click it & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Notes: Skip the Recovery Console part as you're running Vista. You can use the Windows DVD to boot into the Vista Recovery Environment if something goes awry.
  • Click on Yes, to continue scanning for malware.
  • If you receive a UAC prompt asking if you want to continue running the program, you should press the Continue button.
  • When finished, it will produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
  • Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.
  • If you no longer have access to your Internet connection after running ComboFix, please reboot to restore it. If that does not restore the connection, then follow the instructions for Manually restoring the Internet connection provided in the "How to Guide" you printed out earlier.



-- Do not touch your mouse/keyboard until the ComboFix scan has completed, as this may cause the process to stall or the computer to lock.




Regards,
Georgi



#3 ChamelionK

ChamelionK
  • Topic Starter

  • Members
  • 22 posts

Posted 29 October 2011 - 04:40 PM

Okay, running Combofix as we speak (and I am reporting this on a laptop so as not to interrupt the process) but it seems that it stalled a bit when it's on the "deleting Folders" step. I'm not sure if this is supposed to happen or not.

Scratch that. It's working normally now.

Edited by ChamelionK, 29 October 2011 - 04:42 PM.


#4 ChamelionK

ChamelionK
  • Topic Starter

  • Members
  • 22 posts

Posted 29 October 2011 - 05:13 PM

Here's the log of the ComboFix. Also, when I turned back on System Shield, it reported that there are now 5 security vulnerabilities and 5 registry problems - they do have the ability to fix them but I'd rather wait for your okay first to see what to do.

Other than that, I did a test to see if the searches were operating normally, and at the time of this report, they are, but as I said before, I want to make sure everything is cleaned out first before I consider this problem solved.

EDIT: one other thing. My dad and I have two different accounts on the same computer that's been having this issue. I ran the ComboFix on my side of the computer. Would that also have carried over to my dad's side to fix that end as well, or should I re-run it again on his side?


ComboFix 11-10-29.05 - Kory 10/29/2011 17:14:20.1.4 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.7934.4636 [GMT -4:00]
Running from: c:\users\Kory\Desktop\ComboFix.exe
AV: System Shield *Disabled/Updated* {C132074B-BF68-2E15-D4FD-E242EED15F18}
SP: System Shield *Disabled/Updated* {7A53E6AF-9952-219B-EE4D-D930955615A5}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
c:\program files (x86)\Fast Browser Search
c:\users\Kory\AppData\Roaming\4922.5CE
c:\users\Kory\AppData\Roaming\install
c:\users\Kory\AppData\Roaming\Remote
c:\users\Kory\AppData\Roaming\Remote\hnqyzs
c:\windows\svcs.exe
c:\windows\SysWow64\0.4239797979691192.exe
c:\windows\system32\slwga.dll . . . . Failed to delete
c:\windows\system32\srrstr.dll . . . . Failed to delete
c:\windows\system32\systemcpl.dll . . . . Failed to delete
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_NetworkLog
.
.
((((((((((((((((((((((((( Files Created from 2011-09-28 to 2011-10-29 )))))))))))))))))))))))))))))))
.
.
2011-10-29 21:40 . 2011-10-29 21:40 -------- d-----w- c:\users\Owner\AppData\Local\temp
2011-10-29 21:40 . 2011-10-29 21:40 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-28 21:47 . 2011-10-28 21:47 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-10-28 14:09 . 2011-10-28 14:09 -------- d-----w- c:\users\Kory\AppData\Roaming\PlayPond
2011-10-28 13:51 . 2011-10-28 13:53 -------- d-----w- c:\program files (x86)\Mystery Legends - Beauty and the Beast Collector's Edition
2011-10-27 11:04 . 2011-10-27 11:03 627600 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-26 23:00 . 2011-08-13 05:11 6144 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2011-10-26 23:00 . 2011-08-13 04:43 6144 ----a-w- c:\program files (x86)\Internet Explorer\iecompat.dll
2011-10-26 22:27 . 2011-10-26 22:27 -------- d-----w- c:\programdata\ATI
2011-10-23 13:25 . 2011-10-23 13:25 -------- d-----w- c:\program files\iPod
2011-10-23 13:25 . 2011-10-23 13:26 -------- d-----w- c:\program files\iTunes
2011-10-23 13:25 . 2011-10-23 13:26 -------- d-----w- c:\program files (x86)\iTunes
2011-10-23 12:52 . 2011-10-23 12:52 -------- d-----w- c:\program files\Bonjour
2011-10-23 12:52 . 2011-10-23 12:52 -------- d-----w- c:\program files (x86)\Bonjour
2011-10-22 13:16 . 2011-10-26 14:56 -------- d-----w- c:\users\Owner\AppData\Roaming\SecondLife
2011-10-22 13:16 . 2011-10-26 15:06 -------- d-----w- c:\users\Owner\AppData\Local\SecondLife
2011-10-22 11:35 . 2011-10-22 11:37 -------- d-----w- c:\program files (x86)\SecondLifeViewer2
2011-10-22 02:16 . 2011-10-22 02:16 107832 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2011-10-22 02:16 . 2011-10-22 02:16 682280 ----a-w- c:\windows\SysWow64\pbsvc.exe
2011-10-22 02:16 . 2011-10-22 02:16 66872 ----a-w- c:\windows\SysWow64\PnkBstrA.exe
2011-10-20 11:27 . 2011-10-20 11:31 -------- d-----w- c:\program files\Java
2011-10-16 16:08 . 2011-10-17 17:21 -------- d-----w- c:\users\Kory\AppData\Roaming\iolo
2011-10-15 23:27 . 2008-12-09 14:59 23464 ----a-w- c:\windows\system32\drivers\ElRawDsk.sys
2011-10-15 22:39 . 2011-10-15 22:39 74703 ----a-w- c:\windows\SysWow64\mfc45.dll
2011-10-15 22:39 . 2011-10-28 10:30 -------- d-----w- c:\users\Owner\AppData\Roaming\iolo
2011-10-15 22:39 . 2011-10-17 17:26 -------- d-----w- c:\programdata\iolo
2011-10-15 21:33 . 2011-10-15 21:33 -------- d-----w- c:\users\Owner\AppData\Roaming\PC Cleaners
2011-10-15 21:33 . 2011-10-15 21:32 5356304 ----a-w- c:\windows\uninst.exe
2011-10-15 21:33 . 2011-10-15 21:33 -------- d-----w- c:\programdata\PC1Data
2011-10-15 21:22 . 2011-10-15 21:22 -------- d-----w- c:\users\Owner\AppData\Roaming\AVG
2011-10-15 01:41 . 2011-10-15 01:41 -------- d-----w- c:\users\Owner\AppData\Roaming\Malwarebytes
2011-10-15 01:33 . 2011-10-20 16:38 -------- d-----w- C:\found.003
2011-10-13 18:26 . 2011-10-13 18:26 -------- d-----w- c:\programdata\LogiShrd
2011-10-13 12:17 . 2011-10-13 12:17 -------- d-----w- c:\windows\system32\config\systemprofile\{A27179C3-BFF8-45C7-BB46-A9A5FD1D8CF8}
2011-10-13 03:22 . 2011-10-13 19:52 -------- d-----w- c:\program files (x86)\MALWAREBYTES ANTI-MALWARE
2011-10-12 21:42 . 2011-09-06 13:56 2764288 ----a-w- c:\windows\system32\win32k.sys
2011-10-12 21:33 . 2011-09-14 10:52 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-10-12 21:33 . 2011-09-14 10:51 2409784 ----a-w- c:\program files (x86)\Windows Mail\OESpamFilter.dat
2011-10-12 21:32 . 2011-07-29 16:08 375808 ----a-w- c:\windows\system32\psisdecd.dll
2011-10-12 21:32 . 2011-07-29 16:08 289792 ----a-w- c:\windows\system32\psisrndr.ax
2011-10-12 21:32 . 2011-07-29 16:06 73216 ----a-w- c:\windows\system32\MSDvbNP.ax
2011-10-12 21:32 . 2011-07-29 16:06 100352 ----a-w- c:\windows\system32\Mpeg2Data.ax
2011-10-12 21:32 . 2011-07-29 16:01 293376 ----a-w- c:\windows\SysWow64\psisdecd.dll
2011-10-12 21:32 . 2011-07-29 16:01 217088 ----a-w- c:\windows\SysWow64\psisrndr.ax
2011-10-12 21:32 . 2011-07-29 16:00 57856 ----a-w- c:\windows\SysWow64\MSDvbNP.ax
2011-10-12 21:32 . 2011-07-29 16:00 69632 ----a-w- c:\windows\SysWow64\Mpeg2Data.ax
2011-10-10 11:45 . 2011-10-10 11:48 -------- d-----w- c:\users\Kory\AppData\Roaming\AVG
2011-10-09 03:59 . 2011-10-09 03:59 -------- d-----w- C:\$AVG
2011-10-07 03:58 . 2011-10-07 03:58 -------- d-----w- c:\users\Kory\AppData\Local\Activision
2011-10-07 00:59 . 2011-10-22 02:07 -------- d-----w- c:\users\Owner\AppData\Local\Activision
2011-10-07 00:25 . 2011-10-07 00:25 -------- d-----w- c:\program files (x86)\Activision
2011-10-07 00:19 . 2011-10-07 00:19 -------- d-sh--w- c:\windows\ftpcache
2011-10-06 16:18 . 2011-10-06 16:18 -------- d-----w- c:\windows\system32\config\systemprofile\{E47CE1B8-9B6A-4C52-810E-C263754EC3C6}
2011-10-05 11:19 . 2011-10-05 11:19 -------- d-----w- c:\windows\system32\config\systemprofile\{82E71709-9F4E-44BA-A83D-4E37F7761E73}
2011-10-05 11:17 . 2011-10-05 11:18 -------- d-----w- c:\windows\system32\config\systemprofile\{C1EC7E97-D429-4ADB-933B-EBACC2B2854F}
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-26 03:10 . 2011-06-06 00:49 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-09-18 10:55 . 2011-09-18 10:55 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-08-31 21:00 . 2010-12-12 11:22 25416 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-31 03:05 . 2011-08-31 03:05 96104 ----a-w- c:\windows\system32\dns-sd.exe
2011-08-31 03:05 . 2011-08-31 03:05 85864 ----a-w- c:\windows\system32\dnssd.dll
2011-08-31 03:05 . 2011-08-31 03:05 212840 ----a-w- c:\windows\system32\dnssdX.dll
2011-08-31 03:05 . 2011-08-31 03:05 83816 ----a-w- c:\windows\SysWow64\dns-sd.exe
2011-08-31 03:05 . 2011-08-31 03:05 73064 ----a-w- c:\windows\SysWow64\dnssd.dll
2011-08-31 03:05 . 2011-08-31 03:05 178536 ----a-w- c:\windows\SysWow64\dnssdX.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2011-08-04 1242448]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"ArcSoft Connection Service"="c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-04-07 102400]
"VERIZONDM"="c:\program files (x86)\VERIZONDM\bin\sprtcmd.exe" [2011-02-01 206120]
"LedKey"="CNYHKey.exe" [2008-04-24 339968]
"iolo Startup"="c:\program files (x86)\iolo\Common\Lib\ioloLManager.exe" [2011-08-08 606392]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-10-09 421736]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbam.exe" [2011-08-31 1047208]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg&inst=NzctNzMzMjI2NTM0LUZMMTArMS1ERFQrNDgxNzQtRk9JKzExLUREMTBGKzEtU1QxMEZBUFArMS1MMTBNKzItRjEwTTEyQVQrMTEtRjEwTTEyQSsxLUYxME0xMkFCKzEtVTEwKzEtU1QxMkZPSSsxLUYxME0xMkFVKzEtRVVMQSsxLVNUMTJGQVBQKzEtU1RGMTBNMTJBVUYrMQ&prod=90&ver=2012.0.1831&mid=e54b4b20e24f47d1a903d156a4de7695-6e891e4a3b434452288b09b3998be71f87a488e9" [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\menukof]
2011-10-22 20:09 11264 ----a-w- c:\windows\System32\config\systemprofile\AppData\Local\menukof.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BITS]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EventSystem]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ioloSystemService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vseamps]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vsedsps]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vseqrts]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate1c9ad648f0c435b;Google Update Service (gupdate1c9ad648f0c435b);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-03-25 133104]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-07-07 195336]
R3 dump_wmimmc;dump_wmimmc;c:\ntreev usa\Pangya\GameGuard\dump_wmimmc.sys [x]
R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-03-25 133104]
R3 npkcft64;npkcft64;c:\nexon\MapleStory\npkcft64.sys [x]
R3 npkuft64;npkuft64;c:\nexon\MapleStory\npkuft64.sys [x]
R3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 SQ931;USB 2.0 Video Camera;c:\windows\system32\Drivers\Capt931a.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 vseqrts;vseqrts;c:\program files\Common Files\Authentium\AntiVirus5\vseqrts.exe [2011-01-21 179008]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\ElRawDsk.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 AMP;Active Malware Protection Minifilter Driver;c:\windows\system32\Drivers\amp.sys [x]
S2 AMPSE;Active Malware Protection Support Driver;c:\windows\system32\Drivers\ampse.sys [x]
S2 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-06-15 249648]
S2 ioloSystemService;iolo System Service;c:\program files (x86)\iolo\Common\Lib\ioloServiceManager.exe [2011-08-08 722616]
S2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files (x86)\VERIZONDM\bin\sprtsvc.exe [2011-02-01 206120]
S2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files (x86)\VERIZONDM\bin\tgsrvc.exe [2011-02-01 185640]
S2 vseamps;vseamps;c:\program files\Common Files\Authentium\AntiVirus5\vseamps.exe [2011-01-21 121152]
S2 vsedsps;vsedsps;c:\program files\Common Files\Authentium\AntiVirus5\vsedsps.exe [2011-01-21 119104]
S2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx64coinst,serviceStartProc [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdLH6.sys [x]
S3 AVer88xHD;AVerMedia 23888 AvStream Video Capture;c:\windows\system32\drivers\AVer88xHD64.sys [x]
S3 CAXHWBS2;CAXHWBS2;c:\windows\system32\DRIVERS\CAXHWBS2.sys [x]
S3 HpGmb001;USB Mobile Packet Filter Driver;c:\windows\system32\DRIVERS\HpGmb001.SYS [x]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RTS5121.sys [x]
S3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk60x64.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - ioloSGuardDriver
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-03-25 16:12]
.
2011-10-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-03-25 16:12]
.
2011-10-29 c:\windows\Tasks\User_Feed_Synchronization-{3C9C65C3-B250-4683-A8CD-89490F05D976}.job
- c:\windows\system32\msfeedssync.exe [2011-10-12 21:29]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RAVCpl64.exe" [2008-08-19 6456352]
"Skytel"="Skytel.exe" [2008-08-19 1833504]
"combofix"="c:\combofix\CF9418.3XE" [2008-01-21 363008]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.neopets.com/
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=0209&m=lx6200-01
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\iavlsp.dll
Trusted Zone: gametap.com
TCP: DhcpNameServer = 192.168.2.1
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.8.3/GarminAxControl.CAB
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
DPF: {7A0D1738-10EA-47FF-92BE-4E137B5BE1A4} - hxxps://mpsnare.iesnare.com/StmOCX.cab
DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} - hxxp://archives.gametap.com/static/cab_headless/GameTapWebUpdater.cab
DPF: {CEBE157C-C91E-4A45-BB3C-45F8C77C012F} - hxxp://p.playfirst.com/play/game/wandering-willows/WanderingWillowsWeb.1.0.0.18.cab
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Kory\AppData\Roaming\Mozilla\Firefox\Profiles\invl15f1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.neopets.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 64869
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKU-Default-Run-volmgr - c:\windows\system32\config\systemprofile\AppData\Local\volmgr.exe
SafeBoot-AMP
SafeBoot-AMPSE
HKLM-Run-Windows Defender - c:\program files (x86)\Windows Defender\MSASCui.exe
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-PunkBusterSvc - c:\windows\system32\pbsvc.exe
AddRemove-Move Media Player - c:\users\Kory\AppData\Roaming\Move Networks\uninstall.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3293240728-1398273569-3462809688-1001\* ;*]
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-3293240728-1398273569-3462809688-1001\0* ;*]
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-3293240728-1398273569-3462809688-1001\Software\SecuROM\License information*]
"datasecu"=hex:2a,c0,ac,cd,da,33,25,91,8f,77,3f,c5,27,f7,10,76,28,bd,82,01,d1,
e8,1d,ea,36,fd,cd,59,ea,78,ea,82,60,0e,00,0c,5d,01,e5,f7,34,51,d4,7a,1a,49,\
"rkeysecu"=hex:55,3c,15,51,f5,ef,7d,d5,76,84,bd,57,64,a0,f4,50
.
[HKEY_USERS\S-1-5-21-3293240728-1398273569-3462809688-1001\`* =*]
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-3293240728-1398273569-3462809688-1001\À*¬ &*]
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-3293240728-1398273569-3462809688-1001\¬ *É*]
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-3293240728-1398273569-3462809688-1001\¬ '*!*]
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-3293240728-1398273569-3462809688-1001\¬ ×* *]
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-3293240728-1398273569-3462809688-1001\¬ ×*¡*]
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-3293240728-1398273569-3462809688-1001\¬ ×*²*]
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-3293240728-1398273569-3462809688-1001\¬ ×*³*]
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-3293240728-1398273569-3462809688-1001\¬ ×*º*]
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-3293240728-1398273569-3462809688-1001\¬ ×*Ñ*]
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-3293240728-1398273569-3462809688-1001\¬ û*Á*]
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-3293240728-1398273569-3462809688-1001\¬ û*Æ*]
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-3293240728-1398273569-3462809688-1001\¬ û*Ç*]
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-3293240728-1398273569-3462809688-1001\¬ û*Ù*]
@Allowed: (Read) (RestrictedCode)
DUMPHIVE0.003 (REGF)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\MHotKey.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\SysWOW64\PnkBstrA.exe
c:\windows\SysWOW64\PnkBstrB.exe
c:\program files (x86)\iolo\System Mechanic Professional\SystemGuardAlerter.exe
c:\windows\ChiFuncExt.exe
c:\windows\CNYHKey.exe
c:\program files (x86)\iolo\System Mechanic Professional\System Shield\ioloSSTray.exe
.
**************************************************************************
.
Completion time: 2011-10-29 18:08:54 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-29 22:08
.
Pre-Run: 237,270,102,016 bytes free
Post-Run: 236,931,710,976 bytes free
.
Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 776B2CDF04B30157A3FFDFE3AEE0819E

Edited by ChamelionK, 29 October 2011 - 05:16 PM.


#5 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:08:10 PM

Posted 29 October 2011 - 08:11 PM

Also, when I turned System Shield back on, it reported that there are now 5 security vulnerabilities and 5 registry problems - it does have the ability to fix them, but I'd rather wait for your okay first to see what to do.



Hi again,



Registry Editor / Cleaner Warning !!



The following is referring to System Mechanic.
Please be aware that BleepingComputer staff do not recommend the use of registry cleaners/tools, for the following reasons:
  • Registry tools can cause irreparable damage to your operating system.
  • Registry tools can, as a result of the above, render your PC inoperable.
This is said on the assumption that the majority of the audience here at this board may be inexperienced users, and is thus a suggested safeguard from our side.
If you feel you need a registry cleaner, then you are just as welcome to keep it. This is what we refer to as an "optional fix" and it is up to the user, so just take this as a recommendation from my side.


For more information about why you should avoid using such programs, please take a look here => Registry Cleaners and System Tweaking Tools



Other than that, I did a test to see if the searches were operating normally, and at the time of this report, they are, but as I said before, I want to make sure everything is cleaned out first before I consider this problem solved.



We still have work to do here!

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Virustotal

When the Virustotal page has finished loading, click the Browse button and navigate to the following file and click Submit.

c:\windows\System32\config\systemprofile\AppData\Local\menukof.dll

Note: if VT says the file has already been analysed, make sure you click "Reanalyse file now".

Please post back the results of the scan in your next post.

If Virustotal is busy, try the same at Virscan: http://virscan.org/



EDIT: one other thing. My dad and I have two different accounts on the same computer that's been having this issue. I ran the ComboFix on my side of the computer. Would that also have carried over to my dad's side to fix that end as well, or should I re-run it again on his side?




Thanks for letting me know. I think we should check his side with ComboFix as well. But hold on - let me do a little research on this so I can find out. ;)



Regards,
Georgi



#6 ChamelionK

ChamelionK
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:12:10 PM

Posted 29 October 2011 - 08:23 PM

That will be a while. My dad is currently on the computer (and I did test for the search redirect on his side; it seems fine now), so I won't be able to do this step right away, but it will be done eventually.

#7 ChamelionK

ChamelionK
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:12:10 PM

Posted 29 October 2011 - 09:09 PM

Results:

Antivirus Version Last Update Result
AhnLab-V3 2011.10.29.00 2011.10.29 Trojan/Win32.Agent
AntiVir 7.11.16.201 2011.10.28 TR/Spy.Gen
Antiy-AVL 2.0.3.7 2011.10.29 -
Avast 6.0.1289.0 2011.10.29 -
AVG 10.0.0.1190 2011.10.30 -
BitDefender 7.2 2011.10.30 -
ByteHero 1.0.0.1 2011.09.23 -
CAT-QuickHeal 11.00 2011.10.29 -
ClamAV 0.97.3.0 2011.10.29 -
Commtouch 5.3.2.6 2011.10.30 -
Comodo 10598 2011.10.29 UnclassifiedMalware
DrWeb 5.0.2.03300 2011.10.30 -
Emsisoft 5.1.0.11 2011.10.30 Trojan-Spy!IK
eSafe 7.0.17.0 2011.10.26 -
eTrust-Vet 36.1.8645 2011.10.28 -
F-Prot 4.6.5.141 2011.10.30 -
F-Secure 9.0.16440.0 2011.10.30 -
Fortinet 4.3.370.0 2011.10.30 -
GData 22 2011.10.30 -
Ikarus T3.1.1.107.0 2011.10.29 Trojan-Spy
Jiangmin 13.0.900 2011.10.29 -
K7AntiVirus 9.116.5354 2011.10.29 -
Kaspersky 9.0.0.837 2011.10.30 -
McAfee 5.400.0.1158 2011.10.30 -
McAfee-GW-Edition 2010.1D 2011.10.29 Heuristic.BehavesLike.Win32.Spyware.J
Microsoft 1.7801 2011.10.29 -
NOD32 6586 2011.10.30 -
Norman 6.07.13 2011.10.29 -
nProtect 2011-10-29.01 2011.10.29 -
Panda 10.0.3.5 2011.10.29 Generic Malware
PCTools 8.0.0.5 2011.10.30 -
Prevx 3.0 2011.10.30 -
Rising 23.81.04.01 2011.10.28 -
Sophos 4.70.0 2011.10.30 -
SUPERAntiSpyware 4.40.0.1006 2011.10.29 -
Symantec 20111.2.0.82 2011.10.30 -
TheHacker 6.7.0.1.335 2011.10.28 -
TrendMicro 9.500.0.1008 2011.10.30 -
TrendMicro-HouseCall 9.500.0.1008 2011.10.30 -
VBA32 3.12.16.4 2011.10.25 -
VIPRE 10914 2011.10.30 -
ViRobot 2011.10.29.4745 2011.10.29 -
VirusBuster 14.1.37.0 2011.10.29 -

#8 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:08:10 PM

Posted 29 October 2011 - 09:09 PM

Don't worry and take your time.
We have different timezone.
Here it is 04:06 a.m. and I'll get some sleep.
See ya tomorrow, as I'm very tired and might just fall asleep while typing... stay tuned. :wink:
As I said, we still have work to do, so please stick with me until I say the computer is malware free.



Regards,
Georgi



#9 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:08:10 PM

Posted 29 October 2011 - 09:23 PM

Delete your copy of ComboFix and download a fresh one from here.

Save it to your desktop, but do not run it yet! <--- important!!!



We need to execute a CFScript to clean some remnants.

Please do this:


1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

2. Open notepad => navigate to format and make sure that wordwrap is unchecked. <--- important !!!

3. Copy/paste the text in the codebox below into it:

www.bleepingcomputer.com/forums/topic425486.html

Collect::
c:\windows\System32\config\systemprofile\AppData\Local\menukof.dll
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\menukof]
Firefox::
FF - ProfilePath - c:\users\Kory\AppData\Roaming\Mozilla\Firefox\Profiles\invl15f1.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 64869

4. Save this as CFScript.txt, in the same location as ComboFix.exe


5. Close any open browsers.

6. Referring to the picture above, drag CFScript into ComboFix.exe.

7. When Combofix finishes running, the ComboFix log will open along with a message box. With the above script, ComboFix captured some files to submit for analysis.

  • Important: Ensure you are connected to the internet before clicking OK on the message box.
  • A blue screen will appear, auto-uploading the zipped file I requested.
  • After the uploading is done you should see a message near the bottom saying "Upload was Successful".

**NOTE**
  • IF for some reason ComboFix fails to upload anything, you will see this message:
  • Please double-click this file: C:\CF-Submit.htm and follow the instructions there to upload that zipped file.


Also reply back to let me know how things are going.



Regards,
Georgi

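The three remnants the CFScript above targets are the ones that explain a redirect surviving a TDSS cleanup: a Winlogon Notify package (menukof.dll) living under the SYSTEM account's profile, where no interactive user should be writing, and an HTTP proxy in the Firefox profile pointing back at 127.0.0.1 on an unusual port, which is how a user-mode redirector rewrites search results without touching DNS. One caveat worth knowing when reading that log: Firefox's network.proxy.type value 0 means "no proxy", so at the time of the scan the loopback proxy was configured but not in use (type 1 is manual proxy, which is when it would actually intercept traffic); it is still correct to strip it. As an added example, not code from this thread or from ComboFix, the Python below pulls these indicators out of a ComboFix log mechanically so the same checks can be run on the second log, or on the other user account's log when that is taken. The sample log is a constructed excerpt of lines quoted from the log posted earlier in this thread; the function names and finding categories are my own.

```python
"""Triage a ComboFix log for the redirect and persistence indicators seen in this thread.

Added example, not code from the thread or from ComboFix. The sample below is a
constructed excerpt of lines quoted from the posted log; function names are mine.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample: a handful of lines excerpted from the posted ComboFix log.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
c:\windows\svcs.exe
c:\windows\SysWow64\0.4239797979691192.exe
c:\windows\system32\slwga.dll . . . . Failed to delete
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\menukof]
2011-10-22 20:09 11264 ----a-w- c:\windows\System32\config\systemprofile\AppData\Local\menukof.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2011-08-04 1242448]
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 64869
FF - prefs.js: network.proxy.type - 0
Wow6432Node-HKU-Default-Run-volmgr - c:\windows\system32\config\systemprofile\AppData\Local\volmgr.exe
"""

# "FF - prefs.js: <name> - <value>" lines ComboFix prints for the active Firefox profile.
PREF_RE = re.compile(r"^FF - prefs\.js: (\S+) - (.*)$", re.M)
# A Winlogon Notify subkey followed by the line ComboFix prints for the DLL it loads.
NOTIFY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion"
    r"\\winlogon\\notify\\([^\]]+)\]\s*\n.*?([a-z]:\\\S+)\s*$",
    re.I | re.M,
)
FAILED_RE = re.compile(r"^(.+?) \. \. \. \. Failed to delete\s*$", re.M)
# Anything under the LocalSystem profile's AppData was written by code running as SYSTEM.
SYSPROFILE_RE = re.compile(r"[a-z]:\\windows\\system32\\config\\systemprofile\\appdata\\\S+", re.I)
# Executables in %windir% whose name is just digits and dots (e.g. 0.4239797979691192.exe).
NUMERIC_EXE_RE = re.compile(r"[a-z]:\\windows\\(?:syswow64\\|system32\\)?[\d.]+\.exe", re.I)


def parse_firefox_prefs(log: str) -> Dict[str, str]:
    """Collect the Firefox preferences ComboFix reports, name -> value."""
    return {m.group(1): m.group(2).strip() for m in PREF_RE.finditer(log)}


def proxy_findings(prefs: Dict[str, str]) -> List[str]:
    """Flag an HTTP proxy that points back at the local machine.

    Firefox network.proxy.type: 0 = direct, 1 = manual proxy, 2 = PAC URL,
    4 = auto-detect, 5 = system settings. Only type 1 makes network.proxy.http live.
    """
    host = prefs.get("network.proxy.http")
    if not host:
        return []
    try:
        is_loopback = ipaddress.ip_address(host).is_loopback
    except ValueError:
        is_loopback = host.lower() == "localhost"
    if not is_loopback:
        return []
    port = prefs.get("network.proxy.http_port", "?")
    state = "active" if prefs.get("network.proxy.type") == "1" else "inactive (proxy.type != 1)"
    return [f"Firefox HTTP proxy {host}:{port} is loopback; manual proxy currently {state}"]


def winlogon_notify_findings(log: str) -> List[Tuple[str, str]]:
    """Return (subkey, dll path) for every Winlogon Notify package in the log.

    Windows Vista dropped support for Winlogon notification packages, so on a
    Vista box every entry here is worth a VirusTotal check, not just odd-looking ones.
    """
    return [(m.group(1), m.group(2)) for m in NOTIFY_RE.finditer(log)]


def failed_deletes(log: str) -> List[str]:
    """Files ComboFix tried to remove but could not; these need manual follow-up."""
    return [m.group(1) for m in FAILED_RE.finditer(log)]


def _unique(matches) -> List[str]:
    seen: List[str] = []
    for m in matches:
        if m.group(0) not in seen:
            seen.append(m.group(0))
    return seen


def systemprofile_appdata_paths(log: str) -> List[str]:
    """Paths under the SYSTEM profile's AppData, wherever they appear in the log."""
    return _unique(SYSPROFILE_RE.finditer(log))


def numeric_executables(log: str) -> List[str]:
    """Executables in %windir% with generated numeric names."""
    return _unique(NUMERIC_EXE_RE.finditer(log))


def triage(log: str) -> Dict[str, List[str]]:
    """Run every check and group the findings by category."""
    prefs = parse_firefox_prefs(log)
    return {
        "firefox_proxy": proxy_findings(prefs),
        "winlogon_notify": [f"{name}: {path}" for name, path in winlogon_notify_findings(log)],
        "failed_to_delete": failed_deletes(log),
        "systemprofile_appdata": systemprofile_appdata_paths(log),
        "numeric_named_exe": numeric_executables(log),
    }


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(f"[{category}]")
        for item in items:
            print("   ", item)
```

Run it against a saved ComboFix.txt by replacing SAMPLE_LOG with the file's contents; on the posted log it reports the menukof.dll Notify package, both SYSTEM-profile AppData files (menukof.dll and the orphaned volmgr.exe), the numeric-named SysWow64 executable, the three system32 DLLs that could not be deleted, and the loopback proxy marked inactive because proxy.type was 0.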


#10 ChamelionK

ChamelionK
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:12:10 PM

Posted 30 October 2011 - 07:16 AM

Hm.... I didn't get the message regarding ComboFix uploading anything, nor did I receive the message about the CF-Submit file. Nonetheless, here's the log of the second ComboFix run, if it helps.


ComboFix 11-10-30.01 - Kory 10/30/2011 7:19.2.4 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.7934.5720 [GMT -4:00]
Running from: c:\users\Kory\Desktop\ComboFix.exe
Command switches used :: c:\users\Kory\Desktop\CFScript.txt
AV: System Shield *Disabled/Updated* {C132074B-BF68-2E15-D4FD-E242EED15F18}
SP: System Shield *Disabled/Updated* {7A53E6AF-9952-219B-EE4D-D930955615A5}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\slwga.dll . . . . Failed to delete
c:\windows\system32\srrstr.dll . . . . Failed to delete
c:\windows\system32\systemcpl.dll . . . . Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2011-09-28 to 2011-10-30 )))))))))))))))))))))))))))))))
.
.
2011-10-30 11:43 . 2011-10-30 11:43 -------- d-----w- c:\users\Owner\AppData\Local\temp
2011-10-30 11:43 . 2011-10-30 11:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-29 22:09 . 2011-10-30 11:51 -------- d-----w- c:\users\Kory\AppData\Local\temp
2011-10-28 14:09 . 2011-10-28 14:09 -------- d-----w- c:\users\Kory\AppData\Roaming\PlayPond
2011-10-28 13:51 . 2011-10-28 13:53 -------- d-----w- c:\program files (x86)\Mystery Legends - Beauty and the Beast Collector's Edition
2011-10-27 11:04 . 2011-10-27 11:03 627600 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-26 23:00 . 2011-08-13 05:11 6144 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2011-10-26 23:00 . 2011-08-13 04:43 6144 ----a-w- c:\program files (x86)\Internet Explorer\iecompat.dll
2011-10-26 22:27 . 2011-10-26 22:27 -------- d-----w- c:\programdata\ATI
2011-10-23 13:25 . 2011-10-23 13:25 -------- d-----w- c:\program files\iPod
2011-10-23 13:25 . 2011-10-23 13:26 -------- d-----w- c:\program files\iTunes
2011-10-23 13:25 . 2011-10-23 13:26 -------- d-----w- c:\program files (x86)\iTunes
2011-10-23 12:52 . 2011-10-23 12:52 -------- d-----w- c:\program files\Bonjour
2011-10-23 12:52 . 2011-10-23 12:52 -------- d-----w- c:\program files (x86)\Bonjour
2011-10-22 13:16 . 2011-10-26 14:56 -------- d-----w- c:\users\Owner\AppData\Roaming\SecondLife
2011-10-22 13:16 . 2011-10-26 15:06 -------- d-----w- c:\users\Owner\AppData\Local\SecondLife
2011-10-22 11:35 . 2011-10-22 11:37 -------- d-----w- c:\program files (x86)\SecondLifeViewer2
2011-10-22 02:16 . 2011-10-22 02:16 107832 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2011-10-22 02:16 . 2011-10-22 02:16 682280 ----a-w- c:\windows\SysWow64\pbsvc.exe
2011-10-22 02:16 . 2011-10-22 02:16 66872 ----a-w- c:\windows\SysWow64\PnkBstrA.exe
2011-10-20 11:27 . 2011-10-20 11:31 -------- d-----w- c:\program files\Java
2011-10-16 16:08 . 2011-10-17 17:21 -------- d-----w- c:\users\Kory\AppData\Roaming\iolo
2011-10-15 23:27 . 2008-12-09 14:59 23464 ----a-w- c:\windows\system32\drivers\ElRawDsk.sys
2011-10-15 22:39 . 2011-10-15 22:39 74703 ----a-w- c:\windows\SysWow64\mfc45.dll
2011-10-15 22:39 . 2011-10-28 10:30 -------- d-----w- c:\users\Owner\AppData\Roaming\iolo
2011-10-15 22:39 . 2011-10-17 17:26 -------- d-----w- c:\programdata\iolo
2011-10-15 21:33 . 2011-10-15 21:33 -------- d-----w- c:\users\Owner\AppData\Roaming\PC Cleaners
2011-10-15 21:33 . 2011-10-15 21:32 5356304 ----a-w- c:\windows\uninst.exe
2011-10-15 21:33 . 2011-10-15 21:33 -------- d-----w- c:\programdata\PC1Data
2011-10-15 21:22 . 2011-10-15 21:22 -------- d-----w- c:\users\Owner\AppData\Roaming\AVG
2011-10-15 01:41 . 2011-10-15 01:41 -------- d-----w- c:\users\Owner\AppData\Roaming\Malwarebytes
2011-10-15 01:33 . 2011-10-20 16:38 -------- d-----w- C:\found.003
2011-10-13 18:26 . 2011-10-13 18:26 -------- d-----w- c:\programdata\LogiShrd
2011-10-13 12:17 . 2011-10-13 12:17 -------- d-----w- c:\windows\system32\config\systemprofile\{A27179C3-BFF8-45C7-BB46-A9A5FD1D8CF8}
2011-10-13 03:22 . 2011-10-13 19:52 -------- d-----w- c:\program files (x86)\MALWAREBYTES ANTI-MALWARE
2011-10-12 21:42 . 2011-09-06 13:56 2764288 ----a-w- c:\windows\system32\win32k.sys
2011-10-12 21:33 . 2011-09-14 10:52 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-10-12 21:33 . 2011-09-14 10:51 2409784 ----a-w- c:\program files (x86)\Windows Mail\OESpamFilter.dat
2011-10-12 21:32 . 2011-07-29 16:08 375808 ----a-w- c:\windows\system32\psisdecd.dll
2011-10-12 21:32 . 2011-07-29 16:08 289792 ----a-w- c:\windows\system32\psisrndr.ax
2011-10-12 21:32 . 2011-07-29 16:06 73216 ----a-w- c:\windows\system32\MSDvbNP.ax
2011-10-12 21:32 . 2011-07-29 16:06 100352 ----a-w- c:\windows\system32\Mpeg2Data.ax
2011-10-12 21:32 . 2011-07-29 16:01 293376 ----a-w- c:\windows\SysWow64\psisdecd.dll
2011-10-12 21:32 . 2011-07-29 16:01 217088 ----a-w- c:\windows\SysWow64\psisrndr.ax
2011-10-12 21:32 . 2011-07-29 16:00 57856 ----a-w- c:\windows\SysWow64\MSDvbNP.ax
2011-10-12 21:32 . 2011-07-29 16:00 69632 ----a-w- c:\windows\SysWow64\Mpeg2Data.ax
2011-10-10 11:45 . 2011-10-10 11:48 -------- d-----w- c:\users\Kory\AppData\Roaming\AVG
2011-10-09 03:59 . 2011-10-09 03:59 -------- d-----w- C:\$AVG
2011-10-07 03:58 . 2011-10-07 03:58 -------- d-----w- c:\users\Kory\AppData\Local\Activision
2011-10-07 00:59 . 2011-10-22 02:07 -------- d-----w- c:\users\Owner\AppData\Local\Activision
2011-10-07 00:25 . 2011-10-07 00:25 -------- d-----w- c:\program files (x86)\Activision
2011-10-07 00:19 . 2011-10-07 00:19 -------- d-sh--w- c:\windows\ftpcache
2011-10-06 16:18 . 2011-10-06 16:18 -------- d-----w- c:\windows\system32\config\systemprofile\{E47CE1B8-9B6A-4C52-810E-C263754EC3C6}
2011-10-05 11:19 . 2011-10-05 11:19 -------- d-----w- c:\windows\system32\config\systemprofile\{82E71709-9F4E-44BA-A83D-4E37F7761E73}
2011-10-05 11:17 . 2011-10-05 11:18 -------- d-----w- c:\windows\system32\config\systemprofile\{C1EC7E97-D429-4ADB-933B-EBACC2B2854F}
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-26 03:10 . 2011-06-06 00:49 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-09-18 10:55 . 2011-09-18 10:55 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-08-31 21:00 . 2010-12-12 11:22 25416 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-31 03:05 . 2011-08-31 03:05 96104 ----a-w- c:\windows\system32\dns-sd.exe
2011-08-31 03:05 . 2011-08-31 03:05 85864 ----a-w- c:\windows\system32\dnssd.dll
2011-08-31 03:05 . 2011-08-31 03:05 212840 ----a-w- c:\windows\system32\dnssdX.dll
2011-08-31 03:05 . 2011-08-31 03:05 83816 ----a-w- c:\windows\SysWow64\dns-sd.exe
2011-08-31 03:05 . 2011-08-31 03:05 73064 ----a-w- c:\windows\SysWow64\dnssd.dll
2011-08-31 03:05 . 2011-08-31 03:05 178536 ----a-w- c:\windows\SysWow64\dnssdX.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2011-08-04 1242448]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"ArcSoft Connection Service"="c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-04-07 102400]
"VERIZONDM"="c:\program files (x86)\VERIZONDM\bin\sprtcmd.exe" [2011-02-01 206120]
"LedKey"="CNYHKey.exe" [2008-04-24 339968]
"iolo Startup"="c:\program files (x86)\iolo\Common\Lib\ioloLManager.exe" [2011-08-08 606392]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-10-09 421736]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg&inst=NzctNzMzMjI2NTM0LUZMMTArMS1ERFQrNDgxNzQtRk9JKzExLUREMTBGKzEtU1QxMEZBUFArMS1MMTBNKzItRjEwTTEyQVQrMTEtRjEwTTEyQSsxLUYxME0xMkFCKzEtVTEwKzEtU1QxMkZPSSsxLUYxME0xMkFVKzEtRVVMQSsxLVNUMTJGQVBQKzEtU1RGMTBNMTJBVUYrMQ&prod=90&ver=2012.0.1831&mid=e54b4b20e24f47d1a903d156a4de7695-6e891e4a3b434452288b09b3998be71f87a488e9" [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BITS]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EventSystem]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ioloSystemService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vseamps]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vsedsps]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vseqrts]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate1c9ad648f0c435b;Google Update Service (gupdate1c9ad648f0c435b);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-03-25 133104]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-07-07 195336]
R3 dump_wmimmc;dump_wmimmc;c:\ntreev usa\Pangya\GameGuard\dump_wmimmc.sys [x]
R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-03-25 133104]
R3 npkcft64;npkcft64;c:\nexon\MapleStory\npkcft64.sys [x]
R3 npkuft64;npkuft64;c:\nexon\MapleStory\npkuft64.sys [x]
R3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 SQ931;USB 2.0 Video Camera;c:\windows\system32\Drivers\Capt931a.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 vseqrts;vseqrts;c:\program files\Common Files\Authentium\AntiVirus5\vseqrts.exe [2011-01-21 179008]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\ElRawDsk.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 AMP;Active Malware Protection Minifilter Driver;c:\windows\system32\Drivers\amp.sys [x]
S2 AMPSE;Active Malware Protection Support Driver;c:\windows\system32\Drivers\ampse.sys [x]
S2 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-06-15 249648]
S2 ioloSystemService;iolo System Service;c:\program files (x86)\iolo\Common\Lib\ioloServiceManager.exe [2011-08-08 722616]
S2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files (x86)\VERIZONDM\bin\sprtsvc.exe [2011-02-01 206120]
S2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files (x86)\VERIZONDM\bin\tgsrvc.exe [2011-02-01 185640]
S2 vseamps;vseamps;c:\program files\Common Files\Authentium\AntiVirus5\vseamps.exe [2011-01-21 121152]
S2 vsedsps;vsedsps;c:\program files\Common Files\Authentium\AntiVirus5\vsedsps.exe [2011-01-21 119104]
S2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx64coinst,serviceStartProc [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdLH6.sys [x]
S3 AVer88xHD;AVerMedia 23888 AvStream Video Capture;c:\windows\system32\drivers\AVer88xHD64.sys [x]
S3 CAXHWBS2;CAXHWBS2;c:\windows\system32\DRIVERS\CAXHWBS2.sys [x]
S3 HpGmb001;USB Mobile Packet Filter Driver;c:\windows\system32\DRIVERS\HpGmb001.SYS [x]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RTS5121.sys [x]
S3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk60x64.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - ioloSGuardDriver
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-03-25 16:12]
.
2011-10-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-03-25 16:12]
.
2011-10-30 c:\windows\Tasks\User_Feed_Synchronization-{3C9C65C3-B250-4683-A8CD-89490F05D976}.job
- c:\windows\system32\msfeedssync.exe [2011-10-12 21:29]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RAVCpl64.exe" [2008-08-19 6456352]
"Skytel"="Skytel.exe" [2008-08-19 1833504]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.neopets.com/
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=0209&m=lx6200-01
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\iavlsp.dll
Trusted Zone: gametap.com
TCP: DhcpNameServer = 192.168.2.1
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.8.3/GarminAxControl.CAB
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
DPF: {7A0D1738-10EA-47FF-92BE-4E137B5BE1A4} - hxxps://mpsnare.iesnare.com/StmOCX.cab
DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} - hxxp://archives.gametap.com/static/cab_headless/GameTapWebUpdater.cab
DPF: {CEBE157C-C91E-4A45-BB3C-45F8C77C012F} - hxxp://p.playfirst.com/play/game/wandering-willows/WanderingWillowsWeb.1.0.0.18.cab
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Kory\AppData\Roaming\Mozilla\Firefox\Profiles\invl15f1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.neopets.com/
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-Malwarebytes' Anti-Malware (reboot) - c:\program files (x86)\Malwarebytes' Anti-Malware\mbam.exe
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-PunkBusterSvc - c:\windows\system32\pbsvc.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3293240728-1398273569-3462809688-1001\* ;*]
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-3293240728-1398273569-3462809688-1001\0* ;*]
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-3293240728-1398273569-3462809688-1001\Software\SecuROM\License information*]
"datasecu"=hex:2a,c0,ac,cd,da,33,25,91,8f,77,3f,c5,27,f7,10,76,28,bd,82,01,d1,
e8,1d,ea,36,fd,cd,59,ea,78,ea,82,60,0e,00,0c,5d,01,e5,f7,34,51,d4,7a,1a,49,\
"rkeysecu"=hex:55,3c,15,51,f5,ef,7d,d5,76,84,bd,57,64,a0,f4,50
.
[HKEY_USERS\S-1-5-21-3293240728-1398273569-3462809688-1001\`* =*]
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-3293240728-1398273569-3462809688-1001\À*¬ &*]
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-3293240728-1398273569-3462809688-1001\¬ *É*]
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-3293240728-1398273569-3462809688-1001\¬ '*!*]
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-3293240728-1398273569-3462809688-1001\¬ ×* *]
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-3293240728-1398273569-3462809688-1001\¬ ×*¡*]
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-3293240728-1398273569-3462809688-1001\¬ ×*²*]
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-3293240728-1398273569-3462809688-1001\¬ ×*³*]
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-3293240728-1398273569-3462809688-1001\¬ ×*º*]
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-3293240728-1398273569-3462809688-1001\¬ ×*Ñ*]
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-3293240728-1398273569-3462809688-1001\¬ û*Á*]
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-3293240728-1398273569-3462809688-1001\¬ û*Æ*]
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-3293240728-1398273569-3462809688-1001\¬ û*Ç*]
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-3293240728-1398273569-3462809688-1001\¬ û*Ù*]
@Allowed: (Read) (RestrictedCode)
DUMPHIVE0.003 (REGF)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\MHotKey.exe
c:\windows\ChiFuncExt.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\SysWOW64\PnkBstrA.exe
c:\windows\SysWOW64\PnkBstrB.exe
c:\program files (x86)\iolo\System Mechanic Professional\SystemGuardAlerter.exe
c:\program files (x86)\iolo\System Mechanic Professional\System Shield\ioloSSTray.exe
c:\windows\CNYHKey.exe
.
**************************************************************************
.
Completion time: 2011-10-30 08:12:38 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-30 12:12
ComboFix2.txt 2011-10-29 22:09
.
Pre-Run: 237,169,881,088 bytes free
Post-Run: 236,906,348,544 bytes free
.
Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 9699877C4486BA218536C271760DC131

#11 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 30 October 2011 - 07:46 AM

We Need to Run a Batch Script

  • Press the Windows Logo in the bottom left corner of your screen.
  • In the Start menu search box, enter notepad and press Enter.
  • Highlight the contents of the following codebox, and copy and paste that text into notepad.
    @echo off
    COLOR 9f
    CLS
    SETLOCAL enabledelayedexpansion
    :START
    REM Stop explorer.exe first so the shell does not keep the DLL mapped.
    echo killing explorer.exe
    C:\Windows\System32\taskkill.exe -f -im explorer.exe
    echo stage 1 is complete...proceeding next stage...
    
    echo starting deletion process...
    :CHECK
    REM menukof.dll is the module registered under Winlogon\Notify\menukof.
    IF EXIST "c:\windows\System32\config\systemprofile\AppData\Local\menukof.dll" goto DELETE
    IF NOT EXIST "c:\windows\System32\config\systemprofile\AppData\Local\menukof.dll" goto ERROR
    goto END
    
    :DELETE
    REM /A matches any attribute (hidden/system), /F forces read-only files.
    DEL /A /F "c:\windows\System32\config\systemprofile\AppData\Local\menukof.dll"
    echo.Deleted Successfully !!
    goto END
    
    :ERROR
    echo.No file found
    echo.Delete Failed !!
    
    :END
    REM Restart the shell whether or not the deletion succeeded.
    start explorer.exe
    echo stage 2 is complete...
    echo.The Job is Done !!
    @pause
    
  • Select File -> Save.
  • Press the Desktop button on the left side of the save dialog.
  • In the File name box, type in Fix.bat.
  • Press Save.
  • Close Notepad.
  • Right-click Fix.bat on your desktop, and choose Run as administrator.
  • Press Yes if prompted by User Account Control.
  • Press any key to close the screen.
  • Go to c:\windows\System32\config\systemprofile\AppData\Local and let me know if the file menukof.dll was deleted.



Regards,
Georgi



#12 ChamelionK

ChamelionK
  • Topic Starter

  • Members
  • 22 posts

Posted 30 October 2011 - 10:42 AM

Okay, did as instructed, checked the aforementioned file, and I do not see menukof.dll listed in that area.

#13 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 30 October 2011 - 11:39 AM

Hi ChamelionK,


Well done!


Run Scan with Malwarebytes


I see you have Malwarebytes' Anti-Malware installed on your computer.
Please start the application by double-clicking its icon.
Once the program has loaded go to the UPDATE tab and check for updates.
When the update is complete, select the Scanner tab
Select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad.
Please save it to a convenient location and post the results in your next reply.





Please download the latest version of TDSSKiller from here and save it to your Desktop.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

  • Doubleclick on TDSSKiller.exe to run the application.
  • Click the Start Scan button.

  • If a suspicious object is detected, the default action will be Skip, click on Continue.

  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


How are things now ? Any problems left ?


Regards,
Georgi



#14 ChamelionK

ChamelionK
  • Topic Starter

  • Members
  • 22 posts

Posted 30 October 2011 - 12:41 PM

Unfortunately I am unable at this time to perform this step, as my dad is currently using the main computer and I have to be at work in roughly an hour from now. So this step won't be able to be completed until tonight. However, I will be sure to post the results when I can.

#15 ChamelionK

ChamelionK
  • Topic Starter

  • Members
  • 22 posts

Posted 30 October 2011 - 01:45 PM

Nevermind. He let me on so I can do this.



Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8047

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19154

10/30/2011 2:36:35 PM
mbam-log-2011-10-30 (14-36-35).txt

Scan type: Quick scan
Objects scanned: 199101
Time elapsed: 6 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------


TDSSKiller log not provided as there were no threats detected. Restarted the computer, however, to finish the removal process of the ones MBAM detected.

Other than that, the only issue I'm having is that System Shield has detected two security vulnerabilities and two registry errors, but I'm not touching them as per your request.
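The two Broken.OpenCommand entries in the Malwarebytes log above mean that double-clicking a .reg or .scr file was running NOTEPAD.EXE on it instead of the normal handler; the same key for exefile is the classic target when malware wants to run itself every time any program starts. The checker below is an added example, not part of this thread and not Malwarebytes code. It works from a .reg export of the HKCR file classes (so it runs on any machine, against an export taken from the suspect one) and reports every shell\open\command default that deviates from the expected value, in the same Bad/Good form the log uses. The regfile and scrfile expectations are the "Good:" values from the log; the remaining defaults are the standard Windows values and are an assumption to confirm against a clean system of the same Windows version. The sample export text is constructed to reproduce the two hits.

```python
"""Check HKCR file-class open commands against known-good defaults.

Added example for this thread (not Malwarebytes code). Reads a .reg export
rather than the live registry, so it runs anywhere. The export text below is
constructed to reproduce the two Broken.OpenCommand hits in the log above.
"""
import re
from typing import Dict, List, Optional, Tuple

# regfile and scrfile match the "Good:" values in the MBAM log; the rest are
# the standard Windows defaults (assumption: verify on a clean reference box).
EXPECTED_OPEN_COMMANDS: Dict[str, str] = {
    "exefile": '"%1" %*',
    "comfile": '"%1" %*',
    "batfile": '"%1" %*',
    "cmdfile": '"%1" %*',
    "piffile": '"%1" %*',
    "scrfile": '"%1" /S',
    "regfile": 'regedit.exe "%1"',
}

_KEY_RE = re.compile(
    r'^\[(?:HKEY_CLASSES_ROOT|HKCR)\\([^\\\]]+)\\shell\\open\\command\]\s*$',
    re.IGNORECASE,
)
_DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"\s*$')

# Constructed sample mirroring the two Malwarebytes findings plus a clean exefile.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="NOTEPAD.EXE %1"

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="NOTEPAD.EXE %1"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
"IsolatedCommand"="\"%1\" %*"
"""


def _unescape_reg_string(s: str) -> str:
    """Undo .reg escaping: a backslash escapes the character that follows it."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_open_commands(reg_text: str) -> Dict[str, str]:
    """Map file class (e.g. 'regfile') to its shell\\open\\command default value."""
    commands: Dict[str, str] = {}
    current: Optional[str] = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = _KEY_RE.match(line)
            current = m.group(1).lower() if m else None   # only open\command keys
            continue
        if current is not None:
            m = _DEFAULT_VALUE_RE.match(line)
            if m:
                commands[current] = _unescape_reg_string(m.group(1))
    return commands


def _normalize(cmd: str) -> str:
    """Collapse whitespace and case so REGEDIT.EXE  "%1" equals regedit.exe "%1"."""
    return " ".join(cmd.split()).lower()


def broken_open_commands(commands: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (class, bad, good) for each class whose command differs from the expected default."""
    findings: List[Tuple[str, str, str]] = []
    for cls, good in EXPECTED_OPEN_COMMANDS.items():
        bad = commands.get(cls)
        if bad is not None and _normalize(bad) != _normalize(good):
            findings.append((cls, bad, good))
    return findings


if __name__ == "__main__":
    for cls, bad, good in broken_open_commands(parse_open_commands(SAMPLE_EXPORT)):
        print(f"HKEY_CLASSES_ROOT\\{cls}\\shell\\open\\command: Bad: ({bad}) Good: ({good})")
```

To produce the input on the suspect machine, run `reg export HKCR\regfile regfile.reg` (and likewise for exefile, scrfile, etc.) from an elevated prompt; `reg export` writes UTF-16, so read the file with `open(path, encoding="utf-16")` before passing it to parse_open_commands. A deviation is a fact to explain, not a verdict: some tweaking utilities deliberately remap regfile to Notepad so that a double-clicked .reg file is displayed instead of merged, so check what put the value there before calling it an infection.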



