
Redirect Virus after ComboFix


3 replies to this topic

#1 scw024000

scw024000

  • Members
  • 3 posts

Posted 05 November 2011 - 09:23 AM

Yesterday morning I woke up to find that my computer had a really nasty virus. It was the type of virus that completely cripples your computer and won't let you run anti-malware programs like ComboFix. I decided to restore my computer to a previous point in time (sometime last week). This got rid of the really nasty virus, but I still had/have one that redirects and randomly opens IE (and also adds lots of tracking cookies). I ran ComboFix, and it made things better, but only temporarily. I think that ComboFix keeps going back to the same restore point that I established when I found that my computer was infected. Anyway, this thing is nasty and I want to get rid of it.
Any suggestions or help are appreciated.
Thanks in advance,
Scott



#2 scw024000

scw024000
  • Topic Starter

  • Members
  • 3 posts

Posted 05 November 2011 - 10:56 AM

I just ran ComboFix again (it took more than an hour) and I still have the redirect virus. Here is my log:
ComboFix 11-11-05.02 - Williams 11/05/2011 10:03:56.15.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4061.2840 [GMT -5:00]
Running from: c:\users\Williams\Downloads\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-10-05 to 2011-11-05 )))))))))))))))))))))))))))))))
.
.
2011-11-05 15:32 . 2011-11-05 15:32 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-11-05 15:32 . 2011-11-05 15:32 -------- d-----w- c:\users\Guest\AppData\Local\temp
2011-11-05 15:32 . 2011-11-05 15:32 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-04 21:02 . 2011-11-04 21:02 -------- d-----w- c:\programdata\Hitman Pro
2011-10-17 00:19 . 2011-10-17 00:22 -------- d--h--w- c:\users\Williams\AppData\Roaming\Xiqyoc
2011-10-15 17:09 . 2011-10-15 17:09 -------- d--h--w- c:\users\Williams\AppData\Roaming\k1ivD2onFpHsJdK
2011-10-15 17:08 . 2011-10-15 17:08 -------- d--h--w- c:\users\Williams\AppData\Roaming\ohhhTXXqjUC
2011-10-15 17:07 . 2011-10-15 17:07 -------- d--h--w- c:\users\Williams\AppData\Roaming\jwwUUVOOtP0cSi3
2011-10-15 17:06 . 2011-10-15 17:06 -------- d--h--w- c:\users\Williams\AppData\Roaming\WAAA0uucS2iD3nG
2011-10-15 17:05 . 2011-10-15 17:05 -------- d--h--w- c:\users\Williams\AppData\Roaming\lGG55aQQH6dK
2011-10-15 17:04 . 2011-10-15 17:04 -------- d--h--w- c:\users\Williams\AppData\Roaming\t1ioG6sL8ZCkl
2011-10-15 17:03 . 2011-10-15 17:03 -------- d--h--w- c:\users\Williams\AppData\Roaming\a99hXUCekz
2011-10-15 17:02 . 2011-10-15 17:02 -------- d--h--w- c:\users\Williams\AppData\Roaming\mzOONttxA0uc2Dp
2011-10-15 17:01 . 2011-10-15 17:01 -------- d--h--w- c:\users\Williams\AppData\Roaming\wAAA0uuvS2
2011-10-15 17:00 . 2011-10-15 17:00 -------- d--h--w- c:\users\Williams\AppData\Roaming\TjUUeelIt
2011-10-15 16:59 . 2011-10-15 16:59 -------- d--h--w- c:\users\Williams\AppData\Roaming\w11ivDD3onF4H5W
2011-10-15 16:58 . 2011-10-15 16:58 -------- d--h--w- c:\users\Williams\AppData\Roaming\pJJdgqVOB
2011-10-15 16:57 . 2011-10-15 16:57 -------- d--h--w- c:\users\Williams\AppData\Roaming\sjjUUCeelIB
2011-10-15 16:56 . 2011-10-15 16:56 -------- d--h--w- c:\users\Williams\AppData\Roaming\wYYYXwwjUVelB
2011-10-15 16:55 . 2011-10-15 16:55 -------- d--h--w- c:\users\Williams\AppData\Roaming\IQQJ6dEK8fR9Twj
2011-10-15 16:54 . 2011-10-15 16:54 -------- d--h--w- c:\users\Williams\AppData\Roaming\AzAuuSiFp5Q6
2011-10-15 16:53 . 2011-10-15 16:53 -------- d--h--w- c:\users\Williams\AppData\Roaming\yIIVVrzzONtA0cS
2011-10-15 16:52 . 2011-10-15 16:52 -------- d--h--w- c:\users\Williams\AppData\Roaming\o444pmmG5sQJKh
2011-10-15 16:51 . 2011-10-15 16:51 -------- d--h--w- c:\users\Williams\AppData\Roaming\m0yyycA1ivD2o
2011-10-15 16:50 . 2011-10-15 16:50 -------- d--h--w- c:\users\Williams\AppData\Roaming\mvS2obF3pGaJdKf
2011-10-15 16:49 . 2011-10-15 16:49 -------- d--h--w- c:\users\Williams\AppData\Roaming\xsWJ7fEL8TqYwUr
2011-10-15 16:48 . 2011-10-15 16:48 -------- d--h--w- c:\users\Williams\AppData\Roaming\iwkkUUVrlOBtP
2011-10-15 16:47 . 2011-10-15 16:47 -------- d--h--w- c:\users\Williams\AppData\Roaming\OONNyyxA0uvS2b3
2011-10-15 16:46 . 2011-10-15 16:46 -------- d--h--w- c:\users\Williams\AppData\Roaming\AKK88gRRZ9hXwUV
2011-10-15 16:45 . 2011-10-15 16:45 -------- d--h--w- c:\users\Williams\AppData\Roaming\OQQQH66sWK
2011-10-15 16:44 . 2011-10-15 16:44 -------- d--h--w- c:\users\Williams\AppData\Roaming\b2oobbF3pmG5QJ
2011-10-15 16:43 . 2011-10-15 16:43 -------- d--h--w- c:\users\Williams\AppData\Roaming\o333onnF4am5sJ
2011-10-15 16:42 . 2011-10-15 16:42 -------- d--h--w- c:\users\Williams\AppData\Roaming\yVVVrzzONtx0uS
2011-10-15 16:41 . 2011-10-15 16:41 -------- d--h--w- c:\users\Williams\AppData\Roaming\FEEEK88fRZ9hXwU
2011-10-15 16:40 . 2011-10-15 16:40 -------- d--h--w- c:\users\Williams\AppData\Roaming\VnnFF4ammHsWJdL
2011-10-15 16:39 . 2011-10-15 16:39 -------- d--h--w- c:\users\Williams\AppData\Roaming\T11uuvSS2oF3
2011-10-15 16:38 . 2011-10-15 16:38 -------- d--h--w- c:\users\Williams\AppData\Roaming\WXXwwkUUVelB
2011-10-15 16:37 . 2011-10-15 16:37 -------- d--h--w- c:\users\Williams\AppData\Roaming\CLLL9hhTXqjUek
2011-10-15 16:36 . 2011-10-15 16:36 -------- d--h--w- c:\users\Williams\AppData\Roaming\zeeelOOBtzPyc1i
2011-10-15 16:35 . 2011-10-15 16:35 -------- d--h--w- c:\users\Williams\AppData\Roaming\yjjYYCwkkIr
2011-10-15 16:34 . 2011-10-15 16:34 -------- d--h--w- c:\users\Williams\AppData\Roaming\immGG5aaQJ
2011-10-15 16:33 . 2011-10-15 16:33 -------- d--h--w- c:\users\Williams\AppData\Roaming\r888fRRL9hTXjUe
2011-10-15 16:32 . 2011-10-15 16:32 -------- d--h--w- c:\users\Williams\AppData\Roaming\JfffELL9g
2011-10-15 16:31 . 2011-10-15 16:31 -------- d--h--w- c:\users\Williams\AppData\Roaming\RzOONNyxA0uv2i
2011-10-15 16:30 . 2011-10-15 16:30 -------- d--h--w- c:\users\Williams\AppData\Roaming\YEEEK88gRZ9YX
2011-10-15 16:29 . 2011-10-15 16:29 -------- d--h--w- c:\users\Williams\AppData\Roaming\oHH66sWKK7EL9Tq
2011-10-15 16:28 . 2011-10-15 16:28 -------- d--h--w- c:\users\Williams\AppData\Roaming\XCeekkIBrzONy
2011-10-15 16:27 . 2011-10-15 16:27 -------- d--h--w- c:\users\Williams\AppData\Roaming\V5ssWWJ7dEL8
2011-10-15 16:26 . 2011-10-15 16:26 -------- d--h--w- c:\users\Williams\AppData\Roaming\KyyxxA00uv2ib3p
2011-10-15 16:25 . 2011-10-15 16:25 -------- d--h--w- c:\users\Williams\AppData\Roaming\SgRRZZqhYXwkVeO
2011-10-15 16:24 . 2011-10-15 16:24 -------- d--h--w- c:\users\Williams\AppData\Roaming\rDDD33pnG4aQ6sK
2011-10-15 16:23 . 2011-10-15 16:23 -------- d--h--w- c:\users\Williams\AppData\Roaming\mqjjjYCekIVrzNx
2011-10-15 16:22 . 2011-10-15 16:22 -------- d--h--w- c:\users\Williams\AppData\Roaming\rQQJJ6ddE
2011-10-15 16:21 . 2011-10-15 16:21 -------- d--h--w- c:\users\Williams\AppData\Roaming\bssWWJ77fELgTqh
2011-10-15 16:20 . 2011-10-15 16:20 -------- d--h--w- c:\users\Williams\AppData\Roaming\taQQHH6dWK7fR9T
2011-10-15 16:19 . 2011-10-15 16:19 -------- d--h--w- c:\users\Williams\AppData\Roaming\qZZZ9hhTXwjUelB
2011-10-15 16:18 . 2011-10-15 16:18 -------- d--h--w- c:\users\Williams\AppData\Roaming\hhhYYCwwkUVlOtx
2011-10-15 16:17 . 2011-10-15 16:17 -------- d--h--w- c:\users\Williams\AppData\Roaming\VWWKK7fEELgTZjC
2011-10-15 16:16 . 2011-10-15 16:16 -------- d--h--w- c:\users\Williams\AppData\Roaming\dlIIBBrzPNyx
2011-10-15 16:15 . 2011-10-15 16:15 -------- d--h--w- c:\users\Williams\AppData\Roaming\I555sWWJ7
2011-10-15 16:14 . 2011-10-15 16:14 -------- d--h--w- c:\users\Williams\AppData\Roaming\ZffRRL9hTXqj
2011-10-15 16:13 . 2011-10-15 16:13 -------- d--h--w- c:\users\Williams\AppData\Roaming\rffEEL99gTZjYwk
2011-10-15 16:12 . 2011-10-15 16:12 -------- d--h--w- c:\users\Williams\AppData\Roaming\fNyyxxA1uvS2b
2011-10-15 16:11 . 2011-10-15 16:11 -------- d--h--w- c:\users\Williams\AppData\Roaming\rXXqqjYYCeIVrON
2011-10-15 16:10 . 2011-10-15 16:10 -------- d--h--w- c:\users\Williams\AppData\Roaming\knFFF4pmH5sQJdK
2011-10-15 16:09 . 2011-10-15 16:09 -------- d--h--w- c:\users\Williams\AppData\Roaming\pnGG44amH6sW
2011-10-15 16:08 . 2011-10-15 16:08 -------- d--h--w- c:\users\Williams\AppData\Roaming\rIIBBrzzPNyA1vS
2011-10-11 02:52 . 2011-10-11 02:52 -------- d--h--w- c:\users\Default\AppData\Local\Microsoft Help
2011-10-06 21:05 . 2011-10-06 21:10 -------- d--h--w- c:\users\Williams\AppData\Roaming\QP0ucS1ib3n4m6W
2011-10-06 21:05 . 2011-10-06 21:10 -------- d--h--w- c:\users\Williams\AppData\Roaming\TS2ibD3pn4Q6W7E
2011-10-06 21:05 . 2011-10-06 21:05 -------- d--h--w- c:\users\Williams\AppData\Roaming\vH5sQJ7dE8R9YwU
2011-10-06 21:05 . 2011-10-06 21:05 -------- d--h--w- c:\users\Williams\AppData\Roaming\ftA2pJ8hjINvFaK
2011-10-06 21:05 . 2011-10-06 21:05 -------- d--h--w- c:\users\Williams\AppData\Roaming\UxP0ucS1iDoGaHs
2011-10-06 21:05 . 2011-10-06 21:05 -------- d--h--w- c:\users\Williams\AppData\Roaming\rjYCekIVrNu2
2011-10-06 21:05 . 2011-10-06 21:05 -------- d--h--w- c:\users\Williams\AppData\Roaming\bYwVraEgZUlo4H
2011-10-06 21:04 . 2011-10-06 21:04 -------- d--h--w- c:\users\Williams\AppData\Roaming\vJ7dEKgBzNc1DoF
2011-10-06 21:04 . 2011-10-06 21:04 -------- d--h--w- c:\users\Williams\AppData\Roaming\oNycAuD2o5Q6E8R
2011-10-06 21:04 . 2011-10-06 21:04 -------- d--h--w- c:\users\Williams\AppData\Roaming\JS3na6WR9XjeIzt
2011-10-06 21:04 . 2011-10-06 21:04 -------- d--h--w- c:\users\Williams\AppData\Roaming\gxSpQK9jVxSomJh
2011-10-06 21:04 . 2011-10-06 21:04 -------- d--h--w- c:\users\Williams\AppData\Roaming\gF5K9jByS3aK9jr
2011-10-06 21:04 . 2011-10-06 21:04 -------- d--h--w- c:\users\Williams\AppData\Roaming\lEqXketyinm7
2011-10-06 21:04 . 2011-10-06 21:04 -------- d--h--w- c:\users\Williams\AppData\Roaming\IinsEqkOyvFWLqU
2011-10-06 21:04 . 2011-10-06 21:04 -------- d--h--w- c:\users\Williams\AppData\Roaming\CeVA2pa6fZw
2011-10-06 21:03 . 2011-10-06 21:03 -------- d--h--w- c:\users\Williams\AppData\Roaming\yO0iG6fqkOu
2011-10-06 21:03 . 2011-10-06 21:03 -------- d--h--w- c:\users\Williams\AppData\Roaming\FQKTCr0iG
2011-10-06 21:03 . 2011-10-06 21:03 -------- d--h--w- c:\users\Williams\AppData\Roaming\f3G6fTYkO0inHfT
2011-10-06 21:03 . 2011-10-06 21:03 -------- d--h--w- c:\users\Williams\AppData\Roaming\enaHJEgZYweBzyA
2011-10-06 21:03 . 2011-10-06 21:03 -------- d--h--w- c:\users\Williams\AppData\Roaming\N5WEqXkltPc12F
2011-10-06 21:03 . 2011-10-06 21:03 -------- d--h--w- c:\users\Williams\AppData\Roaming\WpGQsKE9ZjwVl0i
2011-10-06 21:03 . 2011-10-06 21:03 -------- d--h--w- c:\users\Williams\AppData\Roaming\oJ8hUByvF5KZjlP
2011-10-06 21:03 . 2011-10-06 21:03 -------- d--h--w- c:\users\Williams\AppData\Roaming\RQK9qIxba7g
2011-10-06 21:02 . 2011-10-06 21:02 -------- d--h--w- c:\users\Williams\AppData\Roaming\Wa6WfLTjCIrNAbG
2011-10-06 21:02 . 2011-10-06 21:02 -------- d--h--w- c:\users\Williams\AppData\Roaming\j56fhUByvF
2011-10-06 21:02 . 2011-10-06 21:02 -------- d--h--w- c:\users\Williams\AppData\Roaming\R5EZjByS3a8hCzA
2011-10-06 21:02 . 2011-10-06 21:02 -------- d--h--w- c:\users\Williams\AppData\Roaming\S89jkO0F5W
2011-10-06 21:02 . 2011-10-06 21:02 -------- d--h--w- c:\users\Williams\AppData\Roaming\mqeBzyAvbp
2011-10-06 21:02 . 2011-10-06 21:02 -------- d--h--w- c:\users\Williams\AppData\Roaming\StPc1Doa5WdLRwU
2011-10-06 21:02 . 2011-10-06 21:02 -------- d--h--w- c:\users\Williams\AppData\Roaming\FZhCk3aWLhVz1op
2011-10-06 21:02 . 2011-10-06 21:02 -------- d--h--w- c:\users\Williams\AppData\Roaming\vubG6fTCrxSpQ
2011-10-06 21:01 . 2011-10-06 21:01 -------- d--h--w- c:\users\Williams\AppData\Roaming\us9XezA2p
2011-10-06 21:01 . 2011-10-06 21:01 -------- d--h--w- c:\users\Williams\AppData\Roaming\mkO02paKLqkO0
2011-10-06 21:01 . 2011-10-06 21:01 -------- d--h--w- c:\users\Williams\AppData\Roaming\RHEhe1FsfwBxo5W
2011-10-06 21:01 . 2011-10-06 21:01 -------- d--h--w- c:\users\Williams\AppData\Roaming\qOc3HjrunsLYOc5
2011-10-06 21:01 . 2011-10-06 21:01 -------- d--h--w- c:\users\Williams\AppData\Roaming\o5d8RhXUIzNAuo4
2011-10-06 21:01 . 2011-10-06 21:01 -------- d--h--w- c:\users\Williams\AppData\Roaming\l3nas7EgZ
2011-10-06 21:00 . 2011-10-06 21:00 -------- d--h--w- c:\users\Williams\AppData\Roaming\X6KR9XjISb
2011-10-06 21:00 . 2011-10-06 21:00 -------- d--h--w- c:\users\Williams\AppData\Roaming\ixui3naHWEgZYBx
2011-10-06 21:00 . 2011-10-06 21:00 -------- d--h--w- c:\users\Williams\AppData\Roaming\LPxu2F5dRqkrNuS
2011-10-06 21:00 . 2011-10-06 21:00 -------- d--h--w- c:\users\Williams\AppData\Roaming\ASbpGQWfLTqVztA
2011-10-06 21:00 . 2011-10-06 21:00 -------- d--h--w- c:\users\Williams\AppData\Roaming\Da7RXeP1nsK9jlP
2011-10-06 20:59 . 2011-10-06 20:59 -------- d--h--w- c:\users\Williams\AppData\Roaming\Uc1DnHWgYri
2011-10-06 20:59 . 2011-10-06 20:59 -------- d--h--w- c:\users\Williams\AppData\Roaming\GwrxcDasEZwezA2
2011-10-06 18:26 . 2011-10-06 18:26 -------- d--h--w- c:\users\Williams\AppData\Roaming\cv2FpHQ7KRjl
2011-10-06 18:25 . 2011-10-06 18:25 -------- d--h--w- c:\users\Williams\AppData\Roaming\TH5sQJ7dE8Zh
2011-10-06 18:25 . 2011-10-06 18:25 -------- d--h--w- c:\users\Williams\AppData\Roaming\v4m6WEgqCkVOtPc
2011-10-06 18:25 . 2011-10-06 18:25 -------- d--h--w- c:\users\Williams\AppData\Roaming\DW9qkzAS346
2011-10-06 18:25 . 2011-10-06 18:25 -------- d--h--w- c:\users\Williams\AppData\Roaming\Ff8TYO0inH7Zw14
2011-10-06 18:25 . 2011-10-06 18:25 -------- d--h--w- c:\users\Williams\AppData\Roaming\Z4QZUt14JZeN
2011-10-06 18:25 . 2011-10-06 18:25 -------- d--h--w- c:\users\Williams\AppData\Roaming\HJXxaTtpLVDEkis
2011-10-06 18:25 . 2011-10-06 18:25 -------- d--h--w- c:\users\Williams\AppData\Roaming\otzP0ycA1v2n4m5
2011-10-06 18:25 . 2011-10-06 18:25 -------- d--h--w- c:\users\Williams\AppData\Roaming\hY2kiJk1shSHhzF
2011-10-06 18:25 . 2011-10-06 18:25 -------- d--h--w- c:\users\Williams\AppData\Roaming\u7EgZjwIl
2011-10-06 18:25 . 2011-10-06 18:25 -------- d--h--w- c:\users\Williams\AppData\Roaming\XwPnLlvJUv7Ip
2011-10-06 18:25 . 2011-10-06 18:25 -------- d--h--w- c:\users\Williams\AppData\Roaming\fHX0aZNoLOnR0p9
2011-10-06 18:25 . 2011-10-06 18:25 -------- d--h--w- c:\users\Williams\AppData\Roaming\pRk0GEI0G8OoEUv
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-04 21:03 . 2011-08-22 01:17 25160 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-09-30 22:57 . 2011-07-05 01:26 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-09-10 19:22 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2011-09-10 19:22 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2011-08-21 00:42 . 2011-08-21 00:42 332288 ----a-w- c:\windows\SysWow64\api-ms-win-core-misc-l1-1-032.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2011-11-04_16.56.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-11-05 06:08 . 2011-11-05 06:08 13585 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
- 2011-10-31 12:38 . 2011-10-31 12:38 13585 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
+ 2010-07-28 16:21 . 2011-11-05 02:09 49152 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-07-28 16:21 . 2011-11-04 13:40 49152 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-07-28 16:21 . 2011-11-04 13:40 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-07-28 16:21 . 2011-11-05 02:09 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-11-04 13:40 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2011-11-05 02:09 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-09-04 00:48 . 2011-11-04 12:57 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-09-04 00:48 . 2011-11-05 13:59 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-11-04 12:05 . 2011-11-05 13:58 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
- 2011-11-04 12:05 . 2011-11-04 12:59 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
- 2011-11-04 12:05 . 2011-11-04 12:59 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\History\History.IE5\index.dat
+ 2011-11-04 12:05 . 2011-11-05 13:58 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\History\History.IE5\index.dat
+ 2011-11-04 12:05 . 2011-11-05 13:58 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Cookies\index.dat
- 2011-11-04 12:05 . 2011-11-04 12:59 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Cookies\index.dat
+ 2010-09-04 00:48 . 2011-11-05 13:58 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-09-04 00:48 . 2011-11-04 12:59 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-09-04 00:48 . 2011-11-04 12:57 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-09-04 00:48 . 2011-11-05 13:59 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-11-05 13:58 . 2011-11-05 13:58 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-11-04 12:57 . 2011-11-04 12:57 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-11-05 13:58 . 2011-11-05 13:58 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-11-04 12:57 . 2011-11-04 12:57 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 04:54 . 2011-11-04 12:57 114688 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2011-11-05 13:59 114688 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2011-11-04 12:57 180224 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2011-11-05 13:59 180224 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 02:36 . 2011-11-04 13:01 627288 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-11-05 14:03 627288 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-11-05 14:03 107346 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2011-11-04 13:01 107346 c:\windows\system32\perfc009.dat
- 2009-07-14 04:54 . 2011-11-04 12:57 1703936 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2011-11-05 13:59 1703936 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ElevatedDiagnosticsUpdate"="c:\users\Williams\AppData\Local\ElevatedDiagnostics\ElevatedDiagnosticsUpdate\ElevatedDiagnosticsupdt32.exe" [BU]
"Macrovision Update"="c:\users\Williams\AppData\Local\DataSafeOnline\DataSafeOnlineUpdate\DataSafeOnlineupdt32.DLL" [BU]
"GoogleOnlineService"="c:\programdata\GoogleOnlineService.dll" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Dell DataSafe Online"="c:\program files (x86)\Dell DataSafe Online\DataSafeOnline.exe" [2009-11-13 1807600]
"PDVDDXSrv"="c:\program files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-12-29 140520]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-10-15 498160]
"VERIZONDM"="c:\program files (x86)\VERIZONDM\bin\sprtcmd.exe" [2010-07-20 206120]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"="c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [2011-10-06 559616]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ElevatedDiagnosticsUpdate"="c:\users\Williams\AppData\Local\ElevatedDiagnostics\ElevatedDiagnosticsUpdate\ElevatedDiagnosticsupdt32.exe" [BU]
.
c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-15 1324384]
.
c:\users\Williams\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-15 1324384]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-15 1324384]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 AxInstSV32;ActiveX Installer (AxInstSV) ;c:\windows\system32\secur3232.exe [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 IPBusEnum32;PnP-X IP Bus Enumerator ;c:\windows\system32\wshcon32.exe [x]
R3 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [2009-09-18 169312]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-09-14 508264]
S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2011-08-18 1692480]
S2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files (x86)\VERIZONDM\bin\sprtsvc.exe [2010-07-20 206120]
S2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files (x86)\VERIZONDM\bin\tgsrvc.exe [2010-07-20 185640]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-09-14 219496]
.
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-10-21 8306208]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MIF5BA~1\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~2\MIF5BA~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - ProfilePath - c:\users\Williams\AppData\Roaming\Mozilla\Firefox\Profiles\uxuudfl5.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z157&form=ZGAADF&install_date=20110808&q=
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
Supplementary scan did not complete!
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
AddRemove-MiKTeX 2.9 - c:\users\Williams\Desktop\TeX\miktex/bin/internal\copystart.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10x_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10x_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-11-05 10:50:50
ComboFix-quarantined-files.txt 2011-09-30 23:53
ComboFix2.txt 2011-09-18 17:36
ComboFix3.txt 2011-09-17 16:43
ComboFix4.txt 2011-09-16 00:12
ComboFix5.txt 2011-11-05 14:56
.
Pre-Run: 424,670,621,696 bytes free
Post-Run: 421,618,728,960 bytes free
.
- - End Of File - - 8E3EC0A7934A5E58E4F2F1945B34002B

#3 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:12 AM

Posted 05 November 2011 - 06:38 PM

Hi,

Please run the following:

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)



NEXT


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

Folder::
c:\users\Williams\AppData\Roaming\Xiqyoc
c:\users\Williams\AppData\Roaming\k1ivD2onFpHsJdK
c:\users\Williams\AppData\Roaming\ohhhTXXqjUC
c:\users\Williams\AppData\Roaming\jwwUUVOOtP0cSi3
c:\users\Williams\AppData\Roaming\WAAA0uucS2iD3nG
c:\users\Williams\AppData\Roaming\lGG55aQQH6dK
c:\users\Williams\AppData\Roaming\t1ioG6sL8ZCkl
c:\users\Williams\AppData\Roaming\a99hXUCekz
c:\users\Williams\AppData\Roaming\mzOONttxA0uc2Dp
c:\users\Williams\AppData\Roaming\wAAA0uuvS2
c:\users\Williams\AppData\Roaming\TjUUeelIt
c:\users\Williams\AppData\Roaming\w11ivDD3onF4H5W
c:\users\Williams\AppData\Roaming\pJJdgqVOB
c:\users\Williams\AppData\Roaming\sjjUUCeelIB
c:\users\Williams\AppData\Roaming\wYYYXwwjUVelB
c:\users\Williams\AppData\Roaming\IQQJ6dEK8fR9Twj
c:\users\Williams\AppData\Roaming\AzAuuSiFp5Q6
c:\users\Williams\AppData\Roaming\yIIVVrzzONtA0cS
c:\users\Williams\AppData\Roaming\o444pmmG5sQJKh
c:\users\Williams\AppData\Roaming\m0yyycA1ivD2o
c:\users\Williams\AppData\Roaming\mvS2obF3pGaJdKf
c:\users\Williams\AppData\Roaming\xsWJ7fEL8TqYwUr
c:\users\Williams\AppData\Roaming\iwkkUUVrlOBtP
c:\users\Williams\AppData\Roaming\OONNyyxA0uvS2b3
c:\users\Williams\AppData\Roaming\AKK88gRRZ9hXwUV
c:\users\Williams\AppData\Roaming\OQQQH66sWK
c:\users\Williams\AppData\Roaming\b2oobbF3pmG5QJ
c:\users\Williams\AppData\Roaming\o333onnF4am5sJ
c:\users\Williams\AppData\Roaming\yVVVrzzONtx0uS
c:\users\Williams\AppData\Roaming\FEEEK88fRZ9hXwU
c:\users\Williams\AppData\Roaming\VnnFF4ammHsWJdL
c:\users\Williams\AppData\Roaming\T11uuvSS2oF3
c:\users\Williams\AppData\Roaming\WXXwwkUUVelB
c:\users\Williams\AppData\Roaming\CLLL9hhTXqjUek
c:\users\Williams\AppData\Roaming\zeeelOOBtzPyc1i
c:\users\Williams\AppData\Roaming\yjjYYCwkkIr
c:\users\Williams\AppData\Roaming\immGG5aaQJ
c:\users\Williams\AppData\Roaming\r888fRRL9hTXjUe
c:\users\Williams\AppData\Roaming\JfffELL9g
c:\users\Williams\AppData\Roaming\RzOONNyxA0uv2i
c:\users\Williams\AppData\Roaming\YEEEK88gRZ9YX
c:\users\Williams\AppData\Roaming\oHH66sWKK7EL9Tq
c:\users\Williams\AppData\Roaming\XCeekkIBrzONy
c:\users\Williams\AppData\Roaming\V5ssWWJ7dEL8
c:\users\Williams\AppData\Roaming\KyyxxA00uv2ib3p
c:\users\Williams\AppData\Roaming\SgRRZZqhYXwkVeO
c:\users\Williams\AppData\Roaming\rDDD33pnG4aQ6sK
c:\users\Williams\AppData\Roaming\mqjjjYCekIVrzNx
c:\users\Williams\AppData\Roaming\rQQJJ6ddE
c:\users\Williams\AppData\Roaming\bssWWJ77fELgTqh
c:\users\Williams\AppData\Roaming\taQQHH6dWK7fR9T
c:\users\Williams\AppData\Roaming\qZZZ9hhTXwjUelB
c:\users\Williams\AppData\Roaming\hhhYYCwwkUVlOtx
c:\users\Williams\AppData\Roaming\VWWKK7fEELgTZjC
c:\users\Williams\AppData\Roaming\dlIIBBrzPNyx
c:\users\Williams\AppData\Roaming\I555sWWJ7
c:\users\Williams\AppData\Roaming\ZffRRL9hTXqj
c:\users\Williams\AppData\Roaming\rffEEL99gTZjYwk
c:\users\Williams\AppData\Roaming\fNyyxxA1uvS2b
c:\users\Williams\AppData\Roaming\rXXqqjYYCeIVrON
c:\users\Williams\AppData\Roaming\knFFF4pmH5sQJdK
c:\users\Williams\AppData\Roaming\pnGG44amH6sW
c:\users\Williams\AppData\Roaming\rIIBBrzzPNyA1vS
c:\users\Williams\AppData\Roaming\QP0ucS1ib3n4m6W
c:\users\Williams\AppData\Roaming\TS2ibD3pn4Q6W7E
c:\users\Williams\AppData\Roaming\vH5sQJ7dE8R9YwU
c:\users\Williams\AppData\Roaming\ftA2pJ8hjINvFaK
c:\users\Williams\AppData\Roaming\UxP0ucS1iDoGaHs
c:\users\Williams\AppData\Roaming\rjYCekIVrNu2
c:\users\Williams\AppData\Roaming\bYwVraEgZUlo4H
c:\users\Williams\AppData\Roaming\vJ7dEKgBzNc1DoF
c:\users\Williams\AppData\Roaming\oNycAuD2o5Q6E8R
c:\users\Williams\AppData\Roaming\JS3na6WR9XjeIzt
c:\users\Williams\AppData\Roaming\gxSpQK9jVxSomJh
c:\users\Williams\AppData\Roaming\gF5K9jByS3aK9jr
c:\users\Williams\AppData\Roaming\lEqXketyinm7
c:\users\Williams\AppData\Roaming\IinsEqkOyvFWLqU
c:\users\Williams\AppData\Roaming\CeVA2pa6fZw
c:\users\Williams\AppData\Roaming\yO0iG6fqkOu
c:\users\Williams\AppData\Roaming\FQKTCr0iG
c:\users\Williams\AppData\Roaming\f3G6fTYkO0inHfT
c:\users\Williams\AppData\Roaming\enaHJEgZYweBzyA
c:\users\Williams\AppData\Roaming\N5WEqXkltPc12F
c:\users\Williams\AppData\Roaming\WpGQsKE9ZjwVl0i
c:\users\Williams\AppData\Roaming\oJ8hUByvF5KZjlP
c:\users\Williams\AppData\Roaming\RQK9qIxba7g
c:\users\Williams\AppData\Roaming\Wa6WfLTjCIrNAbG
c:\users\Williams\AppData\Roaming\j56fhUByvF
c:\users\Williams\AppData\Roaming\R5EZjByS3a8hCzA
c:\users\Williams\AppData\Roaming\S89jkO0F5W
c:\users\Williams\AppData\Roaming\mqeBzyAvbp
c:\users\Williams\AppData\Roaming\StPc1Doa5WdLRwU
c:\users\Williams\AppData\Roaming\FZhCk3aWLhVz1op
c:\users\Williams\AppData\Roaming\vubG6fTCrxSpQ
c:\users\Williams\AppData\Roaming\us9XezA2p
c:\users\Williams\AppData\Roaming\mkO02paKLqkO0
c:\users\Williams\AppData\Roaming\RHEhe1FsfwBxo5W
c:\users\Williams\AppData\Roaming\qOc3HjrunsLYOc5
c:\users\Williams\AppData\Roaming\o5d8RhXUIzNAuo4
c:\users\Williams\AppData\Roaming\l3nas7EgZ
c:\users\Williams\AppData\Roaming\X6KR9XjISb
c:\users\Williams\AppData\Roaming\ixui3naHWEgZYBx
c:\users\Williams\AppData\Roaming\LPxu2F5dRqkrNuS
c:\users\Williams\AppData\Roaming\ASbpGQWfLTqVztA
c:\users\Williams\AppData\Roaming\Da7RXeP1nsK9jlP
c:\users\Williams\AppData\Roaming\Uc1DnHWgYri
c:\users\Williams\AppData\Roaming\GwrxcDasEZwezA2
c:\users\Williams\AppData\Roaming\cv2FpHQ7KRjl
c:\users\Williams\AppData\Roaming\TH5sQJ7dE8Zh
c:\users\Williams\AppData\Roaming\v4m6WEgqCkVOtPc
c:\users\Williams\AppData\Roaming\DW9qkzAS346
c:\users\Williams\AppData\Roaming\Ff8TYO0inH7Zw14
c:\users\Williams\AppData\Roaming\Z4QZUt14JZeN
c:\users\Williams\AppData\Roaming\HJXxaTtpLVDEkis
c:\users\Williams\AppData\Roaming\otzP0ycA1v2n4m5
c:\users\Williams\AppData\Roaming\hY2kiJk1shSHhzF
c:\users\Williams\AppData\Roaming\u7EgZjwIl
c:\users\Williams\AppData\Roaming\XwPnLlvJUv7Ip
c:\users\Williams\AppData\Roaming\fHX0aZNoLOnR0p9
c:\users\Williams\AppData\Roaming\pRk0GEI0G8OoEUv


ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop; save it as "CFScript"


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



Please advise if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
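The Folder:: block above is a long list of folders under the user's AppData\Roaming whose names were clearly generated (mixed case, digits spliced between letters, almost no vowels). The following is an added triage script for this thread; it is not part of ComboFix, TDSSKiller or the helper's instructions. It only reads directory names, never deletes or changes anything, and prints its candidates in the same Folder:: layout a CFScript uses so an analyst can review the list by hand first. The four scoring signals and their thresholds are assumptions tuned against the names quoted in this thread; the sample run mixes six of those names with a few common vendor folder names I constructed, plus two names from the same list (Xiqyoc and TjUUeelIt) that the heuristic intentionally leaves for manual review.

```python
"""Triage aid: spot generated-looking folder names under %APPDATA% (Roaming).

Added example for this thread, not code from ComboFix, TDSSKiller or the
helper. It reads directory names only and prints candidates in the Folder::
format a CFScript uses; nothing is deleted or modified.
"""
import os
import sys

VOWELS = set("aeiouAEIOU")


def _char_class(ch: str) -> str:
    """Bucket a character as digit (d), upper (u) or lower (l)."""
    if ch.isdigit():
        return "d"
    return "u" if ch.isupper() else "l"


def class_switches(name: str) -> int:
    """Count adjacent positions where the character class changes.
    'k1ivD2onF' flips between case and digits far more than 'Microsoft'."""
    return sum(1 for a, b in zip(name, name[1:]) if _char_class(a) != _char_class(b))


def signals(name: str) -> dict:
    """Four independent hints that a name was generated rather than chosen.
    Thresholds are assumptions tuned against the names quoted in the thread."""
    vowel_ratio = sum(ch in VOWELS for ch in name) / len(name)
    return {
        "interior_upper": sum(ch.isupper() for ch in name[1:]) >= 2,  # capitals mid-word
        "has_digit": any(ch.isdigit() for ch in name),                 # digits mixed in
        "few_vowels": vowel_ratio < 0.3,                               # unpronounceable
        "class_churn": class_switches(name) >= 3,                      # case/digit flipping
    }


def looks_generated(name: str) -> bool:
    """Candidate when plain ASCII alphanumeric, at least 8 chars, and at least
    three of the four signals fire. Short pronounceable names such as 'Xiqyoc'
    from the same list deliberately fall through to manual review."""
    if len(name) < 8 or not name.isascii() or not name.isalnum():
        return False
    return sum(signals(name).values()) >= 3


def find_candidates(names):
    """Filter an iterable of folder names down to the suspicious ones, order kept."""
    return [n for n in names if looks_generated(n)]


def scan_roaming(root: str):
    """List top-level directories under `root` (e.g. %APPDATA%) and triage them."""
    names = sorted(n for n in os.listdir(root) if os.path.isdir(os.path.join(root, n)))
    return find_candidates(names)


def build_cfscript(root: str, names) -> str:
    """Render candidates as a Folder:: block in the layout the helper's CFScript
    uses (Windows backslash paths), for the analyst to review and prune first."""
    sep = "\\"
    lines = ["Folder::"] + [root.rstrip(sep) + sep + n for n in names]
    return "\n".join(lines) + "\n"


# Constructed sample: six generated names quoted in the thread, two from the same
# list that the heuristic intentionally misses, and common vendor folder names.
SAMPLE_NAMES = [
    "k1ivD2onFpHsJdK", "ohhhTXXqjUC", "JfffELL9g", "mqeBzyAvbp",
    "Uc1DnHWgYri", "pJJdgqVOB",
    "Xiqyoc", "TjUUeelIt",
    "Microsoft", "Adobe", "Mozilla", "Macromedia", "Identities",
    "TeamViewer", "ICAClient",
]

if __name__ == "__main__":
    # Pass a Roaming directory as argv[1], or rely on %APPDATA%; otherwise run
    # on the constructed sample with the profile path from the thread.
    root = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("APPDATA", "")
    if root and os.path.isdir(root):
        hits = scan_roaming(root)
    else:
        root, hits = r"c:\users\Williams\AppData\Roaming", find_candidates(SAMPLE_NAMES)
    print(build_cfscript(root, hits))
```

Run on the sample it flags exactly the six generated names and none of the vendor folders; TjUUeelIt scores only two signals (vowel-heavy) and Xiqyoc is too short, which is why a human still reads the full directory listing before anything goes into a CFScript.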


#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:12 AM

Posted 15 November 2011 - 11:37 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015




