
False Anti-Virus Program Running


  • This topic is locked
43 replies to this topic

#1 MrApartment

MrApartment

  • Members
  • 27 posts
  • OFFLINE
  • Local time:07:13 AM

Posted 11 November 2011 - 03:47 PM

Hi there,

As I was browsing familiar websites on Firefox last night, the program shut down inexplicably. A "program" so-called "Privacy Protection" then popped up and began its "analysis" stating I was infected with numerous trojans and worms. One worm I recollect it informing of was titled "Win 32 Worm Blaster" or something of the sort. I then entered into Safe Mode, booted up Combofix and Malwarebytes by way of a USB dongle. I was unable to install Malwarebytes. The installation process continually ended with an "Access Denied" message. I then moved onto Combofix. I was able to generate a log with Combofix and it is available for posting if needed. I have since come to find I shouldn't have run either of these programs myself without professional guidance from the many helpers here at BleepingComputer. However, ever since Combofix ran its course, the so-called "Privacy Protection" program has been nowhere to be found. As well, I am now able to run a gamut of .exe's I wasn't previously enabled to. Cosmetically, it looks as if I'm in the clear. Though, I'd like to have my case examined thoroughly as to guarantee the problem to be gone and my computer clean as a whistle. I originally started a thread in the "Windows 7" forum. I was then instructed to do a run-through corresponding to the Preparation Guide. I have done so.

1. My data (of choice) has been backed up (to a USB dongle) by Cobian Backup 10.
2. Slow computer is not a relevant problem in my case.
3. A free account at this forum has been created/activated and is in use.
4. Topic Reply Notification is not preferred personally.
5. I have verified that my firewall is, indeed, enabled.
6. My computer does not contain CD emulation software.
7. DDS has been downloaded and ran. Both logs have been generated and are located on my Desktop. They are both available to post.
8. A GMER log has not been created as I am using a 64-bit version of Windows.
9. This post is my topic.

Here is my DDS.txt log:





.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_27
Run by Jordan at 15:21:25 on 2011-11-11
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.4094.2882 [GMT -5:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Windows\system32\notepad.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\explorer.exe
C:\Program Files (x86)\Cobian Backup 10\Cobian.exe
C:\Program Files (x86)\Cobian Backup 10\cbInterface.exe
C:\Windows\system32\REGSVR32.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.hotspotshield.com/g/?c=h
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{EEBA2E7E-6454-418D-8BED-0CC8E049FFEB} : DhcpNameServer = 192.168.0.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Jordan\AppData\Roaming\Mozilla\Firefox\Profiles\icmfwg68.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-6-6 64952]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-5-19 2214504]
S2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;C:\Program Files (x86)\Cobian Backup 10\cbVSCService.exe [2011-11-11 67584]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-6-12 31125880]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== File Associations ===============
.
.txt=Notepad++_file
.
=============== Created Last 30 ================
.
2011-11-11 20:00:32 -------- d-----w- C:\Users\Jordan\AppData\Local\Safe mirror
2011-11-11 20:00:04 -------- d-----w- C:\Program Files (x86)\Cobian Backup 10
2011-11-11 19:26:55 -------- d-----w- C:\$RECYCLE.BIN
2011-11-11 18:43:27 98816 ----a-w- C:\Windows\sed.exe
2011-11-11 18:43:27 518144 ----a-w- C:\Windows\SWREG.exe
2011-11-11 18:43:27 256000 ----a-w- C:\Windows\PEV.exe
2011-11-11 18:43:27 208896 ----a-w- C:\Windows\MBR.exe
2011-11-11 18:42:00 -------- d-----w- C:\123
2011-11-11 18:38:19 742884 ----a-w- C:\Windows\System32\PerfStringBackup.TMP
2011-11-11 17:54:05 41272 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-11-11 17:54:01 -------- d-----w- C:\Users\Jordan\AppData\Roaming\Malwarebytes
2011-11-11 17:53:55 -------- d-----w- C:\ProgramData\Malwarebytes
2011-11-11 17:53:52 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-11-09 11:14:45 886784 ----a-w- C:\Program Files\Common Files\System\wab32.dll
2011-11-09 11:14:45 708608 ----a-w- C:\Program Files (x86)\Common Files\System\wab32.dll
2011-11-09 11:14:44 1923952 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2011-11-09 11:14:43 3144704 ----a-w- C:\Windows\System32\win32k.sys
2011-11-01 20:56:12 -------- d-----w- C:\Users\Jordan\AppData\Roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
2011-11-01 20:56:12 -------- d-----w- C:\Users\Jordan\AppData\Roaming\Adobe Mini Bridge CS5
2011-10-26 15:33:03 6144 ----a-w- C:\Program Files\Internet Explorer\iecompat.dll
2011-10-26 15:33:03 6144 ----a-w- C:\Program Files (x86)\Internet Explorer\iecompat.dll
2011-10-19 14:12:20 -------- d-----w- C:\Program Files\CCleaner
2011-10-17 16:55:18 -------- d-----w- C:\Users\Jordan\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2011-10-17 11:32:55 -------- d-----w- C:\Program Files\iTunes
2011-10-17 11:32:55 -------- d-----w- C:\Program Files\iPod
2011-10-17 11:32:55 -------- d-----w- C:\Program Files (x86)\iTunes
2011-10-17 11:31:06 -------- d-----w- C:\Program Files\Bonjour
2011-10-17 11:31:06 -------- d-----w- C:\Program Files (x86)\Bonjour
2011-10-16 23:55:32 18139008 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSO.DLL
.
==================== Find3M ====================
.
2011-10-17 12:35:10 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-10-01 03:25:37 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2011-10-01 02:42:56 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-08-31 03:05:32 96104 ----a-w- C:\Windows\System32\dns-sd.exe
2011-08-31 03:05:32 85864 ----a-w- C:\Windows\System32\dnssd.dll
2011-08-31 03:05:32 61288 ----a-w- C:\Windows\System32\jdns_sd.dll
2011-08-31 03:05:32 212840 ----a-w- C:\Windows\System32\dnssdX.dll
2011-08-31 03:05:04 83816 ----a-w- C:\Windows\SysWow64\dns-sd.exe
2011-08-31 03:05:04 73064 ----a-w- C:\Windows\SysWow64\dnssd.dll
2011-08-31 03:05:04 50536 ----a-w- C:\Windows\SysWow64\jdns_sd.dll
2011-08-31 03:05:04 178536 ----a-w- C:\Windows\SysWow64\dnssdX.dll
2011-08-27 05:37:49 861696 ----a-w- C:\Windows\System32\oleaut32.dll
2011-08-27 05:37:48 331776 ----a-w- C:\Windows\System32\oleacc.dll
2011-08-27 04:26:27 571904 ----a-w- C:\Windows\SysWow64\oleaut32.dll
2011-08-27 04:26:27 233472 ----a-w- C:\Windows\SysWow64\oleacc.dll
2011-08-27 03:38:14 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2011-08-20 05:37:58 1188864 ----a-w- C:\Windows\System32\wininet.dll
2011-08-20 04:31:05 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-08-17 05:26:46 613888 ----a-w- C:\Windows\System32\psisdecd.dll
2011-08-17 05:25:08 108032 ----a-w- C:\Windows\System32\psisrndr.ax
2011-08-17 04:24:12 465408 ----a-w- C:\Windows\SysWow64\psisdecd.dll
2011-08-17 04:19:27 75776 ----a-w- C:\Windows\SysWow64\psisrndr.ax
.
============= FINISH: 15:28:47.68 ===============

I have also attached the Attach.txt log. To reiterate, I've also generated a Combofix log and am willing to post it if requested. Looking forward to the next step in ridding my computer of whatever it's caught!

Thanks.

Attached Files




#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,761 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:13 AM

Posted 16 November 2011 - 03:50 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/427443 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 MrApartment

MrApartment
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:07:13 AM

Posted 16 November 2011 - 05:42 PM

I'm dealing with a pseudo-anti-virus program called "Privacy Protection". I thought I got rid of it. But, it came back. It's gone again but I wouldn't be surprised to see it back. It shuts down all processes and tells me I'm infected with all kinds of worms/trojans. I am only able to run other processes in safe mode. Also, I'm experiencing what I consider "Google Redirect" problems and generally slow loading times (only with Google). I'm running a Windows 7 64-bit system. As a result, a GMER log will not be generated. Having problems with my Adobe software (Illustrator, Photoshop) as well. Not sure if it's related but I'll note it just in case. The programs, when launched, will sometimes ask me for an activation key, and if I don't have one I must start a new 30-day trial. I never sign up for the trial. The next day, the program might boot right up as it used to. Very inconsistent. As stated in the OP, I regretfully ran Combofix and Malwarebytes. The "Privacy Protection" problem went away after doing so (but has since come back only to be gone again). Still, I know I shouldn't have run either program as I really don't know much about it. Assistance would be useful. I do not have a Windows CD/DVD available. Lastly, random "iexplorer.exe" and "iexplorer.exe 32" processes pop up intermittently. I never use Internet Explorer. My DDS log is below:

DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_27
Run by Jordan at 17:31:51 on 2011-11-16
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.4094.2659 [GMT -5:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\Cobian Backup 10\cbVSCService.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\REGSVR32.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.hotspotshield.com/g/?c=h
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{EEBA2E7E-6454-418D-8BED-0CC8E049FFEB} : DhcpNameServer = 192.168.0.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Jordan\AppData\Roaming\Mozilla\Firefox\Profiles\icmfwg68.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-6-6 64952]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;C:\Program Files (x86)\Cobian Backup 10\cbVSCService.exe [2011-11-11 67584]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-5-19 2214504]
R3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-6-12 31125880]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== File Associations ===============
.
.txt=Notepad++_file
.
=============== Created Last 30 ================
.
2011-11-15 14:10:10 -------- d-sh--w- C:\$RECYCLE.BIN
2011-11-15 03:50:40 -------- d-----w- C:\123169051
2011-11-11 20:00:32 -------- d-----w- C:\Users\Jordan\AppData\Local\Safe mirror
2011-11-11 20:00:04 -------- d-----w- C:\Program Files (x86)\Cobian Backup 10
2011-11-11 18:43:27 98816 ----a-w- C:\Windows\sed.exe
2011-11-11 18:43:27 518144 ----a-w- C:\Windows\SWREG.exe
2011-11-11 18:43:27 256000 ----a-w- C:\Windows\PEV.exe
2011-11-11 18:43:27 208896 ----a-w- C:\Windows\MBR.exe
2011-11-11 18:42:00 -------- d-----w- C:\123
2011-11-11 17:54:01 -------- d-----w- C:\Users\Jordan\AppData\Roaming\Malwarebytes
2011-11-11 17:53:55 -------- d-----w- C:\ProgramData\Malwarebytes
2011-11-11 17:53:52 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-11-09 11:14:45 886784 ----a-w- C:\Program Files\Common Files\System\wab32.dll
2011-11-09 11:14:45 708608 ----a-w- C:\Program Files (x86)\Common Files\System\wab32.dll
2011-11-09 11:14:44 1923952 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2011-11-09 11:14:43 3144704 ----a-w- C:\Windows\System32\win32k.sys
2011-11-01 20:56:12 -------- d-----w- C:\Users\Jordan\AppData\Roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
2011-11-01 20:56:12 -------- d-----w- C:\Users\Jordan\AppData\Roaming\Adobe Mini Bridge CS5
2011-10-26 15:33:03 6144 ----a-w- C:\Program Files\Internet Explorer\iecompat.dll
2011-10-26 15:33:03 6144 ----a-w- C:\Program Files (x86)\Internet Explorer\iecompat.dll
2011-10-19 14:12:20 -------- d-----w- C:\Program Files\CCleaner
.
==================== Find3M ====================
.
2011-11-12 01:27:39 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-10-01 03:25:37 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2011-10-01 02:42:56 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-08-31 03:05:32 96104 ----a-w- C:\Windows\System32\dns-sd.exe
2011-08-31 03:05:32 85864 ----a-w- C:\Windows\System32\dnssd.dll
2011-08-31 03:05:32 61288 ----a-w- C:\Windows\System32\jdns_sd.dll
2011-08-31 03:05:32 212840 ----a-w- C:\Windows\System32\dnssdX.dll
2011-08-31 03:05:04 83816 ----a-w- C:\Windows\SysWow64\dns-sd.exe
2011-08-31 03:05:04 73064 ----a-w- C:\Windows\SysWow64\dnssd.dll
2011-08-31 03:05:04 50536 ----a-w- C:\Windows\SysWow64\jdns_sd.dll
2011-08-31 03:05:04 178536 ----a-w- C:\Windows\SysWow64\dnssdX.dll
2011-08-27 05:37:49 861696 ----a-w- C:\Windows\System32\oleaut32.dll
2011-08-27 05:37:48 331776 ----a-w- C:\Windows\System32\oleacc.dll
2011-08-27 04:26:27 571904 ----a-w- C:\Windows\SysWow64\oleaut32.dll
2011-08-27 04:26:27 233472 ----a-w- C:\Windows\SysWow64\oleacc.dll
2011-08-27 03:38:14 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2011-08-20 05:37:58 1188864 ----a-w- C:\Windows\System32\wininet.dll
2011-08-20 04:31:05 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
.
============= FINISH: 17:39:17.13 ===============

My Attach.txt log is attached. Both a zipped and an unzipped version are available at your discretion.


#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 17 November 2011 - 09:16 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Let's see the Combofix log please. If you can't find it, go to Start -> Run.

Copy and paste the following line into the Run box and click OK:

cmd /c dir /a/s/b C:\QooBox >log.txt & log.txt

A text file opens; copy and paste its contents into your reply.


Returning malware may be caused by a rootkit, so please also run aswMBR.

Please download aswMBR (511 KB) to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the Save log button, save it to your desktop and post it in your next reply.

m0le is a proud member of UNITE

#5 MrApartment

MrApartment
  • Topic Starter

  • Members
  • 27 posts

Posted 18 November 2011 - 09:55 PM

Below is my Combofix log:
ComboFix 11-11-18.02 - Jordan 11/18/2011 20:42:47.3.2 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.4094.3002 [GMT -5:00]
Running from: c:\users\Jordan\Desktop\123.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\LP
c:\program files (x86)\LP\3D00\1981.tmp
c:\program files (x86)\LP\3D00\1DB7.tmp
c:\program files (x86)\LP\3D00\6D04.tmp
c:\program files (x86)\LP\3D00\9B02.tmp
c:\users\Jordan\AppData\Roaming\083AC
c:\users\Jordan\AppData\Roaming\083AC\C6E0.83A
c:\users\Jordan\AppData\Roaming\083AC\DF63D.exe
c:\users\Jordan\Desktop\AV Protection 2011.lnk
c:\users\Public\Desktop\Privacy Protection.lnk
c:\windows\system32\consrv.dll
c:\windows\System64
.
.
((((((((((((((((((((((((( Files Created from 2011-10-19 to 2011-11-19 )))))))))))))))))))))))))))))))
.
.
2011-11-19 02:14 . 2011-11-19 02:14 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2011-11-19 02:14 . 2011-11-19 02:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-18 07:10 . 2011-11-18 07:11 -------- d-----w- c:\program files (x86)\AC6E0
2011-11-18 07:09 . 2011-11-18 07:09 -------- d-----w- c:\users\Jordan\AppData\Roaming\pBBBttxP0ycSiv3
2011-11-18 07:09 . 2011-11-18 07:09 -------- d-----w- c:\users\Jordan\AppData\Roaming\nnnnF44amH5s
2011-11-18 07:09 . 2011-11-18 07:09 -------- d-----w- c:\users\Jordan\AppData\Roaming\HzzcuD2obF4pG5Q
2011-11-18 07:09 . 2011-11-18 15:33 -------- d-----w- c:\users\Jordan\AppData\Roaming\FgRRZZqhYXwUelB
2011-11-18 07:09 . 2011-11-18 07:09 -------- d-----w- c:\users\Jordan\AppData\Roaming\nFF44ammH
2011-11-18 07:09 . 2011-11-18 07:09 -------- d-----w- c:\users\Jordan\AppData\Roaming\mFFF4ppmG5sQ6
2011-11-18 07:09 . 2011-11-18 07:09 -------- d-----w- c:\users\Jordan\AppData\Roaming\c2oonnF4pmH5sJd
2011-11-12 01:27 . 2011-11-12 01:27 -------- d-----w- c:\windows\system32\Macromed
2011-11-11 20:00 . 2011-11-11 20:00 -------- d-----w- c:\users\Jordan\AppData\Local\Safe mirror
2011-11-11 20:00 . 2011-11-11 20:00 -------- d-----w- c:\program files (x86)\Cobian Backup 10
2011-11-11 18:42 . 2011-11-11 19:50 -------- d-----w- C:\123
2011-11-11 17:54 . 2011-11-11 17:54 -------- d-----w- c:\users\Jordan\AppData\Roaming\Malwarebytes
2011-11-11 17:53 . 2011-11-11 17:53 -------- d-----w- c:\programdata\Malwarebytes
2011-11-11 17:53 . 2011-11-11 18:37 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-11-09 11:14 . 2011-10-01 05:45 886784 ----a-w- c:\program files\Common Files\System\wab32.dll
2011-11-09 11:14 . 2011-10-01 04:37 708608 ----a-w- c:\program files (x86)\Common Files\System\wab32.dll
2011-11-09 11:14 . 2011-09-29 16:29 1923952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-09 11:14 . 2011-09-29 04:03 3144704 ----a-w- c:\windows\system32\win32k.sys
2011-11-01 20:56 . 2011-11-01 20:56 -------- d-----w- c:\users\Jordan\AppData\Roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
2011-11-01 20:56 . 2011-11-01 20:56 -------- d-----w- c:\users\Jordan\AppData\Roaming\Adobe Mini Bridge CS5
2011-10-26 15:33 . 2011-08-13 05:27 6144 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2011-10-26 15:33 . 2011-08-13 04:18 6144 ----a-w- c:\program files (x86)\Internet Explorer\iecompat.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-18 15:45 . 2011-05-17 07:25 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-10-01 03:25 . 2011-10-12 02:15 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-10-01 02:42 . 2011-10-12 02:15 1638912 ----a-w- c:\windows\SysWow64\mshtml.tlb
2011-08-31 03:05 . 2011-08-31 03:05 96104 ----a-w- c:\windows\system32\dns-sd.exe
2011-08-31 03:05 . 2011-08-31 03:05 85864 ----a-w- c:\windows\system32\dnssd.dll
2011-08-31 03:05 . 2011-08-31 03:05 61288 ----a-w- c:\windows\system32\jdns_sd.dll
2011-08-31 03:05 . 2011-08-31 03:05 212840 ----a-w- c:\windows\system32\dnssdX.dll
2011-08-31 03:05 . 2011-08-31 03:05 83816 ----a-w- c:\windows\SysWow64\dns-sd.exe
2011-08-31 03:05 . 2011-08-31 03:05 73064 ----a-w- c:\windows\SysWow64\dnssd.dll
2011-08-31 03:05 . 2011-08-31 03:05 50536 ----a-w- c:\windows\SysWow64\jdns_sd.dll
2011-08-31 03:05 . 2011-08-31 03:05 178536 ----a-w- c:\windows\SysWow64\dnssdX.dll
2011-08-27 05:37 . 2011-10-12 02:16 861696 ----a-w- c:\windows\system32\oleaut32.dll
2011-08-27 05:37 . 2011-10-12 02:16 331776 ----a-w- c:\windows\system32\oleacc.dll
2011-08-27 04:26 . 2011-10-12 02:16 571904 ----a-w- c:\windows\SysWow64\oleaut32.dll
2011-08-27 04:26 . 2011-10-12 02:16 233472 ----a-w- c:\windows\SysWow64\oleacc.dll
2011-08-27 03:38 . 2011-08-27 03:38 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-11-11_19.27.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-11-11 18:08 . 2011-11-18 21:33 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2011-11-11 18:08 . 2011-11-11 18:44 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2011-11-18 09:29 . 2011-11-18 13:29 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat
+ 2011-11-18 07:44 . 2011-11-18 18:28 98304 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012011111820111119\index.dat
+ 2011-11-18 07:44 . 2011-11-18 07:42 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012011110720111114\index.dat
+ 2011-11-11 18:09 . 2011-11-18 21:33 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
+ 2011-04-28 02:48 . 2011-11-18 15:36 18534 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-11-19 02:19 35762 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2011-04-27 01:05 . 2011-11-11 17:52 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-04-27 01:05 . 2011-11-18 15:35 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-04-27 01:05 . 2011-11-11 17:52 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-04-27 01:05 . 2011-11-18 15:35 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-11-11 17:52 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2011-11-18 15:35 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-11-11 18:28 . 2011-11-19 02:17 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-11-11 18:28 . 2011-11-11 19:26 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-11-11 18:28 . 2011-11-11 19:26 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-11-11 18:28 . 2011-11-19 02:17 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-11-11 18:28 . 2011-11-19 02:17 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-11-11 18:28 . 2011-11-11 19:26 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-04-26 22:47 . 2011-11-11 18:09 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-04-26 22:47 . 2011-11-19 02:05 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-04-26 22:47 . 2011-11-11 18:09 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-04-26 22:47 . 2011-11-19 02:05 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-11-18 16:10 . 2011-11-18 16:10 8192 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YFLY89X4\GraboidVideoSetup-2.32-Complete[1].exe
+ 2011-11-18 16:40 . 2011-11-18 16:40 8192 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JLHNPFXD\GraboidVideoSetup-2.32-Complete[1].exe
+ 2011-04-26 22:57 . 2011-11-19 02:19 9166 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1890686147-1497101914-2097041915-1001_UserData.bin
- 2011-11-11 19:26 . 2011-11-11 19:26 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-11-19 02:17 . 2011-11-19 02:17 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-11-19 02:17 . 2011-11-19 02:17 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-11-11 19:26 . 2011-11-11 19:26 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-11-12 01:27 . 2011-11-12 01:27 247968 c:\windows\SysWOW64\Macromed\Flash\FlashUtil11e_Plugin.exe
+ 2011-11-18 15:45 . 2011-11-18 15:45 247968 c:\windows\SysWOW64\Macromed\Flash\FlashUtil11e_ActiveX.exe
+ 2011-11-18 15:45 . 2011-11-18 15:45 335520 c:\windows\SysWOW64\Macromed\Flash\FlashUtil11e_ActiveX.dll
+ 2009-07-14 04:54 . 2011-11-18 21:33 294912 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-04-27 21:32 . 2011-11-14 13:20 254290 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
+ 2009-07-14 02:36 . 2011-11-18 15:39 636154 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-11-18 15:39 110334 c:\windows\system32\perfc009.dat
+ 2011-11-12 01:27 . 2011-11-12 01:27 461984 c:\windows\system32\Macromed\Flash\FlashUtil64_11_1_102_Plugin.exe
+ 2011-11-18 15:45 . 2011-11-18 15:45 461984 c:\windows\system32\Macromed\Flash\FlashUtil64_11_1_102_ActiveX.exe
+ 2011-11-18 15:45 . 2011-11-18 15:45 376480 c:\windows\system32\Macromed\Flash\FlashUtil64_11_1_102_ActiveX.dll
+ 2009-07-14 04:46 . 2011-11-15 07:26 103944 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2009-07-14 05:01 . 2011-11-19 02:16 400416 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2011-11-11 00:30 400416 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-11-18 07:10 . 2011-11-18 15:35 223744 c:\windows\assembly\temp\kwrd.dll
+ 2011-04-27 01:38 . 2011-11-12 01:27 8527008 c:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll
+ 2009-07-14 04:54 . 2011-11-18 21:33 3768320 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2011-11-18 21:33 1146880 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:45 . 2011-11-14 23:36 7333660 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
- 2009-07-14 04:45 . 2011-11-10 08:22 7333660 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
+ 2009-07-14 02:34 . 2011-11-12 08:11 10747904 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
- 2009-07-14 02:34 . 2011-10-12 07:21 10747904 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
+ 2011-11-12 01:27 . 2011-11-12 01:27 11336864 c:\windows\system32\Macromed\Flash\NPSWF64_11_1_102.dll
- 2011-04-27 23:23 . 2011-11-10 22:35 54078340 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1890686147-1497101914-2097041915-1001-12288.dat
+ 2011-04-27 23:23 . 2011-11-19 02:16 54078340 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1890686147-1497101914-2097041915-1001-12288.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-07-05 421888]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files (x86)\Cobian Backup 10\cbVSCService.exe [2010-09-23 67584]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-05-21 2214504]
S3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-06-17 16:11 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-08-10 1873256]
"combofix"="c:\123146421\CF2297.3XE" [2010-11-20 345088]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://search.hotspotshield.com/g/?c=h
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Jordan\AppData\Roaming\Mozilla\Firefox\Profiles\icmfwg68.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
.
.
------- File Associations -------
.
.txt=Notepad++_file
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:12,a4,fc,b8,5d,d7,10,55,19,75,43,3e,f5,23,5b,9d,cd,fd,29,e8,fc,
32,df,7a,4e,84,13,b7,3e,36,4b,fc,fe,6f,24,6a,1c,23,16,98,24,84,9c,d8,7b,a6,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:12,a4,fc,b8,5d,d7,10,55,19,75,43,3e,f5,23,5b,9d,cd,fd,29,e8,fc,
32,df,7a,4e,84,13,b7,3e,36,4b,fc,fe,6f,24,6a,1c,23,16,98,24,84,9c,d8,7b,a6,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2011-11-18 21:36:59 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-19 02:36
ComboFix2.txt 2011-11-15 04:51
ComboFix3.txt 2011-11-11 19:50
.
Pre-Run: 95,267,848,192 bytes free
Post-Run: 95,356,973,056 bytes free
.
- - End Of File - - F613AD91BD22EBBF37E242AF02FA84B0

Below is my aswMBR log:

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-11-18 21:40:36
-----------------------------
21:40:36.659 OS Version: Windows x64 6.1.7601 Service Pack 1
21:40:36.659 Number of processors: 2 586 0x6B01
21:40:36.659 ComputerName: JORDAN-PC UserName: Jordan
21:40:37.813 Initialize success
21:41:18.878 AVAST engine defs: 11111801
21:41:29.096 The log file has been saved successfully to "C:\Users\Jordan\Desktop\aswMBR.txt"
21:41:34.923 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000056
21:41:34.923 Disk 0 Vendor: WDC_WD32 12.0 Size: 305245MB BusType: 8
21:41:36.967 Disk 0 MBR read successfully
21:41:36.967 Disk 0 MBR scan
21:41:36.982 Disk 0 Windows 7 default MBR code
21:41:36.982 Service scanning
21:41:38.433 Modules scanning
21:41:38.433 Disk 0 trace - called modules:
21:41:38.449 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8004451334]<<
21:41:38.449 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80043ef060]
21:41:38.464 3 CLASSPNP.SYS[fffff8800185143f] -> nt!IofCallDriver -> [0xfffffa800409ee40]
21:41:38.464 5 ACPI.sys[fffff88000f477a1] -> nt!IofCallDriver -> \Device\00000056[0xfffffa8004096540]
21:41:38.464 \Driver\nvstor64[0xfffffa80036f0990] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0xfffffa8004451334
21:41:40.180 AVAST engine scan C:\Windows
21:41:42.520 AVAST engine scan C:\Windows\system32
21:43:42.765 AVAST engine scan C:\Windows\system32\drivers
21:43:54.106 AVAST engine scan C:\Users\Jordan
21:44:49.205 File: C:\Users\Jordan\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\59\1e5202bb-2efac39b **INFECTED** Win32:Small-HTVV [Trj]
21:46:53.350 File: C:\Users\Jordan\Documents\rpmk.exe **INFECTED** Win32:FakeAV-CND [Trj]
21:47:08.825 AVAST engine scan C:\ProgramData
21:49:39.147 Scan finished successfully
21:52:24.975 Disk 0 MBR has been saved successfully to "C:\Users\Jordan\Desktop\MBR.dat"
21:52:24.991 The log file has been saved successfully to "C:\Users\Jordan\Desktop\aswMBR.txt"

END OF POST
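
A triage script for the two logs in this post, added here as an example (it is not code from the thread, from ComboFix or from aswMBR). It checks the UAC and Action Center policy values ComboFix printed under "Reg Loading Points" against the Windows 7 defaults, which are an assumption of the example and are not stated anywhere in the thread, and it ties the ">>UNKNOWN [address]<<" marker in the aswMBR disk trace to the driver hop that dispatches to that address. The embedded inputs are excerpts copied from the logs above.

```python
"""Triage helpers for the ComboFix and aswMBR logs posted above.

Added example; not code from the thread, from ComboFix or from aswMBR.
It parses the REGEDIT4-style "Reg Loading Points" block that ComboFix
prints and flags UAC/Action Center policy values that are off their
defaults, and it pairs the ">>UNKNOWN [addr]<<" marker in an aswMBR disk
trace with the dispatch hop that points at that address.
"""
import re

# Windows 7 defaults for the values ComboFix printed. These defaults are an
# assumption of this example; the thread does not state them.
EXPECTED_SYSTEM = {
    "EnableLUA": 1,                   # UAC enabled
    "ConsentPromptBehaviorAdmin": 5,  # consent prompt for non-Windows binaries
    "ConsentPromptBehaviorUser": 3,   # credential prompt for standard users
    "PromptOnSecureDesktop": 1,       # prompts shown on the secure desktop
    "EnableUIADesktopToggle": 0,
}
# 1 hides the Action Center icon, so "no antivirus" warnings never appear.
EXPECTED_EXPLORER = {"HideSCAHealth": 0}

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"\s*=\s*(\d+)\s*\(0x[0-9a-fA-F]+\)')
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-f]+)\]<<", re.I)
HOP_RE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ (\\Driver\\[^\[]+)\[0x[0-9a-f]+\] -> (\S+) -> (0x[0-9a-f]+)$",
    re.I)


def parse_reg_points(text):
    """Map each [key] in a ComboFix 'Reg Loading Points' block to its DWORD values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2))
    return keys


def policy_findings(text):
    """Return (value_name, observed, expected) for every policy value off its default."""
    keys = parse_reg_points(text)
    checks = ((r"\policies\system", EXPECTED_SYSTEM),
              (r"\policies\explorer", EXPECTED_EXPLORER))
    findings = []
    for suffix, expected in checks:
        for path, values in keys.items():
            if not path.endswith(suffix):
                continue
            for name, want in expected.items():
                got = values.get(name)
                if got is not None and got != want:
                    findings.append((name, got, want))
    return findings


def unknown_hops(text):
    """Return (driver, irp, address) for trace hops whose target aswMBR could not name."""
    unknown = {a.lower() for a in UNKNOWN_RE.findall(text)}
    hits = []
    for raw in text.splitlines():
        m = HOP_RE.match(raw.strip())
        if m and m.group(3).lower() in unknown:
            hits.append((m.group(1), m.group(2), m.group(3).lower()))
    return hits


# Excerpts copied from the ComboFix and aswMBR logs in the post above.
COMBOFIX_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
"""

ASWMBR_TRACE = r"""
21:41:38.449 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8004451334]<<
21:41:38.449 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80043ef060]
21:41:38.464 5 ACPI.sys[fffff88000f477a1] -> nt!IofCallDriver -> \Device\00000056[0xfffffa8004096540]
21:41:38.464 \Driver\nvstor64[0xfffffa80036f0990] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0xfffffa8004451334
"""

if __name__ == "__main__":
    for name, got, want in policy_findings(COMBOFIX_REG):
        print(f"policy {name} = {got} (expected {want})")
    for driver, irp, addr in unknown_hops(ASWMBR_TRACE):
        print(f"{driver} dispatches {irp} to unmapped address {addr}")
```

On this log it reports EnableLUA=0 (expected 1), ConsentPromptBehaviorAdmin=0 (expected 5), PromptOnSecureDesktop=0 (expected 1) and HideSCAHealth=1 (expected 0): UAC is off, administrator elevation is silent and the Action Center icon is hidden, which is the combination that lets a rogue AV install its shortcuts and Run entries without the user ever seeing a prompt or a "no antivirus" warning. Confirm with the machine's owner that none of these were set deliberately before attributing them to the infection. For aswMBR, "Windows 7 default MBR code" means the boot sector itself is unmodified; the nvstor64 hop landing at an address aswMBR could not map to any module is a lead for the helper to follow up, not a verdict on its own, because the tool only reports that it could not attribute the address, not what lives there.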


#6 MrApartment

MrApartment
  • Topic Starter

  • Members
  • 27 posts

Posted 19 November 2011 - 12:08 PM

For the sake of a more efficient diagnosis, I figured I'd mention that "it" looks like it's back this morning, though under a new name. It is the same fake anti-virus "program". This time, it's called "AV Protection" instead of "Privacy Protection". It looks to be a little milder than the last one, as I can run .exe's like Firefox and such. Previously, I couldn't do that. I was also able to kill the "AV Protection" process via Ctrl-Alt-Delete, something I wasn't able to do previously. To clarify, this is all after running the logs seen in the previous post. Thanks for your help, m0le.

#7 MrApartment

MrApartment
  • Topic Starter

  • Members
  • 27 posts

Posted 19 November 2011 - 05:13 PM

With respect to the "no-bump policy", I'm compelled to further update you on the status of my situation. The original "Privacy Protection" program sprouted back up fifteen minutes ago. My computer is important and needs to be of use at all times. Therefore, I ran Malwarebytes. It is gone for now. It seems everything done up to this point is but a temporary band-aid. I also noted with a novice eye that the number of infections found by Malwarebytes was higher today than ever. As well, it seems registry values are now being reached, which to my recollection wasn't happening until now. I have attached the freshest Malwarebytes log for your use. Thanks again.


#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 20 November 2011 - 06:00 AM

Did you run MBAM and select the removal of what you found? The log shows you took no action. Can you confirm that you did, or you will need to run MBAM again; make sure that everything is checked and that you click Remove Selected. Please post the log in this case.

The log also shows traces of malware, but the improvement is due to Combofix's removal of the consrv.dll malware file.

#9 MrApartment

MrApartment
  • Topic Starter

  • Members
  • 27 posts

Posted 20 November 2011 - 01:32 PM

I'm pretty sure I removed them. But, just in case, I generated two fresh logs of MBAM.

Log One
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8197

Windows 6.1.7601 Service Pack 1 (Safe Mode)
Internet Explorer 8.0.7601.17514

11/20/2011 1:19:57 PM
mbam-log-2011-11-20 (13-19-57).txt

Scan type: Quick scan
Objects scanned: 184834
Time elapsed: 3 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Privacy Protection (Rogue.PrvacyProtect) -> Value: Privacy Protection -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Jordan\AppData\Local\Temp\0.9362525994572283fdrgs.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Jordan\AppData\Local\Temp\F5D7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Jordan\AppData\Local\Temp\F7CA.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Public\Desktop\privacy protection.lnk (Malware.Trace) -> Quarantined and deleted successfully.
c:\programdata\privacy.exe (Rogue.PrvacyProtect) -> Quarantined and deleted successfully.

Log Two
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8197

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

11/20/2011 1:25:26 PM
mbam-log-2011-11-20 (13-25-26).txt

Scan type: Quick scan
Objects scanned: 184967
Time elapsed: 3 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

END OF LOG

Everything looks good right now. But, at this point, I expect it to be back. Usually takes about 5 hours to regenerate. Still dealing with redirecting in Google.

Also finding "PING.exe" entries in my processes.

Edited by MrApartment, 20 November 2011 - 03:05 PM.
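
A checker for MBAM 1.x logs like the two above, added as an example (it is not code from the thread or from Malwarebytes). It parses the summary counters and the per-detection lines and lists any detection whose recorded action is not a successful quarantine, which is the "no action taken" case m0le asked about in post #8. The first embedded log is an excerpt of Log One above; the second is constructed for the example and includes one line with a "No action taken." outcome (that wording for an unresolved item is assumed here).

```python
"""Did Malwarebytes' Anti-Malware actually remove what it found?

Added example; not code from the thread or from Malwarebytes. It reads an
MBAM 1.x text log, parses the summary counters and the per-detection
lines, and reports detections whose recorded action is not a successful
quarantine and deletion.
"""
import re

COUNT_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")     # "Files Infected: 5"
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")         # "Files Infected:"
ITEM_RE = re.compile(r"^(.+) \(([^()]+)\)(?: -> .+)?$")      # "item (Family)[ -> Value: x]"
DB_RE = re.compile(r"^Database version: (\d+)$", re.M)
RESOLVED = {"Quarantined and deleted successfully"}


def parse_counts(text):
    """Summary block as {"Files Infected": 5, ...}."""
    counts = {}
    for raw in text.splitlines():
        m = COUNT_RE.match(raw.strip())
        if m:
            counts[m.group(1)] = int(m.group(2))
    return counts


def parse_items(text):
    """One record per detection line; the action is the text after the last ' -> '."""
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None or " -> " not in line:
            continue
        head, _, action = line.rpartition(" -> ")
        m = ITEM_RE.match(head)
        if m:
            records.append({"section": section, "item": m.group(1),
                            "family": m.group(2), "action": action.rstrip(".")})
    return records


def unresolved(text):
    """Detections MBAM logged without a successful quarantine/deletion."""
    return [r for r in parse_items(text) if r["action"] not in RESOLVED]


def summary(text):
    """Counters vs. detail lines, plus the context a helper asks for first."""
    counts = parse_counts(text)
    m = DB_RE.search(text)
    return {
        "database": int(m.group(1)) if m else None,
        "safe_mode": "(Safe Mode)" in text,
        "reported": sum(counts.values()),   # what the counters claim
        "listed": len(parse_items(text)),   # what the detail lines show
        "unresolved": len(unresolved(text)),
    }


# Excerpt of "Log One" from the post above.
LOG_ONE = r"""
Malwarebytes' Anti-Malware 1.51.2.1300
Database version: 8197
Windows 6.1.7601 Service Pack 1 (Safe Mode)
Scan type: Quick scan

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Privacy Protection (Rogue.PrvacyProtect) -> Value: Privacy Protection -> Quarantined and deleted successfully.

Files Infected:
c:\Users\Jordan\AppData\Local\Temp\0.9362525994572283fdrgs.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Jordan\AppData\Local\Temp\F5D7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Jordan\AppData\Local\Temp\F7CA.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Public\Desktop\privacy protection.lnk (Malware.Trace) -> Quarantined and deleted successfully.
c:\programdata\privacy.exe (Rogue.PrvacyProtect) -> Quarantined and deleted successfully.
"""

# Constructed for this example: a scan where one item was left in place.
LOG_NO_ACTION = r"""
Database version: 8197
Windows 6.1.7601 Service Pack 1
Files Infected: 2

Files Infected:
c:\programdata\privacy.exe (Rogue.PrvacyProtect) -> No action taken.
c:\Users\Jordan\Documents\rpmk.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    for log in (LOG_ONE, LOG_NO_ACTION):
        print(summary(log))
        for r in unresolved(log):
            print("  left in place:", r["item"], "->", r["action"])
```

Two things matter to a helper reading the output: whether the counters and the detail lines agree (a mismatch means the log was truncated when pasted), and whether anything is left unresolved. A quick scan in Safe Mode that quarantines every item and a second scan that finds nothing, as in the two logs above, is consistent with MBAM having done its job; it says nothing about whatever is dropping the rogue back onto the system every few hours, which is why the next step in the thread is another ComboFix run rather than another MBAM scan.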


#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 20 November 2011 - 08:05 PM

It may return; this log will tell me. We're running Combofix again.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

File::
C:\Users\Jordan\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\59\1e5202bb-2efac39b
C:\Users\Jordan\Documents\rpmk.exe


Save this as CFScript.txt, in the same location as ComboFix.exe (called ComboFix.exe in the graphic below).


[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe.

If the program asks you to update Combofix, click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

#11 MrApartment

MrApartment
  • Topic Starter

  • Members
  • 27 posts

Posted 20 November 2011 - 10:10 PM

ComboFix 11-11-20.02 - Jordan 11/20/2011 21:12:49.4.2 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.4094.2798 [GMT -5:00]
Running from: c:\users\Jordan\Desktop\123.exe
Command switches used :: c:\users\Jordan\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\users\Jordan\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\59\1e5202bb-2efac39b"
"c:\users\Jordan\Documents\rpmk.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\LP
c:\program files (x86)\LP\3D00\1.tmp
c:\program files (x86)\LP\3D00\118D.tmp
c:\program files (x86)\LP\3D00\B1FF.tmp
c:\program files (x86)\LP\3D00\C080.tmp
c:\programdata\F9DC.tmp
c:\users\Jordan\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\59\1e5202bb-2efac39b
c:\users\Jordan\Desktop\AV Protection 2011.lnk
c:\users\Jordan\Documents\rpmk.exe
c:\windows\system32\consrv.dll
c:\windows\System64
.
.
((((((((((((((((((((((((( Files Created from 2011-10-21 to 2011-11-21 )))))))))))))))))))))))))))))))
.
.
2011-11-21 02:45 . 2011-11-21 02:45 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2011-11-21 02:45 . 2011-11-21 02:45 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-19 18:31 . 2011-11-19 18:31 -------- d-----w- c:\users\Jordan\AppData\Roaming\B3GaH6dWKfLgXjC
2011-11-19 18:31 . 2011-11-19 18:31 -------- d-----w- c:\users\Jordan\AppData\Roaming\U9hTXqjUCkBzy0v
2011-11-19 16:51 . 2011-11-19 22:05 -------- d-----w- c:\users\Jordan\AppData\Roaming\083AC
2011-11-19 16:50 . 2011-11-19 16:50 -------- d-----w- c:\users\Jordan\AppData\Roaming\ppmH5sQJ7E8R9Yw
2011-11-19 16:50 . 2011-11-19 16:50 -------- d-----w- c:\users\Jordan\AppData\Roaming\FVelOBtzPyAiDoF
2011-11-19 06:46 . 2011-11-19 06:46 -------- d-----w- c:\users\Jordan\AppData\Roaming\pgRRZZ9hYXwjVeI
2011-11-19 06:46 . 2011-11-19 06:46 -------- d-----w- c:\users\Jordan\AppData\Roaming\FttzzPNNycAuv2o
2011-11-19 06:46 . 2011-11-19 22:04 -------- d-----w- c:\users\Jordan\AppData\Roaming\FrrrzzONyxA0vSi
2011-11-19 06:46 . 2011-11-19 06:46 -------- d-----w- c:\users\Jordan\AppData\Roaming\FAAA0uucS2iD3nG
2011-11-19 06:46 . 2011-11-19 06:46 -------- d-----w- c:\users\Jordan\AppData\Roaming\pffRRL99h
2011-11-19 06:46 . 2011-11-19 06:46 -------- d-----w- c:\users\Jordan\AppData\Roaming\IEEEL88gT
2011-11-19 06:46 . 2011-11-19 06:46 -------- d-----w- c:\users\Jordan\AppData\Roaming\BsssWKK7fE
2011-11-18 07:10 . 2011-11-19 22:05 -------- d-----w- c:\program files (x86)\AC6E0
2011-11-18 07:09 . 2011-11-18 07:09 -------- d-----w- c:\users\Jordan\AppData\Roaming\pBBBttxP0ycSiv3
2011-11-18 07:09 . 2011-11-18 07:09 -------- d-----w- c:\users\Jordan\AppData\Roaming\nnnnF44amH5s
2011-11-18 07:09 . 2011-11-18 07:09 -------- d-----w- c:\users\Jordan\AppData\Roaming\HzzcuD2obF4pG5Q
2011-11-18 07:09 . 2011-11-18 15:33 -------- d-----w- c:\users\Jordan\AppData\Roaming\FgRRZZqhYXwUelB
2011-11-18 07:09 . 2011-11-18 07:09 -------- d-----w- c:\users\Jordan\AppData\Roaming\nFF44ammH
2011-11-18 07:09 . 2011-11-18 07:09 -------- d-----w- c:\users\Jordan\AppData\Roaming\mFFF4ppmG5sQ6
2011-11-18 07:09 . 2011-11-18 07:09 -------- d-----w- c:\users\Jordan\AppData\Roaming\c2oonnF4pmH5sJd
2011-11-12 01:27 . 2011-11-12 01:27 -------- d-----w- c:\windows\system32\Macromed
2011-11-11 20:00 . 2011-11-11 20:00 -------- d-----w- c:\users\Jordan\AppData\Local\Safe mirror
2011-11-11 20:00 . 2011-11-11 20:00 -------- d-----w- c:\program files (x86)\Cobian Backup 10
2011-11-11 18:42 . 2011-11-11 19:50 -------- d-----w- C:\123
2011-11-11 17:54 . 2011-11-11 17:54 -------- d-----w- c:\users\Jordan\AppData\Roaming\Malwarebytes
2011-11-11 17:53 . 2011-11-11 17:53 -------- d-----w- c:\programdata\Malwarebytes
2011-11-11 17:53 . 2011-11-11 18:37 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-11-09 11:14 . 2011-10-01 05:45 886784 ----a-w- c:\program files\Common Files\System\wab32.dll
2011-11-09 11:14 . 2011-10-01 04:37 708608 ----a-w- c:\program files (x86)\Common Files\System\wab32.dll
2011-11-09 11:14 . 2011-09-29 16:29 1923952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-09 11:14 . 2011-09-29 04:03 3144704 ----a-w- c:\windows\system32\win32k.sys
2011-11-01 20:56 . 2011-11-01 20:56 -------- d-----w- c:\users\Jordan\AppData\Roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
2011-11-01 20:56 . 2011-11-01 20:56 -------- d-----w- c:\users\Jordan\AppData\Roaming\Adobe Mini Bridge CS5
2011-10-26 15:33 . 2011-08-13 05:27 6144 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2011-10-26 15:33 . 2011-08-13 04:18 6144 ----a-w- c:\program files (x86)\Internet Explorer\iecompat.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-18 15:45 . 2011-05-17 07:25 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-10-01 03:25 . 2011-10-12 02:15 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-10-01 02:42 . 2011-10-12 02:15 1638912 ----a-w- c:\windows\SysWow64\mshtml.tlb
2011-08-31 03:05 . 2011-08-31 03:05 96104 ----a-w- c:\windows\system32\dns-sd.exe
2011-08-31 03:05 . 2011-08-31 03:05 85864 ----a-w- c:\windows\system32\dnssd.dll
2011-08-31 03:05 . 2011-08-31 03:05 61288 ----a-w- c:\windows\system32\jdns_sd.dll
2011-08-31 03:05 . 2011-08-31 03:05 212840 ----a-w- c:\windows\system32\dnssdX.dll
2011-08-31 03:05 . 2011-08-31 03:05 83816 ----a-w- c:\windows\SysWow64\dns-sd.exe
2011-08-31 03:05 . 2011-08-31 03:05 73064 ----a-w- c:\windows\SysWow64\dnssd.dll
2011-08-31 03:05 . 2011-08-31 03:05 50536 ----a-w- c:\windows\SysWow64\jdns_sd.dll
2011-08-31 03:05 . 2011-08-31 03:05 178536 ----a-w- c:\windows\SysWow64\dnssdX.dll
2011-08-27 05:37 . 2011-10-12 02:16 861696 ----a-w- c:\windows\system32\oleaut32.dll
2011-08-27 05:37 . 2011-10-12 02:16 331776 ----a-w- c:\windows\system32\oleacc.dll
2011-08-27 04:26 . 2011-10-12 02:16 571904 ----a-w- c:\windows\SysWow64\oleaut32.dll
2011-08-27 04:26 . 2011-10-12 02:16 233472 ----a-w- c:\windows\SysWow64\oleacc.dll
2011-08-27 03:38 . 2011-08-27 03:38 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2011-11-19_02.19.03 )))))))))))))))))))))))))))))))))))))))))
.
- 2011-11-11 18:08 . 2011-11-18 21:33 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2011-11-11 18:08 . 2011-11-21 01:12 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2011-11-18 09:29 . 2011-11-21 00:41 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat
- 2011-11-18 09:29 . 2011-11-18 13:29 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat
+ 2011-11-20 18:40 . 2011-11-21 00:41 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012011112020111121\index.dat
+ 2011-11-19 17:11 . 2011-11-20 01:09 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012011111920111120\index.dat
+ 2011-11-11 18:09 . 2011-11-21 01:12 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
+ 2011-04-28 02:48 . 2011-11-20 19:13 20916 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-11-21 02:50 35802 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-04-27 01:05 . 2011-11-20 19:11 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-04-27 01:05 . 2011-11-18 15:35 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-04-27 01:05 . 2011-11-18 15:35 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-04-27 01:05 . 2011-11-20 19:11 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-11-18 15:35 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2011-11-20 19:11 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-11-11 18:28 . 2011-11-21 02:48 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-11-11 18:28 . 2011-11-19 02:17 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:46 . 2011-11-20 23:30 21168 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
- 2011-11-11 18:28 . 2011-11-19 02:17 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-11-11 18:28 . 2011-11-21 02:48 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-11-11 18:28 . 2011-11-21 02:48 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-11-11 18:28 . 2011-11-19 02:17 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-04-26 22:47 . 2011-11-19 02:05 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-04-26 22:47 . 2011-11-21 02:10 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-04-26 22:47 . 2011-11-21 02:10 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-04-26 22:47 . 2011-11-19 02:05 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-04-26 22:55 . 2011-11-19 17:11 3314 c:\windows\system32\wdi\ERCQueuedResolutions.dat
+ 2011-04-26 22:57 . 2011-11-21 02:50 9448 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1890686147-1497101914-2097041915-1001_UserData.bin
+ 2011-11-21 02:48 . 2011-11-21 02:48 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-11-19 02:17 . 2011-11-19 02:17 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-11-21 02:48 . 2011-11-21 02:48 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-11-19 02:17 . 2011-11-19 02:17 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 04:54 . 2011-11-21 02:46 344064 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 02:36 . 2011-11-20 19:15 636154 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2011-11-18 15:39 636154 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2011-11-18 15:39 110334 c:\windows\system32\perfc009.dat
+ 2009-07-14 02:36 . 2011-11-20 19:15 110334 c:\windows\system32\perfc009.dat
- 2009-07-14 05:01 . 2011-11-19 02:16 400416 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2011-11-21 02:47 400416 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2011-11-18 07:10 . 2011-11-18 15:35 223744 c:\windows\assembly\temp\kwrd.dll
+ 2011-11-18 07:10 . 2011-11-20 19:11 223744 c:\windows\assembly\temp\kwrd.dll
+ 2009-07-14 04:54 . 2011-11-21 02:46 4947968 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2011-11-21 02:46 1802240 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-04-27 23:23 . 2011-11-21 02:47 54671420 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1890686147-1497101914-2097041915-1001-12288.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-07-05 421888]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files (x86)\Cobian Backup 10\cbVSCService.exe [2010-09-23 67584]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-05-21 2214504]
S3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-06-17 16:11 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-08-10 1873256]
"combofix"="c:\123162781\CF14872.3XE" [2010-11-20 345088]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://search.hotspotshield.com/g/?c=h
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Jordan\AppData\Roaming\Mozilla\Firefox\Profiles\icmfwg68.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:12,a4,fc,b8,5d,d7,10,55,19,75,43,3e,f5,23,5b,9d,cd,fd,29,e8,fc,
32,df,7a,4e,84,13,b7,3e,36,4b,fc,fe,6f,24,6a,1c,23,16,98,24,84,9c,d8,7b,a6,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:12,a4,fc,b8,5d,d7,10,55,19,75,43,3e,f5,23,5b,9d,cd,fd,29,e8,fc,
32,df,7a,4e,84,13,b7,3e,36,4b,fc,fe,6f,24,6a,1c,23,16,98,24,84,9c,d8,7b,a6,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2011-11-20 22:08:09 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-21 03:07
ComboFix2.txt 2011-11-19 02:37
ComboFix3.txt 2011-11-15 04:51
ComboFix4.txt 2011-11-11 19:50
.
Pre-Run: 94,448,218,112 bytes free
Post-Run: 94,169,755,648 bytes free
.
- - End Of File - - 9ABF98396F5A076EA4EF473FB28E4FC7

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:12:13 PM

Posted 21 November 2011 - 07:55 PM

The consrv.dll file is from the ZeroAccess rootkit and you can see it is regenerating to be removed again by Combofix.

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

Folder::
2011-11-19 18:31 . 2011-11-19 18:31 -------- d-----w- c:\users\Jordan\AppData\Roaming\B3GaH6dWKfLgXjC
2011-11-19 18:31 . 2011-11-19 18:31 -------- d-----w- c:\users\Jordan\AppData\Roaming\U9hTXqjUCkBzy0v
2011-11-19 16:51 . 2011-11-19 22:05 -------- d-----w- c:\users\Jordan\AppData\Roaming\083AC
2011-11-19 16:50 . 2011-11-19 16:50 -------- d-----w- c:\users\Jordan\AppData\Roaming\ppmH5sQJ7E8R9Yw
2011-11-19 16:50 . 2011-11-19 16:50 -------- d-----w- c:\users\Jordan\AppData\Roaming\FVelOBtzPyAiDoF
2011-11-19 06:46 . 2011-11-19 06:46 -------- d-----w- c:\users\Jordan\AppData\Roaming\pgRRZZ9hYXwjVeI
2011-11-19 06:46 . 2011-11-19 06:46 -------- d-----w- c:\users\Jordan\AppData\Roaming\FttzzPNNycAuv2o
2011-11-19 06:46 . 2011-11-19 22:04 -------- d-----w- c:\users\Jordan\AppData\Roaming\FrrrzzONyxA0vSi
2011-11-19 06:46 . 2011-11-19 06:46 -------- d-----w- c:\users\Jordan\AppData\Roaming\FAAA0uucS2iD3nG
2011-11-19 06:46 . 2011-11-19 06:46 -------- d-----w- c:\users\Jordan\AppData\Roaming\pffRRL99h
2011-11-19 06:46 . 2011-11-19 06:46 -------- d-----w- c:\users\Jordan\AppData\Roaming\IEEEL88gT
2011-11-19 06:46 . 2011-11-19 06:46 -------- d-----w- c:\users\Jordan\AppData\Roaming\BsssWKK7fE
2011-11-18 07:09 . 2011-11-18 07:09 -------- d-----w- c:\users\Jordan\AppData\Roaming\pBBBttxP0ycSiv3
2011-11-18 07:09 . 2011-11-18 07:09 -------- d-----w- c:\users\Jordan\AppData\Roaming\nnnnF44amH5s
2011-11-18 07:09 . 2011-11-18 07:09 -------- d-----w- c:\users\Jordan\AppData\Roaming\HzzcuD2obF4pG5Q
2011-11-18 07:09 . 2011-11-18 15:33 -------- d-----w- c:\users\Jordan\AppData\Roaming\FgRRZZqhYXwUelB
2011-11-18 07:09 . 2011-11-18 07:09 -------- d-----w- c:\users\Jordan\AppData\Roaming\nFF44ammH
2011-11-18 07:09 . 2011-11-18 07:09 -------- d-----w- c:\users\Jordan\AppData\Roaming\mFFF4ppmG5sQ6
2011-11-18 07:09 . 2011-11-18 07:09 -------- d-----w- c:\users\Jordan\AppData\Roaming\c2oonnF4pmH5sJd

RegNull::
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]


Save this as CFScript.txt, in the same location as ComboFix.exe (called ComboFix.exe in the below graphic)


[Image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

If the program asks you to update ComboFix, click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
m0le is a proud member of UNITE
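
Added example (editorial material, not part of the thread and not ComboFix's own code): a small Python triage script that applies the reasoning the helper uses in the post above to ComboFix output. It parses "Files Created" lines and flags directory or file names that look machine-generated (the AppData\Roaming folders listed in the Folder:: script, plus the short hex-named ones), and it reads the policies\system block to report UAC and Action Center values that differ from the Windows 7 defaults (the log in post #11 shows EnableLUA and the consent prompts turned off). The two excerpts embedded in the script are constructed subsets of the log lines quoted in post #11; the name heuristic and the default values in EXPECTED_POLICY are this example's own assumptions, not something ComboFix or the thread states.

```python
"""Triage helpers for ComboFix-style log excerpts (added example, not ComboFix code)."""
import re

# Constructed excerpt: a subset of the "Files Created" lines quoted in post #11,
# in ComboFix's layout "created . modified size attrs path".
FILES_CREATED = r"""
2011-11-21 02:45 . 2011-11-21 02:45 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-19 18:31 . 2011-11-19 18:31 -------- d-----w- c:\users\Jordan\AppData\Roaming\B3GaH6dWKfLgXjC
2011-11-19 16:51 . 2011-11-19 22:05 -------- d-----w- c:\users\Jordan\AppData\Roaming\083AC
2011-11-19 16:50 . 2011-11-19 16:50 -------- d-----w- c:\users\Jordan\AppData\Roaming\FVelOBtzPyAiDoF
2011-11-18 07:10 . 2011-11-19 22:05 -------- d-----w- c:\program files (x86)\AC6E0
2011-11-18 07:09 . 2011-11-18 15:33 -------- d-----w- c:\users\Jordan\AppData\Roaming\FgRRZZqhYXwUelB
2011-11-12 01:27 . 2011-11-12 01:27 -------- d-----w- c:\windows\system32\Macromed
2011-11-11 20:00 . 2011-11-11 20:00 -------- d-----w- c:\program files (x86)\Cobian Backup 10
2011-11-11 18:42 . 2011-11-11 19:50 -------- d-----w- C:\123
2011-11-09 11:14 . 2011-09-29 16:29 1923952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-01 20:56 . 2011-11-01 20:56 -------- d-----w- c:\users\Jordan\AppData\Roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
2011-11-01 20:56 . 2011-11-01 20:56 -------- d-----w- c:\users\Jordan\AppData\Roaming\Adobe Mini Bridge CS5
"""

# Constructed excerpt of the "Reg Loading Points" section, values as quoted in post #11.
REG_POLICY = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
"""

ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$"
)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>\d+)')
SHORT_HEX_RE = re.compile(r"^[0-9A-Fa-f]{4,6}$")

# Assumed Windows 7 defaults: UAC on, admins prompted on the secure desktop for
# non-Windows binaries, Action Center (Security Center) icon not hidden.
EXPECTED_POLICY = {
    "EnableLUA": 1,
    "PromptOnSecureDesktop": 1,
    "ConsentPromptBehaviorAdmin": 5,
    "HideSCAHealth": 0,
}


def parse_entries(text):
    """Yield one dict per 'Files Created' line; lines in any other layout are ignored."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.groupdict()


def case_transitions(s):
    """Count adjacent letter pairs that switch between upper and lower case."""
    return sum(1 for a, b in zip(s, s[1:])
               if a.isalpha() and b.isalpha() and a.isupper() != b.isupper())


def looks_random(name):
    """Heuristic: does a file or folder name look machine-generated?

    Names with spaces, dots or punctuation count as human-chosen. Flags short
    all-hex blobs (083AC), names of 8+ characters mixing upper, lower and digits,
    and names that flip case unusually often (FVelOBtzPyAiDoF has no digits).
    """
    stem = name.rsplit(".", 1)[0] if "." in name else name  # drop one extension
    if not stem.isascii() or not stem.isalnum():
        return False
    if SHORT_HEX_RE.match(stem):
        return True
    has_upper = any(c.isupper() for c in stem)
    has_lower = any(c.islower() for c in stem)
    has_digit = any(c.isdigit() for c in stem)
    if len(stem) >= 8 and has_upper and has_lower and has_digit:
        return True
    return case_transitions(stem) >= 4


def suspicious_paths(text):
    """Paths from a 'Files Created' excerpt whose last component looks random."""
    return [e["path"] for e in parse_entries(text)
            if looks_random(e["path"].rsplit("\\", 1)[-1])]


def weakened_policies(text):
    """Map policy name -> (observed, expected) for values that differ from the assumed defaults."""
    findings = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m and m["name"] in EXPECTED_POLICY:
            observed = int(m["value"])
            if observed != EXPECTED_POLICY[m["name"]]:
                findings[m["name"]] = (observed, EXPECTED_POLICY[m["name"]])
    return findings


if __name__ == "__main__":
    for path in suspicious_paths(FILES_CREATED):
        print("review:", path)
    for name, (seen, want) in weakened_policies(REG_POLICY).items():
        print(f"policy {name} = {seen} (assumed default {want})")
```

Run it as a script to print the findings, or import it and feed the full contents of C:\ComboFix.txt to suspicious_paths and weakened_policies. The heuristic is deliberately simple: it misses short lowercase names such as rpmk.exe and can flag legitimate names that mix cases and digits, so treat its output as a review list rather than a verdict. Note also that ComboFix states it omits default registry values, so every line that does appear in the policies block is already a deviation worth a look.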

#13 MrApartment

MrApartment
  • Topic Starter

  • Members
  • 27 posts
  • Local time:07:13 AM

Posted 22 November 2011 - 12:09 AM

ComboFix 11-11-21.01 - Jordan 11/21/2011 23:06:27.5.2 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.4094.2944 [GMT -5:00]
Running from: c:\users\Jordan\Desktop\123.exe
Command switches used :: c:\users\Jordan\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-10-22 to 2011-11-22 )))))))))))))))))))))))))))))))
.
.
2011-11-22 04:36 . 2011-11-22 04:36 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2011-11-22 04:36 . 2011-11-22 04:36 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-19 18:31 . 2011-11-19 18:31 -------- d-----w- c:\users\Jordan\AppData\Roaming\B3GaH6dWKfLgXjC
2011-11-19 18:31 . 2011-11-19 18:31 -------- d-----w- c:\users\Jordan\AppData\Roaming\U9hTXqjUCkBzy0v
2011-11-19 16:51 . 2011-11-19 22:05 -------- d-----w- c:\users\Jordan\AppData\Roaming\083AC
2011-11-19 16:50 . 2011-11-19 16:50 -------- d-----w- c:\users\Jordan\AppData\Roaming\ppmH5sQJ7E8R9Yw
2011-11-19 16:50 . 2011-11-19 16:50 -------- d-----w- c:\users\Jordan\AppData\Roaming\FVelOBtzPyAiDoF
2011-11-19 06:46 . 2011-11-19 06:46 -------- d-----w- c:\users\Jordan\AppData\Roaming\pgRRZZ9hYXwjVeI
2011-11-19 06:46 . 2011-11-19 06:46 -------- d-----w- c:\users\Jordan\AppData\Roaming\FttzzPNNycAuv2o
2011-11-19 06:46 . 2011-11-19 22:04 -------- d-----w- c:\users\Jordan\AppData\Roaming\FrrrzzONyxA0vSi
2011-11-19 06:46 . 2011-11-19 06:46 -------- d-----w- c:\users\Jordan\AppData\Roaming\FAAA0uucS2iD3nG
2011-11-19 06:46 . 2011-11-19 06:46 -------- d-----w- c:\users\Jordan\AppData\Roaming\pffRRL99h
2011-11-19 06:46 . 2011-11-19 06:46 -------- d-----w- c:\users\Jordan\AppData\Roaming\IEEEL88gT
2011-11-19 06:46 . 2011-11-19 06:46 -------- d-----w- c:\users\Jordan\AppData\Roaming\BsssWKK7fE
2011-11-18 07:10 . 2011-11-19 22:05 -------- d-----w- c:\program files (x86)\AC6E0
2011-11-18 07:09 . 2011-11-18 07:09 -------- d-----w- c:\users\Jordan\AppData\Roaming\pBBBttxP0ycSiv3
2011-11-18 07:09 . 2011-11-18 07:09 -------- d-----w- c:\users\Jordan\AppData\Roaming\nnnnF44amH5s
2011-11-18 07:09 . 2011-11-18 07:09 -------- d-----w- c:\users\Jordan\AppData\Roaming\HzzcuD2obF4pG5Q
2011-11-18 07:09 . 2011-11-18 15:33 -------- d-----w- c:\users\Jordan\AppData\Roaming\FgRRZZqhYXwUelB
2011-11-18 07:09 . 2011-11-18 07:09 -------- d-----w- c:\users\Jordan\AppData\Roaming\nFF44ammH
2011-11-18 07:09 . 2011-11-18 07:09 -------- d-----w- c:\users\Jordan\AppData\Roaming\mFFF4ppmG5sQ6
2011-11-18 07:09 . 2011-11-18 07:09 -------- d-----w- c:\users\Jordan\AppData\Roaming\c2oonnF4pmH5sJd
2011-11-12 01:27 . 2011-11-12 01:27 -------- d-----w- c:\windows\system32\Macromed
2011-11-11 20:00 . 2011-11-11 20:00 -------- d-----w- c:\users\Jordan\AppData\Local\Safe mirror
2011-11-11 20:00 . 2011-11-11 20:00 -------- d-----w- c:\program files (x86)\Cobian Backup 10
2011-11-11 18:42 . 2011-11-11 19:50 -------- d-----w- C:\123
2011-11-11 17:54 . 2011-11-11 17:54 -------- d-----w- c:\users\Jordan\AppData\Roaming\Malwarebytes
2011-11-11 17:53 . 2011-11-11 17:53 -------- d-----w- c:\programdata\Malwarebytes
2011-11-11 17:53 . 2011-11-11 18:37 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-11-09 11:14 . 2011-10-01 05:45 886784 ----a-w- c:\program files\Common Files\System\wab32.dll
2011-11-09 11:14 . 2011-10-01 04:37 708608 ----a-w- c:\program files (x86)\Common Files\System\wab32.dll
2011-11-09 11:14 . 2011-09-29 16:29 1923952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-09 11:14 . 2011-09-29 04:03 3144704 ----a-w- c:\windows\system32\win32k.sys
2011-11-01 20:56 . 2011-11-01 20:56 -------- d-----w- c:\users\Jordan\AppData\Roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
2011-11-01 20:56 . 2011-11-01 20:56 -------- d-----w- c:\users\Jordan\AppData\Roaming\Adobe Mini Bridge CS5
2011-10-26 15:33 . 2011-08-13 05:27 6144 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2011-10-26 15:33 . 2011-08-13 04:18 6144 ----a-w- c:\program files (x86)\Internet Explorer\iecompat.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-18 15:45 . 2011-05-17 07:25 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-10-01 03:25 . 2011-10-12 02:15 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-10-01 02:42 . 2011-10-12 02:15 1638912 ----a-w- c:\windows\SysWow64\mshtml.tlb
2011-08-31 03:05 . 2011-08-31 03:05 96104 ----a-w- c:\windows\system32\dns-sd.exe
2011-08-31 03:05 . 2011-08-31 03:05 85864 ----a-w- c:\windows\system32\dnssd.dll
2011-08-31 03:05 . 2011-08-31 03:05 61288 ----a-w- c:\windows\system32\jdns_sd.dll
2011-08-31 03:05 . 2011-08-31 03:05 212840 ----a-w- c:\windows\system32\dnssdX.dll
2011-08-31 03:05 . 2011-08-31 03:05 83816 ----a-w- c:\windows\SysWow64\dns-sd.exe
2011-08-31 03:05 . 2011-08-31 03:05 73064 ----a-w- c:\windows\SysWow64\dnssd.dll
2011-08-31 03:05 . 2011-08-31 03:05 50536 ----a-w- c:\windows\SysWow64\jdns_sd.dll
2011-08-31 03:05 . 2011-08-31 03:05 178536 ----a-w- c:\windows\SysWow64\dnssdX.dll
2011-08-27 05:37 . 2011-10-12 02:16 861696 ----a-w- c:\windows\system32\oleaut32.dll
2011-08-27 05:37 . 2011-10-12 02:16 331776 ----a-w- c:\windows\system32\oleacc.dll
2011-08-27 04:26 . 2011-10-12 02:16 571904 ----a-w- c:\windows\SysWow64\oleaut32.dll
2011-08-27 04:26 . 2011-10-12 02:16 233472 ----a-w- c:\windows\SysWow64\oleacc.dll
2011-08-27 03:38 . 2011-08-27 03:38 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2011-11-19_02.19.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-11-11 18:08 . 2011-11-21 01:12 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2011-11-11 18:08 . 2011-11-18 21:33 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2011-11-18 09:29 . 2011-11-18 13:29 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat
+ 2011-11-18 09:29 . 2011-11-21 00:41 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat
+ 2011-11-20 18:40 . 2011-11-21 00:41 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012011112020111121\index.dat
+ 2011-11-19 17:11 . 2011-11-20 01:09 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012011111920111120\index.dat
+ 2011-11-11 18:09 . 2011-11-21 01:12 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
+ 2011-04-28 02:48 . 2011-11-20 19:13 20916 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-11-21 02:50 35802 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-04-27 01:05 . 2011-11-20 19:11 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-04-27 01:05 . 2011-11-18 15:35 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-04-27 01:05 . 2011-11-20 19:11 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-04-27 01:05 . 2011-11-18 15:35 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-11-18 15:35 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2011-11-20 19:11 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-11-11 18:28 . 2011-11-21 02:48 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-11-11 18:28 . 2011-11-19 02:17 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-11-11 18:28 . 2011-11-21 02:48 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-11-11 18:28 . 2011-11-19 02:17 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-11-11 18:28 . 2011-11-19 02:17 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-11-11 18:28 . 2011-11-21 02:48 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-04-26 22:47 . 2011-11-19 02:05 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-04-26 22:47 . 2011-11-22 04:06 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-04-26 22:47 . 2011-11-22 04:06 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-04-26 22:47 . 2011-11-19 02:05 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-04-26 22:55 . 2011-11-19 17:11 3314 c:\windows\system32\wdi\ERCQueuedResolutions.dat
+ 2011-04-26 22:57 . 2011-11-21 02:50 9448 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1890686147-1497101914-2097041915-1001_UserData.bin
- 2011-11-19 02:17 . 2011-11-19 02:17 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-11-21 02:48 . 2011-11-21 02:48 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-11-21 02:48 . 2011-11-21 02:48 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-11-19 02:17 . 2011-11-19 02:17 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 04:54 . 2011-11-21 02:46 344064 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 02:36 . 2011-11-18 15:39 636154 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-11-20 19:15 636154 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2011-11-18 15:39 110334 c:\windows\system32\perfc009.dat
+ 2009-07-14 02:36 . 2011-11-20 19:15 110334 c:\windows\system32\perfc009.dat
+ 2009-07-14 04:46 . 2011-11-21 02:53 100712 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
- 2009-07-14 05:01 . 2011-11-19 02:16 400416 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2011-11-21 02:47 400416 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2011-11-18 07:10 . 2011-11-18 15:35 223744 c:\windows\assembly\temp\kwrd.dll
+ 2011-11-18 07:10 . 2011-11-20 19:11 223744 c:\windows\assembly\temp\kwrd.dll
+ 2009-07-14 04:54 . 2011-11-21 02:46 4947968 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2011-11-21 02:46 1802240 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-04-27 23:23 . 2011-11-21 02:47 54671420 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1890686147-1497101914-2097041915-1001-12288.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-07-05 421888]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files (x86)\Cobian Backup 10\cbVSCService.exe [2010-09-23 67584]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-05-21 2214504]
S3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-06-17 16:11 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-08-10 1873256]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://search.hotspotshield.com/g/?c=h
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Jordan\AppData\Roaming\Mozilla\Firefox\Profiles\icmfwg68.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:12,a4,fc,b8,5d,d7,10,55,19,75,43,3e,f5,23,5b,9d,cd,fd,29,e8,fc,
32,df,7a,4e,84,13,b7,3e,36,4b,fc,fe,6f,24,6a,1c,23,16,98,24,84,9c,d8,7b,a6,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:12,a4,fc,b8,5d,d7,10,55,19,75,43,3e,f5,23,5b,9d,cd,fd,29,e8,fc,
32,df,7a,4e,84,13,b7,3e,36,4b,fc,fe,6f,24,6a,1c,23,16,98,24,84,9c,d8,7b,a6,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-11-21 23:54:07
ComboFix-quarantined-files.txt 2011-11-22 04:53
ComboFix2.txt 2011-11-21 03:08
ComboFix3.txt 2011-11-19 02:37
ComboFix4.txt 2011-11-15 04:51
ComboFix5.txt 2011-11-22 03:55
.
Pre-Run: 93,764,120,576 bytes free
Post-Run: 93,724,516,352 bytes free
.
- - End Of File - - 2A656CB030ADC5BED3A54A6080FBDEBA

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:13 PM

Posted 22 November 2011 - 08:09 PM

Good news is the conserv.dll file did not return. Bad news was the script I used was wrong. Please rerun ComboFix with the following script.

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

Folder::
c:\users\Jordan\AppData\Roaming\B3GaH6dWKfLgXjC
c:\users\Jordan\AppData\Roaming\U9hTXqjUCkBzy0v
c:\users\Jordan\AppData\Roaming\083AC
c:\users\Jordan\AppData\Roaming\ppmH5sQJ7E8R9Yw
c:\users\Jordan\AppData\Roaming\FVelOBtzPyAiDoF
c:\users\Jordan\AppData\Roaming\pgRRZZ9hYXwjVeI
c:\users\Jordan\AppData\Roaming\FttzzPNNycAuv2o
c:\users\Jordan\AppData\Roaming\FrrrzzONyxA0vSi
c:\users\Jordan\AppData\Roaming\FAAA0uucS2iD3nG
c:\users\Jordan\AppData\Roaming\pffRRL99h
c:\users\Jordan\AppData\Roaming\IEEEL88gT
c:\users\Jordan\AppData\Roaming\BsssWKK7fE
c:\users\Jordan\AppData\Roaming\pBBBttxP0ycSiv3
c:\users\Jordan\AppData\Roaming\nnnnF44amH5s
c:\users\Jordan\AppData\Roaming\HzzcuD2obF4pG5Q
c:\users\Jordan\AppData\Roaming\FgRRZZqhYXwUelB
c:\users\Jordan\AppData\Roaming\nFF44ammH
c:\users\Jordan\AppData\Roaming\mFFF4ppmG5sQ6
c:\users\Jordan\AppData\Roaming\c2oonnF4pmH5sJd


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

If the program requests that you update ComboFix, click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
m0le is a proud member of UNITE
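As an added note and example, not part of m0le's instructions: the Reg Loading Points section of the log above records EnableLUA=0, ConsentPromptBehaviorAdmin=0, PromptOnSecureDesktop=0 and HideSCAHealth=1, which together mean UAC is switched off and Action Center security warnings are hidden, a weakened state worth verifying and restoring once cleanup is done. The PowerShell below (added here, not from the thread or from ComboFix) confirms the folders named in the CFScript are gone and compares those policy values against the Windows 7 defaults; it assumes it runs elevated as the affected user, so $env:APPDATA stands in for c:\users\Jordan\AppData\Roaming.

```powershell
# Added example (not from the thread): post-cleanup checks for items visible in
# the ComboFix log above. Run from an elevated PowerShell prompt as the affected user.

# 1. Folders the CFScript asked ComboFix to remove; each should now be absent.
#    Names are the ones from the CFScript; $env:APPDATA replaces the hard-coded
#    c:\users\Jordan\AppData\Roaming path (assumption: current user is that profile).
$suspectFolders = @(
    'B3GaH6dWKfLgXjC', 'U9hTXqjUCkBzy0v', '083AC', 'ppmH5sQJ7E8R9Yw',
    'FVelOBtzPyAiDoF', 'pgRRZZ9hYXwjVeI', 'FttzzPNNycAuv2o', 'FrrrzzONyxA0vSi',
    'FAAA0uucS2iD3nG', 'pffRRL99h', 'IEEEL88gT', 'BsssWKK7fE', 'pBBBttxP0ycSiv3',
    'nnnnF44amH5s', 'HzzcuD2obF4pG5Q', 'FgRRZZqhYXwUelB', 'nFF44ammH',
    'mFFF4ppmG5sQ6', 'c2oonnF4pmH5sJd'
)
foreach ($name in $suspectFolders) {
    $path = Join-Path $env:APPDATA $name
    if (Test-Path -LiteralPath $path) {
        Write-Warning "Still present after ComboFix run: $path"
    }
}

# 2. UAC / Action Center policy values. The log shows EnableLUA=0,
#    ConsentPromptBehaviorAdmin=0, PromptOnSecureDesktop=0 and HideSCAHealth=1.
#    Expected values are the Windows 7 defaults; HideSCAHealth is normally absent.
$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$exp = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$policyChecks = @(
    @{ Key = $sys; Name = 'EnableLUA';                  Expected = 1 },
    @{ Key = $sys; Name = 'ConsentPromptBehaviorAdmin'; Expected = 5 },
    @{ Key = $sys; Name = 'PromptOnSecureDesktop';      Expected = 1 },
    @{ Key = $exp; Name = 'HideSCAHealth';              Expected = 0 }
)
foreach ($c in $policyChecks) {
    $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Output "$($c.Name): not set (Windows default applies)"
        continue
    }
    $actual = $item.$($c.Name)
    if ($actual -ne $c.Expected) {
        Write-Warning "$($c.Name) = $actual (expected $($c.Expected))"
    } else {
        Write-Output "$($c.Name) = $actual (ok)"
    }
}
```

A warning from the second loop means UAC or Security Center notifications are still in the state the log shows and should be turned back on through the Control Panel or by restoring the default values.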

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:13 PM

Posted 28 November 2011 - 06:40 PM

Hi,

I have not had a reply from you for 5 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le
m0le is a proud member of UNITE
