
Infected with Kryptik and Aleuron Virus


18 replies to this topic

#1 luckie clutse (Members)

Posted 11 November 2011 - 08:57 PM

Hi, I think I am infected with some malware. I noticed when I tried to download the gmer.exe app some of the functions were greyed out. A pic is attached. Thanks for all you do!

~Luckie


#2 RPMcMurphy (Malware Response Team)

Posted 12 November 2011 - 10:57 AM

Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • If you have trouble, stop and post back. Do not try to repeatedly run ComboFix!
  • When finished, it will produce a report for you.
Please include the following in your next post:
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#3 luckie clutse (Topic Starter, Members)

Posted 12 November 2011 - 10:09 PM

ComboFix 11-11-12.04 - Tanya 11/12/2011 20:45:44.1.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.4060.2051 [GMT -6:00]
Running from: c:\users\Tanya\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\Blinkx
c:\program files (x86)\Blinkx\blinkx.ico
c:\program files (x86)\Blinkx\blinkxss.exe
c:\program files (x86)\Blinkx\blinkxstop.exe
c:\program files (x86)\Blinkx\lang.dll
c:\program files (x86)\Blinkx\templates\beat.ico
c:\program files (x86)\Blinkx\templates\index.html
c:\program files (x86)\Blinkx\templates\noflash.html
c:\program files (x86)\Blinkx\templates\offline.html
c:\program files (x86)\Blinkx\templates\offline.swf
c:\program files (x86)\Blinkx\templates\uninstall.exe
c:\program files (x86)\Object
c:\program files (x86)\Object\cartoonly\build.sh
c:\program files (x86)\Object\cartoonly\config_build.sh
c:\program files (x86)\Object\cartoonly\content\.DS_Store
c:\program files (x86)\Object\cartoonly\content\firefoxOverlay.xul
c:\program files (x86)\Object\cartoonly\defaults\.DS_Store
c:\program files (x86)\Object\cartoonly\defaults\preferences\.DS_Store
c:\program files (x86)\Object\cartoonly\files
c:\program files (x86)\Object\cartoonly\install.rdf
c:\program files (x86)\Object\cartoonly\locale\.DS_Store
c:\program files (x86)\Object\cartoonly\locale\en-US\.DS_Store
c:\program files (x86)\Object\cartoonly\locale\en-US\sudoku.dtd
c:\program files (x86)\Object\cartoonly\readme.txt
c:\program files (x86)\Object\cartoonly\skin\overlay.css
c:\program files (x86)\Object\ChromeAddon.pem
c:\program files (x86)\Object\chromeaddon\background.html
c:\program files (x86)\Object\chromeaddon\manifest.json
c:\program files (x86)\Object\status.txt
c:\program files (x86)\Object\status2.txt
c:\program files (x86)\ShoppingReport2
c:\program files (x86)\ShoppingReport2\Bin\2.7.32\ShoppingReport.dll
c:\program files (x86)\ShoppingReport2\Uninst.exe
c:\users\Christopher\AppData\Local\f890de4d\U
c:\users\Christopher\AppData\Local\f890de4d\U\80000000.@
c:\users\Christopher\AppData\Local\f890de4d\U\800000cb.@
c:\users\Christopher\AppData\Local\f890de4d\U\800000cf.@
c:\users\Christopher\AppData\Local\f890de4d\X
c:\users\Public\4.5.pdf
c:\users\Tanya\Documents\~WRL0217.tmp
c:\users\Tanya\Documents\~WRL0675.tmp
c:\users\Tanya\Documents\~WRL2814.tmp
c:\windows\assembly\tmp\U
.
.
((((((((((((((((((((((((( Files Created from 2011-10-13 to 2011-11-13 )))))))))))))))))))))))))))))))
.
.
2011-11-13 03:00 . 2011-11-13 03:00 -------- d-----w- c:\users\Tyla\AppData\Local\temp
2011-11-13 03:00 . 2011-11-13 03:00 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-11-13 03:00 . 2011-11-13 03:00 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-13 03:00 . 2011-11-13 03:00 -------- d-----w- c:\users\Christopher\AppData\Local\temp
2011-11-13 03:00 . 2011-11-13 03:00 -------- d-----w- c:\users\AppData\AppData\Local\temp
2011-11-13 03:00 . 2011-11-13 03:00 -------- d-----w- c:\users\Alc\AppData\Local\temp
2011-11-13 02:33 . 2011-11-13 02:33 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5009631F-8B35-4445-AD9D-8A54C822F02F}\offreg.dll
2011-11-12 04:47 . 2011-11-12 04:47 -------- d-----w- C:\_OTL
2011-11-11 08:22 . 2011-10-07 04:16 8570192 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5009631F-8B35-4445-AD9D-8A54C822F02F}\mpengine.dll
2011-11-11 02:16 . 2011-11-11 02:17 -------- d-----w- c:\users\Family
2011-11-11 01:48 . 2011-11-11 01:48 -------- d-----w- c:\program files (x86)\ESET
2011-11-10 23:39 . 2011-09-06 21:36 24408 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-11-10 23:39 . 2011-09-06 21:38 301912 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-11-10 23:39 . 2011-09-06 21:36 58200 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-11-10 23:39 . 2011-09-06 21:36 42328 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-11-10 23:38 . 2011-09-06 21:38 601944 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-11-10 23:38 . 2011-09-06 21:36 65368 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-11-10 23:38 . 2011-09-06 21:45 41184 ----a-w- c:\windows\avastSS.scr
2011-11-10 23:38 . 2011-09-06 21:45 199304 ----a-w- c:\windows\SysWow64\aswBoot.exe
2011-11-10 23:37 . 2011-11-10 23:37 -------- d-----w- c:\programdata\AVAST Software
2011-11-10 23:37 . 2011-11-10 23:37 -------- d-----w- c:\program files\AVAST Software
2011-11-06 05:20 . 2011-11-13 02:59 -------- d-sh--w- c:\users\Christopher\AppData\Local\f890de4d
2011-11-01 22:33 . 2011-11-12 03:55 -------- d-----w- c:\users\Tanya\AppData\Local\Akamai
2011-10-24 11:18 . 2011-11-06 05:19 -------- d-----w- c:\users\Christopher\AppData\Local\AskToolbar
2011-10-23 20:58 . 2011-10-23 20:58 -------- d-----w- c:\users\Christopher\AppData\Roaming\Template
2011-10-16 22:39 . 2011-11-03 22:34 -------- d-----w- c:\users\Christopher\AppData\Local\Mozilla
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-06 21:45 . 2011-01-14 23:15 254400 ----a-w- c:\windows\system32\aswBoot.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2011-08-24 1515688]
.
[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-08-24 02:20 1515688 ----a-w- c:\program files (x86)\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2011-08-24 1515688]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-12 39408]
"OM2_Monitor"="c:\program files (x86)\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2009-04-17 95536]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2010-05-13 26192168]
"Starfield Updater"="c:\users\Tanya\AppData\Local\Workspace\workspaceupdate.exe" [2011-10-09 34496]
"GameXN (update)"="c:\programdata\GameXN\GameXNGO.exe" [2011-09-01 347008]
"GameXN (news)"="c:\programdata\GameXN\GameXNGO.exe" [2011-09-01 347008]
"GameXN"="c:\programdata\GameXN\GameXNGO.exe" [2011-09-01 347008]
"Akamai NetSession Interface"="c:\users\Tanya\AppData\Local\Akamai\netsession_win.exe" [2011-11-12 3303000]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-04-24 250192]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
"FaxCenterServer"="c:\program files (x86)\Dell PC Fax\fm3032.exe" [2006-11-03 312200]
"Dell DataSafe Online"="c:\program files (x86)\Dell DataSafe Online\DataSafeOnline.exe" [2009-04-09 1762032]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"OM2_Monitor"="c:\program files (x86)\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2009-04-17 54576]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Google Desktop Search"="c:\program files (x86)\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-11 30192]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"ApnUpdater"="c:\program files (x86)\Ask.com\Updater\Updater.exe" [2011-08-24 887976]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5.5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-07-19 421736]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-09-06 3722416]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"="c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [2011-09-19 560128]
.
c:\users\Alc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
0.1003200654415819 [2011-10-12 1750]
0.4696527685287186 [2011-10-12 1750]
9.txt [2011-11-6 1750]
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-5-28 1320288]
.
c:\users\Family\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-5-28 1320288]
.
c:\users\Tanya\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-5-28 1320288]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Kaspersky Security Scan.lnk - c:\program files (x86)\Kaspersky Security Scan\KSS.exe [2010-11-29 2402696]
McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
WinZip Quick Pick.lnk - c:\program files (x86)\WinZip\WZQKPICK.EXE [2011-3-11 610120]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-5-28 1320288]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~2\Google\GOOGLE~3\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"midi"=KORGUMDD.DRV
"midi1"=KORGUM64.DRV
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-07-08 195336]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-03-05 88576]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-21 27648]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S2 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-06-15 249648]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
S2 dlbk_device;dlbk_device;c:\windows\system32\dlbkcoms.exe [2007-06-26 567024]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-12-18 155648]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-10 09:21]
.
2011-11-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-10 09:21]
.
2011-11-13 c:\windows\Tasks\Norton Security Scan for Tanya.job
- c:\program files (x86)\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-06-17 16:06]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-09-06 21:45 134384 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WPCUMI"="c:\windows\system32\WpcUmi.exe" [2006-11-02 182784]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-03-05 6963744]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [BU]
"dlbkbmgr.exe"="c:\program files (x86)\Dell AIO Printer A920\dlbkbmgr.exe" [2007-03-28 275952]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-27 2184520]
"CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-18 767312]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-15 499608]
"MRT"="c:\windows\system32\MRT.exe" [2011-11-10 52174280]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Drivers32]
"midi1"=KORGUM64.DRV
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.yahoo.com/
mLocal Page = %SystemRoot%\system32\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
LSP: c:\windows\system32\wpclsp.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
DPF: Starfield Technologies - hxxp://video.secureserver.net/WSTPlugins/starfield_technologies.CAB
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Tanya\AppData\Roaming\Mozilla\Firefox\Profiles\sczllhmz.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=LMW2&o=16046&locale=en_US&apn_uid=6248D426-A2C2-4F23-B961-E94A00C3D46D&apn_ptnrs=OE&apn_sauid=D492F83C-50F7-4E69-ABC1-D2737093ECD2&apn_dtid=VIN004YYUS&&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\AVAST Software\Avast\WebRep\FF
FF - Ext: LimeWire Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: LimeWire Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: LimeWire Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: LimeWire Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: LimeWire Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: LimeWire Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: LimeWire Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: LimeWire Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: LimeWire Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: Webblog: {C3947F4E-8894-4C04-98E0-DF182C706DDF} - %profile%\extensions\{C3947F4E-8894-4C04-98E0-DF182C706DDF}
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
AddRemove-blinkx beat - c:\program files (x86)\Blinkx\templates\uninstall.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files (x86)\common files\akamai/netsession_win_dac4cfd.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-11-12 21:05:59
ComboFix-quarantined-files.txt 2011-11-13 03:05
ComboFix2.txt 2011-01-09 00:10
.
Pre-Run: 434,582,032,384 bytes free
Post-Run: 439,292,116,992 bytes free
.
- - End Of File - - AE4F8F6610AD88E11B2500FF8AFE9DF3

Edited by RPMcMurphy, 13 November 2011 - 12:34 AM.
Added log
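The log above is read by hand in this thread; the lines a helper looks at first are the "Files Created" entries with system+hidden attributes under a user's AppData (the f890de4d folder and its "@" file), and the Run-key entries that start something from a user-writable path. The following Python is an added example, not part of this thread and not ComboFix's own code: it parses those two line layouts as they appear in the log posted above and applies exactly those two defender heuristics. The sample lines are excerpts copied from that log; the reading of the eight-character attribute field (leading d = directory, s = system, h = hidden) and the choice of c:\users\ and c:\programdata\ as "user-writable" prefixes are assumptions, not documented ComboFix semantics.

```python
"""Triage helpers for ComboFix-style log excerpts.

Added example for this thread; it is not part of ComboFix or of the posts above.
Line layouts are taken from the log posted in the thread; the reading of the
attribute field (leading d = directory, s = system, h = hidden) is an assumption.
"""
import re
from dataclasses import dataclass, field

# "Files Created" lines: <created> . <modified> <size or dashes> <8 attr flags> <path>
FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\S+) (\S{8}) (.+)$")
# "Reg Loading Points" Run entries: "name"="path" [date size]
RUN_LINE = re.compile(r'^"([^"]+)"="([^"]+)" \[(\d{4}-\d{2}-\d{2}) (\d+)\]$')
# Eight hex digits and nothing else: the shape of the f890de4d folder in the log
HEX_NAME = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)
# Prefixes a standard user can write to (assumption used as a heuristic)
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")


@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)


def parse_file_line(line):
    """Return a dict for one 'Files Created' line, or None if it is not one."""
    m = FILE_LINE.match(line.strip())
    if not m:
        return None
    created, modified, size, attrs, path = m.groups()
    return {"created": created, "modified": modified,
            "size": None if size.startswith("-") else int(size),
            "attrs": attrs, "path": path}


def parse_run_line(line):
    """Return a dict for one Run-key entry line, or None if it is not one."""
    m = RUN_LINE.match(line.strip())
    if not m:
        return None
    name, path, date, size = m.groups()
    return {"name": name, "path": path, "date": date, "size": int(size)}


def in_user_appdata(path):
    low = path.lower()
    return low.startswith("c:\\users\\") and "\\appdata\\" in low


def triage_files(lines):
    """Flag hidden+system objects under a user's AppData, and hex-named folders there."""
    findings = []
    for line in lines:
        rec = parse_file_line(line)
        if rec is None or not in_user_appdata(rec["path"]):
            continue
        reasons = []
        if "s" in rec["attrs"] and "h" in rec["attrs"]:
            reasons.append("hidden+system attributes under a user profile's AppData")
        leaf = rec["path"].rstrip("\\").rsplit("\\", 1)[-1]
        if rec["attrs"].startswith("d") and HEX_NAME.match(leaf):
            reasons.append("directory name is eight bare hex digits")
        if reasons:
            findings.append(Finding(rec["path"], reasons))
    return findings


def triage_run_entries(lines):
    """Flag autostart entries whose target lives in a user-writable location."""
    findings = []
    for line in lines:
        rec = parse_run_line(line)
        if rec and rec["path"].lower().startswith(USER_WRITABLE):
            findings.append(Finding(
                rec["path"], [f'Run entry "{rec["name"]}" starts from a user-writable path']))
    return findings


# Excerpts of the log posted in the thread (raw strings keep the backslashes intact)
SAMPLE_FILES = r"""
2011-11-13 03:00 . 2011-11-13 03:00 -------- d-----w- c:\users\Christopher\AppData\Local\temp
2011-11-11 01:48 . 2011-11-11 01:48 -------- d-----w- c:\program files (x86)\ESET
2011-11-06 05:20 . 2011-11-13 02:59 -------- d-sh--w- c:\users\Christopher\AppData\Local\f890de4d
2011-11-06 05:20 . 2011-11-06 05:20 2048 --sha-w- c:\users\Christopher\AppData\Local\f890de4d\@
2011-10-24 11:18 . 2011-11-06 05:19 -------- d-----w- c:\users\Christopher\AppData\Local\AskToolbar
""".strip().splitlines()

SAMPLE_RUN = r"""
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-12 39408]
"Starfield Updater"="c:\users\Tanya\AppData\Local\Workspace\workspaceupdate.exe" [2011-10-09 34496]
"GameXN"="c:\programdata\GameXN\GameXNGO.exe" [2011-09-01 347008]
"Akamai NetSession Interface"="c:\users\Tanya\AppData\Local\Akamai\netsession_win.exe" [2011-11-12 3303000]
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage_files(SAMPLE_FILES) + triage_run_entries(SAMPLE_RUN):
        print(f.path, "->", "; ".join(f.reasons))
```

Run as-is it prints two file findings (the f890de4d folder with both reasons, and its "@" file) and three Run-key findings; the Google toolbar entry under Program Files is not flagged. Both heuristics produce leads for a human to check, not verdicts: legitimate software does autostart from ProgramData (GameXN and the Akamai client here may well be wanted), so the output is a shortlist for the helper, in the same spirit as the DirLook:: request in the next post.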


#4 RPMcMurphy (Malware Response Team)

Posted 13 November 2011 - 12:47 AM

luckie clutse:

Please do this next:

Open Notepad (Go to Start > All Programs > Accessories > Notepad; this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above File::

File::
c:\users\Alc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0.1003200654415819
c:\users\Alc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0.4696527685287186
c:\users\Alc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9.txt
DirLook::
c:\users\Christopher\AppData\Local\f890de4d

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging CFScript onto ComboFix.exe]


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Please include the following in your next post:
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#5 luckie clutse (Topic Starter, Members)

Posted 13 November 2011 - 09:31 AM

Thank you...

ComboFix 11-11-12.04 - Tanya 11/13/2011 8:12.2.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.4060.1605 [GMT -6:00]
Running from: c:\users\Tanya\Desktop\ComboFix.exe
Command switches used :: c:\users\Tanya\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
FILE ::
"c:\users\Alc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0.1003200654415819"
"c:\users\Alc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0.4696527685287186"
"c:\users\Alc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9.txt"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Alc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0.1003200654415819
c:\users\Alc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0.4696527685287186
c:\users\Alc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9.txt
.
.
((((((((((((((((((((((((( Files Created from 2011-10-13 to 2011-11-13 )))))))))))))))))))))))))))))))
.
.
2011-11-13 14:23 . 2011-11-13 14:23 -------- d-----w- c:\users\Tyla\AppData\Local\temp
2011-11-13 14:23 . 2011-11-13 14:23 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-11-13 14:23 . 2011-11-13 14:23 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-13 14:23 . 2011-11-13 14:23 -------- d-----w- c:\users\Christopher\AppData\Local\temp
2011-11-13 14:23 . 2011-11-13 14:23 -------- d-----w- c:\users\AppData\AppData\Local\temp
2011-11-13 14:23 . 2011-11-13 14:23 -------- d-----w- c:\users\Alc\AppData\Local\temp
2011-11-13 02:33 . 2011-11-13 02:33 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5009631F-8B35-4445-AD9D-8A54C822F02F}\offreg.dll
2011-11-12 04:47 . 2011-11-12 04:47 -------- d-----w- C:\_OTL
2011-11-11 08:22 . 2011-10-07 04:16 8570192 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5009631F-8B35-4445-AD9D-8A54C822F02F}\mpengine.dll
2011-11-11 02:16 . 2011-11-11 02:17 -------- d-----w- c:\users\Family
2011-11-11 01:48 . 2011-11-11 01:48 -------- d-----w- c:\program files (x86)\ESET
2011-11-10 23:39 . 2011-09-06 21:36 24408 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-11-10 23:39 . 2011-09-06 21:38 301912 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-11-10 23:39 . 2011-09-06 21:36 58200 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-11-10 23:39 . 2011-09-06 21:36 42328 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-11-10 23:38 . 2011-09-06 21:38 601944 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-11-10 23:38 . 2011-09-06 21:36 65368 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-11-10 23:38 . 2011-09-06 21:45 41184 ----a-w- c:\windows\avastSS.scr
2011-11-10 23:38 . 2011-09-06 21:45 199304 ----a-w- c:\windows\SysWow64\aswBoot.exe
2011-11-10 23:37 . 2011-11-10 23:37 -------- d-----w- c:\programdata\AVAST Software
2011-11-10 23:37 . 2011-11-10 23:37 -------- d-----w- c:\program files\AVAST Software
2011-11-06 05:20 . 2011-11-13 02:59 -------- d-sh--w- c:\users\Christopher\AppData\Local\f890de4d
2011-11-01 22:33 . 2011-11-12 03:55 -------- d-----w- c:\users\Tanya\AppData\Local\Akamai
2011-10-24 11:18 . 2011-11-06 05:19 -------- d-----w- c:\users\Christopher\AppData\Local\AskToolbar
2011-10-23 20:58 . 2011-10-23 20:58 -------- d-----w- c:\users\Christopher\AppData\Roaming\Template
2011-10-16 22:39 . 2011-11-03 22:34 -------- d-----w- c:\users\Christopher\AppData\Local\Mozilla
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-06 21:45 . 2011-01-14 23:15 254400 ----a-w- c:\windows\system32\aswBoot.exe
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\users\Christopher\AppData\Local\f890de4d ----
.
2011-11-06 15:20 . 2011-11-10 23:26 2632 --sha-w- c:\users\Christopher\AppData\Local\f890de4d\loader.tlb
2011-11-06 05:20 . 2011-11-06 05:20 2048 --sha-w- c:\users\Christopher\AppData\Local\f890de4d\@
.
.
((((((((((((((((((((((((((((( SnapShot@2011-11-13_03.03.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 03:20 . 2011-11-13 10:34 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-01-21 03:20 . 2011-11-13 02:33 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-01-21 03:20 . 2011-11-13 02:33 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-21 03:20 . 2011-11-13 10:34 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-21 03:20 . 2011-11-13 02:33 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-01-21 03:20 . 2011-11-13 10:34 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-09-13 18:52 . 2011-11-13 04:49 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-09-13 18:52 . 2011-11-11 02:16 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-09-13 18:52 . 2011-11-13 04:49 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-09-13 18:52 . 2011-11-11 02:16 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-09-13 18:52 . 2011-11-13 04:49 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-09-13 18:52 . 2011-11-11 02:16 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2011-08-24 1515688]
.
[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-08-24 02:20 1515688 ----a-w- c:\program files (x86)\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2011-08-24 1515688]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-12 39408]
"OM2_Monitor"="c:\program files (x86)\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2009-04-17 95536]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2010-05-13 26192168]
"Starfield Updater"="c:\users\Tanya\AppData\Local\Workspace\workspaceupdate.exe" [2011-10-09 34496]
"GameXN (update)"="c:\programdata\GameXN\GameXNGO.exe" [2011-09-01 347008]
"GameXN (news)"="c:\programdata\GameXN\GameXNGO.exe" [2011-09-01 347008]
"GameXN"="c:\programdata\GameXN\GameXNGO.exe" [2011-09-01 347008]
"Akamai NetSession Interface"="c:\users\Tanya\AppData\Local\Akamai\netsession_win.exe" [2011-11-12 3303000]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-04-24 250192]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
"FaxCenterServer"="c:\program files (x86)\Dell PC Fax\fm3032.exe" [2006-11-03 312200]
"Dell DataSafe Online"="c:\program files (x86)\Dell DataSafe Online\DataSafeOnline.exe" [2009-04-09 1762032]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"OM2_Monitor"="c:\program files (x86)\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2009-04-17 54576]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Google Desktop Search"="c:\program files (x86)\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-11 30192]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"ApnUpdater"="c:\program files (x86)\Ask.com\Updater\Updater.exe" [2011-08-24 887976]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5.5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-07-19 421736]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-09-06 3722416]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"="c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [2011-09-19 560128]
.
c:\users\Alc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-5-28 1320288]
.
c:\users\Family\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-5-28 1320288]
.
c:\users\Tanya\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-5-28 1320288]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Kaspersky Security Scan.lnk - c:\program files (x86)\Kaspersky Security Scan\KSS.exe [2010-11-29 2402696]
McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
WinZip Quick Pick.lnk - c:\program files (x86)\WinZip\WZQKPICK.EXE [2011-3-11 610120]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-5-28 1320288]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~2\Google\GOOGLE~3\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"midi"=KORGUMDD.DRV
"midi1"=KORGUM64.DRV
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-07-08 195336]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-03-05 88576]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-21 27648]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S2 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-06-15 249648]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
S2 dlbk_device;dlbk_device;c:\windows\system32\dlbkcoms.exe [2007-06-26 567024]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-12-18 155648]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-10 09:21]
.
2011-11-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-10 09:21]
.
2011-11-13 c:\windows\Tasks\Norton Security Scan for Tanya.job
- c:\program files (x86)\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-06-17 16:06]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-09-06 21:45 134384 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WPCUMI"="c:\windows\system32\WpcUmi.exe" [2006-11-02 182784]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-03-05 6963744]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [BU]
"dlbkbmgr.exe"="c:\program files (x86)\Dell AIO Printer A920\dlbkbmgr.exe" [2007-03-28 275952]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-27 2184520]
"CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-18 767312]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-15 499608]
"MRT"="c:\windows\system32\MRT.exe" [2011-11-10 52174280]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Drivers32]
"midi1"=KORGUM64.DRV
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.yahoo.com/
mLocal Page = %SystemRoot%\system32\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
LSP: c:\windows\system32\wpclsp.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
DPF: Starfield Technologies - hxxp://video.secureserver.net/WSTPlugins/starfield_technologies.CAB
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Tanya\AppData\Roaming\Mozilla\Firefox\Profiles\sczllhmz.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=LMW2&o=16046&locale=en_US&apn_uid=6248D426-A2C2-4F23-B961-E94A00C3D46D&apn_ptnrs=OE&apn_sauid=D492F83C-50F7-4E69-ABC1-D2737093ECD2&apn_dtid=VIN004YYUS&&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\AVAST Software\Avast\WebRep\FF
FF - Ext: LimeWire Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: LimeWire Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: LimeWire Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: LimeWire Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: LimeWire Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: LimeWire Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: LimeWire Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: LimeWire Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: LimeWire Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: Webblog: {C3947F4E-8894-4C04-98E0-DF182C706DDF} - %profile%\extensions\{C3947F4E-8894-4C04-98E0-DF182C706DDF}
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files (x86)\common files\akamai/netsession_win_dac4cfd.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-11-13 08:26:12
ComboFix-quarantined-files.txt 2011-11-13 14:26
ComboFix2.txt 2011-11-13 03:05
ComboFix3.txt 2011-01-09 00:10
.
Pre-Run: 438,883,237,888 bytes free
Post-Run: 437,843,320,832 bytes free
.
- - End Of File - - CDC65109140813C6D49BB863F2A0A3FB

#6 luckie clutse

  • Topic Starter

  • Members
  • 43 posts

Posted 13 November 2011 - 09:42 AM

I don't know if you can use this, but I used a scanner; I can't remember the name, sorry....
Here's the attached log.
(This log was from prior to your intervention.)

C:\$RECYCLE.BIN\S-1-5-21-3905999189-1878185417-3049929367-1001\$RGRMO4A.zip a variant of Win32/Kryptik.QXA trojan
C:\Drivers\Documents and Settings\Alc\AppData\Local\temp\7441.tmp a variant of Win32/Kryptik.TWK trojan
C:\Drivers\Documents and Settings\Alc\AppData\Local\temp\P5tM1QBI6DSS92.exe.tmp a variant of Win32/Kryptik.TZX trojan
C:\Drivers\Documents and Settings\Alc\AppData\Local\temp\thpm5355444953622111956.tmp a variant of Win32/Kryptik.TWK trojan
C:\Drivers\Documents and Settings\Alc\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\493bef84-41cb02f9 a variant of Java/Agent.DW trojan
C:\Drivers\Documents and Settings\Christopher\AppData\Local\f890de4d\X Win64/Sirefef.A trojan
C:\Drivers\Documents and Settings\Christopher\AppData\Local\temp\555D.tmp a variant of Win32/Kryptik.VBD trojan
C:\Drivers\Documents and Settings\Christopher\AppData\Local\temp\621B.tmp a variant of Win32/Kryptik.VEL trojan
C:\Drivers\Documents and Settings\Christopher\AppData\Local\temp\6EF7.tmp a variant of Win32/Kryptik.VEL trojan
C:\Drivers\Documents and Settings\Christopher\AppData\Local\temp\P5tM1QBI6DSS92.exe.tmp a variant of Win32/Kryptik.VAL trojan
C:\Drivers\Documents and Settings\Christopher\AppData\Local\temp\thpm2075245444530195671.tmp a variant of Win32/Kryptik.UQZ trojan
C:\Drivers\Documents and Settings\Christopher\AppData\Local\temp\thpm5121452413282474481.tmp a variant of Win32/Kryptik.UTR trojan
C:\Drivers\Documents and Settings\Christopher\AppData\Local\temp\thpm6639859627891216390.tmp multiple threats
C:\Drivers\Documents and Settings\Christopher\AppData\Local\temp\thpm7873454743651815924.tmp multiple threats
C:\Drivers\Documents and Settings\Christopher\AppData\Local\temp\thpm8214940541927671621.tmp multiple threats
C:\Drivers\Documents and Settings\Christopher\AppData\Local\temp\thpm8533804973889767822.tmp a variant of Win32/Kryptik.UPZ trojan
C:\Drivers\Documents and Settings\Christopher\AppData\Local\temp\~!#3F02.tmp a variant of Win32/Kryptik.VFD trojan
C:\Drivers\Documents and Settings\Christopher\AppData\Local\temp\~!#44EC.tmp a variant of Win32/Kryptik.UFG trojan
C:\Drivers\Documents and Settings\Christopher\AppData\Local\temp\~!#5DBB.tmp a variant of Win32/Kryptik.VEL trojan
C:\Drivers\Documents and Settings\Christopher\AppData\Local\temp\nsc1BA0.tmp\a891slk.tmp a variant of Win32/Kryptik.UPZ trojan
C:\Drivers\Documents and Settings\Christopher\AppData\Local\temp\nsc1BA0.tmp\g1has7.tmp a variant of Win32/Kryptik.UPZ trojan
C:\Drivers\Documents and Settings\Christopher\AppData\Local\temp\nsc1BA0.tmp\kl12jks.tmp a variant of Win32/Kryptik.UPZ trojan
C:\Drivers\Documents and Settings\Christopher\AppData\Local\temp\nsf2B67.tmp\001.jgg a variant of Win32/Kryptik.UXS trojan
C:\Drivers\Documents and Settings\Christopher\AppData\Local\temp\nsf2B67.tmp\002.jgg Win32/BHO.NZK trojan
C:\Drivers\Documents and Settings\Christopher\AppData\Local\temp\nsf2B67.tmp\003.jgg Win32/TrojanDownloader.Tracur.I trojan
C:\Drivers\Documents and Settings\Christopher\AppData\Local\temp\nsn4BE7.tmp\tbd.txt a variant of Win32/Kryptik.UQZ trojan
C:\Drivers\Documents and Settings\Christopher\AppData\Local\temp\nsn4BE7.tmp\zip32.dll a variant of Win32/Kryptik.UJM trojan
C:\Drivers\Documents and Settings\Christopher\AppData\Local\temp\nssA75A.tmp\image01.jpo a variant of Win32/Kryptik.UQZ trojan
C:\Drivers\Documents and Settings\Christopher\AppData\Local\temp\nssA75A.tmp\image02.jpo a variant of Win32/Kryptik.UQZ trojan
C:\Drivers\Documents and Settings\Christopher\AppData\Local\temp\nssA75A.tmp\image03.jpo a variant of Win32/Kryptik.UQZ trojan
C:\Drivers\Documents and Settings\Christopher\AppData\Local\temp\nsz6769.tmp\be7uhskj.dd a variant of Win32/Kryptik.UZR trojan
C:\Drivers\Documents and Settings\Christopher\AppData\Local\temp\nsz6769.tmp\c1jiwoee.cc a variant of Win32/Kryptik.UZR trojan
C:\Drivers\Documents and Settings\Christopher\AppData\Local\temp\nsz6769.tmp\di92jlk3.dd Win32/TrojanDownloader.Tracur.I trojan
C:\Drivers\Documents and Settings\Christopher\AppData\Local\temp\nsz6769.tmp\errpoid2.xx a variant of Win32/Kryptik.UZR trojan
C:\Drivers\Documents and Settings\Christopher\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\7b629f1d-3fd56f06 a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Drivers\Documents and Settings\Christopher\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\2b2db8df-2d7dcf1a a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Drivers\Documents and Settings\Christopher\AppData\Roaming\privacy.exe a variant of Win32/Kryptik.VEL trojan
C:\Drivers\Documents and Settings\Public\Documents\19792079 a variant of Win32/Kryptik.VDQ trojan
C:\Drivers\Documents and Settings\Tanya\AppData\Local\temp\sai53B2.exe Win32/TrojanDownloader.Agent.QMS trojan
C:\Drivers\Documents and Settings\Tanya\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\33df908a-1e914ace probably a variant of Java/TrojanDownloader.OpenStream.NCC trojan
C:\Drivers\Documents and Settings\Tanya\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\514fcf8d-5bea05cd multiple threats
C:\Drivers\Documents and Settings\Tanya\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15\2a90d34f-44ec44d6 Java/TrojanDownloader.Agent.NCQ trojan
C:\Drivers\Documents and Settings\Tanya\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\5c46d844-2456d469 multiple threats
C:\Drivers\Documents and Settings\Tanya\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\65f91745-27295bec multiple threats
C:\Drivers\Documents and Settings\Tanya\Downloads\backups\backup-20111106-145624-614.dll a variant of Win32/Adware.Toolbar.Shopper.AB application
C:\Drivers\Documents and Settings\Tyla\AppData\Local\temp\0.8938672436745441exe a variant of Win32/Kryptik.UOE trojan
C:\Drivers\Documents and Settings\Tyla\AppData\Local\temp\37A2.tmp a variant of Win32/Kryptik.RRZ trojan
C:\Drivers\Documents and Settings\Tyla\AppData\Local\temp\6A42.tmp a variant of Win32/Kryptik.TXQ trojan
C:\Drivers\Documents and Settings\Tyla\AppData\Local\temp\959B.tmp a variant of Win32/Kryptik.TXQ trojan
C:\Drivers\Documents and Settings\Tyla\AppData\Local\temp\DDC5.tmp a variant of Win32/Kryptik.VEL trojan
C:\Drivers\Documents and Settings\Tyla\AppData\Local\temp\E1EB.tmp a variant of Win32/Kryptik.VEL trojan
C:\Drivers\Documents and Settings\Tyla\AppData\Local\temp\thpm2834201596832647703.tmp a variant of Win32/Kryptik.TXQ trojan
C:\Drivers\Documents and Settings\Tyla\AppData\Local\temp\thpm4787135411384491871.tmp a variant of Win32/Kryptik.TXQ trojan
C:\Drivers\Documents and Settings\Tyla\AppData\Local\temp\thpm8176920372140983795.tmp a variant of Win32/Kryptik.TGT trojan
C:\Drivers\Documents and Settings\Tyla\AppData\Local\temp\w7e891E.tmp Win32/Agent.TBB trojan
C:\Drivers\Documents and Settings\Tyla\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\4d91d175-492d8778 Java/TrojanDownloader.OpenStream.NCM trojan
C:\Drivers\Documents and Settings\Tyla\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\55c2cd7a-1a5663e0 a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Drivers\Documents and Settings\Tyla\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\55c2cd7a-398be22d a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Drivers\Documents and Settings\Tyla\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\55c2cd7a-3db4fc54 a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Drivers\Documents and Settings\Tyla\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\55c2cd7a-5a301473 a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Drivers\Documents and Settings\Tyla\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\55c2cd7a-6afb2be6 a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Drivers\Documents and Settings\Tyla\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\55c2cd7a-7f43d7ab a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Drivers\Documents and Settings\Tyla\Downloads\SetupGamevance.exe a variant of Win32/Adware.Gamevance.AH application
C:\Drivers\Documents and Settings\Tyla\Downloads\SetupGamevance2.exe a variant of Win32/Adware.Gamevance.BB application
C:\Program Files (x86)\ShoppingReport2\Bin\2.7.32\ShoppingReport.dll a variant of Win32/Adware.Toolbar.Shopper.AB application
C:\Program Files (x86)\Windows Live\Messenger\riched20.dll Win32/Toolbar.MyWebSearch application
C:\Users\Alc\AppData\Local\temp\7441.tmp a variant of Win32/Kryptik.TWK trojan
C:\Users\Alc\AppData\Local\temp\P5tM1QBI6DSS92.exe.tmp a variant of Win32/Kryptik.TZX trojan
C:\Users\Alc\AppData\Local\temp\thpm5355444953622111956.tmp a variant of Win32/Kryptik.TWK trojan
C:\Users\Alc\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\493bef84-41cb02f9 a variant of Java/Agent.DW trojan
C:\Users\Christopher\AppData\Local\f890de4d\X Win64/Sirefef.A trojan
C:\Users\Christopher\AppData\Local\temp\555D.tmp a variant of Win32/Kryptik.VBD trojan
C:\Users\Christopher\AppData\Local\temp\621B.tmp a variant of Win32/Kryptik.VEL trojan
C:\Users\Christopher\AppData\Local\temp\6EF7.tmp a variant of Win32/Kryptik.VEL trojan
C:\Users\Christopher\AppData\Local\temp\P5tM1QBI6DSS92.exe.tmp a variant of Win32/Kryptik.VAL trojan
C:\Users\Christopher\AppData\Local\temp\thpm2075245444530195671.tmp a variant of Win32/Kryptik.UQZ trojan
C:\Users\Christopher\AppData\Local\temp\thpm5121452413282474481.tmp a variant of Win32/Kryptik.UTR trojan
C:\Users\Christopher\AppData\Local\temp\thpm6639859627891216390.tmp multiple threats
C:\Users\Christopher\AppData\Local\temp\thpm7873454743651815924.tmp multiple threats
C:\Users\Christopher\AppData\Local\temp\thpm8214940541927671621.tmp multiple threats
C:\Users\Christopher\AppData\Local\temp\thpm8533804973889767822.tmp a variant of Win32/Kryptik.UPZ trojan
C:\Users\Christopher\AppData\Local\temp\~!#3F02.tmp a variant of Win32/Kryptik.VFD trojan
C:\Users\Christopher\AppData\Local\temp\~!#44EC.tmp a variant of Win32/Kryptik.UFG trojan
C:\Users\Christopher\AppData\Local\temp\~!#5DBB.tmp a variant of Win32/Kryptik.VEL trojan
C:\Users\Christopher\AppData\Local\temp\nsc1BA0.tmp\a891slk.tmp a variant of Win32/Kryptik.UPZ trojan
C:\Users\Christopher\AppData\Local\temp\nsc1BA0.tmp\g1has7.tmp a variant of Win32/Kryptik.UPZ trojan
C:\Users\Christopher\AppData\Local\temp\nsc1BA0.tmp\kl12jks.tmp a variant of Win32/Kryptik.UPZ trojan
C:\Users\Christopher\AppData\Local\temp\nsf2B67.tmp\001.jgg a variant of Win32/Kryptik.UXS trojan
C:\Users\Christopher\AppData\Local\temp\nsf2B67.tmp\002.jgg Win32/BHO.NZK trojan
C:\Users\Christopher\AppData\Local\temp\nsf2B67.tmp\003.jgg Win32/TrojanDownloader.Tracur.I trojan
C:\Users\Christopher\AppData\Local\temp\nsn4BE7.tmp\tbd.txt a variant of Win32/Kryptik.UQZ trojan
C:\Users\Christopher\AppData\Local\temp\nsn4BE7.tmp\zip32.dll a variant of Win32/Kryptik.UJM trojan
C:\Users\Christopher\AppData\Local\temp\nssA75A.tmp\image01.jpo a variant of Win32/Kryptik.UQZ trojan
C:\Users\Christopher\AppData\Local\temp\nssA75A.tmp\image02.jpo a variant of Win32/Kryptik.UQZ trojan
C:\Users\Christopher\AppData\Local\temp\nssA75A.tmp\image03.jpo a variant of Win32/Kryptik.UQZ trojan
C:\Users\Christopher\AppData\Local\temp\nsz6769.tmp\be7uhskj.dd a variant of Win32/Kryptik.UZR trojan
C:\Users\Christopher\AppData\Local\temp\nsz6769.tmp\c1jiwoee.cc a variant of Win32/Kryptik.UZR trojan
C:\Users\Christopher\AppData\Local\temp\nsz6769.tmp\di92jlk3.dd Win32/TrojanDownloader.Tracur.I trojan
C:\Users\Christopher\AppData\Local\temp\nsz6769.tmp\errpoid2.xx a variant of Win32/Kryptik.UZR trojan
C:\Users\Christopher\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\7b629f1d-3fd56f06 a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Users\Christopher\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\2b2db8df-2d7dcf1a a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Users\Christopher\AppData\Roaming\privacy.exe a variant of Win32/Kryptik.VEL trojan
C:\Users\Public\Documents\19792079 a variant of Win32/Kryptik.VDQ trojan
C:\Users\Tanya\AppData\Local\temp\sai53B2.exe Win32/TrojanDownloader.Agent.QMS trojan
C:\Users\Tanya\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\33df908a-1e914ace probably a variant of Java/TrojanDownloader.OpenStream.NCC trojan
C:\Users\Tanya\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\514fcf8d-5bea05cd multiple threats
C:\Users\Tanya\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15\2a90d34f-44ec44d6 Java/TrojanDownloader.Agent.NCQ trojan
C:\Users\Tanya\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\5c46d844-2456d469 multiple threats
C:\Users\Tanya\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\65f91745-27295bec multiple threats
C:\Users\Tanya\Downloads\backups\backup-20111106-145624-614.dll a variant of Win32/Adware.Toolbar.Shopper.AB application
C:\Users\Tyla\AppData\Local\temp\0.8938672436745441exe a variant of Win32/Kryptik.UOE trojan
C:\Users\Tyla\AppData\Local\temp\37A2.tmp a variant of Win32/Kryptik.RRZ trojan
C:\Users\Tyla\AppData\Local\temp\6A42.tmp a variant of Win32/Kryptik.TXQ trojan
C:\Users\Tyla\AppData\Local\temp\959B.tmp a variant of Win32/Kryptik.TXQ trojan
C:\Users\Tyla\AppData\Local\temp\DDC5.tmp a variant of Win32/Kryptik.VEL trojan
C:\Users\Tyla\AppData\Local\temp\E1EB.tmp a variant of Win32/Kryptik.VEL trojan
C:\Users\Tyla\AppData\Local\temp\thpm2834201596832647703.tmp a variant of Win32/Kryptik.TXQ trojan
C:\Users\Tyla\AppData\Local\temp\thpm4787135411384491871.tmp a variant of Win32/Kryptik.TXQ trojan
C:\Users\Tyla\AppData\Local\temp\thpm8176920372140983795.tmp a variant of Win32/Kryptik.TGT trojan
C:\Users\Tyla\AppData\Local\temp\w7e891E.tmp Win32/Agent.TBB trojan
C:\Users\Tyla\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\4d91d175-492d8778 Java/TrojanDownloader.OpenStream.NCM trojan
C:\Users\Tyla\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\55c2cd7a-1a5663e0 a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Users\Tyla\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\55c2cd7a-398be22d a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Users\Tyla\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\55c2cd7a-3db4fc54 a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Users\Tyla\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\55c2cd7a-5a301473 a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Users\Tyla\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\55c2cd7a-6afb2be6 a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Users\Tyla\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\55c2cd7a-7f43d7ab a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Users\Tyla\Downloads\SetupGamevance.exe a variant of Win32/Adware.Gamevance.AH application
C:\Users\Tyla\Downloads\SetupGamevance2.exe a variant of Win32/Adware.Gamevance.BB application
C:\WINDOWS\temp\_avast_\unp100768256.tmp a variant of Win32/Kryptik.VEL trojan
C:\WINDOWS\temp\_avast_\unp100979155.tmp a variant of Win32/Kryptik.UXS trojan
C:\WINDOWS\temp\_avast_\unp102091229.tmp a variant of Win32/Kryptik.UPZ trojan
C:\WINDOWS\temp\_avast_\unp102654203.tmp a variant of Win32/Kryptik.UQZ trojan
C:\WINDOWS\temp\_avast_\unp102863844.tmp a variant of Win32/Kryptik.UQZ trojan
C:\WINDOWS\temp\_avast_\unp103204160.tmp a variant of Win32/Kryptik.UXS trojan
C:\WINDOWS\temp\_avast_\unp106979845.tmp a variant of Win32/Kryptik.UQZ trojan
C:\WINDOWS\temp\_avast_\unp254390993.tmp a variant of Win32/Kryptik.UQZ trojan
C:\WINDOWS\temp\_avast_\unp43714824.tmp a variant of Win32/Kryptik.UQZ trojan
C:\WINDOWS\temp\_avast_\unp51659301.tmp a variant of Win32/Kryptik.UQZ trojan
C:\WINDOWS\temp\_avast_\unp57078964.tmp a variant of Win32/Kryptik.UPZ trojan
C:\WINDOWS\temp\_avast_\unp58037724.tmp a variant of Win32/Kryptik.UQZ trojan
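The scan log above is long and lists many of the same files twice, once under C:\Users\ and once under C:\Drivers\Documents and Settings\. The following script is an added example (not part of the thread, and not ESET's or BleepingComputer's code) that parses lines in that "path verdict" format, folds the two path spellings onto one, and summarises detections per user profile, malware family and kind (trojan versus adware "application"). The sample lines are copied from the log above; the assumption that the "C:\Drivers\Documents and Settings\" prefix is a junction onto C:\Users\ is mine, made so the duplicate entries dedupe.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the scan log posted above, including one
# file that the scanner reported under two different path prefixes.
SAMPLE_LOG = r"""
C:\Users\Christopher\AppData\Local\f890de4d\X Win64/Sirefef.A trojan
C:\Drivers\Documents and Settings\Christopher\AppData\Local\f890de4d\X Win64/Sirefef.A trojan
C:\Users\Christopher\AppData\Local\temp\555D.tmp a variant of Win32/Kryptik.VBD trojan
C:\Users\Tanya\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\514fcf8d-5bea05cd multiple threats
C:\Users\Tanya\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\33df908a-1e914ace probably a variant of Java/TrojanDownloader.OpenStream.NCC trojan
C:\Users\Tyla\Downloads\SetupGamevance.exe a variant of Win32/Adware.Gamevance.AH application
C:\WINDOWS\temp\_avast_\unp100768256.tmp a variant of Win32/Kryptik.VEL trojan
"""

# A line is "<path> <verdict>". Paths can contain spaces ("Documents and
# Settings"), so the path is matched lazily and the verdict is anchored at the
# end of the line. Verdict shapes seen in the log: "[probably ][a variant of ]
# <Platform/Name.Variant> (trojan|application)" or the bare "multiple threats".
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>"
    r"(?:probably )?(?:a variant of )?(?P<name>\S+) (?P<kind>trojan|application)"
    r"|multiple threats)$"
)

# Assumption: "C:\Drivers\Documents and Settings\" is a junction onto C:\Users\
# on this machine, so the same file is listed twice; fold it onto one path.
ALIAS_PREFIX = "c:\\drivers\\documents and settings\\"
PROFILE_RE = re.compile(r"^[a-z]:\\users\\([^\\]+)\\", re.IGNORECASE)


def canonical_path(path):
    """Rewrite the alias prefix so both spellings of a file dedupe to one key."""
    if path.lower().startswith(ALIAS_PREFIX):
        return "C:\\Users\\" + path[len(ALIAS_PREFIX):]
    return path


def family(name):
    """'Win32/Kryptik.VBD' -> 'Kryptik'; 'Java/TrojanDownloader.OpenStream.NCM'
    -> 'TrojanDownloader.OpenStream'. The trailing variant suffix is dropped so
    the dozens of Kryptik variants collapse into one family."""
    base = name.split("/", 1)[-1]
    return base.rsplit(".", 1)[0] if "." in base else base


def parse_line(line):
    """Return a record for one scan-log line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = canonical_path(m.group("path"))
    prof = PROFILE_RE.match(path)
    if m.group("name"):
        fam, kind = family(m.group("name")), m.group("kind")
    else:
        fam, kind = "multiple threats", "multiple"
    return {
        "path": path,
        "profile": prof.group(1) if prof else "system",  # outside any user profile
        "family": fam,
        "kind": kind,  # "application" marks adware/PUA rather than a trojan
    }


def summarize(log_text):
    """Dedupe by canonical path and count detections per profile, family, kind."""
    seen = {}
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        seen.setdefault(rec["path"].lower(), rec)  # alias duplicates collapse here
    recs = list(seen.values())
    return {
        "unique_files": len(recs),
        "skipped": skipped,
        "per_profile": dict(Counter(r["profile"] for r in recs)),
        "per_family": dict(Counter(r["family"] for r in recs)),
        "per_kind": dict(Counter(r["kind"] for r in recs)),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against the full log by replacing SAMPLE_LOG with the file contents. The per-profile counts tell a helper which accounts were used when the infections came in (here the Java deployment cache and per-user temp folders), and the "application" kind separates bundled adware like the Gamevance installers from the Kryptik and Sirefef trojans that need removal first.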

#7 RPMcMurphy


    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 13 November 2011 - 10:57 AM

luckie clutse:

How is your computer running now? Please do this next:

Go to Start > Run and copy/paste the contents of the codebox below into the Run box and click OK:

cmd /c rd /a/f/q "c:\users\Christopher\AppData\Local\f890de4d"

A DOS window may briefly open and close again; this is normal.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Java™ can be updated from the Java control panel: Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts. If it does not, let me know.

Once the install is complete...

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.
Download Security Check from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Please go here to run an online scan with ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file...
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.
Please include the following in your next post:
  • How is the computer running now?
  • SecurityCheck log
  • ESET log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#8 luckie clutse
  • Topic Starter

  • Members
  • 43 posts

Posted 14 November 2011 - 05:38 PM

I remember now that the last log.txt post I made was from ESET... anywho, the Java update didn't run.
The computer seems to be fine... but still has infected files.

SecurityCheck Log

Results of screen317's Security Check version 0.99.26
Windows Vista x64 (UAC is enabled)
Out of date service pack!!
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
avast! Free Antivirus
ESET Online Scanner v3
McAfee Security Scan Plus
McAfee Virtual Technician
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Java™ 6 Update 23
Out of date Java installed!
Mozilla Firefox ((3.6.24)) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Mozilla Firefox AvastSvc.exe -?-
AVAST Software Avast AvastUI.exe
Mozilla Firefox AvastUI.exe -?-
``````````End of Log````````````



ESET Log
C:\Drivers\Documents and Settings\Christopher\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\be2e59f-76356c75 a variant of Win32/TrojanDownloader.Small.PHJ trojan
C:\Drivers\Documents and Settings\Christopher\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63\5297573f-35c31eba probably a variant of Win32/TrojanDownloader.Small.PHJ trojan
C:\Drivers\Documents and Settings\Public\Documents\19792079 a variant of Win32/Kryptik.VDQ trojan
C:\Drivers\Documents and Settings\Tanya\Downloads\frostwire-4.21.5.windows.exe Win32/OpenCandy application
C:\Drivers\Documents and Settings\Tanya\Downloads\winzip155.exe Win32/OpenCandy application
C:\Drivers\Documents and Settings\Tanya\Downloads\backups\backup-20111106-145624-614.dll a variant of Win32/Adware.Toolbar.Shopper.AB application
C:\Drivers\Documents and Settings\Tyla\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\4d91d175-492d8778 Java/TrojanDownloader.OpenStream.NCM trojan
C:\Drivers\Documents and Settings\Tyla\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\55c2cd7a-1a5663e0 a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Drivers\Documents and Settings\Tyla\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\55c2cd7a-398be22d a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Drivers\Documents and Settings\Tyla\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\55c2cd7a-3db4fc54 a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Drivers\Documents and Settings\Tyla\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\55c2cd7a-5a301473 a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Drivers\Documents and Settings\Tyla\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\55c2cd7a-6afb2be6 a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Drivers\Documents and Settings\Tyla\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\55c2cd7a-7f43d7ab a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Drivers\Documents and Settings\Tyla\Downloads\SetupGamevance.exe a variant of Win32/Adware.Gamevance.AH application
C:\Drivers\Documents and Settings\Tyla\Downloads\SetupGamevance2.exe a variant of Win32/Adware.Gamevance.BB application
C:\Program Files (x86)\Dell DataSafe Local Backup\hstart.exe a variant of Win32/HiddenStart.A application
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe a variant of Win32/HiddenStart.A application
C:\Program Files (x86)\Windows Live\Messenger\riched20.dll Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files (x86)\ShoppingReport2\Bin\2.7.32\ShoppingReport.dll.vir a variant of Win32/Adware.Toolbar.Shopper.AB application
C:\Qoobox\Quarantine\C\Users\Christopher\AppData\Local\f890de4d\X.vir Win64/Sirefef.A trojan
C:\Users\Christopher\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\be2e59f-76356c75 a variant of Win32/TrojanDownloader.Small.PHJ trojan
C:\Users\Christopher\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63\5297573f-35c31eba probably a variant of Win32/TrojanDownloader.Small.PHJ trojan
C:\Users\Public\Documents\19792079 a variant of Win32/Kryptik.VDQ trojan
C:\Users\Tanya\Downloads\frostwire-4.21.5.windows.exe Win32/OpenCandy application
C:\Users\Tanya\Downloads\winzip155.exe Win32/OpenCandy application
C:\Users\Tanya\Downloads\backups\backup-20111106-145624-614.dll a variant of Win32/Adware.Toolbar.Shopper.AB application
C:\Users\Tyla\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\4d91d175-492d8778 Java/TrojanDownloader.OpenStream.NCM trojan
C:\Users\Tyla\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\55c2cd7a-1a5663e0 a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Users\Tyla\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\55c2cd7a-398be22d a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Users\Tyla\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\55c2cd7a-3db4fc54 a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Users\Tyla\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\55c2cd7a-5a301473 a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Users\Tyla\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\55c2cd7a-6afb2be6 a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Users\Tyla\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\55c2cd7a-7f43d7ab a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Users\Tyla\Downloads\SetupGamevance.exe a variant of Win32/Adware.Gamevance.AH application
C:\Users\Tyla\Downloads\SetupGamevance2.exe a variant of Win32/Adware.Gamevance.BB application

#9 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 14 November 2011 - 10:02 PM

luckie clutse:

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Be sure that everything else is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please post the results.
Please include the following in your next post:
MBAM log

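One way to triage an ESET log like the one posted above before acting on it, as an added example that is not a tool from this thread, from ESET or from Malwarebytes: it parses each hit, collapses duplicate paths, and buckets entries that the cleanup steps already cover (the Java cache emptied by the Java control-panel step, and the C:\Qoobox / System Volume Information entries the MBAM instructions say to leave unchecked). It assumes that the C:\Drivers\Documents and Settings\ paths are aliases of C:\Users\ on this machine, since every profile path appears twice in the log; that alias is an assumption, not something the thread states.

```python
import re
from collections import Counter

# ESET Online Scanner log lines have the shape "<path> <verdict> <trojan|application>".
# Paths may contain spaces, so the verdict is located by its "Family/Name" token,
# optionally prefixed by "a variant of" or "probably a variant of".
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<verdict>(?:probably )?(?:a variant of )?[A-Za-z0-9]+/\S+)\s+"
    r"(?P<kind>trojan|application)$"
)

# Assumption, not stated in the thread: every profile path appears twice in the
# posted log, under C:\Users and under C:\Drivers\Documents and Settings, so the
# second form is treated here as an alias of the first and collapsed.
PATH_ALIASES = {
    "c:\\drivers\\documents and settings\\": "c:\\users\\",
}

# Hits that need no separate removal: ComboFix quarantine and restore points
# (the MBAM instructions in this thread say to uncheck those entries) and the
# Java deployment cache (emptied by the Java control-panel step).
QUARANTINE_MARKERS = ("\\qoobox\\quarantine\\", "\\system volume information\\")
JAVA_CACHE_MARKER = "\\sun\\java\\deployment\\cache\\"


def parse_line(line):
    """Return {'path', 'verdict', 'kind'} for one log line, or None if it is not a hit."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def canonical(path):
    """Lower-case the path and rewrite known alias prefixes so duplicates collapse."""
    p = path.lower()
    for alias, real in PATH_ALIASES.items():
        if p.startswith(alias):
            p = real + p[len(alias):]
    return p


def categorize(path):
    """Bucket a hit by what the cleanup steps in this thread already do about it."""
    p = canonical(path)
    if any(marker in p for marker in QUARANTINE_MARKERS):
        return "quarantined"
    if JAVA_CACHE_MARKER in p:
        return "java-cache"
    return "active"


def triage(lines):
    """Parse, de-duplicate and bucket log lines; returns entries plus per-bucket counts."""
    entries = {}
    parsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parsed += 1
        key = canonical(rec["path"])
        if key not in entries:  # keep the first spelling of a duplicated path
            rec["category"] = categorize(rec["path"])
            entries[key] = rec
    counts = Counter(rec["category"] for rec in entries.values())
    return {
        "parsed": parsed,
        "unique": len(entries),
        "counts": dict(counts),
        "entries": list(entries.values()),
    }


# Sample input: eight lines copied from the ESET log posted earlier in this thread.
SAMPLE_LOG = r"""
C:\Drivers\Documents and Settings\Christopher\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\be2e59f-76356c75 a variant of Win32/TrojanDownloader.Small.PHJ trojan
C:\Users\Christopher\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\be2e59f-76356c75 a variant of Win32/TrojanDownloader.Small.PHJ trojan
C:\Drivers\Documents and Settings\Public\Documents\19792079 a variant of Win32/Kryptik.VDQ trojan
C:\Users\Public\Documents\19792079 a variant of Win32/Kryptik.VDQ trojan
C:\Users\Tanya\Downloads\frostwire-4.21.5.windows.exe Win32/OpenCandy application
C:\Qoobox\Quarantine\C\Users\Christopher\AppData\Local\f890de4d\X.vir Win64/Sirefef.A trojan
C:\Program Files (x86)\Windows Live\Messenger\riched20.dll Win32/Toolbar.MyWebSearch application
C:\Users\Christopher\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63\5297573f-35c31eba probably a variant of Win32/TrojanDownloader.Small.PHJ trojan
""".strip().splitlines()


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{result['parsed']} hits, {result['unique']} unique: {result['counts']}")
    for rec in result["entries"]:
        if rec["category"] == "active":
            print("needs attention:", rec["path"], "->", rec["verdict"])
```

On the eight sample lines this reports 6 unique hits (2 in the Java cache, 1 already quarantined, 3 active), which is the short list a helper would actually act on.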


#10 luckie clutse
  • Topic Starter

  • Members
  • 43 posts

Posted 14 November 2011 - 10:18 PM

MBAM log

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8164

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

11/14/2011 9:17:14 PM
mbam-log-2011-11-14 (21-17-02).txt

Scan type: Full scan (D:\|E:\|G:\|H:\|I:\|J:\|Q:\|)
Objects scanned: 246384
Time elapsed: 1 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{B035BA6B-57CD-4F72-B545-65BE465FCAF6} (Adware.ShoppingReport2) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{D44FD6F0-9746-484E-B5C4-C66688393872} (Adware.ShoppingReport2) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{0EB3F101-224A-4B2B-9E5B-DF720857529C} (Adware.ShoppingReport2) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\christopher\AppData\Roaming\microsoft\Windows\start menu\Programs\Startup\winupd.lnk (Trojan.Downloader) -> No action taken.
c:\Users\christopher\AppData\Roaming\microsoft\Windows\start menu\Programs\Startup\0.18465919063428105 (Backdoor.Agent) -> No action taken.

#11 luckie clutse
  • Topic Starter

  • Members
  • 43 posts

Posted 14 November 2011 - 11:18 PM

Mistakenly misread the thread and posted
Files Infected:
c:\Users\christopher\AppData\Roaming\microsoft\Windows\start menu\Programs\Startup\winupd.lnk (Trojan.Downloader) -> No action taken.
c:\Users\christopher\AppData\Roaming\microsoft\Windows\start menu\Programs\Startup\0.18465919063428105 (Backdoor.Agent) -> No action taken.

into Notepad and ran ComboFix... here's the log

Combofix.txt log


ComboFix 11-11-14.03 - Tanya 11/14/2011 21:23:50.3.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.4060.938 [GMT -6:00]
Running from: C:\Users\Tanya\Desktop\ComboFix.exe
Command switches used :: C:\Users\Tanya\Desktop\cfscript.txt
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}


((((((((((((((((((((((((( Files Created from 2011-10-15 to 2011-11-15 )))))))))))))))))))))))))))))))


2011-11-15 03:46:48 . 2011-11-15 03:46:48 -------- d-----w- C:\Users\Tyla\AppData\Local\temp
2011-11-15 03:46:48 . 2011-11-15 03:46:48 -------- d-----w- C:\Users\Public\AppData\Local\temp
2011-11-15 03:46:48 . 2011-11-15 03:46:48 -------- d-----w- C:\Users\Default\AppData\Local\temp
2011-11-15 03:46:48 . 2011-11-15 03:46:48 -------- d-----w- C:\Users\AppData\AppData\Local\temp
2011-11-15 03:46:48 . 2011-11-15 03:46:48 -------- d-----w- C:\Users\Alc\AppData\Local\temp
2011-11-13 14:26:13 . 2011-11-15 03:46:48 -------- d-----w- C:\Users\Christopher\AppData\Local\temp
2011-11-13 02:33:45 . 2011-11-13 02:33:45 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{5009631F-8B35-4445-AD9D-8A54C822F02F}\offreg.dll
2011-11-12 04:47:20 . 2011-11-12 04:47:20 -------- d-----w- C:\_OTL
2011-11-11 08:22:31 . 2011-10-07 04:16:03 8570192 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{5009631F-8B35-4445-AD9D-8A54C822F02F}\mpengine.dll
2011-11-11 02:16:22 . 2011-11-13 21:01:17 -------- d-----w- C:\Users\Family
2011-11-11 01:48:55 . 2011-11-11 01:48:55 -------- d-----w- C:\Program Files (x86)\ESET
2011-11-10 23:39:07 . 2011-09-06 21:36:14 24408 ----a-w- C:\Windows\system32\drivers\aswFsBlk.sys
2011-11-10 23:39:06 . 2011-09-06 21:38:16 301912 ----a-w- C:\Windows\system32\drivers\aswSP.sys
2011-11-10 23:39:01 . 2011-09-06 21:36:41 58200 ----a-w- C:\Windows\system32\drivers\aswTdi.sys
2011-11-10 23:39:01 . 2011-09-06 21:36:41 42328 ----a-w- C:\Windows\system32\drivers\aswRdr.sys
2011-11-10 23:38:59 . 2011-09-06 21:38:18 601944 ----a-w- C:\Windows\system32\drivers\aswSnx.sys
2011-11-10 23:38:57 . 2011-09-06 21:36:30 65368 ----a-w- C:\Windows\system32\drivers\aswMonFlt.sys
2011-11-10 23:38:05 . 2011-09-06 21:45:29 41184 ----a-w- C:\Windows\avastSS.scr
2011-11-10 23:38:04 . 2011-09-06 21:45:29 199304 ----a-w- C:\Windows\SysWow64\aswBoot.exe
2011-11-10 23:37:29 . 2011-11-10 23:37:29 -------- d-----w- C:\ProgramData\AVAST Software
2011-11-10 23:37:29 . 2011-11-10 23:37:29 -------- d-----w- C:\Program Files\AVAST Software
2011-11-06 05:20:55 . 2011-11-13 02:59:59 -------- d-sh--w- C:\Users\Christopher\AppData\Local\f890de4d
2011-11-01 22:33:38 . 2011-11-12 03:55:17 -------- d-----w- C:\Users\Tanya\AppData\Local\Akamai
2011-10-24 11:18:25 . 2011-11-06 05:19:49 -------- d-----w- C:\Users\Christopher\AppData\Local\AskToolbar
2011-10-23 20:58:47 . 2011-10-23 20:58:47 -------- d-----w- C:\Users\Christopher\AppData\Roaming\Template
2011-10-16 22:39:52 . 2011-11-03 22:34:45 -------- d-----w- C:\Users\Christopher\AppData\Local\Mozilla
.


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2011-09-06 21:45:17 . 2011-01-14 23:15:20 254400 ----a-w- C:\Windows\system32\aswBoot.exe
2011-08-31 23:00:50 . 2010-04-25 15:35:39 25416 ----a-w- C:\Windows\system32\drivers\mbam.sys


((((((((((((((((((((((((((((( SnapShot@2011-11-13_03.03.21 )))))))))))))))))))))))))))))))))))))))))

+ 2008-01-21 03:20:35 . 2011-11-15 02:41:32 32768 C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-01-21 03:20:35 . 2011-11-13 02:33:49 32768 C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-01-21 03:20:34 . 2011-11-13 02:33:49 49152 C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-21 03:20:34 . 2011-11-15 02:41:32 49152 C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-21 03:20:35 . 2011-11-15 02:41:32 16384 C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-01-21 03:20:35 . 2011-11-13 02:33:49 16384 C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-09-13 18:52:07 . 2011-11-11 02:16:09 16384 C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-09-13 18:52:07 . 2011-11-13 04:49:47 16384 C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-09-13 18:52:07 . 2011-11-11 02:16:09 32768 C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-09-13 18:52:07 . 2011-11-13 04:49:47 32768 C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-09-13 18:52:07 . 2011-11-13 04:49:47 16384 C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-09-13 18:52:07 . 2011-11-11 02:16:09 16384 C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-11-25 14:46:30 . 2011-11-13 02:31:56 16384 C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-11-25 14:46:30 . 2011-10-31 23:22:52 16384 C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-11-25 14:46:30 . 2011-11-13 02:31:56 16384 C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-11-25 14:46:30 . 2011-10-31 23:22:52 16384 C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-08-19 05:48:04 . 2011-11-13 19:05:21 23040 C:\Windows\Installer\{901B0409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2009-08-19 05:48:04 . 2011-10-18 01:24:23 23040 C:\Windows\Installer\{901B0409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2009-08-19 05:48:04 . 2011-11-13 19:05:21 27136 C:\Windows\Installer\{901B0409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2009-08-19 05:48:04 . 2011-10-18 01:24:23 27136 C:\Windows\Installer\{901B0409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2009-08-19 05:48:04 . 2011-11-13 19:05:21 11264 C:\Windows\Installer\{901B0409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2009-08-19 05:48:04 . 2011-10-18 01:24:23 11264 C:\Windows\Installer\{901B0409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2009-08-19 05:48:04 . 2011-11-13 19:05:21 12288 C:\Windows\Installer\{901B0409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2009-08-19 05:48:04 . 2011-10-18 01:24:23 12288 C:\Windows\Installer\{901B0409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2009-08-19 05:48:04 . 2011-10-18 01:24:23 4096 C:\Windows\Installer\{901B0409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2009-08-19 05:48:04 . 2011-11-13 19:05:21 4096 C:\Windows\Installer\{901B0409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2009-08-19 05:48:04 . 2011-10-18 01:24:23 286720 C:\Windows\Installer\{901B0409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2009-08-19 05:48:04 . 2011-11-13 19:05:21 286720 C:\Windows\Installer\{901B0409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2009-08-19 05:48:04 . 2011-11-13 19:05:21 135168 C:\Windows\Installer\{901B0409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2009-08-19 05:48:04 . 2011-10-18 01:24:23 135168 C:\Windows\Installer\{901B0409-6000-11D3-8CFE-0150048383C9}\misc.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll" [2011-08-24 02:20:12 1515688]

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-08-24 02:20:12 1515688 ----a-w- C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll" [2011-08-24 02:20:12 1515688]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-12 01:58:15 39408]
"OM2_Monitor"="C:\Program Files (x86)\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2009-04-17 20:33:36 95536]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-21 02:51:33 138240]
"Skype"="C:\Program Files (x86)\Skype\Phone\Skype.exe" [2010-05-13 21:12:40 26192168]
"Starfield Updater"="C:\Users\Tanya\AppData\Local\Workspace\workspaceupdate.exe" [2011-10-09 21:46:36 34496]
"GameXN (update)"="C:\ProgramData\GameXN\GameXNGO.exe" [2011-09-01 01:54:20 347008]
"GameXN (news)"="C:\ProgramData\GameXN\GameXNGO.exe" [2011-09-01 01:54:20 347008]
"GameXN"="C:\ProgramData\GameXN\GameXNGO.exe" [2011-09-01 01:54:20 347008]
"Akamai NetSession Interface"="C:\Users\Tanya\AppData\Local\Akamai\netsession_win.exe" [2011-11-12 07:48:40 3303000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Default Manager"="C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-04-24 16:05:56 250192]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 02:26:38 128232]
"FaxCenterServer"="C:\Program Files (x86)\Dell PC Fax\fm3032.exe" [2006-11-03 22:09:24 312200]
"Dell DataSafe Online"="C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" [2009-04-09 21:29:00 1762032]
"Adobe Reader Speed Launcher"="C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 10:08:38 35696]
"Adobe ARM"="C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 18:08:30 935288]
"OM2_Monitor"="C:\Program Files (x86)\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2009-04-17 20:33:34 54576]
"SunJavaUpdateSched"="C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 17:44:46 248552]
"Google Desktop Search"="C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-11 17:42:46 30192]
"QuickTime Task"="C:\Program Files (x86)\QuickTime\QTTask.exe" [2010-11-29 22:38:18 421888]
"AppleSyncNotifier"="C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 17:48:18 58656]
"ApnUpdater"="C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [2011-08-24 02:20:18 887976]
"SwitchBoard"="C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 18:37:14 517096]
"AdobeCS5.5ServiceManager"="C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 12:08:56 1523360]
"iTunesHelper"="C:\Program Files (x86)\iTunes\iTunesHelper.exe" [2011-07-19 23:29:00 421736]
"avast"="C:\Program Files\AVAST Software\Avast\avastUI.exe" [2011-09-06 21:45:30 3722416]
"Malwarebytes' Anti-Malware"="C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 23:00:48 449608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"="C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [2011-09-19 21:36:05 560128]
"Malwarebytes' Anti-Malware"="C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 23:00:48 449608]

C:\Users\Alc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - C:\Program Files\Dell\DellDock\DellDock.exe [2009-5-28 1320288]

C:\Users\Family\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - C:\Program Files\Dell\DellDock\DellDock.exe [2009-5-28 1320288]

C:\Users\Tanya\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - C:\Program Files\Dell\DellDock\DellDock.exe [2009-5-28 1320288]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Kaspersky Security Scan.lnk - C:\Program Files (x86)\Kaspersky Security Scan\KSS.exe [2010-11-29 2402696]
McAfee Security Scan Plus.lnk - C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
WinZip Quick Pick.lnk - C:\Program Files (x86)\WinZip\WZQKPICK.EXE [2011-3-11 610120]

C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - C:\Program Files\Dell\DellDock\DellDock.exe [2009-5-28 1320288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~2\Google\GOOGLE~3\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"midi"=KORGUMDD.DRV
"midi1"=KORGUM64.DRV

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 18:16:28 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 19:27:14 138576]
R3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-07-08 00:31:08 195336]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2009-03-05 03:13:38 88576]
S2 Akamai;Akamai NetSession Interface;C:\Windows\System32\svchost.exe [2008-01-21 02:50:24 27648]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;C:\Windows\system32\drivers\aswMonFlt.sys [x]
S2 BBUpdate;BBUpdate;C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-06-15 22:33:20 249648]
S2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 20:23:26 821664]
S2 dlbk_device;dlbk_device;C:\Windows\system32\dlbkcoms.exe [2007-06-26 02:17:18 567024]
S2 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2008-12-18 19:05:28 155648]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBAMPROTECTOR

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai

Contents of the 'Scheduled Tasks' folder

2011-11-14 C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
- C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-02-10 09:21:36 . 2010-02-10 09:21:23]

2011-11-15 C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
- C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-02-10 09:21:36 . 2010-02-10 09:21:23]

2011-11-15 C:\Windows\Tasks\Norton Security Scan for Tanya.job
- C:\Program Files (x86)\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-06-17 23:37:46 . 2010-08-24 16:06:50]


--------- x86-64 -----------


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-09-06 21:45:17 134384 ----a-w- C:\Program Files\AVAST Software\Avast\ashShA64.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WPCUMI"="C:\Windows\system32\WpcUmi.exe" [2006-11-02 15:03:48 182784]
"RtHDVCpl"="C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-03-05 03:13:44 6963744]
"Skytel"="C:\Program Files\Realtek\Audio\HDA\Skytel.exe" [BU]
"dlbkbmgr.exe"="C:\Program Files (x86)\Dell AIO Printer A920\dlbkbmgr.exe" [2007-03-28 17:09:40 275952]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-27 02:10:00 2184520]
"CanonSolutionMenu"="C:\Program Files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-18 01:40:00 767312]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2010-08-26 01:45:04 161304]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2010-08-26 01:44:54 386584]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2010-08-26 01:45:00 415256]
"AdobeAAMUpdater-1.0"="C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-15 22:42:18 499608]
"MRT"="C:\Windows\system32\MRT.exe" [2011-11-10 09:00:24 52174280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Drivers32]
"midi1"=KORGUM64.DRV

------- Supplementary Scan -------

uLocal Page = C:\Windows\system32\blank.htm
uStart Page = hxxp://www.yahoo.com/
mLocal Page = %SystemRoot%\system32\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
LSP: C:\Windows\system32\wpclsp.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
DPF: Starfield Technologies - hxxp://video.secureserver.net/WSTPlugins/starfield_technologies.CAB
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - C:\Users\Tanya\AppData\Roaming\Mozilla\Firefox\Profiles\sczllhmz.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=LMW2&o=16046&locale=en_US&apn_uid=6248D426-A2C2-4F23-B961-E94A00C3D46D&apn_ptnrs=OE&apn_sauid=D492F83C-50F7-4E69-ABC1-D2737093ECD2&apn_dtid=VIN004YYUS&&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - C:\Program Files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: avast! WebRep: wrc@avast.com - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF - Ext: LimeWire Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: LimeWire Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: LimeWire Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: LimeWire Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: LimeWire Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: LimeWire Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: LimeWire Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: LimeWire Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: LimeWire Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: Webblog: {C3947F4E-8894-4C04-98E0-DF182C706DDF} - %profile%\extensions\{C3947F4E-8894-4C04-98E0-DF182C706DDF}

- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)



[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files (x86)\common files\akamai/netsession_win_dac4cfd.dll"

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@C:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="C:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="C:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="C:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx, 1"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="C:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="C:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx, 1"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

Completion time: 2011-11-14 22:14:47
ComboFix-quarantined-files.txt 2011-11-15 04:14:42
ComboFix2.txt 2011-11-13 14:26:12
ComboFix3.txt 2011-11-13 03:05:59
ComboFix4.txt 2011-01-09 00:10:04

Pre-Run: 439,753,228,288 bytes free
Post-Run: 439,729,061,888 bytes free

#12 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts

Posted 15 November 2011 - 03:53 PM

Your ComboFix script was not correct, thus it didn't do anything with those files. Re-run MBAM and let it remove those threats this time.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#13 luckie clutse

  • Topic Starter
  • Members
  • 43 posts

Posted 15 November 2011 - 05:48 PM

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8166

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

11/15/2011 4:35:19 PM
mbam-log-2011-11-15 (16-35-16).txt

Scan type: Full scan (D:\|E:\|G:\|H:\|I:\|J:\|Q:\|)
Objects scanned: 246402
Time elapsed: 1 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{B035BA6B-57CD-4F72-B545-65BE465FCAF6} (Adware.ShoppingReport2) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{D44FD6F0-9746-484E-B5C4-C66688393872} (Adware.ShoppingReport2) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{0EB3F101-224A-4B2B-9E5B-DF720857529C} (Adware.ShoppingReport2) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\christopher\AppData\Roaming\microsoft\Windows\start menu\Programs\Startup\winupd.lnk (Trojan.Downloader) -> No action taken.
c:\Users\christopher\AppData\Roaming\microsoft\Windows\start menu\Programs\Startup\0.18465919063428105 (Backdoor.Agent) -> No action taken.
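
The MBAM log above flags two persistence locations: the user's Startup folder (a winupd.lnk shortcut and a file named like a random number) and an Internet Explorer Low Rights ElevationPolicy subkey. The following PowerShell script is an added triage example, not part of this thread, MBAM or ComboFix. It enumerates both locations, resolves what each entry actually launches, and flags the patterns seen in the log. It assumes Windows PowerShell 2.0 or later, run elevated as the affected user (so the per-user Startup path resolves to that profile). The value names AppName, AppPath and Policy under ElevationPolicy are Microsoft's documented ones; the flag names and the heuristics behind them (numeric file name, dangling or out-of-tree target, unsigned binary, Policy=3) are this example's own.

```powershell
# Added triage script for the persistence locations in the MBAM log above.
# Example code, not from the thread, MBAM or ComboFix. Assumes Windows
# PowerShell 2.0+, run elevated as the affected user so that
# [Environment]::GetFolderPath('Startup') points at that user's profile.
# Flag names/heuristics below are this example's own, not MBAM categories.

function Get-StartupFindings {
    $shell = New-Object -ComObject WScript.Shell
    $dirs = @([Environment]::GetFolderPath('Startup'),
              [Environment]::GetFolderPath('CommonStartup'))
    foreach ($dir in $dirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        # -Force also lists hidden/system files, which droppers like to set
        $files = Get-ChildItem -LiteralPath $dir -Force |
                 Where-Object { -not $_.PSIsContainer }
        foreach ($item in $files) {
            $target = $item.FullName
            if ($item.Extension -ieq '.lnk') {
                # Resolve the shortcut: the .lnk itself is inert, its target is what runs
                $target = $shell.CreateShortcut($item.FullName).TargetPath
            }
            $flags = @()
            # A name such as 0.18465919063428105 is a random token, not an installer artefact
            if ($item.Name -match '^[\d.]+$') { $flags += 'numeric-name' }
            $sig = 'n/a'
            if ([string]::IsNullOrEmpty($target) -or -not (Test-Path -LiteralPath $target)) {
                $flags += 'dangling-target'
            } else {
                # Legitimate startup entries overwhelmingly live under Program Files or Windows
                if ($target -notmatch '^[A-Za-z]:\\(Program Files( \(x86\))?|Windows)\\') {
                    $flags += 'target-outside-program-dirs'
                }
                $sig = (Get-AuthenticodeSignature -FilePath $target).Status
                if ($sig -ne 'Valid') { $flags += "signature-$sig" }
            }
            New-Object PSObject -Property @{
                Location  = 'Startup'
                Path      = $item.FullName
                Target    = $target
                Signature = $sig
                Flags     = ($flags -join ',')
            }
        }
    }
}

function Get-ElevationPolicyFindings {
    # Each subkey names a program that Protected Mode IE may launch at medium
    # integrity; Policy=3 means launch silently, which is why adware registers itself here.
    $roots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy')
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $p = Get-ItemProperty -LiteralPath $key.PSPath
            $exe = $null
            if ($p.AppPath -and $p.AppName) {
                $exe = [IO.Path]::Combine($p.AppPath, $p.AppName)
            }
            $flags = @()
            $sig = 'n/a'
            if ($p.Policy -eq 3) { $flags += 'silent-elevation' }
            if (-not $exe -or -not (Test-Path -LiteralPath $exe)) {
                $flags += 'missing-binary'
            } else {
                $sig = (Get-AuthenticodeSignature -FilePath $exe).Status
                if ($sig -ne 'Valid') { $flags += "signature-$sig" }
            }
            New-Object PSObject -Property @{
                Location  = 'ElevationPolicy'
                Path      = $key.Name
                Target    = $exe
                Signature = $sig
                Flags     = ($flags -join ',')
            }
        }
    }
}

# Print only the entries that tripped at least one flag
$(Get-StartupFindings; Get-ElevationPolicyFindings) |
    Where-Object { $_.Flags } |
    Select-Object Location, Path, Target, Signature, Flags |
    Format-Table -AutoSize -Wrap
```

Run it before and after the cleanup step: a clean machine should produce an empty table, while the two Startup entries in the log would show as `numeric-name` / `dangling-target` and `target-outside-program-dirs` respectively, and a leftover ElevationPolicy subkey shows up with its GUID and whichever binary it still points at. The script only reports; removal is left to the tool the helper in this thread prescribes.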

#14 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts

Posted 15 November 2011 - 11:13 PM

You still didn't let MBAM clean those detections. When the scan completes make sure they are all checked, then click "Remove Selected"



#15 luckie clutse

  • Topic Starter
  • Members
  • 43 posts

Posted 16 November 2011 - 12:12 AM

What am I doing wrong? I checked everything you told me...
