Infected with TDSS & Google keeps redirecting


  • This topic is locked
10 replies to this topic

#1 nrgstone

  • Members
  • 7 posts
  • OFFLINE
  • Local time:10:57 AM

Posted 18 November 2011 - 09:55 PM

Somehow my brother installed AV 2012 on his computer, which I thought I had removed correctly; however, it still redirects when searching things in Google.
I have tried using the suggested method : http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller

However it didn't come up with anything.

Here is the DDS.txt:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_23
Run by Adrian at 15:54:26 on 2011-11-18
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3835.2034 [GMT -6:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
C:\Users\Adrian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AeroBar.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe
C:\Program Files\Realtek\RtVOsd\RtVOsd.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\SysWOW64\PnkBstrB.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
mWinlogon: Userinit=userinit.exe,
BHO: {05e6d3f8-4ba0-4b54-99cc-cbb95ad9d225} - C:\Users\Adrian\AppData\Local\ShellUser.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - C:\Program Files (x86)\Adobe\Adobe Contribute CS5\Plugins\IEPlugin\contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~3\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - C:\Program Files (x86)\Adobe\Adobe Contribute CS5\Plugins\IEPlugin\contributeieplugin.dll
TB: {5E5AB302-7F65-44CD-8211-C1D4CAACCEA3} - No File
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
StartupFolder: C:\Users\Adrian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AeroBar.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~3\Office14\ONBttnIE.dll/105
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
TCP: DhcpNameServer = 192.168.2.254
TCP: Interfaces\{1E1829C6-8B6C-4B8D-B708-217E3920F446} : DhcpNameServer = 192.168.2.254
TCP: Interfaces\{1E1829C6-8B6C-4B8D-B708-217E3920F446}\4427F696468713 : DhcpNameServer = 192.168.2.254
TCP: Interfaces\{1E1829C6-8B6C-4B8D-B708-217E3920F446}\4656A7E65747A7 : DhcpNameServer = 192.168.2.254
TCP: Interfaces\{1E1829C6-8B6C-4B8D-B708-217E3920F446}\46A7E65747A713 : DhcpNameServer = 192.168.43.1
TCP: Interfaces\{1E1829C6-8B6C-4B8D-B708-217E3920F446}\5467F6455647 : DhcpNameServer = 192.168.2.254
TCP: Interfaces\{3A74CBCF-7D5B-45B6-831C-DCEA0626AFE1} : DhcpNameServer = 8.8.8.8 8.8.4.4
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL
C:\Users\Adrian\AppData\Local\ShellUser.dll
BHO-X64: ContributeBHO Class: {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files (x86)\Adobe\Adobe Contribute CS5\Plugins\IEPlugin\contributeieplugin.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
BHO-X64: Increase performance and video formats for your HTML5 <video> - No File
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO-X64: DivX HiQ: {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
BHO-X64: Use the DivX Plus Web Player to watch web videos with less interruptions and smoother playback on supported sites - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~3\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: Contribute Toolbar: {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files (x86)\Adobe\Adobe Contribute CS5\Plugins\IEPlugin\contributeieplugin.dll
TB-X64: {5E5AB302-7F65-44CD-8211-C1D4CAACCEA3} - No File
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Adrian\AppData\Roaming\Mozilla\Firefox\Profiles\7qyxt5i9.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.51204.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdnu.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Adrian\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: C:\Users\Adrian\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-6-6 64952]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2010-2-28 821664]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-11-12 366152]
R2 RtVOsdService;RtVOsdService Installer;C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe [2010-4-19 315392]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-4-24 483688]
R3 amdiox64;AMD IO Driver;C:\Windows\system32\DRIVERS\amdiox64.sys --> C:\Windows\system32\DRIVERS\amdiox64.sys [?]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 easytether;easytether;C:\Windows\system32\DRIVERS\easytthr.sys --> C:\Windows\system32\DRIVERS\easytthr.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
R3 pneteth;PdaNet Broadband;C:\Windows\system32\DRIVERS\pneteth.sys --> C:\Windows\system32\DRIVERS\pneteth.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 Sftfs;Sftfs;C:\Windows\system32\DRIVERS\Sftfslh.sys --> C:\Windows\system32\DRIVERS\Sftfslh.sys [?]
R3 Sftplay;Sftplay;C:\Windows\system32\DRIVERS\Sftplaylh.sys --> C:\Windows\system32\DRIVERS\Sftplaylh.sys [?]
R3 Sftredir;Sftredir;C:\Windows\system32\DRIVERS\Sftredirlh.sys --> C:\Windows\system32\DRIVERS\Sftredirlh.sys [?]
R3 Sftvol;Sftvol;C:\Windows\system32\DRIVERS\Sftvollh.sys --> C:\Windows\system32\DRIVERS\Sftvollh.sys [?]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-4-24 209768]
R3 usbfilter;AMD USB Filter Driver;C:\Windows\system32\DRIVERS\usbfilter.sys --> C:\Windows\system32\DRIVERS\usbfilter.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2011-11-12 1153368]
S3 androidusb;SAMSUNG Android Composite ADB Interface Driver;C:\Windows\system32\Drivers\ssadadb.sys --> C:\Windows\system32\Drivers\ssadadb.sys [?]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-3-25 30969208]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\netw5v64.sys --> C:\Windows\system32\DRIVERS\netw5v64.sys [?]
S3 NMgamingmsFltr;USB Optical Mouse;C:\Windows\system32\drivers\NMgamingms.sys --> C:\Windows\system32\drivers\NMgamingms.sys [?]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?]
S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL6.SYS --> C:\Windows\system32\DRIVERS\VSTAZL6.SYS [?]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [?]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);C:\Windows\system32\DRIVERS\ssadbus.sys --> C:\Windows\system32\DRIVERS\ssadbus.sys [?]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);C:\Windows\system32\DRIVERS\ssadmdfl.sys --> C:\Windows\system32\DRIVERS\ssadmdfl.sys [?]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;C:\Windows\system32\DRIVERS\ssadmdm.sys --> C:\Windows\system32\DRIVERS\ssadmdm.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
S4 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2010-11-20 98208]
S4 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
S4 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-1-26 354304]
S4 AMD Reservation Manager;AMD Reservation Manager;C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [2010-6-17 194496]
S4 CinemaNow Service;CinemaNow Service;C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe [2010-5-21 140272]
S4 HP Wireless Assistant Service;HP Wireless Assistant Service;C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-6-18 103992]
S4 SwitchBoard;SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
.
=============== Created Last 30 ================
.
2011-11-18 21:24:25 -------- d-----w- C:\Program Files (x86)\ESET
2011-11-18 07:19:55 -------- d-----w- C:\Users\Adrian\AppData\Local\{EB9A65D3-E0A2-42A4-B427-DB296599E1D2}
2011-11-18 04:28:32 -------- d-----w- C:\Users\Adrian\AppData\Local\{47339603-6A4D-4201-9C59-44D249CC3A5A}
2011-11-18 03:33:09 -------- d-----w- C:\Users\Adrian\AppData\Local\{5DA07476-BEF8-4952-AE00-FB2B3A3049F1}
2011-11-18 03:32:56 -------- d-----w- C:\Users\Adrian\AppData\Local\{D8DD2F87-59F1-4B4E-B0F7-430BFE5F864C}
2011-11-17 05:58:52 -------- d-----w- C:\Users\Adrian\AppData\Local\{81EBF4E5-FA68-48FF-8C17-E35C1B2755E5}
2011-11-16 07:45:02 -------- d-----w- C:\Users\Adrian\AppData\Local\{381B1EC2-53A6-42D8-A55B-C3DBB73935D9}
2011-11-16 07:10:04 -------- d-----w- C:\Users\Adrian\AppData\Local\{3C0A5763-2153-4E1B-8FA7-711C93A51795}
2011-11-15 20:00:56 -------- d-----w- C:\Program Files (x86)\MSECache
2011-11-14 07:17:04 -------- d-----w- C:\Users\Adrian\AppData\Local\{F4B30211-570E-4927-82DF-02931E9CD6E9}
2011-11-13 06:25:40 -------- d-----w- C:\Users\Adrian\AppData\Local\{6001B535-3DE0-44FB-8544-F9D7AD6862B2}
2011-11-13 06:25:17 -------- d-----w- C:\Users\Adrian\AppData\Local\{22A7717B-D457-420E-9792-D95D24A2CDFB}
2011-11-13 03:57:29 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2011-11-13 03:57:29 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
2011-11-13 03:53:44 -------- d-----w- C:\Users\Adrian\AppData\Roaming\Malwarebytes
2011-11-13 03:53:32 -------- d-----w- C:\ProgramData\Malwarebytes
2011-11-13 03:53:28 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-11-13 03:53:27 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-11-13 01:39:42 -------- d-----w- C:\Users\Adrian\AppData\Roaming\wtxP0ucS1b3n4m6
2011-11-13 01:39:41 -------- d-----w- C:\Users\Adrian\AppData\Roaming\hWK7fEL9gZjCkVl
2011-11-12 23:49:28 -------- d-----w- C:\Program Files (x86)\B9178
2011-11-12 23:49:16 -------- d-----w- C:\Users\Adrian\AppData\Roaming\E24B9
2011-11-12 23:49:12 -------- d-----w- C:\Program Files (x86)\LP
2011-11-12 23:49:08 -------- d-----w- C:\Users\Adrian\AppData\Roaming\oZqqhhYXwkUVl1v
2011-11-12 23:49:08 -------- d-----w- C:\Users\Adrian\AppData\Roaming\m22oonFF4pH5sJd
2011-11-12 23:49:00 -------- d-----w- C:\Users\Adrian\AppData\Roaming\u88ffRLL9hTqjCe
2011-11-12 23:48:58 -------- d-----w- C:\Users\Adrian\AppData\Roaming\uJJ77dEEL
2011-11-12 23:48:52 -------- d-----w- C:\Users\Adrian\AppData\Roaming\WKKK7fLgZYwIrNx
2011-11-12 23:48:46 -------- d-----w- C:\Users\Adrian\AppData\Roaming\XgggTXXqjYCeIVz
2011-11-12 23:22:43 -------- d-----w- C:\Users\Adrian\AppData\Local\{1CE1E178-B53A-442E-BD93-447D4DB162EA}
2011-11-12 23:22:29 -------- d-----w- C:\Users\Adrian\AppData\Local\{F5E95B30-BD8E-4FC8-8CE8-53D104F41949}
2011-11-12 16:15:26 244224 ----a-w- C:\Users\Adrian\AppData\Local\ShellUser.dll
2011-11-11 11:43:05 8570192 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{3F56A4E8-9D63-4BC7-BA60-DDE81C1DC206}\mpengine.dll
2011-11-11 02:54:41 -------- d-----w- C:\Users\Adrian\AppData\Local\{8DCE229A-295A-4A79-9EC8-F85392C158B7}
2011-11-11 02:54:20 -------- d-----w- C:\Users\Adrian\AppData\Local\{C0E98C1E-CFAA-4A10-B0F5-C98BEF9EADFF}
2011-11-10 03:23:09 -------- d-----w- C:\Users\Adrian\AppData\Local\{8149296A-54F0-48AC-830E-5F6D77FB3FAE}
2011-11-10 03:22:55 -------- d-----w- C:\Users\Adrian\AppData\Local\{2983B964-CD98-4B1A-81DA-DC0DA866BC23}
2011-11-09 00:37:53 -------- d-----w- C:\Program Files (x86)\Steam
2011-11-06 16:37:40 -------- d-----w- C:\Users\Adrian\AppData\Local\{7D513085-E8C0-4476-AAAB-78DAB3AE49EF}
2011-11-06 03:53:26 -------- d-----w- C:\Users\Adrian\AppData\Local\{8A35264C-85F3-47A7-AAB2-F79748713012}
2011-11-06 03:53:12 -------- d-----w- C:\Users\Adrian\AppData\Local\{6DEEF8C3-0D49-4C7B-8084-EF84A4C0B34D}
2011-11-05 02:56:08 -------- d-----w- C:\Users\Adrian\AppData\Local\{38CD8FC7-AA2F-430F-A3B5-D07CBAF5A057}
2011-11-05 02:55:55 -------- d-----w- C:\Users\Adrian\AppData\Local\{3C5BE94B-CBF9-4222-95DF-96CCCEA35B70}
2011-11-03 20:11:19 -------- d-----w- C:\Program Files (x86)\‚ ‚©‚Χ‚₯‚»‚Σ‚Ζ‚Β‚£
2011-11-03 16:37:42 -------- d-----w- C:\Tarte
2011-11-03 02:04:57 -------- d-----w- C:\Users\Adrian\AppData\Local\{5A4594F4-43E7-4224-9E3B-A85E76CE352C}
2011-11-03 01:31:04 -------- d-----w- C:\Users\Adrian\AppData\Local\{CE06B3E6-5FC9-457B-B5B4-D61A4860D0E8}
2011-11-03 00:14:14 -------- d-----w- C:\Users\Adrian\AppData\Local\{A8170F9B-1A86-48D8-B505-878802D2A3BE}
2011-11-02 21:05:32 -------- d-----w- C:\Users\Adrian\AppData\Local\{9FF16544-4D2C-4439-A1B3-CCA2ED4DCFDE}
2011-11-02 21:05:05 -------- d-----w- C:\Users\Adrian\AppData\Local\{77E1D4E3-C755-40E9-8E6C-90D157E88386}
2011-11-01 23:52:40 -------- d-----w- C:\Users\Adrian\AppData\Local\{D33657F2-A4E7-4C19-BD81-9239A0CBA33D}
2011-11-01 23:52:26 -------- d-----w- C:\Users\Adrian\AppData\Local\{56319BE7-B3FB-4286-B230-EC9B2513BAF4}
2011-11-01 01:10:48 -------- d-----w- C:\Users\Adrian\AppData\Local\{992069A4-D4C3-4CEC-BA20-84E80835FA75}
2011-10-31 00:13:24 -------- d-----w- C:\Users\Adrian\AppData\Local\{9D61CD39-07F3-4036-BFAB-96CFFE3F6194}
2011-10-31 00:13:11 -------- d-----w- C:\Users\Adrian\AppData\Local\{F046D40A-A4CE-4328-84A0-E2B8C0BFD582}
2011-10-30 06:35:36 -------- d-----w- C:\Users\Adrian\AppData\Local\AOL
2011-10-30 06:35:36 -------- d-----w- C:\Users\Adrian\AppData\Local\AIM
2011-10-30 06:14:56 -------- d-----w- C:\ProgramData\AIM
2011-10-30 06:14:42 -------- d-----w- C:\Program Files (x86)\AIM
2011-10-30 06:14:40 -------- d-----w- C:\Program Files (x86)\Common Files\Software Update Utility
2011-10-30 06:14:20 -------- d-----w- C:\Program Files (x86)\Common Files\AOL
2011-10-29 23:33:31 -------- d-----w- C:\Users\Adrian\AppData\Local\{035EFF88-9AE4-4794-B86C-A0787FE62218}
2011-10-29 23:33:04 -------- d-----w- C:\Users\Adrian\AppData\Local\{F9E195A5-A739-4F2D-AF09-A813E235FF6C}
2011-10-29 19:36:57 -------- d-----w- C:\Users\Adrian\AppData\Local\{C442996E-DCF7-48ED-BA19-D92BB7A11BFE}
2011-10-29 19:36:41 -------- d-----w- C:\Users\Adrian\AppData\Local\{8C11D4C6-23E9-4691-A78F-81BEC41C9677}
2011-10-29 02:00:40 -------- d-----w- C:\Users\Adrian\AppData\Local\{FAFDB3D9-C75F-4D1E-8136-354E653CF2E2}
2011-10-29 02:00:06 -------- d-----w- C:\Users\Adrian\AppData\Local\{C75CA8EA-D4C9-40BA-A711-361388276129}
2011-10-28 06:29:38 -------- d-----w- C:\Users\Adrian\AppData\Local\{B1169692-8EAC-46D1-9D70-86A39BF3CC6E}
2011-10-28 06:29:24 -------- d-----w- C:\Users\Adrian\AppData\Local\{A357F4F2-4A5A-412A-A79A-2418754FA43F}
2011-10-27 21:32:54 -------- d-----w- C:\Users\Adrian\AppData\Local\{C977C417-A788-440D-AC88-EEFD9828514E}
2011-10-27 21:32:41 -------- d-----w- C:\Users\Adrian\AppData\Local\{FED4A2D7-8CC0-40A9-834B-EEBA95DAD00A}
2011-10-26 21:55:08 -------- d-----w- C:\Users\Adrian\AppData\Local\{EDB08C3F-53E3-4C63-B23A-BFCED94FE9E2}
2011-10-26 21:54:54 -------- d-----w- C:\Users\Adrian\AppData\Local\{DF6CE6BD-D2EE-4CFA-A940-32C7A4DABC42}
2011-10-26 00:46:48 -------- d-----w- C:\Users\Adrian\AppData\Local\{E666FAA6-477E-46DB-A316-65BDB658D9BB}
2011-10-26 00:46:34 -------- d-----w- C:\Users\Adrian\AppData\Local\{C142D45A-B172-43FE-9414-D85F370DFF89}
2011-10-25 14:51:28 -------- d-----w- C:\Users\Adrian\AppData\Local\{C56960EA-D67A-4070-8239-4904BF9AC901}
2011-10-25 14:51:15 -------- d-----w- C:\Users\Adrian\AppData\Local\{8DC29018-2B34-49AD-9990-21C1ECD3320B}
2011-10-24 16:46:07 -------- d-----w- C:\Users\Adrian\AppData\Local\{A80A830A-8FB7-45BA-9926-DB6124E91C09}
2011-10-24 16:45:36 -------- d-----w- C:\Users\Adrian\AppData\Local\{29430F7C-7D79-4325-8613-98148B519063}
2011-10-24 03:08:59 -------- d-----w- C:\Users\Adrian\AppData\Local\{FE878873-DE34-4461-8ED3-CE61E88D2FD4}
2011-10-23 07:56:25 -------- d-----w- C:\Users\Adrian\AppData\Local\{44B11C24-076E-47D6-9126-A625F7F6729C}
2011-10-23 07:56:01 -------- d-----w- C:\Users\Adrian\AppData\Local\{77DA9580-BB3A-462F-8EDE-5FA09CFD05B6}
2011-10-22 17:10:44 -------- d-----w- C:\Users\Adrian\AppData\Local\{6447DC14-4737-42A7-A10B-2BA9E25991F1}
2011-10-22 17:10:30 -------- d-----w- C:\Users\Adrian\AppData\Local\{4F86F476-5DE2-49F0-83B5-04835DEF31DA}
2011-10-22 05:04:41 -------- d-----w- C:\Users\Adrian\AppData\Local\{7735D2B4-3CB2-418A-BEEE-15FCF9C232BB}
2011-10-22 05:04:27 -------- d-----w- C:\Users\Adrian\AppData\Local\{A8951B11-6BAD-4DFB-BB1A-703D8CD966F5}
2011-10-21 03:36:15 -------- d-----w- C:\Users\Adrian\AppData\Local\{5885E255-810F-4F1A-8F5D-F5879A5B34EA}
2011-10-21 03:35:57 -------- d-----w- C:\Users\Adrian\AppData\Local\{4228CBBC-792B-4CF3-8D52-C88D219B2E1E}
2011-10-20 00:57:57 -------- d-----w- C:\Users\Adrian\AppData\Local\{4461C114-4A52-4D33-A532-C31369DC8A77}
2011-10-20 00:57:41 -------- d-----w- C:\Users\Adrian\AppData\Local\{97FFA2DD-9665-40DE-B0F5-9F8FEA6E413F}
.
==================== Find3M ====================
.
2011-11-18 16:23:35 202008 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2011-11-18 16:23:35 202008 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
2011-10-01 04:36:30 2755072 ----a-w- C:\Windows\SysWow64\themeui.dll
2011-10-01 04:36:28 245760 ----a-w- C:\Windows\SysWow64\uxtheme.dll
2011-10-01 04:36:23 758040 ----a-w- C:\Windows\UTP.exe
2011-10-01 03:23:19 332288 ----a-w- C:\Windows\System32\uxtheme.dll
2011-10-01 03:23:15 2851328 ----a-w- C:\Windows\System32\themeui.dll
2011-10-01 03:23:12 44544 ----a-w- C:\Windows\System32\themeservice.dll
2011-08-31 04:05:32 96104 ----a-w- C:\Windows\System32\dns-sd.exe
2011-08-31 04:05:32 85864 ----a-w- C:\Windows\System32\dnssd.dll
2011-08-31 04:05:32 61288 ----a-w- C:\Windows\System32\jdns_sd.dll
2011-08-31 04:05:32 212840 ----a-w- C:\Windows\System32\dnssdX.dll
2011-08-31 04:05:04 83816 ----a-w- C:\Windows\SysWow64\dns-sd.exe
2011-08-31 04:05:04 73064 ----a-w- C:\Windows\SysWow64\dnssd.dll
2011-08-31 04:05:04 50536 ----a-w- C:\Windows\SysWow64\jdns_sd.dll
2011-08-31 04:05:04 178536 ----a-w- C:\Windows\SysWow64\dnssdX.dll
.
============= FINISH: 15:56:14.63 ===============
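The DDS report above contains several entries a responder would flag before running any tool: a BHO with no friendly name loading from the user profile (`ShellUser.dll`), UAC disabled (`EnableLUA = 0`) with prompting weakened, a Hosts override, and freshly created folders with generated-looking names under `AppData\Roaming` and `Program Files (x86)`. The following triage script is an added example, not part of the thread or of the DDS tool; the rules, rule names and severities are my own heuristics, and the sample lines are constructed in the DDS format from the entries shown above.

```python
"""Triage of DDS-style log lines for the indicators seen in this thread.
Added example: not part of the original post or of the DDS/ComboFix tools."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the DDS report format ("Pseudo HJT Report" and
# "Created Last 30" sections), taken from the entries quoted in the thread.
SAMPLE_LOG = r"""
BHO: {05e6d3f8-4ba0-4b54-99cc-cbb95ad9d225} - C:\Users\Adrian\AppData\Local\ShellUser.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
Hosts: 127.0.0.1 www.spywareinfo.com
2011-11-13 01:39:42 -------- d-----w- C:\Users\Adrian\AppData\Roaming\wtxP0ucS1b3n4m6
2011-11-13 03:53:44 -------- d-----w- C:\Users\Adrian\AppData\Roaming\Malwarebytes
2011-11-12 23:49:16 -------- d-----w- C:\Users\Adrian\AppData\Roaming\E24B9
2011-11-12 23:49:12 -------- d-----w- C:\Program Files (x86)\LP
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info"
    rule: str      # hypothetical rule name, chosen for this example
    line: str


# Line shapes of the DDS sections we look at.
BHO_RE = re.compile(
    r"^BHO(?:-X64)?:\s*(?P<name>.*?)\{(?P<clsid>[0-9a-f-]{36})\}\s*-\s*(?P<path>.+)$", re.I)
POLICY_RE = re.compile(r"^mPolicies-system:\s*(?P<key>\w+)\s*=\s*(?P<val>\d+)")
HOSTS_RE = re.compile(r"^Hosts:\s*(?P<ip>\S+)\s+(?P<host>\S+)")
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\S+\s+(?P<attr>[-a-z]{8})\s+(?P<path>.+)$")

USER_PROFILE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
# Folders created directly under roots where droppers commonly unpack.
DROP_ROOT = re.compile(
    r"\\(?:AppData\\(?:Roaming|Local)|Program Files(?: \(x86\))?)\\[^\\]+\\?$", re.I)
# Heuristics for generated folder names: long mixed-case alphanumerics with
# digits, or a short hex-looking token. Both can false-positive, so they are
# medium severity and exist to prioritise review, not to drive deletion.
RANDOM_NAME = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[A-Za-z0-9]{8,20}$")
HEX_NAME = re.compile(r"^[0-9A-F]{4,6}$")
# UAC policies whose value 0 disables or weakens elevation prompting.
UAC_KEYS = ("EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop")


def triage_line(line: str) -> Optional[Finding]:
    """Apply each rule to one log line; return the first matching finding."""
    line = line.strip()
    if m := BHO_RE.match(line):
        # Legitimate BHOs carry a friendly name and live under Program Files.
        name = m["name"].strip().rstrip(":").strip()
        if not name and USER_PROFILE.search(m["path"]):
            return Finding("high", "unnamed-bho-in-profile", line)
        return None
    if m := POLICY_RE.match(line):
        if m["key"] == "EnableLUA" and m["val"] == "0":
            return Finding("high", "uac-disabled", line)
        if m["key"] in UAC_KEYS and m["val"] == "0":
            return Finding("medium", "uac-weakened", line)
        return None
    if HOSTS_RE.match(line):
        # Hosts overrides are also added by immunisers, so only flag for review.
        return Finding("info", "hosts-override", line)
    if m := CREATED_RE.match(line):
        path = m["path"].rstrip("\\")
        if m["attr"].startswith("d") and DROP_ROOT.search(path):
            base = path.rsplit("\\", 1)[-1]
            if RANDOM_NAME.match(base) or HEX_NAME.match(base):
                return Finding("medium", "random-folder-name", line)
    return None


def triage(text: str) -> List[Finding]:
    """Run every line of a DDS report through the rules above."""
    return [f for ln in text.splitlines() if (f := triage_line(ln)) is not None]


def summarize(findings) -> dict:
    """Count findings per rule, e.g. {'uac-weakened': 2, ...}."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.rule:24} {f.line}")
```

On the sample above the script reports seven findings; the two `random-folder-name` hits and the Hosts entry are prompts for review, while the unnamed BHO and `EnableLUA = 0` are the entries that most directly explain a search redirect surviving a rootkit scan.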



#2 RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:57 PM

Posted 19 November 2011 - 11:27 AM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
P2P - I see you have P2P software (uTorrent) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to malware infections. Please see this post for more information. I recommend that you uninstall these now. You can do so via Control Panel >> Add or Remove Programs. If you choose to keep these applications, please do not use them until our fixes are complete.

Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • If you have trouble, stop and post back. Do not try to repeatedly run comboFix!
  • When finished, it will produce a report for you.
Please include the following in your next post:
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member



#3 nrgstone

  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:10:57 AM

Posted 19 November 2011 - 01:56 PM

I would first like to say thank you in advance for helping me with this.

As for the P2P software, I shall try to convince my brother to remove it, however for now it will not be used as the laptop is with me.

I did note that when I ran it, it said that Avast! was running; however, Avast! was removed from the computer a while back.

Here is the Combofix log:

ComboFix 11-11-19.04 - Adrian 11/19/2011 12:28:57.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3835.2607 [GMT -6:00]
Running from: c:\users\Adrian\Desktop\ComboFix.exe
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\LP
c:\program files (x86)\LP\A65E\7CFE.tmp
c:\program files (x86)\LP\A65E\8A73.tmp
c:\program files (x86)\LP\A65E\A67E.tmp
c:\program files (x86)\LP\A65E\FC9A.tmp
c:\users\Adrian\AppData\Local\ShellUser.dll
c:\users\Adrian\AppData\Roaming\Mozilla\Firefox\Profiles\7qyxt5i9.default\extensions\{0d90ab9d-065b-4867-866a-6aab5e11d83a}
c:\users\Adrian\AppData\Roaming\Mozilla\Firefox\Profiles\7qyxt5i9.default\extensions\{0d90ab9d-065b-4867-866a-6aab5e11d83a}\chrome.manifest
c:\users\Adrian\AppData\Roaming\Mozilla\Firefox\Profiles\7qyxt5i9.default\extensions\{0d90ab9d-065b-4867-866a-6aab5e11d83a}\chrome\xulcache.jar
c:\users\Adrian\AppData\Roaming\Mozilla\Firefox\Profiles\7qyxt5i9.default\extensions\{0d90ab9d-065b-4867-866a-6aab5e11d83a}\defaults\preferences\xulcache.js
c:\users\Adrian\AppData\Roaming\Mozilla\Firefox\Profiles\7qyxt5i9.default\extensions\{0d90ab9d-065b-4867-866a-6aab5e11d83a}\install.rdf
c:\users\Adrian\AppData\Roaming\Mozilla\Firefox\Profiles\7qyxt5i9.default\extensions\{4d11f0b2-d3b9-45ca-bd7f-22501409e131}
c:\users\Adrian\AppData\Roaming\Mozilla\Firefox\Profiles\7qyxt5i9.default\extensions\{4d11f0b2-d3b9-45ca-bd7f-22501409e131}\chrome.manifest
c:\users\Adrian\AppData\Roaming\Mozilla\Firefox\Profiles\7qyxt5i9.default\extensions\{4d11f0b2-d3b9-45ca-bd7f-22501409e131}\chrome\xulcache.jar
c:\users\Adrian\AppData\Roaming\Mozilla\Firefox\Profiles\7qyxt5i9.default\extensions\{4d11f0b2-d3b9-45ca-bd7f-22501409e131}\defaults\preferences\xulcache.js
c:\users\Adrian\AppData\Roaming\Mozilla\Firefox\Profiles\7qyxt5i9.default\extensions\{4d11f0b2-d3b9-45ca-bd7f-22501409e131}\install.rdf
c:\users\Adrian\AppData\Roaming\Mozilla\Firefox\Profiles\7qyxt5i9.default\extensions\{7e43b5d8-5104-4397-8473-102ca839f525}
c:\users\Adrian\AppData\Roaming\Mozilla\Firefox\Profiles\7qyxt5i9.default\extensions\{7e43b5d8-5104-4397-8473-102ca839f525}\chrome.manifest
c:\users\Adrian\AppData\Roaming\Mozilla\Firefox\Profiles\7qyxt5i9.default\extensions\{7e43b5d8-5104-4397-8473-102ca839f525}\chrome\xulcache.jar
c:\users\Adrian\AppData\Roaming\Mozilla\Firefox\Profiles\7qyxt5i9.default\extensions\{7e43b5d8-5104-4397-8473-102ca839f525}\defaults\preferences\xulcache.js
c:\users\Adrian\AppData\Roaming\Mozilla\Firefox\Profiles\7qyxt5i9.default\extensions\{7e43b5d8-5104-4397-8473-102ca839f525}\install.rdf
c:\users\Other ACcount\AppData\Roaming\Mozilla\Firefox\Profiles\lyxzjs8c.default\extensions\{0d90ab9d-065b-4867-866a-6aab5e11d83a}
c:\users\Other ACcount\AppData\Roaming\Mozilla\Firefox\Profiles\lyxzjs8c.default\extensions\{0d90ab9d-065b-4867-866a-6aab5e11d83a}\chrome.manifest
c:\users\Other ACcount\AppData\Roaming\Mozilla\Firefox\Profiles\lyxzjs8c.default\extensions\{0d90ab9d-065b-4867-866a-6aab5e11d83a}\chrome\xulcache.jar
c:\users\Other ACcount\AppData\Roaming\Mozilla\Firefox\Profiles\lyxzjs8c.default\extensions\{0d90ab9d-065b-4867-866a-6aab5e11d83a}\defaults\preferences\xulcache.js
c:\users\Other ACcount\AppData\Roaming\Mozilla\Firefox\Profiles\lyxzjs8c.default\extensions\{0d90ab9d-065b-4867-866a-6aab5e11d83a}\install.rdf
c:\users\Other ACcount\AppData\Roaming\Mozilla\Firefox\Profiles\lyxzjs8c.default\extensions\{4d11f0b2-d3b9-45ca-bd7f-22501409e131}
c:\users\Other ACcount\AppData\Roaming\Mozilla\Firefox\Profiles\lyxzjs8c.default\extensions\{4d11f0b2-d3b9-45ca-bd7f-22501409e131}\chrome.manifest
c:\users\Other ACcount\AppData\Roaming\Mozilla\Firefox\Profiles\lyxzjs8c.default\extensions\{4d11f0b2-d3b9-45ca-bd7f-22501409e131}\chrome\xulcache.jar
c:\users\Other ACcount\AppData\Roaming\Mozilla\Firefox\Profiles\lyxzjs8c.default\extensions\{4d11f0b2-d3b9-45ca-bd7f-22501409e131}\defaults\preferences\xulcache.js
c:\users\Other ACcount\AppData\Roaming\Mozilla\Firefox\Profiles\lyxzjs8c.default\extensions\{4d11f0b2-d3b9-45ca-bd7f-22501409e131}\install.rdf
c:\users\Other ACcount\AppData\Roaming\Mozilla\Firefox\Profiles\lyxzjs8c.default\extensions\{7e43b5d8-5104-4397-8473-102ca839f525}
c:\users\Other ACcount\AppData\Roaming\Mozilla\Firefox\Profiles\lyxzjs8c.default\extensions\{7e43b5d8-5104-4397-8473-102ca839f525}\chrome.manifest
c:\users\Other ACcount\AppData\Roaming\Mozilla\Firefox\Profiles\lyxzjs8c.default\extensions\{7e43b5d8-5104-4397-8473-102ca839f525}\chrome\xulcache.jar
c:\users\Other ACcount\AppData\Roaming\Mozilla\Firefox\Profiles\lyxzjs8c.default\extensions\{7e43b5d8-5104-4397-8473-102ca839f525}\defaults\preferences\xulcache.js
c:\users\Other ACcount\AppData\Roaming\Mozilla\Firefox\Profiles\lyxzjs8c.default\extensions\{7e43b5d8-5104-4397-8473-102ca839f525}\install.rdf
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_COMSysApp
.
.
((((((((((((((((((((((((( Files Created from 2011-10-19 to 2011-11-19 )))))))))))))))))))))))))))))))
.
.
2011-11-18 21:24 . 2011-11-18 21:24 -------- d-----w- c:\program files (x86)\ESET
2011-11-15 20:00 . 2011-11-15 20:00 -------- d-----w- c:\program files (x86)\MSECache
2011-11-13 08:28 . 2011-11-14 17:55 -------- d-----w- c:\users\Other ACcount\AppData\Roaming\B9178
2011-11-13 08:27 . 2011-11-14 17:55 -------- d-----w- c:\users\Other ACcount\AppData\Roaming\E24B9
2011-11-13 03:57 . 2011-11-18 05:55 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-11-13 03:57 . 2011-11-13 03:57 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2011-11-13 03:53 . 2011-11-13 03:53 -------- d-----w- c:\users\Adrian\AppData\Roaming\Malwarebytes
2011-11-13 03:53 . 2011-11-13 03:53 -------- d-----w- c:\programdata\Malwarebytes
2011-11-13 03:53 . 2011-08-31 23:00 25416 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-13 03:53 . 2011-11-13 03:53 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-11-13 01:39 . 2011-11-13 01:39 -------- d-----w- c:\users\Adrian\AppData\Roaming\wtxP0ucS1b3n4m6
2011-11-13 01:39 . 2011-11-13 01:39 -------- d-----w- c:\users\Adrian\AppData\Roaming\hWK7fEL9gZjCkVl
2011-11-12 23:49 . 2011-11-14 06:38 -------- d-----w- c:\program files (x86)\B9178
2011-11-12 23:49 . 2011-11-14 06:21 -------- d-----w- c:\users\Adrian\AppData\Roaming\E24B9
2011-11-12 23:49 . 2011-11-12 23:49 -------- d-----w- c:\users\Adrian\AppData\Roaming\oZqqhhYXwkUVl1v
2011-11-12 23:49 . 2011-11-12 23:49 -------- d-----w- c:\users\Adrian\AppData\Roaming\m22oonFF4pH5sJd
2011-11-12 23:49 . 2011-11-12 23:49 -------- d-----w- c:\users\Adrian\AppData\Roaming\u88ffRLL9hTqjCe
2011-11-12 23:48 . 2011-11-12 23:48 -------- d-----w- c:\users\Adrian\AppData\Roaming\uJJ77dEEL
2011-11-12 23:48 . 2011-11-12 23:48 -------- d-----w- c:\users\Adrian\AppData\Roaming\WKKK7fLgZYwIrNx
2011-11-12 23:48 . 2011-11-12 23:48 -------- d-----w- c:\users\Adrian\AppData\Roaming\XgggTXXqjYCeIVz
2011-11-11 11:43 . 2011-10-07 04:16 8570192 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3F56A4E8-9D63-4BC7-BA60-DDE81C1DC206}\mpengine.dll
2011-11-09 00:37 . 2011-11-18 16:13 -------- d-----w- c:\program files (x86)\Steam
2011-11-03 20:11 . 2011-11-03 20:11 -------- d-----w- c:\program files (x86)\‚ ‚©‚Χ‚₯‚»‚Σ‚Ζ‚Β‚£
2011-11-03 16:37 . 2011-11-03 16:37 -------- d-----w- C:\Tarte
2011-10-30 06:35 . 2011-10-30 06:35 -------- d-----w- c:\users\Adrian\AppData\Roaming\acccore
2011-10-30 06:35 . 2011-10-30 06:35 -------- d-----w- c:\users\Adrian\AppData\Local\AIM
2011-10-30 06:35 . 2011-10-30 06:35 -------- d-----w- c:\users\Adrian\AppData\Local\AOL
2011-10-30 06:14 . 2011-10-30 06:14 -------- d-----w- c:\programdata\AIM
2011-10-30 06:14 . 2011-10-30 06:14 -------- d-----w- c:\program files (x86)\AIM
2011-10-30 06:14 . 2011-10-30 06:14 -------- d-----w- c:\program files (x86)\Common Files\Software Update Utility
2011-10-30 06:14 . 2011-10-30 06:14 -------- d-----w- c:\program files (x86)\Common Files\AOL
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-18 16:23 . 2011-01-27 03:33 202008 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2011-11-18 16:23 . 2011-01-27 03:33 202008 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2011-10-01 04:36 . 2009-07-13 23:39 2755072 ----a-w- c:\windows\SysWow64\themeui.dll
2011-10-01 04:36 . 2009-07-13 23:39 245760 ----a-w- c:\windows\SysWow64\uxtheme.dll
2011-10-01 04:36 . 2011-10-01 04:36 758040 ----a-w- c:\windows\UTP.exe
2011-10-01 03:23 . 2009-07-13 23:55 332288 ----a-w- c:\windows\system32\uxtheme.dll
2011-10-01 03:23 . 2009-07-13 23:54 2851328 ----a-w- c:\windows\system32\themeui.dll
2011-10-01 03:23 . 2009-07-13 23:54 44544 ----a-w- c:\windows\system32\themeservice.dll
2011-09-13 02:52 . 2011-09-13 02:52 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-09-06 20:45 . 2011-03-19 19:26 254400 ----a-w- c:\windows\system32\aswBoot.exe
2011-08-31 04:05 . 2011-08-31 04:05 96104 ----a-w- c:\windows\system32\dns-sd.exe
2011-08-31 04:05 . 2011-08-31 04:05 85864 ----a-w- c:\windows\system32\dnssd.dll
2011-08-31 04:05 . 2011-08-31 04:05 61288 ----a-w- c:\windows\system32\jdns_sd.dll
2011-08-31 04:05 . 2011-08-31 04:05 212840 ----a-w- c:\windows\system32\dnssdX.dll
2011-08-31 04:05 . 2011-08-31 04:05 83816 ----a-w- c:\windows\SysWow64\dns-sd.exe
2011-08-31 04:05 . 2011-08-31 04:05 73064 ----a-w- c:\windows\SysWow64\dnssd.dll
2011-08-31 04:05 . 2011-08-31 04:05 50536 ----a-w- c:\windows\SysWow64\jdns_sd.dll
2011-08-31 04:05 . 2011-08-31 04:05 178536 ----a-w- c:\windows\SysWow64\dnssdX.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Adrian\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Adrian\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Adrian\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-01-26 336384]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
c:\users\Adrian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
AeroBar.exe [2009-9-7 364032]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 RtVOsdService;RtVOsdService Installer;c:\program files\Realtek\RtVOsd\RtVOsdService.exe [2010-04-20 315392]
R3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\Drivers\ssadadb.sys [x]
R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-03-25 30969208]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [x]
R3 NMgamingmsFltr;USB Optical Mouse;c:\windows\system32\drivers\NMgamingms.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]
R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\ssadbus.sys [x]
R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\DRIVERS\ssadmdfl.sys [x]
R3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\DRIVERS\ssadmdm.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
R4 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-18 98208]
R4 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
R4 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-01-27 354304]
R4 AMD Reservation Manager;AMD Reservation Manager;c:\program files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [2010-06-17 194496]
R4 CinemaNow Service;CinemaNow Service;c:\program files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe [2010-05-21 140272]
R4 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-06-18 103992]
R4 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-02-28 821664]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-04-24 483688]
S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 easytether;easytether;c:\windows\system32\DRIVERS\easytthr.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 pneteth;PdaNet Broadband;c:\windows\system32\DRIVERS\pneteth.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-04-24 209768]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-02-03 c:\windows\Tasks\Defraggler Volume C Task.job
- c:\program files\Defraggler\df64.exe [2011-01-31 11:03]
.
2011-11-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3821131493-4221013046-2506907180-1000Core.job
- c:\users\Adrian\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-09 03:25]
.
2011-11-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3821131493-4221013046-2506907180-1000UA.job
- c:\users\Adrian\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-09 03:25]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 97792 ----a-w- c:\users\Adrian\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 97792 ----a-w- c:\users\Adrian\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 97792 ----a-w- c:\users\Adrian\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 97792 ----a-w- c:\users\Adrian\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2010-05-26 6245408]
"combofix"="c:\combofix\CF3599.3XE" [2009-07-14 344576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~3\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
DPF: {AEA3991E-3109-4C98-989E-33994FEB1A91}
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - ProfilePath - c:\users\Adrian\AppData\Roaming\Mozilla\Firefox\Profiles\7qyxt5i9.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{5e5ab302-7f65-44cd-8211-c1d4caaccea3} - (no file)
Notify-WB - (no file)
WebBrowser-{5E5AB302-7F65-44CD-8211-C1D4CAACCEA3} - (no file)
AddRemove-PunkBusterSvc - c:\windows\system32\pbsvc.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3821131493-4221013046-2506907180-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{CA32844D-7DBB-317C-C882-6BF38E6290E9}*]
"abpiaikikpaopmeddchnkojlignmgpikoi"=hex:65,62,70,69,68,65,66,61,67,6d,62,67,
6f,63,6b,63,61,62,6b,67,6a,63,68,6d,6a,62,6a,65,61,6f,63,67,70,6d,70,6c,6f,\
"bbpiaikikpaopmeddcmnfphgfelecfbdplpd"=hex:61,62,61,6c,6b,61,6b,66,67,70,61,6f,
66,6a,69,68,69,6f,67,69,65,65,6d,66,62,66,6c,6a,6f,62,67,64,67,62,00,6c
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:dc,52,68,03,ee,c8,f1,d1,0f,48,12,06,76,63,ee,c6,c4,e8,1d,74,dc,
63,7e,71,3b,c5,00,7a,f4,8d,a5,29,bb,88,37,7b,af,f7,db,cf,3f,0b,a7,f1,e4,47,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:dc,52,68,03,ee,c8,f1,d1,0f,48,12,06,76,63,ee,c6,c4,e8,1d,74,dc,
63,7e,71,3b,c5,00,7a,f4,8d,a5,29,bb,88,37,7b,af,f7,db,cf,3f,0b,a7,f1,e4,47,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\SysWOW64\PnkBstrA.exe
c:\windows\SysWOW64\PnkBstrB.exe
c:\users\Adrian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AeroBar.exe
.
**************************************************************************
.
Completion time: 2011-11-19 12:50:19 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-19 18:50
.
Pre-Run: 107,606,974,464 bytes free
Post-Run: 106,866,704,384 bytes free
.
- - End Of File - - 236B8DED830D8214D18093D6DA2A96D2



#4 RPMcMurphy (Bleeping *^#@%~; Malware Response Team, 3,970 posts)

Posted 19 November 2011 - 03:06 PM

nrgstone:

Please do this next:
Open Notepad (Start > All Programs > Accessories > Notepad; this will only work with Notepad) and copy all the text inside the code box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above Folder::

Folder::
c:\users\Adrian\AppData\Roaming\wtxP0ucS1b3n4m6
c:\users\Adrian\AppData\Roaming\hWK7fEL9gZjCkVl
c:\program files (x86)\B9178
c:\users\Adrian\AppData\Roaming\E24B9
c:\users\Adrian\AppData\Roaming\oZqqhhYXwkUVl1v
c:\users\Adrian\AppData\Roaming\m22oonFF4pH5sJd
c:\users\Adrian\AppData\Roaming\u88ffRLL9hTqjCe
c:\users\Adrian\AppData\Roaming\uJJ77dEEL
c:\users\Adrian\AppData\Roaming\WKKK7fLgZYwIrNx
c:\users\Adrian\AppData\Roaming\XgggTXXqjYCeIVz
DirLook::
c:\program files (x86)\‚ ‚©‚Χ‚₯‚»‚Σ‚Ζ‚Β‚£
C:\Tarte
SecCenter::
{2B2D1395-420B-D5C9-657E-930FE358FC3C}
{904CF271-6431-DA47-5FCE-A87D98DFB681}

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note).
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Please include the following in your next post:
  • ComboFix log
  • MBAM log


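The first ComboFix log (post #3) and the CFScript built from it (post #4) together show how a helper reads such a log: the rogue's randomly named folders under AppData\Roaming and Program Files (x86), the avast! Security Center registrations still reported as Enabled after the product was uninstalled, and the policies\system and policies\explorer values (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop, HideSCAHealth) that the log shows changed from their Windows 7 defaults, which is what leaves UAC switched off and the Action Center icon hidden. The Python script below is an added example for this thread, not code from the posts or from ComboFix. It parses a constructed excerpt laid out like the posted log, reports the changed policy values, picks out the generated-looking folder names, finds Security Center records for products the caller says are not installed, and renders the Folder:: and SecCenter:: sections of a CFScript in the format the helper used. The baseline policy values, the folder-name heuristics, the sample excerpt and the `installed_products` set are all assumptions of this example.

```python
"""Triage a ComboFix log (added example for this thread; not ComboFix's own code)."""
import re

# Windows 7 defaults for the policy values the posted log shows changed
# (this baseline is an assumption of the example; ComboFix does not report it).
POLICY_BASELINE = {
    "EnableLUA": 1,                   # 0 = UAC switched off
    "ConsentPromptBehaviorAdmin": 5,  # 0 = admins elevate silently, no prompt
    "PromptOnSecureDesktop": 1,       # 0 = prompts no longer on the secure desktop
    "HideSCAHealth": 0,               # 1 = Action Center / Security Center icon hidden
}
POLICY_RE = re.compile(r'^"(?P<name>[A-Za-z]+)"\s*=\s*(?P<value>\d+)')
CREATED_DIR_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"-------- d-----w- (?P<path>.+?)\s*$")
SECCENTER_RE = re.compile(
    r"^(?:AV|SP|FW): (?P<product>.+?) \*[^*]+\* \{(?P<guid>[0-9A-Fa-f-]{36})\}")
# Folder-name heuristics for this rogue (the example's own rules): a 5-character
# upper-case hex tag such as B9178, or a mixed-case alphanumeric blob with digits.
HEX_TAG_RE = re.compile(r"^[0-9A-F]{5}$")
RANDOM_BLOB_RE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[A-Za-z0-9]{9,16}$")

# Constructed excerpt in the layout of the log posted above (not the full log).
SAMPLE_LOG = r"""AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
(((((((( Files Created from 2011-10-19 to 2011-11-19 ))))))))
2011-11-13 03:53 . 2011-11-13 03:53 -------- d-----w- c:\programdata\Malwarebytes
2011-11-13 01:39 . 2011-11-13 01:39 -------- d-----w- c:\users\Adrian\AppData\Roaming\wtxP0ucS1b3n4m6
2011-11-12 23:49 . 2011-11-14 06:38 -------- d-----w- c:\program files (x86)\B9178
2011-11-12 23:48 . 2011-11-12 23:48 -------- d-----w- c:\users\Adrian\AppData\Roaming\uJJ77dEEL
2011-10-30 06:35 . 2011-10-30 06:35 -------- d-----w- c:\users\Adrian\AppData\Roaming\acccore
(((((((( Find3M Report ))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
"""

def policy_tampering(log_text):
    """Return {name: observed_value} for baseline policies whose value differs."""
    tampered = {}
    for line in log_text.splitlines():
        m = POLICY_RE.match(line.strip())
        if m and m.group("name") in POLICY_BASELINE:
            value = int(m.group("value"))
            if value != POLICY_BASELINE[m.group("name")]:
                tampered[m.group("name")] = value
    return tampered

def suspicious_created_dirs(log_text):
    """Paths from the 'Files Created' section whose leaf name looks generated."""
    hits, in_section = [], False
    for line in log_text.splitlines():
        if "Files Created from" in line:
            in_section = True
            continue
        if in_section and line.startswith("(((("):
            break  # the next banner closes the section
        m = CREATED_DIR_RE.match(line) if in_section else None
        if m:
            leaf = m.group("path").rsplit("\\", 1)[-1]
            if HEX_TAG_RE.match(leaf) or RANDOM_BLOB_RE.match(leaf):
                hits.append(m.group("path"))
    return hits

def stale_security_center(log_text, installed_products):
    """GUIDs of AV/SP/FW registrations whose product is not actually installed.

    The header lines mirror the WMI SecurityCenter2 records; a product that was
    uninstalled but still shows as *Enabled* is the stale record SecCenter:: removes.
    """
    return [m.group("guid") for m in map(SECCENTER_RE.match, log_text.splitlines())
            if m and m.group("product") not in installed_products]

def build_cfscript(folders, guids):
    """Render Folder:: and SecCenter:: sections; the first directive must be on
    line 1 with no leading blank line or whitespace, as the post above says."""
    lines = []
    if folders:
        lines += ["Folder::", *folders]
    if guids:
        lines += ["SecCenter::", *("{" + g + "}" for g in guids)]
    return "\n".join(lines) + "\n" if lines else ""

if __name__ == "__main__":
    print("Policy values changed from default:", policy_tampering(SAMPLE_LOG))
    print(build_cfscript(suspicious_created_dirs(SAMPLE_LOG),
                         stale_security_center(SAMPLE_LOG, {"Windows Defender"})))
```

Run against the excerpt, the script reports all four policy values as changed and prints a CFScript whose Folder:: section holds the three generated folder names and whose SecCenter:: section holds the two avast! GUIDs, matching the shape of the script in post #4. The policy check is the part worth keeping after cleanup: a machine with EnableLUA=0 and ConsentPromptBehaviorAdmin=0 runs every program the user starts with silent elevation, so those values should be restored to the defaults once the rogue is gone.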

#5 nrgstone (Topic Starter; Members, 7 posts)

Posted 19 November 2011 - 07:36 PM

Here is the ComboFix log with the script:


ComboFix 11-11-19.04 - Adrian 11/19/2011 16:29:28.2.2 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3835.2644 [GMT -6:00]
Running from: c:\users\Adrian\Desktop\ComboFix.exe
Command switches used :: c:\users\Adrian\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\B9178
c:\users\Adrian\AppData\Roaming\E24B9
c:\users\Adrian\AppData\Roaming\E24B9\9178.24B
c:\users\Adrian\AppData\Roaming\hWK7fEL9gZjCkVl
c:\users\Adrian\AppData\Roaming\m22oonFF4pH5sJd
c:\users\Adrian\AppData\Roaming\m22oonFF4pH5sJd\AV Security 2012.ico
c:\users\Adrian\AppData\Roaming\oZqqhhYXwkUVl1v
c:\users\Adrian\AppData\Roaming\u88ffRLL9hTqjCe
c:\users\Adrian\AppData\Roaming\uJJ77dEEL
c:\users\Adrian\AppData\Roaming\WKKK7fLgZYwIrNx
c:\users\Adrian\AppData\Roaming\wtxP0ucS1b3n4m6
c:\users\Adrian\AppData\Roaming\wtxP0ucS1b3n4m6\AV Security 2012.ico
c:\users\Adrian\AppData\Roaming\XgggTXXqjYCeIVz
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_COMSysApp
.
.
((((((((((((((((((((((((( Files Created from 2011-10-19 to 2011-11-19 )))))))))))))))))))))))))))))))
.
.
2011-11-19 22:41 . 2011-11-19 22:41 -------- d-----w- c:\users\Other ACcount\AppData\Local\temp
2011-11-19 22:41 . 2011-11-19 22:41 -------- d-----w- c:\users\Mcx1-ADRIAN-HP\AppData\Local\temp
2011-11-18 21:24 . 2011-11-18 21:24 -------- d-----w- c:\program files (x86)\ESET
2011-11-15 20:00 . 2011-11-15 20:00 -------- d-----w- c:\program files (x86)\MSECache
2011-11-13 08:28 . 2011-11-14 17:55 -------- d-----w- c:\users\Other ACcount\AppData\Roaming\B9178
2011-11-13 08:27 . 2011-11-14 17:55 -------- d-----w- c:\users\Other ACcount\AppData\Roaming\E24B9
2011-11-13 03:57 . 2011-11-18 05:55 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-11-13 03:57 . 2011-11-13 03:57 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2011-11-13 03:53 . 2011-11-13 03:53 -------- d-----w- c:\users\Adrian\AppData\Roaming\Malwarebytes
2011-11-13 03:53 . 2011-11-13 03:53 -------- d-----w- c:\programdata\Malwarebytes
2011-11-13 03:53 . 2011-08-31 23:00 25416 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-13 03:53 . 2011-11-13 03:53 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-11-11 11:43 . 2011-10-07 04:16 8570192 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3F56A4E8-9D63-4BC7-BA60-DDE81C1DC206}\mpengine.dll
2011-11-09 00:37 . 2011-11-18 16:13 -------- d-----w- c:\program files (x86)\Steam
2011-11-03 20:11 . 2011-11-03 20:11 -------- d-----w- c:\program files (x86)\‚ ‚©‚Χ‚₯‚»‚Σ‚Ζ‚Β‚£
2011-11-03 16:37 . 2011-11-03 16:37 -------- d-----w- C:\Tarte
2011-10-30 06:35 . 2011-10-30 06:35 -------- d-----w- c:\users\Adrian\AppData\Roaming\acccore
2011-10-30 06:35 . 2011-10-30 06:35 -------- d-----w- c:\users\Adrian\AppData\Local\AIM
2011-10-30 06:35 . 2011-10-30 06:35 -------- d-----w- c:\users\Adrian\AppData\Local\AOL
2011-10-30 06:14 . 2011-10-30 06:14 -------- d-----w- c:\programdata\AIM
2011-10-30 06:14 . 2011-10-30 06:14 -------- d-----w- c:\program files (x86)\AIM
2011-10-30 06:14 . 2011-10-30 06:14 -------- d-----w- c:\program files (x86)\Common Files\Software Update Utility
2011-10-30 06:14 . 2011-10-30 06:14 -------- d-----w- c:\program files (x86)\Common Files\AOL
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-18 16:23 . 2011-01-27 03:33 202008 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2011-11-18 16:23 . 2011-01-27 03:33 202008 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2011-10-01 04:36 . 2009-07-13 23:39 2755072 ----a-w- c:\windows\SysWow64\themeui.dll
2011-10-01 04:36 . 2009-07-13 23:39 245760 ----a-w- c:\windows\SysWow64\uxtheme.dll
2011-10-01 04:36 . 2011-10-01 04:36 758040 ----a-w- c:\windows\UTP.exe
2011-10-01 03:23 . 2009-07-13 23:55 332288 ----a-w- c:\windows\system32\uxtheme.dll
2011-10-01 03:23 . 2009-07-13 23:54 2851328 ----a-w- c:\windows\system32\themeui.dll
2011-10-01 03:23 . 2009-07-13 23:54 44544 ----a-w- c:\windows\system32\themeservice.dll
2011-09-13 02:52 . 2011-09-13 02:52 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-09-06 20:45 . 2011-03-19 19:26 254400 ----a-w- c:\windows\system32\aswBoot.exe
2011-08-31 04:05 . 2011-08-31 04:05 96104 ----a-w- c:\windows\system32\dns-sd.exe
2011-08-31 04:05 . 2011-08-31 04:05 85864 ----a-w- c:\windows\system32\dnssd.dll
2011-08-31 04:05 . 2011-08-31 04:05 61288 ----a-w- c:\windows\system32\jdns_sd.dll
2011-08-31 04:05 . 2011-08-31 04:05 212840 ----a-w- c:\windows\system32\dnssdX.dll
2011-08-31 04:05 . 2011-08-31 04:05 83816 ----a-w- c:\windows\SysWow64\dns-sd.exe
2011-08-31 04:05 . 2011-08-31 04:05 73064 ----a-w- c:\windows\SysWow64\dnssd.dll
2011-08-31 04:05 . 2011-08-31 04:05 50536 ----a-w- c:\windows\SysWow64\jdns_sd.dll
2011-08-31 04:05 . 2011-08-31 04:05 178536 ----a-w- c:\windows\SysWow64\dnssdX.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\program files (x86)\あかべぇそふとつぅ ----
.
.
---- Directory of C:\Tarte ----
.
2011-11-03 16:41 . 2011-11-08 06:00 31102 ----a-w- c:\tarte\HinataBokko\Hinata98.SAW
2011-11-03 16:41 . 2011-11-06 06:31 137324 ----a-w- c:\tarte\HinataBokko\Hinata01.SAV
2011-11-03 16:41 . 2011-11-08 06:00 65664 ----a-w- c:\tarte\HinataBokko\HinataCF.SAW
2011-11-03 16:35 . 2008-07-19 03:05 10716387 ----a-w- c:\tarte\HinataBokko\SYSTEM.PAK
2011-11-03 16:35 . 2098-01-01 06:00 41962323 ----a-w- c:\tarte\HinataBokko\BGM.PAK
2011-11-03 16:35 . 2098-01-01 06:00 2190454 ----a-w- c:\tarte\HinataBokko\CHAR.PAK
2011-11-03 16:35 . 2098-01-01 06:00 545121 ----a-w- c:\tarte\HinataBokko\HinataBokko.exe
2011-11-03 16:34 . 2098-01-01 06:00 177246362 ----a-w- c:\tarte\HinataBokko\SCRIPT.PAK
2011-11-03 16:34 . 2098-01-01 06:00 264110089 ----a-w- c:\tarte\HinataBokko\GRP.PAK
2011-11-03 16:34 . 2098-01-01 06:00 55691268 ----a-w- c:\tarte\HinataBokko\MOVIE\hinata_OP.mpg
2011-11-03 16:34 . 2098-01-01 06:00 62648324 ----a-w- c:\tarte\HinataBokko\MOVIE\hinata_ED.mpg
.
.
((((((((((((((((((((((((((((( SnapShot@2011-11-19_18.43.55 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-11-19 22:42 . 2011-11-19 22:42 13330 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
- 2011-11-19 18:42 . 2011-11-19 18:42 13330 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
+ 2010-07-11 03:12 . 2011-11-19 19:09 50462 c:\windows\system64\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
- 2009-07-14 05:10 . 2011-11-19 18:45 46820 c:\windows\system64\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-11-19 22:45 46820 c:\windows\system64\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-07-11 03:12 . 2011-11-19 19:09 50462 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
- 2009-07-14 05:10 . 2011-11-19 05:16 46820 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-11-19 19:09 46820 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-01-09 03:04 . 2011-11-19 22:45 6154 c:\windows\system64\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3821131493-4221013046-2506907180-1000_UserData.bin
+ 2011-01-09 03:04 . 2011-11-19 19:09 6122 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3821131493-4221013046-2506907180-1000_UserData.bin
+ 2011-11-19 22:43 . 2011-11-19 22:43 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-11-19 18:43 . 2011-11-19 18:43 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-11-19 22:43 . 2011-11-19 22:43 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-11-19 18:43 . 2011-11-19 18:43 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-01-09 05:56 . 2011-11-19 22:22 399708 c:\windows\system64\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2009-07-14 02:36 . 2011-11-19 22:24 636294 c:\windows\system64\perfh009.dat
- 2009-07-14 02:36 . 2011-11-19 06:31 636294 c:\windows\system64\perfh009.dat
+ 2009-07-14 02:36 . 2011-11-19 22:24 111578 c:\windows\system64\perfc009.dat
- 2009-07-14 02:36 . 2011-11-19 06:31 111578 c:\windows\system64\perfc009.dat
+ 2011-01-09 05:56 . 2011-11-19 22:22 399708 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2009-07-14 02:36 . 2011-11-19 06:31 636294 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-11-19 22:24 636294 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2011-11-19 06:31 111578 c:\windows\system32\perfc009.dat
+ 2009-07-14 02:36 . 2011-11-19 22:24 111578 c:\windows\system32\perfc009.dat
+ 2009-07-14 05:01 . 2011-11-19 22:42 480452 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2011-11-19 18:42 480452 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 02:34 . 2011-11-19 19:48 9961472 c:\windows\system64\SMI\Store\Machine\schema.dat
- 2009-07-14 02:34 . 2011-11-16 09:58 9961472 c:\windows\system64\SMI\Store\Machine\schema.dat
- 2009-07-14 02:34 . 2011-11-16 09:58 9961472 c:\windows\system32\SMI\Store\Machine\schema.dat
+ 2009-07-14 02:34 . 2011-11-19 19:48 9961472 c:\windows\system32\SMI\Store\Machine\schema.dat
+ 2010-11-20 09:25 . 2011-11-19 22:42 1664728 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2010-11-20 09:25 . 2011-11-19 18:42 1664728 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2011-03-29 18:07 . 2011-11-19 22:42 14196384 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3821131493-4221013046-2506907180-1000-12288.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Adrian\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Adrian\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Adrian\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-01-26 336384]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
c:\users\Adrian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
AeroBar.exe [2009-9-7 364032]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
[BU]
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 RtVOsdService;RtVOsdService Installer;c:\program files\Realtek\RtVOsd\RtVOsdService.exe [2010-04-20 315392]
R3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\Drivers\ssadadb.sys [x]
R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-03-25 30969208]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [x]
R3 NMgamingmsFltr;USB Optical Mouse;c:\windows\system32\drivers\NMgamingms.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]
R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\ssadbus.sys [x]
R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\DRIVERS\ssadmdfl.sys [x]
R3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\DRIVERS\ssadmdm.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
R4 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-18 98208]
R4 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
R4 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-01-27 354304]
R4 AMD Reservation Manager;AMD Reservation Manager;c:\program files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [2010-06-17 194496]
R4 CinemaNow Service;CinemaNow Service;c:\program files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe [2010-05-21 140272]
R4 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-06-18 103992]
R4 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-02-28 821664]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-04-24 483688]
S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 easytether;easytether;c:\windows\system32\DRIVERS\easytthr.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 pneteth;PdaNet Broadband;c:\windows\system32\DRIVERS\pneteth.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-04-24 209768]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-02-03 c:\windows\Tasks\Defraggler Volume C Task.job
- c:\program files\Defraggler\df64.exe [2011-01-31 11:03]
.
2011-11-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3821131493-4221013046-2506907180-1000Core.job
- c:\users\Adrian\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-09 03:25]
.
2011-11-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3821131493-4221013046-2506907180-1000UA.job
- c:\users\Adrian\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-09 03:25]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 97792 ----a-w- c:\users\Adrian\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 97792 ----a-w- c:\users\Adrian\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 97792 ----a-w- c:\users\Adrian\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 97792 ----a-w- c:\users\Adrian\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2010-05-26 6245408]
"combofix"="c:\combofix\CF18261.3XE" [2009-07-14 344576]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~3\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
DPF: {AEA3991E-3109-4C98-989E-33994FEB1A91}
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - ProfilePath - c:\users\Adrian\AppData\Roaming\Mozilla\Firefox\Profiles\7qyxt5i9.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{5E5AB302-7F65-44CD-8211-C1D4CAACCEA3} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3821131493-4221013046-2506907180-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{CA32844D-7DBB-317C-C882-6BF38E6290E9}*]
"abpiaikikpaopmeddchnkojlignmgpikoi"=hex:65,62,70,69,68,65,66,61,67,6d,62,67,
6f,63,6b,63,61,62,6b,67,6a,63,68,6d,6a,62,6a,65,61,6f,63,67,70,6d,70,6c,6f,\
"bbpiaikikpaopmeddcmnfphgfelecfbdplpd"=hex:61,62,61,6c,6b,61,6b,66,67,70,61,6f,
66,6a,69,68,69,6f,67,69,65,65,6d,66,62,66,6c,6a,6f,62,67,64,67,62,00,6c
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:dc,52,68,03,ee,c8,f1,d1,0f,48,12,06,76,63,ee,c6,c4,e8,1d,74,dc,
63,7e,71,3b,c5,00,7a,f4,8d,a5,29,bb,88,37,7b,af,f7,db,cf,3f,0b,a7,f1,e4,47,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:dc,52,68,03,ee,c8,f1,d1,0f,48,12,06,76,63,ee,c6,c4,e8,1d,74,dc,
63,7e,71,3b,c5,00,7a,f4,8d,a5,29,bb,88,37,7b,af,f7,db,cf,3f,0b,a7,f1,e4,47,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\SysWOW64\PnkBstrA.exe
c:\windows\SysWOW64\PnkBstrB.exe
c:\users\Adrian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AeroBar.exe
.
**************************************************************************
.
Completion time: 2011-11-19 16:49:29 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-19 22:49
ComboFix2.txt 2011-11-19 18:50
.
Pre-Run: 106,966,040,576 bytes free
Post-Run: 106,629,861,376 bytes free
.
- - End Of File - - 46F611EEDDF193186D0B6680E5C12329



Here is the MBAM Log

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8192

Windows 6.1.7600
Internet Explorer 9.0.8112.16421

11/19/2011 5:45:55 PM
mbam-log-2011-11-19 (17-45-55).txt

Scan type: Full scan (C:\|D:\|Q:\|)
Objects scanned: 447995
Time elapsed: 52 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



#6 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male
  • Local time:12:57 PM

Posted 20 November 2011 - 11:04 AM

nrgstone:

How is the computer running now? Please do this next:

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above Folder::

Folder::
c:\users\Other ACcount\AppData\Roaming\B9178
c:\users\Other ACcount\AppData\Roaming\E24B9
c:\program files (x86)\あかべぇそふとつぅ

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging CFScript onto ComboFix.exe]


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Java™ can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts. If it does not, let me know.

Once the install is complete...

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.
Please go here to run an online scan with ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.
Please include the following in your next post:
  • How is the computer running now?
  • ComboFix log
  • ESET log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member




#7 nrgstone
  • Topic Starter
  • Members
  • 7 posts
  • Local time:10:57 AM

Posted 20 November 2011 - 05:21 PM

I tried to update Java, however there wasn't an Update Tab.

When I tried using Google search, it doesn't seem to redirect anymore.

Here is the Combofix Log :

ComboFix 11-11-20.01 - Adrian 11/20/2011 11:24:44.3.2 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3835.2326 [GMT -6:00]
Running from: c:\users\Adrian\Desktop\ComboFix.exe
Command switches used :: c:\users\Adrian\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Adrian\AppData\Roaming\mIRC\logs\status.log
c:\users\Other ACcount\AppData\Roaming\B9178
c:\users\Other ACcount\AppData\Roaming\E24B9
c:\users\Other ACcount\AppData\Roaming\E24B9\9178.24B
c:\windows\system32\drivers\etc\hosts.txt
c:\windows\system32\drivers\etc\hosts1
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_COMSysApp
.
.
((((((((((((((((((((((((( Files Created from 2011-10-20 to 2011-11-20 )))))))))))))))))))))))))))))))
.
.
2011-11-20 17:32 . 2011-11-20 17:32 -------- d-----w- c:\users\Other ACcount\AppData\Local\temp
2011-11-20 17:32 . 2011-11-20 17:32 -------- d-----w- c:\users\Mcx1-ADRIAN-HP\AppData\Local\temp
2011-11-20 17:32 . 2011-11-20 17:32 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-20 17:32 . 2011-11-20 17:32 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2011-11-18 21:24 . 2011-11-18 21:24 -------- d-----w- c:\program files (x86)\ESET
2011-11-15 20:00 . 2011-11-15 20:00 -------- d-----w- c:\program files (x86)\MSECache
2011-11-13 03:57 . 2011-11-18 05:55 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-11-13 03:57 . 2011-11-13 03:57 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2011-11-13 03:53 . 2011-11-13 03:53 -------- d-----w- c:\users\Adrian\AppData\Roaming\Malwarebytes
2011-11-13 03:53 . 2011-11-13 03:53 -------- d-----w- c:\programdata\Malwarebytes
2011-11-13 03:53 . 2011-08-31 23:00 25416 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-13 03:53 . 2011-11-13 03:53 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-11-11 11:43 . 2011-10-07 04:16 8570192 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3F56A4E8-9D63-4BC7-BA60-DDE81C1DC206}\mpengine.dll
2011-11-09 00:37 . 2011-11-18 16:13 -------- d-----w- c:\program files (x86)\Steam
2011-11-03 20:11 . 2011-11-03 20:11 -------- d-----w- c:\program files (x86)\あかべぇそふとつぅ
2011-11-03 16:37 . 2011-11-03 16:37 -------- d-----w- C:\Tarte
2011-10-30 06:35 . 2011-10-30 06:35 -------- d-----w- c:\users\Adrian\AppData\Roaming\acccore
2011-10-30 06:35 . 2011-10-30 06:35 -------- d-----w- c:\users\Adrian\AppData\Local\AIM
2011-10-30 06:35 . 2011-10-30 06:35 -------- d-----w- c:\users\Adrian\AppData\Local\AOL
2011-10-30 06:14 . 2011-10-30 06:14 -------- d-----w- c:\programdata\AIM
2011-10-30 06:14 . 2011-10-30 06:14 -------- d-----w- c:\program files (x86)\AIM
2011-10-30 06:14 . 2011-10-30 06:14 -------- d-----w- c:\program files (x86)\Common Files\Software Update Utility
2011-10-30 06:14 . 2011-10-30 06:14 -------- d-----w- c:\program files (x86)\Common Files\AOL
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-18 16:23 . 2011-01-27 03:33 202008 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2011-11-18 16:23 . 2011-01-27 03:33 202008 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2011-10-01 04:36 . 2009-07-13 23:39 2755072 ----a-w- c:\windows\SysWow64\themeui.dll
2011-10-01 04:36 . 2009-07-13 23:39 245760 ----a-w- c:\windows\SysWow64\uxtheme.dll
2011-10-01 04:36 . 2011-10-01 04:36 758040 ----a-w- c:\windows\UTP.exe
2011-10-01 03:23 . 2009-07-13 23:55 332288 ----a-w- c:\windows\system32\uxtheme.dll
2011-10-01 03:23 . 2009-07-13 23:54 2851328 ----a-w- c:\windows\system32\themeui.dll
2011-10-01 03:23 . 2009-07-13 23:54 44544 ----a-w- c:\windows\system32\themeservice.dll
2011-09-13 02:52 . 2011-09-13 02:52 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-09-06 20:45 . 2011-03-19 19:26 254400 ----a-w- c:\windows\system32\aswBoot.exe
2011-08-31 04:05 . 2011-08-31 04:05 96104 ----a-w- c:\windows\system32\dns-sd.exe
2011-08-31 04:05 . 2011-08-31 04:05 85864 ----a-w- c:\windows\system32\dnssd.dll
2011-08-31 04:05 . 2011-08-31 04:05 61288 ----a-w- c:\windows\system32\jdns_sd.dll
2011-08-31 04:05 . 2011-08-31 04:05 212840 ----a-w- c:\windows\system32\dnssdX.dll
2011-08-31 04:05 . 2011-08-31 04:05 83816 ----a-w- c:\windows\SysWow64\dns-sd.exe
2011-08-31 04:05 . 2011-08-31 04:05 73064 ----a-w- c:\windows\SysWow64\dnssd.dll
2011-08-31 04:05 . 2011-08-31 04:05 50536 ----a-w- c:\windows\SysWow64\jdns_sd.dll
2011-08-31 04:05 . 2011-08-31 04:05 178536 ----a-w- c:\windows\SysWow64\dnssdX.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-11-19_18.43.55 )))))))))))))))))))))))))))))))))))))))))
.
- 2011-11-19 18:42 . 2011-11-19 18:42 13330 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
+ 2011-11-20 17:33 . 2011-11-20 17:33 13330 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
+ 2010-07-11 03:12 . 2011-11-19 22:52 50582 c:\windows\system64\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-11-19 22:52 46820 c:\windows\system64\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2009-07-14 05:10 . 2011-11-19 18:45 46820 c:\windows\system64\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-07-11 03:12 . 2011-11-19 22:52 50582 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
- 2009-07-14 05:10 . 2011-11-19 05:16 46820 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-11-19 22:52 46820 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-01-20 14:58 . 2011-11-19 22:50 6384 c:\windows\system64\wdi\ERCQueuedResolutions.dat
+ 2011-01-09 03:04 . 2011-11-19 22:52 6352 c:\windows\system64\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3821131493-4221013046-2506907180-1000_UserData.bin
+ 2011-01-20 14:58 . 2011-11-19 22:50 6384 c:\windows\system32\wdi\ERCQueuedResolutions.dat
+ 2011-01-09 03:04 . 2011-11-19 22:52 6352 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3821131493-4221013046-2506907180-1000_UserData.bin
- 2011-11-19 18:43 . 2011-11-19 18:43 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-11-20 17:33 . 2011-11-20 17:33 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-11-19 18:43 . 2011-11-19 18:43 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-11-20 17:33 . 2011-11-20 17:33 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-01-09 05:56 . 2011-11-20 10:31 399724 c:\windows\system64\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2009-07-14 02:36 . 2011-11-19 06:31 636294 c:\windows\system64\perfh009.dat
+ 2009-07-14 02:36 . 2011-11-20 10:34 636294 c:\windows\system64\perfh009.dat
- 2009-07-14 02:36 . 2011-11-19 06:31 111578 c:\windows\system64\perfc009.dat
+ 2009-07-14 02:36 . 2011-11-20 10:34 111578 c:\windows\system64\perfc009.dat
+ 2011-01-09 05:56 . 2011-11-20 10:31 399724 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2009-07-14 02:36 . 2011-11-19 06:31 636294 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-11-20 10:34 636294 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-11-20 10:34 111578 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2011-11-19 06:31 111578 c:\windows\system32\perfc009.dat
- 2009-07-14 05:01 . 2011-11-19 18:42 480452 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2011-11-20 17:33 480452 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 02:34 . 2011-11-16 09:58 9961472 c:\windows\system64\SMI\Store\Machine\schema.dat
+ 2009-07-14 02:34 . 2011-11-19 19:48 9961472 c:\windows\system64\SMI\Store\Machine\schema.dat
+ 2009-07-14 02:34 . 2011-11-19 19:48 9961472 c:\windows\system32\SMI\Store\Machine\schema.dat
- 2009-07-14 02:34 . 2011-11-16 09:58 9961472 c:\windows\system32\SMI\Store\Machine\schema.dat
- 2010-11-20 09:25 . 2011-11-19 18:42 1664728 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2010-11-20 09:25 . 2011-11-20 17:33 1664728 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2011-03-29 18:07 . 2011-11-20 17:33 14228092 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3821131493-4221013046-2506907180-1000-12288.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Adrian\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Adrian\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Adrian\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-01-26 336384]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
c:\users\Adrian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
AeroBar.exe [2009-9-7 364032]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
[BU]
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 RtVOsdService;RtVOsdService Installer;c:\program files\Realtek\RtVOsd\RtVOsdService.exe [2010-04-20 315392]
R3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\Drivers\ssadadb.sys [x]
R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-03-25 30969208]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [x]
R3 NMgamingmsFltr;USB Optical Mouse;c:\windows\system32\drivers\NMgamingms.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]
R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\ssadbus.sys [x]
R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\DRIVERS\ssadmdfl.sys [x]
R3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\DRIVERS\ssadmdm.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
R4 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-18 98208]
R4 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
R4 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-01-27 354304]
R4 AMD Reservation Manager;AMD Reservation Manager;c:\program files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [2010-06-17 194496]
R4 CinemaNow Service;CinemaNow Service;c:\program files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe [2010-05-21 140272]
R4 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-06-18 103992]
R4 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-02-28 821664]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-04-24 483688]
S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 easytether;easytether;c:\windows\system32\DRIVERS\easytthr.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 pneteth;PdaNet Broadband;c:\windows\system32\DRIVERS\pneteth.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-04-24 209768]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-02-03 c:\windows\Tasks\Defraggler Volume C Task.job
- c:\program files\Defraggler\df64.exe [2011-01-31 11:03]
.
2011-11-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3821131493-4221013046-2506907180-1000Core.job
- c:\users\Adrian\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-09 03:25]
.
2011-11-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3821131493-4221013046-2506907180-1000UA.job
- c:\users\Adrian\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-09 03:25]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 97792 ----a-w- c:\users\Adrian\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 97792 ----a-w- c:\users\Adrian\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 97792 ----a-w- c:\users\Adrian\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 97792 ----a-w- c:\users\Adrian\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2010-05-26 6245408]
"combofix"="c:\combofix\CF11431.3XE" [2009-07-14 344576]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~3\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
DPF: {AEA3991E-3109-4C98-989E-33994FEB1A91}
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - ProfilePath - c:\users\Adrian\AppData\Roaming\Mozilla\Firefox\Profiles\7qyxt5i9.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{5E5AB302-7F65-44CD-8211-C1D4CAACCEA3} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3821131493-4221013046-2506907180-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{CA32844D-7DBB-317C-C882-6BF38E6290E9}*]
"abpiaikikpaopmeddchnkojlignmgpikoi"=hex:65,62,70,69,68,65,66,61,67,6d,62,67,
6f,63,6b,63,61,62,6b,67,6a,63,68,6d,6a,62,6a,65,61,6f,63,67,70,6d,70,6c,6f,\
"bbpiaikikpaopmeddcmnfphgfelecfbdplpd"=hex:61,62,61,6c,6b,61,6b,66,67,70,61,6f,
66,6a,69,68,69,6f,67,69,65,65,6d,66,62,66,6c,6a,6f,62,67,64,67,62,00,6c
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:dc,52,68,03,ee,c8,f1,d1,0f,48,12,06,76,63,ee,c6,c4,e8,1d,74,dc,
63,7e,71,3b,c5,00,7a,f4,8d,a5,29,bb,88,37,7b,af,f7,db,cf,3f,0b,a7,f1,e4,47,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:dc,52,68,03,ee,c8,f1,d1,0f,48,12,06,76,63,ee,c6,c4,e8,1d,74,dc,
63,7e,71,3b,c5,00,7a,f4,8d,a5,29,bb,88,37,7b,af,f7,db,cf,3f,0b,a7,f1,e4,47,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\SysWOW64\PnkBstrA.exe
c:\windows\SysWOW64\PnkBstrB.exe
c:\users\Adrian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AeroBar.exe
.
**************************************************************************
.
Completion time: 2011-11-20 11:39:27 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-20 17:39
ComboFix2.txt 2011-11-19 22:49
ComboFix3.txt 2011-11-19 18:50
.
Pre-Run: 106,438,647,808 bytes free
Post-Run: 106,352,304,128 bytes free
.
- - End Of File - - 015A7A46A8F955CEB0325D0AEF12DB5C



Here is the ESET Log:


C:\Program Files (x86)\Cheat Engine 6.1\cheatengine-i386.exe a variant of Win32/HackTool.CheatEngine.AB application
C:\Qoobox\Quarantine\C\Users\Adrian\AppData\Local\ShellUser.dll.vir a variant of Win32/Kryptik.VLU trojan
C:\Qoobox\Quarantine\C\Users\Adrian\AppData\Roaming\Mozilla\Firefox\Profiles\7qyxt5i9.default\extensions\{0d90ab9d-065b-4867-866a-6aab5e11d83a}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Users\Adrian\AppData\Roaming\Mozilla\Firefox\Profiles\7qyxt5i9.default\extensions\{4d11f0b2-d3b9-45ca-bd7f-22501409e131}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Users\Adrian\AppData\Roaming\Mozilla\Firefox\Profiles\7qyxt5i9.default\extensions\{7e43b5d8-5104-4397-8473-102ca839f525}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Users\Other ACcount\AppData\Roaming\Mozilla\Firefox\Profiles\lyxzjs8c.default\extensions\{0d90ab9d-065b-4867-866a-6aab5e11d83a}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Users\Other ACcount\AppData\Roaming\Mozilla\Firefox\Profiles\lyxzjs8c.default\extensions\{4d11f0b2-d3b9-45ca-bd7f-22501409e131}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Users\Other ACcount\AppData\Roaming\Mozilla\Firefox\Profiles\lyxzjs8c.default\extensions\{7e43b5d8-5104-4397-8473-102ca839f525}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Users\Adrian\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\QuickStores.lnk Win32/Adware.ADON application
C:\Users\Adrian\AppData\Roaming\Microsoft\Windows\Start Menu\QuickStores.lnk Win32/Adware.ADON application

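The ComboFix log above lists two policy blocks that a defender should read closely: under `policies\system` it shows `EnableLUA`, `ConsentPromptBehaviorAdmin` and `PromptOnSecureDesktop` all at 0 (UAC switched off), and under `policies\explorer` it shows `HideSCAHealth` at 1 (the Action Center health icon hidden), which is the kind of change a rogue "antivirus" leaves behind. The following is an added example, not part of the thread and not ComboFix's own code: it parses those two blocks exactly as the log prints them and compares each value against the Windows 7 default. The sample text is copied from the log above; the default values are assumed from general Windows documentation rather than from this page.

```python
"""Parse the 'Reg Loading Points' policy blocks of a ComboFix log and flag
UAC / Action Center settings that differ from the Windows 7 defaults."""
import re

# Sample input: the two policy blocks as they appear in the ComboFix log
# posted in this thread (constructed here as an inline string).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
"""

# Windows 7 defaults for the values shown (assumed from Windows documentation,
# not taken from this page). Keyed by the last two path components of the key.
EXPECTED = {
    "policies\\system": {
        "EnableLUA": 1,                   # UAC on
        "ConsentPromptBehaviorAdmin": 5,  # prompt for consent for non-Windows binaries
        "ConsentPromptBehaviorUser": 3,   # prompt for credentials
        "PromptOnSecureDesktop": 1,       # prompt on the secure desktop
        "EnableUIADesktopToggle": 0,      # UIAccess apps may not bypass secure desktop
    },
    "policies\\explorer": {
        "HideSCAHealth": 0,               # Action Center icon visible
    },
}

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
# ComboFix prints DWORDs as:  "Name"= 0 (0x0)
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"=\s*(?P<dec>\d+)\s*\((?P<hex>0x[0-9a-fA-F]+)\)$')


def parse_policy_values(log_text):
    """Return {key_suffix: {value_name: int}} for the DWORD values in each
    registry block. key_suffix is the last two path components, lower-cased,
    e.g. 'policies\\system'. Non-DWORD values (strings, REG_MULTI_SZ) are skipped."""
    result = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            parts = m.group("key").lower().split("\\")
            current = "\\".join(parts[-2:])
            result.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            dec = int(m.group("dec"))
            hx = int(m.group("hex"), 16)
            if dec != hx:  # the log prints both forms; disagreement means a mangled line
                raise ValueError(f"decimal/hex disagree on line: {line}")
            result[current][m.group("name")] = dec
    return result


def find_deviations(parsed, expected=EXPECTED):
    """Return [(key_suffix, name, observed, default)] for every reported value
    that differs from the default. Values absent from the log are not reported,
    since ComboFix itself omits entries that are still at their default."""
    deviations = []
    for key, defaults in expected.items():
        observed = parsed.get(key, {})
        for name, want in defaults.items():
            if name in observed and observed[name] != want:
                deviations.append((key, name, observed[name], want))
    return deviations


if __name__ == "__main__":
    for key, name, got, want in find_deviations(parse_policy_values(SAMPLE_LOG)):
        print(f"{key}\\{name}: observed {got}, default {want}")
```

Run against the log text above, the script reports four deviations (`EnableLUA`, `ConsentPromptBehaviorAdmin`, `PromptOnSecureDesktop`, `HideSCAHealth`) and leaves `ConsentPromptBehaviorUser` and `EnableUIADesktopToggle` alone, because those two are already at their defaults. Restoring the four flagged values is part of returning the machine to a normal post-infection baseline; the helper's cleanup steps below do not mention them, so they are worth checking by hand.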


#8 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male
  • Local time:12:57 PM

Posted 20 November 2011 - 05:42 PM

nrgstone:

Your logs look good! ESET is flagging that game cheat and the quick store IE add-on as adware. I'll leave removing them up to you if you no longer want them. The rest of those ESET detections are already in quarantine and will be removed when we uninstall ComboFix. To update Java, go to this site, click the "Free Java Download" button and follow the prompts.

Install an anti-virus program. I don't see any anti-virus software running on your computer. Choose one (but no more) reputable AV program. If you need help choosing one, this site has good information. Avast, Avira and Microsoft all offer free AV products.

Now I have some very important cleanup for you to take care of:

Your Adobe Reader needs to be updated. Please visit Adobe's site and grab the newest version. Be sure to watch for and uncheck any boxes offering to install other software.

Uninstall ComboFix
  • Press the Windows key + R on your keyboard or click Start -> Run. Copy and paste the following text into the run box that opens and press OK:
    Combofix /Uninstall

Delete the following tools along with any other logs you saved from our work:
  • DDS
  • GMER
Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine;
  • if it doesn't, manually reboot to ensure a complete clean.
Finally, I'd like to make a couple of suggestions to help you stay clean in the future:
  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application and MBAM current and updated. Scan with them at least weekly.
  • Avoid using P2P programs. Refer back to my earlier post for more information.
  • Please read this post for some helpful information.
Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#9 nrgstone
  • Topic Starter
  • Members
  • 7 posts
  • Local time:10:57 AM

Posted 20 November 2011 - 07:53 PM

Everything seems to be in order.
Java was updated and cleaned out.
I removed Combofix and all tools used to fix this problem.
I ended up going with MSE for the anti-virus program.

I want to say thank you so much for helping me with this!



#10 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male
  • Local time:12:57 PM

Posted 20 November 2011 - 09:02 PM

You're welcome, nrgstone. Take care.



#11 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male
  • Local time:12:57 PM

Posted 21 November 2011 - 07:29 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
