Infected with a Google Redirect that dodges TDSSkiller


  • This topic is locked
24 replies to this topic

#1 agentshades

  • Members
  • 19 posts

Posted 24 December 2011 - 08:16 AM

My computer has been infected with some sort of malware that redirects some of my google searches. I've tried multiple means of fixing it and the person helping me at this link: http://www.bleepingcomputer.com/forums/topic433293.html/page__gopid__2520814#entry2520814, asked me to run a DDS log and post it here in a new topic.

The DDS log is as follows:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_26
Run by David at 8:07:44 on 2011-12-24
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3958.2188 [GMT -5:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\AppleOSSMgr.exe
C:\Windows\system32\AppleTimeSrv.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Program Files (x86)\VERIZONDM\bin\sprtsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\VERIZONDM\bin\tgsrvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Boot Camp\Bootcamp.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Users\David\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\VERIZONDM\bin\sprtcmd.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Common Files\Steam\SteamService.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AWSC.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AWSC.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
uRun: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
uRun: [igndlm.exe] C:\Program Files (x86)\Download Manager\DLM.exe /windowsstart /startifwork
uRun: [Pando Media Booster] C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun: [VERIZONDM] "C:\Program Files (x86)\VERIZONDM\bin\sprtcmd.exe" /P VERIZONDM
StartupFolder: C:\Users\David\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\David\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\Users\David\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\GAMERS~1.LNK - C:\Program Files (x86)\GamersFirst\LIVE!\Live.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Add to Google Photos Screensa&ver - C:\Windows\system32\GPhotos.scr/200
IE: Free YouTube to iPod Converter - C:\Users\David\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetoipodconverter.htm
IE: Free YouTube to Mp3 Converter - C:\Users\David\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
LSP: mswsock.dll
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{B915C896-04F7-4D9F-AC5F-FFD021C8CF23} : DhcpNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{B915C896-04F7-4D9F-AC5F-FFD021C8CF23}\2456C6B696E6F585 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{B915C896-04F7-4D9F-AC5F-FFD021C8CF23}\2556769637475627 : DhcpNameServer = 10.1.0.6 10.1.0.3
TCP: Interfaces\{B915C896-04F7-4D9F-AC5F-FFD021C8CF23}\34F66756E616E647D27457563747 : DhcpNameServer = 10.1.0.6 10.1.0.3
TCP: Interfaces\{B915C896-04F7-4D9F-AC5F-FFD021C8CF23}\34F66756E616E647D2E4 : DhcpNameServer = 10.1.0.6 10.1.0.3
TCP: Interfaces\{B915C896-04F7-4D9F-AC5F-FFD021C8CF23}\353484D294530303F523137303 : DhcpNameServer = 192.168.16.1
TCP: Interfaces\{B915C896-04F7-4D9F-AC5F-FFD021C8CF23}\D4162797C616E6460224C65756 : DhcpNameServer = 68.87.73.246 68.87.71.230
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Skype Plug-In: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun-x64: [VERIZONDM] "C:\Program Files (x86)\VERIZONDM\bin\sprtcmd.exe" /P VERIZONDM
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\d9pliic5.default\
FF - component: C:\Program Files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: C:\Program Files (x86)\Download Manager\npfpdlm.dll
FF - plugin: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\d9pliic5.default\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}\plugins\npietab2.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AppleHFS;AppleHFS;C:\Windows\system32\drivers\AppleHFS.sys --> C:\Windows\system32\drivers\AppleHFS.sys [?]
R0 AppleMNT;AppleMNT;C:\Windows\system32\drivers\AppleMNT.sys --> C:\Windows\system32\drivers\AppleMNT.sys [?]
R0 Lbd;Lbd;C:\Windows\system32\DRIVERS\Lbd.sys --> C:\Windows\system32\DRIVERS\Lbd.sys [?]
R2 AppleOSSMgr;Apple OS Switch Manager;C:\Windows\system32\AppleOSSMgr.exe --> C:\Windows\system32\AppleOSSMgr.exe [?]
R2 AppleTimeSrv;Apple Time Service;C:\Windows\system32\AppleTimeSrv.exe --> C:\Windows\system32\AppleTimeSrv.exe [?]
R2 KeyAgent;KeyAgent;\??\C:\Windows\system32\drivers\KeyAgent.sys --> C:\Windows\system32\drivers\KeyAgent.sys [?]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe [2011-12-12 2152152]
R2 MacHALDriver;Mac HAL;\??\C:\Windows\system32\drivers\MacHALDriver.sys --> C:\Windows\system32\drivers\MacHALDriver.sys [?]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-16 366152]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-11-25 2253120]
R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);C:\Program Files (x86)\VERIZONDM\bin\sprtsvc.exe [2011-12-1 206120]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-10-15 381248]
R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);C:\Program Files (x86)\VERIZONDM\bin\tgsrvc.exe [2011-12-1 185640]
R3 acpials;ALS Sensor Filter;C:\Windows\system32\DRIVERS\acpials.sys --> C:\Windows\system32\DRIVERS\acpials.sys [?]
R3 AppleBtBc;Apple Broadcom Built-in Bluetooth;C:\Windows\system32\DRIVERS\AppleBtBc.sys --> C:\Windows\system32\DRIVERS\AppleBtBc.sys [?]
R3 applemtm;Apple Multitouch Mouse;C:\Windows\system32\DRIVERS\applemtm.sys --> C:\Windows\system32\DRIVERS\applemtm.sys [?]
R3 applemtp;Apple Multitouch;C:\Windows\system32\DRIVERS\applemtp.sys --> C:\Windows\system32\DRIVERS\applemtp.sys [?]
R3 CirrusFilter;CS420xLowerFilter;C:\Windows\system32\DRIVERS\CS420x64.sys --> C:\Windows\system32\DRIVERS\CS420x64.sys [?]
R3 IRRemoteFlt;IR Receiver Filter Driver;C:\Windows\system32\DRIVERS\IRFilter.sys --> C:\Windows\system32\DRIVERS\IRFilter.sys [?]
R3 KeyMagic;USB Keyboard HID Filter;C:\Windows\system32\DRIVERS\KeyMagic.sys --> C:\Windows\system32\DRIVERS\KeyMagic.sys [?]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;C:\Program Files (x86)\Lavasoft\Ad-Aware\kernexplorer64.sys [2011-12-19 17152]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files (x86)\steam\steamapps\common\dragon age origins\bin_ship\DAUpdaterSvc.Service.exe --> c:\program files (x86)\steam\steamapps\common\dragon age origins\bin_ship\DAUpdaterSvc.Service.exe [?]
S3 DrvAgent64;DrvAgent64;C:\Windows\SysWOW64\drivers\DrvAgent64.SYS [2011-11-25 21712]
S3 npggsvc;nProtect GameGuard Service;C:\Windows\system32\GameMon.des -service --> C:\Windows\system32\GameMon.des -service [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2011-12-21 18:33:29 -------- d-----w- C:\Users\David\AppData\Local\SupportSoft
2011-12-21 18:33:05 -------- d-----w- C:\Program Files (x86)\VERIZONDM
2011-12-21 18:32:55 9795072 ----a-w- C:\Windows\VerizonDM.msi
2011-12-21 18:32:52 -------- d-----w- C:\Windows\VDM
2011-12-21 18:32:52 -------- d-----w- C:\Program Files (x86)\Verizon
2011-12-21 18:32:52 -------- d-----w- C:\Program Files (x86)\Common Files\SupportSoft
2011-12-21 04:22:51 -------- d-----w- C:\Sun
2011-12-20 03:18:20 -------- d-----w- C:\Users\David\AppData\Local\CrashDumps
2011-12-19 18:49:34 -------- d-----w- C:\Users\David\AppData\Local\THQ
2011-12-19 15:55:29 16432 ----a-w- C:\Windows\System32\lsdelete.exe
2011-12-19 13:03:04 55384 ----a-w- C:\Windows\System32\drivers\SBREDrv.sys
2011-12-19 12:56:45 69376 ----a-w- C:\Windows\System32\drivers\Lbd.sys
2011-12-19 12:56:16 -------- d-----w- C:\Program Files (x86)\Lavasoft
2011-12-19 04:15:39 41272 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-12-19 03:52:54 -------- d-----w- C:\Users\David\AppData\Local\NPE
2011-12-19 03:52:54 -------- d-----w- C:\ProgramData\Norton
2011-12-16 23:27:45 -------- d-----w- C:\Users\David\AppData\Roaming\Malwarebytes
2011-12-16 23:27:34 -------- d-----w- C:\ProgramData\Malwarebytes
2011-12-16 23:27:31 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-12-16 23:27:31 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-12-16 23:06:06 -------- d-----we C:\Windows\system64
2011-12-16 22:49:11 8822856 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E2F44DFD-1AFD-48CE-9427-FE50EDE3A141}\mpengine.dll
2011-12-16 02:03:17 43520 ----a-w- C:\Windows\System32\csrsrv.dll
2011-12-16 02:01:43 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2011-12-16 02:01:42 2048 ----a-w- C:\Windows\System32\tzres.dll
2011-12-16 02:01:17 -------- d-----w- C:\Users\David\AppData\Local\SWTOR
2011-11-26 01:00:40 837952 ----a-w- C:\Windows\System32\easyupdatusapiu64.dll
2011-11-26 01:00:10 -------- d-----w- C:\ProgramData\NVIDIA Corporation
2011-11-25 23:37:18 -------- d-----w- C:\Program Files\DriverTuner
2011-11-25 23:32:41 21712 ----a-w- C:\Windows\SysWow64\drivers\DrvAgent64.SYS
2011-11-25 23:32:41 -------- d-----w- C:\Users\David\AppData\Local\eSupport.com
2011-11-24 14:39:36 -------- d-----w- C:\Program Files (x86)\Bethesda Softworks
.
==================== Find3M ====================
.
2011-12-02 21:16:09 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-11-24 05:00:47 3141632 ----a-w- C:\Windows\System32\win32k.sys
2011-11-15 19:29:56 270720 ------w- C:\Windows\System32\MpSigStub.exe
2011-11-05 05:26:29 1197568 ----a-w- C:\Windows\System32\wininet.dll
2011-11-05 05:23:10 57856 ----a-w- C:\Windows\System32\licmgr10.dll
2011-11-05 04:35:50 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-11-05 04:34:15 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll
2011-11-05 04:07:32 482816 ----a-w- C:\Windows\System32\html.iec
2011-11-05 03:28:41 386048 ----a-w- C:\Windows\SysWow64\html.iec
2011-11-05 03:25:44 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2011-11-05 02:55:38 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-10-15 06:25:12 723456 ----a-w- C:\Windows\System32\EncDec.dll
2011-10-15 05:54:52 321856 ----a-w- C:\Windows\SysWow64\nvStreaming.exe
2011-10-15 05:48:52 534528 ----a-w- C:\Windows\SysWow64\EncDec.dll
2011-10-08 16:05:07 189248 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2011-10-08 16:05:06 75136 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe
2011-09-29 16:24:44 1897328 ----a-w- C:\Windows\System32\drivers\tcpip.sys
.
============= FINISH: 8:08:44.52 ===============

The attach.txt file is zipped and attached to this post.
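Since the thread turns on reading the DDS log above, here is a small triage parser for its "Pseudo HJT Report" section. This is an added example written for this page, not code from DDS, from BleepingComputer or from either poster; the sample input is a constructed excerpt in the same line format as the posted log, and the function names are my own.

```python
"""Triage helper for the "Pseudo HJT Report" section of a DDS log.

Added example, not code from DDS or from BleepingComputer: it parses the
startup and network entries DDS prints and pulls out the items a helper
reviews first (BHOs, Run keys, LSPs, trusted zones, DHCP name servers),
with two sanity checks on top.
"""
import ipaddress
import re

# Constructed sample (hypothetical excerpt): line formats copied from the
# DDS report posted above, trimmed to a handful of entries.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
uRun: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
LSP: mswsock.dll
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{B915C896-04F7-4D9F-AC5F-FFD021C8CF23}\D4162797C616E6460224C65756 : DhcpNameServer = 68.87.73.246 68.87.71.230
.
================= FIREFOX ===================
"""

# One regex per entry type DDS emits in this section; the named groups
# become the fields of the parsed entry.
PATTERNS = [
    ("bho", re.compile(r"^(?P<key>BHO(?:-X64)?): (?P<name>.+?)"
                       r"(?:: (?P<clsid>\{[0-9A-Fa-f-]+\}))? - (?P<path>.*)$")),
    ("run", re.compile(r"^(?P<key>[um]Run(?:-x64)?): \[(?P<name>[^\]]*)\] (?P<command>.*)$")),
    ("dns", re.compile(r"^TCP: (?:Interfaces\\(?P<iface>\S+) : )?DhcpNameServer = (?P<servers>.*)$")),
    ("lsp", re.compile(r"^LSP: (?P<module>.*)$")),
    ("zone", re.compile(r"^Trusted Zone: (?P<host>.*)$")),
]


def hjt_section(text):
    """Return the report's lines, stopping at the next '=====' header and
    dropping the '.' spacer lines DDS prints between blocks."""
    lines, inside = [], False
    for line in text.splitlines():
        if "Pseudo HJT Report" in line:
            inside = True
        elif inside and line.startswith("="):
            break
        elif inside and line.strip() not in ("", "."):
            lines.append(line.rstrip())
    return lines


def parse_entry(line):
    """Classify one report line; unknown layouts are kept as 'other'."""
    for kind, pattern in PATTERNS:
        match = pattern.match(line)
        if match:
            return {"kind": kind, "raw": line, **match.groupdict()}
    return {"kind": "other", "raw": line}


def parse_hjt_report(text):
    return [parse_entry(line) for line in hjt_section(text)]


def orphaned_bhos(entries):
    """BHO registrations whose DLL is gone ('No File'): stale leftovers that
    a cleanup usually removes, and a cheap place to spot tampering."""
    return sorted(e["name"] for e in entries
                  if e["kind"] == "bho" and e["path"] == "No File")


def dns_servers(entries):
    """Every DHCP-assigned resolver seen on any interface, deduplicated."""
    found = set()
    for e in entries:
        if e["kind"] == "dns":
            found.update(e["servers"].split())
    return sorted(found)


def public_dns_servers(entries):
    """Resolvers outside private address space. Not proof of anything (an
    ISP's resolvers are public too) but worth comparing against what the
    router is expected to hand out when searches are being redirected."""
    public = []
    for server in dns_servers(entries):
        try:
            if not ipaddress.ip_address(server).is_private:
                public.append(server)
        except ValueError:  # not an IP literal; leave it for manual review
            public.append(server)
    return public


if __name__ == "__main__":
    parsed = parse_hjt_report(SAMPLE_LOG)
    print("orphaned BHOs :", orphaned_bhos(parsed))
    print("DNS servers   :", dns_servers(parsed))
    print("public DNS    :", public_dns_servers(parsed))
```

Run against a full DDS log, the parser gives a list of dicts you can filter by kind; the two checks at the end are only starting points, since a public resolver or a dead BHO entry is common on a clean machine too.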


#2 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 24 December 2011 - 02:23 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 agentshades
  • Topic Starter
  • Members
  • 19 posts

Posted 24 December 2011 - 03:07 PM

I just finished running combofix, but instead of producing a log, it just finished its run and closed. I ran it a second time just to check I hadn't done anything wrong and the same thing happened. Is there something I'm doing wrong? I just clicked on combofix.exe and let it go.

#4 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 24 December 2011 - 05:41 PM

Hello

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo

#5 agentshades
  • Topic Starter
  • Members
  • 19 posts

Posted 24 December 2011 - 09:01 PM

Here's the TDSSkiller report. It did not find any threats when it ran.

21:00:06.0852 3352 TDSS rootkit removing tool 2.6.25.0 Dec 23 2011 14:51:16
21:00:07.0164 3352 ============================================================
21:00:07.0164 3352 Current date / time: 2011/12/24 21:00:07.0164
21:00:07.0164 3352 SystemInfo:
21:00:07.0164 3352
21:00:07.0164 3352 OS Version: 6.1.7600 ServicePack: 0.0
21:00:07.0164 3352 Product type: Workstation
21:00:07.0164 3352 ComputerName: DAVID-PC
21:00:07.0164 3352 UserName: David
21:00:07.0164 3352 Windows directory: C:\Windows
21:00:07.0164 3352 System windows directory: C:\Windows
21:00:07.0164 3352 Running under WOW64
21:00:07.0164 3352 Processor architecture: Intel x64
21:00:07.0164 3352 Number of processors: 4
21:00:07.0164 3352 Page size: 0x1000
21:00:07.0164 3352 Boot type: Normal boot
21:00:07.0164 3352 ============================================================
21:00:08.0209 3352 Initialize success
21:00:09.0504 5084 ============================================================
21:00:09.0504 5084 Scan started
21:00:09.0504 5084 Mode: Manual;
21:00:09.0504 5084 ============================================================
21:00:10.0003 5084 1394ohci - ok
21:00:10.0034 5084 ACPI - ok
21:00:10.0065 5084 acpials - ok
21:00:10.0065 5084 AcpiPmi - ok
21:00:10.0081 5084 adp94xx - ok
21:00:10.0097 5084 adpahci - ok
21:00:10.0097 5084 adpu320 - ok
21:00:10.0128 5084 AFD - ok
21:00:10.0128 5084 agp440 - ok
21:00:10.0128 5084 aliide - ok
21:00:10.0143 5084 amdide - ok
21:00:10.0143 5084 AmdK8 - ok
21:00:10.0159 5084 AmdPPM - ok
21:00:10.0175 5084 amdsata - ok
21:00:10.0175 5084 amdsbs - ok
21:00:10.0190 5084 amdxata - ok
21:00:10.0206 5084 AppID - ok
21:00:10.0299 5084 AppleBtBc - ok
21:00:10.0331 5084 AppleHFS - ok
21:00:10.0331 5084 AppleMNT - ok
21:00:10.0362 5084 applemtm - ok
21:00:10.0362 5084 applemtp - ok
21:00:10.0409 5084 arc - ok
21:00:10.0409 5084 arcsas - ok
21:00:10.0471 5084 AsyncMac - ok
21:00:10.0471 5084 atapi - ok
21:00:10.0487 5084 b06bdrv - ok
21:00:10.0502 5084 b57nd60a - ok
21:00:10.0518 5084 BCM43XX - ok
21:00:10.0518 5084 Beep - ok
21:00:10.0533 5084 blbdrive - ok
21:00:10.0565 5084 bowser - ok
21:00:10.0565 5084 BrFiltLo - ok
21:00:10.0565 5084 BrFiltUp - ok
21:00:10.0565 5084 Brserid - ok
21:00:10.0565 5084 BrSerWdm - ok
21:00:10.0580 5084 BrUsbMdm - ok
21:00:10.0580 5084 BrUsbSer - ok
21:00:10.0596 5084 BthEnum - ok
21:00:10.0596 5084 BTHMODEM - ok
21:00:10.0596 5084 BthPan - ok
21:00:10.0611 5084 BTHPORT - ok
21:00:10.0611 5084 BTHUSB - ok
21:00:10.0611 5084 cdfs - ok
21:00:10.0611 5084 cdrom - ok
21:00:10.0627 5084 circlass - ok
21:00:10.0627 5084 CirrusFilter - ok
21:00:10.0643 5084 CLFS - ok
21:00:10.0674 5084 CmBatt - ok
21:00:10.0689 5084 cmdide - ok
21:00:10.0689 5084 CNG - ok
21:00:10.0705 5084 Compbatt - ok
21:00:10.0721 5084 CompositeBus - ok
21:00:10.0721 5084 crcdisk - ok
21:00:10.0752 5084 DfsC - ok
21:00:10.0752 5084 discache - ok
21:00:10.0767 5084 Disk - ok
21:00:10.0830 5084 drmkaud - ok
21:00:10.0908 5084 DrvAgent64 - ok
21:00:10.0955 5084 dump_wmimmc - ok
21:00:10.0970 5084 DXGKrnl - ok
21:00:10.0970 5084 ebdrv - ok
21:00:10.0986 5084 elxstor - ok
21:00:11.0001 5084 ErrDev - ok
21:00:11.0001 5084 exfat - ok
21:00:11.0001 5084 fastfat - ok
21:00:11.0017 5084 fdc - ok
21:00:11.0064 5084 FileInfo - ok
21:00:11.0064 5084 Filetrace - ok
21:00:11.0064 5084 flpydisk - ok
21:00:11.0064 5084 FltMgr - ok
21:00:11.0079 5084 FsDepends - ok
21:00:11.0079 5084 Fs_Rec - ok
21:00:11.0079 5084 fvevol - ok
21:00:11.0079 5084 gagp30kx - ok
21:00:11.0126 5084 GEARAspiWDM - ok
21:00:11.0126 5084 hcw85cir - ok
21:00:11.0142 5084 HdAudAddService - ok
21:00:11.0142 5084 HDAudBus - ok
21:00:11.0142 5084 HidBatt - ok
21:00:11.0157 5084 HidBth - ok
21:00:11.0157 5084 HidIr - ok
21:00:11.0173 5084 HidUsb - ok
21:00:11.0173 5084 HpSAMD - ok
21:00:11.0189 5084 HTTP - ok
21:00:11.0189 5084 hwpolicy - ok
21:00:11.0189 5084 i8042prt - ok
21:00:11.0189 5084 iaStorV - ok
21:00:11.0204 5084 iirsp - ok
21:00:11.0220 5084 intelide - ok
21:00:11.0220 5084 intelppm - ok
21:00:11.0220 5084 IpFilterDriver - ok
21:00:11.0220 5084 IPMIDRV - ok
21:00:11.0235 5084 IPNAT - ok
21:00:11.0267 5084 IRENUM - ok
21:00:11.0282 5084 IRRemoteFlt - ok
21:00:11.0282 5084 isapnp - ok
21:00:11.0298 5084 iScsiPrt - ok
21:00:11.0298 5084 kbdclass - ok
21:00:11.0298 5084 kbdhid - ok
21:00:11.0313 5084 KeyAgent - ok
21:00:11.0313 5084 KeyMagic - ok
21:00:11.0313 5084 KSecDD - ok
21:00:11.0313 5084 KSecPkg - ok
21:00:11.0329 5084 ksthunk - ok
21:00:11.0376 5084 Lbd - ok
21:00:11.0391 5084 lltdio - ok
21:00:11.0407 5084 LSI_FC - ok
21:00:11.0423 5084 LSI_SAS - ok
21:00:11.0423 5084 LSI_SAS2 - ok
21:00:11.0423 5084 LSI_SCSI - ok
21:00:11.0454 5084 luafv - ok
21:00:11.0454 5084 MacHALDriver - ok
21:00:11.0454 5084 MBAMProtector - ok
21:00:11.0469 5084 megasas - ok
21:00:11.0485 5084 MegaSR - ok
21:00:11.0501 5084 Modem - ok
21:00:11.0501 5084 monitor - ok
21:00:11.0516 5084 mouclass - ok
21:00:11.0532 5084 mouhid - ok
21:00:11.0532 5084 mountmgr - ok
21:00:11.0532 5084 mpio - ok
21:00:11.0532 5084 mpsdrv - ok
21:00:11.0547 5084 MRxDAV - ok
21:00:11.0547 5084 mrxsmb - ok
21:00:11.0547 5084 mrxsmb10 - ok
21:00:11.0547 5084 mrxsmb20 - ok
21:00:11.0547 5084 msahci - ok
21:00:11.0563 5084 msdsm - ok
21:00:11.0563 5084 Msfs - ok
21:00:11.0563 5084 mshidkmdf - ok
21:00:11.0563 5084 msisadrv - ok
21:00:11.0579 5084 MSKSSRV - ok
21:00:11.0579 5084 MSPCLOCK - ok
21:00:11.0579 5084 MSPQM - ok
21:00:11.0594 5084 MsRPC - ok
21:00:11.0594 5084 mssmbios - ok
21:00:11.0594 5084 MSTEE - ok
21:00:11.0594 5084 MTConfig - ok
21:00:11.0594 5084 Mup - ok
21:00:11.0610 5084 NativeWifiP - ok
21:00:11.0625 5084 NDIS - ok
21:00:11.0641 5084 NdisCap - ok
21:00:11.0641 5084 NdisTapi - ok
21:00:11.0641 5084 Ndisuio - ok
21:00:11.0641 5084 NdisWan - ok
21:00:11.0641 5084 NDProxy - ok
21:00:11.0657 5084 NetBIOS - ok
21:00:11.0657 5084 NetBT - ok
21:00:11.0719 5084 nfrd960 - ok
21:00:11.0735 5084 Npfs - ok
21:00:11.0750 5084 NPPTNT2 - ok
21:00:11.0750 5084 nsiproxy - ok
21:00:11.0766 5084 Ntfs - ok
21:00:11.0766 5084 Null - ok
21:00:11.0781 5084 NVHDA - ok
21:00:11.0797 5084 nvlddmkm - ok
21:00:11.0813 5084 nvraid - ok
21:00:11.0813 5084 nvstor - ok
21:00:11.0844 5084 nv_agp - ok
21:00:11.0844 5084 ohci1394 - ok
21:00:11.0859 5084 Parport - ok
21:00:11.0859 5084 partmgr - ok
21:00:11.0859 5084 pci - ok
21:00:11.0859 5084 pciide - ok
21:00:11.0875 5084 pcmcia - ok
21:00:11.0875 5084 pcw - ok
21:00:11.0875 5084 PEAUTH - ok
21:00:11.0922 5084 PptpMiniport - ok
21:00:11.0922 5084 Processor - ok
21:00:11.0937 5084 Psched - ok
21:00:11.0937 5084 ql2300 - ok
21:00:11.0953 5084 ql40xx - ok
21:00:11.0953 5084 QWAVEdrv - ok
21:00:11.0953 5084 RasAcd - ok
21:00:11.0953 5084 RasAgileVpn - ok
21:00:11.0969 5084 Rasl2tp - ok
21:00:11.0969 5084 RasPppoe - ok
21:00:11.0969 5084 RasSstp - ok
21:00:11.0969 5084 rdbss - ok
21:00:11.0969 5084 rdpbus - ok
21:00:11.0984 5084 RDPCDD - ok
21:00:11.0984 5084 RDPENCDD - ok
21:00:12.0000 5084 RDPREFMP - ok
21:00:12.0000 5084 RDPWD - ok
21:00:12.0000 5084 rdyboost - ok
21:00:12.0015 5084 RFCOMM - ok
21:00:12.0015 5084 rspndr - ok
21:00:12.0031 5084 sbp2port - ok
21:00:12.0031 5084 scfilter - ok
21:00:12.0031 5084 secdrv - ok
21:00:12.0047 5084 Serenum - ok
21:00:12.0047 5084 Serial - ok
21:00:12.0047 5084 sermouse - ok
21:00:12.0062 5084 sffdisk - ok
21:00:12.0062 5084 sffp_mmc - ok
21:00:12.0062 5084 sffp_sd - ok
21:00:12.0062 5084 sfloppy - ok
21:00:12.0078 5084 SiSRaid2 - ok
21:00:12.0078 5084 SiSRaid4 - ok
21:00:12.0093 5084 Smb - ok
21:00:12.0140 5084 spldr - ok
21:00:12.0171 5084 srv - ok
21:00:12.0187 5084 srv2 - ok
21:00:12.0187 5084 srvnet - ok
21:00:12.0343 5084 stexstor - ok
21:00:12.0359 5084 swenum - ok
21:00:12.0374 5084 Tcpip - ok
21:00:12.0374 5084 TCPIP6 - ok
21:00:12.0374 5084 tcpipreg - ok
21:00:12.0374 5084 TDPIPE - ok
21:00:12.0390 5084 TDTCP - ok
21:00:12.0390 5084 tdx - ok
21:00:12.0390 5084 TermDD - ok
21:00:12.0405 5084 tssecsrv - ok
21:00:12.0421 5084 tunnel - ok
21:00:12.0421 5084 uagp35 - ok
21:00:12.0421 5084 udfs - ok
21:00:12.0437 5084 uliagpkx - ok
21:00:12.0437 5084 umbus - ok
21:00:12.0437 5084 UmPass - ok
21:00:12.0452 5084 USBAAPL64 - ok
21:00:12.0468 5084 usbaudio - ok
21:00:12.0468 5084 usbccgp - ok
21:00:12.0468 5084 usbcir - ok
21:00:12.0468 5084 usbehci - ok
21:00:12.0483 5084 usbhub - ok
21:00:12.0483 5084 usbohci - ok
21:00:12.0499 5084 usbprint - ok
21:00:12.0499 5084 USBSTOR - ok
21:00:12.0499 5084 usbuhci - ok
21:00:12.0515 5084 usbvideo - ok
21:00:12.0530 5084 vdrvroot - ok
21:00:12.0530 5084 vga - ok
21:00:12.0530 5084 VgaSave - ok
21:00:12.0530 5084 vhdmp - ok
21:00:12.0546 5084 viaide - ok
21:00:12.0546 5084 volmgr - ok
21:00:12.0546 5084 volmgrx - ok
21:00:12.0546 5084 volsnap - ok
21:00:12.0561 5084 vsmraid - ok
21:00:12.0561 5084 vwifibus - ok
21:00:12.0577 5084 WacomPen - ok
21:00:12.0577 5084 WANARP - ok
21:00:12.0577 5084 Wanarpv6 - ok
21:00:12.0593 5084 Wd - ok
21:00:12.0593 5084 Wdf01000 - ok
21:00:12.0608 5084 WfpLwf - ok
21:00:12.0624 5084 WIMMount - ok
21:00:12.0671 5084 WinUsb - ok
21:00:12.0686 5084 WmiAcpi - ok
21:00:12.0717 5084 ws2ifsl - ok
21:00:12.0717 5084 WudfPf - ok
21:00:12.0733 5084 WUDFRd - ok
21:00:12.0749 5084 xnacc - ok
21:00:12.0780 5084 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
21:00:12.0842 5084 \Device\Harddisk0\DR0 - ok
21:00:12.0842 5084 Boot (0x1200) (485ae92de5485569ff7d50ac30fbc08f) \Device\Harddisk0\DR0\Partition0
21:00:12.0842 5084 \Device\Harddisk0\DR0\Partition0 - ok
21:00:12.0873 5084 Boot (0x1200) (9ad995c743e7424e7645a6a611673f0f) \Device\Harddisk0\DR0\Partition1
21:00:12.0873 5084 \Device\Harddisk0\DR0\Partition1 - ok
21:00:12.0889 5084 Boot (0x1200) (07b834d2751165ed24359caeba328ec2) \Device\Harddisk0\DR0\Partition2
21:00:12.0889 5084 \Device\Harddisk0\DR0\Partition2 - ok
21:00:12.0889 5084 Boot (0x1200) (5af0282f2aa1253a65bb60b55512758d) \Device\Harddisk0\DR0\Partition3
21:00:12.0889 5084 \Device\Harddisk0\DR0\Partition3 - ok
21:00:12.0889 5084 ============================================================
21:00:12.0889 5084 Scan finished
21:00:12.0889 5084 ============================================================
21:00:12.0905 4744 Detected object count: 0
21:00:12.0905 4744 Actual detected object count: 0

#6 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 24 December 2011 - 10:51 PM

Hello

This is the tool I would like you to try and run next.

Please download aswMBR (511 KB) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.



Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 agentshades

agentshades
  • Topic Starter

  • Members
  • 19 posts

Posted 27 December 2011 - 03:13 PM

I've tried running it several times (it always finds things like "malware-gen", "DNSchanger" and "sirefef") but before the scan finishes the program always crashes with a "this program has stopped working" dialog box.

#8 agentshades

agentshades
  • Topic Starter

  • Members
  • 19 posts

Posted 27 December 2011 - 09:46 PM

I tried one last time, and this time the scan did finish. Here are the quick scan (the default scan) results. If you'd like me to run a full scan, please let me know. I started running one and it seemed to find 3 things instead of 1 before it crashed.

aswMBR version 0.9.9.1120 Copyright© 2011 AVAST Software
Run date: 2011-12-27 18:12:11
-----------------------------
18:12:11.897 OS Version: Windows x64 6.1.7600
18:12:11.897 Number of processors: 4 586 0x2502
18:12:11.897 ComputerName: DAVID-PC UserName: David
18:12:13.208 Initialize success
18:12:17.055 AVAST engine defs: 11122401
18:12:17.706 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
18:12:17.722 Disk 0 Vendor: TOSHIBA_MK3255GSXF FH315B Size: 305245MB BusType: 3
18:12:17.784 Disk 0 MBR read successfully
18:12:17.784 Disk 0 MBR scan
18:12:17.784 Disk 0 Windows 7 default MBR code
18:12:17.800 Disk 0 Partition 1 00 EE GPT 200 MB offset 1
18:12:17.831 Disk 0 Partition 2 00 AF HFS / HFS+ 180757 MB offset 409640
18:12:17.878 Disk 0 Partition 3 00 AB Darwin boot 619 MB offset 370600152
18:12:17.909 Disk 0 Partition 4 80 (A) 07 HPFS/NTFS NTFS 123668 MB offset 371869696
18:12:17.909 Service scanning
18:12:19.376 Modules scanning
18:12:19.376 Disk 0 trace - called modules:
18:12:19.407 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
18:12:19.407 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8005560060]
18:12:19.422 3 CLASSPNP.SYS[fffff8800141743f] -> nt!IofCallDriver -> [0xfffffa80052b1670]
18:12:19.422 5 ACPI.sys[fffff88000f64781] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80052d6060]
18:12:20.312 AVAST engine scan C:\Windows
18:12:23.042 AVAST engine scan C:\Windows\system32
18:12:34.102 File: C:\Windows\system32\consrv.dll **INFECTED** Win32:Sirefef-HO [Rtk]
18:13:56.252 AVAST engine scan C:\Windows\system32\drivers
18:14:04.551 AVAST engine scan C:\Users\David
18:20:40.932 AVAST engine scan C:\ProgramData
18:23:28.710 Scan finished successfully
21:44:18.328 Disk 0 MBR has been saved successfully to "C:\Users\David\Desktop\MBR.dat"
21:44:18.328 The log file has been saved successfully to "C:\Users\David\Desktop\aswMBR.txt"

#9 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 27 December 2011 - 11:06 PM

Hello

OK, let's try this. I want you to run ComboFix in Safe Mode, but it is very important that when ComboFix reboots the computer you direct it back into Safe Mode so it can finish the scan.

Boot into Safe Mode

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Log in to your usual account.

After ComboFix has finished its scan, please post the report back here.

Gringo

#10 agentshades

agentshades
  • Topic Starter

  • Members
  • 19 posts

Posted 27 December 2011 - 11:56 PM

Here's the log from the combofix run:


ComboFix 11-12-24.07 - David 12/27/2011 23:37:45.1.4 - x64 MINIMAL
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3958.2739 [GMT -5:00]
Running from: c:\users\David\Downloads\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\users\David\GoToAssistDownloadHelper.exe
c:\windows\system32\consrv.dll
c:\windows\System64
.
.
((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-28 )))))))))))))))))))))))))))))))
.
.
2011-12-28 04:44 . 2011-12-28 04:44 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2011-12-28 04:44 . 2011-12-28 04:44 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-27 22:08 . 2011-12-27 22:08 -------- d-----w- c:\users\David\AppData\Local\ElevatedDiagnostics
2011-12-27 21:59 . 2011-12-27 21:59 -------- d-----w- c:\users\David\AppData\Local\Citrix
2011-12-21 18:33 . 2011-12-21 18:33 -------- d-----w- c:\users\David\AppData\Local\SupportSoft
2011-12-21 18:33 . 2011-12-21 18:33 -------- d-----w- c:\program files (x86)\VERIZONDM
2011-12-21 18:33 . 2011-12-21 18:33 -------- d-----w- c:\programdata\SupportSoft
2011-12-21 18:32 . 2011-12-06 17:37 9795072 ----a-w- c:\windows\VerizonDM.msi
2011-12-21 18:32 . 2011-12-21 18:33 -------- d-----w- c:\program files (x86)\Common Files\SupportSoft
2011-12-21 18:32 . 2011-12-21 18:32 -------- d-----w- c:\windows\VDM
2011-12-21 18:32 . 2011-12-21 18:32 -------- d-----w- c:\program files (x86)\Verizon
2011-12-21 04:22 . 2011-12-21 04:22 -------- d-----w- C:\Sun
2011-12-20 03:18 . 2011-12-27 20:08 -------- d-----w- c:\users\David\AppData\Local\CrashDumps
2011-12-19 18:49 . 2011-12-19 18:49 -------- d-----w- c:\users\David\AppData\Local\THQ
2011-12-19 15:55 . 2011-12-19 13:02 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-12-19 13:03 . 2011-12-19 13:03 55384 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-12-19 12:56 . 2011-12-12 15:07 69376 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-12-19 12:56 . 2011-12-19 12:56 -------- d-----w- c:\program files (x86)\Lavasoft
2011-12-19 12:56 . 2011-12-19 12:56 -------- d-----w- c:\programdata\Lavasoft
2011-12-19 04:15 . 2011-12-19 04:15 41272 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-12-19 03:52 . 2011-12-19 04:03 -------- d-----w- c:\users\David\AppData\Local\NPE
2011-12-19 03:52 . 2011-12-19 03:53 -------- d-----w- c:\programdata\Norton
2011-12-16 23:27 . 2011-12-16 23:27 -------- d-----w- c:\users\David\AppData\Roaming\Malwarebytes
2011-12-16 23:27 . 2011-12-16 23:27 -------- d-----w- c:\programdata\Malwarebytes
2011-12-16 23:27 . 2011-12-16 23:27 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-12-16 23:27 . 2011-08-31 22:00 25416 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-16 22:49 . 2011-11-21 11:40 8822856 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E2F44DFD-1AFD-48CE-9427-FE50EDE3A141}\mpengine.dll
2011-12-16 02:03 . 2011-10-26 05:19 43520 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-16 02:01 . 2011-11-05 04:30 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2011-12-16 02:01 . 2011-11-05 05:17 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-16 02:01 . 2011-12-16 02:01 -------- d-----w- c:\users\David\AppData\Local\SWTOR
2011-12-02 21:15 . 2011-12-02 21:15 -------- d-----w- c:\windows\system32\Macromed
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-02 21:16 . 2011-11-04 00:27 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-11-25 23:32 . 2011-11-25 23:32 21712 ----a-w- c:\windows\SysWow64\drivers\DrvAgent64.SYS
2011-11-15 19:29 . 2010-08-11 01:28 270720 ------w- c:\windows\system32\MpSigStub.exe
2011-10-15 08:53 . 2011-11-26 01:00 837952 ----a-w- c:\windows\system32\easyupdatusapiu64.dll
2011-10-15 08:53 . 2011-11-26 00:58 7041856 ----a-w- c:\windows\SysWow64\nvwgf2um.dll
2011-10-15 08:53 . 2011-11-26 00:58 68928 ----a-w- c:\windows\system32\OpenCL.dll
2011-10-15 08:53 . 2011-11-26 00:58 61248 ----a-w- c:\windows\SysWow64\OpenCL.dll
2011-10-15 08:53 . 2011-11-26 00:58 24742720 ----a-w- c:\windows\system32\nvoglv64.dll
2011-10-15 08:53 . 2011-11-26 00:58 18871616 ----a-w- c:\windows\SysWow64\nvoglv32.dll
2011-10-15 08:53 . 2011-11-26 00:58 1454400 ----a-w- c:\windows\system32\nvgenco64.dll
2011-10-15 08:53 . 2011-11-26 00:58 12971840 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2011-10-15 08:53 . 2011-11-26 00:58 7581504 ----a-w- c:\windows\system32\nvcuda.dll
2011-10-15 08:53 . 2011-11-26 00:58 5578560 ----a-w- c:\windows\SysWow64\nvcuda.dll
2011-10-15 08:53 . 2011-11-26 00:58 2542912 ----a-w- c:\windows\system32\nvcuvid.dll
2011-10-15 08:53 . 2011-11-26 00:58 24796992 ----a-w- c:\windows\system32\nvcompiler.dll
2011-10-15 08:53 . 2011-11-26 00:58 2401088 ----a-w- c:\windows\SysWow64\nvcuvid.dll
2011-10-15 08:53 . 2011-11-26 00:58 2232128 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-10-15 08:53 . 2011-11-26 00:58 2099520 ----a-w- c:\windows\SysWow64\nvcuvenc.dll
2011-10-15 08:53 . 2011-11-26 00:58 17248576 ----a-w- c:\windows\SysWow64\nvcompiler.dll
2011-10-15 08:53 . 2011-11-26 00:58 15693120 ----a-w- c:\windows\system32\nvd3dumx.dll
2011-10-15 08:53 . 2011-11-26 00:58 1533248 ----a-w- c:\windows\system32\nvdispco64.dll
2011-10-15 08:53 . 2010-02-25 02:36 8791360 ----a-w- c:\windows\system32\nvwgf2umx.dll
2011-10-15 08:53 . 2010-02-25 02:36 13205312 ----a-w- c:\windows\SysWow64\nvd3dum.dll
2011-10-15 08:53 . 2010-02-25 02:36 2808128 ----a-w- c:\windows\system32\nvapi64.dll
2011-10-15 08:53 . 2010-02-25 02:36 2458432 ----a-w- c:\windows\SysWow64\nvapi.dll
2011-10-15 08:53 . 2010-01-12 03:19 5067584 ----a-w- c:\windows\system32\nvsvc64.dll
2011-10-15 08:53 . 2010-01-12 03:19 3074368 ----a-w- c:\windows\system32\nvsvcr.dll
2011-10-15 08:53 . 2010-01-12 03:19 222528 ----a-w- c:\windows\system32\nvmctray.dll
2011-10-15 08:53 . 2010-01-12 03:19 1640768 ----a-w- c:\windows\system32\nvvsvc.exe
2011-10-15 08:53 . 2010-01-12 03:19 137536 ----a-w- c:\windows\system32\nvshext.dll
2011-10-15 08:53 . 2010-01-12 03:19 10406208 ----a-w- c:\windows\system32\nvcpl.dll
2011-10-15 05:54 . 2011-10-15 05:54 321856 ----a-w- c:\windows\SysWow64\nvStreaming.exe
2011-10-08 16:05 . 2010-09-07 19:52 189248 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2011-10-08 16:05 . 2010-09-07 19:52 75136 ----a-w- c:\windows\SysWow64\PnkBstrA.exe
2011-09-29 16:24 . 2011-11-09 13:30 1897328 ----a-w- c:\windows\system32\drivers\tcpip.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\David\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\David\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\David\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2011-08-08 1242448]
"igndlm.exe"="c:\program files (x86)\Download Manager\DLM.exe" [2009-10-27 1103216]
"Pando Media Booster"="c:\program files (x86)\Pando Networks\Media Booster\PMB.exe" [2011-06-12 3071384]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
"VERIZONDM"="c:\program files (x86)\VERIZONDM\bin\sprtcmd.exe" [2011-12-01 206120]
.
c:\users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\David\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
GamersFirst LIVE!.lnk - c:\program files (x86)\GamersFirst\LIVE!\Live.exe [2011-6-7 2586736]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
R2 AppleOSSMgr;Apple OS Switch Manager;c:\windows\system32\AppleOSSMgr.exe [x]
R2 AppleTimeSrv;Apple Time Service;c:\windows\system32\AppleTimeSrv.exe [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 KeyAgent;KeyAgent;c:\windows\system32\drivers\KeyAgent.sys [x]
R2 MacHALDriver;Mac HAL;c:\windows\system32\drivers\MacHALDriver.sys [x]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-10-15 2253120]
R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files (x86)\VERIZONDM\bin\sprtsvc.exe [2011-12-01 206120]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-10-15 381248]
R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files (x86)\VERIZONDM\bin\tgsrvc.exe [2011-12-01 185640]
R3 acpials;ALS Sensor Filter;c:\windows\system32\DRIVERS\acpials.sys [x]
R3 AppleBtBc;Apple Broadcom Built-in Bluetooth;c:\windows\system32\DRIVERS\AppleBtBc.sys [x]
R3 CirrusFilter;CS420xLowerFilter;c:\windows\system32\DRIVERS\CS420x64.sys [x]
R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files (x86)\steam\steamapps\common\dragon age origins\bin_ship\DAUpdaterSvc.Service.exe [x]
R3 DrvAgent64;DrvAgent64;c:\windows\SysWOW64\Drivers\DrvAgent64.SYS [2011-11-25 21712]
R3 dump_wmimmc;dump_wmimmc;c:\program files (x86)\steam\steamapps\common\ava\Binaries\GameGuard\dump_wmimmc.sys [x]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files (x86)\Lavasoft\Ad-Aware\KernExplorer64.sys [2011-12-19 17152]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 AppleHFS;AppleHFS; [x]
S0 AppleMNT;AppleMNT; [x]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files (x86)\Lavasoft\Ad-Aware\AAWService.exe [2011-12-19 2152152]
S3 applemtm;Apple Multitouch Mouse;c:\windows\system32\DRIVERS\applemtm.sys [x]
S3 applemtp;Apple Multitouch;c:\windows\system32\DRIVERS\applemtp.sys [x]
S3 IRRemoteFlt;IR Receiver Filter Driver;c:\windows\system32\DRIVERS\IRFilter.sys [x]
S3 KeyMagic;USB Keyboard HID Filter;c:\windows\system32\DRIVERS\KeyMagic.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-28 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files (x86)\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-12-12 13:02]
.
2011-12-27 c:\windows\Tasks\GlaryInitialize.job
- c:\program files (x86)\Glary Utilities\initialize.exe [2010-11-21 02:55]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\David\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\David\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\David\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\David\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apple_KbdMgr"="c:\program files\Boot Camp\Bootcamp.exe" [2010-11-12 740152]
"combofix"="c:\combofix\CF31219.3XE" [2009-07-14 344576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"combofix"="c:\combofix\CF31219.3XE" [2009-07-14 344576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Free YouTube to iPod Converter - c:\users\David\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetoipodconverter.htm
IE: Free YouTube to Mp3 Converter - c:\users\David\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\David\AppData\Roaming\Mozilla\Firefox\Profiles\d9pliic5.default\
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-PunkBusterSvc - c:\program files (x86)\Steam\steamapps\common\Assassins Creed Brotherhood\pbsvc.exe
AddRemove-SOE-DC Universe Online Live - c:\users\Public\Sony Online Entertainment\Installed Games\DC Universe Online Live\Uninstaller.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-679397843-2567356324-2801450882-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:8d,f8,75,30,5d,82,8e,dc,a3,d2,b5,2f,f7,7a,94,e1,f4,8f,80,98,b9,7a,2b,
d4,b3,b4,ac,af,aa,81,4c,55,49,d6,7c,2a,aa,f6,64,8d,44,7f,c5,ed,5c,56,ea,91,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22
.
[HKEY_USERS\S-1-5-21-679397843-2567356324-2801450882-1000\Software\SecuROM\License information*]
"datasecu"=hex:c2,5d,30,73,1d,31,e9,59,a2,11,a7,dc,c2,d4,6a,37,7b,24,1f,c9,ee,
84,c5,f6,4b,72,bd,51,7b,67,15,50,85,fc,4b,6b,fc,52,d8,5d,06,3c,cf,da,be,1a,\
"rkeysecu"=hex:84,a4,ea,d9,bc,2f,ef,18,4f,c6,77,d6,54,36,ef,57
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10x_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10x_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
c:\program files (x86)\Lavasoft\Ad-Aware\AWSC.exe
.
**************************************************************************
.
Completion time: 2011-12-27 23:51:43 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-28 04:51
.
Pre-Run: 23,585,984,512 bytes free
Post-Run: 23,439,728,640 bytes free
.
- - End Of File - - 1F30CDB914C1AD0A3455FE05DCC98AC2

#11 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 28 December 2011 - 12:06 AM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"

In your next post I need the following:
  • Report from ComboFix
  • Let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#12 agentshades

agentshades
  • Topic Starter

  • Members
  • 19 posts

Posted 28 December 2011 - 08:23 AM

OK, here's the ComboFix log (it ran without any problems):

ComboFix 11-12-24.07 - David 12/28/2011 8:10.2.4 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3958.2431 [GMT -5:00]
Running from: c:\users\David\Desktop\ComboFix.exe
Command switches used :: c:\users\David\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-28 )))))))))))))))))))))))))))))))
.
.
2011-12-28 13:19 . 2011-12-28 13:19 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2011-12-28 13:19 . 2011-12-28 13:19 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-27 22:08 . 2011-12-27 22:08 -------- d-----w- c:\users\David\AppData\Local\ElevatedDiagnostics
2011-12-27 21:59 . 2011-12-27 21:59 -------- d-----w- c:\users\David\AppData\Local\Citrix
2011-12-21 18:33 . 2011-12-21 18:33 -------- d-----w- c:\users\David\AppData\Local\SupportSoft
2011-12-21 18:33 . 2011-12-21 18:33 -------- d-----w- c:\program files (x86)\VERIZONDM
2011-12-21 18:33 . 2011-12-21 18:33 -------- d-----w- c:\programdata\SupportSoft
2011-12-21 18:32 . 2011-12-06 17:37 9795072 ----a-w- c:\windows\VerizonDM.msi
2011-12-21 18:32 . 2011-12-21 18:33 -------- d-----w- c:\program files (x86)\Common Files\SupportSoft
2011-12-21 18:32 . 2011-12-21 18:32 -------- d-----w- c:\windows\VDM
2011-12-21 18:32 . 2011-12-21 18:32 -------- d-----w- c:\program files (x86)\Verizon
2011-12-21 04:22 . 2011-12-21 04:22 -------- d-----w- C:\Sun
2011-12-20 03:18 . 2011-12-27 20:08 -------- d-----w- c:\users\David\AppData\Local\CrashDumps
2011-12-19 18:49 . 2011-12-19 18:49 -------- d-----w- c:\users\David\AppData\Local\THQ
2011-12-19 15:55 . 2011-12-19 13:02 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-12-19 13:03 . 2011-12-19 13:03 55384 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-12-19 12:56 . 2011-12-12 15:07 69376 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-12-19 12:56 . 2011-12-19 12:56 -------- d-----w- c:\program files (x86)\Lavasoft
2011-12-19 12:56 . 2011-12-19 12:56 -------- d-----w- c:\programdata\Lavasoft
2011-12-19 04:15 . 2011-12-19 04:15 41272 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-12-19 03:52 . 2011-12-19 04:03 -------- d-----w- c:\users\David\AppData\Local\NPE
2011-12-19 03:52 . 2011-12-19 03:53 -------- d-----w- c:\programdata\Norton
2011-12-16 23:27 . 2011-12-16 23:27 -------- d-----w- c:\users\David\AppData\Roaming\Malwarebytes
2011-12-16 23:27 . 2011-12-16 23:27 -------- d-----w- c:\programdata\Malwarebytes
2011-12-16 23:27 . 2011-12-16 23:27 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-12-16 23:27 . 2011-08-31 22:00 25416 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-16 22:49 . 2011-11-21 11:40 8822856 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E2F44DFD-1AFD-48CE-9427-FE50EDE3A141}\mpengine.dll
2011-12-16 02:03 . 2011-10-26 05:19 43520 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-16 02:01 . 2011-11-05 04:30 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2011-12-16 02:01 . 2011-11-05 05:17 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-16 02:01 . 2011-12-16 02:01 -------- d-----w- c:\users\David\AppData\Local\SWTOR
2011-12-02 21:15 . 2011-12-02 21:15 -------- d-----w- c:\windows\system32\Macromed
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-02 21:16 . 2011-11-04 00:27 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-11-25 23:32 . 2011-11-25 23:32 21712 ----a-w- c:\windows\SysWow64\drivers\DrvAgent64.SYS
2011-11-15 19:29 . 2010-08-11 01:28 270720 ------w- c:\windows\system32\MpSigStub.exe
2011-10-15 08:53 . 2011-11-26 01:00 837952 ----a-w- c:\windows\system32\easyupdatusapiu64.dll
2011-10-15 08:53 . 2011-11-26 00:58 7041856 ----a-w- c:\windows\SysWow64\nvwgf2um.dll
2011-10-15 08:53 . 2011-11-26 00:58 68928 ----a-w- c:\windows\system32\OpenCL.dll
2011-10-15 08:53 . 2011-11-26 00:58 61248 ----a-w- c:\windows\SysWow64\OpenCL.dll
2011-10-15 08:53 . 2011-11-26 00:58 24742720 ----a-w- c:\windows\system32\nvoglv64.dll
2011-10-15 08:53 . 2011-11-26 00:58 18871616 ----a-w- c:\windows\SysWow64\nvoglv32.dll
2011-10-15 08:53 . 2011-11-26 00:58 1454400 ----a-w- c:\windows\system32\nvgenco64.dll
2011-10-15 08:53 . 2011-11-26 00:58 12971840 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2011-10-15 08:53 . 2011-11-26 00:58 7581504 ----a-w- c:\windows\system32\nvcuda.dll
2011-10-15 08:53 . 2011-11-26 00:58 5578560 ----a-w- c:\windows\SysWow64\nvcuda.dll
2011-10-15 08:53 . 2011-11-26 00:58 2542912 ----a-w- c:\windows\system32\nvcuvid.dll
2011-10-15 08:53 . 2011-11-26 00:58 24796992 ----a-w- c:\windows\system32\nvcompiler.dll
2011-10-15 08:53 . 2011-11-26 00:58 2401088 ----a-w- c:\windows\SysWow64\nvcuvid.dll
2011-10-15 08:53 . 2011-11-26 00:58 2232128 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-10-15 08:53 . 2011-11-26 00:58 2099520 ----a-w- c:\windows\SysWow64\nvcuvenc.dll
2011-10-15 08:53 . 2011-11-26 00:58 17248576 ----a-w- c:\windows\SysWow64\nvcompiler.dll
2011-10-15 08:53 . 2011-11-26 00:58 15693120 ----a-w- c:\windows\system32\nvd3dumx.dll
2011-10-15 08:53 . 2011-11-26 00:58 1533248 ----a-w- c:\windows\system32\nvdispco64.dll
2011-10-15 08:53 . 2010-02-25 02:36 8791360 ----a-w- c:\windows\system32\nvwgf2umx.dll
2011-10-15 08:53 . 2010-02-25 02:36 13205312 ----a-w- c:\windows\SysWow64\nvd3dum.dll
2011-10-15 08:53 . 2010-02-25 02:36 2808128 ----a-w- c:\windows\system32\nvapi64.dll
2011-10-15 08:53 . 2010-02-25 02:36 2458432 ----a-w- c:\windows\SysWow64\nvapi.dll
2011-10-15 08:53 . 2010-01-12 03:19 5067584 ----a-w- c:\windows\system32\nvsvc64.dll
2011-10-15 08:53 . 2010-01-12 03:19 3074368 ----a-w- c:\windows\system32\nvsvcr.dll
2011-10-15 08:53 . 2010-01-12 03:19 222528 ----a-w- c:\windows\system32\nvmctray.dll
2011-10-15 08:53 . 2010-01-12 03:19 1640768 ----a-w- c:\windows\system32\nvvsvc.exe
2011-10-15 08:53 . 2010-01-12 03:19 137536 ----a-w- c:\windows\system32\nvshext.dll
2011-10-15 08:53 . 2010-01-12 03:19 10406208 ----a-w- c:\windows\system32\nvcpl.dll
2011-10-15 05:54 . 2011-10-15 05:54 321856 ----a-w- c:\windows\SysWow64\nvStreaming.exe
2011-10-08 16:05 . 2010-09-07 19:52 189248 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2011-10-08 16:05 . 2010-09-07 19:52 75136 ----a-w- c:\windows\SysWow64\PnkBstrA.exe
2011-09-29 16:24 . 2011-11-09 13:30 1897328 ----a-w- c:\windows\system32\drivers\tcpip.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-28_04.46.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-11 01:09 . 2011-12-28 13:06 51648 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
- 2009-07-14 05:10 . 2011-12-27 21:35 32368 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-12-28 13:06 32368 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-08-11 12:59 . 2011-12-28 13:06 29034 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-679397843-2567356324-2801450882-1000_UserData.bin
+ 2010-08-19 00:04 . 2011-12-28 13:07 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-08-19 00:04 . 2011-12-28 04:01 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-08-19 00:04 . 2011-12-28 13:07 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-08-19 00:04 . 2011-12-28 04:01 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-12-28 04:46 . 2011-12-28 04:46 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-12-28 13:04 . 2011-12-28 13:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-12-28 13:04 . 2011-12-28 13:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-12-28 04:46 . 2011-12-28 04:46 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 04:54 . 2011-12-28 04:46 507904 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2011-12-28 13:04 507904 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 05:01 . 2011-12-28 04:32 281920 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2011-12-28 04:56 281920 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 04:54 . 2011-12-28 04:46 6963200 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2011-12-28 13:04 6963200 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-12-28 04:46 4964352 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2011-12-28 13:04 4964352 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-08-11 13:21 . 2011-12-28 04:32 16866894 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-679397843-2567356324-2801450882-1000-8192.dat
+ 2010-08-11 13:21 . 2011-12-28 04:56 16866894 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-679397843-2567356324-2801450882-1000-8192.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\David\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\David\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\David\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2011-08-08 1242448]
"igndlm.exe"="c:\program files (x86)\Download Manager\DLM.exe" [2009-10-27 1103216]
"Pando Media Booster"="c:\program files (x86)\Pando Networks\Media Booster\PMB.exe" [2011-06-12 3071384]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
"VERIZONDM"="c:\program files (x86)\VERIZONDM\bin\sprtcmd.exe" [2011-12-01 206120]
.
c:\users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\David\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
GamersFirst LIVE!.lnk - c:\program files (x86)\GamersFirst\LIVE!\Live.exe [2011-6-7 2586736]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files (x86)\steam\steamapps\common\dragon age origins\bin_ship\DAUpdaterSvc.Service.exe [x]
R3 DrvAgent64;DrvAgent64;c:\windows\SysWOW64\Drivers\DrvAgent64.SYS [2011-11-25 21712]
R3 dump_wmimmc;dump_wmimmc;c:\program files (x86)\steam\steamapps\common\ava\Binaries\GameGuard\dump_wmimmc.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 AppleHFS;AppleHFS; [x]
S0 AppleMNT;AppleMNT; [x]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
S2 AppleOSSMgr;Apple OS Switch Manager;c:\windows\system32\AppleOSSMgr.exe [x]
S2 AppleTimeSrv;Apple Time Service;c:\windows\system32\AppleTimeSrv.exe [x]
S2 KeyAgent;KeyAgent;c:\windows\system32\drivers\KeyAgent.sys [x]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files (x86)\Lavasoft\Ad-Aware\AAWService.exe [2011-12-19 2152152]
S2 MacHALDriver;Mac HAL;c:\windows\system32\drivers\MacHALDriver.sys [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-10-15 2253120]
S2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files (x86)\VERIZONDM\bin\sprtsvc.exe [2011-12-01 206120]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-10-15 381248]
S2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files (x86)\VERIZONDM\bin\tgsrvc.exe [2011-12-01 185640]
S3 acpials;ALS Sensor Filter;c:\windows\system32\DRIVERS\acpials.sys [x]
S3 AppleBtBc;Apple Broadcom Built-in Bluetooth;c:\windows\system32\DRIVERS\AppleBtBc.sys [x]
S3 applemtm;Apple Multitouch Mouse;c:\windows\system32\DRIVERS\applemtm.sys [x]
S3 applemtp;Apple Multitouch;c:\windows\system32\DRIVERS\applemtp.sys [x]
S3 CirrusFilter;CS420xLowerFilter;c:\windows\system32\DRIVERS\CS420x64.sys [x]
S3 IRRemoteFlt;IR Receiver Filter Driver;c:\windows\system32\DRIVERS\IRFilter.sys [x]
S3 KeyMagic;USB Keyboard HID Filter;c:\windows\system32\DRIVERS\KeyMagic.sys [x]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files (x86)\Lavasoft\Ad-Aware\KernExplorer64.sys [2011-12-19 17152]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-28 c:\windows\Tasks\GlaryInitialize.job
- c:\program files (x86)\Glary Utilities\initialize.exe [2010-11-21 02:55]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\David\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\David\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\David\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\David\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apple_KbdMgr"="c:\program files\Boot Camp\Bootcamp.exe" [2010-11-12 740152]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Free YouTube to iPod Converter - c:\users\David\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetoipodconverter.htm
IE: Free YouTube to Mp3 Converter - c:\users\David\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\David\AppData\Roaming\Mozilla\Firefox\Profiles\d9pliic5.default\
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-679397843-2567356324-2801450882-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:8d,f8,75,30,5d,82,8e,dc,a3,d2,b5,2f,f7,7a,94,e1,f4,8f,80,98,b9,7a,2b,
d4,b3,b4,ac,af,aa,81,4c,55,49,d6,7c,2a,aa,f6,64,8d,44,7f,c5,ed,5c,56,ea,91,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22
.
[HKEY_USERS\S-1-5-21-679397843-2567356324-2801450882-1000\Software\SecuROM\License information*]
"datasecu"=hex:c2,5d,30,73,1d,31,e9,59,a2,11,a7,dc,c2,d4,6a,37,7b,24,1f,c9,ee,
84,c5,f6,4b,72,bd,51,7b,67,15,50,85,fc,4b,6b,fc,52,d8,5d,06,3c,cf,da,be,1a,\
"rkeysecu"=hex:84,a4,ea,d9,bc,2f,ef,18,4f,c6,77,d6,54,36,ef,57
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10x_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10x_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-12-28 08:21:23
ComboFix-quarantined-files.txt 2011-12-28 13:21
ComboFix2.txt 2011-12-28 04:51
.
Pre-Run: 23,573,295,104 bytes free
Post-Run: 23,311,773,696 bytes free
.
- - End Of File - - C6EEEEDF987D59F577318FA18E2FEB2A

I've tried a couple of Google searches and so far nothing's redirected.
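Reading a log like the one above comes down to picking out the loading points that deserve a closer look. The following Python helper is an added example, not part of this thread and not a ComboFix feature: it parses the Run-key, startup-folder and service lines in the format ComboFix prints, and flags services ComboFix marked `[x]` (no date/size could be read for the file) and autoruns that load from outside Windows or Program Files. The sample log is constructed from lines quoted in the post above; the "trusted prefix" list is an assumption of this example, not an analyst rule from the thread.

```python
import re
from dataclasses import dataclass
from typing import List

# Run-key values as ComboFix prints them:  "Name"="path" [date size]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]\s*$')
# Startup-folder shortcuts:  Name.lnk - path [date size]
LNK_RE = re.compile(r'^(?P<name>\S.*?\.lnk) - (?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$')
# Service and driver lines:  S2 name;description;path [date size]   (or [x])
SVC_RE = re.compile(
    r'^(?P<state>[RS]\d)\s+(?P<name>[^;]*);(?P<desc>[^;]*);(?P<path>[^\[]*?)\s*\[(?P<meta>[^\]]*)\]\s*$')

# Assumed "trusted" locations: a standard user cannot write here, so anything
# loading from elsewhere (AppData, Temp, the profile) gets a second look even
# when it turns out to be legitimate, as Dropbox is in the log above.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass(frozen=True)
class Finding:
    kind: str    # "run", "startup" or "service"
    name: str
    path: str
    reason: str


def outside_trusted(path: str) -> bool:
    """True for a non-empty path that is not under Windows or Program Files."""
    return bool(path) and not path.lower().startswith(TRUSTED_PREFIXES)


def triage(log_text: str) -> List[Finding]:
    """Walk a ComboFix log and collect the entries an analyst should check first."""
    findings = []
    in_run_key = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[HKEY_"):
            # Only values under a ...\Run key are autoruns; any other key resets the flag.
            in_run_key = line.lower().rstrip("]").endswith("\\run")
            continue
        m = SVC_RE.match(line)
        if m:
            if m["meta"].strip() == "x":
                findings.append(Finding("service", m["name"], m["path"],
                                        "ComboFix printed [x] instead of date/size: confirm the "
                                        "file exists and belongs to installed software"))
            elif outside_trusted(m["path"]):
                findings.append(Finding("service", m["name"], m["path"],
                                        "service binary outside Windows/Program Files"))
            continue
        m = LNK_RE.match(line)
        if m:
            if outside_trusted(m["path"]):
                findings.append(Finding("startup", m["name"], m["path"],
                                        "startup shortcut targets a user-writable location"))
            continue
        if in_run_key:
            m = RUN_RE.match(line)
            if m and outside_trusted(m["path"]):
                findings.append(Finding("run", m["name"], m["path"],
                                        "Run value loads from a user-writable location"))
    return findings


# Constructed sample: a handful of lines taken from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2011-08-08 1242448]
"Pando Media Booster"="c:\program files (x86)\Pando Networks\Media Booster\PMB.exe" [2011-06-12 3071384]
.
c:\users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\David\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
.
R3 DrvAgent64;DrvAgent64;c:\windows\SysWOW64\Drivers\DrvAgent64.SYS [2011-11-25 21712]
S0 AppleHFS;AppleHFS; [x]
S2 KeyAgent;KeyAgent;c:\windows\system32\drivers\KeyAgent.sys [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:8} {f.name:<14} {f.path or '(no path)'}\n         -> {f.reason}")
```

On the sample it reports the Dropbox startup shortcut and the two `[x]` drivers, and nothing for the Program Files entries; a flagged entry is a starting point for verification, not a verdict.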

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:26 AM

Posted 28 December 2011 - 01:33 PM

Hello

I would like to see a report that combofix makes.

extra combofix report

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box
C:\Qoobox\Add-Remove Programs.txt
  • click ok

copy and paste the report into this topic for me to review

Gringo

#14 agentshades

agentshades
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:10:26 AM

Posted 28 December 2011 - 05:18 PM

Here it is:

7-Zip 9.20
Ad-Aware
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader X
Apple Application Support
Apple Software Update
Audacity 1.2.6
Dead Island
Download Manager 2.3.10
Dropbox
Fallout: New Vegas
Free Audio CD Burner version 1.4.7
Free YouTube to iPod Converter version 3.9.28
Free YouTube to MP3 Converter version 3.10.11.923
GameFly
GamersFirst LIVE!
Glary Utilities 2.29.0.1032
Java Auto Updater
Java™ 6 Update 22
Java™ 6 Update 26
Java™ SE Development Kit 6 Update 26
LAME v3.98.3 for Audacity
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 1.1
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft WSE 3.0 Runtime
Microsoft XML Parser
Microsoft XNA Framework Redistributable 3.1
Mozilla Firefox 8.0 (x86 en-US)
NVIDIA PhysX
NVIDIA Stereoscopic 3D Driver
OpenAL
OpenOffice.org 3.3
PakkISO 0.4
Pando Media Booster
Picasa 3
Project64 1.6
PunkBuster Services
QuickTime
Realtek High Definition Audio Driver
Saints Row 2
Sam and Max Season 1 Episode 101
Sam and Max Season 1 Episode 102
Sam and Max Season 1 Episode 103
Sam and Max Season 1 Episode 104
Sam and Max Season 1 Episode 105
Sam and Max Season 1 Episode 106
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Skype Toolbars
Skype™ 5.0
Star Wars: The Old Republic
Steam
System Requirements Lab
System Requirements Lab CYRI
Ubisoft Game Launcher
Uninstall 1.0.0.1
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Verizon Activation
Verizon Download Manager
VLC media player 1.1.7
Windows Media Player Firefox Plugin

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:26 AM

Posted 28 December 2011 - 09:04 PM

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in add/remove anymore. This is fine; just move to the next item on the list.

1. click on start
2. then go to settings
3. after that you need control panel
4. look for the icon add/remove programs
click on the following programs

Java™ 6 Update 22
Java™ 6 Update 26


and click on remove

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader (7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.

Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
