Need help on removing trojan.zeroaccess.b


9 replies to this topic

#1 slik0

  • Members
  • 6 posts

Posted 16 January 2012 - 01:08 AM

Can't remove this virus. Tried utilizing HijackThis to disable certain programs from startup and still no dice. Any help would be much appreciated. Tried Malwarebytes, SUPERAntiSpyware, and Norton 360. Attached my DDS log file.


#2 gringo_pr

    Bleepin Gringo
  • Malware Response Team
  • 136,773 posts

Posted 17 January 2012 - 12:25 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 slik0

  • Topic Starter

Posted 20 January 2012 - 01:24 AM

So the virus that my computer has been infected with is a trojan.zeroaccess.b, and if I shut down my PC and start it, it will go into an infinite loop with a bluescreen that flashes too fast for me to make out the report. The best way to solve it is to press F8 and click Last Known Good Config. The system repair solves the problem, and after a slower than normal boot the system will run fine, albeit there will be a lot of processes running in the background such as sprtsvc.exe *32 and tgsrvc.exe *32 (both are for SupportSoft Agent Service, which I'm sure is a virus).
After SUPERAntiSpyware scans that removed approx. 30 trojan viruses and like 500 adware/malware.

My Norton 360, though, is telling me my computer is infected with Tidserv and trojan.zeroaccess.b, and when I go on Google links sometimes it will link me to a website with a virus. So the virus is still here, and the fact that my computer doesn't start unless I hit Last Known Good Config solidifies it. Also my Norton 360 options will change on their own every other day of the computer being on. Just how do I go about removing this virus? I've tried almost everything.

Attached Below is my HJT Report:

Edited by slik0, 20 January 2012 - 01:24 AM.


#4 gringo_pr

    Bleepin Gringo
  • Malware Response Team
  • 136,773 posts

Posted 20 January 2012 - 01:32 AM

I would like you to read my last post and run the program I asked you to run.

If you cannot download from this computer, then do it from another.


gringo

#5 slik0

  • Topic Starter

Posted 20 January 2012 - 02:03 AM

Below are the ComboFix log and DDS info log:

COMBOFIX LOG
_____________________________________________________________________________________________________
ComboFix 12-01-19.02 - ELIA 01/20/2012 1:28.1.8 - x64
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.6135.3400 [GMT -5:00]
Running from: c:\users\ELIA\Downloads\malak.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\ELIA\AppData\Roaming\mIRC\logs\status.log
c:\windows\assembly\temp\@
c:\windows\assembly\temp\bckfg.tmp
c:\windows\assembly\temp\cfg.ini
c:\windows\assembly\temp\keywords
c:\windows\assembly\temp\kwrd.dll
c:\windows\system32\consrv.dll
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\System64
E:\install.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-12-20 to 2012-01-20 )))))))))))))))))))))))))))))))
.
.
2012-01-20 06:39 . 2012-01-20 06:39 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-20 06:39 . 2012-01-20 06:39 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-01-16 15:47 . 2012-01-16 15:49 -------- d-----w- c:\program files\Unlocker
2012-01-16 07:15 . 2012-01-16 10:53 -------- d-----w- C:\dad
2012-01-16 06:36 . 2012-01-16 07:59 -------- d-----w- c:\users\ELIA\AppData\Local\NPE
2012-01-16 05:08 . 2012-01-16 05:08 -------- d-----w- c:\windows\SysWow64\N360_BACKUP
2012-01-15 21:48 . 2012-01-15 21:48 -------- d-----w- c:\users\ELIA\AppData\Local\Symantec
2012-01-10 05:42 . 2012-01-10 07:01 281880 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2012-01-10 05:42 . 2012-01-10 05:43 281880 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2012-01-10 02:22 . 2012-01-10 02:22 -------- d-----w- c:\users\ELIA\AppData\Roaming\FixTDSS
2012-01-09 09:03 . 2012-01-09 09:03 103736 ----a-w- c:\windows\system32\PnkBstrB.exe
2012-01-09 08:20 . 2012-01-09 08:36 -------- d-----w- c:\program files\Symantec
2012-01-09 08:20 . 2012-01-09 08:36 174200 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS
2012-01-09 08:20 . 2012-01-09 08:20 -------- d-----w- c:\program files\Common Files\Symantec Shared
2012-01-09 08:19 . 2012-01-09 08:42 -------- d-----w- c:\windows\system32\drivers\N360x64
2012-01-09 08:19 . 2012-01-09 08:19 -------- d-----w- c:\program files (x86)\Norton 360
2012-01-09 01:22 . 2012-01-09 01:22 -------- d-----w- c:\users\ELIA\AppData\Roaming\SUPERAntiSpyware.com
2012-01-09 01:14 . 2012-01-09 01:14 -------- d-----w- c:\users\Administrator\AppData\Local\ElevatedDiagnostics
2012-01-06 02:26 . 2012-01-06 02:26 -------- d--h--w- c:\users\Administrator\AppData\Roaming\SUPERAntiSpyware.com
2012-01-06 02:25 . 2012-01-15 21:52 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-01-06 02:25 . 2012-01-06 02:25 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-01-03 22:29 . 2012-01-05 08:44 -------- d--h--w- c:\users\Administrator\AppData\Roaming\Skype
2012-01-01 09:49 . 2012-01-01 09:49 -------- d--h--w- c:\users\Administrator\AppData\Local\Realmware
2011-12-31 02:26 . 2011-12-31 12:12 -------- d--h--w- c:\users\Administrator\AppData\Local\ESN Sonar
2011-12-31 00:47 . 2011-12-31 00:47 -------- d--h--w- c:\users\Administrator\AppData\Local\Adobe
2011-12-30 08:28 . 2011-12-30 08:28 -------- d--h--w- c:\users\Administrator\AppData\Local\HP
2011-12-29 12:18 . 2012-01-08 09:45 -------- d--h--w- c:\users\Administrator\AppData\Local\CrashDumps
2011-12-29 09:04 . 2011-12-29 09:04 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2011-12-29 08:57 . 2011-12-29 08:57 -------- d--h--w- c:\users\Administrator\AppData\Local\PunkBuster
2011-12-29 08:55 . 2011-12-29 08:56 -------- d--h--w- c:\users\Administrator\AppData\Roaming\Origin
2011-12-29 04:53 . 2011-12-29 05:04 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-12-29 03:44 . 2011-12-29 03:44 -------- d--h--w- c:\users\Administrator\AppData\Roaming\Malwarebytes
2011-12-29 03:05 . 2011-12-29 03:05 -------- d--h--w- c:\users\Administrator\AppData\Local\Origin
2011-12-28 04:16 . 2011-09-22 22:41 837952 ----a-w- c:\windows\system32\easyupdatusapiu64.dll
2011-12-28 04:16 . 2011-09-22 22:41 5067584 ----a-w- c:\windows\system32\nvsvc64.dll
2011-12-28 04:16 . 2011-09-22 22:41 222528 ----a-w- c:\windows\system32\nvmctray.dll
2011-12-28 04:16 . 2011-09-22 22:41 1640768 ----a-w- c:\windows\system32\nvvsvc.exe
2011-12-28 04:16 . 2011-09-22 22:41 137536 ----a-w- c:\windows\system32\nvshext.dll
2011-12-28 04:16 . 2011-09-22 22:41 10406208 ----a-w- c:\windows\system32\nvcpl.dll
2011-12-28 04:16 . 2011-05-21 11:01 2560616 ----a-w- c:\windows\system32\nvsvcr.dll
2011-12-28 04:16 . 2011-12-28 04:16 -------- d-----w- c:\programdata\NVIDIA Corporation
2011-12-28 04:15 . 2011-12-28 04:15 -------- d-----w- C:\NVIDIA
2011-12-28 01:14 . 2011-12-28 01:14 -------- d-----w- c:\users\ELIA\AppData\Local\Realmware
2011-12-28 01:14 . 2011-12-28 01:14 -------- d-----w- c:\program files\Realmware
2011-12-27 23:45 . 2011-12-27 23:46 -------- d-----w- c:\program files (x86)\Battlelog Web Plugins
2011-12-27 23:27 . 2011-12-27 23:27 53248 ----a-r- c:\users\ELIA\AppData\Roaming\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2011-12-27 23:27 . 2011-12-27 23:40 18960 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2011-12-27 23:26 . 2011-12-27 23:27 -------- d-----w- c:\programdata\Logishrd
2011-12-27 21:45 . 2011-02-26 06:23 2870272 ----a-w- c:\windows\explorer.exe
2011-12-27 21:44 . 2011-02-23 05:15 90624 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-12-27 21:42 . 2011-10-15 06:25 723456 ----a-w- c:\windows\system32\EncDec.dll
2011-12-27 21:42 . 2011-10-15 05:48 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
2011-12-26 23:53 . 2011-12-26 23:53 -------- d-----w- c:\users\ELIA\AppData\Roaming\Origin
2011-12-26 23:53 . 2011-12-26 23:53 -------- d-----w- c:\users\ELIA\AppData\Local\Origin
2011-12-26 23:53 . 2012-01-16 13:32 -------- d-----w- c:\programdata\Origin
2011-12-26 23:53 . 2011-12-26 23:53 -------- d-----w- c:\program files (x86)\Origin Games
2011-12-26 23:53 . 2012-01-19 02:00 -------- d-----w- c:\program files (x86)\Origin
2011-12-26 02:54 . 2011-12-26 02:54 -------- d-----w- c:\program files\iPod
2011-12-26 02:54 . 2011-12-26 02:55 -------- d-----w- c:\program files\iTunes
2011-12-26 02:54 . 2011-12-26 02:55 -------- d-----w- c:\program files (x86)\iTunes
2011-12-26 02:52 . 2011-12-26 02:52 -------- d-----w- c:\program files\Bonjour
2011-12-26 02:52 . 2011-12-26 02:52 -------- d-----w- c:\program files (x86)\Bonjour
2011-12-26 02:51 . 2011-12-26 02:51 -------- d-----w- c:\program files (x86)\Apple Software Update
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-10 07:01 . 2010-02-02 05:28 281880 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
2012-01-10 05:42 . 2010-02-02 05:27 76888 ----a-w- c:\windows\SysWow64\PnkBstrA.exe
2012-01-10 05:41 . 2010-02-02 05:27 840264 ----a-w- c:\windows\SysWow64\pbsvc.exe
2011-12-10 20:24 . 2010-02-02 02:48 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-09 15:02 . 2011-12-09 15:02 271424 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2011-11-25 21:24 . 2009-08-18 17:49 564632 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\wlidui.dll
2011-11-25 21:24 . 2009-08-18 16:24 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-10-24 19:29 . 2011-10-24 19:29 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
2011-10-24 19:29 . 2011-10-24 19:29 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="d:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE" [2012-01-09 2424192]
"EADM"="c:\program files (x86)\Origin\Origin.exe" [2012-01-11 28201096]
.
c:\users\ELIA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech . Product Registration.lnk - c:\program files (x86)\Common Files\LogiShrd\eReg\SetPoint\eReg.exe [2009-11-16 517384]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"FilterAdministratorToken"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20111223.001_3e3\BHDrvx64.sys [2011-12-24 1157240]
R1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20120119.006\IDSvia64.sys [2012-01-10 488568]
R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-09-16 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360x64\0501000.01D\Ironx64.SYS [x]
R1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\N360x64\0501000.01D\SYMNETS.SYS [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys [x]
R2 N360;Norton 360;c:\program files (x86)\Norton 360\Engine\5.1.0.29\ccSvcHst.exe [2011-04-17 130008]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-09-22 2253120]
R2 PCCUJobMgr;Common Client Job Manager Service;c:\program files (x86)\Norton PC Checkup\Engine\2.0.8.5\ccSvcHst.exe [2009-08-24 126392]
R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files (x86)\VERIZONDM\bin\sprtsvc.exe [2010-06-11 206120]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-09-22 381248]
R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files (x86)\VERIZONDM\bin\tgsrvc.exe [2010-06-11 185640]
R3 ALSysIO;ALSysIO;c:\users\ELIA\AppData\Local\Temp\ALSysIO64.sys [x]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-01-16 138360]
R3 LVUSBS64;Logitech USB Monitor Filter;c:\windows\system32\DRIVERS\LVUSBS64.sys [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl64.sys [x]
R3 RivaTuner64;RivaTuner64;d:\program files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner64.sys [2009-09-01 19952]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
R4 MBAMService;MBAMService;e:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-24 652872]
R4 McciCMService64;McciCMService64;c:\program files\Common Files\Motive\McciCMService.exe [2010-03-17 517632]
R4 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files (x86)\Norton PC Checkup\Engine\2.0.8.5\SymcPCCULaunchSvc.exe [2010-11-05 118128]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360x64\0501000.01D\SYMDS64.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360x64\0501000.01D\SYMEFA64.SYS [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-16 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1348709205-2046332959-3345379082-1001Core.job
- c:\users\ELIA\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-11-22 20:47]
.
2012-01-20 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1348709205-2046332959-3345379082-1001UA.job
- c:\users\ELIA\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-11-22 20:47]
.
2012-01-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1348709205-2046332959-3345379082-1001Core.job
- c:\users\ELIA\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-08 04:31]
.
2012-01-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1348709205-2046332959-3345379082-1001UA.job
- c:\users\ELIA\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-08 04:31]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RivaTunerStartupDaemon"="d:\program files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTunerWrapper.exe" [2009-08-22 24576]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-08-31 8095776]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1744152]
"combofix"="c:\malak\CF21557.3XE" [2009-07-14 344576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"combofix"="c:\malak\CF21557.3XE" [2009-07-14 344576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SYSTEM32\blank.htm
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\ELIA\AppData\Roaming\Mozilla\Firefox\Profiles\2e4fg34l.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IP2TDF&PC=IP2TDF&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=PLTV5-DL&o=16684&locale=en_US&apn_uid=0AC00BF2-93C3-4D56-8806-A3F7D1C70FBA&apn_ptnrs=2I&apn_sauid=574C9524-63AD-49C5-852B-D281285D4CCF&apn_dtid=YYYYYYYYUS&q=
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-GoldenEye: Source - c:\program files\Steam\SteamApps\sourcemods\GoldenEye: Source_Uninstall.exe
AddRemove-HijackThis - d:\program files\Trend Micro\HijackThis\HijackThis.exe
AddRemove-Passware Kit Enterprise - c:\program files (x86)\Passware\un-kit_ent.exe
AddRemove-PunkBusterSvc - c:\windows\system32\pbsvc.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\services\N360]
"ImagePath"="\"c:\program files (x86)\Norton 360\Engine\5.1.0.29\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files (x86)\Norton 360\Engine\5.1.0.29\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\services\PCCUJobMgr]
"ImagePath"="\"c:\program files (x86)\Norton PC Checkup\Engine\2.0.8.5\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files (x86)\Norton PC Checkup\Engine\2.0.8.5\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1348709205-2046332959-3345379082-1001\Software\SecuROM\License information*]
"datasecu"=hex:3b,6d,51,2a,66,e3,56,a0,cf,6d,13,ae,49,b9,7c,0b,e5,ca,ff,6a,21,
93,75,1d,e1,63,94,4d,38,94,ae,cb,7a,9b,ee,61,09,d8,2f,6f,97,da,ae,d1,9c,1a,\
"rkeysecu"=hex:b2,4e,7d,d8,43,fb,99,5c,69,b1,3e,59,f2,d9,c4,14
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-01-20 01:47:15 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-20 06:47
.
Pre-Run: 33,976,651,776 bytes free
Post-Run: 33,671,102,464 bytes free
.
- - End Of File - - C0381BDF1E30AAEDDA164E7B483416AC

DDS INFO LOG
______________________________________________________________________

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_22
Run by ELIA at 1:03:18 on 2012-01-16
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.6135.3036 [GMT -5:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Norton 360\Engine\5.1.0.29\ccSvcHst.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.8.5\ccSvcHst.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Core Temp\Core Temp.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files (x86)\Norton 360\Engine\5.1.0.29\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\RealVNC\VNC4\winvnc4.exe
C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.8.5\ccSvcHst.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
D:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\DllHost.exe
C:\Users\ELIA\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\ELIA\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Users\ELIA\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\ELIA\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\taskmgr.exe
C:\Users\ELIA\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\ELIA\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\ELIA\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\ping.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton 360\Engine\5.1.0.29\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton 360\Engine\5.1.0.29\IPS\IPSBHO.DLL
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton 360\Engine\5.1.0.29\coIEPlg.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
uRun: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
mRun: [<NO NAME>]
StartupFolder: C:\Users\ELIA\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\LOGITE~1.LNK - C:\Program Files (x86)\Common Files\LogiShrd\eReg\SetPoint\eReg.exe
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: FilterAdministratorToken = 1 (0x1)
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
LSP: mswsock.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{6E836FE6-7A77-4D4F-8643-604565C8CF91} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{71161337-8E70-41CB-9B45-6E16B2F4F035} : DhcpNameServer = 172.16.145.103 172.16.145.103
TCP: Interfaces\{D1F99277-6283-405E-B120-0E25CECFC402} : DhcpNameServer = 192.168.1.1 68.237.161.12
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~2\Office12\GR469A~1.DLL
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4
BHO-X64: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO-X64: HP Print Enhancer - No File
BHO-X64: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton 360\Engine\5.1.0.29\coIEPlg.dll
BHO-X64: Symantec NCO BHO - No File
BHO-X64: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton 360\Engine\5.1.0.29\IPS\IPSBHO.DLL
BHO-X64: Symantec Intrusion Prevention - No File
TB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine\5.1.0.29\coIEPlg.dll
TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
mRun-x64: [(Default)]
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~2\Office12\GR469A~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\ELIA\AppData\Roaming\Mozilla\Firefox\Profiles\2e4fg34l.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IP2TDF&PC=IP2TDF&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=PLTV5-DL&o=16684&locale=en_US&apn_uid=0AC00BF2-93C3-4D56-8806-A3F7D1C70FBA&apn_ptnrs=2I&apn_sauid=574C9524-63AD-49C5-852B-D281285D4CCF&apn_dtid=YYYYYYYYUS&q=
FF - plugin: C:\Program Files (x86)\Battlelog Web Plugins\1.104.0\npesnlaunch.dll
FF - plugin: C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.4\npesnsonar.dll
FF - plugin: C:\Program Files (x86)\Common Files\Motive\npMotive.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: C:\Users\ELIA\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll
FF - plugin: C:\Users\ELIA\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: C:\Users\ELIA\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: C:\Users\ELIA\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;C:\Windows\system32\drivers\N360x64\0501000.01D\SYMDS64.SYS --> C:\Windows\system32\drivers\N360x64\0501000.01D\SYMDS64.SYS [?]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\drivers\N360x64\0501000.01D\SYMEFA64.SYS --> C:\Windows\system32\drivers\N360x64\0501000.01D\SYMEFA64.SYS [?]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20111223.001_3e3\BHDrvx64.sys [2011-12-23 1157240]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\system32\DRIVERS\dtsoftbus01.sys --> C:\Windows\system32\DRIVERS\dtsoftbus01.sys [?]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20120113.002\IDSviA64.sys [2012-1-13 488568]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R1 SymIRON;Symantec Iron Driver;C:\Windows\system32\drivers\N360x64\0501000.01D\Ironx64.SYS --> C:\Windows\system32\drivers\N360x64\0501000.01D\Ironx64.SYS [?]
R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\system32\Drivers\N360x64\0501000.01D\SYMNETS.SYS --> C:\Windows\system32\Drivers\N360x64\0501000.01D\SYMNETS.SYS [?]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-8-11 140672]
R2 cpuz132;cpuz132;\??\C:\Windows\system32\drivers\cpuz132_x64.sys --> C:\Windows\system32\drivers\cpuz132_x64.sys [?]
R2 cpuz135;cpuz135;\??\C:\Windows\system32\drivers\cpuz135_x64.sys --> C:\Windows\system32\drivers\cpuz135_x64.sys [?]
R2 N360;Norton 360;C:\Program Files (x86)\Norton 360\Engine\5.1.0.29\ccsvchst.exe [2012-1-9 130008]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-12-27 2253120]
R2 PCCUJobMgr;Common Client Job Manager Service;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.8.5\ccSvcHst.exe [2010-11-16 126392]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-9-22 381248]
R3 LVUSBS64;Logitech USB Monitor Filter;C:\Windows\system32\DRIVERS\LVUSBS64.sys --> C:\Windows\system32\DRIVERS\LVUSBS64.sys [?]
R3 RivaTuner64;RivaTuner64;D:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner64.sys [2009-8-22 19952]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
S1 SASDIFSV;SASDIFSV;D:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [2009-7-28 12872]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);C:\Program Files (x86)\VERIZONDM\bin\sprtsvc.exe [2010-6-11 206120]
S2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);C:\Program Files (x86)\VERIZONDM\bin\tgsrvc.exe [2010-6-11 185640]
S3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
S3 Netaapl;Apple Mobile Device Ethernet Service;C:\Windows\system32\DRIVERS\netaapl64.sys --> C:\Windows\system32\DRIVERS\netaapl64.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S4 MBAMService;MBAMService;E:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2010-2-1 652872]
S4 McciCMService64;McciCMService64;C:\Program Files\Common Files\Motive\McciCMService.exe [2010-7-6 517632]
S4 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.8.5\SymcPCCULaunchSvc.exe [2010-11-16 118128]
.
=============== Created Last 30 ================
.
2012-01-16 05:08:15 -------- d-----w- C:\Windows\SysWow64\N360_BACKUP
2012-01-15 21:48:56 -------- d-----w- C:\Users\ELIA\AppData\Local\Symantec
2012-01-10 05:42:25 281880 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2012-01-10 05:42:25 281880 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
2012-01-10 02:22:06 -------- d-----w- C:\Users\ELIA\AppData\Roaming\FixTDSS
2012-01-09 09:03:32 103736 ----a-w- C:\Windows\System32\PnkBstrB.exe
2012-01-09 08:36:35 912504 ----a-w- C:\Windows\System32\drivers\N360x64\0501000.01D\symefa64.sys
2012-01-09 08:36:35 744568 ----a-w- C:\Windows\System32\drivers\N360x64\0501000.01D\srtsp64.sys
2012-01-09 08:36:35 450680 ----a-w- C:\Windows\System32\drivers\N360x64\0501000.01D\symds64.sys
2012-01-09 08:36:35 40568 ----a-w- C:\Windows\System32\drivers\N360x64\0501000.01D\srtspx64.sys
2012-01-09 08:36:35 386168 ----a-w- C:\Windows\System32\drivers\N360x64\0501000.01D\symnets.sys
2012-01-09 08:36:35 171128 ----a-r- C:\Windows\System32\drivers\N360x64\0501000.01D\ironx64.sys
2012-01-09 08:36:18 -------- d-----w- C:\Windows\System32\drivers\N360x64\0501000.01D
2012-01-09 08:20:08 174200 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS
2012-01-09 08:20:08 -------- d-----w- C:\Program Files\Symantec
2012-01-09 08:20:08 -------- d-----w- C:\Program Files\Common Files\Symantec Shared
2012-01-09 08:19:36 -------- d-----w- C:\Windows\System32\drivers\N360x64
2012-01-09 08:19:31 -------- d-----w- C:\Program Files (x86)\Norton 360
2012-01-09 01:22:23 -------- d-----w- C:\Users\ELIA\AppData\Roaming\SUPERAntiSpyware.com
2012-01-06 02:25:51 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
2012-01-06 02:25:51 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2011-12-29 09:04:09 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%
2011-12-29 08:49:58 -------- d-----we C:\Windows\system64
2011-12-29 04:53:35 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2011-12-28 04:16:57 837952 ----a-w- C:\Windows\System32\easyupdatusapiu64.dll
2011-12-28 04:16:57 5067584 ----a-w- C:\Windows\System32\nvsvc64.dll
2011-12-28 04:16:57 2560616 ----a-w- C:\Windows\System32\nvsvcr.dll
2011-12-28 04:16:57 222528 ----a-w- C:\Windows\System32\nvmctray.dll
2011-12-28 04:16:57 1640768 ----a-w- C:\Windows\System32\nvvsvc.exe
2011-12-28 04:16:57 137536 ----a-w- C:\Windows\System32\nvshext.dll
2011-12-28 04:16:57 10406208 ----a-w- C:\Windows\System32\nvcpl.dll
2011-12-28 04:16:17 -------- d-----w- C:\ProgramData\NVIDIA Corporation
2011-12-28 04:15:39 -------- d-----w- C:\NVIDIA
2011-12-28 01:14:35 -------- d-----w- C:\Users\ELIA\AppData\Local\Realmware
2011-12-28 01:14:19 -------- d-----w- C:\Program Files\Realmware
2011-12-27 23:45:58 -------- d-----w- C:\Program Files (x86)\Battlelog Web Plugins
2011-12-27 23:27:34 53248 ----a-r- C:\Users\ELIA\AppData\Roaming\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2011-12-27 23:27:17 18960 ----a-w- C:\Windows\System32\drivers\LNonPnP.sys
2011-12-27 21:45:59 2870272 ----a-w- C:\Windows\explorer.exe
2011-12-27 21:44:49 90624 ----a-w- C:\Windows\System32\drivers\bowser.sys
2011-12-27 21:42:58 723456 ----a-w- C:\Windows\System32\EncDec.dll
2011-12-27 21:42:58 534528 ----a-w- C:\Windows\SysWow64\EncDec.dll
2011-12-26 23:53:41 -------- d-----w- C:\Users\ELIA\AppData\Roaming\Origin
2011-12-26 23:53:34 -------- d-----w- C:\Users\ELIA\AppData\Local\Origin
2011-12-26 23:53:28 -------- d-----w- C:\ProgramData\Origin
2011-12-26 23:53:28 -------- d-----w- C:\Program Files (x86)\Origin Games
2011-12-26 23:53:13 -------- d-----w- C:\Program Files (x86)\Origin
2011-12-26 02:54:59 -------- d-----w- C:\Program Files\iPod
2011-12-26 02:54:58 -------- d-----w- C:\Program Files\iTunes
2011-12-26 02:54:58 -------- d-----w- C:\Program Files (x86)\iTunes
2011-12-26 02:52:45 -------- d-----w- C:\Program Files\Bonjour
2011-12-26 02:52:45 -------- d-----w- C:\Program Files (x86)\Bonjour
.
==================== Find3M ====================
.
2012-01-10 07:01:11 281880 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
2012-01-10 05:42:04 76888 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe
2012-01-10 05:41:23 840264 ----a-w- C:\Windows\SysWow64\pbsvc.exe
2011-12-10 20:24:08 23152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-12-09 15:02:22 271424 ----a-w- C:\Windows\System32\drivers\dtsoftbus01.sys
2011-11-24 05:00:47 3141632 ----a-w- C:\Windows\System32\win32k.sys
2011-11-05 05:17:42 2048 ----a-w- C:\Windows\System32\tzres.dll
2011-11-05 04:30:11 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2011-11-04 01:53:39 2309120 ----a-w- C:\Windows\System32\jscript9.dll
2011-11-04 01:44:47 1390080 ----a-w- C:\Windows\System32\wininet.dll
2011-11-04 01:44:21 1493504 ----a-w- C:\Windows\System32\inetcpl.cpl
2011-11-04 01:34:43 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2011-11-03 22:47:42 1798144 ----a-w- C:\Windows\SysWow64\jscript9.dll
2011-11-03 22:40:21 1427456 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2011-11-03 22:39:47 1127424 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-11-03 22:31:57 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-10-26 05:19:07 43520 ----a-w- C:\Windows\System32\csrsrv.dll
2011-10-24 19:29:02 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx
2011-10-24 19:29:02 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts
.
============= FINISH: 1:03:47.35 ===============



Edited by slik0, 20 January 2012 - 02:15 AM.


#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:01 PM

Posted 20 January 2012 - 02:26 AM

Greetings

Good, that cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

FireFox::
FF - ProfilePath - c:\users\ELIA\AppData\Roaming\Mozilla\Firefox\Profiles\2e4fg34l.default\
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=PLTV5-DL&o=16684&locale=en_US&apn_uid=0AC00BF2-93C3-4D56-8806-A3F7D1C70FBA&apn_ptnrs=2I&apn_sauid=574C9524-63AD-49C5-852B-D281285D4CCF&apn_dtid=YYYYYYYYUS&q=


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs, Please Bump The Topic.


#7 slik0

slik0
  • Topic Starter

  • Members
  • 6 posts
  • Local time:11:01 AM

Posted 20 January 2012 - 03:53 AM

Here is the new ComboFix using the script. Going to go to sleep as I have work very early; hopefully this information helps you help me ;) Thanks bro, I appreciate it.


ComboFix 12-01-19.02 - ELIA 01/20/2012 3:34.1.8 - x64
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.6135.1391 [GMT -5:00]
Running from: c:\users\ELIA\Contacts\Desktop\malak.exe
Command switches used :: c:\users\ELIA\Contacts\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\assembly\temp\@
c:\windows\assembly\temp\bckfg.tmp
c:\windows\assembly\temp\cfg.ini
c:\windows\assembly\temp\keywords
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\System64
.
.
((((((((((((((((((((((((( Files Created from 2011-12-20 to 2012-01-20 )))))))))))))))))))))))))))))))
.
.
2012-01-20 08:44 . 2012-01-20 08:44 -------- d-----we c:\windows\system64
2012-01-20 08:42 . 2012-01-20 08:42 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2012-01-20 08:42 . 2012-01-20 08:42 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-01-20 08:42 . 2012-01-20 08:42 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-16 15:47 . 2012-01-16 15:49 -------- d-----w- c:\program files\Unlocker
2012-01-16 07:15 . 2012-01-16 10:53 -------- d-----w- C:\dad
2012-01-16 06:36 . 2012-01-16 07:59 -------- d-----w- c:\users\ELIA\AppData\Local\NPE
2012-01-16 05:08 . 2012-01-16 05:08 -------- d-----w- c:\windows\SysWow64\N360_BACKUP
2012-01-15 21:48 . 2012-01-15 21:48 -------- d-----w- c:\users\ELIA\AppData\Local\Symantec
2012-01-10 05:42 . 2012-01-10 07:01 281880 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2012-01-10 05:42 . 2012-01-10 05:43 281880 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2012-01-10 02:22 . 2012-01-10 02:22 -------- d-----w- c:\users\ELIA\AppData\Roaming\FixTDSS
2012-01-09 09:03 . 2012-01-09 09:03 103736 ----a-w- c:\windows\system32\PnkBstrB.exe
2012-01-09 08:20 . 2012-01-09 08:36 -------- d-----w- c:\program files\Symantec
2012-01-09 08:20 . 2012-01-09 08:36 174200 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS
2012-01-09 08:20 . 2012-01-09 08:20 -------- d-----w- c:\program files\Common Files\Symantec Shared
2012-01-09 08:19 . 2012-01-09 08:42 -------- d-----w- c:\windows\system32\drivers\N360x64
2012-01-09 08:19 . 2012-01-09 08:19 -------- d-----w- c:\program files (x86)\Norton 360
2012-01-09 01:22 . 2012-01-09 01:22 -------- d-----w- c:\users\ELIA\AppData\Roaming\SUPERAntiSpyware.com
2012-01-09 01:14 . 2012-01-09 01:14 -------- d-----w- c:\users\Administrator\AppData\Local\ElevatedDiagnostics
2012-01-06 02:26 . 2012-01-06 02:26 -------- d--h--w- c:\users\Administrator\AppData\Roaming\SUPERAntiSpyware.com
2012-01-06 02:25 . 2012-01-15 21:52 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-01-06 02:25 . 2012-01-06 02:25 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-01-03 22:29 . 2012-01-05 08:44 -------- d--h--w- c:\users\Administrator\AppData\Roaming\Skype
2012-01-01 09:49 . 2012-01-01 09:49 -------- d--h--w- c:\users\Administrator\AppData\Local\Realmware
2011-12-31 02:26 . 2011-12-31 12:12 -------- d--h--w- c:\users\Administrator\AppData\Local\ESN Sonar
2011-12-31 00:47 . 2011-12-31 00:47 -------- d--h--w- c:\users\Administrator\AppData\Local\Adobe
2011-12-30 08:28 . 2011-12-30 08:28 -------- d--h--w- c:\users\Administrator\AppData\Local\HP
2011-12-29 12:18 . 2012-01-08 09:45 -------- d--h--w- c:\users\Administrator\AppData\Local\CrashDumps
2011-12-29 09:04 . 2011-12-29 09:04 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2011-12-29 08:57 . 2011-12-29 08:57 -------- d--h--w- c:\users\Administrator\AppData\Local\PunkBuster
2011-12-29 08:55 . 2011-12-29 08:56 -------- d--h--w- c:\users\Administrator\AppData\Roaming\Origin
2011-12-29 04:53 . 2011-12-29 05:04 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-12-29 03:44 . 2011-12-29 03:44 -------- d--h--w- c:\users\Administrator\AppData\Roaming\Malwarebytes
2011-12-29 03:05 . 2011-12-29 03:05 -------- d--h--w- c:\users\Administrator\AppData\Local\Origin
2011-12-28 04:16 . 2011-09-22 22:41 837952 ----a-w- c:\windows\system32\easyupdatusapiu64.dll
2011-12-28 04:16 . 2011-09-22 22:41 5067584 ----a-w- c:\windows\system32\nvsvc64.dll
2011-12-28 04:16 . 2011-09-22 22:41 222528 ----a-w- c:\windows\system32\nvmctray.dll
2011-12-28 04:16 . 2011-09-22 22:41 1640768 ----a-w- c:\windows\system32\nvvsvc.exe
2011-12-28 04:16 . 2011-09-22 22:41 137536 ----a-w- c:\windows\system32\nvshext.dll
2011-12-28 04:16 . 2011-09-22 22:41 10406208 ----a-w- c:\windows\system32\nvcpl.dll
2011-12-28 04:16 . 2011-05-21 11:01 2560616 ----a-w- c:\windows\system32\nvsvcr.dll
2011-12-28 04:16 . 2011-12-28 04:16 -------- d-----w- c:\programdata\NVIDIA Corporation
2011-12-28 04:15 . 2011-12-28 04:15 -------- d-----w- C:\NVIDIA
2011-12-28 01:14 . 2011-12-28 01:14 -------- d-----w- c:\users\ELIA\AppData\Local\Realmware
2011-12-28 01:14 . 2011-12-28 01:14 -------- d-----w- c:\program files\Realmware
2011-12-27 23:45 . 2011-12-27 23:46 -------- d-----w- c:\program files (x86)\Battlelog Web Plugins
2011-12-27 23:27 . 2011-12-27 23:27 53248 ----a-r- c:\users\ELIA\AppData\Roaming\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2011-12-27 23:27 . 2011-12-27 23:40 18960 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2011-12-27 23:26 . 2011-12-27 23:27 -------- d-----w- c:\programdata\Logishrd
2011-12-27 21:45 . 2011-02-26 06:23 2870272 ----a-w- c:\windows\explorer.exe
2011-12-27 21:44 . 2011-02-23 05:15 90624 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-12-27 21:42 . 2011-10-15 06:25 723456 ----a-w- c:\windows\system32\EncDec.dll
2011-12-27 21:42 . 2011-10-15 05:48 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
2011-12-26 23:53 . 2011-12-26 23:53 -------- d-----w- c:\users\ELIA\AppData\Roaming\Origin
2011-12-26 23:53 . 2011-12-26 23:53 -------- d-----w- c:\users\ELIA\AppData\Local\Origin
2011-12-26 23:53 . 2012-01-16 13:32 -------- d-----w- c:\programdata\Origin
2011-12-26 23:53 . 2011-12-26 23:53 -------- d-----w- c:\program files (x86)\Origin Games
2011-12-26 23:53 . 2012-01-19 02:00 -------- d-----w- c:\program files (x86)\Origin
2011-12-26 02:54 . 2011-12-26 02:54 -------- d-----w- c:\program files\iPod
2011-12-26 02:54 . 2011-12-26 02:55 -------- d-----w- c:\program files\iTunes
2011-12-26 02:54 . 2011-12-26 02:55 -------- d-----w- c:\program files (x86)\iTunes
2011-12-26 02:52 . 2011-12-26 02:52 -------- d-----w- c:\program files\Bonjour
2011-12-26 02:52 . 2011-12-26 02:52 -------- d-----w- c:\program files (x86)\Bonjour
2011-12-26 02:51 . 2011-12-26 02:51 -------- d-----w- c:\program files (x86)\Apple Software Update
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-10 07:01 . 2010-02-02 05:28 281880 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
2012-01-10 05:42 . 2010-02-02 05:27 76888 ----a-w- c:\windows\SysWow64\PnkBstrA.exe
2012-01-10 05:41 . 2010-02-02 05:27 840264 ----a-w- c:\windows\SysWow64\pbsvc.exe
2011-12-10 20:24 . 2010-02-02 02:48 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-09 15:02 . 2011-12-09 15:02 271424 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2011-11-25 21:24 . 2009-08-18 17:49 564632 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\wlidui.dll
2011-11-25 21:24 . 2009-08-18 16:24 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-10-24 19:29 . 2011-10-24 19:29 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
2011-10-24 19:29 . 2011-10-24 19:29 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="d:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE" [2012-01-09 2424192]
"EADM"="c:\program files (x86)\Origin\Origin.exe" [2012-01-11 28201096]
.
c:\users\ELIA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech . Product Registration.lnk - c:\program files (x86)\Common Files\LogiShrd\eReg\SetPoint\eReg.exe [2009-11-16 517384]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"FilterAdministratorToken"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20120113.002\IDSvia64.sys [x]
R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-09-16 12872]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl64.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 MBAMService;MBAMService;e:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-24 652872]
R4 McciCMService64;McciCMService64;c:\program files\Common Files\Motive\McciCMService.exe [2010-03-17 517632]
R4 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files (x86)\Norton PC Checkup\Engine\2.0.8.5\SymcPCCULaunchSvc.exe [2010-11-05 118128]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360x64\0501000.01D\SYMDS64.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360x64\0501000.01D\SYMEFA64.SYS [x]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20111223.001_3e3\BHDrvx64.sys [2011-12-24 1157240]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360x64\0501000.01D\Ironx64.SYS [x]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\N360x64\0501000.01D\SYMNETS.SYS [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys [x]
S2 N360;Norton 360;c:\program files (x86)\Norton 360\Engine\5.1.0.29\ccSvcHst.exe [2011-04-17 130008]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-09-22 2253120]
S2 PCCUJobMgr;Common Client Job Manager Service;c:\program files (x86)\Norton PC Checkup\Engine\2.0.8.5\ccSvcHst.exe [2009-08-24 126392]
S2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files (x86)\VERIZONDM\bin\sprtsvc.exe [2010-06-11 206120]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-09-22 381248]
S2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files (x86)\VERIZONDM\bin\tgsrvc.exe [2010-06-11 185640]
S3 ALSysIO;ALSysIO;c:\users\ELIA\AppData\Local\Temp\ALSysIO64.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-01-16 138360]
S3 LVUSBS64;Logitech USB Monitor Filter;c:\windows\system32\DRIVERS\LVUSBS64.sys [x]
S3 RivaTuner64;RivaTuner64;d:\program files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner64.sys [2009-09-01 19952]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-16 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1348709205-2046332959-3345379082-1001Core.job
- c:\users\ELIA\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-11-22 20:47]
.
2012-01-20 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1348709205-2046332959-3345379082-1001UA.job
- c:\users\ELIA\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-11-22 20:47]
.
2012-01-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1348709205-2046332959-3345379082-1001Core.job
- c:\users\ELIA\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-08 04:31]
.
2012-01-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1348709205-2046332959-3345379082-1001UA.job
- c:\users\ELIA\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-08 04:31]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RivaTunerStartupDaemon"="d:\program files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTunerWrapper.exe" [2009-08-22 24576]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-08-31 8095776]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1744152]
"combofix"="c:\malak10722m\CF13611.3XE" [2009-07-14 344576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SYSTEM32\blank.htm
LSP: mswsock.dll
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\ELIA\AppData\Roaming\Mozilla\Firefox\Profiles\2e4fg34l.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IP2TDF&PC=IP2TDF&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
AddRemove-GoldenEye: Source - c:\program files\Steam\SteamApps\sourcemods\GoldenEye: Source_Uninstall.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet004\services\N360]
"ImagePath"="\"c:\program files (x86)\Norton 360\Engine\5.1.0.29\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files (x86)\Norton 360\Engine\5.1.0.29\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\system\ControlSet004\services\PCCUJobMgr]
"ImagePath"="\"c:\program files (x86)\Norton PC Checkup\Engine\2.0.8.5\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files (x86)\Norton PC Checkup\Engine\2.0.8.5\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1348709205-2046332959-3345379082-1001\Software\SecuROM\License information*]
"datasecu"=hex:3b,6d,51,2a,66,e3,56,a0,cf,6d,13,ae,49,b9,7c,0b,e5,ca,ff,6a,21,
93,75,1d,e1,63,94,4d,38,94,ae,cb,7a,9b,ee,61,09,d8,2f,6f,97,da,ae,d1,9c,1a,\
"rkeysecu"=hex:b2,4e,7d,d8,43,fb,99,5c,69,b1,3e,59,f2,d9,c4,14
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet004\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SysWOW64\PnkBstrA.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files (x86)\Windows Media Player\wmplayer.exe
.
**************************************************************************
.
Completion time: 2012-01-20 03:51:45 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-20 08:51
ComboFix2.txt 2012-01-20 06:47
.
Pre-Run: 33,104,023,552 bytes free
Post-Run: 33,123,495,936 bytes free
.
- - End Of File - - A4C19CA766A94726068A53A66A7B45CD

Edited by slik0, 20 January 2012 - 03:54 AM.
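When reading a ComboFix log like the one above, the two sections worth pulling out for triage are the registry keys ComboFix marked `@Denied` (keys with restricted permissions, which here include Adobe's own Flash CLSIDs and a SecuROM licence key, so a locked-down key is a lead to review rather than proof of infection) and the "Other Running Processes" list. The parser below is an added example, not code from the thread or from ComboFix; its sample input is a constructed excerpt of the log posted above, and the parse rules (a `[key]` line opens a block, a lone `.` closes it, the `****` line ends the process list) are inferred from the log's layout.

```python
"""Parse the registry and process sections of a ComboFix log (added example).

Assumptions: a block starts with a "[HKEY_...]" line and ends at a lone ".";
an "@Denied: (rights) (principal)" line records the ACL ComboFix reported;
hex continuation lines (ending in "\\") are ignored for simplicity.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\system\ControlSet004\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SysWOW64\PnkBstrA.exe
c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
.
**************************************************************************
"""

KEY_RE = re.compile(r'^\[(.+)\]$')
DENIED_RE = re.compile(r'^@Denied: \((.+?)\) \((.+?)\)$')
VALUE_RE = re.compile(r'^(@|"[^"]+")=(.*)$')
PROC_HEADER = 'Other Running Processes'

RegKey = Dict[str, object]  # {'denied': Optional[(rights, principal)], 'values': {...}}


def parse_combofix_log(text: str) -> Tuple[Dict[str, RegKey], List[str]]:
    """Return ({key_path: {'denied': ..., 'values': {...}}}, [process paths])."""
    keys: Dict[str, RegKey] = {}
    processes: List[str] = []
    current: Optional[RegKey] = None
    in_procs = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if PROC_HEADER in line:           # section banner switches to process mode
            in_procs = True
            current = None
            continue
        if in_procs:
            if line.startswith('****'):   # asterisk rule ends the process list
                in_procs = False
            elif line and line != '.':
                processes.append(line)
            continue
        m = KEY_RE.match(line)
        if m:
            current = {'denied': None, 'values': {}}
            keys[m.group(1)] = current
            continue
        if line == '.':                   # lone dot closes the current block
            current = None
            continue
        if current is None:
            continue
        m = DENIED_RE.match(line)
        if m:
            current['denied'] = (m.group(1), m.group(2))
            continue
        m = VALUE_RE.match(line)
        if m:
            name = 'default' if m.group(1) == '@' else m.group(1).strip('"')
            current['values'][name] = m.group(2)


    return keys, processes


def denied_keys(keys: Dict[str, RegKey]) -> Dict[str, Tuple[str, str]]:
    """Keys whose ACL ComboFix reported as denied, for manual review."""
    return {k: v['denied'] for k, v in keys.items() if v['denied']}


if __name__ == '__main__':
    parsed, procs = parse_combofix_log(SAMPLE_LOG)
    for path, acl in denied_keys(parsed).items():
        print(f'review: {path}  denied={acl}')
    for p in procs:
        print(f'process: {p}')
```

Running it on the excerpt lists the two `@Denied` keys and the two process paths; on the full log the same code separates the handful of locked keys from the hundreds of ordinary ones, which is the part a helper actually reads.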


#8 gringo_pr (Malware Response Team)

Posted 20 January 2012 - 07:24 AM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 gringo_pr (Malware Response Team)

Posted 23 January 2012 - 02:05 AM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

#10 gringo_pr (Malware Response Team)

Posted 26 January 2012 - 05:35 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.