Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

My computer is infected with Ukash/Metropolitan Police Malware.


  • This topic is locked This topic is locked
24 replies to this topic

#1 clitonme

clitonme

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:10:03 AM

Posted 03 March 2012 - 03:56 PM

I turned on my computer today and found that Ukash/Metropolitan Police Malware was installed. I have tried to eliminate it with Malwarebytes Anti-Malware, updated, but without any success.

I googled possible ways of removing the malware and came across Combofix. I have, without being asked, or without reading first the guidelines, been able, using Combofix, to produce a log.

Sadly, I don't have a clue on how to decifer it.

Is there someone out there, that can help me descifer the log? I'd b very grateful.

Kind regards Clitonme

Attached Files


Edited by clitonme, 03 March 2012 - 07:42 PM.


BC AdBot (Login to Remove)

 


#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:11:03 AM

Posted 04 March 2012 - 09:04 PM

Hi

Please delete the copy of ComboFix that you have on your desktop (it's outdated) and download a fresh copy from the link below and run it

post the resulting log (don't forget to disable your security programs)

Link 1

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 clitonme

clitonme
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:10:03 AM

Posted 05 March 2012 - 05:16 AM

Hi

Please delete the copy of ComboFix that you have on your desktop (it's outdated) and download a fresh copy from the link below and run it

post the resulting log (don't forget to disable your security programs)

Link 1


O.k. Thanks, I'll do this tonight and send you the log.

#4 clitonme

clitonme
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:10:03 AM

Posted 05 March 2012 - 03:07 PM

ComboFix 12-03-04.02 - pop 05/03/2012 20:24:24.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.34.3082.18.3070.1885 [GMT 1:00]
Running from: H:\ComboFix.exe
AV: AVG Internet Security Business Edition 2011 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
FW: AVG Firewall *Enabled* {621CC794-9486-F902-D092-0484E8EA828B}
SP: AVG Internet Security Business Edition 2011 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\OfferBox
c:\program files\OfferBox\offerboxffx@offerbox.com\components\OfferBoxXpCom.dll
c:\users\pop\AppData\Roaming\inst.exe
c:\windows\7Loader.TAG
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Service_NPF
.
.
((((((((((((((((((((((((( Files Created from 2012-02-05 to 2012-03-05 )))))))))))))))))))))))))))))))
.
.
2012-03-05 19:35 . 2012-03-05 19:40 -------- d-----w- c:\users\pop\AppData\Local\temp
2012-03-05 19:35 . 2012-03-05 19:35 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-03 09:53 . 2012-03-03 09:54 -------- d-----w- c:\users\pop\AppData\Roaming\kodak
2012-02-28 19:01 . 2012-02-28 19:01 -------- d-----w- c:\program files\iPod
2012-02-28 19:01 . 2012-02-28 19:02 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2012-02-28 19:01 . 2012-02-28 19:02 -------- d-----w- c:\program files\iTunes
2012-02-22 18:31 . 2012-02-22 18:31 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-02-22 18:31 . 2012-02-22 18:31 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-02-22 18:31 . 2012-02-22 18:31 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-02-22 18:31 . 2012-02-22 18:31 45016 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2012-02-20 14:24 . 2012-02-28 20:36 -------- d-----w- c:\users\pop\AppData\Roaming\Mp3tag
2012-02-20 14:24 . 2012-02-20 14:24 -------- d-----w- c:\program files\Mp3tag
2012-02-16 15:12 . 2011-11-17 05:38 1288472 ----a-w- c:\windows\system32\ntdll.dll
2012-02-16 15:11 . 2012-01-14 03:35 2343424 ----a-w- c:\windows\system32\win32k.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-29 07:09 . 2011-06-01 23:55 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-16 21:16 . 2011-12-16 21:16 37376 ----a-w- c:\windows\system32\drivers\HssDrv.sys
2011-12-10 14:24 . 2011-03-15 20:50 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-22 18:31 . 2011-05-06 09:29 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-03-17 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7601.17514] . . c:\windows\System32\user32.dll
[7] 2010-11-20 . F1DD3ACAEE5E6B4BBC69BC6DF75CEF66 . 811520 . . [6.1.7601.17514] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll
[7] 2009-07-14 . 34B7E222E81FAFA885F0C5F2CFA56861 . 811520 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\tbFree.dll" [2010-04-15 2515552]
"{ad06fb5f-fef7-4a84-8c58-dca34f8e3d36}"= "c:\program files\BittorrentBar_ES\tbBitt.dll" [2010-11-29 3908192]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_CLASSES_ROOT\clsid\{ad06fb5f-fef7-4a84-8c58-dca34f8e3d36}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
2010-04-15 10:33 2515552 ----a-w- c:\program files\Freecorder\tbFree.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-11-29 14:26 3908192 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3706EE7C-3CAD-445D-8A43-03EBC3B75908}]
2011-12-16 21:16 233288 ----a-w- c:\program files\Expat Shield\HssIE\ExpatIE.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ad06fb5f-fef7-4a84-8c58-dca34f8e3d36}]
2010-11-29 14:26 3908192 ----a-w- c:\program files\BittorrentBar_ES\tbBitt.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\tbFree.dll" [2010-04-15 2515552]
"{ad06fb5f-fef7-4a84-8c58-dca34f8e3d36}"= "c:\program files\BittorrentBar_ES\tbBitt.dll" [2010-11-29 3908192]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-11-29 3908192]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_CLASSES_ROOT\clsid\{ad06fb5f-fef7-4a84-8c58-dca34f8e3d36}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "c:\program files\Freecorder\tbFree.dll" [2010-04-15 2515552]
"{AD06FB5F-FEF7-4A84-8C58-DCA34F8E3D36}"= "c:\program files\BittorrentBar_ES\tbBitt.dll" [2010-11-29 3908192]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-11-29 3908192]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_CLASSES_ROOT\clsid\{ad06fb5f-fef7-4a84-8c58-dca34f8e3d36}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-04-04 39408]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [BU]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe" [2009-11-15 33120]
"PowerSuite"="c:\progra~1\Uniblue\POWERS~1\launcher.exe" [2011-09-12 67448]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-10-03 13826664]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [BU]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2012-01-13 981680]
"Freecorder FLV Service"="c:\program files\Freecorder\FLVSrvc.exe" [2009-11-15 158752]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-21 47904]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"PRD"="c:\program files\Pointstone\System Cleaner 5\SystemCleaner.exe" [2010-02-03 2515968]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-12-23 9972328]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2012-01-13 981680]
"BabylonToolbar"="c:\program files\BabylonToolbar\BabylonToolbar\1.4.19.19\BabylonToolbarsrv.exe" [2010-11-07 286720]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2012-01-17 2339168]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-F400-BA7E-100000000002}\SC_Acrobat.exe [2010-9-19 25214]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKLM\~\startupfolder\C:^Users^pop^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\users\pop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
c:\program files\SlySoft\AnyDVD\AnyDVD.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG_TRAY]
2012-01-17 19:03 2339168 ----a-w- c:\program files\AVG\AVG10\avgtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2010-04-01 09:16 357696 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
c:\program files\Internet Download Manager\IDMan.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2012-01-13 13:53 460872 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBAgent]
2010-03-26 09:52 1234216 ----a-w- c:\program files\Nero\Nero 10\Nero BackItUp\NBAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
c:\program files\Skype\Phone\Skype.exe [BU]
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Servicio Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-04-04 135664]
R3 ExpatTrayService;Expat Shield Tray Service;c:\program files\Expat Shield\bin\ExpatTrayService.EXE [2011-12-16 77520]
R3 gupdatem;Servicio de Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-04-04 135664]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2010-04-02 47360]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 RRNetCap;RRNetCap Service;c:\windows\system32\DRIVERS\rrnetcap.sys [2010-01-06 27168]
R3 RRNetCapMP;RRNetCapMP;c:\windows\system32\DRIVERS\rrnetcap.sys [2010-01-06 27168]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 UPnPService;UPnPService;c:\program files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe [2008-10-21 548864]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Servicio de tecnologías de activación de Windows;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-19 1343400]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [2011-02-22 22992]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [2011-03-16 32592]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2011-01-22 691696]
S1 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwd6x.sys [2010-07-12 54112]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [2011-01-07 248656]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [2011-04-04 297168]
S2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;c:\program files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe [2008-10-27 759072]
S2 avgfws;Cortafuegos de AVG;c:\program files\AVG\AVG10\avgfws.exe [2011-03-09 2708024]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2012-01-31 7391072]
S2 avgwd;WatchDog de AVG;c:\program files\AVG\AVG10\avgwdsvc.exe [2011-02-08 269520]
S2 ExpatShieldService;Expat Shield Service;c:\program files\Expat Shield\bin\openvpnas.exe [2011-12-21 331096]
S2 ExpatSrv;Expat Shield Routing Service;c:\program files\Expat Shield\HssWPR\hsssrv.exe [2011-12-16 363336]
S2 ExpatWd;Expat Shield Monitoring Service;c:\program files\Expat Shield\bin\hsswd.exe [2011-12-16 329544]
S2 NAUpdate;Nero Update;c:\program files\Nero\Update\NASvc.exe [2010-03-25 490280]
S2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\Nitro PDF\Professional\NitroPDFDriverService.exe [2011-01-12 196928]
S2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [2011-01-12 68928]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [2011-05-27 134480]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [2011-02-10 24144]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys [2011-02-10 21968]
S3 netw5v32;Controlador del adaptador Intel® Wireless WiFi Link 5000 Series para Windows Vista de 32 bits;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
S3 RTL8167;Controlador NT de Realtek 8167;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9C450606-ED24-4958-92BA-B8940C99D441}]
2009-03-04 14:32 8192 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-29 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-04-04 02:22]
.
2012-02-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-04 22:05]
.
2012-02-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-04 22:05]
.
2012-02-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3501618298-324249603-3419398366-1000Core.job
- c:\users\pop\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-26 22:53]
.
2012-02-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3501618298-324249603-3419398366-1000UA.job
- c:\users\pop\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-26 22:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.expatshield.com/g/?c=h
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: E&xportar a Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Enlace de descarga usando Mega Manager...
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 80.58.61.250 80.58.61.254
FF - ProfilePath - c:\users\pop\AppData\Roaming\Mozilla\Firefox\Profiles\ya1ztrvk.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2849812&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{0974BA1E-64EC-11DE-B2A5-E43756D89593} - (no file)
Toolbar-{0974BA1E-64EC-11DE-B2A5-E43756D89593} - (no file)
Toolbar-10 - (no file)
HKCU-Run-BitTorrent - c:\program files\BitTorrent\bittorrent.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3501618298-324249603-3419398366-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6660B5E0-7381-27CE-E0AD-EB906800443A}*]
"haakmaenedagkdma"=hex:6b,61,70,69,68,66,6e,65,63,64,68,67,61,63,65,69,6e,67,
6d,6f,6b,70,00,00
"galkjcmgllkdih"=hex:61,63,70,6c,67,69,68,70,6d,6e,6b,62,66,69,61,67,6d,6a,66,
69,6b,6b,6d,67,65,6a,6f,63,6e,6f,64,67,68,67,66,6a,6a,67,69,68,6b,63,62,62,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG10\avgchsvx.exe
c:\windows\system32\taskhost.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\AVG\AVG10\avgnsx.exe
c:\program files\AVG\AVG10\avgcsrvx.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\system32\conhost.exe
c:\program files\AVG\AVG10\avgcsrvx.exe
c:\progra~1\AVG\AVG10\avgrsx.exe
c:\program files\AVG\AVG10\avgcsrvx.exe
c:\windows\system32\AUDIODG.EXE
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2012-03-05 20:56:49 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-05 19:56
ComboFix2.txt 2012-03-03 20:23
.
Pre-Run: 5.606.526.976 bytes libres
Post-Run: 5.606.854.656 bytes libres
.
- - End Of File - - 3390FA0DC5E3900B78618F6D65C5C303

#5 clitonme

clitonme
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:10:03 AM

Posted 05 March 2012 - 03:09 PM

Could you please give me an idea of what you are looking for?

Thanks, in advance.

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:11:03 AM

Posted 05 March 2012 - 06:18 PM

Could you please give me an idea of what you are looking for?

Indications of leftover malware on your machine


Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

FCopy::
c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll | c:\windows\System32\user32.dll

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 clitonme

clitonme
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:10:03 AM

Posted 05 March 2012 - 07:56 PM

It says, System file is infectd!! Attempting to remove
"C:\Windows\system32\userinit.exe"
Successfully restored :)

#8 clitonme

clitonme
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:10:03 AM

Posted 05 March 2012 - 07:58 PM

Combofix is still open, on my computer. Am i expected to wait for Combofix to close and reboot my computer?

Edited by clitonme, 05 March 2012 - 08:00 PM.


#9 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:11:03 AM

Posted 05 March 2012 - 07:59 PM

Please wait, it will do it on it's own eventually

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#10 clitonme

clitonme
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:10:03 AM

Posted 05 March 2012 - 08:07 PM

You are being vry helpful, If I may add. I see you're in Canada, nice weather?

#11 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:11:03 AM

Posted 05 March 2012 - 08:10 PM

I see you're in Canada, nice weather?

Yes! It's not snowing :lol:

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#12 clitonme

clitonme
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:10:03 AM

Posted 05 March 2012 - 08:15 PM

Oh! We had snow here last week, and the last time it did snow here, was 1957. I'm in Mallorca, Spain. I do love the snow, it used to mean that school would be closed, when I lived in Scotland. But now I have to work, come rain or shine.
In which part of Canada are you?

#13 clitonme

clitonme
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:10:03 AM

Posted 06 March 2012 - 04:06 AM

ComboFix 12-03-04.02 - pop 06/03/2012 9:42.3.2 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.34.3082.18.3070.1896 [GMT 1:00]
Running from: c:\users\pop\Desktop\ComboFix.exe
Command switches used :: c:\users\pop\Desktop\CFScript.txt
AV: AVG Internet Security Business Edition 2011 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
FW: AVG Firewall *Enabled* {621CC794-9486-F902-D092-0484E8EA828B}
SP: AVG Internet Security Business Edition 2011 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-- Previous Run --
.
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\userinit.exe
.
--------
.
.
((((((((((((((((((((((((( Files Created from 2012-02-06 to 2012-03-06 )))))))))))))))))))))))))))))))
.
.
2012-03-06 08:53 . 2012-03-06 08:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-05 19:35 . 2012-03-06 08:53 -------- d-----w- c:\users\pop\AppData\Local\temp
2012-03-05 19:01 . 2012-03-05 19:01 -------- d-----w- c:\users\pop\AppData\Roaming\AVG10
2012-03-03 09:53 . 2012-03-03 09:54 -------- d-----w- c:\users\pop\AppData\Roaming\kodak
2012-02-28 19:01 . 2012-02-28 19:01 -------- d-----w- c:\program files\iPod
2012-02-28 19:01 . 2012-02-28 19:02 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2012-02-28 19:01 . 2012-02-28 19:02 -------- d-----w- c:\program files\iTunes
2012-02-22 18:31 . 2012-02-22 18:31 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-02-22 18:31 . 2012-02-22 18:31 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-02-22 18:31 . 2012-02-22 18:31 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-02-22 18:31 . 2012-02-22 18:31 45016 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2012-02-20 14:24 . 2012-02-28 20:36 -------- d-----w- c:\users\pop\AppData\Roaming\Mp3tag
2012-02-20 14:24 . 2012-02-20 14:24 -------- d-----w- c:\program files\Mp3tag
2012-02-16 15:12 . 2011-11-17 05:38 1288472 ----a-w- c:\windows\system32\ntdll.dll
2012-02-16 15:11 . 2012-01-14 03:35 2343424 ----a-w- c:\windows\system32\win32k.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-29 07:09 . 2011-06-01 23:55 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-16 21:16 . 2011-12-16 21:16 37376 ----a-w- c:\windows\system32\drivers\HssDrv.sys
2011-12-10 14:24 . 2011-03-15 20:50 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-22 18:31 . 2011-05-06 09:29 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-03-17 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7601.17514] . . c:\windows\System32\user32.dll
[7] 2010-11-20 . F1DD3ACAEE5E6B4BBC69BC6DF75CEF66 . 811520 . . [6.1.7601.17514] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll
[7] 2009-07-14 . 34B7E222E81FAFA885F0C5F2CFA56861 . 811520 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\tbFree.dll" [2010-04-15 2515552]
"{ad06fb5f-fef7-4a84-8c58-dca34f8e3d36}"= "c:\program files\BittorrentBar_ES\tbBitt.dll" [2010-11-29 3908192]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_CLASSES_ROOT\clsid\{ad06fb5f-fef7-4a84-8c58-dca34f8e3d36}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
2010-04-15 10:33 2515552 ----a-w- c:\program files\Freecorder\tbFree.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-11-29 14:26 3908192 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3706EE7C-3CAD-445D-8A43-03EBC3B75908}]
2011-12-16 21:16 233288 ----a-w- c:\program files\Expat Shield\HssIE\ExpatIE.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ad06fb5f-fef7-4a84-8c58-dca34f8e3d36}]
2010-11-29 14:26 3908192 ----a-w- c:\program files\BittorrentBar_ES\tbBitt.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\tbFree.dll" [2010-04-15 2515552]
"{ad06fb5f-fef7-4a84-8c58-dca34f8e3d36}"= "c:\program files\BittorrentBar_ES\tbBitt.dll" [2010-11-29 3908192]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-11-29 3908192]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_CLASSES_ROOT\clsid\{ad06fb5f-fef7-4a84-8c58-dca34f8e3d36}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "c:\program files\Freecorder\tbFree.dll" [2010-04-15 2515552]
"{AD06FB5F-FEF7-4A84-8C58-DCA34F8E3D36}"= "c:\program files\BittorrentBar_ES\tbBitt.dll" [2010-11-29 3908192]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-11-29 3908192]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_CLASSES_ROOT\clsid\{ad06fb5f-fef7-4a84-8c58-dca34f8e3d36}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-04-04 39408]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [BU]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe" [2009-11-15 33120]
"PowerSuite"="c:\progra~1\Uniblue\POWERS~1\launcher.exe" [2011-09-12 67448]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-10-03 13826664]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [BU]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2012-01-13 981680]
"Freecorder FLV Service"="c:\program files\Freecorder\FLVSrvc.exe" [2009-11-15 158752]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-21 47904]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"PRD"="c:\program files\Pointstone\System Cleaner 5\SystemCleaner.exe" [2010-02-03 2515968]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-12-23 9972328]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2012-01-13 981680]
"BabylonToolbar"="c:\program files\BabylonToolbar\BabylonToolbar\1.4.19.19\BabylonToolbarsrv.exe" [2010-11-07 286720]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2012-01-17 2339168]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-F400-BA7E-100000000002}\SC_Acrobat.exe [2010-9-19 25214]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKLM\~\startupfolder\C:^Users^pop^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\users\pop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
c:\program files\SlySoft\AnyDVD\AnyDVD.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG_TRAY]
2012-01-17 19:03 2339168 ----a-w- c:\program files\AVG\AVG10\avgtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2010-04-01 09:16 357696 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
c:\program files\Internet Download Manager\IDMan.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2012-01-13 13:53 460872 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBAgent]
2010-03-26 09:52 1234216 ----a-w- c:\program files\Nero\Nero 10\Nero BackItUp\NBAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
c:\program files\Skype\Phone\Skype.exe [BU]
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Servicio Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-04-04 135664]
R3 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2012-01-31 7391072]
R3 ExpatTrayService;Expat Shield Tray Service;c:\program files\Expat Shield\bin\ExpatTrayService.EXE [2011-12-16 77520]
R3 gupdatem;Servicio de Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-04-04 135664]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2010-04-02 47360]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 RRNetCap;RRNetCap Service;c:\windows\system32\DRIVERS\rrnetcap.sys [2010-01-06 27168]
R3 RRNetCapMP;RRNetCapMP;c:\windows\system32\DRIVERS\rrnetcap.sys [2010-01-06 27168]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 UPnPService;UPnPService;c:\program files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe [2008-10-21 548864]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Servicio de tecnologías de activación de Windows;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-19 1343400]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [2011-02-22 22992]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [2011-03-16 32592]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2011-01-22 691696]
S1 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwd6x.sys [2010-07-12 54112]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [2011-01-07 248656]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [2011-04-04 297168]
S2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;c:\program files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe [2008-10-27 759072]
S2 avgfws;Cortafuegos de AVG;c:\program files\AVG\AVG10\avgfws.exe [2011-03-09 2708024]
S2 avgwd;WatchDog de AVG;c:\program files\AVG\AVG10\avgwdsvc.exe [2011-02-08 269520]
S2 ExpatShieldService;Expat Shield Service;c:\program files\Expat Shield\bin\openvpnas.exe [2011-12-21 331096]
S2 ExpatSrv;Expat Shield Routing Service;c:\program files\Expat Shield\HssWPR\hsssrv.exe [2011-12-16 363336]
S2 ExpatWd;Expat Shield Monitoring Service;c:\program files\Expat Shield\bin\hsswd.exe [2011-12-16 329544]
S2 NAUpdate;Nero Update;c:\program files\Nero\Update\NASvc.exe [2010-03-25 490280]
S2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\Nitro PDF\Professional\NitroPDFDriverService.exe [2011-01-12 196928]
S2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [2011-01-12 68928]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [2011-05-27 134480]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [2011-02-10 24144]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys [2011-02-10 21968]
S3 netw5v32;Controlador del adaptador Intel® Wireless WiFi Link 5000 Series para Windows Vista de 32 bits;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
S3 RTL8167;Controlador NT de Realtek 8167;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9C450606-ED24-4958-92BA-B8940C99D441}]
2009-03-04 14:32 8192 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-29 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-04-04 02:22]
.
2012-02-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-04 22:05]
.
2012-02-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-04 22:05]
.
2012-02-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3501618298-324249603-3419398366-1000Core.job
- c:\users\pop\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-26 22:53]
.
2012-02-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3501618298-324249603-3419398366-1000UA.job
- c:\users\pop\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-26 22:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.expatshield.com/g/?c=h
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: E&xportar a Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Enlace de descarga usando Mega Manager...
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 80.58.61.250 80.58.61.254
FF - ProfilePath - c:\users\pop\AppData\Roaming\Mozilla\Firefox\Profiles\ya1ztrvk.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2849812&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3501618298-324249603-3419398366-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6660B5E0-7381-27CE-E0AD-EB906800443A}*]
"haakmaenedagkdma"=hex:6b,61,70,69,68,66,6e,65,63,64,68,67,61,63,65,69,6e,67,
6d,6f,6b,70,00,00
"galkjcmgllkdih"=hex:61,63,70,6c,67,69,68,70,6d,6e,6b,62,66,69,61,67,6d,6a,66,
69,6b,6b,6d,67,65,6a,6f,63,6e,6f,64,67,68,67,66,6a,6a,67,69,68,6b,63,62,62,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(4352)
c:\users\pop\AppData\Local\FLVService\lib\FLVSrvLib.dll
.
Completion time: 2012-03-06 09:55:54
ComboFix-quarantined-files.txt 2012-03-06 08:55
ComboFix2.txt 2012-03-05 19:56
ComboFix3.txt 2012-03-03 20:23
.
Pre-Run: 5.816.242.176 bytes libres
Post-Run: 5.762.166.784 bytes libres
.
- - End Of File - - D336A8AD24B95066C0FC3656617980D6

#14 clitonme

clitonme
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:10:03 AM

Posted 06 March 2012 - 04:28 AM

Malwarebytes Anti-Malware Log (Versión de Prueba) 1.60.1.1000

It seems that Malwarebytes, has not detected any thing malicious.

Attached Files


Edited by clitonme, 06 March 2012 - 12:49 PM.


#15 clitonme

clitonme
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:10:03 AM

Posted 06 March 2012 - 12:42 PM

ESETSCAN Log

Attached Files






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users