
Screen goes blank, sound away, no regular shut down possible, pc light stays on after forced shutdown


  • This topic is locked
14 replies to this topic

#1 2dudeinkela

2dudeinkela

  • Members
  • 8 posts
  • OFFLINE
  • Local time:12:34 AM

Posted 05 May 2012 - 07:34 AM

Hello guys, I recently got infected by some nasty something.
I ran a Malwarebytes full scan and ComboFix (which deleted some files in SysWoW64 and SimpleScreenShot.exe), after having done a system restore (restored to the state of 4 days ago).
Before all that, my PC opened CMD for a second after booting, then closed it again; 5 to 10 minutes later, the screen went blank and there was no sound anymore. As neither screen nor sound came back, I forced the PC to shut down, but its light still remained on. Most of that is gone since I restored the system and used ComboFix, but I read that I should post my log, so one of you could review it and make sure my PC's clean again.

Hope it's not that bad and,
Thank you very much in advance, greez.

ComboFix 12-05-05.05 - pc 05/05/2012 13:53:09.2.8 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.9207.7187 [GMT 2:00]
Running from: c:\users\pc\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-04-05 to 2012-05-05 )))))))))))))))))))))))))))))))
.
.
2012-05-05 12:00 . 2012-05-05 12:00 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-05-05 11:43 . 2012-04-13 08:46 8917360 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D6832ADE-E1A2-4230-A351-F12C75FC3600}\mpengine.dll
2012-05-05 11:40 . 2012-05-05 11:40 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2012-05-05 09:41 . 1998-09-02 08:28 155408 ----a-w- c:\windows\SysWow64\LMRT.dll
2012-05-05 09:41 . 1998-08-27 04:51 182032 ----a-w- c:\windows\SysWow64\dxtmsft3.dll
2012-05-05 09:41 . 1998-08-20 11:02 140800 ----a-w- c:\windows\SysWow64\tm20dec.ax
2012-05-05 09:41 . 1998-09-02 08:28 63488 ----a-w- c:\windows\SysWow64\unam4ie.exe
2012-05-05 09:41 . 1998-09-02 08:02 109840 ----a-w- c:\program files (x86)\Windows Media Player\mplayer2.exe
2012-05-05 09:41 . 1998-08-20 10:38 217984 ----a-w- c:\windows\SysWow64\strmdll.dll
2012-05-05 09:40 . 1998-09-02 08:02 194320 ----a-w- c:\windows\SysWow64\qcut.dll
2012-05-05 09:40 . 1998-08-17 09:21 5672 ----a-w- c:\windows\SysWow64\quartz.vxd
2012-05-05 09:40 . 1998-08-17 09:21 10240 ----a-w- c:\windows\SysWow64\vidx16.dll
2012-05-05 09:40 . 1998-08-17 09:21 11776 ----a-w- c:\windows\SysWow64\mciqtz.drv
2012-05-05 09:40 . 2012-05-05 09:40 4608 ----a-w- c:\windows\SysWow64\w95inf32.dll
2012-05-05 09:40 . 2012-05-05 09:40 2272 ----a-w- c:\windows\SysWow64\w95inf16.dll
2012-05-05 09:37 . 2012-05-05 09:44 -------- d-----w- c:\program files (x86)\ThiefG
2012-05-04 12:53 . 2012-05-05 09:03 -------- d-----w- c:\program files (x86)\Real
2012-05-04 12:51 . 2012-05-04 12:51 -------- d-----w- c:\users\pc\AppData\Roaming\OpenCandy
2012-05-03 14:22 . 2012-05-05 09:03 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
2012-05-02 19:05 . 2012-05-02 19:05 -------- d-----w- c:\users\pc\AppData\Roaming\YourFileDownloader
2012-05-02 15:17 . 1998-09-02 08:28 38160 ----a-w- c:\windows\SysWow64\LMRTREND.dll
2012-05-02 15:06 . 2012-05-03 02:23 -------- d-----w- c:\program files (x86)\Fox
2012-04-28 15:49 . 2012-04-28 15:49 -------- d-----w- c:\programdata\ATI
2012-04-28 15:49 . 2012-04-28 15:49 -------- d-----w- c:\program files (x86)\AMD AVT
2012-04-28 15:49 . 2012-04-28 15:49 -------- d-----w- c:\program files (x86)\AMD APP
2012-04-27 23:49 . 2012-04-27 23:49 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2012-04-25 23:13 . 2012-04-25 23:24 -------- d-----w- c:\users\pc\AppData\Local\Temporary Projects
2012-04-25 23:09 . 2012-04-25 23:09 -------- d-----w- c:\program files (x86)\Microsoft SQL Server
2012-04-25 23:09 . 2012-04-25 23:09 -------- d-----w- c:\program files (x86)\Microsoft Synchronization Services
2012-04-25 23:09 . 2012-04-25 23:09 -------- d-----w- c:\program files (x86)\Microsoft SQL Server Compact Edition
2012-04-25 23:08 . 2012-04-25 23:08 -------- d-----w- c:\users\pc\AppData\Local\Microsoft Help
2012-04-25 23:07 . 2012-04-27 23:50 -------- d-----w- c:\programdata\Microsoft Help
2012-04-25 23:07 . 2012-04-25 23:09 -------- d-----w- c:\program files (x86)\Microsoft Visual Studio 9.0
2012-04-25 23:07 . 2012-04-25 23:07 -------- d-----w- c:\program files (x86)\Microsoft SDKs
2012-04-25 23:06 . 2012-04-25 23:06 -------- d-----w- c:\program files\Microsoft SDKs
2012-04-25 23:06 . 2012-04-25 23:06 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2012-04-25 15:46 . 2012-05-05 09:03 -------- d-----w- c:\users\pc\AppData\Roaming\SimpleScreenshot
2012-04-25 15:46 . 2008-01-28 12:51 330336 ----a-w- c:\windows\SSSUn.EXE
2012-04-21 13:21 . 2012-04-21 14:09 -------- d-----w- c:\programdata\eMule
2012-04-21 13:19 . 2012-04-21 14:09 -------- d-----w- c:\users\pc\AppData\Local\eMule
2012-04-12 01:03 . 2012-03-06 06:53 5559152 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-12 01:03 . 2012-03-06 05:59 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-04-12 01:03 . 2012-03-06 05:59 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-04-12 01:00 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-12 01:00 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-12 01:00 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-04-12 01:00 . 2012-03-01 06:38 220672 ----a-w- c:\windows\system32\wintrust.dll
2012-04-12 01:00 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
2012-04-12 01:00 . 2012-03-01 05:37 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-04-12 01:00 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2012-04-06 05:22 . 2012-04-06 05:22 11174400 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2012-04-06 02:22 . 2012-04-06 02:22 159744 ----a-w- c:\windows\system32\atiapfxx.exe
2012-04-06 02:16 . 2012-04-06 02:16 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll
2012-04-06 02:16 . 2012-04-06 02:16 503808 ----a-w- c:\windows\system32\atieclxx.exe
2012-04-06 02:16 . 2012-04-06 02:16 236544 ----a-w- c:\windows\system32\atiesrxx.exe
2012-04-06 02:14 . 2012-04-06 02:14 120320 ----a-w- c:\windows\system32\atitmm64.dll
2012-04-06 02:14 . 2012-04-06 02:14 21504 ----a-w- c:\windows\system32\atimuixx.dll
2012-04-06 02:14 . 2012-04-06 02:14 59392 ----a-w- c:\windows\system32\atiedu64.dll
2012-04-06 02:14 . 2012-04-06 02:14 43520 ----a-w- c:\windows\SysWow64\ati2edxx.dll
2012-04-06 02:13 . 2012-04-06 02:13 6800896 ----a-w- c:\windows\SysWow64\atidxx32.dll
2012-04-06 02:10 . 2012-04-06 02:10 26181632 ----a-w- c:\windows\system32\atio6axx.dll
2012-04-06 01:50 . 2012-04-06 01:50 19753984 ----a-w- c:\windows\SysWow64\atioglxx.dll
2012-04-06 01:35 . 2012-04-06 01:35 1120768 ----a-w- c:\windows\system32\atiumd6v.dll
2012-04-06 01:34 . 2012-04-06 01:34 1831424 ----a-w- c:\windows\SysWow64\atiumdmv.dll
2012-04-06 01:34 . 2012-04-06 01:34 4731904 ----a-w- c:\windows\system32\atiumd6a.dll
2012-04-06 01:30 . 2012-04-06 01:30 51200 ----a-w- c:\windows\system32\aticalrt64.dll
2012-04-06 01:30 . 2012-04-06 01:30 46080 ----a-w- c:\windows\SysWow64\aticalrt.dll
2012-04-06 01:30 . 2012-04-06 01:30 44544 ----a-w- c:\windows\system32\aticalcl64.dll
2012-04-06 01:30 . 2012-04-06 01:30 44032 ----a-w- c:\windows\SysWow64\aticalcl.dll
2012-04-06 01:29 . 2012-04-06 01:29 16090624 ----a-w- c:\windows\system32\aticaldd64.dll
2012-04-06 01:25 . 2012-04-06 01:25 13764096 ----a-w- c:\windows\SysWow64\aticaldd.dll
2012-04-06 01:23 . 2012-04-06 01:23 7431680 ----a-w- c:\windows\system32\atiumd64.dll
2012-04-06 01:11 . 2012-04-06 01:11 514560 ----a-w- c:\windows\system32\atiadlxx.dll
2012-04-06 01:11 . 2012-04-06 01:11 360448 ----a-w- c:\windows\SysWow64\atiadlxy.dll
2012-04-06 01:11 . 2012-04-06 01:11 17408 ----a-w- c:\windows\system32\atig6pxx.dll
2012-04-06 01:11 . 2012-04-06 01:11 14848 ----a-w- c:\windows\SysWow64\atiglpxx.dll
2012-04-06 01:11 . 2012-04-06 01:11 14848 ----a-w- c:\windows\system32\atiglpxx.dll
2012-04-06 01:11 . 2012-04-06 01:11 41984 ----a-w- c:\windows\system32\atig6txx.dll
2012-04-06 01:10 . 2012-04-06 01:10 33280 ----a-w- c:\windows\SysWow64\atigktxx.dll
2012-04-06 01:10 . 2012-04-06 01:10 343040 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2012-04-06 01:09 . 2012-04-06 01:09 41984 ----a-w- c:\windows\SysWow64\atiuxpag.dll
2012-04-06 01:09 . 2012-04-06 01:09 44544 ----a-w- c:\windows\system32\atiu9p64.dll
2012-04-06 01:09 . 2012-04-06 01:09 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2012-04-06 01:06 . 2012-04-06 01:06 54784 ----a-w- c:\windows\system32\atimpc64.dll
2012-04-06 01:06 . 2012-04-06 01:06 54784 ----a-w- c:\windows\system32\amdpcom64.dll
2012-04-06 01:06 . 2012-04-06 01:06 53760 ----a-w- c:\windows\SysWow64\atimpc32.dll
2012-04-06 01:06 . 2012-04-06 01:06 53760 ----a-w- c:\windows\SysWow64\amdpcom32.dll
2012-04-05 20:34 . 2012-04-05 20:34 187392 ----a-w- c:\windows\system32\clinfo.exe
2012-04-05 20:34 . 2012-04-05 20:34 74752 ----a-w- c:\windows\system32\OpenVideo64.dll
2012-04-05 20:34 . 2012-04-05 20:34 64512 ----a-w- c:\windows\SysWow64\OpenVideo.dll
2012-04-05 20:33 . 2012-04-05 20:33 63488 ----a-w- c:\windows\system32\OVDecode64.dll
2012-04-05 20:33 . 2012-04-05 20:33 56320 ----a-w- c:\windows\SysWow64\OVDecode.dll
2012-04-05 20:33 . 2012-04-05 20:33 16457216 ----a-w- c:\windows\system32\amdocl64.dll
2012-04-05 20:32 . 2012-04-05 20:32 13007872 ----a-w- c:\windows\SysWow64\amdocl.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-05 10:17 . 2012-04-03 13:42 419488 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-05-05 10:17 . 2011-06-03 22:22 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-05-05 10:16 . 2012-04-03 14:16 8744608 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2012-04-13 08:46 . 2010-11-21 00:57 8917360 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-04-06 02:21 . 2011-12-06 03:17 909312 ----a-w- c:\windows\SysWow64\aticfx32.dll
2012-04-06 02:20 . 2010-10-27 01:54 1067520 ----a-w- c:\windows\system32\aticfx64.dll
2012-04-06 02:00 . 2010-10-27 01:15 64000 ----a-w- c:\windows\system32\coinst.dll
2012-04-06 01:54 . 2010-10-27 01:38 7479296 ----a-w- c:\windows\system32\atidxx64.dll
2012-04-06 01:34 . 2011-12-06 02:33 6203392 ----a-w- c:\windows\SysWow64\atiumdag.dll
2012-04-06 01:22 . 2011-12-06 02:28 4795904 ----a-w- c:\windows\SysWow64\atiumdva.dll
2012-04-06 01:09 . 2010-10-27 01:13 54784 ----a-w- c:\windows\system32\atiuxp64.dll
2012-04-06 01:09 . 2011-12-06 02:11 32256 ----a-w- c:\windows\SysWow64\atiu9pag.dll
2012-04-04 13:56 . 2010-12-12 20:22 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-20 18:44 . 2010-10-24 20:25 98688 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2012-03-20 18:44 . 2010-03-25 20:30 203888 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-03-09 12:07 . 2012-03-09 12:07 29184 ----a-w- c:\windows\system32\kdbsdk64.dll
2012-03-09 12:06 . 2012-03-09 12:06 24576 ----a-w- c:\windows\SysWow64\kdbsdk32.dll
2012-03-07 21:39 . 2010-11-26 14:48 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-03-06 21:07 . 2012-03-06 21:07 162664 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10140.bin
2012-02-23 12:32 . 2012-02-23 12:32 95760 ----a-w- c:\windows\system32\drivers\AtihdW76.sys
2012-02-20 08:24 . 2011-08-12 04:11 466456 ----a-w- c:\windows\system32\wrap_oal.dll
2012-02-20 08:24 . 2011-08-12 04:11 444952 ----a-w- c:\windows\SysWow64\wrap_oal.dll
2012-02-20 08:24 . 2011-08-12 04:11 122904 ----a-w- c:\windows\system32\OpenAL32.dll
2012-02-20 08:24 . 2011-08-12 04:11 109080 ----a-w- c:\windows\SysWow64\OpenAL32.dll
2012-02-17 06:38 . 2012-03-14 20:05 1112064 ----a-w- c:\windows\system32\rdpcorets.dll
2012-02-17 06:38 . 2012-03-14 20:05 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-17 05:34 . 2012-03-14 20:05 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-02-17 04:58 . 2012-03-14 20:05 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:57 . 2012-03-14 20:05 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-02-14 21:03 . 2012-02-14 21:03 54272 ----a-w- c:\windows\system32\OpenCL.dll
2012-02-14 21:03 . 2012-02-14 21:03 48128 ----a-w- c:\windows\SysWow64\OpenCL.dll
2012-02-10 23:51 . 2012-02-10 23:53 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D3DD1D38-0F60-4C40-81B3-53EF782712EA}\gapaengine.dll
2012-02-10 06:36 . 2012-03-14 20:05 1544192 ----a-w- c:\windows\system32\DWrite.dll
2012-02-10 05:38 . 2012-03-14 20:05 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-05-05_11.23.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-19 22:58 . 2012-05-05 11:44 49238 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-05-05 11:44 31602 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-11-19 22:38 . 2012-05-05 11:44 18660 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1354787433-710350489-348376673-1000_UserData.bin
+ 2010-11-20 03:16 . 2012-05-05 11:45 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-11-20 03:16 . 2012-05-05 10:55 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-11-20 03:16 . 2012-05-05 10:55 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-11-20 03:16 . 2012-05-05 11:45 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-05-05 10:55 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-05-05 11:45 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-11-19 22:25 . 2012-05-05 11:43 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-11-19 22:25 . 2012-05-05 10:49 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-11-19 22:25 . 2012-05-05 10:49 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-11-19 22:25 . 2012-05-05 11:43 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-11-19 22:25 . 2012-05-05 10:49 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-11-19 22:25 . 2012-05-05 11:43 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-11-19 22:25 . 2012-05-05 11:12 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-11-19 22:25 . 2012-05-05 11:43 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-11-19 22:25 . 2012-05-05 11:12 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-11-19 22:25 . 2012-05-05 11:43 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-11-24 01:08 . 2012-05-05 11:41 3392 c:\windows\system32\wdi\ERCQueuedResolutions.dat
+ 2012-05-05 12:01 . 2012-05-05 12:01 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-05-05 11:23 . 2012-05-05 11:23 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-05-05 11:23 . 2012-05-05 11:23 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-05-05 12:01 . 2012-05-05 12:01 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 02:36 . 2012-05-05 11:41 632044 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-05-05 11:41 110112 c:\windows\system32\perfc009.dat
- 2009-07-14 05:12 . 2012-05-05 10:55 262144 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-07-14 05:12 . 2012-05-05 11:45 262144 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-07-14 05:01 . 2012-05-05 11:22 284384 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-05-05 12:00 284384 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2012-05-05 11:41 . 2012-05-05 11:41 109563 c:\windows\Installer\{9D046B26-7978-47CD-91E6-AC3C1DFBC3D0}\SCEP.exe
- 2012-05-01 22:51 . 2012-05-01 22:51 123352 c:\windows\Installer\{9D046B26-7978-47CD-91E6-AC3C1DFBC3D0}\MSE.exe
+ 2012-05-01 22:51 . 2012-05-05 11:41 123352 c:\windows\Installer\{9D046B26-7978-47CD-91E6-AC3C1DFBC3D0}\MSE.exe
+ 2012-05-05 11:41 . 2012-05-05 11:41 109563 c:\windows\Installer\{9D046B26-7978-47CD-91E6-AC3C1DFBC3D0}\INTUNE.exe
+ 2012-05-05 11:41 . 2012-05-05 11:41 109563 c:\windows\Installer\{9D046B26-7978-47CD-91E6-AC3C1DFBC3D0}\FEP.exe
+ 2012-05-05 11:41 . 2012-05-05 11:41 109563 c:\windows\Installer\{9D046B26-7978-47CD-91E6-AC3C1DFBC3D0}\EPP.exe
- 2011-01-30 07:28 . 2012-05-05 11:22 2272032 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2011-01-30 07:28 . 2012-05-05 12:00 2272032 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2012-03-26 17:21 . 2012-03-26 17:21 7622656 c:\windows\Installer\f7d7a.msi
- 2011-05-12 23:49 . 2012-05-05 11:22 42114272 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1354787433-710350489-348376673-1000-8192.dat
+ 2011-05-12 23:49 . 2012-05-05 12:00 42114272 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1354787433-710350489-348376673-1000-8192.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2012-01-03 1514152]
"{db9d7a78-a76c-4bf2-97c6-258925ee1542}"= "c:\program files (x86)\Reganam\tbRega.dll" [2010-11-13 3913000]
"{cc05a3e3-64c3-4af2-bfc1-af0d66b69065}"= "c:\program files (x86)\softonic-de3\tbsoft.dll" [2010-10-18 3908192]
.
[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
.
[HKEY_CLASSES_ROOT\clsid\{db9d7a78-a76c-4bf2-97c6-258925ee1542}]
.
[HKEY_CLASSES_ROOT\clsid\{cc05a3e3-64c3-4af2-bfc1-af0d66b69065}]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-11-13 20:58 3913000 ----a-w- c:\program files (x86)\ConduitEngine\ConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{cc05a3e3-64c3-4af2-bfc1-af0d66b69065}]
2010-10-18 11:26 3908192 ----a-w- c:\program files (x86)\softonic-de3\tbsoft.dll
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2012-01-03 14:31 1514152 ----a-w- c:\program files (x86)\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{db9d7a78-a76c-4bf2-97c6-258925ee1542}]
2010-11-13 20:58 3913000 ----a-w- c:\program files (x86)\Reganam\tbRega.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{db9d7a78-a76c-4bf2-97c6-258925ee1542}"= "c:\program files (x86)\Reganam\tbRega.dll" [2010-11-13 3913000]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files (x86)\ConduitEngine\ConduitEngine.dll" [2010-11-13 3913000]
"{cc05a3e3-64c3-4af2-bfc1-af0d66b69065}"= "c:\program files (x86)\softonic-de3\tbsoft.dll" [2010-10-18 3908192]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2012-01-03 1514152]
.
[HKEY_CLASSES_ROOT\clsid\{db9d7a78-a76c-4bf2-97c6-258925ee1542}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CLASSES_ROOT\clsid\{cc05a3e3-64c3-4af2-bfc1-af0d66b69065}]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KPeerNexonEU"="//~c:\nexon\nexon_eu_downloader\nxeulauncher.exe" [BU]
"RadeonPro"="c:\program files (x86)\RadeonPro\RadeonPro.exe" [2011-02-10 1832448]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-02-29 17148552]
"PriFinitty2"="c:\games\ImagesToolsetc\PriFinitty\PriFinitty2.exe" [2012-05-05 503808]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ATICustomerCare"="c:\program files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-05-04 311296]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"FILSHtray"="c:\program files (x86)\FILSHtray\FILSHtray.exe" [2012-01-26 597504]
"Boxore Client"="c:\program files (x86)\Boxore\BoxoreClient\boxore.exe" [2012-05-04 544432]
"LogMeIn Hamachi Ui"="c:\program files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" [2012-02-28 1987976]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-06-24 409744]
"SimpleScreenshot"="c:\progra~2\SSS\SIMPLESCREENSHOT.EXE" [BU]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-04-05 641664]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader - Schnellstart.lnk - c:\program files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R1 ISODisk;ISODisk; [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-02-29 158856]
R2 supdate;Software Update Service (supdate);c:\program files (x86)\Software\Update\SoftwareUpdate.exe [2012-01-29 138416]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-05 257696]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [x]
R3 dsnpfd;Dsnpfd Service;c:\windows\system32\DRIVERS\dsnpfd.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 RivaTuner64;RivaTuner64;c:\program files (x86)\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner64.sys [2011-01-24 19952]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 BWMeterConSvc;BWMeter Connections Service;c:\program files (x86)\BWMeter\BWMeterConSvc.exe [2011-03-17 64512]
S2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files (x86)\LogMeIn Hamachi\hamachi-2.exe [2012-02-28 2343816]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
S2 RadeonPro Support Service;RadeonPro Support Service;c:\program files (x86)\RadeonPro\RadeonProSupport.exe [2011-02-10 12800]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
S3 dsnpfdMP;dsnpfdMP;c:\windows\system32\DRIVERS\dsnpfd.sys [x]
S3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-05 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 10:17]
.
2012-05-05 c:\windows\Tasks\SoftwareUpdateTaskMachineCore.job
- c:\program files (x86)\Software\Update\SoftwareUpdate.exe [2012-01-29 01:09]
.
2012-05-05 c:\windows\Tasks\SoftwareUpdateTaskMachineUA.job
- c:\program files (x86)\Software\Update\SoftwareUpdate.exe [2012-01-29 01:09]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-02-02 10038304]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://search.babylon.com/?AF=111863&tt=171011_prot~171011_prot&babsrc=HP_ss&mntrId=cae85288000000000000a4badbfe6dc6
mStart Page = hxxp://www.maxiwe.com
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: &Download by Orbit - c:\program files (x86)\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files (x86)\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files (x86)\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files (x86)\Orbitdownloader\orbitmxt.dll/202
IE: Download with &Media Finder - c:\program files (x86)\Media Finder\hook.html
IE: Free YouTube to MP3 Converter - c:\users\pc\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
IE: Résumer avec Copernic Summarizer - c:\program files (x86)\Copernic Summarizer\Web\SummarizePage.htm
IE: {{0F2D17A0-E7DF-4847-995B-6F3ABF5BF187} - {961ACDBF-A8DE-454B-896F-FC9EA8A697EC} - c:\progra~2\COPERN~1\COPERN~1.DLL
IE: {{6170AB22-F1E5-4D4F-8F6C-826C73838581} - {30E44B64-8FCD-43BC-BB6A-84BD312B8E0C} - c:\program files (x86)\Copernic Summarizer\CopernicSummarizerApp.dll
IE: {{B533C4C2-3FE2-4728-8661-AC93DF5D35A2} - {961ACDBF-A8DE-454B-896F-FC9EA8A697EC} - c:\progra~2\COPERN~1\COPERN~1.DLL
TCP: DhcpNameServer = 192.168.178.1
FF - ProfilePath - c:\users\pc\AppData\Roaming\Mozilla\Firefox\Profiles\tdvxhvi7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1601497&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
FF - prefs.js: browser.startup.homepage - hxxp://search.babylon.com/?babsrc=HP_Prot
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?AF=111863&tt=171011_prot~171011_prot&babsrc=adbartrp&mntrId=cae85288000000000000a4badbfe6dc6&q=
user_pref(foxlingo.fulllogo,false);
FF - user.js: extensions.BabylonToolbar_i.newTab - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=111863
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - cae85288000000000000a4badbfe6dc6
FF - user.js: extensions.BabylonToolbar_i.hardId - cae85288000000000000a4badbfe6dc6
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15429
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.174:24
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{DB9D7A78-A76C-4BF2-97C6-258925EE1542} - (no file)
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
WebBrowser-{CC05A3E3-64C3-4AF2-BFC1-AF0D66B69065} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-05-05 14:06:28 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-05 12:06
ComboFix2.txt 2012-05-05 11:28
ComboFix3.txt 2012-05-05 00:25
.
Pre-Run: 507,503,538,176 bytes free
Post-Run: 507,061,288,960 bytes free
.
- - End Of File - - D021B9B9DAA8408CFDBBDC7348BA216B



#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:11:34 PM

Posted 08 May 2012 - 05:08 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 2dudeinkela

2dudeinkela
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:12:34 AM

Posted 09 May 2012 - 10:00 AM

Hi m0le, thank you for answering :thumbup2:

As you said, I didn't install or change anything on my PC since I posted this topic (in fact I didn't even use the PC, because I found my old N64 console and was playing Mario 64 all day :wink: )

I hope you can help me with my problem,

thx again,
greez dude

edit: Uh, I forgot to mention Malwarebytes is constantly telling me firefox and svchost are calling a dangerous IP (83.243.11.170) (or in fact 83.243.11.1xx).

Edited by 2dudeinkela, 09 May 2012 - 04:28 PM.


#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:11:34 PM

Posted 09 May 2012 - 05:34 PM

I can't see anything so far, so please run aswMBR.

Please download aswMBR (511KB) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

m0le is a proud member of UNITE

#5 2dudeinkela

2dudeinkela
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:12:34 AM

Posted 10 May 2012 - 06:33 PM

Here's the log (I did a quick scan, was that right?)

Attached Files


Edited by 2dudeinkela, 10 May 2012 - 06:33 PM.


#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:11:34 PM

Posted 10 May 2012 - 07:19 PM

This means that we could be looking at a non-malware problem. Please run MiniToolBox.

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • List content of Hosts
  • List Winsock Entries
  • List devices
  • List IP configuration
  • List last 10 Event Viewer log
  • List Users, Partitions and Memory size.
  • List Minidump Files.
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.
m0le is a proud member of UNITE

#7 2dudeinkela

2dudeinkela
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:12:34 AM

Posted 11 May 2012 - 05:20 PM

sorry for the delay,

I did the MiniToolBox scan, but I thought that I might also check the FF scans (as I am using Firefox, not Internet Explorer). I hope that doesn't disturb you, just in case. Anyway, here's the Result.txt.

Attached Files


Edited by 2dudeinkela, 11 May 2012 - 05:22 PM.


#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:11:34 PM

Posted 11 May 2012 - 05:58 PM

Wow, okay this is not malware. The errors point to a driver file problem.

Visit this site and check Microsoft engineer Martin's reply, which utilises the System File Checker tool.

It is not the exact same file, but the solution should work. If that does not help then I would strongly suggest you post a query on the Windows 7 forum here.
m0le is a proud member of UNITE

#9 2dudeinkela

2dudeinkela
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:12:34 AM

Posted 11 May 2012 - 06:20 PM

"Windows Resource Protection did not find any integrity violations."

So, what shall I do now???

edit: Do you think the connections through FF or svchost to 83.243.11.1xx are safe, or shall I keep blocking 'em?

anyway, thx again for your accurate help dude!

greez, me.

Edited by 2dudeinkela, 11 May 2012 - 06:22 PM.


#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:11:34 PM

Posted 11 May 2012 - 06:39 PM

Do you think the connections through FF or svchost to 83.243.11.1xx are safe, or shall I keep blocking 'em?


Where in the logs are these connections?
m0le is a proud member of UNITE

#11 2dudeinkela

2dudeinkela
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:12:34 AM

Posted 11 May 2012 - 09:09 PM

Again, sorry dude for the delay, but I've got some friends in here and we're drinking,

These connections are not in the logs, but in one of my posts I said that Malwarebytes keeps blocking a connection (through firefox and svchost) to 83.243.11.170 (or actually 83.243.11."160 to 179"), but also to other IPs, and I'd like to know your opinion on whether these connections are safe or not (especially because those programs are also trying to reach them when I'm not actively using my PC).

Once again a big fat thx to you and your endless patience with me and my stupid questions

(I also want to apologize for my bad English, but it's not my mother tongue) :lol:


off topic:

One thing I'd like to ask you: is this actually your job or is it some kind of hobby???
:huh:

edit:

If you understand German, this is what Malwarebytes keeps telling me:

"Zugang zu einer potentiell gefaehrlichen Website erfolgreich gestoppt: 83.243.11.1xx
Art: Ausgehend
Port: 50972 Prozess:firefox.exe"

or, if you'd like to read it in english:

"Access to a potentially dangerous site successfully blocked: 83.243.11.1xx
Kind: Outgoing
Port: 50972 Process:firefox.exe" (or also svchost in some cases) [freely translated by me]


edit2:

I'm gonna sleep now, so good eve and good night dude, hope you're enjoyin' ya time and hope to hear from you tomorrow... :busy:
g' night!

Edited by 2dudeinkela, 11 May 2012 - 09:51 PM.
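The Malwarebytes block notifications quoted in the post above are the only record the poster has of these outbound connections, so a small parser that turns them into structured records and groups them per process and /24 makes the question "one CDN range, or many unrelated destinations?" answerable at a glance. This is an added example, not code from the thread or from Malwarebytes; the sample lines are constructed in the two wordings shown (German original and the poster's English rendering), with concrete addresses made up inside the 83.243.11.160-179 span the poster mentions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample notifications in the two wordings quoted in the thread.
# The addresses other than 83.243.11.170 are made up within the span the
# poster described (83.243.11.160 to 179); ports are likewise made up.
SAMPLE_NOTIFICATIONS = """
Zugang zu einer potentiell gefaehrlichen Website erfolgreich gestoppt: 83.243.11.170
Art: Ausgehend
Port: 50972 Prozess:firefox.exe
Access to a potentially dangerous site successfully blocked: 83.243.11.165
Kind: Outgoing
Port: 50973 Process:svchost.exe
Zugang zu einer potentiell gefaehrlichen Website erfolgreich gestoppt: 83.243.11.178
Art: Ausgehend
Port: 50980 Prozess:firefox.exe
"""

# One pattern covers both wordings: three consecutive lines carry the
# destination IP, the direction, and the local port plus the process name.
_RECORD = re.compile(
    r"(?:gestoppt|blocked):\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*\n"
    r"(?:Art|Kind):\s*(?P<direction>\w+)\s*\n"
    r"Port:\s*(?P<port>\d+)\s*(?:Prozess|Process):\s*(?P<process>\S+)",
    re.IGNORECASE,
)


def parse_notifications(text):
    """Return one dict (ip, direction, port, process) per notification."""
    return [
        {"ip": m["ip"], "direction": m["direction"],
         "port": int(m["port"]), "process": m["process"].lower()}
        for m in _RECORD.finditer(text)
    ]


def summarize_by_network(records, prefix=24):
    """Group the blocked destinations of each process into /prefix networks.

    A browser (and svchost, which hosts Windows Update and other services)
    repeatedly reaching one network is the shape that in this thread turned
    out to be a CDN; one process fanning out to many unrelated networks is
    the shape that would deserve a closer look.
    """
    groups = defaultdict(set)
    for r in records:
        net = ipaddress.ip_network(f"{r['ip']}/{prefix}", strict=False)
        groups[(r["process"], str(net))].add(r["ip"])
    return {key: sorted(ips) for key, ips in groups.items()}
```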


#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:11:34 PM

Posted 12 May 2012 - 04:33 PM

These connections are not in the logs, but in one of my posts I said that Malwarebytes keeps blocking a connection (through firefox and svchost) to 83.243.11.170 (or actually 83.243.11."160 to 179")


That's Akamai and is legitimate.

One thing I'd like to ask you: is this actually your job or is it some kind of hobby??? :huh:

This is a kind of hobby for me.

I think we're back to posting on a non-malware forum here. The link is above, four posts up.
m0le is a proud member of UNITE

#13 2dudeinkela

2dudeinkela
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:12:34 AM

Posted 12 May 2012 - 05:24 PM

Thank you very very much for your very accurate and determined help m0le,
I just got my PC a year ago and I'm just happy it's now fully functional again.
My last one is not capable of saving anything anymore since I was infected for a very long time and couldn't bring it up again.

Once more, thx, I'll not forget you this.

Wishing you a great evening,
so long,
me
Greez

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:11:34 PM

Posted 12 May 2012 - 05:34 PM

Have a good evening too, Greez :)
m0le is a proud member of UNITE

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:11:34 PM

Posted 16 May 2012 - 08:02 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
m0le is a proud member of UNITE



