
Several Antiviruses don't work


  • This topic is locked
20 replies to this topic

#1 Logan91

  • Members
  • 27 posts

Posted 18 June 2012 - 11:32 PM

Was sent here from http://www.bleepingcomputer.com/forums/topic454929.html/page__st__15__gopid__2735455#entry2735455

Basically I have had this problem for a few days. I had ESET Smart Security 5 64-bit and all of a sudden it stopped working and advised me to reinstall. I uninstalled, and when I tried to install it again it would just start reverting the installation midway through, so I decided to download Avast; it installed fine but none of the shields work.

As explained in that post, I found a strange exe with randomized characters in my User folder, which I seem to have deleted after several tries. After running lots of tools as I was asked, I'm still left with no antivirus. No PC/internet bandwidth hit, so I'm just worried I might get more severe infections. SUPERAntiSpyware found a backdoor and keylogger. I don't know if it's a false positive or not (also covered in that other thread). No GMER report because I have Win 64-bit.


.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Usuario at 1:04:31 on 2012-06-19
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.54.3082.18.8174.5942 [GMT -3:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe
C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
C:\Program Files (x86)\Last.fm\LastFM.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Java\jre6\bin\javaw.exe
C:\Program Files\Media Player Classic - Home Cinema\mpc-hc64.exe
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
c:\Program Files\Microsoft Security Client\MpCmdRun.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.babylon.com/?AF=109989&babsrc=HP_ss&mntrId=3857c39e0000000000005404a6f1e24a
uInternet Settings,ProxyOverride = <local>
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
uRun: [HydraVisionDesktopManager] "C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe"
mRun: [AMD AVT] Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe" aml
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xportar a Microsoft Excel - C:\PROGRA~2\MICROS~2\Office14\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
Trusted Zone: line6.net
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
TCP: DhcpNameServer = 208.67.220.220 208.67.222.222
TCP: Interfaces\{DC794F30-8E02-40C7-9411-830F137786A6} : DhcpNameServer = 208.67.220.220 208.67.222.222
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
{B4F3A835-0E21-4959-BA22-42B3008E02FF}
{DBC80044-A445-435b-BC74-9C25C1C588A9}
mRun-x64: [AMD AVT] Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe" aml
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Usuario\AppData\Roaming\Mozilla\Firefox\Profiles\any33b4u.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxps://www.google.com/#hl=en&output=search&sclient=psy-ab&q=
FF - plugin: C:\PROGRA~2\MICROS~2\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrlui.dll
FF - plugin: C:\ProgramData\id Software\QuakeLive\npquakezero.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-8-11 140672]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2012-3-9 361984]
R2 AODDriver4.1;AODDriver4.1;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\aoddriver2.sys [2012-1-3 55936]
R3 amdiox64;AMD IO Driver;C:\Windows\system32\DRIVERS\amdiox64.sys --> C:\Windows\system32\DRIVERS\amdiox64.sys [?]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
S1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
S1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Servicio (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-5-21 136176]
S3 gupdatem;Google Update Servicio (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-5-21 136176]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-5-2 113120]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-3-26 291696]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 RivaTuner64;RivaTuner64;C:\Program Files (x86)\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner64.sys [2009-8-22 12288]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
S3 WatAdminSvc;Servicio de tecnologías de activación de Windows;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S3 WinRing0_1_2_0;WinRing0_1_2_0;C:\Program Files (x86)\IObit\Game Booster 3\Driver\WinRing0x64.sys [2012-6-8 14544]
.
=============== File Associations ===============
.
inffile=%SystemRoot%\SysWow64\NOTEPAD.EXE %1
VBEFile=%SystemRoot%\SysWow64\WScript.exe "%1" %*
VBSFile=%SystemRoot%\SysWow64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2012-06-18 15:15:30 770384 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcr100.dll
2012-06-18 15:15:30 421200 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcp100.dll
2012-06-16 16:05:59 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{14230769-3715-464A-A2CF-C67266A1F978}\offreg.dll
2012-06-16 14:37:12 -------- d-----w- C:\Users\Usuario\AppData\Roaming\SUPERAntiSpyware.com
2012-06-16 14:37:02 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
2012-06-16 14:37:02 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2012-06-14 10:59:08 8955792 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{14230769-3715-464A-A2CF-C67266A1F978}\mpengine.dll
2012-06-09 12:02:14 -------- d-----w- C:\Users\Usuario\AppData\Local\Chromium
2012-06-08 08:05:52 -------- d-----w- C:\Users\Usuario\AppData\Local\Microsoft Games
2012-06-08 07:08:47 -------- d-----w- C:\ProgramData\IObit
2012-06-08 07:08:47 -------- d-----w- C:\Program Files (x86)\IObit
2012-06-07 16:24:36 -------- d-----w- C:\Program Files (x86)\Sonnox
2012-06-05 05:15:43 258352 ----a-w- C:\Program Files (x86)\Mozilla Firefox\pSX_1_13-1220\unicows.dll
2012-06-05 05:15:43 1912832 ----a-r- C:\Program Files (x86)\Mozilla Firefox\pSX_1_13-1220\psxfin.exe
2012-06-05 05:15:43 155648 ----a-r- C:\Program Files (x86)\Mozilla Firefox\pSX_1_13-1220\utils\cdztool.exe
2012-06-04 19:23:36 8955792 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-06-04 04:03:56 -------- d-----w- C:\Users\Usuario\AppData\Roaming\fltk.org
2012-05-27 15:11:03 -------- d-s---w- C:\Windows\SysWow64\Microsoft
2012-05-27 09:00:14 927800 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{5DED260A-CF5E-4078-A38D-70AB1E5D8102}\gapaengine.dll
2012-05-27 06:45:18 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2012-05-27 06:45:16 -------- d-----w- C:\Program Files\Microsoft Security Client
2012-05-26 19:58:14 41184 ----a-w- C:\Windows\avastSS.scr
2012-05-26 19:56:28 -------- d-----w- C:\Users\Usuario\AppData\Local\EA Games
2012-05-26 19:44:19 7 ----a-w- C:\Users\Usuario\69p20cfih3.exe
2012-05-26 19:37:51 -------- d-----w- C:\Program Files (x86)\R.G. Catalyst
2012-05-21 16:58:28 -------- d-----w- C:\Program Files (x86)\Silent Hill 2
2012-05-21 12:52:36 -------- d-----w- C:\Juegos
2012-05-21 11:36:01 -------- d-----w- C:\Users\Usuario\AppData\Roaming\QuickScan
2012-05-21 10:39:27 -------- d-sh--w- C:\$RECYCLE.BIN
2012-05-21 10:04:08 98816 ----a-w- C:\Windows\sed.exe
2012-05-21 10:04:08 518144 ----a-w- C:\Windows\SWREG.exe
2012-05-21 10:04:08 256000 ----a-w- C:\Windows\PEV.exe
2012-05-21 10:04:08 208896 ----a-w- C:\Windows\MBR.exe
2012-05-21 08:41:11 -------- d-----w- C:\Users\Usuario\AppData\Local\Google
2012-05-21 02:25:14 -------- d-----w- C:\Grabar
2012-05-20 04:23:50 -------- d-----w- C:\Users\Usuario\AppData\Roaming\Malwarebytes
2012-05-20 04:23:40 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-05-20 04:23:40 -------- d-----w- C:\ProgramData\Malwarebytes
2012-05-20 04:23:40 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
.
==================== Find3M ====================
.
2012-05-05 19:57:09 431104 ----a-w- C:\Windows\System32\wrap_oal.dll
2012-05-05 19:57:09 409600 ----a-w- C:\Windows\SysWow64\wrap_oal.dll
2012-05-05 19:57:09 136192 ----a-w- C:\Windows\System32\OpenAL32.dll
2012-05-05 19:57:09 114688 ----a-w- C:\Windows\SysWow64\OpenAL32.dll
2012-03-28 08:33:55 178800 ----a-w- C:\Windows\SysWow64\CmdLineExt_x64.dll
2012-03-28 04:55:47 3851784 ----a-w- C:\Windows\SysWow64\d3dx9_39.dll
2012-03-27 21:20:45 0 ----a-w- C:\Windows\ativpsrm.bin
2012-03-27 16:52:50 505128 ----a-w- C:\Windows\SysWow64\msvcp71.dll
2012-03-27 16:52:50 353576 ----a-w- C:\Windows\SysWow64\msvcr71.dll
2012-03-27 16:52:50 29480 ----a-w- C:\Windows\SysWow64\msxml3a.dll
2012-03-27 16:51:11 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
.
============= FINISH: 1:04:51,20 ===============
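As an added example (not from the thread, and not part of DDS or any BleepingComputer tool), the following Python checker reads DDS-format lines like the ones in the log above and flags the items a helper reviews first: protection products reported as Disabled, UAC policy values that weaken elevation, and an executable sitting directly in a user profile root. The sample lines are constructed from the log format shown in this post; the category names and thresholds are the example's own.

```python
"""Flag security-relevant findings in DDS-format log lines (added example)."""
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (category, human-readable detail)

# Constructed sample: a handful of lines in the DDS format seen in the thread.
SAMPLE_LOG = [
    r"AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}",
    r"SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}",
    r"uStart Page = hxxp://search.babylon.com/?AF=109989&babsrc=HP_ss",
    r"mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)",
    r"mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)",
    r"mPolicies-system: EnableLUA = 0 (0x0)",
    r"mPolicies-system: EnableUIADesktopToggle = 0 (0x0)",
    r"mPolicies-system: PromptOnSecureDesktop = 0 (0x0)",
    r"R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-8-11 140672]",
    r"2012-06-18 15:15:30 770384 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcr100.dll",
    r"2012-06-16 14:37:12 -------- d-----w- C:\Users\Usuario\AppData\Roaming\SUPERAntiSpyware.com",
    r"2012-05-26 19:44:19 7 ----a-w- C:\Users\Usuario\69p20cfih3.exe",
]

# "AV:" / "SP:" / "FW:" header lines: product name, then *State/Signatures*, then a GUID.
PRODUCT_RE = re.compile(r"^(AV|SP|FW): (.+?) \*(\w+)/(\w+)\* \{")
# "mPolicies-system: <Name> = <decimal> (<hex>)"
POLICY_RE = re.compile(r"^mPolicies-system: (\w+) = (\d+) \(")
# "Created Last 30" lines: date time size-or-dashes attributes path
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (\d+|-+) \S+ (.+)$")
# An .exe that lives directly under C:\Users\<name>\ rather than in a program folder.
PROFILE_ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)

# UAC policy values (Windows Vista/7 semantics) that weaken or disable elevation prompting.
WEAK_UAC = {
    "EnableLUA": (0, "UAC is turned off entirely"),
    "ConsentPromptBehaviorAdmin": (0, "administrators elevate silently without any prompt"),
    "PromptOnSecureDesktop": (0, "elevation prompts are not shown on the secure desktop"),
}


def analyse_dds(lines: List[str]) -> List[Finding]:
    """Return (category, detail) findings for the DDS lines that matter most."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.rstrip("\r\n")

        m = PRODUCT_RE.match(line)
        if m:
            kind, name, state, sigs = m.groups()
            if state.lower() == "disabled":
                findings.append(("protection-disabled", f"{kind} {name} is {state}/{sigs}"))
            continue

        m = POLICY_RE.match(line)
        if m:
            key, value = m.group(1), int(m.group(2))
            if key in WEAK_UAC and value == WEAK_UAC[key][0]:
                findings.append(("uac-weakened", f"{key}={value}: {WEAK_UAC[key][1]}"))
            continue

        m = CREATED_RE.match(line)
        if m:
            size, path = m.groups()
            if PROFILE_ROOT_EXE_RE.match(path):
                findings.append(
                    ("profile-root-exe", f"{path} ({size} bytes) sits directly in a user profile root")
                )
            continue
    return findings


def main() -> None:
    for category, detail in analyse_dds(SAMPLE_LOG):
        print(f"[{category}] {detail}")


if __name__ == "__main__":
    main()
```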


#2 nasdaq

  • Malware Response Team
  • 39,946 posts
  • Location:Montreal, QC. Canada

Posted 21 June 2012 - 08:51 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to: Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double-click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall.


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html
===

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.

Please post the logs for my review.

#3 Logan91
  • Topic Starter

  • Members
  • 27 posts

Posted 24 June 2012 - 02:25 AM

ComboFix 12-06-23.06 - Usuario 24/06/2012 4:08.2.6 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.54.3082.18.8174.6217 [GMT -3:00]
Running from: c:\users\Usuario\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Outdated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Outdated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\juegos
c:\juegos\Alan Wake.lnk
c:\juegos\Batman Arkham Asylum.lnk
c:\juegos\Battlefield 2.lnk
c:\juegos\Battlefield 3.lnk
c:\juegos\Battlefield Bad Company 2.lnk
c:\juegos\Binary Domain.lnk
c:\juegos\Counter-Strike Source.lnk
c:\juegos\Cry of Fear.lnk
c:\juegos\Crysis.lnk
c:\juegos\Dead Space 2.lnk
c:\juegos\Dead Space.lnk
c:\juegos\Doom 3.lnk
c:\juegos\Driver San Francisco.lnk
c:\juegos\F.E.A.R. Extraction Point.lnk
c:\juegos\F.E.A.R. Perseus Mandate.lnk
c:\juegos\F.E.A.R..lnk
c:\juegos\Gears of War.lnk
c:\juegos\Grand Theft Auto IV.lnk
c:\juegos\Left 4 Dead 2.lnk
c:\juegos\Mirror's Edge.lnk
c:\juegos\Need for Speed Hot Pursuit.lnk
c:\juegos\Need For Speed The Run.lnk
c:\juegos\Portal 2.lnk
c:\juegos\Pro Evolution Soccer 2012.lnk
c:\juegos\Silent Hill 2.lnk
c:\juegos\Silent Hill 3.lnk
c:\juegos\Sniper Elite V2.lnk
c:\juegos\Spider-Man™ - Shattered Dimensions.lnk
c:\juegos\SWAT 4.lnk
c:\programdata\ntuser.dat
.
.
((((((((((((((((((((((((( Files Created from 2012-05-24 to 2012-06-24 )))))))))))))))))))))))))))))))
.
.
2012-06-24 07:12 . 2012-06-24 07:12 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-20 17:07 . 2012-02-09 16:17 927800 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2012-06-20 17:07 . 2012-02-09 16:17 927800 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{AFCD64FA-191D-4B44-B812-BA7C78FB932E}\gapaengine.dll
2012-06-19 04:14 . 2012-06-19 04:14 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-06-19 04:14 . 2012-06-19 04:13 772592 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2012-06-18 15:15 . 2012-06-18 15:15 770384 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr100.dll
2012-06-18 15:15 . 2012-06-18 15:15 421200 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp100.dll
2012-06-16 14:37 . 2012-06-16 14:37 -------- d-----w- c:\users\Usuario\AppData\Roaming\SUPERAntiSpyware.com
2012-06-16 14:37 . 2012-06-16 14:37 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-06-16 14:37 . 2012-06-16 14:37 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-06-14 10:59 . 2012-05-15 04:41 8955792 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{14230769-3715-464A-A2CF-C67266A1F978}\mpengine.dll
2012-06-09 12:02 . 2012-06-09 12:02 -------- d-----w- c:\users\Usuario\AppData\Local\Chromium
2012-06-08 08:05 . 2012-06-08 08:05 -------- d-----w- c:\users\Usuario\AppData\Local\Microsoft Games
2012-06-08 07:08 . 2012-06-08 07:08 -------- d-----w- c:\programdata\IObit
2012-06-08 07:08 . 2012-06-08 07:08 -------- d-----w- c:\program files (x86)\IObit
2012-06-07 16:24 . 2012-06-07 16:24 -------- d-----w- c:\program files (x86)\Sonnox
2012-06-05 05:15 . 2007-08-28 00:47 1912832 ----a-r- c:\program files (x86)\Mozilla Firefox\pSX_1_13-1220\psxfin.exe
2012-06-05 05:15 . 2007-07-23 02:06 155648 ----a-r- c:\program files (x86)\Mozilla Firefox\pSX_1_13-1220\utils\cdztool.exe
2012-06-05 05:15 . 2004-12-07 14:11 258352 ----a-w- c:\program files (x86)\Mozilla Firefox\pSX_1_13-1220\unicows.dll
2012-06-04 19:23 . 2012-05-15 04:41 8955792 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-06-04 04:03 . 2012-06-05 04:58 -------- d-----w- c:\users\Usuario\AppData\Roaming\fltk.org
2012-05-27 15:11 . 2012-05-27 15:11 -------- d-s---w- c:\windows\SysWow64\Microsoft
2012-05-27 06:45 . 2012-05-27 06:45 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2012-05-27 06:45 . 2012-05-27 06:45 -------- d-----w- c:\program files\Microsoft Security Client
2012-05-26 19:58 . 2012-03-07 00:15 41184 ----a-w- c:\windows\avastSS.scr
2012-05-26 19:58 . 2012-03-07 00:15 201352 ----a-w- c:\windows\SysWow64\aswBoot.exe
2012-05-26 19:56 . 2012-05-26 19:56 -------- d-----w- c:\users\Usuario\AppData\Local\EA Games
2012-05-26 19:44 . 2012-05-26 19:44 7 ----a-w- c:\users\Usuario\69p20cfih3.exe
2012-05-26 19:37 . 2012-05-26 19:37 -------- d-----w- c:\program files (x86)\R.G. Catalyst
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-19 04:13 . 2012-03-27 16:51 687600 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-05-05 19:57 . 2012-05-01 04:17 431104 ----a-w- c:\windows\system32\wrap_oal.dll
2012-05-05 19:57 . 2012-05-01 04:17 409600 ----a-w- c:\windows\SysWow64\wrap_oal.dll
2012-05-05 19:57 . 2012-05-01 04:17 136192 ----a-w- c:\windows\system32\OpenAL32.dll
2012-05-05 19:57 . 2012-05-01 04:17 114688 ----a-w- c:\windows\SysWow64\OpenAL32.dll
2012-04-25 10:26 . 2012-04-25 10:26 53248 ----a-r- c:\users\Usuario\AppData\Roaming\Microsoft\Installer\{12BAA98C-F8DD-4BC9-BBE6-1C8463114197}\ARPPRODUCTICON.exe
2012-04-20 06:21 . 2012-04-20 06:21 74752 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2012-04-20 06:21 . 2012-04-20 06:21 161792 ----a-w- c:\windows\SysWow64\msls31.dll
2012-04-20 06:21 . 2012-04-20 06:21 1126912 ----a-w- c:\windows\SysWow64\wininet.dll
2012-04-20 06:21 . 2012-04-20 06:21 86528 ----a-w- c:\windows\SysWow64\iesysprep.dll
2012-04-20 06:21 . 2012-04-20 06:21 76800 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2012-04-20 06:21 . 2012-04-20 06:21 74752 ----a-w- c:\windows\SysWow64\iesetup.dll
2012-04-20 06:21 . 2012-04-20 06:21 63488 ----a-w- c:\windows\SysWow64\tdc.ocx
2012-04-20 06:21 . 2012-04-20 06:21 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2012-04-20 06:21 . 2012-04-20 06:21 367104 ----a-w- c:\windows\SysWow64\html.iec
2012-04-20 06:21 . 2012-04-20 06:21 23552 ----a-w- c:\windows\SysWow64\licmgr10.dll
2012-04-20 06:21 . 2012-04-20 06:21 1797632 ----a-w- c:\windows\SysWow64\jscript9.dll
2012-04-20 06:21 . 2012-04-20 06:21 1427456 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2012-04-20 06:21 . 2012-04-20 06:21 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2012-04-20 06:21 . 2012-04-20 06:21 91648 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2012-04-20 06:21 . 2012-04-20 06:21 89088 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-04-20 06:21 . 2012-04-20 06:21 49664 ----a-w- c:\windows\system32\imgutil.dll
2012-04-20 06:21 . 2012-04-20 06:21 48640 ----a-w- c:\windows\system32\mshtmler.dll
2012-04-20 06:21 . 2012-04-20 06:21 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
2012-04-20 06:21 . 2012-04-20 06:21 35840 ----a-w- c:\windows\SysWow64\imgutil.dll
2012-04-20 06:21 . 2012-04-20 06:21 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2012-04-20 06:21 . 2012-04-20 06:21 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-04-20 06:21 . 2012-04-20 06:21 2303488 ----a-w- c:\windows\system32\jscript9.dll
2012-04-20 06:21 . 2012-04-20 06:21 222208 ----a-w- c:\windows\system32\msls31.dll
2012-04-20 06:21 . 2012-04-20 06:21 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2012-04-20 06:21 . 2012-04-20 06:21 152064 ----a-w- c:\windows\SysWow64\wextract.exe
2012-04-20 06:21 . 2012-04-20 06:21 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
2012-04-20 06:21 . 2012-04-20 06:21 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2012-04-20 06:21 . 2012-04-20 06:21 1389056 ----a-w- c:\windows\system32\wininet.dll
2012-04-20 06:21 . 2012-04-20 06:21 135168 ----a-w- c:\windows\system32\IEAdvpack.dll
2012-04-20 06:21 . 2012-04-20 06:21 12288 ----a-w- c:\windows\system32\mshta.exe
2012-04-20 06:21 . 2012-04-20 06:21 11776 ----a-w- c:\windows\SysWow64\mshta.exe
2012-04-20 06:21 . 2012-04-20 06:21 114176 ----a-w- c:\windows\system32\admparse.dll
2012-04-20 06:21 . 2012-04-20 06:21 101888 ----a-w- c:\windows\SysWow64\admparse.dll
2012-04-20 06:21 . 2012-04-20 06:21 85504 ----a-w- c:\windows\system32\iesetup.dll
2012-04-20 06:21 . 2012-04-20 06:21 76800 ----a-w- c:\windows\system32\tdc.ocx
2012-04-20 06:21 . 2012-04-20 06:21 603648 ----a-w- c:\windows\system32\vbscript.dll
2012-04-20 06:21 . 2012-04-20 06:21 448512 ----a-w- c:\windows\system32\html.iec
2012-04-20 06:21 . 2012-04-20 06:21 30720 ----a-w- c:\windows\system32\licmgr10.dll
2012-04-20 06:21 . 2012-04-20 06:21 165888 ----a-w- c:\windows\system32\iexpress.exe
2012-04-20 06:21 . 2012-04-20 06:21 160256 ----a-w- c:\windows\system32\wextract.exe
2012-04-20 06:21 . 2012-04-20 06:21 1492992 ----a-w- c:\windows\system32\inetcpl.cpl
2012-04-20 06:21 . 2012-04-20 06:21 111616 ----a-w- c:\windows\system32\iesysprep.dll
2012-04-16 21:21 . 2012-04-16 21:21 45056 ----a-r- c:\users\Usuario\AppData\Roaming\Microsoft\Installer\{009AC76E-1A66-4682-82B7-417E77F3C648}\ARPPRODUCTICON.exe
2012-04-04 18:56 . 2012-05-20 04:23 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-28 08:33 . 2012-03-28 08:33 178800 ----a-w- c:\windows\SysWow64\CmdLineExt_x64.dll
2012-03-28 04:55 . 2012-03-28 04:54 3851784 ----a-w- c:\windows\SysWow64\d3dx9_39.dll
2012-03-27 16:52 . 2012-03-27 16:52 29480 ----a-w- c:\windows\SysWow64\msxml3a.dll
2012-03-27 16:52 . 2003-03-18 23:14 505128 ----a-w- c:\windows\SysWow64\msvcp71.dll
2012-03-27 16:52 . 2003-02-21 07:42 353576 ----a-w- c:\windows\SysWow64\msvcr71.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AMD AVT"="start AMD Accelerated Video Transcoding device initialization" [X]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Servicio (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-05-21 136176]
R3 gupdatem;Google Update Servicio (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-05-21 136176]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-06-18 113120]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 RivaTuner64;RivaTuner64;c:\program files (x86)\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner64.sys [2009-08-22 12288]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Servicio de tecnologías de activación de Windows;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WinRing0_1_2_0;WinRing0_1_2_0;c:\program files (x86)\IObit\Game Booster 3\Driver\WinRing0x64.sys [2010-11-01 14544]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2012-03-09 361984]
S2 AODDriver4.1;AODDriver4.1;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [2012-01-04 55936]
S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - cac0b5e225218c43
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cd372e9c9d036.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-05-21 08:41]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://search.babylon.com/?AF=109989&babsrc=HP_ss&mntrId=3857c39e0000000000005404a6f1e24a
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <local>
IE: E&xportar a Microsoft Excel - c:\progra~2\MICROS~2\Office14\EXCEL.EXE/3000
Trusted Zone: line6.net
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Usuario\AppData\Roaming\Mozilla\Firefox\Profiles\any33b4u.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxps://www.google.com/#hl=en&output=search&sclient=psy-ab&q=
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24} - (no file)
AddRemove-Gears of War_is1 - c:\program files (x86)\Gears of War\Uninstall\unins000.exe
AddRemove-MiNODLogin - c:\program files (x86)\ESET\MiNODLogin\MiNODLoginUninst.exe
AddRemove-{0EDC9BA0-016E-406a-86DA-04FC1BE00C21} - c:\program files\Common Files\EAInstaller\Need for Speed™ The Run\Cleanup.exe
AddRemove-{1AA94747-3BF6-4237-9E1A-7B3067738FE1} - c:\program files (x86)\InstallShield Installation Information\{1AA94747-3BF6-4237-9E1A-7B3067738FE1}\setup.exe
AddRemove-{4E79A60F-15D2-4BEC-91AD-E41EC42E61B0} - c:\program files\InstallShield Installation Information\{4E79A60F-15D2-4BEC-91AD-E41EC42E61B0}\setup.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\cac0b5e225218c43]
"ImagePath"="\SystemRoot\System32\Drivers\cac0b5e225218c43.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2825630950-2320964367-1598673973-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:07,81,b8,7e,70,bb,94,a9,b5,c9,1a,f5,9d,01,2b,12,06,d0,e9,2f,f0,b2,26,
8c,22,68,4d,c2,b0,9a,02,ff,d8,76,af,f0,cb,9f,37,23,20,dc,c8,a4,bf,cb,1c,dd,\
"??"=hex:e6,a8,dd,80,c0,b4,2e,75,6f,3d,0e,9f,d0,be,df,6c
.
[HKEY_USERS\S-1-5-21-2825630950-2320964367-1598673973-1000\Software\SecuROM\License information*]
"datasecu"=hex:00,62,a3,8d,d4,e1,75,ec,ec,6e,db,99,ea,65,2b,02,77,3e,73,0a,31,
af,d9,5a,c6,3d,7a,0f,e3,1e,8d,bd,7e,56,b1,e5,eb,30,ea,6a,60,2f,08,95,da,1f,\
"rkeysecu"=hex:51,ba,23,ee,aa,89,66,50,3f,dd,70,61,c2,70,a3,46
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-06-24 04:18:56 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-24 07:18
.
Pre-Run: 37.295.026.176 bytes libres
Post-Run: 37.407.440.896 bytes libres
.
- - End Of File - - 8CD0762830DB8B87AD44F1AE243CCD3E

I should be restoring all those .LNKs in the Juegos folder, they're just shortcuts to games why would ComboFix even delete them?

#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,946 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:51 PM

Posted 24 June 2012 - 08:42 AM

I should be restoring all those .LNKs in the Juegos folder, they're just shortcuts to games why would ComboFix even delete them?

The folder name was possibly not recognized.
We will restore them.
===

Open notepad and copy/paste the text in the quote box below into it:

DEQUARANTINE::
C:\Qoobox\Quarantine\C\juegos

ClearJavaCache::


Save this as CFScript.txt on your desktop.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
===

Third party programs if not up to date can be an open door for an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Windows Firewall
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Please post the logs and let me know what problem persists.

#5 Logan91

Logan91
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:05:51 PM

Posted 25 June 2012 - 05:52 AM

I had already restored them changing the extensions in the Qoobox folder, nvm

Farbar Service Scanner Version: 24-06-2012 01
Ran by Usuario (administrator) on 25-06-2012 at 07:38:37
Running from "C:\Users\Usuario\Downloads"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************



Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall"=DWORD:0


Action Center:
============

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

File Check:
========
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

Results of screen317's Security Check version 0.99.42
Windows 7 Service Pack 1 x64 (UAC is disabled!)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Microsoft Security Essentials
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.61.0.1400
Java™ 6 Update 23
Java™ 7 Update 5
Adobe Flash Player 10 Flash Player out of Date!
Mozilla Firefox (13.0.1)
Google Chrome 19.0.1084.56
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````

#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,946 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:51 PM

Posted 25 June 2012 - 10:31 AM

Remove this old version of Java™ 6 Update 23 using the Add/Remove programs applet.

===

Critical vulnerabilities have been identified in Adobe Flash Player v11.3.300.257 and earlier versions... being exploited in the wild in active targeted attacks...

Get the latest Flash Player

On the top of the page you will be given an opportunity to download the version for your operating system.
Make sure you select appropriate version.

You will also have an option to install the Free! McAfee Security Scan Plus. Un-check the box if you are NOT using McAfee's virus protection software.

For the users of Internet Explorer download version 11.
Flash Player 11 (64 bit)
Flash Player 11 (32 bit)
===

Please let me know if you still have any issues.

#7 Logan91

Logan91
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:05:51 PM

Posted 25 June 2012 - 11:54 PM

Yeah I still have issues with AVs. I prefer to solve this issue before updating stuff that might be vulnerable :/

#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,946 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:51 PM

Posted 26 June 2012 - 10:04 AM

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:


    :filefind
    cac0b5e225218c43.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

===

Please let me know what problems you have concerning your AVs

#9 Logan91

Logan91
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:05:51 PM

Posted 27 June 2012 - 05:33 AM

No antivirus' real-time protection works. Tried Avast, Eset. I explained that in the OP

SystemLook 30.07.11 by jpshortstuff
Log created at 07:59 on 27/06/2012 by Usuario
Administrator - Elevation successful

========== filefind ==========

Searching for "cac0b5e225218c43.sys"
C:\Windows\System32\drivers\cac0b5e225218c43.sys --a---- 80336 bytes [23:54 17/05/2012] [23:54 17/05/2012] (Unable to calculate MD5)

-= EOF =-

Edited by Logan91, 27 June 2012 - 06:02 AM.


#10 nasdaq

nasdaq

  • Malware Response Team
  • 39,946 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:51 PM

Posted 27 June 2012 - 08:41 AM

No antivirus' real-time protection works. Tried Avast, Eset. I explained that in the OP

Microsoft Security Essentials is blocking these antivirus programs from working in real life.

http://www.sitepoint.com/forums/showthread.php?639871-Microsoft-Security-Essentials-and-ESET-on-the-Same-Machine
---

>>> Run Jotti's malware scan: Please copy this line (in bold):
C:\Windows\System32\drivers\cac0b5e225218c43.sys
  • Go to Jotti's malware scan and click the Browse button,
  • A window will open, right-click in the File name field and choose Paste.
  • Click the Submit button and let the scan run uninterrupted.
  • At the end right-click the Permalink button and choose "Copy the link". Posted Image
  • Open Notepad (Start => All Programs => Accessories) and click "Edition" => "Paste".
Please copy and paste these Permalink in your next reply.
If Jotti is busy, please go to http://www.virustotal.com

#11 Logan91

Logan91
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:05:51 PM

Posted 28 June 2012 - 02:27 AM

I got MSE AFTER I had problems with ESET, I had ESET for years without problems.

Timeline:
-ESET works perfectly
-ESET stops working
-Try to reinstall, I can't, so it's uninstalled
-Install Avast, its shields don't work, uninstall
-Install MSE, scanning works, real-time protection doesn't.

#12 nasdaq

nasdaq

  • Malware Response Team
  • 39,946 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:51 PM

Posted 28 June 2012 - 07:58 AM

Run this tool and remove everything linked to ESET and AVAST.

http://majorgeeks.com/Revo_Uninstaller_d5706.html
Revo Uninstaller helps you to remove any unwanted application installed on your computer.

If that does not get MSE to work properly I can only suggest you check with their forum.
http://support.microsoft.com/ph/15931

#13 Logan91

Logan91
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:05:51 PM

Posted 29 June 2012 - 05:53 AM

Jotti's tool asks for admin rights, even if I run Firefox with admin rights it doesn't work :(

#14 nasdaq

nasdaq

  • Malware Response Team
  • 39,946 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:51 PM

Posted 29 June 2012 - 10:07 AM

Jotti's tool asks for admin right,

Strange.

Forget about Jotti.

Rename the file
C:\Windows\System32\drivers\cac0b5e225218c43.sys

to

C:\Windows\System32\drivers\cac0b5e225218c43.sys.old

Any improvement?

#15 Logan91

Logan91
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:05:51 PM

Posted 01 July 2012 - 02:27 AM

Well it says I need admin rights to change the file, should I back it up in another folder and delete it via command line? I deleted some weird .exe as I explained in that other post like that.

EDIT: I can't copy the file. The creation date is May 17, that other weird .exe was created May 15th, that's when I think I got the infection. I think this is it. If I try to scan it with Malwarebytes, the result says "0 files scanned". By reading the logs I posted earlier I get the file is being used? Maybe backing it up on safe mode

Btw I got Win 7 like 6 months ago. How am I supposed to have rights to EVERYTHING? I mean I own the computer, I am on an admin account as far as I can tell, why are there files that I'm not supposed to own? I don't get it.

EDIT 2: OK I went to safe mode, opened CMD and tried to copy the file with "copy cac..." it said Access Denied. So I went ahead and just put "del cac..." and the file got deleted right away. Started in normal mode and MSE real-time protection works :clapping:
Another interesting point Windows Update told me there were updates available as soon as the desktop showed, it didn't since a while ago. I'm updating the virus definitions of MSE now because it says "PC status: potentially unprotected", below it says "real-time protection: ON, virus definitions out-of-date"

Edited by Logan91, 01 July 2012 - 03:24 AM.
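A defender-side triage check for the pattern this thread converged on (a kernel-driver service named with a bare run of hex characters, its ImagePath pointing at a .sys of the same name that an administrator could neither copy nor scan, alongside stopped wuauserv/BITS and EnableFirewall=0 in the FSS log), added here as an example and not code from the thread, from nasdaq, or from any tool he named. It assumes an elevated PowerShell prompt on the affected Windows machine; the 12-to-16-hex-character naming heuristic is an assumption generalised from the one service name shown above.

```powershell
# Added example, not from the thread or any tool it names. Read-only triage
# for the pattern above: service cac0b5e225218c43 -> cac0b5e225218c43.sys.
# Run from an elevated PowerShell prompt; it changes nothing on the system.

$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$hexName = '^[0-9a-f]{12,16}$'   # assumption: 12-16 hex chars, as in the thread

function Resolve-ImagePath([string]$imagePath) {
    # ImagePath appears as \SystemRoot\..., \??\C:\..., or system32\... forms
    $p = $imagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$suspect = foreach ($key in Get-ChildItem $svcRoot -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    if (-not $props.ImagePath) { continue }
    $name = $key.PSChildName
    $isKernelDriver = ($props.Type -eq 1)          # SERVICE_KERNEL_DRIVER
    $nameIsHex = $name -match $hexName
    $fileIsHex = $props.ImagePath -match '\\[0-9a-f]{12,16}\.sys$'
    if (-not ($nameIsHex -or ($isKernelDriver -and $fileIsHex))) { continue }

    $path = Resolve-ImagePath $props.ImagePath
    $exists = Test-Path -LiteralPath $path
    # On Windows 7, catalog-signed Microsoft drivers can also report NotSigned,
    # so the strong signal is hex name plus unreadable file, not NotSigned alone.
    $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'FileMissing' }
    $readable = $false
    if ($exists) {
        try { $fs = [System.IO.File]::OpenRead($path); $fs.Close(); $readable = $true } catch { }
    }
    [pscustomobject]@{ Service = $name; Start = $props.Start; ImagePath = $props.ImagePath
                       Signature = $sig; Readable = $readable }
}

"== Hex-named driver services =="
$suspect | Format-Table -AutoSize

# The FSS log above showed wuauserv and BITS stopped: report the services the
# poster's symptoms depended on (update, BITS, firewall, Security Center, Defender).
"== Security-relevant services =="
Get-Service wuauserv, BITS, MpsSvc, wscsvc, WinDefend -ErrorAction SilentlyContinue |
    Select-Object Name, Status, DisplayName | Format-Table -AutoSize

# The same log showed "EnableFirewall"=DWORD:0 under two firewall profiles.
"== Firewall policy keys =="
foreach ($profile in 'StandardProfile', 'PublicProfile', 'DomainProfile') {
    $k = "$svcRoot\SharedAccess\Parameters\FirewallPolicy\$profile"
    $v = (Get-ItemProperty -Path $k -Name EnableFirewall -ErrorAction SilentlyContinue).EnableFirewall
    "{0,-16} EnableFirewall = {1}" -f $profile, $(if ($null -eq $v) { 'not set' } else { $v })
}
```

A row with Readable = False while the file exists reproduces the "Access Denied" the poster saw; as in the thread, the safe-mode deletion is what let MSE real-time protection and Windows Update resume, so a hit here is a cue to escalate to a specialist rather than to keep reinstalling antivirus products.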




