Windows 7: Sirefef.y


  • This topic is locked
18 replies to this topic

#1 Turbo Rob

  • Members
  • 19 posts

Posted 20 June 2012 - 01:18 PM

Hey everyone,

Thanks in advance for all of the help. This is a great website and community! :thumbsup:

Initially, the computer was infected via "Live Security Platinum". I did a search and attempted to remove "Live Security Platinum" with the help of this guide: http://malwaretips.com/blogs/live-security-platinum-virus/. Unfortunately, I was unable to completely clean the computer. Now when the computer is started, MSE attempts to remove Sirefef.y but Windows shuts down after one minute and automatically reboots. The frustrating part of this is that it reboots in regular and safe mode even when automatic restart is disabled. :thumbdown:

I did a search and found that I am not the first one to have this problem, so I decided to get a head start on the process. Here is the Farbar text file:



Scan result of Farbar Recovery Scan Tool Version: 20-06-2012 04
Ran by SYSTEM at 20-06-2012 10:57:46
Running from E:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [7833120 2009-05-24] (Realtek Semiconductor)
HKLM\...\Run: [Skytel] C:\Program Files\Realtek\Audio\HDA\Skytel.exe [1833504 2009-05-24] (Realtek Semiconductor Corp.)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [165912 2009-09-08] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [387608 2009-09-08] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [365592 2009-09-08] (Intel Corporation)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [RunAIShell] C:\Program Files (x86)\ASUS\AI Manager\AsShellApplication.exe [225280 2009-08-19] (ASUSTeK Computer Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35696 2009-02-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252296 2012-01-17] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462408 2012-04-04] (Malwarebytes Corporation)
HKU\Robin\...\Run: [Google Update] "C:\Users\Robin\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-09-18] (Google Inc.)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 66.28.0.45 156.154.71.1 8.8.4.4
Startup: C:\Users\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files (x86)\McAfee Security Scan\3.0.207\SSScheduler.exe (McAfee, Inc.)
Startup: C:\Users\Default\Start Menu\Programs\Startup\Best Buy Software Installer.lnk
ShortcutTarget: Best Buy Software Installer.lnk -> C:\Program Files\Best Buy Software Installer\Best Buy Software Installer.exe (Best Buy®)
Startup: C:\Users\Default User\Start Menu\Programs\Startup\Best Buy Software Installer.lnk
ShortcutTarget: Best Buy Software Installer.lnk -> C:\Program Files\Best Buy Software Installer\Best Buy Software Installer.exe (Best Buy®)
Startup: C:\Users\Robin\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)

==================== Services (Whitelisted) ======

2 BBUpdate; "C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE" [249648 2011-10-13] (Microsoft Corporation)
2 Device Handle Service; C:\Windows\SysWOW64\AsHookDevice.exe [196608 2009-08-19] (ASUSTeK Computer Inc.)
2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [107848 2012-06-18] (SurfRight B.V.)
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [654408 2012-04-04] (Malwarebytes Corporation)
3 McComponentHostService; "C:\Program Files (x86)\McAfee Security Scan\3.0.207\McCHSvc.exe" [237008 2011-06-17] (McAfee, Inc.)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)

========================== Drivers (Whitelisted) =============

1 AsIO; C:\Windows\SysWow64\Drivers\AsIO.sys [13440 2009-08-03] ()
1 AsUpIO; C:\Windows\SysWow64\Drivers\AsUpIO.sys [13368 2009-07-05] ()
3 hitmanpro35; \??\C:\Windows\system32\drivers\hitmanpro36.sys [30496 2012-06-19] ()
3 IntcHdmiAddService; C:\Windows\System32\drivers\IntcHdmi.sys [139264 2009-07-09] (Intel® Corporation)
3 KMWDFILTER; C:\Windows\System32\Drivers\KMWDFILTER.sys [30208 2009-04-29] (Windows ® Codename Longhorn DDK provider)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [24904 2012-04-04] (Malwarebytes Corporation)
3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [15416 2009-07-15] ()
3 tmlwf; [x]
3 tmwfp; [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-06-20 10:57 - 2012-06-20 10:57 - 00000000 ____D C:\FRST
2012-06-19 11:19 - 2012-06-19 11:19 - 00030496 ____A C:\Windows\System32\Drivers\hitmanpro36.sys
2012-06-18 21:57 - 2012-06-18 21:57 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-06-18 21:57 - 2012-06-18 21:57 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-06-18 21:55 - 2012-06-18 21:56 - 12621696 ____A (Microsoft Corporation) C:\Users\Robin\Downloads\mseinstall(1).exe
2012-06-18 21:49 - 2012-06-18 21:49 - 00002396 ____A C:\Windows\System32\.crusader
2012-06-18 21:44 - 2012-06-18 21:49 - 00000000 ____D C:\Users\All Users\HitmanPro
2012-06-18 21:44 - 2012-06-18 21:44 - 00001897 ____A C:\Users\Public\Desktop\HitmanPro.lnk
2012-06-18 21:44 - 2012-06-18 21:44 - 00000000 ____D C:\Program Files\HitmanPro
2012-06-18 21:42 - 2012-06-18 21:44 - 08298672 ____A (SurfRight B.V.) C:\Users\Robin\Downloads\HitmanPro36_x64.exe
2012-06-18 21:15 - 2012-06-18 21:15 - 00000629 ____A C:\rkill.log
2012-06-18 21:14 - 2012-06-18 21:14 - 01012656 ____A C:\Users\Robin\Downloads\iExplore.exe
2012-06-18 21:13 - 2012-06-18 21:13 - 00001205 ____A C:\Users\Robin\Downloads\registryfix.reg
2012-06-18 10:28 - 2012-06-18 10:28 - 00000000 ____D C:\Users\Robin\AppData\Roaming\Malwarebytes
2012-06-18 10:28 - 2012-06-18 10:28 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-06-18 10:28 - 2012-06-18 10:28 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-06-18 10:28 - 2012-04-04 14:56 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-18 10:27 - 2012-06-18 10:27 - 10063000 ____A (Malwarebytes Corporation ) C:\Users\Robin\Downloads\mbam-setup-1.61.0.1400.exe
2012-06-18 10:10 - 2012-06-18 10:10 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-06-18 09:26 - 2012-05-17 18:47 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-18 09:26 - 2012-05-17 18:16 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-18 09:26 - 2012-05-17 18:06 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-18 09:26 - 2012-05-17 17:59 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-18 09:26 - 2012-05-17 17:59 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-18 09:26 - 2012-05-17 17:58 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-18 09:26 - 2012-05-17 17:58 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-18 09:26 - 2012-05-17 17:56 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-18 09:26 - 2012-05-17 17:55 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-18 09:26 - 2012-05-17 17:55 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-18 09:26 - 2012-05-17 17:54 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-18 09:26 - 2012-05-17 17:51 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-18 09:26 - 2012-05-17 17:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-18 09:26 - 2012-05-17 17:47 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-18 09:26 - 2012-05-17 15:11 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-18 09:26 - 2012-05-17 14:48 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-18 09:26 - 2012-05-17 14:45 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-18 09:26 - 2012-05-17 14:36 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-18 09:26 - 2012-05-17 14:35 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-18 09:26 - 2012-05-17 14:35 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-18 09:26 - 2012-05-17 14:33 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-18 09:26 - 2012-05-17 14:31 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-18 09:26 - 2012-05-17 14:29 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-18 09:26 - 2012-05-17 14:29 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-18 09:26 - 2012-05-17 14:27 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-18 09:26 - 2012-05-17 14:25 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-18 09:26 - 2012-05-17 14:24 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-18 09:26 - 2012-05-17 14:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-13 15:49 - 2012-05-04 02:52 - 05505392 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-06-13 15:49 - 2012-05-01 21:32 - 00208896 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-06-13 15:49 - 2012-04-25 21:34 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-06-13 15:49 - 2012-04-25 21:34 - 00076288 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-06-13 15:49 - 2012-04-25 21:28 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-06-13 15:48 - 2012-05-14 17:32 - 03144192 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-13 15:48 - 2012-05-04 02:08 - 03958128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-06-13 15:48 - 2012-05-04 02:08 - 03902320 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-06-13 15:48 - 2012-04-27 19:50 - 00204800 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-06-13 15:48 - 2012-04-23 21:59 - 01460224 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-06-13 15:48 - 2012-04-23 21:59 - 00182272 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-06-13 15:48 - 2012-04-23 21:59 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-06-13 15:48 - 2012-04-23 20:47 - 01156608 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2012-06-13 15:48 - 2012-04-23 20:47 - 00139264 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2012-06-13 15:48 - 2012-04-23 20:47 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2012-06-13 15:48 - 2012-04-07 04:18 - 03213824 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll
2012-06-13 15:48 - 2012-04-07 03:34 - 02342400 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll

============ 3 Months Modified Files and Folders =============

2012-06-20 10:57 - 2012-06-20 10:57 - 00000000 ____D C:\FRST
2012-06-19 12:00 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-06-19 12:00 - 2009-07-13 20:51 - 00052941 ____A C:\Windows\setupact.log
2012-06-19 11:39 - 2010-06-15 18:00 - 01614913 ____A C:\Windows\WindowsUpdate.log
2012-06-19 11:19 - 2012-06-19 11:19 - 00030496 ____A C:\Windows\System32\Drivers\hitmanpro36.sys
2012-06-18 22:11 - 2011-09-18 19:44 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3642015814-475855457-2614654053-1000UA.job
2012-06-18 22:00 - 2009-07-13 20:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-06-18 22:00 - 2009-07-13 20:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-06-18 21:57 - 2012-06-18 21:57 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-06-18 21:57 - 2012-06-18 21:57 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-06-18 21:57 - 2012-05-14 14:37 - 00001945 ____A C:\Windows\epplauncher.mif
2012-06-18 21:57 - 2012-03-23 11:39 - 00743538 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-06-18 21:56 - 2012-06-18 21:55 - 12621696 ____A (Microsoft Corporation) C:\Users\Robin\Downloads\mseinstall(1).exe
2012-06-18 21:54 - 2009-07-13 21:13 - 00726444 ____A C:\Windows\System32\PerfStringBackup.INI
2012-06-18 21:49 - 2012-06-18 21:49 - 00002396 ____A C:\Windows\System32\.crusader
2012-06-18 21:49 - 2012-06-18 21:44 - 00000000 ____D C:\Users\All Users\HitmanPro
2012-06-18 21:44 - 2012-06-18 21:44 - 00001897 ____A C:\Users\Public\Desktop\HitmanPro.lnk
2012-06-18 21:44 - 2012-06-18 21:44 - 00000000 ____D C:\Program Files\HitmanPro
2012-06-18 21:44 - 2012-06-18 21:42 - 08298672 ____A (SurfRight B.V.) C:\Users\Robin\Downloads\HitmanPro36_x64.exe
2012-06-18 21:16 - 2012-03-23 10:33 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2012-06-18 21:15 - 2012-06-18 21:15 - 00000629 ____A C:\rkill.log
2012-06-18 21:14 - 2012-06-18 21:14 - 01012656 ____A C:\Users\Robin\Downloads\iExplore.exe
2012-06-18 21:13 - 2012-06-18 21:13 - 00001205 ____A C:\Users\Robin\Downloads\registryfix.reg
2012-06-18 11:21 - 2010-06-15 20:53 - 00065184 ____A C:\Windows\PFRO.log
2012-06-18 10:28 - 2012-06-18 10:28 - 00000000 ____D C:\Users\Robin\AppData\Roaming\Malwarebytes
2012-06-18 10:28 - 2012-06-18 10:28 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-06-18 10:28 - 2012-06-18 10:28 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-06-18 10:27 - 2012-06-18 10:27 - 10063000 ____A (Malwarebytes Corporation ) C:\Users\Robin\Downloads\mbam-setup-1.61.0.1400.exe
2012-06-18 10:10 - 2012-06-18 10:10 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-06-18 09:56 - 2012-05-14 13:34 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-06-18 09:56 - 2009-07-13 20:45 - 00343552 ____A C:\Windows\System32\FNTCACHE.DAT
2012-06-18 09:50 - 2012-05-14 13:34 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-06-18 09:50 - 2012-01-10 09:43 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-06-18 09:49 - 2012-05-18 06:23 - 00014406 ____A C:\Users\Robin\AppData\Roaming\Java
2012-06-18 09:31 - 2010-06-15 19:13 - 58957832 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-06-13 16:43 - 2012-05-16 12:32 - 00000024 ____A C:\Users\Robin\random.dat
2012-06-13 16:27 - 2012-05-16 15:13 - 00000023 ____A C:\Users\Robin\jagexappletviewer.preferences
2012-06-13 15:41 - 2012-05-16 12:32 - 00000044 ____A C:\Users\Robin\jagex_cl_runescape_LIVE.dat
2012-06-13 15:38 - 2011-09-18 19:45 - 00002363 ____A C:\Users\Robin\Desktop\Google Chrome.lnk
2012-05-18 06:14 - 2012-05-18 06:14 - 00000000 ____D C:\Users\All Users\Mozilla
2012-05-18 06:14 - 2012-05-18 06:14 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2012-05-17 18:47 - 2012-06-18 09:26 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-05-17 18:16 - 2012-06-18 09:26 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-05-17 18:06 - 2012-06-18 09:26 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-05-17 17:59 - 2012-06-18 09:26 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-05-17 17:59 - 2012-06-18 09:26 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-05-17 17:58 - 2012-06-18 09:26 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-05-17 17:58 - 2012-06-18 09:26 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-05-17 17:56 - 2012-06-18 09:26 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-05-17 17:55 - 2012-06-18 09:26 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-05-17 17:55 - 2012-06-18 09:26 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-05-17 17:54 - 2012-06-18 09:26 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-05-17 17:51 - 2012-06-18 09:26 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-05-17 17:51 - 2012-06-18 09:26 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-05-17 17:47 - 2012-06-18 09:26 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-05-17 15:11 - 2012-06-18 09:26 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-05-17 14:48 - 2012-06-18 09:26 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-05-17 14:45 - 2012-06-18 09:26 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-05-17 14:36 - 2012-06-18 09:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-05-17 14:35 - 2012-06-18 09:26 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-05-17 14:35 - 2012-06-18 09:26 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-05-17 14:33 - 2012-06-18 09:26 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-05-17 14:31 - 2012-06-18 09:26 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-05-17 14:29 - 2012-06-18 09:26 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-05-17 14:29 - 2012-06-18 09:26 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-05-17 14:27 - 2012-06-18 09:26 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-05-17 14:25 - 2012-06-18 09:26 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-05-17 14:24 - 2012-06-18 09:26 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-05-17 14:20 - 2012-06-18 09:26 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-05-17 07:26 - 2010-01-21 10:00 - 00000000 ____D C:\Users\All Users\Microsoft Help
2012-05-16 17:38 - 2012-05-16 17:17 - 00000000 ____D C:\Users\Robin\AppData\Local\WinZip
2012-05-16 17:17 - 2012-05-16 17:17 - 00002209 ____A C:\Users\Public\Desktop\WinZip.lnk
2012-05-16 17:17 - 2012-05-16 17:17 - 00000000 ____D C:\Users\All Users\WinZip
2012-05-16 17:17 - 2012-05-16 17:17 - 00000000 ____D C:\Program Files\WinZip
2012-05-16 17:17 - 2010-06-15 18:01 - 00000000 ____D C:\users\Robin
2012-05-16 17:15 - 2012-05-16 17:13 - 33240976 ____A C:\Users\Robin\Downloads\winzip16-64.exe
2012-05-16 15:13 - 2012-05-16 15:13 - 00000000 ____D C:\.jagex_cache_32
2012-05-16 14:11 - 2011-09-18 19:44 - 00000856 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3642015814-475855457-2614654053-1000Core.job
2012-05-16 13:46 - 2012-05-16 13:46 - 00000045 ____A C:\Users\Robin\jagex_cl_runescape_LIVE1.dat
2012-05-16 13:46 - 2012-05-16 13:46 - 00000000 ____D C:\Users\Robin\jagexcache1
2012-05-16 12:32 - 2012-05-16 12:31 - 00000000 ____D C:\Users\Robin\jagexcache
2012-05-16 12:31 - 2012-05-16 12:31 - 00002052 ____A C:\Users\Robin\Desktop\RuneScape.lnk
2012-05-16 12:30 - 2012-05-16 12:26 - 23642112 ____A C:\Users\Robin\Downloads\RuneScape.msi
2012-05-16 12:26 - 2012-05-16 12:26 - 00000000 ____D C:\Users\All Users\Sun
2012-05-16 12:26 - 2012-05-16 12:26 - 00000000 ____D C:\Program Files (x86)\Oracle
2012-05-16 12:24 - 2012-05-16 12:25 - 00174024 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2012-05-16 12:24 - 2012-05-16 12:25 - 00174024 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2012-05-16 12:24 - 2012-05-16 12:24 - 00000000 ____D C:\Program Files (x86)\Java
2012-05-16 12:16 - 2012-05-16 12:16 - 00892360 ____A (Oracle Corporation) C:\Users\Robin\Downloads\jxpiinstall.exe
2012-05-16 10:17 - 2012-05-14 13:15 - 00002098 ____A C:\Users\Public\Desktop\McAfee Security Scan Plus.lnk
2012-05-16 10:17 - 2012-05-14 13:15 - 00000000 ____D C:\Program Files (x86)\McAfee Security Scan
2012-05-14 17:32 - 2012-06-13 15:48 - 03144192 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-05-14 14:30 - 2010-06-15 18:07 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2012-05-14 14:30 - 2009-07-13 23:45 - 00000000 ____D C:\Program Files\Windows Journal
2012-05-14 14:26 - 2012-05-14 14:26 - 00125986 ____A C:\Users\Robin\Downloads\PythonInjector(4).zip
2012-05-14 14:19 - 2012-05-14 14:19 - 01039360 ____A C:\Users\Robin\Downloads\WinRAR(1).exe
2012-05-14 14:19 - 2012-05-14 14:19 - 00000000 ____D C:\Users\Robin\AppData\Roaming\WinRAR
2012-05-14 14:17 - 2012-05-14 14:17 - 08769696 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2012-05-14 14:14 - 2012-05-14 14:14 - 01039360 ____A C:\Users\Robin\Downloads\WinRAR.exe
2012-05-14 14:14 - 2012-05-14 14:14 - 00116678 ____A C:\Users\Robin\Downloads\RemoteDll.zip
2012-05-14 13:57 - 2012-05-14 13:57 - 00000759 ____A C:\Users\Robin\Downloads\Toontown-setup - Shortcut.lnk
2012-05-14 13:34 - 2012-05-14 13:34 - 00000000 ____D C:\Windows\System32\Macromed
2012-05-14 13:25 - 2012-05-14 13:25 - 00000729 ____A C:\Users\Robin\Downloads\FreeRide - Shortcut.lnk
2012-05-14 13:20 - 2012-05-14 13:20 - 01271392 ____A C:\Users\Robin\Downloads\Toontown-setup.exe
2012-05-14 13:20 - 2012-01-15 21:14 - 00001374 ____A C:\Users\Public\Desktop\Toontown Online.lnk
2012-05-14 13:15 - 2012-05-14 13:15 - 00000000 ____D C:\Users\All Users\McAfee Security Scan
2012-05-14 13:15 - 2012-05-14 13:15 - 00000000 ____D C:\Users\All Users\McAfee
2012-05-14 13:09 - 2012-05-14 13:09 - 00519382 ____A C:\Users\Robin\Downloads\FreeRide.exe
2012-05-14 13:06 - 2012-05-14 13:24 - 00019906 ___RA C:\Users\Robin\Downloads\buttons (1).py
2012-05-14 13:06 - 2012-05-14 13:06 - 00002733 ____A C:\Users\Robin\Downloads\Team Pawz Buttons.zip
2012-05-14 12:58 - 2012-05-14 12:58 - 00125986 ____A C:\Users\Robin\Downloads\PythonInjector.zip
2012-05-04 02:52 - 2012-06-13 15:49 - 05505392 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-05-04 02:08 - 2012-06-13 15:48 - 03958128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-05-04 02:08 - 2012-06-13 15:48 - 03902320 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-05-01 21:32 - 2012-06-13 15:49 - 00208896 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-04-27 19:50 - 2012-06-13 15:48 - 00204800 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-04-25 21:34 - 2012-06-13 15:49 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-04-25 21:34 - 2012-06-13 15:49 - 00076288 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-04-25 21:28 - 2012-06-13 15:49 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-04-23 21:59 - 2012-06-13 15:48 - 01460224 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-04-23 21:59 - 2012-06-13 15:48 - 00182272 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-04-23 21:59 - 2012-06-13 15:48 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-04-23 20:47 - 2012-06-13 15:48 - 01156608 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2012-04-23 20:47 - 2012-06-13 15:48 - 00139264 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2012-04-23 20:47 - 2012-06-13 15:48 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2012-04-07 04:18 - 2012-06-13 15:48 - 03213824 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll
2012-04-07 03:34 - 2012-06-13 15:48 - 02342400 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll
2012-04-04 17:47 - 2012-05-16 12:25 - 00772504 ____A (Oracle Corporation) C:\Windows\SysWOW64\npDeployJava1.dll
2012-04-04 17:47 - 2012-05-16 12:25 - 00687504 ____A (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll
2012-04-04 17:47 - 2012-05-16 12:25 - 00227720 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2012-04-04 14:56 - 2012-06-18 10:28 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-03-30 03:09 - 2012-05-14 13:12 - 01895280 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-03-23 11:46 - 2011-09-18 19:49 - 00000000 ____D C:\Users\All Users\MFAData
2012-03-23 11:38 - 2012-03-23 11:38 - 10165440 ____A (Microsoft Corporation) C:\Users\Robin\Downloads\mseinstall.exe
2012-03-23 10:33 - 2012-03-23 10:33 - 00001134 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2012-03-23 10:33 - 2012-03-23 10:33 - 00000000 ____D C:\Users\Robin\AppData\Roaming\Mozilla
2012-03-23 10:33 - 2012-03-23 10:33 - 00000000 ____D C:\Users\Robin\AppData\Local\Mozilla
2012-03-23 10:32 - 2012-03-23 10:31 - 16157992 ____A (Mozilla) C:\Users\Robin\Downloads\Firefox Setup 11.0.exe
2012-03-23 09:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache

ZeroAccess:
C:\Windows\Installer\{0074cc56-a130-ebaa-9dc1-746a1b659985}
C:\Windows\Installer\{0074cc56-a130-ebaa-9dc1-746a1b659985}\@
C:\Windows\Installer\{0074cc56-a130-ebaa-9dc1-746a1b659985}\L
C:\Windows\Installer\{0074cc56-a130-ebaa-9dc1-746a1b659985}\n
C:\Windows\Installer\{0074cc56-a130-ebaa-9dc1-746a1b659985}\U
C:\Windows\Installer\{0074cc56-a130-ebaa-9dc1-746a1b659985}\U\00000001.@
C:\Windows\Installer\{0074cc56-a130-ebaa-9dc1-746a1b659985}\U\80000000.@
C:\Windows\Installer\{0074cc56-a130-ebaa-9dc1-746a1b659985}\U\800000cb.@

ZeroAccess:
C:\Users\Robin\AppData\Local\{0074cc56-a130-ebaa-9dc1-746a1b659985}
C:\Users\Robin\AppData\Local\{0074cc56-a130-ebaa-9dc1-746a1b659985}\@
C:\Users\Robin\AppData\Local\{0074cc56-a130-ebaa-9dc1-746a1b659985}\L
C:\Users\Robin\AppData\Local\{0074cc56-a130-ebaa-9dc1-746a1b659985}\U

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 10%
Total physical RAM: 5885.12 MB
Available physical RAM: 5247.48 MB
Total Pagefile: 5883.27 MB
Available Pagefile: 5231.77 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (WIN7) (Fixed) (Total:923.51 GB) (Free:879.68 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
3 Drive e: () (Removable) (Total:14.9 GB) (Free:14.85 GB) FAT32
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 931 GB 0 B
Disk 1 Online 14 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 8 GB 31 KB
Partition 2 Primary 923 GB 8 GB

======================================================================================================

Disk: 0
Partition 1
Type : 1B
Hidden: Yes
Active: No

There is no volume associated with this partition.

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C WIN7 NTFS Partition 923 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 14 GB 16 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 E FAT32 Removable 14 GB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-05-16 14:18

======================= End Of Log ==========================
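As an added example (not part of the thread and not FRST's own code), a small Python triage script that reads the two ZeroAccess indicators the log above surfaces, the "ZeroAccess:" directory blocks and the "Bamital & volsnap Check" line where services.exe's MD5 does not match, and reduces the directory blocks to the top-level folders a fixlist.txt would name. The embedded log excerpt is constructed from lines quoted in the post; the function names are my own.

```python
"""Triage helper for a Farbar Recovery Scan Tool (FRST) log.

Added example, not part of the thread or of FRST. It pulls out the two
ZeroAccess indicators FRST reported in the post above:
  * "ZeroAccess:" blocks listing the {GUID} folders and their @, L, n, U entries
  * "Bamital & volsnap Check" lines whose MD5 did not match ("<==== ATTENTION!")
and collapses each folder block to its top-level directory, which is what the
helper's fixlist.txt named (one line per directory, nothing else).
"""
import re
from typing import Dict, List

# Constructed excerpt of the log posted above (lines copied from the post, other
# sections omitted). Raw string so the Windows backslashes stay literal.
SAMPLE_LOG = r"""
========================== Drivers (Whitelisted) =============

3 tmlwf; [x]

ZeroAccess:
C:\Windows\Installer\{0074cc56-a130-ebaa-9dc1-746a1b659985}
C:\Windows\Installer\{0074cc56-a130-ebaa-9dc1-746a1b659985}\@
C:\Windows\Installer\{0074cc56-a130-ebaa-9dc1-746a1b659985}\U
C:\Windows\Installer\{0074cc56-a130-ebaa-9dc1-746a1b659985}\U\00000001.@

ZeroAccess:
C:\Users\Robin\AppData\Local\{0074cc56-a130-ebaa-9dc1-746a1b659985}
C:\Users\Robin\AppData\Local\{0074cc56-a130-ebaa-9dc1-746a1b659985}\@

========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
"""

# A flagged integrity-check line: <path> <32 hex MD5> <label> <==== ATTENTION!
ATTENTION_RE = re.compile(
    r"^(?P<path>.+?) (?P<md5>[0-9A-Fa-f]{32}) (?P<label>\S+) <==== ATTENTION!"
)


def parse_zeroaccess_blocks(log: str) -> List[List[str]]:
    """Return one list of paths per 'ZeroAccess:' header; a blank line ends a block."""
    blocks: List[List[str]] = []
    current: List[str] = []
    in_block = False
    for raw in log.splitlines():
        line = raw.strip()
        if line == "ZeroAccess:":
            in_block, current = True, []
            blocks.append(current)
            continue
        if in_block:
            if not line:  # blank line closes the block
                in_block = False
            else:
                current.append(line)
    return blocks


def fixlist_roots(blocks: List[List[str]]) -> List[str]:
    """Collapse each block to its top-level directory (the shortest path, which
    every other entry extends). A block whose entries do not share one root is
    kept entry by entry. Duplicates are dropped, order is preserved."""
    roots: List[str] = []
    for block in blocks:
        if not block:
            continue
        root = min(block, key=lambda p: (p.count("\\"), len(p)))
        if all(p == root or p.startswith(root + "\\") for p in block):
            candidates = [root]
        else:
            candidates = block
        for c in candidates:
            if c not in roots:
                roots.append(c)
    return roots


def parse_attention_lines(log: str) -> List[Dict[str, str]]:
    """Integrity-check lines FRST flagged instead of reporting 'MD5 is legit'."""
    hits: List[Dict[str, str]] = []
    for raw in log.splitlines():
        m = ATTENTION_RE.match(raw.strip())
        if m:
            hits.append(m.groupdict())
    return hits


def build_fixlist(log: str) -> str:
    """Body of fixlist.txt: one top-level ZeroAccess directory per line."""
    return "\n".join(fixlist_roots(parse_zeroaccess_blocks(log)))


def triage(log: str) -> Dict[str, object]:
    """Both indicator sets in one structure for reporting."""
    return {
        "fixlist": build_fixlist(log).splitlines(),
        "patched_files": parse_attention_lines(log),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("fixlist.txt would contain:")
    for entry in result["fixlist"]:
        print("  " + entry)
    for hit in result["patched_files"]:
        print(f"patched system file: {hit['path']} ({hit['label']}, MD5 {hit['md5']})")
```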


#2 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts

Posted 20 June 2012 - 10:04 PM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
Open notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flash drive as fixlist.txt

C:\Windows\Installer\{0074cc56-a130-ebaa-9dc1-746a1b659985}
C:\Users\Robin\AppData\Local\{0074cc56-a130-ebaa-9dc1-746a1b659985}
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Now please enter System Recovery Options again.
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press the Fix button just once and wait.
  • The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.
Download ComboFix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • If you have trouble, stop and post back. Do not try to repeatedly run ComboFix!
  • When finished, it will produce a report for you.

Note: If after running ComboFix you receive a message stating, "Illegal Operation Attempted on a registery key that has been marked for deletion" rebooting your computer will resolve the problem.

Please include the following in your next post:
  • The contents of the FixLog.txt file from your flash drive
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#3 Turbo Rob
  • Topic Starter
  • Members
  • 19 posts

Posted 21 June 2012 - 03:17 AM

I was able to run "Fix" on Farbar as you requested, but when attempting to download and run ComboFix, my computer shut down after one minute due to "Critical error".

Here are the results from fixlist.txt

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 20-06-2012 04
Ran by SYSTEM at 2012-06-21 01:06:57 Run:1
Running from E:\

==============================================

C:\Windows\Installer\{0074cc56-a130-ebaa-9dc1-746a1b659985} moved successfully.
C:\Users\Robin\AppData\Local\{0074cc56-a130-ebaa-9dc1-746a1b659985} moved successfully.

==== End of Fixlog ====

#4 RPMcMurphy
  • Malware Response Team
  • 3,970 posts

Posted 21 June 2012 - 09:13 AM

OK, let's do this instead:

Boot to System Recovery Options and run FRST again.
  • Type the following in the edit box after "Search:".

    services.exe
It then should look like:

Search: services.exe

Click Search button and post the log (Search.txt) it makes to your reply.


#5 Turbo Rob
  • Topic Starter
  • Members
  • 19 posts

Posted 21 June 2012 - 01:01 PM

Farbar Recovery Scan Tool Version: 20-06-2012 04
Ran by SYSTEM at 2012-06-21 10:57:51
Running from E:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

====== End Of Search ======
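The search log above shows two copies of services.exe with the same size and the same timestamps but different MD5 hashes, and the helper's next step is to restore the WinSxS copy over the one in System32. The following Python script is an added example and is not part of this thread or of FRST: it parses the two-line entry format of a Search.txt log (the two services.exe entries are copied from the log above; the header lines around them are constructed in the same format) and reports any copy outside WinSxS whose MD5 is not among the component-store copies of the same file, while also recording that size and timestamps still match, which is why a size-only or timestamp-only check would not catch this case.

```python
"""Flag a live system binary whose MD5 differs from its WinSxS component-store copy,
using the two-line entry format of an FRST Search.txt log.
Added example for this thread; not FRST's own code."""
import re
from collections import defaultdict

# Constructed sample input. The two services.exe entries are copied from the
# Search.txt posted above; the header lines follow the same log format.
SAMPLE_SEARCH_LOG = r"""Farbar Recovery Scan Tool Version: 20-06-2012 04
Ran by SYSTEM at 2012-06-21 10:57:51
Running from E:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

====== End Of Search ======
"""

# Detail line: "[created] - [modified] - size attributes (company) MD5"
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_search_log(text):
    """Return one dict per file found: a path line followed by a detail line."""
    entries = []
    lines = [ln.strip() for ln in text.splitlines()]
    for i in range(1, len(lines)):
        m = DETAIL_RE.match(lines[i])
        if m:
            rec = m.groupdict()
            rec["size"] = int(rec["size"])
            rec["md5"] = rec["md5"].upper()
            rec["path"] = lines[i - 1]   # the line before the detail line is the path
            entries.append(rec)
    return entries


def find_store_mismatches(entries):
    """Group entries by file name, compare each copy outside WinSxS with the
    component-store copies of the same name, and report copies whose MD5 is not
    among the store hashes. Size and timestamp agreement is reported too, because
    a patched file can keep both (as the services.exe in this thread does)."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["path"].rsplit("\\", 1)[-1].lower()].append(e)

    findings = []
    for name, group in by_name.items():
        store = [e for e in group if "\\winsxs\\" in e["path"].lower()]
        live = [e for e in group if e not in store]
        if not store:
            continue  # no component-store copy to compare against
        store_hashes = {e["md5"] for e in store}
        for e in live:
            if e["md5"] not in store_hashes:
                findings.append({
                    "name": name,
                    "path": e["path"],
                    "md5": e["md5"],
                    "store_md5": sorted(store_hashes),
                    "size_matches_store": any(s["size"] == e["size"] for s in store),
                    "timestamps_match_store": any(
                        (s["created"], s["modified"]) == (e["created"], e["modified"])
                        for s in store
                    ),
                })
    return findings


if __name__ == "__main__":
    for f in find_store_mismatches(parse_search_log(SAMPLE_SEARCH_LOG)):
        print(f"{f['path']}: MD5 {f['md5']} not in store {f['store_md5']} "
              f"(size match: {f['size_matches_store']}, "
              f"timestamps match: {f['timestamps_match_store']})")
```

A hash match against the component store is only a consistency check between two files on the same disk; it says nothing about whether the WinSxS copy itself is genuine, so a practitioner would still compare the store hash against a known-good reference before treating it as the restore source.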

#6 RPMcMurphy
  • Malware Response Team
  • 3,970 posts

Posted 21 June 2012 - 01:24 PM

Please do this next:

Delete any existing versions of fixlist.txt from your flash drive, then open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right click on it. Paste this into the open Notepad. Save it on the flash drive as fixlist.txt

Replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe  C:\Windows\System32\services.exe
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options again.
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press the Fix button just once and wait.
  • The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.


#7 Turbo Rob
  • Topic Starter
  • Members
  • 19 posts

Posted 21 June 2012 - 02:06 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 20-06-2012 04
Ran by SYSTEM at 2012-06-21 12:04:49 Run:2
Running from E:\

==============================================

C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====

#8 RPMcMurphy
  • Malware Response Team
  • 3,970 posts

Posted 21 June 2012 - 02:12 PM

Great! Please try to run ComboFix again now.


#9 Turbo Rob
  • Topic Starter
  • Members
  • 19 posts

Posted 21 June 2012 - 02:47 PM

ComboFix 12-06-21.02 - Robin 06/21/2012 12:31:35.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.5885.4170 [GMT -7:00]
Running from: c:\users\Robin\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Robin\AppData\Roaming\java
.
.
((((((((((((((((((((((((( Files Created from 2012-05-21 to 2012-06-21 )))))))))))))))))))))))))))))))
.
.
2012-06-21 19:34 . 2012-06-21 19:34 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-21 19:25 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-21 19:25 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-21 19:25 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-21 19:25 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-21 19:24 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-21 19:24 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-21 19:24 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-21 19:24 . 2012-06-02 22:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-21 19:24 . 2012-06-02 22:15 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-20 18:57 . 2012-06-21 08:59 -------- d-----w- C:\FRST
2012-06-19 19:19 . 2012-06-21 19:28 30496 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-06-19 06:03 . 2012-06-19 06:03 927800 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5CF19F22-6395-41BF-B6E4-A2BF476CF7A8}\gapaengine.dll
2012-06-19 06:03 . 2012-05-31 04:04 9013136 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C3DA4003-D939-4184-8318-26F09AAF4288}\mpengine.dll
2012-06-19 05:57 . 2012-06-19 05:57 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2012-06-19 05:57 . 2012-06-19 05:57 -------- d-----w- c:\program files\Microsoft Security Client
2012-06-19 05:44 . 2012-06-21 19:29 -------- d-----w- c:\program files\HitmanPro
2012-06-19 05:44 . 2012-06-19 05:49 -------- d-----w- c:\programdata\HitmanPro
2012-06-18 18:28 . 2012-06-18 18:28 -------- d-----w- c:\users\Robin\AppData\Roaming\Malwarebytes
2012-06-18 18:28 . 2012-06-18 18:28 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-06-18 18:28 . 2012-06-18 18:28 -------- d-----w- c:\programdata\Malwarebytes
2012-06-18 18:28 . 2012-04-04 22:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-18 18:10 . 2012-06-18 18:10 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-06-13 23:49 . 2012-04-26 05:34 76288 ----a-w- c:\windows\system32\rdpwsx.dll
2012-06-13 23:49 . 2012-04-26 05:34 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-06-13 23:49 . 2012-04-26 05:28 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-06-13 23:49 . 2012-05-02 05:32 208896 ----a-w- c:\windows\system32\profsvc.dll
2012-06-13 23:49 . 2012-05-04 10:52 5505392 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-06-13 23:48 . 2012-05-04 10:08 3958128 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-06-13 23:48 . 2012-05-04 10:08 3902320 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-06-13 23:48 . 2012-05-15 01:32 3144192 ----a-w- c:\windows\system32\win32k.sys
2012-06-13 23:48 . 2012-04-28 03:50 204800 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-13 23:48 . 2012-04-07 12:18 3213824 ----a-w- c:\windows\system32\msi.dll
2012-06-13 23:48 . 2012-04-07 11:34 2342400 ----a-w- c:\windows\SysWow64\msi.dll
2012-06-13 23:48 . 2012-04-24 05:59 182272 ----a-w- c:\windows\system32\cryptsvc.dll
2012-06-13 23:48 . 2012-04-24 05:59 1460224 ----a-w- c:\windows\system32\crypt32.dll
2012-06-13 23:48 . 2012-04-24 05:59 140288 ----a-w- c:\windows\system32\cryptnet.dll
2012-06-13 23:48 . 2012-04-24 04:47 139264 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2012-06-13 23:48 . 2012-04-24 04:47 1156608 ----a-w- c:\windows\SysWow64\crypt32.dll
2012-06-13 23:48 . 2012-04-24 04:47 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-18 17:50 . 2012-05-14 21:34 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-06-18 17:50 . 2012-01-10 17:43 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-05-14 22:17 . 2012-05-14 22:17 8769696 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2012-04-05 01:47 . 2012-05-16 20:25 772504 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2012-04-05 01:47 . 2012-05-16 20:25 687504 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-03-30 11:09 . 2012-05-14 21:12 1895280 ----a-w- c:\windows\system32\drivers\tcpip.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"RunAIShell"="c:\program files (x86)\ASUS\AI Manager\AsShellApplication.exe" [2009-08-20 225280]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
c:\users\Robin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\3.0.207\SSScheduler.exe [2011-6-17 272528]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Best Buy Software Installer.lnk - c:\program files\Best Buy Software Installer\Best Buy Software Installer.exe [2009-10-5 1132472]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-18 257224]
R3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro36.sys [x]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\3.0.207\McCHSvc.exe [2011-06-17 237008]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-05-18 129976]
R3 netr28x;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\system32\DRIVERS\netr28x.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-27 291696]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S1 AsUpIO;AsUpIO;SysWow64\drivers\AsUpIO.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-10-21 196176]
S2 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-10-14 249648]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
S2 Device Handle Service;Device Handle Service;c:\windows\SysWOW64\AsHookDevice.exe [2009-08-20 196608]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
Hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-14 17:50]
.
2012-05-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3642015814-475855457-2614654053-1000Core.job
- c:\users\Robin\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-19 03:44]
.
2012-06-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3642015814-475855457-2614654053-1000UA.job
- c:\users\Robin\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-19 03:44]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-05-24 7833120]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-05-24 1833504]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-08 165912]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-08 387608]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-08 365592]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-27 1271168]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 66.28.0.45 156.154.71.1 8.8.4.4
FF - ProfilePath - c:\users\Robin\AppData\Roaming\Mozilla\Firefox\Profiles\jqb1vafy.default\
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Nico Mak Computing\WinZip]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\ASUS\AI Manager\AIManager.exe
c:\program files (x86)\ASUS\EPU-4 Engine\FourEngine.exe
c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
.
**************************************************************************
.
Completion time: 2012-06-21 12:39:07 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-21 19:39
.
Pre-Run: 943,881,232,384 bytes free
Post-Run: 944,169,484,288 bytes free
.
- - End Of File - - 96F7605BADFBC8ED640F4D5CF4F792CD

#10 RPMcMurphy
  • Malware Response Team
  • 3,970 posts

Posted 21 June 2012 - 09:28 PM

Please do this next:

Click Start > Run or press the Windows key + R. Copy and paste the following text into the Run box that opens and press OK:
C:\Qoobox\Add-Remove Programs.txt

Post the contents of the text file that opens in your next reply.

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information, C:\_OTL\MovedFiles or C:\Qoobox
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Please include the following in your next post:
  • Programs list
  • MBAM log

Edited by RPMcMurphy, 21 June 2012 - 09:29 PM.


#11 Turbo Rob
  • Topic Starter
  • Members
  • 19 posts

Posted 22 June 2012 - 02:15 AM

Results from C:\Qoobox\Add-Remove Programs.txt:

Update for Microsoft Office 2007 (KB2508958)
Acrobat.com
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Reader 9.1
AI Manager
ASUSUpdate
Atheros Communications Inc.® AR8121/AR8113/AR8114 Gigabit/Fast Ethernet Driver
Atheros Ethernet Utility
Best Buy Software Installer
Bing Bar
Compatibility Pack for the 2007 Office system
Disney Toontown Online
EPU-4 Engine
Google Chrome
Java Auto Updater
Java™ 7 Update 4
JavaFX 2.1.0
Junk Mail filter update
Malwarebytes Anti-Malware version 1.61.0.1400
McAfee Security Scan Plus
Microsoft Choice Guard
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Excel 2007 Help Actualización (KB963678)
Microsoft Office Excel MUI (Dutch) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Excel MUI (French) 2007
Microsoft Office Excel MUI (German) 2007
Microsoft Office Excel MUI (Spanish) 2007
Microsoft Office Home and Student 2007
Microsoft Office Live Add-in 1.5
Microsoft Office OneNote MUI (Dutch) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office OneNote MUI (French) 2007
Microsoft Office OneNote MUI (German) 2007
Microsoft Office OneNote MUI (Spanish) 2007
Microsoft Office Powerpoint 2007 Help Actualización (KB963669)
Microsoft Office PowerPoint MUI (Dutch) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint MUI (French) 2007
Microsoft Office PowerPoint MUI (German) 2007
Microsoft Office PowerPoint MUI (Spanish) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (Arabic) 2007
Microsoft Office Proof (Basque) 2007
Microsoft Office Proof (Catalan) 2007
Microsoft Office Proof (Dutch) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Galician) 2007
Microsoft Office Proof (German) 2007
Microsoft Office Proof (Italian) 2007
Microsoft Office Proof (Portuguese (Brazil)) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (Dutch) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing (French) 2007
Microsoft Office Proofing (German) 2007
Microsoft Office Proofing (Spanish) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Shared MUI (Dutch) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared MUI (French) 2007
Microsoft Office Shared MUI (German) 2007
Microsoft Office Shared MUI (Spanish) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Suite Activation Assistant
Microsoft Office Word 2007 Help Actualización (KB963665)
Microsoft Office Word MUI (Dutch) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Office Word MUI (French) 2007
Microsoft Office Word MUI (German) 2007
Microsoft Office Word MUI (Spanish) 2007
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Works
Mise à jour Microsoft Office Excel 2007 Help (KB963678)
Mise à jour Microsoft Office Powerpoint 2007 Help (KB963669)
Mise à jour Microsoft Office Word 2007 Help (KB963665)
Mozilla Firefox 12.0 (x86 en-US)
Mozilla Maintenance Service
MSVCRT
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP3 Parser (KB973685)
Realtek High Definition Audio Driver
RuneScape Launcher 1.2
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596880) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2598041) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2596917) 32-Bit Edition
Update für Microsoft Office Excel 2007 Help (KB963678)
Update für Microsoft Office Powerpoint 2007 Help (KB963669)
Update für Microsoft Office Word 2007 Help (KB963665)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update voor Microsoft Office Excel 2007 Help (KB963678)
Update voor Microsoft Office Powerpoint 2007 Help (KB963669)
Update voor Microsoft Office Word 2007 Help (KB963665)
Visual Studio 2008 x64 Redistributables
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
-----------------------------------------------------------------------------------

Results from Malwarebytes Scan:

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.22.03

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
Robin :: ROBIN-PC [administrator]

Protection: Disabled

6/21/2012 11:44:50 PM
mbam-log-2012-06-21 (23-44-50).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 340994
Time elapsed: 20 minute(s), 33 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\FRST\Quarantine\{0074cc56-a130-ebaa-9dc1-746a1b659985}\U\800000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.

(end)

#12 RPMcMurphy
  • Malware Response Team
  • 3,970 posts

Posted 22 June 2012 - 07:04 AM

Hi,

How is your computer running now? Please do this next:

Go to this link to run an online scanner from ESET.
  • Note: For browsers other than Internet Explorer, you will need to download and install esetsmartinstaller_enu.exe. Click on it and save the file to a convenient location. Double click on it to install and a new window will open.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • If you are using Internet Explorer, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic.
Please include the following in your next post:
  • How is the computer running now?
  • ESET log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member

The help you receive here is free. If you wish to show your appreciation, then you may donate.


#13 Turbo Rob (Topic Starter, Members, 19 posts)

Posted 23 June 2012 - 03:45 PM

The computer seems to be operating pretty well right now. The only quirk I have noticed so far is that the screen quickly flashes off and back on when a new program attempts to run, which seems strange.

Here are the results from the ESET scan (note: "C:\Program Files\Eset\Eset Online Scanner\log.txt" did not exist after the scan, but I had the option to import as a text file):

C:\FRST\Quarantine\services.exe Win64/Patched.B.Gen trojan
C:\FRST\Quarantine\{0074cc56-a130-ebaa-9dc1-746a1b659985}\n Win64/Sirefef.W trojan
C:\FRST\Quarantine\{0074cc56-a130-ebaa-9dc1-746a1b659985}\U\00000001.@ Win64/Sirefef.AI trojan
C:\FRST\Quarantine\{0074cc56-a130-ebaa-9dc1-746a1b659985}\U\80000000.@ Win64/Sirefef.AE trojan
C:\Program Files (x86)\Disney\Disney Online\ToontownOnline\HackerChat\RemoteDll.exe a variant of Win32/RemoteDLL.A application
C:\Users\Robin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\35\7c628a63-77da5f88 a variant of Java/TrojanDownloader.Agent.NEH trojan
C:\Users\Robin\Downloads\PythonInjector(4).zip a variant of Win32/RemoteDLL.A application
C:\Users\Robin\Downloads\PythonInjector.zip a variant of Win32/RemoteDLL.A application
C:\Users\Robin\Downloads\RemoteDll.zip a variant of Win32/RemoteDLL.A application
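
The ESET result lines above, parsed and bucketed the way a helper reads them. This is an added example and is not part of the original post, nor an ESET or FRST tool: it separates hits inside C:\FRST\Quarantine (files FRST had already pulled out of the running system, which is why both the Malwarebytes and the ESET scans keep reporting Sirefef files there) from items still on the live file system, and marks paths that follow the Sirefef {GUID}\U\*.@ and {GUID}\n layout visible in this quarantine listing. The sample input is the nine lines from the post; the quarantine folder list and the treatment of ESET's "application" category as "flagged tool, not malware" are assumptions of this example.

```python
"""Triage of ESET Online Scanner result lines (added example, not an ESET tool).

Each result line has the shape
    <path> [a variant of ]<signature> <category>
Paths contain spaces, so the line is read from the right: the last token is the
category ("trojan", "application", ...), the one before it the signature.
"""
import re
from typing import Dict, List, NamedTuple

# Constructed sample input: the nine result lines posted in this thread.
SAMPLE_ESET_LOG = r"""
C:\FRST\Quarantine\services.exe Win64/Patched.B.Gen trojan
C:\FRST\Quarantine\{0074cc56-a130-ebaa-9dc1-746a1b659985}\n Win64/Sirefef.W trojan
C:\FRST\Quarantine\{0074cc56-a130-ebaa-9dc1-746a1b659985}\U\00000001.@ Win64/Sirefef.AI trojan
C:\FRST\Quarantine\{0074cc56-a130-ebaa-9dc1-746a1b659985}\U\80000000.@ Win64/Sirefef.AE trojan
C:\Program Files (x86)\Disney\Disney Online\ToontownOnline\HackerChat\RemoteDll.exe a variant of Win32/RemoteDLL.A application
C:\Users\Robin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\35\7c628a63-77da5f88 a variant of Java/TrojanDownloader.Agent.NEH trojan
C:\Users\Robin\Downloads\PythonInjector(4).zip a variant of Win32/RemoteDLL.A application
C:\Users\Robin\Downloads\PythonInjector.zip a variant of Win32/RemoteDLL.A application
C:\Users\Robin\Downloads\RemoteDll.zip a variant of Win32/RemoteDLL.A application
"""

# Assumption: folders an earlier cleanup step fills with files it already
# removed from the running system (FRST's quarantine as seen in the thread;
# ComboFix's is C:\Qoobox\Quarantine). A hit there is a leftover, not a live infection.
QUARANTINE_PREFIXES = ("c:\\frst\\quarantine\\", "c:\\qoobox\\quarantine\\")

LINE_RE = re.compile(
    r"^(?P<path>[a-z]:\\.+?)\s+(?P<variant>a variant of )?(?P<sig>\S+)\s+(?P<kind>\S+)$",
    re.IGNORECASE,
)

# Layout of the Sirefef/ZeroAccess payload store as it appears in this thread's
# quarantine listing: a {GUID} folder holding a file "n" and a "U" subfolder of
# eight-hex-digit ".@" files.
ZEROACCESS_RE = re.compile(
    r"\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\\(?:u\\[0-9a-f]{8}\.@|n)$",
    re.IGNORECASE,
)


class Detection(NamedTuple):
    path: str
    signature: str
    kind: str         # "trojan", "application", ...
    variant: bool     # ESET's "a variant of" prefix (heuristic/generic match)
    state: str        # "quarantined" or "live"
    zeroaccess: bool  # path follows the {GUID}\U\xxxxxxxx.@ or {GUID}\n layout


def parse_line(line: str) -> Detection:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised ESET result line: {line!r}")
    path = m.group("path")
    low = path.lower()
    return Detection(
        path=path,
        signature=m.group("sig"),
        kind=m.group("kind").lower(),
        variant=m.group("variant") is not None,
        state="quarantined" if low.startswith(QUARANTINE_PREFIXES) else "live",
        zeroaccess=ZEROACCESS_RE.search(low) is not None,
    )


def parse_eset_log(text: str) -> List[Detection]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def summarize(dets: List[Detection]) -> Dict[str, List[str]]:
    """Bucket hits the way a helper reads the log: quarantine leftovers, live
    malware, and live items ESET labels "application" (tools such as DLL
    injectors, flagged as potentially unsafe rather than as malware)."""
    out: Dict[str, List[str]] = {"quarantined": [], "live_malware": [], "live_tool": []}
    for d in dets:
        if d.state == "quarantined":
            out["quarantined"].append(d.path)
        elif d.kind == "application":
            out["live_tool"].append(d.path)
        else:
            out["live_malware"].append(d.path)
    return out


if __name__ == "__main__":
    found = parse_eset_log(SAMPLE_ESET_LOG)
    for bucket, paths in summarize(found).items():
        print(f"{bucket} ({len(paths)}):")
        for p in paths:
            print("   ", p)
    print("Sirefef-layout paths:", sum(d.zeroaccess for d in found))
```

Run on the posted lines, four hits land in the quarantine bucket (the patched services.exe and the three Sirefef payload files, all already out of the OS), one live malware hit is the Java deployment-cache downloader (which is what the ClearJavaCache:: step in the next reply removes), and the four "application" hits are the RemoteDll/PythonInjector tools the user downloaded, which ESET flags as potentially unsafe rather than as an infection.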

#14 RPMcMurphy (Malware Response Team, 3,970 posts)

Posted 23 June 2012 - 10:51 PM

Hi,

Please do this next:

Open Notepad (Start > All Programs > Accessories > Notepad; this will only work with Notepad) and copy all the text inside the code box by highlighting it and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above ClearJavaCache::

ClearJavaCache::

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Please include the following in your next post:
  • ComboFix log



#15 Turbo Rob (Topic Starter, Members, 19 posts)

Posted 25 June 2012 - 07:11 PM

ComboFix 12-06-21.02 - Robin 06/25/2012 13:05:49.2.2 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.5885.4417 [GMT -7:00]
Running from: c:\users\Robin\Desktop\ComboFix.exe
Command switches used :: c:\users\Robin\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-05-25 to 2012-06-25 )))))))))))))))))))))))))))))))
.
.
2012-06-25 20:09 . 2012-06-25 20:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-23 19:31 . 2012-05-31 04:04 9013136 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F60560F4-6334-4B24-BD32-8A01B04CFCA7}\mpengine.dll
2012-06-23 19:26 . 2012-06-23 19:26 -------- d-----w- c:\program files (x86)\ESET
2012-06-22 07:25 . 2012-06-18 10:12 9013136 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4AB7E1C7-EE65-447A-8A24-3BCC1CDF0780}\mpengine.dll
2012-06-22 07:11 . 2012-06-22 07:11 770384 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr100.dll
2012-06-22 07:11 . 2012-06-22 07:11 421200 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp100.dll
2012-06-21 19:46 . 2012-05-31 04:04 9013136 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-06-21 19:25 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-21 19:25 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-21 19:25 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-21 19:25 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-21 19:24 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-21 19:24 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-21 19:24 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-21 19:24 . 2012-06-02 22:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-21 19:24 . 2012-06-02 22:15 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-20 18:57 . 2012-06-21 08:59 -------- d-----w- C:\FRST
2012-06-19 19:19 . 2012-06-21 19:28 30496 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-06-19 06:03 . 2012-06-19 06:03 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5CF19F22-6395-41BF-B6E4-A2BF476CF7A8}\gapaengine.dll
2012-06-19 05:57 . 2012-06-19 05:57 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2012-06-19 05:57 . 2012-06-19 05:57 -------- d-----w- c:\program files\Microsoft Security Client
2012-06-19 05:44 . 2012-06-21 19:29 -------- d-----w- c:\program files\HitmanPro
2012-06-19 05:44 . 2012-06-19 05:49 -------- d-----w- c:\programdata\HitmanPro
2012-06-18 18:28 . 2012-06-18 18:28 -------- d-----w- c:\users\Robin\AppData\Roaming\Malwarebytes
2012-06-18 18:28 . 2012-06-18 18:28 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-06-18 18:28 . 2012-06-18 18:28 -------- d-----w- c:\programdata\Malwarebytes
2012-06-18 18:28 . 2012-04-04 22:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-18 18:10 . 2012-06-18 18:10 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-06-13 23:49 . 2012-04-26 05:34 76288 ----a-w- c:\windows\system32\rdpwsx.dll
2012-06-13 23:49 . 2012-04-26 05:34 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-06-13 23:49 . 2012-04-26 05:28 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-06-13 23:49 . 2012-05-02 05:32 208896 ----a-w- c:\windows\system32\profsvc.dll
2012-06-13 23:49 . 2012-05-04 10:52 5505392 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-06-13 23:48 . 2012-05-04 10:08 3958128 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-06-13 23:48 . 2012-05-04 10:08 3902320 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-06-13 23:48 . 2012-05-15 01:32 3144192 ----a-w- c:\windows\system32\win32k.sys
2012-06-13 23:48 . 2012-04-28 03:50 204800 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-13 23:48 . 2012-04-07 12:18 3213824 ----a-w- c:\windows\system32\msi.dll
2012-06-13 23:48 . 2012-04-07 11:34 2342400 ----a-w- c:\windows\SysWow64\msi.dll
2012-06-13 23:48 . 2012-04-24 05:59 182272 ----a-w- c:\windows\system32\cryptsvc.dll
2012-06-13 23:48 . 2012-04-24 05:59 1460224 ----a-w- c:\windows\system32\crypt32.dll
2012-06-13 23:48 . 2012-04-24 05:59 140288 ----a-w- c:\windows\system32\cryptnet.dll
2012-06-13 23:48 . 2012-04-24 04:47 139264 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2012-06-13 23:48 . 2012-04-24 04:47 1156608 ----a-w- c:\windows\SysWow64\crypt32.dll
2012-06-13 23:48 . 2012-04-24 04:47 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-23 20:17 . 2012-05-14 21:34 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-06-23 20:17 . 2012-01-10 17:43 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-04-05 01:47 . 2012-05-16 20:25 772504 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2012-04-05 01:47 . 2012-05-16 20:25 687504 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-03-30 11:09 . 2012-05-14 21:12 1895280 ----a-w- c:\windows\system32\drivers\tcpip.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2012-06-21_19.35.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-14 04:54 . 2012-06-23 20:17 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-06-19 05:54 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-06-23 20:17 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-06-19 05:54 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-06-19 05:54 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-06-23 20:17 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-08-05 18:23 . 2012-06-25 20:02 35612 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-06-25 20:02 45570 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-06-16 02:20 . 2012-06-25 20:02 12876 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3642015814-475855457-2614654053-1000_UserData.bin
+ 2009-07-14 04:46 . 2012-06-22 07:17 78720 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2011-09-20 05:54 . 2012-06-22 07:09 2360 c:\windows\system32\wdi\ERCQueuedResolutions.dat
+ 2012-06-25 20:10 . 2012-06-25 20:10 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-06-21 19:35 . 2012-06-21 19:35 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-06-25 20:10 . 2012-06-25 20:10 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-06-21 19:35 . 2012-06-21 19:35 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-06-23 20:17 . 2012-06-23 20:17 686280 c:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_3_300_262_Plugin.exe
+ 2012-05-14 21:34 . 2012-06-23 20:17 250056 c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
+ 2009-07-14 02:36 . 2012-06-25 20:05 626290 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2012-06-21 19:27 626290 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-06-25 20:05 107566 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2012-06-21 19:27 107566 c:\windows\system32\perfc009.dat
+ 2012-03-23 19:41 . 2012-02-23 17:18 279656 c:\windows\system32\MpSigStub.exe
- 2012-03-23 19:41 . 2012-01-31 12:44 279656 c:\windows\system32\MpSigStub.exe
+ 2012-06-23 20:17 . 2012-06-23 20:17 417992 c:\windows\system32\Macromed\Flash\FlashUtil64_11_3_300_262_Plugin.exe
- 2010-06-16 04:56 . 2012-06-19 05:58 163840 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-06-16 04:56 . 2012-06-23 20:17 163840 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 05:01 . 2012-06-21 19:34 308556 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-06-25 20:09 308556 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2012-03-23 19:47 . 2012-06-21 19:34 763320 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3642015814-475855457-2614654053-1000-8192.dat
+ 2012-03-23 19:47 . 2012-06-25 20:09 763320 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3642015814-475855457-2614654053-1000-8192.dat
+ 2012-06-23 20:17 . 2012-06-23 20:17 9459912 c:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_262.dll
+ 2012-06-23 20:17 . 2012-06-23 20:17 1535176 c:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe
- 2010-06-16 04:56 . 2012-06-19 05:58 3063808 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-06-16 04:56 . 2012-06-23 20:17 3063808 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-06-23 20:17 2097152 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-06-19 05:58 2097152 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:45 . 2012-06-21 19:37 3801083 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
- 2009-07-14 04:45 . 2012-06-18 17:58 3801083 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
+ 2009-07-14 02:34 . 2012-06-23 19:41 10485760 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
- 2009-07-14 02:34 . 2012-06-21 19:34 10485760 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
+ 2012-06-23 20:17 . 2012-06-23 20:17 12310216 c:\windows\system32\Macromed\Flash\NPSWF64_11_3_300_262.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"RunAIShell"="c:\program files (x86)\ASUS\AI Manager\AsShellApplication.exe" [2009-08-20 225280]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
c:\users\Robin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\3.0.207\SSScheduler.exe [2011-6-17 272528]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Best Buy Software Installer.lnk - c:\program files\Best Buy Software Installer\Best Buy Software Installer.exe [2009-10-5 1132472]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-23 250056]
R3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro36.sys [x]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\3.0.207\McCHSvc.exe [2011-06-17 237008]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-06-22 113120]
R3 netr28x;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\system32\DRIVERS\netr28x.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-27 291696]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S1 AsUpIO;AsUpIO;SysWow64\drivers\AsUpIO.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-10-21 196176]
S2 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-10-14 249648]
S2 Device Handle Service;Device Handle Service;c:\windows\SysWOW64\AsHookDevice.exe [2009-08-20 196608]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
Hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-25 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-14 20:17]
.
2012-06-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3642015814-475855457-2614654053-1000Core.job
- c:\users\Robin\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-19 03:44]
.
2012-06-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3642015814-475855457-2614654053-1000UA.job
- c:\users\Robin\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-19 03:44]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-05-24 7833120]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-05-24 1833504]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-08 165912]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-08 387608]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-08 365592]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-27 1271168]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 66.28.0.45 156.154.71.1 8.8.4.4
FF - ProfilePath - c:\users\Robin\AppData\Roaming\Mozilla\Firefox\Profiles\jqb1vafy.default\
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Nico Mak Computing\WinZip]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\ASUS\AI Manager\AIManager.exe
c:\program files (x86)\ASUS\EPU-4 Engine\FourEngine.exe
.
**************************************************************************
.
Completion time: 2012-06-25 13:13:49 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-25 20:13
ComboFix2.txt 2012-06-21 19:39
.
Pre-Run: 943,762,698,240 bytes free
Post-Run: 943,337,664,512 bytes free
.
- - End Of File - - 5359415584E1462E5C9D4B067A7A6A7E



