Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

GAC_32 virus victim


  • This topic is locked This topic is locked
38 replies to this topic

#1 Bratman

Bratman

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:09:47 PM

Posted 16 July 2012 - 05:35 PM

Hello and thanks in advance for helping me out. I got hit with the virus that puts two files in the c:\windows\assembly folder. The files are GAC-32\desktop.ini and GAC_64\desktop.ini. I looked for quick fixes and tutorials, but none have worked. I see that some have been successful here with help from the volunteers and I hope you can help me too.

Symptoms: My AVG comes up with the error telling me I have TROJAN HORSE BENERIC28.ANIC AND TROHAN HORSE BACKDOOR.GENERIC15.AXLA. It can neither heal nor quarantine either. I tried changing the attributes to the desktop.ini files in CMD but they cannot be changed.

Another symptom is that Adobe flash installer 11.3 keeps trying to install but hangs. Also, it seems that Firefox will randomly open unintelligible pages in new tabs. And finally, when my laptop is connected to my home network, said network loses its internet connection. For some reason it's fine when connected to another network, but every time I reconnect to the home network, it stops and I have to reset my router.

Again, thanks in advance to whoever helps me. Normally I'm good at manually removing threats like this, but this one seems to be a lot tougher. I will attach my DDS and attachment logs. Please let me know what else I need to do.

Ricky

here is the DDS:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.6001.19190 BrowserJavaVersion: 1.6.0_31
Run by bratman at 15:22:46 on 2012-07-16
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.8188.5731 [GMT -7:00]
.
AV: AVG Anti-Virus *Enabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}
SP: AVG Anti-Virus *Enabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_bd5387da\STacSV64.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Hpservice.exe
C:\Program Files\WTouch\WTouchService.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_bd5387da\AESTSr64.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\PROGRA~2\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\SMINST\BLService.exe
C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe
C:\Program Files (x86)\Synaptics\Scrybe\Service\ScrybeUpdater.exe
C:\PROGRA~2\AVG\AVG8\avgam.exe
C:\PROGRA~2\AVG\AVG8\avgrsa.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\Pen_Tablet.exe
C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe
C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\11.2.0\ToolbarUpdater.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\PROGRA~2\AVG\AVG8\avgemc.exe
C:\Program Files (x86)\AVG\AVG8\avgcsrvx.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\Dwm.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
C:\Windows\Explorer.EXE
C:\Program Files\WTouch\WTouchUser.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\Windows\system32\Pen_Tablet.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files (x86)\SuperF4\SuperF4.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files (x86)\AVG\AVG8\avgtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files (x86)\HP\QuickPlay\QPService.exe
C:\Program Files (x86)\AVG Secure Search\vprot.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Synaptics\Scrybe\scrybe.exe
C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\SysWOW64\svchost.exe -k Akamai
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_265.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_265.exe
C:\PROGRA~2\AVG\AVG8\avgnsa.exe
"C:\Windows\SysWOW64\svchost.exe" -k LocalServiceDns
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;<local>
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\PROGRA~2\Yahoo!\Companion\Installs\cpn0\yt.dll
mURLSearchHooks: H - No File
mWinlogon: Userinit=userinit.exe,
{01c813dd-6214-432f-8b1e-c451ac542ccc}
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - C:\PROGRA~2\Yahoo!\Companion\Installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG8\avgssie.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - C:\Program Files (x86)\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1423.0\npwinext.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - C:\PROGRA~2\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\PROGRA~2\Yahoo!\Companion\Installs\cpn0\yt.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB: @C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1423.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1423.0\npwinext.dll
TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - C:\Program Files (x86)\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
uRun: [Aim6]
uRun: [SuperF4] "C:\Program Files (x86)\SuperF4\SuperF4.exe"
uRun: [AdobeBridge]
uRun: [Google Update] "C:\Users\bratman\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Akamai NetSession Interface] "C:\Users\bratman\AppData\Local\Akamai\netsession_win.exe"
uRun: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
uRun: [iCloudServices] C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
uRun: [ApplePhotoStreams] C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
uRun: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
mRun: [QlbCtrl.exe] "C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
mRun: [AVG8_TRAY] C:\PROGRA~2\AVG\AVG8\avgtray.exe
mRun: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
mRun: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
mRun: [QPService] "C:\Program Files (x86)\HP\QuickPlay\QPService.exe"
mRun: [SwitchBoard] "C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe"
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [ROC_roc_dec12] "C:\Program Files (x86)\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [XSECVA] C:\Users\bratman\AppData\Roaming\xsecva\xsecva.exe -s
StartupFolder: C:\Users\bratman\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\Scrybe.lnk - C:\Windows\Installer\{147DFAD8-34C3-4DE1-9FCA-ACEFDE9EF810}\NewShortcut11_8ACB210B42E44145A8C31F8E3DD765A3.exe
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
LSP: mswsock.dll
Trusted Zone: google.com\www
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{02324B53-69AA-422A-AE39-1661F957A7B2} : DhcpNameServer = 8.8.8.8
TCP: Interfaces\{7383A8BF-1E7D-468D-84CC-B37694E66C5F} : DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{BA3B7381-AF06-4E7F-BCD5-794592ED2664} : DhcpNameServer = 192.168.1.254
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG8\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\11.2.0\ViProtocol.dll
BHO-X64: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~2\Yahoo!\Companion\Installs\cpn0\yt.dll
BHO-X64: 0x1 - No File
BHO-X64: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
BHO-X64: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll
BHO-X64: AskBar BHO - No File
BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG8\avgssie.dll
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
BHO-X64: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO-X64: Search Helper - No File
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll
BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1423.0\npwinext.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: Windows Live Toolbar Helper: {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
BHO-X64: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~2\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
BHO-X64: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
BHO-X64: HP Smart BHO Class - No File
TB-X64: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~2\Yahoo!\Companion\Installs\cpn0\yt.dll
TB-X64: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll
TB-X64: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB-X64: &Windows Live Toolbar: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB-X64: @C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1423.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1423.0\npwinext.dll
TB-X64: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll
mRun-x64: [QlbCtrl.exe] "C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
mRun-x64: [AVG8_TRAY] C:\PROGRA~2\AVG\AVG8\avgtray.exe
mRun-x64: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
mRun-x64: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
mRun-x64: [QPService] "C:\Program Files (x86)\HP\QuickPlay\QPService.exe"
mRun-x64: [SwitchBoard] "C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe"
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe"
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [ROC_roc_dec12] "C:\Program Files (x86)\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [XSECVA] C:\Users\bratman\AppData\Roaming\xsecva\xsecva.exe -s
IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\bratman\AppData\Roaming\Mozilla\Firefox\Profiles\xik85pz0.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.facebook.com/home.php|http://www.ufc.com/|http://www.mail.com/|http://www.toplessrobot.com/|http://www.world-sex-news.com/|http://www.arcamax.com/comics
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\11.2.0\npsitesafety.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1423.0\npwinext.dll
FF - plugin: C:\Program Files (x86)\TabletPlugins\npwacom.dll
FF - plugin: C:\Program Files (x86)\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\bratman\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: C:\Users\bratman\AppData\Local\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll
FF - plugin: C:\Users\bratman\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
FF - plugin: C:\Users\bratman\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: C:\Users\bratman\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_265.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AvgRkx64;AvgRkx64;C:\Windows\system32\Drivers\avgrkx64.sys --> C:\Windows\system32\Drivers\avgrkx64.sys [?]
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 AvgLdx64;AVG AVI Loader Driver x64;C:\Windows\system32\Drivers\avgldx64.sys --> C:\Windows\system32\Drivers\avgldx64.sys [?]
R1 AvgMfx64;AVG On-access Scanner Minifilter Driver x64;C:\Windows\system32\Drivers\avgmfx64.sys --> C:\Windows\system32\Drivers\avgmfx64.sys [?]
R1 AvgTdiA;AVG8 Network Redirector;C:\Windows\system32\Drivers\avgtdia.sys --> C:\Windows\system32\Drivers\avgtdia.sys [?]
R2 {22D78859-9CE9-4B77-BF18-AC83E81A9263};Power Control [2010/09/22 09:44:16];C:\Program Files (x86)\HP\QuickPlay\000.fcl [2010-9-22 146928]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;C:\Program Files (x86)\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
R2 AESTFilters;Andrea ST Filters Service;C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_bd5387da\AESTSr64.exe --> C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_bd5387da\AESTSr64.exe [?]
R2 Akamai;Akamai NetSession Interface;C:\Windows\System32\svchost.exe -k Akamai [2008-1-20 21504]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~2\AVG\AVG8\avgemc.exe [2009-5-15 908056]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~2\AVG\AVG8\avgwdsvc.exe [2009-5-15 297752]
R2 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 hpsrv;HP Service;C:\Windows\system32\Hpservice.exe --> C:\Windows\system32\Hpservice.exe [?]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-8-17 655944]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-6-6 1262400]
R2 Recovery Service for Windows;Recovery Service for Windows;C:\Windows\SMINST\BLService.exe [2008-7-28 361808]
R2 ScrybeUpdater;Scrybe Updater;C:\Program Files (x86)\Synaptics\Scrybe\Service\ScrybeUpdater.exe [2011-5-27 1300264]
R2 TabletServicePen;TabletServicePen;C:\Windows\system32\Pen_Tablet.exe --> C:\Windows\system32\Pen_Tablet.exe [?]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe [2008-12-7 24652]
R2 vToolbarUpdater11.2.0;vToolbarUpdater11.2.0;C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\11.2.0\ToolbarUpdater.exe [2012-7-9 935008]
R2 WTouchService;WTouch Service;C:\Program Files\WTouch\WTouchService.exe [2010-1-15 127784]
R3 Com4QLBEx;Com4QLBEx;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-7-28 193840]
R3 enecir;ENE CIR Receiver;C:\Windows\system32\DRIVERS\enecir.sys --> C:\Windows\system32\DRIVERS\enecir.sys [?]
R3 JMCR;JMCR;C:\Windows\system32\DRIVERS\jmcr.sys --> C:\Windows\system32\DRIVERS\jmcr.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 NETw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\NETw5v64.sys --> C:\Windows\system32\DRIVERS\NETw5v64.sys [?]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate1c9c0fdf14ae8d8;Google Update Service (gupdate1c9c0fdf14ae8d8);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2009-4-19 133104]
S2 pla32;Performance Logs & Alerts ;C:\Windows\system32\modemui32.exe --> C:\Windows\system32\modemui32.exe [?]
S2 Skype C2C Service;Skype C2C Service;C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-6-19 3048136]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-2-29 158856]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-6 250056]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;C:\Program Files (x86)\AVG\AVG8\Toolbar\ToolbarBroker.exe [2010-10-26 167264]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2009-4-19 133104]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-5-7 129976]
S3 Netaapl;Apple Mobile Device Ethernet Service;C:\Windows\system32\DRIVERS\netaapl64.sys --> C:\Windows\system32\DRIVERS\netaapl64.sys [?]
S3 PAC207;Webcam 1200;C:\Windows\system32\DRIVERS\PFC027.SYS --> C:\Windows\system32\DRIVERS\PFC027.SYS [?]
S3 pbfilter;pbfilter;C:\Program Files\PeerBlock\pbfilter.sys [2012-5-7 24176]
S3 Pcouffin64;Low level access layer for CD devices;C:\Windows\system32\Drivers\pcouffin64a.sys --> C:\Windows\system32\Drivers\pcouffin64a.sys [?]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 wacmoumonitor;Wacom Mode Helper;C:\Windows\system32\DRIVERS\wacmoumonitor.sys --> C:\Windows\system32\DRIVERS\wacmoumonitor.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\system32\DRIVERS\wdcsam64.sys --> C:\Windows\system32\DRIVERS\wdcsam64.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\system32\DRIVERS\WSDPrint.sys --> C:\Windows\system32\DRIVERS\WSDPrint.sys [?]
S4 ASKService;ASKService;C:\Program Files (x86)\AskBarDis\bar\bin\AskService.exe [2008-12-7 464264]
S4 ASKUpgrade;ASKUpgrade;C:\Program Files (x86)\AskBarDis\bar\bin\ASKUpgrade.exe [2008-12-7 234888]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-9-24 89920]
S4 SlingAgentService;SlingAgentService;C:\Program Files (x86)\Sling Media\SlingAgent\SlingAgentService.exe [2009-9-25 93960]
.
=============== File Associations ===============
.
JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2012-07-16 14:23:30 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%
2012-07-16 13:48:09 -------- d-----w- C:\Users\bratman\AppData\Roaming\xsecva
2012-06-23 14:57:49 -------- d-----w- C:\Users\bratman\AppData\Local\Macromedia
2012-06-20 00:35:14 4967624 ----a-w- C:\Program Files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
.
==================== Find3M ====================
.
2012-07-11 23:17:31 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-11 23:17:31 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-07-03 20:46:44 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-06-06 19:14:04 2864396 ----a-w- C:\ProgramData\MPV.exe
2012-06-02 22:19:42 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-06-02 22:19:42 171904 ----a-w- C:\Windows\SysWow64\wuwebv.dll
2012-06-02 22:15:31 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-06-02 22:15:12 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-06-02 22:15:08 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-06-02 22:12:20 33792 ----a-w- C:\Windows\SysWow64\wuapp.exe
2012-06-02 22:12:13 88576 ----a-w- C:\Windows\SysWow64\wudriver.dll
2012-05-15 09:29:47 889664 ----a-w- C:\Windows\System32\nvvsvc.exe
2012-05-15 09:29:46 63296 ----a-w- C:\Windows\System32\nvshext.dll
2012-05-15 09:29:46 2561856 ----a-w- C:\Windows\System32\nvsvcr.dll
2012-05-15 09:29:46 118080 ----a-w- C:\Windows\System32\nvmctray.dll
2012-05-15 09:29:25 3149632 ----a-w- C:\Windows\System32\nvsvc64.dll
2012-05-15 09:28:42 6151488 ----a-w- C:\Windows\System32\nvcpl.dll
2012-04-18 17:08:08 31040 ----a-w- C:\Windows\System32\nvhdap64.dll
2012-04-18 17:08:06 72512 ----a-w- C:\Windows\System32\nvapo64v.dll
2012-04-18 17:08:03 188736 ----a-w- C:\Windows\System32\drivers\nvhda64v.sys
2012-04-18 17:08:02 1451840 ----a-w- C:\Windows\System32\nvhdagenco6420103.dll
.
============= FINISH: 15:23:23.22 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:47 PM

Posted 17 July 2012 - 12:51 AM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of us

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of hartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 Bratman

Bratman
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:09:47 PM

Posted 17 July 2012 - 01:14 AM

Thanks for helping. I ran combo fix, but I didn't see a full log registered after. This is what was in combofix.txt:

ComboFix 12-07-16.01 - bratman 07/16/2012 22:06:58.1.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.8188.5864 [GMT -7:00]
Running from: C:\Users\bratman\Desktop\ComboFix.exe
AV: AVG Anti-Virus *Disabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}
SP: AVG Anti-Virus *Disabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point


I did see that at one point near the end it deleted GAC_32\desktop.ini and GAC_64\desktop.ini.
The system seems to be running ok, and I've been online without a drop for a while.
However, when I ran malwarebytes after the combofix, it STILL came back with trojan.dropper.bcminer detected.

What do I do next?

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:47 PM

Posted 17 July 2012 - 01:26 AM

Hello

download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
[*]Select Command Prompt
[*]In the command window type in notepad and press Enter.
[*]The notepad opens. Under File menu select Open.
[*]Select "Computer" and find your flash drive letter and close the notepad.
[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
[*]The tool will start to run.
[*]When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.[/list]
Gringo[/b]
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 Bratman

Bratman
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:09:47 PM

Posted 17 July 2012 - 09:01 AM

Farbar Results

Scan result of Farbar Recovery Scan Tool Version: 16-07-2012 02
Ran by SYSTEM at 17-07-2012 06:51:59
Running from G:\
Windows Vista ™ Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet003

========================== Registry (Whitelisted) =============

HKLM\...\Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe [685568 2008-01-23] ( Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray64.exe [441344 2008-09-11] (IDT, Inc.)
HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [500208 2010-03-06] (Adobe Systems Incorporated)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2735400 2011-03-31] (Synaptics Incorporated)
HKLM-x32\...\Run: [QlbCtrl.exe] "C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start [202032 2008-03-14] ( Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [AVG8_TRAY] C:\PROGRA~2\AVG\AVG8\avgtray.exe [2042208 2011-10-17] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin [402432 2010-07-22] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume [288088 2009-11-11] (Microsoft Corporation)
HKLM-x32\...\Run: [QPService] "C:\Program Files (x86)\HP\QuickPlay\QPService.exe" [468264 2009-03-10] (CyberLink Corp.)
HKLM-x32\...\Run: [SwitchBoard] "C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462920 2012-07-03] (Malwarebytes Corporation)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe" [x]
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [937920 2011-03-29] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe" [1107552 2012-07-09] ()
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKLM-x32\...\Run: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2011-11-02] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
HKLM-x32\...\Run: [ROC_roc_dec12] "C:\Program Files (x86)\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12 [928096 2012-01-15] ()
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2012-03-06] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [XSECVA] C:\Users\bratman\AppData\Roaming\xsecva\xsecva.exe -s [131072 2012-07-16] ()
HKLM-x32\...\Run: [combofix] C:\ComboFix\CF13263.3XE /c C:\ComboFix\Combobatch.bat [8272 2012-07-16] ()
HKU\bratman\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [138240 2008-01-20] (Microsoft Corporation)
HKU\bratman\...\Run: [Aim6] [x]
HKU\bratman\...\Run: [SuperF4] "C:\Program Files (x86)\SuperF4\SuperF4.exe" [47616 2010-10-23] (Stefan Sundin)
HKU\bratman\...\Run: [AdobeBridge] [x]
HKU\bratman\...\Run: [Akamai NetSession Interface] "C:\Users\bratman\AppData\Local\Akamai\netsession_win.exe" [4327744 2012-05-26] (Akamai Technologies, Inc)
HKU\bratman\...\Run: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-23] (Apple Inc.)
HKU\bratman\...\Run: [iCloudServices] C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [59240 2012-02-23] (Apple Inc.)
HKU\bratman\...\Run: [ApplePhotoStreams] C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [59240 2012-02-24] (Apple Inc.)
HKU\bratman\...\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe [x]
HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
HKU\Default\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [2438656 2009-04-10] (Microsoft Corporation)
HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
HKU\Default User\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [2438656 2009-04-10] (Microsoft Corporation)
HKU\Guest\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [2438656 2009-04-10] (Microsoft Corporation)
HKU\Guest\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
HKU\Kids\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
HKU\Kids\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [138240 2008-01-20] (Microsoft Corporation)
HKU\Kids\...\Run: [Aim6] [x]
HKU\Kids\...\Run: [SuperF4] "C:\Program Files (x86)\SuperF4\SuperF4.exe" -hide [47616 2010-10-23] (Stefan Sundin)
HKU\Kids\...\Run: [Google Update] "C:\Users\bratman\AppData\Local\Google\Update\GoogleUpdate.exe" /c [135664 2010-02-25] (Google Inc.)
HKU\Kids\...\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe [x]
HKU\Mcx1\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
HKU\Mcx1\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [2438656 2009-04-10] (Microsoft Corporation)
HKU\Mcx1\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [138240 2008-01-20] (Microsoft Corporation)
HKU\Mcx1\...\Winlogon: [Shell] C:\Windows\eHome\McrMgr.exe [196608 2009-04-10] (Microsoft Corporation)
HKU\UpdatusUser\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
HKU\UpdatusUser\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [2438656 2009-04-10] (Microsoft Corporation)
HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript [1085000 2012-07-03] (Malwarebytes Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
AppInit_DLLs: avgrssta.dll
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Scrybe.lnk
ShortcutTarget: Scrybe.lnk -> C:\Windows\Installer\{147DFAD8-34C3-4DE1-9FCA-ACEFDE9EF810}\NewShortcut11_8ACB210B42E44145A8C31F8E3DD765A3.exe (Acresso Software Inc.)
Startup: C:\Users\bratman\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)

==================== Services (Whitelisted) ======

2 AdobeActiveFileMonitor7.0; C:\Program Files (x86)\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [169312 2008-09-16] (Adobe Systems Incorporated)
2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_bd5387da\AESTSr64.exe [89088 2008-06-27] (Andrea Electronics Corporation)
4 ASKService; C:\Program Files (x86)\AskBarDis\bar\bin\AskService.exe [464264 2008-11-24] ()
4 ASKUpgrade; C:\Program Files (x86)\AskBarDis\bar\bin\ASKUpgrade.exe [234888 2008-11-24] ()
3 AVG Security Toolbar Service; C:\Program Files (x86)\AVG\AVG8\Toolbar\ToolbarBroker.exe [167264 2011-11-10] ()
2 avg8emc; C:\PROGRA~2\AVG\AVG8\avgemc.exe [908056 2009-07-30] (AVG Technologies CZ, s.r.o.)
2 avg8wd; C:\PROGRA~2\AVG\AVG8\avgwdsvc.exe [297752 2009-07-30] (AVG Technologies CZ, s.r.o.)
3 GameConsoleService; "C:\Program Files (x86)\HP Games\My HP Game Console\GameConsoleService.exe" [181784 2007-12-04] (WildTangent, Inc.)
2 gupdate1c9c0fdf14ae8d8; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [133104 2009-04-19] (Google Inc.)
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation)
4 QPCapSvc; "C:\Program Files (x86)\HP\QuickPlay\Kernel\TV\QPCapSvc.exe" [292216 2009-01-12] ()
4 QPSched; "C:\Program Files (x86)\HP\QuickPlay\Kernel\TV\QPSched.exe" [116080 2009-01-12] ()
2 Recovery Service for Windows; C:\Windows\SMINST\BLService.exe [361808 2008-04-26] ()
2 RichVideo; "C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe" [272024 2007-01-09] ()
2 ScrybeUpdater; "C:\Program Files (x86)\Synaptics\Scrybe\Service\ScrybeUpdater.exe" [1300264 2011-05-27] (Synaptics, Inc.)
4 SlingAgentService; C:\Program Files (x86)\Sling Media\SlingAgent\SlingAgentService.exe [93960 2009-09-25] (Sling Media Inc.)
2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_bd5387da\STacSV64.exe [279040 2008-09-11] (IDT, Inc.)
2 Viewpoint Manager Service; "C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe" [24652 2007-01-04] (Viewpoint Corporation)
2 vToolbarUpdater11.2.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\11.2.0\ToolbarUpdater.exe [935008 2012-07-09] ()
2 WTouchService; C:\Program Files\WTouch\WTouchService.exe [127784 2009-11-23] (Wacom Technology, Corp.)
2 pla32; C:\Windows\system32\modemui32.exe [x]
3 WinDefend; C:\Program Files (x86)\Windows Defender\mpsvc.dll [x]

========================== Drivers (Whitelisted) =============

3 61883; C:\Windows\System32\Drivers\61883.sys [58496 2008-01-20] (Microsoft Corporation)
1 Amfilter; C:\Windows\System32\DRIVERS\Amfltx64.sys [12288 2007-10-15] ((Standard mouse types))
3 Amusbprt; C:\Windows\System32\DRIVERS\Amusbx64.sys [17920 2008-02-13] (A4Tech Co.,Ltd.)
1 AvgLdx64; C:\Windows\System32\Drivers\AvgLdx64.sys [427016 2009-07-30] (AVG Technologies CZ, s.r.o.)
1 AvgMfx64; C:\Windows\System32\Drivers\AvgMfx64.sys [33416 2009-07-30] (AVG Technologies CZ, s.r.o.)
0 AvgRkx64; C:\Windows\System32\Drivers\AvgRkx64.sys [14856 2009-05-15] (AVG Technologies CZ, s.r.o.)
1 AvgTdiA; C:\Windows\System32\Drivers\AvgTdiA.sys [133640 2009-05-15] (AVG Technologies CZ, s.r.o.)
3 BCM43XV; C:\Windows\System32\DRIVERS\bcmwl664.sys [550912 2006-10-06] (Broadcom Corporation)
1 cdrbsdrv; C:\Windows\SysWow64\Drivers\cdrbsdrv.sys [33408 2009-04-14] (B.H.A Corporation)
3 HSFHWAZL; C:\Windows\System32\DRIVERS\VSTAZL6.SYS [286720 2008-01-20] (Conexant Systems, Inc.)
3 HSF_DPV; C:\Windows\System32\DRIVERS\VSTDPV6.SYS [1523712 2008-01-20] (Conexant Systems, Inc.)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [24904 2012-07-03] (Malwarebytes Corporation)
3 NVENETFD; C:\Windows\System32\DRIVERS\nvm60x64.sys [742696 2006-10-09] (NVIDIA Corporation)
3 PAC207; C:\Windows\System32\DRIVERS\PFC027.SYS [677376 2007-06-29] (PixArt Imaging Inc.)
3 pbfilter; \??\C:\Program Files\PeerBlock\pbfilter.sys [24176 2010-11-06] ()
3 Pcouffin64; C:\Windows\System32\Drivers\pcouffin64a.sys [82048 2008-12-10] (VSO Software)
3 winachsf; C:\Windows\System32\DRIVERS\VSTCNXT6.SYS [724480 2008-01-20] (Conexant Systems, Inc.)
2 {22D78859-9CE9-4B77-BF18-AC83E81A9263}; \??\C:\Program Files (x86)\HP\QuickPlay\000.fcl [146928 2009-01-12] (CyberLink Corp.)
1 Beep; [x]
3 catchme; \??\C:\ComboFix\catchme.sys [x]
1 eabfiltr; [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-07-17 06:50 - 2012-07-17 06:50 - 00000000 ____D C:\FRST
2012-07-16 20:59 - 2012-07-16 21:23 - 00000000 ___SD C:\ComboFix
2012-07-16 20:59 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
2012-07-16 20:59 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
2012-07-16 20:59 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-07-16 20:59 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-07-16 20:59 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-07-16 20:59 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
2012-07-16 20:59 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
2012-07-16 20:59 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
2012-07-16 20:28 - 2012-07-16 20:28 - 00020692 ____A C:\Users\bratman\My Documents\trojan071612.reg
2012-07-16 20:28 - 2012-07-16 20:28 - 00020692 ____A C:\Users\bratman\Documents\trojan071612.reg
2012-07-16 19:34 - 2012-07-16 21:37 - 00000000 ____D C:\TDSSKiller_Quarantine
2012-07-16 14:24 - 2012-07-16 14:24 - 00030121 ____A C:\Users\bratman\Desktop\DDS.txt
2012-07-16 14:24 - 2012-07-16 14:24 - 00010727 ____A C:\Users\bratman\Desktop\Attach.txt
2012-07-16 14:21 - 2012-07-16 14:22 - 00607260 ____R (Swearware) C:\Users\bratman\Desktop\dds.scr
2012-07-16 13:28 - 2012-07-16 21:23 - 00000000 ____D C:\Windows\erdnt
2012-07-16 13:28 - 2012-07-16 20:59 - 00000000 ___SD C:\32788R22FWJFW
2012-07-16 13:28 - 2012-07-16 20:59 - 00000000 ____D C:\Qoobox
2012-07-16 13:21 - 2012-07-16 13:23 - 04579127 ____R (Swearware) C:\Users\bratman\Desktop\ComboFix.exe
2012-07-16 07:10 - 2012-07-16 07:10 - 00000000 ____D C:\Users\bratman\Desktop\Castle Images
2012-07-16 06:23 - 2012-07-16 06:23 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2012-07-16 05:48 - 2012-07-16 06:59 - 00000000 ____D C:\Users\bratman\Application Data\xsecva
2012-07-16 05:48 - 2012-07-16 06:59 - 00000000 ____D C:\Users\bratman\AppData\Roaming\xsecva
2012-07-16 05:48 - 2012-07-16 05:48 - 00000012 ____A C:\Windows\srun.log
2012-07-06 09:41 - 2012-07-06 09:41 - 00269550 ____A C:\Users\bratman\My Documents\The Legend of Korra - Disc 1.XtoDVD
2012-07-06 09:41 - 2012-07-06 09:41 - 00269550 ____A C:\Users\bratman\Documents\The Legend of Korra - Disc 1.XtoDVD
2012-07-05 15:54 - 2012-07-05 20:37 - 03612716 ____A C:\Users\bratman\My Documents\korra.tda3
2012-07-05 15:54 - 2012-07-05 20:37 - 03612716 ____A C:\Users\bratman\Documents\korra.tda3
2012-06-23 06:57 - 2012-06-23 06:57 - 00000000 ____D C:\Users\bratman\Local Settings\Macromedia
2012-06-23 06:57 - 2012-06-23 06:57 - 00000000 ____D C:\Users\bratman\Local Settings\Application Data\Macromedia
2012-06-23 06:57 - 2012-06-23 06:57 - 00000000 ____D C:\Users\bratman\AppData\Local\Macromedia
2012-06-19 04:49 - 2012-06-02 14:19 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-19 04:49 - 2012-06-02 14:19 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-19 04:49 - 2012-06-02 14:19 - 00577048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2012-06-19 04:49 - 2012-06-02 14:19 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-19 04:49 - 2012-06-02 14:19 - 00171904 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2012-06-19 04:49 - 2012-06-02 14:19 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-19 04:49 - 2012-06-02 14:19 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-19 04:49 - 2012-06-02 14:19 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-19 04:49 - 2012-06-02 14:19 - 00035864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
2012-06-19 04:49 - 2012-06-02 14:15 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-19 04:49 - 2012-06-02 14:15 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-19 04:49 - 2012-06-02 14:15 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-19 04:49 - 2012-06-02 14:12 - 00088576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2012-06-19 04:49 - 2012-06-02 14:12 - 00033792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe

============ 3 Months Modified Files ========================

2012-07-17 05:45 - 2008-11-12 18:01 - 01379892 ____A C:\Windows\WindowsUpdate.log
2012-07-17 05:45 - 2008-07-28 05:44 - 00001076 ____A C:\Windows\bthservsdp.dat
2012-07-17 05:45 - 2006-11-02 07:42 - 00032592 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-07-17 05:45 - 2006-11-02 07:42 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-17 05:45 - 2006-11-02 07:22 - 00003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-17 05:45 - 2006-11-02 07:22 - 00003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-17 05:32 - 2009-06-30 05:44 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-07-17 04:57 - 2010-02-25 19:37 - 00000916 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3003416874-3378425454-692388888-1000UA.job
2012-07-16 21:46 - 2012-04-06 06:23 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-07-16 21:46 - 2011-07-13 05:45 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-07-16 21:30 - 2006-11-02 04:46 - 00755222 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-16 21:27 - 2009-06-30 05:44 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-07-16 21:27 - 2008-11-12 18:51 - 00000253 ____A C:\Users\All Users\hpqp.ini
2012-07-16 21:27 - 2008-11-12 18:51 - 00000253 ____A C:\Users\All Users\Application Data\hpqp.ini
2012-07-16 21:25 - 2010-07-01 06:42 - 00000386 ____A C:\Windows\Tasks\Registry Reviver64-bratman-Startup.job
2012-07-16 21:25 - 2008-01-20 19:26 - 00389226 ____A C:\Windows\PFRO.log
2012-07-16 21:05 - 2006-11-02 07:27 - 00133931 ____A C:\Windows\setupact.log
2012-07-16 20:28 - 2012-07-16 20:28 - 00020692 ____A C:\Users\bratman\My Documents\trojan071612.reg
2012-07-16 20:28 - 2012-07-16 20:28 - 00020692 ____A C:\Users\bratman\Documents\trojan071612.reg
2012-07-16 14:24 - 2012-07-16 14:24 - 00030121 ____A C:\Users\bratman\Desktop\DDS.txt
2012-07-16 14:24 - 2012-07-16 14:24 - 00010727 ____A C:\Users\bratman\Desktop\Attach.txt
2012-07-16 14:22 - 2012-07-16 14:21 - 00607260 ____R (Swearware) C:\Users\bratman\Desktop\dds.scr
2012-07-16 13:23 - 2012-07-16 13:21 - 04579127 ____R (Swearware) C:\Users\bratman\Desktop\ComboFix.exe
2012-07-16 10:57 - 2010-02-25 19:37 - 00000864 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3003416874-3378425454-692388888-1000Core.job
2012-07-16 05:48 - 2012-07-16 05:48 - 00000012 ____A C:\Windows\srun.log
2012-07-15 06:13 - 2008-12-07 06:44 - 00100352 ____A C:\Users\bratman\Local Settings\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-07-15 06:13 - 2008-12-07 06:44 - 00100352 ____A C:\Users\bratman\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-07-15 06:13 - 2008-12-07 06:44 - 00100352 ____A C:\Users\bratman\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-07-14 19:59 - 2008-12-07 15:14 - 00000021 ____A C:\Users\All Users\hpqp.txt
2012-07-14 19:59 - 2008-12-07 15:14 - 00000021 ____A C:\Users\All Users\Application Data\hpqp.txt
2012-07-12 21:42 - 2009-01-28 11:14 - 00000000 ____A C:\Users\bratman\Local Settings\FnF4.txt
2012-07-12 21:42 - 2009-01-28 11:14 - 00000000 ____A C:\Users\bratman\Local Settings\Application Data\FnF4.txt
2012-07-12 21:42 - 2009-01-28 11:14 - 00000000 ____A C:\Users\bratman\AppData\Local\FnF4.txt
2012-07-09 11:48 - 2011-12-10 07:25 - 02135640 ____A (Kaspersky Lab ZAO) C:\Users\bratman\Desktop\TDSSKiller.exe
2012-07-06 09:41 - 2012-07-06 09:41 - 00269550 ____A C:\Users\bratman\My Documents\The Legend of Korra - Disc 1.XtoDVD
2012-07-06 09:41 - 2012-07-06 09:41 - 00269550 ____A C:\Users\bratman\Documents\The Legend of Korra - Disc 1.XtoDVD
2012-07-05 20:37 - 2012-07-05 15:54 - 03612716 ____A C:\Users\bratman\My Documents\korra.tda3
2012-07-05 20:37 - 2012-07-05 15:54 - 03612716 ____A C:\Users\bratman\Documents\korra.tda3
2012-07-03 12:46 - 2011-08-17 06:49 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-19 04:38 - 2011-02-06 23:46 - 00000732 ____A C:\Users\bratman\Local Settings\d3d9caps64.dat
2012-06-19 04:38 - 2011-02-06 23:46 - 00000732 ____A C:\Users\bratman\Local Settings\Application Data\d3d9caps64.dat
2012-06-19 04:38 - 2011-02-06 23:46 - 00000732 ____A C:\Users\bratman\AppData\Local\d3d9caps64.dat
2012-06-06 18:46 - 2012-06-06 18:46 - 00000020 ___SH C:\Users\UpdatusUser\ntuser.ini
2012-06-06 11:14 - 2012-06-06 11:14 - 00000000 ____A C:\Diagnostics.txt
2012-06-02 14:19 - 2012-06-19 04:49 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-19 04:49 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-19 04:49 - 00577048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2012-06-02 14:19 - 2012-06-19 04:49 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 14:19 - 2012-06-19 04:49 - 00171904 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2012-06-02 14:19 - 2012-06-19 04:49 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-19 04:49 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-19 04:49 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:19 - 2012-06-19 04:49 - 00035864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
2012-06-02 14:15 - 2012-06-19 04:49 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-19 04:49 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 14:15 - 2012-06-19 04:49 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 14:12 - 2012-06-19 04:49 - 00088576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2012-06-02 14:12 - 2012-06-19 04:49 - 00033792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2012-05-15 02:48 - 2012-06-06 18:38 - 25743168 ____A (NVIDIA Corporation) C:\Windows\System32\nvoglv64.dll
2012-05-15 02:48 - 2012-06-06 18:38 - 10194752 ____A (NVIDIA Corporation) C:\Windows\System32\nvwgf2umx.dll
2012-05-15 02:48 - 2012-06-06 18:38 - 08105280 ____A (NVIDIA Corporation) C:\Windows\SysWOW64\nvwgf2um.dll
2012-05-15 02:48 - 2012-06-06 18:37 - 25248064 ____A (NVIDIA Corporation) C:\Windows\System32\nvcompiler.dll
2012-05-15 02:48 - 2012-06-06 18:37 - 19607872 ____A (NVIDIA Corporation) C:\Windows\SysWOW64\nvoglv32.dll
2012-05-15 02:48 - 2012-06-06 18:37 - 17551680 ____A (NVIDIA Corporation) C:\Windows\SysWOW64\nvcompiler.dll
2012-05-15 02:48 - 2012-06-06 18:37 - 14298944 ____A (NVIDIA Corporation) C:\Windows\System32\Drivers\nvlddmkm.sys
2012-05-15 02:48 - 2012-06-06 18:37 - 08139072 ____A (NVIDIA Corporation) C:\Windows\System32\nvcuda.dll
2012-05-15 02:48 - 2012-06-06 18:37 - 05982528 ____A (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuda.dll
2012-05-15 02:48 - 2012-06-06 18:37 - 02881856 ____A (NVIDIA Corporation) C:\Windows\System32\nvcuvenc.dll
2012-05-15 02:48 - 2012-06-06 18:37 - 02681664 ____A (NVIDIA Corporation) C:\Windows\System32\nvcuvid.dll
2012-05-15 02:48 - 2012-06-06 18:37 - 02524992 ____A (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuvid.dll
2012-05-15 02:48 - 2012-06-06 18:37 - 02445120 ____A (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuvenc.dll
2012-05-15 02:48 - 2012-06-06 18:37 - 02368832 ____A (NVIDIA Corporation) C:\Windows\SysWOW64\nvapi.dll
2012-05-15 02:48 - 2012-06-06 18:37 - 01738048 ____A (NVIDIA Corporation) C:\Windows\System32\nvdispco64.dll
2012-05-15 02:48 - 2012-06-06 18:37 - 01468224 ____A (NVIDIA Corporation) C:\Windows\System32\nvgenco64.dll
2012-05-15 02:48 - 2012-06-06 18:37 - 00014324 ____A C:\Windows\System32\nvinfo.pb
2012-05-15 02:48 - 2010-10-01 04:47 - 15322432 ____A (NVIDIA Corporation) C:\Windows\SysWOW64\nvd3dum.dll
2012-05-15 02:48 - 2010-10-01 04:47 - 00068928 ____A (Khronos Group) C:\Windows\System32\OpenCL.dll
2012-05-15 02:48 - 2010-10-01 04:47 - 00061248 ____A (Khronos Group) C:\Windows\SysWOW64\OpenCL.dll
2012-05-15 02:48 - 2008-05-13 18:09 - 18044224 ____A (NVIDIA Corporation) C:\Windows\System32\nvd3dumx.dll
2012-05-15 02:48 - 2008-05-13 18:09 - 02741568 ____A (NVIDIA Corporation) C:\Windows\System32\nvapi64.dll
2012-05-15 01:29 - 2010-07-09 15:17 - 03149632 ____A (NVIDIA Corporation) C:\Windows\System32\nvsvc64.dll
2012-05-15 01:29 - 2010-07-09 15:17 - 02561856 ____A (NVIDIA Corporation) C:\Windows\System32\nvsvcr.dll
2012-05-15 01:29 - 2010-07-09 15:17 - 00889664 ____A (NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
2012-05-15 01:29 - 2010-07-09 15:17 - 00118080 ____A (NVIDIA Corporation) C:\Windows\System32\nvmctray.dll
2012-05-15 01:29 - 2010-07-09 15:17 - 00063296 ____A (NVIDIA Corporation) C:\Windows\System32\nvshext.dll
2012-05-15 01:28 - 2010-07-09 15:17 - 06151488 ____A (NVIDIA Corporation) C:\Windows\System32\nvcpl.dll
2012-05-07 07:57 - 2012-05-07 07:57 - 590704650 ____A C:\Users\bratman\My Documents\regbackup 050712.reg
2012-05-07 07:57 - 2012-05-07 07:57 - 590704650 ____A C:\Users\bratman\Documents\regbackup 050712.reg
2012-05-07 07:41 - 2012-05-07 07:41 - 00001686 ____A C:\Users\bratman\Desktop\PeerBlock.lnk
2012-05-01 21:36 - 2009-05-11 14:50 - 00001356 ____A C:\Users\bratman\Local Settings\d3d9caps.dat
2012-05-01 21:36 - 2009-05-11 14:50 - 00001356 ____A C:\Users\bratman\Local Settings\Application Data\d3d9caps.dat
2012-05-01 21:36 - 2009-05-11 14:50 - 00001356 ____A C:\Users\bratman\AppData\Local\d3d9caps.dat
2012-04-25 18:09 - 2010-09-06 11:53 - 00000021 ____A C:\Windows\SurCode.INI
2012-04-19 20:01 - 2012-04-19 20:01 - 00067300 ____A C:\Users\bratman\My Documents\Ellee Trowbridge Media.XtoDVD
2012-04-19 20:01 - 2012-04-19 20:01 - 00067300 ____A C:\Users\bratman\Documents\Ellee Trowbridge Media.XtoDVD


ZeroAccess:
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\@
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L\00000004.@
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L\1afb2d56
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L\201d3dde
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\00000004.@
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\00000008.@
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\000000cb.@
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\80000000.@
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\80000032.@
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\80000064.@

ZeroAccess:
C:\Users\bratman\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
C:\Users\bratman\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\@
C:\Users\bratman\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L
C:\Users\bratman\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U

ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe BC81150939BD52DBC7A08C245F1FB229 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 10%
Total physical RAM: 8188.16 MB
Available physical RAM: 7300.16 MB
Total Pagefile: 7749.02 MB
Available Pagefile: 7411.6 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:221.47 GB) (Free:39.07 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (DATA) (Fixed) (Total:232.88 GB) (Free:29.26 GB) NTFS
3 Drive e: (HP_RECOVERY) (Fixed) (Total:11.41 GB) (Free:1.89 GB) NTFS ==>[System with boot components (obtained from reading drive)]
5 Drive g: () (Removable) (Total:3.72 GB) (Free:2.34 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 233 GB 2232 KB
Disk 1 Online 233 GB 1528 KB
Disk 2 Online 3822 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 221 GB 32 KB
Partition 2 Primary 11 GB 221 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 C OS NTFS Partition 221 GB Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 E HP_RECOVERY NTFS Partition 11 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 233 GB 32 KB

==================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 0 D DATA NTFS Partition 233 GB Healthy

==================================================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3818 MB 4032 KB

==================================================================================

Disk: 2
Partition 1
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 0 G FAT32 Removable 3818 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-07-16 21:51

======================= End Of Log ==========================

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:47 PM

Posted 17 July 2012 - 09:20 AM

Greetings

Ok lets see if we can find a replacement for the infected file

In Vista or Windows 7: Boot to System Recovery Options and run FRST.

Type the following in the edit box after "Search:".

services.exe

It then should look like:

Search: services.exe

Click Search button and post the log (Search.txt) it makes to your reply.


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 Bratman

Bratman
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:09:47 PM

Posted 17 July 2012 - 02:10 PM

Services Search results

Farbar Recovery Scan Tool Version: 16-07-2012 02
Ran by SYSTEM at 2012-07-17 11:53:50
Running from G:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-09-24 00:14] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 18:50] - [2008-01-20 18:50] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
[2009-09-24 00:14] - [2009-04-10 23:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
[2008-01-20 18:49] - [2008-01-20 18:49] - 0384512 ____A (Microsoft Corporation) DFAC660F0F139276CC9299812DE42719

C:\Windows\SysWOW64\services.exe
[2009-09-24 00:14] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\System32\services.exe
[2009-09-24 00:14] - [2009-04-10 23:10] - 0384512 ____A (Microsoft Corporation) BC81150939BD52DBC7A08C245F1FB229

====== End Of Search ======

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:47 PM

Posted 17 July 2012 - 09:42 PM

Hello

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flash drive as fixlist.txt

Replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe C:\Windows\System32\services.exe
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
C:\Users\bratman\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini 


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt) please post it to your reply.

Gringo[/b]
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 Bratman

Bratman
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:09:47 PM

Posted 17 July 2012 - 11:35 PM

Here you go. BTW, before this last scan, I was still seeing random firefox pages opening up.

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 16-07-2012 02
Ran by SYSTEM at 2012-07-17 21:08:54 Run:1
Running from G:\

==============================================

C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe copied successfully to C:\Windows\System32\services.exe
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888} moved successfully.
C:\Users\bratman\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888} moved successfully.
C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.
C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.

==== End of Fixlog ====

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:47 PM

Posted 17 July 2012 - 11:40 PM

Hello

I Would like you to do the following.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 Bratman

Bratman
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:09:47 PM

Posted 18 July 2012 - 08:40 AM

PC seems to be running fine now. Haven't had any problems other than a random webpage popping up. Haven't run an MBAM since this last combofix scan. Will do it later.

ComboFix 12-07-18.01 - bratman 07/18/2012 6:09.2.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.8188.5926 [GMT -7:00]
Running from: c:\users\bratman\Desktop\ComboFix.exe
AV: AVG Anti-Virus *Disabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}
SP: AVG Anti-Virus *Disabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\programdata\Games.exe
c:\programdata\MPV.exe
c:\users\bratman\AppData\Roaming\9E2B.78E
c:\users\bratman\AppData\Roaming\inst.exe
c:\users\bratman\AppData\Roaming\vso_ts_preview.xml
c:\users\Kids\AppData\Roaming\Mozilla\Firefox\Profiles\bf1biv3l.default\extensions\{17366b28-e086-49e9-a8e5-21f6d752f74d}\chrome.manifest
c:\users\Kids\AppData\Roaming\Mozilla\Firefox\Profiles\bf1biv3l.default\extensions\{17366b28-e086-49e9-a8e5-21f6d752f74d}\chrome\xulcache.jar
c:\users\Kids\AppData\Roaming\Mozilla\Firefox\Profiles\bf1biv3l.default\extensions\{17366b28-e086-49e9-a8e5-21f6d752f74d}\defaults\preferences\xulcache.js
c:\users\Kids\AppData\Roaming\Mozilla\Firefox\Profiles\bf1biv3l.default\extensions\{17366b28-e086-49e9-a8e5-21f6d752f74d}\install.rdf
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
c:\windows\iun6002.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-06-18 to 2012-07-18 )))))))))))))))))))))))))))))))
.
.
2012-07-18 13:25 . 2012-07-18 13:25 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-07-18 13:25 . 2012-07-18 13:25 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2012-07-18 13:25 . 2012-07-18 13:25 -------- d-----w- c:\users\Kids\AppData\Local\temp
2012-07-18 13:25 . 2012-07-18 13:25 -------- d-----w- c:\users\Guest\AppData\Local\temp
2012-07-18 13:25 . 2012-07-18 13:25 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-18 13:25 . 2012-07-18 13:25 -------- d-----w- c:\users\7E6D6~1\AppData\Local\temp
2012-07-17 14:50 . 2012-07-17 14:50 -------- d-----w- C:\FRST
2012-07-17 03:34 . 2012-07-17 05:37 -------- d-----w- C:\TDSSKiller_Quarantine
2012-07-16 14:23 . 2012-07-16 14:23 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2012-07-16 13:48 . 2012-07-16 14:59 -------- d-----w- c:\users\bratman\AppData\Roaming\xsecva
2012-06-23 14:57 . 2012-06-23 14:57 -------- d-----w- c:\users\bratman\AppData\Local\Macromedia
2012-06-20 00:35 . 2012-06-20 00:35 4967624 ----a-w- c:\program files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-17 05:46 . 2012-04-06 14:23 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-07-17 05:46 . 2011-07-13 13:45 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-03 20:46 . 2011-08-17 14:49 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-15 10:48 . 2012-06-07 02:38 8105280 ----a-w- c:\windows\SysWow64\nvwgf2um.dll
2012-05-15 10:48 . 2012-06-07 02:38 25743168 ----a-w- c:\windows\system32\nvoglv64.dll
2012-05-15 10:48 . 2012-06-07 02:38 10194752 ----a-w- c:\windows\system32\nvwgf2umx.dll
2012-05-15 10:48 . 2012-06-07 02:37 8139072 ----a-w- c:\windows\system32\nvcuda.dll
2012-05-15 10:48 . 2012-06-07 02:37 5982528 ----a-w- c:\windows\SysWow64\nvcuda.dll
2012-05-15 10:48 . 2012-06-07 02:37 2881856 ----a-w- c:\windows\system32\nvcuvenc.dll
2012-05-15 10:48 . 2012-06-07 02:37 2681664 ----a-w- c:\windows\system32\nvcuvid.dll
2012-05-15 10:48 . 2012-06-07 02:37 2524992 ----a-w- c:\windows\SysWow64\nvcuvid.dll
2012-05-15 10:48 . 2012-06-07 02:37 25248064 ----a-w- c:\windows\system32\nvcompiler.dll
2012-05-15 10:48 . 2012-06-07 02:37 2445120 ----a-w- c:\windows\SysWow64\nvcuvenc.dll
2012-05-15 10:48 . 2012-06-07 02:37 2368832 ----a-w- c:\windows\SysWow64\nvapi.dll
2012-05-15 10:48 . 2012-06-07 02:37 19607872 ----a-w- c:\windows\SysWow64\nvoglv32.dll
2012-05-15 10:48 . 2012-06-07 02:37 17551680 ----a-w- c:\windows\SysWow64\nvcompiler.dll
2012-05-15 10:48 . 2012-06-07 02:37 1738048 ----a-w- c:\windows\system32\nvdispco64.dll
2012-05-15 10:48 . 2012-06-07 02:37 1468224 ----a-w- c:\windows\system32\nvgenco64.dll
2012-05-15 10:48 . 2012-06-07 02:37 14298944 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2012-05-15 10:48 . 2010-10-01 12:47 68928 ----a-w- c:\windows\system32\OpenCL.dll
2012-05-15 10:48 . 2010-10-01 12:47 61248 ----a-w- c:\windows\SysWow64\OpenCL.dll
2012-05-15 10:48 . 2010-10-01 12:47 15322432 ----a-w- c:\windows\SysWow64\nvd3dum.dll
2012-05-15 10:48 . 2008-05-14 02:09 2741568 ----a-w- c:\windows\system32\nvapi64.dll
2012-05-15 10:48 . 2008-05-14 02:09 18044224 ----a-w- c:\windows\system32\nvd3dumx.dll
2012-05-15 09:29 . 2010-07-09 23:17 889664 ----a-w- c:\windows\system32\nvvsvc.exe
2012-05-15 09:29 . 2010-07-09 23:17 63296 ----a-w- c:\windows\system32\nvshext.dll
2012-05-15 09:29 . 2010-07-09 23:17 2561856 ----a-w- c:\windows\system32\nvsvcr.dll
2012-05-15 09:29 . 2010-07-09 23:17 118080 ----a-w- c:\windows\system32\nvmctray.dll
2012-05-15 09:29 . 2010-07-09 23:17 3149632 ----a-w- c:\windows\system32\nvsvc64.dll
2012-05-15 09:28 . 2010-07-09 23:17 6151488 ----a-w- c:\windows\system32\nvcpl.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-25 04:25 333192 ----a-w- c:\program files (x86)\AskBarDis\bar\bin\askBar.dll
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-07-10 06:43 2074208 ----a-w- c:\program files (x86)\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files (x86)\AskBarDis\bar\bin\askBar.dll" [2008-11-25 333192]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files (x86)\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll" [2012-07-10 2074208]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"SuperF4"="c:\program files (x86)\SuperF4\SuperF4.exe" [2010-10-23 47616]
"Akamai NetSession Interface"="c:\users\bratman\AppData\Local\Akamai\netsession_win.exe" [2012-05-26 4327744]
"MobileDocuments"="c:\program files (x86)\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
"iCloudServices"="c:\program files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe" [2012-02-23 59240]
"ApplePhotoStreams"="c:\program files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe" [2012-02-24 59240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"QlbCtrl.exe"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-03-14 202032]
"AVG8_TRAY"="c:\progra~2\AVG\AVG8\avgtray.exe" [2011-10-17 2042208]
"AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-23 402432]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-12 288088]
"QPService"="c:\program files (x86)\HP\QuickPlay\QPService.exe" [2009-03-11 468264]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"vProt"="c:\program files (x86)\AVG Secure Search\vprot.exe" [2012-07-10 1107552]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-11-02 59240]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"ROC_roc_dec12"="c:\program files (x86)\AVG Secure Search\ROC_roc_dec12.exe" [2012-01-15 928096]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-07 421736]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"XSECVA"="c:\users\bratman\AppData\Roaming\xsecva\xsecva.exe" [2012-07-16 131072]
.
c:\users\bratman\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Scrybe.lnk - c:\windows\Installer\{147DFAD8-34C3-4DE1-9FCA-ACEFDE9EF810}\NewShortcut11_8ACB210B42E44145A8C31F8E3DD765A3.exe [2011-12-2 45056]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files (x86)\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-09-16 169312]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_bd5387da\AESTSr64.exe [2008-06-27 89088]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-04-19 14:48]
.
2012-07-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-04-19 14:48]
.
2012-07-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3003416874-3378425454-692388888-1000Core.job
- c:\users\bratman\AppData\Local\Google\Update\GoogleUpdate.exe [2010-02-26 17:22]
.
2012-07-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3003416874-3378425454-692388888-1000UA.job
- c:\users\bratman\AppData\Local\Google\Update\GoogleUpdate.exe [2010-02-26 17:22]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2008-01-24 685568]
"SysTrayApp"="c:\program files (x86)\IDT\WDM\sttray64.exe" [2008-06-27 443904]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
"AppInit_DLLs"=c:\windows\System32\avgrssta.dll
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;<local>
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: google.com\www
TCP: DhcpNameServer = 192.168.0.1
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\11.2.0\ViProtocol.dll
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\bratman\AppData\Roaming\Mozilla\Firefox\Profiles\xik85pz0.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.facebook.com/home.php|http://www.ufc.com/|http://www.mail.com/|http://www.toplessrobot.com/|http://www.world-sex-news.com/|http://www.arcamax.com/comics
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{01C813DD-6214-432F-8B1E-C451AC542CCc} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Wow6432Node-HKCU-Run-Aim6 - (no file)
Wow6432Node-HKCU-Run-AdobeBridge - (no file)
Wow6432Node-HKCU-Run-WMPNSCFG - c:\program files (x86)\Windows Media Player\WMPNSCFG.exe
Wow6432Node-HKLM-Run-Adobe Reader Speed Launcher - c:\program files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe
SafeBoot-23057544.sys
WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-AndreaMosaic - c:\windows\iun6002.exe
AddRemove-CodInstl - c:\windows\system32\CDUninst.isu
AddRemove-SlingMedia.QPSlingPlayer_is1 - c:\program files (x86)\HP\QuickPlay\unins001.exe
AddRemove-Xvid_is1 - c:\program files (x86)\Xvid\unins000.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files (x86)\DivX\DivXCodecUninstall.exe
AddRemove-{8ADFC4160D694100B5B8A22DE9DCABD9} - c:\program files (x86)\DivX\DivXPlayerUninstall.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\{22D78859-9CE9-4B77-BF18-AC83E81A9263}]
"ImagePath"="\??\c:\program files (x86)\HP\QuickPlay\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:01,b7,64,8a,f7,02,e4,17,42,f3,21,6e,7a,ae,ac,01,94,a4,d0,9f,6f,
f9,40,f5,a6,ed,9d,e1,35,68,42,d1,c3,ac,c0,e3,7a,b9,3b,25,e3,69,de,fd,53,c2,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:01,b7,64,8a,f7,02,e4,17,42,f3,21,6e,7a,ae,ac,01,94,a4,d0,9f,6f,
f9,40,f5,a6,ed,9d,e1,35,68,42,d1,c3,ac,c0,e3,7a,b9,3b,25,e3,69,de,fd,53,c2,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DbgagD\1*]
"value"="?\09\06\18\0e26g"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2012-07-18 06:28:22
ComboFix-quarantined-files.txt 2012-07-18 13:28
.
Pre-Run: 45,994,037,248 bytes free
Post-Run: 45,644,894,208 bytes free
.
- - End Of File - - CB258ABE4BED118BD1A8626E7B2A5CF6

#12 Bratman

Bratman
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:09:47 PM

Posted 18 July 2012 - 02:37 PM

Holy crap... Today, after running combofix like you asked, I ran MBAM and AVG scans, none of which showed any signs of infection. I left the pc for a bit and when I came back, I touched the touchpad to bring it out of sleep. It rebooted. I didn't think anything of it until it KEPT rebooting! It's not even getting the Windows load. It restarts just after I see the screen saying "press esc to see boot options".

Do you have any idea why it's doing this? Currently I'm in the bios running a self diagnostic scan on the hard drive.

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:47 PM

Posted 18 July 2012 - 03:29 PM

rerun FRST again for me and lets see what it shows


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#14 Bratman

Bratman
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:09:47 PM

Posted 18 July 2012 - 04:08 PM

I'm letting the pc cool down right now in case it's a heat issue. If I can't get the pc to boot up to recovery, I don't know how I can run frst.

#15 Bratman

Bratman
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:09:47 PM

Posted 18 July 2012 - 04:35 PM

Ok, don't know what that was about, but I was able to get into system recovery to run frst. Almost ran a system restore from a backup, but decided against it. Then, for whatever reason, the PC booted back up. WHEW!!

Here is the frst results:

Scan result of Farbar Recovery Scan Tool Version: 16-07-2012 02
Ran by SYSTEM at 18-07-2012 14:24:43
Running from C:\
(X64) OS Language: English(US)
Attention: Could not load system hive.ERROR: The system was unable to find the specified registry key or value.
Attention: System hive is missing.

========================== Registry (Whitelisted) =============

Attention: Software hive is missing.

HKLM\...\Winlogon: [Userinit]
HKLM-x32\...\Winlogon: [Userinit] [x]
HKLM\...\Winlogon: [Shell] [x ] ()
HKLM-x32\...\Winlogon: [Shell] [x ] ()

==================== Services (Whitelisted) ======


========================== Drivers (Whitelisted) =============


========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-07-18 14:22 - 2012-07-18 14:22 - 00000094 ____A \Windows\SETUPAPI.LOG
2012-07-18 14:22 - 2012-07-18 14:22 - 00000000 ____D \Windows\ServiceProfiles
2012-07-18 08:20 - 2012-07-15 20:24 - 00000000 ____D C:\Jessica Sanchez American Idol Songs
2012-07-18 08:20 - 2012-04-14 12:40 - 00000000 ____D C:\adele
2012-07-18 08:19 - 2011-05-20 09:46 - 00000000 ____D C:\Richard Marx
2012-07-17 21:04 - 2012-07-17 21:04 - 00000386 ____A C:\fixlist.txt
2012-07-17 11:53 - 2012-07-17 12:01 - 00001492 ____A C:\Search.txt
2012-07-16 20:21 - 2012-07-16 20:19 - 01437107 ____A (Farbar) C:\FRST64.exe


============ 3 Months Modified Files ========================

2012-07-18 14:22 - 2012-07-18 14:22 - 00000094 ____A \Windows\SETUPAPI.LOG
2012-07-17 21:04 - 2012-07-17 21:04 - 00000386 ____A C:\fixlist.txt
2012-07-17 12:01 - 2012-07-17 11:53 - 00001492 ____A C:\Search.txt
2012-07-16 20:19 - 2012-07-16 20:21 - 01437107 ____A (Farbar) C:\FRST64.exe

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\wininit.exe IS MISSING <==== ATTENTION!.
C:\Windows\SysWOW64\wininit.exe IS MISSING <==== ATTENTION!.
C:\Windows\explorer.exe IS MISSING <==== ATTENTION!.
C:\Windows\SysWOW64\explorer.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\svchost.exe IS MISSING <==== ATTENTION!.
C:\Windows\SysWOW64\svchost.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\services.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\User32.dll IS MISSING <==== ATTENTION!.
C:\Windows\SysWOW64\User32.dll IS MISSING <==== ATTENTION!.
C:\Windows\System32\userinit.exe IS MISSING <==== ATTENTION!.
C:\Windows\SysWOW64\userinit.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\Drivers\volsnap.sys IS MISSING <==== ATTENTION!.

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: <===== ATTENTION!
HKLM\...\exefile\DefaultIcon: <===== ATTENTION!
HKLM\...\exefile\open\command: <===== ATTENTION!

========================= Memory info ======================

Percentage of memory in use: 9%
Total physical RAM: 8188.16 MB
Available physical RAM: 7423.69 MB
Total Pagefile: 7749.03 MB
Available Pagefile: 7414.63 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: () (Removable) (Total:3.72 GB) (Free:1.95 GB) FAT32
2 Drive d: (DATA) (Fixed) (Total:232.88 GB) (Free:31.04 GB) NTFS
3 Drive e: (OS) (Fixed) (Total:221.47 GB) (Free:41.64 GB) NTFS ==>[System with boot components (obtained from reading drive)]
5 Drive g: (HP_RECOVERY) (Fixed) (Total:11.41 GB) (Free:1.89 GB) NTFS ==>[System with boot components (obtained from reading drive)]
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
7 Drive y: () (Removable) (Total:3.72 GB) (Free:1.95 GB) FAT32

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 233 GB 2232 KB
Disk 1 Online 233 GB 1528 KB
Disk 2 Online 3822 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 221 GB 32 KB
Partition 2 Primary 11 GB 221 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 E OS NTFS Partition 221 GB Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 G HP_RECOVERY NTFS Partition 11 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 233 GB 32 KB

==================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 0 D DATA NTFS Partition 233 GB Healthy

==================================================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3818 MB 4032 KB

==================================================================================

Disk: 2
Partition 1
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y FAT32 Removable 3818 MB Healthy

==================================================================================
======================= End Of Log ==========================




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users