
suspected virus? avast warnings and malwarebytes


This topic is locked
18 replies to this topic

#1 pastorel2

  • Members
  • 22 posts
  • Gender:Male

Posted 01 September 2012 - 02:56 PM

Computer was most definitely jacked by a virus or malware yesterday, so I got on it quickly and ran safe-mode scans with SUPERAntiSpyware, Malwarebytes, and avast in that order. I cleared what was found, which wasn't much. It did the trick, as I was able to use my computer again without complete functionality being lost like it was. But today avast seems to be freaking out about the Windows process "services.exe". Google said it should be a problem, but services.exe is usually a problem of some kind. However, when I investigated further into this with avast, it was showing me logs of Trojans and malware named 800000cb.@ and 80000000.@, respectively. The warnings from avast come inconsistently, but often. I've also noticed two iexplore.exe programs running at all times. Manually ending the process makes it come back instantly... never seen them before. I'm also a bit sketched out because I can't arrange my icons correctly; every time I move them and refresh the page they go back to some random order, even if I don't refresh and restart my computer. But I'm more concerned about the 8000000.@ malware and 800000cb.@ trojans. Any help would be great, thank you.

DDS.txt included under this line

.
DDS (Ver_2011-08-26.01) - NTFSAMD64 NETWORK
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.4.0
Run by Labatt at 15:36:23 on 2012-09-01
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.16354.14781 [GMT -4:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
uURLSearchHooks: SearchHook Class: {bc86e1ab-eda5-4059-938f-ce307b0c6f0a} - C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\AddressBarSearch.dll
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
uRun: [Google Update] "C:\Users\Labatt\AppData\Local\Google\Update\GoogleUpdate.exe" /c
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun: [BCU] "C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe"
mRun: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
mRunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
TCP: DhcpNameServer = 167.206.251.129 167.206.251.130
TCP: Interfaces\{C85D6DFC-43B5-4B71-86C9-01B7DC21D755} : DhcpNameServer = 167.206.251.129 167.206.251.130
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun-x64: [BCU] "C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe"
mRun-x64: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
mRunOnce-x64: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Labatt\AppData\Roaming\Mozilla\Firefox\Profiles\g98ft6ym.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Battlelog Web Plugins\1.122.0\npesnlaunch.dll
FF - plugin: C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.4\npesnsonar.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: C:\Users\Labatt\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: C:\Users\Labatt\AppData\Roaming\Mozilla\Firefox\Profiles\g98ft6ym.default\extensions\coralietab@mozdev.org\plugins\npCoralIETab.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_271.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mv91xx;mv91xx;C:\Windows\system32\DRIVERS\mv91xx.sys --> C:\Windows\system32\DRIVERS\mv91xx.sys [?]
R3 e1cexpress;Intel® PRO/1000 PCI Express Network Connection Driver C;C:\Windows\system32\DRIVERS\e1c62x64.sys --> C:\Windows\system32\DRIVERS\e1c62x64.sys [?]
R3 ICCWDT;Intel® Watchdog Timer Driver (Intel® WDT);C:\Windows\system32\DRIVERS\ICCWDT.sys --> C:\Windows\system32\DRIVERS\ICCWDT.sys [?]
R3 MEIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\system32\DRIVERS\nusb3hub.sys --> C:\Windows\system32\DRIVERS\nusb3hub.sys [?]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\system32\DRIVERS\nusb3xhc.sys --> C:\Windows\system32\DRIVERS\nusb3xhc.sys [?]
S1 aswSnx;aswSnx;C:\Windows\system32\drivers\aswSnx.sys --> C:\Windows\system32\drivers\aswSnx.sys [?]
S1 aswSP;aswSP;C:\Windows\system32\drivers\aswSP.sys --> C:\Windows\system32\drivers\aswSP.sys [?]
S2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-7-27 63960]
S2 asComSvc;ASUS Com Service;C:\Program Files (x86)\ASUS\AXSP\1.00.13\atkexComSvc.exe [2010-11-3 918144]
S2 asHmComSvc;ASUS HM Com Service;C:\Program Files (x86)\ASUS\AAHM\1.00.13\aaHMSvc.exe [2010-12-1 915584]
S2 AsSysCtrlService;ASUS System Control Service;C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe [2012-4-7 586880]
S2 aswFsBlk;aswFsBlk;C:\Windows\system32\drivers\aswFsBlk.sys --> C:\Windows\system32\drivers\aswFsBlk.sys [?]
S2 aswMonFlt;aswMonFlt;\??\C:\Windows\system32\drivers\aswMonFlt.sys --> C:\Windows\system32\drivers\aswMonFlt.sys [?]
S2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2012-8-31 44808]
S2 BCUService;Browser Configuration Utility Service;C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe [2009-10-26 223464]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2012-4-7 13336]
S2 Intel PROSet Monitoring Service;Intel PROSet Monitoring Service;C:\Windows\system32\IProsetMonitor.exe --> C:\Windows\system32\IProsetMonitor.exe [?]
S2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe --> C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [?]
S2 pk876tr3;pk876tr3;C:\Users\Labatt\AppData\Roaming\33nvejc.bat [2012-8-31 91]
S3 dmvsc;dmvsc;C:\Windows\system32\drivers\dmvsc.sys --> C:\Windows\system32\drivers\dmvsc.sys [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-4-25 114144]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
S3 SaiH075C;SaiH075C;C:\Windows\system32\DRIVERS\SaiH075C.sys --> C:\Windows\system32\DRIVERS\SaiH075C.sys [?]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\system32\DRIVERS\WSDPrint.sys --> C:\Windows\system32\DRIVERS\WSDPrint.sys [?]
.
=============== Created Last 30 ================
.
2012-09-01 05:20:32 73696 ----a-w- C:\Program Files (x86)\Mozilla Firefox\breakpadinjector.dll
2012-09-01 03:50:25 54072 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys
2012-09-01 03:50:24 969200 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
2012-09-01 03:50:22 71600 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2012-09-01 03:50:10 41224 ----a-w- C:\Windows\avastSS.scr
2012-09-01 03:50:04 -------- d-----w- C:\ProgramData\AVAST Software
2012-09-01 03:50:04 -------- d-----w- C:\Program Files\AVAST Software
2012-09-01 03:46:05 -------- d-----w- C:\Users\Labatt\AppData\Roaming\SUPERAntiSpyware.com
2012-09-01 03:44:41 -------- d-----w- C:\Users\Labatt\AppData\Roaming\Malwarebytes
2012-09-01 03:44:33 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-09-01 03:44:33 -------- d-----w- C:\ProgramData\Malwarebytes
2012-09-01 03:44:33 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-09-01 03:31:42 -------- d-----w- C:\Users\Labatt\AppData\Roaming\xsecva
2012-09-01 03:30:56 -------- d-----w- C:\Users\Labatt\AppData\Local\{714AA93A-F3E5-11E1-8270-B8AC6F996F26}
2012-09-01 03:30:53 1603584 ----a-w- C:\Users\Labatt\AppData\Roaming\prtif.dll
2012-09-01 03:30:40 91 ---h--w- C:\Users\Labatt\AppData\Roaming\33nvejc.bat
2012-08-18 23:14:16 -------- d-----w- C:\Users\Labatt\AppData\Local\Chromium
2012-08-18 23:11:38 -------- d-----w- C:\Users\Labatt\AppData\Roaming\The Creative Assembly
2012-08-09 16:58:23 -------- d-sh--w- C:\Windows\System32\%APPDATA%
2012-08-07 19:52:42 9133488 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{FB4E5FDF-F9AF-4EF0-A343-BDE028886BD0}\mpengine.dll
2012-08-06 05:15:44 -------- d-----w- C:\Games
.
==================== Find3M ====================
.
2012-08-18 21:03:07 283304 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
2012-08-18 21:03:07 283304 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2012-08-18 21:02:30 280904 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
2012-08-17 18:49:33 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-17 18:49:33 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-07-12 04:24:37 98304 ----a-w- C:\Windows\SysWow64\CmdLineExt.dll
2012-06-12 03:08:36 3148800 ----a-w- C:\Windows\System32\win32k.sys
2012-06-06 06:06:16 2004480 ----a-w- C:\Windows\System32\msxml6.dll
2012-06-06 06:06:16 1881600 ----a-w- C:\Windows\System32\msxml3.dll
2012-06-06 06:02:54 1133568 ----a-w- C:\Windows\System32\cdosys.dll
2012-06-06 05:05:52 1390080 ----a-w- C:\Windows\SysWow64\msxml6.dll
2012-06-06 05:05:52 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll
2012-06-06 05:03:06 805376 ----a-w- C:\Windows\SysWow64\cdosys.dll
.
============= FINISH: 15:38:14.35 ===============
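The DDS "SERVICES / DRIVERS" section above contains the entry that gives the game away before any hash check is run: service `pk876tr3` has no real display name and its image is a hidden `.bat` file under `C:\Users\Labatt\AppData\Roaming`. A legitimate service almost never runs a batch script out of a user profile. The following script is an added example written for this thread, not part of the original post and not a DDS feature: it parses DDS service lines with a small regex and applies three defender-side heuristics (image under a user profile, script instead of a driver or executable, random-looking name with no separate display name outside `C:\Windows`). The sample lines are copied from the DDS log above and are labelled as constructed input.

```python
"""Flag suspicious entries in a DDS "SERVICES / DRIVERS" section.

Added example for the thread above; it is not code from the DDS tool or
from the forum post. It parses lines of the form
    S2 name;display name;image path [date size]
and flags services that match simple heuristics a responder would apply.
"""
import re
from typing import Dict, List, Optional

# Constructed sample input: three lines copied from the DDS log in the post
# plus the avast line, so the audit has both clean and suspicious entries.
SAMPLE_SERVICE_LINES = r"""
S2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-7-27 63960]
S2 pk876tr3;pk876tr3;C:\Users\Labatt\AppData\Roaming\33nvejc.bat [2012-8-31 91]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
R0 mv91xx;mv91xx;C:\Windows\system32\DRIVERS\mv91xx.sys --> C:\Windows\system32\DRIVERS\mv91xx.sys [?]
"""

# "S2 name;display;rest" -- state letter, start type, service name, display name, remainder
SERVICE_RE = re.compile(r"^([RS])(\d) ([^;]+);([^;]*);(.*)$")
# First token ending in a known image extension; the lookahead stops ".system" matching ".sys"
IMAGE_RE = re.compile(r"^(.*?\.(exe|sys|dll|bat|cmd|vbs|js|ps1))(?=\s|$)", re.IGNORECASE)
SCRIPT_EXT = {"bat", "cmd", "vbs", "js", "ps1"}


def parse_service(line: str) -> Optional[Dict[str, object]]:
    """Return the parsed service entry, or None if the line is not a DDS service line."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    state, start, name, display, rest = m.groups()
    rest = rest.split(" --> ")[0]   # DDS writes "path --> path [?]" for some drivers
    rest = rest.split(" [")[0]       # drop the trailing "[date size]" or "[?]" block
    im = IMAGE_RE.match(rest)
    image = im.group(1) if im else rest
    return {"state": state, "start": int(start), "name": name,
            "display": display, "image": image}


def suspicious_reasons(svc: Dict[str, object]) -> List[str]:
    """Heuristics that mark a service entry as worth a closer look."""
    reasons: List[str] = []
    low = str(svc["image"]).lower()
    ext = low.rsplit(".", 1)[-1] if "." in low else ""
    if "\\users\\" in low and "\\appdata\\" in low:
        reasons.append("image lives under a user profile (AppData)")
    if ext in SCRIPT_EXT:
        reasons.append(f"service image is a script (.{ext}), not a driver or executable")
    if (svc["name"] == svc["display"]
            and any(c.isdigit() for c in str(svc["name"]))
            and not low.startswith("c:\\windows\\")):
        reasons.append("random-looking name with no display name, outside the Windows directory")
    return reasons


def audit_services(text: str) -> Dict[str, Dict[str, object]]:
    """Map each flagged service name to its image path and the reasons it was flagged."""
    findings: Dict[str, Dict[str, object]] = {}
    for line in text.splitlines():
        svc = parse_service(line)
        if svc is None:
            continue
        reasons = suspicious_reasons(svc)
        if reasons:
            findings[str(svc["name"])] = {"image": svc["image"], "reasons": reasons}
    return findings


if __name__ == "__main__":
    for name, info in audit_services(SAMPLE_SERVICE_LINES).items():
        print(f"{name}: {info['image']}")
        for reason in info["reasons"]:
            print(f"   - {reason}")
```

Run against the sample, only `pk876tr3` is reported, with all three reasons; the Marvell driver `mv91xx` also has a digit-bearing name equal to its display name but sits under `C:\Windows\system32\DRIVERS`, which is why the name heuristic is scoped to paths outside the Windows directory. Heuristics like these rank leads for a human, they do not replace a hash or signature check.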


#2 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 01 September 2012 - 06:05 PM

Please do the following:

Download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using the Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there
  • Press Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt file. Close out this message, then type the following into the search box:
    services.exe
  • Now press the Search button.
  • When the search is complete, Search.txt will also be written to your USB.
  • Type exit and reboot the computer normally.
  • Please copy and paste both logs in your reply (FRST.txt and Search.txt).

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 pastorel2
  • Topic Starter

  • Members
  • 22 posts
  • Gender:Male

Posted 01 September 2012 - 11:12 PM

Thank you CatByte for such a fast response!
I was unable to run from System Recovery, as when the Windows UI started (Language settings), my keyboard and mouse wouldn't power up. I tried this in safe mode though.

FRST.txt:

Scan result of Farbar Recovery Scan Tool Version: 01-09-2012 01
Ran by Labatt at 02-09-2012 00:04:00
Running from E:\
Service Pack 1 (X64) OS Language: English(US)
Attention: Could not load system hive.ERROR: The process cannot access the file because it is being used by another process.

ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.


==================== One Month Created Files and Folders ======================

2012-09-02 00:03 - 2012-09-02 00:04 - 00000000 ____D C:\FRST
2012-09-01 12:49 - 2012-09-01 12:49 - 00000935 ____A C:\Users\Labatt\Desktop\Steam.lnk
2012-08-31 23:51 - 2012-08-31 23:51 - 00000034 ____A C:\Users\Labatt\AppData\Roaming\mbam.context.scan
2012-08-31 23:50 - 2012-08-31 23:50 - 00001922 ____A C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2012-08-31 23:50 - 2012-08-31 23:50 - 00000350 ___AH C:\Windows\Tasks\avast! Emergency Update.job
2012-08-31 23:50 - 2012-08-31 23:50 - 00000000 ____D C:\Users\All Users\AVAST Software
2012-08-31 23:50 - 2012-08-31 23:50 - 00000000 ____D C:\Program Files\AVAST Software
2012-08-31 23:50 - 2012-08-31 23:50 - 00000000 ____A C:\Windows\SysWOW64\config.nt
2012-08-31 23:50 - 2012-08-21 05:13 - 00969200 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSnx.sys
2012-08-31 23:50 - 2012-08-21 05:13 - 00359464 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys
2012-08-31 23:50 - 2012-08-21 05:13 - 00071600 ____A (AVAST Software) C:\Windows\System32\Drivers\aswMonFlt.sys
2012-08-31 23:50 - 2012-08-21 05:13 - 00059728 ____A (AVAST Software) C:\Windows\System32\Drivers\aswTdi.sys
2012-08-31 23:50 - 2012-08-21 05:13 - 00054072 ____A (AVAST Software) C:\Windows\System32\Drivers\aswRdr2.sys
2012-08-31 23:50 - 2012-08-21 05:13 - 00025232 ____A (AVAST Software) C:\Windows\System32\Drivers\aswFsBlk.sys
2012-08-31 23:50 - 2012-08-21 05:12 - 00285328 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
2012-08-31 23:50 - 2012-08-21 05:12 - 00227648 ____A (AVAST Software) C:\Windows\SysWOW64\aswBoot.exe
2012-08-31 23:50 - 2012-08-21 05:12 - 00041224 ____A (AVAST Software) C:\Windows\avastSS.scr
2012-08-31 23:46 - 2012-08-31 23:46 - 00000000 ____D C:\Users\Labatt\AppData\Roaming\SUPERAntiSpyware.com
2012-08-31 23:44 - 2012-08-31 23:44 - 00001113 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-08-31 23:44 - 2012-08-31 23:44 - 00000000 ____D C:\Users\Labatt\AppData\Roaming\Malwarebytes
2012-08-31 23:44 - 2012-08-31 23:44 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-08-31 23:44 - 2012-08-31 23:44 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-08-31 23:44 - 2012-07-03 13:46 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-08-31 23:31 - 2012-09-01 12:43 - 00000000 ____D C:\Users\Labatt\AppData\Roaming\xsecva
2012-08-31 23:31 - 2012-08-31 23:31 - 00000012 ____A C:\Windows\srun.log
2012-08-31 23:30 - 2012-09-01 23:55 - 00000000 ____A C:\Users\Labatt\AppData\Local\π∫Ω√≈∆Ռ◊⁄fiflı˘˙˚˝˛ˇ
2012-08-31 23:30 - 2012-09-01 12:45 - 00000016 ____A C:\Users\Labatt\AppData\Roaming\lyjsb
2012-08-31 23:30 - 2012-08-31 23:30 - 01603584 ____A (C-Media Electronics Inc.) C:\Users\Labatt\AppData\Roaming\prtif.dll
2012-08-31 23:30 - 2012-08-31 23:30 - 00090176 ____A C:\Users\Labatt\AppData\Roaming\lj1y6nb.dat
2012-08-31 23:30 - 2012-08-31 23:30 - 00086080 ____A C:\Users\Labatt\AppData\Roaming\aftr4sb.dat
2012-08-31 23:30 - 2012-08-31 23:30 - 00060992 ____A C:\Users\Labatt\AppData\Roaming\serjs58n.dat
2012-08-31 23:30 - 2012-08-31 23:30 - 00000091 ____H C:\Users\Labatt\AppData\Roaming\33nvejc.bat
2012-08-31 23:30 - 2012-08-31 23:30 - 00000000 ____D C:\Users\Labatt\AppData\Local\{714AA93A-F3E5-11E1-8270-B8AC6F996F26}
2012-08-31 23:29 - 2012-08-31 23:29 - 00000012 ____A C:\Windows\sruna.log
2012-08-18 19:14 - 2012-08-18 19:14 - 00000000 ____D C:\Users\Labatt\AppData\Local\Chromium
2012-08-09 12:58 - 2012-08-09 12:58 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-08-06 01:15 - 2012-08-26 17:22 - 00000000 ____D C:\Games
2012-08-03 21:00 - 2012-09-01 21:06 - 00111616 __ASH C:\Users\Labatt\Desktop\Thumbs.db

==================== 3 Months Modified Files ================================

2012-09-01 23:57 - 2009-07-14 00:45 - 00020704 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-09-01 23:57 - 2009-07-14 00:45 - 00020704 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-09-01 23:55 - 2012-08-31 23:30 - 00000000 ____A C:\Users\Labatt\AppData\Local\π∫Ω√≈∆Ռ◊⁄fiflı˘˙˚˝˛ˇ
2012-09-01 23:54 - 2009-07-14 01:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-09-01 23:54 - 2009-07-14 00:51 - 00047539 ____A C:\Windows\setupact.log
2012-09-01 21:06 - 2012-08-03 21:00 - 00111616 __ASH C:\Users\Labatt\Desktop\Thumbs.db
2012-09-01 20:35 - 2012-07-27 02:25 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1137381350-4176824296-2993100912-1000UA.job
2012-09-01 15:35 - 2010-11-20 23:47 - 00019250 ____A C:\Windows\PFRO.log
2012-09-01 12:49 - 2012-09-01 12:49 - 00000935 ____A C:\Users\Labatt\Desktop\Steam.lnk
2012-09-01 12:48 - 2009-07-14 01:13 - 00726270 ____A C:\Windows\System32\PerfStringBackup.INI
2012-09-01 12:45 - 2012-08-31 23:30 - 00000016 ____A C:\Users\Labatt\AppData\Roaming\lyjsb
2012-08-31 23:51 - 2012-08-31 23:51 - 00000034 ____A C:\Users\Labatt\AppData\Roaming\mbam.context.scan
2012-08-31 23:50 - 2012-08-31 23:50 - 00001922 ____A C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2012-08-31 23:50 - 2012-08-31 23:50 - 00000350 ___AH C:\Windows\Tasks\avast! Emergency Update.job
2012-08-31 23:50 - 2012-08-31 23:50 - 00000000 ____A C:\Windows\SysWOW64\config.nt
2012-08-31 23:44 - 2012-08-31 23:44 - 00001113 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-08-31 23:31 - 2012-08-31 23:31 - 00000012 ____A C:\Windows\srun.log
2012-08-31 23:30 - 2012-08-31 23:30 - 01603584 ____A (C-Media Electronics Inc.) C:\Users\Labatt\AppData\Roaming\prtif.dll
2012-08-31 23:30 - 2012-08-31 23:30 - 00090176 ____A C:\Users\Labatt\AppData\Roaming\lj1y6nb.dat
2012-08-31 23:30 - 2012-08-31 23:30 - 00086080 ____A C:\Users\Labatt\AppData\Roaming\aftr4sb.dat
2012-08-31 23:30 - 2012-08-31 23:30 - 00060992 ____A C:\Users\Labatt\AppData\Roaming\serjs58n.dat
2012-08-31 23:30 - 2012-08-31 23:30 - 00000091 ____H C:\Users\Labatt\AppData\Roaming\33nvejc.bat
2012-08-31 23:29 - 2012-08-31 23:29 - 00000012 ____A C:\Windows\sruna.log
2012-08-23 22:10 - 2012-04-07 22:33 - 00307687 ____A C:\Windows\DirectX.log
2012-08-22 00:43 - 2012-04-07 21:38 - 01763692 ____A C:\Windows\WindowsUpdate.log
2012-08-21 17:35 - 2012-07-27 02:25 - 00002420 ____A C:\Users\Labatt\Desktop\Google Chrome.lnk
2012-08-21 05:13 - 2012-08-31 23:50 - 00969200 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSnx.sys
2012-08-21 05:13 - 2012-08-31 23:50 - 00359464 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys
2012-08-21 05:13 - 2012-08-31 23:50 - 00071600 ____A (AVAST Software) C:\Windows\System32\Drivers\aswMonFlt.sys
2012-08-21 05:13 - 2012-08-31 23:50 - 00059728 ____A (AVAST Software) C:\Windows\System32\Drivers\aswTdi.sys
2012-08-21 05:13 - 2012-08-31 23:50 - 00054072 ____A (AVAST Software) C:\Windows\System32\Drivers\aswRdr2.sys
2012-08-21 05:13 - 2012-08-31 23:50 - 00025232 ____A (AVAST Software) C:\Windows\System32\Drivers\aswFsBlk.sys
2012-08-21 05:12 - 2012-08-31 23:50 - 00285328 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
2012-08-21 05:12 - 2012-08-31 23:50 - 00227648 ____A (AVAST Software) C:\Windows\SysWOW64\aswBoot.exe
2012-08-21 05:12 - 2012-08-31 23:50 - 00041224 ____A (AVAST Software) C:\Windows\avastSS.scr
2012-08-18 17:03 - 2012-04-19 23:04 - 00283304 ____A C:\Windows\SysWOW64\PnkBstrB.xtr
2012-08-18 17:03 - 2012-04-12 18:27 - 00283304 ____A C:\Windows\SysWOW64\PnkBstrB.exe
2012-08-18 17:02 - 2012-04-12 18:27 - 00280904 ____A C:\Windows\SysWOW64\PnkBstrB.ex0
2012-08-17 14:49 - 2012-04-07 22:44 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-08-17 14:49 - 2012-04-07 22:44 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-08-15 02:35 - 2012-07-27 02:25 - 00000860 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1137381350-4176824296-2993100912-1000Core.job
2012-08-08 13:40 - 2009-07-14 01:08 - 00032598 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-07-12 22:03 - 2012-04-07 22:05 - 00060008 ____A C:\Users\Labatt\AppData\Local\GDIPFONTCACHEV1.DAT
2012-07-12 22:02 - 2009-07-14 00:45 - 00272488 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-12 02:49 - 2012-04-07 23:31 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-07-12 00:24 - 2012-07-12 00:24 - 00098304 ____A (Sony DADC Austria AG.) C:\Windows\SysWOW64\CmdLineExt.dll
2012-07-03 13:46 - 2012-08-31 23:44 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-30 23:44 - 2012-06-30 23:42 - 00000045 ____A C:\Users\Labatt\jagex_cl_runescape_LIVE.dat
2012-06-30 19:21 - 2012-04-07 21:47 - 00026916 ____A C:\Windows\Ascd_tmp.ini
2012-06-30 19:21 - 2012-04-07 21:47 - 00001769 ____A C:\Windows\Language_trs.ini
2012-06-21 14:58 - 2012-06-21 14:58 - 00001092 ____A C:\Users\Labatt\Desktop\EVGA Precision X.lnk
2012-06-21 14:14 - 2012-06-21 14:13 - 168454136 ____A (NVIDIA Corporation) C:\Users\Labatt\Desktop\301.42-desktop-win7-winvista-64bit-english-whql.exe
2012-06-16 11:10 - 2012-06-16 11:10 - 00287756 ____A C:\Windows\msxml4-KB973688-enu.LOG
2012-06-15 13:57 - 2012-06-15 13:57 - 00289102 ____A C:\Windows\msxml4-KB954430-enu.LOG
2012-06-15 00:55 - 2012-06-15 00:48 - 00173054 ____A C:\Windows\hpoins46.dat
2012-06-15 00:55 - 2012-06-15 00:48 - 00000817 ____A C:\Users\All Users\hpzinstall.log
2012-06-14 01:19 - 2012-06-14 01:19 - 00001955 ____A C:\Users\Labatt\Desktop\SCHTHACK PSOBB.lnk
2012-06-11 23:08 - 2012-07-12 02:50 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-09 01:43 - 2012-07-11 23:59 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-09 00:41 - 2012-07-11 23:59 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-06-06 02:06 - 2012-07-11 23:59 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-06 02:06 - 2012-07-11 23:59 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-06 02:02 - 2012-07-11 23:59 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-06-06 01:05 - 2012-07-11 23:59 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-06-06 01:05 - 2012-07-11 23:59 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-06-06 01:03 - 2012-07-11 23:59 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll

ZeroAccess:
C:\Windows\Installer\{8e5f4ad8-f840-7edf-55b9-e1617522ac84}
C:\Windows\Installer\{8e5f4ad8-f840-7edf-55b9-e1617522ac84}\@
C:\Windows\Installer\{8e5f4ad8-f840-7edf-55b9-e1617522ac84}\L
C:\Windows\Installer\{8e5f4ad8-f840-7edf-55b9-e1617522ac84}\U
C:\Windows\Installer\{8e5f4ad8-f840-7edf-55b9-e1617522ac84}\U\00000001.@

ZeroAccess:
C:\Users\Labatt\AppData\Local\{8e5f4ad8-f840-7edf-55b9-e1617522ac84}
C:\Users\Labatt\AppData\Local\{8e5f4ad8-f840-7edf-55b9-e1617522ac84}\@
C:\Users\Labatt\AppData\Local\{8e5f4ad8-f840-7edf-55b9-e1617522ac84}\L
C:\Users\Labatt\AppData\Local\{8e5f4ad8-f840-7edf-55b9-e1617522ac84}\U

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Restore Points =========================


==================== Memory info ===========================

Percentage of memory in use: 9%
Total physical RAM: 16354.32 MB
Available physical RAM: 14796.04 MB
Total Pagefile: 32706.82 MB
Available Pagefile: 31150.15 MB
Total Virtual: 8192 MB
Available Virtual: 8191.86 MB

==================== Partitions ============================

1 Drive c: () (Fixed) (Total:931.41 GB) (Free:585.31 GB) NTFS
3 Drive e: (USB DISK) (Removable) (Total:14.72 GB) (Free:14.6 GB) FAT32

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 931 GB 0 B
Disk 1 Online 14 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 931 GB 101 MB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 System Rese NTFS Partition 100 MB Healthy System (partition with boot components)

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 931 GB Healthy Boot

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 14 GB 7448 KB

==================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E USB DISK FAT32 Removable 14 GB Healthy

==================================================================================

Last Boot: 2012-08-31 18:59

==================== End Of Log =============================



Search.txt:

Farbar Recovery Scan Tool Version: 01-09-2012 01
Ran by Labatt at 2012-09-02 00:04:42
Running from E:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 19:19] - [2009-07-13 21:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 19:19] - [2009-07-13 21:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

====== End Of Search ======

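The Search.txt above is the key evidence in this thread: the two services.exe copies have the same size, the same timestamps and the same publisher string but different MD5 hashes, which is how an in-place patch of a system binary shows up. The script below is an added example written for this page, not FRST code; it parses the FRST "Search:" output format (the sample is the two entries above, embedded verbatim) and reports any live copy that differs only in hash from its WinSxS reference.

```python
"""Flag a system binary whose live copy differs from its WinSxS reference copy.

Added example for this thread (not FRST code). Parses the FRST "Search:" output
format; the sample text is the two services.exe entries from the Search.txt
above, embedded verbatim.
"""
import re
from collections import defaultdict

FRST_SEARCH_SAMPLE = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 19:19] - [2009-07-13 21:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 19:19] - [2009-07-13 21:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

====== End Of Search ======
"""

# FRST prints each hit as a path line followed by an attribute line:
#   [stamp] - [stamp] - <size> <attrs> (<company>) <MD5>
# The two stamps are kept as opaque strings; only equality matters here.
ATTR_RE = re.compile(
    r"^\[(?P<ts1>[^\]]+)\] - \[(?P<ts2>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_frst_search(text):
    """Return one dict per file hit: path, ts1, ts2, size, attrs, company, md5."""
    lines = [ln.strip() for ln in text.splitlines()]
    hits = []
    for i, line in enumerate(lines):
        m = ATTR_RE.match(line)
        if m and i > 0 and lines[i - 1]:
            hit = m.groupdict()
            hit["path"] = lines[i - 1]
            hit["size"] = int(hit["size"])
            hit["md5"] = hit["md5"].upper()
            hits.append(hit)
    return hits


def find_patched_binaries(hits):
    """Pair each non-WinSxS copy with WinSxS copies of the same file name.

    A copy whose size, timestamps and company string equal the WinSxS
    reference but whose MD5 differs has had its bytes rewritten in place,
    which is what the patched services.exe in this thread looks like.
    A copy with different metadata is not reported: that is the normal
    result of servicing (a newer build), not evidence of tampering.
    """
    by_name = defaultdict(list)
    for h in hits:
        by_name[h["path"].rsplit("\\", 1)[-1].lower()].append(h)

    findings = []
    for name, copies in by_name.items():
        refs = [c for c in copies if "\\winsxs\\" in c["path"].lower()]
        live = [c for c in copies if "\\winsxs\\" not in c["path"].lower()]
        for lv in live:
            for ref in refs:
                same_meta = (
                    lv["size"] == ref["size"]
                    and (lv["ts1"], lv["ts2"]) == (ref["ts1"], ref["ts2"])
                    and lv["company"] == ref["company"]
                )
                if same_meta and lv["md5"] != ref["md5"]:
                    findings.append({
                        "file": name,
                        "live_path": lv["path"],
                        "live_md5": lv["md5"],
                        "reference_path": ref["path"],
                        "reference_md5": ref["md5"],
                    })
    return findings


if __name__ == "__main__":
    for f in find_patched_binaries(parse_frst_search(FRST_SEARCH_SAMPLE)):
        print(f"{f['file']}: live {f['live_md5']} != reference {f['reference_md5']}")
        print(f"  live:      {f['live_path']}")
        print(f"  reference: {f['reference_path']}")
```

Two caveats a responder should keep in mind: size alone would not have caught this (both copies are 328704 bytes), and the WinSxS copy is only a reference, not proof of integrity, since code running in the kernel can rewrite it as well. Confirm against the signed catalogs (for example with `sfc /verifyonly`) from a clean boot medium before trusting either copy.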
#4 CatByte (Malware Response Team)

Posted 02 September 2012 - 07:30 AM

The log shows that you are infected with a nasty rootkit called ZeroAccess. As a precaution, stay off the internet as much as possible until we get you cleaned up, and change any online passwords from a computer that has never been infected.

Unfortunately, for a fix to take effect, FRST needs to be run from the recovery environment, so we need to try another tool.

Please run the following:

Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Edited by CatByte, 02 September 2012 - 01:10 PM.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 pastorel2 (Topic Starter)

Posted 02 September 2012 - 11:42 AM

ComboFix 12-09-01.01 - Labatt 09/02/2012 12:23:50.1.8 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.16361.14559 [GMT -4:00]
Running from: c:\users\Labatt\Desktop\ComboFix.exe
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Labatt\AppData\Roaming\33nvejc.bat
c:\users\Labatt\AppData\Roaming\prtif.dll
c:\windows\Installer\{8e5f4ad8-f840-7edf-55b9-e1617522ac84}\@
c:\windows\Installer\{8e5f4ad8-f840-7edf-55b9-e1617522ac84}\U\00000001.@
c:\windows\Installer\{8e5f4ad8-f840-7edf-55b9-e1617522ac84}\U\80000000.@
c:\windows\Installer\{8e5f4ad8-f840-7edf-55b9-e1617522ac84}\U\800000cb.@
c:\windows\SysWow64\FlashPlayerInstaller.exe
.
Infected copy of c:\windows\system32\services.exe was found and disinfected
Restored copy from - c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_pk876tr3
.
.
((((((((((((((((((((((((( Files Created from 2012-08-02 to 2012-09-02 )))))))))))))))))))))))))))))))
.
.
2012-09-02 16:30 . 2012-09-02 16:33 -------- d-----w- c:\users\Labatt\AppData\Local\temp
2012-09-02 16:30 . 2012-09-02 16:30 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-09-02 16:30 . 2012-09-02 16:30 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-09-02 04:03 . 2012-09-02 04:04 -------- d-----w- C:\FRST
2012-09-01 05:20 . 2012-09-01 05:20 73696 ----a-w- c:\program files (x86)\Mozilla Firefox\breakpadinjector.dll
2012-09-01 03:50 . 2012-08-21 09:13 25232 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-09-01 03:50 . 2012-08-21 09:13 359464 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-09-01 03:50 . 2012-08-21 09:13 54072 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2012-09-01 03:50 . 2012-08-21 09:13 969200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-09-01 03:50 . 2012-08-21 09:13 59728 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-09-01 03:50 . 2012-08-21 09:13 71600 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-09-01 03:50 . 2012-08-21 09:12 285328 ----a-w- c:\windows\system32\aswBoot.exe
2012-09-01 03:50 . 2012-08-21 09:12 41224 ----a-w- c:\windows\avastSS.scr
2012-09-01 03:50 . 2012-08-21 09:12 227648 ----a-w- c:\windows\SysWow64\aswBoot.exe
2012-09-01 03:50 . 2012-09-01 03:50 -------- d-----w- c:\programdata\AVAST Software
2012-09-01 03:50 . 2012-09-01 03:50 -------- d-----w- c:\program files\AVAST Software
2012-09-01 03:46 . 2012-09-01 03:46 -------- d-----w- c:\users\Labatt\AppData\Roaming\SUPERAntiSpyware.com
2012-09-01 03:44 . 2012-09-01 03:44 -------- d-----w- c:\users\Labatt\AppData\Roaming\Malwarebytes
2012-09-01 03:44 . 2012-09-01 03:44 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-09-01 03:44 . 2012-09-01 03:44 -------- d-----w- c:\programdata\Malwarebytes
2012-09-01 03:44 . 2012-07-03 17:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-01 03:31 . 2012-09-01 16:43 -------- d-----w- c:\users\Labatt\AppData\Roaming\xsecva
2012-09-01 03:30 . 2012-09-01 03:30 -------- d-----w- c:\users\Labatt\AppData\Local\{714AA93A-F3E5-11E1-8270-B8AC6F996F26}
2012-08-18 23:14 . 2012-08-18 23:14 -------- d-----w- c:\users\Labatt\AppData\Local\Chromium
2012-08-18 23:11 . 2012-08-25 23:12 -------- d-----w- c:\users\Labatt\AppData\Roaming\The Creative Assembly
2012-08-09 16:58 . 2012-08-09 16:58 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-08-07 19:52 . 2012-06-29 10:04 9133488 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{FB4E5FDF-F9AF-4EF0-A343-BDE028886BD0}\mpengine.dll
2012-08-06 05:15 . 2012-08-26 21:22 -------- d-----w- C:\Games
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-18 21:03 . 2012-04-20 03:04 283304 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
2012-08-18 21:03 . 2012-04-12 22:27 283304 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2012-08-18 21:02 . 2012-04-12 22:27 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2012-08-17 18:49 . 2012-04-08 02:44 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-17 18:49 . 2012-04-08 02:44 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-07-12 06:49 . 2012-04-08 03:31 59701280 ----a-w- c:\windows\system32\MRT.exe
2012-07-12 04:24 . 2012-07-12 04:24 98304 ----a-w- c:\windows\SysWow64\CmdLineExt.dll
2012-06-12 03:08 . 2012-07-12 06:50 3148800 ----a-w- c:\windows\system32\win32k.sys
2012-06-09 05:43 . 2012-07-12 03:59 14172672 ----a-w- c:\windows\system32\shell32.dll
2012-06-06 06:06 . 2012-07-12 03:59 2004480 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 06:06 . 2012-07-12 03:59 1881600 ----a-w- c:\windows\system32\msxml3.dll
2012-06-06 06:02 . 2012-07-12 03:59 1133568 ----a-w- c:\windows\system32\cdosys.dll
2012-06-06 05:05 . 2012-07-12 03:59 1390080 ----a-w- c:\windows\SysWow64\msxml6.dll
2012-06-06 05:05 . 2012-07-12 03:59 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll
2012-06-06 05:03 . 2012-07-12 03:59 805376 ----a-w- c:\windows\SysWow64\cdosys.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-11-06 283160]
"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-11-17 113288]
"BCU"="c:\program files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe" [2009-10-26 375000]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2010-01-19 43632]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-08-21 4282728]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [x]
R3 ALSysIO;ALSysIO;c:\users\Labatt\AppData\Local\Temp\ALSysIO64.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-09-01 114144]
R3 SaiH075C;SaiH075C;c:\windows\system32\DRIVERS\SaiH075C.sys [2007-05-01 171144]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-04-08 1255736]
S0 mv91xx;mv91xx;c:\windows\system32\DRIVERS\mv91xx.sys [2010-11-22 303408]
S1 AsUpIO;AsUpIO;SysWow64\drivers\AsUpIO.sys [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-07-27 63960]
S2 asComSvc;ASUS Com Service;c:\program files (x86)\ASUS\AXSP\1.00.13\atkexComSvc.exe [2010-11-03 918144]
S2 asHmComSvc;ASUS HM Com Service;c:\program files (x86)\ASUS\AAHM\1.00.13\aaHMSvc.exe [2010-12-02 915584]
S2 AsSysCtrlService;ASUS System Control Service;c:\program files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe [2010-10-21 586880]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-08-21 71600]
S2 BCUService;Browser Configuration Utility Service;c:\program files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe [2009-10-26 223464]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-11-06 13336]
S2 Intel PROSet Monitoring Service;Intel PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [2010-08-12 133800]
S3 e1cexpress;Intel® PRO/1000 PCI Express Network Connection Driver C;c:\windows\system32\DRIVERS\e1c62x64.sys [2010-09-21 313520]
S3 ICCWDT;Intel® Watchdog Timer Driver (Intel® WDT);c:\windows\system32\DRIVERS\ICCWDT.sys [2010-08-17 26136]
S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2010-10-19 56344]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2010-12-10 80384]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2010-12-10 181248]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2012-01-17 188224]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 23040]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-01 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2012-09-01 09:12]
.
2012-08-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1137381350-4176824296-2993100912-1000Core.job
- c:\users\Labatt\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-27 06:25]
.
2012-09-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1137381350-4176824296-2993100912-1000UA.job
- c:\users\Labatt\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-27 06:25]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-08-21 09:11 133400 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-11-02 11545192]
"ProfilerU"="c:\program files\Saitek\SD6\Software\ProfilerU.exe" [2010-07-29 310272]
"SaiMfd"="c:\program files\Saitek\SD6\Software\SaiMfd.exe" [2010-07-29 158208]
"combofix"="c:\combofix\CF5078.3XE" [2010-11-21 345088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 167.206.251.129 167.206.251.130
FF - ProfilePath - c:\users\Labatt\AppData\Roaming\Mozilla\Firefox\Profiles\g98ft6ym.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{3706EE7C-3CAD-445D-8A43-03EBC3B75908} - c:\program files (x86)\Expat Shield\HssIE\ExpatIE_64.dll
HKLM-Run-prtif - c:\users\Labatt\AppData\Roaming\prtif.dll
HKLM-Run-tbspts - c:\users\Labatt\AppData\Roaming\tbspts.dll
AddRemove-BattlEye for A2 - c:\program files (x86)\steam\steamapps\common\arma 2BattlEye\UnInstallBE.exe
AddRemove-ESN Sonar-0.70.4 - c:\program files (x86)\Battlelog Web Plugins\Sonar\esnsonar_uninstall.exe
AddRemove-NVIDIAStereo - c:\program files (x86)\NVIDIA Corporation\3D Vision\nvStInst.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1137381350-4176824296-2993100912-1000\Software\SecuROM\License information*]
"datasecu"=hex:9d,97,b5,87,5f,9c,c7,89,aa,06,fb,7e,db,a7,df,ce,aa,c8,f2,4a,0c,
94,4c,d5,c0,50,f7,e4,f1,28,5d,f6,8b,df,cd,0e,ef,39,e7,97,20,4b,09,7b,d0,ba,\
"rkeysecu"=hex:4d,34,66,0d,91,07,54,55,c8,7b,f0,d2,9b,60,60,66
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\SysWOW64\PnkBstrA.exe
.
**************************************************************************
.
Completion time: 2012-09-02 12:39:37 - machine was rebooted
ComboFix-quarantined-files.txt 2012-09-02 16:39
.
Pre-Run: 627,077,627,904 bytes free
Post-Run: 628,664,221,696 bytes free
.
- - End Of File - - 41D4190613C33A20099B6F0CF5231F4E

#6 CatByte (Malware Response Team)

Posted 02 September 2012 - 01:15 PM

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

Folder::
C:\Users\Labatt\AppData\Roaming\xsecva
C:\Users\Labatt\AppData\Local\{714AA93A-F3E5-11E1-8270-B8AC6F996F26}

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish



#7 pastorel2 (Topic Starter)

Posted 02 September 2012 - 03:17 PM

Despite disabling Avast! completely, ComboFix still believes the scanners are running. I am wary of proceeding until this is checked. Attached is a screenshot. Thanks.




#8 CatByte (Malware Response Team)

Posted 02 September 2012 - 03:48 PM

Yes, continue on; Avast appears to be disabled.



#9 pastorel2 (Topic Starter)

Posted 02 September 2012 - 05:48 PM

ComboFix Log:

ComboFix 12-09-01.01 - Labatt 09/02/2012 16:54:48.2.8 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.16361.14627 [GMT -4:00]
Running from: c:\users\Labatt\Desktop\ComboFix.exe
Command switches used :: E:\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Labatt\AppData\Local\{714AA93A-F3E5-11E1-8270-B8AC6F996F26}
c:\users\Labatt\AppData\Local\{714AA93A-F3E5-11E1-8270-B8AC6F996F26}\chrome.manifest
c:\users\Labatt\AppData\Local\{714AA93A-F3E5-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul
c:\users\Labatt\AppData\Local\{714AA93A-F3E5-11E1-8270-B8AC6F996F26}\install.rdf
c:\users\Labatt\AppData\Roaming\xsecva
c:\users\Labatt\AppData\Roaming\xsecva\xseacc.xse
.
.
((((((((((((((((((((((((( Files Created from 2012-08-02 to 2012-09-02 )))))))))))))))))))))))))))))))
.
.
2012-09-02 21:03 . 2012-09-02 21:03 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-09-02 21:03 . 2012-09-02 21:03 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-09-02 16:30 . 2012-09-02 21:06 -------- d-----w- c:\users\Labatt\AppData\Local\temp
2012-09-02 04:03 . 2012-09-02 04:04 -------- d-----w- C:\FRST
2012-09-01 05:20 . 2012-09-01 05:20 73696 ----a-w- c:\program files (x86)\Mozilla Firefox\breakpadinjector.dll
2012-09-01 03:50 . 2012-08-21 09:13 25232 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-09-01 03:50 . 2012-08-21 09:13 359464 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-09-01 03:50 . 2012-08-21 09:13 54072 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2012-09-01 03:50 . 2012-08-21 09:13 969200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-09-01 03:50 . 2012-08-21 09:13 59728 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-09-01 03:50 . 2012-08-21 09:13 71600 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-09-01 03:50 . 2012-08-21 09:12 285328 ----a-w- c:\windows\system32\aswBoot.exe
2012-09-01 03:50 . 2012-08-21 09:12 41224 ----a-w- c:\windows\avastSS.scr
2012-09-01 03:50 . 2012-08-21 09:12 227648 ----a-w- c:\windows\SysWow64\aswBoot.exe
2012-09-01 03:50 . 2012-09-01 03:50 -------- d-----w- c:\programdata\AVAST Software
2012-09-01 03:50 . 2012-09-01 03:50 -------- d-----w- c:\program files\AVAST Software
2012-09-01 03:46 . 2012-09-01 03:46 -------- d-----w- c:\users\Labatt\AppData\Roaming\SUPERAntiSpyware.com
2012-09-01 03:44 . 2012-09-01 03:44 -------- d-----w- c:\users\Labatt\AppData\Roaming\Malwarebytes
2012-09-01 03:44 . 2012-09-01 03:44 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-09-01 03:44 . 2012-09-01 03:44 -------- d-----w- c:\programdata\Malwarebytes
2012-09-01 03:44 . 2012-07-03 17:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-18 23:14 . 2012-08-18 23:14 -------- d-----w- c:\users\Labatt\AppData\Local\Chromium
2012-08-18 23:11 . 2012-08-25 23:12 -------- d-----w- c:\users\Labatt\AppData\Roaming\The Creative Assembly
2012-08-09 16:58 . 2012-08-09 16:58 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-08-07 19:52 . 2012-06-29 10:04 9133488 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{FB4E5FDF-F9AF-4EF0-A343-BDE028886BD0}\mpengine.dll
2012-08-06 05:15 . 2012-08-26 21:22 -------- d-----w- C:\Games
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-18 21:03 . 2012-04-20 03:04 283304 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
2012-08-18 21:03 . 2012-04-12 22:27 283304 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2012-08-18 21:02 . 2012-04-12 22:27 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2012-08-17 18:49 . 2012-04-08 02:44 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-17 18:49 . 2012-04-08 02:44 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-07-12 06:49 . 2012-04-08 03:31 59701280 ----a-w- c:\windows\system32\MRT.exe
2012-07-12 04:24 . 2012-07-12 04:24 98304 ----a-w- c:\windows\SysWow64\CmdLineExt.dll
2012-06-12 03:08 . 2012-07-12 06:50 3148800 ----a-w- c:\windows\system32\win32k.sys
2012-06-09 05:43 . 2012-07-12 03:59 14172672 ----a-w- c:\windows\system32\shell32.dll
2012-06-06 06:06 . 2012-07-12 03:59 2004480 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 06:06 . 2012-07-12 03:59 1881600 ----a-w- c:\windows\system32\msxml3.dll
2012-06-06 06:02 . 2012-07-12 03:59 1133568 ----a-w- c:\windows\system32\cdosys.dll
2012-06-06 05:05 . 2012-07-12 03:59 1390080 ----a-w- c:\windows\SysWow64\msxml6.dll
2012-06-06 05:05 . 2012-07-12 03:59 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll
2012-06-06 05:03 . 2012-07-12 03:59 805376 ----a-w- c:\windows\SysWow64\cdosys.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-09-02_16.33.11 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-07-14 04:54 . 2012-09-02 16:21 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-09-02 21:05 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-09-02 21:05 98304 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-09-02 16:21 98304 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-09-02 16:21 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-09-02 21:05 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-11-21 03:09 . 2012-09-02 21:07 41474 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-09-02 21:07 35932 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2012-04-08 02:06 . 2012-09-02 21:07 13114 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1137381350-4176824296-2993100912-1000_UserData.bin
- 2012-09-02 16:32 . 2012-09-02 16:32 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-09-02 21:04 . 2012-09-02 21:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-09-02 16:32 . 2012-09-02 16:32 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-09-02 21:04 . 2012-09-02 21:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 05:01 . 2012-09-02 16:31 236824 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-09-02 21:04 236824 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-11-06 283160]
"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-11-17 113288]
"BCU"="c:\program files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe" [2009-10-26 375000]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2010-01-19 43632]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-08-21 4282728]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [x]
R3 ALSysIO;ALSysIO;c:\users\Labatt\AppData\Local\Temp\ALSysIO64.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-09-01 114144]
R3 SaiH075C;SaiH075C;c:\windows\system32\DRIVERS\SaiH075C.sys [2007-05-01 171144]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-04-08 1255736]
S0 mv91xx;mv91xx;c:\windows\system32\DRIVERS\mv91xx.sys [2010-11-22 303408]
S1 AsUpIO;AsUpIO;SysWow64\drivers\AsUpIO.sys [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-07-27 63960]
S2 asComSvc;ASUS Com Service;c:\program files (x86)\ASUS\AXSP\1.00.13\atkexComSvc.exe [2010-11-03 918144]
S2 asHmComSvc;ASUS HM Com Service;c:\program files (x86)\ASUS\AAHM\1.00.13\aaHMSvc.exe [2010-12-02 915584]
S2 AsSysCtrlService;ASUS System Control Service;c:\program files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe [2010-10-21 586880]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-08-21 71600]
S2 BCUService;Browser Configuration Utility Service;c:\program files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe [2009-10-26 223464]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-11-06 13336]
S2 Intel PROSet Monitoring Service;Intel PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [2010-08-12 133800]
S3 e1cexpress;Intel® PRO/1000 PCI Express Network Connection Driver C;c:\windows\system32\DRIVERS\e1c62x64.sys [2010-09-21 313520]
S3 ICCWDT;Intel® Watchdog Timer Driver (Intel® WDT);c:\windows\system32\DRIVERS\ICCWDT.sys [2010-08-17 26136]
S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2010-10-19 56344]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2010-12-10 80384]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2010-12-10 181248]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2012-01-17 188224]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 23040]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1137381350-4176824296-2993100912-1000Core.job
- c:\users\Labatt\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-27 06:25]
.
2012-09-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1137381350-4176824296-2993100912-1000UA.job
- c:\users\Labatt\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-27 06:25]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3706EE7C-3CAD-445D-8A43-03EBC3B75908}]
c:\program files (x86)\Expat Shield\HssIE\ExpatIE_64.dll [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-08-21 09:11 133400 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-11-02 11545192]
"ProfilerU"="c:\program files\Saitek\SD6\Software\ProfilerU.exe" [2010-07-29 310272]
"SaiMfd"="c:\program files\Saitek\SD6\Software\SaiMfd.exe" [2010-07-29 158208]
"prtif"="c:\users\Labatt\AppData\Roaming\prtif.dll" [BU]
"tbspts"="c:\users\Labatt\AppData\Roaming\tbspts.dll" [BU]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 167.206.251.129 167.206.251.130
FF - ProfilePath - c:\users\Labatt\AppData\Roaming\Mozilla\Firefox\Profiles\g98ft6ym.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1137381350-4176824296-2993100912-1000\Software\SecuROM\License information*]
"datasecu"=hex:9d,97,b5,87,5f,9c,c7,89,aa,06,fb,7e,db,a7,df,ce,aa,c8,f2,4a,0c,
94,4c,d5,c0,50,f7,e4,f1,28,5d,f6,8b,df,cd,0e,ef,39,e7,97,20,4b,09,7b,d0,ba,\
"rkeysecu"=hex:4d,34,66,0d,91,07,54,55,c8,7b,f0,d2,9b,60,60,66
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\SysWOW64\PnkBstrA.exe
.
**************************************************************************
.
Completion time: 2012-09-02 17:11:32 - machine was rebooted
ComboFix-quarantined-files.txt 2012-09-02 21:11
.
Pre-Run: 628,737,359,872 bytes free
Post-Run: 628,667,711,488 bytes free
.
- - End Of File - - 10A7F971EBB09616C8E5EFDCF00802EE



MBAM Log:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.09.02.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Labatt :: LABATT-PC [administrator]

9/2/2012 5:13:52 PM
mbam-log-2012-09-02 (17-13-52).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 217897
Time elapsed: 1 minute(s), 33 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


ESET Log:


C:\Qoobox\Quarantine\C\Users\Labatt\AppData\Local\{714AA93A-F3E5-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul.vir JS/Redirector.NIQ trojan
C:\Qoobox\Quarantine\C\Windows\System32\services.exe.vir Win64/Patched.B.Gen trojan
C:\Users\Labatt\AppData\Local\Google\Chrome\User Data\Default\Default\aagggedegcgedidggcdbgbgfdegbdbde\background.html Win32/BHO.OEI trojan
C:\Users\Labatt\AppData\Roaming\Mozilla\Firefox\Profiles\g98ft6ym.default\extensions\casvhrygmb@casvhrygmb.org.xpi JS/Redirector.NCA trojan

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:06 PM

Posted 02 September 2012 - 07:24 PM

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')


Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"prtif"=-
"tbspts"=-

Collect::
c:\users\Labatt\AppData\Roaming\prtif.dll
c:\users\Labatt\AppData\Roaming\tbspts.dll

File::
C:\Users\Labatt\AppData\Local\Google\Chrome\User Data\Default\Default\aagggedegcgedidggcdbgbgfdegbdbde\background.html 
C:\Users\Labatt\AppData\Roaming\Mozilla\Firefox\Profiles\g98ft6ym.default\extensions\casvhrygmb@casvhrygmb.org.xpi 

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, and save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


  • Please download MiniToolBox and save it to your desktop and run it.

    Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List installed programs.

Click Go and post the result (Result.txt) that pops up. A copy of result.txt will be saved in the same directory the tool is run.

NEXT


Please download Farbar Service Scanner to your desktop and run it.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


NEXT

Please advise how the computer is running now and if there are any outstanding issues.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
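The CFScript above removes two Run values whose targets sit in the user's AppData\Roaming folder and carry no date/size stamp in the ComboFix log. As an added example (not code from CatByte, ComboFix or this thread), the following Python script parses the "Reg Loading Points" block of a ComboFix log in the format posted above and lists the autostart entries a responder would review first; the sample log, the heuristics and every function name are constructed for this example.

```python
"""Triage of the "Reg Loading Points" block of a ComboFix log.

Added example, not ComboFix's or CatByte's code. It parses Run-key values and
service/driver lines in the log format shown in this thread and flags entries
a responder would review first. The sample log and heuristics are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Iterator, List, Tuple

# Constructed sample in the shape of the ComboFix output posted above.
SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-08-21 4282728]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
R3 ALSysIO;ALSysIO;c:\users\Labatt\AppData\Local\Temp\ALSysIO64.sys [x]
S1 aswSnx;aswSnx; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-08-21 71600]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-11-02 11545192]
"prtif"="c:\users\Labatt\AppData\Roaming\prtif.dll" [BU]
"tbspts"="c:\users\Labatt\AppData\Roaming\tbspts.dll" [BU]
"""

RUN_KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[([^\]]*)\]\s*$')
# "<start type> <name>;<display name>;<path> [<stamp>]"; the path may be empty.
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]\s*$")
# The normal stamp ComboFix prints is "[YYYY-MM-DD size]"; anything else
# ([BU], [x]) means it did not report the file's date and size.
STAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d+$")

# Directories an ordinary user can write to; autostarts from here deserve a look.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\")


@dataclass
class Finding:
    kind: str            # "run" or "service"
    name: str
    path: str
    stamp: str
    reasons: List[str] = field(default_factory=list)


def parse_run_entries(text: str) -> Iterator[Tuple[str, str, str, str]]:
    """Yield (key, value name, target path, stamp) for values under a ...\\Run key."""
    run_key = None
    for line in text.splitlines():
        m = RUN_KEY_RE.match(line)
        if m:
            run_key = m.group(1) if m.group(1).lower().endswith("\\run") else None
            continue
        m = RUN_VALUE_RE.match(line)
        if m and run_key:
            yield run_key, m.group(1), m.group(2), m.group(3)


def parse_services(text: str) -> Iterator[Tuple[str, str, str, str, str]]:
    """Yield (start type, name, display name, path, stamp) for service/driver lines."""
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            yield m.groups()


def triage(text: str) -> List[Finding]:
    """Return flagged entries, Run values first, then services and drivers."""
    findings: List[Finding] = []
    for _key, name, path, stamp in parse_run_entries(text):
        reasons = []
        low = path.lower()
        if any(mk in low for mk in USER_WRITABLE_MARKERS):
            reasons.append("autostart target lives in a user-writable profile directory")
        if low.endswith(".dll"):
            reasons.append("Run value points at a .dll, which cannot start on its own")
        if not STAMP_RE.match(stamp):
            reasons.append(f"no date/size stamp; ComboFix reported [{stamp}]")
        if reasons:
            findings.append(Finding("run", name, path, stamp, reasons))
    for _start, name, _display, path, stamp in parse_services(text):
        # A missing stamp alone is not flagged here: the log above shows [x]
        # on avast's own drivers, so it is only worth noting with another reason.
        low = path.lower()
        if any(mk in low for mk in USER_WRITABLE_MARKERS):
            reasons = ["service/driver binary lives in a user-writable directory"]
            if not STAMP_RE.match(stamp):
                reasons.append(f"no date/size stamp; ComboFix reported [{stamp}]")
            findings.append(Finding("service", name, path, stamp, reasons))
    return findings


def format_report(findings: List[Finding]) -> str:
    """Render the review list; it suggests what to look at, not what to delete."""
    lines = []
    for f in findings:
        lines.append(f"[{f.kind}] {f.name} -> {f.path or '(no path)'} [{f.stamp}]")
        lines.extend(f"    - {r}" for r in f.reasons)
    return "\n".join(lines) if lines else "nothing flagged"


if __name__ == "__main__":
    print(format_report(triage(SAMPLE_LOG)))
```

Entries such as the Core Temp driver in AppData\Local\Temp will appear in the list too; the output is a review queue for the responder, not a removal script.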


#11 pastorel2

pastorel2
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:06 PM

Posted 02 September 2012 - 08:04 PM

CFlog:

ComboFix 12-09-01.01 - Labatt 09/02/2012 20:45:16.3.8 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.16361.14599 [GMT -4:00]
Running from: c:\users\Labatt\Desktop\ComboFix.exe
Command switches used :: E:\CFscript.txt
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\users\Labatt\AppData\Local\Google\Chrome\User Data\Default\Default\aagggedegcgedidggcdbgbgfdegbdbde\background.html"
"c:\users\Labatt\AppData\Roaming\Mozilla\Firefox\Profiles\g98ft6ym.default\extensions\casvhrygmb@casvhrygmb.org.xpi"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Labatt\AppData\Local\Google\Chrome\User Data\Default\Default\aagggedegcgedidggcdbgbgfdegbdbde\background.html
c:\users\Labatt\AppData\Roaming\Mozilla\Firefox\Profiles\g98ft6ym.default\extensions\casvhrygmb@casvhrygmb.org.xpi
.
.
((((((((((((((((((((((((( Files Created from 2012-08-03 to 2012-09-03 )))))))))))))))))))))))))))))))
.
.
2012-09-03 00:52 . 2012-09-03 00:52 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-09-03 00:52 . 2012-09-03 00:52 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-09-02 16:30 . 2012-09-03 00:54 -------- d-----w- c:\users\Labatt\AppData\Local\temp
2012-09-02 04:03 . 2012-09-02 04:04 -------- d-----w- C:\FRST
2012-09-01 05:20 . 2012-09-01 05:20 73696 ----a-w- c:\program files (x86)\Mozilla Firefox\breakpadinjector.dll
2012-09-01 03:50 . 2012-08-21 09:13 25232 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-09-01 03:50 . 2012-08-21 09:13 359464 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-09-01 03:50 . 2012-08-21 09:13 54072 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2012-09-01 03:50 . 2012-08-21 09:13 969200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-09-01 03:50 . 2012-08-21 09:13 59728 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-09-01 03:50 . 2012-08-21 09:13 71600 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-09-01 03:50 . 2012-08-21 09:12 285328 ----a-w- c:\windows\system32\aswBoot.exe
2012-09-01 03:50 . 2012-08-21 09:12 41224 ----a-w- c:\windows\avastSS.scr
2012-09-01 03:50 . 2012-08-21 09:12 227648 ----a-w- c:\windows\SysWow64\aswBoot.exe
2012-09-01 03:50 . 2012-09-01 03:50 -------- d-----w- c:\programdata\AVAST Software
2012-09-01 03:50 . 2012-09-01 03:50 -------- d-----w- c:\program files\AVAST Software
2012-09-01 03:46 . 2012-09-01 03:46 -------- d-----w- c:\users\Labatt\AppData\Roaming\SUPERAntiSpyware.com
2012-09-01 03:44 . 2012-09-01 03:44 -------- d-----w- c:\users\Labatt\AppData\Roaming\Malwarebytes
2012-09-01 03:44 . 2012-09-01 03:44 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-09-01 03:44 . 2012-09-01 03:44 -------- d-----w- c:\programdata\Malwarebytes
2012-09-01 03:44 . 2012-07-03 17:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-18 23:14 . 2012-08-18 23:14 -------- d-----w- c:\users\Labatt\AppData\Local\Chromium
2012-08-18 23:11 . 2012-08-25 23:12 -------- d-----w- c:\users\Labatt\AppData\Roaming\The Creative Assembly
2012-08-09 16:58 . 2012-08-09 16:58 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-08-07 19:52 . 2012-06-29 10:04 9133488 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{FB4E5FDF-F9AF-4EF0-A343-BDE028886BD0}\mpengine.dll
2012-08-06 05:15 . 2012-08-26 21:22 -------- d-----w- C:\Games
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-18 21:03 . 2012-04-20 03:04 283304 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
2012-08-18 21:03 . 2012-04-12 22:27 283304 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2012-08-18 21:02 . 2012-04-12 22:27 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2012-08-17 18:49 . 2012-04-08 02:44 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-17 18:49 . 2012-04-08 02:44 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-07-12 06:49 . 2012-04-08 03:31 59701280 ----a-w- c:\windows\system32\MRT.exe
2012-07-12 04:24 . 2012-07-12 04:24 98304 ----a-w- c:\windows\SysWow64\CmdLineExt.dll
2012-06-12 03:08 . 2012-07-12 06:50 3148800 ----a-w- c:\windows\system32\win32k.sys
2012-06-09 05:43 . 2012-07-12 03:59 14172672 ----a-w- c:\windows\system32\shell32.dll
2012-06-06 06:06 . 2012-07-12 03:59 2004480 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 06:06 . 2012-07-12 03:59 1881600 ----a-w- c:\windows\system32\msxml3.dll
2012-06-06 06:02 . 2012-07-12 03:59 1133568 ----a-w- c:\windows\system32\cdosys.dll
2012-06-06 05:05 . 2012-07-12 03:59 1390080 ----a-w- c:\windows\SysWow64\msxml6.dll
2012-06-06 05:05 . 2012-07-12 03:59 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll
2012-06-06 05:03 . 2012-07-12 03:59 805376 ----a-w- c:\windows\SysWow64\cdosys.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-09-02_16.33.11 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-07-14 04:54 . 2012-09-02 16:21 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-09-03 00:53 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-09-02 16:21 98304 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-09-03 00:53 98304 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-09-02 16:21 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-09-03 00:53 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-11-21 03:09 . 2012-09-03 00:55 41726 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-09-03 00:55 35948 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2012-04-08 02:06 . 2012-09-03 00:55 13278 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1137381350-4176824296-2993100912-1000_UserData.bin
+ 2012-04-08 06:28 . 2012-09-02 22:48 3032 c:\windows\system32\wdi\ERCQueuedResolutions.dat
- 2012-09-02 16:32 . 2012-09-02 16:32 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-09-03 00:53 . 2012-09-03 00:53 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-09-03 00:53 . 2012-09-03 00:53 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-09-02 16:32 . 2012-09-02 16:32 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 05:01 . 2012-09-02 16:31 236824 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-09-03 00:52 236824 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2012-04-08 03:12 . 2012-09-02 22:48 33814488 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1137381350-4176824296-2993100912-1000-12288.dat
- 2012-04-08 03:12 . 2012-09-02 16:14 33814488 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1137381350-4176824296-2993100912-1000-12288.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-11-06 283160]
"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-11-17 113288]
"BCU"="c:\program files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe" [2009-10-26 375000]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2010-01-19 43632]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-08-21 4282728]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [x]
R3 ALSysIO;ALSysIO;c:\users\Labatt\AppData\Local\Temp\ALSysIO64.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-09-01 114144]
R3 SaiH075C;SaiH075C;c:\windows\system32\DRIVERS\SaiH075C.sys [2007-05-01 171144]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-04-08 1255736]
S0 mv91xx;mv91xx;c:\windows\system32\DRIVERS\mv91xx.sys [2010-11-22 303408]
S1 AsUpIO;AsUpIO;SysWow64\drivers\AsUpIO.sys [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-07-27 63960]
S2 asComSvc;ASUS Com Service;c:\program files (x86)\ASUS\AXSP\1.00.13\atkexComSvc.exe [2010-11-03 918144]
S2 asHmComSvc;ASUS HM Com Service;c:\program files (x86)\ASUS\AAHM\1.00.13\aaHMSvc.exe [2010-12-02 915584]
S2 AsSysCtrlService;ASUS System Control Service;c:\program files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe [2010-10-21 586880]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-08-21 71600]
S2 BCUService;Browser Configuration Utility Service;c:\program files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe [2009-10-26 223464]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-11-06 13336]
S2 Intel PROSet Monitoring Service;Intel PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [2010-08-12 133800]
S3 e1cexpress;Intel® PRO/1000 PCI Express Network Connection Driver C;c:\windows\system32\DRIVERS\e1c62x64.sys [2010-09-21 313520]
S3 ICCWDT;Intel® Watchdog Timer Driver (Intel® WDT);c:\windows\system32\DRIVERS\ICCWDT.sys [2010-08-17 26136]
S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2010-10-19 56344]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2010-12-10 80384]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2010-12-10 181248]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2012-01-17 188224]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 23040]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1137381350-4176824296-2993100912-1000Core.job
- c:\users\Labatt\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-27 06:25]
.
2012-09-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1137381350-4176824296-2993100912-1000UA.job
- c:\users\Labatt\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-27 06:25]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3706EE7C-3CAD-445D-8A43-03EBC3B75908}]
c:\program files (x86)\Expat Shield\HssIE\ExpatIE_64.dll [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-08-21 09:11 133400 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-11-02 11545192]
"ProfilerU"="c:\program files\Saitek\SD6\Software\ProfilerU.exe" [2010-07-29 310272]
"SaiMfd"="c:\program files\Saitek\SD6\Software\SaiMfd.exe" [2010-07-29 158208]
"prtif"="c:\users\Labatt\AppData\Roaming\prtif.dll" [BU]
"tbspts"="c:\users\Labatt\AppData\Roaming\tbspts.dll" [BU]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 167.206.251.129 167.206.251.130
FF - ProfilePath - c:\users\Labatt\AppData\Roaming\Mozilla\Firefox\Profiles\g98ft6ym.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1137381350-4176824296-2993100912-1000\Software\SecuROM\License information*]
"datasecu"=hex:9d,97,b5,87,5f,9c,c7,89,aa,06,fb,7e,db,a7,df,ce,aa,c8,f2,4a,0c,
94,4c,d5,c0,50,f7,e4,f1,28,5d,f6,8b,df,cd,0e,ef,39,e7,97,20,4b,09,7b,d0,ba,\
"rkeysecu"=hex:4d,34,66,0d,91,07,54,55,c8,7b,f0,d2,9b,60,60,66
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\SysWOW64\PnkBstrA.exe
.
**************************************************************************
.
Completion time: 2012-09-02 20:59:50 - machine was rebooted
ComboFix-quarantined-files.txt 2012-09-03 00:59
.
Pre-Run: 628,517,527,552 bytes free
Post-Run: 628,424,839,168 bytes free
.
- - End Of File - - BC0FB942C03004840A37E2D9B16C64B4


MiniToolBox log:

MiniToolBox by Farbar Version: 23-07-2012
Ran by Labatt (administrator) on 02-09-2012 at 21:01:26
Microsoft Windows 7 Professional Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

========================= Hosts content: =================================

127.0.0.1 localhost


=========================== Installed Programs ============================

64 Bit HP CIO Components Installer (Version: 6.2.2)
Adobe AIR (Version: 1.5.0.7220)
Adobe Flash Player 11 ActiveX 64-bit (Version: 11.2.202.235)
Adobe Flash Player 11 Plugin (Version: 11.3.300.271)
Adobe Reader X (10.1.4) (Version: 10.1.4)
ARMA 2
ARMA 2: Operation Arrowhead
avast! Free Antivirus (Version: 7.0.1466.0)
Battlefield 3 (Version: 1.0.0.0)
Battlelog Web Plugins (Version: 1.122.0)
BattlEye for OA Uninstall
BattlEye Uninstall
BitTorrent (Version: 7.6.1)
Browser Configuration Utility (Version: 1.0.10.0)
Core Temp 1.0 RC3 (Version: 1.0)
Counter-Strike: Source
Driver Sweeper version 3.2.0 (Version: 3.2.0)
Empire: Total War
ESN Sonar (Version: 0.70.4)
EVGA OC Scanner X 2.0.1
EVGA Precision 2.0.2 (Version: 2.0.2)
EVGA Precision X 3.0.2 (Version: 3.0.2)
Garry's Mod
Google Chrome (Version: 21.0.1180.83)
HP Photosmart D110 All-In-One Driver 14.0 Rel. 7 (Version: 14.0)
Intel® Management Engine Components (Version: 7.0.0.1144)
Intel® Network Connections 15.6.25.0 (Version: 15.6.25.0)
Intel® Rapid Storage Technology (Version: 10.1.0.1008)
Intel Watchdog Timer Driver (Intel WDT)
Java™ 7 Update 4 (64-bit) (Version: 7.0.40)
Java™ 7 Update 4 (Version: 7.0.40)
JMicron JMB36X Driver (Version: 1.17.58.2)
Malwarebytes Anti-Malware version 1.62.0.1300 (Version: 1.62.0.1300)
marvell 91xx driver (Version: 1.0.0.1051)
Medieval II: Total War
Medieval II: Total War Kingdoms
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Camera Codec Pack (Version: 16.3.1483.0410)
Microsoft Flight Simulator X (Version: 10.0.60905)
Microsoft Silverlight (Version: 4.1.10329.0)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (Version: 9.0.21022)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319 (Version: 10.0.30319)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft Visual Studio 11 Developer Preview Pre-Clean Tool (Version: 11.0.50214)
Microsoft Visual Studio 11 Professional Beta (Version: 11.0.50214)
Microsoft WSE 3.0 Runtime (Version: 3.0.5305.0)
Mount & Blade: Warband
Mozilla Firefox 15.0 (x86 en-US) (Version: 15.0)
Mozilla Maintenance Service (Version: 15.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 4.0 SP2 Parser and SDK (Version: 4.20.9818.0)
Network64 (Version: 140.0.212.000)
NVIDIA 3D Vision Controller Driver 301.24 (Version: 301.24)
NVIDIA Control Panel 301.42 (Version: 301.42)
NVIDIA Graphics Driver 301.42 (Version: 301.42)
NVIDIA HD Audio Driver 1.3.12.0 (Version: 1.3.12.0)
NVIDIA Install Application (Version: 2.1002.75.420)
NVIDIA Stereoscopic 3D Driver (Version: 7.17.13.0124)
NVIDIA Update 1.8.12 (Version: 1.8.12)
NVIDIA Update Components (Version: 1.8.12)
Origin (Version: 8.5.2.23)
Port Royale 3
PS_AIO_07_D110_SW_Min (Version: 140.0.142.000)
PunkBuster Services (Version: 0.991)
Realtek High Definition Audio Driver (Version: 6.0.1.6235)
Renesas Electronics USB 3.0 Host Controller Driver (Version: 2.0.32.0)
Rome: Total War Gold Edition
Scan (Version: 140.0.77.000)
SCHTHACK PSOBB Compatibility Database
Sid Meier's Civilization V
Smart Technology Programming Software 7.0.2.7 (Version: 7.0.2.7)
Star Wars: The Old Republic (Version: 1.0.0.0)
Steam (Version: 1.0.0.0)
The Elder Scrolls V: Skyrim
Toolbox (Version: 140.0.424.000)
Total War: SHOGUN 2
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
VLC media player 2.0.1 (Version: 2.0.1)
WhoCrashed 3.04
WinRAR 4.11 (64-bit) (Version: 4.11.0)

**** End of log ****


FSS log:

Farbar Service Scanner Version: 06-08-2012
Ran by Labatt (administrator) on 02-09-2012 at 21:02:21
Running from "E:\"
Microsoft Windows 7 Professional Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============
BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of BITS. The value does not exist.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:06 PM

Posted 02 September 2012 - 08:24 PM

Your BITS registry key is missing, so we need to replace it or Windows Update won't work. Please download the attached registry fix and save it to your desktop.
Right-click it and choose Merge to merge it into your registry (then delete the file, as you won't need it again).



Now reboot the computer and check that Windows Update is working correctly.

Next


Please show hidden files and folders and see if you can navigate to these two files.

If so, please right-click and rename them by adding a .vir extension.

Let me know if you are successful.

To show hidden files and folders:

  • Close all programs so that you are at your desktop.
  • Open the Control Panel, switch to classic view, then click Folder Options.
  • After the new window appears select the View tab.
  • Put a checkmark in the checkbox labeled Display the contents of system folders.
  • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  • Remove the checkmark from the checkbox labeled Hide protected operating system files.
  • Press the Apply button and then the OK button and exit My Computer.
  • Now your computer is configured to show all hidden files.


c:\users\Labatt\AppData\Roaming\prtif.dll
c:\users\Labatt\AppData\Roaming\tbspts.dll

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
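The FSS log above flags the BITS service because its Start value is missing, and CatByte then asks whether two hidden DLLs under the user's roaming profile can be found. The following PowerShell script is an added example (not code from the thread, FSS, or CatByte) that performs those two checks from an elevated prompt: it reads the BITS service key the way the log reports it and looks for the two named files with hidden/system files included. The registry value names (Start, ImagePath, Parameters\ServiceDll) are the standard Windows service layout; the exact checks FSS performs are not on the page, so this is modelled on its output rather than a reimplementation. The rename step is left commented out so the script is read-only unless you enable it.

```powershell
# Added example: audit the BITS service key and look for the two hidden files.
# Assumes an elevated PowerShell session on the affected Windows 7 x64 machine.

$svcKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\BITS'
$paramKey = Join-Path $svcKey 'Parameters'

if (-not (Test-Path $svcKey)) {
    Write-Output "ATTENTION: $svcKey does not exist - the BITS service key is missing"
} else {
    $props = Get-ItemProperty -Path $svcKey
    # Start: 2 = Automatic, 3 = Manual, 4 = Disabled. A missing value is what FSS reported.
    if ($null -eq $props.Start) {
        Write-Output 'ATTENTION: BITS Start value does not exist'
    } else {
        Write-Output ('BITS Start type: {0}' -f $props.Start)
    }
    Write-Output ('BITS ImagePath: {0}' -f $props.ImagePath)
    if (Test-Path $paramKey) {
        $dll = (Get-ItemProperty -Path $paramKey).ServiceDll
        Write-Output ('BITS ServiceDll: {0}' -f $dll)
    } else {
        Write-Output 'ATTENTION: BITS Parameters key does not exist'
    }
}

# Is the service known to the Service Control Manager, and is it running?
$svc = Get-Service -Name BITS -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Output 'BITS service is not registered with the SCM'
} else {
    Write-Output ('BITS service status: {0}' -f $svc.Status)
}

# The two files CatByte named. $env:APPDATA resolves to the current user's
# AppData\Roaming folder (C:\Users\Labatt\AppData\Roaming when run as Labatt).
$suspects = @(
    (Join-Path $env:APPDATA 'prtif.dll'),
    (Join-Path $env:APPDATA 'tbspts.dll')
)
foreach ($f in $suspects) {
    # -Force returns hidden and system files that Explorer hides by default.
    $item = Get-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Output "Not found: $f"
    } else {
        Write-Output ('Found: {0}  {1} bytes  attributes={2}' -f $item.FullName, $item.Length, $item.Attributes)
        # Neutralise rather than delete, as asked above, so the file can still be examined:
        # Rename-Item -LiteralPath $f -NewName ($item.Name + '.vir')
    }
}
```

Run it before and after merging the registry fix: the "ATTENTION" lines should disappear and the service status should read Running once Windows Update has been exercised.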


#13 pastorel2

pastorel2
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:06 PM

Posted 02 September 2012 - 08:55 PM

I am unable to locate both files. Windows Update does seem to be functioning properly, though.

#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:06 PM

Posted 02 September 2012 - 09:03 PM

How is the computer running?

Are there any outstanding issues?

Please run the following:

Please download SystemLook from one of the links below and save it to your Desktop.
Link 1
Link 2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    *prtif*
    *tbspts*
    
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
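SystemLook's :filefind directive searches the disk for wildcard patterns and reports each hit with its attributes, size, timestamps and MD5 hash. The PowerShell function below is an added example, not SystemLook or any code from the thread, that does the same search from an elevated prompt so the result can be compared with what SystemLook returns. The function name, its parameters and the output layout are this example's own choices; the timestamp order (last-write, then creation) is labelled in a comment rather than assumed to match SystemLook's.

```powershell
# Added example: a stand-in for SystemLook's :filefind. Assumes an elevated
# prompt; works on PowerShell 2.0 and later (no Get-FileHash dependency).

function Find-FileByPattern {
    param(
        [string]   $Root     = 'C:\',
        [string[]] $Patterns = @('*prtif*', '*tbspts*')
    )
    $md5  = [System.Security.Cryptography.MD5]::Create()
    $line = '{0} {1} bytes [{2:HH:mm dd/MM/yyyy}] [{3:HH:mm dd/MM/yyyy}] {4}'

    foreach ($pattern in $Patterns) {
        Write-Output ('Searching for "{0}"' -f $pattern)
        # -Force includes hidden/system files; access-denied folders are skipped, not fatal.
        Get-ChildItem -Path $Root -Filter $pattern -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object {
                $stream = $null
                try {
                    $stream = [System.IO.File]::OpenRead($_.FullName)
                    $hash   = ([System.BitConverter]::ToString($md5.ComputeHash($stream))) -replace '-', ''
                } catch {
                    $hash = 'UNREADABLE'   # locked or access-denied file; still report the path
                } finally {
                    if ($stream) { $stream.Close() }
                }
                # Columns: full path, size, last-write time, creation time, MD5
                $line -f $_.FullName, $_.Length, $_.LastWriteTime, $_.CreationTime, $hash
            }
        Write-Output ''
    }
    $md5.Clear()
}

# Usage: same two patterns CatByte asked for, searched across C:\
Find-FileByPattern -Root 'C:\' -Patterns @('*prtif*', '*tbspts*')
```

Hits under C:\Qoobox\Quarantine are files that ComboFix has already moved into its quarantine folder (with a .vir extension) rather than live copies in the user's profile, which is the distinction that matters when reading the output.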


#15 pastorel2

pastorel2
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:06 PM

Posted 02 September 2012 - 09:30 PM

Computer seems to be running fine as of now, nothing out of the ordinary.

SystemLook Log:

SystemLook 30.07.11 by jpshortstuff
Log created at 22:24 on 02/09/2012 by Labatt
Administrator - Elevation successful

========== filefind ==========

Searching for "*prtif*"
C:\Qoobox\Quarantine\C\Users\Labatt\AppData\Roaming\prtif.dll.vir --a---- 1603584 bytes [03:30 01/09/2012] [03:30 01/09/2012] BA4BBE350E67563730898CD8D41EACBA
C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-prtif.reg.dat --a---- 80 bytes [16:38 02/09/2012] [16:38 02/09/2012] CFD9C5961316EF99F641BDDB62D9105A

Searching for "*tbspts*"
C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-tbspts.reg.dat --a---- 80 bytes [16:38 02/09/2012] [16:38 02/09/2012] CFD9C5961316EF99F641BDDB62D9105A

-= EOF =-



Edit:

No idea what Qoobox is

Edited by pastorel2, 02 September 2012 - 09:31 PM.




