
HELP! Computer runs sluggish / Graphical lag in games


  • This topic is locked
10 replies to this topic

#1 NovaCatalyst

NovaCatalyst

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:04 AM

Posted 04 September 2012 - 10:00 PM

Hello, my name is Nova

Just recently, between the days of September 1st-3rd, I have been noticing weird things happening to my computer, and on September 4th at about 3pm I started receiving warnings from Microsoft Security Essentials that there is a virus and to send information. I have made scans using Microsoft Security Essentials, Malwarebytes AntiMalware, and SUPERAntiSpyware; much malware and adware has been removed, and still the same. A friend suggested I system restore, but there is none that is far back enough. Need help please! p.s. not sure about any other additional information needed, and I might be forgetting something.


#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,260 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:04 AM

Posted 07 September 2012 - 08:15 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please follow the preparation Guide and post the logs for my review.
http://www.bleepingcomputer.com/forums/topic34773.html

#3 NovaCatalyst

NovaCatalyst
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:04 AM

Posted 07 September 2012 - 09:25 AM

Here is the requested log. I was unable to use GMER: it would not allow me to check what was in the guide, and it scanned anyway; nothing was found.


.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.5.1
Run by Nova at 7:09:13 on 2012-09-07
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8169.6305 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\ASUS\AXSP\1.00.13\atkexComSvc.exe
C:\Program Files (x86)\ASUS\AAHM\1.00.14\aaHMSvc.exe
C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe
C:\Windows\system32\IProsetMonitor.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\ASUS\AI Suite II\AsRoutineController.exe
C:\Program Files (x86)\ASUS\AI Suite II\DIGI+ VRM\VRMHelp.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
E:\Users\Nova\ProgramFiles\Office14\MSOSYNC.EXE
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files (x86)\LOLReplay\LOLRecorder.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\ASUS\AI Suite II\ASUS Mobilink\Simulator\AsShellProcess.exe
C:\Program Files (x86)\InstallShield Installation Information\{E6931688-DA2B-4E16-8539-3D323D69C677}\AiChargerPlus.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
E:\Users\Nova\ProgramFiles\SetPointG\SetPointII.exe
C:\Users\Nova\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\ASUS\AI Suite II\ASUS Mobilink\iPhone Simulator\pnSvc.exe
C:\Program Files (x86)\ASUS\AI Suite II\TurboV EVO\TurboVHelp.exe
C:\Users\Nova\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\ASUS\AI Suite II\EPU\EPUHelp.exe
C:\Program Files (x86)\ASUS\AI Suite II\AI Suite II.exe
C:\Program Files (x86)\ASUS\AI Suite II\Sensor\AlertHelper\AlertHelper.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Users\Nova\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Windows\system32\sppsvc.exe
C:\Users\Nova\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Nova\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\ProgramData\NVIDIA\Updatus\Packages\00000553\drsupdate.13143727_RUNASUSER.exe
C:\Windows\SysWOW64\cscript.exe
C:\Program Files\NVIDIA Corporation\DRS\dbInstaller.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.babylon.com/?affID=110795&tt=3612_6&babsrc=HP_ss&mntrId=24c64885000000000000f46d04484db9
uURLSearchHooks: H - No File
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - E:\Users\Nova\PROGRA~1\Office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - E:\Users\Nova\PROGRA~1\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
uRun: [Google Update] "C:\Users\Nova\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
uRun: [OfficeSyncProcess] "E:\Users\Nova\ProgramFiles\Office14\MSOSYNC.EXE"
uRun: [JavaSoft] C:\Users\Nova\AppData\Roaming\DA7B94.exe
uRun: [pcscd] "C:\Windows\System32\rundll32.exe" "C:\Users\Nova\AppData\Roaming\pcscd.dll",get_color_type
uRun: [uigmsb] "C:\Windows\System32\rundll32.exe" "C:\Users\Nova\AppData\Roaming\uigmsb.dll",TypeError
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [ASUS ShellProcess Execute] C:\Program Files (x86)\ASUS\AI Suite II\ASUS Mobilink\Simulator\AsShellProcess.exe
mRun: [ASUS AiChargerPlus Execute] C:\Program Files (x86)\InstallShield Installation Information\{E6931688-DA2B-4E16-8539-3D323D69C677}\AiChargerPlus.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [BCSSync] "E:\Users\Nova\ProgramFiles\Office14\BCSSync.exe" /DelayServices
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
StartupFolder: C:\Users\Nova\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\LOGITE~1.LNK - C:\Program Files (x86)\Common Files\LogiShrd\eReg\SetPoint\eReg.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\LOLREC~1.LNK - C:\Program Files (x86)\LOLReplay\LOLRecorder.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - E:\Users\Nova\PROGRA~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - E:\Users\Nova\PROGRA~1\Office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - E:\Users\Nova\ProgramFiles\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - E:\Users\Nova\ProgramFiles\Office14\ONBttnIELinkedNotes.dll
DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.5.1.0.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{5044CF15-50DD-4B02-A035-FAFBC240B2F2} : DhcpNameServer = 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - E:\Users\Nova\PROGRA~1\Office14\GROOVEEX.DLL
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - E:\Users\Nova\PROGRA~1\Office14\GROOVEEX.DLL
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - E:\Users\Nova\PROGRA~1\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [ASUS ShellProcess Execute] C:\Program Files (x86)\ASUS\AI Suite II\ASUS Mobilink\Simulator\AsShellProcess.exe
mRun-x64: [ASUS AiChargerPlus Execute] C:\Program Files (x86)\InstallShield Installation Information\{E6931688-DA2B-4E16-8539-3D323D69C677}\AiChargerPlus.exe
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [BCSSync] "E:\Users\Nova\ProgramFiles\Office14\BCSSync.exe" /DelayServices
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - E:\Users\Nova\PROGRA~1\Office14\GROOVEEX.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 AiChargerPlus;ASUS Charger Plus Driver;C:\Windows\system32\DRIVERS\AiChargerPlus.sys --> C:\Windows\system32\DRIVERS\AiChargerPlus.sys [?]
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R0 mv91xx;mv91xx;C:\Windows\system32\DRIVERS\mv91xx.sys --> C:\Windows\system32\DRIVERS\mv91xx.sys [?]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-8-11 140672]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-7-27 63960]
R2 asComSvc;ASUS Com Service;C:\Program Files (x86)\ASUS\AXSP\1.00.13\atkexComSvc.exe [2010-11-3 918144]
R2 asHmComSvc;ASUS HM Com Service;C:\Program Files (x86)\ASUS\AAHM\1.00.14\aaHMSvc.exe [2010-12-1 915584]
R2 AsSysCtrlService;ASUS System Control Service;C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe [2012-2-14 586880]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2012-2-13 13336]
R2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;C:\Windows\system32\IProsetMonitor.exe --> C:\Windows\system32\IProsetMonitor.exe [?]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-2-13 1262400]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-5-15 382272]
R3 e1cexpress;Intel® PRO/1000 PCI Express Network Connection Driver C;C:\Windows\system32\DRIVERS\e1c62x64.sys --> C:\Windows\system32\DRIVERS\e1c62x64.sys [?]
R3 ICCWDT;Intel® Watchdog Timer Driver (Intel® WDT);C:\Windows\system32\DRIVERS\ICCWDT.sys --> C:\Windows\system32\DRIVERS\ICCWDT.sys [?]
R3 MEIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-6-7 160944]
S3 asmthub3;ASMedia USB3 Hub Service;C:\Windows\system32\DRIVERS\asmthub3.sys --> C:\Windows\system32\DRIVERS\asmthub3.sys [?]
S3 asmtxhci;ASMEDIA XHCI Service;C:\Windows\system32\DRIVERS\asmtxhci.sys --> C:\Windows\system32\DRIVERS\asmtxhci.sys [?]
S3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;\??\C:\Windows\system32\drivers\BVRPMPR5a64.SYS --> C:\Windows\system32\drivers\BVRPMPR5a64.SYS [?]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;E:\Users\Nova\ProgramFiles\Office14\GROOVE.EXE [2011-6-12 31125880]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-3-26 291696]
S3 npggsvc;nProtect GameGuard Service;C:\Windows\system32\GameMon.des -service --> C:\Windows\system32\GameMon.des -service [?]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-09-05 21:13:15 -------- d-----w- C:\Windows\pss
2012-09-05 20:10:22 9310152 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{94C17C32-66EE-4BEE-B75F-CB56DF7A57D7}\mpengine.dll
2012-09-05 04:30:27 7387496 ----a-w- C:\Windows\System32\nvopencl.dll
2012-09-05 04:30:27 6100328 ----a-w- C:\Windows\SysWow64\nvopencl.dll
2012-09-04 23:25:25 9310152 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-09-04 21:27:40 379904 ----a-w- C:\Users\Nova\AppData\Roaming\pcscd.dll
2012-09-04 21:27:24 649728 ----a-w- C:\Users\Nova\AppData\Roaming\uigmsb.dll
2012-09-04 06:11:28 -------- d-----w- C:\Users\Nova\AppData\Roaming\Babylon
2012-09-04 06:11:28 -------- d-----w- C:\ProgramData\Babylon
2012-08-30 13:39:34 -------- d-----w- C:\Windows\3F5C371F8EA24F259D3DD0B4526E3AEA.TMP
2012-08-30 13:38:48 3130440 ----a-w- C:\Windows\SysWow64\pbsvc_blr.exe
2012-08-30 02:56:19 -------- d-----w- C:\Users\Nova\AppData\Local\Apple Computer
2012-08-30 02:56:18 34152 ----a-w- C:\Windows\System32\drivers\GEARAspiWDM.sys
2012-08-30 02:56:18 126312 ----a-w- C:\Windows\System32\GEARAspi64.dll
2012-08-30 02:56:18 107368 ----a-w- C:\Windows\SysWow64\GEARAspi.dll
2012-08-30 02:56:05 -------- d-----w- C:\ProgramData\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
2012-08-30 02:56:05 -------- d-----w- C:\Program Files\iTunes
2012-08-30 02:56:05 -------- d-----w- C:\Program Files\iPod
2012-08-30 02:56:05 -------- d-----w- C:\Program Files (x86)\iTunes
2012-08-30 02:55:16 -------- d-----w- C:\Users\Nova\AppData\Local\Apple
2012-08-28 20:47:31 -------- d-----w- C:\Program Files (x86)\Dotjosh Studios
2012-08-26 01:41:50 2368832 ----a-w- C:\Windows\SysWow64\nvapi.dll
2012-08-26 01:41:50 1482600 ----a-w- C:\Windows\System32\nvdispgenco64.dll
2012-08-17 00:41:54 -------- d-----w- C:\Users\Nova\AppData\Roaming\.Nitrous
2012-08-16 01:33:53 -------- d--h--w- C:\Users\Nova\AppData\Local\CRE
2012-08-16 01:33:49 -------- d--h--w- C:\Users\Nova\AppData\Local\Conduit
2012-08-16 01:33:49 -------- d-----w- C:\Program Files (x86)\Conduit
2012-08-14 22:14:29 751104 ----a-w- C:\Windows\System32\win32spl.dll
2012-08-14 22:14:29 67072 ----a-w- C:\Windows\splwow64.exe
2012-08-14 22:14:29 559104 ----a-w- C:\Windows\System32\spoolsv.exe
2012-08-14 22:14:29 492032 ----a-w- C:\Windows\SysWow64\win32spl.dll
2012-08-14 20:43:14 503808 ----a-w- C:\Windows\System32\srcore.dll
2012-08-14 20:43:14 43008 ----a-w- C:\Windows\SysWow64\srclient.dll
2012-08-14 20:43:09 59392 ----a-w- C:\Windows\System32\browcli.dll
2012-08-14 20:43:09 41984 ----a-w- C:\Windows\SysWow64\browcli.dll
2012-08-14 20:43:09 136704 ----a-w- C:\Windows\System32\browser.dll
2012-08-14 20:43:07 3148800 ----a-w- C:\Windows\System32\win32k.sys
2012-08-14 20:43:05 956928 ----a-w- C:\Windows\System32\localspl.dll
2012-08-14 03:18:55 -------- d-----w- C:\Users\Nova\AppData\Local\SplitMediaLabs
2012-08-14 03:18:39 -------- d-----w- C:\ProgramData\SplitMediaLabs
2012-08-14 03:18:39 -------- d-----w- C:\Program Files (x86)\SplitMediaLabs
2012-08-14 03:17:50 -------- d-----w- C:\Users\Nova\AppData\Roaming\SplitMediaLabs
.
==================== Find3M ====================
.
2012-09-02 03:25:07 283032 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
2012-09-02 03:25:07 283032 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2012-09-02 03:23:25 298016 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
2012-08-31 00:50:36 76888 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe
2012-08-16 02:35:24 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-16 02:35:24 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-08-04 00:29:53 627600 ----a-w- C:\Windows\System32\deployJava1.dll
2012-07-03 20:46:44 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-06-29 03:56:34 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2012-06-29 03:49:11 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-06-29 03:48:07 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-06-29 03:43:49 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-06-29 03:39:48 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-06-29 03:37:00 60776 ----a-w- C:\Windows\System32\OpenCL.dll
2012-06-29 03:37:00 52584 ----a-w- C:\Windows\SysWow64\OpenCL.dll
2012-06-29 00:16:58 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-06-29 00:09:01 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-06-29 00:08:59 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-06-29 00:04:43 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-06-29 00:00:45 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-06-11 18:17:46 71680 ----a-w- C:\Windows\System32\frapsv64.dll
2012-06-11 18:17:42 65536 ----a-w- C:\Windows\SysWow64\frapsvid.dll
.
============= FINISH: 7:09:24.64 ===============
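Added example, not part of this thread or of the DDS/BleepingComputer tooling: a small Python triage script that parses the uRun/mRun lines from the Pseudo HJT Report above and flags entries that launch code from user-writable directories or load a DLL through rundll32.exe. The directory list, the hex-name heuristic and the Entry/reason names are my own assumptions; the sample lines are copied from the log.

```python
"""Triage autorun lines from a DDS 'Pseudo HJT Report'.

Flags Run-key entries that launch code from user-writable locations
(the pattern in the log above: AppData\Roaming payloads, one with a
random hex name, and DLLs loaded through rundll32.exe).
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the uRun/mRun lines from the DDS log posted in this thread.
SAMPLE_LOG = r"""
uRun: [Google Update] "C:\Users\Nova\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
uRun: [JavaSoft] C:\Users\Nova\AppData\Roaming\DA7B94.exe
uRun: [pcscd] "C:\Windows\System32\rundll32.exe" "C:\Users\Nova\AppData\Roaming\pcscd.dll",get_color_type
uRun: [uigmsb] "C:\Windows\System32\rundll32.exe" "C:\Users\Nova\AppData\Roaming\uigmsb.dll",TypeError
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
"""

RUN_LINE = re.compile(r"^(?P<hive>[um])Run(?:-x64)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Directories any standard user can write to (assumed list); legitimate
# software rarely keeps its autorun binary directly in Roaming or Temp.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\")
HEX_NAME = re.compile(r"^[0-9a-f]{5,}\.(exe|dll)$", re.I)


@dataclass
class Entry:
    hive: str
    name: str
    image: str            # executable that the Run value launches
    loaded_dll: str = ""  # DLL argument when the image is rundll32.exe
    export: str = ""      # export name passed to rundll32
    reasons: list = field(default_factory=list)


def _first_path(cmd):
    """Return the first executable/DLL path in a command string and the remainder."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = re.search(r"\.(exe|dll)\b", cmd, re.I)  # unquoted paths may contain spaces
    cut = m.end() if m else len(cmd)
    return cmd[:cut], cmd[cut:].strip()


def parse_entry(line):
    """Parse one uRun/mRun line into an Entry, or return None for other lines."""
    m = RUN_LINE.match(line.strip())
    if not m:
        return None
    image, rest = _first_path(m.group("cmd"))
    entry = Entry(m.group("hive"), m.group("name"), image)
    if image.lower().endswith("\\rundll32.exe") and rest:
        dll, tail = _first_path(rest)          # rundll32 "<dll>",<export>
        entry.loaded_dll = dll
        entry.export = (tail[1:].split() or [""])[0] if tail.startswith(",") else ""
    return entry


def assess(entry):
    """Attach the reasons this entry deserves analyst attention."""
    for path, what in ((entry.image, "image"), (entry.loaded_dll, "dll")):
        if not path:
            continue
        low = path.lower()
        if any(d in low for d in USER_WRITABLE):
            entry.reasons.append(f"{what} in user-writable directory: {path}")
        if HEX_NAME.match(path.rsplit("\\", 1)[-1]):
            entry.reasons.append(f"{what} has a random-looking hex name: {path}")
    if entry.loaded_dll and entry.reasons:
        entry.reasons.append(
            f"rundll32 proxy execution of {entry.loaded_dll}!{entry.export or '?'}"
        )
    return entry


def triage(log_text):
    """Parse every Run-key line and return only the entries that have findings."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry and assess(entry).reasons:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"[{e.hive}Run] {e.name}")
        for r in e.reasons:
            print("   -", r)
```

On the sample it reports only JavaSoft, pcscd and uigmsb, the three Roaming entries, and leaves the vendor autoruns alone.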


#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,260 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:04 AM

Posted 07 September 2012 - 12:24 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • alternate download link 2
    • Make sure you are connected to the Internet.
    • Double-click on Download_mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Post back with the Malwarebytes Anti-Malware log once it's complete.

===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall.


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html


Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Third-party programs, if not up to date, can be the cause of infiltration by an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.

Please post the logs for my review and let me know what problem persists.

#5 NovaCatalyst

NovaCatalyst
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:04 AM

Posted 07 September 2012 - 02:27 PM

Here:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.09.07.10

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Nova :: XCUTION-PC [administrator]

9/7/2012 10:41:33 AM
mbam-log-2012-09-07 (10-41-33).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 214992
Time elapsed: 52 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



ComboFix 12-09-07.03 - Nova 09/07/2012 10:54:55.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8169.6603 [GMT -7:00]
Running from: c:\users\Nova\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\1329197696.bdinstall.bin
c:\programdata\1331693397.bdinstall.bin
c:\programdata\1331742685.bdinstall.bin
c:\programdata\1334510590.bdinstall.bin
c:\users\Nova\AppData\Roaming\pcscd.dll
c:\users\Nova\AppData\Roaming\uigmsb.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-08-07 to 2012-09-07 )))))))))))))))))))))))))))))))
.
.
2012-09-07 17:40 . 2012-09-07 17:40 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-09-07 17:40 . 2012-07-03 20:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-07 14:16 . 2012-08-23 08:26 9310152 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{FEB50088-7397-40D7-A4E2-7BDD8682D32C}\mpengine.dll
2012-09-05 20:10 . 2012-08-23 08:26 9310152 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-09-05 04:30 . 2012-08-22 13:46 7387496 ----a-w- c:\windows\system32\nvopencl.dll
2012-09-05 04:30 . 2012-08-22 13:46 6100328 ----a-w- c:\windows\SysWow64\nvopencl.dll
2012-09-04 06:11 . 2012-09-04 06:11 304 ----a-w- C:\user.js
2012-09-04 06:11 . 2012-09-04 06:11 -------- d-----w- c:\users\Nova\AppData\Roaming\Babylon
2012-09-04 06:11 . 2012-09-04 06:11 -------- d-----w- c:\programdata\Babylon
2012-08-30 13:39 . 2012-08-30 13:39 -------- d-----w- c:\windows\3F5C371F8EA24F259D3DD0B4526E3AEA.TMP
2012-08-30 13:38 . 2011-12-19 22:16 3130440 ----a-w- c:\windows\SysWow64\pbsvc_blr.exe
2012-08-30 02:56 . 2012-08-30 14:04 -------- d-----w- c:\users\Nova\AppData\Roaming\Apple Computer
2012-08-30 02:56 . 2012-08-30 02:56 -------- d-----w- c:\users\Nova\AppData\Local\Apple Computer
2012-08-30 02:55 . 2012-08-30 02:55 -------- d-----w- c:\programdata\Apple
2012-08-28 20:47 . 2012-08-28 20:47 -------- d-----w- c:\program files (x86)\Dotjosh Studios
2012-08-26 01:41 . 2012-08-22 13:46 1482600 ----a-w- c:\windows\system32\nvdispgenco64.dll
2012-08-26 01:41 . 2012-05-15 10:48 2368832 ----a-w- c:\windows\SysWow64\nvapi.dll
2012-08-17 00:41 . 2012-08-17 00:41 -------- d-----w- c:\users\Nova\AppData\Roaming\.Nitrous
2012-08-16 01:33 . 2012-08-16 01:33 -------- d--h--w- c:\users\Nova\AppData\Local\CRE
2012-08-16 01:33 . 2012-08-16 02:32 -------- d--h--w- c:\users\Nova\AppData\Local\Conduit
2012-08-16 01:33 . 2012-08-16 01:33 -------- d-----w- c:\program files (x86)\Conduit
2012-08-14 22:14 . 2012-02-11 06:43 751104 ----a-w- c:\windows\system32\win32spl.dll
2012-08-14 22:14 . 2012-02-11 06:36 559104 ----a-w- c:\windows\system32\spoolsv.exe
2012-08-14 22:14 . 2012-02-11 06:36 67072 ----a-w- c:\windows\splwow64.exe
2012-08-14 22:14 . 2012-02-11 05:43 492032 ----a-w- c:\windows\SysWow64\win32spl.dll
2012-08-14 20:43 . 2012-05-05 08:36 503808 ----a-w- c:\windows\system32\srcore.dll
2012-08-14 20:43 . 2012-05-05 07:46 43008 ----a-w- c:\windows\SysWow64\srclient.dll
2012-08-14 20:43 . 2012-07-04 22:16 73216 ----a-w- c:\windows\system32\netapi32.dll
2012-08-14 20:43 . 2012-07-04 22:13 59392 ----a-w- c:\windows\system32\browcli.dll
2012-08-14 20:43 . 2012-07-04 22:13 136704 ----a-w- c:\windows\system32\browser.dll
2012-08-14 20:43 . 2012-07-04 21:14 41984 ----a-w- c:\windows\SysWow64\browcli.dll
2012-08-14 20:43 . 2012-07-18 18:15 3148800 ----a-w- c:\windows\system32\win32k.sys
2012-08-14 20:43 . 2012-05-14 05:26 956928 ----a-w- c:\windows\system32\localspl.dll
2012-08-14 03:18 . 2012-08-14 03:18 -------- d-----w- c:\users\Nova\AppData\Local\SplitMediaLabs
2012-08-14 03:18 . 2012-08-14 03:18 -------- d-----w- c:\programdata\SplitMediaLabs
2012-08-14 03:18 . 2012-08-14 03:18 -------- d-----w- c:\program files (x86)\SplitMediaLabs
2012-08-14 03:17 . 2012-08-14 03:17 -------- d-----w- c:\users\Nova\AppData\Roaming\SplitMediaLabs
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-02 03:25 . 2012-02-15 05:00 283032 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
2012-09-02 03:25 . 2012-02-15 04:59 283032 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2012-09-02 03:23 . 2012-02-15 04:59 298016 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2012-08-31 00:50 . 2012-02-15 04:58 76888 ----a-w- c:\windows\SysWow64\PnkBstrA.exe
2012-08-16 02:35 . 2012-03-30 19:33 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-16 02:35 . 2012-02-14 07:16 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-15 06:12 . 2012-02-17 02:40 62134624 ----a-w- c:\windows\system32\MRT.exe
2012-08-04 00:29 . 2012-02-14 06:53 627600 ----a-w- c:\windows\system32\deployJava1.dll
2012-08-04 00:29 . 2012-02-14 06:53 252296 ----a-w- c:\windows\system32\javaws.exe
2012-08-04 00:29 . 2012-02-14 06:53 188808 ----a-w- c:\windows\system32\javaw.exe
2012-08-04 00:29 . 2012-02-14 06:53 188808 ----a-w- c:\windows\system32\java.exe
2012-06-29 03:37 . 2012-03-15 21:25 60776 ----a-w- c:\windows\system32\OpenCL.dll
2012-06-29 03:37 . 2012-03-15 21:25 52584 ----a-w- c:\windows\SysWow64\OpenCL.dll
2012-06-11 18:17 . 2012-06-11 18:17 71680 ----a-w- c:\windows\system32\frapsv64.dll
2012-06-11 18:17 . 2012-06-11 18:17 65536 ----a-w- c:\windows\SysWow64\frapsvid.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-07-13 17418928]
"OfficeSyncProcess"="e:\users\Nova\ProgramFiles\Office14\MSOSYNC.EXE" [2012-01-21 719672]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-11-06 283160]
"ASUS ShellProcess Execute"="c:\program files (x86)\ASUS\AI Suite II\ASUS Mobilink\Simulator\AsShellProcess.exe" [2010-09-28 252544]
"ASUS AiChargerPlus Execute"="c:\program files (x86)\InstallShield Installation Information\{E6931688-DA2B-4E16-8539-3D323D69C677}\AiChargerPlus.exe" [2010-11-08 465536]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"BCSSync"="e:\users\Nova\ProgramFiles\Office14\BCSSync.exe" [2010-03-13 91520]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-06-08 421776]
.
c:\users\Nova\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech . Product Registration.lnk - c:\program files (x86)\Common Files\LogiShrd\eReg\SetPoint\eReg.exe [2009-11-16 517384]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
LOLRecorder.lnk - c:\program files (x86)\LOLReplay\LOLRecorder.exe [2012-7-12 517120]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-11-06 13336]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-05-15 1262400]
R3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\DRIVERS\asmthub3.sys [2010-12-09 122856]
R3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\DRIVERS\asmtxhci.sys [2010-12-09 369640]
R3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;c:\windows\system32\drivers\BVRPMPR5a64.SYS [2011-04-08 35840]
R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;e:\users\Nova\ProgramFiles\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 98688]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-27 291696]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [x]
R3 OSFMount;OSFMount;c:\program files\OSForensics\OSFMount64\OSFMount.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-02-17 1255736]
R3 X6va005;X6va005;c:\users\Nova\AppData\Local\Temp\005999C.tmp [x]
S0 AiChargerPlus;ASUS Charger Plus Driver;c:\windows\system32\DRIVERS\AiChargerPlus.sys [2010-11-08 14464]
S0 mv91xx;mv91xx;c:\windows\system32\DRIVERS\mv91xx.sys [2010-11-22 303408]
S1 AsUpIO;AsUpIO;SysWow64\drivers\AsUpIO.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-07-27 63960]
S2 asComSvc;ASUS Com Service;c:\program files (x86)\ASUS\AXSP\1.00.13\atkexComSvc.exe [2010-11-03 918144]
S2 asHmComSvc;ASUS HM Com Service;c:\program files (x86)\ASUS\AAHM\1.00.14\aaHMSvc.exe [2010-12-02 915584]
S2 AsSysCtrlService;ASUS System Control Service;c:\program files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe [2010-10-21 586880]
S2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [2010-08-12 133800]
S2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-06-08 160944]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-05-15 382272]
S3 e1cexpress;Intel® PRO/1000 PCI Express Network Connection Driver C;c:\windows\system32\DRIVERS\e1c62x64.sys [2010-09-21 313520]
S3 ICCWDT;Intel® Watchdog Timer Driver (Intel® WDT);c:\windows\system32\DRIVERS\ICCWDT.sys [2010-08-17 26136]
S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2010-10-20 56344]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2012-04-18 188736]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3725980145-2262299888-3775156013-1000Core.job
- c:\users\Nova\AppData\Local\Google\Update\GoogleUpdate.exe [2012-02-14 19:00]
.
2012-09-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3725980145-2262299888-3775156013-1000UA.job
- c:\users\Nova\AppData\Local\Google\Update\GoogleUpdate.exe [2012-02-14 19:00]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-11-02 11545192]
"EvtMgr6"="e:\users\Nova\ProgramFiles\SetPointP\SetPoint.exe" [2011-10-07 1744152]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-08-10 1873256]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-27 1271168]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://search.babylon.com/?affID=110795&tt=3612_6&babsrc=HP_ss&mntrId=24c64885000000000000f46d04484db9
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - e:\users\Nova\PROGRA~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - e:\users\Nova\PROGRA~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{b6ac5e3c-5ceb-4e72-b451-f0e1ba983c14} - (no file)
Wow6432Node-HKCU-Run-JavaSoft - c:\users\Nova\AppData\Roaming\DA7B94.exe
Wow6432Node-HKCU-Run-pcscd - c:\users\Nova\AppData\Roaming\pcscd.dll
Wow6432Node-HKCU-Run-uigmsb - c:\users\Nova\AppData\Roaming\uigmsb.dll
AddRemove-PunkBusterSvc - c:\windows\system32\pbsvc_blr.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\X6va005]
"ImagePath"="\??\c:\users\Nova\AppData\Local\Temp\005999C.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\SysWOW64\PnkBstrA.exe
c:\program files (x86)\ASUS\AI Suite II\AsRoutineController.exe
c:\program files (x86)\ASUS\AI Suite II\DIGI+ VRM\VRMHelp.exe
.
**************************************************************************
.
Completion time: 2012-09-07 10:58:32 - machine was rebooted
ComboFix-quarantined-files.txt 2012-09-07 17:58
.
Pre-Run: 12,777,619,456 bytes free
Post-Run: 12,086,898,688 bytes free
.
- - End Of File - - 58E0978D489CC539D78252A159417B28





Results of screen317's Security Check version 0.99.50
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
Microsoft Security Essentials
(On Access scanning disabled!)
Error obtaining update status for antivirus!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.62.0.1300
JavaFX 2.1.1
Java™ 7 Update 5
Java version out of Date!
Adobe Flash Player 11.3.300.265 Flash Player out of Date!
Adobe Reader X (10.1.4)
Google Chrome 21.0.1180.83
Google Chrome 21.0.1180.89
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
Malwarebytes Anti-Malware mbam.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 15% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````






# AdwCleaner v2.000 - Logfile created 09/07/2012 at 12:24:33
# Updated 30/08/2012 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Nova - XCUTION-PC
# Boot Mode : Normal
# Running from : C:\Users\Nova\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

File Found : C:\user.js
Folder Found : C:\Program Files (x86)\Conduit
Folder Found : C:\ProgramData\Babylon
Folder Found : C:\Users\Nova\AppData\Local\Conduit
Folder Found : C:\Users\Nova\AppData\LocalLow\Conduit
Folder Found : C:\Users\Nova\AppData\Roaming\Babylon

***** [Registry] *****

Key Found : HKCU\Software\AppDataLow\Software\SmartBar
Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
Key Found : HKLM\Software\Babylon
Key Found : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Found : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Found : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
Key Found : HKLM\Software\Conduit
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Found : HKU\S-1-5-21-3725980145-2262299888-3775156013-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://search.babylon.com/?affID=110795&tt=3612_6&babsrc=HP_ss&mntrId=24c64885000000000000f46d04484db9

-\\ Google Chrome v21.0.1180.89

File : C:\Users\Nova\AppData\Local\Google\Chrome\User Data\Default\Preferences

Found [l.13] : homepage = "hxxp://search.conduit.com/?ctid=CT3225826&SearchSource=48",
Found [l.1358] : homepage = "hxxp://search.conduit.com/?ctid=CT3225826&SearchSource=48",

*************************

AdwCleaner[R1].txt - [2073 octets] - [07/09/2012 12:24:33]

########## EOF - C:\AdwCleaner[R1].txt - [2133 octets] ##########

#6 NovaCatalyst

NovaCatalyst
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:04 AM

Posted 07 September 2012 - 08:45 PM

Everything seems fine thus far; what further steps do I need to take in order to finish this process and make sure that I am safe and secure? EDIT: Negative on this reply. Microsoft Security Essentials is detecting Trojan:Win32/Sirefef.P, Exploit:Java/CVE-2012-4681.CK, Exploit:Java/CVE-2012-4681.CJ. I am sure there is still other undetected malware as well, and as I restarted my computer it started showing symptoms all over again.

Edited by NovaCatalyst, 07 September 2012 - 10:08 PM.


#7 nasdaq

nasdaq

  • Malware Response Team
  • 39,260 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:04 AM

Posted 08 September 2012 - 07:41 AM

Open notepad and copy/paste the text in the quote box below into it:

Driver::
X6va005
npggsvc

ClearJavaCache::



Save this as CFScript.txt on your desktop.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

===

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

If present, remove the old version(s) of Java using the Add/Remove Programs applet.


Java™ 7 Update 5


===

Critical vulnerabilities have been identified in Adobe Flash Player v11.3.300.264 and earlier versions... being exploited in the wild in active targeted attacks...

Get the latest Flash Player

On the top of the page you will be given an opportunity to download the version for your operating system.
Make sure you select appropriate version.

You will also have an option to install the Free! McAfee Security Scan Plus. Un-check the box if you are NOT using McAfee's virus protection software.

For the users of Internet Explorer download version 11.
Flash Player 11 (64 bit)
Flash Player 11 (32 bit)
===

Remove the AdWare, PUP (Potentially Unwanted Program) found.

  • Please close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with OK.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.
===

If Microsoft Security Essentials is still detecting malware, can you post the exact message?
I need to know which file is carrying the infection, if any.
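
As an added illustration of the triage behind the Driver:: section above (this is an editor's example, not part of the thread, of ComboFix, or of nasdaq's procedure), the following Python script parses service and driver lines in the format ComboFix prints under "Reg Loading Points" and flags entries whose image file sits in a Temp directory, carries an extension other than .sys/.exe/.dll, or is marked [x], which is read here as "file not found on disk". The sample lines are constructed from the log posted earlier in this thread; the rules, the verdict names and the decision to treat an [x] orphan alone as "review" rather than "remove" are this editor's assumptions, since legitimate leftovers (OSFMount and AsUpIO here) show up as orphans too. The script ends by emitting a Driver:: block for the remove candidates, which for this sample are exactly the two entries nasdaq scripted.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample (not a real capture): service/driver lines in the layout
# ComboFix uses, modelled on the log quoted earlier in this thread.
SAMPLE_LOG = """\
R3 NisDrv;Microsoft Network Inspection System;c:\\windows\\system32\\DRIVERS\\NisDrvWFP.sys [2012-03-21 98688]
R3 npggsvc;nProtect GameGuard Service;c:\\windows\\system32\\GameMon.des [x]
R3 OSFMount;OSFMount;c:\\program files\\OSForensics\\OSFMount64\\OSFMount.sys [x]
R3 X6va005;X6va005;c:\\users\\Nova\\AppData\\Local\\Temp\\005999C.tmp [x]
S1 AsUpIO;AsUpIO;SysWow64\\drivers\\AsUpIO.sys [x]
S2 SkypeUpdate;Skype Updater;c:\\program files (x86)\\Skype\\Updater\\Updater.exe [2012-06-08 160944]
"""

# <start> <service name>;<display name>;<image path> [<date size> | x]
SERVICE_LINE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<tag>[^\]]*)\]\s*$"
)

# Extensions a service or driver image is normally expected to have (assumption).
EXPECTED_EXT = {".sys", ".exe", ".dll"}


@dataclass
class ServiceEntry:
    state: str    # R2/R3 running, S0-S3 stopped (ComboFix's start-state column)
    name: str     # registry service name
    display: str  # display name
    path: str     # image path as printed
    tag: str      # "x" when ComboFix could not find the file, else date and size


def parse_services(log_text):
    """Return the ServiceEntry objects for every service/driver line in the text."""
    entries = []
    for line in log_text.splitlines():
        m = SERVICE_LINE.match(line.strip())
        if m:
            entries.append(ServiceEntry(**m.groupdict()))
    return entries


def triage(entry):
    """Classify one entry; returns (verdict, reasons).

    Verdicts (editor's assumption, not a ComboFix concept):
      remove-candidate  image in a Temp folder or with an unusual extension
      review            only the image file is missing; a human should decide
      ok                nothing matched
    """
    low = entry.path.lower()
    in_temp = "\\temp\\" in low
    odd_ext = PureWindowsPath(entry.path).suffix.lower() not in EXPECTED_EXT
    missing = entry.tag == "x"

    reasons = []
    if in_temp:
        reasons.append("image lives in a temp directory")
    if odd_ext:
        reasons.append("unusual image extension")
    if missing:
        reasons.append("image file not found on disk")

    if in_temp or odd_ext:
        verdict = "remove-candidate"
    elif missing:
        verdict = "review"
    else:
        verdict = "ok"
    return verdict, reasons


def driver_block(entries):
    """Build a CFScript 'Driver::' section listing the remove candidates, in log order."""
    names = [e.name for e in entries if triage(e)[0] == "remove-candidate"]
    if not names:
        return ""
    return "Driver::\n" + "\n".join(names) + "\n"


if __name__ == "__main__":
    parsed = parse_services(SAMPLE_LOG)
    for e in parsed:
        verdict, reasons = triage(e)
        print(f"{e.state} {e.name:<12} {verdict:<17} {'; '.join(reasons)}")
    print()
    print(driver_block(parsed), end="")
```

Running it prints one verdict per line and then the Driver:: block; the "review" entries are deliberately kept out of that block so that a missing file on its own never turns into an automatic removal.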

#8 NovaCatalyst

NovaCatalyst
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:04 AM

Posted 08 September 2012 - 09:22 AM

So far no signs of the reported "Trojan:Win32/Sirefef.P"; I will let you know if anything comes up.
Microsoft Security Essentials is still detecting:

Exploit:Java/CVE-2012-4681.CK
Category: Exploit

Description: This program is dangerous and exploits the computer on which it is run.

Recommended action: Remove this software immediately.

Items:
file:C:\Users\Nova\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\45d9cdd7-5c590c42

Get more information about this item online.



Exploit:Java/CVE-2012-4681.CJ
Category: Exploit

Description: This program is dangerous and exploits the computer on which it is run.

Recommended action: Remove this software immediately.

Items:
file:C:\Users\Nova\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\45d9cdd7-5c590c42

Get more information about this item online.


Here are the ComboFix and AdwCleaner logs:


ComboFix 12-09-07.03 - Nova 09/08/2012 6:41.2.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8169.6747 [GMT -7:00]
Running from: c:\users\Nova\Desktop\ComboFix.exe
Command switches used :: c:\users\Nova\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_X6VA005
-------\Service_npggsvc
-------\Service_X6va005
.
.
((((((((((((((((((((((((( Files Created from 2012-08-08 to 2012-09-08 )))))))))))))))))))))))))))))))
.
.
2012-09-08 13:44 . 2012-09-08 13:44 69000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{149FE90F-8849-4983-AE14-39CF47804AA7}\offreg.dll
2012-09-08 13:43 . 2012-09-08 13:43 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-09-08 13:43 . 2012-09-08 13:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-09-07 17:40 . 2012-09-07 17:40 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-09-07 17:40 . 2012-07-03 20:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-05 04:30 . 2012-08-22 13:46 7387496 ----a-w- c:\windows\system32\nvopencl.dll
2012-09-05 04:30 . 2012-08-22 13:46 6100328 ----a-w- c:\windows\SysWow64\nvopencl.dll
2012-08-30 13:39 . 2012-08-30 13:39 -------- d-----w- c:\windows\3F5C371F8EA24F259D3DD0B4526E3AEA.TMP
2012-08-30 13:38 . 2011-12-19 22:16 3130440 ----a-w- c:\windows\SysWow64\pbsvc_blr.exe
2012-08-30 02:56 . 2012-08-30 14:04 -------- d-----w- c:\users\Nova\AppData\Roaming\Apple Computer
2012-08-30 02:56 . 2012-08-30 02:56 -------- d-----w- c:\users\Nova\AppData\Local\Apple Computer
2012-08-30 02:55 . 2012-08-30 02:55 -------- d-----w- c:\programdata\Apple
2012-08-28 20:47 . 2012-08-28 20:47 -------- d-----w- c:\program files (x86)\Dotjosh Studios
2012-08-26 01:41 . 2012-08-22 13:46 1482600 ----a-w- c:\windows\system32\nvdispgenco64.dll
2012-08-26 01:41 . 2012-05-15 10:48 2368832 ----a-w- c:\windows\SysWow64\nvapi.dll
2012-08-17 00:41 . 2012-08-17 00:41 -------- d-----w- c:\users\Nova\AppData\Roaming\.Nitrous
2012-08-16 01:33 . 2012-08-16 01:33 -------- d--h--w- c:\users\Nova\AppData\Local\CRE
2012-08-14 22:14 . 2012-02-11 06:43 751104 ----a-w- c:\windows\system32\win32spl.dll
2012-08-14 22:14 . 2012-02-11 06:36 559104 ----a-w- c:\windows\system32\spoolsv.exe
2012-08-14 22:14 . 2012-02-11 06:36 67072 ----a-w- c:\windows\splwow64.exe
2012-08-14 22:14 . 2012-02-11 05:43 492032 ----a-w- c:\windows\SysWow64\win32spl.dll
2012-08-14 20:43 . 2012-05-05 08:36 503808 ----a-w- c:\windows\system32\srcore.dll
2012-08-14 20:43 . 2012-05-05 07:46 43008 ----a-w- c:\windows\SysWow64\srclient.dll
2012-08-14 20:43 . 2012-07-04 22:16 73216 ----a-w- c:\windows\system32\netapi32.dll
2012-08-14 20:43 . 2012-07-04 22:13 59392 ----a-w- c:\windows\system32\browcli.dll
2012-08-14 20:43 . 2012-07-04 22:13 136704 ----a-w- c:\windows\system32\browser.dll
2012-08-14 20:43 . 2012-07-04 21:14 41984 ----a-w- c:\windows\SysWow64\browcli.dll
2012-08-14 20:43 . 2012-07-18 18:15 3148800 ----a-w- c:\windows\system32\win32k.sys
2012-08-14 20:43 . 2012-05-14 05:26 956928 ----a-w- c:\windows\system32\localspl.dll
2012-08-14 03:18 . 2012-08-14 03:18 -------- d-----w- c:\users\Nova\AppData\Local\SplitMediaLabs
2012-08-14 03:18 . 2012-08-14 03:18 -------- d-----w- c:\programdata\SplitMediaLabs
2012-08-14 03:18 . 2012-08-14 03:18 -------- d-----w- c:\program files (x86)\SplitMediaLabs
2012-08-14 03:17 . 2012-08-14 03:17 -------- d-----w- c:\users\Nova\AppData\Roaming\SplitMediaLabs
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-02 03:25 . 2012-02-15 05:00 283032 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
2012-09-02 03:25 . 2012-02-15 04:59 283032 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2012-09-02 03:23 . 2012-02-15 04:59 298016 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2012-08-31 00:50 . 2012-02-15 04:58 76888 ----a-w- c:\windows\SysWow64\PnkBstrA.exe
2012-08-16 02:35 . 2012-03-30 19:33 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-16 02:35 . 2012-02-14 07:16 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-15 06:12 . 2012-02-17 02:40 62134624 ----a-w- c:\windows\system32\MRT.exe
2012-08-04 00:29 . 2012-02-14 06:53 627600 ----a-w- c:\windows\system32\deployJava1.dll
2012-08-04 00:29 . 2012-02-14 06:53 252296 ----a-w- c:\windows\system32\javaws.exe
2012-08-04 00:29 . 2012-02-14 06:53 188808 ----a-w- c:\windows\system32\javaw.exe
2012-08-04 00:29 . 2012-02-14 06:53 188808 ----a-w- c:\windows\system32\java.exe
2012-06-29 03:37 . 2012-03-15 21:25 60776 ----a-w- c:\windows\system32\OpenCL.dll
2012-06-29 03:37 . 2012-03-15 21:25 52584 ----a-w- c:\windows\SysWow64\OpenCL.dll
2012-06-11 18:17 . 2012-06-11 18:17 71680 ----a-w- c:\windows\system32\frapsv64.dll
2012-06-11 18:17 . 2012-06-11 18:17 65536 ----a-w- c:\windows\SysWow64\frapsvid.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-09-07_17.57.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-21 03:09 . 2012-09-08 13:40 54172 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-09-08 13:40 40700 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2012-02-14 04:18 . 2012-09-07 17:40 10196 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3725980145-2262299888-3775156013-1000_UserData.bin
+ 2012-02-14 04:18 . 2012-09-08 13:40 10196 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3725980145-2262299888-3775156013-1000_UserData.bin
- 2012-09-07 17:57 . 2012-09-07 17:57 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-09-08 13:44 . 2012-09-08 13:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 02:36 . 2012-09-07 17:42 662196 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-09-08 13:43 662196 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-09-08 13:43 122024 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2012-09-07 17:42 122024 c:\windows\system32\perfc009.dat
- 2009-07-14 05:01 . 2012-09-07 17:56 393856 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-09-08 13:43 393856 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2012-02-15 21:15 . 2012-09-08 13:43 2191364 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3725980145-2262299888-3775156013-1000-8192.dat
- 2012-02-15 21:15 . 2012-09-07 17:56 2191364 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3725980145-2262299888-3775156013-1000-8192.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-07-13 17418928]
"OfficeSyncProcess"="e:\users\Nova\ProgramFiles\Office14\MSOSYNC.EXE" [2012-01-21 719672]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-11-06 283160]
"ASUS ShellProcess Execute"="c:\program files (x86)\ASUS\AI Suite II\ASUS Mobilink\Simulator\AsShellProcess.exe" [2010-09-28 252544]
"ASUS AiChargerPlus Execute"="c:\program files (x86)\InstallShield Installation Information\{E6931688-DA2B-4E16-8539-3D323D69C677}\AiChargerPlus.exe" [2010-11-08 465536]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"BCSSync"="e:\users\Nova\ProgramFiles\Office14\BCSSync.exe" [2010-03-13 91520]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-06-08 421776]
.
c:\users\Nova\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech . Product Registration.lnk - c:\program files (x86)\Common Files\LogiShrd\eReg\SetPoint\eReg.exe [2009-11-16 517384]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
LOLRecorder.lnk - c:\program files (x86)\LOLReplay\LOLRecorder.exe [2012-7-12 517120]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-11-06 13336]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-05-15 1262400]
R3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\DRIVERS\asmthub3.sys [2010-12-09 122856]
R3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\DRIVERS\asmtxhci.sys [2010-12-09 369640]
R3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;c:\windows\system32\drivers\BVRPMPR5a64.SYS [2011-04-08 35840]
R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;e:\users\Nova\ProgramFiles\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 98688]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-27 291696]
R3 OSFMount;OSFMount;c:\program files\OSForensics\OSFMount64\OSFMount.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-02-17 1255736]
S0 AiChargerPlus;ASUS Charger Plus Driver;c:\windows\system32\DRIVERS\AiChargerPlus.sys [2010-11-08 14464]
S0 mv91xx;mv91xx;c:\windows\system32\DRIVERS\mv91xx.sys [2010-11-22 303408]
S1 AsUpIO;AsUpIO;SysWow64\drivers\AsUpIO.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-07-27 63960]
S2 asComSvc;ASUS Com Service;c:\program files (x86)\ASUS\AXSP\1.00.13\atkexComSvc.exe [2010-11-03 918144]
S2 asHmComSvc;ASUS HM Com Service;c:\program files (x86)\ASUS\AAHM\1.00.14\aaHMSvc.exe [2010-12-02 915584]
S2 AsSysCtrlService;ASUS System Control Service;c:\program files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe [2010-10-21 586880]
S2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [2010-08-12 133800]
S2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-06-08 160944]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-05-15 382272]
S3 e1cexpress;Intel® PRO/1000 PCI Express Network Connection Driver C;c:\windows\system32\DRIVERS\e1c62x64.sys [2010-09-21 313520]
S3 ICCWDT;Intel® Watchdog Timer Driver (Intel® WDT);c:\windows\system32\DRIVERS\ICCWDT.sys [2010-08-17 26136]
S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2010-10-20 56344]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2012-04-18 188736]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3725980145-2262299888-3775156013-1000Core.job
- c:\users\Nova\AppData\Local\Google\Update\GoogleUpdate.exe [2012-02-14 19:00]
.
2012-09-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3725980145-2262299888-3775156013-1000UA.job
- c:\users\Nova\AppData\Local\Google\Update\GoogleUpdate.exe [2012-02-14 19:00]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-11-02 11545192]
"EvtMgr6"="e:\users\Nova\ProgramFiles\SetPointP\SetPoint.exe" [2011-10-07 1744152]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-08-10 1873256]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-27 1271168]
"combofix"="c:\combofix\CF28658.3XE" [2010-11-21 345088]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - e:\users\Nova\PROGRA~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - e:\users\Nova\PROGRA~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\SysWOW64\PnkBstrA.exe
c:\program files (x86)\ASUS\AI Suite II\AsRoutineController.exe
c:\program files (x86)\ASUS\AI Suite II\DIGI+ VRM\VRMHelp.exe
.
**************************************************************************
.
Completion time: 2012-09-08 06:45:04 - machine was rebooted
ComboFix-quarantined-files.txt 2012-09-08 13:45
ComboFix2.txt 2012-09-07 17:58
.
Pre-Run: 11,470,233,600 bytes free
Post-Run: 13,946,314,752 bytes free
.
- - End Of File - - BF20AD6AC9FFEA659388D8F9E3A72D28





# AdwCleaner v2.000 - Logfile created 09/07/2012 at 18:34:36
# Updated 30/08/2012 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Nova - XCUTION-PC
# Boot Mode : Normal
# Running from : C:\Users\Nova\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\user.js
Folder Deleted : C:\Program Files (x86)\Conduit
Folder Deleted : C:\ProgramData\Babylon
Folder Deleted : C:\Users\Nova\AppData\Local\Conduit
Folder Deleted : C:\Users\Nova\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Nova\AppData\Roaming\Babylon

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
Key Deleted : HKLM\Software\Babylon
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

Restored : [HKCU\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-21-3725980145-2262299888-3775156013-1001\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://search.babylon.com/?affID=110795&tt=3612_6&babsrc=HP_ss&mntrId=24c64885000000000000f46d04484db9 --> hxxp://www.google.com

-\\ Google Chrome v21.0.1180.89

File : C:\Users\Nova\AppData\Local\Google\Chrome\User Data\Default\Preferences

Deleted [l.13] : homepage = "hxxp://search.conduit.com/?ctid=CT3225826&SearchSource=48",
Deleted [l.1358] : homepage = "hxxp://search.conduit.com/?ctid=CT3225826&SearchSource=48",

*************************

AdwCleaner[R1].txt - [2200 octets] - [07/09/2012 12:24:33]
AdwCleaner[R2].txt - [2260 octets] - [07/09/2012 18:24:34]
AdwCleaner[S1].txt - [2701 octets] - [07/09/2012 18:34:36]

########## EOF - C:\AdwCleaner[S1].txt - [2761 octets] ##########
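The AdwCleaner log above shows the two browser hijack indicators that were cleaned on this machine: an Internet Explorer Start Page pointing at search.babylon.com with an affiliate ID, and a Chrome Preferences homepage pointing at search.conduit.com. The following is an added example (not part of the original post and not code from AdwCleaner or ComboFix) that checks a Chrome Preferences file and a set of IE registry values for the same kind of hijack. The sample Preferences JSON and the registry values are constructed to mirror what the log reported; the hijack-domain list and the affiliate-parameter list are assumptions a practitioner would extend.

```python
import json
from urllib.parse import urlparse, parse_qs

# Domains AdwCleaner removed from this machine's IE start page and Chrome homepage.
# This list is an assumption for the example; extend it with other known hijackers.
HIJACK_DOMAINS = {"search.babylon.com", "search.conduit.com"}

# Query parameters that mark a toolbar/affiliate install rather than a user choice
# (compared case-insensitively). Also an assumption for the example.
AFFILIATE_PARAMS = {"affid", "ctid", "babsrc", "mntrid", "searchsource"}

# Constructed sample of a Chrome "Preferences" file (the real file is far larger).
SAMPLE_CHROME_PREFS = json.dumps({
    "homepage": "http://search.conduit.com/?ctid=CT3225826&SearchSource=48",
    "homepage_is_newtabpage": False,
    "session": {"urls_to_restore_on_startup": ["http://www.google.com/"]},
})

# Constructed sample of IE registry values, mirroring the log (hxxp written as http).
SAMPLE_IE_VALUES = {
    r"HKCU\Software\Microsoft\Internet Explorer\Main\Start Page":
        "http://search.babylon.com/?affID=110795&tt=3612_6&babsrc=HP_ss"
        "&mntrId=24c64885000000000000f46d04484db9",
    r"HKLM\Software\Microsoft\Internet Explorer\Main\Start Page":
        "http://www.google.com",
}


def classify_url(url):
    """Return a reason string if the URL looks like a search hijack, else None."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in HIJACK_DOMAINS:
        return "known hijack domain " + host
    # A non-listed domain can still betray itself by affiliate tracking parameters.
    params = {key.lower() for key in parse_qs(parsed.query)}
    hit = params & AFFILIATE_PARAMS
    if hit:
        return "affiliate parameters " + ",".join(sorted(hit))
    return None


def audit_chrome_prefs(prefs_text):
    """Parse a Chrome Preferences JSON and report suspicious homepage/startup URLs.

    Returns a list of (setting, url, reason) tuples.
    """
    prefs = json.loads(prefs_text)
    candidates = []
    if "homepage" in prefs:
        candidates.append(("homepage", prefs["homepage"]))
    for url in prefs.get("session", {}).get("urls_to_restore_on_startup", []):
        candidates.append(("urls_to_restore_on_startup", url))
    findings = []
    for setting, url in candidates:
        reason = classify_url(url)
        if reason:
            findings.append((setting, url, reason))
    return findings


def audit_registry_values(values):
    """Check a {registry path: URL} mapping (e.g. IE Start Page values) for hijacks."""
    findings = []
    for path, url in values.items():
        reason = classify_url(url)
        if reason:
            findings.append((path, url, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_chrome_prefs(SAMPLE_CHROME_PREFS):
        print("Chrome:", finding)
    for finding in audit_registry_values(SAMPLE_IE_VALUES):
        print("IE:", finding)
```

On a live Windows system the same functions can be fed the real Preferences file from `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Preferences` and the Start Page values read from the registry; the point of the affiliate-parameter check is that a hijack is usually identifiable even when the domain is not yet on a list.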

#9 nasdaq

nasdaq

  • Malware Response Team
  • 39,260 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:04 AM

Posted 08 September 2012 - 12:36 PM

Open your computer and navigate to the ...6.0\23\ folder in bold.

C:\Users\Nova\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\45d9cdd7-5c590c42

Delete this item.
45d9cdd7-5c590c42

Restart the computer normally.

How is it now?

#10 NovaCatalyst

NovaCatalyst
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:04 AM

Posted 08 September 2012 - 12:58 PM

Ok, well, I looked in the folder and nothing was in it, so I am assuming it was already deleted. My computer seems like it's all good and back to normal; no threats have been detected. Thanks so much for your assistance! Is there anything else that is required of me?

#11 nasdaq

nasdaq

  • Malware Response Team
  • 39,260 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:04 AM

Posted 08 September 2012 - 01:22 PM

Good news. I was surprised that this item was still in the cache, since I cleaned the cache with this ComboFix command.

ClearJavaCache::
===

If all is well:

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

To remove AdwCleaner.

Please double click on adwcleaner.exe to run the tool.
Click on Uninstall.
Confirm with Yes.

Delete the other tools we used.

Surf Safely, and Think Prevention!
===
