Jump to content

Malwarebytes

Malwarebytes Anti-Malware has stopped working

- - - - -
Started by somethingd, Apr 26 2012 03:38 PM


31 replies to this topic

#1
somethingd
Posted 26 April 2012 - 03:38 PM

    New Member

  • Members
  • Pip
  • 17 posts
My computer appears to be infected. I can not run Malwarebytes or Mcafee.

Here is my DDS.txt


.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Bria at 16:30:11 on 2012-04-26
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3837.2155 [GMT -4:00]
.
AV: Symantec Endpoint Protection *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Symantec Endpoint Protection *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\taskeng.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files (x86)\AIM Toolbar\aimtb.dll
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files (x86)\AIM Toolbar\aimtb.dll
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre1.6.0_06\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files (x86)\AIM Toolbar\aimtb.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files (x86)\AIM Toolbar\aimtb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
uRun: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
uRun: [iCloudServices] C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
uRun: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
mRun: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRunOnce: [Malwarebytes Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /install /silent
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC} - C:\Program Files (x86)\Java\jre1.6.0_06\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
IE: {B58926D6-CFB0-45d2-9C28-4B5A0F0368AE} - {7A3D6D17-9DD5-4C60-8076-D1784DABAF8C} - C:\Program Files (x86)\ClickPotatoLite\bin\10.0.523.0\ClickPotatoLiteSABHO.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/ZwinkyInitialSetup1.0.1.1.cab
DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://www.facebook.com/fbplugin/win32/axfbootloader.cab?1265512774943
DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} - hxxp://quickscan.bitdefender.com/qsax/qsax.cab
DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} - hxxp://vetter.viewnetcam.com/bl_camera.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{4C5D8FAF-A8C9-423B-8F10-FC5877ED55F7} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{E1AA0074-10DF-4E53-B4CC-18CF54D8FEE4} : DhcpNameServer = 192.168.1.1
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO-X64: NCO 2.0 IE BHO - No File
BHO-X64: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_06\bin\ssv.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files (x86)\AIM Toolbar\aimtb.dll
BHO-X64: AIM Toolbar Loader - No File
BHO-X64: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
TB-X64: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB-X64: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
TB-X64: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files (x86)\AIM Toolbar\aimtb.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
mRun-x64: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRunOnce-x64: [Malwarebytes Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /install /silent
.
============= SERVICES / DRIVERS ===============
.
R0 tos_sps64;TOSHIBA tos_sps64 Service;C:\Windows\system32\DRIVERS\tos_sps64.sys --> C:\Windows\system32\DRIVERS\tos_sps64.sys [?]
R1 JSWPSLWF;JumpStart Wireless Filter Driver;C:\Windows\system32\DRIVERS\jswpslwfx.sys --> C:\Windows\system32\DRIVERS\jswpslwfx.sys [?]
R2 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R3 FwLnk;FwLnk Driver;C:\Windows\system32\DRIVERS\FwLnk.sys --> C:\Windows\system32\DRIVERS\FwLnk.sys [?]
R3 mbamchameleon;mbamchameleon;\??\C:\Windows\system32\drivers\mbamchameleon.sys --> C:\Windows\system32\drivers\mbamchameleon.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 COH_Mon;COH_Mon;\??\C:\Windows\system32\Drivers\COH_Mon.sys --> C:\Windows\system32\Drivers\COH_Mon.sys [?]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2010-8-1 89920]
S4 ConfigFree Gadget Service;ConfigFree Gadget Service;C:\Program Files (x86)\Toshiba\ConfigFree\CFProcSRVC.exe [2008-4-4 36864]
S4 ConfigFree Service;ConfigFree Service;C:\Program Files (x86)\Toshiba\ConfigFree\CFSvcs.exe [2008-4-17 40960]
S4 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-2-1 135664]
S4 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-2-1 135664]
S4 jswpsapi;Jumpstart Wifi Protected Setup;C:\Program Files (x86)\Jumpstart\jswpsapi.exe [2008-9-26 954368]
S4 KR10I64;KR10I64;C:\Windows\system32\drivers\kr10i64.sys --> C:\Windows\system32\drivers\kr10i64.sys [?]
S4 KR10N64;KR10N64;C:\Windows\system32\drivers\kr10n64.sys --> C:\Windows\system32\drivers\kr10n64.sys [?]
S4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\Program Files (x86)\McAfee\SiteAdvisor\mcsacore.exe [2009-5-27 103440]
S4 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S4 SmartFaceVWatchSrv;SmartFaceVWatchSrv;C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe [2008-4-24 84992]
S4 Symantec AntiVirus;Symantec Endpoint Protection;C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe [2009-9-17 2477304]
S4 TMachInfo;TMachInfo;C:\Program Files (x86)\Toshiba\TOSHIBA Service Station\TMachInfo.exe [2008-9-15 46392]
S4 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-3 175104]
S4 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe [2009-3-28 24652]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== File Associations ===============
.
JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2012-04-26 20:20:45 -------- d-----w- C:\Program Files (x86)\ESET
2012-04-26 18:47:37 33096 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
2012-04-26 18:45:14 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-04-26 18:45:13 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-04-26 12:09:51 8917360 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{F0873DF0-BE09-4EF5-8F6C-9EA7BECC92BB}\mpengine.dll
2012-04-26 07:10:26 -------- d-----w- C:\Users\Bria\AppData\Roaming\QuickScan
2012-04-26 07:04:03 -------- d-----w- C:\ProgramData\Malwarebytes
2012-04-26 00:20:37 -------- d-----w- C:\Windows\pss
2012-04-25 20:43:54 -------- d-----w- C:\Users\Bria\AppData\Roaming\LolClient
2012-04-25 03:28:12 467984 ----a-w- C:\Windows\SysWow64\d3dx10_39.dll
2012-04-25 03:28:12 1493528 ----a-w- C:\Windows\SysWow64\D3DCompiler_39.dll
2012-04-25 03:28:10 3851784 ----a-w- C:\Windows\SysWow64\D3DX9_39.dll
2012-04-25 03:16:39 -------- d-----w- C:\Riot Games
2012-04-25 02:41:31 -------- d-----w- C:\Users\Bria\AppData\Local\PMB Files
2012-04-25 02:41:25 -------- d-----w- C:\ProgramData\PMB Files
2012-04-25 02:41:00 -------- d-----w- C:\Program Files (x86)\Pando Networks
2012-04-24 00:02:06 -------- d-----w- C:\Program Files (x86)\Activision
2012-04-16 13:40:24 -------- d-sh--w- C:\Windows\ftpcache
2012-04-16 13:39:47 -------- d-----w- C:\Program Files (x86)\Saunders NCLEX-RN4e
2012-04-13 07:12:28 4699520 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-04-13 07:11:27 16384 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
2012-04-13 07:11:26 78848 ----a-w- C:\Windows\System32\imagehlp.dll
2012-04-13 07:11:26 5632 ----a-w- C:\Windows\System32\wmi.dll
2012-04-13 07:11:26 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
2012-04-13 07:11:26 219136 ----a-w- C:\Windows\System32\wintrust.dll
2012-04-13 07:11:26 172032 ----a-w- C:\Windows\SysWow64\wintrust.dll
2012-04-13 07:11:25 157696 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2012-04-12 15:14:00 2409784 ----a-w- C:\Program Files\Windows Mail\OESpamFilter.dat
2012-04-12 15:14:00 2409784 ----a-w- C:\Program Files (x86)\Windows Mail\OESpamFilter.dat
.
==================== Find3M ====================
.
2012-02-28 06:56:48 2311168 ----a-w- C:\Windows\System32\jscript9.dll
2012-02-28 06:49:56 1390080 ----a-w- C:\Windows\System32\wininet.dll
2012-02-28 06:48:57 1493504 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-02-28 06:42:55 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-02-28 01:18:55 1799168 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-02-28 01:11:21 1427456 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-02-28 01:11:07 1127424 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-02-28 01:03:16 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-02-23 14:18:36 279656 ------w- C:\Windows\System32\MpSigStub.exe
2012-02-15 16:01:50 52736 ----a-w- C:\Windows\System32\drivers\usbaapl64.sys
2012-02-15 16:01:50 4547944 ----a-w- C:\Windows\System32\usbaaplrc.dll
2012-02-14 16:49:43 327680 ----a-w- C:\Windows\System32\d3d10_1core.dll
2012-02-14 16:49:43 196096 ----a-w- C:\Windows\System32\d3d10_1.dll
2012-02-14 15:45:30 219648 ----a-w- C:\Windows\SysWow64\d3d10_1core.dll
2012-02-14 15:45:30 160768 ----a-w- C:\Windows\SysWow64\d3d10_1.dll
2012-02-13 14:38:31 2002944 ----a-w- C:\Windows\System32\d3d10warp.dll
2012-02-13 14:12:08 1172480 ----a-w- C:\Windows\SysWow64\d3d10warp.dll
2012-02-13 14:06:48 834048 ----a-w- C:\Windows\System32\d2d1.dll
2012-02-13 14:03:11 1555968 ----a-w- C:\Windows\System32\DWrite.dll
2012-02-13 13:47:57 683008 ----a-w- C:\Windows\SysWow64\d2d1.dll
2012-02-13 13:44:40 1068544 ----a-w- C:\Windows\SysWow64\DWrite.dll
2012-02-07 15:02:40 1070352 ----a-w- C:\Windows\SysWow64\MSCOMCTL.OCX
2012-02-02 15:34:25 2765824 ----a-w- C:\Windows\System32\win32k.sys
.
============= FINISH: 16:32:47.49 ===============

Attached Files


#2
Maniac
Posted 26 April 2012 - 04:27 PM

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 17,010 posts
  • Gender:Male
  • Location:Bulgaria, EU
Hello somethingd and :welcome:! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:
  • If you are a paying customer, you have the privilege to contact the help desk at support@malwarebytes.org or here (http://helpdesk.malwarebytes.org/home). If you choose this option to get help, please let me know.
  • I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.

Step 1

I suggest you to uninstall Viewpoint Media Player.
http://www.clickz.co...cle.php/3561546


Step 2

Please follow the instructions here:
http://forums.malwar...ndpost&p=434002

Next, post the log file in your next reply with a new fresh DDS log file.
My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here Posted Image

#3
somethingd
Posted 26 April 2012 - 07:15 PM

    New Member

  • Members
  • Pip
  • 17 posts
When running chameleon the update process would give me the same error "malwarebytes has stopped working."

I tried to copy a new version from another computer and ran all the different versions. Same error.

new logs:


.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Bria at 20:07:14 on 2012-04-26
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3837.2240 [GMT -4:00]
.
AV: Symantec Endpoint Protection *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Symantec Endpoint Protection *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\taskeng.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\mobsync.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files (x86)\AIM Toolbar\aimtb.dll
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files (x86)\AIM Toolbar\aimtb.dll
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre1.6.0_06\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files (x86)\AIM Toolbar\aimtb.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files (x86)\AIM Toolbar\aimtb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
uRun: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
uRun: [iCloudServices] C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
uRun: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
mRun: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRunOnce: [Malwarebytes Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /install /silent
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC} - C:\Program Files (x86)\Java\jre1.6.0_06\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
IE: {B58926D6-CFB0-45d2-9C28-4B5A0F0368AE} - {7A3D6D17-9DD5-4C60-8076-D1784DABAF8C} - C:\Program Files (x86)\ClickPotatoLite\bin\10.0.523.0\ClickPotatoLiteSABHO.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/ZwinkyInitialSetup1.0.1.1.cab
DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://www.facebook.com/fbplugin/win32/axfbootloader.cab?1265512774943
DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} - hxxp://quickscan.bitdefender.com/qsax/qsax.cab
DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} - hxxp://vetter.viewnetcam.com/bl_camera.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{4C5D8FAF-A8C9-423B-8F10-FC5877ED55F7} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{E1AA0074-10DF-4E53-B4CC-18CF54D8FEE4} : DhcpNameServer = 192.168.1.1
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO-X64: NCO 2.0 IE BHO - No File
BHO-X64: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_06\bin\ssv.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files (x86)\AIM Toolbar\aimtb.dll
BHO-X64: AIM Toolbar Loader - No File
BHO-X64: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
TB-X64: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB-X64: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
TB-X64: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files (x86)\AIM Toolbar\aimtb.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
mRun-x64: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRunOnce-x64: [Malwarebytes Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /install /silent
.
============= SERVICES / DRIVERS ===============
.
R0 tos_sps64;TOSHIBA tos_sps64 Service;C:\Windows\system32\DRIVERS\tos_sps64.sys --> C:\Windows\system32\DRIVERS\tos_sps64.sys [?]
R1 JSWPSLWF;JumpStart Wireless Filter Driver;C:\Windows\system32\DRIVERS\jswpslwfx.sys --> C:\Windows\system32\DRIVERS\jswpslwfx.sys [?]
R2 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R3 FwLnk;FwLnk Driver;C:\Windows\system32\DRIVERS\FwLnk.sys --> C:\Windows\system32\DRIVERS\FwLnk.sys [?]
R3 mbamchameleon;mbamchameleon;\??\C:\Windows\system32\drivers\mbamchameleon.sys --> C:\Windows\system32\drivers\mbamchameleon.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 COH_Mon;COH_Mon;\??\C:\Windows\system32\Drivers\COH_Mon.sys --> C:\Windows\system32\Drivers\COH_Mon.sys [?]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2010-8-1 89920]
S4 ConfigFree Gadget Service;ConfigFree Gadget Service;C:\Program Files (x86)\Toshiba\ConfigFree\CFProcSRVC.exe [2008-4-4 36864]
S4 ConfigFree Service;ConfigFree Service;C:\Program Files (x86)\Toshiba\ConfigFree\CFSvcs.exe [2008-4-17 40960]
S4 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-2-1 135664]
S4 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-2-1 135664]
S4 jswpsapi;Jumpstart Wifi Protected Setup;C:\Program Files (x86)\Jumpstart\jswpsapi.exe [2008-9-26 954368]
S4 KR10I64;KR10I64;C:\Windows\system32\drivers\kr10i64.sys --> C:\Windows\system32\drivers\kr10i64.sys [?]
S4 KR10N64;KR10N64;C:\Windows\system32\drivers\kr10n64.sys --> C:\Windows\system32\drivers\kr10n64.sys [?]
S4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\Program Files (x86)\McAfee\SiteAdvisor\mcsacore.exe [2009-5-27 103440]
S4 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S4 SmartFaceVWatchSrv;SmartFaceVWatchSrv;C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe [2008-4-24 84992]
S4 Symantec AntiVirus;Symantec Endpoint Protection;C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe [2009-9-17 2477304]
S4 TMachInfo;TMachInfo;C:\Program Files (x86)\Toshiba\TOSHIBA Service Station\TMachInfo.exe [2008-9-15 46392]
S4 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-3 175104]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== File Associations ===============
.
JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2012-04-26 22:38:15 33096 ----a-w- C:\Windows\System32\drivers\48230029.sys
2012-04-26 22:20:16 33096 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
2012-04-26 20:20:45 -------- d-----w- C:\Program Files (x86)\ESET
2012-04-26 18:45:14 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-04-26 18:45:13 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-04-26 12:09:51 8917360 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{F0873DF0-BE09-4EF5-8F6C-9EA7BECC92BB}\mpengine.dll
2012-04-26 07:10:26 -------- d-----w- C:\Users\Bria\AppData\Roaming\QuickScan
2012-04-26 07:04:03 -------- d-----w- C:\ProgramData\Malwarebytes
2012-04-26 00:20:37 -------- d-----w- C:\Windows\pss
2012-04-25 20:43:54 -------- d-----w- C:\Users\Bria\AppData\Roaming\LolClient
2012-04-25 03:28:12 467984 ----a-w- C:\Windows\SysWow64\d3dx10_39.dll
2012-04-25 03:28:12 1493528 ----a-w- C:\Windows\SysWow64\D3DCompiler_39.dll
2012-04-25 03:28:10 3851784 ----a-w- C:\Windows\SysWow64\D3DX9_39.dll
2012-04-25 03:16:39 -------- d-----w- C:\Riot Games
2012-04-25 02:41:31 -------- d-----w- C:\Users\Bria\AppData\Local\PMB Files
2012-04-25 02:41:25 -------- d-----w- C:\ProgramData\PMB Files
2012-04-25 02:41:00 -------- d-----w- C:\Program Files (x86)\Pando Networks
2012-04-24 00:02:06 -------- d-----w- C:\Program Files (x86)\Activision
2012-04-16 13:40:24 -------- d-sh--w- C:\Windows\ftpcache
2012-04-16 13:39:47 -------- d-----w- C:\Program Files (x86)\Saunders NCLEX-RN4e
2012-04-13 07:12:28 4699520 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-04-13 07:11:27 16384 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
2012-04-13 07:11:26 78848 ----a-w- C:\Windows\System32\imagehlp.dll
2012-04-13 07:11:26 5632 ----a-w- C:\Windows\System32\wmi.dll
2012-04-13 07:11:26 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
2012-04-13 07:11:26 219136 ----a-w- C:\Windows\System32\wintrust.dll
2012-04-13 07:11:26 172032 ----a-w- C:\Windows\SysWow64\wintrust.dll
2012-04-13 07:11:25 157696 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2012-04-12 15:14:00 2409784 ----a-w- C:\Program Files\Windows Mail\OESpamFilter.dat
2012-04-12 15:14:00 2409784 ----a-w- C:\Program Files (x86)\Windows Mail\OESpamFilter.dat
.
==================== Find3M ====================
.
2012-02-28 06:56:48 2311168 ----a-w- C:\Windows\System32\jscript9.dll
2012-02-28 06:49:56 1390080 ----a-w- C:\Windows\System32\wininet.dll
2012-02-28 06:48:57 1493504 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-02-28 06:42:55 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-02-28 01:18:55 1799168 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-02-28 01:11:21 1427456 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-02-28 01:11:07 1127424 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-02-28 01:03:16 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-02-23 14:18:36 279656 ------w- C:\Windows\System32\MpSigStub.exe
2012-02-15 16:01:50 52736 ----a-w- C:\Windows\System32\drivers\usbaapl64.sys
2012-02-15 16:01:50 4547944 ----a-w- C:\Windows\System32\usbaaplrc.dll
2012-02-14 16:49:43 327680 ----a-w- C:\Windows\System32\d3d10_1core.dll
2012-02-14 16:49:43 196096 ----a-w- C:\Windows\System32\d3d10_1.dll
2012-02-14 15:45:30 219648 ----a-w- C:\Windows\SysWow64\d3d10_1core.dll
2012-02-14 15:45:30 160768 ----a-w- C:\Windows\SysWow64\d3d10_1.dll
2012-02-13 14:38:31 2002944 ----a-w- C:\Windows\System32\d3d10warp.dll
2012-02-13 14:12:08 1172480 ----a-w- C:\Windows\SysWow64\d3d10warp.dll
2012-02-13 14:06:48 834048 ----a-w- C:\Windows\System32\d2d1.dll
2012-02-13 14:03:11 1555968 ----a-w- C:\Windows\System32\DWrite.dll
2012-02-13 13:47:57 683008 ----a-w- C:\Windows\SysWow64\d2d1.dll
2012-02-13 13:44:40 1068544 ----a-w- C:\Windows\SysWow64\DWrite.dll
2012-02-07 15:02:40 1070352 ----a-w- C:\Windows\SysWow64\MSCOMCTL.OCX
2012-02-02 15:34:25 2765824 ----a-w- C:\Windows\System32\win32k.sys
.
============= FINISH: 20:09:53.88 ===============

Attached Files


#4
Maniac
Posted 27 April 2012 - 02:17 AM

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 17,010 posts
  • Gender:Male
  • Location:Bulgaria, EU
Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here Posted Image

#5
somethingd
Posted 27 April 2012 - 04:17 AM

    New Member

  • Members
  • Pip
  • 17 posts
ComboFix 12-04-27.01 - Bria 04/27/2012 3:44.1.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3837.1778 [GMT -4:00]
Running from: c:\users\Bria\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
FW: Symantec Endpoint Protection *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: Symantec Endpoint Protection *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\ClickPotatoLite
c:\program files (x86)\ClickPotatoLite\bin\10.0.523.0\firefox\extensions\chrome.manifest
c:\program files (x86)\ClickPotatoLite\bin\10.0.523.0\firefox\extensions\install.rdf
c:\program files (x86)\ClickPotatoLite\bin\10.0.523.0\firefox\extensions\plugins\npclntax_ClickPotatoLiteSA.dll
c:\program files (x86)\DDnsFilter
c:\program files (x86)\FunWebProducts
c:\program files (x86)\Gamevance
c:\program files (x86)\Gamevance\ars.cfg
c:\program files (x86)\Gamevance\icon.ico
c:\program files (x86)\MyWebSearch
c:\program files (x86)\MyWebSearch\bar\Settings\s_pid.dat
c:\programdata\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
c:\programdata\ClickPotatoLiteSA
c:\programdata\ClickPotatoLiteSA\ClickPotatoLiteSA.dat
c:\programdata\ClickPotatoLiteSA\ClickPotatoLiteSA_kyf.dat
c:\programdata\ClickPotatoLiteSA\ClickPotatoLiteSAAbout.mht
c:\programdata\ClickPotatoLiteSA\ClickPotatoLiteSAau.dat
c:\programdata\ClickPotatoLiteSA\ClickPotatoLiteSAEULA.mht
c:\programdata\Microsoft\Windows\Start Menu\Programs\ClickPotato
c:\programdata\Microsoft\Windows\Start Menu\Programs\ClickPotato\About Us.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\ClickPotato\ClickPotato Customer Support.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\ClickPotato\ClickPotato Uninstall Instructions.lnk
c:\users\Bria\AppData\Roaming\ClickPotatoLite
c:\users\Bria\Documents\~WRL0379.tmp
c:\users\Bria\Documents\~WRL0590.tmp
c:\users\Bria\Documents\~WRL0591.tmp
c:\users\Bria\Documents\~WRL1495.tmp
c:\users\Public\Documents\~WRL0001.tmp
c:\windows\0101120101464857.xe
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
c:\windows\SysWow64\urttemp
c:\windows\SysWow64\urttemp\regtlib.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-03-27 to 2012-04-27 )))))))))))))))))))))))))))))))
.
.
2012-04-27 08:53 . 2012-04-27 09:00 -------- d-----w- c:\users\Bria\AppData\Local\temp
2012-04-27 08:53 . 2012-04-27 08:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-26 22:20 . 2012-04-26 22:20 33096 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-04-26 20:20 . 2012-04-26 20:20 -------- d-----w- c:\program files (x86)\ESET
2012-04-26 18:45 . 2012-04-04 19:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-26 18:45 . 2012-04-26 22:24 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-04-26 07:10 . 2012-04-26 20:19 -------- d-----w- c:\users\Bria\AppData\Roaming\QuickScan
2012-04-26 07:04 . 2012-04-26 07:04 -------- d-----w- c:\programdata\Malwarebytes
2012-04-25 20:43 . 2012-04-25 20:43 -------- d-----w- c:\users\Bria\AppData\Roaming\LolClient
2012-04-25 03:28 . 2008-07-12 12:18 467984 ----a-w- c:\windows\SysWow64\d3dx10_39.dll
2012-04-25 03:28 . 2008-07-12 12:18 1493528 ----a-w- c:\windows\SysWow64\D3DCompiler_39.dll
2012-04-25 03:28 . 2008-07-12 12:18 3851784 ----a-w- c:\windows\SysWow64\D3DX9_39.dll
2012-04-25 03:16 . 2012-04-25 03:16 -------- d-----w- C:\Riot Games
2012-04-25 02:41 . 2012-04-25 22:21 -------- d-----w- c:\users\Bria\AppData\Local\PMB Files
2012-04-25 02:41 . 2012-04-25 21:53 -------- d-----w- c:\programdata\PMB Files
2012-04-25 02:41 . 2012-04-25 02:41 -------- d-----w- c:\program files (x86)\Pando Networks
2012-04-24 00:02 . 2012-04-24 00:02 -------- d-----w- c:\program files (x86)\Activision
2012-04-16 13:40 . 2012-04-16 13:40 -------- d-sh--w- c:\windows\ftpcache
2012-04-16 13:39 . 2012-04-16 13:40 -------- d-----w- c:\program files (x86)\Saunders NCLEX-RN4e
2012-04-13 07:12 . 2012-03-06 06:44 4699520 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-13 07:11 . 2012-02-29 13:52 16384 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-13 07:11 . 2012-02-29 15:37 5632 ----a-w- c:\windows\system32\wmi.dll
2012-04-13 07:11 . 2012-02-29 15:37 219136 ----a-w- c:\windows\system32\wintrust.dll
2012-04-13 07:11 . 2012-02-29 15:35 78848 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-13 07:11 . 2012-02-29 15:11 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2012-04-13 07:11 . 2012-02-29 15:11 172032 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-04-13 07:11 . 2012-02-29 15:09 157696 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-04-12 15:14 . 2012-03-01 11:01 2409784 ----a-w- c:\program files (x86)\Windows Mail\OESpamFilter.dat
2012-04-12 15:14 . 2012-03-01 11:01 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-13 08:46 . 2012-04-27 07:33 8917360 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{65DD6124-AB59-4569-863D-9FA034EE59AB}\mpengine.dll
2012-02-23 14:18 . 2010-05-24 18:43 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-02-15 16:01 . 2012-02-15 16:01 52736 ----a-w- c:\windows\system32\drivers\usbaapl64.sys
2012-02-15 16:01 . 2012-02-15 16:01 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-02-14 16:49 . 2012-03-14 12:36 327680 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-02-14 16:49 . 2012-03-14 12:36 196096 ----a-w- c:\windows\system32\d3d10_1.dll
2012-02-14 15:45 . 2012-03-14 12:36 219648 ----a-w- c:\windows\SysWow64\d3d10_1core.dll
2012-02-14 15:45 . 2012-03-14 12:36 160768 ----a-w- c:\windows\SysWow64\d3d10_1.dll
2012-02-13 14:38 . 2012-03-14 12:36 2002944 ----a-w- c:\windows\system32\d3d10warp.dll
2012-02-13 14:12 . 2012-03-14 12:36 1172480 ----a-w- c:\windows\SysWow64\d3d10warp.dll
2012-02-13 14:06 . 2012-03-14 12:36 834048 ----a-w- c:\windows\system32\d2d1.dll
2012-02-13 14:03 . 2012-03-14 12:36 1555968 ----a-w- c:\windows\system32\DWrite.dll
2012-02-13 13:47 . 2012-03-14 12:36 683008 ----a-w- c:\windows\SysWow64\d2d1.dll
2012-02-13 13:44 . 2012-03-14 12:36 1068544 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-02-07 15:02 . 2012-02-07 15:02 1070352 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX
2012-02-02 15:34 . 2012-03-14 12:36 2765824 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-04-24 432640]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"MobileDocuments"="c:\program files (x86)\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
"iCloudServices"="c:\program files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe" [2012-02-23 59240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2012-02-23 59240]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-07 421736]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
ddnsfilter REG_MULTI_SZ ddnsfilter
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-02 01:38]
.
2012-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-02 01:38]
.
2010-06-08 c:\windows\Tasks\Install_NSS.job
- c:\windows\SysWOW64\Adobe\Shockwave 11\nssstub.exe [2010-01-27 21:01]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skytel"="Skytel.exe" [2007-11-21 1826816]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1573160]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-WMPNSCFG - c:\program files (x86)\Windows Media Player\WMPNSCFG.exe
SafeBoot-Symantec Antvirus
HKLM-Run-TPwrMain - c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
HKLM-Run-HSON - c:\program files (x86)\TOSHIBA\TBS\HSON.exe
HKLM-Run-SmoothView - c:\program files (x86)\Toshiba\SmoothView\SmoothView.exe
HKLM-Run-00TCrdMain - c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
HKLM-Run-Windows Defender - c:\program files (x86)\Windows Defender\MSASCui.exe
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2463042382-2951657566-2286130367-1000\Software\SecuROM\License information*]
"datasecu"=hex:e0,6a,0e,6b,5f,54,dd,ec,2c,74,12,b6,16,9f,83,55,fa,fb,99,70,97,
7c,0f,01,8c,e4,db,60,97,65,7c,7a,98,17,02,e6,1a,8b,31,74,9f,19,90,27,79,4d,\
"rkeysecu"=hex:5c,53,d9,39,b0,34,e1,5c,d1,71,87,95,ea,1c,e5,a2
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Windows Media Player\wmplayer.exe
c:\program files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
.
**************************************************************************
.
Completion time: 2012-04-27 05:13:47 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-27 09:13
.
Pre-Run: 141,153,521,664 bytes free
Post-Run: 142,696,423,424 bytes free
.
- - End Of File - - B9E53F8D9E2357B4F62A7B815DD50F53

#6
Maniac
Posted 27 April 2012 - 04:19 AM

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 17,010 posts
  • Gender:Male
  • Location:Bulgaria, EU
  • Launch Malwarebytes' Anti-Malware
  • Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer,please do so immediately.
My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here Posted Image

#7
somethingd
Posted 27 April 2012 - 04:36 AM

    New Member

  • Members
  • Pip
  • 17 posts
MalwareBytes still has the same error when I try to run it. I tried in chameleon mode and the issue is still there.

#8
Maniac
Posted 27 April 2012 - 04:43 AM

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 17,010 posts
  • Gender:Male
  • Location:Bulgaria, EU
Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here Posted Image

#9
somethingd
Posted 27 April 2012 - 01:48 PM

    New Member

  • Members
  • Pip
  • 17 posts
<p> </p>
<div>
<div>ESETSmartInstaller@High as downloader log:</div>
<div>all ok</div>
<div># version=7</div>
<div># OnlineScannerApp.exe=1.0.0.1</div>
<div># OnlineScanner.ocx=1.0.0.6583</div>
<div># api_version=3.0.2</div>
<div># EOSSerial=e557aba3709060409f9c62947bb261c6</div>
<div># end=stopped</div>
<div># remove_checked=true</div>
<div># archives_checked=false</div>
<div># unwanted_checked=true</div>
<div># unsafe_checked=false</div>
<div># antistealth_checked=true</div>
<div># utc_time=2012-04-26 08:29:20</div>
<div># local_time=2012-04-26 04:29:20 (-0500, Eastern Daylight Time)</div>
<div># country=&quot;United States&quot;</div>
<div># lang=1033</div>
<div># osver=6.0.6002 NT Service Pack 2</div>
<div># compatibility_mode=3584 16777215 100 0 0 0 0 0</div>
<div># compatibility_mode=5892 16776637 100 56 0 172070592 0 0</div>
<div># compatibility_mode=8192 67108863 100 0 0 0 0 0</div>
<div># scanned=2644</div>
<div># found=0</div>
<div># cleaned=0</div>
<div># scan_time=274</div>
<div>esets_scanner_update returned -1 esets_gle=53251</div>
<div> </div>
</div>
<div> </div>
<div>C:\Program Files (x86)\Windows Live\Messenger\msimg32.dll<span class="Apple-tab-span" style="white-space:pre"> </span>Win32/Toolbar.MyWebSearch application<span class="Apple-tab-span" style="white-space:pre"> </span>cleaned by deleting - quarantined</div>
<div>C:\Program Files (x86)\Windows Live\Messenger\riched20.dll<span class="Apple-tab-span" style="white-space:pre"> </span>Win32/Toolbar.MyWebSearch application<span class="Apple-tab-span" style="white-space:pre"> </span>cleaned by deleting - quarantined</div>
<div>C:\Qoobox\Quarantine\C\Program Files (x86)\ClickPotatoLite\bin\10.0.523.0\firefox\extensions\plugins\npclntax_ClickPotatoLiteSA.dll.vir<span class="Apple-tab-span" style="white-space:pre"> </span>a variant of Win32/Adware.HotBar.J application<span class="Apple-tab-span" style="white-space:pre"> </span>cleaned by deleting - quarantined</div>
<div>C:\Users\Bria\Downloads\SoftonicDownloader_for_call-of-duty-4.exe<span class="Apple-tab-span" style="white-space:pre"> </span>Win32/SoftonicDownloader.D application<span class="Apple-tab-span" style="white-space:pre"> </span>cleaned by deleting - quarantined</div>
<div> </div>

#10
Maniac
Posted 29 April 2012 - 05:14 AM

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 17,010 posts
  • Gender:Male
  • Location:Bulgaria, EU
Download aswMBR.exe ( 1.8mB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan
Posted Image

On completion of the scan click save log, save it to your desktop and post in your next reply
Posted Image
My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here Posted Image

#11
somethingd
Posted 29 April 2012 - 06:02 AM

    New Member

  • Members
  • Pip
  • 17 posts
The internet has stopped working on the laptop.

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-04-29 06:57:54
-----------------------------
06:57:54.125 OS Version: Windows x64 6.0.6002 Service Pack 2
06:57:54.125 Number of processors: 2 586 0x301
06:57:54.125 ComputerName: BRIA-PC UserName: Bria
06:57:57.322 Initialize success
06:58:14.785 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
06:58:14.800 Disk 0 Vendor: TOSHIBA_MK2552GSX LV010M Size: 238475MB BusType: 3
06:58:14.831 Disk 0 MBR read successfully
06:58:14.847 Disk 0 MBR scan
06:58:14.847 Disk 0 Windows VISTA default MBR code
06:58:14.878 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 1500 MB offset 2048
06:58:14.925 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 236974 MB offset 3074048
06:58:15.003 Disk 0 scanning C:\Windows\system32\drivers
06:58:42.381 Service scanning
06:59:20.305 Modules scanning
06:59:20.351 Disk 0 trace - called modules:
06:59:20.414 ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
06:59:20.429 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004474310]
06:59:20.461 3 CLASSPNP.SYS[fffffa60012e9c33] -> nt!IofCallDriver -> [0xfffffa80043d9770]
06:59:21.241 5 acpi.sys[fffffa60008f2fde] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa800442d940]
06:59:21.272 Scan finished successfully
07:00:21.644 Disk 0 MBR has been saved successfully to "E:\MBR.dat"
07:00:21.737 The log file has been saved successfully to "E:\aswMBR.txt"

#12
Maniac
Posted 29 April 2012 - 06:41 AM

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 17,010 posts
  • Gender:Male
  • Location:Bulgaria, EU
Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here Posted Image

#13
somethingd
Posted 29 April 2012 - 06:46 AM

    New Member

  • Members
  • Pip
  • 17 posts
Farbar Service Scanner Version: 24-04-2012
Ran by Bria (administrator) on 29-04-2012 at 07:44:39
Running from "C:\Users\Bria\Desktop"
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


File Check:
========
C:\Windows\System32\nsisvc.dll
[2008-01-20 22:49] - [2008-01-20 22:49] - 0024576 ____A (Microsoft Corporation) ACB62BAA1C319B17752553DF3026EEEB

C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcsvc.dll
[2010-08-01 16:45] - [2009-04-11 03:11] - 0268288 ____A (Microsoft Corporation) 3ED0321127CE70ACDAABBF77E157C2A7

C:\Windows\System32\drivers\afd.sys
[2012-02-15 08:52] - [2012-01-03 10:25] - 0404992 ____A (Microsoft Corporation) C4F6CE6087760AD70960C9EB130E7943

C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll
[2011-04-15 03:01] - [2011-03-02 12:12] - 0117760 ____A (Microsoft Corporation) 06230F1B721494A6DF8D47FD395BB1B0

C:\Windows\System32\mpssvc.dll
[2010-08-01 16:47] - [2009-04-11 03:11] - 0603136 ____A (Microsoft Corporation) 897E3BAF68BA406A61682AE39C83900C

C:\Windows\System32\bfe.dll
[2010-08-01 16:44] - [2009-04-11 03:11] - 0458240 ____A (Microsoft Corporation) FFB96C2589FFA60473EAD78B39FBDE29

C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll
[2008-01-20 22:47] - [2008-01-20 22:47] - 0128000 ____A (Microsoft Corporation) 4FF71B076A7760FE75EA5AE2D0EE0018

C:\Windows\System32\vssvc.exe
[2010-08-01 16:48] - [2009-04-11 03:11] - 1433600 ____A (Microsoft Corporation) B75232DAD33BFD95BF6F0A3E6BFF51E1

C:\Windows\System32\wscsvc.dll
[2010-08-01 16:43] - [2009-04-11 03:11] - 0074752 ____A (Microsoft Corporation) 9EA3E6D0EF7A5C2B9181961052A4B01A

C:\Windows\System32\wbem\WMIsvc.dll
[2010-08-01 16:45] - [2009-04-11 03:11] - 0221696 ____A (Microsoft Corporation) D2E7296ED1BD26D8DB2799770C077A02

C:\Windows\System32\wuaueng.dll
[2009-10-05 19:14] - [2009-08-06 22:24] - 2424024 ____A (Microsoft Corporation) FB3796754FE00F0BDC87A36F164A5F4D

C:\Windows\System32\qmgr.dll
[2010-08-01 16:48] - [2009-04-11 03:11] - 1081856 ____A (Microsoft Corporation) 6D316F4859634071CC25C4FD4589AD2C

C:\Windows\System32\es.dll
[2010-08-01 16:47] - [2009-04-11 03:11] - 0361984 ____A (Microsoft Corporation) E12F22B73F153DECE721CD45EC05B4AF

C:\Windows\System32\cryptsvc.dll
[2010-08-01 16:46] - [2009-04-11 03:11] - 0166912 ____A (Microsoft Corporation) 18918613E63F387CDE4D95CA7D49DCF7

C:\Program Files\Windows Defender\MpSvc.dll
[2008-01-20 22:47] - [2008-01-20 22:47] - 0383544 ____A (Microsoft Corporation) 7D2A43E8FDF725A1133F6C6056A72CDC

C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2010-08-01 16:48] - [2009-04-11 03:11] - 0719872 ____A (Microsoft Corporation) CF8B9A3A5E7DC57724A89D0C3E8CF9EF



**** End of log ****

#14
Maniac
Posted 29 April 2012 - 07:49 AM

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 17,010 posts
  • Gender:Male
  • Location:Bulgaria, EU
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield: 
    :filefind
*afd.sys*


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here Posted Image

#15
somethingd
Posted 29 April 2012 - 07:59 AM

    New Member

  • Members
  • Pip
  • 17 posts
SystemLook 30.07.11 by jpshortstuff
Log created at 08:55 on 29/04/2012 by Bria
Administrator - Elevation successful

========== filefind ==========

Searching for "*afd.sys*"
C:\Windows\System32\drivers\afd.sys --a---- 404992 bytes [12:52 15/02/2012] [14:25 03/01/2012] C4F6CE6087760AD70960C9EB130E7943
C:\Windows\System32\drivers\en-US\afd.sys.mui --a---- 8192 bytes [15:13 02/11/2006] [15:13 02/11/2006] A9EB14594E52F176F33518B81F694ABC
C:\Windows\winsxs\amd64_microsoft-windows-winsock-core.resources_31bf3856ad364e35_6.0.6000.16386_en-us_a5d099e339d8fb49\afd.sys.mui --a---- 8192 bytes [15:13 02/11/2006] [15:13 02/11/2006] A9EB14594E52F176F33518B81F694ABC
C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18000_none_3406de1616ca9086\afd.sys --a---- 408064 bytes [02:48 21/01/2008] [02:48 21/01/2008] DB37041AB857ABC7E179E856D8E1582C
C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18639_none_33ef7c5016dab752\afd.sys --a---- 407552 bytes [01:57 16/06/2011] [13:42 21/04/2011] 9BB97042FA331A0FB4BDD98B9280A50A
C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.22905_none_34958b832fe3983b\afd.sys --a---- 408064 bytes [01:57 16/06/2011] [13:47 21/04/2011] B53144D2EBB0843DD0436F5EA6953F65
C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18005_none_35f2572213ec5bd2\afd.sys --a---- 406016 bytes [20:48 01/08/2010] [05:44 11/04/2009] 12415CCFD3E7CEC55B5184E67B039FE4
C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18457_none_35be4fb214130ed1\afd.sys --a---- 405504 bytes [01:57 16/06/2011] [14:20 21/04/2011] 0CC146C4ADDEA45791B18B1E2659F4A9
C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18564_none_35b080ce141ddbe4\afd.sys --a---- 404992 bytes [12:52 15/02/2012] [14:25 03/01/2012] C4F6CE6087760AD70960C9EB130E7943
C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.22629_none_366a5ebb2d168a9d\afd.sys --a---- 405504 bytes [01:57 16/06/2011] [13:54 21/04/2011] 7B8E5F3A0626CA83B706F0738830845F
C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.22770_none_362b4e6b2d472f6a\afd.sys --a---- 404992 bytes [12:52 15/02/2012] [14:21 03/01/2012] 022ED7EB19DFECF39C106E0F9CF2BB19
C:\Windows\winsxs\Backup\amd64_microsoft-windows-winsock-core.resources_31bf3856ad364e35_6.0.6000.16386_en-us_a5d099e339d8fb49_afd.sys.mui_ff192075 --a---- 8192 bytes [15:15 02/11/2006] [15:14 02/11/2006] A9EB14594E52F176F33518B81F694ABC
C:\Windows\winsxs\Backup\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18564_none_35b080ce141ddbe4_afd.sys_084af4a8 --a---- 404992 bytes [09:10 16/02/2012] [08:31 16/02/2012] C4F6CE6087760AD70960C9EB130E7943

-= EOF =-

#16
Maniac
Posted 29 April 2012 - 01:43 PM

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 17,010 posts
  • Gender:Male
  • Location:Bulgaria, EU
Delete your ComboFix copy, download a new fresh one and then:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

FCopy::
C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18000_none_3406de1616ca9086\afd.sys | C:\Windows\System32\drivers\afd.sys

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here Posted Image

#17
somethingd
Posted 29 April 2012 - 05:47 PM

    New Member

  • Members
  • Pip
  • 17 posts
ComboFix 12-04-29.02 - Bria 04/29/2012 17:19:48.2.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3837.2319 [GMT -4:00]
Running from: c:\users\Bria\Desktop\ComboFix.exe
Command switches used :: c:\users\Bria\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
FW: Symantec Endpoint Protection *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: Symantec Endpoint Protection *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Bria\Favorites\Games.url
c:\windows\dxxdv34567.bat
c:\windows\fdgg34353edfgdfdf
.
.
--------------- FCopy ---------------
.
c:\windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18000_none_3406de1616ca9086\afd.sys --> c:\windows\System32\drivers\afd.sys
.
((((((((((((((((((((((((( Files Created from 2012-03-28 to 2012-04-29 )))))))))))))))))))))))))))))))
.
.
2012-04-29 21:46 . 2012-04-29 21:51 -------- d-----w- c:\users\Bria\AppData\Local\temp
2012-04-29 21:46 . 2012-04-29 21:46 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-29 21:19 . 2008-01-21 02:48 408064 ----a-w- c:\windows\SysWow64\drivers\afd.sys
2012-04-26 22:20 . 2012-04-26 22:20 33096 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-04-26 20:20 . 2012-04-26 20:20 -------- d-----w- c:\program files (x86)\ESET
2012-04-26 18:45 . 2012-04-04 19:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-26 18:45 . 2012-04-26 22:24 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-04-26 07:10 . 2012-04-26 20:19 -------- d-----w- c:\users\Bria\AppData\Roaming\QuickScan
2012-04-26 07:04 . 2012-04-26 07:04 -------- d-----w- c:\programdata\Malwarebytes
2012-04-25 20:43 . 2012-04-25 20:43 -------- d-----w- c:\users\Bria\AppData\Roaming\LolClient
2012-04-25 03:28 . 2008-07-12 12:18 467984 ----a-w- c:\windows\SysWow64\d3dx10_39.dll
2012-04-25 03:28 . 2008-07-12 12:18 1493528 ----a-w- c:\windows\SysWow64\D3DCompiler_39.dll
2012-04-25 03:28 . 2008-07-12 12:18 3851784 ----a-w- c:\windows\SysWow64\D3DX9_39.dll
2012-04-25 03:16 . 2012-04-25 03:16 -------- d-----w- C:\Riot Games
2012-04-25 02:41 . 2012-04-25 22:21 -------- d-----w- c:\users\Bria\AppData\Local\PMB Files
2012-04-25 02:41 . 2012-04-25 21:53 -------- d-----w- c:\programdata\PMB Files
2012-04-25 02:41 . 2012-04-25 02:41 -------- d-----w- c:\program files (x86)\Pando Networks
2012-04-24 00:02 . 2012-04-24 00:02 -------- d-----w- c:\program files (x86)\Activision
2012-04-16 13:40 . 2012-04-16 13:40 -------- d-sh--w- c:\windows\ftpcache
2012-04-16 13:39 . 2012-04-16 13:40 -------- d-----w- c:\program files (x86)\Saunders NCLEX-RN4e
2012-04-13 07:12 . 2012-03-06 06:44 4699520 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-13 07:11 . 2012-02-29 13:52 16384 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-13 07:11 . 2012-02-29 15:37 5632 ----a-w- c:\windows\system32\wmi.dll
2012-04-13 07:11 . 2012-02-29 15:37 219136 ----a-w- c:\windows\system32\wintrust.dll
2012-04-13 07:11 . 2012-02-29 15:35 78848 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-13 07:11 . 2012-02-29 15:11 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2012-04-13 07:11 . 2012-02-29 15:11 172032 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-04-13 07:11 . 2012-02-29 15:09 157696 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-04-12 15:14 . 2012-03-01 11:01 2409784 ----a-w- c:\program files (x86)\Windows Mail\OESpamFilter.dat
2012-04-12 15:14 . 2012-03-01 11:01 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-13 08:46 . 2012-04-27 07:33 8917360 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{65DD6124-AB59-4569-863D-9FA034EE59AB}\mpengine.dll
2012-02-23 14:18 . 2010-05-24 18:43 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-02-15 16:01 . 2012-02-15 16:01 52736 ----a-w- c:\windows\system32\drivers\usbaapl64.sys
2012-02-15 16:01 . 2012-02-15 16:01 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-02-14 16:49 . 2012-03-14 12:36 327680 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-02-14 16:49 . 2012-03-14 12:36 196096 ----a-w- c:\windows\system32\d3d10_1.dll
2012-02-14 15:45 . 2012-03-14 12:36 219648 ----a-w- c:\windows\SysWow64\d3d10_1core.dll
2012-02-14 15:45 . 2012-03-14 12:36 160768 ----a-w- c:\windows\SysWow64\d3d10_1.dll
2012-02-13 14:38 . 2012-03-14 12:36 2002944 ----a-w- c:\windows\system32\d3d10warp.dll
2012-02-13 14:12 . 2012-03-14 12:36 1172480 ----a-w- c:\windows\SysWow64\d3d10warp.dll
2012-02-13 14:06 . 2012-03-14 12:36 834048 ----a-w- c:\windows\system32\d2d1.dll
2012-02-13 14:03 . 2012-03-14 12:36 1555968 ----a-w- c:\windows\system32\DWrite.dll
2012-02-13 13:47 . 2012-03-14 12:36 683008 ----a-w- c:\windows\SysWow64\d2d1.dll
2012-02-13 13:44 . 2012-03-14 12:36 1068544 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-02-07 15:02 . 2012-02-07 15:02 1070352 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX
2012-02-02 15:34 . 2012-03-14 12:36 2765824 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2012-04-27_08.59.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 02:23 . 2012-04-29 21:50 77876 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 15:45 . 2012-04-29 21:50 84084 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2009-03-23 03:11 . 2012-04-27 09:00 22258 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2463042382-2951657566-2286130367-1000_UserData.bin
+ 2009-03-23 03:11 . 2012-04-29 21:50 22258 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2463042382-2951657566-2286130367-1000_UserData.bin
+ 2012-04-29 21:48 . 2012-04-29 21:48 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-04-27 08:57 . 2012-04-27 08:57 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-04-29 21:48 . 2012-04-29 21:48 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-04-27 08:57 . 2012-04-27 08:57 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-03-21 14:56 . 2012-04-29 20:39 334200 c:\windows\system32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2006-11-02 12:46 . 2012-04-29 11:00 613520 c:\windows\system32\perfh009.dat
- 2006-11-02 12:46 . 2012-04-26 22:37 613520 c:\windows\system32\perfh009.dat
+ 2006-11-02 12:46 . 2012-04-29 11:00 108446 c:\windows\system32\perfc009.dat
- 2006-11-02 12:46 . 2012-04-26 22:37 108446 c:\windows\system32\perfc009.dat
+ 2011-02-17 08:20 . 2012-04-29 21:46 302756 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2011-02-17 08:20 . 2012-04-27 08:55 302756 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-08-09 02:22 . 2012-04-29 10:50 576678 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2463042382-2951657566-2286130367-1000-4096.dat
- 2008-10-15 08:29 . 2012-04-27 08:55 2537664 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2008-10-15 08:29 . 2012-04-29 21:46 2537664 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2011-06-16 04:06 . 2012-04-27 08:55 2201568 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2463042382-2951657566-2286130367-1000-8192.dat
+ 2011-06-16 04:06 . 2012-04-29 21:46 2201568 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2463042382-2951657566-2286130367-1000-8192.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-04-24 432640]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"MobileDocuments"="c:\program files (x86)\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
"iCloudServices"="c:\program files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe" [2012-02-23 59240]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-15 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2012-02-23 59240]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-07 421736]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
ddnsfilter REG_MULTI_SZ ddnsfilter
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-02 01:38]
.
2012-04-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-02 01:38]
.
2010-06-08 c:\windows\Tasks\Install_NSS.job
- c:\windows\SysWOW64\Adobe\Shockwave 11\nssstub.exe [2010-01-27 21:01]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skytel"="Skytel.exe" [2007-11-21 1826816]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1573160]
"TPwrMain"="c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE" [BU]
"HSON"="c:\program files (x86)\TOSHIBA\TBS\HSON.exe" [BU]
"SmoothView"="c:\program files (x86)\Toshiba\SmoothView\SmoothView.exe" [BU]
"00TCrdMain"="c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe" [BU]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2463042382-2951657566-2286130367-1000\Software\SecuROM\License information*]
"datasecu"=hex:e0,6a,0e,6b,5f,54,dd,ec,2c,74,12,b6,16,9f,83,55,fa,fb,99,70,97,
7c,0f,01,8c,e4,db,60,97,65,7c,7a,98,17,02,e6,1a,8b,31,74,9f,19,90,27,79,4d,\
"rkeysecu"=hex:5c,53,d9,39,b0,34,e1,5c,d1,71,87,95,ea,1c,e5,a2
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2012-04-29 18:03:03 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-29 22:03
ComboFix2.txt 2012-04-27 09:13
.
Pre-Run: 140,495,421,440 bytes free
Post-Run: 142,656,258,048 bytes free
.
- - End Of File - - F8C41B83EE46D00C3161C6E084909265

#18
somethingd
Posted 29 April 2012 - 05:48 PM

    New Member

  • Members
  • Pip
  • 17 posts
Also, the laptop is connecting to the internet again.

#19
Maniac
Posted 30 April 2012 - 04:07 AM

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 17,010 posts
  • Gender:Male
  • Location:Bulgaria, EU
Sounds good. :)

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named)

Click the cog in the upper right
Posted Image

Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan
Posted Image

Allow AVP to delete all infections found
Once it has finished select report tab (last tab)
Select Detected threads report from the left and press Save button
Save it to your desktop and post it in your next reply.
My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here Posted Image

#20
somethingd
Posted 30 April 2012 - 07:37 PM

    New Member

  • Members
  • Pip
  • 17 posts
<p> </p>
<div>Status: Deleted   (events: 4)<span class="Apple-tab-span" style="white-space:pre"> </span></div>
<div>4/30/2012 7:30:02 AM<span class="Apple-tab-span" style="white-space:pre"> </span>Deleted<span class="Apple-tab-span" style="white-space:pre"> </span>adware not-a-virus:AdWare.Win32.HotBar.dh<span class="Apple-tab-span" style="white-space:pre"> </span>C:\Documents and Settings\All Users\Symantec\Symantec Endpoint Protection\Quarantine\09C80000\4DEDF21A.VBN<span class="Apple-tab-span" style="white-space:pre"> </span>Medium<span class="Apple-tab-span" style="white-space:pre"> </span></div>
<div>4/30/2012 7:30:02 AM<span class="Apple-tab-span" style="white-space:pre"> </span>Deleted<span class="Apple-tab-span" style="white-space:pre"> </span>adware not-a-virus:AdWare.Win32.HotBar.dh<span class="Apple-tab-span" style="white-space:pre"> </span>C:\Documents and Settings\All Users\Symantec\Symantec Endpoint Protection\Quarantine\09C80000\4DEDF21A.VBN//CryptZ<span class="Apple-tab-span" style="white-space:pre"> </span>Medium<span class="Apple-tab-span" style="white-space:pre"> </span></div>
<div>4/30/2012 7:29:55 AM<span class="Apple-tab-span" style="white-space:pre"> </span>Deleted<span class="Apple-tab-span" style="white-space:pre"> </span>adware not-a-virus:AdWare.Win32.HotBar.dh<span class="Apple-tab-span" style="white-space:pre"> </span>C:\Documents and Settings\All Users\Symantec\Symantec Endpoint Protection\Quarantine\09C80001\4DED62FE.VBN<span class="Apple-tab-span" style="white-space:pre"> </span>Medium<span class="Apple-tab-span" style="white-space:pre"> </span></div>
<div>4/30/2012 7:29:55 AM<span class="Apple-tab-span" style="white-space:pre"> </span>Deleted<span class="Apple-tab-span" style="white-space:pre"> </span>adware not-a-virus:AdWare.Win32.HotBar.dh<span class="Apple-tab-span" style="white-space:pre"> </span>C:\Documents and Settings\All Users\Symantec\Symantec Endpoint Protection\Quarantine\09C80001\4DED62FE.VBN//CryptZ<span class="Apple-tab-span" style="white-space:pre"> </span>Medium<span class="Apple-tab-span" style="white-space:pre"> </span></div>
<div> </div>

Back to Resolved HijackThis Logs · Next Unread Topic →


1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users

  1. Malwarebytes Forum
  2. Computer Help
  3. Malware Removal - HijackThis Logs
  4. Resolved HijackThis Logs

Products

About

Partners

Follow Us