

Windows Security 2012 keeps coming back

This is a discussion on Windows Security 2012 keeps coming back within the Resolved HJT Threads forums, part of the Tech Support Forum category.


Old 12-11-2011, 08:02 PM   #1
Registered Member
 
Join Date: Dec 2011
Posts: 39
OS: Windows Vista



Hi, I'm new here and just read through the sticky for "new instructions", so I hope I'm doing everything correctly. I received the "Windows Security 2012" virus a few weeks back and ran "rkill" so I could get "Malwarebytes' Anti-Malware" to do a scan, which found a few things and removed it. Last week, the "Security 2012" came back and I repeated the same thing but the scan didn't find anything this time. However, my "Microsoft Security Essentials" DID find something and removed them. Today, the "Security 2012" came back again, so I finally decided to get some professional help. I don't have a Windows Install CD, but I may be able to get one. Anyways, here's the DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_24
Run by Kai at 15:35:13 on 2011-12-11
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3069.292 [GMT -8:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c09c50a2\aestsrv.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Giraffic\Veoh_GirafficWatchdog.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c09c50a2\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\Wacom_Tablet.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\WTablet\Wacom_TabletUser.exe
C:\Windows\system32\Wacom_Tablet.exe
C:\Windows\OEM02Mon.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Program Files\Giraffic\Veoh_Giraffic.exe
C:\Windows\System32\WLTRAY.EXE
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\VeohWebPlayer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\Steam\SteamService.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\conime.exe
C:\Windows\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\System32\ping.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\prevhost.exe
C:\Program Files\Windows Media Player\wmprph.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2653012
mURLSearchHooks: Veoh Web Player Toolbar: {cd90bf73-20f6-44ef-993d-bb920303bd2e} - c:\program files\veoh_web_player\prxtbVeoh.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Veoh Web Player Toolbar: {cd90bf73-20f6-44ef-993d-bb920303bd2e} - c:\program files\veoh_web_player\prxtbVeoh.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Veoh Web Player Toolbar: {cd90bf73-20f6-44ef-993d-bb920303bd2e} - c:\program files\veoh_web_player\prxtbVeoh.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"
uRun: [Akamai NetSession Interface] c:\users\kai\appdata\local\akamai\netsession_win.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-explorer: HideSCAHealth = 1 (0x1)
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
LSP: mswsock.dll
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: kuaiche.com\software
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{3877DCF3-14E6-4659-9C7F-753D8612F073} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{F68FF5F8-CF15-48B6-AC04-D4BC858E5004} : DhcpNameServer = 192.168.1.254
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
AppInit_DLLs: c:\windows\system32\acaptuser32.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\kai\appdata\roaming\mozilla\firefox\profiles\dqnk2s2o.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2653012&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
FF - component: c:\users\kai\appdata\roaming\mozilla\firefox\profiles\dqnk2s2o.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc_fireftp.dll
FF - component: c:\users\kai\appdata\roaming\mozilla\firefox\profiles\dqnk2s2o.default\extensions\{cd90bf73-20f6-44ef-993d-bb920303bd2e}\components\RadioWMPCoreGecko19.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60129.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npRLCT4Player.dll
FF - plugin: c:\program files\tabletplugins\npwacom.dll
FF - plugin: c:\users\kai\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165648]
R1 MpKsl8a00b0c0;MpKsl8a00b0c0;c:\programdata\microsoft\microsoft antimalware\definition updates\{60702f0c-37cc-40d9-9980-0824b0d1b72e}\MpKsl8a00b0c0.sys [2011-12-11 29904]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_c09c50a2\AEstSrv.exe [2011-9-22 73728]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2010-5-31 21504]
R2 Giraffic;Veoh Giraffic Video Accelerator;c:\program files\giraffic\veoh_girafficwatchdog.exe --service --> c:\program files\giraffic\Veoh_GirafficWatchdog.exe --service [?]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2010-5-30 5010288]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]
R3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\drivers\vcsvad.sys [2011-6-29 17792]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2010-5-30 16168]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-17 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-7-17 135664]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
.
=============== Created Last 30 ================
.
2011-12-11 19:26:31 29904 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{60702f0c-37cc-40d9-9980-0824b0d1b72e}\MpKsl8a00b0c0.sys
2011-12-11 19:26:29 56200 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{60702f0c-37cc-40d9-9980-0824b0d1b72e}\offreg.dll
2011-12-10 20:44:30 6823496 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{60702f0c-37cc-40d9-9980-0824b0d1b72e}\mpengine.dll
2011-12-03 00:19:35 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-12-03 00:19:35 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-12-03 00:19:34 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-12-03 00:19:33 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-12-03 00:19:33 478168 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-12-03 00:19:33 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-12-03 00:19:32 801752 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-12-03 00:19:32 1989592 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-11-27 06:21:44 -------- d-----w- c:\users\kai\appdata\local\{C7573103-9EB8-4FCC-AC8D-5B60DE5688FC}
2011-11-14 01:44:21 -------- d-----w- c:\users\kai\appdata\local\{22550FC8-E42F-44AB-9C12-FD966A6D7F87}
2011-11-14 01:44:00 -------- d-----w- c:\users\kai\appdata\local\{13EB85C4-1949-493F-BFC4-80298EF0428A}
.
==================== Find3M ====================
.
2011-12-09 05:45:00 75264 ----a-w- c:\windows\system32\drivers\dfsc.sys
2011-11-19 20:08:48 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-20 21:02:55 913280 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-09-20 13:44:04 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
.
============= FINISH: 15:37:12.52 ===============


If I left anything out, please let me know. Thank you.
Attached Files
File Type: zip Attach.zip (5.7 KB, 24 views)
KaijuKaizar is offline  
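A triage helper for the DDS "Pseudo HJT Report" format, added here as an example; it is not part of DDS, ComboFix, or either poster's instructions. It parses the line shapes seen in the log above (uRun/mRun/dRun, BHO/TB/EB, Start Page, FF prefs.js, Trusted Zone, AppInit_DLLs) and lists the entries a helper would normally look at first: autostarts or browser extensions loaded from a user-writable profile directory, run entries with no name or command, home page or search URLs pointing at a host outside a small allowlist, IE Trusted Zone additions, and any AppInit_DLLs value. The sample input is a subset of lines copied from the DDS log above; the allowlist of default search hosts, the category names and the rules themselves are assumptions of this example, and a flagged line is a review item for a human, not a verdict.

```python
"""Triage helper for DDS 'Pseudo HJT Report' lines (example code, not part of DDS or this thread)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed input: a subset of lines copied from the DDS log posted above.
SAMPLE_LOG = r"""
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2653012
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Veoh Web Player Toolbar: {cd90bf73-20f6-44ef-993d-bb920303bd2e} - c:\program files\veoh_web_player\prxtbVeoh.dll
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [Akamai NetSession Interface] c:\users\kai\appdata\local\akamai\netsession_win.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [<NO NAME>]
Trusted Zone: kuaiche.com\software
AppInit_DLLs: c:\windows\system32\acaptuser32.dll
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2653012&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
"""

# Hosts a stock IE9/Firefox install would plausibly have as home or search page.
# This allowlist is an assumption of the example, not a DDS convention.
DEFAULT_SEARCH_HOSTS = {"google.com", "www.google.com", "bing.com", "www.bing.com", "www.msn.com", "go.microsoft.com"}

RUN_RE = re.compile(r"^([umd])Run: \[(.*?)\]\s*(.*)$")            # uRun=HKCU, mRun=HKLM, dRun=.DEFAULT
EXT_RE = re.compile(r"^(BHO|TB|EB): (.*?): \{([0-9a-fA-F-]{36})\} - (.*)$")
START_RE = re.compile(r"^[umd]Start Page = (.*)$")
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (\S+) - (.*)$")
SEARCH_PREFS = {"browser.search.defaulturl", "browser.startup.homepage", "keyword.URL"}
USER_PROFILE_RE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    category: str  # short label for the kind of entry a helper would review
    line: str      # the log line that triggered it


def defanged_host(defanged_url: str) -> str:
    """DDS writes URLs as hxxp:// so they are not clickable; undo that only to read the host."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", defanged_url.strip(), flags=re.IGNORECASE)
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def triage(log_text: str) -> list[Finding]:
    """Return review items for the Pseudo HJT Report lines in log_text, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            _scope, name, command = m.groups()
            if name in ("", "<NO NAME>") or not command:
                findings.append(Finding("run-entry-without-name-or-command", line))
            elif USER_PROFILE_RE.search(command):
                findings.append(Finding("autostart-from-user-profile", line))
            continue
        m = EXT_RE.match(line)
        if m:
            if USER_PROFILE_RE.search(m.group(4)):
                findings.append(Finding("browser-extension-from-user-profile", line))
            continue
        m = START_RE.match(line)
        if m:
            if defanged_host(m.group(1)) not in DEFAULT_SEARCH_HOSTS:
                findings.append(Finding("homepage-or-search-redirect", line))
            continue
        m = FF_PREF_RE.match(line)
        if m:
            pref, value = m.groups()
            if pref in SEARCH_PREFS and value and defanged_host(value) not in DEFAULT_SEARCH_HOSTS:
                findings.append(Finding("homepage-or-search-redirect", line))
            continue
        if line.startswith("Trusted Zone:"):
            # Sites in IE's Trusted zone run with relaxed security settings; every entry is worth a look.
            findings.append(Finding("ie-trusted-zone-entry", line))
        elif line.startswith("AppInit_DLLs:") and line.split(":", 1)[1].strip():
            # AppInit_DLLs are loaded into every process that links user32.dll, so a value here always merits review.
            findings.append(Finding("appinit-dll-present", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.category}] {f.line}")
```

The same line formats reappear in the "Supplementary Scan" section of a ComboFix log, so the parser can be pointed at that section too. The rules are deliberately about location and shape (user-profile paths, empty names, non-default search hosts) rather than about any particular product name, which is what lets a helper sort a long log quickly before deciding what actually needs removal.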
Old 12-12-2011, 10:26 AM   #2
TSF Team
Manager Emeritus
 
Join Date: Jun 2008
Location: London UK
Posts: 4,966
OS: Windows 7 SP1 x64



Hi KaijuKaizar, welcome to TSF.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. You may want to print and/or save the following instructions in Notepad as this webpage will not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

If there are any personal files, pics, etc. on your computer you cannot live without, back it up now just as a precaution.

------------------------------------------------------

Due to the restrictions on Windows Vista, all tools should be started by right-click > Run as Administrator.

------------------------------------------------------

Try to carry out the next set of instructions using Normal mode. If you cannot, be sure to boot into Safe Mode with Networking.

**Read through these instructions in their entirety BEFORE executing them.** If you have any questions or are unsure about any of the following instructions PLEASE ASK for clarification before continuing. You may want to copy this page to notepad or print it as it will not be available while you run ComboFix.
  1. Download ComboFix from one of these locations:

    Link 1
    Link 2

    BEFORE you save Combofix, please rename the file as svchost.exe.

    * IMPORTANT !!! Place svchost.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.


    You can get help on disabling your protection programs here

  3. Double click on svchost.exe & follow the prompts.

  4. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

  5. When finished, it shall produce a log for you. Post that log in your next reply


    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------

  6. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------
Will Watts is offline  
Old 12-12-2011, 07:14 PM   #3
Registered Member
 
Join Date: Dec 2011
Posts: 39
OS: Windows Vista



Tried to run "Combofix" in normal mode, but it was unable to finish, so I ran it in Safe mode instead. Here's the log I received:


ComboFix 11-12-08.01 - Kai 12/12/2011 17:43:56.2.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3069.2490 [GMT -8:00]
Running from: c:\users\Kai\Documents\Desktop\svchost.exe.exe
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Kai\AppData\Roaming\4555.ini
c:\users\Kai\AppData\Roaming\Mozilla\Firefox\Profiles\dqnk2s2o.default\searchplugins\bing-zugo.xml
I:\Setup.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-11-13 to 2011-12-13 )))))))))))))))))))))))))))))))
.
.
2011-12-13 01:59 . 2011-12-13 02:00 -------- d-----w- c:\users\Kai\AppData\Local\temp
2011-12-13 01:59 . 2011-12-13 01:59 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-12-13 01:59 . 2011-12-13 01:59 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-13 01:01 . 2011-12-13 01:37 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{55B063ED-6283-42A2-ACE8-4EAC042AA464}\offreg.dll
2011-12-13 01:00 . 2011-11-21 10:47 6823496 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{55B063ED-6283-42A2-ACE8-4EAC042AA464}\mpengine.dll
2011-12-12 11:19 . 2011-12-12 20:32 -------- d-----w- c:\programdata\jO28300EaFcG28300
2011-12-03 00:19 . 2011-12-03 00:19 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-12-03 00:19 . 2011-12-03 00:19 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-12-03 00:19 . 2011-12-03 00:19 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-12-03 00:19 . 2011-12-03 00:19 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-12-03 00:19 . 2011-12-03 00:19 478168 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-12-03 00:19 . 2011-12-03 00:19 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-12-03 00:19 . 2011-12-03 00:19 801752 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-12-03 00:19 . 2011-12-03 00:19 1989592 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-09 05:45 . 2011-06-14 18:47 75264 ----a-w- c:\windows\system32\drivers\dfsc.sys
2011-11-21 10:47 . 2011-07-15 21:25 6823496 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-11-19 20:08 . 2011-06-09 17:23 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-12 01:32 . 2011-10-12 01:32 703824 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{53ADD451-E9B1-4443-ACA6-CB1A2FCCD9EE}\gapaengine.dll
2011-09-20 21:02 . 2011-11-08 21:03 913280 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-09-20 13:44 . 2011-11-08 21:03 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2006-06-16 04:33 . 2011-03-09 09:52 233472 ----a-w- c:\program files\mozilla firefox\plugins\CrazyTalk4Native.dll
2006-05-26 02:43 . 2011-03-09 09:52 204895 ----a-w- c:\program files\mozilla firefox\plugins\ctdomemhelper.dll
2005-09-29 22:41 . 2011-03-09 09:52 77824 ----a-w- c:\program files\mozilla firefox\plugins\ctframeplayerobject.dll
2006-06-19 21:10 . 2011-03-09 09:52 426081 ----a-w- c:\program files\mozilla firefox\plugins\ctplayerobject.dll
2005-02-02 20:19 . 2011-03-09 09:51 458752 ----a-w- c:\program files\mozilla firefox\plugins\imagickrt.dll
2006-04-11 02:35 . 2011-03-09 09:52 139264 ----a-w- c:\program files\mozilla firefox\plugins\rlcontentclass.dll
2005-11-09 19:10 . 2011-03-09 09:51 204800 ----a-w- c:\program files\mozilla firefox\plugins\RLMusicPacker.dll
2005-11-09 19:42 . 2011-03-09 09:51 106496 ----a-w- c:\program files\mozilla firefox\plugins\RLMusicUnpacker.dll
2006-01-04 19:22 . 2011-03-09 09:51 212992 ----a-w- c:\program files\mozilla firefox\plugins\RLVoicePacker.dll
2006-01-04 19:21 . 2011-03-09 09:51 167936 ----a-w- c:\program files\mozilla firefox\plugins\RLVoiceUnpacker.dll
2011-12-03 00:19 . 2011-12-03 00:19 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Steam\steam.exe" [2011-08-02 1242448]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-10 36864]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-08-08 1548288]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-09-01 1047208]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-28 118784]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-09-01 1047208]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2008-02-16 405504]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\acaptuser32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-05-31 691696]
R1 MpKsl2ff21852;MpKsl2ff21852;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6CC850DF-5A72-43A2-888C-5E0CE35D2458}\MpKsl2ff21852.sys [x]
R1 MpKsl3516f4b4;MpKsl3516f4b4;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D6BEB82C-A787-4DEB-AD53-D7187087128B}\MpKsl3516f4b4.sys [x]
R1 MpKsl84ec156d;MpKsl84ec156d;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D6BEB82C-A787-4DEB-AD53-D7187087128B}\MpKsl84ec156d.sys [x]
R1 MpKslae0cc6ec;MpKslae0cc6ec;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{60702F0C-37CC-40D9-9980-0824B0D1B72E}\MpKslae0cc6ec.sys [x]
R1 MpKsld3255ed1;MpKsld3255ed1;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D6BEB82C-A787-4DEB-AD53-D7187087128B}\MpKsld3255ed1.sys [x]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_c09c50a2\aestsrv.exe [2007-09-20 73728]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-07-17 135664]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2010-03-08 5010288]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-07-17 135664]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\DRIVERS\vcsvad.sys [2008-12-26 17792]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\DRIVERS\wacmoumonitor.sys [2010-01-24 16168]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ECACHE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-17 20:35]
.
2011-12-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-17 20:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2653012
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: kuaiche.com\software
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Kai\AppData\Roaming\Mozilla\Firefox\Profiles\dqnk2s2o.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2653012&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{CD90BF73-20F6-44EF-993D-BB920303BD2E} - (no file)
HKCU-Run-Akamai NetSession Interface - c:\users\Kai\AppData\Local\Akamai\netsession_win.exe
SafeBoot-74935069.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-12-12 17:59
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\users\Kai\AppData\Local\Temp\catchme.dll 53248 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(1916)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2011-12-12 18:05:07
ComboFix-quarantined-files.txt 2011-12-13 02:05
ComboFix2.txt 2011-07-12 02:13
.
Pre-Run: 124,873,269,248 bytes free
Post-Run: 124,579,094,528 bytes free
.
- - End Of File - - 95FBDED11D24CFBB78E8B8649D7A5947
KaijuKaizar is offline  
 
Old 12-13-2011, 04:09 AM   #4
TSF Team
Manager Emeritus
 
 
Join Date: Jun 2008
Location: London UK
Posts: 4,966
OS: Windows 7 SP1 x64



Press the Windows "logo" key and "R" then copy/paste the following single-line command into the Run box and click OK:

C:\qoobox\ComboFix2.txt

A notepad window should appear. Please copy and paste the contents of the log into your next reply.

------------------------------------------------------

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. You may want to print and/or save the following instructions in Notepad as this webpage will not be available when you're carrying out the fix.

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Code:
Folder::
C:\Windows\$NtUninstallKB43384$
Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

Combofix may request an update, click Yes to allow it.

When finished, please post the C:\ComboFix.txt for further review.
Will Watts is offline  
Old 12-13-2011, 03:35 PM   #5
Registered Member
 
Join Date: Dec 2011
Posts: 39
OS: Windows Vista



I wasn't sure how you wanted this, but I copy/pasted the results from the first set of instructions into the reply and attached the results from the second set.

ComboFix 11-07-11.02 - Kai 07/11/2011 18:56:53.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3069.1465 [GMT -7:00]
Running from: c:\users\Kai\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Search Toolbar
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\SearchToolbar.dll
c:\program files\Search Toolbar\SearchToolbarUninstall.exe
c:\program files\Search Toolbar\SearchToolbarUpdater.exe
c:\users\Kai\AppData\Local\{1A1CF6BC-6D23-4A3F-BE17-2F65A62EBAF9}
c:\users\Kai\AppData\Local\{1A1CF6BC-6D23-4A3F-BE17-2F65A62EBAF9}\chrome.manifest
c:\users\Kai\AppData\Local\{1A1CF6BC-6D23-4A3F-BE17-2F65A62EBAF9}\chrome\content\_cfg.js
c:\users\Kai\AppData\Local\{1A1CF6BC-6D23-4A3F-BE17-2F65A62EBAF9}\chrome\content\overlay.xul
c:\users\Kai\AppData\Local\{1A1CF6BC-6D23-4A3F-BE17-2F65A62EBAF9}\install.rdf
c:\users\Kai\AppData\Roaming\Adobe\plugs
c:\users\Kai\AppData\Roaming\Adobe\shed
c:\windows\system32\Install.txt
c:\windows\system32\tukdtjsr.txt
.
.
((((((((((((((((((((((((( Files Created from 2011-06-12 to 2011-07-12 )))))))))))))))))))))))))))))))
.
.
2011-07-12 02:10 . 2011-07-12 02:11 -------- d-----w- c:\users\Kai\AppData\Local\temp
2011-07-12 02:10 . 2011-07-12 02:10 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-07-11 09:19 . 2011-07-11 09:19 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2011-07-11 08:01 . 2011-07-11 08:01 115712 --sha-r- c:\windows\system32\C_861T.dll
2011-07-11 07:08 . 2011-07-11 07:08 -------- d-----w- c:\users\Kai\AppData\Roaming\GRETECH
2011-07-11 07:07 . 2011-07-11 07:42 -------- d-----w- c:\programdata\IMinent
2011-07-11 07:07 . 2011-07-11 07:07 -------- d-----w- c:\program files\GRETECH
2011-07-10 09:14 . 2011-06-07 15:55 7074640 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1EF53C54-1F7A-4262-907B-0BBF990F5079}\mpengine.dll
2011-06-30 20:07 . 2011-06-30 20:07 -------- d-----w- c:\program files\StartNow Toolbar
2011-06-29 21:00 . 2011-06-29 21:00 -------- d-----w- C:\1
2011-06-29 20:58 . 2011-06-29 20:58 -------- d-----w- C:\AV_LOGS
2011-06-29 20:47 . 2011-06-29 20:47 -------- d-----w- c:\users\Kai\AppData\Roaming\Avnex
2011-06-29 20:46 . 2008-12-26 19:56 17792 ----a-w- c:\windows\system32\drivers\vcsvad.sys
2011-06-29 20:46 . 2011-06-30 10:55 -------- d-----w- c:\program files\AV Vcs 7.0 DIAMOND
2011-06-29 20:35 . 2011-06-29 20:44 -------- d-----w- c:\program files\TeamSpeak 3 Client
2011-06-28 23:38 . 2011-04-29 15:59 276992 ----a-w- c:\windows\system32\schannel.dll
2011-06-17 01:17 . 2009-09-05 00:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2011-06-16 04:52 . 2011-06-17 01:34 -------- d-----w- C:\illusion
2011-06-16 04:28 . 2011-04-25 15:29 141104 ----a-w- c:\program files\Internet Explorer\sqmapi.dll
2011-06-16 04:28 . 2011-04-22 23:25 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-06-16 04:28 . 2011-04-22 23:35 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-06-14 18:47 . 2011-04-14 14:59 75264 ----a-w- c:\windows\system32\drivers\dfsc.sys
2011-06-14 18:47 . 2011-04-21 13:58 273408 ----a-w- c:\windows\system32\drivers\afd.sys
2011-06-14 18:47 . 2011-04-29 13:25 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-06-14 18:47 . 2011-04-29 13:25 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-06-14 18:47 . 2010-12-20 16:35 563712 ----a-w- c:\windows\system32\oleaut32.dll
2011-06-14 18:46 . 2011-05-02 17:16 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-06-14 18:46 . 2011-04-29 13:24 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-14 18:46 . 2011-04-29 13:24 79872 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-06-14 18:46 . 2011-04-29 13:24 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-06-14 18:46 . 2011-05-02 12:02 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-30 20:06 . 2011-06-09 17:23 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-07 15:55 . 2011-04-04 02:48 7074640 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-06-01 07:06 . 2011-06-01 07:06 161792 ----a-w- c:\windows\system32\msls31.dll
2011-06-01 07:06 . 2011-06-01 07:06 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-06-01 07:06 . 2011-06-01 07:06 86528 ----a-w- c:\windows\system32\iesysprep.dll
2011-06-01 07:06 . 2011-06-01 07:06 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-06-01 07:06 . 2011-06-01 07:06 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-06-01 07:06 . 2011-06-01 07:06 63488 ----a-w- c:\windows\system32\tdc.ocx
2011-06-01 07:06 . 2011-06-01 07:06 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-06-01 07:06 . 2011-06-01 07:06 74752 ----a-w- c:\windows\system32\iesetup.dll
2011-06-01 07:06 . 2011-06-01 07:06 367104 ----a-w- c:\windows\system32\html.iec
2011-06-01 07:06 . 2011-06-01 07:06 23552 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-01 07:06 . 2011-06-01 07:06 152064 ----a-w- c:\windows\system32\wextract.exe
2011-06-01 07:06 . 2011-06-01 07:06 150528 ----a-w- c:\windows\system32\iexpress.exe
2011-06-01 07:06 . 2011-06-01 07:06 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-01 07:06 . 2011-06-01 07:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-06-01 07:06 . 2011-06-01 07:06 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2011-06-01 07:06 . 2011-06-01 07:06 11776 ----a-w- c:\windows\system32\mshta.exe
2011-06-01 07:06 . 2011-06-01 07:06 101888 ----a-w- c:\windows\system32\admparse.dll
2011-06-01 07:06 . 2011-06-01 07:06 35840 ----a-w- c:\windows\system32\imgutil.dll
2011-06-01 07:06 . 2011-06-01 07:06 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-05-29 16:11 . 2010-05-31 08:06 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 16:11 . 2010-05-31 08:06 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-15 05:53 . 2010-05-31 04:30 2828 --sha-w- c:\programdata\KGyGaAvL.sys
2011-05-02 04:35 . 2011-05-02 04:34 44544 ----a-w- c:\windows\system32\agremove.exe
2006-06-16 04:33 . 2011-03-09 09:52 233472 ----a-w- c:\program files\mozilla firefox\plugins\CrazyTalk4Native.dll
2006-05-26 02:43 . 2011-03-09 09:52 204895 ----a-w- c:\program files\mozilla firefox\plugins\ctdomemhelper.dll
2005-09-29 22:41 . 2011-03-09 09:52 77824 ----a-w- c:\program files\mozilla firefox\plugins\ctframeplayerobject.dll
2006-06-19 21:10 . 2011-03-09 09:52 426081 ----a-w- c:\program files\mozilla firefox\plugins\ctplayerobject.dll
2005-02-02 20:19 . 2011-03-09 09:51 458752 ----a-w- c:\program files\mozilla firefox\plugins\imagickrt.dll
2006-04-11 02:35 . 2011-03-09 09:52 139264 ----a-w- c:\program files\mozilla firefox\plugins\rlcontentclass.dll
2005-11-09 19:10 . 2011-03-09 09:51 204800 ----a-w- c:\program files\mozilla firefox\plugins\RLMusicPacker.dll
2005-11-09 19:42 . 2011-03-09 09:51 106496 ----a-w- c:\program files\mozilla firefox\plugins\RLMusicUnpacker.dll
2006-01-04 19:22 . 2011-03-09 09:51 212992 ----a-w- c:\program files\mozilla firefox\plugins\RLVoicePacker.dll
2006-01-04 19:21 . 2011-03-09 09:51 167936 ----a-w- c:\program files\mozilla firefox\plugins\RLVoiceUnpacker.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-18 00:54 175912 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cd90bf73-20f6-44ef-993d-bb920303bd2e}]
2011-01-18 00:54 175912 ----a-w- c:\program files\Veoh_Web_Player\prxtbVeoh.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{cd90bf73-20f6-44ef-993d-bb920303bd2e}"= "c:\program files\Veoh_Web_Player\prxtbVeoh.dll" [2011-01-18 175912]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-18 175912]
.
[HKEY_CLASSES_ROOT\clsid\{cd90bf73-20f6-44ef-993d-bb920303bd2e}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CD90BF73-20F6-44EF-993D-BB920303BD2E}"= "c:\program files\Veoh_Web_Player\prxtbVeoh.dll" [2011-01-18 175912]
.
[HKEY_CLASSES_ROOT\clsid\{cd90bf73-20f6-44ef-993d-bb920303bd2e}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Steam\steam.exe" [2010-11-17 1242448]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2011-06-30 2648184]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-10 36864]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-08-08 1548288]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-05-29 1047656]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-28 118784]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-05-29 1047656]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\acaptuser32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
.
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-07-17 135664]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-07-17 135664]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-05-29 39984]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-25 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-25 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\DRIVERS\wacmoumonitor.sys [2010-01-24 16168]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-05-31 691696]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-19 21504]
S2 Giraffic;Giraffic Video Accelerator;c:\program files\Giraffic\GirafficWatchdog.exe [2011-06-27 2211984]
S2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2010-03-08 5010288]
S2 Toolbar Updater Service;Toolbar Updater Service;c:\program files\StartNow Toolbar\ToolbarUpdaterService.exe [2011-03-24 199904]
S3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\DRIVERS\vcsvad.sys [2008-12-26 17792]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 57827050
*NewlyCreated* - 98849426
*NewlyCreated* - MBAMSWISSARMY
*Deregistered* - 57827050
*Deregistered* - 98849426
*Deregistered* - klmd25
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
Akamai REG_MULTI_SZ Akamai
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-17 20:35]
.
2011-07-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-17 20:35]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
Trusted Zone: kuaiche.com\software
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Kai\AppData\Roaming\Mozilla\Firefox\Profiles\dqnk2s2o.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2653012&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\DivX\DivX Plus Web Player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\DivX\DivX Plus Web Player\firefox\wpa
FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Veoh Web Player Community Toolbar: {cd90bf73-20f6-44ef-993d-bb920303bd2e} - %profile%\extensions\{cd90bf73-20f6-44ef-993d-bb920303bd2e}
FF - user.js: yahoo.homepage.dontask - true
.
.
------- File Associations -------
.
.scr=REG_SZ
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-avppvkp - c:\windows\system32\vfa0ppff.exe
HKCU-Run-faakf5k - c:\windows\system32\1akfvkf.exe
HKCU-Run-zztj5e - c:\windows\system32\e2oj5e1to.exe
HKCU-Run-tjjet - c:\windows\system32\eo38ojzoee.exe
HKCU-Run-zoojzo - c:\windows\system32\t5oojz5t.exe
HKCU-Run-hhccxs - c:\windows\system32\sh9c0xssn1h.exe
HKCU-Run-nnhxxs - c:\windows\system32\xsnnh5xssnh.exe
HKCU-Run-sncsnnh - c:\windows\system32\hh6cxss7nh.exe
HKCU-Run-dyytii - c:\windows\system32\iidtt1ddyyt.exe
HKCU-Run-dyytn - c:\windows\system32\i2ytii1ttn.exe
HKCU-Run-tiynnii - c:\windows\system32\0ttnd9y.exe
HKCU-Run-bvvqgg - c:\windows\system32\qgg1q0llgv9.exe
HKCU-Run-lggbqq1 - c:\windows\system32\ql9ggbv9q.exe
HKCU-Run-qbqql - c:\windows\system32\gbqqlbb1.exe
HKCU-Run-llg1v - c:\windows\system32\qqlbqgg1q.exe
HKCU-Run-bvvq2 - c:\windows\system32\vqggb1vqq.exe
HKCU-Run-vllgv9q - c:\windows\system32\vl9ggbv9q0l.exe
HKCU-Run-bqqlb9 - c:\windows\system32\2bbwllg.exe
HKCU-Run-qggb1 - c:\windows\system32\1ggbqql.exe
HKCU-Run-llggbww - c:\windows\system32\wq4lbbwl.exe
HKCU-Run-mccwwr - c:\windows\system32\mmhcc6wr.exe
HKCU-Run-rhhcc - c:\windows\system32\c6rrm7hc1.exe
HKCU-Run-qllgvvq - c:\windows\system32\5qqla4v.exe
HKCU-Run-lgaavll - c:\windows\system32\6aavl5g.exe
HKCU-Run-bvqqlb - c:\windows\system32\aqgvvqqlaa.exe
HKCU-Run-lbbww - c:\windows\system32\lb9rrlgg7.exe
HKCU-Run-lgwwr1l - c:\windows\system32\6wwrggb.exe
HKCU-Run-ddynni2 - c:\windows\system32\ytiyy1i0.exe
HKCU-Run-tnddyy - c:\windows\system32\5dyytnn.exe
HKCU-Run-ttoo6 - c:\windows\system32\ddttod9y0to.exe
HKCU-Run-ttoddy0 - c:\windows\system32\dy7to1oiidt.exe
HKCU-Run-oeezoo - c:\windows\system32\u1uoojz9.exe
HKCU-Run-AdobeBridge - (no file)
HKCU-Run-sxs1s - c:\windows\system32\niinii2n.exe
HKCU-Run-ddxx2d - c:\windows\system32\dd1xd71nxx.exe
HKCU-Run-ndidssn - c:\windows\system32\issxidxxnn.exe
HKCU-Run-favvqql - c:\windows\system32\6qqk2av.exe
HKCU-Run-llfvvq1 - c:\windows\system32\qqkaavlaq.exe
HKCU-Run-vqqlf9 - c:\windows\system32\k0faavlaqq.exe
HKCU-Run-avvq1f - c:\windows\system32\avvqf9a0vq.exe
HKCU-Run-qlbbvll - c:\windows\system32\qqlb5vllgv.exe
HKCU-Run-lgg7b - c:\windows\system32\b1vqqlbq.exe
HKCU-Run-qbqgv - c:\windows\system32\38qlbqg.exe
HKCU-Run-lgvvqql - c:\windows\system32\v5qqlb5v.exe
HKCU-Run-yysii - c:\windows\system32\snni7dy1ys.exe
HKCU-Run-ssnddy1 - c:\windows\system32\1yn9i0d.exe
HKCU-Run-siiddys - c:\windows\system32\ii1ssnniy0.exe
HKCU-Run-eojo3 - c:\windows\system32\tjjzzzo6.exe
HKCU-Run-kfaavk - c:\windows\system32\aav1qkkfv.exe
HKCU-Run-vqqkaa - c:\windows\system32\vkkfvvqf9.exe
HKCU-Run-avvqf9a - c:\windows\system32\kkfv5q1faq.exe
HKCU-Run-kffaq - c:\windows\system32\1aq0k0f.exe
HKCU-Run-faqqk2a - c:\windows\system32\ffa7vq1v.exe
HKCU-Run-kffa0v - c:\windows\system32\kkffaq0k0.exe
HKCU-Run-ffaavqq - c:\windows\system32\avkk1vvqqka.exe
HKCU-Run-ddyo0 - c:\windows\system32\i3iidt98oid.exe
HKCU-Run-yti4d - c:\windows\system32\iidt98oi.exe
HKCU-Run-dyo0j - c:\windows\system32\id5y2oiyy1i.exe
HKCU-Run-toojy - c:\windows\system32\yytoo6idyy7.exe
HKCU-Run-kfaav1q - c:\windows\system32\5v6f5a2.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-07-11 19:11
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-07-11 19:13:34
ComboFix-quarantined-files.txt 2011-07-12 02:13
.
Pre-Run: 93,823,762,432 bytes free
Post-Run: 99,310,702,592 bytes free
.
- - End Of File - - AF79054742A3154AB862A7E04470C0DD
Attached Files
File Type: txt ComboFix.txt (12.1 KB, 22 views)
KaijuKaizar is offline  
Old 12-13-2011, 03:51 PM   #6
TSF Team
Manager Emeritus
 
 
Join Date: Jun 2008
Location: London UK
Posts: 4,966
OS: Windows 7 SP1 x64



Hi, thanks for the logs.

The latest Combofix run seems to have used Reduced Functionality Mode; did you receive any error message about this?

Please post the logs located at:
C:\Qoobox\ComboFix-quarantined-files.txt

There will also be a log located here:
C:\Qoobox\CFScript_used_<date>_<time>.txt

Please post up both logs. Please note, the <date>_<time> are variables that will be named accordingly.
Will Watts is offline  
Old 12-13-2011, 05:34 PM   #7
Registered Member
 
Join Date: Dec 2011
Posts: 39
OS: Windows Vista



I think it did, but the instructions said to select yes and I figured that was what I would have to select to get it to update. Should I re-download ComboFix to update it and redo the second set of instructions?

Otherwise, I'll attach the 2 logs requested.
Attached Files
File Type: txt ComboFix-quarantined-files.txt (12.5 KB, 22 views)
File Type: txt CFScript_used_2011-12-13_14.18.48.txt (31 Bytes, 18 views)
KaijuKaizar is offline  
Old 12-14-2011, 10:25 AM   #8
TSF Team
Manager Emeritus
 
 
Join Date: Jun 2008
Location: London UK
Posts: 4,966
OS: Windows 7 SP1 x64



Hi KaijuKaizar, how is the computer behaving now?
  • Download TDSSKiller.exe to your desktop
  • Execute TDSSKiller.exe by doubleclicking on it.
  • Press Start Scan
  • If Malicious objects are found, ensure Skip is selected.
    NOTE: Please do not attempt any fix yet.
  • Once complete, a log will be produced at the root drive which is typically C:\
    For example, C:\TDSSKiller.2.6.21.0_date_time_log.txt
  • Attach that log, please.
--------------------------------------
Will Watts is offline  
Old 12-14-2011, 04:44 PM   #9
Registered Member
 
Join Date: Dec 2011
Posts: 39
OS: Windows Vista



I still seem to be getting these fake virus/malware scanners, but it doesn't seem to be limited to Windows Security 2012 anymore. I got a "Security Sphere 2012" the night before and "Vista Antivirus 2012" last night. And even though I don't do anything to them, they disappear the next morning. Is that weird?
Attached Files
File Type: txt TDSSKiller.2.6.23.0_14.12.2011_15.37.01_log.txt (71.2 KB, 23 views)
KaijuKaizar is offline  
Old 12-14-2011, 04:47 PM   #10
TSF Team
Manager Emeritus
 
 
Join Date: Jun 2008
Location: London UK
Posts: 4,966
OS: Windows 7 SP1 x64



Hi,

How are these fake virus scanners displaying? Is it in a browser whilst on the internet, or just on your desktop?

Please download aswMBR.exe and save it to your desktop.

Double-click aswMBR.exe to start the tool. (Vista/Windows 7 users - right click to run as administrator)

Click Scan
  • Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.
--------------------------------------
Will Watts is offline  
Old 12-15-2011, 05:07 AM   #11
Registered Member
 
Join Date: Dec 2011
Posts: 39
OS: Windows Vista



When the scanners show up, all my internet browser windows close and a window pops up on my desktop showing a virus scanner scanning and listing possible infections. It seems to only close my browser windows, as one time I was working in Adobe Flash and it didn't close.

I attached the MBR log, but wasn't sure if it finished as there was no indication that it did and simply noticed that it stopped "scanning". Plus, the thing ran for over 10 hours.
Attached Files
File Type: zip MBR.zip (1.8 KB, 26 views)
KaijuKaizar is offline  
Old 12-15-2011, 11:24 AM   #12
TSF Team
Manager Emeritus
 
 
Join Date: Jun 2008
Location: London UK
Posts: 4,966
OS: Windows 7 SP1 x64



Hi KaijuKaizar,

aswMBR does seem to have taken an unusually long time to scan, but the log completed successfully.

There is still some active malware we need to address.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    tdx.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt
Will Watts is offline  
Old 12-15-2011, 03:40 PM   #13
Registered Member
 
Join Date: Dec 2011
Posts: 39
OS: Windows Vista



Okay, here's the next log.
Attached Files
File Type: txt SystemLook.txt (1.8 KB, 22 views)
KaijuKaizar is offline  
Old 12-15-2011, 03:47 PM   #14
TSF Team
Manager Emeritus
 
 
Join Date: Jun 2008
Location: London UK
Posts: 4,966
OS: Windows 7 SP1 x64



Hi KaijuKaizar,

Please ensure the entire script is copied as it's quite long.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. You may want to print and/or save the following instructions in Notepad as this webpage will not be available when you're carrying out the fix.

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Code:
File::
C:\Users\Kai\AppData\Local\far.exe
FCopy::
C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6001.18000_none_ea3dc84bdc15a8b7\tdx.sys | C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6002.18005_none_ec294157d9377403\tdx.sys
C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6001.18000_none_ea3dc84bdc15a8b7\tdx.sys | C:\Windows\System32\drivers\tdx.sys
Comment::
Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

Combofix may request an update, click Yes to allow it.

When finished, please post the C:\ComboFix.txt for further review.
Will Watts is offline  
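As an added example, not part of this thread and not code from ComboFix or SystemLook: a read-only PowerShell script that performs the comparison behind the SystemLook `:filefind` and CFScript `FCopy::` steps above. It hashes every copy of tdx.sys under System32\drivers and the WinSxS component store and flags the live copy when no component-store copy matches it, which is the "patched driver" signal the helper was acting on. It assumes the default C:\Windows layout and an elevated PowerShell prompt; the driver name and root path are parameters.

```powershell
# Added example (not from the thread or any tool it mentions): compare the live copy of a
# Windows driver against the copies kept in the component store (WinSxS), the same
# comparison the CFScript FCopy:: step relies on. A System32\drivers copy whose hash
# matches no WinSxS copy is the signal worth investigating. Assumes C:\Windows layout.
param(
    [string]$DriverName = 'tdx.sys',          # driver named in the thread
    [string]$SystemRoot = $env:SystemRoot     # usually C:\Windows
)

function Get-Sha256Hex {
    # SHA-256 via .NET so this also works on PowerShell 2.0 (no Get-FileHash there).
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        return ([System.BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', ''
    } finally {
        $stream.Close()
        $sha.Clear()
    }
}

function Compare-DriverCopies {
    param([string]$Name, [string]$Root)

    $liveDir  = Join-Path $Root 'System32\drivers'
    $storeDir = Join-Path $Root 'winsxs'

    # Every copy of the driver: the live one plus all component-store versions.
    $copies = @(Get-ChildItem -Path $liveDir, $storeDir -Recurse -Filter $Name -ErrorAction SilentlyContinue)

    $records = @(foreach ($file in $copies) {
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName -ErrorAction SilentlyContinue
        # NOTE: Vista-era drivers are mostly catalog-signed; before PowerShell 5.1
        # Get-AuthenticodeSignature only sees embedded signatures, so 'NotSigned' here is
        # not by itself proof of tampering. The hash comparison below is the real test.
        $status = if ($sig) { $sig.Status.ToString() } else { 'unknown' }
        New-Object PSObject -Property @{
            Path      = $file.FullName
            Sha256    = Get-Sha256Hex -Path $file.FullName
            Size      = $file.Length
            Signature = $status
            InStore   = $file.FullName.StartsWith($storeDir, [System.StringComparison]::OrdinalIgnoreCase)
        }
    })

    $storeHashes = @($records | Where-Object { $_.InStore } | ForEach-Object { $_.Sha256 })

    foreach ($r in $records) {
        if ($r.InStore) {
            $verdict = 'component store copy'
        } elseif ($storeHashes -contains $r.Sha256) {
            $verdict = 'matches a WinSxS copy'
        } else {
            $verdict = 'NO WinSxS copy matches: possibly patched'
        }
        $r | Add-Member -MemberType NoteProperty -Name Verdict -Value $verdict
    }
    return $records
}

$result = Compare-DriverCopies -Name $DriverName -Root $SystemRoot
$result | Sort-Object InStore, Path | Format-Table Verdict, Signature, Size, Sha256, Path -AutoSize
```

The WinSxS walk can take a few minutes on a full component store; the script only reads files and changes nothing.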
Old 12-15-2011, 09:06 PM   #15
Registered Member
 
Join Date: Dec 2011
Posts: 39
OS: Windows Vista



Here's the Combofix log.
Attached Files
File Type: txt ComboFix.txt (12.6 KB, 17 views)
KaijuKaizar is offline  
Old 12-16-2011, 08:43 AM   #16
TSF Team
Manager Emeritus
 
 
Join Date: Jun 2008
Location: London UK
Posts: 4,966
OS: Windows 7 SP1 x64



Hi KaijuKaizar,

How's the machine behaving now?

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • Please post contents of that file in your next reply.
--------------------------------------

It's important to run an online scan to search for any remnants that may be lurking. Please go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file...
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.
------------------------------------------------------
Will Watts is offline  
Old 12-16-2011, 02:43 PM   #17
Registered Member
 
Join Date: Dec 2011
Posts: 39
OS: Windows Vista



Hi,

I haven't had any run-ins with any virus scans yet, so it seems to be doing better.
I've attached the results from the ESET scan.
Attached Files
File Type: txt ESET.txt (1.1 KB, 31 views)
KaijuKaizar is offline  
Old 12-16-2011, 02:47 PM   #18
TSF Team
Manager Emeritus
 
 
Join Date: Jun 2008
Location: London UK
Posts: 4,966
OS: Windows 7 SP1 x64



Hi, please also post up the log from MBAM.
Will Watts is offline  
Old 12-16-2011, 03:15 PM   #19
Registered Member
 
Join Date: Dec 2011
Posts: 39
OS: Windows Vista



Sorry, just noticed I forgot to post that.
Also, I don't know if it's related, but I forgot to mention that I seem to have a bit of an internet connection issue starting yesterday.
Attached Files
File Type: txt mbam-log-2011-12-16 (08-55-04).txt (973 Bytes, 19 views)
KaijuKaizar is offline  
Old 12-16-2011, 03:32 PM   #20
TSF Team
Manager Emeritus
 
Will Watts's Avatar
 
Join Date: Jun 2008
Location: London UK
Posts: 4,966
OS: Windows 7 SP1 x64



Hi KaijuKaizar,

Some of the malware is respawning, we need to go after a patched driver again. Please repeat the steps in Post 12 and post the log in your next reply.

Could you describe the internet issue in more detail? What exactly is happening? Is it constant?
Will Watts is offline  
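The helper's point above is that a patched system driver keeps reviving the infection. A defender-side way to find out which driver file has been altered is to baseline every registered kernel driver (path, SHA-256, Authenticode status) while the machine is in a known state and diff against that baseline after the next reboot. The script below is an added example written for this page; it is not a tool the thread uses and not part of the helper's procedure. It assumes PowerShell 2.0 or later (a separate download on Vista) and an elevated prompt; the baseline file name is an arbitrary choice.

```powershell
# Added example, not from the thread: inventory registered kernel drivers, write a
# hash + Authenticode baseline, and on a later run (-Compare) report any driver
# whose file changed. A driver that malware re-patches shows up as CHANGED.
# Assumptions: PowerShell 2.0+ (separate download on Vista), elevated prompt.
param(
    [string]$Baseline = "$env:USERPROFILE\Desktop\driver-baseline.csv",  # arbitrary
    [switch]$Compare
)

$sha256 = [System.Security.Cryptography.SHA256]::Create()

function Resolve-DriverPath([string]$raw) {
    # WMI reports driver paths in several spellings; normalise to a Win32 path
    $p = $raw -replace '^\\\?\?\\', ''                 # strip leading \??\
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot  # expand \SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # relative
    return $p
}

function Get-DriverInventory {
    # Win32_SystemDriver lists every registered kernel driver and its on-disk image
    Get-WmiObject -Class Win32_SystemDriver | ForEach-Object {
        if (-not $_.PathName) { return }
        $path = Resolve-DriverPath $_.PathName
        if (-not (Test-Path -LiteralPath $path)) { return }
        $bytes = [System.IO.File]::ReadAllBytes($path)
        $hash = ($sha256.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
        $sig = Get-AuthenticodeSignature -FilePath $path
        $signer = ''
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        New-Object PSObject -Property @{
            Name      = $_.Name
            State     = $_.State
            Path      = $path
            Sha256    = $hash
            SigStatus = $sig.Status.ToString()
            Signer    = $signer
        }
    }
}

if ($Compare) {
    if (-not (Test-Path -LiteralPath $Baseline)) {
        throw "No baseline at $Baseline; run once without -Compare first."
    }
    $old = @{}
    foreach ($d in (Import-Csv -Path $Baseline)) { $old[$d.Path] = $d }
    $findings = @()
    foreach ($d in (Get-DriverInventory)) {
        $prev = $old[$d.Path]
        if (-not $prev) {
            $findings += "NEW      $($d.Path) [$($d.SigStatus)]"
        } elseif ($prev.Sha256 -ne $d.Sha256) {
            # same path, different bytes: the file was replaced or patched in place
            $findings += "CHANGED  $($d.Path) [$($prev.SigStatus) -> $($d.SigStatus)]"
        }
    }
    if ($findings.Count -eq 0) { 'No driver files changed since the baseline.' } else { $findings }
} else {
    Get-DriverInventory | Export-Csv -Path $Baseline -NoTypeInformation
    "Baseline written to $Baseline"
}
```

Run it once without `-Compare` right after a cleanup pass to record the baseline, then again with `-Compare` after the next reboot; a CHANGED line names the driver worth sending to the helper. On Vista-era PowerShell, Get-AuthenticodeSignature does not consult catalog signatures, so many genuine in-box drivers report NotSigned; the hash difference is the signal, and the signature column is only context.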
Copyright 2001 - 2018, Tech Support Forum