TOM-J-LAEL
Honorary Members
Posts: 28
Reputation: 0 Neutral
Location: Indianapolis, IN
Merged two posts. We look for posts with 0 replies, so when you replied to your own topic, we assume you were being helped. Do not bump your topic.
I have a user who is still suffering from Google redirects. MWB comes up clean, Trend Micro WFB reports no infections, SAS comes up clean, TDSS Killer comes up clean, MBR Check came up clean, et cetera, et cetera. HitmanPro initially reported some ZeroAccess stuff which it allegedly removed. ComboFix does not delete any files. Yes, I know I'm not supposed to run ComboFix without being asked to. Hopefully you all will anoint me for my sins. I just need a resolution. I'm an IT Professional (or at least I play one on TV), and I have a disk image backup prior to trying anything. After running all of these tools, and straight from reboot, the System Idle Process starts jabbering out to random locations on the Internet. I know this from running Netstat. I thought that was strange. It's a Windows 7 Pro machine as you'll tell, as is mine. My System Idle Process does not show any connections out to the Internet. Here's the ComboFix log:
Here's the Netstat log:
bump...
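Since this post hinges on reading Netstat output, here is an added triage script (not from the original post, nor from Malwarebytes) that parses a `netstat -ano` capture, attributes Internet-bound connections to their owning PID, and separates the PID-0 TIME_WAIT rows: once a process has closed a socket, Windows keeps the TIME_WAIT entry briefly with no owner, so netstat reports PID 0 for it, and that is not the System Idle Process opening connections. The capture below is constructed, reusing a few addresses that appear in the poster's log.

```python
"""Triage a Windows `netstat -ano` capture: which PID owns each Internet-bound
connection, and which rows have no owner at all.

Added example for this thread, not code from the original post. The capture
below is constructed, reusing addresses that appear in the poster's log.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the column layout `netstat -ano` prints on Windows 7.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       772
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1084
  TCP    127.0.0.1:2002         127.0.0.1:49246        ESTABLISHED     2036
  TCP    192.168.0.127:49219    192.168.0.2:445        ESTABLISHED     4
  TCP    192.168.0.127:49292    64.74.103.163:443      ESTABLISHED     2036
  TCP    192.168.0.127:49320    64.74.103.163:443      ESTABLISHED     2036
  TCP    192.168.0.127:49341    65.55.53.190:80        TIME_WAIT       0
  TCP    192.168.0.127:49362    216.35.15.168:80       TIME_WAIT       0
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:123            *:*                                    328
"""

# proto, local, foreign, optional state (UDP rows have none), PID
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$")


def split_endpoint(addr):
    """Split 'host:port', '[v6]:port' or '*:*' into (host, port) strings."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), port


def is_internet(host):
    """True only for a routable public address; loopback, link-local and
    RFC 1918 space (the LAN file server in the sample) are not 'the Internet'."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:          # '*' or a bare hostname from `netstat -a`
        return False


def parse_rows(text):
    """Turn the raw capture into a list of dicts, skipping header lines."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            rows.append({"proto": proto, "local": local, "foreign": foreign,
                         "state": state or "", "pid": int(pid)})
    return rows


def triage(text):
    """Group Internet-bound connections by owning PID.

    A TIME_WAIT row with PID 0 is a socket its owner has already closed: the
    kernel keeps the TCP control block for a short while, and netstat has no
    process left to attribute it to. That is not the System Idle Process
    (also PID 0) making outbound connections, so those rows go in their own
    bucket instead of being blamed on a PID.
    """
    by_pid = defaultdict(set)
    listening = defaultdict(set)
    orphaned_time_wait = set()
    for r in parse_rows(text):
        if r["state"] == "LISTENING":
            listening[r["pid"]].add(split_endpoint(r["local"])[1])
            continue
        host, port = split_endpoint(r["foreign"])
        if not is_internet(host):
            continue
        endpoint = f"{host}:{port}"
        if r["state"] == "TIME_WAIT" and r["pid"] == 0:
            orphaned_time_wait.add(endpoint)
        else:
            by_pid[r["pid"]].add(endpoint)
    return {
        "by_pid": {pid: sorted(eps) for pid, eps in by_pid.items()},
        "orphaned_time_wait": sorted(orphaned_time_wait),
        "listening": {pid: sorted(ports, key=int) for pid, ports in listening.items()},
    }


if __name__ == "__main__":
    result = triage(SAMPLE_NETSTAT)
    for pid, endpoints in sorted(result["by_pid"].items()):
        print(f"PID {pid} talks to the Internet: {', '.join(endpoints)}")
    print("closed sockets with no owner (PID 0, TIME_WAIT):",
          ", ".join(result["orphaned_time_wait"]))
    print("listening ports by PID:", dict(result["listening"]))
```

With a real capture, the PIDs in "by_pid" are the ones to look up in Task Manager or Process Explorer; the orphaned TIME_WAIT list only tells you that something recently talked to those hosts, not who.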
2 replies. Tagged with: zeroaccess, rootkit (and 1 more)
Realtime protection freezes computer
TOM-J-LAEL replied to TOM-J-LAEL's topic in Malwarebytes for Windows Support Forum
How long do I wait for a reply? I emailed the suggested email address today at 12:10pm EST. thanks, paul
-
Hello, MWB reseller here. Have a corporate customer whose computer is suddenly freezing when it boots, and it also blue screened at one point. I analyzed the dump file and it blue screened due to a Malwarebytes driver file. Booted into safe mode, no malware detected by MWB w/ latest definitions. Disabled the MBAM service and booted into normal mode fine. Already uninstalled using the mbam-clean.exe file and reinstalled, re-registered, et cetera. Same problem. They use Trend Micro WFB 6.0 as their corporate Anti-Virus, and I've long had all the mbam related files and services that I know of excluded from scanning by Trend. This also is exclusive to just this computer, and not company wide. Any ideas?
-
Hello, I was trying to visit my friend's webpage www.toastskateboards.com and I couldn't. Later I came to realize it's because MWB IP Protection is blocking 207.45.187.58, the server on which his website is hosted. Can I ask what prompted that IP address to be blocked so that I may present that evidence to my friend? thanks, Tom
-
Is bettanews.com a legitimate source for downloading MBAM? Or is it only CNET and majorgeeks? thanks, TOM-J-LAEL
-
Here's the log:
Malwarebytes' Anti-Malware 1.44
Database version: 3677
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13
2/2/2010 9:10:42 AM
mbam-log-2010-02-02 (09-10-42).txt
Scan type: Full Scan (C:\|)
Objects scanned: 190096
Time elapsed: 23 minute(s), 31 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5
Memory Processes Infected: (No malicious items detected)
Memory Modules Infected: (No malicious items detected)
Registry Keys Infected: (No malicious items detected)
Registry Values Infected: (No malicious items detected)
Registry Data Items Infected: (No malicious items detected)
Folders Infected: (No malicious items detected)
Files Infected:
C:\ComboFix\Combo-Fix.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\ComboFix\PV.cfxxe (Adware.Swizzor) -> Quarantined and deleted successfully.
C:\ComboFix\pv.com (Adware.Swizzor) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1F0E2A49-C1EF-40FB-8206-7BBD9911558F}\RP101\A0017473.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1F0E2A49-C1EF-40FB-8206-7BBD9911558F}\RP101\A0017511.com (Adware.Swizzor) -> Quarantined and deleted successfully.
-
it probably pays to know a little bit of Russian in the malware research field too, huh?
-
yah...my friend's in development and makes about $30k more a year than me...I chose the wrong path =)
-
This isn't exactly "off topic" but I wasn't sure where else to put it. Let me start with my background. I'm 27, I've been working in IT for about 6 years, I'm an MCSA and do a lot of network admin stuff for small-medium sized businesses/networks. Everything from replacing mice to implementing/managing/maintaining Exchange Servers, Active Directory, backups, etc. etc. Like most, everything I know is self taught and a lot of times it's been "trial by fire". I get great joy from battling and removing a tough piece of malware and rootkits, and I possess a great deal of awe and fascination in the sophistication of these types of problems. However, I want to step up my malware removal game away from the defensive to the offensive. I want to do something along the same lines that your researchers at MWB do, FireEye, ThreatPost, etc. etc. What I don't possess is any experience whatsoever in software development or programming. What I do possess is a yearning and eagerness to learn, and a great ability to think abstractly, see the "big picture", and solve problems. Where do I start?
-
Windows Genuine Advantage Notification pop-up
TOM-J-LAEL replied to Zack123's topic in General Windows PC Help
I would finish the install. In fact, it may be necessary to do so in order to receive important operating system updates from Microsoft. I would not foresee this being a problem installing WGA unless you know you have a non-legitimate copy of Windows. good luck -
I'm sorry... I actually just read the forum rules and I'm not supposed to help...
-
Looks like you might be infected with Koobface... are you able to open the task manager? Press CTRL, ALT, and DELETE on your keyboard all at the same time and then release them to open the task manager. Or, right click on the taskbar (the bar across the bottom of the screen) and choose "Task Manager". If you're able to open the task manager, click the "Processes" tab, then click the top of the "Image Name" column to sort all processes by name alphabetically. Highlight these processes (if applicable), one at a time, and choose "End Process". After you choose End Process, task manager is going to give you a warning about ending a process; just click OK. Here are the processes to look for and end: ld08.exe, sysguard.exe, winav.exe. Then try to open MWB and update and run it. If that does not work, let me know.
-
Falsely flagged Windows XP SP3 install file
TOM-J-LAEL replied to TOM-J-LAEL's topic in File Detections
So weird... MWB did it again today... during a normal quick scan (latest updates) it flagged that same file as being a trojan again. However, as soon as I run mbam.exe /developer from the Run box, it doesn't flag it. I then rebooted, ran the scan again using the /developer switch... nothing. I have no real reason to believe that her computer is infected, I just like to do scans for ease of mind. We do banking and stuff on our computers and she's a myspace/facebook user as well.
-
Help with lost internet connection
TOM-J-LAEL replied to oldmantime's topic in Resolved Malware Removal Logs
Well... the logs you posted after AdvancedSetup had you run the last ComboFix script look good... he might say otherwise... and he would know more about that than me. It looks like TCP/IP may have been corrupted on your computer... Try following these KB articles to reset WINSOCK and TCP/IP:
http://support.microsoft.com/kb/811259
http://support.microsoft.com/kb/299357
Basically...
Open Command Prompt again and type: netsh winsock reset
Press Enter and reboot the computer. Try to access the internet... If no go...
Open Command Prompt again and type: netsh int ip reset resetlog.txt
Press Enter. For good measure, reboot... Let us know...
-
Help with lost internet connection
TOM-J-LAEL replied to oldmantime's topic in Resolved Malware Removal Logs
Open the command prompt again by clicking Start... choose Run... type CMD and click OK... Inside the command prompt, type: ipconfig /all and press Enter... paste the results in here...