bob1996

Members

View Profile See their activity

Posts
7
Joined
January 12, 2013
Last visited
January 17, 2013

Content Type

All Activity

Events

Profiles

Forums

Topics
Posts

Everything posted by bob1996

FBI Virus 01/10/13

bob1996 replied to bob1996's topic in Resolved Malware Removal Logs

ComboFix 13-01-12.01 - home 01/16/2013 19:14:35.2.8 - x64 Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.9207.7036 [GMT -6:00] Running from: c:\users\home\Desktop\ComboFix.exe Command switches used :: c:\users\home\Desktop\CFScript.txt SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} . . ((((((((((((((((((((((((( Files Created from 2012-12-17 to 2013-01-17 ))))))))))))))))))))))))))))))) . . 2013-01-17 01:17 . 2013-01-17 01:17 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp 2013-01-17 01:17 . 2013-01-17 01:17 -------- d-----w- c:\users\Default\AppData\Local\temp 2013-01-15 09:03 . 2013-01-15 09:03 76232 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E26D9367-BC01-469E-B554-2F19C74F953C}\offreg.dll 2013-01-15 07:22 . 2012-11-08 17:24 9125352 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E26D9367-BC01-469E-B554-2F19C74F953C}\mpengine.dll 2013-01-14 20:52 . 2013-01-14 20:52 -------- d-----w- c:\users\home\AppData\Local\ElevatedDiagnostics 2013-01-12 19:50 . 2013-01-12 19:50 -------- d-----w- c:\users\home\AppData\Local\Programs 2013-01-12 07:27 . 2013-01-12 07:27 -------- d-----w- C:\FRST 2013-01-09 12:10 . 2012-11-09 05:45 750592 ----a-w- c:\windows\system32\win32spl.dll 2013-01-09 12:10 . 2012-11-09 04:43 492032 ----a-w- c:\windows\SysWow64\win32spl.dll 2013-01-09 12:10 . 2012-11-01 05:43 2002432 ----a-w- c:\windows\system32\msxml6.dll 2013-01-09 12:10 . 2012-11-01 05:43 1882624 ----a-w- c:\windows\system32\msxml3.dll 2013-01-09 12:10 . 2012-11-01 04:47 1389568 ----a-w- c:\windows\SysWow64\msxml6.dll 2013-01-09 12:10 . 2012-11-01 04:47 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll 2013-01-09 12:10 . 2012-11-20 05:48 307200 ----a-w- c:\windows\system32\ncrypt.dll 2013-01-09 12:10 . 2012-11-20 04:51 220160 ----a-w- c:\windows\SysWow64\ncrypt.dll 2013-01-09 12:10 . 2012-11-23 03:13 68608 ----a-w- c:\windows\system32\taskhost.exe 2013-01-09 12:10 . 2012-11-23 03:26 3149824 ----a-w- c:\windows\system32\win32k.sys 2013-01-06 00:23 . 2007-11-07 10:23 40464 ----a-w- c:\windows\system32\drivers\npf.sys 2013-01-06 00:22 . 2013-01-06 00:22 -------- d-----w- c:\program files (x86)\Belkin 2013-01-06 00:22 . 2013-01-06 00:22 -------- d-----w- c:\windows\{B7568C83-F271-4480-B694-3DC1813DEABF} 2013-01-03 22:54 . 2013-01-03 22:54 -------- d-----w- c:\users\home\AppData\Local\Xfinity.com 2012-12-21 09:00 . 2012-12-16 17:11 46080 ----a-w- c:\windows\system32\atmlib.dll 2012-12-21 09:00 . 2012-12-16 14:45 367616 ----a-w- c:\windows\system32\atmfd.dll 2012-12-21 09:00 . 2012-12-16 14:13 34304 ----a-w- c:\windows\SysWow64\atmlib.dll 2012-12-21 09:00 . 2012-12-16 14:13 295424 ----a-w- c:\windows\SysWow64\atmfd.dll . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2013-01-10 09:05 . 2009-11-15 15:29 67599240 ----a-w- c:\windows\system32\MRT.exe 2013-01-09 05:42 . 2012-04-29 19:17 697864 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe 2013-01-09 05:42 . 2011-05-22 11:45 74248 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl 2012-12-14 22:49 . 2009-10-13 01:19 24176 ----a-w- c:\windows\system32\drivers\mbam.sys 2012-11-20 20:24 . 2012-11-20 20:25 916456 ----a-w- c:\windows\system32\deployJava1.dll 2012-11-20 20:24 . 2012-11-20 20:25 289768 ----a-w- c:\windows\system32\javaws.exe 2012-11-20 20:24 . 2012-11-20 20:25 1034216 ----a-w- c:\windows\system32\npDeployJava1.dll 2012-11-20 20:24 . 2012-11-20 20:25 189416 ----a-w- c:\windows\system32\javaw.exe 2012-11-20 20:24 . 2012-11-20 20:25 188904 ----a-w- c:\windows\system32\java.exe 2012-11-20 20:24 . 2012-11-20 20:25 108008 ----a-w- c:\windows\system32\WindowsAccessBridge-64.dll 2012-11-14 07:06 . 2012-12-12 09:01 17811968 ----a-w- c:\windows\system32\mshtml.dll 2012-11-14 06:32 . 2012-12-12 09:01 10925568 ----a-w- c:\windows\system32\ieframe.dll 2012-11-14 06:11 . 2012-12-12 09:01 2312704 ----a-w- c:\windows\system32\jscript9.dll 2012-11-14 06:04 . 2012-12-12 09:01 1346048 ----a-w- c:\windows\system32\urlmon.dll 2012-11-14 06:04 . 2012-12-12 09:01 1392128 ----a-w- c:\windows\system32\wininet.dll 2012-11-14 06:02 . 2012-12-12 09:01 1494528 ----a-w- c:\windows\system32\inetcpl.cpl 2012-11-14 06:02 . 2012-12-12 09:01 237056 ----a-w- c:\windows\system32\url.dll 2012-11-14 05:59 . 2012-12-12 09:01 85504 ----a-w- c:\windows\system32\jsproxy.dll 2012-11-14 05:58 . 2012-12-12 09:01 816640 ----a-w- c:\windows\system32\jscript.dll 2012-11-14 05:57 . 2012-12-12 09:01 599040 ----a-w- c:\windows\system32\vbscript.dll 2012-11-14 05:57 . 2012-12-12 09:01 173056 ----a-w- c:\windows\system32\ieUnatt.exe 2012-11-14 05:55 . 2012-12-12 09:01 2144768 ----a-w- c:\windows\system32\iertutil.dll 2012-11-14 05:55 . 2012-12-12 09:01 729088 ----a-w- c:\windows\system32\msfeeds.dll 2012-11-14 05:53 . 2012-12-12 09:01 96768 ----a-w- c:\windows\system32\mshtmled.dll 2012-11-14 05:52 . 2012-12-12 09:01 2382848 ----a-w- c:\windows\system32\mshtml.tlb 2012-11-14 05:46 . 2012-12-12 09:01 248320 ----a-w- c:\windows\system32\ieui.dll 2012-11-14 02:09 . 2012-12-12 09:01 1800704 ----a-w- c:\windows\SysWow64\jscript9.dll 2012-11-14 01:58 . 2012-12-12 09:01 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl 2012-11-14 01:57 . 2012-12-12 09:01 1129472 ----a-w- c:\windows\SysWow64\wininet.dll 2012-11-14 01:49 . 2012-12-12 09:01 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe 2012-11-14 01:48 . 2012-12-12 09:01 420864 ----a-w- c:\windows\SysWow64\vbscript.dll 2012-11-14 01:44 . 2012-12-12 09:01 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb 2012-11-09 05:45 . 2012-12-11 20:54 2048 ----a-w- c:\windows\system32\tzres.dll 2012-11-09 04:42 . 2012-12-11 20:54 2048 ----a-w- c:\windows\SysWow64\tzres.dll 2012-11-02 05:59 . 2012-12-11 20:53 478208 ----a-w- c:\windows\system32\dpnet.dll 2012-11-02 05:11 . 2012-12-11 20:53 376832 ----a-w- c:\windows\SysWow64\dpnet.dll 2012-10-27 16:50 . 2012-10-27 16:50 477168 ----a-w- c:\windows\SysWow64\npdeployJava1.dll 2012-10-27 16:50 . 2010-05-16 01:24 473072 ----a-w- c:\windows\SysWow64\deployJava1.dll . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] "Malwarebytes Anti-Malware (reboot)"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbam.exe" [2012-12-14 824232] "SoundMAXPnP"="c:\program files (x86)\Analog Devices\Core\smax4pnp.exe" [2009-06-05 1310720] "hpqSRMon"="c:\program files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-22 150528] "Logitech G930"="c:\program files (x86)\Logitech\G930\G930.exe" [2011-03-23 1516888] "HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208] "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872] "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-11 919008] . c:\users\home\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ CurseClientStartup.ccip [2002-1-8 0] . c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ Belkin USB Wireless Adaptor Utility.lnk - c:\program files (x86)\Belkin\F7D4101\V1\PBN.exe [2012-4-13 114688] HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-20 270336] SetPointII.lnk - c:\program files\Logitech\SetPoint II\SetPointII.exe [2009-7-21 815104] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorUser"= 3 (0x3) "EnableUIADesktopToggle"= 0 (0x0) "PromptOnSecureDesktop"= 0 (0x0) . R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576] R2 WLANBelkinService;Belkin WLAN service;c:\program files (x86)\Belkin\F7D4101\V1\wlansrv.exe [2009-12-28 36864] R3 FlyUsb;FLY Fusion;c:\windows\system32\DRIVERS\FlyUsb.sys [2009-11-10 24576] R3 Leapfrog-USBLAN;Leapfrog-USBLAN;c:\windows\system32\DRIVERS\btblan.sys [2010-01-20 40320] R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl64.sys [2011-05-10 22528] R3 PcaSp60;Rawether NDIS 6.X SPR Protocol Driver;c:\windows\system32\DRIVERS\PcaSp60.sys [2010-09-07 38912] R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 20992] R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x] R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392] R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x] R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-07-09 52736] R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x] R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-03 1255736] S0 mv64xx;mv64xx;c:\windows\system32\DRIVERS\mv64xx.sys [2008-09-01 316456] S2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\Common Files\Nitro PDF\Professional\6.0\NitroPDFDriverServicex64.exe [2009-09-15 324928] S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-10-02 382824] S3 BCMH43XX;N+ Wireless USB Adapter Driver;c:\windows\system32\DRIVERS\bcmwlhigh664.sys [2009-11-06 838136] S3 LADF_BakerCOnly;BakerC Filter Driver;c:\windows\system32\DRIVERS\ladfBakerCamd64.sys [2011-03-18 410184] S3 LADF_BakerROnly;BakerR Filter Driver;c:\windows\system32\DRIVERS\ladfBakerRamd64.sys [2011-03-18 335688] S3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [2009-07-14 22408] S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-06-10 389120] . . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost] hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}] 2013-01-12 02:07 1606760 ----a-w- c:\program files (x86)\Google\Chrome\Application\24.0.1312.52\Installer\setup.exe . Contents of the 'Scheduled Tasks' folder . 2013-01-17 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-29 05:42] . 2013-01-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-23 21:24] . 2013-01-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-23 21:24] . . --------- X64 Entries ----------- . . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 130576] "Launch LgDeviceAgent"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2009-08-14 415752] "Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2009-08-13 2093064] "Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2009-08-14 4195848] . ------- Supplementary Scan ------- . uDefault_Search_URL = hxxp://www.google.com/ie uLocal Page = c:\windows\system32\blank.htm uStart Page = hxxp://xfinity.comcast.net/?cid=insDate01032013 mLocal Page = c:\windows\SysWOW64\blank.htm uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000 Trusted Zone: clonewarsadventures.com Trusted Zone: freerealms.com Trusted Zone: soe.com Trusted Zone: sony.com TCP: DhcpNameServer = 192.168.2.1 . - - - - ORPHANS REMOVED - - - - . Wow6432Node-HKLM-Run-<NO NAME> - (no file) . . . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32] @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="IFlashBroker5" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Shockwave Flash Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus] @="0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID] @="ShockwaveFlash.ShockwaveFlash.11" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="ShockwaveFlash.ShockwaveFlash" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Macromedia Flash Factory Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID] @="FlashFactory.FlashFactory.1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="FlashFactory.FlashFactory" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="IFlashBroker5" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . Completion time: 2013-01-16 19:18:31 ComboFix-quarantined-files.txt 2013-01-17 01:18 ComboFix2.txt 2013-01-12 21:16 . Pre-Run: 79,347,445,760 bytes free Post-Run: 79,285,645,312 bytes free . - - End Of File - - 5AEE643583D9E7639AFB3A500D5A21F6 So far everything has been running fine, I have not been using the computer very much in the past few days though. Thanks again for your help.
- January 17, 2013
- 16 replies
FBI Virus 01/10/13

bob1996 replied to bob1996's topic in Resolved Malware Removal Logs

ComboFix 13-01-12.01 - home 01/12/2013 15:10:49.1.8 - x64 Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.9207.7371 [GMT -6:00] Running from: c:\users\home\Desktop\ComboFix.exe SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} * Created a new restore point . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\users\home\AppData\Local\assembly\tmp c:\windows\SysWow64\Packet.dll c:\windows\SysWow64\pthreadVC.dll c:\windows\SysWow64\wpcap.dll . . ((((((((((((((((((((((((( Files Created from 2012-12-12 to 2013-01-12 ))))))))))))))))))))))))))))))) . . 2013-01-12 21:15 . 2013-01-12 21:15 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp 2013-01-12 21:15 . 2013-01-12 21:15 -------- d-----w- c:\users\Default\AppData\Local\temp 2013-01-12 19:50 . 2013-01-12 19:50 -------- d-----w- c:\users\home\AppData\Local\Programs 2013-01-12 07:27 . 2013-01-12 07:27 -------- d-----w- C:\FRST 2013-01-11 20:19 . 2012-11-08 17:24 9125352 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{6EA58BF8-F20A-4F01-A86C-46BD3A6C6564}\mpengine.dll 2013-01-09 12:10 . 2012-11-09 05:45 750592 ----a-w- c:\windows\system32\win32spl.dll 2013-01-09 12:10 . 2012-11-09 04:43 492032 ----a-w- c:\windows\SysWow64\win32spl.dll 2013-01-09 12:10 . 2012-11-01 05:43 2002432 ----a-w- c:\windows\system32\msxml6.dll 2013-01-09 12:10 . 2012-11-01 05:43 1882624 ----a-w- c:\windows\system32\msxml3.dll 2013-01-09 12:10 . 2012-11-01 04:47 1389568 ----a-w- c:\windows\SysWow64\msxml6.dll 2013-01-09 12:10 . 2012-11-01 04:47 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll 2013-01-09 12:10 . 2012-11-20 05:48 307200 ----a-w- c:\windows\system32\ncrypt.dll 2013-01-09 12:10 . 2012-11-20 04:51 220160 ----a-w- c:\windows\SysWow64\ncrypt.dll 2013-01-09 12:10 . 2012-11-23 03:13 68608 ----a-w- c:\windows\system32\taskhost.exe 2013-01-09 12:10 . 2012-11-23 03:26 3149824 ----a-w- c:\windows\system32\win32k.sys 2013-01-06 00:23 . 2007-11-07 10:23 40464 ----a-w- c:\windows\system32\drivers\npf.sys 2013-01-06 00:22 . 2013-01-06 00:22 -------- d-----w- c:\program files (x86)\Belkin 2013-01-06 00:22 . 2013-01-06 00:22 -------- d-----w- c:\windows\{B7568C83-F271-4480-B694-3DC1813DEABF} 2013-01-03 22:54 . 2013-01-03 22:54 -------- d-----w- c:\users\home\AppData\Local\Xfinity.com 2012-12-21 09:00 . 2012-12-16 17:11 46080 ----a-w- c:\windows\system32\atmlib.dll 2012-12-21 09:00 . 2012-12-16 14:45 367616 ----a-w- c:\windows\system32\atmfd.dll 2012-12-21 09:00 . 2012-12-16 14:13 34304 ----a-w- c:\windows\SysWow64\atmlib.dll 2012-12-21 09:00 . 2012-12-16 14:13 295424 ----a-w- c:\windows\SysWow64\atmfd.dll . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2013-01-10 09:05 . 2009-11-15 15:29 67599240 ----a-w- c:\windows\system32\MRT.exe 2013-01-09 05:42 . 2012-04-29 19:17 697864 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe 2013-01-09 05:42 . 2011-05-22 11:45 74248 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl 2012-12-14 22:49 . 2009-10-13 01:19 24176 ----a-w- c:\windows\system32\drivers\mbam.sys 2012-11-20 20:24 . 2012-11-20 20:25 916456 ----a-w- c:\windows\system32\deployJava1.dll 2012-11-20 20:24 . 2012-11-20 20:25 289768 ----a-w- c:\windows\system32\javaws.exe 2012-11-20 20:24 . 2012-11-20 20:25 1034216 ----a-w- c:\windows\system32\npDeployJava1.dll 2012-11-20 20:24 . 2012-11-20 20:25 189416 ----a-w- c:\windows\system32\javaw.exe 2012-11-20 20:24 . 2012-11-20 20:25 188904 ----a-w- c:\windows\system32\java.exe 2012-11-20 20:24 . 2012-11-20 20:25 108008 ----a-w- c:\windows\system32\WindowsAccessBridge-64.dll 2012-11-14 07:06 . 2012-12-12 09:01 17811968 ----a-w- c:\windows\system32\mshtml.dll 2012-11-14 06:32 . 2012-12-12 09:01 10925568 ----a-w- c:\windows\system32\ieframe.dll 2012-11-14 06:11 . 2012-12-12 09:01 2312704 ----a-w- c:\windows\system32\jscript9.dll 2012-11-14 06:04 . 2012-12-12 09:01 1346048 ----a-w- c:\windows\system32\urlmon.dll 2012-11-14 06:04 . 2012-12-12 09:01 1392128 ----a-w- c:\windows\system32\wininet.dll 2012-11-14 06:02 . 2012-12-12 09:01 1494528 ----a-w- c:\windows\system32\inetcpl.cpl 2012-11-14 06:02 . 2012-12-12 09:01 237056 ----a-w- c:\windows\system32\url.dll 2012-11-14 05:59 . 2012-12-12 09:01 85504 ----a-w- c:\windows\system32\jsproxy.dll 2012-11-14 05:58 . 2012-12-12 09:01 816640 ----a-w- c:\windows\system32\jscript.dll 2012-11-14 05:57 . 2012-12-12 09:01 599040 ----a-w- c:\windows\system32\vbscript.dll 2012-11-14 05:57 . 2012-12-12 09:01 173056 ----a-w- c:\windows\system32\ieUnatt.exe 2012-11-14 05:55 . 2012-12-12 09:01 2144768 ----a-w- c:\windows\system32\iertutil.dll 2012-11-14 05:55 . 2012-12-12 09:01 729088 ----a-w- c:\windows\system32\msfeeds.dll 2012-11-14 05:53 . 2012-12-12 09:01 96768 ----a-w- c:\windows\system32\mshtmled.dll 2012-11-14 05:52 . 2012-12-12 09:01 2382848 ----a-w- c:\windows\system32\mshtml.tlb 2012-11-14 05:46 . 2012-12-12 09:01 248320 ----a-w- c:\windows\system32\ieui.dll 2012-11-14 02:09 . 2012-12-12 09:01 1800704 ----a-w- c:\windows\SysWow64\jscript9.dll 2012-11-14 01:58 . 2012-12-12 09:01 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl 2012-11-14 01:57 . 2012-12-12 09:01 1129472 ----a-w- c:\windows\SysWow64\wininet.dll 2012-11-14 01:49 . 2012-12-12 09:01 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe 2012-11-14 01:48 . 2012-12-12 09:01 420864 ----a-w- c:\windows\SysWow64\vbscript.dll 2012-11-14 01:44 . 2012-12-12 09:01 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb 2012-11-09 05:45 . 2012-12-11 20:54 2048 ----a-w- c:\windows\system32\tzres.dll 2012-11-09 04:42 . 2012-12-11 20:54 2048 ----a-w- c:\windows\SysWow64\tzres.dll 2012-11-02 05:59 . 2012-12-11 20:53 478208 ----a-w- c:\windows\system32\dpnet.dll 2012-11-02 05:11 . 2012-12-11 20:53 376832 ----a-w- c:\windows\SysWow64\dpnet.dll 2012-10-27 16:50 . 2012-10-27 16:50 477168 ----a-w- c:\windows\SysWow64\npdeployJava1.dll 2012-10-27 16:50 . 2010-05-16 01:24 473072 ----a-w- c:\windows\SysWow64\deployJava1.dll . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] "Malwarebytes Anti-Malware (reboot)"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbam.exe" [2012-12-14 824232] "SoundMAXPnP"="c:\program files (x86)\Analog Devices\Core\smax4pnp.exe" [2009-06-05 1310720] "hpqSRMon"="c:\program files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-22 150528] "Logitech G930"="c:\program files (x86)\Logitech\G930\G930.exe" [2011-03-23 1516888] "HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208] "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872] "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-11 919008] . c:\users\home\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ CurseClientStartup.ccip [2002-1-8 0] . c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ Belkin USB Wireless Adaptor Utility.lnk - c:\program files (x86)\Belkin\F7D4101\V1\PBN.exe [2012-4-13 114688] HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-20 270336] SetPointII.lnk - c:\program files\Logitech\SetPoint II\SetPointII.exe [2009-7-21 815104] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorUser"= 3 (0x3) "EnableUIADesktopToggle"= 0 (0x0) "PromptOnSecureDesktop"= 0 (0x0) . R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576] R2 WLANBelkinService;Belkin WLAN service;c:\program files (x86)\Belkin\F7D4101\V1\wlansrv.exe [2009-12-28 36864] R3 FlyUsb;FLY Fusion;c:\windows\system32\DRIVERS\FlyUsb.sys [2009-11-10 24576] R3 Leapfrog-USBLAN;Leapfrog-USBLAN;c:\windows\system32\DRIVERS\btblan.sys [2010-01-20 40320] R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl64.sys [2011-05-10 22528] R3 PcaSp60;Rawether NDIS 6.X SPR Protocol Driver;c:\windows\system32\DRIVERS\PcaSp60.sys [2010-09-07 38912] R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 20992] R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x] R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392] R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x] R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-07-09 52736] R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x] R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-03 1255736] S0 mv64xx;mv64xx;c:\windows\system32\DRIVERS\mv64xx.sys [2008-09-01 316456] S2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\Common Files\Nitro PDF\Professional\6.0\NitroPDFDriverServicex64.exe [2009-09-15 324928] S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-10-02 382824] S3 BCMH43XX;N+ Wireless USB Adapter Driver;c:\windows\system32\DRIVERS\bcmwlhigh664.sys [2009-11-06 838136] S3 LADF_BakerCOnly;BakerC Filter Driver;c:\windows\system32\DRIVERS\ladfBakerCamd64.sys [2011-03-18 410184] S3 LADF_BakerROnly;BakerR Filter Driver;c:\windows\system32\DRIVERS\ladfBakerRamd64.sys [2011-03-18 335688] S3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [2009-07-14 22408] S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-06-10 389120] . . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost] hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}] 2013-01-12 02:07 1606760 ----a-w- c:\program files (x86)\Google\Chrome\Application\24.0.1312.52\Installer\setup.exe . Contents of the 'Scheduled Tasks' folder . 2013-01-12 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-29 05:42] . 2013-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-23 21:24] . 2013-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-23 21:24] . . --------- X64 Entries ----------- . . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 130576] "Launch LgDeviceAgent"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2009-08-14 415752] "Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2009-08-13 2093064] "Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2009-08-14 4195848] . ------- Supplementary Scan ------- . uDefault_Search_URL = hxxp://www.google.com/ie uLocal Page = c:\windows\system32\blank.htm uStart Page = hxxp://xfinity.comcast.net/?cid=insDate01032013 mLocal Page = c:\windows\SysWOW64\blank.htm uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000 Trusted Zone: clonewarsadventures.com Trusted Zone: freerealms.com Trusted Zone: soe.com Trusted Zone: sony.com TCP: DhcpNameServer = 192.168.2.1 . - - - - ORPHANS REMOVED - - - - . URLSearchHooks-{7473b6bd-4691-4744-a82b-7854eb3d70b6} - (no file) Wow6432Node-HKLM-Run-<NO NAME> - (no file) . . . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32] @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="IFlashBroker5" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Shockwave Flash Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus] @="0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID] @="ShockwaveFlash.ShockwaveFlash.11" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="ShockwaveFlash.ShockwaveFlash" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Macromedia Flash Factory Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID] @="FlashFactory.FlashFactory.1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="FlashFactory.FlashFactory" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="IFlashBroker5" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . Completion time: 2013-01-12 15:16:41 ComboFix-quarantined-files.txt 2013-01-12 21:16 . Pre-Run: 76,190,679,040 bytes free Post-Run: 75,547,652,096 bytes free . - - End Of File - - D4CDF875E04B7A842119214F7440ED73 Computer seems to be running fine now, going to keep testing to make sure. Thanks again, this was great advice.
- January 12, 2013
- 16 replies
FBI Virus 01/10/13

bob1996 replied to bob1996's topic in Resolved Malware Removal Logs

# AdwCleaner v2.105 - Logfile created 01/12/2013 at 14:50:29 # Updated 08/01/2013 by Xplode # Operating system : Windows 7 Ultimate Service Pack 1 (64 bits) # User : home - HOME-1 # Boot Mode : Normal # Running from : C:\Users\home\Downloads\adwcleaner.exe # Option [Delete] ***** [services] ***** ***** [Files / Folders] ***** Folder Deleted : C:\Program Files (x86)\Conduit Folder Deleted : C:\Program Files (x86)\IZArc\OpenCandy Folder Deleted : C:\Users\home\AppData\Local\Conduit Folder Deleted : C:\Users\home\AppData\LocalLow\Conduit ***** [Registry] ***** Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar Key Deleted : HKCU\Software\Conduit Key Deleted : HKCU\Software\Headlight Key Deleted : HKLM\Software\Conduit Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1} ***** [internet Browsers] ***** -\\ Internet Explorer v9.0.8112.16457 [OK] Registry is clean. -\\ Google Chrome v24.0.1312.52 File : C:\Users\home\AppData\Local\Google\Chrome\User Data\Default\Preferences [OK] File is clean. ************************* AdwCleaner[s1].txt - [1131 octets] - [12/01/2013 14:50:29] ########## EOF - C:\AdwCleaner[s1].txt - [1191 octets] ########## RogueKiller V8.4.3 [Jan 10 2013] by Tigzy mail : tigzyRK<at>gmail<dot>com Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/ Website : http://tigzy.geekstogo.com/roguekiller.php Blog : http://tigzyrk.blogspot.com/ Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version Started in : Normal mode User : home [Admin rights] Mode : Remove -- Date : 01/12/2013 14:57:19 ¤¤¤ Bad processes : 0 ¤¤¤ ¤¤¤ Registry Entries : 6 ¤¤¤ [HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2) [HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1) [HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0) [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0) [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0) [HJ] HKCU\[...]\Command Processor : AutoRun ("C:\Users\home\AppData\Local\_gzysxapmk.exe") -> DELETED ¤¤¤ Particular Files / Folders: ¤¤¤ ¤¤¤ Driver : [NOT LOADED] ¤¤¤ ¤¤¤ HOSTS File: ¤¤¤ --> C:\Windows\system32\drivers\etc\hosts 127.0.0.1 localhost ::1 localhost ¤¤¤ MBR Check: ¤¤¤ +++++ PhysicalDrive0: ST3250310AS ATA Device +++++ --- User --- [MBR] 7c374c2e02bf48e5c8a42d3d4b60b3f9 [bSP] b964e15a9ed31c2b836e4c4073fff1db : Windows 7/8 MBR Code Partition table: 0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 238464 Mo User = LL1 ... OK! User = LL2 ... OK! Finished : << RKreport[2]_D_01122013_02d1457.txt >> RKreport[1]_S_01122013_02d1456.txt ; RKreport[2]_D_01122013_02d1457.txt Thanks again for all your help!
- January 12, 2013
- 16 replies
FBI Virus 01/10/13

bob1996 replied to bob1996's topic in Resolved Malware Removal Logs

okay, logged in normally, any reccomended antivirus that will squash this thing entirely without killing my PC performance? currently running CCleaner and Antimalwarebytes
- January 12, 2013
- 16 replies
FBI Virus 01/10/13

bob1996 replied to bob1996's topic in Resolved Malware Removal Logs

couldnt log in, ran the fix again, here is the new log, looks much better Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 09-01-2013 Ran by SYSTEM at 2013-01-12 13:43:49 Run:2 Running from E:\ ============================================== HKEY_USERS\home\Software\Microsoft\Windows\CurrentVersion\Policies\system\\DisableTaskMgr Value deleted successfully. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Value was restored successfully . C:\Users\home\AppData\Roaming\_gzysxapmk.exe moved successfully. C:\Users\home\AppData\Local\_gzysxapmk.exe moved successfully. C:\Users\All Users\_gzysxapmk.exe moved successfully. ==== End of Fixlog ====
- January 12, 2013
- 16 replies
FBI Virus 01/10/13

bob1996 replied to bob1996's topic in Resolved Malware Removal Logs

thanks a lot for the help, here was the result of the fix log Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 09-01-2013 Ran by SYSTEM at 2013-01-12 09:41:45 Run:1 Running from E:\ ============================================== {\fonttbl\f0\fmodern\fcharsetCourier service not found. C:\\Users\\home\\AppData\\Roaming\\_gzysxapmk.exe\ not found. C:\\Users\\home\\AppData\\Local\\_gzysxapmk.exe\ not found. C:\\Users\\All Users\\_gzysxapmk.exe\ moved successfully. ==== End of Fixlog ====
- January 12, 2013
- 16 replies
FBI Virus 01/10/13

bob1996 posted a topic in Resolved Malware Removal Logs

Here are my FRST64.exe logs, booting in safe mode still gets me the virus screen so no luck in running anti virus at this point, any help would be greatly appreciated. Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 09-01-2013 Ran by SYSTEM at 11-01-2013 23:28:11 Running from E:\ Windows 7 Ultimate (X64) OS Language: English(US) The current controlset is ControlSet001 ==================== Registry (Whitelisted) =================== HKLM\...\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE [x] HKLM\...\Run: [Launch LgDeviceAgent] "C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe" [415752 2009-08-13] (Logitech Inc.) HKLM\...\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2093064 2009-08-13] (Logitech Inc.) HKLM\...\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE [4195848 2009-08-13] (Logitech Inc.) HKLM\...\Run: [soundMAX] C:\Program Files (x86)\Analog Devices\SoundMAX\soundmax.exe /tray [3866624 2009-05-18] (Analog Devices, Inc.) HKLM-x32\...\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript [981656 2012-09-29] (Malwarebytes Corporation) HKLM-x32\...\Run: [soundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe [1310720 2009-06-05] (Analog Devices, Inc.) HKLM-x32\...\Run: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe [150528 2008-07-22] (Hewlett-Packard) HKLM-x32\...\Run: [Logitech G930] C:\Program Files (x86)\Logitech\G930\G930.exe [1516888 2011-03-23] (Logitech©) HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49208 2011-05-09] (Hewlett-Packard) HKLM-x32\...\Run: [] [x] HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [38872 2012-07-31] (Adobe Systems Incorporated) HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-11] (Adobe Systems Incorporated) HKU\home\...\Policies\system: [DisableTaskMgr] 1 HKLM\...\Winlogon: [shell] explorer.exe, C:\Users\home\AppData\Roaming\_gzysxapmk [x ] () Tcpip\Parameters: [DhcpNameServer] 192.168.2.1 Startup: C:\Users\All Users\Start Menu\Programs\Startup\Belkin USB Wireless Adaptor Utility.lnk ShortcutTarget: Belkin USB Wireless Adaptor Utility.lnk -> C:\Program Files (x86)\Belkin\F7D4101\V1\PBN.exe () Startup: C:\Users\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.) Startup: C:\Users\All Users\Start Menu\Programs\Startup\SetPointII.lnk ShortcutTarget: SetPointII.lnk -> C:\Program Files\Logitech\SetPoint II\SetPointII.exe (Logitech Inc.) Startup: C:\Users\home\Start Menu\Programs\Startup\CurseClientStartup.ccip () ==================== Services (Whitelisted) =================== 2 AEADIFilters; C:\Windows\System32\AEADISRV.EXE [111616 2009-06-05] (Andrea Electronics Corporation) 2 astcc; C:\Windows\SysWOW64\ASTSRV.EXE [61760 2009-09-15] (Nalpeiron Ltd.) 2 NitroDriverReadSpool; "C:\Program Files\Common Files\Nitro PDF\Professional\6.0\NitroPDFDriverServicex64.exe" [324928 2009-09-15] (Nitro PDF Software) 2 WLANBelkinService; C:\Program Files (x86)\Belkin\F7D4101\V1\wlansrv.exe [36864 2009-12-28] () ==================== Drivers (Whitelisted) ===================== 3 FlyUsb; C:\Windows\System32\Drivers\FlyUsb.sys [24576 2009-11-10] (LeapFrog) 3 LADF_BakerCOnly; C:\Windows\System32\DRIVERS\ladfBakerCamd64.sys [410184 2011-03-18] (Logitech) 3 LADF_BakerROnly; C:\Windows\System32\DRIVERS\ladfBakerRamd64.sys [335688 2011-03-18] (Logitech) 3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [15680 2006-10-31] () 0 mv64xx; C:\Windows\System32\Drivers\mv64xx.sys [316456 2008-08-31] (Marvell Semiconductor, Inc.) 3 PcaSp60; C:\Windows\SysWow64\Drivers\PcaSp60.sys [38912 2010-09-06] (Printing Communications Assoc., Inc. (PCAUSA)) 0 speedfan; C:\Windows\SysWow64\speedfan.sys [14104 2007-02-07] (Windows ® Server 2003 DDK provider) 3 Synth3dVsc; C:\Windows\System32\drivers\synth3dvsc.sys [x] 3 tsusbhub; C:\Windows\System32\drivers\tsusbhub.sys [x] 3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x] ==================== NetSvcs (Whitelisted) ==================== ==================== One Month Created Files and Folders ======== 2013-01-11 23:27 - 2013-01-11 23:27 - 00000000 ____D C:\FRST 2013-01-11 20:49 - 2013-01-11 20:51 - 00054272 __ASH C:\Users\home\Documents\Thumbs.db 2013-01-11 20:37 - 2013-01-11 20:40 - 00028516 ____A C:\Windows\setupact.log 2013-01-11 20:37 - 2013-01-11 20:37 - 00000000 ____A C:\Windows\setuperr.log 2013-01-11 19:11 - 2013-01-11 21:16 - 00153088 ____A (Eventys Co. Ltd.) C:\Users\home\AppData\Roaming\_gzysxapmk.exe 2013-01-11 19:10 - 2013-01-11 21:16 - 00153088 ____A (Eventys Co. Ltd.) C:\Users\home\AppData\Local\_gzysxapmk.exe 2013-01-11 19:10 - 2013-01-11 21:02 - 00153088 ____A (Eventys Co. Ltd.) C:\Users\All Users\_gzysxapmk.exe 2013-01-11 14:42 - 2013-01-11 14:42 - 00750240 ____A C:\Users\home\Downloads\game.dcr 2013-01-09 04:10 - 2012-11-22 19:26 - 03149824 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys 2013-01-09 04:10 - 2012-11-22 19:13 - 00068608 ____A (Microsoft Corporation) C:\Windows\System32\taskhost.exe 2013-01-09 04:10 - 2012-11-19 21:48 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll 2013-01-09 04:10 - 2012-11-19 20:51 - 00220160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll 2013-01-09 04:10 - 2012-11-08 21:45 - 00750592 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll 2013-01-09 04:10 - 2012-11-08 20:43 - 00492032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll 2013-01-09 04:10 - 2012-10-31 21:43 - 02002432 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll 2013-01-09 04:10 - 2012-10-31 21:43 - 01882624 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll 2013-01-09 04:10 - 2012-10-31 20:47 - 01389568 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll 2013-01-09 04:10 - 2012-10-31 20:47 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll 2013-01-05 16:23 - 2013-01-05 16:23 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_bcmwlhigh664_01009.Wdf 2013-01-05 16:23 - 2007-11-07 02:23 - 00040464 ____A (CACE Technologies) C:\Windows\System32\Drivers\npf.sys 2013-01-05 16:22 - 2013-01-05 16:22 - 00000000 ____D C:\Windows\{B7568C83-F271-4480-B694-3DC1813DEABF} 2013-01-05 16:22 - 2013-01-05 16:22 - 00000000 ____D C:\Program Files (x86)\Belkin 2013-01-03 14:54 - 2013-01-03 14:55 - 00001462 ____A C:\comcastrelease.log 2013-01-03 14:54 - 2013-01-03 14:54 - 00776792 ____A C:\Users\home\Downloads\Comcast_Desktop_Software_1203 (1).exe 2013-01-03 14:54 - 2013-01-03 14:54 - 00000000 ____D C:\Users\home\AppData\Local\Xfinity.com 2013-01-03 14:53 - 2013-01-03 14:54 - 00776792 ____A C:\Users\home\Downloads\Comcast_Desktop_Software_1203.exe 2012-12-29 18:48 - 2013-01-11 20:40 - 00000374 ____A C:\Windows\System32\Drivers\etc\hosts.ics 2012-12-23 17:00 - 2012-12-23 17:00 - 00000000 ___HD C:\Users\home\Downloads\.picasaoriginals 2012-12-23 16:59 - 2012-12-23 17:20 - 00000070 ___AH C:\Users\home\Downloads\.picasa.ini 2012-12-21 01:00 - 2012-12-16 09:11 - 00046080 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll 2012-12-21 01:00 - 2012-12-16 06:45 - 00367616 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll 2012-12-21 01:00 - 2012-12-16 06:13 - 00295424 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll 2012-12-21 01:00 - 2012-12-16 06:13 - 00034304 ____A (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll 2012-12-12 14:47 - 2012-12-12 14:47 - 00000000 ____D C:\ui_backup 2012-12-12 01:01 - 2012-11-13 23:06 - 17811968 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll 2012-12-12 01:01 - 2012-11-13 22:32 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll 2012-12-12 01:01 - 2012-11-13 22:11 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll 2012-12-12 01:01 - 2012-11-13 22:04 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll 2012-12-12 01:01 - 2012-11-13 22:04 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll 2012-12-12 01:01 - 2012-11-13 22:02 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl 2012-12-12 01:01 - 2012-11-13 22:02 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll 2012-12-12 01:01 - 2012-11-13 21:59 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll 2012-12-12 01:01 - 2012-11-13 21:58 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll 2012-12-12 01:01 - 2012-11-13 21:57 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll 2012-12-12 01:01 - 2012-11-13 21:57 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe 2012-12-12 01:01 - 2012-11-13 21:55 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll 2012-12-12 01:01 - 2012-11-13 21:55 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll 2012-12-12 01:01 - 2012-11-13 21:53 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll 2012-12-12 01:01 - 2012-11-13 21:52 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb 2012-12-12 01:01 - 2012-11-13 21:46 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll 2012-12-12 01:01 - 2012-11-13 18:48 - 12320256 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll 2012-12-12 01:01 - 2012-11-13 18:09 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll 2012-12-12 01:01 - 2012-11-13 17:58 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl 2012-12-12 01:01 - 2012-11-13 17:57 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll 2012-12-12 01:01 - 2012-11-13 17:57 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll 2012-12-12 01:01 - 2012-11-13 17:55 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll 2012-12-12 01:01 - 2012-11-13 17:51 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll 2012-12-12 01:01 - 2012-11-13 17:49 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll 2012-12-12 01:01 - 2012-11-13 17:49 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe 2012-12-12 01:01 - 2012-11-13 17:48 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll 2012-12-12 01:01 - 2012-11-13 17:47 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll 2012-12-12 01:01 - 2012-11-13 17:46 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll 2012-12-12 01:01 - 2012-11-13 17:45 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll 2012-12-12 01:01 - 2012-11-13 17:44 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb 2012-12-12 01:01 - 2012-11-13 17:41 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll 2012-12-12 01:00 - 2012-11-13 18:14 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll ==================== One Month Modified Files and Folders ======= 2013-01-11 23:27 - 2013-01-11 23:27 - 00000000 ____D C:\FRST 2013-01-11 21:16 - 2013-01-11 19:11 - 00153088 ____A (Eventys Co. Ltd.) C:\Users\home\AppData\Roaming\_gzysxapmk.exe 2013-01-11 21:16 - 2013-01-11 19:10 - 00153088 ____A (Eventys Co. Ltd.) C:\Users\home\AppData\Local\_gzysxapmk.exe 2013-01-11 21:02 - 2013-01-11 19:10 - 00153088 ____A (Eventys Co. Ltd.) C:\Users\All Users\_gzysxapmk.exe 2013-01-11 20:51 - 2013-01-11 20:49 - 00054272 __ASH C:\Users\home\Documents\Thumbs.db 2013-01-11 20:49 - 2009-07-13 21:13 - 00779266 ____A C:\Windows\System32\PerfStringBackup.INI 2013-01-11 20:40 - 2013-01-11 20:37 - 00028516 ____A C:\Windows\setupact.log 2013-01-11 20:40 - 2012-12-29 18:48 - 00000374 ____A C:\Windows\System32\Drivers\etc\hosts.ics 2013-01-11 20:40 - 2011-09-23 13:24 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job 2013-01-11 20:40 - 2009-10-12 16:37 - 00000000 ____D C:\Users\All Users\NVIDIA 2013-01-11 20:40 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT 2013-01-11 20:38 - 2002-01-08 19:19 - 00000000 ____D C:\Users\home\AppData\Local\Deployment 2013-01-11 20:37 - 2013-01-11 20:37 - 00000000 ____A C:\Windows\setuperr.log 2013-01-11 19:17 - 2009-10-25 15:27 - 00011120 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 2013-01-11 19:17 - 2009-10-25 15:27 - 00011120 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 2013-01-11 19:06 - 2011-09-23 13:24 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job 2013-01-11 18:42 - 2012-04-29 11:18 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job 2013-01-11 14:42 - 2013-01-11 14:42 - 00750240 ____A C:\Users\home\Downloads\game.dcr 2013-01-10 01:28 - 2009-07-13 20:45 - 00334368 ____A C:\Windows\System32\FNTCACHE.DAT 2013-01-10 01:10 - 2010-12-31 11:47 - 00772990 ____A C:\Windows\SysWOW64\PerfStringBackup.INI 2013-01-10 01:06 - 2009-10-25 14:22 - 00000000 ____D C:\Users\All Users\Microsoft Help 2013-01-10 01:05 - 2009-11-15 07:29 - 67599240 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe 2013-01-08 21:42 - 2012-04-29 11:17 - 00697864 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe 2013-01-08 21:42 - 2011-05-22 03:45 - 00074248 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl 2013-01-05 20:14 - 2010-01-12 16:54 - 00000000 ____D C:\Users\home\AppData\Roaming\Nitro PDF 2013-01-05 16:23 - 2013-01-05 16:23 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_bcmwlhigh664_01009.Wdf 2013-01-05 16:22 - 2013-01-05 16:22 - 00000000 ____D C:\Windows\{B7568C83-F271-4480-B694-3DC1813DEABF} 2013-01-05 16:22 - 2013-01-05 16:22 - 00000000 ____D C:\Program Files (x86)\Belkin 2013-01-05 16:22 - 2010-07-25 16:58 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information 2013-01-04 14:48 - 2012-12-06 18:24 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox 2013-01-04 14:48 - 2009-10-12 16:51 - 00000000 ____D C:\Users\home\AppData\Roaming\Mozilla 2013-01-03 14:55 - 2013-01-03 14:54 - 00001462 ____A C:\comcastrelease.log 2013-01-03 14:54 - 2013-01-03 14:54 - 00776792 ____A C:\Users\home\Downloads\Comcast_Desktop_Software_1203 (1).exe 2013-01-03 14:54 - 2013-01-03 14:54 - 00000000 ____D C:\Users\home\AppData\Local\Xfinity.com 2013-01-03 14:54 - 2013-01-03 14:53 - 00776792 ____A C:\Users\home\Downloads\Comcast_Desktop_Software_1203.exe 2012-12-31 09:01 - 2012-05-16 17:09 - 00000000 ____D C:\Users\home\AppData\Local\CrashDumps 2012-12-31 08:59 - 2012-10-07 12:01 - 00000000 ____D C:\Users\All Users\34BE82C4-E596-4e99-A191-52C6199EBF69 2012-12-31 08:58 - 2012-10-07 11:56 - 00000000 ____D C:\Program Files (x86)\QuickTime 2012-12-31 08:55 - 2009-10-12 18:05 - 00000000 ____D C:\Users\home\AppData\Roaming\Apple Computer 2012-12-29 18:56 - 2009-10-25 15:31 - 00000000 ____D C:\users\home 2012-12-29 18:56 - 2009-10-12 18:05 - 00000000 ____D C:\Users\home\AppData\Local\Apple Computer 2012-12-29 18:28 - 2009-07-13 19:20 - 00000000 __RHD C:\Users\Public\Libraries 2012-12-23 17:20 - 2012-12-23 16:59 - 00000070 ___AH C:\Users\home\Downloads\.picasa.ini 2012-12-23 17:00 - 2012-12-23 17:00 - 00000000 ___HD C:\Users\home\Downloads\.picasaoriginals 2012-12-17 08:15 - 2011-05-29 19:29 - 00000000 ____D C:\Program Files (x86)\Diablo II 2012-12-16 09:11 - 2012-12-21 01:00 - 00046080 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll 2012-12-16 06:45 - 2012-12-21 01:00 - 00367616 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll 2012-12-16 06:13 - 2012-12-21 01:00 - 00295424 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll 2012-12-16 06:13 - 2012-12-21 01:00 - 00034304 ____A (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll 2012-12-12 14:47 - 2012-12-12 14:47 - 00000000 ____D C:\ui_backup 2012-12-12 14:47 - 2002-01-07 20:26 - 00000000 ____D C:\Users\Public\Games 2012-12-12 01:46 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache ==================== Known DLLs (Whitelisted) ================= ==================== Bamital & volsnap Check ================= C:\Windows\System32\winlogon.exe => MD5 is legit C:\Windows\System32\wininit.exe => MD5 is legit C:\Windows\SysWOW64\wininit.exe => MD5 is legit C:\Windows\explorer.exe => MD5 is legit C:\Windows\SysWOW64\explorer.exe => MD5 is legit C:\Windows\System32\svchost.exe => MD5 is legit C:\Windows\SysWOW64\svchost.exe => MD5 is legit C:\Windows\System32\services.exe => MD5 is legit C:\Windows\System32\User32.dll => MD5 is legit C:\Windows\SysWOW64\User32.dll => MD5 is legit C:\Windows\System32\userinit.exe => MD5 is legit C:\Windows\SysWOW64\userinit.exe => MD5 is legit C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit ==================== EXE ASSOCIATION ===================== HKLM\...\.exe: exefile => OK HKLM\...\exefile\DefaultIcon: %1 => OK HKLM\...\exefile\open\command: "%1" %* => OK ==================== Restore Points ========================= Restore point made on: 2013-01-04 11:50:20 Restore point made on: 2013-01-05 16:22:35 Restore point made on: 2013-01-08 06:39:26 Restore point made on: 2013-01-10 01:00:14 ==================== Memory info =========================== Percentage of memory in use: 8% Total physical RAM: 9207.11 MB Available physical RAM: 8380.29 MB Total Pagefile: 9205.26 MB Available Pagefile: 8371.26 MB Total Virtual: 8192 MB Available Virtual: 8191.9 MB ==================== Partitions ============================= 2 Drive c: () (Fixed) (Total:232.88 GB) (Free:70.64 GB) NTFS ==>[Drive with boot components (obtained from BCD)] 3 Drive d: (F9L1101v1) (CDROM) (Total:0.11 GB) (Free:0 GB) UDF 4 Drive e: (DIABLO II) (Removable) (Total:3.73 GB) (Free:3.71 GB) FAT32 5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS Disk ### Status Size Free Dyn Gpt -------- ------------- ------- ------- --- --- Disk 0 Online 232 GB 9 MB Disk 1 Online 3816 MB 0 B Partitions of Disk 0: =============== Partition ### Type Size Offset ------------- ---------------- ------- ------- Partition 1 Primary 232 GB 31 KB ================================================================================== Disk: 0 Partition 1 Type : 07 Hidden: No Active: Yes Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- -------- * Volume 1 C NTFS Partition 232 GB Healthy ========================================================= Partitions of Disk 1: =============== Partition ### Type Size Offset ------------- ---------------- ------- ------- Partition 1 Primary 3823 MB 564 KB ================================================================================== Disk: 1 Partition 1 Type : 0C Hidden: No Active: Yes Farbar Recovery Scan Tool (x64) Version: 09-01-2013 Ran by SYSTEM at 2013-01-11 23:35:39 Running from E:\ ================== Search: "services.exe" =================== C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB C:\Windows\System32\services.exe [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB ====== End Of Search ====== Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- -------- * Volume 2 E DIABLO II FAT32 Removable 3823 MB Healthy ========================================================= Last Boot: 2013-01-04 11:19 ==================== End Of Log =============================
- January 12, 2013
- 16 replies

Sign In

bob1996

Posts

Joined

Last visited

Content Type

Events

Profiles

Forums

Everything posted by bob1996

FBI Virus 01/10/13

FBI Virus 01/10/13

FBI Virus 01/10/13

FBI Virus 01/10/13

FBI Virus 01/10/13

FBI Virus 01/10/13

FBI Virus 01/10/13

Browse

Activity

Personal

Business

Business Modules

Partners

Learn

Start here

Type of malware/attacks

How does it get on my computer?

Scams and grifts

Support

Important Information