
Request for help regarding detection of "Pup BitMiner Virus" and if I've rid it from my computer.

I've run the latest version of MBAM as suggested. Attached are DDS and ATTACH files.

Thank you!

Followed instructions as per Malwarebytes "I'm Infected, what do I do now?" and still getting random popups. Running 5th scan and getting PUP.BitMiner again. It appears unselected, so I must put a check mark next to the name. Waiting for help if you've got a chance. Thanks.

.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 8.0.6001.18999

Run by Harley at 13:11:17 on 2011-12-17

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.8190.6509 [GMT -8:00]

.

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\rundll32.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskeng.exe

C:\Windows\Explorer.EXE

C:\Windows\ehome\ehtray.exe

C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\ProgramData\Verizon\UA_ar\UtilityApplication.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Windows\system32\agr64svc.exe

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files (x86)\Bonjour\mDNSResponder.exe

C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\GATEWAY\Gateway Recovery Management\Service\ETService.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\WUDFHost.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe

C:\Windows\ehome\ehsched.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe

C:\Windows\ehome\ehRecvr.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wuauclt.exe

C:\Windows\splwow64.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cscript.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = https://www.google.com/calendar/render?gsessionid=OK

uDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=1208&m=lx6810-01

mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=1208&m=lx6810-01

mDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=1208&m=lx6810-01

mWinlogon: Userinit=userinit.exe,

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe

uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

uRun: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe

mRun: [eRecoveryService]

mRun: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot

mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\LAUNCH~1.LNK - C:\ProgramData\Verizon\UA_ar\UtilityApplication.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\PALOAL~1.LNK - C:\Windows\Installer\{6B2D979E-216D-43A4-BAE2-71A185922CA1}\NewShortcut1.BDD3527A_D6D6_4DD6_AEAD_6B5236DA8F67.exe

uPolicies-explorer: HideSCAHealth = 1 (0x1)

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: Add to &Evernote - C:\Program Files (x86)\Evernote\Evernote3.5\enbar.dll/2000

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000

LSP: %SYSTEMROOT%\system32\nvLsp.dll

LSP: mswsock.dll

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {5554DCB0-700B-498D-9B58-4E40E5814405} - hxxp://www.foodsdatabase.com/Reserved.ReportViewerWebControl.axd?ReportSession=sv1y5pivza5bfl55xmuc2p55&ControlID=093a6e05673e42afbc8a4fe0c0c7f18b&Culture=1033&UICulture=1033&ReportStack=1&OpType=PrintCab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{1382C867-F693-43B0-A71F-1B14D6A9E1E6} : DhcpNameServer = 192.168.1.1

SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2

BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll

TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

mRun-x64: [eRecoveryService]

mRun-x64: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot

mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

Hosts: 127.0.0.1 www.spywareinfo.com

.

============= SERVICES / DRIVERS ===============

.

R0 nvamacpi;Nvidia Away Mode System;C:\Windows\system32\DRIVERS\NVAMACPI.sys --> C:\Windows\system32\DRIVERS\NVAMACPI.sys [?]

R2 ETService;Empowering Technology Service;C:\Program Files\GATEWAY\Gateway Recovery Management\Service\ETService.exe [2008-12-19 24576]

R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-17 366152]

R3 AVer88xHD;AVerMedia 23888 AvStream Video Capture;C:\Windows\system32\drivers\AVer88xHD64.sys --> C:\Windows\system32\drivers\AVer88xHD64.sys [?]

R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]

R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RTS5121.sys --> C:\Windows\system32\Drivers\RTS5121.sys [?]

S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-1-31 135664]

S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-3-1 93184]

S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-1-31 135664]

S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]

S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;C:\Windows\system32\DRIVERS\WPN111vx.sys --> C:\Windows\system32\DRIVERS\WPN111vx.sys [?]

.

=============== File Associations ===============

.

JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*

.

=============== Created Last 30 ================

.

2011-12-17 19:43:16 -------- d-----w- C:\Users\Harley\AppData\Roaming\Malwarebytes

2011-12-17 19:42:47 -------- d-----w- C:\ProgramData\Malwarebytes

2011-12-17 19:42:43 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys

2011-12-17 19:42:43 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2011-12-16 18:59:42 -------- d-----we C:\Windows\system64

2011-12-14 04:11:44 677136 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll

.

==================== Find3M ====================

.

2011-09-24 14:42:25 1393736 ----a-w- C:\Users\Harley\gotomypc_626.exe

.

============= FINISH: 13:11:44.66 ===============


With all respect to this board, after 48 hours I've decided to make some preemptive decisions to rid myself of the Google ReDirect issues.

I've followed the instructions posted to other users and so far, it seems to have worked. (It's important to note I researched the heck out of this.)

I used a combo of TDSS Fix Tool, rkill, SuperAntiSpyware (Free Version), Malwarebytes and Spybot Search & Destroy.

(I looked at StopZilla, which seemed decent (similar to SuperAntiSpyware), and RegCleanPro (leery and a bit consuming).)

Original ReDirect Issues were:

Rootkit.TDSS

Trojan.exe.shell

pup.BitMiner

pup.RewardsArcade

Machine has been running nicely for 4 hours. Doing consistent scans and preventing typical adware cookies (doubleclick, etc.). Running 3x faster than I've been for weeks.

NOTE: IN NO WAY am I advocating a position or suggesting anyone do the same. I'm just saying there seems to be a way out of this mess (fingers crossed).

Please do not attach the scan results from ComboFix. Use copy/paste.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator").

Download ComboFix from one of these locations:

Link 1

Link 2 (If using this link, Right Click and select Save As.)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have XP SP3, use the XP SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot: RC1.png]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot: RC2-1.png]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.


Clicked the LINK 1 and it gave me a run prompt. I selected it and it downloaded the ComboFix icon to my desktop. However, when I double clicked it, it opened a window saying "Combofix no longer supports Windows 2000". I have Vista, so that's odd.

The second LINK 2 was in Spanish and locked up my IE. Not good.

Suggestions?


Clicked the LINK 1 and it gave me a run prompt, so I selected it and downloaded to my desktop. However, when I double clicked the ICON, it opened a window saying "Combofix no longer supports Windows 2000". I have Windows Vista Home Premium. So ComboFix doesn't work here.

The second LINK 2 was in Spanish and locked up my IE. So ComboFix is not working here either.

Suggestions?


Whether you wish to continue with cleaning or not, you should be aware that you may have been infected by a backdoor trojan. This type of program has the ability to steal passwords and other information from your system. If you are using your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:

  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, PayPal, eBay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen, and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps.
  • Removing this infection can also disable the ability to connect to the internet.

This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean. If this is unacceptable to you, then you should consider reformatting the system partition and reinstalling Windows, as this is the only 100% sure answer.

Please post back to let me know how you wish to proceed.

Logs will be closed if you haven't replied within 3 days.

Please don't attach the scans / logs for these tools, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Please run a new MBAM scan being sure to update before scanning.

Post the scan results.

Also please describe how your computer behaves at the moment.

Please don't attach the scans / logs, use "copy/paste".


Computer has been behaving fine today. A little slow but functioning properly. Noticed Windows Defender has been permanently disabled and not sure how or when; may be unrelated.

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8403

Windows 6.0.6001 Service Pack 1

Internet Explorer 8.0.6001.18999

12/20/2011 08:36:54

mbam-log-2011-12-20 (08-36-54).txt

Scan type: Full scan (C:\|)

Objects scanned: 342258

Time elapsed: 30 minute(s), 46 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Attached are 6 logs:

First log removes Rootkit.TDSS and Trojan.exeShell.gen. PUP.BitMiner was not checked off (didn't see it had to be done manually) and so was not selected for removal.

Second log removes selected PUP.BitMiner.

Ran two more scans and no infections appeared. Then...

Third Log below represents reappearance of PUP.BitMiner.

Ran two more scans and no infections appeared. Then...

Fourth log shows getting hit with PUP.RewardsArcade.

Fifth log removes last remnant of PUP.RewardsArcade.

Sixth log is a recurring "protection log" I receive each day showing error for "IP protection failed".

All 5 recent scans have been error free.

----------------------------------

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8388

Windows 6.0.6001 Service Pack 1

Internet Explorer 8.0.6001.18999

12/17/2011 12:11:15

mbam-log-2011-12-17 (12-11-15).txt

Scan type: Full scan (C:\|)

Objects scanned: 332864

Time elapsed: 24 minute(s), 21 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\$Recycle.Bin\s-1-5-21-278700290-3637369481-1809467469-1000\$RUZ9QUR.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\lrq.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.

c:\Windows\assembly\temp\kwrd.dll (PUP.BitMiner) -> Not selected for removal.

-------------------------------------

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8388

Windows 6.0.6001 Service Pack 1

Internet Explorer 8.0.6001.18999

12/17/2011 12:59:14

mbam-log-2011-12-17 (12-59-14).txt

Scan type: Full scan (C:\|)

Objects scanned: 333795

Time elapsed: 23 minute(s), 49 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Windows\assembly\temp\kwrd.dll (PUP.BitMiner) -> Quarantined and deleted successfully.

----------------------------------

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8393

Windows 6.0.6001 Service Pack 1

Internet Explorer 8.0.6001.18999

12/18/2011 10:05:33

mbam-log-2011-12-18 (10-05-33).txt

Scan type: Full scan (C:\|)

Objects scanned: 337954

Time elapsed: 29 minute(s), 48 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Windows\assembly\temp\kwrd.dll (PUP.BitMiner) -> Quarantined and deleted successfully.

--------------------------------

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8395

Windows 6.0.6001 Service Pack 1

Internet Explorer 8.0.6001.18999

12/18/2011 20:16:33

mbam-log-2011-12-18 (20-16-33).txt

Scan type: Full scan (C:\|)

Objects scanned: 334612

Time elapsed: 25 minute(s), 10 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 10

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 29

Files Infected: 86

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{597A9974-8CB0-4f41-B61F-ED065738A397} (PUP.RewardsArcade) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{25514C64-8321-494e-BD3E-3DBAB3F8CEBA} (PUP.RewardsArcade) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\TypeLib\{60BE6B2E-F2F5-4404-AA1E-4381D4A6EEA2} (PUP.RewardsArcade) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{6427058B-217C-4C7F-A6CE-C7934C0BDCEB} (PUP.RewardsArcade) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\RewardsArcade.FBApi.1 (PUP.RewardsArcade) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\RewardsArcade.FBApi (PUP.RewardsArcade) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\RewardsArcade.BHO.1 (PUP.RewardsArcade) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{597A9974-8CB0-4F41-B61F-ED065738A397} (PUP.RewardsArcade) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{597A9974-8CB0-4F41-B61F-ED065738A397} (PUP.RewardsArcade) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RewardsArcade (PUP.RewardsArcade) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

c:\program files (x86)\rewardsarcade (PUP.RewardsArcade) -> Delete on reboot.

c:\Users\Harley\AppData\Local\rewardsarcade (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498 (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Chrome (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\lib (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\lib\facebox (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\lib\facebox\Images (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\defaults (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\defaults\preferences (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\locale (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\locale\en-US (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\skin (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498 (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Chrome (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\lib (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\lib\facebox (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\lib\facebox\Images (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\defaults (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\defaults\preferences (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\locale (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\locale\en-US (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\skin (PUP.RewardsArcade) -> Quarantined and deleted successfully.

Files Infected:

c:\program files (x86)\rewardsarcade\rewardsarcade.dll (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\program files (x86)\rewardsarcade\fb.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\program files (x86)\rewardsarcade\appapiinternalwrapper.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\program files (x86)\rewardsarcade\jquery.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\program files (x86)\rewardsarcade\json.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\program files (x86)\rewardsarcade\rewardsarcade.exe (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\program files (x86)\rewardsarcade\uninstall.exe (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\program files (x86)\rewardsarcade\userconfirmation.exe (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\uninstall.ico (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Chrome\rewardsarcade.crx (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome.manifest (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\install.rdf (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\background.html (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\browser.xul (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\crossrider.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\crossriderapi.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\manage-apps-style.css (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\manage-apps.html (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\messaging.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\options.xul (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\push.html (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\socialapi.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\update.html (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\utilityapi.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\workers_chain.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\lib\faye-browser-min.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\lib\jquery-1.4.2.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\lib\facebox\facebox.css (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\lib\facebox\facebox.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\lib\facebox\Images\b.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\lib\facebox\Images\bl.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\lib\facebox\Images\br.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\lib\facebox\Images\closelabel.gif (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\lib\facebox\Images\loading.gif (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\lib\facebox\Images\tl.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\lib\facebox\Images\tr.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\defaults\preferences\prefs.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\locale\en-US\translations.dtd (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\skin\button1.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\skin\button2.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\skin\button3.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\skin\button4.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\skin\button5.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\skin\crossrider_statusbar.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\skin\icon24.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\skin\skin.css (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\skin\update.css (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\uninstall.ico (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Chrome\rewardsarcade.crx (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome.manifest (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\install.rdf (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\background.html (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\browser.xul (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\crossrider.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\crossriderapi.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\manage-apps-style.css (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\manage-apps.html (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\messaging.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\options.xul (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\push.html (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\socialapi.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\update.html (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\utilityapi.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\workers_chain.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\lib\faye-browser-min.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\lib\jquery-1.4.2.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\lib\facebox\facebox.css (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\lib\facebox\facebox.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\lib\facebox\Images\b.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\lib\facebox\Images\bl.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\lib\facebox\Images\br.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\lib\facebox\Images\closelabel.gif (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\lib\facebox\Images\loading.gif (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\lib\facebox\Images\tl.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\lib\facebox\Images\tr.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\defaults\preferences\prefs.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\locale\en-US\translations.dtd (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\skin\button1.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\skin\button2.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\skin\button3.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\skin\button4.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\skin\button5.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\skin\crossrider_statusbar.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\skin\icon24.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\skin\skin.css (PUP.RewardsArcade) -> Quarantined and deleted successfully.

c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\skin\update.css (PUP.RewardsArcade) -> Quarantined and deleted successfully.

---------------------------------

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8395

Windows 6.0.6001 Service Pack 1

Internet Explorer 8.0.6001.18999

12/18/2011 22:04:52

mbam-log-2011-12-18 (22-04-52).txt

Scan type: Quick scan

Objects scanned: 170553

Time elapsed: 1 minute(s), 25 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{597A9974-8CB0-4F41-B61F-ED065738A397} (PUP.RewardsArcade) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

---------------------------------------

07:57:12 Harley MESSAGE Protection started successfully

07:57:15 Harley ERROR IP protection failed: FwpmEngineOpen0 failed with error code 1753

08:05:50 Harley MESSAGE Database updated successfully

08:52:13 Harley MESSAGE Protection started successfully

08:52:17 Harley ERROR IP protection failed: FwpmEngineOpen0 failed with error code 1753


Thank you for your help LDTate.

Downloaded and ran UnHackMe and it did not find any root issues. Pop up said "That's all right! There is no trojan found".

So I did not have to go through the stop/start/removal procedure.

I did do a virus scan using unhackme and it came up clean. It created a Spyhole log using regrun and I suppose all is good there.

I ran another MBAM quick scan and all looked good.

I think I'm in the clear? Seems like it!

Let me know if you think we're good and can close. Thanks!


.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 8.0.6001.19088

Run by Harley at 14:03:06 on 2011-12-20

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.8190.6361 [GMT -8:00]

.

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskeng.exe

C:\Windows\Explorer.EXE

C:\Windows\ehome\ehtray.exe

C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\NVIDIA Corporation\Display\nvtray.exe

C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE

C:\Windows\system32\agr64svc.exe

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files (x86)\Bonjour\mDNSResponder.exe

C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\GATEWAY\Gateway Recovery Management\Service\ETService.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe

C:\Windows\system32\WUDFHost.exe

C:\Windows\ehome\ehsched.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\System32\mobsync.exe

C:\Windows\ehome\ehRecvr.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe

C:\ProgramData\WeCareReminder\ReminderHelper.exe

C:\Windows\splwow64.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cscript.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = https://www.google.com/calendar/render?gsessionid=OK

uDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=1208&m=lx6810-01

mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=1208&m=lx6810-01

mDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=1208&m=lx6810-01

uURLSearchHooks: H - No File

mWinlogon: Userinit=userinit.exe,

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll

BHO: WeCareReminder Class: {d824f0de-3d60-4f57-9eb1-66033ecd8abb} - C:\ProgramData\WeCareReminder\IEHelperv2.5.0.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe

uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

uRun: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

mRun: [eRecoveryService]

mRun: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot

mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\PALOAL~1.LNK - C:\Windows\Installer\{6B2D979E-216D-43A4-BAE2-71A185922CA1}\NewShortcut1.BDD3527A_D6D6_4DD6_AEAD_6B5236DA8F67.exe

uPolicies-explorer: HideSCAHealth = 1 (0x1)

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: Add to &Evernote - C:\Program Files (x86)\Evernote\Evernote3.5\enbar.dll/2000

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000

LSP: mswsock.dll

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{1382C867-F693-43B0-A71F-1B14D6A9E1E6} : DhcpNameServer = 192.168.1.1

BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll

BHO-X64: WeCareReminder Class: {D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} - C:\ProgramData\WeCareReminder\IEHelperv2.5.0.dll

BHO-X64: WeCareReminder - No File

TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

mRun-x64: [eRecoveryService]

mRun-x64: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot

mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

.

============= SERVICES / DRIVERS ===============

.

R0 nvamacpi;Nvidia Away Mode System;C:\Windows\system32\DRIVERS\NVAMACPI.sys --> C:\Windows\system32\DRIVERS\NVAMACPI.sys [?]

R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]

R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]

R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-8-11 140672]

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

R2 ETService;Empowering Technology Service;C:\Program Files\GATEWAY\Gateway Recovery Management\Service\ETService.exe [2008-12-19 24576]

R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-17 366152]

R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-12-20 2214504]

R3 AVer88xHD;AVerMedia 23888 AvStream Video Capture;C:\Windows\system32\drivers\AVer88xHD64.sys --> C:\Windows\system32\drivers\AVer88xHD64.sys [?]

R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]

R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RTS5121.sys --> C:\Windows\system32\Drivers\RTS5121.sys [?]

S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-1-31 135664]

S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-1-31 135664]

S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]

S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;C:\Windows\system32\DRIVERS\WPN111vx.sys --> C:\Windows\system32\DRIVERS\WPN111vx.sys [?]

S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-3-1 93184]

.

=============== File Associations ===============

.

JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*

.

=============== Created Last 30 ================

.

2011-12-20 21:16:50 2 --shatr- C:\Windows\winstart.bat

2011-12-20 21:16:45 -------- d-----w- C:\Program Files (x86)\UnHackMe

2011-12-20 21:15:36 -------- d-----w- C:\ProgramData\WeCareReminder

2011-12-20 17:17:29 -------- d-----w- C:\Program Files (x86)\NVIDIA Corporation

2011-12-20 17:17:21 739432 ----a-w- C:\Windows\System32\easyupdatusapiu64.dll

2011-12-20 17:17:21 61544 ----a-w- C:\Windows\System32\nvshext.dll

2011-12-20 17:17:21 117864 ----a-w- C:\Windows\System32\nvmctray.dll

2011-12-20 17:17:18 758272 ----a-w- C:\Windows\System32\cohelper.dll

2011-12-20 17:15:52 -------- d-----w- C:\ProgramData\NVIDIA Corporation

2011-12-20 16:13:48 -------- d-----w- C:\Program Files (x86)\MSXML 4.0

2011-12-20 16:02:39 2762240 ----a-w- C:\Windows\System32\win32k.sys

2011-12-20 16:02:37 176128 ----a-w- C:\Windows\System32\drivers\srv2.sys

2011-12-20 16:02:37 144896 ----a-w- C:\Windows\System32\drivers\srvnet.sys

2011-12-20 16:02:31 28160 ----a-w- C:\Windows\System32\drivers\en-US\http.sys.mui

2011-12-20 16:00:58 758784 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\vgx\VGX.dll

2011-12-20 16:00:58 1027584 ----a-w- C:\Program Files\Common Files\Microsoft Shared\vgx\VGX.dll

2011-12-20 16:00:55 990096 ----a-w- C:\Windows\System32\winresume.efi

2011-12-20 16:00:55 979344 ----a-w- C:\Windows\System32\winresume.exe

2011-12-20 16:00:55 18832 ----a-w- C:\Windows\System32\kd1394.dll

2011-12-20 16:00:55 18320 ----a-w- C:\Windows\System32\kdcom.dll

2011-12-20 16:00:55 1075600 ----a-w- C:\Windows\System32\winload.efi

2011-12-20 16:00:55 1062800 ----a-w- C:\Windows\System32\winload.exe

2011-12-20 16:00:54 20880 ----a-w- C:\Windows\System32\kdusb.dll

2011-12-20 06:13:46 4692368 ----a-w- C:\Windows\System32\ntoskrnl.exe

2011-12-20 06:13:45 48128 ----a-w- C:\Windows\System32\atmlib.dll

2011-12-20 06:13:45 367616 ----a-w- C:\Windows\System32\atmfd.dll

2011-12-20 06:13:45 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll

2011-12-20 06:13:45 292864 ----a-w- C:\Windows\SysWow64\atmfd.dll

2011-12-20 06:13:45 1560960 ----a-w- C:\Windows\System32\ntdll.dll

2011-12-20 06:13:45 1167488 ----a-w- C:\Windows\SysWow64\ntdll.dll

2011-12-20 06:13:44 28672 ----a-w- C:\Windows\System32\dnscacheugc.exe

2011-12-20 06:13:44 25088 ----a-w- C:\Windows\SysWow64\dnscacheugc.exe

2011-12-20 06:13:44 117760 ----a-w- C:\Windows\System32\dnsrslvr.dll

2011-12-20 06:12:05 4240384 ----a-w- C:\Windows\SysWow64\GameUXLegacyGDFs.dll

2011-12-20 06:12:05 32256 ----a-w- C:\Windows\System32\Apphlpdm.dll

2011-12-20 06:12:05 28672 ----a-w- C:\Windows\SysWow64\Apphlpdm.dll

2011-12-20 06:12:04 4240384 ----a-w- C:\Windows\System32\GameUXLegacyGDFs.dll

2011-12-20 06:09:14 975360 ----a-w- C:\Windows\System32\inetcomm.dll

2011-12-20 06:09:14 738816 ----a-w- C:\Windows\SysWow64\inetcomm.dll

2011-12-20 06:09:13 1398784 ----a-w- C:\Windows\System32\mfc42.dll

2011-12-20 06:09:13 1360384 ----a-w- C:\Windows\System32\mfc42u.dll

2011-12-20 06:09:13 1161728 ----a-w- C:\Windows\SysWow64\mfc42u.dll

2011-12-20 06:09:13 1136640 ----a-w- C:\Windows\SysWow64\mfc42.dll

2011-12-20 06:09:12 344576 ----a-w- C:\Windows\System32\schannel.dll

2011-12-20 06:09:12 276992 ----a-w- C:\Windows\SysWow64\schannel.dll

2011-12-20 06:09:07 85504 ----a-w- C:\Windows\System32\csrsrv.dll

2011-12-20 06:09:07 450048 ----a-w- C:\Windows\System32\winsrv.dll

2011-12-20 06:09:06 97792 ----a-w- C:\Windows\System32\drivers\dfsc.sys

2011-12-19 19:47:46 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2011-12-19 04:31:22 -------- d-----w- C:\Users\Harley\AppData\Roaming\SUPERAntiSpyware.com

2011-12-19 04:30:47 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com

2011-12-19 04:30:47 -------- d-----w- C:\Program Files\SUPERAntiSpyware

2011-12-19 03:25:17 -------- d-----w- C:\Users\Harley\AppData\Roaming\Systweak

2011-12-19 03:25:16 18816 ----a-w- C:\Windows\System32\roboot64.exe

2011-12-18 23:46:05 -------- d-----w- C:\ProgramData\PC Tools

2011-12-17 19:43:16 -------- d-----w- C:\Users\Harley\AppData\Roaming\Malwarebytes

2011-12-17 19:42:47 -------- d-----w- C:\ProgramData\Malwarebytes

2011-12-17 19:42:43 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys

2011-12-17 19:42:43 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2011-12-16 18:59:42 -------- d-----we C:\Windows\system64

2011-12-14 04:11:44 677136 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll

.

==================== Find3M ====================

.

2011-09-24 14:42:25 1393736 ----a-w- C:\Users\Harley\gotomypc_626.exe

.

============= FINISH: 14:03:41.10 ===============


LSP: mswsock.dll

You're still infected with a BackDoor infection

Please do not attach the scan results from ComboFix. Use copy/paste.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have XP SP3, use the XP SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.


Using either Link 1 or Link 2, I save to my desktop. I then click the icon to open and get a combofix popup that says:

-----------------------------------------

This operating system is not supported!

ComboFix only runs on:

*Windows XP (32 bit)

*Windows Vista (32/64 bit)

*Windows 7 (32/64 bit)

Windows 2000 is no longer supported.

-----------------------------------------

I'm running Windows Vista so something's wrong.


Delete the combofix from the desktop and try this.

Be sure to rename it before saving.

Download Combofix from any of the links below but rename it to Iexplorer.com before saving it to your desktop.

* IMPORTANT !!! Save Iexplorer.com to your Desktop

Link 1

Link 2<--Right Click and use Save As if using this link.

Double click on the Iexplorer.com ComboFix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.


ComboFix 11-12-20.04 - Harley 12/20/2011 14:57:38.1.4 - x64

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.8190.6522 [GMT -8:00]

Running from: c:\users\Harley\Desktop\Iexplorer.com

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

C:\Images

c:\images\DirCfg.ini

c:\windows\iun6002.exe

.

.

((((((((((((((((((((((((( Files Created from 2011-11-20 to 2011-12-20 )))))))))))))))))))))))))))))))

.

.

2011-12-20 23:07 . 2011-12-20 23:07 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-12-20 21:16 . 2011-12-20 21:16 2 --shatr- c:\windows\winstart.bat

2011-12-20 21:16 . 2011-12-20 21:28 -------- d-----w- c:\program files (x86)\UnHackMe

2011-12-20 21:15 . 2011-12-20 21:15 -------- d-----w- c:\programdata\WeCareReminder

2011-12-20 17:17 . 2011-12-20 17:17 -------- d-----w- c:\users\UpdatusUser

2011-12-20 17:17 . 2011-12-20 17:17 -------- d-----w- c:\program files (x86)\NVIDIA Corporation

2011-12-20 17:17 . 2011-05-21 14:01 739432 ----a-w- c:\windows\system32\easyupdatusapiu64.dll

2011-12-20 17:17 . 2011-05-21 14:01 61544 ----a-w- c:\windows\system32\nvshext.dll

2011-12-20 17:17 . 2011-05-21 14:01 117864 ----a-w- c:\windows\system32\nvmctray.dll

2011-12-20 17:17 . 2010-08-12 19:46 758272 ----a-w- c:\windows\system32\cohelper.dll

2011-12-20 17:15 . 2011-12-20 17:15 -------- d-----w- c:\programdata\NVIDIA Corporation

2011-12-20 16:13 . 2011-12-20 16:13 -------- d-----w- c:\program files (x86)\MSXML 4.0

2011-12-20 16:02 . 2011-06-02 13:22 2762240 ----a-w- c:\windows\system32\win32k.sys

2011-12-20 16:02 . 2011-04-29 13:12 176128 ----a-w- c:\windows\system32\drivers\srv2.sys

2011-12-20 16:02 . 2011-04-29 13:12 144896 ----a-w- c:\windows\system32\drivers\srvnet.sys

2011-12-20 16:02 . 2009-11-03 22:42 28160 ----a-w- c:\windows\system32\drivers\en-US\http.sys.mui

2011-12-20 16:00 . 2011-04-30 06:22 1027584 ----a-w- c:\program files\Common Files\Microsoft Shared\vgx\VGX.dll

2011-12-20 16:00 . 2011-04-30 06:09 758784 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\vgx\VGX.dll

2011-12-20 16:00 . 2011-02-27 15:53 18320 ----a-w- c:\windows\system32\kdcom.dll

2011-12-20 16:00 . 2011-02-27 15:53 1075600 ----a-w- c:\windows\system32\winload.efi

2011-12-20 16:00 . 2011-02-27 15:53 990096 ----a-w- c:\windows\system32\winresume.efi

2011-12-20 16:00 . 2011-02-27 15:53 979344 ----a-w- c:\windows\system32\winresume.exe

2011-12-20 16:00 . 2011-02-27 15:53 18832 ----a-w- c:\windows\system32\kd1394.dll

2011-12-20 16:00 . 2011-02-27 15:53 1062800 ----a-w- c:\windows\system32\winload.exe

2011-12-20 16:00 . 2011-02-27 15:53 20880 ----a-w- c:\windows\system32\kdusb.dll

2011-12-20 06:13 . 2010-10-15 14:02 4692368 ----a-w- c:\windows\system32\ntoskrnl.exe

2011-12-20 06:13 . 2011-02-16 15:36 48128 ----a-w- c:\windows\system32\atmlib.dll

2011-12-20 06:13 . 2011-02-16 15:29 34304 ----a-w- c:\windows\SysWow64\atmlib.dll

2011-12-20 06:13 . 2011-02-16 13:44 367616 ----a-w- c:\windows\system32\atmfd.dll

2011-12-20 06:13 . 2011-02-16 13:24 292864 ----a-w- c:\windows\SysWow64\atmfd.dll

2011-12-20 06:13 . 2010-10-15 13:43 1167488 ----a-w- c:\windows\SysWow64\ntdll.dll

2011-12-20 06:13 . 2010-10-15 13:43 1560960 ----a-w- c:\windows\system32\ntdll.dll

2011-12-20 06:13 . 2011-03-02 15:10 117760 ----a-w- c:\windows\system32\dnsrslvr.dll

2011-12-20 06:13 . 2009-05-04 10:38 28672 ----a-w- c:\windows\system32\dnscacheugc.exe

2011-12-20 06:13 . 2009-05-04 10:11 25088 ----a-w- c:\windows\SysWow64\dnscacheugc.exe

2011-12-20 06:12 . 2011-03-03 15:06 32256 ----a-w- c:\windows\system32\Apphlpdm.dll

2011-12-20 06:12 . 2011-03-03 14:56 28672 ----a-w- c:\windows\SysWow64\Apphlpdm.dll

2011-12-20 06:12 . 2011-03-03 13:01 4240384 ----a-w- c:\windows\SysWow64\GameUXLegacyGDFs.dll

2011-12-20 06:12 . 2011-03-03 13:25 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll

2011-12-20 06:09 . 2011-05-02 16:35 975360 ----a-w- c:\windows\system32\inetcomm.dll

2011-12-20 06:09 . 2011-05-02 15:58 738816 ----a-w- c:\windows\SysWow64\inetcomm.dll

2011-12-20 06:09 . 2011-03-10 16:30 1360384 ----a-w- c:\windows\system32\mfc42u.dll

2011-12-20 06:09 . 2011-03-10 16:30 1398784 ----a-w- c:\windows\system32\mfc42.dll

2011-12-20 06:09 . 2011-03-10 16:12 1161728 ----a-w- c:\windows\SysWow64\mfc42u.dll

2011-12-20 06:09 . 2011-03-10 16:12 1136640 ----a-w- c:\windows\SysWow64\mfc42.dll

2011-12-20 06:09 . 2011-04-29 15:25 344576 ----a-w- c:\windows\system32\schannel.dll

2011-12-20 06:09 . 2011-04-29 14:54 276992 ----a-w- c:\windows\SysWow64\schannel.dll

2011-12-20 06:09 . 2011-04-20 15:16 450048 ----a-w- c:\windows\system32\winsrv.dll

2011-12-20 06:09 . 2011-04-20 15:11 85504 ----a-w- c:\windows\system32\csrsrv.dll

2011-12-20 06:09 . 2011-04-14 14:45 97792 ----a-w- c:\windows\system32\drivers\dfsc.sys

2011-12-19 19:47 . 2011-12-19 19:47 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2011-12-19 04:31 . 2011-12-19 04:31 -------- d-----w- c:\users\Harley\AppData\Roaming\SUPERAntiSpyware.com

2011-12-19 04:30 . 2011-12-19 04:31 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-12-19 04:30 . 2011-12-19 04:30 -------- d-----w- c:\programdata\SUPERAntiSpyware.com

2011-12-19 03:25 . 2011-12-19 04:48 -------- d-----w- c:\users\Harley\AppData\Roaming\Systweak

2011-12-19 03:25 . 2011-07-07 21:26 18816 ----a-w- c:\windows\system32\roboot64.exe

2011-12-18 23:46 . 2011-12-19 00:54 -------- d-----w- c:\programdata\PC Tools

2011-12-17 19:43 . 2011-12-17 19:43 -------- d-----w- c:\users\Harley\AppData\Roaming\Malwarebytes

2011-12-17 19:42 . 2011-12-17 19:42 -------- d-----w- c:\programdata\Malwarebytes

2011-12-17 19:42 . 2011-12-17 19:42 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2011-12-17 19:42 . 2011-09-01 01:00 25416 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-12-16 18:59 . 2011-12-16 18:59 -------- d-----we c:\windows\system64

2011-12-14 04:11 . 2011-12-14 04:11 677136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-09-24 14:42 . 2011-09-24 14:42 1393736 ----a-w- c:\users\Harley\gotomypc_626.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]

"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-01 68856]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-12-09 5486464]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"TkBellExe"="c:\program files (x86)\Common Files\Real\Update_OB\realsched.exe" [2009-09-02 198160]

"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-09-01 449608]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Palo Alto Software Update Manager 9.0.lnk - c:\windows\Installer\{6B2D979E-216D-43A4-BAE2-71A185922CA1}\NewShortcut1.BDD3527A_D6D6_4DD6_AEAD_6B5236DA8F67.exe [2011-8-15 45056]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-31 135664]

R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-31 135664]

R3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]

R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\DRIVERS\WPN111vx.sys [x]

S0 nvamacpi;Nvidia Away Mode System;c:\windows\system32\DRIVERS\NVAMACPI.sys [x]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]

S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

S2 ETService;Empowering Technology Service;c:\program files\GATEWAY\Gateway Recovery Management\Service\ETService.exe [2008-06-11 24576]

S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-09-01 366152]

S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-05-21 2214504]

S3 AVer88xHD;AVerMedia 23888 AvStream Video Capture;c:\windows\system32\drivers\AVer88xHD64.sys [x]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]

S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RTS5121.sys [x]

.

.

Contents of the 'Scheduled Tasks' folder

.

2011-12-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-31 17:41]

.

2011-12-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-31 17:41]

.

2011-12-20 c:\windows\Tasks\User_Feed_Synchronization-{EDDC0795-DC79-44F1-AF35-1400D1E03959}.job

- c:\windows\system32\msfeedssync.exe [2011-12-20 04:32]

.

.

--------- x86-64 -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x0

.

------- Supplementary Scan -------

.

uStart Page = https://www.google.com/calendar/render?gsessionid=OK

uLocal Page = c:\windows\system32\blank.htm

mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=1208&m=lx6810-01

mLocal Page = c:\windows\SysWOW64\blank.htm

IE: Add to &Evernote - c:\program files (x86)\Evernote\Evernote3.5\enbar.dll/2000

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.1.1

CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll

.

- - - - ORPHANS REMOVED - - - -

.

Wow6432Node-HKLM-Run-eRecoveryService - (no file)

AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.10"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]

@Denied: (A 2) (Everyone)

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]

@="Shockwave Flash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]

@Denied: (A 2) (Everyone)

@=""

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]

@="FlashBroker"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]

"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

"MSCurrentCountry"=dword:000000b5

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files (x86)\Bonjour\mDNSResponder.exe

.

**************************************************************************

.

Completion time: 2011-12-20 15:14:08 - machine was rebooted

ComboFix-quarantined-files.txt 2011-12-20 23:14

.

Pre-Run: 469,976,641,536 bytes free

Post-Run: 469,860,818,944 bytes free

.

- - End Of File - - D662CB1B5771BB3249CFC8E34EE19F9B


ComboFix did need to be renamed (to Iexplorer) in order for me to execute it.

Pasted below is the most recent DDS. It appears that the rogue LSP (Layered Service Provider) is gone. The machine is running nicely. Can you tell from the report if anything else occurred and if I'm good? Curious if ComboFix also removed anything else nasty, organized, cleaned up, etc.

Thank you Sir Larry!

------------------------------------------------------------

.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 8.0.6001.19088

Run by Harley at 15:24:51 on 2011-12-20

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.8190.6500 [GMT -8:00]

.

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

C:\Windows\system32\nvvsvc.exe

C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE

C:\Windows\system32\agr64svc.exe

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Windows\system32\taskeng.exe

C:\Program Files (x86)\Bonjour\mDNSResponder.exe

C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\GATEWAY\Gateway Recovery Management\Service\ETService.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe

C:\Windows\system32\WUDFHost.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Windows\ehome\ehsched.exe

C:\Program Files\NVIDIA Corporation\Display\nvtray.exe

C:\Windows\ehome\ehRecvr.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe

C:\Windows\system32\notepad.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe

C:\Windows\system32\taskeng.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cscript.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = https://www.google.com/calendar/render?gsessionid=OK

mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=1208&m=lx6810-01

uURLSearchHooks: H - No File

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll

BHO: WeCareReminder Class: {d824f0de-3d60-4f57-9eb1-66033ecd8abb} - C:\ProgramData\WeCareReminder\IEHelperv2.5.0.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe

uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

uRun: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

mRun: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot

mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\PALOAL~1.LNK - C:\Windows\Installer\{6B2D979E-216D-43A4-BAE2-71A185922CA1}\NewShortcut1.BDD3527A_D6D6_4DD6_AEAD_6B5236DA8F67.exe

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: Add to &Evernote - C:\Program Files (x86)\Evernote\Evernote3.5\enbar.dll/2000

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{1382C867-F693-43B0-A71F-1B14D6A9E1E6} : DhcpNameServer = 192.168.1.1

BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll

BHO-X64: WeCareReminder Class: {D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} - C:\ProgramData\WeCareReminder\IEHelperv2.5.0.dll

BHO-X64: WeCareReminder - No File

TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

mRun-x64: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot

mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

.

============= SERVICES / DRIVERS ===============

.

R0 nvamacpi;Nvidia Away Mode System;C:\Windows\system32\DRIVERS\NVAMACPI.sys --> C:\Windows\system32\DRIVERS\NVAMACPI.sys [?]

R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]

R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]

R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-8-11 140672]

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

R2 ETService;Empowering Technology Service;C:\Program Files\GATEWAY\Gateway Recovery Management\Service\ETService.exe [2008-12-19 24576]

R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-17 366152]

R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-12-20 2214504]

R3 AVer88xHD;AVerMedia 23888 AvStream Video Capture;C:\Windows\system32\drivers\AVer88xHD64.sys --> C:\Windows\system32\drivers\AVer88xHD64.sys [?]

R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]

R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RTS5121.sys --> C:\Windows\system32\Drivers\RTS5121.sys [?]

S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-1-31 135664]

S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-1-31 135664]

S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]

S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;C:\Windows\system32\DRIVERS\WPN111vx.sys --> C:\Windows\system32\DRIVERS\WPN111vx.sys [?]

S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-3-1 93184]

.

=============== File Associations ===============

.

JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*

.

=============== Created Last 30 ================

.

2011-12-20 23:14:10 -------- d-----w- C:\Users\Harley\AppData\Local\temp

2011-12-20 23:08:39 -------- d-----w- C:\$RECYCLE.BIN

2011-12-20 22:56:37 98816 ----a-w- C:\Windows\sed.exe

2011-12-20 22:56:37 518144 ----a-w- C:\Windows\SWREG.exe

2011-12-20 22:56:37 256000 ----a-w- C:\Windows\PEV.exe

2011-12-20 22:56:37 208896 ----a-w- C:\Windows\MBR.exe

2011-12-20 21:16:50 2 --shatr- C:\Windows\winstart.bat

2011-12-20 21:16:45 -------- d-----w- C:\Program Files (x86)\UnHackMe

2011-12-20 21:15:36 -------- d-----w- C:\ProgramData\WeCareReminder

2011-12-20 17:17:29 -------- d-----w- C:\Program Files (x86)\NVIDIA Corporation

2011-12-20 17:17:21 739432 ----a-w- C:\Windows\System32\easyupdatusapiu64.dll

2011-12-20 17:17:21 61544 ----a-w- C:\Windows\System32\nvshext.dll

2011-12-20 17:17:21 117864 ----a-w- C:\Windows\System32\nvmctray.dll

2011-12-20 17:17:18 758272 ----a-w- C:\Windows\System32\cohelper.dll

2011-12-20 17:15:52 -------- d-----w- C:\ProgramData\NVIDIA Corporation

2011-12-20 16:13:48 -------- d-----w- C:\Program Files (x86)\MSXML 4.0

2011-12-20 16:02:39 2762240 ----a-w- C:\Windows\System32\win32k.sys

2011-12-20 16:02:37 176128 ----a-w- C:\Windows\System32\drivers\srv2.sys

2011-12-20 16:02:37 144896 ----a-w- C:\Windows\System32\drivers\srvnet.sys

2011-12-20 16:02:31 28160 ----a-w- C:\Windows\System32\drivers\en-US\http.sys.mui

2011-12-20 16:00:58 758784 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\vgx\VGX.dll

2011-12-20 16:00:58 1027584 ----a-w- C:\Program Files\Common Files\Microsoft Shared\vgx\VGX.dll

2011-12-20 16:00:55 990096 ----a-w- C:\Windows\System32\winresume.efi

2011-12-20 16:00:55 979344 ----a-w- C:\Windows\System32\winresume.exe

2011-12-20 16:00:55 18832 ----a-w- C:\Windows\System32\kd1394.dll

2011-12-20 16:00:55 18320 ----a-w- C:\Windows\System32\kdcom.dll

2011-12-20 16:00:55 1075600 ----a-w- C:\Windows\System32\winload.efi

2011-12-20 16:00:55 1062800 ----a-w- C:\Windows\System32\winload.exe

2011-12-20 16:00:54 20880 ----a-w- C:\Windows\System32\kdusb.dll

2011-12-20 06:13:46 4692368 ----a-w- C:\Windows\System32\ntoskrnl.exe

2011-12-20 06:13:45 48128 ----a-w- C:\Windows\System32\atmlib.dll

2011-12-20 06:13:45 367616 ----a-w- C:\Windows\System32\atmfd.dll

2011-12-20 06:13:45 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll

2011-12-20 06:13:45 292864 ----a-w- C:\Windows\SysWow64\atmfd.dll

2011-12-20 06:13:45 1560960 ----a-w- C:\Windows\System32\ntdll.dll

2011-12-20 06:13:45 1167488 ----a-w- C:\Windows\SysWow64\ntdll.dll

2011-12-20 06:13:44 28672 ----a-w- C:\Windows\System32\dnscacheugc.exe

2011-12-20 06:13:44 25088 ----a-w- C:\Windows\SysWow64\dnscacheugc.exe

2011-12-20 06:13:44 117760 ----a-w- C:\Windows\System32\dnsrslvr.dll

2011-12-20 06:12:05 4240384 ----a-w- C:\Windows\SysWow64\GameUXLegacyGDFs.dll

2011-12-20 06:12:05 32256 ----a-w- C:\Windows\System32\Apphlpdm.dll

2011-12-20 06:12:05 28672 ----a-w- C:\Windows\SysWow64\Apphlpdm.dll

2011-12-20 06:12:04 4240384 ----a-w- C:\Windows\System32\GameUXLegacyGDFs.dll

2011-12-20 06:09:14 975360 ----a-w- C:\Windows\System32\inetcomm.dll

2011-12-20 06:09:14 738816 ----a-w- C:\Windows\SysWow64\inetcomm.dll

2011-12-20 06:09:13 1398784 ----a-w- C:\Windows\System32\mfc42.dll

2011-12-20 06:09:13 1360384 ----a-w- C:\Windows\System32\mfc42u.dll

2011-12-20 06:09:13 1161728 ----a-w- C:\Windows\SysWow64\mfc42u.dll

2011-12-20 06:09:13 1136640 ----a-w- C:\Windows\SysWow64\mfc42.dll

2011-12-20 06:09:12 344576 ----a-w- C:\Windows\System32\schannel.dll

2011-12-20 06:09:12 276992 ----a-w- C:\Windows\SysWow64\schannel.dll

2011-12-20 06:09:07 85504 ----a-w- C:\Windows\System32\csrsrv.dll

2011-12-20 06:09:07 450048 ----a-w- C:\Windows\System32\winsrv.dll

2011-12-20 06:09:06 97792 ----a-w- C:\Windows\System32\drivers\dfsc.sys

2011-12-19 19:47:46 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2011-12-19 04:31:22 -------- d-----w- C:\Users\Harley\AppData\Roaming\SUPERAntiSpyware.com

2011-12-19 04:30:47 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com

2011-12-19 04:30:47 -------- d-----w- C:\Program Files\SUPERAntiSpyware

2011-12-19 03:25:17 -------- d-----w- C:\Users\Harley\AppData\Roaming\Systweak

2011-12-19 03:25:16 18816 ----a-w- C:\Windows\System32\roboot64.exe

2011-12-18 23:46:05 -------- d-----w- C:\ProgramData\PC Tools

2011-12-17 19:43:16 -------- d-----w- C:\Users\Harley\AppData\Roaming\Malwarebytes

2011-12-17 19:42:47 -------- d-----w- C:\ProgramData\Malwarebytes

2011-12-17 19:42:43 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys

2011-12-17 19:42:43 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2011-12-16 18:59:42 -------- d-----we C:\Windows\system64

2011-12-14 04:11:44 677136 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll

.

==================== Find3M ====================

.

2011-09-24 14:42:25 1393736 ----a-w- C:\Users\Harley\gotomypc_626.exe

.

============= FINISH: 15:25:19.25 ===============


I can't tell what all combofix removed.

Rename Iexplorer.com to combofix.exe then do this.

Good job

The following will implement some cleanup procedures as well as reset System Restore points:

For XP:

  • Click START run
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.

For Vista / Windows 7

  • Click START Search
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.

If you used DeFogger

To re-enable your Emulation drivers, double click DeFogger to run the tool.

  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

Here's my usual all clean post

To be on the safe side, I would also change all my passwords.

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.

Log looks good :D

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week
    (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer.
    Without a firewall your computer is susceptible to being hacked and taken over.
    I am very serious about this and see it happen almost every day with my clients.
    Simply using a Firewall in its default configuration can lower your risk greatly.
  • Using a secure browser plugin M86 SecureBrowsing makes it safe to search, surf and socialize online. This free browser plug-in displays security icons next to links on search engines and social networking sites like Facebook, Twitter and LinkedIn, so you'll know which pages are safe and which ones to avoid.
    • Free browser plug-in for Internet Explorer and Firefox
    • Real-time safety ratings
    • Ideal for Facebook, Twitter and LinkedIn
  • JAVA Click this link and click on the Free JAVA Download
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
    This will ensure your computer always has the latest available security updates installed.
    If there are new updates to install, install them immediately, reboot your computer, and revisit the site
    until there are no more critical updates.

Only run one Anti-Virus and Firewall program.

I would suggest you read:

PC Safety and Security--What Do I Need?

How to Prevent Malware:

The full version of Malwarebytes' Anti-Malware could have helped protect your computer against this threat.

We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.


Seems to be running smoothly. I did have to rename ComboFix and call it Iexplorer in order to get it to work on my computer.

Here is the most recent DDS.

Can you share thoughts on what's been removed (in gross)? Do I look good to go?


IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{1382C867-F693-43B0-A71F-1B14D6A9E1E6} : DhcpNameServer = 192.168.1.1

BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll

BHO-X64: WeCareReminder Class: {D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} - C:\ProgramData\WeCareReminder\IEHelperv2.5.0.dll

BHO-X64: WeCareReminder - No File

TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

mRun-x64: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot

mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

.

============= SERVICES / DRIVERS ===============

.

R0 nvamacpi;Nvidia Away Mode System;C:\Windows\system32\DRIVERS\NVAMACPI.sys --> C:\Windows\system32\DRIVERS\NVAMACPI.sys [?]

R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]

R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]

R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-8-11 140672]

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

R2 ETService;Empowering Technology Service;C:\Program Files\GATEWAY\Gateway Recovery Management\Service\ETService.exe [2008-12-19 24576]

R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-17 366152]

R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-12-20 2214504]

R3 AVer88xHD;AVerMedia 23888 AvStream Video Capture;C:\Windows\system32\drivers\AVer88xHD64.sys --> C:\Windows\system32\drivers\AVer88xHD64.sys [?]

R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]

R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RTS5121.sys --> C:\Windows\system32\Drivers\RTS5121.sys [?]

S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-1-31 135664]

S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-1-31 135664]

S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]

S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;C:\Windows\system32\DRIVERS\WPN111vx.sys --> C:\Windows\system32\DRIVERS\WPN111vx.sys [?]

S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-3-1 93184]

.

=============== File Associations ===============

.

JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*

.

=============== Created Last 30 ================

.

2011-12-20 23:14:10 -------- d-----w- C:\Users\Harley\AppData\Local\temp

2011-12-20 23:08:39 -------- d-----w- C:\$RECYCLE.BIN

2011-12-20 22:56:37 98816 ----a-w- C:\Windows\sed.exe

2011-12-20 22:56:37 518144 ----a-w- C:\Windows\SWREG.exe

2011-12-20 22:56:37 256000 ----a-w- C:\Windows\PEV.exe

2011-12-20 22:56:37 208896 ----a-w- C:\Windows\MBR.exe

2011-12-20 21:16:50 2 --shatr- C:\Windows\winstart.bat

2011-12-20 21:16:45 -------- d-----w- C:\Program Files (x86)\UnHackMe

2011-12-20 21:15:36 -------- d-----w- C:\ProgramData\WeCareReminder

2011-12-20 17:17:29 -------- d-----w- C:\Program Files (x86)\NVIDIA Corporation

2011-12-20 17:17:21 739432 ----a-w- C:\Windows\System32\easyupdatusapiu64.dll

2011-12-20 17:17:21 61544 ----a-w- C:\Windows\System32\nvshext.dll

2011-12-20 17:17:21 117864 ----a-w- C:\Windows\System32\nvmctray.dll

2011-12-20 17:17:18 758272 ----a-w- C:\Windows\System32\cohelper.dll

2011-12-20 17:15:52 -------- d-----w- C:\ProgramData\NVIDIA Corporation

2011-12-20 16:13:48 -------- d-----w- C:\Program Files (x86)\MSXML 4.0

2011-12-20 16:02:39 2762240 ----a-w- C:\Windows\System32\win32k.sys

2011-12-20 16:02:37 176128 ----a-w- C:\Windows\System32\drivers\srv2.sys

2011-12-20 16:02:37 144896 ----a-w- C:\Windows\System32\drivers\srvnet.sys

2011-12-20 16:02:31 28160 ----a-w- C:\Windows\System32\drivers\en-US\http.sys.mui

2011-12-20 16:00:58 758784 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\vgx\VGX.dll

2011-12-20 16:00:58 1027584 ----a-w- C:\Program Files\Common Files\Microsoft Shared\vgx\VGX.dll

2011-12-20 16:00:55 990096 ----a-w- C:\Windows\System32\winresume.efi

2011-12-20 16:00:55 979344 ----a-w- C:\Windows\System32\winresume.exe

2011-12-20 16:00:55 18832 ----a-w- C:\Windows\System32\kd1394.dll

2011-12-20 16:00:55 18320 ----a-w- C:\Windows\System32\kdcom.dll

2011-12-20 16:00:55 1075600 ----a-w- C:\Windows\System32\winload.efi

2011-12-20 16:00:55 1062800 ----a-w- C:\Windows\System32\winload.exe

2011-12-20 16:00:54 20880 ----a-w- C:\Windows\System32\kdusb.dll

2011-12-20 06:13:46 4692368 ----a-w- C:\Windows\System32\ntoskrnl.exe

2011-12-20 06:13:45 48128 ----a-w- C:\Windows\System32\atmlib.dll

2011-12-20 06:13:45 367616 ----a-w- C:\Windows\System32\atmfd.dll

2011-12-20 06:13:45 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll

2011-12-20 06:13:45 292864 ----a-w- C:\Windows\SysWow64\atmfd.dll

2011-12-20 06:13:45 1560960 ----a-w- C:\Windows\System32\ntdll.dll

2011-12-20 06:13:45 1167488 ----a-w- C:\Windows\SysWow64\ntdll.dll

2011-12-20 06:13:44 28672 ----a-w- C:\Windows\System32\dnscacheugc.exe

2011-12-20 06:13:44 25088 ----a-w- C:\Windows\SysWow64\dnscacheugc.exe

2011-12-20 06:13:44 117760 ----a-w- C:\Windows\System32\dnsrslvr.dll

2011-12-20 06:12:05 4240384 ----a-w- C:\Windows\SysWow64\GameUXLegacyGDFs.dll

2011-12-20 06:12:05 32256 ----a-w- C:\Windows\System32\Apphlpdm.dll

2011-12-20 06:12:05 28672 ----a-w- C:\Windows\SysWow64\Apphlpdm.dll

2011-12-20 06:12:04 4240384 ----a-w- C:\Windows\System32\GameUXLegacyGDFs.dll

2011-12-20 06:09:14 975360 ----a-w- C:\Windows\System32\inetcomm.dll

2011-12-20 06:09:14 738816 ----a-w- C:\Windows\SysWow64\inetcomm.dll

2011-12-20 06:09:13 1398784 ----a-w- C:\Windows\System32\mfc42.dll

2011-12-20 06:09:13 1360384 ----a-w- C:\Windows\System32\mfc42u.dll

2011-12-20 06:09:13 1161728 ----a-w- C:\Windows\SysWow64\mfc42u.dll

2011-12-20 06:09:13 1136640 ----a-w- C:\Windows\SysWow64\mfc42.dll

2011-12-20 06:09:12 344576 ----a-w- C:\Windows\System32\schannel.dll

2011-12-20 06:09:12 276992 ----a-w- C:\Windows\SysWow64\schannel.dll

2011-12-20 06:09:07 85504 ----a-w- C:\Windows\System32\csrsrv.dll

2011-12-20 06:09:07 450048 ----a-w- C:\Windows\System32\winsrv.dll

2011-12-20 06:09:06 97792 ----a-w- C:\Windows\System32\drivers\dfsc.sys

2011-12-19 19:47:46 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2011-12-19 04:31:22 -------- d-----w- C:\Users\Harley\AppData\Roaming\SUPERAntiSpyware.com

2011-12-19 04:30:47 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com

2011-12-19 04:30:47 -------- d-----w- C:\Program Files\SUPERAntiSpyware

2011-12-19 03:25:17 -------- d-----w- C:\Users\Harley\AppData\Roaming\Systweak

2011-12-19 03:25:16 18816 ----a-w- C:\Windows\System32\roboot64.exe

2011-12-18 23:46:05 -------- d-----w- C:\ProgramData\PC Tools

2011-12-17 19:43:16 -------- d-----w- C:\Users\Harley\AppData\Roaming\Malwarebytes

2011-12-17 19:42:47 -------- d-----w- C:\ProgramData\Malwarebytes

2011-12-17 19:42:43 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys

2011-12-17 19:42:43 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2011-12-16 18:59:42 -------- d-----we C:\Windows\system64

2011-12-14 04:11:44 677136 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll

.

==================== Find3M ====================

.

2011-09-24 14:42:25 1393736 ----a-w- C:\Users\Harley\gotomypc_626.exe

.

============= FINISH: 15:25:19.25 ===============
