MallBrat Posted December 17, 2011 ID:506034 Share Posted December 17, 2011 Request for help regarding detection of "Pup BitMiner Virus" and if I've rid it from my computer.I've run latest version of MBAM as suggested. Attached are DDS and ATTACH files. Thank you!Followed instructions as per Malwarebytes "I'm Infected what do I do now" and still getting random popups. Running 5th scan and getting PUP.BitMiner again. It appears unselcted so must put check mark next to name. Waiting for help if you've got a chance. Thanks..DDS (Ver_2011-08-26.01) - NTFSAMD64 Internet Explorer: 8.0.6001.18999Run by Harley at 13:11:17 on 2011-12-17Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.8190.6509 [GMT -8:00].SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}.============== Running Processes ===============.C:\Windows\system32\wininit.exeC:\Windows\system32\lsm.exeC:\Windows\system32\svchost.exe -k DcomLaunchC:\Windows\system32\nvvsvc.exeC:\Windows\system32\svchost.exe -k rpcssC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestrictedC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestrictedC:\Windows\system32\svchost.exe -k netsvcsC:\Windows\system32\svchost.exe -k GPSvcGroupC:\Windows\system32\SLsvc.exeC:\Windows\system32\svchost.exe -k LocalServiceC:\Windows\system32\svchost.exe -k NetworkServiceC:\Windows\System32\spoolsv.exeC:\Windows\system32\rundll32.exeC:\Windows\system32\taskeng.exeC:\Windows\system32\Dwm.exeC:\Windows\system32\taskeng.exeC:\Windows\Explorer.EXEC:\Windows\ehome\ehtray.exeC:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeC:\ProgramData\Verizon\UA_ar\UtilityApplication.exeC:\Windows\ehome\ehmsas.exeC:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exeC:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exeC:\Windows\system32\agr64svc.exeC:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files (x86)\Bonjour\mDNSResponder.exeC:\Windows\System32\svchost.exe -k LocalServiceNoNetworkC:\Program Files\GATEWAY\Gateway Recovery Management\Service\ETService.exeC:\Windows\system32\svchost.exe -k imgsvcC:\Windows\System32\svchost.exe -k WerSvcGroupC:\Windows\system32\SearchIndexer.exeC:\Windows\system32\WUDFHost.exeC:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exeC:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exeC:\Windows\ehome\ehsched.exeC:\Program Files\Windows Media Player\wmpnscfg.exeC:\Program Files\Windows Media Player\wmpnetwk.exeC:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exeC:\Windows\ehome\ehRecvr.exeC:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exeC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wuauclt.exeC:\Windows\splwow64.exeC:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cscript.exe.============== Pseudo HJT Report ===============.uStart Page = https://www.google.com/calendar/render?gsessionid=OKuDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=1208&m=lx6810-01mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=1208&m=lx6810-01mDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=1208&m=lx6810-01mWinlogon: Userinit=userinit.exe,BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dllBHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dllTB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dlluRun: [ehTray.exe] C:\Windows\ehome\ehTray.exeuRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"uRun: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exemRun: [eRecoveryService] mRun: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osbootmRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttrayStartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\LAUNCH~1.LNK - C:\ProgramData\Verizon\UA_ar\UtilityApplication.exeStartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\PALOAL~1.LNK - C:\Windows\Installer\{6B2D979E-216D-43A4-BAE2-71A185922CA1}\NewShortcut1.BDD3527A_D6D6_4DD6_AEAD_6B5236DA8F67.exeuPolicies-explorer: HideSCAHealth = 1 (0x1)mPolicies-explorer: NoActiveDesktop = 1 (0x1)mPolicies-system: EnableLUA = 0 (0x0)mPolicies-system: EnableUIADesktopToggle = 0 (0x0)IE: Add to &Evernote - C:\Program Files (x86)\Evernote\Evernote3.5\enbar.dll/2000IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000LSP: %SYSTEMROOT%\system32\nvLsp.dllLSP: mswsock.dllDPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cabDPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cabDPF: {5554DCB0-700B-498D-9B58-4E40E5814405} - hxxp://www.foodsdatabase.com/Reserved.ReportViewerWebControl.axd?ReportSession=sv1y5pivza5bfl55xmuc2p55&ControlID=093a6e05673e42afbc8a4fe0c0c7f18b&Culture=1033&UICulture=1033&ReportStack=1&OpType=PrintCabDPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cabDPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cabDPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cabDPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cabDPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cabTCP: DhcpNameServer = 192.168.1.1TCP: Interfaces\{1382C867-F693-43B0-A71F-1B14D6A9E1E6} : DhcpNameServer = 192.168.1.1SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dllBHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dllTB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dllmRun-x64: [eRecoveryService] mRun-x64: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osbootmRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttrayHosts: 127.0.0.1 www.spywareinfo.com.============= SERVICES / DRIVERS ===============.R0 nvamacpi;Nvidia Away Mode System;C:\Windows\system32\DRIVERS\NVAMACPI.sys --> C:\Windows\system32\DRIVERS\NVAMACPI.sys [?]R2 ETService;Empowering Technology Service;C:\Program Files\GATEWAY\Gateway Recovery Management\Service\ETService.exe [2008-12-19 24576]R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-17 366152]R3 AVer88xHD;AVerMedia 23888 AvStream Video Capture;C:\Windows\system32\drivers\AVer88xHD64.sys --> C:\Windows\system32\drivers\AVer88xHD64.sys [?]R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RTS5121.sys --> C:\Windows\system32\Drivers\RTS5121.sys [?]S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-1-31 135664]S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-3-1 93184]S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-1-31 135664]S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;C:\Windows\system32\DRIVERS\WPN111vx.sys --> C:\Windows\system32\DRIVERS\WPN111vx.sys [?].=============== File Associations ===============.JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*.=============== Created Last 30 ================.2011-12-17 19:43:16 -------- d-----w- C:\Users\Harley\AppData\Roaming\Malwarebytes2011-12-17 19:42:47 -------- d-----w- C:\ProgramData\Malwarebytes2011-12-17 19:42:43 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys2011-12-17 19:42:43 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware2011-12-16 18:59:42 -------- d-----we C:\Windows\system642011-12-14 04:11:44 677136 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll.==================== Find3M ====================.2011-09-24 14:42:25 1393736 ----a-w- C:\Users\Harley\gotomypc_626.exe.============= FINISH: 13:11:44.66 ===============DDS.txtAttach.txt Link to post Share on other sites More sharing options...
MallBrat Posted December 19, 2011 Author ID:506668 Share Posted December 19, 2011 With all respect to this board, after 48 hours I've decided to make some preemptive decisions to rid myself of the Google ReDirect issues. I've followed the instructions posted to other users and so far, it seems to have worked. (It's important to note I researched the heck out of this.)I used a combo of TDSS Fix Tool, rkill, SuperAntiSpyware(FreeVersion), Malwarebytes and Spybot Search & Destroy.(I looked at StopZilla which seemed decent (similar to SuperAntiSpyware) and RegCleanPro (leary and a bit consuming)Original ReDirect Issues were:Rootkit.TDSSTrojan.exe.shellpup.BitMinerpup.RewardsArcade Machine has been running nicely for 4 hours. Doing consistant scans and preventing typical adware cookies (doubleclick, etc.) Running 3x faster than I've been for weeks. NOTE: IN NO WAY am I advocating a position or suggesting anyone do the same. I'm just saying ther seems to be a way out of this mess (fingers crossed) Link to post Share on other sites More sharing options...
LDTate Posted December 20, 2011 ID:506825 Share Posted December 20, 2011 Please do not attach the scan results from Combofx. Use copy/paste.Vista and Windows 7 users:1. These tools MUST be run from the executable. (.exe) every time you run them 2. With Admin Rights (Right click, choose "Run as Administrator")Download ComboFix from one of these locations:Link 1Link 2 If using this link, Right Click and select Save As.* IMPORTANT !!! Save ComboFix.exe to your DesktopDisable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective ProgramsDouble click on ComboFix.exe & follow the prompts.Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7. Note: If you have XP SP3, use the XP SP2 package.If Vista or Windows 7, skip the Recovery Console partAs part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:Click on Yes, to continue scanning for malware.When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.Notes:1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper. 4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.Give it atleast 20-30 minutes to finish if needed.Please do not attach the scan results from Combofx. Use copy/paste.Also please describe how your computer behaves at the moment. Link to post Share on other sites More sharing options...
MallBrat Posted December 20, 2011 Author ID:506885 Share Posted December 20, 2011 Clicked the LINK 1 and it gave me a run prompt. I selected it and it downloaded the combofix icon to my desktop. However, when I double clicked it, it opened a window saying "Combofix no longer supports Windows 2000". I have Vista so that's odd.The second LINK2 was in spanish and locked up my IE. Not good. Suggestions? Link to post Share on other sites More sharing options...
MallBrat Posted December 20, 2011 Author ID:506887 Share Posted December 20, 2011 Clicked the LINK 1 and it gave me a run prompt so I selected it and downloaded to my desktop. However, when I double clicked the ICON, it opened a window saying "Combofix no longer supports Windows 2000". I have Windows Vista Home Premium. So combofix doesn't work here. The second LINK2 was in spanish and locked up my IE. So combo fix not working here either. Suggestions? Link to post Share on other sites More sharing options...
LDTate Posted December 20, 2011 ID:506951 Share Posted December 20, 2011 Whether you wish to continue with cleaning or not, you should be aware that you may have been infected by a backdoor trojan. This type of program has the ability to steal passwords and other information from your system. If you are using your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.Consider what other private information could possibly have been taken from your computer and take appropriate stepsRemoving this infection can also disable the ability to connect to the internet.This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean, if this is unacceptable to you then you should consider reformatting the system partition and reinstalling Windows as this is the only 100% sure answer.Please post back to let me know how you wish to proceed.Logs will be closed if you haven't replied within 3 days Please don't attach the scans / logs for these tools, use "copy/paste".DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.Doing so could make your pc inoperatible and could require a full reinstall of your OS, losing all your programs and data.Please run a new MBAM scan being sure to update before scanning.Post the scan resultsAlso please describe how your computer behaves at the moment.Please don't attach the scans / logs, use "copy/paste". Link to post Share on other sites More sharing options...
MallBrat Posted December 20, 2011 Author ID:507003 Share Posted December 20, 2011 Yes I'd like to clean it. Link to post Share on other sites More sharing options...
LDTate Posted December 20, 2011 ID:507019 Share Posted December 20, 2011 Are you still seeing this?pup.BitMiner Link to post Share on other sites More sharing options...
MallBrat Posted December 20, 2011 Author ID:507023 Share Posted December 20, 2011 Computer has ben behaving fine today. A little slow but functioning properly. Noticed Windows Defender has been permenently disabled and not sure how or when, may be unrelated. Malwarebytes' Anti-Malware 1.51.2.1300www.malwarebytes.orgDatabase version: 8403Windows 6.0.6001 Service Pack 1Internet Explorer 8.0.6001.1899912/20/2011 08:36:54mbam-log-2011-12-20 (08-36-54).txtScan type: Full scan (C:\|)Objects scanned: 342258Time elapsed: 30 minute(s), 46 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected) Link to post Share on other sites More sharing options...
LDTate Posted December 20, 2011 ID:507025 Share Posted December 20, 2011 Can you opem MBAM and click Logs and post the MBAM scan that removed pup.BitMiner Link to post Share on other sites More sharing options...
MallBrat Posted December 20, 2011 Author ID:507047 Share Posted December 20, 2011 Attached are 6 logs: First log removes Rootkit.TDSS and Trojan.exeShell.gen. PUP.BitMiner was not checked off (didn't see it had to be done manually) and so was not selected for removal. Second log removes selected PUP.BitMiner. Ran two more scans and no infections appeared. Then... Third Log below represents reappearance of PUP.BitMiner. Ran two more scans and no infections appeared. Then...Forth log shows getting hit with PUP.RewardsArcade.Fifth log removes las remnant of PUP.RewardsArcade.Sixth log is a reaccuring "protection log" I receive each day showing error for "IP protetion failed" All 5 recent scans have been error free.----------------------------------Malwarebytes' Anti-Malware 1.51.2.1300www.malwarebytes.orgDatabase version: 8388Windows 6.0.6001 Service Pack 1Internet Explorer 8.0.6001.1899912/17/2011 12:11:15mbam-log-2011-12-17 (12-11-15).txtScan type: Full scan (C:\|)Objects scanned: 332864Time elapsed: 24 minute(s), 21 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 3Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:c:\$Recycle.Bin\s-1-5-21-278700290-3637369481-1809467469-1000\$RUZ9QUR.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\lrq.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.c:\Windows\assembly\temp\kwrd.dll (PUP.BitMiner) -> Not selected for removal.-------------------------------------Malwarebytes' Anti-Malware 1.51.2.1300www.malwarebytes.orgDatabase version: 8388Windows 6.0.6001 Service Pack 1Internet Explorer 8.0.6001.1899912/17/2011 12:59:14mbam-log-2011-12-17 (12-59-14).txtScan type: Full scan (C:\|)Objects scanned: 333795Time elapsed: 23 minute(s), 49 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 1Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:c:\Windows\assembly\temp\kwrd.dll (PUP.BitMiner) -> Quarantined and deleted successfully.----------------------------------Malwarebytes' Anti-Malware 1.51.2.1300www.malwarebytes.orgDatabase version: 8393Windows 6.0.6001 Service Pack 1Internet Explorer 8.0.6001.1899912/18/2011 10:05:33mbam-log-2011-12-18 (10-05-33).txtScan type: Full scan (C:\|)Objects scanned: 337954Time elapsed: 29 minute(s), 48 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 1Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:c:\Windows\assembly\temp\kwrd.dll (PUP.BitMiner) -> Quarantined and deleted successfully.--------------------------------Malwarebytes' Anti-Malware 1.51.2.1300www.malwarebytes.orgDatabase version: 8395Windows 6.0.6001 Service Pack 1Internet Explorer 8.0.6001.1899912/18/2011 20:16:33mbam-log-2011-12-18 (20-16-33).txtScan type: Full scan (C:\|)Objects scanned: 334612Time elapsed: 25 minute(s), 10 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 10Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 29Files Infected: 86Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_CLASSES_ROOT\CLSID\{597A9974-8CB0-4f41-B61F-ED065738A397} (PUP.RewardsArcade) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{25514C64-8321-494e-BD3E-3DBAB3F8CEBA} (PUP.RewardsArcade) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\TypeLib\{60BE6B2E-F2F5-4404-AA1E-4381D4A6EEA2} (PUP.RewardsArcade) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\Interface\{6427058B-217C-4C7F-A6CE-C7934C0BDCEB} (PUP.RewardsArcade) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\RewardsArcade.FBApi.1 (PUP.RewardsArcade) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\RewardsArcade.FBApi (PUP.RewardsArcade) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\RewardsArcade.BHO.1 (PUP.RewardsArcade) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{597A9974-8CB0-4F41-B61F-ED065738A397} (PUP.RewardsArcade) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{597A9974-8CB0-4F41-B61F-ED065738A397} (PUP.RewardsArcade) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RewardsArcade (PUP.RewardsArcade) -> Quarantined and deleted successfully.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:c:\program files (x86)\rewardsarcade (PUP.RewardsArcade) -> Delete on reboot.c:\Users\Harley\AppData\Local\rewardsarcade (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498 (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Chrome (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\lib (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\lib\facebox (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\lib\facebox\Images (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\defaults (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\defaults\preferences (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\locale (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\locale\en-US (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\skin (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498 (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Chrome (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\lib (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\lib\facebox (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\lib\facebox\Images (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\defaults (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\defaults\preferences (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\locale (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\locale\en-US (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\skin (PUP.RewardsArcade) -> Quarantined and deleted successfully.Files Infected:c:\program files (x86)\rewardsarcade\rewardsarcade.dll (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\program files (x86)\rewardsarcade\fb.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\program files (x86)\rewardsarcade\appapiinternalwrapper.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\program files (x86)\rewardsarcade\jquery.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\program files (x86)\rewardsarcade\json.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\program files (x86)\rewardsarcade\rewardsarcade.exe (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\program files (x86)\rewardsarcade\uninstall.exe (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\program files (x86)\rewardsarcade\userconfirmation.exe (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\uninstall.ico (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Chrome\rewardsarcade.crx (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome.manifest (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\install.rdf (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\background.html (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\browser.xul (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\crossrider.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\crossriderapi.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\manage-apps-style.css (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\manage-apps.html (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\messaging.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\options.xul (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\push.html (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\socialapi.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\update.html (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\utilityapi.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\workers_chain.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\lib\faye-browser-min.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\lib\jquery-1.4.2.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\lib\facebox\facebox.css (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\lib\facebox\facebox.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\lib\facebox\Images\b.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\lib\facebox\Images\bl.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\lib\facebox\Images\br.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\lib\facebox\Images\closelabel.gif (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\lib\facebox\Images\loading.gif (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\lib\facebox\Images\tl.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\chrome\content\lib\facebox\Images\tr.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\defaults\preferences\prefs.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\locale\en-US\translations.dtd (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\skin\button1.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\skin\button2.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\skin\button3.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\skin\button4.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\skin\button5.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\skin\crossrider_statusbar.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\skin\icon24.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\skin\skin.css (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\AppData\Local\rewardsarcade\498\Firefox\skin\update.css (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\uninstall.ico (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Chrome\rewardsarcade.crx (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome.manifest (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\install.rdf (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\background.html (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\browser.xul (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\crossrider.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\crossriderapi.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\manage-apps-style.css (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\manage-apps.html (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\messaging.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\options.xul (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\push.html (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\socialapi.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\update.html (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\utilityapi.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\workers_chain.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\lib\faye-browser-min.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\lib\jquery-1.4.2.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\lib\facebox\facebox.css (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\lib\facebox\facebox.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\lib\facebox\Images\b.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\lib\facebox\Images\bl.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\lib\facebox\Images\br.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\lib\facebox\Images\closelabel.gif (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\lib\facebox\Images\loading.gif (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\lib\facebox\Images\tl.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\chrome\content\lib\facebox\Images\tr.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\defaults\preferences\prefs.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\locale\en-US\translations.dtd (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\skin\button1.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\skin\button2.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\skin\button3.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\skin\button4.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\skin\button5.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\skin\crossrider_statusbar.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\skin\icon24.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\skin\skin.css (PUP.RewardsArcade) -> Quarantined and deleted successfully.c:\Users\Harley\local settings\application data\rewardsarcade\498\Firefox\skin\update.css (PUP.RewardsArcade) -> Quarantined and deleted successfully.---------------------------------Malwarebytes' Anti-Malware 1.51.2.1300www.malwarebytes.orgDatabase version: 8395Windows 6.0.6001 Service Pack 1Internet Explorer 8.0.6001.1899912/18/2011 22:04:52mbam-log-2011-12-18 (22-04-52).txtScan type: Quick scanObjects scanned: 170553Time elapsed: 1 minute(s), 25 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 1Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{597A9974-8CB0-4F41-B61F-ED065738A397} (PUP.RewardsArcade) -> Quarantined and deleted successfully.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)---------------------------------------07:57:12 Harley MESSAGE Protection started successfully07:57:15 Harley ERROR IP protection failed: FwpmEngineOpen0 failed with error code 175308:05:50 Harley MESSAGE Database updated successfully08:52:13 Harley MESSAGE Protection started successfully08:52:17 Harley ERROR IP protection failed: FwpmEngineOpen0 failed with error code 1753 Link to post Share on other sites More sharing options...
LDTate Posted December 20, 2011 ID:507076 Share Posted December 20, 2011 Thank you for those.Download and run the Trial version of Unhack mehttp://download.cnet.com/UnHackMe/3000-2239_4-68786.htmlLet me know if anything was fixed and how it's running. Link to post Share on other sites More sharing options...
MallBrat Posted December 20, 2011 Author ID:507140 Share Posted December 20, 2011 Thank you for your help LDTate. Downloaded and ran UnHackMe and it did not find any root issues. Pop up said "That's all right! There is no trojan found". So I did not have to go through the stop/start/removal proceedure. I did do a virus scan using unhackme and it came up clean. It created a Spyhole log using regrun and I suppose all is good there. I ran another MBAM quick scan and all looked good. I think I'm in the clear? Seems like it!Let me know if you think we're good and can close. Thanks! Link to post Share on other sites More sharing options...
LDTate Posted December 20, 2011 ID:507141 Share Posted December 20, 2011 Can you run a new DDS scan and post the results?I'm concerned about an item or two that was in your first scan Link to post Share on other sites More sharing options...
MallBrat Posted December 20, 2011 Author ID:507150 Share Posted December 20, 2011 .DDS (Ver_2011-08-26.01) - NTFSAMD64 Internet Explorer: 8.0.6001.19088Run by Harley at 14:03:06 on 2011-12-20Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.8190.6361 [GMT -8:00].SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}.============== Running Processes ===============.C:\Windows\system32\wininit.exeC:\Windows\system32\lsm.exeC:\Windows\system32\svchost.exe -k DcomLaunchC:\Windows\system32\nvvsvc.exeC:\Windows\system32\svchost.exe -k rpcssC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestrictedC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestrictedC:\Windows\system32\svchost.exe -k netsvcsC:\Windows\system32\svchost.exe -k GPSvcGroupC:\Windows\system32\SLsvc.exeC:\Windows\system32\svchost.exe -k LocalServiceC:\Windows\system32\svchost.exe -k NetworkServiceC:\Windows\System32\spoolsv.exeC:\Program Files\NVIDIA Corporation\Display\nvxdsync.exeC:\Windows\system32\nvvsvc.exeC:\Windows\system32\taskeng.exeC:\Windows\system32\Dwm.exeC:\Windows\system32\taskeng.exeC:\Windows\Explorer.EXEC:\Windows\ehome\ehtray.exeC:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeC:\Windows\ehome\ehmsas.exeC:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exeC:\Program Files\NVIDIA Corporation\Display\nvtray.exeC:\Program Files\SUPERAntiSpyware\SASCORE64.EXEC:\Windows\system32\agr64svc.exeC:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files (x86)\Bonjour\mDNSResponder.exeC:\Windows\System32\svchost.exe -k LocalServiceNoNetworkC:\Program Files\GATEWAY\Gateway Recovery Management\Service\ETService.exeC:\Windows\system32\svchost.exe -k imgsvcC:\Windows\System32\svchost.exe -k WerSvcGroupC:\Windows\system32\SearchIndexer.exeC:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exeC:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exeC:\Windows\system32\WUDFHost.exeC:\Windows\ehome\ehsched.exeC:\Program Files\Windows Media Player\wmpnscfg.exeC:\Program Files\Windows Media Player\wmpnetwk.exeC:\Windows\System32\mobsync.exeC:\Windows\ehome\ehRecvr.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exeC:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exeC:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exeC:\ProgramData\WeCareReminder\ReminderHelper.exeC:\Windows\splwow64.exeC:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exeC:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cscript.exeC:\Windows\system32\wbem\wmiprvse.exe.============== Pseudo HJT Report ===============.uStart Page = https://www.google.com/calendar/render?gsessionid=OKuDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=1208&m=lx6810-01mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=1208&m=lx6810-01mDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=1208&m=lx6810-01uURLSearchHooks: H - No FilemWinlogon: Userinit=userinit.exe,BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dllBHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dllBHO: WeCareReminder Class: {d824f0de-3d60-4f57-9eb1-66033ecd8abb} - C:\ProgramData\WeCareReminder\IEHelperv2.5.0.dllTB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dlluRun: [ehTray.exe] C:\Windows\ehome\ehTray.exeuRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"uRun: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exemRun: [eRecoveryService] mRun: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osbootmRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttrayStartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\PALOAL~1.LNK - C:\Windows\Installer\{6B2D979E-216D-43A4-BAE2-71A185922CA1}\NewShortcut1.BDD3527A_D6D6_4DD6_AEAD_6B5236DA8F67.exeuPolicies-explorer: HideSCAHealth = 1 (0x1)mPolicies-explorer: NoActiveDesktop = 1 (0x1)mPolicies-system: EnableLUA = 0 (0x0)mPolicies-system: EnableUIADesktopToggle = 0 (0x0)IE: Add to &Evernote - C:\Program Files (x86)\Evernote\Evernote3.5\enbar.dll/2000IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000LSP: mswsock.dllDPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cabDPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cabTCP: DhcpNameServer = 192.168.1.1TCP: Interfaces\{1382C867-F693-43B0-A71F-1B14D6A9E1E6} : DhcpNameServer = 192.168.1.1BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dllBHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dllBHO-X64: WeCareReminder Class: {D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} - C:\ProgramData\WeCareReminder\IEHelperv2.5.0.dllBHO-X64: WeCareReminder - No FileTB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dllmRun-x64: [eRecoveryService] mRun-x64: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osbootmRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray.============= SERVICES / DRIVERS ===============.R0 nvamacpi;Nvidia Away Mode System;C:\Windows\system32\DRIVERS\NVAMACPI.sys --> C:\Windows\system32\DRIVERS\NVAMACPI.sys [?]R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-8-11 140672]R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]R2 ETService;Empowering Technology Service;C:\Program Files\GATEWAY\Gateway Recovery Management\Service\ETService.exe [2008-12-19 24576]R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-17 366152]R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-12-20 2214504]R3 AVer88xHD;AVerMedia 23888 AvStream Video Capture;C:\Windows\system32\drivers\AVer88xHD64.sys --> C:\Windows\system32\drivers\AVer88xHD64.sys [?]R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RTS5121.sys --> C:\Windows\system32\Drivers\RTS5121.sys [?]S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-1-31 135664]S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-1-31 135664]S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;C:\Windows\system32\DRIVERS\WPN111vx.sys --> C:\Windows\system32\DRIVERS\WPN111vx.sys [?]S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-3-1 93184].=============== File Associations ===============.JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*.=============== Created Last 30 ================.2011-12-20 21:16:50 2 --shatr- C:\Windows\winstart.bat2011-12-20 21:16:45 -------- d-----w- C:\Program Files (x86)\UnHackMe2011-12-20 21:15:36 -------- d-----w- C:\ProgramData\WeCareReminder2011-12-20 17:17:29 -------- d-----w- C:\Program Files (x86)\NVIDIA Corporation2011-12-20 17:17:21 739432 ----a-w- C:\Windows\System32\easyupdatusapiu64.dll2011-12-20 17:17:21 61544 ----a-w- C:\Windows\System32\nvshext.dll2011-12-20 17:17:21 117864 ----a-w- C:\Windows\System32\nvmctray.dll2011-12-20 17:17:18 758272 ----a-w- C:\Windows\System32\cohelper.dll2011-12-20 17:15:52 -------- d-----w- C:\ProgramData\NVIDIA Corporation2011-12-20 16:13:48 -------- d-----w- C:\Program Files (x86)\MSXML 4.02011-12-20 16:02:39 2762240 ----a-w- C:\Windows\System32\win32k.sys2011-12-20 16:02:37 176128 ----a-w- C:\Windows\System32\drivers\srv2.sys2011-12-20 16:02:37 144896 ----a-w- C:\Windows\System32\drivers\srvnet.sys2011-12-20 16:02:31 28160 ----a-w- C:\Windows\System32\drivers\en-US\http.sys.mui2011-12-20 16:00:58 758784 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\vgx\VGX.dll2011-12-20 16:00:58 1027584 ----a-w- C:\Program Files\Common Files\Microsoft Shared\vgx\VGX.dll2011-12-20 16:00:55 990096 ----a-w- C:\Windows\System32\winresume.efi2011-12-20 16:00:55 979344 ----a-w- C:\Windows\System32\winresume.exe2011-12-20 16:00:55 18832 ----a-w- C:\Windows\System32\kd1394.dll2011-12-20 16:00:55 18320 ----a-w- C:\Windows\System32\kdcom.dll2011-12-20 16:00:55 1075600 ----a-w- C:\Windows\System32\winload.efi2011-12-20 16:00:55 1062800 ----a-w- C:\Windows\System32\winload.exe2011-12-20 16:00:54 20880 ----a-w- C:\Windows\System32\kdusb.dll2011-12-20 06:13:46 4692368 ----a-w- C:\Windows\System32\ntoskrnl.exe2011-12-20 06:13:45 48128 ----a-w- C:\Windows\System32\atmlib.dll2011-12-20 06:13:45 367616 ----a-w- C:\Windows\System32\atmfd.dll2011-12-20 06:13:45 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll2011-12-20 06:13:45 292864 ----a-w- C:\Windows\SysWow64\atmfd.dll2011-12-20 06:13:45 1560960 ----a-w- C:\Windows\System32\ntdll.dll2011-12-20 06:13:45 1167488 ----a-w- C:\Windows\SysWow64\ntdll.dll2011-12-20 06:13:44 28672 ----a-w- C:\Windows\System32\dnscacheugc.exe2011-12-20 06:13:44 25088 ----a-w- C:\Windows\SysWow64\dnscacheugc.exe2011-12-20 06:13:44 117760 ----a-w- C:\Windows\System32\dnsrslvr.dll2011-12-20 06:12:05 4240384 ----a-w- C:\Windows\SysWow64\GameUXLegacyGDFs.dll2011-12-20 06:12:05 32256 ----a-w- C:\Windows\System32\Apphlpdm.dll2011-12-20 06:12:05 28672 ----a-w- C:\Windows\SysWow64\Apphlpdm.dll2011-12-20 06:12:04 4240384 ----a-w- C:\Windows\System32\GameUXLegacyGDFs.dll2011-12-20 06:09:14 975360 ----a-w- C:\Windows\System32\inetcomm.dll2011-12-20 06:09:14 738816 ----a-w- C:\Windows\SysWow64\inetcomm.dll2011-12-20 06:09:13 1398784 ----a-w- C:\Windows\System32\mfc42.dll2011-12-20 06:09:13 1360384 ----a-w- C:\Windows\System32\mfc42u.dll2011-12-20 06:09:13 1161728 ----a-w- C:\Windows\SysWow64\mfc42u.dll2011-12-20 06:09:13 1136640 ----a-w- C:\Windows\SysWow64\mfc42.dll2011-12-20 06:09:12 344576 ----a-w- C:\Windows\System32\schannel.dll2011-12-20 06:09:12 276992 ----a-w- C:\Windows\SysWow64\schannel.dll2011-12-20 06:09:07 85504 ----a-w- C:\Windows\System32\csrsrv.dll2011-12-20 06:09:07 450048 ----a-w- C:\Windows\System32\winsrv.dll2011-12-20 06:09:06 97792 ----a-w- C:\Windows\System32\drivers\dfsc.sys2011-12-19 19:47:46 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl2011-12-19 04:31:22 -------- d-----w- C:\Users\Harley\AppData\Roaming\SUPERAntiSpyware.com2011-12-19 04:30:47 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com2011-12-19 04:30:47 -------- d-----w- C:\Program Files\SUPERAntiSpyware2011-12-19 03:25:17 -------- d-----w- C:\Users\Harley\AppData\Roaming\Systweak2011-12-19 03:25:16 18816 ----a-w- C:\Windows\System32\roboot64.exe2011-12-18 23:46:05 -------- d-----w- C:\ProgramData\PC Tools2011-12-17 19:43:16 -------- d-----w- C:\Users\Harley\AppData\Roaming\Malwarebytes2011-12-17 19:42:47 -------- d-----w- C:\ProgramData\Malwarebytes2011-12-17 19:42:43 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys2011-12-17 19:42:43 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware2011-12-16 18:59:42 -------- d-----we C:\Windows\system642011-12-14 04:11:44 677136 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll.==================== Find3M ====================.2011-09-24 14:42:25 1393736 ----a-w- C:\Users\Harley\gotomypc_626.exe.============= FINISH: 14:03:41.10 =============== Link to post Share on other sites More sharing options...
LDTate Posted December 20, 2011 ID:507151 Share Posted December 20, 2011 LSP: mswsock.dllYou're still infected with a BackDoor infectionPlease do not attach the scan results from Combofx. Use copy/paste.Vista and Windows 7 users:1. These tools MUST be run from the executable. (.exe) every time you run them 2. With Admin Rights (Right click, choose "Run as Administrator")Download ComboFix from one of these locations:Link 1Link 2 If using this link, Right Click and select Save As.* IMPORTANT !!! Save ComboFix.exe to your DesktopDisable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective ProgramsDouble click on ComboFix.exe & follow the prompts.Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7. Note: If you have XP SP3, use the XP SP2 package.If Vista or Windows 7, skip the Recovery Console partAs part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:Click on Yes, to continue scanning for malware.When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.Notes:1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper. 4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.Give it atleast 20-30 minutes to finish if needed.Please do not attach the scan results from Combofx. Use copy/paste.Also please describe how your computer behaves at the moment. Link to post Share on other sites More sharing options...
MallBrat Posted December 20, 2011 Author ID:507166 Share Posted December 20, 2011 Using either Link 1 or Link 2, I save to my desktop. I then click the icon to open and get a combofix popup that says:-----------------------------------------This operating system is not supported!ComboFix only runs on:*Windows XP (32 bit)*Windows Vista (32/64 bit)*Windows 7 (32/64 bit)Windows 2000 is no longer supported. -----------------------------------------I'm running Windows Vista so something's wrong. Link to post Share on other sites More sharing options...
LDTate Posted December 20, 2011 ID:507168 Share Posted December 20, 2011 Delete the combofix from the desktop and try this.Be sure to rename it before saving.Download Combofix from any of the links below but rename it to Iexplorer.com before saving it to your desktop. * IMPORTANT !!! Save Iexplorer.com to your DesktopLink 1Link 2<--Right Click and use Save As if using this link.Double click on the Iexplorer.com ComboFix.exe & follow the prompts. When finished, it will produce a report for you. Please post the C:\ComboFix.txt so we can continue cleaning the system. Link to post Share on other sites More sharing options...
MallBrat Posted December 20, 2011 Author ID:507180 Share Posted December 20, 2011 ComboFix 11-12-20.04 - Harley 12/20/2011 14:57:38.1.4 - x64Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.8190.6522 [GMT -8:00]Running from: c:\users\Harley\Desktop\Iexplorer.comSP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}..((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))..C:\Imagesc:\images\DirCfg.inic:\windows\iun6002.exe..((((((((((((((((((((((((( Files Created from 2011-11-20 to 2011-12-20 )))))))))))))))))))))))))))))))..2011-12-20 23:07 . 2011-12-20 23:07 -------- d-----w- c:\users\Default\AppData\Local\temp2011-12-20 21:16 . 2011-12-20 21:16 2 --shatr- c:\windows\winstart.bat2011-12-20 21:16 . 2011-12-20 21:28 -------- d-----w- c:\program files (x86)\UnHackMe2011-12-20 21:15 . 2011-12-20 21:15 -------- d-----w- c:\programdata\WeCareReminder2011-12-20 17:17 . 2011-12-20 17:17 -------- d-----w- c:\users\UpdatusUser2011-12-20 17:17 . 2011-12-20 17:17 -------- d-----w- c:\program files (x86)\NVIDIA Corporation2011-12-20 17:17 . 2011-05-21 14:01 739432 ----a-w- c:\windows\system32\easyupdatusapiu64.dll2011-12-20 17:17 . 2011-05-21 14:01 61544 ----a-w- c:\windows\system32\nvshext.dll2011-12-20 17:17 . 2011-05-21 14:01 117864 ----a-w- c:\windows\system32\nvmctray.dll2011-12-20 17:17 . 2010-08-12 19:46 758272 ----a-w- c:\windows\system32\cohelper.dll2011-12-20 17:15 . 2011-12-20 17:15 -------- d-----w- c:\programdata\NVIDIA Corporation2011-12-20 16:13 . 2011-12-20 16:13 -------- d-----w- c:\program files (x86)\MSXML 4.02011-12-20 16:02 . 2011-06-02 13:22 2762240 ----a-w- c:\windows\system32\win32k.sys2011-12-20 16:02 . 2011-04-29 13:12 176128 ----a-w- c:\windows\system32\drivers\srv2.sys2011-12-20 16:02 . 2011-04-29 13:12 144896 ----a-w- c:\windows\system32\drivers\srvnet.sys2011-12-20 16:02 . 2009-11-03 22:42 28160 ----a-w- c:\windows\system32\drivers\en-US\http.sys.mui2011-12-20 16:00 . 2011-04-30 06:22 1027584 ----a-w- c:\program files\Common Files\Microsoft Shared\vgx\VGX.dll2011-12-20 16:00 . 2011-04-30 06:09 758784 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\vgx\VGX.dll2011-12-20 16:00 . 2011-02-27 15:53 18320 ----a-w- c:\windows\system32\kdcom.dll2011-12-20 16:00 . 2011-02-27 15:53 1075600 ----a-w- c:\windows\system32\winload.efi2011-12-20 16:00 . 2011-02-27 15:53 990096 ----a-w- c:\windows\system32\winresume.efi2011-12-20 16:00 . 2011-02-27 15:53 979344 ----a-w- c:\windows\system32\winresume.exe2011-12-20 16:00 . 2011-02-27 15:53 18832 ----a-w- c:\windows\system32\kd1394.dll2011-12-20 16:00 . 2011-02-27 15:53 1062800 ----a-w- c:\windows\system32\winload.exe2011-12-20 16:00 . 2011-02-27 15:53 20880 ----a-w- c:\windows\system32\kdusb.dll2011-12-20 06:13 . 2010-10-15 14:02 4692368 ----a-w- c:\windows\system32\ntoskrnl.exe2011-12-20 06:13 . 2011-02-16 15:36 48128 ----a-w- c:\windows\system32\atmlib.dll2011-12-20 06:13 . 2011-02-16 15:29 34304 ----a-w- c:\windows\SysWow64\atmlib.dll2011-12-20 06:13 . 2011-02-16 13:44 367616 ----a-w- c:\windows\system32\atmfd.dll2011-12-20 06:13 . 2011-02-16 13:24 292864 ----a-w- c:\windows\SysWow64\atmfd.dll2011-12-20 06:13 . 2010-10-15 13:43 1167488 ----a-w- c:\windows\SysWow64\ntdll.dll2011-12-20 06:13 . 2010-10-15 13:43 1560960 ----a-w- c:\windows\system32\ntdll.dll2011-12-20 06:13 . 2011-03-02 15:10 117760 ----a-w- c:\windows\system32\dnsrslvr.dll2011-12-20 06:13 . 2009-05-04 10:38 28672 ----a-w- c:\windows\system32\dnscacheugc.exe2011-12-20 06:13 . 2009-05-04 10:11 25088 ----a-w- c:\windows\SysWow64\dnscacheugc.exe2011-12-20 06:12 . 2011-03-03 15:06 32256 ----a-w- c:\windows\system32\Apphlpdm.dll2011-12-20 06:12 . 2011-03-03 14:56 28672 ----a-w- c:\windows\SysWow64\Apphlpdm.dll2011-12-20 06:12 . 2011-03-03 13:01 4240384 ----a-w- c:\windows\SysWow64\GameUXLegacyGDFs.dll2011-12-20 06:12 . 2011-03-03 13:25 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll2011-12-20 06:09 . 2011-05-02 16:35 975360 ----a-w- c:\windows\system32\inetcomm.dll2011-12-20 06:09 . 2011-05-02 15:58 738816 ----a-w- c:\windows\SysWow64\inetcomm.dll2011-12-20 06:09 . 2011-03-10 16:30 1360384 ----a-w- c:\windows\system32\mfc42u.dll2011-12-20 06:09 . 2011-03-10 16:30 1398784 ----a-w- c:\windows\system32\mfc42.dll2011-12-20 06:09 . 2011-03-10 16:12 1161728 ----a-w- c:\windows\SysWow64\mfc42u.dll2011-12-20 06:09 . 2011-03-10 16:12 1136640 ----a-w- c:\windows\SysWow64\mfc42.dll2011-12-20 06:09 . 2011-04-29 15:25 344576 ----a-w- c:\windows\system32\schannel.dll2011-12-20 06:09 . 2011-04-29 14:54 276992 ----a-w- c:\windows\SysWow64\schannel.dll2011-12-20 06:09 . 2011-04-20 15:16 450048 ----a-w- c:\windows\system32\winsrv.dll2011-12-20 06:09 . 2011-04-20 15:11 85504 ----a-w- c:\windows\system32\csrsrv.dll2011-12-20 06:09 . 2011-04-14 14:45 97792 ----a-w- c:\windows\system32\drivers\dfsc.sys2011-12-19 19:47 . 2011-12-19 19:47 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl2011-12-19 04:31 . 2011-12-19 04:31 -------- d-----w- c:\users\Harley\AppData\Roaming\SUPERAntiSpyware.com2011-12-19 04:30 . 2011-12-19 04:31 -------- d-----w- c:\program files\SUPERAntiSpyware2011-12-19 04:30 . 2011-12-19 04:30 -------- d-----w- c:\programdata\SUPERAntiSpyware.com2011-12-19 03:25 . 2011-12-19 04:48 -------- d-----w- c:\users\Harley\AppData\Roaming\Systweak2011-12-19 03:25 . 2011-07-07 21:26 18816 ----a-w- c:\windows\system32\roboot64.exe2011-12-18 23:46 . 2011-12-19 00:54 -------- d-----w- c:\programdata\PC Tools2011-12-17 19:43 . 2011-12-17 19:43 -------- d-----w- c:\users\Harley\AppData\Roaming\Malwarebytes2011-12-17 19:42 . 2011-12-17 19:42 -------- d-----w- c:\programdata\Malwarebytes2011-12-17 19:42 . 2011-12-17 19:42 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware2011-12-17 19:42 . 2011-09-01 01:00 25416 ----a-w- c:\windows\system32\drivers\mbam.sys2011-12-16 18:59 . 2011-12-16 18:59 -------- d-----we c:\windows\system642011-12-14 04:11 . 2011-12-14 04:11 677136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll...(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2011-09-24 14:42 . 2011-09-24 14:42 1393736 ----a-w- c:\users\Harley\gotomypc_626.exe..((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4.[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-01 68856]"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-12-09 5486464].[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]"TkBellExe"="c:\program files (x86)\Common Files\Real\Update_OB\realsched.exe" [2009-09-02 198160]"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-09-01 449608].c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Palo Alto Software Update Manager 9.0.lnk - c:\windows\Installer\{6B2D979E-216D-43A4-BAE2-71A185922CA1}\NewShortcut1.BDD3527A_D6D6_4DD6_AEAD_6B5236DA8F67.exe [2011-8-15 45056].[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]"EnableLUA"= 0 (0x0)"EnableUIADesktopToggle"= 0 (0x0).[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]@="".R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-31 135664]R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-31 135664]R3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\DRIVERS\WPN111vx.sys [x]S0 nvamacpi;Nvidia Away Mode System;c:\windows\system32\DRIVERS\NVAMACPI.sys [x]S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]S2 ETService;Empowering Technology Service;c:\program files\GATEWAY\Gateway Recovery Management\Service\ETService.exe [2008-06-11 24576]S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-09-01 366152]S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-05-21 2214504]S3 AVer88xHD;AVerMedia 23888 AvStream Video Capture;c:\windows\system32\drivers\AVer88xHD64.sys [x]S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RTS5121.sys [x]..Contents of the 'Scheduled Tasks' folder.2011-12-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-31 17:41].2011-12-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-31 17:41].2011-12-20 c:\windows\Tasks\User_Feed_Synchronization-{EDDC0795-DC79-44F1-AF35-1400D1E03959}.job- c:\windows\system32\msfeedssync.exe [2011-12-20 04:32]..--------- x86-64 -----------..[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]"LoadAppInit_DLLs"=0x0.------- Supplementary Scan -------.uStart Page = https://www.google.com/calendar/render?gsessionid=OKuLocal Page = c:\windows\system32\blank.htmmStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=1208&m=lx6810-01mLocal Page = c:\windows\SysWOW64\blank.htmIE: Add to &Evernote - c:\program files (x86)\Evernote\Evernote3.5\enbar.dll/2000IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000TCP: DhcpNameServer = 192.168.1.1CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll.- - - - ORPHANS REMOVED - - - -.Wow6432Node-HKLM-Run-eRecoveryService - (no file)AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe...--------------------- LOCKED REGISTRY KEYS ---------------------.[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]@Denied: (A 2) (Everyone)@="FlashBroker""LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]"Enabled"=dword:00000001.[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]@Denied: (A 2) (Everyone)@="Shockwave Flash Object".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx""ThreadingModel"="Apartment".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]@="0".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]@="ShockwaveFlash.ShockwaveFlash.10".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]@="{D27CDB6B-AE6D-11cf-96B8-444553540000}".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]@="1.0".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]@="ShockwaveFlash.ShockwaveFlash".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]@Denied: (A 2) (Everyone)@="Macromedia Flash Factory Object".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx""ThreadingModel"="Apartment".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]@="FlashFactory.FlashFactory.1".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]@="{D27CDB6B-AE6D-11cf-96B8-444553540000}".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]@="1.0".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]@="FlashFactory.FlashFactory".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]@Denied: (A 2) (Everyone)@="IFlashBroker4".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]@="{00020424-0000-0000-C000-000000000046}".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}""Version"="1.0".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]@Denied: (A 2) (Everyone).[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]@="Shockwave Flash".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]@Denied: (A 2) (Everyone)@="".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]@="FlashBroker".[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59, 00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\.[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]@Denied: (A) (Users)@Denied: (A) (Everyone)@Allowed: (B 1 2 3 4 5) (S-1-5-20)"BlindDial"=dword:00000000"MSCurrentCountry"=dword:000000b5.------------------------ Other Running Processes ------------------------.c:\program files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exec:\program files (x86)\Bonjour\mDNSResponder.exe.**************************************************************************.Completion time: 2011-12-20 15:14:08 - machine was rebootedComboFix-quarantined-files.txt 2011-12-20 23:14.Pre-Run: 469,976,641,536 bytes freePost-Run: 469,860,818,944 bytes free.- - End Of File - - D662CB1B5771BB3249CFC8E34EE19F9B Link to post Share on other sites More sharing options...
LDTate Posted December 20, 2011 ID:507187 Share Posted December 20, 2011 How's it running? Link to post Share on other sites More sharing options...
MallBrat Posted December 20, 2011 Author ID:507189 Share Posted December 20, 2011 ComboFox did need to be renamed (to Iexplorer) in order for me to execute.Pasted below is most recent DDS. Appears that rogue LSP (Layered Service Provider) is gone. Machine is running nice. Can you tell from report if anything else occured and if I'm good? Curious if ComboFox also removed anything else nasty, organized, cleaned up, etc. Thank you Sir Larry!------------------------------------------------------------.DDS (Ver_2011-08-26.01) - NTFSAMD64 Internet Explorer: 8.0.6001.19088Run by Harley at 15:24:51 on 2011-12-20Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.8190.6500 [GMT -8:00].SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}.============== Running Processes ===============.C:\Windows\system32\wininit.exeC:\Windows\system32\lsm.exeC:\Windows\system32\svchost.exe -k DcomLaunchC:\Windows\system32\nvvsvc.exeC:\Windows\system32\svchost.exe -k rpcssC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestrictedC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestrictedC:\Windows\system32\svchost.exe -k netsvcsC:\Windows\system32\svchost.exe -k GPSvcGroupC:\Windows\system32\SLsvc.exeC:\Windows\system32\svchost.exe -k LocalServiceC:\Windows\system32\svchost.exe -k NetworkServiceC:\Windows\System32\spoolsv.exeC:\Windows\system32\Dwm.exeC:\Windows\Explorer.EXEC:\Program Files\NVIDIA Corporation\Display\nvxdsync.exeC:\Windows\system32\nvvsvc.exeC:\Program Files\SUPERAntiSpyware\SASCORE64.EXEC:\Windows\system32\agr64svc.exeC:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Windows\system32\taskeng.exeC:\Program Files (x86)\Bonjour\mDNSResponder.exeC:\Windows\System32\svchost.exe -k LocalServiceNoNetworkC:\Program Files\GATEWAY\Gateway Recovery Management\Service\ETService.exeC:\Windows\system32\taskeng.exeC:\Windows\system32\svchost.exe -k imgsvcC:\Windows\System32\svchost.exe -k WerSvcGroupC:\Windows\system32\SearchIndexer.exeC:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exeC:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exeC:\Windows\system32\WUDFHost.exeC:\Windows\ehome\ehtray.exeC:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeC:\Windows\ehome\ehmsas.exeC:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exeC:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exeC:\Windows\ehome\ehsched.exeC:\Program Files\NVIDIA Corporation\Display\nvtray.exeC:\Windows\ehome\ehRecvr.exeC:\Program Files\Windows Media Player\wmpnscfg.exeC:\Program Files\Windows Media Player\wmpnetwk.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exeC:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exeC:\Windows\system32\notepad.exeC:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exeC:\Windows\system32\taskeng.exeC:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cscript.exeC:\Windows\system32\wbem\wmiprvse.exe.============== Pseudo HJT Report ===============.uStart Page = https://www.google.com/calendar/render?gsessionid=OKmStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=1208&m=lx6810-01uURLSearchHooks: H - No FileBHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dllBHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dllBHO: WeCareReminder Class: {d824f0de-3d60-4f57-9eb1-66033ecd8abb} - C:\ProgramData\WeCareReminder\IEHelperv2.5.0.dllTB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dlluRun: [ehTray.exe] C:\Windows\ehome\ehTray.exeuRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"uRun: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exemRun: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osbootmRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttrayStartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\PALOAL~1.LNK - C:\Windows\Installer\{6B2D979E-216D-43A4-BAE2-71A185922CA1}\NewShortcut1.BDD3527A_D6D6_4DD6_AEAD_6B5236DA8F67.exemPolicies-system: EnableLUA = 0 (0x0)mPolicies-system: EnableUIADesktopToggle = 0 (0x0)IE: Add to &Evernote - C:\Program Files (x86)\Evernote\Evernote3.5\enbar.dll/2000IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cabDPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cabTCP: DhcpNameServer = 192.168.1.1TCP: Interfaces\{1382C867-F693-43B0-A71F-1B14D6A9E1E6} : DhcpNameServer = 192.168.1.1BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dllBHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dllBHO-X64: WeCareReminder Class: {D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} - C:\ProgramData\WeCareReminder\IEHelperv2.5.0.dllBHO-X64: WeCareReminder - No FileTB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dllmRun-x64: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osbootmRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray.============= SERVICES / DRIVERS ===============.R0 nvamacpi;Nvidia Away Mode System;C:\Windows\system32\DRIVERS\NVAMACPI.sys --> C:\Windows\system32\DRIVERS\NVAMACPI.sys [?]R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-8-11 140672]R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]R2 ETService;Empowering Technology Service;C:\Program Files\GATEWAY\Gateway Recovery Management\Service\ETService.exe [2008-12-19 24576]R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-17 366152]R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-12-20 2214504]R3 AVer88xHD;AVerMedia 23888 AvStream Video Capture;C:\Windows\system32\drivers\AVer88xHD64.sys --> C:\Windows\system32\drivers\AVer88xHD64.sys [?]R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RTS5121.sys --> C:\Windows\system32\Drivers\RTS5121.sys [?]S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-1-31 135664]S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-1-31 135664]S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;C:\Windows\system32\DRIVERS\WPN111vx.sys --> C:\Windows\system32\DRIVERS\WPN111vx.sys [?]S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-3-1 93184].=============== File Associations ===============.JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*.=============== Created Last 30 ================.2011-12-20 23:14:10 -------- d-----w- C:\Users\Harley\AppData\Local\temp2011-12-20 23:08:39 -------- d-----w- C:\$RECYCLE.BIN2011-12-20 22:56:37 98816 ----a-w- C:\Windows\sed.exe2011-12-20 22:56:37 518144 ----a-w- C:\Windows\SWREG.exe2011-12-20 22:56:37 256000 ----a-w- C:\Windows\PEV.exe2011-12-20 22:56:37 208896 ----a-w- C:\Windows\MBR.exe2011-12-20 21:16:50 2 --shatr- C:\Windows\winstart.bat2011-12-20 21:16:45 -------- d-----w- C:\Program Files (x86)\UnHackMe2011-12-20 21:15:36 -------- d-----w- C:\ProgramData\WeCareReminder2011-12-20 17:17:29 -------- d-----w- C:\Program Files (x86)\NVIDIA Corporation2011-12-20 17:17:21 739432 ----a-w- C:\Windows\System32\easyupdatusapiu64.dll2011-12-20 17:17:21 61544 ----a-w- C:\Windows\System32\nvshext.dll2011-12-20 17:17:21 117864 ----a-w- C:\Windows\System32\nvmctray.dll2011-12-20 17:17:18 758272 ----a-w- C:\Windows\System32\cohelper.dll2011-12-20 17:15:52 -------- d-----w- C:\ProgramData\NVIDIA Corporation2011-12-20 16:13:48 -------- d-----w- C:\Program Files (x86)\MSXML 4.02011-12-20 16:02:39 2762240 ----a-w- C:\Windows\System32\win32k.sys2011-12-20 16:02:37 176128 ----a-w- C:\Windows\System32\drivers\srv2.sys2011-12-20 16:02:37 144896 ----a-w- C:\Windows\System32\drivers\srvnet.sys2011-12-20 16:02:31 28160 ----a-w- C:\Windows\System32\drivers\en-US\http.sys.mui2011-12-20 16:00:58 758784 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\vgx\VGX.dll2011-12-20 16:00:58 1027584 ----a-w- C:\Program Files\Common Files\Microsoft Shared\vgx\VGX.dll2011-12-20 16:00:55 990096 ----a-w- C:\Windows\System32\winresume.efi2011-12-20 16:00:55 979344 ----a-w- C:\Windows\System32\winresume.exe2011-12-20 16:00:55 18832 ----a-w- C:\Windows\System32\kd1394.dll2011-12-20 16:00:55 18320 ----a-w- C:\Windows\System32\kdcom.dll2011-12-20 16:00:55 1075600 ----a-w- C:\Windows\System32\winload.efi2011-12-20 16:00:55 1062800 ----a-w- C:\Windows\System32\winload.exe2011-12-20 16:00:54 20880 ----a-w- C:\Windows\System32\kdusb.dll2011-12-20 06:13:46 4692368 ----a-w- C:\Windows\System32\ntoskrnl.exe2011-12-20 06:13:45 48128 ----a-w- C:\Windows\System32\atmlib.dll2011-12-20 06:13:45 367616 ----a-w- C:\Windows\System32\atmfd.dll2011-12-20 06:13:45 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll2011-12-20 06:13:45 292864 ----a-w- C:\Windows\SysWow64\atmfd.dll2011-12-20 06:13:45 1560960 ----a-w- C:\Windows\System32\ntdll.dll2011-12-20 06:13:45 1167488 ----a-w- C:\Windows\SysWow64\ntdll.dll2011-12-20 06:13:44 28672 ----a-w- C:\Windows\System32\dnscacheugc.exe2011-12-20 06:13:44 25088 ----a-w- C:\Windows\SysWow64\dnscacheugc.exe2011-12-20 06:13:44 117760 ----a-w- C:\Windows\System32\dnsrslvr.dll2011-12-20 06:12:05 4240384 ----a-w- C:\Windows\SysWow64\GameUXLegacyGDFs.dll2011-12-20 06:12:05 32256 ----a-w- C:\Windows\System32\Apphlpdm.dll2011-12-20 06:12:05 28672 ----a-w- C:\Windows\SysWow64\Apphlpdm.dll2011-12-20 06:12:04 4240384 ----a-w- C:\Windows\System32\GameUXLegacyGDFs.dll2011-12-20 06:09:14 975360 ----a-w- C:\Windows\System32\inetcomm.dll2011-12-20 06:09:14 738816 ----a-w- C:\Windows\SysWow64\inetcomm.dll2011-12-20 06:09:13 1398784 ----a-w- C:\Windows\System32\mfc42.dll2011-12-20 06:09:13 1360384 ----a-w- C:\Windows\System32\mfc42u.dll2011-12-20 06:09:13 1161728 ----a-w- C:\Windows\SysWow64\mfc42u.dll2011-12-20 06:09:13 1136640 ----a-w- C:\Windows\SysWow64\mfc42.dll2011-12-20 06:09:12 344576 ----a-w- C:\Windows\System32\schannel.dll2011-12-20 06:09:12 276992 ----a-w- C:\Windows\SysWow64\schannel.dll2011-12-20 06:09:07 85504 ----a-w- C:\Windows\System32\csrsrv.dll2011-12-20 06:09:07 450048 ----a-w- C:\Windows\System32\winsrv.dll2011-12-20 06:09:06 97792 ----a-w- C:\Windows\System32\drivers\dfsc.sys2011-12-19 19:47:46 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl2011-12-19 04:31:22 -------- d-----w- C:\Users\Harley\AppData\Roaming\SUPERAntiSpyware.com2011-12-19 04:30:47 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com2011-12-19 04:30:47 -------- d-----w- C:\Program Files\SUPERAntiSpyware2011-12-19 03:25:17 -------- d-----w- C:\Users\Harley\AppData\Roaming\Systweak2011-12-19 03:25:16 18816 ----a-w- C:\Windows\System32\roboot64.exe2011-12-18 23:46:05 -------- d-----w- C:\ProgramData\PC Tools2011-12-17 19:43:16 -------- d-----w- C:\Users\Harley\AppData\Roaming\Malwarebytes2011-12-17 19:42:47 -------- d-----w- C:\ProgramData\Malwarebytes2011-12-17 19:42:43 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys2011-12-17 19:42:43 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware2011-12-16 18:59:42 -------- d-----we C:\Windows\system642011-12-14 04:11:44 677136 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll.==================== Find3M ====================.2011-09-24 14:42:25 1393736 ----a-w- C:\Users\Harley\gotomypc_626.exe.============= FINISH: 15:25:19.25 =============== Link to post Share on other sites More sharing options...
LDTate Posted December 20, 2011 ID:507193 Share Posted December 20, 2011 I can't tell what all combofix removed. Rename Iexplorer.com to combofix.exe then do this.Good job The following will implement some cleanup procedures as well as reset System Restore points:For XP: Click START run Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.For Vista / Windows 7 Click START Search Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.If you used DeFoggerTo re-enable your Emulation drivers, double click DeFogger to run the tool. The application window will appear Click the Re-enable button to re-enable your CD Emulation drivers Click Yes to continue A 'Finished!' message will appear Click OK DeFogger will now ask to reboot the machine - click OKIMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.Your Emulation drivers are now re-enabled.Here's my usual all clean postTo be on the safe side, I would also change all my passwords. This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.Log looks good Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week(Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.Use a Firewall - I can not stress how important it is that you use a Firewall on your computer.Without a firewall your computer is succeptible to being hacked and taken over.I am very serious about this and see it happen almost every day with my clients.Simply using a Firewall in its default configuration can lower your risk greatly.Using a secure browser plugin M86 SecureBrowsing makes it safe to search, surf and socialize online. This free browser plug-in displays security icons next to links on search engines and social networking sites like Facebook, Twitter and LinkedIn, so you'll know which pages are safe and which ones to avoid.•Free browser plug-in for Internet Explorer and Firefox•Real-time safety ratings•Ideal for Facebook, Twitter and LinkedIn JAVA Click this link and click on the Free JAVA DownloadVisit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.This will ensure your computer has always the latest security updates available installed on your computer.If there are new updates to install, install them immediately, reboot your computer, and revisit the siteuntil there are no more critical updates.Only run one Anti-Virus and Firewall program.I would suggest you read:PC Safety and Security--What Do I Need?.How to Prevent Malware:The full version of Malwarebytes' Anti-Malware could have helped protect your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & ServersMalware Execution PreventionSave yourself the hassle and get protected. Link to post Share on other sites More sharing options...
MallBrat Posted December 20, 2011 Author ID:507205 Share Posted December 20, 2011 Seems to be running smoothly. I did have to rename combofix and call it Iexplorer in order to get it to work on my computer.Here is the most recent DDS. Can you share thoughts on what's been removed (in gross). Do I look good to go?---------------------------------------------------------------------------------------.DDS (Ver_2011-08-26.01) - NTFSAMD64 Internet Explorer: 8.0.6001.19088Run by Harley at 15:24:51 on 2011-12-20Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.8190.6500 [GMT -8:00].SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}.============== Running Processes ===============.C:\Windows\system32\wininit.exeC:\Windows\system32\lsm.exeC:\Windows\system32\svchost.exe -k DcomLaunchC:\Windows\system32\nvvsvc.exeC:\Windows\system32\svchost.exe -k rpcssC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestrictedC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestrictedC:\Windows\system32\svchost.exe -k netsvcsC:\Windows\system32\svchost.exe -k GPSvcGroupC:\Windows\system32\SLsvc.exeC:\Windows\system32\svchost.exe -k LocalServiceC:\Windows\system32\svchost.exe -k NetworkServiceC:\Windows\System32\spoolsv.exeC:\Windows\system32\Dwm.exeC:\Windows\Explorer.EXEC:\Program Files\NVIDIA Corporation\Display\nvxdsync.exeC:\Windows\system32\nvvsvc.exeC:\Program Files\SUPERAntiSpyware\SASCORE64.EXEC:\Windows\system32\agr64svc.exeC:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Windows\system32\taskeng.exeC:\Program Files (x86)\Bonjour\mDNSResponder.exeC:\Windows\System32\svchost.exe -k LocalServiceNoNetworkC:\Program Files\GATEWAY\Gateway Recovery Management\Service\ETService.exeC:\Windows\system32\taskeng.exeC:\Windows\system32\svchost.exe -k imgsvcC:\Windows\System32\svchost.exe -k WerSvcGroupC:\Windows\system32\SearchIndexer.exeC:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exeC:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exeC:\Windows\system32\WUDFHost.exeC:\Windows\ehome\ehtray.exeC:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeC:\Windows\ehome\ehmsas.exeC:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exeC:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exeC:\Windows\ehome\ehsched.exeC:\Program Files\NVIDIA Corporation\Display\nvtray.exeC:\Windows\ehome\ehRecvr.exeC:\Program Files\Windows Media Player\wmpnscfg.exeC:\Program Files\Windows Media Player\wmpnetwk.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exeC:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exeC:\Windows\system32\notepad.exeC:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exeC:\Windows\system32\taskeng.exeC:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cscript.exeC:\Windows\system32\wbem\wmiprvse.exe.============== Pseudo HJT Report ===============.uStart Page = https://www.google.com/calendar/render?gsessionid=OKmStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=1208&m=lx6810-01uURLSearchHooks: H - No FileBHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dllBHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dllBHO: WeCareReminder Class: {d824f0de-3d60-4f57-9eb1-66033ecd8abb} - C:\ProgramData\WeCareReminder\IEHelperv2.5.0.dllTB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dlluRun: [ehTray.exe] C:\Windows\ehome\ehTray.exeuRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"uRun: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exemRun: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osbootmRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttrayStartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\PALOAL~1.LNK - C:\Windows\Installer\{6B2D979E-216D-43A4-BAE2-71A185922CA1}\NewShortcut1.BDD3527A_D6D6_4DD6_AEAD_6B5236DA8F67.exemPolicies-system: EnableLUA = 0 (0x0)mPolicies-system: EnableUIADesktopToggle = 0 (0x0)IE: Add to &Evernote - C:\Program Files (x86)\Evernote\Evernote3.5\enbar.dll/2000IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cabDPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cabTCP: DhcpNameServer = 192.168.1.1TCP: Interfaces\{1382C867-F693-43B0-A71F-1B14D6A9E1E6} : DhcpNameServer = 192.168.1.1BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dllBHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dllBHO-X64: WeCareReminder Class: {D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} - C:\ProgramData\WeCareReminder\IEHelperv2.5.0.dllBHO-X64: WeCareReminder - No FileTB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dllmRun-x64: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osbootmRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray.============= SERVICES / DRIVERS ===============.R0 nvamacpi;Nvidia Away Mode System;C:\Windows\system32\DRIVERS\NVAMACPI.sys --> C:\Windows\system32\DRIVERS\NVAMACPI.sys [?]R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-8-11 140672]R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]R2 ETService;Empowering Technology Service;C:\Program Files\GATEWAY\Gateway Recovery Management\Service\ETService.exe [2008-12-19 24576]R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-17 366152]R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-12-20 2214504]R3 AVer88xHD;AVerMedia 23888 AvStream Video Capture;C:\Windows\system32\drivers\AVer88xHD64.sys --> C:\Windows\system32\drivers\AVer88xHD64.sys [?]R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RTS5121.sys --> C:\Windows\system32\Drivers\RTS5121.sys [?]S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-1-31 135664]S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-1-31 135664]S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;C:\Windows\system32\DRIVERS\WPN111vx.sys --> C:\Windows\system32\DRIVERS\WPN111vx.sys [?]S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-3-1 93184].=============== File Associations ===============.JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*.=============== Created Last 30 ================.2011-12-20 23:14:10 -------- d-----w- C:\Users\Harley\AppData\Local\temp2011-12-20 23:08:39 -------- d-----w- C:\$RECYCLE.BIN2011-12-20 22:56:37 98816 ----a-w- C:\Windows\sed.exe2011-12-20 22:56:37 518144 ----a-w- C:\Windows\SWREG.exe2011-12-20 22:56:37 256000 ----a-w- C:\Windows\PEV.exe2011-12-20 22:56:37 208896 ----a-w- C:\Windows\MBR.exe2011-12-20 21:16:50 2 --shatr- C:\Windows\winstart.bat2011-12-20 21:16:45 -------- d-----w- C:\Program Files (x86)\UnHackMe2011-12-20 21:15:36 -------- d-----w- C:\ProgramData\WeCareReminder2011-12-20 17:17:29 -------- d-----w- C:\Program Files (x86)\NVIDIA Corporation2011-12-20 17:17:21 739432 ----a-w- C:\Windows\System32\easyupdatusapiu64.dll2011-12-20 17:17:21 61544 ----a-w- C:\Windows\System32\nvshext.dll2011-12-20 17:17:21 117864 ----a-w- C:\Windows\System32\nvmctray.dll2011-12-20 17:17:18 758272 ----a-w- C:\Windows\System32\cohelper.dll2011-12-20 17:15:52 -------- d-----w- C:\ProgramData\NVIDIA Corporation2011-12-20 16:13:48 -------- d-----w- C:\Program Files (x86)\MSXML 4.02011-12-20 16:02:39 2762240 ----a-w- C:\Windows\System32\win32k.sys2011-12-20 16:02:37 176128 ----a-w- C:\Windows\System32\drivers\srv2.sys2011-12-20 16:02:37 144896 ----a-w- C:\Windows\System32\drivers\srvnet.sys2011-12-20 16:02:31 28160 ----a-w- C:\Windows\System32\drivers\en-US\http.sys.mui2011-12-20 16:00:58 758784 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\vgx\VGX.dll2011-12-20 16:00:58 1027584 ----a-w- C:\Program Files\Common Files\Microsoft Shared\vgx\VGX.dll2011-12-20 16:00:55 990096 ----a-w- C:\Windows\System32\winresume.efi2011-12-20 16:00:55 979344 ----a-w- C:\Windows\System32\winresume.exe2011-12-20 16:00:55 18832 ----a-w- C:\Windows\System32\kd1394.dll2011-12-20 16:00:55 18320 ----a-w- C:\Windows\System32\kdcom.dll2011-12-20 16:00:55 1075600 ----a-w- C:\Windows\System32\winload.efi2011-12-20 16:00:55 1062800 ----a-w- C:\Windows\System32\winload.exe2011-12-20 16:00:54 20880 ----a-w- C:\Windows\System32\kdusb.dll2011-12-20 06:13:46 4692368 ----a-w- C:\Windows\System32\ntoskrnl.exe2011-12-20 06:13:45 48128 ----a-w- C:\Windows\System32\atmlib.dll2011-12-20 06:13:45 367616 ----a-w- C:\Windows\System32\atmfd.dll2011-12-20 06:13:45 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll2011-12-20 06:13:45 292864 ----a-w- C:\Windows\SysWow64\atmfd.dll2011-12-20 06:13:45 1560960 ----a-w- C:\Windows\System32\ntdll.dll2011-12-20 06:13:45 1167488 ----a-w- C:\Windows\SysWow64\ntdll.dll2011-12-20 06:13:44 28672 ----a-w- C:\Windows\System32\dnscacheugc.exe2011-12-20 06:13:44 25088 ----a-w- C:\Windows\SysWow64\dnscacheugc.exe2011-12-20 06:13:44 117760 ----a-w- C:\Windows\System32\dnsrslvr.dll2011-12-20 06:12:05 4240384 ----a-w- C:\Windows\SysWow64\GameUXLegacyGDFs.dll2011-12-20 06:12:05 32256 ----a-w- C:\Windows\System32\Apphlpdm.dll2011-12-20 06:12:05 28672 ----a-w- C:\Windows\SysWow64\Apphlpdm.dll2011-12-20 06:12:04 4240384 ----a-w- C:\Windows\System32\GameUXLegacyGDFs.dll2011-12-20 06:09:14 975360 ----a-w- C:\Windows\System32\inetcomm.dll2011-12-20 06:09:14 738816 ----a-w- C:\Windows\SysWow64\inetcomm.dll2011-12-20 06:09:13 1398784 ----a-w- C:\Windows\System32\mfc42.dll2011-12-20 06:09:13 1360384 ----a-w- C:\Windows\System32\mfc42u.dll2011-12-20 06:09:13 1161728 ----a-w- C:\Windows\SysWow64\mfc42u.dll2011-12-20 06:09:13 1136640 ----a-w- C:\Windows\SysWow64\mfc42.dll2011-12-20 06:09:12 344576 ----a-w- C:\Windows\System32\schannel.dll2011-12-20 06:09:12 276992 ----a-w- C:\Windows\SysWow64\schannel.dll2011-12-20 06:09:07 85504 ----a-w- C:\Windows\System32\csrsrv.dll2011-12-20 06:09:07 450048 ----a-w- C:\Windows\System32\winsrv.dll2011-12-20 06:09:06 97792 ----a-w- C:\Windows\System32\drivers\dfsc.sys2011-12-19 19:47:46 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl2011-12-19 04:31:22 -------- d-----w- C:\Users\Harley\AppData\Roaming\SUPERAntiSpyware.com2011-12-19 04:30:47 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com2011-12-19 04:30:47 -------- d-----w- C:\Program Files\SUPERAntiSpyware2011-12-19 03:25:17 -------- d-----w- C:\Users\Harley\AppData\Roaming\Systweak2011-12-19 03:25:16 18816 ----a-w- C:\Windows\System32\roboot64.exe2011-12-18 23:46:05 -------- d-----w- C:\ProgramData\PC Tools2011-12-17 19:43:16 -------- d-----w- C:\Users\Harley\AppData\Roaming\Malwarebytes2011-12-17 19:42:47 -------- d-----w- C:\ProgramData\Malwarebytes2011-12-17 19:42:43 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys2011-12-17 19:42:43 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware2011-12-16 18:59:42 -------- d-----we C:\Windows\system642011-12-14 04:11:44 677136 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll.==================== Find3M ====================.2011-09-24 14:42:25 1393736 ----a-w- C:\Users\Harley\gotomypc_626.exe.============= FINISH: 15:25:19.25 =============== Link to post Share on other sites More sharing options...
LDTate Posted December 21, 2011 ID:507215 Share Posted December 21, 2011 I can't tell what all combofix removed. Do you have a anti-virus program?If you uninstalled combofix like I posted, you should be good to go. Link to post Share on other sites More sharing options...
MallBrat Posted December 21, 2011 Author ID:507223 Share Posted December 21, 2011 Sorry for the double post previous. I've renamed Iexplorer.exe to combofix.exe. Then with Vista I go to START SEARCH and enter ComboFix /Uninstall and it doesn't find anything to uninstall. Link to post Share on other sites More sharing options...
Recommended Posts