Mediashifting

Toum2 · February 11, 2012

Got the known problem with mediashifting.

This is my malwarebyte results. Although it can find them after running it again (after a restart of course), mediashifting is still there

Thank you.

Malwarebytes Anti-Malware 1.60.1.1000

www.malwarebytes.org

Database version: v2012.02.06.05

Windows 7 Service Pack 1 x86 NTFS

Internet Explorer 9.0.8112.16421

Toumazis :: TOUMAZIS-PC [administrator]

11/02/2012 10:05:35 πμ

mbam-log-2012-02-11 (10-09-28).txt

Scan type: Quick scan

Scan options disabled: P2P

Objects scanned: 258980

Time elapsed: 3 minute(s), 45 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 1

C:\Windows\System32\ofcservice.dll (Rootkit.0Access) -> No action taken.

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 7

C:\Windows\System32\ofcservice.dll (Rootkit.0Access) -> No action taken.

C:\Windows\System32\tdrpman.dll (Rootkit.0Access) -> No action taken.

C:\Users\Toumazis\AppData\Local\Temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb (Rootkit.Zeroaccess) -> No action taken.

C:\Users\UpdatusUser\AppData\Local\Temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb (Rootkit.Zeroaccess) -> No action taken.

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb (Rootkit.Zeroaccess) -> No action taken.

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb (Rootkit.Zeroaccess) -> No action taken.

C:\Windows\Temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb (Rootkit.Zeroaccess) -> No action taken.

(end)

Elise · February 11, 2012

Hello and :welcome:

Unfortunately you have a nasty rootkit infection. Please read the following information first.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
Double click on Combofix.exe and follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

Toum2 · February 11, 2012

Thank you vary much for the reply. Here is the combofix.txt

ComboFix 12-02-10.03 - Toumazis 11/02/2012 21:07:51.1.4 - x86

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3191.2270 [GMT 2:00]

Running from: c:\users\Toumazis\Downloads\ComboFix.exe

AV: ESET NOD32 Antivirus 5.0 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}

SP: ESET NOD32 Antivirus 5.0 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\programdata\hpeD778.dll

c:\users\Toumazis\AppData\Local\ade2b215\U

c:\users\Toumazis\AppData\Local\ade2b215\U\00000001.@

c:\users\Toumazis\AppData\Local\ade2b215\U\000000c0.@

c:\users\Toumazis\AppData\Local\ade2b215\U\000000cb.@

c:\users\Toumazis\AppData\Local\ade2b215\U\000000cf.@

c:\users\Toumazis\AppData\Local\ade2b215\U\80000000.@

c:\users\Toumazis\AppData\Local\ade2b215\U\800000c0.@

c:\users\Toumazis\AppData\Local\ade2b215\U\800000cb.@

c:\users\Toumazis\AppData\Local\ade2b215\U\800000cf.@

c:\users\Toumazis\AppData\Local\ade2b215\X

c:\windows\$NtUninstallKB57352$

c:\windows\$NtUninstallKB57352$\2917315093\@

c:\windows\$NtUninstallKB57352$\2917315093\L\xadqgnnk

c:\windows\$NtUninstallKB57352$\2917315093\loader.tlb

c:\windows\$NtUninstallKB57352$\2917315093\U\@00000001

c:\windows\$NtUninstallKB57352$\2917315093\U\@000000c0

c:\windows\$NtUninstallKB57352$\2917315093\U\@000000cb

c:\windows\$NtUninstallKB57352$\2917315093\U\@000000cf

c:\windows\$NtUninstallKB57352$\2917315093\U\@80000000

c:\windows\$NtUninstallKB57352$\2917315093\U\@800000c0

c:\windows\$NtUninstallKB57352$\2917315093\U\@800000cb

c:\windows\$NtUninstallKB57352$\2917315093\U\@800000cf

c:\windows\$NtUninstallKB57352$\3184389296

c:\windows\system32\

c:\windows\system32\c_00805.nls

c:\windows\system32\dds_log_trash.cmd

c:\windows\system32\QPCapSvc.dll

c:\windows\system32\regobj.dll

c:\windows\system32\roboot.exe

.

Infected copy of c:\windows\system32\drivers\netbt.sys was found and disinfected

Restored copy from - The cat found it

c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe . . . is infected!!

c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe . . . was deleted!! You should re-install the program it pertains to

.

Infected copy of c:\program files\Google\Update\GoogleUpdate.exe was found and disinfected

Restored copy from - c:\program files\Google\Update\

.

Infected copy of c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe was found and disinfected

Restored copy from - c:\program files\Google\Common\Google Updater\

.

Infected copy of c:\program files\TeamViewer\Version7\TeamViewer_Service.exe was found and disinfected

Restored copy from - c:\program files\TeamViewer\Version7\

.

((((((((((((((((((((((((( Files Created from 2012-01-11 to 2012-02-11 )))))))))))))))))))))))))))))))

.

2012-02-11 19:16 . 2012-02-11 19:17 -------- d-----w- c:\users\Toumazis\AppData\Local\temp

2012-02-11 19:16 . 2012-02-11 19:16 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp

2012-02-11 19:16 . 2012-02-11 19:16 -------- d-----w- c:\users\Toumazis.Toumazis-PC\AppData\Local\temp

2012-02-11 19:16 . 2012-02-11 19:16 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-02-11 19:16 . 2012-02-11 19:16 -------- d-----w- c:\users\Admin\AppData\Local\temp

2012-02-11 19:16 . 2012-02-11 19:16 -------- d-----w- c:\users\Admin.Toumazis-PC\AppData\Local\temp

2012-02-11 19:04 . 2010-11-20 08:39 187904 ----a-w- c:\windows\system32\drivers\netbt.sys

2012-02-06 21:03 . 2012-02-06 21:03 237 ----a-w- C:\user.js

2012-02-06 21:03 . 2012-02-06 21:03 -------- d-----w- c:\program files\BabylonToolbar

2012-02-06 21:03 . 2012-02-06 21:03 -------- d-----w- c:\users\Toumazis\AppData\Local\Babylon

2012-02-06 21:03 . 2012-02-06 21:03 -------- d-----w- c:\users\Toumazis\AppData\Roaming\Babylon

2012-02-06 21:03 . 2012-02-06 21:03 -------- d-----w- c:\programdata\Babylon

2012-02-06 21:03 . 2012-02-06 21:07 -------- d-----w- c:\users\Toumazis\AppData\Roaming\Systweak

2012-01-19 14:44 . 2009-08-19 20:50 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll

2012-01-19 14:43 . 2012-01-03 17:42 112056 ----a-w- c:\windows\system32\acaptuser32.dll

2012-01-14 12:04 . 2012-01-14 12:04 0 ---ha-w- c:\users\Toumazis\AppData\Local\BIT8C95.tmp

2012-01-12 22:04 . 2011-11-17 05:41 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2012-01-12 22:04 . 2011-11-17 05:41 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys

2012-01-12 22:04 . 2011-11-17 05:39 369352 ----a-w- c:\windows\system32\drivers\cng.sys

2012-01-12 22:04 . 2011-11-17 05:35 314880 ----a-w- c:\windows\system32\webio.dll

2012-01-12 22:04 . 2011-11-17 05:34 15872 ----a-w- c:\windows\system32\sspisrv.dll

2012-01-12 22:04 . 2011-11-17 05:34 100352 ----a-w- c:\windows\system32\sspicli.dll

2012-01-12 22:04 . 2011-11-17 05:34 224768 ----a-w- c:\windows\system32\schannel.dll

2012-01-12 22:04 . 2011-11-17 05:34 22016 ----a-w- c:\windows\system32\secur32.dll

2012-01-12 22:04 . 2011-11-17 05:32 1038848 ----a-w- c:\windows\system32\lsasrv.dll

2012-01-12 22:04 . 2011-11-17 05:29 22528 ----a-w- c:\windows\system32\lsass.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-02-06 21:36 . 2011-11-06 18:17 417440 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-02-06 21:36 . 2011-03-15 21:24 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-01-12 00:19 . 2012-01-12 00:19 4448256 ----a-w- c:\windows\system32\GPhotos.scr

2012-01-07 09:10 . 2010-04-29 09:47 499712 ----a-w- c:\windows\system32\msvcp71.dll

2012-01-07 09:10 . 2010-04-29 09:47 348160 ----a-w- c:\windows\system32\msvcr71.dll

2011-12-16 15:32 . 2011-12-16 15:32 637848 ----a-w- c:\windows\system32\npdeployJava1.dll

2011-12-16 15:32 . 2010-08-22 17:23 567184 ----a-w- c:\windows\system32\deployJava1.dll

2011-12-10 13:24 . 2010-08-22 18:18 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-24 04:25 . 2011-12-16 15:10 2342912 ----a-w- c:\windows\system32\win32k.sys

2011-11-21 10:47 . 2011-12-23 15:16 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{7925898D-831A-4715-83D0-0B3719FDE7C6}\mpengine.dll

2011-11-19 14:01 . 2012-01-12 05:31 67072 ----a-w- c:\windows\system32\packager.dll

2011-11-17 05:38 . 2012-01-12 05:31 1288472 ----a-w- c:\windows\system32\ntdll.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"FileHippo.com"="c:\program files\FileHippo.com\UpdateChecker.exe" [2010-08-09 248832]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2012-01-03 40376]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2012-01-03 640440]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 1821576]

"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-08-10 1313640]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]

"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2011-09-22 3080264]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-05 59240]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\System32\acaptuser32.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]

2010-11-12 10:13 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]

2011-11-01 21:25 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2011-09-22 962560]

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]

R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2012-01-31 158856]

R2 TeamViewer6;TeamViewer 6;c:\program files\TeamViewer\Version6\TeamViewer_Service.exe [2011-08-30 2352640]

R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-02-06 253600]

R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-02-28 183560]

R3 DivioUSBDCam;Crypto Smart PLUS USB Camera;c:\windows\system32\DRIVERS\pcam.sys [2000-03-31 159672]

R3 esihdrv;esihdrv;c:\users\Toumazis\AppData\Local\Temp\esihdrv.sys [x]

R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]

R3 s1039bus;Sony Ericsson Device 1039 driver (WDM);c:\windows\system32\DRIVERS\s1039bus.sys [2009-11-19 98672]

R3 s1039mdfl;Sony Ericsson Device 1039 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s1039mdfl.sys [2009-11-19 14960]

R3 s1039mdm;Sony Ericsson Device 1039 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s1039mdm.sys [2009-11-19 124016]

R3 s1039mgmt;Sony Ericsson Device 1039 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s1039mgmt.sys [2009-11-19 117872]

R3 s1039nd5;Sony Ericsson Device 1039 USB Ethernet Emulation (NDIS);c:\windows\system32\DRIVERS\s1039nd5.sys [2009-11-19 25456]

R3 s1039obex;Sony Ericsson Device 1039 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s1039obex.sys [2009-11-19 113904]

R3 s1039unic;Sony Ericsson Device 1039 USB Ethernet Emulation (WDM);c:\windows\system32\DRIVERS\s1039unic.sys [2009-11-19 123504]

R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]

R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]

R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-08-22 1343400]

S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2011-08-04 118104]

S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2011-08-09 163424]

S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-05-21 2214504]

S2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [2009-04-30 90112]

S2 TeamViewer7;TeamViewer 7;c:\program files\TeamViewer\Version7\TeamViewer_Service.exe [2012-02-11 2984832]

S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-05-18 40320]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-03-01 139776]

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

PEVSystemStart

upnp

s3savagenb

NtMtlFax

.

Contents of the 'Scheduled Tasks' folder

.

2012-02-06 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2011-11-06 21:36]

.

2010-08-22 c:\windows\Tasks\Install.job

- c:\windows\System32\Adobe\Shockwave 11\nssstub.exe [2010-08-22 16:29]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://search.babylon.com/?AF=108298&babsrc=HP_ss&mntrId=a018f0b40000000000000025221c6f9e

uDefault_Search_URL = hxxp://www.google.com/ie

uInternet Settings,ProxyOverride = =

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.10.254

FF - ProfilePath - c:\users\Toumazis\AppData\Roaming\Mozilla\Firefox\Profiles\pvzoju9u.default\

FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/|https://mail.google.com/mail/?shva=1#inbox|http://www.facebook.com/|http://www.youtube.com/

FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=108298

FF - user.js: extensions.BabylonToolbar_i.babExt -

FF - user.js: extensions.BabylonToolbar_i.srcExt - ss

FF - user.js: extensions.BabylonToolbar_i.id - a018f0b40000000000000025221c6f9e

FF - user.js: extensions.BabylonToolbar_i.hardId - a018f0b40000000000000025221c6f9e

FF - user.js: extensions.BabylonToolbar_i.instlDay - 15376

FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17

FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17

FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1723:03

FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon

FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar

FF - user.js: extensions.BabylonToolbar_i.aflt - babsst

FF - user.js: extensions.BabylonToolbar_i.smplGrp - none

FF - user.js: extensions.BabylonToolbar_i.tlbrId - base

FF - user.js: extensions.BabylonToolbar_i.instlRef - sst

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'lsass.exe'(528)

c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

.

- - - - - - - > 'Explorer.exe'(1572)

c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvvsvc.exe

c:\program files\NVIDIA Corporation\Display\nvxdsync.exe

c:\windows\system32\nvvsvc.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Canon\IJPLM\IJPLMSVC.EXE

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

c:\program files\Microsoft\BingBar\SeaPort.EXE

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

c:\windows\system32\WUDFHost.exe

c:\windows\system32\taskhost.exe

c:\windows\system32\conhost.exe

c:\program files\TeamViewer\Version7\TeamViewer.exe

c:\program files\TeamViewer\Version7\tv_w32.exe

c:\program files\Microsoft IntelliPoint\dpupdchk.exe

c:\program files\NVIDIA Corporation\Display\nvtray.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\sppsvc.exe

c:\program files\Windows Media Player\wmpnetwk.exe

.

**************************************************************************

.

Completion time: 2012-02-11 21:22:09 - machine was rebooted

ComboFix-quarantined-files.txt 2012-02-11 19:22

.

Pre-Run: 291.239.870.464 bytes free

Post-Run: 291.169.017.856 bytes free

.

- - End Of File - - 9CD34411A704D3C16715E6030160346D

Elise · February 11, 2012

Could you please rerun combofix once more and post me the new log. Please let me know if you receive any rootkit message.

Toum2 · February 11, 2012

No rootkit message this time.

Also i should mention that NOD32 that says is running, Since the rootkit infection it has not been working

Thank you very much for the support

ComboFix 12-02-10.03 - Toumazis 11/02/2012 22:28:52.2.4 - x86

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3191.1028 [GMT 2:00]

Running from: c:\users\Toumazis\Downloads\ComboFix.exe

AV: ESET NOD32 Antivirus 5.0 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}

SP: ESET NOD32 Antivirus 5.0 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

((((((((((((((((((((((((( Files Created from 2012-01-11 to 2012-02-11 )))))))))))))))))))))))))))))))

.

2012-02-11 20:36 . 2012-02-11 20:36 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp

2012-02-11 20:36 . 2012-02-11 20:36 -------- d-----w- c:\users\Toumazis.Toumazis-PC\AppData\Local\temp

2012-02-11 20:36 . 2012-02-11 20:36 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-02-11 20:36 . 2012-02-11 20:36 -------- d-----w- c:\users\Admin\AppData\Local\temp

2012-02-11 20:36 . 2012-02-11 20:36 -------- d-----w- c:\users\Admin.Toumazis-PC\AppData\Local\temp

2012-02-11 19:16 . 2012-02-11 20:36 -------- d-----w- c:\users\Toumazis\AppData\Local\temp