I can't get rid of DC3_FEXEC


Hi everyone.

I've recently noticed that I can't use accents on my keyboard anymore; whenever I press the key for one, two appear - ´´ - like that. Anyway, I decided to check things out, and Malwarebytes found and deleted two infections, one of which was in the registry, named DC3_FEXEC. The problem is, whenever I reboot my computer, it shows up again. Could anyone help? Thanks in advance.

DDS

.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 8.0.7601.17514

Run by Jorge at 22:56:57 on 2012-03-13

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.351.1033.18.6075.4191 [GMT 0:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}

SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\windows\system32\wininit.exe

C:\windows\system32\lsm.exe

C:\windows\system32\svchost.exe -k DcomLaunch

C:\windows\system32\nvvsvc.exe

C:\windows\system32\svchost.exe -k RPCSS

c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\windows\system32\svchost.exe -k netsvcs

C:\windows\system32\svchost.exe -k LocalService

C:\windows\system32\svchost.exe -k NetworkService

C:\windows\system32\WLANExt.exe

C:\windows\system32\conhost.exe

C:\windows\System32\spoolsv.exe

C:\windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

C:\windows\system32\nvvsvc.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

C:\windows\System32\svchost.exe -k HPZ12

C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe

C:\windows\System32\svchost.exe -k HPZ12

C:\windows\system32\svchost.exe -k imgsvc

C:\windows\system32\taskhost.exe

C:\windows\system32\ThpSrv.exe

C:\windows\Explorer.EXE

C:\windows\system32\Dwm.exe

C:\windows\system32\taskeng.exe

C:\Program Files\Core Temp\Core Temp.exe

C:\windows\system32\TODDSrv.exe

C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe

C:\Program Files\TOSHIBA\TECO\TecoService.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files (x86)\Vodafone\Vodafone Mobile Broadband\Bin\VmbService.exe

C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\Rainmeter\Rainmeter.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe

C:\Windows\Temp\AdobeUpdate.exe

C:\windows\system32\wbem\wmiprvse.exe

C:\windows\system32\svchost.exe -k HPService

C:\windows\SysWOW64\svchost.exe -k hpdevmgmt

c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe

C:\windows\system32\SearchIndexer.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe

C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe

C:\windows\System32\svchost.exe -k LocalServicePeerNet

C:\windows\system32\DllHost.exe

C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe

C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe

C:\Users\Jorge\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Jorge\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Jorge\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Jorge\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Jorge\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Jorge\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Jorge\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Jorge\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Jorge\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Jorge\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghgabhipcejejjmhhchfonmamedcbeod\7.8.3.0_0\plugin\ClickClean.exe

C:\Users\Jorge\AppData\Local\Google\Chrome\Application\chrome.exe

C:\windows\system32\msiexec.exe

C:\windows\system32\taskhost.exe

C:\windows\SysWOW64\rundll32.exe

C:\Users\Jorge\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Jorge\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Jorge\AppData\Local\Google\Chrome\Application\chrome.exe

C:\windows\system32\SearchProtocolHost.exe

C:\windows\system32\SearchFilterHost.exe

C:\windows\SysWOW64\cmd.exe

C:\windows\system32\conhost.exe

C:\windows\SysWOW64\cscript.exe

.

============== Pseudo HJT Report ===============

.

uSearch Page = hxxp://www.google.com

uStart Page = hxxp://toshiba.msn.com

uDefault_Page_URL = hxxp://toshiba.msn.com

uSearch Bar = hxxp://www.google.com/ie

uDefault_Search_URL = hxxp://www.google.com/ie

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mWinlogon: Userinit=userinit.exe,

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MIF5BA~1\Office14\URLREDIR.DLL

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

BHO: TOSHIBA Media Controller Plug-in: {f3c88694-effa-4d78-b409-54b7b2535b14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll

uRun: [Google Update] "C:\Users\Jorge\AppData\Local\Google\Update\GoogleUpdate.exe" /c

mRun: [sVPWUTIL] C:\Program Files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL

mRun: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP

mRun: [KeNotify] C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe

mRun: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun

mRun: [MobileBroadband] C:\Program Files (x86)\Vodafone\Vodafone Mobile Broadband\Bin\MobileBroadband.exe /silent

dRun: [TOSHIBA Online Product Information] C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\topi.exe

StartupFolder: C:\Users\Jorge\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java .exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\RAINME~1.LNK - C:\Program Files\Rainmeter\Rainmeter.exe

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

IE: Add to Google Photos Screensa&ver - C:\windows\system32\GPhotos.scr/200

IE: E&xportar para o Microsoft Excel - C:\PROGRA~2\MIF5BA~1\Office14\EXCEL.EXE/3000

IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files (x86)\PokerStars\PokerStarsUpdate.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{0AC19D56-55ED-44BD-90B0-D86FAF7F4DC2} : DhcpNameServer = 192.168.1.1

TCP: Interfaces\{0AC19D56-55ED-44BD-90B0-D86FAF7F4DC2}\56465727F616D6D27657563747 : DhcpNameServer = 10.1.7.250 10.1.7.251

TCP: Interfaces\{224203EB-8B87-4679-8276-C849DB047521} : DhcpNameServer = 212.18.160.133 212.18.160.134

TCP: Interfaces\{26FF2D08-DE9D-453D-A0D9-42E3D9C4947B} : DhcpNameServer = 192.168.1.1

TCP: Interfaces\{A0D90836-1141-4B3C-963A-2139124544F2} : DhcpNameServer = 212.18.160.133 212.18.160.134

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL

BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO-X64: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File

BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MIF5BA~1\Office14\URLREDIR.DLL

BHO-X64: URLRedirectionBHO - No File

BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

BHO-X64: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll

mRun-x64: [sVPWUTIL] C:\Program Files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL

mRun-x64: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP

mRun-x64: [KeNotify] C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe

mRun-x64: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun

mRun-x64: [MobileBroadband] C:\Program Files (x86)\Vodafone\Vodafone Mobile Broadband\Bin\MobileBroadband.exe /silent

IE-X64: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files (x86)\PokerStars\PokerStarsUpdate.exe

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Jorge\AppData\Roaming\Mozilla\Firefox\Profiles\8myoayvp.default\

FF - plugin: C:\PROGRA~2\MIF5BA~1\Office14\NPAUTHZ.DLL

FF - plugin: C:\PROGRA~2\MIF5BA~1\Office14\NPSPWRAP.DLL

FF - plugin: C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll

FF - plugin: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npwachk.dll

FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: C:\Program Files\Tracker Software\PDF Viewer\Win32\npPDFXCviewNPPlugin.dll

FF - plugin: C:\Users\Jorge\AppData\Local\Google\Update\1.3.21.99\npGoogleUpdate3.dll

FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll

.

============= SERVICES / DRIVERS ===============

.

R0 Thpdrv;TOSHIBA HDD Protection Driver;C:\windows\system32\DRIVERS\thpdrv.sys --> C:\windows\system32\DRIVERS\thpdrv.sys [?]

R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;C:\windows\system32\DRIVERS\Thpevm.SYS --> C:\windows\system32\DRIVERS\Thpevm.SYS [?]

R1 MpFilter;Microsoft Malware Protection Driver;C:\windows\system32\DRIVERS\MpFilter.sys --> C:\windows\system32\DRIVERS\MpFilter.sys [?]

R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]

R2 cfWiMAXService;ConfigFree WiMAX Service;C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe [2010-1-28 249200]

R2 ConfigFree Service;ConfigFree Service;C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe [2009-3-10 46448]

R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-8-24 1800808]

R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;C:\Program Files\Toshiba\TECO\TecoService.exe [2010-4-6 258928]

R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;C:\windows\system32\DRIVERS\TVALZFL.sys --> C:\windows\system32\DRIVERS\TVALZFL.sys [?]

R2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-8-24 2320920]

R2 VmbService;Serviço Vodafone Mobile Broadband;C:\Program Files (x86)\Vodafone\Vodafone Mobile Broadband\Bin\VmbService.exe [2010-6-25 9216]

R3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\windows\system32\DRIVERS\dtsoftbus01.sys --> C:\windows\system32\DRIVERS\dtsoftbus01.sys [?]

R3 enecir;ENE CIR Receiver;C:\windows\system32\DRIVERS\enecir.sys --> C:\windows\system32\DRIVERS\enecir.sys [?]

R3 enecirhid;ENE CIR HID Receiver;C:\windows\system32\DRIVERS\enecirhid.sys --> C:\windows\system32\DRIVERS\enecirhid.sys [?]

R3 enecirhidma;ENE CIR HIDmini Filter;C:\windows\system32\DRIVERS\enecirhidma.sys --> C:\windows\system32\DRIVERS\enecirhidma.sys [?]

R3 HECIx64;Intel® Management Engine Interface;C:\windows\system32\DRIVERS\HECIx64.sys --> C:\windows\system32\DRIVERS\HECIx64.sys [?]

R3 NisDrv;Microsoft Network Inspection System;C:\windows\system32\DRIVERS\NisDrvWFP.sys --> C:\windows\system32\DRIVERS\NisDrvWFP.sys [?]

R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]

R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\windows\system32\drivers\nvhda64v.sys --> C:\windows\system32\drivers\nvhda64v.sys [?]

R3 PGEffect;Pangu effect driver;C:\windows\system32\DRIVERS\pgeffect.sys --> C:\windows\system32\DRIVERS\pgeffect.sys [?]

R3 RTL8167;Realtek 8167 NT Driver;C:\windows\system32\DRIVERS\Rt64win7.sys --> C:\windows\system32\DRIVERS\Rt64win7.sys [?]

R3 vodafone_K3805-z_dc_enum;vodafone_K3805-z_dc_enum;C:\windows\system32\DRIVERS\vodafone_K3805-z_dc_enum.sys --> C:\windows\system32\DRIVERS\vodafone_K3805-z_dc_enum.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S3 acpials;ALS Sensor Filter;C:\windows\system32\DRIVERS\acpials.sys --> C:\windows\system32\DRIVERS\acpials.sys [?]

S3 JMCR;JMCR;C:\windows\system32\DRIVERS\jmcr.sys --> C:\windows\system32\DRIVERS\jmcr.sys [?]

S3 massfilter;MBB Mass Storage Filter Driver;C:\windows\system32\DRIVERS\massfilter.sys --> C:\windows\system32\DRIVERS\massfilter.sys [?]

S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\windows\system32\DRIVERS\MpNWMon.sys --> C:\windows\system32\DRIVERS\MpNWMon.sys [?]

S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]

S3 TemproMonitoringService;Notebook Performance Tuning Service (TEMPRO);C:\Program Files (x86)\Toshiba TEMPRO\TemproSvc.exe [2010-2-11 124368]

S3 TMachInfo;TMachInfo;C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2011-8-24 51512]

S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\Toshiba\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-2-5 137560]

S3 TPCHSrv;TPCH Service;C:\Program Files\Toshiba\TPHM\TPCHSrv.exe [2010-2-23 835952]

S3 TsUsbFlt;TsUsbFlt;C:\windows\system32\drivers\tsusbflt.sys --> C:\windows\system32\drivers\tsusbflt.sys [?]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]

S3 ZTEusbnet;ZTE USB-NDIS miniport;C:\windows\system32\DRIVERS\ZTEusbnet.sys --> C:\windows\system32\DRIVERS\ZTEusbnet.sys [?]

S3 ZTEusbvoice;ZTE VoUSB Port;C:\windows\system32\DRIVERS\ZTEusbvoice.sys --> C:\windows\system32\DRIVERS\ZTEusbvoice.sys [?]

.

=============== Created Last 30 ================

.

2012-03-13 22:51:42 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{7D135418-1B74-4C68-8EE6-53574B9BD3A4}\offreg.dll

2012-03-13 22:26:07 -------- d-----w- C:\HJT

2012-03-13 22:21:35 -------- d-----w- C:\sh4ldr

2012-03-13 22:21:35 -------- d-----w- C:\Program Files\Enigma Software Group

2012-03-13 22:20:59 -------- d-----w- C:\windows\5B210B8AB66E4702B44D0D6F388D29EB.TMP

2012-03-13 22:00:56 -------- d-----w- C:\Users\Jorge\AppData\Roaming\DYA_JITODISSHNHULOVMM

2012-03-13 22:00:56 -------- d-----w- C:\ProgramData\DYA_JITODISSHNHULOVMM

2012-03-13 18:56:58 8643640 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{7D135418-1B74-4C68-8EE6-53574B9BD3A4}\mpengine.dll

2012-03-11 00:56:16 -------- d-----w- C:\NVIDIA

2012-03-10 16:20:31 -------- d-----w- C:\Program Files\CCleaner

2012-03-08 15:09:54 -------- d-----w- C:\Users\Jorge\AppData\Roaming\DYA_UDGIWSURCJSANRBGR

2012-03-08 15:09:54 -------- d-----w- C:\ProgramData\DYA_UDGIWSURCJSANRBGR

2012-03-06 14:49:22 -------- d-----w- C:\Users\Jorge\AppData\Roaming\DYA_RESGVQDWEMAJBMTWM

2012-03-06 14:49:22 -------- d-----w- C:\ProgramData\DYA_RESGVQDWEMAJBMTWM

2012-03-05 22:44:06 -------- d-----w- C:\Users\Jorge\AppData\Roaming\DYA_HMRCNDLPKVWTBQDDK

2012-03-05 22:44:06 -------- d-----w- C:\ProgramData\DYA_HMRCNDLPKVWTBQDDK

2012-03-04 21:15:42 -------- d-----w- C:\Users\Jorge\AppData\Roaming\DYA_WMONMGVBMFSIIDGVO

2012-03-04 21:15:42 -------- d-----w- C:\ProgramData\DYA_WMONMGVBMFSIIDGVO

2012-03-03 02:17:26 -------- d-----w- C:\Users\Jorge\AppData\Local\Chromium

2012-03-03 00:53:45 1560576 ----a-w- C:\Users\Jorge\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java .exe

2012-03-01 19:32:17 -------- d-----w- C:\Users\Jorge\AppData\Local\Apps

2012-03-01 19:22:08 -------- d-----w- C:\Users\Jorge\AppData\Local\Shareaza

2012-03-01 19:21:59 -------- d-----w- C:\Users\Jorge\AppData\Roaming\Shareaza

2012-03-01 13:33:37 -------- d-----w- C:\Users\Jorge\Porn

2012-03-01 01:37:14 -------- d-----w- C:\Users\Jorge\Torrents

2012-02-29 19:51:50 -------- d-----w- C:\ubuntu

2012-02-29 10:48:45 -------- d-----w- C:\Users\Jorge\AppData\Roaming\Stellarium

2012-02-29 10:48:33 -------- d-----w- C:\Program Files (x86)\Stellarium

2012-02-25 18:34:28 -------- d-----w- C:\Users\Jorge\AppData\Roaming\MathematicaPlayer

2012-02-25 18:34:28 -------- d-----w- C:\Users\Jorge\AppData\Local\MathematicaPlayer

2012-02-25 18:34:28 -------- d-----w- C:\ProgramData\MathematicaPlayer

2012-02-25 18:34:22 -------- d-----w- C:\Program Files\Common Files\Wolfram Research

2012-02-25 18:34:21 -------- d-----w- C:\ProgramData\Mathematica

2012-02-25 18:34:21 -------- d-----w- C:\Program Files (x86)\Common Files\Wolfram Research

2012-02-25 18:34:21 -------- d-----w- C:\Program Files (x86)\Common Files\ResearchSoft

2012-02-25 18:33:51 93712 ----a-w- C:\windows\SysWow64\mltcp32.mlp

2012-02-25 18:33:51 88080 ----a-w- C:\windows\SysWow64\mlshm32.mlp

2012-02-25 18:33:51 334352 ----a-w- C:\windows\SysWow64\mltcpip32.mlp

2012-02-25 18:33:50 79376 ----a-w- C:\windows\SysWow64\mlmap32.mlp

2012-02-25 18:33:50 370704 ----a-w- C:\windows\SysWow64\ml32i3.dll

2012-02-25 18:33:50 260112 ----a-w- C:\windows\SysWow64\ml32i2.dll

2012-02-25 18:33:50 253968 ----a-w- C:\windows\SysWow64\ml32i1.dll

2012-02-25 18:33:50 163344 ----a-w- C:\windows\SysWow64\mlmodule32.dll

2012-02-25 18:33:21 -------- d-----w- C:\Program Files (x86)\Wolfram Research

.

==================== Find3M ====================

.

2012-03-11 00:44:20 472808 ----a-w- C:\windows\SysWow64\deployJava1.dll

2012-02-18 01:23:52 414368 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-02-10 03:14:04 6074176 ----a-w- C:\windows\System32\nvcpl.dll

2012-02-10 03:14:01 3089728 ----a-w- C:\windows\System32\nvsvc64.dll

2012-02-10 03:07:03 2561856 ----a-w- C:\windows\System32\nvsvcr.dll

2012-02-10 03:07:00 889664 ----a-w- C:\windows\System32\nvvsvc.exe

2012-02-10 03:07:00 63296 ----a-w- C:\windows\System32\nvshext.dll

2012-02-10 03:07:00 118080 ----a-w- C:\windows\System32\nvmctray.dll

2012-01-31 12:44:20 279656 ------w- C:\windows\System32\MpSigStub.exe

2012-01-17 12:46:01 31040 ----a-w- C:\windows\System32\nvhdap64.dll

2012-01-17 12:45:56 188224 ----a-w- C:\windows\System32\drivers\nvhda64v.sys

2012-01-17 12:45:55 1451840 ----a-w- C:\windows\System32\nvhdagenco6420103.dll

2012-01-14 04:06:27 3145728 ----a-w- C:\windows\System32\win32k.sys

2012-01-04 10:44:20 509952 ----a-w- C:\windows\System32\ntshrui.dll

2012-01-04 08:58:41 442880 ----a-w- C:\windows\SysWow64\ntshrui.dll

2011-12-30 06:26:08 515584 ----a-w- C:\windows\System32\timedate.cpl

2011-12-30 05:27:56 478720 ----a-w- C:\windows\SysWow64\timedate.cpl

2011-12-28 03:59:24 498688 ----a-w- C:\windows\System32\drivers\afd.sys

2011-12-16 08:47:38 1188864 ----a-w- C:\windows\System32\wininet.dll

2011-12-16 08:46:06 634880 ----a-w- C:\windows\System32\msvcrt.dll

2011-12-16 07:54:22 981504 ----a-w- C:\windows\SysWow64\wininet.dll

2011-12-16 07:52:58 690688 ----a-w- C:\windows\SysWow64\msvcrt.dll

2011-12-16 06:44:38 1638912 ----a-w- C:\windows\System32\mshtml.tlb

2011-12-16 06:09:17 1638912 ----a-w- C:\windows\SysWow64\mshtml.tlb

2010-11-05 01:58:15 1169224 --sh--w- C:\windows\Temp\AdobeUpdate.exe

.

============= FINISH: 22:57:39,46 ===============

Attach

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows 7 Home Premium

Boot Device: \Device\HarddiskVolume1

Install Date: 24-08-2011 11:58:21

System Uptime: 13-03-2012 22:37:19 (0 hours ago)

.

Motherboard: TOSHIBA | | NWQAA

Processor: Intel® Core i7 CPU Q 720 @ 1.60GHz | CPU | 1600/133mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 438 GiB total, 236,085 GiB free.

D: is CDROM ()

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP237: 11-03-2012 00:18:20 - Installed DirectX

RP238: 12-03-2012 20:26:23 - Windows Update

.

==== Installed Programs ======================

.

Adobe AIR

Adobe Flash Player 10 ActiveX

µTorrent

Borderlands

BufferChm

Compatibility Pack for the 2007 Office system

Copy

DAEMON Tools Lite

Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition

Destinations

DeviceDiscovery

DJ_AIO_06_F4500_SW_MIN

F4500

Foxit Reader 5.1

GnuCash 2.4.8

Google Chrome

GPBaseService2

HPPhotoGadget

HPProductAssistant

ImagXpress

Intel® Management Engine Components

Intel® Rapid Storage Technology

JMicron Flash Media Controller Driver

Junk Mail filter update

LastPass (uninstall only)

Malwarebytes Anti-Malware version 1.60.1.1000

Microsoft Choice Guard

Microsoft Games for Windows - LIVE Redistributable

Microsoft Games for Windows Marketplace

Microsoft Office 2010 Service Pack 1 (SP1)

Microsoft Office Access MUI (Portuguese (Portugal)) 2010

Microsoft Office Excel MUI (Portuguese (Portugal)) 2010

Microsoft Office OneNote MUI (Portuguese (Portugal)) 2010

Microsoft Office Outlook MUI (Portuguese (Portugal)) 2010

Microsoft Office PowerPoint MUI (Portuguese (Portugal)) 2010

Microsoft Office PowerPoint Viewer 2007 (English)

Microsoft Office Professional 2010

Microsoft Office Proof (English) 2010

Microsoft Office Proof (French) 2010

Microsoft Office Proof (Portuguese (Portugal)) 2010

Microsoft Office Proof (Spanish) 2010

Microsoft Office Proofing (Portuguese (Portugal)) 2010

Microsoft Office Publisher MUI (Portuguese (Portugal)) 2010

Microsoft Office Shared MUI (Portuguese (Portugal)) 2010

Microsoft Office Single Image 2010

Microsoft Office Suite Activation Assistant

Microsoft Office Word MUI (Portuguese (Portugal)) 2010

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

Microsoft Works

Microsoft XNA Framework Redistributable 3.1

Microsoft XNA Framework Redistributable 4.0

Mozilla Firefox 8.0 (x86 en-US)

MSVCRT

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

neroxml

Notepad++

NVIDIA PhysX

NVIDIA Updatus

Picasa 3

Python 2.7.2

Q10 Editor

Racket v5.0.2

Rainmeter

Realtek Ethernet Controller Driver For Windows 7

Realtek High Definition Audio Driver

Revo Uninstaller 1.93

Scan

Section 8: Prejudice

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Extended (KB2416472)

Security Update for Microsoft .NET Framework 4 Extended (KB2487367)

Security Update for Microsoft .NET Framework 4 Extended (KB2656351)

Security Update for Microsoft Office 2010 (KB2553091)

Security Update for Microsoft Office 2010 (KB2553096)

Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition

Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition

Security Update for Microsoft SharePoint Workspace 2010 (KB2566445)

Security Update for Microsoft Visio Viewer 2010 (KB2597170) 32-Bit Edition

Sid Meier's Civilization 4 Complete

SolutionCenter

Spybot - Search & Destroy

Status

Steam

Stellarium 0.11.1

Toolbox

Toshiba Assist

TOSHIBA Bulletin Board

TOSHIBA ConfigFree

TOSHIBA eco Utility

TOSHIBA Face Recognition

TOSHIBA Flash Cards Support Utility

TOSHIBA Hardware Setup

TOSHIBA HDD/SSD Alert

Toshiba Manuals

TOSHIBA Media Controller

TOSHIBA Media Controller Plug-in

TOSHIBA Online Product Information

TOSHIBA Recovery Media Creator Reminder

TOSHIBA ReelTime

TOSHIBA Remote Control Manager

TOSHIBA Service Station

TOSHIBA Sleep Utility

TOSHIBA Supervisor Password

Toshiba TEMPRO

TOSHIBA Value Added Package

TOSHIBA Web Camera Application

TrayApp

Ubuntu

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2473228)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft .NET Framework 4 Extended (KB2468871)

Update for Microsoft .NET Framework 4 Extended (KB2533523)

Update for Microsoft .NET Framework 4 Extended (KB2600217)

Update for Microsoft Excel 2010 (KB2553439) 32-Bit Edition

Update for Microsoft Office 2010 (KB2494150)

Update for Microsoft Office 2010 (KB2553065)

Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553385) 32-Bit Edition

Update for Microsoft Office 2010 (KB2566458)

Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition

Update for Microsoft Office 2010 (KB2597091) 32-Bit Edition

Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition

Update for Microsoft Outlook 2010 (KB2553323) 32-Bit Edition

Update for Microsoft Outlook Social Connector (KB2583935)

Utility Common Driver

VLC media player 1.1.11

Vodafone Mobile Broadband Lite

WebReg

Winamp

Winamp Detector Plug-in

WinDirStat 1.1.2

Windows Live Call

Windows Live Communications Platform

Windows Live Essentials

Windows Live Mail

Windows Live Messenger

Windows Live Movie Maker

Windows Live Photo Gallery

Windows Live Sync

Windows Live Upload Tool

Windows Live Writer

Wolfram CDF Player (M-WIN-D 8.0.4 2609533)

.

==== Event Viewer Messages From Past Week ========

.

13-03-2012 22:38:11, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.

13-03-2012 22:38:00, Error: Service Control Manager [7034] - The HP CUE DeviceDiscovery Service service terminated unexpectedly. It has done this 1 time(s).

13-03-2012 22:20:41, Error: Service Control Manager [7034] - The hpqcxs08 service terminated unexpectedly. It has done this 1 time(s).

13-03-2012 22:07:24, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.

13-03-2012 21:43:28, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.

13-03-2012 21:11:11, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.

13-03-2012 14:47:50, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.

13-03-2012 13:00:44, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.

12-03-2012 23:41:16, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.

12-03-2012 17:22:07, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.

12-03-2012 14:27:56, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.

12-03-2012 11:52:19, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.

12-03-2012 09:41:10, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.

11-03-2012 15:32:52, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.

11-03-2012 15:07:26, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.

11-03-2012 01:42:14, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.

11-03-2012 00:30:57, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.

10-03-2012 21:50:54, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.

10-03-2012 14:09:32, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.

09-03-2012 14:54:36, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.

08-03-2012 16:51:51, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.

08-03-2012 13:27:02, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.

07-03-2012 20:16:50, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.

06-03-2012 20:42:15, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.

.

==== End Of File ===========================


  • Staff

Hi,

We have added detection for this new variant, which will be available in a few hours. So please update Malwarebytes - It has to be at least database version v2012.03.14.02 (as that's the version where this detection will be present).

Then rescan again, remove what it found and post the Malwarebytes log in your next reply.

Also, can you let me know what these folders are?

C:\Users\Jorge\AppData\Roaming\DYA_UDGIWSURCJSANRBGR

C:\ProgramData\DYA_UDGIWSURCJSANRBGR

C:\Users\Jorge\AppData\Roaming\DYA_RESGVQDWEMAJBMTWM

C:\ProgramData\DYA_RESGVQDWEMAJBMTWM

C:\Users\Jorge\AppData\Roaming\DYA_HMRCNDLPKVWTBQDDK

C:\ProgramData\DYA_HMRCNDLPKVWTBQDDK

C:\Users\Jorge\AppData\Roaming\DYA_WMONMGVBMFSIIDGVO

C:\ProgramData\DYA_WMONMGVBMFSIIDGVO

C:\Users\Jorge\AppData\Roaming\DYA_JITODISSHNHULOVMM

C:\ProgramData\DYA_JITODISSHNHULOVMM

Do you recognise them? What's inside them? They appear to be created by the same app as they look similar, so the files inside should be similar as well.


I've updated Malwarebytes to v2012.03.14.02 and rescanned. It detected 3 infections, and cleared them, telling me I had to restart in order for the changes to take effect. I did and rescanned again, and one of the infections (the one in the registry key, I think) was still there.

Here's the log, like you asked:

Malwarebytes Anti-Malware 1.60.1.1000

www.malwarebytes.org

Database version: v2012.03.14.02

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 8.0.7601.17514

Jorge :: HAL [administrator]

14-03-2012 13:12:41

mbam-log-2012-03-14 (13-12-41).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 224820

Time elapsed: 3 minute(s), 18 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 1

HKCU\Software\DC3_FEXEC (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 2

C:\Users\Jorge\AppData\Local\Temp\dclogs\2012-03-13-3.dc (Stolen.Data) -> Quarantined and deleted successfully.

C:\Users\Jorge\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java .exe (Backdoor.Agent.DC) -> Quarantined and deleted successfully.

(end)

As for the folders you mentioned, I'm afraid I have no idea what they're for.

They all have the same structure, Weird Name\1.0.0\Data and seem to have been created a few days apart.

The ones in the AppData\Roaming folder have a single file called dya.dat while the ones in the ProgramData folder have two files, one called app.dat and one called update.dat

Thanks for your help


  • Staff

Hi,

The ones in the AppData\Roaming folder have a single file called dya.dat while the ones in the ProgramData folder have two files, one called app.dat and one called update.dat

Can you zip and send me those files please (dya.dat, app.dat & update.dat), so I can have a look and see what they may be related to?

Also, please perform a new quick scan with Malwarebytes once again and let me know if the detections still return (they shouldn't this time, as it has now removed the main loader).


Files sent :)

I did a new quick scan and it found 2 infections: one is still the registry key, the other is a file with the results of a keylogger. I deleted both; here is the log:

Malwarebytes Anti-Malware 1.60.1.1000

www.malwarebytes.org

Database version: v2012.03.14.02

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 8.0.7601.17514

Jorge :: HAL [administrator]

14-03-2012 19:04:36

mbam-log-2012-03-14 (19-04-36).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 224797

Time elapsed: 4 minute(s), 38 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 1

HKCU\Software\DC3_FEXEC (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\Users\Jorge\AppData\Local\Temp\dclogs\2012-03-14-4.dc (Stolen.Data) -> Quarantined and deleted successfully.

(end)


  • Staff

Hi,

I have received the files, but can't really figure out what they are related to. We'll have a closer look at those folders afterwards.

Looks like something is still present there which recreates those files again, so let's have a closer look.

* Please visit this webpage for instructions for downloading and running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply. Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.

Also, can you zip & send the following file as well if still present?

C:\Windows\Temp\AdobeUpdate.exe


Here's the log file from ComboFix (I forgot to mention, my Windows is in Portuguese, so I guess that's the reason the log is too):

ComboFix 12-03-14.01 - Jorge 14-03-2012 22:15:02.1.8 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.351.1033.18.6075.4582 [GMT 0:00]

Executando de: c:\users\Jorge\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}

SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\programdata\DYA_HMRCNDLPKVWTBQDDK

c:\programdata\DYA_HMRCNDLPKVWTBQDDK\1.0.0\Data\app.dat

c:\programdata\DYA_HMRCNDLPKVWTBQDDK\1.0.0\Data\updates.dat

c:\programdata\DYA_JITODISSHNHULOVMM

c:\programdata\DYA_JITODISSHNHULOVMM\1.0.0\Data\app.dat

c:\programdata\DYA_JITODISSHNHULOVMM\1.0.0\Data\updates.dat

c:\programdata\DYA_RESGVQDWEMAJBMTWM

c:\programdata\DYA_RESGVQDWEMAJBMTWM\1.0.0\Data\app.dat

c:\programdata\DYA_RESGVQDWEMAJBMTWM\1.0.0\Data\updates.dat

c:\programdata\DYA_UDGIWSURCJSANRBGR

c:\programdata\DYA_UDGIWSURCJSANRBGR\1.0.0\Data\app.dat

c:\programdata\DYA_UDGIWSURCJSANRBGR\1.0.0\Data\updates.dat

c:\programdata\DYA_WMONMGVBMFSIIDGVO

c:\programdata\DYA_WMONMGVBMFSIIDGVO\1.0.0\Data\app.dat

c:\programdata\DYA_WMONMGVBMFSIIDGVO\1.0.0\Data\updates.dat

c:\programdata\xp

c:\programdata\xp\EBLib.dll

c:\programdata\xp\TPwSav.sys

c:\users\Jorge\AppData\Roaming\DYA_HMRCNDLPKVWTBQDDK

c:\users\Jorge\AppData\Roaming\DYA_HMRCNDLPKVWTBQDDK\1.0.0\Data\dya.dat

c:\users\Jorge\AppData\Roaming\DYA_JITODISSHNHULOVMM

c:\users\Jorge\AppData\Roaming\DYA_JITODISSHNHULOVMM\1.0.0\Data\dya.dat

c:\users\Jorge\AppData\Roaming\DYA_RESGVQDWEMAJBMTWM

c:\users\Jorge\AppData\Roaming\DYA_RESGVQDWEMAJBMTWM\1.0.0\Data\dya.dat

c:\users\Jorge\AppData\Roaming\DYA_UDGIWSURCJSANRBGR

c:\users\Jorge\AppData\Roaming\DYA_UDGIWSURCJSANRBGR\1.0.0\Data\dya.dat

c:\users\Jorge\AppData\Roaming\DYA_WMONMGVBMFSIIDGVO

c:\users\Jorge\AppData\Roaming\DYA_WMONMGVBMFSIIDGVO\1.0.0\Data\dya.dat

.

.

(((((((((((((((( Arquivos/Ficheiros criados de 2012-02-14 to 2012-03-14 ))))))))))))))))))))))))))))

.

.

2012-03-14 22:20 . 2012-03-14 22:20 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp

2012-03-14 22:20 . 2012-03-14 22:20 -------- d-----w- c:\users\postgres\AppData\Local\temp

2012-03-14 22:20 . 2012-03-14 22:20 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-03-14 19:12 . 2012-02-08 07:13 8643640 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E51DAD81-39B4-4799-B046-6D2D073AF03E}\mpengine.dll

2012-03-14 13:12 . 2012-02-17 06:38 1031680 ----a-w- c:\windows\system32\rdpcore.dll

2012-03-14 13:12 . 2012-01-25 06:38 77312 ----a-w- c:\windows\system32\rdpwsx.dll

2012-03-14 13:12 . 2012-01-25 06:38 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll

2012-03-14 13:12 . 2012-01-25 06:33 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe

2012-03-14 13:12 . 2012-02-17 05:34 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll

2012-03-14 13:12 . 2012-02-17 04:58 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2012-03-14 13:12 . 2012-02-17 04:57 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys

2012-03-13 22:21 . 2012-03-13 22:50 -------- d-----w- C:\sh4ldr

2012-03-13 22:21 . 2012-03-13 22:21 -------- d-----w- c:\program files\Enigma Software Group

2012-03-13 22:20 . 2012-03-13 22:50 -------- d-----w- c:\windows\5B210B8AB66E4702B44D0D6F388D29EB.TMP

2012-03-11 00:56 . 2012-03-11 00:56 -------- d-----w- C:\NVIDIA

2012-03-10 16:20 . 2012-03-10 16:20 -------- d-----w- c:\program files\CCleaner

2012-03-03 02:17 . 2012-03-03 02:17 -------- d-----w- c:\users\Jorge\AppData\Local\Chromium

2012-03-01 19:32 . 2012-03-01 19:32 -------- d-----w- c:\users\Jorge\AppData\Local\Apps

2012-03-01 19:22 . 2012-03-01 19:22 -------- d-----w- c:\users\Jorge\AppData\Local\Shareaza

2012-03-01 19:21 . 2012-03-01 19:27 -------- d-----w- c:\users\Jorge\AppData\Roaming\Shareaza

2012-03-01 13:33 . 2012-03-14 02:37 -------- d-----w- c:\users\Jorge\Porn

2012-03-01 01:37 . 2012-03-14 02:31 -------- d-----w- c:\users\Jorge\Torrents

2012-02-29 19:51 . 2012-02-29 19:59 -------- d-----w- C:\ubuntu

2012-02-29 10:48 . 2012-02-29 10:48 -------- d-----w- c:\users\Jorge\AppData\Roaming\Stellarium

2012-02-29 10:48 . 2012-02-29 10:48 -------- d-----w- c:\program files (x86)\Stellarium

2012-02-25 18:34 . 2012-02-25 18:34 -------- d-----w- c:\users\Jorge\AppData\Roaming\MathematicaPlayer

2012-02-25 18:34 . 2012-02-25 18:34 -------- d-----w- c:\users\Jorge\AppData\Local\MathematicaPlayer

2012-02-25 18:34 . 2012-02-25 18:34 -------- d-----w- c:\program files\Common Files\Wolfram Research

2012-02-25 18:34 . 2012-02-25 18:34 -------- d-----w- c:\program files (x86)\Common Files\Wolfram Research

2012-02-25 18:34 . 2012-02-25 18:34 -------- d-----w- c:\programdata\Mathematica

2012-02-25 18:34 . 2012-02-25 18:34 -------- d-----w- c:\program files (x86)\Common Files\ResearchSoft

2012-02-25 18:33 . 2011-10-03 18:45 334352 ----a-w- c:\windows\SysWow64\mltcpip32.mlp

2012-02-25 18:33 . 2011-10-03 18:45 93712 ----a-w- c:\windows\SysWow64\mltcp32.mlp

2012-02-25 18:33 . 2011-10-03 18:45 88080 ----a-w- c:\windows\SysWow64\mlshm32.mlp

2012-02-25 18:33 . 2011-10-03 18:45 163344 ----a-w- c:\windows\SysWow64\mlmodule32.dll

2012-02-25 18:33 . 2011-10-03 18:45 79376 ----a-w- c:\windows\SysWow64\mlmap32.mlp

2012-02-25 18:33 . 2011-10-03 18:45 370704 ----a-w- c:\windows\SysWow64\ml32i3.dll

2012-02-25 18:33 . 2011-10-03 18:45 260112 ----a-w- c:\windows\SysWow64\ml32i2.dll

2012-02-25 18:33 . 2011-10-03 18:45 253968 ----a-w- c:\windows\SysWow64\ml32i1.dll

2012-02-25 18:33 . 2012-02-25 18:33 -------- d-----w- c:\program files (x86)\Wolfram Research

.

.

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-03-14 19:14 . 2012-03-14 19:12 724 ----a-w- C:\Samples.zip

2012-03-11 00:44 . 2012-01-25 19:03 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll

2012-02-18 01:23 . 2011-08-24 13:14 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-02-11 12:37 . 2012-02-11 12:37 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{39EFB4B7-8A36-468A-BC4D-B0A59BF63CEB}\gapaengine.dll

2012-02-10 04:13 . 2010-03-23 07:29 9717568 ----a-w- c:\windows\system32\nvwgf2umx.dll

2012-02-10 04:13 . 2010-03-23 07:29 2660160 ----a-w- c:\windows\system32\nvapi64.dll

2012-02-10 04:13 . 2010-03-23 07:29 15009600 ----a-w- c:\windows\SysWow64\nvd3dum.dll

2012-02-10 03:14 . 2010-03-22 21:39 6074176 ----a-w- c:\windows\system32\nvcpl.dll

2012-02-10 03:14 . 2010-03-22 21:39 3089728 ----a-w- c:\windows\system32\nvsvc64.dll

2012-02-10 03:07 . 2010-03-22 21:39 2561856 ----a-w- c:\windows\system32\nvsvcr.dll

2012-02-10 03:07 . 2010-03-22 21:39 889664 ----a-w- c:\windows\system32\nvvsvc.exe

2012-02-10 03:07 . 2010-03-22 21:39 63296 ----a-w- c:\windows\system32\nvshext.dll

2012-02-10 03:07 . 2010-03-22 21:39 118080 ----a-w- c:\windows\system32\nvmctray.dll

2012-02-08 07:13 . 2011-08-25 15:32 8643640 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2012-01-31 12:44 . 2011-08-24 11:59 279656 ------w- c:\windows\system32\MpSigStub.exe

2012-01-01 18:26 . 2009-08-18 11:49 564632 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\wlidui.dll

2012-01-01 18:26 . 2009-08-18 10:24 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll

.

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por padrão não são apresentadas.

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"SVPWUTIL"="c:\program files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe" [2010-02-22 352256]

"HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2010-03-04 423936]

"KeNotify"="c:\program files (x86)\TOSHIBA\Utilities\KeNotify.exe" [2009-12-25 34160]

"TWebCamera"="c:\program files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2010-02-24 2454840]

"MobileBroadband"="c:\program files (x86)\Vodafone\Vodafone Mobile Broadband\Bin\MobileBroadband.exe" [2010-06-25 253952]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"TOSHIBA Online Product Information"="c:\program files (x86)\TOSHIBA\TOSHIBA Online Product Information\topi.exe" [2010-03-03 4581280]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Rainmeter.lnk - c:\program files\Rainmeter\Rainmeter.exe [2012-1-8 107720]

.

c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

TRDCReminder.lnk - c:\program files (x86)\TOSHIBA\TRDCReminder\TRDCReminder.exe [2009-9-1 481184]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 VmbService;Serviço Vodafone Mobile Broadband;c:\program files (x86)\Vodafone\Vodafone Mobile Broadband\Bin\VmbService.exe [2010-06-25 9216]

R3 acpials;ALS Sensor Filter;c:\windows\system32\DRIVERS\acpials.sys [x]

R3 massfilter;MBB Mass Storage Filter Driver;c:\windows\system32\DRIVERS\massfilter.sys [x]

R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]

R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]

R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]

R3 TemproMonitoringService;Notebook Performance Tuning Service (TEMPRO);c:\program files (x86)\Toshiba TEMPRO\TemproSvc.exe [2010-02-11 124368]

R3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-10-06 51512]

R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-02-05 137560]

R3 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [2010-02-23 835952]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

R3 WinRing0_1_2_0;WinRing0_1_2_0;c:\users\Jorge\..RealTemp_360\WinRing0x64.sys [x]

R3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\DRIVERS\ZTEusbnet.sys [x]

R3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\DRIVERS\ZTEusbvoice.sys [x]

S0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\DRIVERS\thpdrv.sys [x]

S0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\DRIVERS\Thpevm.SYS [x]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]

S2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe [2010-01-28 249200]

S2 ConfigFree Service;ConfigFree Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe [2009-03-10 46448]

S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2010-03-22 1800808]

S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe [2010-04-06 258928]

S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys [x]

S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-03-03 2320920]

S3 ALSysIO;ALSysIO;c:\users\Jorge\AppData\Local\Temp\ALSysIO64.sys [x]

S3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]

S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [x]

S3 enecirhid;ENE CIR HID Receiver;c:\windows\system32\DRIVERS\enecirhid.sys [x]

S3 enecirhidma;ENE CIR HIDmini Filter;c:\windows\system32\DRIVERS\enecirhidma.sys [x]

S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]

S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [x]

S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]

S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [x]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]

S3 vodafone_K3805-z_dc_enum;vodafone_K3805-z_dc_enum;c:\windows\system32\DRIVERS\vodafone_K3805-z_dc_enum.sys [x]

.

.

--- =Outros Serviços/Drivers Na Memória ---

.

*NewlyCreated* - WS2IFSL

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Conteúdo da pasta 'Tarefas Agendadas'

.

2012-03-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2193289667-373123696-739203813-1002Core.job

- c:\users\Jorge\AppData\Local\Google\Update\GoogleUpdate.exe [2011-12-23 10:45]

.

2012-03-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2193289667-373123696-739203813-1002UA.job

- c:\users\Jorge\AppData\Local\Google\Update\GoogleUpdate.exe [2011-12-23 10:45]

.

.

--------- x86-64 -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-03-22 10134560]

"RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2010-03-22 896032]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x0

.

------- Scan Suplementar -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://toshiba.msn.com

uDefault_Search_URL = hxxp://www.google.com/ie

mLocal Page = c:\windows\SysWOW64\blank.htm

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xportar para o Microsoft Excel - c:\progra~2\MIF5BA~1\Office14\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.1.1

FF - ProfilePath - c:\users\Jorge\AppData\Roaming\Mozilla\Firefox\Profiles\8myoayvp.default\

.

- - - - ORFãOS REMOVIDOS - - - -

.

Toolbar-Locked - (no file)

Toolbar-Locked - (no file)

HKLM-Run-(Default) - (no file)

HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe

.

.

.

--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

.

[HKEY_USERS\S-1-5-21-2193289667-373123696-739203813-1002\Software\SecuROM\License information*]

"datasecu"=hex:f5,d4,33,c2,34,14,fa,50,0f,87,d3,fb,1a,73,fd,51,3a,29,c3,3f,91,

db,90,23,69,79,81,64,8e,84,5e,a9,d5,be,ed,fa,1e,06,40,19,5f,df,3c,3b,70,e1,\

"rkeysecu"=hex:5c,68,92,9b,9a,3d,a1,fb,0c,66,e5,36,87,b9,e5,85

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]

@="c:\\windows\\SysWow64\\Macromed\\Flash\\FlashUtil10c.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.10"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\McAfee]

"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

@Denied: (A) (Everyone)

"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

@Denied: (A) (Everyone)

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

"Key"="ActionsPane3"

"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Outros Processos em Execução ------------------------

.

c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

c:\program files (x86)\TOSHIBA\ConfigFree\NDSTray.exe

c:\program files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe

.

**************************************************************************

.

Tempo para conclusão: 2012-03-14 22:28:06 - Máquina reiniciou

ComboFix-quarantined-files.txt 2012-03-14 22:28

.

Pré-execução: 266.616.205.312 bytes free

Pós execução: 266.521.042.944 bytes free

.

- - End Of File - - 4D98B3E1B06493A9F08AA6E50545835D

The file you asked for is no longer there, for some reason.

But, on the bright side, it seems that the infection is gone. I ran Malwarebytes again after ComboFix was done and it couldn't find anything :)


  • Staff

Hi,

Looks like Combofix already nuked those suspicious folders as well.

I guess you couldn't find the file anymore, because Combofix actually deletes the contents of the C:\windows\temp folder as well. I should have asked you for the file, before running Combofix :)

Anyway, that file is deleted now (where I suspected it to be another component keeping the infection alive) - so you should be OK now.

I'll try to hunt for that file somewhere else, so I can add detection for it as well :)

As a final cleanup,

* Go to start > run and copy and paste next command in the field:

ComboFix /Uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Also, please read my Prevention page, which has lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again! :)


  • 1 month later...
  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


