jcbk003 Posted March 15, 2012 ID:535091 Share Posted March 15, 2012 For a while when ever i tried to go to a website i would get 404 not found nginx or the webpage would redirect me to a random advertisement site. I did the TDDSSkiller and removed the rootkit. but i still get the svhost.exe and an alureon virus. the svhost.exe is picked up by malwarebytes and the alureon is picked up by microsoft secruity essentials. also when i run the DDS the logs do not appear. Link to post Share on other sites More sharing options...
MrCharlie Posted March 17, 2012 ID:535526 Share Posted March 17, 2012 Welcome to the forum.Please remove any usb or external drives from the computer before you run this scan!Please download and run RogueKiller.Click Scan to scan the system (don't run any other options)Post back the report.MrC Link to post Share on other sites More sharing options...
jcbk003 Posted March 17, 2012 Author ID:535609 Share Posted March 17, 2012 RogueKiller V7.3.1 [03/10/2012] by Tigzymail: tigzyRK<at>gmail<dot>comFeedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/Blog: http://tigzyrk.blogspot.comOperating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits versionStarted in : Normal modeUser: Jason [Admin rights]Mode: Scan -- Date: 03/17/2012 15:42:33¤¤¤ Bad processes: 0 ¤¤¤¤¤¤ Registry Entries: 9 ¤¤¤[bLACKLIST DLL] HKUS\S-1-5-21-1309008262-3471485794-2862141471-1012[...]\Run : Update (rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Microsoft\klzgc.dll",DllRegisterServer) -> FOUND[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND[HJ] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND[HJ] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND[HJ] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND¤¤¤ Particular Files / Folders: ¤¤¤¤¤¤ Driver: [NOT LOADED] ¤¤¤¤¤¤ Infection : ¤¤¤¤¤¤ HOSTS File: ¤¤¤127.0.0.1 localhost¤¤¤ MBR Check: ¤¤¤+++++ PhysicalDrive0: WDC WD6000HLHX-01JJPV0 ATA Device +++++--- User ---[MBR] 73e29ead1057b042155324796a563ef2[bSP] e81dd4c7f8c9f5d6b36ec63d5ba60023 : Windows 7 MBR CodePartition table:0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 572323 MoUser = LL1 ... OK!User = LL2 ... OK!+++++ PhysicalDrive1: WDC WD3000HLFS-01G6U0 ATA Device +++++--- User ---[MBR] 72ddd996752207f06998b8b6bd4db501[bSP] 1b00967697098c3dcfbdfe5f18ebd3cc : Windows 7 MBR CodePartition table:0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 286166 MoUser = LL1 ... OK!User = LL2 ... OK!+++++ PhysicalDrive2: SiImage SCSI Disk Device +++++--- User ---[MBR] 9a42938f51d2bfad3ebe134c855e32bf[bSP] 1d99c69b99ea0436abe5903af8bc560c : Windows 7 MBR CodePartition table:0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 114479 MoUser = LL1 ... OK!Error reading LL2 MBR!+++++ PhysicalDrive3: Kingston DataTraveler 2.0 USB Device +++++--- User ---[MBR] c8a6a8f81b498f6b66c4ffbbd38782d9[bSP] 19eaf529da4cc0ba58efdc50214a5567 : Windows XP MBR CodePartition table:0 - [ACTIVE] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 63 | Size: 982 MoUser = LL1 ... OK!Error reading LL2 MBR!Finished : << RKreport[1].txt >>RKreport[1].txt Link to post Share on other sites More sharing options...
MrCharlie Posted March 17, 2012 ID:535614 Share Posted March 17, 2012 Run TDSSKiller again, click scan and make sure this is deleted:[bLACKLIST DLL] HKUS\S-1-5-21-1309008262-3471485794-2862141471-1012[...]\Run : Update (rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Microsoft\klzgc.dll",DllRegisterServer) -> FOUND------------------------------------------Please download and run TDSSKiller to your desktop as outlined below:Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.-------------------------Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.------------------------Click the Start Scan button.-----------------------If a suspicious object is detected, the default action will be Skip, click on ContinueIf you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please chooseSkip and click on Continue----------------------If malicious objects are found, they will show in the Scan results and offer three (3) options.Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.--------------------A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply. MrC Link to post Share on other sites More sharing options...
jcbk003 Posted March 18, 2012 Author ID:535682 Share Posted March 18, 2012 i have ran the TDSS and all it found wasTDSS file systemPhysical drive: \deviceharddisk2\Dr2suspicious objectm medium riskwhat should i do? Link to post Share on other sites More sharing options...
MrCharlie Posted March 18, 2012 ID:535690 Share Posted March 18, 2012 Can you post the log??? MrC Link to post Share on other sites More sharing options...
jcbk003 Posted March 18, 2012 Author ID:535695 Share Posted March 18, 2012 im sorry i couldnt copy paste the report it was too longTDSS report.txt Link to post Share on other sites More sharing options...
MrCharlie Posted March 18, 2012 ID:535742 Share Posted March 18, 2012 TDSS file systemYou can choose Delete for that.-----------------------------Then.....Please download and run ComboFix.The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.Please visit this webpage for download links, and instructions for running ComboFixhttp://www.bleepingc...to-use-combofixEnsure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.Information on disabling your malware programs can be found Here.Make sure you run ComboFix from your desktop. Please include the C:\ComboFix.txt in your next reply for further review.MrC Link to post Share on other sites More sharing options...
jcbk003 Posted March 18, 2012 Author ID:535754 Share Posted March 18, 2012 My log after combo fixComboFix 12-03-15.01 - Jason 03/18/2012 7:53.2.8 - x64Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.8183.5899 [GMT -5:00]Running from: c:\users\Jason\Desktop\ComboFix.exeAV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} * Created a new restore point..((((((((((((((((((((((((( Files Created from 2012-02-18 to 2012-03-18 )))))))))))))))))))))))))))))))..2012-03-18 12:58 . 2012-03-18 12:58 69000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0680EC74-4FFC-4F1A-92B5-11D1F9B4968F}\offreg.dll2012-03-18 12:56 . 2012-03-18 12:56 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp2012-03-18 12:56 . 2012-03-18 12:56 -------- d-----w- c:\users\UpdatusUser.Jason-PC\AppData\Local\temp2012-03-18 12:56 . 2012-03-18 12:56 -------- d-----w- c:\users\Jason\AppData\Local\temp2012-03-18 12:56 . 2012-03-18 12:56 -------- d-----w- c:\users\Default\AppData\Local\temp2012-03-16 18:42 . 2012-02-08 07:13 8643640 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0680EC74-4FFC-4F1A-92B5-11D1F9B4968F}\mpengine.dll2012-03-16 04:27 . 2012-03-18 12:58 -------- d-----w- c:\users\Jason\AppData\Roaming\Skype2012-03-16 04:27 . 2012-03-16 04:27 -------- d-----w- c:\program files (x86)\Common Files\Skype2012-03-16 04:27 . 2012-03-16 04:27 -------- d-----r- c:\program files (x86)\Skype2012-03-16 04:27 . 2012-03-16 04:27 -------- d-----w- c:\programdata\Skype2012-03-15 10:01 . 2011-11-19 15:20 5559152 ----a-w- c:\windows\system32\ntoskrnl.exe2012-03-15 10:01 . 2011-11-19 14:50 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe2012-03-15 10:01 . 2011-11-19 14:50 3913584 ----a-w- c:\windows\SysWow64\ntoskrnl.exe2012-03-15 09:55 . 2012-03-18 12:50 -------- d-----w- C:\TDSSKiller_Quarantine2012-03-14 06:18 . 2012-02-10 06:36 1544192 ----a-w- c:\windows\system32\DWrite.dll2012-03-14 06:18 . 2012-02-10 05:38 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll2012-03-14 06:18 . 2012-02-03 04:34 3145728 ----a-w- c:\windows\system32\win32k.sys2012-03-14 06:16 . 2012-02-17 06:38 1112064 ----a-w- c:\windows\system32\rdpcorets.dll2012-03-14 06:16 . 2012-02-17 06:38 1031680 ----a-w- c:\windows\system32\rdpcore.dll2012-03-14 06:16 . 2012-02-17 05:34 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll2012-03-14 06:16 . 2012-02-17 04:58 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys2012-03-14 06:16 . 2012-02-17 04:57 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys2012-03-14 06:16 . 2012-01-25 06:33 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe2012-03-14 06:16 . 2012-01-25 06:38 77312 ----a-w- c:\windows\system32\rdpwsx.dll2012-03-14 06:16 . 2012-01-25 06:38 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll2012-03-04 22:16 . 2012-03-05 00:35 -------- d-----w- c:\users\Jason\AppData\Roaming\Audacity2012-02-26 02:22 . 2012-02-26 02:22 -------- d-----w- c:\users\Jason\AppData\Local\IsolatedStorage2012-02-25 22:31 . 2012-02-25 22:39 -------- d-----w- C:\AV_LOGS2012-02-25 22:21 . 2012-02-25 22:21 -------- d-----w- c:\users\Jason\AppData\Roaming\Avnex2012-02-25 22:20 . 2008-12-26 18:56 21504 ----a-w- c:\windows\system32\drivers\vcsvad.sys2012-02-25 22:08 . 2012-02-26 02:23 -------- d-----w- c:\program files (x86)\Screaming Bee2012-02-25 22:04 . 2012-02-25 22:05 -------- d-----w- c:\users\Jason\AppData\Roaming\Screaming Bee2012-02-25 22:04 . 2012-02-26 02:22 -------- d-----w- c:\programdata\Screaming Bee2012-02-18 22:36 . 2012-02-18 22:36 -------- d-----w- c:\users\UpdatusUser.Jason-PC.0002012-02-18 22:36 . 2012-01-26 11:35 2477468 ----a-w- c:\windows\system32\nvcoproc.bin2012-02-18 22:30 . 2012-02-18 22:30 -------- d-----w- C:\NVIDIA2012-02-18 01:03 . 2012-02-18 01:03 -------- d-----w- C:\Temp...(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2012-02-21 20:12 . 2011-06-05 13:55 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl2012-02-10 12:58 . 2012-02-10 12:58 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A506A573-18C5-482F-9FEE-AFDC83B0E75E}\gapaengine.dll2012-02-08 07:13 . 2011-04-25 05:05 8643640 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll2012-01-31 12:44 . 2011-04-23 08:53 279656 ------w- c:\windows\system32\MpSigStub.exe2012-01-26 14:53 . 2011-10-25 09:40 9716544 ----a-w- c:\windows\system32\nvwgf2umx.dll2012-01-26 14:53 . 2011-10-25 09:40 7712576 ----a-w- c:\windows\SysWow64\nvwgf2um.dll2012-01-26 14:53 . 2011-10-25 09:40 25540928 ----a-w- c:\windows\system32\nvoglv64.dll2012-01-26 14:53 . 2011-10-25 09:40 2660160 ----a-w- c:\windows\system32\nvapi64.dll2012-01-26 14:53 . 2011-10-25 09:40 2300736 ----a-w- c:\windows\SysWow64\nvapi.dll2012-01-26 14:53 . 2011-10-25 09:40 1737536 ----a-w- c:\windows\system32\nvdispco64.dll2012-01-26 14:53 . 2011-10-25 09:40 15007552 ----a-w- c:\windows\SysWow64\nvd3dum.dll2012-01-26 14:53 . 2011-10-25 09:40 1466176 ----a-w- c:\windows\system32\nvgenco64.dll2012-01-26 11:48 . 2011-11-01 20:39 6063936 ----a-w- c:\windows\system32\nvcpl.dll2012-01-26 11:40 . 2011-11-01 20:39 3089728 ----a-w- c:\windows\system32\nvsvc64.dll2012-01-26 11:37 . 2011-11-01 20:39 889664 ----a-w- c:\windows\system32\nvvsvc.exe2012-01-26 11:37 . 2011-11-01 20:39 63296 ----a-w- c:\windows\system32\nvshext.dll2012-01-26 11:37 . 2011-11-01 20:39 118080 ----a-w- c:\windows\system32\nvmctray.dll2012-01-26 10:17 . 2012-01-26 10:17 416064 ----a-w- c:\windows\SysWow64\nvStreaming.exe2012-01-04 20:22 . 2012-01-04 20:22 309888 ----a-w- c:\windows\SysWow64\InputControl.dll2012-01-04 20:22 . 2012-01-04 20:22 1636480 ----a-w- c:\windows\SysWow64\SubmitControl.dll2012-01-04 10:44 . 2012-02-15 23:05 509952 ----a-w- c:\windows\system32\ntshrui.dll2012-01-04 08:58 . 2012-02-15 23:05 442880 ----a-w- c:\windows\SysWow64\ntshrui.dll2011-12-30 06:26 . 2012-02-15 23:05 515584 ----a-w- c:\windows\system32\timedate.cpl2011-12-30 05:27 . 2012-02-15 23:05 478720 ----a-w- c:\windows\SysWow64\timedate.cpl2011-12-28 03:59 . 2012-02-15 23:05 498688 ----a-w- c:\windows\system32\drivers\afd.sys..((((((((((((((((((((((((((((( SnapShot@2012-03-15_09.37.56 ))))))))))))))))))))))))))))))))))))))))).+ 2012-03-15 09:42 . 2012-03-15 09:38 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012012031520120316\index.dat- 2012-03-08 08:39 . 2012-03-14 08:29 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat+ 2012-03-08 08:39 . 2012-03-15 09:51 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat+ 2011-04-23 09:59 . 2012-03-17 13:24 78738 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin+ 2009-07-14 05:10 . 2012-03-17 13:24 41772 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin+ 2011-04-23 09:15 . 2012-03-17 13:24 14642 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1309008262-3471485794-2862141471-1001_UserData.bin+ 2009-07-14 04:46 . 2012-03-15 20:22 87696 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat- 2009-07-14 04:46 . 2012-03-14 08:17 87696 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat+ 2012-03-18 12:57 . 2012-03-18 12:57 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat- 2012-03-15 09:37 . 2012-03-15 09:37 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat+ 2012-03-08 08:32 . 2012-03-15 09:51 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat- 2012-03-08 08:32 . 2012-03-15 09:32 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat+ 2009-07-14 04:54 . 2012-03-15 20:40 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat- 2009-07-14 04:54 . 2012-03-15 09:32 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat+ 2009-07-14 05:01 . 2012-03-18 12:57 396992 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat- 2009-07-14 05:01 . 2012-03-15 09:36 396992 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat+ 2012-03-16 04:27 . 2012-03-16 04:27 371272 c:\windows\Installer\{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}\SkypeIcon.exe- 2009-07-14 04:54 . 2012-03-15 09:32 3899392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat+ 2009-07-14 04:54 . 2012-03-15 20:40 3899392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat+ 2009-07-14 04:54 . 2012-03-15 20:40 8126464 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat+ 2011-04-23 09:57 . 2012-03-17 13:29 3519904 c:\windows\system32\prfh0804.dat+ 2011-04-23 09:57 . 2012-03-17 13:29 3537206 c:\windows\system32\prfh0404.dat+ 2011-04-23 09:57 . 2012-03-17 13:29 1185436 c:\windows\system32\prfc0804.dat+ 2011-04-23 09:57 . 2012-03-17 13:29 1180522 c:\windows\system32\prfc0404.dat+ 2009-07-14 02:36 . 2012-03-17 13:29 3802582 c:\windows\system32\perfh009.dat+ 2009-07-14 02:36 . 2012-03-17 13:29 1187576 c:\windows\system32\perfc009.dat+ 2009-07-14 04:45 . 2012-03-15 10:57 5980439 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat- 2009-07-14 04:45 . 2012-03-14 08:09 5980439 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat+ 2012-02-25 22:38 . 2012-03-15 09:55 3296220 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-18-16384.dat- 2012-02-25 22:38 . 2012-03-15 09:29 3296220 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-18-16384.dat- 2009-07-14 02:34 . 2012-03-14 08:06 10747904 c:\windows\system32\SMI\Store\Machine\schema.dat+ 2009-07-14 02:34 . 2012-03-15 10:21 10747904 c:\windows\system32\SMI\Store\Machine\schema.dat+ 2011-04-23 10:24 . 2012-03-18 12:57 20369236 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1309008262-3471485794-2862141471-1001-12288.dat+ 2012-03-16 04:27 . 2012-03-16 04:27 18984960 c:\windows\Installer\1c2e435.msi.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shownREGEDIT4.[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-04-23 39408]"Steam"="d:\games\Steam\steam.exe" [2011-08-02 1242448]"Pando Media Booster"="c:\program files (x86)\Pando Networks\Media Booster\PMB.exe" [2011-10-02 3077528]"RocketDock"="c:\program files (x86)\RocketDock\RocketDock.exe" [2007-09-02 495616]"DisplayFusion"="d:\program files (x86)\DisplayFusion\DisplayFusion.exe" [2009-12-09 645296]"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-02-29 17148552].[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]"DeathAdder"="c:\program files (x86)\Razer\DeathAdder\razerhid.exe" [2011-02-19 248320]"ControlCenter3"="c:\program files (x86)\Brother\ControlCenter3\brctrcen.exe" [2008-12-24 114688]"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2010-10-25 36760]"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2010-10-25 821144]"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-01-16 421736]"WinampAgent"="c:\program files (x86)\Winamp\winampa.exe" [2011-12-09 74752].[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAC0AQQBUAEEARwBLAC0ARQBKAFIAMgAzAC0AMwBGAFAAMABBAC0AWQBZAEYAUQBXAC0ATgBCAEQAOABXAA&inst=NwA2AC0AOQA3ADEANQA1ADUAMAAxADYALQBEAEQAVAArADAALQBOADEARAArADEALQBTAFQAOQAwAEEAUABQACsAMQAtAFAATAArADkALQBGAFUASQArADIA∏=92&ver=9.0.914" [?].c:\users\Jason\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client Default.lnk - c:\program files (x86)\Samurize\Client.exe [2007-4-7 2010624].c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Rainmeter.lnk - c:\program files\Rainmeter\Rainmeter.exe [2012-2-5 107720]Status Monitor.lnk - c:\program files (x86)\Brother\Brmfcmon\BrMfcWnd.exe [2011-4-24 1159168].[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]"ConsentPromptBehaviorAdmin"= 0 (0x0)"ConsentPromptBehaviorUser"= 3 (0x3)"EnableLUA"= 0 (0x0)"EnableUIADesktopToggle"= 0 (0x0)"PromptOnSecureDesktop"= 0 (0x0).[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]"aux"=wdmaud.drv.[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp.[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]@="Service".R1 ProtectorA;ProtectorA;c:\windows\syswow64\drivers\ProtectorA.sys [2009-11-26 17288]R1 SASDIFSV;SASDIFSV;d:\tmp\SAS_SelfExtract\SASDIFSV64.SYS [x]R1 SASKUTIL;SASKUTIL;d:\tmp\SAS_SelfExtract\SASKUTIL64.SYS [x]R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-04-23 136176]R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-01-26 2345792]R3 androidusb;ADB Interface Driver;c:\windows\system32\Drivers\androidusb.sys [x]R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]R3 Gun;Gun;d:\games\SoftnyxGame\GunBoundIS\Gun64.sys [2012-01-30 45176]R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-04-23 136176]R3 kbdcap;kbdcap; [x]R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]R3 X6va005;X6va005;d:\tmp\005300A.tmp [x]S0 Si3124r5;SiI-3124 SoftRaid 5 Controller;c:\windows\system32\DRIVERS\Si3124r5.sys [x]S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys [x]S2 MSSQL$DYNAMICSGPEDU;SQL Server (DYNAMICSGPEDU);c:\program files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2010-12-11 29293408]S2 RichVideo64;Cyberlink RichVideo64 Service(CRVS);c:\program files\Cyberlink\Shared files\RichVideo64.exe [2010-08-19 386344]S2 RosettaStoneLtdController;RosettaStoneLtdController;c:\program files (x86)\RosettaStoneLtdServices\RosettaStoneLtdController.exe [2008-09-16 352312]S2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-02-29 158856]S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-01-26 382272]S3 ALSysIO;ALSysIO;d:\temp\ALSysIO64.sys [x]S3 cmudaxp;HTO CLARO Audio Interface;c:\windows\system32\drivers\cmudaxp.sys [x]S3 danewFltr;NewDeathAdder Mouse;c:\windows\system32\drivers\danew.sys [x]S3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [x]S3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [x]S3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;c:\windows\system32\DRIVERS\MijXfilt.sys [x]S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]S3 RTCore64;RTCore64;c:\program files (x86)\MSI Afterburner\RTCore64.sys [2012-02-20 13368]S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]S3 ScreamBAudioSvc;ScreamBee Audio;c:\windows\system32\drivers\ScreamingBAudio64.sys [x]S3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\DRIVERS\vcsvad.sys [x]S3 VKbms;Virtual HID Minidriver;c:\windows\system32\DRIVERS\VKbms.sys [x]..--- Other Services/Drivers In Memory ---.*NewlyCreated* - ALSYSIO.Contents of the 'Scheduled Tasks' folder.2012-03-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-04-23 09:59].2012-03-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-04-23 09:59]..--------- x86-64 -----------..[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"Launch LCore"="c:\program files\Logitech Gaming Software\LCore.exe" [2010-11-16 104008]"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]"Cmaudio8788"="c:\windows\Syswow64\cmicnfgp.dll" [2009-10-23 8151040]"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdcBase.exe" [2007-05-31 660360].------- Supplementary Scan -------.uLocal Page = c:\windows\system32\blank.htmuStart Page = hxxp://google.com/mLocal Page = c:\windows\SysWOW64\blank.htmuInternet Settings,ProxyOverride = *.localIE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000TCP: DhcpNameServer = 192.168.0.1DPF: {8D9E0B29-563C-4226-86C1-5FF2AE77E1D2} - hxxps://mybank.icbc.com.cn/icbc/newperbank/AxSafeControls.cabDPF: {B1FBC1AD-5644-4084-882A-0F8BA85E7506} - hxxps://mybank.icbc.com.cn/icbc/ICBC_NetSign.dllFF - ProfilePath - c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\epv39tfz.default\FF - user.js: network.protocol-handler.warn-external.dnupdate - false..[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\X6va005]"ImagePath"="\??\d:\tmp\005300A.tmp".--------------------- LOCKED REGISTRY KEYS ---------------------.[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]@Denied: (2) (LocalSystem)"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"=hex:51,66,7a,6c,4c,1d,38,12,57,36,90, 43,f7,9e,4b,04,e0,be,4b,59,e7,b4,e8,87"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"=hex:51,66,7a,6c,4c,1d,38,12,df,c1,0b, 27,57,07,ba,54,e4,0e,43,d0,22,fb,89,5b"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc, 1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23, 94,30,02,d1,0f,f1,da,12,24,73,56,27,d2"{AA58ED58-01DD-4D91-8333-CF10577473F7}"=hex:51,66,7a,6c,4c,1d,38,12,36,ee,4b, ae,ef,4f,ff,08,fc,25,8c,50,52,2a,37,e3"{AE7CD045-E861-484F-8273-0445EE161910}"=hex:51,66,7a,6c,4c,1d,38,12,2b,d3,6f, aa,53,a6,21,0d,fd,65,47,05,eb,48,5d,04"{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,38,12,5b,ab,e0, b0,13,40,37,0c,c5,34,01,f3,05,d0,46,eb"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db, df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd"{F4971EE7-DAA0-4053-9964-665D8EE6A077}"=hex:51,66,7a,6c,4c,1d,38,12,89,1d,84, f0,92,94,3d,05,e6,72,25,1d,8b,b8,e4,63.[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]@Denied: (2) (LocalSystem)"Timestamp"=hex:73,15,a7,f9,09,f4,cc,01.[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]@Denied: (A 2) (Everyone)@="FlashBroker""LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11f_ActiveX.exe,-101".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]"Enabled"=dword:00000001.[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11f_ActiveX.exe".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]@Denied: (A 2) (Everyone)@="Shockwave Flash Object".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx""ThreadingModel"="Apartment".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]@="0".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]@="ShockwaveFlash.ShockwaveFlash.10".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx, 1".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]@="{D27CDB6B-AE6D-11cf-96B8-444553540000}".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]@="1.0".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]@="ShockwaveFlash.ShockwaveFlash".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]@Denied: (A 2) (Everyone)@="Macromedia Flash Factory Object".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx""ThreadingModel"="Apartment".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]@="FlashFactory.FlashFactory.1".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx, 1".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]@="{D27CDB6B-AE6D-11cf-96B8-444553540000}".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]@="1.0".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]@="FlashFactory.FlashFactory".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]@Denied: (A 2) (Everyone)@="IFlashBroker4".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]@="{00020424-0000-0000-C000-000000000046}".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}""Version"="1.0".[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]@Denied: (A) (Everyone)"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}".[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]@Denied: (A) (Everyone).[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]"Key"="ActionsPane3""Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd".[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services]"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79, 00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\.[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]@Denied: (Full) (Everyone).------------------------ Other Running Processes ------------------------.c:\program files (x86)\MSI Afterburner\MSIAfterburner.exec:\windows\SysWOW64\rundll32.exec:\program files (x86)\Brother\ControlCenter3\brccMCtl.exec:\program files (x86)\Brother\Brmfcmon\BrMfimon.exec:\program files (x86)\Razer\DeathAdder\razertra.exec:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exec:\windows\SysWOW64\PnkBstrA.exec:\program files (x86)\RosettaStoneLtdServices\RosettaStoneLtdServer.exec:\program files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe.**************************************************************************.Completion time: 2012-03-18 07:59:13 - machine was rebootedComboFix-quarantined-files.txt 2012-03-18 12:59ComboFix2.txt 2012-03-15 09:39.Pre-Run: 79,347,171,328 bytes freePost-Run: 79,307,657,216 bytes free.- - End Of File - - 886FF66FA048C1E217292926E6087C23 Link to post Share on other sites More sharing options...
MrCharlie Posted March 18, 2012 ID:535759 Share Posted March 18, 2012 Please Update and run a Quick Scan with MBAM, post the report.Please let me know how it is, MrC Link to post Share on other sites More sharing options...
jcbk003 Posted March 19, 2012 Author ID:535943 Share Posted March 19, 2012 Malwarebytes Anti-Malware (PRO) 1.60.1.1000www.malwarebytes.orgDatabase version: v2012.03.18.02Windows 7 Service Pack 1 x64 NTFSInternet Explorer 9.0.8112.16421Jason :: JASON-PC [administrator]Protection: Enabled3/18/2012 8:20:33 PMmbam-log-2012-03-18 (20-20-33).txtScan type: Quick scanScan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2PScan options disabled:Objects scanned: 258408Time elapsed: 43 second(s)Memory Processes Detected: 0(No malicious items detected)Memory Modules Detected: 0(No malicious items detected)Registry Keys Detected: 0(No malicious items detected)Registry Values Detected: 0(No malicious items detected)Registry Data Items Detected: 0(No malicious items detected)Folders Detected: 0(No malicious items detected)Files Detected: 0(No malicious items detected)(end) Link to post Share on other sites More sharing options...
MrCharlie Posted March 19, 2012 ID:536010 Share Posted March 19, 2012 How is it? MrC Link to post Share on other sites More sharing options...
LDTate Posted March 25, 2012 ID:537382 Share Posted March 25, 2012 Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts