
Help please with winrscmde message and trojan removal



Hello Maniac,

Sorry for the long delay. I've just returned from Hong Kong and taken over the clean-up from my wife. I've gotten a fresh version of TDSSKiller and run it twice now, but it appears that a log is not being created, perhaps because only suspicious objects are currently being found and no malicious objects. Would that be correct, or am I missing the new logs? I've searched the entire computer and cannot find a fresh log.

Regards


I did manage to find one of the skipped objects that you had previously mentioned and deleted it. The results of the ComboFix scan are posted below. I'll bet that the toughest part of your job is dealing with boneheads like me. Your patience is much appreciated.

ComboFix 12-08-10.02 - Anne 08/11/2012 15:34:19.2.2 - x64

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3934.1371 [GMT -6:00]

Running from: c:\users\Anne\Desktop\ComboFix.exe

AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\program files\PrivacySafeGuard\PrIVacysafeguard.dll

c:\users\Anne\AppData\Roaming\Qwiklinx\QwIKlinx.dll

c:\users\Anne\Documents\ShopToWin

c:\windows\svchost.exe

.

.

((((((((((((((((((((((((( Files Created from 2012-07-11 to 2012-08-11 )))))))))))))))))))))))))))))))

.

.

2012-08-11 21:43 . 2012-08-11 21:43 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-08-11 21:43 . 2012-08-11 21:43 -------- d-----w- c:\users\Anne\AppData\Local\temp

2012-08-05 02:32 . 2012-08-05 02:32 -------- d-----w- c:\users\Anne\AppData\Roaming\Titanium Gears

2012-07-30 23:07 . 2012-07-30 23:07 -------- d-----w- c:\program files (x86)\7-Zip

2012-07-30 23:06 . 2012-08-11 21:42 -------- d-----w- c:\users\Anne\AppData\Roaming\Qwiklinx

2012-07-30 23:06 . 2012-07-30 23:06 -------- d-----w- c:\program files (x86)\Qwiklinx

2012-07-30 23:04 . 2012-08-05 00:51 -------- d-----w- c:\programdata\Tarma Installer

2012-07-30 23:04 . 2012-08-11 21:42 -------- d-----w- c:\program files\PrivacySafeGuard

2012-07-30 23:04 . 2012-07-30 23:04 304 ----a-w- C:\user.js

2012-07-30 23:04 . 2012-07-30 23:04 -------- d-----w- c:\programdata\Babylon

2012-07-30 22:35 . 2012-07-30 22:35 -------- d-----w- c:\program files (x86)\AMP Font Viewer

2012-07-25 18:50 . 2012-08-03 11:14 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-07-25 18:50 . 2012-07-25 18:50 -------- d-----w- c:\windows\system32\Macromed

2012-07-25 16:52 . 2012-07-25 16:53 -------- d-----w- C:\Ancestry

2012-07-22 16:50 . 2012-08-06 23:36 -------- d-----w- C:\Politics

2012-07-16 20:31 . 2012-07-16 20:31 175736 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS

2012-07-16 20:31 . 2012-07-16 20:31 -------- d-----w- c:\program files\Symantec

2012-07-16 20:29 . 2012-07-16 20:29 -------- d-----w- c:\windows\system32\drivers\NISx64

2012-07-16 20:29 . 2012-07-16 20:29 -------- d-----w- c:\program files (x86)\Norton Internet Security

2012-07-16 20:29 . 2012-07-16 20:29 -------- d-----w- c:\program files (x86)\NortonInstaller

2012-07-15 03:53 . 2012-08-11 21:23 -------- d-----w- C:\TDSSKiller_Quarantine

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-08-03 11:14 . 2011-08-09 17:14 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-07-12 07:06 . 2006-11-02 12:35 59701280 ----a-w- c:\windows\system32\mrt.exe

2012-07-03 17:46 . 2012-07-12 19:15 24904 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-13 13:58 . 2012-07-12 07:02 2769408 ----a-w- c:\windows\system32\win32k.sys

2012-06-08 17:59 . 2012-07-11 12:40 12899840 ----a-w- c:\windows\system32\shell32.dll

2012-06-05 16:47 . 2012-07-11 12:40 1401856 ----a-w- c:\windows\SysWow64\msxml6.dll

2012-06-05 16:47 . 2012-07-11 12:40 1248768 ----a-w- c:\windows\SysWow64\msxml3.dll

2012-06-05 16:22 . 2012-07-11 12:40 1797120 ----a-w- c:\windows\system32\msxml6.dll

2012-06-05 16:22 . 2012-07-11 12:40 1869824 ----a-w- c:\windows\system32\msxml3.dll

2012-06-04 15:29 . 2012-07-11 12:40 516480 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2012-06-02 22:19 . 2012-06-22 07:21 38424 ----a-w- c:\windows\system32\wups.dll

2012-06-02 22:19 . 2012-06-22 07:22 2428952 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-02 22:19 . 2012-06-22 07:22 57880 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-02 22:19 . 2012-06-22 07:22 44056 ----a-w- c:\windows\system32\wups2.dll

2012-06-02 22:19 . 2012-06-22 07:21 35864 ----a-w- c:\windows\SysWow64\wups.dll

2012-06-02 22:19 . 2012-06-22 07:21 701976 ----a-w- c:\windows\system32\wuapi.dll

2012-06-02 22:19 . 2012-06-22 07:21 577048 ----a-w- c:\windows\SysWow64\wuapi.dll

2012-06-02 22:15 . 2012-06-22 07:22 2622464 ----a-w- c:\windows\system32\wucltux.dll

2012-06-02 22:15 . 2012-06-22 07:21 99840 ----a-w- c:\windows\system32\wudriver.dll

2012-06-02 22:12 . 2012-06-22 07:21 88576 ----a-w- c:\windows\SysWow64\wudriver.dll

2012-06-02 19:19 . 2012-06-22 07:21 186752 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-02 19:19 . 2012-06-22 07:21 171904 ----a-w- c:\windows\SysWow64\wuwebv.dll

2012-06-02 19:15 . 2012-06-22 07:21 36864 ----a-w- c:\windows\system32\wuapp.exe

2012-06-02 19:12 . 2012-06-22 07:21 33792 ----a-w- c:\windows\SysWow64\wuapp.exe

2012-06-02 12:49 . 2012-07-12 07:03 17807360 ----a-w- c:\windows\system32\mshtml.dll

2012-06-02 12:17 . 2012-07-12 07:03 10924032 ----a-w- c:\windows\system32\ieframe.dll

2012-06-02 12:12 . 2012-07-12 07:03 2311680 ----a-w- c:\windows\system32\jscript9.dll

2012-06-02 12:05 . 2012-07-12 07:03 1346048 ----a-w- c:\windows\system32\urlmon.dll

2012-06-02 12:05 . 2012-07-12 07:03 1392128 ----a-w- c:\windows\system32\wininet.dll

2012-06-02 12:04 . 2012-07-12 07:03 1494528 ----a-w- c:\windows\system32\inetcpl.cpl

2012-06-02 12:04 . 2012-07-12 07:03 237056 ----a-w- c:\windows\system32\url.dll

2012-06-02 12:03 . 2012-07-12 07:03 85504 ----a-w- c:\windows\system32\jsproxy.dll

2012-06-02 12:01 . 2012-07-12 07:03 173056 ----a-w- c:\windows\system32\ieUnatt.exe

2012-06-02 12:00 . 2012-07-12 07:03 818688 ----a-w- c:\windows\system32\jscript.dll

2012-06-02 11:59 . 2012-07-12 07:03 2144768 ----a-w- c:\windows\system32\iertutil.dll

2012-06-02 11:57 . 2012-07-12 07:03 96768 ----a-w- c:\windows\system32\mshtmled.dll

2012-06-02 11:57 . 2012-07-12 07:03 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-06-02 11:54 . 2012-07-12 07:03 248320 ----a-w- c:\windows\system32\ieui.dll

2012-06-02 08:33 . 2012-07-12 07:03 1800192 ----a-w- c:\windows\SysWow64\jscript9.dll

2012-06-02 08:25 . 2012-07-12 07:03 1129472 ----a-w- c:\windows\SysWow64\wininet.dll

2012-06-02 08:25 . 2012-07-12 07:03 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl

2012-06-02 08:20 . 2012-07-12 07:03 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe

2012-06-02 08:16 . 2012-07-12 07:03 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb

2012-06-02 00:22 . 2012-07-11 12:40 347136 ----a-w- c:\windows\system32\schannel.dll

2012-06-02 00:22 . 2012-07-11 12:40 254464 ----a-w- c:\windows\system32\ncrypt.dll

2012-06-02 00:05 . 2012-07-11 12:40 77312 ----a-w- c:\windows\SysWow64\secur32.dll

2012-06-02 00:04 . 2012-07-11 12:40 278528 ----a-w- c:\windows\SysWow64\schannel.dll

2012-06-02 00:03 . 2012-07-11 12:40 204288 ----a-w- c:\windows\SysWow64\ncrypt.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"ISBMgr.exe"="c:\program files (x86)\Sony\ISB Utility\ISBMgr.exe" [2008-04-04 317280]

"SmartWiHelper"="c:\program files\Sony Corporation\SmartWi Connection Utility\SmartWiHelper.exe" [2008-06-27 77824]

"VWLASU"="c:\program files\Sony\VAIO Wireless Wizard\AutoLaunchWLASU.exe" [2008-05-20 24576]

"AML"="c:\program files (x86)\Sony\VAIO Launcher\AML.exe" [2008-06-13 1097728]

"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2012-03-27 40376]

"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2012-03-26 640440]

"IJNetworkScanUtility"="c:\program files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2009-05-26 413696]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"RIMBBLaunchAgent.exe"="c:\program files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-09-01 90448]

.

c:\users\Anne\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

OneNote Table Of Contents.onetoc2 [2010-6-24 3656]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-7-21 1048616]

QuickBooks Update Agent.lnk - c:\program files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-11-12 972064]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]

2008-07-29 00:45 98304 ----a-w- c:\windows\System32\VESWinlogon.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"aux1"=wdmaud.drv

.

R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-03 250056]

S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files (x86)\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-09-16 163840]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - 05171673

*NewlyCreated* - 27742188

*NewlyCreated* - 40303232

*NewlyCreated* - 77156661

*NewlyCreated* - 80251133

*NewlyCreated* - 82036170

*NewlyCreated* - 82137449

*NewlyCreated* - 86398627

*NewlyCreated* - ERASERUTILDRV11220

*Deregistered* - 05171673

*Deregistered* - 27742188

*Deregistered* - 40303232

*Deregistered* - 77156661

*Deregistered* - 80251133

*Deregistered* - 82036170

*Deregistered* - 82137449

*Deregistered* - 86398627

*Deregistered* - EraserUtilDrv11220

.

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

Themes

.

Contents of the 'Scheduled Tasks' folder

.

2012-08-11 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-25 11:14]

.

2012-08-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-04-03 18:11]

.

2012-08-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-04-03 18:11]

.

2012-08-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-622961194-3611557593-2110596406-1000Core.job

- c:\users\Anne\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-06 16:43]

.

2012-08-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-622961194-3611557593-2110596406-1000UA.job

- c:\users\Anne\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-06 16:43]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1036AD63-AEAC-460B-9060-C96005D4DC86}]

2012-07-19 20:14 105472 ----a-w- c:\program files\PrivacySafeGuard\PrivacySafeGuard-x64.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="RAVCpl64.exe" [2008-07-15 6453760]

"Skytel"="Skytel.exe" [2008-07-15 1826816]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2008-07-18 152576]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-09 151064]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-09 209432]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-09 181784]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-07 2114376]

"CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2008-12-12 722256]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.google.com/

mLocal Page = c:\windows\SysWOW64\blank.htm

IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

Trusted Zone: constantcontact.com\www

Trusted Zone: convergysworkathome.com\www

TCP: DhcpNameServer = 75.75.76.76 75.75.75.75

DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB

DPF: {89F9AA82-9B9F-4D1C-A637-33388558FAAC} - hxxp://webcal.weber.k12.ut.us/webcal/cab/ccuweb1_5_9.cab

DPF: {A084A130-28AE-4B32-B51A-1C8CE164BC88} - hxxp://www.convergysworkathome.com/AppHardT.CAB

CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll

FF - ProfilePath - c:\users\Anne\AppData\Roaming\Mozilla\Firefox\Profiles\twlmg6ex.default\

FF - prefs.js: browser.startup.homepage - hxxp://search.babylon.com/?affID=113959&tt=3112_1&babsrc=HP_ss&mntrId=9e6eef7000000000000000214f4ab62f

FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?affID=113959&tt=3112_1&babsrc=KW_ss&mntrId=9e6eef7000000000000000214f4ab62f&q=

FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - user.js: extensions.BabylonToolbar.autoRvrt - false

FF - user.js: extensions.BabylonToolbar_i.newTab - false

FF - user.js: extensions.BabylonToolbar.tlbrSrchUrl - hxxp://www.google.com/search?babsrc=TB_ggl&q=

FF - user.js: extensions.BabylonToolbar.id - 9e6eef7000000000000000214f4ab62f

FF - user.js: extensions.BabylonToolbar.instlDay - 15551

FF - user.js: extensions.BabylonToolbar.vrsn - 1.5.29.1

FF - user.js: extensions.BabylonToolbar.vrsni - 1.5.29.1

FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.29.117:04

FF - user.js: extensions.BabylonToolbar.prtnrId - babylon

FF - user.js: extensions.BabylonToolbar.prdct - BabylonToolbar

FF - user.js: extensions.BabylonToolbar.aflt - babsst

FF - user.js: extensions.BabylonToolbar_i.smplGrp - none

FF - user.js: extensions.BabylonToolbar.tlbrId - base

FF - user.js: extensions.BabylonToolbar.instlRef - sst

FF - user.js: extensions.BabylonToolbar.dfltLng - en

FF - user.js: extensions.BabylonToolbar.excTlbr - false

FF - user.js: extensions.BabylonToolbar.admin - false

FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=113959&tt=3112_1

FF - user.js: extensions.BabylonToolbar_i.babExt -

FF - user.js: extensions.BabylonToolbar_i.srcExt - ss

FF - user.js: extensions.autoDisableScopes - 14

.

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NIS]

"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\19.7.1.5\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\19.7.1.5\diMaster.dll\" /prefetch:1"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]

@Denied: (A 2) (Everyone)

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]

@="Shockwave Flash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]

@Denied: (A 2) (Everyone)

@=""

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]

@="FlashBroker"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]

"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

Completion time: 2012-08-11 15:47:41

ComboFix-quarantined-files.txt 2012-08-11 21:47

ComboFix2.txt 2012-07-16 20:06

.

Pre-Run: 83,837,030,400 bytes free

Post-Run: 84,179,755,008 bytes free

.

- - End Of File - - AD5BAB2C643B439D4C6659169BE4B6DB


How is life in Hong Kong? :)

I don't need the TDSSKiller log; that's why I didn't ask you to post it for me.

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the quote box below into it:

Folder::
c:\program files\PrivacySafeGuard
c:\programdata\Babylon

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1036AD63-AEAC-460B-9060-C96005D4DC86}]

FireFox::
FF - ProfilePath - c:\users\Anne\AppData\Roaming\Mozilla\Firefox\Profiles\twlmg6ex.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.babylon.com/?affID=113959&tt=3112_1&babsrc=HP_ss&mntrId=9e6eef7000000000000000214f4ab62f
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?affID=113959&tt=3112_1&babsrc=KW_ss&mntrId=9e6eef7000000000000000214f4ab62f&q=
FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
FF - prefs.js: network.proxy.type - 0
FF - user.js: extensions.BabylonToolbar.autoRvrt - false
FF - user.js: extensions.BabylonToolbar_i.newTab - false
FF - user.js: extensions.BabylonToolbar.tlbrSrchUrl - hxxp://www.google.com/search?babsrc=TB_ggl&q=
FF - user.js: extensions.BabylonToolbar.id - 9e6eef7000000000000000214f4ab62f
FF - user.js: extensions.BabylonToolbar.instlDay - 15551
FF - user.js: extensions.BabylonToolbar.vrsn - 1.5.29.1
FF - user.js: extensions.BabylonToolbar.vrsni - 1.5.29.1
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.29.117:04
FF - user.js: extensions.BabylonToolbar.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar.tlbrId - base
FF - user.js: extensions.BabylonToolbar.instlRef - sst
FF - user.js: extensions.BabylonToolbar.dfltLng - en
FF - user.js: extensions.BabylonToolbar.excTlbr - false
FF - user.js: extensions.BabylonToolbar.admin - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=113959&tt=3112_1
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.autoDisableScopes - 14

Save this as CFScript.txt, in the same location as ComboFix.exe.

(image: CFScriptB-4.gif)

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.

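The CFScript in the post above is hand-assembled from the ComboFix log: adware folders go under Folder::, the Browser Helper Object key under Registry:: (the leading - in [-KEY] asks ComboFix to delete the key), and the Firefox preference lines under FireFox::. The Python below is an added example, not code from this thread, from ComboFix or from its author. It parses the three record shapes the log uses (the "Files Created" lines, the Browser Helper Objects block and the FF - lines) and assembles the same three sections for entries that match an indicator list. The indicator names (Babylon, PrivacySafeGuard, Qwiklinx) are taken from the log posted in this thread; the sample log is a constructed excerpt in that shape, and the eight-character attribute field (d-----w-, ----a-w-) is assumed to be fixed width.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of the ComboFix log posted in this thread; not a real log.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2012-07-11 to 2012-08-11 )))))))))))))))))))))))))))))))
.
2012-07-30 23:07 . 2012-07-30 23:07 -------- d-----w- c:\program files (x86)\7-Zip
2012-07-30 23:06 . 2012-07-30 23:06 -------- d-----w- c:\program files (x86)\Qwiklinx
2012-07-30 23:04 . 2012-08-11 21:42 -------- d-----w- c:\program files\PrivacySafeGuard
2012-07-30 23:04 . 2012-07-30 23:04 304 ----a-w- C:\user.js
2012-07-30 23:04 . 2012-07-30 23:04 -------- d-----w- c:\programdata\Babylon
.
--------- X64 Entries -----------
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1036AD63-AEAC-460B-9060-C96005D4DC86}]
2012-07-19 20:14 105472 ----a-w- c:\program files\PrivacySafeGuard\PrivacySafeGuard-x64.dll
.
FF - prefs.js: browser.startup.homepage - hxxp://search.babylon.com/?affID=113959&tt=3112_1
FF - prefs.js: network.proxy.type - 0
FF - user.js: extensions.BabylonToolbar.vrsn - 1.5.29.1
"""

# Names taken from the log in this thread; treated here as the indicators the helper acted on.
INDICATORS = ("babylon", "privacysafeguard", "qwiklinx")

# "created . modified size attrs path"; directories print "--------" as their size.
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-+|\d+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)
BHO_RE = re.compile(r"^\[(HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\\{[0-9A-Fa-f-]+\})\]$")


@dataclass
class FileEntry:
    created: str
    modified: str
    size: Optional[int]  # None for directories
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def parse_file_entries(log: str) -> list[FileEntry]:
    """Pull every 'Files Created' / 'Find3M' style record out of a ComboFix log."""
    out = []
    for line in log.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            size = None if m["size"].startswith("-") else int(m["size"])
            out.append(FileEntry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return out


def parse_bho_keys(log: str) -> list[tuple[str, str]]:
    """Return (registry key, dll path) for each Browser Helper Objects block."""
    out, lines = [], [l.strip() for l in log.splitlines()]
    for i, line in enumerate(lines):
        m = BHO_RE.match(line)
        if m and i + 1 < len(lines):
            # The line after the key names the DLL: "date time size attrs path".
            dll = lines[i + 1].split(" ", 4)[-1]
            out.append((m.group(1), dll))
    return out


def parse_firefox_lines(log: str) -> list[str]:
    """Every Firefox profile/pref line ComboFix reported."""
    return [l.strip() for l in log.splitlines() if l.strip().startswith("FF - ")]


def matches_indicator(text: str) -> bool:
    low = text.lower()
    return any(ind in low for ind in INDICATORS)


def build_cfscript(log: str) -> str:
    """Assemble a CFScript in the Folder:: / Registry:: / FireFox:: layout used in the thread."""
    folders = [e.path for e in parse_file_entries(log) if e.is_dir and matches_indicator(e.path)]
    # [-KEY] is the deletion form shown in the post; only BHOs whose DLL matches an indicator.
    keys = [f"[-{key}]" for key, dll in parse_bho_keys(log) if matches_indicator(dll)]
    ff = parse_firefox_lines(log)  # carried over whole, as the helper's script did
    sections = []
    if folders:
        sections.append("Folder::\n" + "\n".join(folders))
    if keys:
        sections.append("Registry::\n" + "\n".join(keys))
    if ff:
        sections.append("FireFox::\n" + "\n".join(ff))
    return "\n\n".join(sections) + "\n"


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_LOG))
```

Running the block prints the generated script. Entries that match no indicator (7-Zip, user.js) are left alone; the FireFox:: block carries every FF - line over unchanged, exactly as the helper's script did, so it still needs a human read-through before being dropped onto ComboFix.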

Hong Kong is very hot and humid this time of year...much more enjoyable after the sun sets. But that just makes the beer that much more refreshing!

We have been responding to you via two computers, mine running Firefox as the primary web browser and my wife's running Internet Explorer 8. I noticed that the script you sent seems to be specifying Firefox commands, and I want to be sure that you are aware that the infected computer is the one using IE. Perhaps it means nothing, but I'd like to be sure I'm using a proper script before I proceed.

Regards


ComboFix 12-08-10.02 - Anne 08/12/2012 14:33:15.3.2 - x64

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3934.1101 [GMT -6:00]

Running from: c:\users\Anne\Desktop\ComboFix.exe

Command switches used :: c:\users\Anne\Desktop\CFScript.txt

AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\program files\PrivacySafeGuard

c:\program files\PrivacySafeGuard\enablebho.exe

c:\program files\PrivacySafeGuard\Install.Stats.Ping.exe

c:\program files\PrivacySafeGuard\PrivacySafeGuard-x64.dll

c:\program files\PrivacySafeGuard\pschrome_adk-cb_1_1.crx

c:\program files\PrivacySafeGuard\unins000.dat

c:\program files\PrivacySafeGuard\unins000.exe

c:\programdata\Babylon

.

.

((((((((((((((((((((((((( Files Created from 2012-07-12 to 2012-08-12 )))))))))))))))))))))))))))))))

.

.

2012-08-12 20:42 . 2012-08-12 20:42 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-08-12 20:42 . 2012-08-12 20:42 -------- d-----w- c:\users\Anne\AppData\Local\temp

2012-08-05 02:32 . 2012-08-05 02:32 -------- d-----w- c:\users\Anne\AppData\Roaming\Titanium Gears

2012-07-30 23:07 . 2012-07-30 23:07 -------- d-----w- c:\program files (x86)\7-Zip

2012-07-30 23:06 . 2012-08-11 21:42 -------- d-----w- c:\users\Anne\AppData\Roaming\Qwiklinx

2012-07-30 23:06 . 2012-07-30 23:06 -------- d-----w- c:\program files (x86)\Qwiklinx

2012-07-30 23:04 . 2012-08-05 00:51 -------- d-----w- c:\programdata\Tarma Installer

2012-07-30 23:04 . 2012-07-30 23:04 304 ----a-w- C:\user.js

2012-07-30 22:35 . 2012-07-30 22:35 -------- d-----w- c:\program files (x86)\AMP Font Viewer

2012-07-25 18:50 . 2012-08-03 11:14 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-07-25 18:50 . 2012-07-25 18:50 -------- d-----w- c:\windows\system32\Macromed

2012-07-25 16:52 . 2012-07-25 16:53 -------- d-----w- C:\Ancestry

2012-07-22 16:50 . 2012-08-06 23:36 -------- d-----w- C:\Politics

2012-07-16 20:31 . 2012-07-16 20:31 175736 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS

2012-07-16 20:31 . 2012-07-16 20:31 -------- d-----w- c:\program files\Symantec

2012-07-16 20:29 . 2012-07-16 20:29 -------- d-----w- c:\windows\system32\drivers\NISx64

2012-07-16 20:29 . 2012-07-16 20:29 -------- d-----w- c:\program files (x86)\Norton Internet Security

2012-07-16 20:29 . 2012-07-16 20:29 -------- d-----w- c:\program files (x86)\NortonInstaller

2012-07-15 03:53 . 2012-08-11 21:23 -------- d-----w- C:\TDSSKiller_Quarantine

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-08-03 11:14 . 2011-08-09 17:14 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-07-12 07:06 . 2006-11-02 12:35 59701280 ----a-w- c:\windows\system32\mrt.exe

2012-07-03 17:46 . 2012-07-12 19:15 24904 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-13 13:58 . 2012-07-12 07:02 2769408 ----a-w- c:\windows\system32\win32k.sys

2012-06-08 17:59 . 2012-07-11 12:40 12899840 ----a-w- c:\windows\system32\shell32.dll

2012-06-05 16:47 . 2012-07-11 12:40 1401856 ----a-w- c:\windows\SysWow64\msxml6.dll

2012-06-05 16:47 . 2012-07-11 12:40 1248768 ----a-w- c:\windows\SysWow64\msxml3.dll

2012-06-05 16:22 . 2012-07-11 12:40 1797120 ----a-w- c:\windows\system32\msxml6.dll

2012-06-05 16:22 . 2012-07-11 12:40 1869824 ----a-w- c:\windows\system32\msxml3.dll

2012-06-04 15:29 . 2012-07-11 12:40 516480 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2012-06-02 22:19 . 2012-06-22 07:21 38424 ----a-w- c:\windows\system32\wups.dll

2012-06-02 22:19 . 2012-06-22 07:22 2428952 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-02 22:19 . 2012-06-22 07:22 57880 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-02 22:19 . 2012-06-22 07:22 44056 ----a-w- c:\windows\system32\wups2.dll

2012-06-02 22:19 . 2012-06-22 07:21 35864 ----a-w- c:\windows\SysWow64\wups.dll

2012-06-02 22:19 . 2012-06-22 07:21 701976 ----a-w- c:\windows\system32\wuapi.dll

2012-06-02 22:19 . 2012-06-22 07:21 577048 ----a-w- c:\windows\SysWow64\wuapi.dll

2012-06-02 22:15 . 2012-06-22 07:22 2622464 ----a-w- c:\windows\system32\wucltux.dll

2012-06-02 22:15 . 2012-06-22 07:21 99840 ----a-w- c:\windows\system32\wudriver.dll

2012-06-02 22:12 . 2012-06-22 07:21 88576 ----a-w- c:\windows\SysWow64\wudriver.dll

2012-06-02 19:19 . 2012-06-22 07:21 186752 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-02 19:19 . 2012-06-22 07:21 171904 ----a-w- c:\windows\SysWow64\wuwebv.dll

2012-06-02 19:15 . 2012-06-22 07:21 36864 ----a-w- c:\windows\system32\wuapp.exe

2012-06-02 19:12 . 2012-06-22 07:21 33792 ----a-w- c:\windows\SysWow64\wuapp.exe

2012-06-02 12:49 . 2012-07-12 07:03 17807360 ----a-w- c:\windows\system32\mshtml.dll

2012-06-02 12:17 . 2012-07-12 07:03 10924032 ----a-w- c:\windows\system32\ieframe.dll

2012-06-02 12:12 . 2012-07-12 07:03 2311680 ----a-w- c:\windows\system32\jscript9.dll

2012-06-02 12:05 . 2012-07-12 07:03 1346048 ----a-w- c:\windows\system32\urlmon.dll

2012-06-02 12:05 . 2012-07-12 07:03 1392128 ----a-w- c:\windows\system32\wininet.dll

2012-06-02 12:04 . 2012-07-12 07:03 1494528 ----a-w- c:\windows\system32\inetcpl.cpl

2012-06-02 12:04 . 2012-07-12 07:03 237056 ----a-w- c:\windows\system32\url.dll

2012-06-02 12:03 . 2012-07-12 07:03 85504 ----a-w- c:\windows\system32\jsproxy.dll

2012-06-02 12:01 . 2012-07-12 07:03 173056 ----a-w- c:\windows\system32\ieUnatt.exe

2012-06-02 12:00 . 2012-07-12 07:03 818688 ----a-w- c:\windows\system32\jscript.dll

2012-06-02 11:59 . 2012-07-12 07:03 2144768 ----a-w- c:\windows\system32\iertutil.dll

2012-06-02 11:57 . 2012-07-12 07:03 96768 ----a-w- c:\windows\system32\mshtmled.dll

2012-06-02 11:57 . 2012-07-12 07:03 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-06-02 11:54 . 2012-07-12 07:03 248320 ----a-w- c:\windows\system32\ieui.dll

2012-06-02 08:33 . 2012-07-12 07:03 1800192 ----a-w- c:\windows\SysWow64\jscript9.dll

2012-06-02 08:25 . 2012-07-12 07:03 1129472 ----a-w- c:\windows\SysWow64\wininet.dll

2012-06-02 08:25 . 2012-07-12 07:03 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl

2012-06-02 08:20 . 2012-07-12 07:03 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe

2012-06-02 08:16 . 2012-07-12 07:03 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb

2012-06-02 00:22 . 2012-07-11 12:40 347136 ----a-w- c:\windows\system32\schannel.dll

2012-06-02 00:22 . 2012-07-11 12:40 254464 ----a-w- c:\windows\system32\ncrypt.dll

2012-06-02 00:05 . 2012-07-11 12:40 77312 ----a-w- c:\windows\SysWow64\secur32.dll

2012-06-02 00:04 . 2012-07-11 12:40 278528 ----a-w- c:\windows\SysWow64\schannel.dll

2012-06-02 00:03 . 2012-07-11 12:40 204288 ----a-w- c:\windows\SysWow64\ncrypt.dll

.

.

((((((((((((((((((((((((((((( SnapShot@2012-08-11_21.44.40 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-01-21 03:20 . 2012-08-05 16:57 196608 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

+ 2008-01-21 03:20 . 2012-08-11 22:05 196608 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

+ 2008-01-21 03:20 . 2012-08-11 22:05 4833280 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

- 2008-01-21 03:20 . 2012-08-05 16:57 4833280 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

+ 2008-01-21 03:20 . 2012-08-11 22:05 4276224 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

- 2008-01-21 03:20 . 2012-08-05 16:57 4276224 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-23 39408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"ISBMgr.exe"="c:\program files (x86)\Sony\ISB Utility\ISBMgr.exe" [2008-04-04 317280]

"SmartWiHelper"="c:\program files\Sony Corporation\SmartWi Connection Utility\SmartWiHelper.exe" [2008-06-27 77824]

"VWLASU"="c:\program files\Sony\VAIO Wireless Wizard\AutoLaunchWLASU.exe" [2008-05-20 24576]

"AML"="c:\program files (x86)\Sony\VAIO Launcher\AML.exe" [2008-06-13 1097728]

"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2012-03-27 40376]

"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2012-03-26 640440]

"IJNetworkScanUtility"="c:\program files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2009-05-26 413696]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"RIMBBLaunchAgent.exe"="c:\program files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-09-01 90448]

.

c:\users\Anne\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

OneNote Table Of Contents.onetoc2 [2010-6-24 3656]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-7-21 1048616]

QuickBooks Update Agent.lnk - c:\program files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-11-12 972064]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]

2008-07-29 00:45 98304 ----a-w- c:\windows\System32\VESWinlogon.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"aux1"=wdmaud.drv

.

R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-03 250056]

S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files (x86)\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-09-16 163840]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - 05171673

*NewlyCreated* - 27742188

*NewlyCreated* - 40303232

*NewlyCreated* - 77156661

*NewlyCreated* - 80251133

*NewlyCreated* - 82036170

*NewlyCreated* - 82137449

*NewlyCreated* - 86398627

*NewlyCreated* - ERASERUTILDRV11220

*Deregistered* - 05171673

*Deregistered* - 27742188

*Deregistered* - 40303232

*Deregistered* - 77156661

*Deregistered* - 80251133

*Deregistered* - 82036170

*Deregistered* - 82137449

*Deregistered* - 86398627

*Deregistered* - EraserUtilDrv11220

.

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

Themes

.

Contents of the 'Scheduled Tasks' folder

.

2012-08-12 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-25 11:14]

.

2012-08-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-04-03 18:11]

.

2012-08-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-04-03 18:11]

.

2012-08-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-622961194-3611557593-2110596406-1000Core.job

- c:\users\Anne\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-06 16:43]

.

2012-08-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-622961194-3611557593-2110596406-1000UA.job

- c:\users\Anne\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-06 16:43]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="RAVCpl64.exe" [2008-07-15 6453760]

"Skytel"="Skytel.exe" [2008-07-15 1826816]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2008-07-18 152576]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-09 151064]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-09 209432]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-09 181784]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-07 2114376]

"CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2008-12-12 722256]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.google.com/

mLocal Page = c:\windows\SysWOW64\blank.htm

IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

Trusted Zone: constantcontact.com\www

Trusted Zone: convergysworkathome.com\www

TCP: DhcpNameServer = 75.75.76.76 75.75.75.75

DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB

DPF: {89F9AA82-9B9F-4D1C-A637-33388558FAAC} - hxxp://webcal.weber.k12.ut.us/webcal/cab/ccuweb1_5_9.cab

DPF: {A084A130-28AE-4B32-B51A-1C8CE164BC88} - hxxp://www.convergysworkathome.com/AppHardT.CAB

CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll

FF - ProfilePath - c:\users\Anne\AppData\Roaming\Mozilla\Firefox\Profiles\twlmg6ex.default\

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

.

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NIS]

"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\19.7.1.5\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\19.7.1.5\diMaster.dll\" /prefetch:1"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]

@Denied: (A 2) (Everyone)

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]

@="Shockwave Flash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]

@Denied: (A 2) (Everyone)

@=""

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]

@="FlashBroker"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]

"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

Completion time: 2012-08-12 14:46:23

ComboFix-quarantined-files.txt 2012-08-12 20:46

ComboFix2.txt 2012-08-11 21:47

ComboFix3.txt 2012-07-16 20:06

.

Pre-Run: 83,000,287,232 bytes free

Post-Run: 82,252,460,032 bytes free

.

- - End Of File - - 9856EF6DFD109F8CCAD4FF7246DFB98C


Great!

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


ESETSmartInstaller@High as CAB hook log:

OnlineScanner64.ocx - registred OK

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)

# OnlineScanner.ocx=1.0.0.6583

# api_version=3.0.2

# EOSSerial=76e7fe2df8f3f24e880997007a7f2c3b

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2012-08-13 06:23:01

# local_time=2012-08-13 12:23:01 (-0700, Mountain Daylight Time)

# country="United States"

# lang=1033

# osver=6.0.6002 NT Service Pack 2

# compatibility_mode=3584 16777215 100 0 0 0 0 0

# compatibility_mode=5892 16776574 100 56 87373922 181430053 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=377926

# found=11

# cleaned=11

# scan_time=7633

C:\TDSSKiller_Quarantine\06.08.2012_09.04.57\mbr0000\tdlfs0000\tsk0001.dta Win64/Olmarik.AK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\TDSSKiller_Quarantine\06.08.2012_09.04.57\mbr0000\tdlfs0000\tsk0003.dta Win64/Olmarik.AL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\TDSSKiller_Quarantine\06.08.2012_09.04.57\mbr0000\tdlfs0000\tsk0005.dta Win64/Olmarik.AK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\TDSSKiller_Quarantine\06.08.2012_09.04.57\mbr0000\tdlfs0000\tsk0009.dta Win32/Olmarik.AFK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\TDSSKiller_Quarantine\06.08.2012_09.04.57\mbr0000\tdlfs0000\tsk0010.dta Win64/Olmarik.AK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\TDSSKiller_Quarantine\11.08.2012_15.22.05\tdlfs0000\tsk0001.dta Win64/Olmarik.AK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\TDSSKiller_Quarantine\11.08.2012_15.22.05\tdlfs0000\tsk0003.dta Win64/Olmarik.AL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\TDSSKiller_Quarantine\11.08.2012_15.22.05\tdlfs0000\tsk0005.dta Win64/Olmarik.AK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\TDSSKiller_Quarantine\11.08.2012_15.22.05\tdlfs0000\tsk0009.dta Win32/Olmarik.AFK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\TDSSKiller_Quarantine\11.08.2012_15.22.05\tdlfs0000\tsk0010.dta Win64/Olmarik.AK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Users\Anne\Downloads\Setup.exe a variant of Win32/Adware.iBryte.C application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\TDSSKiller_Quarantine\06.08.2012_09.04.57\mbr0000\tdlfs0000\tsk0001.dta Win64/Olmarik.AK trojan cleaned by deleting - quarantined

C:\TDSSKiller_Quarantine\06.08.2012_09.04.57\mbr0000\tdlfs0000\tsk0003.dta Win64/Olmarik.AL trojan cleaned by deleting - quarantined

C:\TDSSKiller_Quarantine\06.08.2012_09.04.57\mbr0000\tdlfs0000\tsk0005.dta Win64/Olmarik.AK trojan cleaned by deleting - quarantined

C:\TDSSKiller_Quarantine\06.08.2012_09.04.57\mbr0000\tdlfs0000\tsk0009.dta Win32/Olmarik.AFK trojan cleaned by deleting - quarantined

C:\TDSSKiller_Quarantine\06.08.2012_09.04.57\mbr0000\tdlfs0000\tsk0010.dta Win64/Olmarik.AK trojan cleaned by deleting - quarantined

C:\TDSSKiller_Quarantine\11.08.2012_15.22.05\tdlfs0000\tsk0001.dta Win64/Olmarik.AK trojan cleaned by deleting - quarantined

C:\TDSSKiller_Quarantine\11.08.2012_15.22.05\tdlfs0000\tsk0003.dta Win64/Olmarik.AL trojan cleaned by deleting - quarantined

C:\TDSSKiller_Quarantine\11.08.2012_15.22.05\tdlfs0000\tsk0005.dta Win64/Olmarik.AK trojan cleaned by deleting - quarantined

C:\TDSSKiller_Quarantine\11.08.2012_15.22.05\tdlfs0000\tsk0009.dta Win32/Olmarik.AFK trojan cleaned by deleting - quarantined

C:\TDSSKiller_Quarantine\11.08.2012_15.22.05\tdlfs0000\tsk0010.dta Win64/Olmarik.AK trojan cleaned by deleting - quarantined

C:\Users\Anne\Downloads\Setup.exe a variant of Win32/Adware.iBryte.C application cleaned by deleting - quarantined

Here's the log file and the ESETScanner list of threats...a bit redundant, perhaps.

Regards


Good morning, Maniac. My wife reports that her system appears to be working normally now and that all of the applications that were problematic before are now A-OK. So thanks for that. Questions. Do we still have to deal with the same "back door" vulnerability as before? Will using the Malwarebytes protection be better than her Norton Internet Security 2012? Is it possible that a Trojan could command Norton to shut down? My wife tells me that in the recent past (before all of our communications) she has noticed that her Norton security has been turned off and she has to manually turn it back on. Perhaps that is how the Trojans gained repeated access.

I back up her computer onto a separate portable hard drive made by Clickfree. It's an automatic process that only backs up data and not programs. Do I have to worry that her data, word, .pdf, .pst, Outlook and emails are corrupted, too? That is her big worry now, that if we do have to replace this computer for some reason (or cleanse the hard drive with a new install) her backed up data will be suspect or corrupted. Is it likely that a Trojan of the type that you've seen here can be transported onto the backup system?

Any advice you can give us going forward will be very much appreciated and we're very grateful for the prompt and helpful advice you've given us to date. As I've said in the past, you and the other experts are all that stands between decent people and the scum who choose to use their talents to prey on them.

By the way, I've got a real good excuse for not responding sooner...and I'd copy a picture of all the beautiful brown trout I spent the day with if I could just figure out how to do it!


Do we still have to deal with the same "back door" vulnerability as before?

As I mentioned from the very beginning, we can never be sure with this system. We cleaned everything found.

Will using the Malwarebytes protection be better than her Norton Internet Security 2012?

Malwarebytes is not an anti-virus program but an anti-malware program. At least the name makes it clear that it does not deal with viruses, so it does not replace your Norton.

Is it possible that a Trojan could command Norton to shut down because my wife tells me that in the recent past (before all of our communications) she has noticed that her Norton security has been turned off and she has to manually turn it back on. Perhaps that is how the Trojans gained repeated access.

When the Trojan takes control of the system, the first thing done is to protect itself from your protection programs.

Do I have to worry that her data, word, .pdf, .pst, Outlook and emails are corrupted, too? That is her big worry now, that if we do have to replace this computer for some reason (or cleanse the hard drive with a new install) her backed up data will be suspect or corrupted. Is it likely that a Trojan of the type that you've seen here can be transported onto the backup system?

You could transfer them, but as I already said in my warning at the beginning, they may have been stolen.


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
